For many organizations, fraud risk management consists of checking boxes and thinking positive thoughts:
- “We hire good people.”
- “We have a code of conduct.”
- “We comply with Sarbanes-Oxley (SOX).”
- “Our hotline does not ring (for serious things).”
- “Fraud simply doesn’t happen here.”
Of course, as forensic professionals, we know that this is not enough. So does the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Recognizing the need to both elevate and evolve management thinking on the topics of fraud prevention, detection and deterrence, COSO released its Fraud Risk Management Guide (“COSO Guide”) in September 2016.
The COSO Guide provides a valuable blueprint of leading practices and user-friendly templates to help organizations not only correlate, but actively apply, the five fraud risk management principles first outlined in Managing the Business Risk of Fraud: A Practical Guide (jointly published by the AICPA, The IIA and ACFE in 2008) within the context of the 2013 COSO Framework.
These principles serve as a universal foundation for anti-fraud programs. They are:
- Fraud Risk Governance
- Fraud Risk Assessment
- Fraud Control Activity
- Fraud Investigation and Corrective Action
- Fraud Risk Management Monitoring Activities
Of these five principles, fraud risk assessment is perhaps the most widely recognized because the consideration of the potential for fraud was explicitly included within the 2013 COSO Framework. Since that time, the identification and assessment of fraud risk have been a focal point of inquiry for internal and external auditors. However, the scope of management’s fraud risk assessment is still often limited to fraud scenarios that would cause a material misstatement in an organization’s financial statements. In contrast, the COSO Guide encourages an elevated and evolved assessment of fraud risk in the context of the organization’s overarching fraud risk management program, in order to better support, and be more consistent with, the overall 2013 COSO Framework.
The COSO Guide is both user-friendly and pragmatic in its design. Each chapter is organized to provide a clear snapshot of how individual fraud risk management principles align with the COSO 2013 Framework’s components and principles, and outlines unique characteristics for each fraud risk management principle within specific points of focus. These points of focus are structured similarly to those contained in the 2013 COSO Framework and are useful in considering the design and operating effectiveness of management’s own fraud risk management capabilities. Whether an organization is new to the topic of fraud risk management or seeking a more detailed view on the “how-to” of certain fraud risk management activities, the COSO Guide provides information that is both thorough and thoughtful, as well as applicable to a variety of audiences.
Whether an organization is in pursuit of a “best-in-class” fraud risk management program, or simply looking to enhance certain elements of its anti-fraud control activities, below are some suggestions for utilizing the information and templates included within the COSO Guide:
- Map and analyze the fraud risk management process for improvement opportunities
- Evaluate whether there is proper oversight and assignment of resources for fraud control activities
- Create or update the organization’s fraud control policy
- Conduct a fraud risk management survey
- Expand documentation and visualization of the organization’s fraud risk and controls matrix
- Assess the organization’s list of potential fraud exposures
- Review the organization’s fraud response plan
- Implement a data analytics framework
- Enhance awareness of fraud risk through communication with various organizational constituencies
It is important to note that the COSO Guide offers insights into leading practices encompassing fraud prevention, detection and deterrence. It is not intended to create a prescriptive standard for either fraud risk management or fraud risk assessment. Furthermore, there is no “one size fits all” approach to fraud risk management and fraud risk assessment. Each process needs to be tailored to an organization’s operations, objectives, industry, people, geographies and technologies.
Finally, it is critical to recognize that fraud is a highly dynamic event. There is no guarantee that an organization will be free from its occurrence or effect simply because it has implemented leading practices. The ability to prevent and detect fraud can — and should — evolve with the organization’s internal control framework, and the COSO Guide provides a clear roadmap that can help drive organizations toward excellence in fraud risk management.