Fraud is among the most distasteful fare on management's plate. Not only is it an enormous, unplanned drain on company resources — the Association of Certified Fraud Examiners (ACFE) estimates that fraud costs the typical company 5% of revenue [1] — it's spiritually crippling as well. Fraud by company outsiders, as damaging as it may be, simply testifies to human greed and malevolence. Fraud by co-workers and colleagues, often long-serving and trusted, is a gut-wrenching betrayal of faith.

Daily stories of pilfered passwords and leaked emails have placed cyberfraud at the top of management's agenda. This heightened concern coincides with the guidance in COSO's Internal Control — Integrated Framework: Framework and Appendices (COSO 2013), effective December 15, 2014, that requires companies to do a fraud risk assessment (FRA). Clearly, now is the time for companies to comprehensively reassess their approach to evaluating and mitigating potential fraud risks. [2]

For companies that may not have formally documented processes and controls designed to address fraud risk systematically, adopting COSO 2013 can jump-start a broad and far-reaching program of necessary fraud risk prevention. Companies that have more fully developed FRA processes and procedures in place will see implementing COSO 2013 as an opportunity to re-evaluate and strengthen their fraud prevention effort.

COSO GUIDANCE ON FRAUD RISK ASSESSMENT

Principle 8

The discussion of fraud in COSO 2013 centers on Principle 8 of the framework:

The organization considers the potential for fraud in assessing risks to the achievement of objectives

"For most companies, under 1992 COSO, fraud risk was viewed primarily in terms of satisfying SOX requirements, i.e., identifying and preventing fraud risk at the transaction level," says Michael Rose, partner, Business Advisory Services. "But in COSO 2013, fraud risk becomes a specific component in the overall risk assessment: It addresses fraud at the organization or entity level, not just the transaction level. COSO requires a strong internal control foundation that addresses fraud much more broadly: company objectives, strategy, operations, and compliance, as well as reporting — both external and internal, financial and nonfinancial."

Principle 8 describes four specific areas of concern.

  1. Fraudulent financial reporting: This area has long been at the heart of the mission of COSO; indeed, it is the purpose for which COSO was originally founded in 1985.
  2. Fraudulent nonfinancial reporting: The inclusion of fraudulent nonfinancial reporting is a significant change from 1992 COSO. COSO 2013 mentions sustainability reporting, health and safety reports and reports on employment activity as examples of nonfinancial reporting.
  3. Misappropriation of assets: Principle 8 states that "illegal marketing, theft of assets, theft of intellectual property, late trading, and money laundering" are among the activities that may relate to unauthorized acquisition, use and disposal of assets.
  4. Illegal acts: These are violations of laws or governmental regulations that could have a material direct or indirect impact on the external financial reports. Examples include bribery, corruption and insider trading.

Points of focus

The first point of focus in Principle 8 summarizes the above four areas:

Considers Various Types of Fraud — The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.

The three remaining points of focus largely mirror those of the fraud triangle as discussed in SAS 99. [3] The standard describes an assessment of fraud risks considering three specific aspects:

  • Incentives and pressures to commit fraud that exist in the control environment;
  • Opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts; and
  • Attitudes and rationalization, i.e., how management and other personnel might engage in or justify inappropriate actions.

Management override of controls

Management override figures prominently in the text of Principle 8. It is an "action taken to override an entity's controls for an illegitimate purpose including personal gain or an enhanced presentation of an entity's financial condition or compliance status." Management override generally occurs in the largest or most significant fraud occurrences and is not easily detected.

As COSO 2013 states, management override should not be confused with management intervention, i.e., action that departs from controls designed for legitimate purposes. The degree to which management can intervene is determined by the board and audit committee's assessment of the control environment.

BUILDING A SUCCESSFUL FRAUD PREVENTION FUNCTION ON THE COSO FOUNDATION

One extremely useful document for management in assessing and enhancing the company's fraud risk function is Managing the Business Risk of Fraud: A Practical Guide, produced by The Institute of Internal Auditors (IIA), AICPA and the ACFE. It offers a highly detailed guide — including a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls — of how organizations of various sizes and types can establish their own fraud risk management programs. The following discussion draws significantly from that publication.

Fraud risk governance

The FRA should be seen as part of the company's effort for strong corporate governance. This commitment requires a "tone at the top" that facilitates corporate cultures embracing strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk.

But even companies with committed senior leadership may have inadequate FRA programs. Most companies have some written policies to manage individual fraud components — say, expense account procedures. We have also noted that many companies engage in some fraud management activities to assess, identify and control override risks. What most companies don't do is concisely summarize these documents and activities so they can communicate and evaluate the completeness and sufficiency of their fraud management processes.

Fraud risk assessment

The fraud risk assessment should ordinarily be conducted as part of a broader assessment of company risk in an enterprise risk management program. But the fraud risk assessment itself may initially be conducted as part of that process or on a standalone basis. Regulatory and legal misconduct, such as Foreign Corrupt Practices Act violations, as well as reputation risk, should also be considered.

Assess and identify inherent risk

The FRA starts with a brainstorming session that seeks to uncover the potential fraud risks in the organization, without consideration of mitigating controls. The review takes place and is shaped by the company's operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, company business practices (e.g., heavy reliance on cash transactions), and business conditions.

Each area of risk — fraudulent reporting, possible loss of assets, and corruption — should be examined. The FRA should include:

  • Consideration of all types of fraud schemes and scenarios;
  • The incentives (such as through compensation programs), pressures (a CFO that needs to hit an earnings estimate) and opportunities (a senior manager with management override ability) to commit fraud; and
  • The IT fraud risks specific to the organization.

Importantly, the FRA needs to consider the potential bypass of controls through management override, as well as areas where controls are weak or there is a lack of segregation of duties.

Assess likelihood and significance of fraud risk

The next step is to assess the relative likelihood and potential significance of identified fraud risks. This review should be based on interviews with staff, including business process owners; known fraud schemes; and historical information, both internal and external to the entity.

In assessing fraud risk significance, companies should consider not only exposures to assets and the financial statements, but risk to an organization's operations, brand value and reputation, as well as criminal, civil and regulatory liability.

Fraud prevention and detection

Once the likelihood and significance of fraud risks are identified, design and implementation of mitigating controls follow. Fraud prevention requires both preventative and detective controls. Preventative controls include policies, procedures, training, communication and certain computer-based application controls, while detective controls involve activities designed to identify specific instances of fraud or misconduct that are occurring or have occurred, such as reconciliations and other types of manual controls. However, these are interrelated concepts, as described below:

If effective preventive controls are in place, working and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company's known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls. [4]

Keep in mind that, in designing controls, segregation of duties in small companies can be difficult to achieve because of limited resources and personnel. Smaller firms need to work to ensure that compensating controls (such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity) or other monitoring controls are in place to mitigate this risk.

Fraud investigation and corrective action

No system of internal control can eliminate fraud completely, so a program for how the company responds to identified fraud or potential illegal acts is essential. The investigation and response system should include a process for categorizing issues; communicating within the organization, including to the audit committee or those charged with governance (depending on the potential severity of the matter); conducting the investigation and fact-finding; and resolving or closing the investigation with a recommendation on prosecution.

A tracking system for monitoring the status of fraud cases is a necessity. If the allegation involves senior management or affects the financial statements, there may be standards, regulations or laws that require parties like legal counsel, board, audit committee, external auditors, etc. to be notified.

CONCLUSION

COSO 2013 includes some key elements that management can leverage for companies starting or upgrading their FRA. Organizations that have adopted COSO 2013 can continue to build on that experience to prepare for the fraud challenges ahead. For companies that haven't yet implemented the framework, the direction it provides for improving FRA should motivate management to strive for adoption as soon as possible.

Footnotes

1. ACFE: "Report to the Nations on Occupational Fraud and Abuse — 2014 Global Fraud Study."

2. COSO released a new report, COSO in the Cyber Age, which provides direction on how the Internal Control-Integrated Framework and the Enterprise Risk Management-Integrated Framework can help organizations manage cyber risks. Visit www.coso.org to download the report.

3. AICPA — Statements on Auditing Standards No. 99.

4. Managing the Business Risk of Fraud: A Practical Guide, p. 30-34. The Institute of Internal Auditors (IIA), AICPA and ACFE. See www.acfe.com/uploadedfiles/acfe_website/content/documents/managing-business-risk.pdf for more information.
