United States: COSO 2013 Framework Boosts Fraud Risk Assessment And Prevention

Fraud is among the most distasteful fare on management's plate. Not only is it an enormous, unplanned drain on company resources — the Association of Certified Fraud Examiners (ACFE) estimates that fraud costs the typical company 5% of revenue [1] — it's spiritually crippling as well. Fraud by company outsiders, as damaging as it may be, simply testifies to human greed and malevolence. Fraud by co-workers and colleagues, often long-serving and trusted, is a gut-wrenching betrayal of faith.

Daily stories of pilfered passwords and leaked emails have placed cyberfraud at the top of management's agenda. This heightened concern coincides with the guidance in COSO's Internal Control — Integrated Framework: Framework and Appendices (COSO 2013), effective December 15, 2014, that requires companies to do a fraud risk assessment (FRA). Clearly, now is the time for companies to comprehensively reassess their approach to evaluating and mitigating potential fraud risks. [2]

For companies that may not have formally documented processes and controls designed to address fraud risk systematically, adopting COSO 2013 can jump-start a broad and far-reaching program of necessary fraud risk prevention. Companies that have more fully developed FRA processes and procedures in place will see implementing COSO 2013 as an opportunity to re-evaluate and strengthen their fraud prevention effort.


Principle 8

The discussion of fraud in COSO 2013 centers on Principle 8 of the framework:

The organization considers the potential for fraud in assessing risks to the achievement of objectives

"For most companies, under 1992 COSO, fraud risk was viewed primarily in terms of satisfying SOX requirements, i.e., identifying and preventing fraud risk at the transaction level," says Michael Rose, partner, Business Advisory Services. "But in COSO 2013, fraud risk becomes a specific component in the overall risk assessment: It addresses fraud at the organization or entity level, not just the transaction level. COSO requires a strong internal control foundation that addresses fraud much more broadly: company objectives, strategy, operations, and compliance, as well as reporting — both external and internal, financial and nonfinancial."

Principle 8 describes four specific areas of concern.

  1. Fraudulent financial reporting: This area has long been at the heart of the mission of COSO; indeed, it is the purpose for which COSO was originally founded in 1985.
  2. Fraudulent nonfinancial reporting: The inclusion of fraudulent nonfinancial reporting is a significant change from 1992 COSO. COSO 2013 mentions sustainability reporting, health and safety reports and reports on employment activity as examples of nonfinancial reporting.
  3. Misappropriation of assets: Principle 8 states that "illegal marketing, theft of assets, theft of intellectual property, late trading, and money laundering" are among the activities that may relate to unauthorized acquisition, use and disposal of assets.
  4. Illegal acts: These are violations of laws or governmental regulations that could have a material direct or indirect impact on the external financial reports. Examples include bribery, corruption and insider trading.

Points of focus

The first point of focus in Principle 8 summarizes the above four areas:

Considers Various Types of Fraud — The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.

The three remaining points of focus largely mirror those of the fraud triangle as discussed in SAS 99. [3] The standard describes an assessment of fraud risks considering three specific aspects:

  • Incentives and pressures to commit fraud that exist in the control environment;
  • Opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts; and
  • Attitudes and rationalization, i.e., how management and other personnel might engage in or justify inappropriate actions.

Management override of controls

Management override figures prominently in the text of Principle 8. It is an "action taken to override an entity's controls for an illegitimate purpose including personal gain or an enhanced presentation of an entity's financial condition or compliance status." Management override generally occurs in the largest or most significant fraud occurrences and is not easily detected.

As COSO 2013 states, management override should not be confused with management intervention, i.e., action that departs from controls designed for legitimate purposes. The degree to which management can intervene is determined by the board and audit committee's assessment of the control environment.


One extremely useful document for management in assessing and enhancing the company's fraud risk function is Managing the Business Risk of Fraud: A Practical Guide, produced by The Institute of Internal Auditors (IIA), AICPA and the ACFE. It offers a highly detailed guide — including a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls — of how organizations of various sizes and types can establish their own fraud risk management programs. The following discussion draws significantly from that publication.

Fraud risk governance

The FRA should be seen as part of the company's effort for strong corporate governance. This commitment requires a "tone at the top" that facilitates corporate cultures embracing strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk.

But even companies with committed senior leadership may have inadequate FRA programs. Most companies have some written policies to manage individual fraud components — say, expense account procedures. We have also noted that many companies engage in some fraud management activities to assess, identify and control override risks. What most companies don't do is concisely summarize these documents and activities so they can communicate and evaluate the completeness and sufficiency of their fraud management processes.

Fraud risk assessment

The fraud risk assessment should ordinarily be conducted as part of a broader assessment of company risk in an enterprise risk management program. But the fraud risk assessment itself may initially be conducted as part of that process or on a standalone basis. Regulatory and legal misconduct, such as Foreign Corrupt Practices Act violations, as well as reputation risk, should also be considered.

Assess and identify inherent risk

The FRA starts with a brainstorming session that seeks to uncover the potential fraud risks in the organization, without consideration of mitigating controls. The review takes place within, and is shaped by, the company's operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, company business practices (e.g., heavy reliance on cash transactions), and business conditions.

Each area of risk — fraudulent reporting, possible loss of assets, and corruption — should be examined. The FRA should include:

  • Consideration of all types of fraud schemes and scenarios;
  • The incentives (such as those created by compensation programs), pressures (a CFO who needs to hit an earnings estimate) and opportunities (a senior manager with the ability to override controls) to commit fraud; and
  • The IT fraud risks specific to the organization.

Importantly, the FRA needs to consider the potential bypass of controls through management override, as well as areas where controls are weak or there is a lack of segregation of duties.

Assess likelihood and significance of fraud risk

The next step is to assess the relative likelihood and potential significance of identified fraud risks. This review should be based on interviews with staff, including business process owners; known fraud schemes; and historical information, both internal and external to the entity.

In assessing fraud risk significance, companies should consider not only exposures to assets and the financial statements, but risk to an organization's operations, brand value and reputation, as well as criminal, civil and regulatory liability.

Fraud prevention and detection

Once the likelihood and significance of fraud risks are identified, design and implementation of mitigating controls follow. Fraud prevention requires both preventative and detective controls. Preventative controls include policies, procedures, training, and communication and certain computer-based application controls, while detective controls involve activities designed to identify specific examples of fraud or misconduct that is occurring or has occurred, such as reconciliations and other types of manual controls. However, these are interrelated concepts, as described below:

If effective preventive controls are in place, working and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company's known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls. [4]

Keep in mind that, in designing controls, segregation of duties in small companies can be difficult to achieve because of limited resources and personnel. Smaller firms need to work to assure that compensating controls (such as periodic budget-to-actual analysis at a level of detail precise enough to flag and investigate unusual activity) or other monitoring controls are in place to offset the missing segregation of duties.

Fraud investigation and corrective action

No system of internal control can eliminate fraud completely, so a program for how the company responds to identified fraud or potential illegal acts is essential. The investigation and response system should include a process for categorizing issues; communicating within the organization (including, depending on the potential severity of the matter, to the audit committee or those charged with governance); conducting the investigation and fact-finding; and resolving or closing the investigation with a recommendation on whether to prosecute.

A tracking system for monitoring the status of fraud cases is a necessity. If the allegation involves senior management or affects the financial statements, there may be standards, regulations or laws that require parties such as legal counsel, the board, the audit committee and the external auditors to be notified.


COSO 2013 includes some key elements that management can leverage for companies starting or upgrading their FRA. Organizations that have adopted COSO 2013 can continue to build on that experience to prepare for the fraud challenges ahead. For companies that haven't yet implemented the framework, the direction it provides for improving FRA should motivate management to strive for adoption as soon as possible.


1. ACFE: "Report to the Nations on Occupational Fraud and Abuse — 2014 Global Fraud Study."

2. COSO released a new report, COSO in the Cyber Age, which provides direction on how the Internal Control-Integrated Framework and the Enterprise Risk Management-Integrated Framework can help organizations manage cyber risks. Visit www.coso.org to download the report.

3. AICPA — Statements on Auditing Standards No. 99.

4. Managing the Business Risk of Fraud: A Practical Guide, pp. 30-34. The Institute of Internal Auditors (IIA), AICPA and ACFE. See www.acfe.com/uploadedfiles/acfe_website/content/documents/managing-business-risk.pdf for more information.
