COSO’s Fraud Risk Management Guide: Reasonable Steps, Rewarding Returns
06.21.2017 | Berdon Industry Insights
Five Fraud Risk Management Principles
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has taken steps to guide companies in establishing formidable fraud risk management practices. In an environment where company defenses seem more porous than ever, COSO has augmented and aligned its 17 principles of internal control, issued in 2013, with an additional five fraud risk management principles. These principles should be accepted as integral components of corporate governance and a sound internal control environment.
The measures discussed in the Fraud Risk Management Guide (the “Guide”) are practical, and if properly implemented, can add another layer of security in a business environment.
The Guide sets out specific processes for effective fraud risk management. In order to achieve optimal results, best practice is to implement a program that covers the following five principles:
- Principle 1 recommends establishing fraud risk governance, which would begin with an assessment of the organization’s commitment to integrity and ethics. A positive corporate environment should encompass anti-fraud sentiment at all layers of the organization, starting with the board of directors and filtering down to the rest of the organization.
- Principle 2 requires companies to perform a comprehensive fraud risk assessment that addresses and evaluates “fraud risk scenarios” specific to each organization. The scenarios should cover various possibilities of fraudulent acts, such as fraudulent financial reporting and misappropriation of assets, including fraud committed by employees, customers or vendors. Other illegal acts may include bribery, money laundering, cybersecurity breaches, and violation of labor and consumer protection regulations and laws.
- Principle 3 recommends examining and augmenting existing control activities to ensure that both preventive and detective control activities are in place.
- Principle 4 suggests that organizations set up protocols and mechanisms that can be easily deployed for identifying fraudulent activities, investigating them in a timely manner, identifying root causes, and formulating remediation steps.
- Principle 5 covers both ongoing and separate evaluations of the effectiveness of the first four principles described above. The evaluations can be performed with the help of internal or external resources, such as internal audits or monitoring of key risk indicators.
Only by covering all of these bases can a business hope to establish a solid defensive shield against fraud. COSO stresses that internal control issues stemming from errors differ from basic flaws that open a business to fraud. It is the difference between accident and intent. By not assessing the internal control environment thoroughly to identify possibilities where intentional acts of fraud may be committed, a business can be vulnerable to:
- Misstated financial information
- Misstated nonfinancial information
- Misappropriated assets
- Direct illegal acts and corruption
The Guide acknowledges that fraud risk can be present in many areas of a business and recommends that multiple stakeholders have roles in mitigating risk. These soldiers in the war on fraud can include:
- Board members
- Audit committee members
- Senior management
- Management at lower department levels
- Internal auditors
- External auditors
- Service providers
The Guide, which was co-sponsored by the Association of Certified Fraud Examiners (ACFE), is essentially a blueprint for helping businesses establish an overall fraud risk management program. The Guide covers recent developments in risk management, including details on the use of technology, in particular, the value of data analytics.
Data analysis enables an organization to examine massive volumes of data and activities within entire business processes to assess fraud risk and highlight indicators of where risks of fraud may exist. Companies may also be able to detect circumstances where existing fraud prevention controls failed, were breached, circumvented, or bypassed entirely. Companies may even uncover areas where they do not have, or never had, proper controls in place.
Anti-fraud Program Development
The Guide provides examples of key program components and resources that organizations can tap into in order to develop a fraud risk management program. Further, the Guide offers references to other sources of guidance for developing a fraud risk management program for specific industries.
The ideas, thoughts, and recommendations in the Guide are both reasonable and prudent. The steps that an organization can take based on the information in the Guide can deliver a return that may not be easily measured. Unless, of course, peace of mind, security, profitability, and the ongoing existence of a business can be quantified. The Guide is a resource that crosses industries and business sectors. The only question a company owner should ask now is: “How much risk am I willing to take?”
If you have questions about the best approach to fraud risk management for your company or would like to discuss having a fraud risk assessment performed, contact Alexander Moshinsky, Director, Internal Controls & Risk Management at 212.331.7448 | AMoshinsky@BERDONLLP.com.
Berdon LLP, New York Accountants