Daily headlines of pilfered passwords and stolen credit card data have put fraud at the top of management’s risk management agenda. This concern coincides with new guidance in The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control–Integrated Framework that directs organizations to conduct a fraud risk assessment as part of their overall risk assessment.
Now is an opportune time for internal auditors to help their organization re-examine its approach to fraud risk. For organizations that have not formally documented processes and controls to address fraud risk, adopting COSO 2013 can jump-start a fraud risk prevention program. Organizations that have a more mature fraud risk assessment can use it to strengthen their fraud prevention processes and procedures.
The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level.
In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting.
Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of nonfinancial reporting is a significant change that covers sustainability, health and safety, employment activity, and similar reports. Because internal auditors frequently provide assurance in this area, they can provide insights into fraudulent nonfinancial reporting.
One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, the Association of Certified Fraud Examiners, and The IIA. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls.
Fraud Risk Governance
Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk.
But even organizations with committed senior leadership may have inadequate fraud risk assessment programs. Most organizations have some written policies to manage individual fraud components, but many don’t concisely summarize these documents and activities so they can communicate and evaluate the completeness of their fraud management processes. Internal audit can help with this evaluation and address the areas of fraud described in Principle 8.
The Assessment Process
Although a fraud risk assessment should ordinarily be conducted as part of a broader evaluation of organizational risk in an enterprise risk management program, it may initially be done on a stand-alone basis. Regulatory and legal misconduct, such as U.S. Foreign Corrupt Practices Act violations, as well as reputation risk, also should be considered. Internal auditors can help ensure the fraud risk assessment is sufficiently robust.
Assess and Identify Inherent Risk
The fraud risk assessment starts with a brainstorming session to uncover the organization’s potential fraud risks, without consideration of mitigating controls. The review should be shaped by the organization’s operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, business practices, and business conditions.
Each risk area should be examined, including fraudulent reporting, possible loss of assets, and corruption. The assessment should consider:
- All types of fraud schemes and scenarios.
- The incentives (such as compensation programs), pressures (such as a chief financial officer who needs to hit an earnings estimate), and opportunities (such as a senior executive with override ability) to commit fraud.
- The IT fraud risks specific to the organization, which may become pervasive without appropriate controls.
Additionally, the fraud risk assessment needs to consider the potential bypass of controls, as well as areas where controls are weak or there is a lack of segregation of duties.
Assess Likelihood and Significance of Fraud Risk
This review of identified fraud risks should be based on staff interviews — including business process owners — known fraud schemes, and historical information, both internal and external to the organization. In assessing fraud risk significance, organizations should consider not only exposures to assets and financial statements, but also risk to their operations, brand value, and reputation, as well as criminal, civil, and regulatory liability.
Fraud Prevention and Detection
Fraud prevention requires both preventive and detective controls, but the Managing the Business Risk of Fraud guide points out these are not mutually exclusive: “If effective preventive controls are in place, working, and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company’s known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls.”
Segregation of duties in small organizations can be difficult because of limited resources and personnel. These organizations need compensating controls such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity.
Fraud Investigation and Corrective Action
The fraud investigation and response system should include a process for categorizing issues, communicating within the organization — including with the audit committee or those charged with governance — conducting the investigation and fact-finding, monitoring the status of fraud cases, and resolving the investigation with a recommendation for prosecution. Standards, regulations, or laws may require parties such as legal counsel, the board, the audit committee, and external auditors to be notified if the allegation involves senior management or affects the financial statements.
An Opportunity for Improvement
Organizations that already have adopted COSO 2013 can continue to build on that foundation to prepare for the fraud challenges ahead. For those organizations that haven’t yet implemented the framework, the opportunity to improve their fraud risk assessment should motivate them to adopt it soon. In either case, internal auditors who are well-versed in COSO 2013 can help the organization’s fraud risk assessment initiative by facilitating the assessment itself or helping align policies and fraud mitigation activities.