COSO Fraud Risk Management Guide Executive Summary
EXECUTIVE SUMMARY
Committee of Sponsoring Organizations of the Treadway Commission
B | Fraud Risk Management Guide - Executive Summary | COSO/ACFE
Principal Authors
David L. Cotton, CPA, CFE, CGFM
Chairman, Cotton & Company LLP
Acknowledgements
COSO and ACFE thank each of the Fraud Risk Management Task Force and Advisory Panel
members (see Page vii) for their generous contributions of time, resources and knowledge.
Charles Landes, CPA, American Institute of CPAs (AICPA)
Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA, The Institute of Internal Auditors
Preface
This project was commissioned by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO), which is dedicated to providing thought leadership through the development of comprehensive
frameworks and guidance on enterprise risk management, internal control, and fraud deterrence designed to
improve organizational performance and governance and to reduce the extent of fraud in organizations.
COSO is a private-sector initiative jointly sponsored and funded by the following organizations:
Fraud Risk Management Guide
EXECUTIVE SUMMARY
September, 2016
Research Commissioned by
Committee of Sponsoring Organizations of the Treadway Commission
Foreword
In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control — Integrated Framework (the original framework). The original framework has gained broad acceptance and is widely used around the world. It is recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.

COSO revised the original framework in 2013 (2013 framework). The 2013 framework incorporates 17 principles.1 These 17 principles are associated with the five internal control components, and provide clarity for the user in designing and implementing systems of internal control and for understanding requirements for effective internal control. COSO makes clear that for a system of internal control to be effective, each of the 17 principles is present, functioning, and operating together in an integrated manner.

Principle 8, one of the risk assessment component principles, states:

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

This publication, Fraud Risk Management Guide (guide), is intended to be supportive of and consistent with the 2013 Framework and can serve as best practices guidance for organizations to follow in addressing this new fraud risk assessment principle.

For organizations desiring to establish a more comprehensive approach to managing fraud risk, this guide includes more than just the information needed to perform a fraud risk assessment. It also includes guidance on establishing an overall Fraud Risk Management Program including:

• Establishing fraud risk governance policies
• Performing a fraud risk assessment
• Designing and deploying fraud preventive and detective control activities
• Conducting investigations, and
• Monitoring and evaluating the total fraud risk management program

This guide is designed to be familiar to COSO Framework users. It contains principles and points of focus.2 This guide’s five principles are consistent with the five COSO Internal Control Components3 and the 17 COSO principles.

This guide draws from and updates a 2008 product published and sponsored by the American Institute of CPAs (AICPA), Institute of Internal Auditors (IIA), and Association of Certified Fraud Examiners (ACFE). This prior publication, Managing the Business Risk of Fraud: A Practical Guide, contained similar guidance for establishing a comprehensive Fraud Risk Management Program and has been used by many organizations to manage fraud risk. COSO is appreciative of the work done by the task force that produced this prior publication. This new guide builds on that previous product by updating it for more recent developments, revising terminology to be consistent with newer COSO terminology, and adding important information related to technology developments — specifically data analytics.
1 Per the 2013 COSO Framework, relevant principles “represent fundamental concepts associated with components” of internal control.
2 Per the 2013 COSO Framework, points of focus are “important characteristics of principles.”
3 Per the 2013 COSO Framework, a component is “one of five elements of internal control. The internal control components are the Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.”
The guide’s executive summary provides a high-level overview intended for the board of directors and senior management and is designed to explain the benefits of establishing strong anti-fraud policies and controls. The guide’s appendices contain valuable templates, samples, examples, and tools to assist users in implementing the guide’s best practices.

In addition, the guide contains hyperlinks to several valuable automated tools and templates that can be used to make implementation and documentation of a comprehensive Fraud Risk Management Program more effective.

COSO has also published Enterprise Risk Management — Integrated Framework (ERM Framework). This guide, the 2013 COSO Framework, and the ERM Framework are intended to be complementary. Depending on how an organization implements the Internal Control Framework, the ERM Framework, and this guide, there may be overlapping and interconnecting areas. Fraud risk can affect areas beyond accounting and financial management activities. Indeed, an organization seeking to minimize the adverse impacts of fraud needs to consider fraud risk in all areas of the enterprise and its operations.
The COSO Board would like to thank members of the
Task Force that developed this guide, the Advisory Panel
that reviewed drafts of the guide and provided valuable
feedback, and the COSO Advisory Council for their
contributions in reviewing the guide.
James D. Ratley
ACFE President and CEO
Eric Eisenstein
Cotton & Company LLP
The COSO Board gratefully acknowledges David L. Cotton, Chair of the Fraud Risk Management Task Force, for his
outstanding leadership and efforts toward the completion of this guide.
Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.4

All organizations are subject to fraud risks. It is impossible to eliminate all fraud in all organizations. However, implementation of the principles in this guide will maximize the likelihood that fraud will be prevented or detected in a timely manner and will create a strong fraud deterrence effect.

The board of directors5 and top management and personnel at all levels of the organization — including every level of management, staff, and internal auditors — have responsibility for managing fraud risk. Particularly, they are expected to understand how the organization is responding to heightened risks and regulations, as well as public and stakeholder scrutiny; what form of Fraud Risk Management Program the organization has in place; how it identifies fraud risks; what it is doing to better prevent fraud, or at least detect it sooner; and what process is in place to investigate fraud and take corrective action. This Fraud Risk Management Guide (guide) is designed to help address these complex issues.

This guide recommends ways in which governing boards, senior management, staff at all levels, and internal auditors can deter fraud in their organization. Fraud deterrence is a process of eliminating factors that may cause fraud to occur. Deterrence is achieved when an organization implements a fraud risk management process that:

• Establishes a visible and rigorous fraud governance process
• Creates a transparent and sound anti-fraud culture
• Includes a thorough fraud risk assessment periodically
• Designs, implements, and maintains preventive and detective fraud control processes and procedures
• Takes swift action in response to allegations of fraud, including, where appropriate, actions against those involved in wrongdoing

This guide provides implementation guidance that defines principles and points of focus6 for fraud risk management and describes how organizations of various sizes and types can establish their own Fraud Risk Management Programs. The guide includes examples of key program components and resources that organizations can use as a starting place to develop a Fraud Risk Management Program effectively and efficiently. In addition, the guide contains references to other sources of guidance to allow for tailoring a Fraud Risk Management Program to a particular industry or to government or not-for-profit organizations. Each organization needs to assess the degree of emphasis to place on fraud risk management based on its size and circumstances.

The guide also contains valuable information for users who are implementing a fraud risk management process. For example, it addresses fraud risk management roles and responsibilities, fraud risk management considerations for smaller organizations, data analytics employed as a part of fraud risk management, and managing fraud risk in the government environment.
4 For purposes of this guide, the authors developed this practical definition. The authors recognize that many other definitions of fraud exist, including those developed by the Auditing Standards Board of the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, and the Government Accountability Office.
5 Throughout this guide, the terms board and board of directors refer to the governing or oversight body or those charged with governance of the organization.
6 Per COSO’s Internal Control — Integrated Framework (May 2013) (2013 COSO Framework), Relevant Principles represent fundamental concepts associated with components of internal control. Points of Focus are important characteristics of principles.
Exhibit: 2013 COSO Framework principles7 and fraud risk management principles, by internal control component

Control Environment
2013 COSO Framework principles:
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
Fraud risk management principle:
1. The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Risk Assessment
2013 COSO Framework principle:
... across the entity and analyzes risks as a basis for determining how the risks should be managed.
Fraud risk management principle:
2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Control Activities
2013 COSO Framework principles:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Fraud risk management principle:
3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Information & Communication
2013 COSO Framework principle:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

Monitoring Activities
2013 COSO Framework principles:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Fraud risk management principle:
5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

7 The 2013 COSO Framework’s 17 internal control principles have been adopted by the U.S. federal government in the Standards for Internal Controls in the Federal Government, issued by the Comptroller General of the United States. The Federal Managers’ Financial Integrity Act of 1982 requires federal agencies to follow the Comptroller General’s standards. In addition, the Government Accountability Office (GAO) has issued a Framework for Managing Fraud Risks in Federal Programs, which was developed based on leading practices as a tool for federal agencies to use in developing Fraud Risk Management Programs. [See gao.gov/assets/680/671664.pdf.]
The most obvious correlation between these two sets of principles is 2013 COSO Framework principle 8 (The organization considers the potential for fraud in assessing risks for the achievement of objectives) and fraud risk management principle 2 (The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks). In addition, as the above exhibit displays, all of the 2013 COSO Framework and fraud risk management principles correlate and support each other.
Control Environment
Principle 1. The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Risk Assessment
Principle 2. The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Control Activities
Principle 3. The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Information & Communication
Principle 4. The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Monitoring Activities
Principle 5. The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.
The 2013 COSO Framework clarifies that for a system of internal control to be effective, each of its 17 principles is present,
functioning, and operating in an integrated manner.
This guide is intended to be supportive of and consistent with the 2013 COSO Framework and can serve as best practices
guidance for organizations to follow in performing a fraud risk assessment.
This rigorous approach results in an ongoing, comprehensive fraud risk management process as follows:

[Figure: fraud risk management process cycle; first step: Establish a fraud risk management policy as part of organizational governance]
This comprehensive approach recognizes and emphasizes the fundamental difference between internal control weaknesses resulting in errors and weaknesses resulting in fraud. This fundamental difference is intent. An organization that simply adds the fraud risk assessment to the existing internal control assessment may not thoroughly examine and identify possibilities for intentional acts designed to:

• Misstate financial information
• Misstate non-financial information
• Misappropriate assets

Implementing a specific and more focused fraud risk assessment as a separate fraud risk management process provides greater assurance that the assessment’s focus remains on intentional acts.

The comprehensive approach is also likely to result in a more robust and comprehensive assessment of fraud risk. It also provides the additional structure needed for comprehensive fraud risk management. If organizations use the more simplified approach (just performing the fraud risk assessment), they can combine those results with the 2013 COSO Framework’s results to yield more robust prevention and detection mechanisms.