No, COSO’s recently published Fraud Risk Management Guide is not mandatory, but there are some compelling reasons audit committees and compliance officers should study and consider it—perhaps most importantly because it could eventually become a de facto requirement.
COSO, the same collaborative organization that authored the Internal Control—Integrated Framework that provides the most widely accepted path to Sarbanes-Oxley compliance, has published the new fraud guide to elaborate on the 8th principle required under the internal control framework. That’s the principle that says the organization has considered the potential for fraud in assessing the risks to the achievement of objectives.
COSO updated its internal control framework in 2013, sending companies back into internal control documentation to assure they complied with the latest standards. It’s a slippery slope, as the fraud guide is just published, to assert it could fall under the internal control umbrella and become part of Sarbanes-Oxley compliance, but experts say it’s a possibility companies should not ignore.
So at the risk of creating a checklist, a tool that can raise eyebrows in audit circles these days, here is a list of seven reasons why companies should take a closer look at COSO’s new Fraud Risk Management Guide.
7. Companies with anti-fraud controls suffer lower losses under faster detection. The Association of Certified Fraud Examiners says in its 2016 Report to the Nation on occupational fraud and abuse that the presence of anti-fraud controls correlates with lower fraud losses and earlier detection of fraud schemes. Losses in the latest report were 14 percent to 54 percent lower where organizations had specific anti-fraud controls in place, and frauds were detected 33 percent to 50 percent more quickly, the report says. An earlier 2015 global fraud report says as many as three-fourths of all companies fell victim to fraud in some fashion in the past year.
6. The guide represents the latest thinking and technology around how to combat fraud. COSO’s new fraud guide is an update of the 2008 Managing the Business Risk of Fraud guide, providing a more modern approach to how to detect and prevent fraud, says Chuck Landes, vice president at the American Institute of Public Accountants. “It’s been updated to reflect a lot of new anti-fraud techniques that fraud examiners are using these days,” including fast-developing new technology such as data analytics, he says.
“There’s a lot of efficiency in having all those groups and all those functions involved in producing this one guide. We’re all rowing in the same boat.”
Bob Hirth, Chair, COSO
5. The new guide represents a united front, produced by several different organizations that approach the issue from different angles. COSO is sponsored by five different organizations, including the AICPA, the Institute of Internal Auditors, Financial Executives International, the Institute of Management Accountants, and the American Accounting Association. The ACFE participated heavily in producing the new guide with COSO, capturing the entire financial reporting chain, says COSO Chair Bob Hirth. “There’s a lot of efficiency in having all those groups and all those functions involved in producing this one guide,” he says. “We’re all rowing in the same boat.”
4. It’s not just for big companies. The guide is nearly 150 pages in length, but that doesn’t mean every page applies to every organization or every circumstance. “Tremendous efforts have been made to make the guidance scalable,” says Toby Bishop, an independent forensic accountant with a Big 4 background, who participated on the COSO task force that helped produce the guide. “Even the smallest organizations can implement it, so they can take advantage of the sophistication of best practices, but without having to produce telephone-book-size documentation to support it.”
3. The interactive tools and templates are pretty cool. Companies don’t have to buy the complete guide to do the simplest, high-level assessment of their fraud risk to get a sense of where they may have weaknesses. Interactive scorecards assess existing components of a company’s current fraud risk management approach to expose holes. An interactive tool summarizes and explains the various data analytics tests that can be integrated into a company’s fraud approach. Ready-to-use spreadsheets help set up a risk assessment, a follow-up action plan, and documentation.
FRAUD GUIDE’S RELATIONSHIP TO INTERNAL CONTROL FRAMEWORK
Tammy Whitehouse asked the experts whether the new fraud guide would eventually come to be regarded a baseline or a requirement in complying with COSO’s 2013 internal control framework. A response is below:
The guide does not offer any new requirements. It does, however, provide information, clarity, tools and guidance related to complying with the fraud related principles in the 2013 COSO framework, particularly principle 8, which requires organizations to consider the potential for fraud in assessing the risks associated with achieving their objectives. The impact of the guide will vary, and it will be dependent on how rigorously organizations previously considered fraud when performing risks assessments and designing and implementing relevant controls.
While auditors will likely want to understand how management considered the guide when reviewing an organization’s annual risk assessment, the guide’s primary benefit is that it will serve as a great reference source that will provide information and tools to assist management in strengthening its internal controls related to fraud; it will get management (and auditors) more granularly focused on specific fraud schemes that could confront the organization; and it will help organizations design more comprehensive fraud risk management programs.
—Paul Drogosch, Senior Consultation Partner, Office of Accounting Services, Deloitte
Sandra Johnigan, another independent forensic accountant with a Big 4 background, says she’s encouraging skeptics to at least complete the initial scorecards to assess the current fraud program. “If you come up green all around, great,” she says. “If you have a lot of yellow and red, maybe you need to step back and think about doing more of a program, than you thought you needed to do.”
2. The external audit of financial statements could be more efficient. Johnigan believes it’s possible auditors who dig into a company’s internal control environment and see controls in place inspired by the fraud guide will consider that in planning their audits and selecting controls to test. “Obviously, the stronger the control environment you have, the more identifiable your prevention and detection controls are that you can assess, and the more you can rely on them if they are effective,” she says. “That’s the way risk assessments work, both from the audit perspective and the company perspective.”
1. Auditors might even regard the new fraud guide as an extension of the COSO internal control framework. Here’s where the slope to a possible de facto requirement starts to get slick. Companies that adopted COSO’s internal control framework as updated in 2013 may have hit some rough patches with auditors in asserting compliance with the 8th principle that explicitly addresses the risk of fraud.
It became clear during implementation, says Bishop, that companies and auditors needed more specific guidance on how to address fraud risk under the updated approach to internal control. “Fraud specialists were seeing what is politely called a wide diversity of practice,” he says. “Other people might consider it a scary nightmare if you believe in preventing fraud. Bringing greater consistency and quality to the implementation of fraud deterrence and detection was a huge need.”
Bruce Dorris, vice president and program director at ACFE, says he not only believes it’s possible auditors will expect companies to follow the new guidance, but he expects it. The guide is designed to expand on the fraud aspect of the internal control framework, he says. That’s the same framework companies are widely expected to follow to comply with Sarbanes-Oxley.
“It certainly opens the door to what best practices are” in terms of companies asserting they have controls in place to address fraud risk, says Dorris. “It’s going to open up a dialogue between audit, compliance, and management.”
Timothy Hedley, a partner in fraud risk management services at KPMG who was not involved in the development of the new guide, says it's too soon to say whether auditors will expect companies to incorporate the new guidance into their internal control environment for SOX reporting purposes. “We like to see companies do as much as possible with respect to mitigating the risk of fraud and other types of misconduct, but the way we conduct audits is driven by professional standards and the expectations of the Public Company Accounting Oversight Board,” he says.