The author of the most widely accepted framework for internal control over financial reporting in the United States has released a new guide meant to help companies better establish fraud risk management practices.
COSO, or the Committee of Sponsoring Organizations of the Treadway Commission, has published a guide that is intended to do more than just provide a road map to a fraud risk assessment. It gives suggestions on how to establish fraud risk governance policies, how to design and deploy controls to prevent and detect fraud, how to conduct an internal investigation, and how to monitor and evaluate a complete fraud risk management program. It is an update to a 2008 guide on managing fraud risk published by the American Institute of Certified Public Accountants, the Institute of Internal Auditors, and the Association of Certified Fraud Examiners.
The new fraud risk management guide will make a great deal of sense to those familiar with COSO’s 17 principles of internal control as defined and explained in COSO’s 2013 Internal Control -- Integrated Framework, or COSO’s Enterprise Risk Management framework that is being updated. COSO says users may notice “overlapping and interconnecting areas,” as fraud risk is similar to the risks addressed in those frameworks, but the new guide reaches further to encompass all areas of an enterprise and its operations where fraud could occur.
The guide advocates an ongoing cycle of activity to manage fraud risk comprehensively: establishing a fraud risk management policy, performing a fraud risk assessment, selecting and developing appropriate controls and reporting, and then monitoring the program so that the results inform subsequent fraud risk management activities.
COSO makes a point to call out the distinction between internal control issues that can result in errors compared with those that permit fraud to occur. “The fundamental difference is intent,” COSO says. “An organization that simply adds the fraud risk assessment to the existing internal control assessment may not thoroughly examine and identify possibilities for intentional acts designed to misstate financial information, misstate nonfinancial information, misappropriate assets, or perpetrate illegal acts or corruption.”
With fraud risk present in so many areas of the organization, the fraud risk management guide is meant for use by the many different parties who have a role in mitigating that risk, including board members and audit committee members, senior management, management at other levels in the organization, internal auditors, external auditors, other professional service providers, and even educators, COSO says.