Committee of Sponsoring Organizations of the Treadway Commission

Fraud Risk Management Guide


Principal Authors

David L. Cotton, CPA, CFE, CGFM
Chairman, Cotton & Company LLP

Sandra Johnigan, CPA/CFF, CFE
Owner, Johnigan, P.C.

Leslye Givarz, CPA
Technical Editor, Public Company Accounting Oversight Board (Retired)


COSO and ACFE thank each of the Fraud Risk Management Task Force and Advisory Panel members (see Page vii) for their generous contributions of time, resources and knowledge.

In particular, COSO and ACFE gratefully acknowledge David L. Cotton, Chair of the Fraud Risk Management Task Force, for his outstanding leadership and efforts toward the completion of this guide.

COSO Board Members

Robert B. Hirth, Jr.
COSO Chair

Douglas F. Prawitt, Ph.D., CPA
American Accounting Association

Charles Landes, CPA
American Institute of CPAs (AICPA)

Mitchell A. Danaher, CMA
Financial Executives International

Sandra Richtermeyer, Ph.D., CMA, CPA
Institute of Management Accountants

Richard F. Chambers, CIA, QIAL, CGAP, CCSA, CRMA
The Institute of Internal Auditors



American Accounting Association (AAA)

American Institute of CPAs (AICPA)

Financial Executives International (FEI)

The Institute of Management Accountants (IMA)

The Institute of Internal Auditors (IIA)

The COSO Board gratefully acknowledges David L. Cotton, Chair of the Fraud Risk Management Task Force, for his outstanding leadership and efforts toward the completion of this guide.

All organizations are subject to fraud risks. It is impossible to eliminate all fraud in all organizations. However, implementation of the principles in this guide will maximize the likelihood that fraud will be prevented or detected in a timely manner and will create a strong fraud deterrence effect.

The board of directors⁵ and top management and personnel at all levels of the organization — including every level of management, staff, and internal auditors — have responsibility for managing fraud risk. Particularly, they are expected to understand how the organization is responding to heightened risks and regulations, as well as public and stakeholder scrutiny; what form of Fraud Risk Management Program the organization has in place; how it identifies fraud risks; what it is doing to better prevent fraud, or at least detect it sooner; and what process is in place to investigate fraud and take corrective action. This Fraud Risk Management Guide (guide) is designed to help address these complex issues.

This guide recommends ways in which governing boards, senior management, staff at all levels, and internal auditors can deter fraud in their organization. Fraud deterrence is a process of eliminating factors that may cause fraud to occur. Deterrence is achieved when an organization implements a fraud risk management process that:

• Establishes a visible and rigorous fraud governance
• Creates a transparent and sound anti-fraud culture
• Includes a thorough fraud risk assessment periodically
• Designs, implements, and maintains preventive and detective fraud control processes and procedures
• Takes swift action in response to allegations of fraud, including, where appropriate, actions against those involved in wrongdoing

This guide provides implementation guidance that defines principles and points of focus⁶ for fraud risk management and describes how organizations of various sizes and types can establish their own Fraud Risk Management Programs. The guide includes examples of key program components and resources that organizations can use as a starting place to develop a Fraud Risk Management Program effectively and efficiently. In addition, the guide contains references to other sources of guidance to allow for tailoring a Fraud Risk Management Program to a particular industry or to government or not-for-profit organizations.

Each organization needs to assess the degree of emphasis to place on fraud risk management based on its size and


The guide also contains valuable information for users who are implementing a fraud risk management process. For example, it addresses fraud risk management roles and responsibilities, fraud risk management considerations for smaller organizations, data analytics employed as a part of fraud risk management, and managing fraud risk in the government environment.

Executive Summary | Fraud Risk Management

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.⁴

⁴ For purposes of this guide, the authors developed this practical definition. The authors recognize that many other definitions of fraud exist, including those developed by the Auditing Standards Board of the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, and the Government Accountability Office.

⁵ Throughout this guide, the terms board and board of directors refer to the governing or oversight body or those charged with governance of the organization.

⁶ Per COSO’s Internal Control — Integrated Framework (May 2013) (2013 COSO Framework), Relevant Principles represent fundamental concepts associated with components of internal control. Points of Focus are important characteristics of principles.

This rigorous approach results in an ongoing, comprehensive fraud risk management process as follows:

[Figure 1. Ongoing, Comprehensive Fraud Risk Management Process. A cycle of five steps: Establish a fraud risk management policy as part of …; Perform a fraud risk …; Select, develop and deploy preventive and detective fraud control activities; Establish a fraud reporting process and coordinated approach to investigation and corrective action; Monitor the fraud risk management process, report results and improve the process.]

This comprehensive approach recognizes and emphasizes the fundamental difference between internal control weaknesses resulting in errors and weaknesses resulting in fraud. This fundamental difference is intent. An organization that simply adds the fraud risk assessment to the existing internal control assessment may not thoroughly examine and identify possibilities for intentional acts designed to:

• Misstate financial information
• Misstate non-financial information
• Misappropriate assets
• Perpetrate illegal acts or corruption

Implementing a specific and more focused fraud risk assessment as a separate fraud risk management process provides greater assurance that the assessment’s focus remains on intentional acts.

The comprehensive approach is also likely to result in a more robust and comprehensive assessment of fraud risk. It also provides the additional structure needed for comprehensive fraud risk management. If organizations use the more simplified approach (just performing the fraud risk assessment), they can combine those results with the 2013 COSO Framework’s results to yield more robust prevention and detection mechanisms.

Use by Interested Parties

Board of Directors and Audit Committee
A well-performing and engaged board discusses with senior management the state of the entity’s Fraud Risk Management Program and provides oversight as needed. Senior management has overall responsibility for the design and implementation of a Fraud Risk Management Program, including setting the tone at the top that creates the culture for the entire organization. The board establishes policies and procedures explaining how the board provides oversight, including defining expectations about integrity and ethical values, transparency, and accountability for the implementation and operation of the Fraud Risk Management Program. Senior management informs the board of the residual risks of fraud from its fraud risk assessments, as well as any incidents of fraud or suspected fraud. The board challenges management and asks the tough questions, as necessary. It seeks input from internal auditors, independent auditors, external reviewers, and legal counsel and utilizes these resources as needed to investigate any issues.

Senior Management
Senior management assesses the entity’s Fraud Risk Management Program in relation to this Fraud Risk Management Guide, focusing on how the organization applies the five principles in support of its Fraud Risk Management Program. Further, they assess the entity’s fraud risk in compliance with principle 8 of the 2013 COSO

Other Management and Personnel
Managers and other personnel consider how they are conducting their responsibilities in light of this guide and discuss with more senior personnel ideas for strengthening fraud risk controls. More specifically, they consider how existing controls affect the relevant principles within the five components of fraud risk management, as well as principle 8 of the 2013 COSO Framework.

Internal Audit
Internal auditors review their internal audit plans and how the plans are applied to the entity’s Fraud Risk Management Programs in connection with implementation of this guidance. Internal auditors will review this guide and consider possible implications of changes to the entity’s fraud risk program on audit plans, evaluations, and any reporting on the entity’s fraud risk management and system of internal control.

Independent Auditors
In many situations, an independent auditor is engaged to audit or examine the effectiveness of the client’s internal control over financial reporting in addition to auditing the entity’s financial statements. The 2013 COSO Framework introduced principle 8: the organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditors can assess the entity’s implementation of that principle using this guide.

Other Professional Organizations
Other professional organizations providing guidance on fraud risk as it relates to operations, reporting, and compliance may consider their standards and guidance in comparison to the guide. To the extent diversity in concepts and terminology is eliminated, all parties benefit. With the presumption that the guide attains broad acceptance, its concepts and terms will find their way into university curricula.

