The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has been tackling fraud-fighting issues since it released its first report in 1987. COSO’s 2013 “Internal Control – Integrated Framework”—a revision and update of COSO’s 1992 version—contains a specific focus on fraud risk management, which became an explicit requirement for COSO followers. The 2013 framework includes (along with its three internal control objectives and five internal control components) 17 internal control principles. These principles represent the fundamental concepts associated with each component.


Organizations taken aback by principle 8. Principle 8 of COSO’s 2013 “Internal Control – Integrated Framework” is: The organization considers the potential for fraud in assessing risks to the achievement of objectives. In response to the 2013 COSO framework, organizations began trying to implement its new principles and seeking guidance on how to comply with principle 8. Many organizations — even those that had been conforming to the 1992 framework for 21 years — were taken aback by this new fraud addition. Since COSO’s roots were fraud-focused (the Treadway Commission Report was titled “The National Report on Fraudulent Financial Reporting,” after all), shouldn’t fraud risk have always been the central focus of the framework? Shouldn’t sound systems of internal control have protected organizations from fraud? Perhaps. It depends on how organizations view and implement the framework. It’s one thing to design a system of baseline controls to guard against unintentional errors and misstatements, such as installing checks and balances, using computer programs to ensure accuracy, requiring management approvals, segregating duties and pre-approving vendors. It’s a different matter, however, to design a system that protects against intentional misstatements and fraudulent transactions.


When organizations consider intent, controls designed to guard against unintentional errors or misstatements might no longer do the job. For example, it’s possible to deliberately circumvent checks and balances, surreptitiously alter computer programs, forge or evade managerial approvals, override the segregation of duties and add bogus vendors to an approved vendor list. It’s likely that many organizations following the 1992 COSO framework hadn’t specifically and explicitly considered fraud risk as part of their internal controls and that many of them assumed that baseline controls were more than sufficient. However, COSO principle 8 warrants that all organizations pause and reconsider the adequacy of their controls by asking a simple extra question with respect to every control: Is this control adequate if someone tries to intentionally override or circumvent it? Another, more important purpose of principle 8 is to prompt all well-run and forward-thinking organizations to address fraud risk in a more comprehensive and proactive manner.


Task force yields new COSO/ACFE guide. To meet the demand for more comprehensive guidance on fraud risk management, COSO and the ACFE formed a task force in January 2015. This 31-member task force’s mission was to update the 2008 publication “Managing the Business Risk of Fraud — A Practical Guide” (MBRF) to make it consistent with and supportive of the 2013 COSO framework. (In the earlier guide, the ACFE, Institute of Internal Auditors and the American Institute of CPAs explained how to establish a comprehensive fraud risk management program consisting of fraud risk governance, fraud risk assessments, fraud prevention and detection controls and an investigation and reporting process.) The task force completed its efforts by the end of 2015, and the “Fraud Risk Management Guide” was published in September 2016. In addition to aligning with the 2013 COSO Framework’s internal control components, the “Fraud Risk Management Guide” supports its five principles with numerous points of focus that also are consistent with those in the 2013 COSO framework.


Understand the five essential processes. The “Fraud Risk Management Guide” describes implementation of the five principles through five essential processes to protect stakeholder assets and interests from fraud risks.


1. Establish fraud risk governance policy. The commitment to implement the fraud risk management process will come from the highest organizational level—ideally, the governing board. It’s usually not difficult to convince a governing board to embrace and promote comprehensive fraud risk management. When an organization falls victim to fraud, board members almost always absorb most of the blame because of their governance responsibilities. Implementing the fraud risk management commitment then entails appointment of a champion to oversee the process. That person needs to be at a high enough organizational level to ensure that employees take the process seriously, have adequate resources and see it through to completion. The fraud risk governance policy establishes and documents the commitment to managing fraud risk; summarizes fraud control strategies; outlines the fraud risk management program; defines procedures for reporting fraud; establishes employment conditions; defines conflict of interest policies; establishes procedures for fraud investigation; sets forth an internal audit strategy; and explains the review, monitoring and feedback processes.


CPAFOCUS, May/June 2018

