COSO Fraud Risk Management Guide

NSAC TFACC 2017, August 7, 2017, Salt Lake City, UT


Page 1

COSO Fraud Risk Management Guide

NSAC TFACC 2017, August 7, 2017

Salt Lake City, UT

Page 2

Instructors

Phil Miller, NSAC Asst. Education Director

[email protected]

Bill Erlenbush, NSAC Education Director

[email protected]

Page 3

Discussion Topics

COSO History

COSO Integrated Framework

COSO Fraud Risk Management Guide

Fraud Risk Management Principles 1-5

Users of the Guide

Resource Information

Page 4

COSO Mission

Develop comprehensive guidance on:

Enterprise risk management

Internal Control

Fraud Deterrence

Improving Organizational Performance

Improving Governance

Reducing the Extent of Fraud

Page 5

COSO History

COSO was organized in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the SEC and other regulators, and for educational institutions.

Page 6

COSO History

The National Commission was sponsored jointly by five major professional associations headquartered in the United States:

American Accounting Association (AAA)

American Institute of Certified Public Accountants (AICPA)

Financial Executives Institute (FEI)

Institute of Internal Auditors (IIA)

National Association of Accountants – now the Institute of Management Accountants (IMA)

Page 7

COSO History

The first chairman of the National Commission was James C. Treadway, Jr., Executive Vice President and General Counsel, Paine Webber Incorporated, and a former Commissioner of the U.S. Securities and Exchange Commission. Hence, the popular name "Treadway Commission." Currently, the COSO Chairman is Robert Hirth.

Page 8

COSO History

Operating Policies:

COSO is a committee of five sponsoring organizations whose representatives come together periodically to work on specific projects. COSO's projects are undertaken, reviewed and finalized in accordance with policies agreed to by the sponsoring organizations.

Page 9

COSO History

Key COSO Publications:

1992 – Internal Control-Integrated Framework

1996 – Internal Control Issues in Derivatives Usage

2006 – Internal Control over Financial Reporting – Guidance for Smaller Public Companies

2009 – Guidance on Monitoring Internal Control Systems

2013 – Framework revised and reissued

2016 – Fraud Risk Management Guide

Page 10

Original Treadway Commission Report

• First Published in 1992

• Gained wide acceptance with financial control failures in the early 2000's

• Recognized for designing, implementing, and conducting internal control

Page 11

Revised Framework

Published in 2013

Added 17 principles to add clarity in designing, implementing, and understanding requirements for an effective internal control system

These 17 principles align with the 5 internal control components in the original

Page 12

COSO 17 Principles – The Control Environment

1. A commitment to integrity and ethical values

2. Board independence from management

3. Management structures, reporting lines, and appropriate authorities and responsibilities

4. A commitment to hire competent employees

5. Individuals held accountable for internal control responsibilities.

Page 13

COSO 17 Principles – Risk Assessment

6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks.

7. The organization identifies risks and analyzes risks as a basis for determining how risks should be managed.

8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9. The organization identifies and assesses changes that could significantly impact the system of internal control.

Page 14

COSO 17 Principles – Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Page 15

COSO 17 Principles – Information & Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.

Page 16

COSO 17 Principles – Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.

Page 17

COSO Fraud Risk Management Guide

This publication, Fraud Risk Management Guide (Guide), is intended to be supportive of and consistent with the 2013 Framework and can serve as best practices guidance for organizations to follow.

This guide is designed to be familiar to COSO Framework users. It contains principles and points of focus. This guide's five principles are consistent with the five COSO Internal Control Components and the 17 COSO principles.

Page 18

Definition of Fraud

Fraud is defined as:

"Any intentional act or omission to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain."

Page 19

Fraud Deterrence

Deterrence is achieved when an organization implements a fraud risk management process that:

Establishes a visible and rigorous fraud governance process

Creates a transparent and sound anti-fraud culture

Includes a thorough fraud risk assessment periodically

Designs, implements, and maintains preventative and detective fraud control processes and procedures

Takes swift action in response to allegations of fraud, including, where appropriate, actions against those involved in the wrongdoing

Page 20

COSO Fraud Risk Management Guide

For organizations desiring to establish a comprehensive approach to managing fraud risk, this guide includes guidance on establishing an overall Fraud Risk Management Program including:

Establishing fraud risk governance policies

Performing a fraud risk assessment

Designing and deploying fraud preventive and detective control activities

Conducting investigations, and

Monitoring and evaluating the total fraud risk management program

Page 21

Ongoing Comprehensive Fraud Risk Management Process

Establish a fraud risk management policy as part of organizational governance

Perform a comprehensive fraud risk assessment

Select, develop, and deploy preventive and detective fraud control activities

Establish a fraud reporting process and coordinated approach to investigation and corrective action

Monitor the fraud risk management process, report results, and improve the process

Page 22

Fraud Risk Management Principles

Principle No. 1 – Fraud Risk Governance:

The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Page 23

Fraud Risk Management Principles

Principle No. 1 – Fraud Risk Governance – the Importance of Ethics:

Effective boards and organizations address issues of ethics and the effects of ethical behavior on business strategy, operations, and long-term survival. The level of board and organizational commitment to these objectives varies widely and directly affects the fraud risk tolerance of an organization.

Page 24

Fraud Risk Management Principles

Principle No. 1 – Fraud Risk Governance – the Tone at the Top:

One of the most important elements of effective fraud risk management is the "Tone at the Top" of the organization. Organization leadership has a responsibility to lead by example to ensure that all personnel and all business partners understand that the organization is serious about promoting ethical behavior and is committed to deterring, preventing, and detecting fraud.

Page 25

Fraud Risk Management Principles

Principle No. 2 – Fraud Risk Assessment:

The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Page 26

Fraud Risk Management Principles

Principle No. 2 – Fraud Risk Assessment – Involve Appropriate Levels of Management:

Before conducting a risk assessment, senior management identifies a risk management team. The team should include individuals from throughout the organization with different knowledge, skills, and perspectives. In addition, the risk assessment relies on a combination of internal and external resources.

Page 27

Fraud Risk Management Principles

Principle No. 2 – Fraud Risk Assessment – Considers Various Types of Fraud:

To ensure a comprehensive assessment of potential fraud risks impeding an organization based on its identified objectives, management considers various types of fraud that can be committed against or by the organization.

Page 28

Fraud Risk Management Principles

Principle No. 3 – Fraud Control Activity:

The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Page 29

Fraud Risk Management Principles

Principle No. 3 – Fraud Control Activity – the Importance of Documentation:

Fraud control activities are documented with descriptions of the identified fraud risk and scheme, the fraud control activity that is designed to mitigate the fraud risk, and the identification of those responsible for the fraud control activity.

Page 30

Fraud Risk Management Principles

Principle No. 3 – Fraud Control Activity – Fraud Preventive Controls:

A fraud preventive control is a control activity designed to avoid a fraudulent event or transaction at the time of initial occurrence. Such control activities are specific processes and procedures designed to help eliminate the causes of fraud from occurring.

Page 31

Fraud Risk Management Principles

Principle No. 3 – Fraud Control Activity – Fraud Detective Controls:

A fraud detective control is a control activity designed to discover a fraudulent event or transaction after the initial processing has occurred. Such control activities are specific processes and procedures designed to identify attempted or existing frauds in a timely manner, thereby limiting the effects of any fraud that circumvents the organization's preventive controls.

Page 32

Fraud Risk Management Principles

Principle No. 4 – Fraud Investigation and Corrective Action:

The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Page 33

Fraud Risk Management Principles

Principle No. 4 – Fraud Investigation and Corrective Action – "Say Something if You See Something":

It is essential that any reasonably suspected or known violation, deviation, or other breach of the code of conduct, fraud, or corruption be communicated internally and dealt with in a timely and effective manner, regardless of where in the organization these occur or by whom these are committed.

Page 34

Fraud Risk Management Principles

Principle No. 4 – Fraud Investigation and Corrective Action – Conduct Investigations:

An investigation team establishes the investigation tasks as outlined in an investigation work plan and assigns each task to the appropriate team members. The plan prioritizes the performance of tasks to provide reports of findings. The investigation team considers legal issues and constraints in dealing with employees and third parties, obtains relevant information, and develops related documentation.

Page 35

Fraud Risk Management Principles

Principle No. 4 – Fraud Investigation and Corrective Action – Communicate Results:

Reports of investigations are delivered to the individuals overseeing the investigation (e.g., legal counsel, CEO, board chair, directors, senior management) who ultimately will decide on the specific disciplinary or other actions to be taken. The investigation report has to be accurate, clear, and impartial. It presents only relevant facts and is timely in its preparation and delivery.

Page 36

Fraud Risk Management Principles

Principle No. 5 – Fraud Risk Management Monitoring Activities:

The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

Page 37

Fraud Risk Management Principles

Principle No. 5 – Fraud Risk Management Monitoring Activities – "Why," "Who," "Where," "What's Next"?:

Ongoing evaluations are generally routine processes that monitor a control activity on a real-time basis. A plan that targets the organization's areas of highest fraud risk assists the organization in managing an ongoing evaluation of the five principles of fraud risk management.

Page 38

Users of the Guide

Board of Directors:

Provides oversight

Defines expectations

Challenges Management / asks tough questions

Seeks input from internal auditors, independent auditors, external reviewers, and legal counsel and utilizes these resources as needed to investigate any issues.

Page 39

Users of the Guide

Senior Management:

Assesses the entity's Fraud Risk Management Program in relation to this Fraud Risk Management Guide, focusing on how the organization applies the five principles in support of its Fraud Risk Management Program. Further, they assess the entity's fraud risk in compliance with principles of the 2013 COSO Framework.

Page 40

Users of the Guide

Other Management and Personnel:

Consider how they are conducting their responsibilities in light of this guide and discuss with more senior personnel ideas for strengthening fraud risk controls. More specifically, they consider how existing controls affect the relevant principles within the five components of fraud risk management, as well as principles of the COSO Framework.

Page 41

Users of the Guide

Internal Audit:

Review their internal audit plans and how the plans are applied to the entity's Fraud Risk Management Programs in connection with implementation of this guidance. Internal auditors will review this guide and consider possible implications of changes to the entity's fraud risk program on audit plans, evaluations, and any reporting on the entity's fraud risk management and system of internal control.

Page 42

Users of the Guide

Independent Auditors:

In many situations, an independent auditor is engaged to audit or examine the effectiveness of the client's internal control over financial reporting in addition to auditing the entity's financial statements. The 2013 COSO Framework introduced principle 8: the organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditors can assess the entity's implementation of that principle using this guide.

Page 43

Users of the Guide

Other Professional Organizations:

Those providing guidance on fraud risk as it relates to operations, reporting, and compliance may consider their standards and guidance in comparison to the guide. To the extent diversity in concepts and terminology is eliminated, all parties benefit.

Page 44

Users of the Guide

Educators:

With the presumption that the guide attains broad acceptance, its concepts and terms will find their way into university curricula.

Page 45

COSO Fraud Risk Management Guide – Valuable Appendices

The Guide contains some 60 pages of appendices. These appendices contain valuable templates, samples, examples, and tools to assist users in implementing the guide's best practices. Included are: glossary of terms, sample fraud control policy frameworks, listings of fraud risk exposures, sample surveys, reference materials, and sample scorecards for risk governance, risk assessment, fraud control activities, fraud investigations, risk management monitoring, and fraud corrective actions.

Page 46

COSO Fraud Risk Management Guide – to Buy a Copy

To buy a copy of the Guide, go to The Institute of Internal Auditors website Bookstore: $55.20 for members, $69.00 for non-members, at www.theiia.org.

Page 47

Resources

Committee of Sponsoring Organizations (COSO): www.coso.org

Institute of Internal Auditors (IIA): www.theiia.org

Association of Certified Fraud Examiners (ACFE): www.acfe.com

Page 48

COSO Fraud Risk Management Guide

Questions???