
©2016

THE ACFE-COSO FRAUD RISK MANAGEMENT FRAMEWORK

COSO revised its Internal Control Framework (ICF) in 2013, adding 17 important principles. COSO Principle 8 states, "The organization considers the potential for fraud in assessing risks to the achievement of objectives." All publicly traded U.S. companies follow the COSO ICF. This session will explain the new ACFE- and COSO-sponsored Fraud Risk Management Guide that can be used to comply with Principle 8.

DAVID COTTON, CFE, CPA, CGFM
Chairman
Cotton & Company LLP

Dave Cotton is chairman of Cotton & Company LLP, Certified Public Accountants. Cotton & Company is headquartered in Alexandria, Virginia. The firm was founded in 1981 and has a practice concentration in assisting federal and state government agencies, inspectors general, and government grantees and contractors with a variety of government-program-related assurance and advisory services. Cotton is presently serving on the AICPA's Performance Audit Standards Task Force and chairs the Fraud Risk Management Task Force, sponsored by COSO and the ACFE. He has testified as an expert in governmental accounting, auditing, and fraud issues before the U.S. Court of Federal Claims and other administrative and judicial bodies.

"Association of Certified Fraud Examiners," "Certified Fraud Examiner," "CFE," "ACFE," and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of this paper may not be transmitted, republished, modified, reproduced, distributed, copied, or sold without the prior consent of the author.

THE ACFE-COSO FRAUD RISK MANAGEMENT FRAMEWORK

27th Annual ACFE Global Fraud Conference ©2016

A significant fraud was discovered in 2012. A trusted and long-term employee embezzled more than $53 million from her employer. Sounds like a lot of money. But, when you put her fraud into perspective, it's a WHOLE lot of money. She stole $53.8 million from an organization with a $17 million annual budget. Could your organization survive such a fraud?

Rita Crundwell was the comptroller of the small Illinois town of Dixon from 1981 until the fall of 2012. People in Dixon thought she was a saint. She was, they thought, independently wealthy as a result of her successful horse-breeding business. Despite her wealth (she had a ranch and stables with more than 400 show horses, a spacious home, and traveled to horse shows around the country in a luxurious $2 million motor coach), she continued to report to the town hall every day to help the struggling small town manage its finances. Ironically, she was, in fact, very wealthy. But the wealth came not from her successful horse-breeding business. The successful horse-breeding business—and her wealth—came from the money embezzled from Dixon. Because of Rita's stealing, Dixon could not give raises to employees, hire new employees, upgrade equipment, or even repave Main Street.

After her fraud was discovered (Rita got careless and another town employee discovered the bogus account that Rita had set up and through which she was stealing millions), Dixon spent another $10 million in legal fees, but ultimately recovered about $50 million through sales of Rita's assets and settlements with accounting firms and the bank. On a net basis, Dixon was "only" out about $14 million—almost a year's worth of the town's budget. Perhaps the greater damage, though, was to the small town's sense of trust. How could someone everyone had known all her life do so much damage to her friends and neighbors?

If you are thinking, "well, that's government for you; everyone knows that there's fraud in government; something like that could not happen to a well-managed private-sector organization," let me tell you about Oral Suer. Oral was the long-serving executive director of the United Way of the National Capital Area (UWNCA) and had built that charitable fundraising organization to annual revenues of $91 million by 2001. In 2002, Suer pleaded guilty to misappropriating about $500,000 over a six-year period, or about $83,000 per year. The auditors were quick to point out that $83,000 was "not material" to a $91 million entity.

Suer's fraud was not material if you only focus on quantitative materiality. In terms of qualitative materiality, however, the story was quite different. The UWNCA's revenues dropped from $91 million in 2001 to $19 million in 2002. (Donors contributing a few hundred dollars a year simply—and justifiably—concluded that there were better places to put their hard-earned money.) Could your organization survive such a revenue reduction?

What allows such frauds to happen? In my view, a leading cause is the attitude that most organizations have that "it can't happen here." That's certainly what Dixon, Illinois, and UWNCA thought.

These and similar tragedies can be prevented. Well-run organizations need to make a commitment to protecting stakeholder assets. Fortunately, there is guidance for such forward-thinking organizations to follow. The process is not expensive and it has benefits beyond protecting assets and reputations.

In 2008, the Association of Certified Fraud Examiners (ACFE), Institute of Internal Auditors (IIA), and American Institute of Certified Public Accountants (AICPA) published Managing the Business Risk of Fraud: A Practical Guide (MBRF). MBRF explained how to establish a comprehensive fraud risk management program. It set forth the following five principles:

Principle 1: As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

The overall process is displayed in the following graphic.

MBRF set forth detailed guidance for implementing these principles. Many organizations around the country embraced MBRF and used it to implement anti-fraud programs and controls.

The COSO Internal Control Framework and Fraud Risk Management

COSO is the Committee of Sponsoring Organizations of the Treadway Commission.1 (The Treadway Commission issued its Report of the National Commission on Fraudulent Financial Reporting in 1987, but COSO continued to operate and focused its efforts on improving internal controls and managing enterprise risk.) COSO issued its initial Internal Control—Integrated Framework (Framework) in 1992. The Framework quickly became the best-practice roadmap for designing, implementing, and maintaining a system of internal control. All publicly traded companies in the United States and most forward-thinking non-public companies, not-for-profit organizations, and academic institutions also adhere to the COSO Framework.

1 The COSO member organizations are the American Accounting Association, American Institute of Certified Public Accountants, Financial Executives International, The Association of Accountants and Financial Professionals in Business, and The Institute of Internal Auditors.

In 2013, COSO updated the Framework to include (along with its three internal control objectives and five internal control components) 17 internal control principles. These principles represent the "fundamental concepts associated with each component."

COSO Framework Principle 8 is:

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

As soon as the 2013 Framework was issued and organizations began trying to implement these new principles, organizations began seeking guidance on how to comply with Principle 8.

Many organizations—even those who had been conforming to the Framework for 21 years—were taken aback by this new fraud addition. Since COSO's roots were fraud-focused (the Treadway Commission's report was titled Report of the National Commission on Fraudulent Financial Reporting, after all), shouldn't fraud risk have always been the central focus of the Framework? Shouldn't a sound system of internal control protect an organization from fraud? Perhaps. It depends on how the Framework was viewed and implemented by a given organization.

It's one thing to design a system of controls to guard against unintentional errors and misstatements: install checks and balances, use computer programs to assure accuracy, require management approvals, segregate duties, pre-approve vendors, and so forth.

It's a different matter, however, to design a system that protects against intentional misstatements and fraudulent transactions. When intent is considered, controls designed to guard against unintentional errors or misstatements may no longer do the job: checks and balances can be deliberately circumvented, computer programs can be surreptitiously altered, managerial approvals can be forged, collusion can override segregated duties, bogus vendors can be added to an approved vendor list, and so forth.

It is likely that many organizations following the COSO Framework had already specifically and explicitly considered fraud risk as part of their internal controls. Many organizations, however, likely assumed that baseline controls—checks and balances, computer controls, managerial approvals, duties segregation, vendor approvals, and so forth—were more than sufficient.

COSO Principle 8 should cause all organizations to pause and reconsider the adequacy of their controls by now asking a simple extra question with respect to every control: Is this control adequate if someone tries to intentionally override or circumvent it?

Better still, the establishment of Principle 8 should cause all well-run and forward-thinking organizations to address fraud risk in a more comprehensive manner.

The NEW ACFE/COSO Fraud Risk Management Guide

To meet the demand for more comprehensive guidance on fraud risk management, the ACFE and COSO formed a task force in January 2015. This 25-member task force's mission was to update MBRF and make it consistent with the 2013 COSO Internal Control Framework. The task force completed its efforts by the end of December 2015, and this new guide is expected to be published by May 2016. Following that, the guide will be vetted by COSO through a public exposure and comment process, after which it will be modified (if necessary) and reissued as a third COSO Framework.

The new guidance will be similar to the MBRF process, but with slightly modified principles, as shown in the following graphic.

In addition to aligning with the COSO internal control components, as shown, these five principles are supported by numerous points of focus, consistent with the COSO Internal Control Framework.

An organization committed to protecting stakeholder assets and interests from fraud risks will carry out the following processes.

Establishing a Fraud Risk Governance Policy

The commitment to implement the process needs to come from the highest organizational level—ideally, the governing board. It is usually not difficult to convince a governing board to embrace and promote comprehensive fraud risk management: when an organization falls victim to fraud, board members almost always absorb much or most of the blame. Implementing the fraud risk management commitment then entails appointment of a champion to oversee the process. That person needs to be at a high enough organizational level to ensure that employees take the process seriously, have adequate resources, and see it to completion.

The fraud risk governance policy establishes and documents the commitment to managing fraud risk; summarizes fraud control strategies; outlines the fraud risk management program; defines procedures for reporting fraud; establishes employment conditions; defines conflict of interest policies; establishes procedures for fraud investigation; sets forth an internal audit strategy; and explains the review, monitoring, and feedback process.

Good news here: you do not need to develop a fraud risk governance policy from scratch. The guide contains a "Sample Framework for a Fraud Control Policy" and a "Sample Fraud Control Policy" that can be adapted to your organization.

Assessing Fraud Risk

This step is the most important fraud risk management step, because it establishes the baseline for succeeding steps. A fraud risk assessment team needs to be assembled. It should consist of employees from all parts of the organization—not just financial management and accounting personnel, but also operations personnel. The fraud risk assessment team then meets to carry out a comprehensive brainstorming2 process. The goal is to think of every possible way that fraud could happen to or within the organization. The brainstorming process—if done correctly—may take many meetings over several weeks' time. On the plus side, this process is educational and can be fun.

2 Brainstorming is "a group problem-solving technique that involves the spontaneous contribution of ideas from all members of the group; also: the mulling over of ideas by one or more individuals in an attempt to devise or find a solution to a problem" (www.merriam-webster.com).

The documentation of the results of the risk assessment will look like this:

The goal is to fill out that first column as thoroughly as possible: if you do not develop a long list of potential fraud vulnerabilities and schemes, you probably need to keep brainstorming. (Every time you read or hear about some other organization being victimized by a fraud, you should ask yourself, "Could that happen to us?" If you've already done your initial fraud risk assessment and then hear or read about a fraud scheme, check to see if that scheme is in your risk assessment.)

More good news here. The guide contains a pretty comprehensive list of the most common fraud schemes. That list can serve as a good starting point for the risk assessment process.

Once you complete the first column, the likelihood (what are the chances that this might happen?) and significance (if this happens, how much damage will it cause?) of each potential fraud scheme needs to be assessed. In assessing significance, it's important to think not just in monetary terms. Reputational damage is often a greater consideration, especially for tax-exempt, academic, and governmental organizations.

Once likelihood and significance are assessed for each possible fraud vulnerability, a heat map can be created, such as the following:

Every organization has its own tolerance for risk. One organization may decide that it can ignore low-likelihood-low-significance potential frauds (and thus not put controls in place), while another might want controls for every possible fraud.

Completing the fraud risk assessment documentation then entails:

- Identifying who might be involved in each possible fraud scheme or exposure
- Identifying any existing anti-fraud control procedures already in place with respect to each fraud scheme or exposure
- Assessing the effectiveness of each existing control procedure
- Determining the residual risk after considering the effectiveness of existing controls
- Deciding on the fraud risk response where residual risk exists

The "Fraud Risk Response" column is the trigger for the next steps in the process: wherever there are residual risks, we will need additional prevention or detection controls; or perhaps, both.

Designing and Implementing Fraud Control Activities

Fraud prevention control procedures are designed to stop a fraud before it happens. These can include things like segregation of duties, requiring higher-level approvals, or better physical security over assets. Prevention control procedures do not need to be complex or expensive to be effective. (If the town of Dixon had simply instructed the bank to no longer send monthly bank statements directly to Rita, her fraud would have been halted in its tracks.)

The key in designing prevention control activities is to work from the fraud risk assessment documentation and assiduously devise the most cost-effective controls that should prevent each type of fraud. Your internal auditors can be effective at designing these controls. If you are too small to have an internal audit staff, you might need to retain an accountability professional to help in that part of the process.

Fraud detection control activities are designed to identify any frauds that happen as soon as possible after they happen. If you detect frauds quickly, they cannot grow to become catastrophic. (As a colleague of mine always says, "there are no such things as small frauds, just frauds that haven't matured yet.")

If you did a great job designing prevention controls, do you need detection controls? Good question. There are two reasons you need detection control procedures even if you think you did a great job designing prevention control procedures.

First, it is simply impossible to think of every possible fraud scenario that might occur—fraud perpetrators are clever, resourceful, and sometimes desperate enough to take foolish chances.

Second (and perhaps more important), prevention controls can come with a cost—not just the cost of the procedure itself, but also a cost in terms of operational disruption. Let's say, for example, that you have a retail clothing business. You know that shoplifting can erode your profits, so you decide to put prevention controls in place to stop shoplifting. You require all shoppers to check their shopping bags and purses at the door when they enter the store and, just to make doubly sure, you install closed-circuit TV cameras in all of the dressing rooms. You will definitely stop the shoplifting—because you will quickly lose all of your customers and go out of business.

So, you need to allow for the fact that your prevention controls will not stop every fraud scheme. You need to put detection controls in place that will detect each possible fraud scheme in your fraud risk assessment if it happens.

While most prevention controls are in the open and visible for employees and stakeholders to see, the most effective detection control procedures are usually covert—they operate quietly in the background and are known only to a small group of people.

Because every organization now has electronic records, data analytic control procedures can be the least costly and most effective detection controls you can implement. Let's say that one of your fraud concerns is that an employee might set up a phony vendor and process payments to that phony vendor. You can easily set up a data analytic process that periodically compares your employee database and your vendor database and identifies any matching names, addresses, phone numbers, bank routing numbers, and so forth. That should identify any bogus vendors as soon as they are set up. (And you can see why it is important that such control procedures must be covert.)
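As an added, worked illustration of the employee-to-vendor comparison just described (this is example code written for this edited page; it is not code from the paper, from the ACFE/COSO guide, or from Cotton & Company), the following Python script indexes a constructed HR master file by normalized name, address, phone number, and bank routing-plus-account number, then looks each vendor record up against that index. The field layouts and every record are constructed sample data; in practice the two files would be extracted from the HR and accounts-payable systems. It goes slightly beyond the paragraph in two ways a practitioner would want: it normalizes each field before comparing, because a perpetrator will vary capitalization, punctuation, and street abbreviations between the two records, and it matches on routing plus account number rather than the routing number alone, since every customer of the same bank shares a routing number.

```python
"""Employee-to-vendor master data matching, the detection analytic the paper
describes. Added example; not code from the paper or the ACFE/COSO guide.
Field names and every record below are constructed sample data."""
import re

# Constructed HR master records. The field layout is an assumption.
EMPLOYEES = [
    {"id": "E100", "name": "Rita Example",
     "address": "123 Main St., Apt 4, Dixon, IL 61021",
     "phone": "(815) 555-0101", "routing": "071000013", "account": "123456789"},
    {"id": "E101", "name": "John Q. Public",
     "address": "77 Oak Avenue, Dixon IL 61021",
     "phone": "815-555-0199", "routing": "071000013", "account": "987654321"},
    {"id": "E102", "name": "Ada Lovelace",
     "address": "9 King Rd, Sterling, IL 61081",
     "phone": "815.555.0133", "routing": "071000039", "account": "555000111"},
]

# Constructed AP vendor master records. "created" is an ISO date string so a
# periodic run can restrict itself to vendors added since the previous run.
VENDORS = [
    {"id": "V2001", "name": "Prairie Capital Services LLC",
     "address": "123 MAIN STREET APT 4 DIXON IL 61021",
     "phone": "8155550101", "routing": "071000013", "account": "123456789",
     "created": "2016-05-02"},
    {"id": "V2002", "name": "Acme Office Supply",
     "address": "500 Commerce Pkwy, Rockford, IL 61101",
     "phone": "815-555-0150", "routing": "071000505", "account": "444222111",
     "created": "2015-11-03"},
    {"id": "V2003", "name": "J. Q. Public Services",
     "address": "PO Box 18, Dixon, IL",
     "phone": "+1 (815) 555-0199", "routing": "071000288", "account": "222333444",
     "created": "2016-05-04"},
]

_ADDR_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "drive": "dr",
                "parkway": "pkwy", "apartment": "apt", "suite": "ste"}


def norm_text(s: str) -> str:
    """Lowercase, turn punctuation into spaces, collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", s.lower()).split())


def norm_address(s: str) -> str:
    """norm_text plus abbreviation of common street words, so that
    '123 Main St., Apt 4' and '123 MAIN STREET APT 4' compare equal."""
    return " ".join(_ADDR_ABBREV.get(t, t) for t in norm_text(s).split())


def norm_phone(s: str) -> str:
    """Digits only; keep the last ten so a leading country code does not
    defeat the match."""
    return re.sub(r"\D", "", s)[-10:]


def norm_bank(routing: str, account: str) -> str:
    """Routing AND account number together. A routing number alone is shared
    by every customer of that bank, so matching on it alone is mostly noise."""
    return re.sub(r"\D", "", routing) + ":" + re.sub(r"\D", "", account)


# Attribute name -> function deriving the comparison key from a record.
ATTRIBUTES = {
    "name": lambda r: norm_text(r["name"]),
    "address": lambda r: norm_address(r["address"]),
    "phone": lambda r: norm_phone(r["phone"]),
    "bank_account": lambda r: norm_bank(r["routing"], r["account"]),
}


def build_employee_index(employees):
    """One dict per attribute: normalized key -> list of employee ids."""
    index = {attr: {} for attr in ATTRIBUTES}
    for emp in employees:
        for attr, key_fn in ATTRIBUTES.items():
            key = key_fn(emp)
            if key:  # skip blank fields so empty strings never collide
                index[attr].setdefault(key, []).append(emp["id"])
    return index


def find_vendor_employee_matches(employees, vendors, created_since=None):
    """Return sorted (vendor_id, employee_id, [matched attributes]) triples.
    created_since (ISO date string) limits the run to newly added vendors."""
    index = build_employee_index(employees)
    hits = {}
    for vendor in vendors:
        if created_since and vendor["created"] < created_since:
            continue
        for attr, key_fn in ATTRIBUTES.items():
            for emp_id in index[attr].get(key_fn(vendor), []):
                hits.setdefault((vendor["id"], emp_id), []).append(attr)
    return sorted((v, e, attrs) for (v, e), attrs in hits.items())


if __name__ == "__main__":
    for vendor_id, emp_id, attrs in find_vendor_employee_matches(EMPLOYEES, VENDORS):
        print(f"{vendor_id} matches employee {emp_id} on: {', '.join(attrs)}")
```

Run it on a schedule, or on each vendor-master change, with created_since set to the previous run's date so only newly added vendors are reviewed, and keep the job and its output with internal audit rather than with the accounts-payable staff who maintain the vendor master; that separation is the covertness the paragraph above calls for. Name-only and phone-only matches will include legitimate cases (an employee who is also a sole-proprietor vendor, for instance), so the output is a review queue, not a verdict; a match on the bank account is the one to escalate first.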

Establishing Reporting and Investigation Processes

According to the ACFE, the number one source of discovered frauds is tips from employees of the victim organization. In smaller organizations (100 employees or fewer), 29.6 percent of discovered frauds come from this source; in larger organizations, 43.5 percent of discovered frauds come from this source. Further, the ACFE reports that organizations with fraud hotlines experienced frauds that were 50 percent less costly, and they detected frauds 50 percent more quickly.3

Given those statistics, if you and your organization are fully committed to managing fraud risk, you will set up a hotline reporting mechanism. But, aren't hotlines expensive? Not really; not any more. You can subscribe to an independent, external, Web- or telephone-based reporting system for a few hundred dollars per year.4

Once you've designed and implemented preventive and detective control activities for all fraud schemes in your risk assessment, your work is not done. You need to anticipate what can happen if a fraud perpetrator succeeds despite your fraud risk management efforts.

A common mistake many organizations make is waiting until they are victimized to decide what to do. It's far better to have a well-thought-out-in-advance plan, ready to be taken off the shelf and implemented immediately. Don't put yourself in the position of trying to make important decisions in the chaotic and emotional environment following the discovery of a fraud. Be committed to taking swift, decisive, and severe actions against the fraud perpetrator once the fraud has been discovered and proven.

Avoid the temptation to settle the unpleasant matter quietly and quickly by letting the perpetrator simply resign and go away. While that might minimize the reputational impact on your organization, it will allow the perpetrator to move to another organization that can be victimized by a now-smarter criminal. Further (and perhaps more important), despite any efforts to keep the matter quiet, your other employees will almost undoubtedly know what has happened. If you send the message that the only consequences of stealing from your organization are collecting a severance payment and finding a new job, be prepared for more fraud.

And, of course, make sure that the control breakdown that allowed a fraud to happen is fixed quickly.

3 See ACFE's 2016 Report to the Nations (www.acfe.com/rttn/docs/2014-report-to-nations.pdf and www.acfe.com/rttn2016.aspx).

4 A caution: perform due diligence when selecting an external hotline vendor. Make sure the vendor has sound information security controls in place to protect the sensitive information it will possess.

Monitoring the Entire Fraud Risk Management Process

Don't make the mistake of thinking that once you've established fraud risk governance, performed a fraud risk assessment, implemented control activities, and established reporting and investigation mechanisms your work is done. Just as internal control documentation does not necessarily mean that controls are being carried out as documented, so too, having designed a fraud risk management process does not mean that the process will continue to work as designed. The overall process, as well as each component of the process, must be monitored to ensure that everything continues to work as designed.

Further, every organization is dynamic and undergoes change. Organizations grow, merge, combine, and develop new products and lines of business. Personnel change. Organizational structures change. Industries, markets, and operating environments change.

Consequently, implementing a fraud risk management program is not a one-and-done exercise. Any organizational or operational changes that happen trigger the need to reassess your fraud risk. Even if your organization does not face such changes, you should still conduct a new fraud risk assessment at least annually. The good news is that reassessments should be less time-consuming, because you are building on work already done. Consider using a new risk assessment team for reassessments in order to get new and fresh perspectives.

Finally, your governing board needs to be kept informed about your fraud risk management efforts and results. They will want to know how effective the process has been; they will want to know how rigorous the assessment was; and they will want to know how effective your controls are. And, of course, your board will want to know of any hotline reports, results of investigations, and remediation efforts.

Deterring Fraud

Investigating and remediating frauds is expensive. Designing and maintaining preventive and detective controls also comes with a cost. Deterring fraud—establishing an atmosphere and perception that the likelihood of getting caught is so high that it scares potential fraud perpetrators away—is by far the best situation in terms of managing fraud risk. Fraud deterrence is achieved when an organization (a) establishes a rigorous fraud governance process and ensures that employees are aware of that process; (b) conducts an aggressive fraud risk assessment periodically; (c) designs, implements, and maintains effective fraud prevention and detection control processes and procedures; and (d) takes swift actions against those who attempt to commit fraud.

According to the ACFE:

The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration. Fraud schemes that occurred at victim organizations that had implemented any of several common anti-fraud controls were significantly less costly and were detected much more quickly than frauds at organizations lacking these controls.5

Are the Costs Worth the Benefits?

You might be thinking at this point that this whole fraud risk management thing sounds expensive and will take time away from other more important activities that your organization needs to accomplish. After all, you are pretty sure that your management and employees are trustworthy. You can roll those dice if you want to. That's what Dixon and UWNCA decided to do.

There are some additional benefits of implementing a fraud risk management program beyond "just" minimizing fraud risk. The risk assessment will give you a much better understanding of your organization and how it operates. Importantly, having strong controls in place protects honest employees. Finally, the best, most trusted, and most respected organizations take proactive measures like fraud risk management. Sending the signal to your stakeholders that your organization is committed to the strongest fraud risk management processes conveys an important message: your money, your time and effort, your trust are safe with us.

That message will attract more investments, more business, more donations, more volunteer efforts, more trust, and more respect. When UWNCA's revenues dropped from $91 million to $19 million in one year, it was not because donors stopped donating money; it was because they moved their money to more trustworthy organizations.

5 ACFE's 2014 Report to the Nations, www.acfe.com/rttn/docs/2014-report-to-nations.pdf.

Still Not Sure Your Organization Needs a Fraud Risk Management Program?

Fortunately, there is an easy way to find out if making the investment in fraud risk management is the right thing for your organization. Download the guide's five "scorecards" at www.cottoncpa.com/wp-content/uploads/2014/08/Fraud-Risk-Management-Scorecards.pdf. These scorecards can be used to assess how good your organization's existing fraud risk management process actually is right now. They list the key attributes of strong fraud risk governance, risk assessments, control activities, reporting and investigations, and monitoring. Each attribute can be scored as: red (we have a problem), yellow (we are making progress but have room for improvement), or green (we have fully implemented this attribute). At your next staff meeting or board retreat, take a few minutes to honestly self-assess. Get some red, yellow, and green dots at your office supply store and rate each attribute. It should only take about 45 minutes to complete each scorecard. Tape the scorecard pages up on the wall, stand back, and look at the results. If you see a lot of red, be worried; your organization is vulnerable to fraud. Then ponder what happened to Dixon and UWNCA. I'll bet that both of those organizations wish that they had taken the relatively small amount of time and effort needed to implement a fraud risk management program.

Dave Cotton is Chairman of Cotton & Company, LLP, in Alexandria, Virginia. www.cottoncpa.com. Dave served on the original task force that developed Managing the Business Risk of Fraud: A Practical Guide and chaired the task force that updated the Guide on behalf of ACFE and COSO.