While fraud is commonly associated with bad guys lurking in dark corners of the web, it’s often conducted by someone much closer to home. A fraudster could be the person you passed on your way to the lunchroom or a co-worker you exchanged emails with but never met. They might be running an important division of your organization or orchestrating payments to your vendors. These are just a few of the vantage points from which fraudsters may operate within your organization.
Different fraudsters present different fraud risks, and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) has produced a Fraud Risk Management Guide that provides a framework to help organizations think through these fraud risks and take steps to address them. This article summarizes the five key principles in that guide.1
COSO Fraud Risk Management Guide
Fraud Risk Governance – This is the colloquial “tone at the top.” What tone are the board and senior management setting with respect to the risk of fraud? A well-thought-out and effectively communicated fraud risk management program lets the rest of the organization know that the risk of fraud is taken seriously at the top and should be taken seriously by all employees of the organization.
Fraud Risk Assessment – A fraud risk assessment is where strategy meets tactics. The strategy of the fraud risk management program is executed by blending high-level considerations of potential fraud risks with detailed, tactical assessments of the controls in place to help address those fraud risks. This is a balance that must consider both the likelihood of each identified potential fraud risk, as well as the significance—or potential impact—of each fraud risk were it to occur. Where gaps in controls exist, action steps are prescribed.
Fraud Control Activity – A fraud control activity is a specific activity designed to help prevent or detect fraud. If an identified potential fraud risk is likely and has a potentially significant impact, substantial time should be spent designing controls to help prevent that potential risk from occurring, detect that fraud should it occur, or some combination of the two. Contrast this with a potential fraud risk that is unlikely and potentially insignificant. Comparatively less time, energy, and effort would typically be used to design preventive or detective controls for this type of risk. Once designed, these controls are implemented to help mitigate the identified fraud risks.
Fraud Investigation & Corrective Action – Despite an organization’s best efforts, fraud risk cannot be reduced to zero. Planning ahead for “what if” fraud does occur is a smart move to confirm proper channels of communications are defined and relationships are established to help increase the likelihood of a timely and efficient resolution.
Fraud Risk Management Monitoring Activities – This entire process should be repetitive and ongoing, either periodically or on a continuous basis. This should not be a one-and-done process, especially given the constantly changing fraud schemes, technology, and business processes of an organization.
Conclusion
This framework can help your organization think about the risks of fraud, as well as take specific action steps to help address those risks. To learn more about this framework, check out COSO’s complete Fraud Risk Management Guide. If you need help implementing this framework in your organization, please reach out to a professional at Forvis Mazars or use the Contact Us form below.
- 1“Fraud Risk Management Guide: 2nd Edition,” coso.org, March 2023