
Better Get Brisk Assessing Your Fraud Risk

by Edith Orenstein

In case you missed it among the hundreds of pages of new guidance, examples and illustrations released by COSO last year as part of its updated Internal Control-Integrated Framework, do not lose sight of a major new requirement -- labeled "Principle 8" in the updated framework -- that management conduct its own fraud risk assessment.

This topic formed the focus of the final webcast in the five-part webcast series on COSO sponsored by Financial Executives International and Protiviti.

Pam Verick, a director in Protiviti's Investigations and Fraud Risk Management Solutions Department, began the discussion of this new requirement, the 8th of COSO's 17-principle updated internal control framework, which specifically states:

PRINCIPLE 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.

Most of us understand what fraud means - or so we believe - and Verick went into a fair amount of detail in her presentation on just what the scope of fraud encompasses - but do you know what COSO means by "risks to the achievement of objectives"? To understand that, a quick review of COSO's Principles 6 and 7 is in order. Principle 6 requires a company to "Specify objectives," including external financial reporting objectives, nonfinancial reporting objectives, compliance objectives, and others. Within each principle, COSO also defined Points of Focus (POF) to assist in understanding and applying the principles; the POF for Principle 6 include such things as "Complies with applicable accounting standards" and "Considers materiality." Principle 7 is "Identifies and Analyzes Risk to the Achievement of Objectives."

Moving on to Principle 8 on fraud risk assessment: throughout Verick's presentation, it seemed to me as an observer that the grey areas, the things COSO did not state and left up to management's judgment in order to keep the framework principles-based, were significant. Applying some of COSO's definitions to your company's own facts and circumstances will therefore pose either implementation challenges or opportunities, depending on whether one sees the glass as half-empty or half-full.

For example, Verick noted that COSO's Principle 8 does not say how fraud should be defined, but rather that organizations should focus their fraud risk analysis on the types of fraud to be considered. She also emphasized that "Principle 8 does not prescribe a specific methodology [such as] interviews, workshops, or data analytics" for conducting the fraud risk assessment. "We think this is very important, and that you have to have a robust methodology so you can confidently say you have the ability to identify fraud risk, and prioritize [those risks]."

Verick reiterated that Principle 8 requires an organization to consider the potential for fraud in assessing risks to the achievement of its objectives (e.g., reliable financial reporting).

Moving to a discussion of the "COSO Cube," Verick said, "Typically we see a focus on the financial reporting aspect of the cube; Fraud Principle 8 really speaks to ensuring that Operations is considered as well." The time-honored COSO cube, developed in 1992 and updated in the 2013 release of COSO's internal control framework, is best known for addressing financial reporting, but it has three vertical "slices": Reporting, Operations, and Compliance with Laws and Regulations. COSO has always stated that its framework applies broadly to all three purposes, not only financial reporting, although the framework has become best known for its use in financial reporting, particularly in the post-Sarbanes-Oxley period.

Upping Their Game

Significantly, Protiviti's Verick added, "While some organizations may have considered operations at the entity level, we now see it considered at process level as well.... So think about how you approach mapping... we see organizations inventorying elements of fraud risk programs at the process level as well, so perhaps where organizations did not have a process narrative before, they now do, or where, since the last time they did their narrative, they have 'upped their game' -- getting a far better view of how their view [into internal controls] now looks."

In conducting your fraud risk assessment, COSO has built into the Points of Focus supporting Principle 8 the time-honored principles of the "Fraud Triangle" first developed by Donald Cressey. POF 32, 33 and 34 address these aspects of the fraud triangle:

  • Assesses incentives and pressures
  • Assesses opportunities
  • Assesses attitudes and rationalizations

What Constitutes "Fraud"?

Verick described some of the varied types of fraud that COSO asks companies to consider when asking themselves whether such fraud could take place at their own company, noting that in some instances these are the kinds of engagements that come across her desk in her practice. They range from:

  • fraudulent financial reporting -- or what is typically thought of as "cooking the books,"
  • unauthorized use of assets,
  • corruption,
  • inappropriate management override of controls,
  • Foreign Corrupt Practices Act (FCPA) violations,
  • illegal gratuities,
  • kickbacks,
  • commercial bribery,
  • employees accepting a bribe that results in misdirection of corporate opportunities,
  • conflicts of interest (in the procurement process, how do you disclose conflicts?),
  • "Good old classic bribery, improper thank you's after a contract has been awarded; or requests for bribes or a quid pro quo."
  • On the topic of "Management override of controls," Verick said that "COSO 2013 makes a really good point, there is management override of control that is justified, but particularly for fraud, we want to ... think about critical issues around management override of controls."
  • "Fraudulent non-financial reporting," she continued, "can be OSHA, conflict minerals, perhaps fraudulent information in marketing activities, all of those reports that come into the company or go out that you all highlight or show what your company is all about."
  • Misappropriation of assets as well as illegal acts are other things to be explicitly considered as part of fraud risk assessment, she noted.
  • "Safeguarding of assets, in terms of their use, disposal, or as an appropriate benefit to an individual or group internal to the company, or a vendor or supplier, external body we have a relationship with... people, intellectual property, physical property, reputation, all the things that make up our company," is to be considered as well, continued Verick.

"One of the things we've gotten the most questions about," said Verick, "is, how do you assess the likelihood of the potential impact of fraud? Some organizations use 'significant,' some use 'likelihood,' 'impact,' 'probability.'"

She continued, "Principle 7 [in the COSO framework] uses 'risk,' 'velocity,' those concepts are brought over into Principle 8, not just the identification of fraud risk, but about assessing, how significant would the impact be... how you define that, it's all up to you."

Other questions she has been asked, said Verick, include: "Do you have to have a Risk Control Matrix?"

"There is nothing prescribed" in COSO's updated framework, she continued, "however we will see either a Risk and Control Matrix (RCM), or we will see RCMs where there are specific fraud risks called out, and specific controls called out, baking into individual processes specific fraud risks and specific controls that address those fraud risks."

Keith Kawashima, a Managing Director in Protiviti's Silicon Valley office, who played a major role in each of the five webcasts in the series, asked Verick whether cross-referencing the fraud controls back to the related COSO principles would be useful.

Verick replied, "Absolutely, you always want to have explicit evidence regarding how you are mitigating a fraud risk, as a specific control."

Kawashima noted that, “as a reminder, we will try to differentiate between rolling out COSO for purposes of financial reporting and the Sarbanes-Oxley Act, and a more broad use of COSO 2013 for internal controls for the rest of the organization.”

Interestingly, in response to a polling question taken during the webcast, out of 1051 total votes:

  • 43.3% said they planned to implement COSO 2013 for Sarbanes-Oxley in FY 2014
  • 16.8% said they planned to implement it in FY 2015
  • 16.7% were not sure
  • 23.2% answered not applicable, as they aren't subject to Sarbanes-Oxley or Sarbanes-Oxley-like regulations

The remainder of the webcast featured an Implementation Panel, featuring FEI COSO Working Group Chairman and Committee on Governance, Risk and Compliance member Ray Purcell, who serves as Director of Financial Control at Pfizer, as well as Steve McNally, Finance Director and Controller for Campbell Soup's Napoleon and Flavor Operations, John Beeler, Chief Compliance Officer of Salesforce.com, and Nick Moscaritolo, VP of Risk Assurance at TeleTech.

FEI wishes to express its appreciation to www.protiviti.com for sponsoring the webcast series. You can listen to the archived webcast series here (no CPE for archived webcasts; CPE is available to listeners on the live webcasts only). Visit www.financialexecutives.org/coso for upcoming webcasts and more FEI resources on COSO.