Agenda 11/26/13. Updated COSO Framework

Size: px

Start display at page:

Download "Agenda 11/26/13. Updated COSO Framework"

Magdalene Ryan
5 years ago
Views:

Overview Five Control Objectives 17 Control Principles Case Study:

1 Updated COSO Framework Danny M. Goldberg, Founder Agenda COSO Update Overview History/Background Changes Overview Five Control Objectives 17 Control Principles Case Study: Developing a Checklist for Your Organization Fraud Risk Assessment Overview Key Steps Interviewing and Brainstorming 1

Executive Update: Overview COSO Overview Internal Control Publications 1992 2006 2009 2013 Overview of COSO Committee of Sponsoring Organizations

Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence.

Accounting Association (AAA), Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) The Institute of Management

COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their

2 Executive Update: Overview COSO Overview Internal Control Publications Overview of COSO Committee of Sponsoring Organizations of the Treadway Commission (COSO) US private-sector initiative created in Its major objective is to identify the factors that cause fraudulent financial reporting and to make recommendations to reduce its incidence. COSO is sponsored by 5 main professional accounting organizations in the US: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives Institute (FEI), The Institute of Internal Auditors (IIA) The Institute of Management Accountants (IMA). COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.» Source: Integrated Framework 2013 Consists of three volumes: Executive Summary Framework and Appendices Illustrative Tools for Assessing Effectiveness of a System of Internal Control Sets out: Definition of internal control Categories of objectives Components and principles of internal control Requirements for effectiveness 2

3 Why Update What Works The Framework has become the most widely adopted control framework worldwide. Original Framework COSO s Internal Control Integrated Framework (1992 Edition) Refresh Objectives Reflect changes in business & operating environments Expand operations and reporting objectives Articulate principles to facilitate effective internal control Enhancements Updates Context Broadens Application Clarifies Requirements Updated Framework COSO s Internal Control Integrated Framework (2013 Edition) Update expected to increase ease of use and broaden application What is not changing... Core definition of internal control Three categories of objectives and five components of internal control Each of the five components of internal control are required for effective internal control Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness What is changing... Changes in business and operating environments considered Operations and reporting objectives expanded Fundamental concepts underlying five components articulated as principles Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added The COSO Definition of Internal Control Internal control is a process, effected by an entity s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories: Effectiveness and efficiency of operations Reliability of financial reporting Compliance with applicable laws and regulations 3

4 COSO Update - Executive Summary Highlights Provides a high level overview intended for the board of directors, chief executive officer, and other senior management. Applicable to all entities but the way in which it is implemented will be different for each organization (i.e., larger entities tend to be more formal and structured) Meant to assist stakeholders both internally and externally without being too prescriptive. Accomplished by defining what constitutes a system of internal control and providing insight to when it is being applied effectively. Judgment is still a major factor in determining what is an effective system of internal control To determine how much control is enough To select, develop, and deploy controls across the entity Management and internal auditors apply judgment as they monitor and assess the effectiveness of the system of internal control. Executive Summary Highlights (continued) Requirements for an effective system of internal control are: Each of the five components and relevant principles (17 principles in total) are present and functioning The five components operate together in an integrated manner or as an integrated system When a major deficiency exists with respect to the presence and functioning of a component or relevant principle, or with respect to the components operating together in an integrated manner, the organization cannot conclude that it has met the requirements for an effective system of internal control. An effective system reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives (Operations, Reporting, Compliance) Executive Summary Highlights (continued) Limitations do exist: Suitability of objectives are a precondition to internal control Human judgment can be faulty and subject to bias Human failures such as simple errors do occur Management could override internal control Collusion could circumvent controls External events beyond the organization s control Internal control provides reasonable assurance of achieving the entity s objectives but not absolute assurance Management should be aware of these limitations when selecting, developing, and deploying controls 4

5 Update Considers Changes in Business and Operating Environments Environments changes... Expectations for governance oversight Globalization of markets and operations Changes and greater complexity in business Complexities in laws, rules, regulations, and standards Expectations for competencies and accountabilities Use of, and reliance on, evolving technologies Expectations relating to preventing and detecting fraud have driven Framework updates COSO Cube (2013 Edition) Update Articulates 17 Principles of Effective Internal Control Control Environment (CE) 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability Risk Assessment (RA) 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Control Activities (CA) 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures Information & Communication (IC) 13. Uses relevant information 14. Communicates internally 15. Communicates externally Monitoring Activities (MA) 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies Update Clarifies Requirements for Effective Internal Control Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that: Each component and each relevant principle is present and functioning The five components are operating together in an integrated manner Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives 5

6 Update Describes Important Characteristics of Principles Points of focus may not be suitable or relevant, and others may be identified Points of focus may facilitate designing, implementing, and conducting internal control There is no requirement to separately assess whether points of focus are in place Update Describes the Role of Controls to Effect Principles The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control An organization s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management s assessment of whether components and relevant principles are present and functioning ICEFR: A Compendium Overview Provides points of focus and approaches to satisfy each of the 17 principles of the Framework. Points of Focus highlight key characteristics relating to each principle. Approaches are summary-level descriptions of activities that management may consider as they apply the Framework in an ICEFR context. Examples are also provided to illustrate practical examples of how to apply principles, based on situations drawn from practical experience. Illustrates how various characteristics of principles may be present and functioning within a system of internal control relating to external financial reporting. 6

17 Principles of Effective Internal Control Control Environment (CE) 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3.

7 17 Principles of Effective Internal Control Control Environment (CE) 1. Demonstrates commitment to integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority and responsibility 4. Demonstrates commitment to competence 5. Enforces accountability Risk Assessment (RA) 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant change Control Activities (CA) 10. Selects and develops control activities 11. Selects and develops general controls over technology 12. Deploys through policies and procedures Information & Communication (IC) 13. Uses relevant information 14. Communicates internally 15. Communicates externally Monitoring Activities (MA) 16. Conducts ongoing and/or separate evaluations 17. Evaluates and communicates deficiencies GROUP EXERCISE Group Exercise Break up groups based on industry For each of the Five Objectives, please read each of the Principles (17 in all) and create, as a group, a checklist of actions that a company would do in order to demonstrate each Principle and thus each Objective. 45 Minutes allotted to each of the 5 Objectives 7

8 CONTROL ENVIRONMENT Control Environment: Principles 1. The organization demonstrates a commitment to integrity and ethical values. 2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control. 3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives. 4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives. 5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives. Principle #1: Approaches 1. Establishing Standards of Conduct 2. Leading by Example on Matters of Integrity and Ethics 3. Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct 4. Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct 8

9 Principle #2: Approaches 1. Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors 2. Establishing P&P for Meetings between the BoD and Management 3. Identifying and Reviewing BoD Candidates 4. Reviewing Management s Assertions and Judgments 5. Obtaining an External View 6. Considering Whistle-Blower Information about Financial Statement Errors and Irregularities Principle #3: Approaches 1. Defining Rules and Reporting Lines and Assessing them for Relevance 2. Defining Authority at Different Levels of Management 3. Maintaining Job Descriptions and Service- Level Agreements 4. Defining the Role of Internal Auditors Principle #4: Approaches 1. Establishing Required Knowledge Skills, and Expertise 2. Linking Competence Standards to Established Policies and Practices in Hiring, Training, and Retention Decisions 3. Identifying and Delivering Financial Reporting-Related Training as Needed 4. Selecting Appropriate Outsourced Service Providers 5. Evaluating Competence and Behavior 6. Evaluating the Capacity of Finance Personnel 7. Developing Alternate Candidate for Key Financial Reporting Roles 9

Principle #5: Approaches 1. Defining and Confirming Responsibilities 2. Developing Balanced Performance Measures, Incentives, and Rewards 3. Evaluating Performance Measures for Intended Influence 4.

10 Principle #5: Approaches 1. Defining and Confirming Responsibilities 2. Developing Balanced Performance Measures, Incentives, and Rewards 3. Evaluating Performance Measures for Intended Influence 4. Approach Linking Compensation and Other Rewards RISK ASSESSMENT Risk Assessment 6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives. 7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed. 8. The organization considers the potential for fraud in assessing risks to the achievement of objectives. 9. The organization identifies and assesses changes that could significantly impact the system of internal control. 10

11 Principle #6: Approaches 1. Identifying Financial Statement Accounts, Disclosure and Assertions 2. Specifying Financial Reporting Objectives 3. Assessing Materiality 4. Reviewing and Updating Understanding of Applicable Standards 5. Considering the Range of Activities Principle #7: Approaches 1. Applying a Risk Identification Process 2. Assessing Risks to Significant Financial Statement Accounts 3. Assessing the Likelihood and Significance of Identified Risks 4. Considering Internal and External Factors 5. Evaluating Risk Responses Principle #8: Approaches 1. Conducting Fraud Risk Assessments 2. Considering Approaches to Circumvent or Override Controls 3. Reviewing Incentives and Pressures Related to Compensation Programs 11

Principle #9: Approaches 1. Assessing Change in the External Environment 2. Conducting Risk Assessments Relating to Significant Change 3. Considering Change Through Succession 4.

12 Principle #9: Approaches 1. Assessing Change in the External Environment 2. Conducting Risk Assessments Relating to Significant Change 3. Considering Change Through Succession 4. Considering CEO and Senior Executive Changes CONTROL ACTIVITIES Control Activities 10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels. 11. The organization selects and develops general control activities over technology to support the achievement of objectives. 12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place. 12

13 Principle #10: Approaches 1. Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities 2. Implementing or Assessing Control Activities when Outsourcing to a Third Party 3. Considering the Types of Control Activities 4. Considering Alternative Control Activities to the Segregation of Duties 5. Identifying Incompatible Functions Principle #11: Approaches 1. Using Risk and Control Matrices to Document Technology Dependencies 2. Evaluating End-User Computing 3. Implementing or Assessing Control Activities when Outsourcing IT Functions to a Third Party 4. Configuring the IT Infrastructure to Support Restricted Access and Segregation of Duties 5. Configuring IT to Support the Complete, Accurate, and Valid Processing of Transactions and Data 6. Administering Security and Access 7. Applying a SDLC over Packaged Software 8. Applying an SDLC over Software Developed in-house Principle #12: Approaches 1. Developing & Documenting P&P 2. Deploying Control Activities through Business Unit or Functional Leaders 3. Conducting Regular and Ad Hoc Assessments of Control Activities 13

INFORMATION & COMMUNICATION Information & Communication 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14.

14 INFORMATION & COMMUNICATION Information & Communication 13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control. 14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control. 15. The organization communicates with external parties regarding matters affecting the functioning of internal control. Principle #13: Approaches 1. Creating an Inventory of Information Requirements 2. Obtaining Information from External Sources 3. Obtaining Information from Non-Finance Management 4. Creating and Maintaining Information Repositories 5. Using an Application to Process Data into Information 6. Enhancing Information Quality through a Data Governance Program 7. Identifying, Securing, and Retaining Financial Data and Information 14

Principle #14: Approaches 1. Communicating Information Regarding External Financial Reporting Objectives and Internal Control 2. Communicating Internal Control Responsibilities 3.

Communicating through Alternative Reporting Channels 7. Establishing a Mentoring Program to Encourage Communicating with Management Principle #15: Approaches 1.

15 Principle #14: Approaches 1. Communicating Information Regarding External Financial Reporting Objectives and Internal Control 2. Communicating Internal Control Responsibilities 3. Developing Guidelines for Communication to the Board of Directors 4. Reviewing Financial & Internal Control Information with the BoD 5. Communicating a Whistle-Blower Program to Company Personnel 6. Communicating through Alternative Reporting Channels 7. Establishing a Mentoring Program to Encourage Communicating with Management Principle #15: Approaches 1. Communicating Information to Relevant External Parties 2. Obtaining Information from Outside Sources 3. Surveying External Parties 4. Communicating the Whistle-Blower Program to Outside Parties 5. Reviewing External Audit Communications MONITORING ACTIVITIES 15

16 Monitoring Activities 16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. 17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate. Principle #16: Approaches 1. Periodically Reviewing the Mix of Monitoring Activities 2. Designing and Implementing a Dashboard 3. Using Technology to Support Monitoring Activities 4. Conducting Separate Evaluations 5. Using Internal Audit to Conduct Separate Evaluations 6. Understanding Controls at an Outsourced Service Provider Principle #17: Approaches 1. Assessing and Reporting Deficiencies 2. Monitoring Corrective Action 3. Developing Guidelines for Reporting Deficiencies 16

17 Transition & Impact Users are encouraged to transition applications and related documentation to the updated Framework as soon as feasible Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014) During the transition period, external reporting should disclose whether the original or updated version of the Framework was used Impact of adopting the updated Framework will vary by organization Does your system of internal control need to address changes in business? Does your system of internal control need to be updated to address all principles? Does your organization apply and interpret the original framework in the same manner as COSO? Is your organization considering new opportunities to apply internal control to cover additional objectives? Transition & Impact (Continued) The principles-based approach provides flexibility in applying the Framework to multiple, overlapping objectives across the entity Easier to see what is covered and what is missing Focus on principles may reduce likelihood of considering something that s irrelevant Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated Transition & Impact (Continued) Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls Applying an integrated approach to internal control - encompassing operations, reporting, and compliance may lessen complexity In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate 17

18 Fraud Risk Assessment The Definition of Fraud any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage. Categories of Fraud Risk Misappropriation of Assets involve the theft or misuse of an organization s assets. (Common examples include skimming revenues, stealing inventory, and payroll fraud.) Corruption fraudsters wrongfully use their influence in a business transaction in order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another. (Common examples include accepting kickbacks and engaging in conflicts of interest.) Fraudulent Financial Statements falsification of an organization s financial statements. (Common examples include overstating revenues and understating liabilities or expenses.) 18

19 Asset Misappropriation Scheme Payroll Inventory Credit Cards Larceny Purchasing Procurement Reimbursement Improper Payments Scenario Payment to fictitious employees Payment to terminated employees Overpayment to existing employees Theft of inventory items Consistent shrinkage of items Increased defective/warranty claims Reimbursement for personal expenses Use of card to circumvent competitive bid requirements Theft of materials, supplies, cash Using purchasing authority to purchase raw materials for personal use. Using procurement card for personal, exorbitant purchases Reimbursement for undocumented expenses Reimbursement for luxury accommodations Reimbursement for travel expenses of family members Payments to phantom vendors, shell companies Scheme Fictitious Revenue Overstating Assets Understating Liabilities and Expenses Improper Note Disclosure Non-financial Management Estimates Corruption/FCPA Scenario Improper or early revenue recognition Falsifying revenue Earnings manipulation through reserves Recording pending transactions as completed transactions Improper valuation of securities, inventory, fixed assets Hiding losses in future reporting periods Understating expense account balances Reclassifying (capitalizing) expenses as assets Improper valuation or manipulation of intercompany accounts Omission of contingencies or subsequent events Falsifying external documents to suppliers Internal memorandums give misleading information Publicly announced unsubstantiated information Manipulation of management estimates for receivables, goodwill or depreciation Scheme Fictitious Revenue Financial Statement Fraud Scenario Improper or early revenue recognition Falsifying revenue Earnings manipulation through reserves Recording pending transactions as completed transactions Overstating Assets Improper valuation of securities, inventory, fixed assets Understating Liabilities Hiding losses in future reporting periods and Expenses Understating expense account balances Reclassifying (capitalizing) expenses as assets Improper Note Disclosure Non-financial Improper valuation or manipulation of intercompany accounts Omission of material contingencies or subsequent events Falsifying external documents to suppliers Internal memorandums give misleading information Publicly announced unsubstantiated information Management Estimates Manipulation of management estimates for receivables, goodwill or depreciation 19

objectives FRA - Purpose Identify and recognize fraud risks in the organization Determine the likelihood Determine how to manage and

20 What is Risk? The degree of probability that an unfavorable event will significantly impact a functional area s ability to meet the organization s objectives FRA - Purpose Identify and recognize fraud risks in the organization Determine the likelihood Determine how to manage and mitigate fraud risk Determine critical information Identify systems that process, store, or transmit critical information used for red flag identification Discover vulnerabilities Create new processes, controls and procedures for mitigating fraud risk 20

21 Who Should be Involved? C Suite Officer CEO CFO CIO General Counsel Chief Compliance Officer Management Business Unit Managers Sales Marketing Human Resources Accounting Controller Accounting Manager Accounting Supervisors Oversight Internal Audit Board of Directors Audit Committee External Auditors Step 1 Identify and Evaluate Fraud Risk Factors 1. Schedule interviews and develop the approach. 2. Identify fraud risk factors at the entity level, significant locations, accounts and business process level. : Consider whether each fraud risk factor indicates the existence of an incentive/pressure, opportunity or attitudes/ rationalizations. 3. For each identified fraud risk factor, identify the account balances and potential errors that may be affected and assess the fraud risks. 21

22 Step 1 Identify and Evaluate Fraud Risk Factors Pitfalls Fraud Risk Factors are not considered Existing controls are considered The potential for management override of controls is not considered Interviews are not valueadded Recommendations Use the Fraud Triangle to explain the significance of fraud risk factors and to initiate thinking Do not consider controls EXCEPT when considering the potential for management override Develop interview approach that matches area and culture Step 1 Identify and Evaluate Fraud Risk Factors Identify fraud risk factors at the entity level, significant location, significant account and business process level. Consider whether each fraud risk factor indicates the existence of incentive, pressure, opportunity or attitude and rationalization. Identify incentives / pressures to commit fraud, opportunities to commit fraud, or attitudes / rationalizations to justify fraud. Personnel from various levels of the organization should be involved in the process. Consider internal and external (e.g., regulatory, industry) influences. Step 2: Identify Possible Fraud Risks, Schemes and Scenarios 1. Identify fraud risks and determine if the fraud risks are pervasive or specific. 2. Brainstorm specific fraud schemes that could result from the specific risks identified. 3. For each fraud scheme, identify internal and external parties who could be involved with reference to incentives/pressure, opportunities, attitudes & rationalizations. 22

23 Step 2: Identify Possible Fraud Risks, Schemes and Scenarios Pitfalls The schemes are too general, not allowing for sufficient consideration of risks and preventing appropriate level of mapping to controls The schemes do not consider the potential for management override of controls The schemes do not consider the potential for collusion Brainstorming ineffective Recommendations Detail each scheme by considering: Why? Who? What? Where? When? How? Step 3: Prioritize Identified Fraud Risks Evaluate possible fraud schemes by: Type Likelihood Significance Pervasiveness Consider Inherent Risk Rating (IRR) Step 4. Evaluate the Controls Existence and Effectiveness 1. Link fraud schemes to mitigating controls. Assess whether each mapped or linked control activity is preventative or detective in nature. 2. Evaluate the effectiveness of controls to determine if they sufficiently mitigate the risk of the identified fraud schemes (control gap analysis). 3. Evaluate the residual fraud risk. 23

24 Step 4. Evaluate Mitigating Controls Antifraud control activities can be preventative or detective in nature Preventative controls are designed to mitigate specific fraud risks and can deter frauds from occurring Detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls. 4. Evaluate Mitigating Controls Special consideration should be given to the risk of management override of controls. Some programs and controls that deal with management override include: Active oversight from the audit committee Whistle-blower programs and a system to receive and Investigate anonymous complaints; and Reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud. 4. Evaluate Mitigating Controls Pitfalls Where gaps are identified, no remediation efforts are made Future changes in risk are not incorporated into the FRA and remediation is not performed Effectiveness of controls is not evaluated Mapping is done incorrectly and without consideration of existing controls and documentation Recommendations Design and implement controls to close identified gaps The FRA should be iterative and should be reassessed at least annually and when there is a significant change in the control environment Evaluating the effectiveness of the controls Only map those controls identified as significant Identify entity level controls that will assist in mitigating remaining residual risk Leverage of existing efforts and controls 24

25 Control Risk Rating Evaluate the Control Risk Rating Determine if controls sufficiently mitigate the identified fraud risks and schemes Decide whether existing controls should be improved or new controls are required Consider both the design and the implementation of the control in mitigating the fraud risk Fraud controls can be tricky! Consider possible management override of controls Step 5: Risk Treatment 1. Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention. 2. Implement Fraud Risk Action Plan. Step 5: Risk Treatment Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention. Controls should be implemented or enhanced for identified fraud schemes where controls are not already present, inadequately designed or poorly implemented. Ensure overall responsibility is assigned to responsible personnel to monitor control implementation as detailed in the Fraud Risk Action Plan. This responsibility could be defined in the Fraud Control Policy of the entity or specified elsewhere. The Audit Committee should oversee the entire process. 25