Corporate Governor
Providing vision and advice for management, boards of directors and audit committees
Winter 2015

COSO 2013 framework boosts fraud risk assessment and prevention

Fraud is among the most distasteful fare on management's plate. Not only is it an enormous, unplanned drain on company resources (the Association of Certified Fraud Examiners (ACFE) estimates that fraud costs the typical company 5% of revenue[1]), it's spiritually crippling as well. Fraud by company outsiders, as damaging as it may be, simply testifies to human greed and malevolence. Fraud by co-workers and colleagues, often long-serving and trusted, is a gut-wrenching betrayal of faith.

Daily stories of pilfered passwords and leaked emails have placed cyberfraud at the top of management's agenda. This heightened concern coincides with the guidance in COSO's Internal Control-Integrated Framework: Framework and Appendices (COSO 2013), effective Dec. 15, 2014, that requires companies to do a fraud risk assessment (FRA). Clearly, now is the time for companies to comprehensively reassess their approach to assessing and mitigating potential fraud risks.[2]

For companies that may not have formally documented processes and controls designed to address fraud risk systematically, adopting COSO 2013 can jump-start a broad and far-reaching program of necessary fraud risk prevention. Companies that have more fully developed FRA processes and procedures in place will see implementing COSO 2013 as an opportunity to re-evaluate and strengthen their fraud prevention effort.

[1] ACFE: Report to the Nations on Occupational Fraud and Abuse: 2014 Global Fraud Study. See www.acfe.com/rttn-summary.aspx for more information.
[2] COSO released a new report, COSO in the Cyber Age, which provides direction on how the Internal Control-Integrated Framework and the Enterprise Risk Management-Integrated Framework can help organizations manage cyberrisks. Visit www.coso.org to download the report.
COSO guidance on fraud risk assessment: Principle 8

The discussion of fraud in COSO 2013 centers on Principle 8 of the framework: "The organization considers the potential for fraud in assessing risks to the achievement of objectives."

"For most companies, under 1992 COSO, fraud risk was viewed primarily in terms of satisfying SOX requirements, i.e., identifying and preventing fraud risk at the transaction level," says Michael Rose, partner, Business Advisory Services. "But in COSO 2013, fraud risk becomes a specific component in the overall risk assessment: It addresses fraud at the organization or entity level, not just the transaction level." COSO requires a strong internal control foundation that addresses fraud much more broadly: company objectives, strategy, operations, and compliance, as well as reporting, both external and internal, financial and nonfinancial.

Principle 8 describes four specific areas of concern.

1. Fraudulent financial reporting: This area has long been at the heart of the mission of COSO; indeed, it is the purpose for which COSO was originally founded in 1985.
2. Fraudulent nonfinancial reporting: The inclusion of fraudulent nonfinancial reporting is a significant change from 1992 COSO. COSO 2013 mentions sustainability reporting, health and safety reports, and reports on employment activity as examples of nonfinancial reporting.
3. Misappropriation of assets: Principle 8 states that illegal marketing, theft of assets, theft of intellectual property, late trading, and money laundering are among the activities that may relate to unauthorized acquisition, use and disposal of assets.
4. Illegal acts: These are violations of laws or governmental regulations that could have a material direct or indirect impact on the external financial reports. Examples include bribery, corruption and insider trading.
Points of focus

The first point of focus in Principle 8 summarizes the above four areas:

Considers various types of fraud: The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.

The three remaining points of focus largely mirror those of the fraud triangle as discussed in SAS 99.[3] The standard describes an assessment of fraud risks considering three specific aspects:

1. Incentives and pressures to commit fraud that exist in the control environment
2. Opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts
3. Attitudes and rationalization, i.e., how management and other personnel might engage in or justify inappropriate actions

Management override of controls

Management override figures prominently in the text of Principle 8. It is "an action taken to override an entity's controls for an illegitimate purpose, including personal gain or an enhanced presentation of an entity's financial condition or compliance status." Management override generally occurs in the largest or most significant fraud occurrences and is not easily detected. As COSO 2013 states, management override should not be confused with management intervention, i.e., action that departs from controls designed for legitimate purposes. The degree to which management can intervene is determined by the board and audit committee's assessment of the control environment.

Building a successful fraud prevention function on the COSO foundation

One extremely useful document for management in assessing and enhancing the company's fraud risk function is Managing the Business Risk of Fraud: A Practical Guide, produced by The Institute of Internal Auditors (IIA), AICPA and the ACFE.
It offers a highly detailed guide (including a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls) of how organizations of various sizes and types can establish their own fraud risk management programs. The following discussion draws significantly from that publication.

Fraud risk governance

The FRA should be seen as part of the company's effort for strong corporate governance. This commitment requires a tone at the top that facilitates corporate cultures embracing strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk.

But even companies with committed senior leadership may have inadequate FRA programs. Most companies have some written policies to manage individual fraud components, say, expense account procedures. We have also noted that many companies engage in some fraud management activities to assess, identify and control override risks. What most companies don't do is concisely summarize these documents and activities so they can communicate and evaluate the completeness and sufficiency of their fraud management processes.

[3] AICPA Statements on Auditing Standards No. 99. See www.aicpa.org/research/standards/auditattest/pages/sas.aspx for more information.
Fraud risk assessment

The fraud risk assessment should ordinarily be conducted as part of a broader assessment of company risk in an enterprise risk management program. But the fraud risk assessment itself may initially be conducted as part of that process or on a standalone basis. Regulatory and legal misconduct, such as Foreign Corrupt Practices Act violations, as well as reputation risk, should also be considered.

Assess and identify inherent risk

The FRA starts with a brainstorming session that seeks to uncover the potential fraud risks in the organization, without consideration of mitigating controls. The review takes place within, and is shaped by, the company's operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, company business practices (e.g., heavy reliance on cash transactions), and business conditions. Each area of risk (fraudulent reporting, possible loss of assets, and corruption) should be examined. The FRA should include:

- Consideration of all types of fraud schemes and scenarios
- The incentives (such as through compensation programs), pressures (a CFO that needs to hit an earnings estimate) and opportunities (a senior manager with management override ability) to commit fraud

Assess likelihood and significance of fraud risk

The next step is to assess the relative likelihood and potential significance of identified fraud risks. This review should be based on interviews with staff, including business process owners; known fraud schemes; and historical information, both internal and external to the entity. In assessing fraud risk significance, companies should consider not only exposures to assets and the financial statements, but risk to an organization's operations, brand value and reputation, as well as criminal, civil and regulatory liability.
Factors in fraudulent reporting

Principle 8 lists various considerations organizations should make when identifying ways fraud in reporting can occur:

- Management bias, for instance, in selecting accounting principles
- Degree of estimates and judgments in external reporting
- Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
- Geographic regions where the entity does business
- Incentives that may motivate fraudulent behavior
- Nature of technology and management's ability to manipulate information
- Unusual or complex transactions subject to significant management influence
- Vulnerability to management override and potential schemes to circumvent existing control activities
- The IT fraud risks specific to the organization

Importantly, the FRA needs to consider the potential bypass of controls through management override, as well as areas where controls are weak or there is a lack of segregation of duties.
Fraud prevention and detection

Once the likelihood and significance of fraud risks are identified, design and implementation of mitigating controls follow. Fraud prevention requires both preventative and detective controls. Preventative controls include policies, procedures, training, and communication, and certain computer-based application controls, while detective controls involve activities designed to identify specific examples of fraud or misconduct that is occurring or has occurred, such as reconciliations and other types of manual controls. However, these are interrelated concepts, as described below:

"If effective preventive controls are in place, working and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company's known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls."[4]

Keep in mind that, in designing controls, segregation of duties in small companies can be difficult to achieve because of limited resources and personnel. Smaller firms need to work to assure that compensating controls (such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity) or other monitoring controls are in place to mitigate this exposure.

Fraud investigation and corrective action

No system of internal control can eliminate fraud completely, so a program for how the company responds to identified fraud or potential illegal acts is essential. The investigation and response system should include a process for categorizing issues; communicating within the organization, including to the audit committee or those charged with governance (depending on the potential severity of the matter); conducting the investigation and fact-finding; and resolving or closing the investigation with a recommendation for prosecution.
A tracking system for monitoring the status of fraud cases is a necessity. If the allegation involves senior management or affects the financial statements, there may be standards, regulations or laws that require parties like legal counsel, the board, the audit committee or external auditors to be notified.

Conclusion

COSO 2013 includes some key elements that management can leverage for companies starting or upgrading their FRA. Organizations that have adopted COSO 2013 can continue to build on that experience to prepare for the fraud challenges ahead. For companies that haven't yet implemented the framework, the direction it provides for improving FRA should motivate management to strive for adoption as soon as possible.

Contacts

Michael Rose, Partner, Business Advisory Services, T +1 215 376 6020, E michael.rose@us.gt.com
Kevin Bennett, Managing Director, Forensic and Valuation Services, T +1 612 677 5348, E kevin.bennett@us.gt.com
Priya Sarjoo, Principal, Business Advisory Services, T +1 214 283 8166, E priya.sarjoo@us.gt.com
Brad Preber, National Managing Partner, Forensic and Valuation Services, T +1 602 474 3440, E brad.preber@us.gt.com

Editor: Evangeline Umali Hannum, E evangeline.umalihannum@us.gt.com

[4] Managing the Business Risk of Fraud: A Practical Guide, pp. 30-34. The Institute of Internal Auditors (IIA), AICPA and ACFE. See www.acfe.com/uploadedfiles/acfe_website/content/documents/managing-business-risk.pdf for more information.
About the newsletter

CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world's leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Connect with us: grantthornton.com, @grantthorntonus, linkd.in/grantthorntonus

"Grant Thornton" refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another's acts or omissions. Please visit grantthornton.com for details.

© 2015 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd