November 15, 2023
Matt Stelzman
Principal, Litigation & Valuation Advisory Leader
Chattanooga, TN

Fraud Risk Management #3 – Determining Control Activities
In recognition of International Fraud Awareness Week, Windham Brannon’s Matt Stelzman takes a deeper dive into the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO).
Our second article discussed Principle 2: Fraud Risk Assessment and its relation to the COSO Risk Assessment component and its four underlying principles (COSO principles 6 through 9). This article focuses on Fraud Risk Management Principle 3: Fraud Control Activities.
Principle 3: Fraud Control Activities
“The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.”
Fraud Control Activities correlate to COSO principles 10 through 12, or more broadly, the Internal Control Component Control Activities. To establish adequate fraud control activities, an organization should promote fraud deterrence through preventive and detective control activities.
- Preventive Control – A control activity designed to stop a fraudulent event before or at the moment it would occur. It is impractical to design and implement a control structure that would prevent every occurrence of fraud, as it would hinder business operations and be extremely costly.
- Detective Control – A control activity designed to discover a fraudulent event after it has occurred, but in a timely fashion. Detective controls can be covert in nature, such as transaction monitoring through data analysis, so that the people being monitored do not know which activities are being tested.
Preventive and detective controls are not the only ways an organization should promote fraud deterrence; establishing a visible fraud governance process and creating an anti-fraud culture are additional components that should be utilized. Finally, if a fraudulent event occurs, taking swift action in response to the allegation will help support a solid control structure.
How do control activities connect with the fraud risk assessment?
The fraud control activities should integrate with the fraud risk assessment. As discussed in our previous article, existing control activities should be identified, assessed, and linked to specific fraud risks and schemes. However, what happens if additional fraud types are discovered and the residual fraud risk remains at unacceptable levels for the organization’s risk tolerance? Additional fraud controls can be applied to bring residual risk to an acceptable level, but these controls should be documented on the fraud risk assessment as well.
What other factors should be considered?
Consideration should also be given to organization-specific factors and relevant business processes when developing a control structure and activities. Some factors to consider include, but are not limited to:
- Person-to-person judgment differences
- Workarounds and overrides of controls
- Inconsistencies caused by people in the process
Also relevant is the application of control activities to differing levels of the organization. Managerial fraud has been shown to cause significantly greater damage to an organization than fraud perpetrated by lower-level employees. Preventive and detective controls can be used strategically to mitigate fraudulent events at all levels of an organization.
What are the most significant fraud control activities for an organization?
Fraud control activities are not standalone processes, and the entire organization has a role to play in them. The following fraud control activities are typically the most significant for an organization:
- Fraud Preventive Control Activities: The most proactive method for fighting fraud. These generally fall into the areas listed below:
  - Business process control activities
  - Physical access controls
  - Logical access controls
  - Transaction-level control procedures
  - Technological controls
- Fraud Detective Control Activities: One of the more effective deterrents to fraudulent behavior. These controls typically depend on the fraud risks identified through the fraud risk assessment. They are not usually apparent in the everyday business environment; rather, they operate in the background.
- Human Resources Procedures: Play an important role in fraud prevention, including:
  - Background investigations
  - Fraud risk management training
  - Evaluation of performance and compensation programs
  - Measurement and monitoring of corporate culture
  - Exit interviews
- Segregation of Duties: One of the strongest anti-fraud controls that can be put into place. It ensures that no single individual has the responsibility or authority for all steps in a business process (for example, creating, approving, and recording a payment).
- Authority and Responsibility Limits: It is paramount that an individual’s level of authority is commensurate with their level of responsibility within the organization, such as approval limits that scale with role.
- Whistleblower System: One of the most important and strongest deterrents and detective methods of fraud in an organization. The Association of Certified Fraud Examiners (ACFE) reports in Occupational Fraud: A Report to the Nations that tips are the most common way fraud is initially detected, ahead of any other source.
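The detective controls above (transaction monitoring through data analysis, segregation of duties, and authority limits) can be expressed as checks that run in the background over a payment ledger. The following is an added example written for this article, not code from Windham Brannon, COSO, or the ACFE. The ledger, the role directory, and the approval limits are constructed sample data, and the duplicate-payment window and the split-transaction rule are hypothetical thresholds chosen for illustration.

```python
"""Detective fraud controls run over a constructed payment ledger.

Added illustration only. The payments, names, roles and limits below are
hypothetical and were made up for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Payment:
    payment_id: str
    vendor: str
    amount: float
    created_by: str   # who entered the payment
    approved_by: str  # who approved it
    created_on: date


# Hypothetical approval limits per role: authority commensurate with responsibility.
APPROVAL_LIMITS = {"clerk": 0, "manager": 10_000, "controller": 50_000}

# Hypothetical role directory.
ROLES = {"alice": "clerk", "bob": "manager", "carol": "controller", "dave": "manager"}

# Constructed sample ledger (not real data). Comments mark the planted findings.
LEDGER = [
    Payment("P-1", "Acme Supplies", 4_200.00, "alice", "bob", date(2023, 11, 1)),
    Payment("P-2", "Acme Supplies", 4_200.00, "alice", "bob", date(2023, 11, 2)),  # duplicate of P-1
    Payment("P-3", "Umbrella Corp", 2_500.00, "dave", "dave", date(2023, 11, 3)),  # self-approved
    Payment("P-4", "Globex", 9_900.00, "alice", "dave", date(2023, 11, 3)),        # split pair, each
    Payment("P-5", "Globex", 9_800.00, "alice", "dave", date(2023, 11, 3)),        # under dave's limit
    Payment("P-6", "Initech", 60_000.00, "alice", "bob", date(2023, 11, 5)),       # over bob's limit
    Payment("P-7", "Initech", 1_500.00, "alice", "carol", date(2023, 11, 6)),      # clean
]


def segregation_of_duties_violations(ledger):
    """Flag payments where one person both created and approved the transaction."""
    return [p.payment_id for p in ledger if p.created_by == p.approved_by]


def authority_limit_violations(ledger, limits=APPROVAL_LIMITS, roles=ROLES):
    """Flag payments whose amount exceeds the approver's role limit."""
    return [p.payment_id for p in ledger if p.amount > limits[roles[p.approved_by]]]


def duplicate_payments(ledger, window_days=7):
    """Flag (earlier, later) pairs with the same vendor and amount inside the window."""
    by_key = defaultdict(list)
    for p in ledger:
        by_key[(p.vendor, p.amount)].append(p)
    flagged = []
    for group in by_key.values():
        group.sort(key=lambda p: p.created_on)
        for earlier, later in zip(group, group[1:]):
            if (later.created_on - earlier.created_on).days <= window_days:
                flagged.append((earlier.payment_id, later.payment_id))
    return flagged


def split_transactions(ledger, limits=APPROVAL_LIMITS, roles=ROLES):
    """Flag same-day payments to one vendor by one approver that each sit under
    the approver's limit but together exceed it (a common limit-evasion pattern)."""
    by_key = defaultdict(list)
    for p in ledger:
        by_key[(p.vendor, p.approved_by, p.created_on)].append(p)
    flagged = []
    for (_, approver, _), group in by_key.items():
        limit = limits[roles[approver]]
        if (len(group) >= 2
                and all(p.amount <= limit for p in group)
                and sum(p.amount for p in group) > limit):
            flagged.append(tuple(p.payment_id for p in group))
    return flagged


def run_detective_controls(ledger):
    """Run every control and return findings keyed by control name."""
    return {
        "segregation_of_duties": segregation_of_duties_violations(ledger),
        "authority_limit": authority_limit_violations(ledger),
        "duplicate_payment": duplicate_payments(ledger),
        "split_transaction": split_transactions(ledger),
    }


if __name__ == "__main__":
    for control, hits in run_detective_controls(LEDGER).items():
        print(f"{control}: {hits}")
```

Each control is a separate function so a finding can be traced back to the specific fraud risk it was linked to in the risk assessment, and the thresholds are parameters so they can be tuned and documented rather than buried in the logic. A real deployment would read the ledger from the accounting system and route findings to someone independent of the people who created and approved the payments.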
What happens after an organization selects its fraud control activities?
Finally, once the control activities have been decided upon, they must be deployed, most commonly through policies and procedures. Policies and procedures establish:
- Responsibility and Accountability: What will be done, and who will do it.
- Implementation: Timing of the activity and follow-up corrective actions when necessary.
- Reassessment: Best practices would indicate that all policies and procedures are reassessed at specific intervals, and fraud control activities should also be reassessed to ensure effectiveness and that they are functioning as designed.
For more information about fraud control activities and which ones are best for your organization’s fraud risk management program, contact your Windham Brannon advisor today, or contact Matt Stelzman.
Sources:
COSO, Internal Control – Integrated Framework (May 2013)
COSO & ACFE, Fraud Risk Management Guide 2nd Edition (2023)
ACFE, Occupational Fraud 2022: A Report to the Nations (2022)
