
Fraud Risk Management #1 – The Importance of Governance

In recognition of International Fraud Awareness Week, Windham Brannon’s Matt Stelzman takes a deeper dive into the Internal Control-Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (commonly referred to as COSO). Released in 1992, the framework became widely adopted as the leading framework for designing, implementing and conducting internal controls and measuring their effectiveness. COSO revised the framework in 2013, incorporating 17 principles that correlate with five main internal control components.

Fraud risk management is a part of the framework (see Principle 8), but to enhance the understanding and applicability of fraud risks and controls, the Association of Certified Fraud Examiners (ACFE) developed the Fraud Risk Management Guide in 2016 to aid organizations that were intent on deterring fraud. The guide was then updated in 2023, and this article is the first of five articles to explore in-depth each of the five fraud risk management principles and how they relate to the COSO framework.


Principle 1: Fraud Risk Governance

“The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.”

Fraud risk governance correlates to COSO principles one through five, or what is known as the Control Environment. There are several key points of this principle that can guide an organization on the principle’s intent:

  1. Commitment to fraud risk management by the board of directors and senior management.
  2. Support of fraud risk governance by the board of directors, senior management and middle management.
  3. Establishment of a comprehensive fraud risk management program by the board of directors and management.
  4. Establishment of fraud risk governance roles and responsibilities throughout the organization.
  5. Formal documentation of the fraud risk management program, together with regular updates to the program.
  6. Communication of fraud risk management across all levels of the organization to demonstrate management’s commitment to deterring, preventing and detecting fraud.

What should be considered when developing a control environment?

There are several points that should be considered when developing a control environment. First, organizational culture plays a key role in supporting the control environment. If an organization has not established expectations of behavior that reflect integrity, accountability, ethical values and oversight, the control environment will be weak and ineffective.

Second, the risk appetite, or risk tolerance, of the organization must be defined. Risk tolerance is defined by COSO’s 2017 ERM (Enterprise Risk Management) Framework as follows: “The organization defines risk appetite in the context of creating, preserving, and realizing value.” Risk appetite can be, and usually is, different from one organization to another. Within fraud risk management, the relevant measure is the organization’s fraud risk tolerance, a subset of its overall risk tolerance. Fraud risk tolerance is the risk of a fraudulent event occurring after controls have been applied, that is, the residual risk. Since it would be unreasonable to try to eliminate all fraud risk, a fraud risk tolerance should be determined.

Third, the tone at the top is an important element of the control environment. The leadership of the organization, both management and the board of directors, should demonstrate ethical behavior and genuinely support the deterrence, prevention and detection of fraud. Additionally, how management and the board of directors respond to a fraudulent event can send a strong message to the rest of the organization, serving as a further deterrent to fraudulent activity. Tone at the top is not just the behavior that is demonstrated; it should also include written standards of business conduct that reflect integrity and ethics.

Who should “own” fraud risk management within the organization?

While there is no single best answer, the overall responsibility for fraud risk management should be assigned to an appropriate member of senior management. However, this does not mean that this person is solely responsible for fraud risk in the organization. A useful model for assigning fraud risk management and control responsibilities is the Institute of Internal Auditors’ Three Lines Model. The first line of defense is usually the customer-facing employees, who clearly have a role in the fraud risk management process. The second line of defense usually involves employees who support the fraud risk management process through monitoring, reporting and compliance activities. The third line of defense is usually an independent function that reports separately to senior management or the board of directors; internal audit is a good example of a third line of defense. The third line of defense also provides objective assurance on the fraud risk management program’s functionality and effectiveness.

What about training and whistleblower systems?

Fraud awareness training should be conducted routinely with all employees of the organization. This keeps fraud risks at the forefront of employees’ minds and educates them on new fraud trends as they emerge. In addition, a whistleblower system, or “hotline,” should be put in place. The whistleblower system does not have to be a phone line; it can be any set of processes that allows employees to report suspected fraudulent activity without fear of repercussions. The ACFE has long demonstrated and reported that whistleblower processes are very effective in determining whether a fraudulent event has occurred. However, this is not to discredit other essential aspects of the control environment, including corporate security, auditors, regulators and even vendors.

A strong control environment goes hand-in-hand with a fraud risk management program, as both support each other in terms of effectiveness. For more information about how to optimize controls and a strong fraud risk management program, reach out to your Windham Brannon advisor today, or contact Matt Stelzman.

Sources:

COSO, Internal Control – Integrated Framework (May 2013)

COSO & ACFE, Fraud Risk Management Guide 2nd Edition (2023)

ACFE, Occupational Fraud 2022: A Report to the Nations (2022)