The Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 internal control framework includes five COSO components and 17 COSO principles and is part of the common criteria included in a SOC 2 assessment. The five COSO components include the following:
- Control Environment,
- Risk Assessment,
- Control Activities,
- Information and Communication, and
- Monitoring Activities.
For a system of internal control to operate effectively, each of the five COSO components and 17 COSO principles needs to be present and functioning in an integrated manner.
The risk assessment component is made up of four principles, including COSO Principle 8, which states that the organization or entity considers the potential for fraud in assessing risks to the achievement of objectives. This discussion provides considerations for assessing the potential for fraud risks to the achievement of objectives, as well as an overview of the fraud risk management guide released in 2016, which was developed to serve as a best practice guide for a fraud risk management program.
What is the Definition of Fraud?
Fraud is defined as an intentional act or omission that relies upon deceit to cause harm to an individual or entity and produces a gain to another – as in financial gain, competitive or political advantage. It is a knowing misrepresentation of the truth or omission of a material fact that causes an individual or entity to act based upon the deception to their own detriment. According to the Association of Certified Fraud Examiners (ACFE) 2022 Report to the Nations, an estimated 5% of an organization’s revenue is lost to fraud annually.
Additionally, asset misappropriation schemes are the most common, with a median loss of $100,000. Billing, noncash, expense reimbursements, and check and payment tampering are the asset misappropriation fraud schemes that present the greatest risk. Common cyber frauds include ransomware, business email compromise, computer viruses and malware, spoofing, phishing, and identity theft.
What are the Types of Fraud Risk?
The types of fraud risk may be classified as follows.
- Fraudulent Financial Reporting – Any intentional misstatement of financial information.
- Fraudulent Non-Financial Information – Examples include misstated operational performance metrics, quality assurance reports, safety records, etc.
- Misappropriation of Assets – Includes misappropriation by employees, vendors, or other third parties of tangible and intangible assets, such as through theft, fictitious invoices, cyber hacks, etc.
- Corruption and Other Illegal Acts – Violation of laws and regulations, bribery, kickbacks, illicit use of PII, ePHI, intellectual property, or national security information, etc.
What is the Fraud Triangle?
The three components of the fraud triangle must be present for fraud to occur. They are opportunity, incentive/pressure, and attitude/rationalization. The following describes the fraud triangle components within the COSO points of focus when performing a fraud risk assessment.
What Should be in a Fraud Risk Assessment?
A fraud risk assessment evaluates the various ways that potential fraud could occur and prevent the entity from achieving its objectives, including its service commitments and system requirements. It also helps to uncover weaknesses in the system of internal control that may increase the likelihood of fraud. COSO Principle 8 has five points of focus that describe the important factors to consider for the criterion, quoted below directly from the AICPA SOC 2 Guide. Direct references to the fraud triangle components appear in points of focus 2-4.
1. “Considers Various Types of Fraud – The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.”
This is best achieved by the entity through brainstorming the various types of fraud schemes that could prevent the organization from achieving its objectives including meeting its service commitments and system requirements. Consideration should be given to potential insider threats and management override of controls.
2. “Assesses Incentives and Pressures – The assessment of fraud risk considers incentives and pressures.”
This considers why and what is motivating the perpetrator to commit fraud. Incentives could include cash, bonus payments, reduced competition, or political motivation. Pressures could be to meet a deadline, a sales goal, operational metrics, or a service level agreement target to avoid a penalty payment.
3. “Assesses Opportunities – The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity’s reporting records, or committing other inappropriate acts.”
For this point of focus, one must ask how fraud could be committed in the environment being assessed. One needs to put oneself in the shoes of the perpetrator and, absent controls, brainstorm what harm could be committed and how. Weaknesses in the system of internal control create the opportunity for fraud to occur.
4. “Assesses Attitudes and Rationalizations – The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.”
Consider how the perpetrator excuses their actions in perpetrating the fraud. An employee may excuse their actions because they were overlooked for a promotion or raise and are overworked. An employee may think that they were wrongfully dismissed. An external actor may want to do harm in order to lift up another organization or country.
5. “Considers the Risks Related to the Use of IT and Access to Information – The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.”
For this point of focus, consider cyber risks, threats, and vulnerabilities to IT and data assets through consideration of fraud risk at the database, application, and operating system layers. Consider how an individual could harm the IT environment and access sensitive information to cause damage to the entity. Examples are social engineering, phishing attacks, ransomware hacks, distributed denial of service (DDoS) attacks, brute force attacks, etc.
What Should Be Included in a Fraud Risk Management Program?
Fraud risks are impossible to entirely eliminate within an organization. The best-case scenario is for an organization to understand its fraud risk exposures and implement a strong fraud risk management program to address them. Management is responsible for an ethical culture through an appropriate tone at the top and for making sure controls are in place and operating effectively to deter, prevent, detect in a timely manner, and mitigate significant acts of fraud. The fraud risk management guide describes the fraud risk management program, including the five fraud risk management principles and how it aligns with the COSO integrated internal control framework to manage fraud risk.
What are the Fraud Risk Management Principles?
The five fraud risk management principles align with the COSO integrated internal control framework and provide an overview for managing fraud risk and supporting the control environment. The fraud risk management components and principles directly from the COSO fraud risk management guide are noted below.
Control Environment
“Principle 1 – The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.”
This may be reflected by a strong corporate culture notably through management’s “tone at the top” and documented within the entity’s code of conduct.
Risk Assessment
“Principle 2 – The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.”
This may be demonstrated within a broader enterprise-wide risk assessment or through a separate standalone fraud risk assessment conducted by a diversified team of functional leaders using a risk-based approach. Results should be incorporated within the entity’s risk register matrix and include the likelihood and impact of the fraud risk without consideration of existing controls. Mitigating controls that exist, if any, would be applied against the inherent risk to determine the residual fraud risk and whether additional actions are needed to reduce the risk to an acceptable risk tolerance level.
Fraud risk covers a broad range of examples that includes financial statement misstatements, conflicts of interest, kickbacks, bid rigging, larceny, billing schemes, fictitious invoices, check tampering, skimming, etc. Cyber fraud risk examples include social engineering attacks, phishing attacks, ransomware hacks, distributed denial of service attacks, business email compromises, etc.
Control Activities
“Principle 3 – The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.”
A combination of preventative controls and detective controls should be established through policies and procedures that support the functioning of fraud control activities to deter, prevent, and detect the occurrence of fraudulent events in a timely manner. Policies and procedures should be communicated and shared with staff so that they understand their responsibilities including managing fraud risk. Proper segregation of duties is a key anti-fraud control that assists in reducing fraud risk. Other examples include reconciliations, management reviews, data analysis, securing networks, requiring strong passwords, encrypting data, enabling multi-factor authentication, training staff on cybersecurity risks, etc.
Information and Communication
“Principle 4 – The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.”
The entity may demonstrate this through an open-door policy or whistleblower policy along with a whistleblower hotline. Methods for reporting concerns may be communicated in the employee handbook along with documentation of disciplinary actions, up to and including dismissal, for policy violations or other performance issues. A plan should be put in place to expeditiously investigate allegations of fraud or misconduct, including roles and responsibilities, root cause, corrective action, and lessons learned to incorporate back into the plan.
Monitoring Activities
“Principle 5 – The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.”
Ongoing and/or periodic evaluations of the fraud risk management program should be performed to make sure it covers emerging fraud risks as well as changes in the system of internal control and continues to be designed and operating effectively. Deficiencies identified should be remediated in a timely manner to mitigate potential fraud risks.
Summary
Fraud risk can’t be entirely eliminated. Consideration of the potential for fraud in assessing risks to the organization’s achievement of objectives, including its service commitments and system requirements, is needed to meet COSO Principle 8 requirements. Implementing a fraud risk management program and performing periodic fraud risk assessments help an entity deter, prevent, and detect fraud in a timely manner. Entities that proactively manage fraud risk decrease their risk of financial loss, strengthen their system of internal controls, reduce lost time and resources investigating allegations of fraud, minimize the need for legal services, and limit reputational damage.
Becky McCarty has over 20 years of experience in internal controls, audit, and advisory services. She specializes in SOC 1 and SOC 2 examinations for Linford & Co., LLP. Becky completed a Bachelor’s degree in Business Administration (Accounting) and a Master of Science degree in Management Information Systems. She worked 6 years with KPMG LLP commencing in 1999, worked several years in the energy industry, and joined Linford & Co., LLP in 2018. Becky also served 9 years on the Board of Directors for a home healthcare nonprofit. She works closely with clients so that the examinations are performed efficiently and with minimal disruption while ensuring performance in accordance with professional guidance. She enjoys helping clients successfully achieve the requirements for their SOC compliance efforts based on their objectives and/or applicable trust services criteria.