Fighting Fraud Using COSO: A Practical Approach by Internal Auditor
Fraud is a significant threat to organization, especially a complex global organization operating with multiple businesses and geographies. The situation gets more complicated now as opportunities and justification are enhanced during COVID-19. An ACFE report says, organizations typically lose 5 percent of revenues to fraud annually. COSO framework may be used to develop a comprehensive mechanism to mitigate frauds effectively and proactively. |
Frauds in the organization would have an adverse impact on operations, profitability, employee morale and reputation. Internal audit function of the entity can spearhead the fight against fraud by developing a comprehensive mechanism to mitigate frauds.
Get Set Go
To develop a program for mitigating frauds comprehensively, the IA function shall take all stake holders along and success of the fraud prevention program largely depends on acceptability of key stakeholders. Making a cross functional team (CFT) is the best way for bringing the stakeholders on same platform. CFT, comprising the CEO, Chief Compliance Officer, and CIA shall provide guidance and oversight.
Following are the stages in development of a typical fraud prevention program:
- Initial research
- Program model development
- Program components identification
- Pilot assessments
- Risk assessment methodology refined
- First fraud-awareness communication launched
- Ongoing assessment cycles commenced
- Fraud mitigation policy and framework released
- Program refinement and improvement – ongoing.
The CFT can develop fraud prevention mechanism adopting the five components of COSO. The COSO framework, when used in respect of fraud prevention framework would normally look like the following:
Upon establishing the program model, the CFT need to developing the risk and controls assessment methodology through a series of pilot assessments. The focus at this stage would be not only on fraud risks but also on mitigating controls.
The team shall refer to (or create, if not already in place) the fraud risk register and risk universe. The risk register list down relevant fraud risks under four major categories of frauds: asset misappropriation, corruption, fraudulent reporting and external frauds. The fraud risk universe contains various fraud schemes populated from a variety of sources, including previous investigations of compliance with concerned entity and maps specific risks to business processes and known controls.
Various valuable learning would be gained during the assessment stage. The Internal Audit team can take lead in steering in a formal assessment so that the effort is uniform and consistent to produce more reliable results. Finally, the team needs to refine its initial tools and templates used in assessments to make them more effective, user-friendly, and aligned with those used by the entity’s ethics and compliance framework in place.
Risk Assessment
The Internal Audit team shall prepare report on pilot assessments. Based on the pilot assessment results, IA team member shall make a methodology to efficiently address fraud risks by assessing the functions that supported high – risk processes across all verticals in the entity.
For identification of various functions, the IA team shall devise an annual assessment planning process as per fraud risk ranking. Factors such as fraud events reported in past, issues reported in past audit reports, exposure to management, degree of third-party interaction, expenses and previous fraud risk and control assessments shall be considered for ranking besides grading as per likelihood and impact of inherent fraud risks.
The project team shall also develop a standard risk assessment worksheet to document each step of an assessment, including identified inherent fraud risks, fraud schemes, risk ratings, mitigating controls, risk response, and a mitigation plan – as it is done in a typical risk management assignment. Finally, wherever needed, the IA team assists in the preparation and tracking of a fraud mitigation plan.
Communicating Results
The internal audit team shall, jointly with the Chief Compliance Officer, develop a plan for enhancing fraud awareness through a mix of training and communications. Messages need to be sent to employees regarding the impact fraud can have on business operations and how fraud mitigation is responsibility of all employee.
Defining Policy Framework
Next step is drafting of fraud mitigation policy and framework detailing the fraud-related responsibilities of employees and management. The framework shall summarize how to approach fraud mitigation through prevention, detection, reporting, and response.
Advantages of Fraud Management Mechanism
The FMP has become an integral part of HP’s risk management structure, helping the organization demonstrate that it identifies and responds to fraud risks systematically.
With a comprehensive fraud management program, entity can identify fraud risks across multiple business units that allow the remediation of enterprise-wide issues effectively and focuses senior management’s attention on high-impact areas. Internal Audit shall develop and directs the mechanism, and to be reviewed periodically by an independent party.
Conclusion: Just as fraud is evolving especially with justification attributed to job losses due to pandemic, the fraud management mechanism needs to evolve continuously. Internal audit needs to constantly monitor improvements to the methodology and other ways the mechanism can continue to contribute to the entity’s risk mitigation environment and internal audit assurance model.