Fraud risk assessments and COSO: Opportunities and common pitfalls

In light of the new guidance and increasing scrutiny by the SEC, companies may need to revisit their current fraud risk assessment framework and implement new or enhanced procedures and considerations when assessing the risk of fraud.

The purpose and structure of fraud risk assessments

Although a majority of public companies have adopted the 2013 Internal Control – Integrated Framework (the Framework), published by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), approximately one in four have remained with the original 1992 framework or have not disclosed which framework they have followed.[1]

Companies that have not yet adopted the Framework should take note of the following Securities and Exchange Commission (SEC) statement:

The longer [corporate] issuers continue to use the 1992 framework, the more likely they are to receive questions from the [SEC] staff about whether the issuer’s use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognized framework.[2]

One area of focus in particular has been implementation of Principle 8, which explicitly requires consideration of the risk of fraud when assessing risks to the achievement of an organization’s objectives.

This article offers some insights into the implementation of fraud risk assessments (FRA or FRAs) with emphasis on leading practice considerations and some common pitfalls.

[1] “Report: Majority Adopt New COSO Framework,” Tammy Whitehouse, Compliance Week, April 13, 2015, https://www.complianceweek.com/blogs/accounting-auditing-update/report-majority-adopt-new-coso-framework#.

[2] See minutes of the September 25, 2013, meeting of the Center for Audit Quality SEC Regulations Committee with the staff of the SEC, http://www.thecaq.org/docs/reports-and-publications/2013septembe25jointmeetinghls.pdf.

Opportunities and pitfalls associated with FRA implementation

Some organizations may underestimate the time, effort, and planning required to properly execute an FRA, particularly if the organization’s first FRA is part of a 2013 COSO implementation. Being aware of the leading practices mentioned in this article when performing an FRA can help organizations comply effectively with 2013 COSO requirements and avoid some common pitfalls:

  • Plan ahead and allow adequate time
  • Involve relevant stakeholders
  • Disregard the control environment when identifying potential fraud schemes
  • Be specific when identifying potential fraud schemes
  • Utilize a risk-based approach
  • Don't forget to consider emerging risks
  • Document the FRA outcomes thoroughly
