The COSO 2013 Update and the Fraud Examiner


As I’m sure a majority of our Chapter members (and the readers of this blog) are aware, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the first version of its Internal Control – Integrated Framework in 1992. The purpose of the document was, by providing a sorely needed common definition of internal control, to overcome a high level of existing confusion about exactly what internal control was, not only among organization managements and assurance professionals like internal and external auditors, but also among other publics key to the financial control process like regulators and legislators. The 1992 document and the 2013 revision define internal control as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance. The COSO Integrated Framework underwent a substantial revision in 2013, the details of which are relevant to the practice of every CFE, especially as we conduct fraud risk assessments for our clients and go about the process of investigating and reporting on financially related instances of actual and suspected fraud.

The 1992 Framework definition embodies certain fundamental assumptions about internal control: internal control is a process, a means to an end, not an end in itself; internal control is effected by people, not constituted by policy manuals and forms, but by people doing their jobs at every level of the organization; internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board; and internal control is directed toward the achievement of objectives in one or more separate but overlapping categories. The 2013 revision expands on the original definitional framework by emphasizing that internal control is directed not only toward achieving organizational objectives in one or more separate but overlapping categories, but also toward general operations, reporting and compliance, and that it is a process of ongoing tasks and activities; again, a means to an end, not an end in itself. Finally, the system of internal control is adaptable to the organization’s structure and flexible in application to the entity or to a particular subsidiary, division, operating unit or business process.

So what’s changed and what hasn’t between the 1992 and 2013 versions of the Framework that’s of special importance to fraud examiners? The major change is that the 2013 version replaces the 1992 factors of internal control with 17 principles grouped under the five components: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication and 5) monitoring activities. Two of the principles grouped under risk assessment, for example, are: 6. the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives; and 8. the organization considers the potential for fraud in assessing risks to the achievement of objectives. The 2013 version also updates the Framework to reflect changes over the last two decades in business structures, operations and the financial regulatory environment. The last of the major changes of interest to fraud examiners is that the 2013 version broadens the arena of financial reporting to include internal and external financial and operational reporting.

Other changes include clarification that, for internal control to be effective, all five components and seventeen principles must be present and functioning effectively. Setting objectives is not considered in the revision to be part of internal control; it’s a precondition of internal control. Assessing internal control, for the fraud examiner and other assurance professionals, includes determining whether organizational objectives are suitable for the client organization considering relevant facts, circumstances and established laws. A corollary of this last point is that objectives and sub-objectives need to be adequately communicated throughout the organization.

The 2013 update enhances organizational governance concepts and the consideration of anti-fraud and information management related expectations, as well as providing additional approaches and examples relevant to operations, compliance and non-financial reporting objectives. The update also places greater emphasis on flexibility in applying all the principles and concepts it defines to the unique characteristics of each organization (something the ACFE never ceases to emphasize to all of us as critical to good fraud examination).

So what hasn’t changed between 1992 and 2013? The basic definition of internal control, the five components of internal control, the important role of judgment in designing, implementing and conducting internal control, and the basic process of assessing the effectiveness of internal control have not changed. I would urge every member of our Chapter, and our guests, to review in detail the components of the 2013 COSO update, since many of the changes will substantially extend and improve the guidance available to every active assurance practitioner, especially as we’re involved in the process of risk assessment and fraud prevention.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early registration)! For details see our prior post entitled “Save the Date”!
