The Fraud Examiner & the COSO Model

I often get basic questions from CFE examination candidates about organizational internal control and risk assessment that would be easily answered for the questioner if s/he understood the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. In the 1980s the savings and loan scandal and other high-profile financial disasters led legislators to demand changes to prevent such events from recurring. As a result, the National Commission on Financial Reporting was formed in 1985 to study the causal factors that can lead to financial frauds and to develop recommendations to guide the practice of public companies, independent auditors, the SEC, other regulators and educational institutions. The bottom line for us here is that one of the major conclusions of the commission was that the best way to prevent major financial frauds was to improve internal control. That conclusion led to the eventual publication of the COSO model of internal control.

Then along came the Sarbanes-Oxley Act of 2002, specifically section 404 of that legislation, requiring management of publicly traded companies to evaluate internal controls every year and their financial auditors to opine on that evaluation. The COSO model was the logical one to use to standardize how internal controls would be defined and evaluated under section 404.

COSO defines internal controls as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance with applicable laws and regulations.

The COSO Model of Internal Controls is built on five elements of internal control, each of which can be framed as a question the fraud examiner asks of the entity:

–control environment – what is the risk of material misstatement occurring within the current entity and its environment?

–risk assessment – has the entity made an effective effort to identify areas of risk that would allow a material misstatement to occur?

–information and communication – does the entity have sufficient controls to ensure the timely and proper notification of a material misstatement if and when one occurs?

–control activities – are there sufficient controls that, in the aggregate, effectively mitigate the risk of a material misstatement in the financial statements to an acceptable level?

–monitoring – does the entity have a system of monitoring activities to continuously evaluate and improve the effectiveness of its internal controls?

The importance of the corporate control structure looms so large in our work as fraud examiners that each of us should have an in-depth understanding of all this model has to offer as a framework for the analysis of the performance of any organizational entity, either public or private. Fraud and irregularities are examples of the breakdown of the structure of internal control, and applying the COSO model as an analytic framework for what ought to be helps us identify what shouldn't be when we come across it.

It's imperative that fraud examiners know how to apply the COSO model. This involves not only an understanding of the major components of the model but also how to develop meaningful and effective fraud examination procedures based on it, such as inquiries and observations.