Governance and Fraud Detection

Originally, the business owner had the most say in decisions regarding the enterprise. Then, corporate structures were put in place to facilitate decision making, as ownership was spread over millions of shareholders. Boards of directors took over many responsibilities. But with time, the chief executive officer (CEO) ended up having a large say in the composition of the board and, in many instances, ruled and controlled the company and its strategy. The only option for shareholders appeared to be to sell their shares if they were not happy with the performance of a specific organization. Many anti-fraud professionals think that this situation contributed significantly to business demises such as that of Enron and to the horrors consequent to the mortgage meltdown and accompanying fiscal crisis.

Proposals were made to re-equilibrate the power structure by giving more power and responsibilities to the board and to specific committees, such as the audit committee, to better deal with internal control and fair financial reporting or the remuneration committee to better deal with the basis for the type and the level of remuneration of the CEO. New legislation was put into place, such as the US Sarbanes-Oxley Act and Basel II. Compliance with these pieces of legislation consumed a lot of attention, energy and cost.

Enterprises exist to deliver value to their stakeholders. This is accomplished by handling risk advantageously and using resources responsibly. Speedy direction setting and quick reaction to change are essential in such a situation so decision making must be shared among many. Therefore, governance comes into play. Successful enterprises implement an over-arching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise; this is especially true with regard to the problem of fraud detection.  In this context, a holistic definition of enterprise governance is in order: Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

This definition is initially implemented by the answers to and actions on the following governance related questions:

Who is accountable and responsible for enterprise governance? Stakeholders, owners, governing bodies and management are responsible and accountable for governance.

What do they do, and how and where do they do it? They engage in activities (set direction, monitor compliance and performance) in relationship with others and use enablers (frameworks, principles, structures, processes, practices) within the governance view appropriate to them (governance of the enterprise; of an organizational entity within the enterprise such as a business unit, division or function; and of a strategic asset within the enterprise or within an organizational entity).

Why do they do it? They institute governance to create value for their enterprise, determine its risk appetite, optimize its resources and use them responsibly.

In summary, accountability and stewardship are delegated to a governance body by the owner/stakeholder, expecting it to assume accountability for the activities necessary to meet expectations. In alignment with the overall direction of the enterprise, management executes the appropriate activities within the context of a control framework, balancing performance and compliance in achieving the governance objectives of value creation, risk management and resource optimization.

Fraud detection (within the context of a fully defined fraud prevention program) is a vital business process of the overarching governance function and can be implemented by numerous generally accepted procedures. A few examples follow.

One way to increase the likelihood that the governance function detects fraud abuses is to conduct periodic external and internal audits, as well as special network security audits. Auditors should regularly test system controls and periodically “browse” data files looking for suspicious activity. However, care must be exercised to make sure employees’ privacy rights are not violated. Informing employees that auditors will conduct random surveillance not only helps resolve the privacy issue, but also has a significant deterrent effect on computer-assisted fraud.

Employees witnessing fraudulent behavior are often torn between two conflicting feelings. They feel an obligation to protect company assets and turn in fraud perpetrators, yet they are uncomfortable in a whistleblower role and find it easier to remain silent. This reluctance is even stronger if they are aware of public cases of whistleblowers who have been ostracized or persecuted by their coworkers or superiors, or have had their careers damaged. An effective way to resolve this conflict is to provide employees with hotlines so they can anonymously report fraud. The downside of hotlines is that many of the calls are not worthy of investigation. Some calls come from those seeking revenge, others are vague reports of wrongdoing, and others simply have no merit. A potential problem with a hotline is that those who operate the hotline may report to people who are involved in a management fraud. This threat can be overcome by using a fraud hotline set up by a trade organization or commercial company. Reports of management fraud can be passed from this company directly to the board of directors.

Many private and public organizations use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems through the performance of system penetration testing.  The consultants are paid to try everything possible to compromise an enterprise’s system(s). To get into offices so they can look for passwords or get on computers, they masquerade as janitors, temporary workers, or confused delivery personnel. They also employ software based hacker tools (readily available on the Internet) and social engineering techniques.  Using such methods, some outside consultants claim that they can penetrate 90% or more of the companies they “attack” to a greater or lesser degree.

All financial transactions and activities should be recorded in a log. The log should indicate who accessed what data, when, and from which location. These logs should be reviewed frequently to monitor system activity and trace any problems to their source. There are numerous risk analysis and management software packages that can review computer systems and networks and the financial transactions they contain. These packages evaluate security measures already in place and test for weaknesses and vulnerabilities. A series of reports are then generated to explain any weaknesses found and suggest improvements. Cost parameters can be entered so that a company can balance acceptable levels of vulnerability and cost effectiveness. There are also intrusion-detection programs and software utilities that can detect illegal entry into systems along with software that monitors system activity and helps companies recover from fraud and malicious actions.
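The paragraph above says what a transaction log must capture (who, what, when, from where) and that it must be reviewed frequently. The following added example, which is not code from the original post, shows what such a review can look like when automated: it parses constructed log lines in that who/what/when/where shape and applies three review rules (activity outside business hours, activity from a source network not on the user’s known list, and a burst of sensitive actions within a short window). The log format, the business-hours policy, the per-user known networks and the thresholds are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample log in the who / what / when / where shape the post describes.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z user=alice action=read record=ap_invoice src=10.0.5.21
2024-03-04T09:14:30Z user=alice action=update record=ap_invoice src=10.0.5.21
2024-03-04T10:02:11Z user=bob action=read record=gl_journal src=10.0.7.8
2024-03-04T23:41:09Z user=bob action=export record=payroll src=203.0.113.7
2024-03-04T23:41:12Z user=bob action=export record=payroll src=203.0.113.7
2024-03-04T23:41:15Z user=bob action=export record=payroll src=203.0.113.7
2024-03-04T23:41:18Z user=bob action=export record=payroll src=203.0.113.7
2024-03-05T11:05:44Z user=carol action=read record=vendor_master src=10.0.9.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)

# Assumed review policy (hypothetical values chosen for this example).
BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 UTC
KNOWN_SRC_PREFIXES = {                 # source networks each user normally works from
    "alice": ("10.0.",), "bob": ("10.0.",), "carol": ("10.0.",),
}
SENSITIVE_ACTIONS = {"export", "delete"}
BURST_THRESHOLD = 3                    # more than this many sensitive actions ...
BURST_WINDOW_SEC = 60                  # ... within this many seconds is a burst


def parse_log(text):
    """Turn raw log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def review_access_log(text):
    """Return a list of (user, rule, detail) findings for a reviewer to follow up."""
    findings = []
    sensitive_times = defaultdict(list)
    for r in parse_log(text):
        when = r["ts"]
        if when.hour not in BUSINESS_HOURS:
            findings.append((r["user"], "off_hours", f"{r['action']} {r['record']} at {when.isoformat()}"))
        prefixes = KNOWN_SRC_PREFIXES.get(r["user"], ())
        if not any(r["src"].startswith(p) for p in prefixes):
            findings.append((r["user"], "unknown_source", f"{r['action']} {r['record']} from {r['src']}"))
        if r["action"] in SENSITIVE_ACTIONS:
            sensitive_times[r["user"]].append(when)
    # Sliding window over each user's sensitive actions; one finding per user at most.
    for user, times in sensitive_times.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > BURST_WINDOW_SEC:
                start += 1
            if end - start + 1 > BURST_THRESHOLD:
                findings.append((user, "burst", f"{end - start + 1} sensitive actions within {BURST_WINDOW_SEC}s"))
                break
    return findings


def summarize(findings):
    """Count findings per rule so a reviewer sees the shape of the problem first."""
    return Counter(rule for _, rule, _ in findings)


if __name__ == "__main__":
    for user, rule, detail in review_access_log(SAMPLE_LOG):
        print(f"{user:6} {rule:15} {detail}")
    print(dict(summarize(review_access_log(SAMPLE_LOG))))
```

In the constructed sample only one user trips any rule, and does so on all three at once; that convergence (off hours, unfamiliar location, repeated exports of payroll data) is the kind of pattern a reviewer would escalate, whereas a single off-hours read on its own would usually just be noted.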

People who commit fraud tend to follow certain patterns and leave tell-tale clues, often things that do not make sense. Software is readily available to search for these fraud symptoms. For example, a health insurance company could use fraud detection software to look at how often procedures are performed, whether a diagnosis and the procedures performed fit a patient’s profile, how long a procedure takes, and how far patients live from the doctor’s office.
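The health insurance example above lists four fraud symptoms: how often a procedure is performed, whether the diagnosis fits the procedure, how long the procedure takes, and how far the patient lives from the office. The following added example, not code from the original post, turns those four symptoms into screening rules over a constructed set of claims. The procedure and diagnosis codes, the minimum durations, the per-patient frequency limits and the distance threshold are hypothetical values made up for the example; a real screen would load the plan’s own reference tables.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Claim:
    claim_id: str
    patient_id: str
    provider_id: str
    diagnosis: str
    procedure: str
    duration_min: int     # time billed for the procedure
    distance_km: float    # distance from the patient's home to the provider


# Hypothetical reference rules constructed for this example:
# procedure -> (compatible diagnoses, minimum plausible minutes, max claims per patient per period)
PROCEDURE_RULES = {
    "P-XRAY":   ({"D-FRACTURE", "D-SPRAIN"}, 5, 4),
    "P-MRI":    ({"D-FRACTURE", "D-TUMOR"}, 20, 2),
    "P-PHYSIO": ({"D-SPRAIN", "D-BACKPAIN"}, 30, 12),
}
MAX_DISTANCE_KM = 150.0   # assumed threshold for "lives unusually far from the office"

# Constructed claims for one review period.
CLAIMS = [
    Claim("C1", "pat-1", "PR-1", "D-FRACTURE", "P-XRAY", 8, 12.0),
    Claim("C2", "pat-1", "PR-1", "D-FRACTURE", "P-MRI", 35, 12.0),
    Claim("C3", "pat-2", "PR-2", "D-TUMOR", "P-MRI", 3, 220.0),
    Claim("C4", "pat-2", "PR-2", "D-TUMOR", "P-MRI", 3, 220.0),
    Claim("C5", "pat-2", "PR-2", "D-TUMOR", "P-MRI", 3, 220.0),
    Claim("C6", "pat-3", "PR-2", "D-FRACTURE", "P-PHYSIO", 45, 30.0),
    Claim("C7", "pat-4", "PR-1", "D-SPRAIN", "P-XRAY", 6, 20.0),
]


def screen_claims(claims):
    """Map each claim_id to the list of fraud symptoms it triggers (empty list = clean)."""
    # Frequency is a property of the whole period, so count before looking at single claims.
    frequency = Counter((c.patient_id, c.procedure) for c in claims)
    results = {}
    for c in claims:
        rule = PROCEDURE_RULES.get(c.procedure)
        if rule is None:
            # A code with no reference entry cannot be judged; surface it rather than skip it.
            results[c.claim_id] = ["unknown_procedure"]
            continue
        compatible, min_minutes, max_per_patient = rule
        symptoms = []
        if c.diagnosis not in compatible:
            symptoms.append("diagnosis_mismatch")
        if frequency[(c.patient_id, c.procedure)] > max_per_patient:
            symptoms.append("procedure_frequency")
        if c.duration_min < min_minutes:
            symptoms.append("short_duration")
        if c.distance_km > MAX_DISTANCE_KM:
            symptoms.append("far_distance")
        results[c.claim_id] = symptoms
    return results


def flagged_by_provider(claims):
    """Count flagged claims per provider, so reviewers see where symptoms cluster."""
    screened = screen_claims(claims)
    return Counter(c.provider_id for c in claims if screened[c.claim_id])


if __name__ == "__main__":
    for claim_id, symptoms in screen_claims(CLAIMS).items():
        print(claim_id, symptoms or "clean")
    print(dict(flagged_by_provider(CLAIMS)))
```

Each rule on its own produces false positives (a patient really may travel far for a specialist), which is why the per-provider tally matters: symptoms that cluster around one provider are a stronger lead than the same symptoms scattered across many.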

Neural networks (programs that mimic brain activity and can learn new concepts) are quite accurate in identifying suspected fraud. For example, Visa and MasterCard operations employ neural network software to track hundreds of millions of separate account transactions daily. Neural networks spot the illegal use of a credit card and notify the owner within a few hours of its theft. The software can also spot trends before bank investigators do.

Each enterprise needs to determine its appropriate overall governance system and the fraud detection approaches it decides to implement in support of that system. To help in that determination, mapping the governance frameworks, principles, structures, processes and practices currently in use is beneficial. CFEs and forensic accountants are uniquely qualified to assist in this process given their in-depth knowledge of all types of fraud scenarios and of how to tailor the anti-fraud controls most appropriate for the control of each within a specific company environment.

Tone Deaf

The sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press. Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented. One of the problems is that there are so many facile definitions of the concept in popular use. The one I like the most is one of the simplest, declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It’s best described as the consistency among statements, assertions and explanations of the management and its actions. In summary, tone at the top is seen by some as a part of and by others as equal to the internal control environment.

The rub is that tone at the top is not only far more complicated than the above definition would lead a casual reader of trade press articles to believe, but also that it’s invisible to the standard tests of an outside auditor or fraud examiner. So a baseline would be a valuable addition not only for fraud examiners and financial auditors, but also for all types of assurance professionals.

To determine a baseline, one first needs to define the different aspects of the target concept. Thus, a baseline might provide reviewers with a starting point to begin improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through its implementation of a well-functioning internal control system, but can also have a positive impact on the financial results of an organization. Organizations with an effective corporate governance policy just perform better than those that don’t. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.

Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory. The agency theory views an organization as a nexus of contracts. Separation of ownership and control is essential for this theory.  The agent (the manager) is in control of the organization; however, he or she does not own the organization; the organization is owned by the principal (stakeholders).  Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.

Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option based on the available information. TCE aims to explain how firms are formed. Firms are created to minimize transaction costs. The domain of TCE has proven useful to explain management control structures. The performance evaluation needs to be behavior based, with non-financial subjective measures. Output controls are low with TCE. Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.

The stakeholder theory is based on the belief that besides shareholders, there are others with an interest in the organization. Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders. Tone at the top represents a form of cultural control to the MCS school. Cultural controls stimulate employees to monitor and stimulate each other’s behavior. Cultural controls rely on group pressure; if a person deviates from the group’s values, the group will put the person under pressure to convert him or her back to the dominant values. Cultural controls are usually translated into corporate governance codes. Corporate governance codes are mainly formulated to prevent or minimize fraudulent activities in organizations by means of internal control. Five methods of cultural control have been identified, namely code of conduct, group rewards, transfers, physical and social controls, and tone at the top.

Tone at the top forms an important part of corporate governance codes. Management behavior should coincide with the culture it tries to form; managers fulfill an example function. An important factor is implementing and operating a whistleblower policy: if staff at any level observe fraudulent activities they can report them and be protected against possible retaliation.

Each of our above theories concludes that an organization needs to have a corporate governance code to minimize transaction cost, manage stakeholder interest and, thereby, increase shareholder value.  However, recent well publicized corruption cases have led to calls in the popular press for a more formal approach.  So, what might such a formal, COSO based, approach look like?

First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example and focus on people skills. They also need to display integrity. Their risk awareness, actions and messages need to coincide with the dominant culture. It is also important for management to formally commit to competence.

As to culture, an independent and active risk culture is necessary for tone at the top to be successful.  Also, employees need to be empowered to make the right decisions.  The reward systems and the culture need to reward desired behavior and be compliant with the norms.  In the event of something going wrong despite these cultural aspects, there needs to be an effective policy present to protect whistleblowers.

Finally, the risk appetite should be linked to the strategy.  The supervisory board needs to be independent, active and involved.  Responsibilities need to be defined, and management needs to receive adequate information.

All three of the above aspects are an integral part of what the experts currently define as tone at the top. According to the ACFE, tone at the top can assist in averting fraud throughout every level of an organization. It’s therefore necessary to include its assessment in the scope of the fraud examiner’s fraud risk assessment and to formally schedule its periodic re-evaluation.

The Most Important Internal Control Component for Fraud Examiners


A Chapter member, in reference to our last post, wondered aloud over a mutual lunch this week whether the state of her client’s COSO 2013 control environment might not be the initially most important COSO component for close examination by Fraud Examiners performing fraud risk assessments. After all, she’s right that the control environment is where the organization is called upon to directly demonstrate its commitment to integrity and ethical values. It’s also in the documentation of the control environment that the board of directors asserts independence from management and outlines tools to exercise oversight of the development and performance of the entire system of internal control. But that’s not all; management must establish, with board oversight, staff structures, reporting lines, and appropriate authorities and responsibilities to pursue, and hopefully achieve, its defined objectives. In line with this last, the organization must document and demonstrate a commitment to attract, develop, and retain competent individuals as employees. And lastly, and of particular importance to us fraud examiners as we go about our work of building and documenting cases, there must be defined mechanisms to hold employees accountable for their specifically defined internal control related responsibilities in the pursuit of enterprise objectives.

So, the COSO control environment component is something of a preliminary topographical map or stage setting, if you will, to the client organization’s overall approach to internal control.  A fraud examiner conducting a fraud risk assessment for management would certainly be expected to focus closely on whether or not the following are present and functioning as evidence of the organization’s commitment to integrity and ethical values:

–Tone at the Top: are the board of directors and management at all levels of the organization demonstrating through their directives, actions and behavior the importance of integrity and ethical values in supporting the functioning of the system of internal control?

–Standards of Conduct: have standards of conduct been formally established and published?  Of great follow-on consequence for ultimate, successful prosecution of fraud and corruption cases is the presence of formal documentation and the wide publication of the expectations of the board of directors and management concerning compliance with those integrity and ethical values defined in the entity’s standards of conduct and understood at all levels of the organization as well as by outsourced service providers and business partners.

–Processes to Evaluate Adherence to the Standards of Conduct: having a great set of ethical codes and standards means little if there are no processes in place to evaluate the performance of individuals and work teams against those codes and standards. This is the area where I think you will find that most of our clients fall short; the entity can proudly point to its bookshelf of standards but there’s little or no evidence that the degree of actual employee compliance is being formally reviewed or audited by anybody. A review means the process is periodically evaluated critically and corrective action, if required, is formally documented and performed by responsible managers.

–Deviations are addressed in a Timely Manner: the fraud examiner during the fraud risk assessment process should look for evidence that identified deviations from the organization’s expected standards of conduct are identified and remedied in a timely and even handed manner;  ‘even handed’ means that deviations are dealt with fairly and consistently no matter what level of employee is involved.

–Establishment of Oversight Responsibilities: has the board of directors identified and does it accept its oversight responsibilities in relation to establishing requirements and expectations?  You can imagine the field day an opposing attorney would have if the defendant company has failed to implement this one!

–The Application of Relevant Expertise: does the board of directors define, maintain and periodically evaluate the skills and expertise needed among its members to enable them to ask all types of probing questions of senior management and then take appropriate action?

–Operates Independently: the fraud examiner has to ask him or herself if the client’s board of directors has enough members who are sufficiently independent from the management to be objective in performing evaluations and taking decisions to provide effective oversight of the client’s entire system of internal control.

We fraud examiners are usually so pressed for time in developing our cases that any documented shortcut into the client’s control structure is of great potential value to us. COSO 2013, in significantly expanding the scope of the control environment component, has handed our profession yet another useful tool in the performance not only of fraud risk assessments, but of the basic spade work involved in the process of fraud examination and eventual prosecution.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!

The COSO 2013 Update and the Fraud Examiner


As I’m sure a majority of our Chapter members (and the readers of this blog) are aware, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the first version of its Internal Control – Integrated Framework in 1992. The purpose of the document was, by providing a sorely needed common definition of internal control, to overcome a high level of existing confusion about exactly what internal control was, not only among organization managements and assurance professionals like internal and external auditors but also among other parties key to the financial control process like regulators and legislators. The 1992 document and the 2013 revision define internal control as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance. The COSO Integrated Framework underwent a substantial revision in 2013, the details of which are relevant to the practice of every CFE, especially as we conduct fraud risk assessments for our clients and go about the process of investigating and reporting on financially related instances of actual and suspected fraud.

The 1992 Framework definition embodies certain fundamental assumptions about internal control: internal control is a process, a means to an end, not an end in itself; internal control is effected by people, and is not something constituted by policy manuals and forms but by people doing their jobs at every level of the organization; internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board; and internal control is directed toward the achievement of objectives in one or more separate but overlapping categories. The 2013 revision expands on the original definitional framework by emphasizing that internal control is directed not only toward achieving organizational objectives in one or more separate but overlapping categories, but also in general operations, reporting and compliance, and that it is a process of ongoing tasks and activities; again, a means to an end, not an end in itself. Finally, the system of internal control is adaptable to the organization’s structure and flexible in application to the entity or to a particular subsidiary, division, operating unit or business process.

So what’s changed and what hasn’t between the 1992 and 2013 versions of the framework that’s of special importance to fraud examiners? The major changes are that the 2013 version replaces the 1992 factors of internal control with 17 principles grouped under the five components: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication and 5) monitoring activities. Two of the principles grouped under risk assessment, for example, are: 6. the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives and, 8. the organization considers the potential for fraud in assessing risks to the achievement of objectives. The 2013 version updates the Framework to reflect changes over the last two decades in business structures, operations and the financial regulatory environment. The last of the major changes of interest to fraud examiners is that the 2013 version broadens the arena of financial reporting to include internal and external financial and operational reporting.

Other changes include clarification that for internal control to be effective, all five components and seventeen principles must be present and functioning effectively.  Setting objectives is not considered in the revision to be part of internal control; it’s a precondition of internal control.  Assessing internal control for the fraud examiner and other assurance professionals includes determining whether organizational objectives are suitable for the client organization considering relevant facts, circumstances, and established laws.   A corollary of this last point is that objectives and sub-objectives need to be adequately communicated throughout the organization.

The 2013 update enhances organizational governance concepts and consideration of anti-fraud and information management related expectations as well as providing additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives.  The update also applies greater emphasis to flexibility in applying all the defined principles and concepts defined in the update to the unique characteristics of each organization (something that the ACFE never ceases to emphasize to all of us as critical to good fraud examination).

So what hasn’t changed between 1992 and 2013?  The basic definition of internal control, the five components of internal control and the important role of judgment in designing, implementing and conducting internal control, as well as the basic process of assessing the effectiveness of internal control have all not changed.  I would urge every member of our Chapter, and our guests,  to review in detail the components of the 2013 COSO update since many of the changes will substantially extend and improve the guidance available to every active assurance practitioner especially as we’re involved in the process of risk assessment and fraud prevention.

The Fraud Examiner & the COSO Model

I often get basic questions from CFE examination candidates about organizational internal control and risk assessment that would be easily answered for the questioner if s/he understood the Committee of Sponsoring Organizations of the Treadway Commission (COSO) model. In the 1980’s the savings and loan scandal and other high profile financial disasters led legislators to demand changes to prevent such events from recurring. As a result the National Commission on Financial Reporting was formed in 1985 to study the causal factors that can lead to financial frauds and to develop recommendations to guide the practice of public companies, independent auditors, the SEC, other regulators and educational institutions. The bottom line for us here is that one of the major conclusions of the commission was that the best way to prevent major financial frauds was to improve internal control. That conclusion led to the eventual publication of the COSO model of internal control.

Then along came the Sarbanes-Oxley Act of 2002, specifically section 404 of that legislation, requiring that management of publicly traded companies evaluate internal controls every year and that their financial auditors opine on the evaluation. The COSO model was the logical one to use to standardize how internal controls would be defined and evaluated under section 404.

COSO defines internal controls as a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in (1) the effectiveness and efficiency of operations, (2) the reliability of financial reporting and (3) the compliance with applicable laws and regulations.

The COSO Model of Internal Controls uses five elements of internal controls:

–control environment – what is the risk of material misstatement occurring within the current entity and its environment?

–risk assessment – has the entity made an effective effort to identify areas of risk that would allow a material misstatement to occur?

–information and communication – does the entity have sufficient controls to ensure the timely and proper notification of a material misstatement if and when one occurs?

–control activities – are there sufficient controls that, in the aggregate, effectively mitigate the risk of a material misstatement in the financial statements to an acceptable level?

–monitoring – does the entity have a system of monitoring activities to continuously evaluate and improve the effectiveness of its internal controls?

The importance of the corporate control structure looms so large in our work as fraud examiners that each of us should have an in-depth understanding of all this model has to offer as a framework for the analysis of the performance of any organizational entity, either public or private. Fraud and irregularities are examples of the breakdown of the structure of internal control, and application of the COSO model as an analytic framework for what ought to be helps us identify what shouldn’t be when we come across it.

It’s imperative that fraud examiners know how to apply the COSO model. This involves not only an understanding of the major components of the model but also knowing how to develop meaningful and effective fraud examination procedures, such as inquiries and observations, based on it.