Managing Fraud Risks: COSO 101

The Green Hyena, 12/11/2023 (13/11/2023)

In the complex landscape of modern business, managing fraud risk is challenging. The COSO framework, developed by the Committee of Sponsoring Organizations of the Treadway Commission, serves as key guidance in this terrain. Rather than a rigid checklist, think of it as a flexible, holistic approach to understanding and mitigating fraud risks within an organisation. The framework is built on five components: the control environment, risk assessment, control activities, information and communication, and monitoring activities. We take each in turn.

At the heart of the COSO model lies the control environment, essentially the organisation's culture concerning ethics and integrity. It is about setting the right tone at the top. This is not just about having a set of written rules; it is about how leadership embodies and reinforces these values. For instance, consider an organisation where top executives regularly communicate the importance of ethical conduct and lead by example. This kind of environment naturally discourages fraudulent behaviour. Contrast this with organisations such as Enron, Madoff and Wirecard, where leadership's blatant disregard for ethical practices seeped into the organisation's fabric, culminating in some of the most significant corporate collapses in history.

Moving on, risk assessment is akin to an organisation's radar system, constantly scanning for potential fraud risks. It is about asking the tough questions: Where could fraud emerge in our organisation? Who might be tempted to commit fraud, and why? There are numerous corporate fraud examples, small and large, that remind us of what happens when risks are overlooked or underestimated.

Control activities then act as the guardrails, preventing and detecting fraud. This involves practical measures such as segregation of duties, so that no single individual holds all the keys to the kingdom, and authorisation processes that ensure transactions are not rubber-stamped without scrutiny. Consider the WorldCom scandal, where lax control activities enabled the manipulation of financial records, eroding billions in shareholder value.

Information and communication channels play an important role too. It is not just about bombarding employees with rules but about ensuring they understand and can act on them. Regular training, open forums and speak-up policies are critical. The Wells Fargo account fraud scandal serves as a cautionary tale here. Pressured to meet unrealistic sales targets, and with no effective communication channels through which to voice concerns, employees resorted to creating fake accounts, causing massive reputational damage.

Lastly, monitoring activities ensure that this is not a set-and-forget system. Ongoing or periodic reviews help catch issues before they balloon into disasters. These reviews could be performed by internal audit or, occasionally, by external reviewers. The frauds at Barings Bank and Societe Generale are examples here: a lack of monitoring of internal controls allowed rogue trading activities to go undetected.

When bringing these elements together, it is key to tailor the framework to the organisation. We advise each organisation to adapt the COSO model to its unique environment. Furthermore, managing fraud risk is not a one-time event but an ongoing process. The COSO framework, when properly implemented and adapted, offers a dynamic way to navigate the nuances of fraud risk management. It is about creating an organisational culture that values integrity, continuously assessing and updating risk strategies, and ensuring that everyone in the organisation is aligned in the fight against fraud. This holistic approach is what ultimately protects (as far as possible) an organisation against the pitfalls of fraud.

In May 2023 COSO and the Association of Certified Fraud Examiners published the second edition of their Fraud Risk Management Guide. The purpose of this guide is to address changes in the fraud landscape and keep organisations at the forefront with their anti-fraud programme. Keep reading our blogs, where we will discuss the specific elements of the COSO Fraud Risk Management Guide.