goldsrd coso update four hour course...11/26/13 4 coso update - executive summary highlights •...

11/26/13

1

Updated COSO Framework

Danny M. Goldberg, Founder

Agenda

•  COSO Update – Overview – History/Background – Changes Overview –  Five Control Objectives – 17 Control Principles – Case Study: Developing a Checklist for Your

Organization •  Fraud Risk Assessment – – Overview – Key Steps –  Interviewing and Brainstorming

11/26/13

2

Executive Update: Overview

•  COSO Overview – Internal Control Publications

1992 2006 2009 2013

Overview of COSO •  Committee of Sponsoring Organizations of the Treadway Commission

(COSO) –  US private-sector initiative created in 1985. –  Its major objective is to identify the factors that cause fraudulent financial

reporting and to make recommendations to reduce its incidence. –  COSO is sponsored by 5 main professional accounting organizations in the

US: •  American Institute of Certified Public Accountants (AICPA), •  American Accounting Association (AAA), •  Financial Executives Institute (FEI), •  The Institute of Internal Auditors (IIA) •  The Institute of Management Accountants (IMA).

•  COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.

»  Source: www.coso.org

Integrated Framework 2013

•  Consists of three volumes: –  Executive Summary –  Framework and Appendices –  Illustrative Tools for Assessing

Effectiveness of a System of Internal Control

•  Sets out: – Definition of internal control – Categories of objectives – Components and principles of

internal control – Requirements for effectiveness

11/26/13

3

Original Framework

COSO’s Internal Control–Integrated Framework (1992 Edition)

Refresh Objectives

Updated Framework

COSO’s Internal Control–Integrated Framework (2013 Edition)

Broadens Application Clarifies Requirements

Articulate principles to

facilitate effective

internal control

The Framework has become the most widely adopted control framework worldwide.

Updates Context

Enhancements

Reflect changes in

business & operating

environments

Expand operations and

reporting objectives

Why Update What Works

Update expected to increase ease of use and broaden application

What is not changing... What is changing...

•  Core definition of internal control

•  Three categories of objectives and five components of internal control

•  Each of the five components of internal control are required for effective internal control

•  Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness

•  Changes in business and operating environments considered

•  Operations and reporting objectives expanded

•  Fundamental concepts underlying five components articulated as principles

•  Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added

The COSO Definition of Internal Control

Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

•  Effectiveness and efficiency of operations

•  Reliability of financial reporting

•  Compliance with applicable laws and regulations

11/26/13

4

COSO Update - Executive Summary Highlights

•  Provides a high level overview intended for the board of directors, chief executive officer, and other senior management.

•  Applicable to all entities but the way in which it is implemented will be different for each organization (i.e., larger entities tend to be more formal and structured)

•  Meant to assist stakeholders both internally and externally without being too prescriptive. –  Accomplished by defining what constitutes a system of internal

control and providing insight to when it is being applied effectively. •  Judgment is still a major factor in determining what is an effective

system of internal control –  To determine how much control is enough –  To select, develop, and deploy controls across the entity –  Management and internal auditors apply judgment as they monitor

and assess the effectiveness of the system of internal control.

Executive Summary Highlights (continued)

•  Requirements for an effective system of internal control are: –  Each of the five components and relevant principles (17 principles in

total) are present and functioning –  The five components operate together in an integrated manner or as

an integrated system •  When a major deficiency exists with respect to the presence and

functioning of a component or relevant principle, or with respect to the components operating together in an integrated manner, the organization cannot conclude that it has met the requirements for an effective system of internal control.

•  An effective system reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives (Operations, Reporting, Compliance)

Executive Summary Highlights (continued)

•  Limitations do exist: –  Suitability of objectives are a precondition to internal control –  Human judgment can be faulty and subject to bias –  Human failures such as simple errors do occur –  Management could override internal control –  Collusion could circumvent controls –  External events beyond the organization’s control

•  Internal control provides reasonable assurance of achieving the entity’s objectives but not absolute assurance

•  Management should be aware of these limitations when selecting, developing, and deploying controls

11/26/13

5

Update Considers Changes in Business and Operating Environments Environments changes... •  Expectations for governance oversight •  Globalization of markets and operations •  Changes and greater complexity in business •  Complexities in laws, rules, regulations, and

standards •  Expectations for competencies and

accountabilities •  Use of, and reliance on, evolving technologies •  Expectations relating to preventing and

detecting fraud …have driven Framework updates •  COSO Cube (2013 Edition)

Update Articulates 17 Principles of Effective Internal Control

Control Environment (CE) 1.  Demonstrates commitment to

integrity and ethical values 2.  Exercises oversight responsibility 3.  Establishes structure, authority

and responsibility 4.  Demonstrates commitment to

competence 5.  Enforces accountability

Risk Assessment (RA) 6.  Specifies suitable objectives 7.  Identifies and analyzes risk 8.  Assesses fraud risk 9.  Identifies and analyzes significant

change Control Activities (CA)

10. Selects and develops control

activities 11. Selects and develops general

controls over technology 12. Deploys through policies and

procedures

Information & Communication (IC) 13. Uses relevant information 14. Communicates internally 15. Communicates externally

Monitoring Activities (MA) 16. Conducts ongoing and/or

separate evaluations 17. Evaluates and communicates

deficiencies

Update Clarifies Requirements for Effective Internal Control

•  Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:

–  Each component and each relevant principle is present and functioning

–  The five components are operating together in an integrated manner

•  Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component

•  Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies

•  A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives

11/26/13

6

Update Describes Important Characteristics of Principles

•  Points of focus may not be suitable or relevant, and others may be identified

•  Points of focus may facilitate designing, implementing, and conducting internal control

•  There is no requirement to separately assess whether points of focus are in place

Update Describes the Role of Controls to Effect Principles

•  The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control

•  An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity

•  A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles

•  However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning

ICEFR: A Compendium Overview

•  Provides points of focus and approaches to satisfy each of the 17 principles of the Framework. –  Points of Focus highlight key characteristics relating to

each principle. –  Approaches are summary-level descriptions of activities

that management may consider as they apply the Framework in an ICEFR context.

•  Examples are also provided to illustrate practical examples of how to apply principles, based on situations drawn from practical experience.

•  Illustrates how various characteristics of principles may be present and functioning within a system of internal control relating to external financial reporting.

11/26/13

7

17 Principles of Effective Internal Control Control Environment (CE)

1.  Demonstrates commitment to integrity and ethical values

2.  Exercises oversight responsibility 3.  Establishes structure, authority and

responsibility

4.  Demonstrates commitment to competence

5.  Enforces accountability

Risk Assessment (RA) 6.  Specifies suitable objectives 7.  Identifies and analyzes risk 8.  Assesses fraud risk

9.  Identifies and analyzes significant change

Control Activities (CA) 10.  Selects and develops control activities 11.  Selects and develops general controls

over technology 12.  Deploys through policies and

procedures

Information & Communication (IC) 13.  Uses relevant information

14.  Communicates internally 15.  Communicates externally

Monitoring Activities (MA) 16.  Conducts ongoing and/or separate

evaluations 17.  Evaluates and communicates

deficiencies

GROUP EXERCISE

Group Exercise

•  Break up groups based on industry

•  For each of the Five Objectives, please read each of the Principles (17 in all) and create, as a group, a checklist of actions that a company would do in order to demonstrate each Principle and thus each Objective.

•  45 Minutes allotted to each of the 5 Objectives

11/26/13

8

CONTROL ENVIRONMENT

Control Environment: Principles

1. The organization demonstrates a commitment to integrity and ethical values.

2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.

3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.

4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.

5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Principle #1: Approaches

1.  Establishing Standards of Conduct

2.  Leading by Example on Matters of Integrity and Ethics

3.  Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct

4.  Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct

11/26/13

9


1.  Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors

2.  Establishing P&P for Meetings between the BoD and Management

3.  Identifying and Reviewing BoD Candidates 4.  Reviewing Management’s Assertions and

Judgments 5.  Obtaining an External View 6.  Considering Whistle-Blower Information about

Financial Statement Errors and Irregularities


1.  Defining Rules and Reporting Lines and Assessing them for Relevance

2.  Defining Authority at Different Levels of Management

3.  Maintaining Job Descriptions and Service-Level Agreements

4.  Defining the Role of Internal Auditors


1.  Establishing Required Knowledge Skills, and Expertise 2.  Linking Competence Standards to Established

Policies and Practices in Hiring, Training, and Retention Decisions

3.  Identifying and Delivering Financial Reporting-Related Training as Needed

4.  Selecting Appropriate Outsourced Service Providers 5.  Evaluating Competence and Behavior 6.  Evaluating the Capacity of Finance Personnel 7.  Developing Alternate Candidate for Key Financial

Reporting Roles

11/26/13

10


1.  Defining and Confirming Responsibilities

2.  Developing Balanced Performance Measures, Incentives, and Rewards

3.  Evaluating Performance Measures for Intended Influence

4.  Approach Linking Compensation and Other Rewards

RISK ASSESSMENT

Risk Assessment

6.  The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.

7.  The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.

8.  The organization considers the potential for fraud in assessing risks to the achievement of objectives.

9.  The organization identifies and assesses changes that could significantly impact the system of internal control.

11/26/13

11


1.  Identifying Financial Statement Accounts, Disclosure and Assertions

2.  Specifying Financial Reporting Objectives

3.  Assessing Materiality

4.  Reviewing and Updating Understanding of Applicable Standards

5.  Considering the Range of Activities


1.  Applying a Risk Identification Process

2.  Assessing Risks to Significant Financial Statement Accounts

3.  Assessing the Likelihood and Significance of Identified Risks

4.  Considering Internal and External Factors

5.  Evaluating Risk Responses


1.  Conducting Fraud Risk Assessments

2.  Considering Approaches to Circumvent or Override Controls

3.  Reviewing Incentives and Pressures Related to Compensation Programs

11/26/13

12


1.  Assessing Change in the External Environment

2.  Conducting Risk Assessments Relating to Significant Change

3.  Considering Change Through Succession

4.  Considering CEO and Senior Executive Changes

CONTROL ACTIVITIES

Control Activities

10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.

11. The organization selects and develops general control activities over technology to support the achievement of objectives.

12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.

11/26/13

13


1.  Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities

2.  Implementing or Assessing Control Activities when Outsourcing to a Third Party

3.  Considering the Types of Control Activities 4.  Considering Alternative Control Activities to

the Segregation of Duties 5.  Identifying Incompatible Functions


1.  Using Risk and Control Matrices to Document Technology Dependencies

2.  Evaluating End-User Computing 3.  Implementing or Assessing Control Activities when

Outsourcing IT Functions to a Third Party 4.  Configuring the IT Infrastructure to Support Restricted

Access and Segregation of Duties 5.  Configuring IT to Support the Complete, Accurate, and

Valid Processing of Transactions and Data 6.  Administering Security and Access 7.  Applying a SDLC over Packaged Software 8.  Applying an SDLC over Software Developed in-House


1.  Developing & Documenting P&P

2.  Deploying Control Activities through Business Unit or Functional Leaders

3.  Conducting Regular and Ad Hoc Assessments of Control Activities

11/26/13

14

INFORMATION & COMMUNICATION

Information & Communication

13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.

14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.

15. The organization communicates with external parties regarding matters affecting the functioning of internal control.


1.  Creating an Inventory of Information Requirements 2.  Obtaining Information from External Sources 3.  Obtaining Information from Non-Finance

Management 4.  Creating and Maintaining Information Repositories 5.  Using an Application to Process Data into

Information 6.  Enhancing Information Quality through a Data

Governance Program 7.  Identifying, Securing, and Retaining Financial Data

and Information

11/26/13

15


1.  Communicating Information Regarding External Financial Reporting Objectives and Internal Control

2.  Communicating Internal Control Responsibilities 3.  Developing Guidelines for Communication to the Board of

Directors 4.  Reviewing Financial & Internal Control Information with

the BoD 5.  Communicating a Whistle-Blower Program to Company

Personnel 6.  Communicating through Alternative Reporting Channels 7.  Establishing a Mentoring Program to Encourage

Communicating with Management


1.  Communicating Information to Relevant External Parties

2.  Obtaining Information from Outside Sources

3.  Surveying External Parties

4.  Communicating the Whistle-Blower Program to Outside Parties

5.  Reviewing External Audit Communications

MONITORING ACTIVITIES

11/26/13

16

Monitoring Activities

16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.

17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.


1.  Periodically Reviewing the Mix of Monitoring Activities

2.  Designing and Implementing a Dashboard 3.  Using Technology to Support Monitoring

Activities 4.  Conducting Separate Evaluations 5.  Using Internal Audit to Conduct Separate

Evaluations 6.  Understanding Controls at an Outsourced

Service Provider


1.  Assessing and Reporting Deficiencies

2.  Monitoring Corrective Action

3.  Developing Guidelines for Reporting Deficiencies

11/26/13

17

Transition & Impact •  Users are encouraged to transition applications and related

documentation to the updated Framework as soon as feasible

•  Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014)

•  During the transition period, external reporting should disclose whether the original or updated version of the Framework was used

•  Impact of adopting the updated Framework will vary by organization –  Does your system of internal control need to address changes in business?

–  Does your system of internal control need to be updated to address all principles?

–  Does your organization apply and interpret the original framework in the same manner as COSO?

–  Is your organization considering new opportunities to apply internal control to cover additional objectives?

Transition & Impact (Continued) •  The principles-based approach provides flexibility in applying the

Framework to multiple, overlapping objectives across the entity –  Easier to see what is covered and what is missing

–  Focus on principles may reduce likelihood of considering something that’s irrelevant

•  Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives

•  Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance

•  Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated

Transition & Impact (Continued)

•  Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls

•  Applying an integrated approach to internal control - encompassing operations, reporting, and compliance – may lessen complexity

•  In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate

11/26/13

18

Fraud Risk Assessment

The Definition of Fraud

“… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

Categories of Fraud Risk

•  Misappropriation of Assets –  involve the theft or misuse of an organization’s assets. (Common

examples include skimming revenues, stealing inventory, and payroll fraud.)

•  Corruption –  fraudsters wrongfully use their influence in a business transaction in

order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another. (Common examples include accepting kickbacks and engaging in conflicts of interest.)

•  Fraudulent Financial Statements –  falsification of an organization’s financial statements. (Common

examples include overstating revenues and understating liabilities or expenses.)

11/26/13

19

Asset Misappropriation

Scheme Scenario• Payment to fictitious employees• Payment to terminated employees• Overpayment to existing employees• Theft of inventory items• Consistent shrinkage of items• Increased defective/warranty claims• Reimbursement for personal expenses• Use of card to circumvent competitive bid requirements

Larceny • Theft of materials, supplies, cashPurchasing • Using purchasing authority to purchase raw materials for

personal use.Procurement • Using procurement card for personal, exorbitant

purchases• Reimbursement for undocumented expenses• Reimbursement for luxury accommodations• Reimbursement for travel expenses of family members

Improper Payments • Payments to phantom vendors, shell companies

Reimbursement

Credit Cards

Inventory

Payroll

Corruption/FCPA Scheme Scenario

• Improper or early revenue recognition• Falsifying revenue• Earnings manipulation through reserves• Recording pending transactions as completed transactions

Overstating Assets Improper valuation of securities, inventory, fixed assets• Hiding losses in future reporting periods• Understating expense account balances• Reclassifying (capitalizing) expenses as assets• Improper valuation or manipulation of intercompany accounts

Improper Note Disclosure • Omission of contingencies or subsequent events

• Falsifying external documents to suppliers• Internal memorandums give misleading information• Publicly announced unsubstantiated information

Management Estimates • Manipulation of management estimates for receivables, goodwill or depreciation

Fictitious Revenue

Understating Liabilities and Expenses

Non-financial

Financial Statement Fraud Scheme Scenario

Fictitious Revenue • Improper or early revenue recognition • Falsifying revenue • Earnings manipulation through reserves

• Recording pending transactions as completed transactions Overstating Assets • Improper valuation of securities, inventory, fixed assets Understating Liabilities and Expenses

• Hiding losses in future reporting periods

• Understating expense account balances

• Reclassifying (capitalizing) expenses as assets

• Improper valuation or manipulation of intercompany accounts

Improper Note Disclosure • Omission of material contingencies or subsequent events

Non-financial

• Falsifying external documents to suppliers

• Internal memorandums give misleading information

• Publicly announced unsubstantiated information

Management Estimates • Manipulation of management estimates for receivables, goodwill or depreciation

11/26/13

20

What is Risk?

•  “The degree of probability that an unfavorable event will significantly impact a functional area’s ability to meet the organization’s objectives”

FRA - Purpose

•  Identify and recognize fraud risks in the organization •  Determine the likelihood •  Determine how to manage and mitigate fraud risk •  Determine critical information •  Identify systems that process, store, or transmit

critical information used for red flag identification •  Discover vulnerabilities •  Create new processes, controls and procedures for

mitigating fraud risk

11/26/13

21

Who Should be Involved?

•  C – Suite Officer –  CEO

–  CFO

–  CIO

–  General Counsel

–  Chief Compliance Officer

•  Management –  Business Unit Managers

–  Sales

–  Marketing

–  Human Resources

•  Accounting –  Controller

–  Accounting Manager

–  Accounting Supervisors

•  Oversight –  Internal Audit

–  Board of Directors

–  Audit Committee

–  External Auditors

Step 1 – Identify and Evaluate Fraud Risk Factors

1.  Schedule interviews and develop the approach. 2.  Identify fraud risk factors at the entity level,

significant locations, accounts and business process level. : Consider whether each fraud risk factor indicates the existence of an incentive/pressure, opportunity or attitudes/rationalizations.

3.  For each identified fraud risk factor, identify the account balances and potential errors that may be affected and assess the fraud risks.

11/26/13

22


Pitfalls •  Fraud Risk Factors are not

considered •  Existing controls are

considered •  The potential for

management override of controls is not considered

•  Interviews are not value-added

Recommendations •  Use the Fraud Triangle to

explain the significance of fraud risk factors and to initiate thinking

•  Do not consider controls EXCEPT when considering the potential for management override

•  Develop interview approach that matches area and culture


•  Identify fraud risk factors at the entity level, significant location, significant account and business process level. Consider whether each fraud risk factor indicates the existence of incentive, pressure, opportunity or attitude and rationalization.

•  Identify incentives / pressures to commit fraud, opportunities to commit fraud, or attitudes / rationalizations to justify fraud. –  Personnel from various levels of the organization should be involved in

the process.

–  Consider internal and external (e.g., regulatory, industry) influences.

Step 2: Identify Possible Fraud Risks, Schemes and Scenarios

1.  Identify fraud risks and determine if the fraud risks are pervasive or specific.

2.  Brainstorm specific fraud schemes that could result from the specific risks identified.

3.  For each fraud scheme, identify internal and external parties who could be involved with reference to incentives/pressure, opportunities, attitudes & rationalizations.

11/26/13

23

Step 2: Identify Possible Fraud Risks, Schemes and Scenarios

Pitfalls •  The schemes are too general,

not allowing for sufficient consideration of risks and preventing appropriate level of mapping to controls

•  The schemes do not consider the potential for management override of controls

•  The schemes do not consider the potential for collusion

•  Brainstorming ineffective

Recommendations

•  Detail each scheme by considering: –  Why?

–  Who?

–  What?

–  Where?

–  When?

–  How?

Step 3: Prioritize Identified Fraud Risks

•  Evaluate possible fraud schemes by: – Type

– Likelihood

– Significance

– Pervasiveness

•  Consider Inherent Risk Rating (IRR)

Step 4. Evaluate the Controls’ Existence and Effectiveness

1.  Link fraud schemes to mitigating controls. Assess whether each mapped or linked control activity is preventative or detective in nature.

2.  Evaluate the effectiveness of controls to determine if they sufficiently mitigate the risk of the identified fraud schemes (control gap analysis).

3.  Evaluate the residual fraud risk.

11/26/13

24

Step 4. Evaluate Mitigating Controls

•  Antifraud control activities can be preventative or detective in nature – Preventative controls are designed to mitigate

specific fraud risks and can deter frauds from occurring

– Detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls.

4. Evaluate Mitigating Controls

•  Special consideration should be given to the risk of management override of controls.

•  Some programs and controls that deal with management override include: – Active oversight from the audit committee – Whistle-blower programs and a system to receive

and –  Investigate anonymous complaints; and – Reviewing journal entries and other adjustments for

evidence of possible material misstatement due to fraud.

4. Evaluate Mitigating Controls

Pitfalls •  Where gaps are identified, no

remediation efforts are made •  Future changes in risk are not

incorporated into the FRA and remediation is not performed

•  Effectiveness of controls is not evaluated

•  Mapping is done incorrectly and without consideration of existing controls and documentation

Recommendations •  Design and implement controls to

close identified gaps •  The FRA should be iterative and

should be reassessed at least annually and when there is a significant change in the control environment

•  Evaluating the effectiveness of the controls

•  Only map those controls identified as significant

•  Identify entity level controls that will assist in mitigating remaining residual risk

•  Leverage of existing efforts and controls

11/26/13

25

Control Risk Rating

•  Evaluate the Control Risk Rating – – Determine if controls sufficiently mitigate the

identified fraud risks and schemes – Decide whether existing controls should be improved

or new controls are required – Consider both the design and the implementation of

the control in mitigating the fraud risk

Fraud controls can be tricky! Consider possible management override of

controls

Step 5: Risk Treatment

1.  Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention.

2.  Implement Fraud Risk Action Plan.

Step 5: Risk Treatment

•  Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention. –  Controls should be implemented or enhanced for identified fraud

schemes where controls are not already present, inadequately designed or poorly implemented.

–  Ensure overall responsibility is assigned to responsible personnel to monitor control implementation as detailed in the Fraud Risk Action Plan.

–  This responsibility could be defined in the Fraud Control Policy of the entity or specified elsewhere.

–  The Audit Committee should oversee the entire process.

goldsrd coso update four hour course...11/26/13 4 coso update - executive summary highlights •...

Documents