TRANSCRIPT
©2016
THE ACFE-COSO FRAUD RISK MANAGEMENT FRAMEWORK
COSO revised its Internal Control Framework (ICF) in 2013, adding 17 important principles.
COSO Principle 8 states, “The organization considers the potential for fraud in assessing risks to
the achievement of objectives.” All publicly traded U.S. companies follow the COSO ICF. This
session will explain the new ACFE- and COSO-sponsored Fraud Risk Management Guide that
can be used to comply with Principle 8.
DAVID COTTON, CFE, CPA, CGFM
Chairman
Cotton & Company LLP
Dave Cotton is chairman of Cotton & Company LLP, Certified Public Accountants. Cotton
& Company is headquartered in Alexandria, Virginia. The firm was founded in 1981 and has a
practice concentration in assisting federal and state government agencies, inspectors general, and
government grantees and contractors with a variety of government-program-related assurance
and advisory services. Cotton is presently serving on the AICPA’s Performance Audit Standards
Task Force and chairs the Fraud Risk Management Task Force, sponsored by COSO and the
ACFE. He has testified as an expert in governmental accounting, auditing, and fraud issues
before the U.S. Court of Federal Claims and other administrative and judicial bodies.
“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the
ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc. The contents of
this paper may not be transmitted, republished, modified, reproduced, distributed, copied, or sold without
the prior consent of the author.
THE ACFE-COSO FRAUD RISK MANAGEMENT FRAMEWORK
27th Annual ACFE Global Fraud Conference ©2016 1
A significant fraud was discovered in 2012. A trusted, long-term employee embezzled more than $53 million from her employer. That sounds like a lot of money, but when you put her fraud into perspective, it is a WHOLE lot of money: she stole $53.8 million from an organization with a $17 million annual budget. Could your organization survive such a fraud?
Rita Crundwell was the comptroller of the small Illinois
town of Dixon from 1981 until the fall of 2012. People in
Dixon thought she was a saint. She was, they thought,
independently wealthy as a result of her successful horse-
breeding business. Despite her wealth (she had a ranch and
stables with more than 400 show horses, a spacious home,
and traveled to horse shows around the country in a
luxurious $2 million motor coach), she continued to report
to the town hall every day to help the struggling small town
manage its finances. Ironically, she was, in fact, very
wealthy. But, the wealth came not from her successful
horse-breeding business. The successful horse-breeding
business—and her wealth—came from the money
embezzled from Dixon. Because of Rita’s stealing, Dixon
could not give raises to employees, hire new employees,
upgrade equipment, or even repave Main Street.
After her fraud was discovered (Rita got careless and
another town employee discovered the bogus account that
Rita had set up and through which she was stealing millions)
Dixon spent another $10 million in legal fees, but ultimately
recovered about $50 million through sales of Rita’s assets
and settlements with accounting firms and the bank. On a
net basis, Dixon was “only” out about $14 million—almost
a year’s worth of the town’s budget. Perhaps the greater
damage though, was to the small town’s sense of trust. How
could someone everyone had known all her life do so much
damage to her friends and neighbors?
If you are thinking, "well, that's government for you; everyone knows that there's fraud in government; something like that could not happen to a well-managed private-sector organization," let me tell you about Oral Suer. Suer was the long-serving executive director of the United Way of the National Capital Area (UWNCA) and had built that charitable fundraising organization to annual revenues of $91 million by 2001. The misconduct came to light in 2002, and Suer later pleaded guilty to misappropriating about $500,000 over a six-year period, or about $83,000 per year. The auditors were quick to point out that $83,000 was "not material" to a $91 million entity.
Suer’s fraud was not material if you only focus on
quantitative materiality. In terms of qualitative materiality,
however, the story was quite different. The UWNCA’s
revenues dropped from $91 million in 2001 to $19 million
in 2002. (Donors contributing a few hundred dollars a year
simply—and justifiably—concluded that there were better
places to put their hard-earned money.) Could your
organization survive such a revenue reduction?
What allows such frauds to happen? In my view, a leading
cause is the attitude that most organizations have that, “it
can’t happen here.” That’s certainly what Dixon, Illinois,
and UWNCA thought.
These and similar tragedies can be prevented. Well-run
organizations need to make a commitment to protecting
stakeholder assets. Fortunately, there is guidance for such
forward-thinking organizations to follow. The process is not
expensive and it has benefits beyond protecting assets and
reputations.
In 2008, the Association of Certified Fraud Examiners (ACFE), Institute of Internal Auditors (IIA), and American Institute of Certified Public Accountants (AICPA) published Managing the Business Risk of Fraud: A Practical Guide (MBRF). MBRF explained how to establish a comprehensive fraud risk management program. It set forth the following five principles:
Principle 1: As part of an organization’s governance
structure, a fraud risk management program should be in
place, including a written policy (or policies) to convey the
expectations of the board of directors and senior
management regarding managing fraud risk.
Principle 2: Fraud risk exposure should be assessed
periodically by the organization to identify specific potential
schemes and events that the organization needs to mitigate.
Principle 3: Prevention techniques to avoid potential key
fraud risk events should be established, where feasible, to
mitigate possible impacts on the organization.
Principle 4: Detection techniques should be established to
uncover fraud events when preventive measures fail or
unmitigated risks are realized.
Principle 5: A reporting process should be in place to solicit
input on potential fraud, and a coordinated approach to
investigation and corrective action should be used to help
ensure potential fraud is addressed appropriately and timely.
The overall process is displayed in the following graphic.
MBRF set forth detailed guidance for implementing these
principles. Many organizations around the country embraced
MBRF and used it to implement anti-fraud programs and
controls.
The COSO Internal Control Framework and Fraud Risk
Management
COSO is the Committee of Sponsoring Organizations of the
Treadway Commission.1 (The Treadway Commission issued
its Report of the National Commission on Fraudulent
Financial Reporting in 1987, but COSO continued to
operate and focused its efforts on improving internal
controls and managing enterprise risk.) COSO issued its
initial Internal Control—Integrated Framework
(Framework) in 1992. The Framework quickly became the
best-practice roadmap for designing, implementing, and
maintaining a system of internal control. All publicly traded companies in the United States and most forward-thinking non-public companies, not-for-profit organizations, and academic institutions also adhere to the COSO Framework.
1 The COSO member organizations are the American Accounting Association, the American Institute of Certified Public Accountants, Financial Executives International, the Institute of Management Accountants (The Association of Accountants and Financial Professionals in Business), and The Institute of Internal Auditors.
In 2013, COSO updated the Framework to include (along
with its three internal control objectives and five internal
control components) 17 internal control principles. These
principles represent the “fundamental concepts associated
with each component.”
COSO Framework Principle 8 is:
The organization considers the potential for fraud in
assessing risks to the achievement of objectives.
As soon as the 2013 Framework was issued and
organizations began trying to implement these new
principles, organizations began seeking guidance on how to
comply with Principle 8.
Many organizations, even those that had been conforming to the Framework for 21 years, were taken aback by this new fraud addition. Since COSO's roots were fraud-focused (the Treadway Commission's report was, after all, titled Report of the National Commission on Fraudulent Financial Reporting), shouldn't fraud risk have always been the central focus of the Framework? Shouldn't a sound system of internal control protect an organization from fraud? Perhaps. It depends on how the Framework was viewed and implemented by a given organization.
It’s one thing to design a system of controls to guard against
unintentional errors and misstatements: install checks and
balances, use computer programs to assure accuracy, require
management approvals, segregate duties, pre-approve
vendors, and so forth.
It's a different matter, however, to design a system that protects against intentional misstatements and fraudulent transactions. When intent is considered, controls designed to guard against unintentional errors or misstatements may no longer do the job: checks and balances can be deliberately circumvented, computer programs can be surreptitiously altered, managerial approvals can be forged, collusion can override segregated duties, bogus vendors can be added to an approved vendor list, and so forth.
It is likely that many organizations following the COSO
Framework had already specifically and explicitly
considered fraud risk as part of their internal controls. Many
organizations, however, likely assumed that baseline
controls—checks and balances, computer controls,
managerial approvals, duties segregation, vendor approvals,
and so forth—were more than sufficient.
COSO Principle 8 should cause all organizations to pause
and reconsider the adequacy of their controls by now asking
a simple extra question with respect to every control: Is this
control adequate if someone tries to intentionally override
or circumvent it?
Better still, the establishment of Principle 8 should cause all
well-run and forward-thinking organizations to address
fraud risk in a more comprehensive manner.
The NEW ACFE/COSO Fraud Risk Management Guide
To meet the demand for more comprehensive guidance on fraud risk management, the ACFE and COSO formed a task force in January 2015. This 25-member task force's mission was to update MBRF and make it consistent with the 2013 COSO Internal Control Framework. The task force completed its efforts by the end of December 2015, and the new guide is expected to be published by May 2016. Following that, the guide will be vetted by COSO through a public exposure and comment process, after which it will be modified (if necessary) and reissued as a third COSO framework.
The new guidance will be similar to the MBRF process, but
with slightly modified principles, as shown in the following
graphic.
In addition to aligning with the COSO internal control
components, as shown, these five principles are supported
by numerous points of focus, consistent with the COSO
Internal Control Framework.
An organization committed to protecting stakeholder assets
and interests from fraud risks will carry out the following
processes.
Establishing a Fraud Risk Governance Policy
The commitment to implement the process needs to come from the highest organizational level, ideally the governing board. It is usually not difficult to convince a governing board to embrace and promote comprehensive fraud risk management: when an organization falls victim to fraud, board members almost always absorb much or most of the blame. Implementing the fraud risk management commitment then entails appointing a champion to oversee the process. That person needs to be at a high enough organizational level to ensure that employees take the process seriously, that the process has adequate resources, and that it is seen through to completion.
The fraud risk governance policy establishes and documents
the commitment to managing fraud risk; summarizes fraud
control strategies; outlines the fraud risk management
program; defines procedures for reporting fraud; establishes
employment conditions; defines conflict of interest policies;
establishes procedures for fraud investigation; sets forth an
internal audit strategy; and explains the review, monitoring,
and feedback process.
Good news here: you do not need to develop a fraud risk
governance policy from scratch. The guide contains a
“Sample Framework for a Fraud Control Policy” and a
“Sample Fraud Control Policy” that can be adapted to your
organization.
Assessing Fraud Risk
This step is the most important fraud risk management step, because it establishes the baseline for succeeding steps. A fraud risk assessment team needs to be assembled. It should consist of employees from all parts of the organization: not just financial management and accounting personnel, but also operations personnel. The fraud risk assessment team then meets to carry out a comprehensive brainstorming2 process. The goal is to think of every possible way that fraud could happen to or within the organization. The brainstorming process, if done correctly, may take many meetings over several weeks' time. On the plus side, this process is educational and can be fun.
The documentation of the results of the risk assessment is a table whose columns, as described in the rest of this section, are: potential fraud schemes and exposures | likelihood | significance | who might be involved | existing anti-fraud controls | effectiveness of existing controls | residual risk | fraud risk response.
The goal is to fill out that first column as thoroughly as possible: if you do not develop a long list of potential fraud vulnerabilities and schemes, you probably need to keep brainstorming. (Every time you read or hear about some other organization being victimized by a fraud, you should ask yourself, "Could that happen to us?" If you've already done your initial fraud risk assessment and then hear or read about a fraud scheme, check to see if that scheme is in your risk assessment.)
2 Brainstorming is "a group problem-solving technique that involves the spontaneous contribution of ideas from all members of the group; also: the mulling over of ideas by one or more individuals in an attempt to devise or find a solution to a problem" (www.merriam-webster.com).
More good news here. The guide contains a fairly comprehensive list of the most common fraud schemes. That list can serve as a good starting point for the risk assessment process.
Once you complete the first column, the likelihood (what are
the chances that this might happen?) and significance (if this
happens, how much damage will it cause?) of each potential
fraud scheme needs to be assessed. In assessing
significance, it’s important to think not just in monetary
terms. Reputational damage is often a greater consideration,
especially for tax-exempt, academic, and governmental
organizations.
Once likelihood and significance are assessed for each possible fraud vulnerability, a heat map can be created: a grid with likelihood on one axis and significance on the other, on which each potential fraud is plotted so that the high-likelihood, high-significance schemes stand out.
Every organization has its own tolerance for risk. One organization may decide that it can ignore low-likelihood, low-significance potential frauds (and thus not put controls in place), while another might want controls for every possible fraud.
Completing the fraud risk assessment documentation then
entails:
Identifying who might be involved in each possible
fraud scheme or exposure
Identifying any existing anti-fraud control procedures
already in place with respect to each fraud scheme or
exposure
Assessing the effectiveness of each existing control
procedure
Determining the residual risk after considering the
effectiveness of existing controls
Deciding on the fraud risk response where residual risk
exists
The “Fraud Risk Response” column is the trigger for the
next steps in the process: wherever there are residual risks,
we will need additional prevention or detection controls; or
perhaps, both.
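As an added worked example (not from the guide or the author's materials), the register and heat map described above can be kept as a small script. The 1-to-5 rating scales, the product scoring, the "residual = inherent x (1 - control effectiveness)" model, the heat-map thresholds, the tolerance of 4 and the response rules are assumptions chosen for illustration, and the sample entries are constructed and fictitious; the guide leaves scoring and tolerance to each organization.

```python
"""Fraud risk register: likelihood, significance, residual risk, heat map, response.

Added illustration; not from the ACFE/COSO guide. Scales, scoring model,
thresholds, tolerance and response rules are assumptions for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SCALE = (1, 2, 3, 4, 5)


@dataclass
class FraudRisk:
    scheme: str                        # column 1: potential fraud scheme or exposure
    who: str                           # who might be involved
    likelihood: int                    # 1 (remote) .. 5 (almost certain)   [assumed scale]
    significance: int                  # 1 (minor) .. 5 (catastrophic, incl. reputation)
    existing_controls: List[str] = field(default_factory=list)
    control_effectiveness: float = 0.0  # 0.0 (no control) .. 1.0 (fully effective)

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.significance not in SCALE:
            raise ValueError("likelihood and significance must be rated 1..5")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control_effectiveness must be between 0 and 1")


def inherent_score(r: FraudRisk) -> int:
    """Likelihood x significance before any existing control is credited."""
    return r.likelihood * r.significance


def residual_score(r: FraudRisk) -> float:
    """Inherent score discounted by the effectiveness of existing controls (assumed model)."""
    return inherent_score(r) * (1.0 - r.control_effectiveness)


def heat_zone(likelihood: int, significance: int) -> str:
    """Heat-map colour for one cell; the thresholds are assumptions."""
    score = likelihood * significance
    if score >= 12:
        return "red"
    if score >= 6:
        return "yellow"
    return "green"


def fraud_risk_response(r: FraudRisk, tolerance: float = 4.0) -> str:
    """The 'Fraud Risk Response' column: what the residual risk triggers.

    Assumed rule: residual risk within tolerance is accepted; otherwise high
    significance calls for prevention (you cannot afford the event), high
    likelihood calls for detection (it will happen despite prevention), both call for both.
    """
    if residual_score(r) <= tolerance:
        return "accept (within tolerance)"
    needs_prevention = r.significance >= 4
    needs_detection = r.likelihood >= 3
    if needs_prevention and needs_detection:
        return "add prevention and detection controls"
    if needs_prevention:
        return "add prevention controls"
    return "add detection controls"


def assess(risks: List[FraudRisk], tolerance: float = 4.0) -> List[dict]:
    """Complete the register rows: existing controls, scores, zone and response."""
    return [{
        "scheme": r.scheme,
        "who": r.who,
        "existing_controls": ", ".join(r.existing_controls) or "none",
        "inherent": inherent_score(r),
        "residual": round(residual_score(r), 2),
        "zone": heat_zone(r.likelihood, r.significance),
        "response": fraud_risk_response(r, tolerance),
    } for r in risks]


def heat_map(risks: List[FraudRisk]) -> Dict[Tuple[int, int], int]:
    """Number of schemes plotted in each (likelihood, significance) cell."""
    counts = {(l, s): 0 for l in SCALE for s in SCALE}
    for r in risks:
        counts[(r.likelihood, r.significance)] += 1
    return counts


def render_heat_map(risks: List[FraudRisk]) -> str:
    counts = heat_map(risks)
    lines = ["likelihood (down) / significance (across):  1  2  3  4  5"]
    for l in reversed(SCALE):
        cells = "  ".join(str(counts[(l, s)]) for s in SCALE)
        lines.append(f"{l:>42}  {cells}")
    return "\n".join(lines)


def sample_register() -> List[FraudRisk]:
    """Constructed sample entries (fictitious), not a real assessment."""
    return [
        FraudRisk("Fictitious vendor created and paid by AP staff", "AP clerk", 3, 4,
                  ["approved vendor list", "manager invoice approval"], 0.25),
        FraudRisk("Funds diverted through an undisclosed bank account", "comptroller", 2, 5),
        FraudRisk("Inflated expense reimbursement claims", "any employee", 4, 2,
                  ["receipt review"], 0.25),
        FraudRisk("Petty cash skimming", "front desk staff", 3, 1,
                  ["daily count and reconciliation"], 0.75),
    ]


if __name__ == "__main__":
    register = sample_register()
    print(render_heat_map(register))
    for row in assess(register):
        print(f"{row['zone']:6} residual={row['residual']:<5} {row['response']:40} {row['scheme']}")
```

The response column is the trigger the text describes: every row whose residual score exceeds tolerance names the kind of control that still has to be designed. The scales and thresholds are the team's decision; what matters is that the same scale is applied to every scheme and that the register, not anyone's memory, is the record.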
Designing and Implementing Fraud Control Activities
Fraud Prevention control procedures are designed to stop a
fraud before it happens. These can include things like
segregation of duties, requiring higher-level approvals, or
better physical security over assets. Prevention control
procedures do not need to be complex or expensive to be
effective. (If the town of Dixon had simply instructed the
bank to no longer send monthly bank statements directly to
Rita, her fraud would have been halted in its tracks.)
The key in designing prevention control activities is to work from the fraud risk assessment documentation and assiduously devise the most cost-effective controls that should prevent each type of fraud. Your internal auditors can be effective at designing these controls. If you are too small to have an internal audit staff, you might need to retain an accountability professional to help with that part of the process.
Fraud detection control activities are designed to identify
any frauds that happen as soon as possible after they
happen. If you detect frauds quickly, they cannot grow to
become catastrophic. (As a colleague of mine always says,
“there are no such things as small frauds, just frauds that
haven’t matured yet.”)
If you did a great job designing prevention controls, do you
need detection controls? Good question. There are two
reasons you need detection control procedures even if you
think you did a great job designing prevention control
procedures.
First, it is simply impossible to think of every possible fraud
scenario that might occur—fraud perpetrators are clever,
resourceful, and sometimes desperate enough to take foolish
chances.
Second (and perhaps more important) prevention controls
can come with a cost—not just the cost of the procedure
itself, but also a cost in terms of operational disruption.
Let's say, for example, that you have a retail clothing business. You know that shoplifting can erode your profits, so you decide to put prevention controls in place to stop shoplifting. You require all shoppers to check their shopping bags and purses at the door when they enter the store and, just to make doubly sure, you install closed-circuit TV cameras in all of the dressing rooms. You will definitely stop the shoplifting, because you will quickly lose all of your customers and go out of business.
So, you need to allow for the fact that your prevention
controls will not stop every fraud scheme. You need to put
detection controls in place that will detect each possible
fraud scheme in your fraud risk assessment if they happen.
While most prevention controls are in the open and visible for employees and stakeholders to see, the most effective detection control procedures are usually covert: they operate quietly in the background and are known only to a small group of people.
Because every organization now keeps electronic records, data analytic control procedures can be the least costly and most effective detection controls you can implement. Let's say that one of your fraud concerns is that an employee might set up a phony vendor and process payments to it. You can easily set up a data analytic process that periodically compares your employee master file with your vendor master file and flags any matching names, addresses, phone numbers, or bank account details. Two practical points: compare normalized values (strip punctuation and formatting, so that "88 Elm Avenue" and "88 Elm Ave." match), and match on bank routing number plus account number rather than routing number alone, since everyone who banks at the same institution shares a routing number. Run that way, the comparison should identify a bogus vendor soon after it is set up. (And you can see why such a control must be covert: an employee who knows exactly which fields are compared can set up the vendor so that none of them match.)
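The employee-versus-vendor comparison described above, written out as an added example (not code from the guide or from the author's practice). It goes a little beyond the paragraph: it normalizes addresses and phone numbers before comparing, matches bank details on routing number plus account number, and adds a weaker surname-in-vendor-name indicator. The two tables, the column layout and every name, address and account number are constructed for the example; the in-memory SQLite database stands in for extracts from HR and accounts-payable systems.

```python
"""Covert detection analytic: employee master file vs vendor master file.

Added illustration; not from the ACFE/COSO guide. Tables, sample rows,
normalization rules and indicator names are assumptions for the example.
"""
import re
import sqlite3
from typing import Dict, List, Tuple

# Constructed sample extracts (fictitious people, vendors and account numbers).
# Columns: id, name, address, phone, bank routing number, bank account number.
EMPLOYEES = [
    ("E100", "Alice Norton", "12 Oak Street, Apt 3", "(555) 010-2001", "021000021", "10023456"),
    ("E101", "Brian Keller", "88 Elm Avenue", "555-010-2002", "021000021", "10099887"),
    ("E102", "Rita Example", "4 Mill Rd", "555.010.2003", "071000013", "55501234"),
]
VENDORS = [
    ("V500", "Acme Office Supply", "900 Industrial Pkwy", "555-010-9000", "021000021", "77001122"),
    ("V501", "BK Consulting LLC", "88 Elm Ave.", "5550102002", "021000021", "10099887"),
    ("V502", "Norton Services", "12 OAK ST APT 3", "555-010-2001", "026009593", "30001234"),
    ("V503", "Mill Road Cleaning", "5 Mill Rd", "555-010-7777", "071000013", "55501234"),
]

_ABBREV = {"street": "st", "avenue": "ave", "road": "rd", "parkway": "pkwy",
           "apartment": "apt", "suite": "ste"}
_NON_ALNUM = re.compile(r"[^a-z0-9 ]")
_NON_DIGIT = re.compile(r"\D")


def norm_address(addr: str) -> str:
    """Lower-case, drop punctuation, collapse whitespace, abbreviate street words."""
    tokens = _NON_ALNUM.sub(" ", addr.lower()).split()
    return " ".join(_ABBREV.get(t, t) for t in tokens)


def norm_phone(phone: str) -> str:
    """Digits only; keep the last 10 so '+1 (555) ...' and '555-...' agree."""
    digits = _NON_DIGIT.sub("", phone)
    return digits[-10:] if len(digits) > 10 else digits


def norm_bank(routing: str, account: str) -> str:
    """Routing AND account: a routing number alone is shared by every customer of that bank."""
    return _NON_DIGIT.sub("", routing) + ":" + _NON_DIGIT.sub("", account)


def norm_name(name: str) -> str:
    """Padded, punctuation-free form so whole-word searches work with SQLite instr()."""
    return " " + " ".join(_NON_ALNUM.sub(" ", name.lower()).split()) + " "


def build_db() -> sqlite3.Connection:
    """Load the extracts with their normalized comparison keys into an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE employees (id TEXT, name TEXT, surname TEXT, "
                "addr_n TEXT, phone_n TEXT, bank_n TEXT)")
    con.execute("CREATE TABLE vendors (id TEXT, name TEXT, name_n TEXT, "
                "addr_n TEXT, phone_n TEXT, bank_n TEXT)")
    for eid, name, addr, phone, routing, acct in EMPLOYEES:
        con.execute("INSERT INTO employees VALUES (?,?,?,?,?,?)",
                    (eid, name, name.split()[-1].lower(),
                     norm_address(addr), norm_phone(phone), norm_bank(routing, acct)))
    for vid, name, addr, phone, routing, acct in VENDORS:
        con.execute("INSERT INTO vendors VALUES (?,?,?,?,?,?)",
                    (vid, name, norm_name(name),
                     norm_address(addr), norm_phone(phone), norm_bank(routing, acct)))
    con.commit()
    return con


# One indicator per join. The surname test is weaker evidence, so it is reported separately.
MATCH_SQL = """
SELECT 'bank account' AS indicator, e.id, e.name, v.id, v.name
  FROM employees e JOIN vendors v ON e.bank_n = v.bank_n
UNION ALL
SELECT 'phone', e.id, e.name, v.id, v.name
  FROM employees e JOIN vendors v ON e.phone_n = v.phone_n
UNION ALL
SELECT 'address', e.id, e.name, v.id, v.name
  FROM employees e JOIN vendors v ON e.addr_n = v.addr_n
UNION ALL
SELECT 'surname in vendor name', e.id, e.name, v.id, v.name
  FROM employees e JOIN vendors v ON instr(v.name_n, ' ' || e.surname || ' ') > 0
"""


def find_matches(con: sqlite3.Connection) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Group every indicator hit by (employee id, vendor id), sorted for stable reporting."""
    hits: Dict[Tuple[str, str], set] = {}
    for indicator, eid, _ename, vid, _vname in con.execute(MATCH_SQL):
        hits.setdefault((eid, vid), set()).add(indicator)
    return sorted((pair, sorted(inds)) for pair, inds in hits.items())


if __name__ == "__main__":
    for (eid, vid), indicators in find_matches(build_db()):
        strength = "HIGH" if "bank account" in indicators else "review"
        print(f"{strength:6} employee {eid} <-> vendor {vid}: {', '.join(indicators)}")
```

Run it on a schedule from an account that AP and HR staff do not control, keep the comparison logic and its output restricted to the small group that owns the control, and maintain a documented exception list for legitimate overlaps (an employee who is also a properly approved contractor) so the same hit is not re-investigated every cycle. Exact matching after normalization catches the careless; near matches (a transposed digit in an account number, a mail-drop address) need fuzzier comparison and human review.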
Establishing Reporting and Investigation Processes
According to the ACFE, the number one source of discovered frauds is tips, most of them from employees of the victim organization. In smaller organizations (100 employees or fewer), 29.6% of discovered frauds come to light through tips; in larger organizations, 43.5% do. Further, the ACFE reports that organizations with fraud hotlines experienced frauds that were 50% less costly, and they detected frauds 50% more quickly.3
Given those statistics, if you and your organization are fully committed to managing fraud risk, you will set up a hotline reporting mechanism. But aren't hotlines expensive? Not really, not anymore. You can subscribe to an independent, external, Web- or telephone-based reporting system for a few hundred dollars per year.4
Once you’ve designed and implemented preventive and
detective control activities for all fraud schemes in your risk
assessment, your work is not done. You need to anticipate
what can happen if a fraud perpetrator succeeds despite your
fraud risk management efforts.
A common mistake many organizations make is waiting
until they are victimized to decide what to do. It’s far better
to have a well-thought-out-in-advance plan, ready to be
taken off the shelf and implemented immediately. Don’t put
yourself in the position of trying to make important
decisions in the chaotic and emotional environment
following the discovery of a fraud. Be committed to taking
swift, decisive, and severe actions against the fraud
perpetrator once the fraud has been discovered and proven.
Avoid the temptation to settle the unpleasant matter quietly and quickly by letting the perpetrator simply resign and go away. While that might minimize the reputational impact on your organization, it will allow the perpetrator to move to another organization that can be victimized by a now-smarter criminal. Further (and perhaps more important), despite any efforts to keep the matter quiet, your other employees will almost undoubtedly know what has happened. If you send the message that the only consequences of stealing from your organization are collecting a severance payment and finding a new job, be prepared for more fraud.
3 See ACFE's 2016 Report to the Nations (www.acfe.com/rttn/docs/2014-report-to-nations.pdf and www.acfe.com/rttn2016.aspx).
4 A caution: perform due diligence when selecting an external hotline vendor. Make sure the vendor has sound information security controls in place to protect the sensitive information it will possess: ask how reporter identities are protected, who at the vendor can read reports, how long reports are retained, and how the vendor would notify you of a breach.
And, of course, make sure that the control breakdown that
allowed a fraud to happen is fixed quickly.
Monitoring the Entire Fraud Risk Management Process
Don’t make the mistake of thinking that once you’ve
established fraud risk governance, performed a fraud risk
assessment, implemented control activities, and established
reporting and investigation mechanisms your work is done.
Just as internal control documentation does not necessarily
mean that controls are being carried out as documented, so
too, having designed a fraud risk management process does
not mean that the process will continue to work as designed.
The overall process, as well as each component of the
process, must be monitored to ensure that everything
continues to work as designed.
Further, every organization is dynamic and undergoes
change. Organizations grow, merge, combine, and develop
new products and lines of business. Personnel change.
Organizational structures change. Industries, markets, and
operating environments change.
Consequently, implementing a fraud risk management program is not a one-and-done exercise. Any organizational or operational change triggers the need to reassess your fraud risk. Even if your organization does not face such changes, you should still conduct a new fraud risk assessment at least annually. The good news is that reassessments should be less time-consuming, because you are building on work already done. Consider using a new risk assessment team for reassessments in order to get fresh perspectives.
Finally, your governing board needs to be kept informed
about your fraud risk management efforts and results. They
will want to know how effective the process has been; they
will want to know how rigorous the assessment was; and
they will want to know how effective your controls are.
And, of course, your board will want to know of any hotline
reports, results of investigations, and remediation efforts.
Deterring Fraud
Investigating and remediating frauds is expensive.
Designing and maintaining preventive and detective controls
also comes with a cost. Deterring fraud—establishing an
atmosphere and perception that the likelihood of getting
caught is so high that it scares potential fraud perpetrators
away—is by far the best situation in terms of managing
fraud risk. Fraud deterrence is achieved when an
organization (a) establishes a rigorous fraud governance
process and ensures that employees are aware of that
process; (b) conducts an aggressive fraud risk assessment
periodically; (c) designs, implements, and maintains
effective fraud prevention and detection control processes
and procedures; and (d) takes swift actions against those
who attempt to commit fraud.
According to the ACFE:
The presence of anti-fraud controls is associated with reduced fraud losses and shorter fraud duration. Fraud schemes that occurred at victim organizations that had implemented any of several common anti-fraud controls were significantly less costly and were detected much more quickly than frauds at organizations lacking these controls.5
Are the Costs Worth the Benefits?
You might be thinking at this point that this whole fraud risk
management thing sounds expensive and will take time
away from other more important activities that your
organization needs to accomplish. After all, you are pretty
sure that your management and employees are trustworthy.
You can roll those dice if you want to. That’s what Dixon
and UWNCA decided to do.
There are some additional benefits of implementing a fraud
risk management program beyond “just” minimizing fraud
risk. The risk assessment will give you a much better
understanding of your organization and how it operates.
Importantly, having strong controls in place protects honest
employees. Finally, the best, most trusted, and most
respected organizations take proactive measures like fraud
risk management. Sending the signal to your stakeholders
that your organization is committed to the strongest fraud
risk management processes conveys an important message:
your money, your time and effort, your trust are safe with
us.
That message will attract more investments, more business,
more donations, more volunteer efforts, more trust, and
more respect. When UWNCA’s revenues dropped from $91
million to $19 million in one year, it was not because donors
stopped donating money; it was because they moved their
money to more trustworthy organizations.
5 ACFE’s 2014 Report to the Nations, www.acfe.com/rttn/docs/2014-
report-to-nations.pdf.
Still Not Sure Your Organization Needs a Fraud Risk Management Program?
Fortunately, there is an easy way to find out if making the
investment in fraud risk management is the right thing for
your organization. Download the guide’s five “scorecards”
at www.cottoncpa.com/wp-content/uploads/2014/08/Fraud-
Risk-Management-Scorecards.pdf. These scorecards can be
used to assess how good your organization’s existing fraud
risk management process actually is right now. They list the
key attributes of strong fraud risk governance, risk
assessments, control activities, reporting and investigations,
and monitoring. Each attribute can be scored as: red (we
have a problem), yellow (we are making progress but have
room for improvement), or green (we have fully
implemented this attribute). At your next staff meeting or
board retreat, take a few minutes to honestly self-assess. Get
some red, yellow, and green dots at your office supply store
and rate each attribute. It should only take about 45 minutes
to complete each scorecard. Tape the scorecard pages up on
the wall, stand back, and look at the results. If you see a lot
of red, be worried; your organization is vulnerable to fraud.
Then ponder what happened to Dixon and UWNCA. I’ll bet
that both of those organizations wish that they had taken the
relatively small amount of time and effort needed to
implement a fraud risk management program.
Dave Cotton is Chairman of Cotton & Company, LLP, in Alexandria, Virginia.
www.cottoncpa.com. Dave served on the original task force that developed Managing the
Business Risk of Fraud: A Practical Guide and chaired the task force that updated the Guide on
behalf of ACFE and COSO.