COSO Committee of Sponsoring Organizations of the Treadway Commission
Principle 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives.
The following points of focus highlight important characteristics relating to this principle:
- Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
- Assesses Incentives and Pressures—The assessment of fraud risk considers incentives and pressures.
- Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts.
- Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
Risk assessment includes management's assessment of the risks relating to the fraudulent reporting and safeguarding of the entity's assets. In addition, management considers possible acts of corruption, both by entity personnel and by outsourced service providers directly impacting the entity's ability to achieve its objectives.
The actions being conducted as part of applying this principle link closely to the preceding principle (Identifies and Analyzes Risks), which assesses risks based on the presumption that the entity's expected standards of ethical conduct are adhered to by management, other personnel, and outsourced service providers. This principle, Assesses Fraud Risk, assesses risk in a different context: when an individual's actions may not align with the expected standards of conduct. Management may also consider the points of focus relating to the principle Identifies and Analyzes Risks when developing, implementing, and conducting internal control. For instance, responses to risks identified as part of this principle fall within the same categories noted above (accept, avoid, reduce, and share). And, as above, the selection and development of controls to effect the specific risk responses chosen by management is essential to mitigating fraud risks.
Fraudulent reporting can occur when an entity's reports are wilfully prepared with omissions or misstatements. These events may occur through unauthorized receipts or expenditures, financial misconduct, or other disclosure irregularities. A system of internal control over financial reporting is designed and implemented to prevent or detect, in a timely manner, a material omission from or misstatement of the financial statements due to error or fraud.
When assessing risks to the achievement of financial reporting objectives, organizations typically consider the potential for fraud in the following areas:
- Fraudulent Financial Reporting—An intentional act designed to deceive users of external financial reports and that may result in a material omission from or misstatement of such financial reports
- Fraudulent Non-Financial Reporting—An intentional act designed to deceive users of non-financial reporting, including sustainability reporting, health and safety, or employment activity, and that may result in reporting with less than the intended level of precision
- Misappropriation of Assets—Theft of the entity's assets where the effect may cause a material omission or misstatement in the external financial reports
- Illegal Acts—Violations of laws or governmental regulations that could have a material direct or indirect impact on the external financial reports
As part of the risk assessment process, the organization should identify the various ways that fraudulent reporting can occur, considering:
- Management bias, for instance in selecting accounting principles
- Degree of estimates and judgments in external reporting
- Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
- Geographic regions where the entity does business
- Incentives that may motivate fraudulent behavior
- Nature of technology and management's ability to manipulate information
- Unusual or complex transactions subject to significant management influence
- Vulnerability to management override and potential schemes to circumvent existing control activities
There may be instances where the organization is not able to directly manage the information captured for financial reporting, yet is expected to have controls within the entity that identify, analyze, and respond to that particular risk. For instance, management of a software vendor may not be able to prevent personnel within an on-line retailer from underreporting sales numbers to reduce payments to the software vendor. However, the software company can implement control activities to detect such reporting by comparing new software registration levels to sales volumes.
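The detective control described above (reconciling a partner's reported sales against evidence the vendor controls) as an added example; it is not part of the COSO text. The tolerance, the period keys and all figures are constructed assumptions, and the check treats a missing report as a finding in its own right.

```python
"""Reconcile sales reported by a third party against independently
observed registrations, flagging periods that look under-reported.

Added illustration, not COSO's own text. Data is constructed.
"""
from dataclasses import dataclass

# Constructed sample: sales the retailer reported to the vendor, by period.
REPORTED_SALES = {
    "2014-Q1": 1_000,
    "2014-Q2": 1_200,
    "2014-Q3": 900,
    "2014-Q4": 1_500,
}

# Constructed sample: new registrations the vendor observed directly.
# Q3 shows far more registrations than the sales reported for it.
REGISTRATIONS = {
    "2014-Q1": 980,
    "2014-Q2": 1_190,
    "2014-Q3": 1_310,
    "2014-Q4": 1_480,
}


@dataclass(frozen=True)
class Discrepancy:
    period: str
    reported: int
    registered: int
    shortfall_ratio: float  # (registered - reported) / registered


def reconcile(reported, registered, tolerance=0.05):
    """Return the periods whose registrations exceed reported sales by more
    than `tolerance` (a fraction of registrations).

    Not every registration is a sale (trials, re-installs), so a small gap
    is expected; `tolerance` is an assumed threshold, to be calibrated from
    the vendor's own history. A period with registrations but no report at
    all is also returned, with a shortfall ratio of 1.0.
    """
    findings = []
    for period in sorted(registered):
        reg = registered[period]
        if reg == 0:
            continue
        rep = reported.get(period)
        if rep is None:
            findings.append(Discrepancy(period, 0, reg, 1.0))
            continue
        ratio = (reg - rep) / reg
        if ratio > tolerance:
            findings.append(Discrepancy(period, rep, reg, round(ratio, 4)))
    return findings


if __name__ == "__main__":
    for d in reconcile(REPORTED_SALES, REGISTRATIONS):
        print(f"{d.period}: reported {d.reported}, registered {d.registered}, "
              f"shortfall {d.shortfall_ratio:.1%}")
```

The check only surfaces candidates for follow-up; a flagged period still needs the normal inquiry with the partner, since the gap may have a legitimate cause.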
Further, risks pertaining to the complete and accurate recording of asset losses in the entity's financial statements represent a reporting objective. More specifically related to financial reporting, omission or misstatements may arise from failing to record the loss of assets, manipulating the financial statements to conceal such a loss, or recording transactions outside the appropriate reporting period. For instance, an entity may hold its books open for an extended time after a period end to include additional sales, improperly account for intercompany transfers of inventory, or manipulate the amortization of its capital assets.
Safeguarding of assets refers to protecting against the unauthorized and wilful acquisition, use, or disposal of assets. The inappropriate use of an entity's assets occurs to benefit an individual or group. The unauthorized acquisition, use, and disposal of assets may relate to activities such as illegal marketing, theft of assets, theft of intellectual property, late trading, and money laundering.
Safeguarding of assets typically relates to operations objectives, although certain aspects may relate to other categories of objectives. In terms of operations, management may consider the inappropriate use of an entity's assets and other resources including intellectual property and preventing loss through theft, waste, or neglect. An entity may also lose value of its assets through inefficiency or what turns out to be simply bad business decisions—such as selling a product at too low a price, or extending credit to bad risks. These situations relate to the operations objectives but are not directly linked to safeguarding of assets.
Where legal or regulatory requirements apply, management considers risks relating to safeguarding of assets in relation to compliance objectives. For example, an entity may intentionally prepare inaccurate regulatory reporting statements to avoid inspection and penalties.
Regardless of what objective may be affected, the responsibility and accountability for loss prevention and anti-fraud policies and procedures reside with management of the entity and its subunits in which the risk resides.
In addition to assessing risks relating to the safeguarding of assets and fraudulent reporting, management considers possible corruption occurring within the entity. Corruption is generally relevant to the compliance category of objectives but could very well influence the control environment that also affects the entity's external financial reporting objectives. This includes considering incentives and pressures to achieve objectives while demonstrating adherence to expected standards of conduct and the effect of the control environment, specifically actions linked to Principle 4 (Demonstrates Commitment to Competence) and Principle 5 (Enforces Accountability). Aspects of corruption that are considered in an external financial reporting context typically relate to illegal acts that are considered in government statutes relevant to the activity.
In assessing possible corruption, the entity is not expected to directly manage the actions of personnel within third-party organizations, including those relating to outsourced operations, customers, suppliers, or advisors. However, depending on the level of risk assessed within this component, management may stipulate the expected level of performance and standards of conduct through contractual relations, and develop control activities that maintain oversight of third-party actions. Where necessary, management responds to unusual actions detected in others.
Management override describes action taken to override an entity's controls for an illegitimate purpose including personal gain or an enhanced presentation of an entity's financial condition or compliance status. For example, to allow a large shipment of goods to a customer with unacceptable credit in order to increase revenue, a manager improperly overrides internal control by approving the sale transaction placed on credit hold by a supervisor who conducted the control properly. Actions to override are typically not documented or disclosed, because the intent is to cover up the actions.
Management override should not be confused with management intervention, which represents action that departs from controls designed for legitimate purposes. At times, management intervention is necessary to deal with non-recurring and non-standard transactions or events that otherwise might be handled inappropriately. Providing for management intervention is necessary because controls cannot be designed to anticipate and mitigate every risk. Management's actions to intervene are generally overt and documented or otherwise disclosed to appropriate personnel.
As part of assessing fraud risk, management assesses the risk of management override of internal control. The board of directors or subset of the board (e.g., audit committee) oversees this assessment and challenges management depending on the circumstances. The entity's control environment can significantly influence the risk of management override. This is especially important for smaller entities where senior management may be very involved in conducting many controls.
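A detection check for the override scenario above (a credit hold released without the overt documentation that would mark it as legitimate intervention) as an added example; it is not part of the COSO text. The log format, event names and actors are constructed assumptions. Beyond the passage, the check also flags a hold released by the same person who placed it, a segregation-of-duties condition the text raises later in this principle.

```python
"""Flag credit-hold releases that look like undocumented management
override rather than documented management intervention.

Added illustration, not COSO's own text. Log lines are constructed.
Fields: timestamp | event | order_id | actor | detail
"""
from collections import defaultdict

SAMPLE_LOG = """\
2014-11-09T10:01:00|CREDIT_HOLD|ORD-1001|supervisor.a|customer over credit limit
2014-11-09T10:05:00|HOLD_RELEASE|ORD-1001|manager.b|
2014-11-09T11:00:00|CREDIT_HOLD|ORD-1002|supervisor.a|customer over credit limit
2014-11-09T11:20:00|INTERVENTION_MEMO|ORD-1002|manager.b|one-off prepayment received, CFO informed
2014-11-09T11:21:00|HOLD_RELEASE|ORD-1002|manager.b|
2014-11-09T12:00:00|CREDIT_HOLD|ORD-1003|supervisor.c|new customer, no credit file
2014-11-09T12:02:00|HOLD_RELEASE|ORD-1003|supervisor.c|
"""


def parse_log(text):
    """Parse pipe-separated event lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, order_id, actor, detail = line.split("|", 4)
        events.append({"ts": ts, "event": event, "order": order_id,
                       "actor": actor, "detail": detail})
    return events


def find_override_candidates(events):
    """Return (order_id, reason) pairs for releases worth follow-up.

    Events are assumed to be in chronological order. A release is a
    candidate when no INTERVENTION_MEMO documents it (the overt record
    that distinguishes intervention from override), when it has no
    recorded hold at all, or when the releasing actor is the one who
    placed the hold.
    """
    hold_placed_by = {}
    memos = defaultdict(list)
    findings = []
    for e in events:
        order = e["order"]
        if e["event"] == "CREDIT_HOLD":
            hold_placed_by[order] = e["actor"]
        elif e["event"] == "INTERVENTION_MEMO":
            memos[order].append(e["detail"])
        elif e["event"] == "HOLD_RELEASE":
            if order not in hold_placed_by:
                findings.append((order, "release without a recorded hold"))
                continue
            if hold_placed_by[order] == e["actor"]:
                findings.append((order, "hold released by the person who placed it"))
            if not memos[order]:
                findings.append((order, "release with no documented justification"))
    return findings


if __name__ == "__main__":
    for order, reason in find_override_candidates(parse_log(SAMPLE_LOG)):
        print(f"{order}: {reason}")
```

Only ORD-1002, whose release is preceded by a memo naming the reason and who was informed, passes cleanly; the check reports candidates for the audit committee's review rather than concluding that an override occurred.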
Assessing the risk of fraud includes considering opportunities to commit fraud, as well as attitudes and rationalizations. Where there is a loss of assets, fraudulent reporting, or corruption, there are typically incentives and pressures, opportunities to access those assets, and attitudes and rationalizations that claim to justify the action. Incentives and pressures often result from and relate to the control environment, as discussed in Principle 5 (Enforces Accountability). As part of assessing fraud risk, the organization considers possible incentives and pressures and the potential impact on fraud risk.
Opportunity refers to the ability to actually acquire, use, or dispose of assets, which may be accompanied by altering the entity's records. Those involved in the inappropriate actions usually also believe that their activities will not be detected. Opportunity is created by weak control activities and monitoring activities, poor management oversight, and management override of control. For instance, the likelihood of a loss of assets or fraudulent external reporting increases when there is:
- A complex or unstable organizational structure
- High turnover rates of employees within accounting, operations, risk management, internal audit, or technology staff
- Ineffective design or poorly executed control activities
- Ineffective technology systems
Attitudes and rationalizations by individuals engaging in or justifying inappropriate actions may include:
- A person labeling the use of resources as "borrowing", and fully intending to pay the stolen money back
- A person believing that something is owed to him or her because of job dissatisfaction (salary, job environment, treatment by managers, etc.)
- A person not understanding or not caring about the consequences of his or her actions or of accepted notions of decency and trust
It is possible to mitigate the likelihood of a fraud-related risk by taking action within the other components of internal control or by making changes to the entity's operating units, business processes, and activities. An entity may choose to sell certain operations that are prone to having higher risks relating to individual conduct, cease doing business in certain geographic locations, reallocate roles among personnel to enhance the segregation of duties, or reorganize its business processes to avoid unacceptable risks. For example, the risk of misappropriation of funds may be reduced by implementing a central payment processing function with greater segregation of duties instead of having only a few staff process payments at each of the entity's locations. The risk of corruption may be reduced by closely monitoring the entity's procurement process. The risk of financial statement fraud may be reduced by establishing shared services centers to provide accounting services to multiple segments, affiliates, or geographic locations of an entity's operations. A shared services center may be less vulnerable to influence by local operations managers and may be able to cost effectively implement more extensive anti-fraud programs.
When management detects fraudulent reporting, inadequate safeguarding of assets, or corruption, some form of remediation will be necessary. In addition to dealing directly with the improper actions, it may be necessary to take remediation steps within the risk assessment process or amend actions undertaken as part of other components of internal control.