Enterprise Risk Management: Managing Organizational Risk Under the Updated COSO 2013 Framework
Organization leaders don’t want to think about fraud and risk assessment, but it’s definitely something that they can’t avoid it. Fraud has long disrupted the idea of business as usual. While most employees don’t commit fraudulent acts, companies must implement monitoring and control systems to minimize the risk of fraud.
Just like the 1992 version, the Updated COSO 2013 Framework provides a working system that establishes principles and guidelines for managing organizational fraud and risk assessment through internal control implementation.
The newer version helps those responsible for controls understand basic control concepts. It classifies 17 principles that support the original five internal control components. It further encourages users to implement designated controls but also to use their judgment in determining whether the controls are present, functioning, and operating together.
The Need for Fraud and Risk Assessment
The Association of Certified Fraud Examiners once again highlighted the need for functional corporate fraud and risk assessment controls. Their “2018 Global Study on Occupational Fraud Abuse” report documented corporate fraud’s alarming trends. The results consider the fraud statistics from 2,690 global business fraud cases.
- Corporations lost 7 Billion dollars to fraud.
- The average loss per instance of fraud was $130,000.
- Internal control weaknesses caused nearly 50% of all fraud cases.
- The 2,690 cases studied represent a fraction of actual fraud losses.
- A survey of CFEs estimated fraud losses totaled 5% of their annual revenue.
- Anti-fraud controls enabled lower losses and earlier detection.
Addressing Fraud with Internal Controls
The many methods of creative deception and cover-up would seem to make risk assessment difficult and fraud opportunities impossible to control. While technology has given criminals an arsenal of new weapons to commit fraud more efficiently, the types of fraud committed remain predictable. ACFE aptly categorizes instances of fraud as fitting into one of three basic categories:
- Corruption, – May (no comma) involve bribery, kickbacks, etc.
- Asset misappropriation – Theft of cash, fraudulent disbursements, etc.
- Financial statement fraud – Net worth or income over or understatements
The updated COSO 2013 Framework is enhanced to refine the targeting of known fraud risks. It includes a focus on IT vulnerabilities that didn’t exist when they rolled out the original version in 1992.
Updated COSO 2013 Framework Changes
The new version reflects a number of changes. It severs the connection between objective-setting and internal controls, increases the focus on IT controls and enhances the focus on governance oversight. The difference in the cube configuration reflects a broadened reporting objective that now includes internal and external operations, compliance, and financial and non-financial reporting. The new framework also elevates the consideration of fraud and its potential causes, and it guides fraud-targeting internal control principles.
17 Principles | 77 Points of Focus
As with the previous version, the Updated COSO 2013 Framework continues its focus on preventative, detective, and corrective controls. It also revives the five internal control components:
- Control Environment
- Risk Assessment
- Control Activities
- Information and Communication
- Monitoring Activities
The updated COSO CUBE configuration illustrates control principle integration within all organizational levels and functions. The new Framework outlines 17 Principles that further refine these components and provide a roadmap to achieve internal control.
The 17 Principles in the new guidelines existed in the previous version, but they were not specifically classified. COSO 2013 derives the principles from the five control components. When implemented, they ensure that an organization affects the desired level of internal control. The COSCO Internal Control CUBE infographic lists all 17 Principals and their corresponding control component.
The new Framework evaluates and explains the role of outsourced service providers for which management is responsible. It demonstrates that outside entities who process data for a corporation should be subject to that corporation’s internal controls. External auditors and regulators who don’t process information are not.
Contact R&A CPAs
Call us at 520.881.4900 or complete our online contact form to learn more about the Updated COSO 2013 Framework or for more information about fraud and risk assessment options.
About this Author
Charlie provides assurance and tax services as well as forensic accounting for a breadth of industries including real estate, construction, and manufacturing. His experience includes Sarbanes Oxley compliance and fraud risk assessments, reorganizations and debt restructures, financial services, employee benefit plans, not-for-profit organizations, and captive insurance.