Addressing COSO Principle #8: Assess Fraud Risk

P8_Call_to_actionRisk and Compliance professionals generally agree that the updated 2013 COSO Internal Control – Integrated Framework is not, in essence, different from the 1992 version. And by now, we recognize that the most notable change requiring action is the formalization of COSO’s 17 Principles that were introduced by language embedded in the earlier version. Public companies subject to Sarbanes Oxley (SOX) requirements that utilize the COSO framework and have a calendar year-end will need to demonstrate that all 17 COSO Principles are “present and functioning” by the end of 2014. COSO_Principles At the conclusion of the mapping process, what many of our clients are finding is that they do already have the necessary controls in place. We are helping some clients to also identify where they have more than adequate controls and can use this thorough review as an opportunity to rationalize and reduce the number of controls that they are testing—and, in turn, reduce costs! And, in some cases, companies recognize that the practices are in place, but the controls may not be formally documented and tested. One of the Principles that is garnering a lot of attention is Principle #8: Principle8If you haven’t before, this will likely be the year that you perform a formal Fraud Risk Assessment. You may need to reinforce documentation around your related Entity Level Controls and will want to ensure that those include measurable indicators of appropriate “Tone at the Top”. If you are not sure that you have the appropriate competencies or subject matter experts on your team, we can help to lead or supplement your assessment and documentation of your related controls. Reach out to us if you’d like more information. Additionally, most companies required to comply with SOX likely already have a fraud hotline in place. Did you know that policyIQ also includes an electronic “WhistleBlower” module that is accessible to all company employees for anonymous submission of suspected financial reporting issues (or other issues, if you choose to rebrand the feature)? The WhistleBlower module is already available in all policyIQ sites and can be enabled at any time at no additional charge. Each case is assigned a 16 character code that is revealed only to the submitter of a case so that he or she may periodically review the progress of any associated investigation and even correspond anonymously with an investigator. This feature provides whistle blowers with greater assurance that their voice or accent will not give away their identity if they wish to remain anonymous. WhistleBlower It is very simple to use policyIQ to demonstrate the presence of preventive and detective fraud mitigating controls. Simply run a report of your Controls and include those two variables as columns in your display. If you haven’t already setup your policyIQ site to capture these items, here are the steps that we recommend:

  1. Add a field to your policyIQ Control Page Template to track whether a Control is fraud mitigating.
  2. Add a field to your policyIQ Control Page Template to track whether a Control is Preventive or Detective (most policyIQ clients already include this).
  3. Review your controls and update the pages to reflect whether they are fraud mitigating and whether they are preventive or detective (note that you can use the Edit Fields option from the Table Toolbar to make bulk changes and save time).
  4. Use a policyIQ Page Detail or Page Detail Link Report to list your Fraud Mitigating Controls and whether they are EvidenceforP8Preventive or Detective
    1. Use the report results to perform your gap analysis
    2. Use the report results as evidence of your compliance or coverage of COSO’s Principle #8!

If you’d like some support from a subject matter expert, have questions about the mapping process, or would like help with properly setting up policyIQ to support your transition to the 2013 COSO Framework, contact us and we’ll put you in touch with the appropriate resource in your area.

This entry was posted in Best Practices, Business Lessons, Solutions and tagged , , , , , , , , , , by Stephenie Buehrle. Bookmark the permalink.

About Stephenie Buehrle

Stephenie is the “solutions” expert on the policyIQ team. With RGP since 2004, she designs and develops solutions that capitalize on the best practices of the hundreds of companies that she has touched, while tailoring each configuration to meet the unique needs of each client. Before joining RGP and the policyIQ team, Stephenie enjoyed working as an independent consultant in the non-profit sector. Stephenie also previously performed analyst services for a major brewer ranging from roles in biological and chemical services to analytical roles in business process improvement and innovation. Stephenie quips that she still doesn’t know what she wants to be when she grows up, but hopes to spend her days helping others (companies, individuals, and communities) to realize their full potential.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s