Joining Forces to Manage Fraud Risk: The ACFE Partners with COSO


The ACFE has collaborated with the Committee of Sponsoring Organizations of the Treadway Commission (COSO) to produce the Fraud Risk Management Guide (FRMG) to help organizations focus their anti-fraud efforts. The ACFE also created a website at to host interactive tools to complement the FRMG and assist organizations in applying its principles. EY partnered with the ACFE to develop one of the tools, a library of data analytics test. The interactive tool allows you to filter customized tests by risk type. The risks are based on the ACFE's iconic Fraud Tree. 

COSO, a joint initiative of five private-sector accounting and auditing associations organized in 1985, published Internal Control — Integrated Framework in 1992. “The [1992 COSO] framework quickly became the best-practice roadmap for designing, implementing and maintaining a system of internal control,” said David Cotton, CFE, CPA, CGFM, chairman of Cotton & Company LLP. Cotton leads the taskforce of anti-fraud experts that came together last year to produce the FRMG. According to Cotton, the focus of the 1992 COSO framework was to establish a system to prevent errors or misstatements within organizations. But it did not explicitly focus on fraud.

In 2013, COSO updated its framework to include 17 principles in addition to the already established five internal control components. So, with the issuance of this framework update, many users were taken by surprise when it included an explicit fraud-related principle, Principle No. 8: The organization considers the potential for fraud in assessing risks to the achievement of objectives. After focusing primarily on unintentional errors and misstatements for more than 20 years, COSO users were now being told to also focus on intentional misstatements and the deliberate misappropriation of assets — fraud.

“If you want to say that you conform to the COSO framework, you have to have procedures in place for all 17 principles,” Cotton said. As soon as COSO issued the updated framework, users began trying to implement its new principles. Unfortunately, they were doing so with little guidance on how to follow through with fraud risk management. “When intent is considered, controls designed to guard against unintentional errors, misstatements or loss of assets may no longer do the job,” Cotton said.

The FRMG taskforce’s mission was to update a previous guide published by the ACFE, Institute of Internal Auditors (IIA) and American Institute of Certified Public Accountants (AICPA) in 2008 — Managing the Business Risk of Fraud: A Practical Guide (MBRF) — and make it consistent with the 2013 COSO framework. According to Cotton, the new FRMG is similar to MBRF but with slightly modified principles. Organizations can use the FRMG to comply with COSO Principle No. 8, or to develop and implement a more comprehensive fraud risk management program. “Principle No. 8 should cause all organizations to pause and reconsider the adequacy of their controls by asking a simple question with respect to every control: ‘Is this control adequate if someone tries to intentionally override or circumvent it?’ ” Cotton said. To assist with compliance, the taskforce also modified the principles from the MBRF process. Cotton said that organizations committed to protecting assets from fraud should carry out these processes: 

  1. Establish a fraud risk management policy as part of organizational governance. “When an organization falls victim to fraud, board members almost always absorb much or most of the blame,” Cotton said. “The commitment to implement the fraud risk management process needs to come from the highest organizational level — ideally the governing board.” The fraud risk governance policy:
    • Establishes and documents the commitment to managing fraud risk.
    • Summarizes fraud control strategies.
    • Outlines the fraud risk management program.
    • Defines procedures for reporting fraud.
    • Establishes employment conditions.
    • Defines conflict of interest policies.
    • Establishes procedures for fraud investigation.
    • Sets forth an internal audit strategy.
    • Explains the review, monitoring and feedback process.
  2. Perform a comprehensive fraud risk assessment. “This is the most important fraud risk management step, because it establishes the baseline for succeeding steps,” Cotton said. He recommends assembling a fraud risk management team that consists of employees from throughout the organization, he said. This team will brainstorm with the goal of identifying all possible ways fraud could happen within or against the organization. 
  3. Select, develop and deploy preventive and detective fraud control activities. This principle focuses on both prevention and detection of fraud with respect to each fraud risk exposure identified by the fraud risk assessment team. “Fraud prevention control procedures are designed to stop a fraud before it happens,” Cotton said. “Fraud detection control activities are designed to identify any frauds that happen as soon as possible after they happen.”
  4. Establish a fraud-reporting process and coordinated approach to investigation and corrective action. “You need to anticipate what can happen if a fraud perpetrator succeeds despite your fraud risk management efforts,” Cotton said. “A common mistake many organizations make is waiting until they are victimized to decide what to do.” Cotton recommends having a well-thoughtout plan that’s ready to be implemented immediately when chaos strikes, which will provide your organization with a better chance to avoid making emotional — and often unwise — decisions after it discovers a fraud.
  5. Monitor the fraud risk management process, report results and improve the process. As you make these changes and implement processes to manage your organization’s fraud risk, know that you must continually monitor everything. Organizations are dynamic and will change. “Consequently, implementing a fraud risk management program is not a one-and-done exercise,” Cotton said. “Any organizational or operational changes that happen trigger the need to reassess your fraud risk.”

 FRMG website to supply practical tools

“The COSO framework for internal control has become the globally recognized best practice,” Cotton said. “And internal control is the most important aspect of fraud prevention.” The FRMG website at will help your organization take internal controls to the next level by providing documentation templates, interactive scorecards to use in assessing your FRMG program and a library of anti-fraud data analytics tests. Cotton and the taskforce recommend that organizations embrace the entire Fraud Risk Management Guide and use it to instill an entity-wide focus on fraud risk management — not just on assessing fraud risk.