Dave Cotton, CFE, CPA, chairman at Cotton & Company, LLP, has played a significant role in developing best practices in anti-fraud controls. Under his leadership, the ACFE and COSO co-published the Fraud Risk Management Guide, and he was also the recipient of this year’s Certified Fraud Examiner of the Year award. Continuing on his trailblazing trajectory, Cotton recently collaborated with several members of the ACFE to start a new group* in the ACFE Community dedicated to fraud risk management. In this group, members can discuss how to perform fraud risk assessments, implement best practices and raise fraud risk management awareness in organizations of all sizes and industries.
Below, Cotton shares why he wanted to start this group and what he hopes ACFE members will gain from a discussion forum dedicated to fraud risk management.
Why was it important for you to start a group in the ACFE Community dedicated to this topic?
The publication of the updated COSO Internal Control-Integrated Framework in 2013 was a transforming event. COSO’s roots were in the study of fraud prevention. COSO’s original reason for being was to sponsor the Treadway Commission, which issued the landmark Report of the National Commission on Fraudulent Financial Reporting in 1987. That report led to an increased interest in internal control and the publication of the original Internal Control—Integrated Framework in 1992. The 2013 updated Framework placed renewed attention on fraud by including Principle 8: “The organization considers the potential for fraud in assessing risk to the achievement of objectives.”
Since almost all organizations worldwide adhere to the COSO Framework, Principle 8 has caused an enormous interest in how an organization can manage fraud risk. This new ACFE group will be a place to share best practices, discuss success stories and exchange innovative new ideas. My prediction is that auditing standards will be revised to require auditors not just to assess fraud risk, but to assess how well the auditee organization is managing fraud risk — similar to the evolution related to auditor responsibilities regarding internal control. Until the mid-1990s, auditors were not required to document and test internal controls, but now, internal control testing is a foundational part of every audit. The same will happen regarding fraud risk management. The ACFE/COSO Fraud Risk Management Framework is quickly becoming the recognized set of best practices in this area.
Since the Fraud Risk Management Guide (FRMG) was released in 2016, what sorts of developments have you seen in this area?
Following publication of the FRMG two years ago, the response has been overwhelming, and overwhelmingly positive. The FRMG provides a well-defined structure for comprehensive fraud risk management. Organizations now have five fraud risk management principles to follow, and a clear blueprint for how to perform a fraud risk assessment and implement fraud control activities. Importantly, FRMG’s authors recognized that the tools in the guide would evolve, and evolve rapidly. Instead of just including some tools in the guide itself, the authors worked with the ACFE to actually house these tools on the ACFE website.
The intent is that these tools will be crowd-sourced so that they are constantly evolving and improving. As people use the tools, they can suggest improvements to existing tools as well as new tools that they help develop. For example, the site has a library of data analytic tests for preventing and detecting different types of fraud. Data analytics is probably the most rapidly advancing focus area of the accountability profession. The library of data analytic tests will grow constantly as users develop new ways to prevent and detect fraud.
Similarly, the ACFE is close to being able to publish on the site a comprehensive list of fraud schemes, hyperlinked to underlying definitions/descriptions. That list will continue to grow as users suggest additional schemes. How useful will it be for an organization performing its fraud risk assessment to have a comprehensive list to consider and ask, “Could that happen to us?” I think it will be hugely important and valuable.
What do you hope your fellow ACFE members will gain from participating and contributing to the discussions?
Instead of trying to “reinvent the wheel” every time a fraud risk management issue arises, ACFE members will have a place to go to get help, support and advice. In particular, I predict that there will be a number of industry-specific support areas within the new group. If you work in health care, you can share information about the nuances of health care fraud schemes and best practices for preventing and early-detecting them. If you work in the financial sector, you can get support and share experiences from others in that sector. And so forth. At a more macro level, just knowing that others are out there struggling with the same or similar issues will mean a lot. Have a problem or concern? Rest assured that you are not the first to encounter that issue; someone in the group can help you find the solution.
What are some of the most challenging areas of fraud risk management that you hope get discussed in the new group?
Probably the greatest challenge to CFEs trying to implement fraud risk management is getting upper management and those charged with governance to embrace the importance of fraud risk management. Most organizations have an “it can’t happen to us” attitude about fraud. Group members will be able to share methods they have used to educate their organizational leaders about the importance of maintaining fraud risk awareness. Also, embracing and employing technology as a central component of fraud risk management is a challenge, given how rapidly technology is changing. Group members will be able to knowledge-share.
Ultimately, I believe that the new Fraud Risk Management Group will become the go-to resource for CFEs charged with implementing a comprehensive fraud risk management program. Not sure of the best way to prevent a particular type of fraud? Go to the FRM Group. Need help dealing with how many risk assessment teams your organization should have and who should be on them? Go to the FRM Group. And so forth.
The new Fraud Risk Management Group* is open to all members of the ACFE. Log in to the ACFE Community and join the discussions today!
*Please note that you will need to log in to the ACFE Community before clicking on this link.