
FRAUD RISK MANAGEMENT GUIDE
Second Edition

EXECUTIVE SUMMARY

Committee of Sponsoring Organizations of the Treadway Commission
Principal Authors of the Fraud Risk Management Guide

David L. Cotton, CPA, CFE, CGFM
Chairman Emeritus, Cotton, A Sikich Company

Sandra Johnigan, CPA/CFF, CFE
Owner, Johnigan, P.C.

Leslye Givarz
Technical Editor, Public Company Accounting Oversight Board (Retired)

Acknowledgements
COSO and ACFE thank each of the Fraud Risk Management Update Task Force members,
the other anti-fraud professionals who provided recommendations for this Fraud Risk
Management Guide Update, and the original Task Force and Advisory Panel members for
their generous contributions of time, resources, and knowledge (see pages 5 to 7).

In particular, COSO and ACFE gratefully acknowledge David L. Cotton and
Sandra K. Johnigan, co-chairs of the Fraud Risk Management Update Task Force,
for their outstanding leadership and efforts toward the completion of this Guide.

COSO and ACFE also thank Sergio Analco and Laura Hymes for their outstanding
design and editorial expertise.

COSO Board Members

Paul J. Sobel, Outgoing COSO Chair
Lucia Wind, Incoming COSO Chair
Douglas F. Prawitt, American Accounting Association
Jeffrey C. Thomson, Institute of Management Accountants (Outgoing Board Member)
Jennifer Burns, American Institute of CPAs
Larry R. White, Institute of Management Accountants (Incoming Board Member)
Daniel C. Murdock, Financial Executives International
Patty K. Miller, The Institute of Internal Auditors

Preface
This project was commissioned by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO), which is dedicated to helping organizations improve
performance by developing thought leadership that enhances internal control,
risk management, governance, and fraud deterrence.

COSO is a private-sector initiative jointly sponsored and funded by the following organizations:

American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
The Institute of Management Accountants (IMA)
The Institute of Internal Auditors (IIA)

coso.org


March 2023 | Research Commissioned by COSO | Co-published by ACFE

FOREWORD

In 1992 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released its Internal Control — Integrated Framework (the original framework). The original framework gained broad acceptance and was widely recognized as a leading framework for designing, implementing, and conducting internal control and assessing the effectiveness of internal control.

COSO revised the original framework in 2013 (COSO 2013 IC Framework). The COSO 2013 IC Framework incorporated 17 principles. These 17 principles are associated with the five internal control components, and provide clarity for the user in designing and implementing systems of internal control and for understanding requirements for effective internal control. COSO makes clear that for a system of internal control to be effective, each of the 17 principles is present, functioning, and operating together in an integrated manner. One important principle focused on fraud risk.

Principle 8, one of the risk assessment component principles, states:

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

The Fraud Risk Management Guide, originally published in 2016, was intended to be supportive of and consistent with the COSO 2013 IC Framework and to serve as guidance for organizations to follow in addressing this specific fraud risk assessment principle.

However, fraud is not static. Accordingly, COSO and ACFE initiated an update process that included reaching out to a broad range of users for recommendations on where the Fraud Risk Management Guide could be improved, and assembled a team to take a refreshed look at the Guide and assess how and where it should be updated.

Performing periodic fraud risk assessments is an important element of good governance. Additionally, it is also a COSO 2013 IC Framework requirement.

For organizations desiring a more comprehensive approach to managing fraud risk, the Fraud Risk Management Guide includes the information needed to perform a fraud risk assessment, as well as guidance on establishing an overall Fraud Risk Management Program including:

• Establishing fraud risk governance policies

• Performing a fraud risk assessment

• Designing and deploying fraud preventive and detective control activities

• Conducting investigations, and

• Monitoring and evaluating the total Fraud Risk Management Program

This Guide is designed to be familiar to COSO Framework users. It contains principles and points of focus. This Guide’s five principles are consistent with the five COSO Internal Control Components and the 17 COSO principles.

This Guide updates the first edition of the Fraud Risk Management Guide published in 2016. It also draws from a 2008 publication published and sponsored by the American Institute of CPAs (AICPA), Institute of Internal Auditors (IIA), and Association of Certified Fraud Examiners (ACFE). This prior publication, Managing the Business Risk of Fraud: A Practical Guide, contained similar guidance for establishing a comprehensive Fraud Risk Management Program and has been used by many organizations to manage fraud risk. The COSO sponsors and ACFE are appreciative of the work done by the task forces that produced these prior publications. This updated Guide builds on them by addressing more recent anti-fraud developments, revising terminology to be consistent with newer COSO terminology, and adding important information related to technology developments — specifically data analytics.


The Guide’s executive summary provides a high-level overview intended for the board of directors, senior management, and chief audit executives. It is designed to explain the benefits of establishing strong anti-fraud policies and controls. The updated Guide’s appendices contain valuable information:

A. Glossary
B. Fraud Risk Management Roles and Responsibilities
C. Fraud Risk Management Considerations for Smaller Entities
D. Data Analytics and FRM
E. Fraud Risk Assessment Example
F. Fraud Risk Management Tools
G. Managing the Risk of Fraud, Waste, and Abuse in the Government Environment

The updated Guide also contains links to several valuable tools and templates that can be used to make implementation and documentation of a comprehensive Fraud Risk Management Program more effective.

COSO has also published Enterprise Risk Management — Integrating with Strategy and Performance (COSO 2017 ERM Framework). This Guide, the COSO 2013 IC Framework, and the COSO 2017 ERM Framework, are intended to be complementary. Depending on how an organization implements the Internal Control Framework, the ERM Framework, and this Guide, there may be overlapping and interconnecting areas. Fraud risk can affect areas beyond accounting and financial management activities. Indeed, an organization seeking to minimize the adverse impacts of fraud needs to consider fraud risk in all areas of the enterprise and its operations.

The COSO Board would like to thank members of the Task Force that updated this Guide, the other anti-fraud professionals who provided recommendations for this Update, the original Task Force and Advisory Panel members, and the COSO member organizations for their contributions in reviewing the Guide (see pages 5, 6, and 7).

Finally, the COSO Board gratefully acknowledges David L. Cotton and Sandra K. Johnigan, co-chairs of the Update Task Force, for their outstanding leadership and efforts toward the completion of this update.

Paul J. Sobel
COSO Chair

Bruce Dorris
ACFE President and CEO


Fraud Risk Management Guide Update Task Force

Tom Caulfield, Procurement Integrity Consulting Services
David Coderre, CAATS
David L. Cotton, Co-Chair, Cotton, A Sikich Company
John D. Gill, ACFE
Sandra K. Johnigan, Co-Chair, Johnigan, PC
Andi McNeal, ACFE
Linda Miller, Audient Group, LLC
Lynda Schwartz, University of Massachusetts Amherst
Jeffrey Steinhoff, Formerly KPMG and GAO
Pamela Verick, Protiviti
Vincent Walden, KonaAI

Anti-Fraud Professionals Who Provided Recommendations for this Fraud Risk Management Guide Update

Tim Berichon, Institute of Internal Auditors
Sonia Boguslavsky, Bank of Israel
Dr. El-fred Boo, Nanyang Technological University
Mike Carter, Bittrex, Inc.
Margot Cella, Center for Audit Quality
Dr. Todd DeZoort, The University of Alabama
Scott Hilsen, Cox Automotive, Inc.
Robert Hirth, Protiviti
Robert Hogan, Hogan Forensics
Ryan Hubbs, Schlumberger
Jonathan T. Marks, Baker Tilly US, LLP
Anne Mercer, Institute of Internal Auditors
Rhod Newcombe, Brit Insurance
Joseph Palmar, Palmar Forensics
Brad Preber, Grant Thornton
Katherine Robinson, Sterling Bank & Trust, FSB
Valerie Scarantino, UGI Corporation
Paul Sobel, COSO Chairman
Dr. Robert Tennant, Institute of Management Accountants
Lucy Wang, Center for Audit Quality
Elizabeth Zachem Woodward, Dean Dorton


In addition to the Task Force and Anti-Fraud Professionals listed above who contributed to the development of this 2023
Update, COSO and ACFE gratefully acknowledge those listed below, who previously contributed to the 2016 Guide.

Fraud Risk Management Task Force

Barbara Andrews, AICPA
Michael Birdsall, Comcast Corporation
Toby Bishop, Formerly ACFE, Deloitte
Margot Cella, Center for Audit Quality
David Coderre, CAATS
David L. Cotton, Chair, Cotton, A Sikich Company
James Dalkin, GAO
Ron Durkin, Durkin Forensic, Inc.
Bert Edwards, Formerly State Department
Frank Faist, Charter Communications
Eric Feldman, Affiliated Monitors, Inc.
Dan George, USAC
John D. Gill, ACFE
Leslye Givarz, Formerly AICPA, PCAOB
Cindi Hook, Comcast Corporation
Sandra K. Johnigan, Co-Chair, Johnigan, PC
Bill Leone, Norton Rose Fulbright
Andi McNeal, ACFE
Linda Miller, Audient Group, LLC
Kemi Olateju, General Electric
Chris Pembroke, Crawford & Associates, PC
J. Michael Peppers, University of Texas
Kelly Richmond Pope, DePaul University
Carolyn Devine Saint, University of Virginia
Jeffrey Steinhoff, Formerly KPMG and GAO
William Titera, Formerly EY
Michael Ueltzen, Ueltzen & Company
Pamela Verick, Protiviti
Vincent Walden, KonaAI
Bill Warren, PwC
Richard Woodford, U.S. Coast Guard Investigative Service


Fraud Risk Management Advisory Panel

Dan Amiram, Columbia University Business School
Zahn Bozanic, The Ohio State University
Greg Brush, Tennessee Comptroller of Treasury
Tamia Buckingham, Massachusetts School Building Authority
Ashley L. Comer, James Madison University
Molly Dawson, Cotton & Company LLP
Eric Eisenstein, Cotton & Company LLP
Michael Justus, University of Nebraska
Theresa Nellis-Matson, New York Office of the State Comptroller
Jennifer Paperman, New York Office of the State Comptroller
Daniel Rossi, New York Office of the State Comptroller
Lynda Schwartz, University of Massachusetts Amherst
Rosie Tomforde, Regional Government

The COSO Board gratefully acknowledges everyone who contributed their time, experience, thoughts, and expertise to both
the original Guide and this updated Guide.


EXECUTIVE SUMMARY | FRAUD RISK MANAGEMENT

The Ever-Present Risk of Fraud and its Costs

All organizations are subject to fraud risks. Some organizational leaders may question whether the benefits derived from implementing and maintaining a Fraud Risk Management Program outweigh the costs. This Guide demonstrates why the answer to that question is Yes, and provides help in implementing such a program.

Publicized fraudulent behavior by key executives, other employees, and outsiders repeatedly demonstrates the reality of this ever-present risk and how it negatively impacts reputations, brands, and images of many organizations around the globe. Large frauds have led to the collapse of entire organizations, massive asset losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets, government, and not-for-profit entities. Even relatively small frauds can be devastating to an organization, resulting in:

• Loss of trust in management and the breakdown of teamwork and organizational cohesion

• Increased scrutiny from law enforcement and regulatory bodies

• Loss of trust by stakeholders (shareholders, donors, customers, taxpayers, and the public)

• Increased employee and management turnover

• Reputational damage

• Loss of competitive advantage

It is impossible and impractical to eliminate all fraud in all organizations. However, effective leaders address fraud risk as they do any risk — they manage it. The Fraud Risk Management Guide provides a blueprint to do just that. It is based on the proven principles of enterprise risk management as published by COSO, most recently in 2017. This Guide gives organizations, whether large or small, government or private, profit or non-profit, the information necessary to design a plan specific to the risks for that entity. There is no “one-size-fits-all approach” to managing fraud risk. But with the right approach, an organization can create a custom-fitted program tailored to its specific needs.

A Growing Area of Fraud Risk

Organizations committed to fraud prevention, detection, and deterrence will address not just internal fraud risks — frauds perpetrated by parties within the organization, but also external fraud risks — fraud perpetrated on the organization by outside parties such as ransomware, data breaches, identity theft, and a wide range of corruption schemes that continue to evolve.

Fraud Deterrence Now and in the Future

Implementation of the principles in this Guide will maximize the likelihood that fraud will be prevented or detected in a timely manner and can create a strong fraud deterrence effect.

COSO’s mission is to help organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence. The Fraud Risk Management Guide is a key tool for furthering this mission, particularly with respect to fraud deterrence.

As a first step in discussing fraud deterrence, the following practical definition of fraud¹ is used in this Guide:

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

Therefore, to successfully achieve fraud deterrence, organizations will implement policies and procedures that target the prevention and detection of fraud. Organizations that implement a rigorous Fraud Risk Management Program will further strengthen fraud deterrence by making it known that potential fraud perpetrators face a significant likelihood of getting caught and being punished.

Deterrence is also supported and enhanced by the knowledge throughout the organization that:

• Those charged with governance have made a commitment to comprehensive fraud risk management

¹ The authors recognize that many other definitions of fraud exist, including those developed by the Auditing Standards Board of the American Institute of Certified Public Accountants, the Public Company Accounting Oversight Board, and the Government Accountability Office. Some legal definitions of fraud do not include scienter, or intent.


• Periodic fraud risk assessments are being conducted and updated as risks change or new information becomes known

• Fraud preventive and detective control activities, including data analytics — overt and covert — are being conducted

• Suspected frauds are investigated quickly

• Fraud reporting mechanisms are in place

• Discovered frauds are remediated thoroughly

• Wrongdoing has been appropriately disciplined

• The entire Fraud Risk Management Program is being constantly monitored

Roles and Responsibilities

The board of directors² and top management have responsibility for managing fraud risk. In particular, they are expected to understand how the organization is responding to heightened risks and emerging exposures, as well as public and stakeholder scrutiny; what form of Fraud Risk Management Program the organization has in place; how it identifies fraud risks; what it is doing to better prevent fraud, or at least detect it sooner; and what processes are in place to investigate fraud and take corrective action. Further, personnel at all levels of the organization have a responsibility to understand the effects of fraud and the importance of preventing fraud. This Guide is designed to help address these complex issues.

How it Works

This Guide provides implementation guidance for a Fraud Risk Management Program that defines principles and points of focus for fraud risk management and describes how organizations of various sizes and types can establish their own Fraud Risk Management Programs. The Guide includes examples of key program components and resources that organizations can use as a starting place to develop a Fraud Risk Management Program effectively and efficiently. In addition, and recognizing that no two organizations are the same, the Guide contains references to other sources of guidance to allow for tailoring a Fraud Risk Management Program to a particular industry or to government or not-for-profit organizations. Each organization will assess the degree of emphasis to place on fraud risk management based on its size and circumstances.

The Guide also contains valuable information for users who are implementing a Fraud Risk Management Program. This includes addressing fraud risk management roles and responsibilities, fraud risk management considerations for smaller organizations, data analytics, and managing fraud risk in the government environment.

What’s New in the 2023 Fraud Risk Management Guide?

Following publication of the Fraud Risk Management Guide in 2016, it became recognized as containing a widely accepted set of leading practices for anti-fraud professionals and organizations intent on deterring fraud. But, fraud is not static. Accordingly, COSO and ACFE initiated an update process that included reaching out to a broad range of users for recommendations on where the Guide can be improved, and assembled a team to take a refreshed look at the Guide and assess how and where it should be updated. Following are the key changes to this 2023 edition:

• Fraud risk management and deterrence. This edition explains how fraud risk management relates to and supports fraud deterrence — a key theme in COSO’s missions.

• Relationships among COSO’s two frameworks and fraud risk management. This edition explains how the COSO 2013 Internal Control — Integrated Framework, the COSO 2017 Enterprise Risk Management — Integrating with Strategy and Performance Framework and the Fraud Risk Management Guide are related and support each other.

• Expanded information on data analytics. Data analytics continues to grow in importance as a key tool for the prevention and early detection of fraud. Advanced applications of data analytics may be less familiar to some users than standard tools, such as interviewing and whistleblower systems. Accordingly, this edition includes expanded and updated information on data analytics, while continuing to emphasize the importance of interviewing and whistleblower systems. A data analytics Point of Focus has been added to each of the five fraud risk management principles to demonstrate how the use of data analytics is an integral part of each principle. Further, the data analytics appendix has been updated and expanded. This approach is not meant to downplay the importance of other tools, but rather, to highlight the increasing power of data analytics in managing fraud risk.

² Throughout this Guide the terms board and board of directors refer to the governing or oversight body or those charged with governance of the organization. The terms chief executive officer (CEO) and chief financial officer (CFO) refer to the senior-level management individuals responsible for overall organization performance and financial reporting.


• Internal control and fraud risk management. This edition explains how internal control and fraud risk management are related and support each other, but are different in some important respects. Examples are provided to show that many “go-to” internal control processes and procedures may be adequate for ensuring accuracy in accounting and financial reporting but may not provide sufficient fraud protection.

• Assessing the effectiveness of existing control procedures as related to fraud risk. Chapter 2 (Fraud Risk Assessment) provides additional information on this important step in the fraud risk assessment process. It clarifies and emphasizes that assessing control effectiveness involves (a) identifying existing control procedures related to each identified inherent fraud risk, (b) assuring that the controls have been implemented and are working as designed, and (c) assessing whether the controls are adequate to address the fraud risks that have been identified. That last step is in addition to an assessment of the design and operating effectiveness of controls from an internal control over financial reporting perspective. Further, it is the key to identifying residual fraud risk so that additional fraud control activities such as additional data analytics can be applied.

• Changes in the legal and regulatory environment. This edition includes updated information with respect to recent legal and regulatory developments in the U.S. pertaining to fraud and fraud risk management, including:
- The Department of Justice’s Evaluation of Corporate Compliance Programs
- The Government Accountability Office’s A Framework for Managing Fraud Risks in Federal Programs
- U.S. Securities and Exchange Commission’s Climate and Environmental, Social, and Governance (ESG) Task Force Reports

• Fraud reporting systems or hotlines. ACFE research consistently shows that the majority of frauds are discovered through tips, often from employees in an organization. This edition includes updated and expanded information related to the importance of fraud reporting systems in detecting, preventing, and deterring fraud.

• Changes in the external environment and fraud landscape. The fraud landscape is changing rapidly. This edition includes information on this changing environment, including:
- Environmental, Social, and Governance (ESG) initiatives and reporting
- Cyber fraud
- Blockchain, cryptocurrency, and digital assets
- Ransomware
- COVID-19 response efforts, the CARES Act (Public Law 116-136) and other related programs
- Remote working and hybrid working environments
- Innovative and virtual management tools and accounting procedures

• Appendices changes. The 2016 Guide had 19 appendices. This 2023 edition has 7. Several of the 2016 appendices have been moved to ACFE’s Fraud Risk Management Tools web site so that they can be updated as needed. The appendices moved are:
- Sample Fraud Control Policy Framework (2016 Appendix F-1)
- Fraud Risk Management High-Level Assessment (2016 Appendix F-2)
- Sample Fraud Policy Responsibility Matrix (2016 Appendix F-3)
- Sample Fraud Risk Management Policy (2016 Appendix F-4)
- Sample Fraud Risk Management Survey (2016 Appendix F-5)
- Fraud Risk Exposures (2016 Appendix G)
- The five Fraud Risk Management Scorecards (2016 Appendices I-1 through I-5)

The Appendix, Managing the Risk of Fraud, Waste, and Abuse in the Government Environment, has been updated and expanded, and remains in the Guide as a valuable resource.

Finally, and significantly, the ACFE tools site includes a greatly-expanded list of fraud risk exposures and fraud schemes. Each scheme in the expanded list is hyperlinked to an underlying description of the scheme and how it is carried out. This list contains generic schemes — schemes that can victimize any organization — but also industry-specific schemes (healthcare, financial services, manufacturing, and so forth). Again, through input from users, this resource will continue to expand. These dynamic resources are readily accessible to anti-fraud professionals implementing Fraud Risk Management Programs.

COSO and ACFE are confident that this updated Fraud Risk Management Guide will continue to grow in importance as the set of leading practices for preventing, detecting, and deterring fraud.


Fraud Risk Management and the COSO Internal Control Framework

COSO revised its Internal Control — Integrated Framework in 2013 to incorporate 17 principles. These 17 principles are associated with the five internal control components COSO established in 1992. The principles provide clarity for the user in designing and implementing systems of internal control and for understanding requirements for effective internal control. COSO clarifies that for a system of internal control to be effective, each of the 17 principles is present, functioning, and operating in an integrated manner. Throughout this Guide the COSO 2013 IC Framework has been used as a source for describing aspects of internal control.

Principle 8, one of the risk assessment component principles, states:

The organization considers the potential for fraud in assessing risks to the achievement of objectives.

This Guide is intended to be supportive of and consistent with the COSO 2013 IC Framework and can serve as guidance for organizations to follow in performing a fraud risk assessment.

For organizations desiring to establish a more comprehensive approach to managing fraud risk, however, this Guide includes more than just the information needed to perform a fraud risk assessment. It also provides guidance on establishing the other components of an overall Fraud Risk Management Program, including:

• Establishing fraud risk governance policies

• Designing and deploying fraud preventive and detective control activities

• Conducting investigations and taking corrective actions

• Monitoring and evaluating the total Fraud Risk Management Program

The Guide also defines important terminology (see Appendix A), explains key roles and responsibilities (see Appendix B), and describes how it can be applied to smaller organizations (see Appendix C).

Consequently, organizations applying the COSO 2013 IC Framework can choose from the following two approaches in addressing this important fraud risk assessment principle:

• First Approach: They can use this Guide’s second fraud risk management principle (The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks) on a stand-alone basis to conduct a fraud risk assessment that is compliant with COSO 2013 IC Framework Principle 8. Under this approach, an organization would overlay this fraud risk assessment process on its existing internal control structure by revisiting each component of internal control and assessing vulnerabilities to fraud.

• Second Approach: They can implement this Guide as a separate, compatible, and more comprehensive process to not only periodically assess, but to also manage the organization’s fraud risks as part of a broader Fraud Risk Management Program. That approach includes a fraud risk assessment and also encompasses fraud risk governance, designing and implementing fraud control activities, fraud investigation and corrective action, and fraud risk management evaluation and monitoring. Once the Guide is implemented, its results will support and will be consistent with the overall COSO 2013 IC Framework.

The second approach results in an ongoing, comprehensive Fraud Risk Management Program as follows in Figure 1.


Figure 1. Ongoing, Comprehensive Fraud Risk Management Process (cyclic diagram; the five steps it shows are):

• Establish a fraud risk management policy as part of organizational governance

• Perform comprehensive fraud risk assessments

• Select, develop, and deploy preventive and detective fraud control activities

• Establish a fraud reporting process and coordinated approach to investigation and corrective action, including analyzing and remediating root causes

• Monitor the fraud risk management process, report results, and improve the process

This comprehensive approach recognizes and emphasizes the fundamental difference between internal control weaknesses resulting in errors and weaknesses resulting in fraud. This fundamental difference is intent. An organization that simply adds the fraud risk assessment to the existing risk assessment may not thoroughly examine and identify possibilities for improper acts designed to:

• Misstate financial information

• Misstate non-financial information

• Misappropriate assets

• Perpetrate illegal acts or corruption

Implementing a specific and more focused fraud risk assessment as a separate Fraud Risk Management Program enhances the likelihood that the assessment’s focus remains on intentional acts.

The recommended approach is also likely to result in a more robust and comprehensive assessment of fraud risk. It also provides the additional structure needed for comprehensive fraud risk management. If organizations use the more simplified approach (just performing the fraud risk assessment), they can combine those results with the COSO 2013 IC Framework’s results to yield more robust prevention and detection mechanisms.


Relationships Among COSO’s Two Frameworks and this Fraud Risk Management Guide

COSO published Internal Control — Integrated Framework in 2013 (COSO 2013 IC Framework) and published Enterprise Risk Management — Integrating with Strategy and Performance in 2017 (COSO 2017 ERM Framework). This Fraud Risk Management Guide, the COSO 2013 IC Framework, and the COSO 2017 ERM Framework, are intended to be complementary.

Depending on how an organization implements the Internal Control Framework, the ERM Framework, and this Guide, there may be overlapping and interconnecting areas. Fraud risk can affect all areas of accounting functions, financial management and reporting activities, and non-financial management and reporting activities. Indeed, an organization seeking to minimize the adverse impacts of fraud will consider fraud risk in all areas of the enterprise and its operations.

Enterprise risk management is broader than internal control in that it focuses on a variety of risk responses to manage risk in all aspects of business. Internal control is a subset and integral part of enterprise risk management, while enterprise risk management is a subset of organizational governance. Of course, fraud risk can impact all aspects of both enterprise risk and internal control.

This Fraud Risk Management Guide is intended to be an important component of a holistic risk response that is both effective and efficient in addressing wide-ranging fraud risks, including those originating from internal sources (e.g., management, employees, consultants), external sources (e.g., cyber/hacking risk), or both (e.g., conspiracy, corruption, money laundering, drug trafficking/terrorism financing).

Summary of Fraud Risk Management Components and Principles

Fraud Risk Governance


Fraud risk governance is an integral component of corporate governance and the internal control environment. Corporate governance addresses the manner in which the board of directors and management meet their respective obligations to achieve the organization’s goals, including its fiduciary, reporting, and legal responsibilities to stakeholders. The internal control environment creates the discipline that supports the assessment of risks to the achievement of the organization’s goals.

Control Environment
Principle 1: The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Fraud Risk Assessments


A fraud risk assessment is a dynamic and iterative process for identifying and assessing fraud risks relevant to the organization. Fraud risk assessment addresses the risk of fraudulent financial reporting, fraudulent non-financial reporting, asset misappropriation, and corruption (including illegal acts and noncompliance with laws and regulations).

Organizations can tailor this approach to meet their individual needs, complexities, and goals. Fraud risk assessment is not only an integral component of risk assessment and internal control, it also is specifically linked to COSO 2013 IC Framework Principle 8.

Risk Assessment
Principle 2: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.


Fraud Control Activity


A fraud control activity is an action established through policies and procedures that helps ensure that management’s directives to mitigate fraud risks are carried out. A fraud control activity is a specific procedure or process intended either to prevent fraud from occurring or to detect fraud quickly in the event that it occurs.

Fraud control activities are generally classified as either preventive (designed to avoid a fraudulent event or transaction at the time of initial occurrence) or detective (designed to discover a fraudulent event or transaction after the initial processing has occurred). The selection, development, implementation, and monitoring of fraud preventive and fraud detective control activities are crucial elements of managing fraud risk. Fraud control activities are documented with descriptions of the identified fraud risk and scheme, the fraud control activity that is designed to mitigate the fraud risk, and the identification of those responsible for the fraud control activity. Fraud control activities are integral to the ongoing fraud risk assessment component of internal control.

Control Activities
Principle 3: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Fraud Investigation and Corrective Action


Control activities cannot provide absolute assurance against fraud. As a result, the organization’s governing board ensures that the organization develops and implements a system for prompt, competent, and confidential review, investigation, and resolution of instances of allegations involving potential fraud and misconduct. An organization can improve its chances of loss recovery, while minimizing exposure to litigation and damage to reputation, by establishing and carefully preplanning investigation and corrective action processes.

Information & Communication
Principle 4: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Fraud Risk Management Monitoring Activities


The fifth fraud risk management principle relates to monitoring the overall Fraud Risk Management Program. Organizations use fraud risk management monitoring activities to ensure that each of the five principles of fraud risk management is present and functioning as designed and that the organization identifies needed changes in a timely manner.

Organizations use ongoing and separate (periodic) evaluations, or some combination of the two, to perform fraud monitoring activities. Similar to the COSO 2013 IC Framework, ongoing evaluations in a Fraud Risk Management Program that are built into the organization’s business processes at varying levels provide timely information. In contrast, organizations conduct separate evaluations periodically that vary in scope and timing based on numerous factors, including the results of ongoing evaluations.

Monitoring Activities
Principle 5: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.


Use by Interested Parties

Board of Directors and Audit Committee

A well-performing and engaged board discusses with senior management the state of the entity’s Fraud Risk Management Program and provides oversight as needed. Senior management has overall responsibility for the design and implementation of a Fraud Risk Management Program, including setting the tone at the top that creates the culture for the entire organization. The board establishes policies and procedures explaining how the board provides oversight, including defining expectations about integrity and ethical values, transparency, and accountability for the implementation and operation of the Fraud Risk Management Program. Senior management informs the board of the residual risks of fraud from its fraud risk assessments, as well as incidents of fraud or suspected fraud. The board challenges management and asks the tough questions, as necessary. It seeks input from internal auditors, external independent auditors, specialists, and legal counsel and utilizes these resources as needed to investigate any issues.

The board is an important check on the risk of management wrongdoing, including management override of anti-fraud and other internal controls. The board assesses the risk of management override and also considers and addresses fraud allegations related to senior management if they arise.

Senior Management

Senior management assesses the entity’s Fraud Risk Management Program in relation to this Fraud Risk Management Guide, focusing on how the organization applies the five principles in support of its Fraud Risk Management Program. Further, they assess the entity’s fraud risk in compliance with Principle 8 of the COSO 2013 IC Framework.

Other Management and Personnel

Managers and other personnel consider how they are conducting their responsibilities in light of this Guide and discuss with more senior personnel ideas for strengthening fraud risk controls. More specifically, they consider how existing controls affect the relevant principles within the five components of fraud risk management, as well as Principle 8 of the COSO 2013 IC Framework.

Internal Audit

Internal auditors review their internal audit plans and how the plans are applied to the entity’s Fraud Risk Management Program in connection with implementation of this guidance. Internal auditors will use this Guide to 1) assess how effective their risk assessments are in evaluating fraud risk and improve them, 2) help assess fraud risk in each internal audit project, and 3) identify potential control enhancements to minimize ongoing fraud risk.

External Independent Auditors

In many situations, an external independent auditor is engaged to audit or examine the effectiveness of the client’s internal control over financial reporting in addition to auditing the entity’s financial statements. The COSO 2013 IC Framework introduced Principle 8: the organization considers the potential for fraud in assessing risks to the achievement of objectives. Auditors can assess the entity’s implementation of that Principle using this Guide.

Specialists

In addition to the audit committee, internal audit, and management, the organization also may include internal and external professionals with specific domain expertise, such as legal, compliance, investigations, emerging markets, human resources, security, and data analytics.

Other Professional Organizations

Other professional organizations providing guidance on fraud risk as it relates to operations, reporting, and compliance may consider their standards and guidance in comparison to the Guide. To the extent diversity in concepts and terminology is eliminated, all parties benefit.

Educators

The concepts of fraud risk management are important to professional education. Because fraud risks are pervasive and perennial, every professional benefits from a solid grounding in the Guide’s concepts and approaches. Educators can leverage the Guide as a teaching text or as source material for lessons in leadership, business decision-making, management and organizational behavior, ethics, advanced audit, information management, data analytics, and forensic accounting.


Relationship Between the COSO 2013 IC Framework’s Five Components and 17 Internal
Control Principles and this Guide’s Five Fraud Risk Management Principles

COSO revised its Internal Control — Integrated Framework in 2013 to incorporate 17 principles. These 17 principles are
associated with the five internal control components COSO established in 1992. This Guide’s five fraud risk management
principles fully support, are entirely consistent with, and parallel the COSO 2013 IC Framework’s 17 internal control principles.
The correlation between the fraud risk management principles and the COSO 2013 IC Framework’s internal control
components and principles is as follows:

COSO Framework Components and Principles, and the corresponding Fraud Risk Management Principles:

Control Environment
COSO 2013 IC Framework Principles:
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Fraud Risk Management Principle 1: The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

Risk Assessment
COSO 2013 IC Framework Principles:
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
Fraud Risk Management Principle 2: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

Control Activities
COSO 2013 IC Framework Principles:
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.
Fraud Risk Management Principle 3: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

Information & Communication
COSO 2013 IC Framework Principles:
13. The organization obtains or generates and uses relevant, quality information to support the functioning of other components of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of other components of internal control.
Fraud Risk Management Principle 4: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

Monitoring Activities
COSO 2013 IC Framework Principles:
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Fraud Risk Management Principle 5: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

The most obvious correlation between these two sets of principles is COSO 2013 IC Framework Principle 8 and Fraud Risk
Management Principle 2. In addition, as the above exhibit displays, all of the COSO 2013 IC Framework and Fraud Risk
Management Principles correlate with and support each other.

Testimonials
“The Guide is a great resource for professionals who appreciate
the need to take a holistic approach to fraud risk management.”

Todd DeZoort, Ph.D., CFE, NACD.DC


Durr-Fillauer Chair in Business Ethics and Professor of Accounting
Culverhouse School of Accountancy, The University of Alabama

“As much as we don’t like to think about it, fraud is just part of the
business landscape and human condition. Pressure, greed, insecurity, and
many other emotions are involved which unfortunately fuel intentional
bad behavior and decision-making. This guide expands upon Principle 8
in the 2013 COSO Internal Control — Integrated Framework in an effective
way to help all organizations regardless of size, industry, form, or ownership
more effectively address the unwelcome subject of fraud. Boards,
management, accountants, internal auditors, and others will benefit
from its advice, structure, and guidance.”

Robert B. Hirth, Jr.


Senior Managing Director, Protiviti
COSO Chair Emeritus (2013–2018)

“Being a CPA as well as a CFE, I was already familiar with COSO guidance.
Coupling that with a fraud risk management perspective is ideal for anyone
in a corporate role. The FRMG provides clear direction for identifying and
addressing risks, and makes it easy to integrate with overall corporate risk
management efforts.”

Valerie Scarantino
UGI Corporation

“I found the Guide to be a cost effective and valuable resource for fighting
fraud as it approaches fraud prevention and detection on a comprehensive
basis as opposed to piecemeal, which is often the approach used by most
organizations. Proactiveness vs. reactiveness is both more cost effective as
well as protecting from something you can never recover from, reputation
damage…the true cost of fraud. Unfortunately, many organizations fall into the
“comfortable in action mode,” in other words “it can’t happen here,” or simply
don’t know where or how to start a comprehensive, all-encompassing approach
to fraud protection and detection. You now have a tool and
resource to guide you through this process!”

Joseph M. Palmar, CPA, CFE, CFF


Chief Executive Officer
Palmar Forensics
