In a rapidly evolving digital landscape, the application of data analytics in fraud detection and the adoption of fraud risk assessment tools as part of a comprehensive fraud risk program are more important than ever. Organizations need a trusted manual to help them navigate today’s risk landscape. During her session at the 35th Annual ACFE Global Fraud Conference, Lucia Wind, CFE, board chair and executive director of the Committee of Sponsoring Organizations (COSO), led an in-depth review of the 2023 Fraud Risk Management Guide, focusing on new and emerging guidance.

Adapt and Embrace

Last updated in 2016, the Fraud Risk Management Guide needed a refresh, according to Wind. “We’re not the same organizations we were before COVID. We’ve all undergone a tremendous digital transformation,” she explains. “A lot of our processes, controls, organizations, teams and skills aren’t the same as they were 10 years ago. We’ve all had to adapt and embrace new technology.”

COSO, which focuses on internal controls, enterprise risk management, fraud and governance, and the Association of Certified Fraud Examiners (ACFE) partnered to update the 2023 Fraud Risk Management Guide. It can be purchased at the ACFE.com.

Principles and Approaches

The 2023 Fraud Risk Management Guide bridges COSO’s 2013 Internal Control (IC) — Integrated Framework and 2017 Enterprise Risk Management (ERM) Framework. Wind says this is accomplished through five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) and 17 principles, some of which include commitment to integrity and ethical values; clear objectives specified; control activities selected and developed; quality information obtained, generated and used; internal control deficiencies evaluated and communicated.

Among the five internal controls, Wind identifies information and communication as often overlooked by organizations when developing a fraud risk management program. She emphasizes the need to account for internal and external communication. “When you do have potential or actual fraud, how do you communicate it within your organization all the way up to the board? Where does that communication go, and how is it escalated to the board? When and how do you disclose to your external auditors? Those requirements sometimes get overlooked within this category, but the guide takes you through the channels you need to consider.”

In addition, the updated guide features what Wind refers to as “points of focus” that expand on the 17 principles and provide examples that map out where organizations can start and how they can deploy resources. “They’re not prescriptive … but if you don’t know where to start having that conversation with your management, these are some ideas,” she says.

For organizations in search of straightforward risk management advice, the revised guide offers two key approaches to fraud risk management:

1. Conduct a fraud risk assessment compliant with COSO IC Framework Principle 8.

2. Implement a comprehensive fraud risk management program.

The level of priority placed on fraud risk, availability of resources and governance maturity will determine which option an organization selects, Wind says.

COSO’s standards call for each of the 17 principles to be present, functioning and operating in an integrated manner for an IC system to be effective. Wind points to IC Framework Principle 8 as especially important due to its emphasis on fraud risk. Principle 8 states: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” The second edition of the Fraud Risk Management Guide walks organizations through addressing this specific fraud risk assessment principle.

Major Changes and Next Steps

Wind highlights these significant changes in the 2023 Fraud Risk Management Guide:

• Fraud risk management and deterrence.

• Relationships among COSO’s ERM and IC frameworks and fraud risk management.

• Expanded information on data analytics.

• Internal control and fraud risk management.

• Existing fraud risk control procedures.

• Changes in the legal and regulatory landscape.

• Fraud reporting systems or hotlines.

• Changes in the external environment and fraud landscape.

Wind elaborates on the expanded information on data analytics featured in the updated guide. “Each chapter in the updated guide contains specific data analytics examples for you to think through deploying in your organization,” she says. “We have the technology; everything’s automated. Let’s use that. Let’s come up with the right scripts so you can make your life a little easier. But you first have to understand the technology and your configuration.”

According to Wind, the updated guide’s appendices also contain valuable information, including fraud risk management considerations for smaller enterprises, data analytics capability and techniques, and fraud, waste and abuse management in government.

Once an organization has implemented a fraud risk management program, Wind says gaining continued buy-in and resources is essential. “If it’s working effectively, you’re going to identify fraud or you’re not because you’ve done the right things and implemented the right controls. Continue to monitor the processes and controls you have in place to show that it’s working effectively”