goldsrd coso update four hour course...11/26/13 4 coso update - executive summary highlights •...
TRANSCRIPT
11/26/13
1
Updated COSO Framework
Danny M. Goldberg, Founder
Agenda
• COSO Update – Overview – History/Background – Changes Overview – Five Control Objectives – 17 Control Principles – Case Study: Developing a Checklist for Your
Organization • Fraud Risk Assessment – – Overview – Key Steps – Interviewing and Brainstorming
11/26/13
2
Executive Update: Overview
• COSO Overview – Internal Control Publications
1992 2006 2009 2013
Overview of COSO • Committee of Sponsoring Organizations of the Treadway Commission
(COSO) – US private-sector initiative created in 1985. – Its major objective is to identify the factors that cause fraudulent financial
reporting and to make recommendations to reduce its incidence. – COSO is sponsored by 5 main professional accounting organizations in the
US: • American Institute of Certified Public Accountants (AICPA), • American Accounting Association (AAA), • Financial Executives Institute (FEI), • The Institute of Internal Auditors (IIA) • The Institute of Management Accountants (IMA).
• COSO has established a common definition of internal controls, standards, and criteria against which companies and organizations can assess their control systems.
» Source: www.coso.org
Integrated Framework 2013
• Consists of three volumes: – Executive Summary – Framework and Appendices – Illustrative Tools for Assessing
Effectiveness of a System of Internal Control
• Sets out: – Definition of internal control – Categories of objectives – Components and principles of
internal control – Requirements for effectiveness
11/26/13
3
Original Framework
COSO’s Internal Control–Integrated Framework (1992 Edition)
Refresh Objectives
Updated Framework
COSO’s Internal Control–Integrated Framework (2013 Edition)
Broadens Application Clarifies Requirements
Articulate principles to
facilitate effective
internal control
The Framework has become the most widely adopted control framework worldwide.
Updates Context
Enhancements
Reflect changes in
business & operating
environments
Expand operations and
reporting objectives
Why Update What Works
Update expected to increase ease of use and broaden application
What is not changing... What is changing...
• Core definition of internal control
• Three categories of objectives and five components of internal control
• Each of the five components of internal control are required for effective internal control
• Important role of judgment in designing, implementing and conducting internal control, and in assessing its effectiveness
• Changes in business and operating environments considered
• Operations and reporting objectives expanded
• Fundamental concepts underlying five components articulated as principles
• Additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives added
The COSO Definition of Internal Control
Internal control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:
• Effectiveness and efficiency of operations
• Reliability of financial reporting
• Compliance with applicable laws and regulations
11/26/13
4
COSO Update - Executive Summary Highlights
• Provides a high level overview intended for the board of directors, chief executive officer, and other senior management.
• Applicable to all entities but the way in which it is implemented will be different for each organization (i.e., larger entities tend to be more formal and structured)
• Meant to assist stakeholders both internally and externally without being too prescriptive. – Accomplished by defining what constitutes a system of internal
control and providing insight to when it is being applied effectively. • Judgment is still a major factor in determining what is an effective
system of internal control – To determine how much control is enough – To select, develop, and deploy controls across the entity – Management and internal auditors apply judgment as they monitor
and assess the effectiveness of the system of internal control.
Executive Summary Highlights (continued)
• Requirements for an effective system of internal control are: – Each of the five components and relevant principles (17 principles in
total) are present and functioning – The five components operate together in an integrated manner or as
an integrated system • When a major deficiency exists with respect to the presence and
functioning of a component or relevant principle, or with respect to the components operating together in an integrated manner, the organization cannot conclude that it has met the requirements for an effective system of internal control.
• An effective system reduces, to an acceptable level, the risk of not achieving an entity objective and may relate to one, two, or all three categories of objectives (Operations, Reporting, Compliance)
Executive Summary Highlights (continued)
• Limitations do exist: – Suitability of objectives are a precondition to internal control – Human judgment can be faulty and subject to bias – Human failures such as simple errors do occur – Management could override internal control – Collusion could circumvent controls – External events beyond the organization’s control
• Internal control provides reasonable assurance of achieving the entity’s objectives but not absolute assurance
• Management should be aware of these limitations when selecting, developing, and deploying controls
11/26/13
5
Update Considers Changes in Business and Operating Environments Environments changes... • Expectations for governance oversight • Globalization of markets and operations • Changes and greater complexity in business • Complexities in laws, rules, regulations, and
standards • Expectations for competencies and
accountabilities • Use of, and reliance on, evolving technologies • Expectations relating to preventing and
detecting fraud …have driven Framework updates • COSO Cube (2013 Edition)
Update Articulates 17 Principles of Effective Internal Control
Control Environment (CE) 1. Demonstrates commitment to
integrity and ethical values 2. Exercises oversight responsibility 3. Establishes structure, authority
and responsibility 4. Demonstrates commitment to
competence 5. Enforces accountability
Risk Assessment (RA) 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk 9. Identifies and analyzes significant
change Control Activities (CA)
10. Selects and develops control
activities 11. Selects and develops general
controls over technology 12. Deploys through policies and
procedures
Information & Communication (IC) 13. Uses relevant information 14. Communicates internally 15. Communicates externally
Monitoring Activities (MA) 16. Conducts ongoing and/or
separate evaluations 17. Evaluates and communicates
deficiencies
Update Clarifies Requirements for Effective Internal Control
• Effective internal control provides reasonable assurance regarding the achievement of objectives and requires that:
– Each component and each relevant principle is present and functioning
– The five components are operating together in an integrated manner
• Each principle is suitable to all entities; all principles are presumed relevant except in rare situations where management determines that a principle is not relevant to a component
• Components operate together when all components are present and functioning and internal control deficiencies aggregated across components do not result in one or more major deficiencies
• A major deficiency represents an internal control deficiency or combination thereof that severely reduces the likelihood that an entity can achieve its objectives
11/26/13
6
Update Describes Important Characteristics of Principles
• Points of focus may not be suitable or relevant, and others may be identified
• Points of focus may facilitate designing, implementing, and conducting internal control
• There is no requirement to separately assess whether points of focus are in place
Update Describes the Role of Controls to Effect Principles
• The Framework does not prescribe controls to be selected, developed, and deployed for effective internal control
• An organization’s selection of controls to effect relevant principles and associated components is a function of management judgment based on factors unique to the entity
• A major deficiency in a component or principle cannot be mitigated to an acceptable level by the presence and functioning of other components and principles
• However, understanding and considering how controls effect multiple principles can provide persuasive evidence supporting management’s assessment of whether components and relevant principles are present and functioning
ICEFR: A Compendium Overview
• Provides points of focus and approaches to satisfy each of the 17 principles of the Framework. – Points of Focus highlight key characteristics relating to
each principle. – Approaches are summary-level descriptions of activities
that management may consider as they apply the Framework in an ICEFR context.
• Examples are also provided to illustrate practical examples of how to apply principles, based on situations drawn from practical experience.
• Illustrates how various characteristics of principles may be present and functioning within a system of internal control relating to external financial reporting.
11/26/13
7
17 Principles of Effective Internal Control Control Environment (CE)
1. Demonstrates commitment to integrity and ethical values
2. Exercises oversight responsibility 3. Establishes structure, authority and
responsibility
4. Demonstrates commitment to competence
5. Enforces accountability
Risk Assessment (RA) 6. Specifies suitable objectives 7. Identifies and analyzes risk 8. Assesses fraud risk
9. Identifies and analyzes significant change
Control Activities (CA) 10. Selects and develops control activities 11. Selects and develops general controls
over technology 12. Deploys through policies and
procedures
Information & Communication (IC) 13. Uses relevant information
14. Communicates internally 15. Communicates externally
Monitoring Activities (MA) 16. Conducts ongoing and/or separate
evaluations 17. Evaluates and communicates
deficiencies
GROUP EXERCISE
Group Exercise
• Break up groups based on industry
• For each of the Five Objectives, please read each of the Principles (17 in all) and create, as a group, a checklist of actions that a company would do in order to demonstrate each Principle and thus each Objective.
• 45 Minutes allotted to each of the 5 Objectives
11/26/13
8
CONTROL ENVIRONMENT
Control Environment: Principles
1. The organization demonstrates a commitment to integrity and ethical values.
2. The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3. Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives.
4. The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5. The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Principle #1: Approaches
1. Establishing Standards of Conduct
2. Leading by Example on Matters of Integrity and Ethics
3. Evaluating Management and Other Personnel, Outsourced Service Providers, and Business Partners for Adherence to Standards of Conduct
4. Developing Processes to Report and Promptly Act on Deviations from Standards of Conduct
11/26/13
9
Principle #2: Approaches
1. Establishing the Roles, Responsibilities, and Delegation of Authority of the Board of Directors
2. Establishing P&P for Meetings between the BoD and Management
3. Identifying and Reviewing BoD Candidates 4. Reviewing Management’s Assertions and
Judgments 5. Obtaining an External View 6. Considering Whistle-Blower Information about
Financial Statement Errors and Irregularities
Principle #3: Approaches
1. Defining Rules and Reporting Lines and Assessing them for Relevance
2. Defining Authority at Different Levels of Management
3. Maintaining Job Descriptions and Service-Level Agreements
4. Defining the Role of Internal Auditors
Principle #4: Approaches
1. Establishing Required Knowledge Skills, and Expertise 2. Linking Competence Standards to Established
Policies and Practices in Hiring, Training, and Retention Decisions
3. Identifying and Delivering Financial Reporting-Related Training as Needed
4. Selecting Appropriate Outsourced Service Providers 5. Evaluating Competence and Behavior 6. Evaluating the Capacity of Finance Personnel 7. Developing Alternate Candidate for Key Financial
Reporting Roles
11/26/13
10
Principle #5: Approaches
1. Defining and Confirming Responsibilities
2. Developing Balanced Performance Measures, Incentives, and Rewards
3. Evaluating Performance Measures for Intended Influence
4. Approach Linking Compensation and Other Rewards
RISK ASSESSMENT
Risk Assessment
6. The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7. The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8. The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9. The organization identifies and assesses changes that could significantly impact the system of internal control.
11/26/13
11
Principle #6: Approaches
1. Identifying Financial Statement Accounts, Disclosure and Assertions
2. Specifying Financial Reporting Objectives
3. Assessing Materiality
4. Reviewing and Updating Understanding of Applicable Standards
5. Considering the Range of Activities
Principle #7: Approaches
1. Applying a Risk Identification Process
2. Assessing Risks to Significant Financial Statement Accounts
3. Assessing the Likelihood and Significance of Identified Risks
4. Considering Internal and External Factors
5. Evaluating Risk Responses
Principle #8: Approaches
1. Conducting Fraud Risk Assessments
2. Considering Approaches to Circumvent or Override Controls
3. Reviewing Incentives and Pressures Related to Compensation Programs
11/26/13
12
Principle #9: Approaches
1. Assessing Change in the External Environment
2. Conducting Risk Assessments Relating to Significant Change
3. Considering Change Through Succession
4. Considering CEO and Senior Executive Changes
CONTROL ACTIVITIES
Control Activities
10. The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11. The organization selects and develops general control activities over technology to support the achievement of objectives.
12. The organization deploys control activities through policies that establish what is expected and procedures that put policies into place.
11/26/13
13
Principle #10: Approaches
1. Using Matrices, Workshops, or an Inventory of Control Activities to Map Identified Risks to Control Activities
2. Implementing or Assessing Control Activities when Outsourcing to a Third Party
3. Considering the Types of Control Activities 4. Considering Alternative Control Activities to
the Segregation of Duties 5. Identifying Incompatible Functions
Principle #11: Approaches
1. Using Risk and Control Matrices to Document Technology Dependencies
2. Evaluating End-User Computing 3. Implementing or Assessing Control Activities when
Outsourcing IT Functions to a Third Party 4. Configuring the IT Infrastructure to Support Restricted
Access and Segregation of Duties 5. Configuring IT to Support the Complete, Accurate, and
Valid Processing of Transactions and Data 6. Administering Security and Access 7. Applying a SDLC over Packaged Software 8. Applying an SDLC over Software Developed in-House
Principle #12: Approaches
1. Developing & Documenting P&P
2. Deploying Control Activities through Business Unit or Functional Leaders
3. Conducting Regular and Ad Hoc Assessments of Control Activities
11/26/13
14
INFORMATION & COMMUNICATION
Information & Communication
13. The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14. The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15. The organization communicates with external parties regarding matters affecting the functioning of internal control.
Principle #13: Approaches
1. Creating an Inventory of Information Requirements 2. Obtaining Information from External Sources 3. Obtaining Information from Non-Finance
Management 4. Creating and Maintaining Information Repositories 5. Using an Application to Process Data into
Information 6. Enhancing Information Quality through a Data
Governance Program 7. Identifying, Securing, and Retaining Financial Data
and Information
11/26/13
15
Principle #14: Approaches
1. Communicating Information Regarding External Financial Reporting Objectives and Internal Control
2. Communicating Internal Control Responsibilities 3. Developing Guidelines for Communication to the Board of
Directors 4. Reviewing Financial & Internal Control Information with
the BoD 5. Communicating a Whistle-Blower Program to Company
Personnel 6. Communicating through Alternative Reporting Channels 7. Establishing a Mentoring Program to Encourage
Communicating with Management
Principle #15: Approaches
1. Communicating Information to Relevant External Parties
2. Obtaining Information from Outside Sources
3. Surveying External Parties
4. Communicating the Whistle-Blower Program to Outside Parties
5. Reviewing External Audit Communications
MONITORING ACTIVITIES
11/26/13
16
Monitoring Activities
16. The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17. The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.
Principle #16: Approaches
1. Periodically Reviewing the Mix of Monitoring Activities
2. Designing and Implementing a Dashboard 3. Using Technology to Support Monitoring
Activities 4. Conducting Separate Evaluations 5. Using Internal Audit to Conduct Separate
Evaluations 6. Understanding Controls at an Outsourced
Service Provider
Principle #17: Approaches
1. Assessing and Reporting Deficiencies
2. Monitoring Corrective Action
3. Developing Guidelines for Reporting Deficiencies
11/26/13
17
Transition & Impact • Users are encouraged to transition applications and related
documentation to the updated Framework as soon as feasible
• Updated Framework will supersede original Framework at the end of the transition period (i.e., December 15, 2014)
• During the transition period, external reporting should disclose whether the original or updated version of the Framework was used
• Impact of adopting the updated Framework will vary by organization – Does your system of internal control need to address changes in business?
– Does your system of internal control need to be updated to address all principles?
– Does your organization apply and interpret the original framework in the same manner as COSO?
– Is your organization considering new opportunities to apply internal control to cover additional objectives?
Transition & Impact (Continued) • The principles-based approach provides flexibility in applying the
Framework to multiple, overlapping objectives across the entity – Easier to see what is covered and what is missing
– Focus on principles may reduce likelihood of considering something that’s irrelevant
• Understanding the importance of specifying suitable objectives focuses on those risks and controls most important to achieving these objectives
• Focusing on areas of risk that exceed acceptance levels or need to be managed across the entity may reduce efforts spent mitigating risks in areas of lesser significance
• Coordinating efforts for identifying and assessing risks across multiple, overlapping objectives may reduce the number of discrete risks assessed and mitigated
Transition & Impact (Continued)
• Selecting, developing, and deploying controls to effect multiple principles may also reduce the number of discrete, layered-on controls
• Applying an integrated approach to internal control - encompassing operations, reporting, and compliance – may lessen complexity
• In assessing severity of internal control deficiencies, use only the relevant classification criteria as set out in the Framework or by regulators, standard-setting bodies, and other relevant third parties, as appropriate
11/26/13
18
Fraud Risk Assessment
The Definition of Fraud
“… any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”
Categories of Fraud Risk
• Misappropriation of Assets – involve the theft or misuse of an organization’s assets. (Common
examples include skimming revenues, stealing inventory, and payroll fraud.)
• Corruption – fraudsters wrongfully use their influence in a business transaction in
order to procure some benefit for themselves or another person, contrary to their duty to their employer or the rights of another. (Common examples include accepting kickbacks and engaging in conflicts of interest.)
• Fraudulent Financial Statements – falsification of an organization’s financial statements. (Common
examples include overstating revenues and understating liabilities or expenses.)
11/26/13
19
Asset Misappropriation
Scheme Scenario• Payment to fictitious employees• Payment to terminated employees• Overpayment to existing employees• Theft of inventory items• Consistent shrinkage of items• Increased defective/warranty claims• Reimbursement for personal expenses• Use of card to circumvent competitive bid requirements
Larceny • Theft of materials, supplies, cashPurchasing • Using purchasing authority to purchase raw materials for
personal use.Procurement • Using procurement card for personal, exorbitant
purchases• Reimbursement for undocumented expenses• Reimbursement for luxury accommodations• Reimbursement for travel expenses of family members
Improper Payments • Payments to phantom vendors, shell companies
Reimbursement
Credit Cards
Inventory
Payroll
Corruption/FCPA Scheme Scenario
• Improper or early revenue recognition• Falsifying revenue• Earnings manipulation through reserves• Recording pending transactions as completed transactions
Overstating Assets Improper valuation of securities, inventory, fixed assets• Hiding losses in future reporting periods• Understating expense account balances• Reclassifying (capitalizing) expenses as assets• Improper valuation or manipulation of intercompany accounts
Improper Note Disclosure • Omission of contingencies or subsequent events
• Falsifying external documents to suppliers• Internal memorandums give misleading information• Publicly announced unsubstantiated information
Management Estimates • Manipulation of management estimates for receivables, goodwill or depreciation
Fictitious Revenue
Understating Liabilities and Expenses
Non-financial
Financial Statement Fraud Scheme Scenario
Fictitious Revenue • Improper or early revenue recognition • Falsifying revenue • Earnings manipulation through reserves
• Recording pending transactions as completed transactions Overstating Assets • Improper valuation of securities, inventory, fixed assets Understating Liabilities and Expenses
• Hiding losses in future reporting periods
• Understating expense account balances
• Reclassifying (capitalizing) expenses as assets
• Improper valuation or manipulation of intercompany accounts
Improper Note Disclosure • Omission of material contingencies or subsequent events
Non-financial
• Falsifying external documents to suppliers
• Internal memorandums give misleading information
• Publicly announced unsubstantiated information
Management Estimates • Manipulation of management estimates for receivables, goodwill or depreciation
11/26/13
20
What is Risk?
• “The degree of probability that an unfavorable event will significantly impact a functional area’s ability to meet the organization’s objectives”
FRA - Purpose
• Identify and recognize fraud risks in the organization • Determine the likelihood • Determine how to manage and mitigate fraud risk • Determine critical information • Identify systems that process, store, or transmit
critical information used for red flag identification • Discover vulnerabilities • Create new processes, controls and procedures for
mitigating fraud risk
11/26/13
21
Who Should be Involved?
• C – Suite Officer – CEO
– CFO
– CIO
– General Counsel
– Chief Compliance Officer
• Management – Business Unit Managers
– Sales
– Marketing
– Human Resources
• Accounting – Controller
– Accounting Manager
– Accounting Supervisors
• Oversight – Internal Audit
– Board of Directors
– Audit Committee
– External Auditors
Step 1 – Identify and Evaluate Fraud Risk Factors
1. Schedule interviews and develop the approach. 2. Identify fraud risk factors at the entity level,
significant locations, accounts and business process level. : Consider whether each fraud risk factor indicates the existence of an incentive/pressure, opportunity or attitudes/rationalizations.
3. For each identified fraud risk factor, identify the account balances and potential errors that may be affected and assess the fraud risks.
11/26/13
22
Step 1 – Identify and Evaluate Fraud Risk Factors
Pitfalls • Fraud Risk Factors are not
considered • Existing controls are
considered • The potential for
management override of controls is not considered
• Interviews are not value-added
Recommendations • Use the Fraud Triangle to
explain the significance of fraud risk factors and to initiate thinking
• Do not consider controls EXCEPT when considering the potential for management override
• Develop interview approach that matches area and culture
Step 1 – Identify and Evaluate Fraud Risk Factors
• Identify fraud risk factors at the entity level, significant location, significant account and business process level. Consider whether each fraud risk factor indicates the existence of incentive, pressure, opportunity or attitude and rationalization.
• Identify incentives / pressures to commit fraud, opportunities to commit fraud, or attitudes / rationalizations to justify fraud. – Personnel from various levels of the organization should be involved in
the process.
– Consider internal and external (e.g., regulatory, industry) influences.
Step 2: Identify Possible Fraud Risks, Schemes and Scenarios
1. Identify fraud risks and determine if the fraud risks are pervasive or specific.
2. Brainstorm specific fraud schemes that could result from the specific risks identified.
3. For each fraud scheme, identify internal and external parties who could be involved with reference to incentives/pressure, opportunities, attitudes & rationalizations.
11/26/13
23
Step 2: Identify Possible Fraud Risks, Schemes and Scenarios
Pitfalls • The schemes are too general,
not allowing for sufficient consideration of risks and preventing appropriate level of mapping to controls
• The schemes do not consider the potential for management override of controls
• The schemes do not consider the potential for collusion
• Brainstorming ineffective
Recommendations
• Detail each scheme by considering: – Why?
– Who?
– What?
– Where?
– When?
– How?
Step 3: Prioritize Identified Fraud Risks
• Evaluate possible fraud schemes by: – Type
– Likelihood
– Significance
– Pervasiveness
• Consider Inherent Risk Rating (IRR)
Step 4. Evaluate the Controls’ Existence and Effectiveness
1. Link fraud schemes to mitigating controls. Assess whether each mapped or linked control activity is preventative or detective in nature.
2. Evaluate the effectiveness of controls to determine if they sufficiently mitigate the risk of the identified fraud schemes (control gap analysis).
3. Evaluate the residual fraud risk.
11/26/13
24
Step 4. Evaluate Mitigating Controls
• Antifraud control activities can be preventative or detective in nature – Preventative controls are designed to mitigate
specific fraud risks and can deter frauds from occurring
– Detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls.
4. Evaluate Mitigating Controls
• Special consideration should be given to the risk of management override of controls.
• Some programs and controls that deal with management override include: – Active oversight from the audit committee – Whistle-blower programs and a system to receive
and – Investigate anonymous complaints; and – Reviewing journal entries and other adjustments for
evidence of possible material misstatement due to fraud.
4. Evaluate Mitigating Controls
Pitfalls • Where gaps are identified, no
remediation efforts are made • Future changes in risk are not
incorporated into the FRA and remediation is not performed
• Effectiveness of controls is not evaluated
• Mapping is done incorrectly and without consideration of existing controls and documentation
Recommendations • Design and implement controls to
close identified gaps • The FRA should be iterative and
should be reassessed at least annually and when there is a significant change in the control environment
• Evaluating the effectiveness of the controls
• Only map those controls identified as significant
• Identify entity level controls that will assist in mitigating remaining residual risk
• Leverage of existing efforts and controls
11/26/13
25
Control Risk Rating
• Evaluate the Control Risk Rating – – Determine if controls sufficiently mitigate the
identified fraud risks and schemes – Decide whether existing controls should be improved
or new controls are required – Consider both the design and the implementation of
the control in mitigating the fraud risk
Fraud controls can be tricky! Consider possible management override of
controls
Step 5: Risk Treatment
1. Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention.
2. Implement Fraud Risk Action Plan.
Step 5: Risk Treatment
• Prepare a Fraud Risk Action Plan to treat and mitigate fraud risk schemes requiring attention. – Controls should be implemented or enhanced for identified fraud
schemes where controls are not already present, inadequately designed or poorly implemented.
– Ensure overall responsibility is assigned to responsible personnel to monitor control implementation as detailed in the Fraud Risk Action Plan.
– This responsibility could be defined in the Fraud Control Policy of the entity or specified elsewhere.
– The Audit Committee should oversee the entire process.