Keeping with the times

The Fraud Risk Management Guide has provided valuable guidance to fraud examiners, company leaders and other professionals since it was published five years ago. Now, the Committee of Sponsoring Organizations of the Treadway Commission and the ACFE — the guide’s creators — will incorporate users’ feedback to produce a stronger, updated edition.

Most CFEs are familiar with the Fraud Risk Management Guide (FRMG), which the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE jointly published in 2016. (See ACFE.com/fraudrisktools.) The FRMG includes more than just information on how to perform fraud risk assessments — it also provides guidance on how fraud risk management programs work.

Given its comprehensive nature, the FRMG quickly gained recognition for its best practices in preventing, detecting and deterring fraud. Global business professionals around the world continue to widely use the FRMG.

The methods and means of fraud are constantly changing and evolving, of course — as are the ways to combat them. In May, the chair of COSO, Paul Sobel, reached out to the ACFE and suggested the two organizations collaborate on an updated version of the FRMG, and the ACFE agreed. Both groups want the FRMG to be current and remain relevant in a rapidly changing fraud risk landscape. The ACFE, which has always had a lead role in determining best practices, wants to hear from CFEs and anti-fraud professionals like you to ensure the FRMG refresh will be effective.

Quick recap on FRMG

The COSO/ACFE FRMG is an authoritative source of guidance on how to assess and manage fraud risk using the COSO framework as a roadmap. According to John Gill, J.D., CFE, the ACFE’s vice president of education, the guide had its genesis when David Cotton, CFE, CPA, CEO of Cotton & Company (a CPA firm), reached out to Gill and said he believed there was a need to provide anti-fraud professionals with more guidance on how to assess fraud risks. Gill says everyone at the ACFE agreed it was a good idea because information about fraud risks and anti-fraud principles, which the ACFE had been disseminating for years, needed to reach a wider global audience. Cotton assembled a team of top professionals — from industry, professional services, academia and government — to start working on a solution. During the first meeting, someone suggested mirroring the COSO internal control framework, which had just been released a couple of years earlier. That idea became the genesis of the FRMG, and the rest is history.

The 2016 FRMG was intended to be supportive of and consistent with the 2013 COSO Internal Controls Framework Principle 8, which states, “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

However, beyond just risk assessment, the FRMG was organized around five key principles that also mapped to COSO’s 2013 five internal control components that COSO established in 1992 and then expanded in 2013 as part of its Integrated Framework to incorporate 17 principles. As stated in the FRMG, “The guide’s five fraud risk management principles fully support, and are entirely consistent with, and parallel the 2013 COSO Framework’s 17 internal control principles.”

As the FRMG depicts, the correlation between the fraud risk management principles and the 2013 COSO Framework’s internal control components and principles are integrated.

Figure 1: From the 2016 Fraud Risk Management Guide

Thomas Jefferson wrote, “In matters of style, swim with the current; in matters of principle, stand like a rock.” This statement accurately captures the spirit of this update. The five key fraud risk management principles mentioned above will indeed stay the same — they’re like rocks. However, the approach, regulations, technologies and business trends (or style) as to how companies deliver on the principles have changed significantly over the past five years. With your valued input, the FRMG Refresh Task Force looks forward to making important updates to reflect best practices.

Key areas for updates

Once again, David Cotton is spearheading the update, and many of the original authors of the 2016 FRMG (including myself) are on the Refresh Task Force. Cotton said the task force “will update the guide in several ways, most notably with respect to advances in data analytics. We’ll also try to add focus related to recent legal and regulatory developments as well as some recent trends related to fraud, such as pandemic relief, cyber and other major threats. The Refresh Task Force will welcome any and all suggestions from users.”

Explaining how fraud risk management relates to and supports fraud deterrence is one of COSO’s key missions. In that spirit, some of the topics the Refresh Task Force is addressing include the following (but the team isn’t limiting itself to only these topics):

• Updating and expanding information related to the use of data analytics as an integral part of each of the five fraud risk management principles.
• Explaining how internal controls and fraud risk management are related and support each other but are also different in some important respects.
• Adding updated information about recent legal and regulatory developments pertaining to fraud and fraud risk management, such as the Department of Justice’s Evaluation of Corporate Compliance Programs, the Government Accountability Office’s “A Framework for Managing Fraud Risks in Federal Programs” and the U.S. Congress’s Fraud Reduction and Data Analytics Act of 2015.
• Expanding and updating information on the importance of fraud reporting systems (hotlines) in detecting, preventing and thus deterring fraud.
• Adding information pertaining to emerging fraud risk arenas, including cybersecurity and cyberfraud (blockchain and cryptocurrency and ransomware), as well as COVID-19 response efforts (CARES Act and related programs, remote-working and hybrid-working environments).
• Expanding the FRMG’s list of fraud exposures.

How can you get involved?

As an ACFE member, you belong to an anti-fraud community of professionals dedicated to growing and improving our profession. We need your input. The ACFE encourages you to send your comments and suggestions to this inbox: Frmg@ACFE.com. As of publication, the updated FRMG doesn’t have a release date. But the Refresh Task Force hopes that, in coordination with COSO and the ACFE, the updated FRMG will be released in 2022.

Vincent M. Walden, CFE, CPA, is the CEO of Kona AI, whose company mission is to empower compliance, audit, and investigative professionals with research-driven, innovative, and effective analytics to measurably reduce global fraud, corruption and enterprise risk. He works closely with CFEs, internal auditors, compliance, audit, legal, and finance professionals and welcomes your feedback and ideas. Contact Walden at vwalden@konaai.com.