The Association of Certified Fraud Examiners (ACFE) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released the second edition of their joint publication, The Fraud Risk Management Guide (the Guide), on May 2, 2023. The significantly expanded second edition builds on the foundational Guide—issued in 2016—which describes five principles organizations should follow when building a sound fraud risk management program, summarized below.

1) Fraud Risk Governance: The organization establishes and communicates a Fraud Risk Management Program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

2) Fraud Risk Assessment: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risks.

3) Fraud Control Activities: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

4) Fraud Investigation and Corrective Action: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

5) Fraud Risk Management Monitoring Activity: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning, and communicates Fraud Risk Management Program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.

So, what’s new? In short, a lot. The second edition significantly expands on the practical application of the five principles using numerous illustrative examples and effective, reader-friendly text boxes. It provides a mini primer on the use of data analytics in fraud prevention and detection and addresses a slew of new threats that have emerged since the original Guide was published in 2016. Below are three key areas where the updated Guide provides new and expanded information.

· Emphasis on fraud deterrence

· Expanded data analytics focus

· New fraud risks

Emphasis on Fraud Deterrence

The second edition makes it more explicit that fraud risk management promotes fraud deterrence through preventive and detective controls. The Guide defines deterrence as a broad concept that involves addressing the root causes that underlie the factors that lead to fraud. According to the Guide, one of the most effective deterrents is an organizational culture that clearly communicates, through its words and actions, that fraud will not be tolerated. Culture is the bedrock of a sound fraud risk management program, and the updated Guide emphasizes this important concept throughout.

The Guide seeks to underscore that deterrence results from having effective preventive and detective fraud controls in place. This emphasis should be helpful for those fraud program leaders who struggle with executive buy-in. Often, leaders weigh the costs of preventive and detective controls against the cost of their known fraud losses. In this evaluation, the anti-fraud controls can appear to be a poor investment of resources, since the known losses may be quite low. It’s vital, however, to recognize that fraud is different from fraud risk. Because fraud is deceptive by nature, an organization may—and indeed likely does—have far more fraud losses than it has uncovered. Thus, if a leader sees these controls as a deterrent to fraud—including fraud that is undetected—the controls can be seen in a new, more cost-effective light, one in which an ounce of prevention is worth a pound of cure.


Expanded Data Analytics Focus

The second edition of the Guide takes a deep dive into data analytics. It describes a wide variety of data analytics techniques that can be used to identify fraud risks. For example, the update includes an expanded list of data analytics techniques that can be used in the fraud risk assessment process related to procurement fraud, including identifying patterns in data that could indicate a disparity in bid prices or a pattern of awards followed by change orders; suspicious keyword terms or descriptions in sales or payment data; and prices dropping when a new or infrequent competitor enters the market.

The Guide includes three comprehensive appendices on data analytics. Three.

One is devoted to building an analytics capability, one provides guidance and practical examples of data analytics techniques, and one explains how different techniques can be used to enhance fraud control activities. Among the techniques described in detail are transaction risk scoring, trend analysis, anomaly detection, text mining, pattern and link analysis, predictive modeling, and the use of AI and chatbots. Within the appendix, the Guide provides a five-phase data analytics framework with detailed steps for organizations to take within each phase.

Sprinkled throughout each of the five principles are discussions about how to use analytics, whether that is to gauge the effectiveness of your policies, to monitor your anti-fraud controls, or to use analytics in fraud investigations. If there is one key takeaway the authors want to impart to readers, it is to make better use of data and analytics techniques.

New Fraud Risks

The Guide significantly expands the discussion of potential fraud risk areas. Among the additions is a lengthy discussion called “Know Your Vendors” which describes the growing risk posed by third parties. The Guide provides a detailed list of third-party risk mitigation controls including looking for anomalies in vendor billing and payment patterns, using automated vendor credentialing software tools, and conducting periodic disbursement analysis. The Guide also references the pressure to meet goals or quotas as a significant and underrated driver of fraud risk.
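To make the procurement analytics described above and the “Know Your Vendors” controls concrete, here is an added example in Python; it is not code from the Guide, the ACFE or COSO. It runs four detective tests over a small set of constructed contract-award, change-order and vendor-payment records: cumulative change orders that inflate an award beyond a growth threshold, suspicious terms in payment memos, per-vendor billing amounts that are robust outliers (median absolute deviation), and repeated invoices landing just under an approval threshold. The record field names, the keyword list, the 10,000 approval threshold and every tuning constant are assumptions chosen for the illustration.

```python
"""Detective analytics over constructed procurement and vendor-payment records.

Illustrative example only: the data, field names and thresholds below are
assumptions, not material from the COSO/ACFE Guide.
"""
from collections import defaultdict
from statistics import median

# Constructed sample data: contract awards, later change orders, and payments.
AWARDS = [
    {"po": "PO-100", "vendor": "Acme Supply", "amount": 50_000.0},
    {"po": "PO-101", "vendor": "Brightline LLC", "amount": 20_000.0},
    {"po": "PO-102", "vendor": "Acme Supply", "amount": 45_000.0},
]
CHANGE_ORDERS = [
    {"po": "PO-100", "amount": 15_000.0},
    {"po": "PO-100", "amount": 22_000.0},
    {"po": "PO-102", "amount": 30_000.0},
    {"po": "PO-101", "amount": 500.0},
]
PAYMENTS = [
    {"vendor": "Acme Supply", "invoice": "A-1", "amount": 4_900.0, "memo": "monthly supplies"},
    {"vendor": "Acme Supply", "invoice": "A-2", "amount": 5_100.0, "memo": "monthly supplies"},
    {"vendor": "Acme Supply", "invoice": "A-3", "amount": 4_950.0, "memo": "monthly supplies"},
    {"vendor": "Acme Supply", "invoice": "A-4", "amount": 48_000.0, "memo": "consulting - misc"},
    {"vendor": "Brightline LLC", "invoice": "B-1", "amount": 9_990.0, "memo": "services"},
    {"vendor": "Brightline LLC", "invoice": "B-2", "amount": 9_995.0, "memo": "services"},
    {"vendor": "Brightline LLC", "invoice": "B-3", "amount": 9_980.0, "memo": "urgent - pay today"},
]

# Assumed keyword list; a real program would maintain its own from case history.
SUSPICIOUS_TERMS = ("misc", "urgent", "cash", "gift", "special handling")


def awards_followed_by_change_orders(awards, change_orders, growth_threshold=0.5):
    """Return {po: growth} for POs whose cumulative change orders exceed
    growth_threshold (50% by default) of the original award amount."""
    added = defaultdict(float)
    for co in change_orders:
        added[co["po"]] += co["amount"]
    flagged = {}
    for award in awards:
        growth = added[award["po"]] / award["amount"]
        if growth > growth_threshold:
            flagged[award["po"]] = round(growth, 2)
    return flagged


def suspicious_memos(payments, terms=SUSPICIOUS_TERMS):
    """Return invoice ids whose memo contains any of the watch-list terms."""
    return [p["invoice"] for p in payments
            if any(term in p["memo"].lower() for term in terms)]


def billing_outliers(payments, k=5.0):
    """Per-vendor robust outlier test: flag an invoice when its distance from
    the vendor's median exceeds k times the median absolute deviation (MAD).
    The MAD is floored at 1% of the median so near-identical invoice runs do
    not flag trivial variation."""
    by_vendor = defaultdict(list)
    for p in payments:
        by_vendor[p["vendor"]].append(p)
    flagged = []
    for rows in by_vendor.values():
        amounts = [r["amount"] for r in rows]
        med = median(amounts)
        mad = median(abs(x - med) for x in amounts)
        scale = max(mad, 0.01 * med)
        flagged.extend(r["invoice"] for r in rows if abs(r["amount"] - med) > k * scale)
    return flagged


def below_threshold_clusters(payments, threshold=10_000.0, band=0.01, min_count=2):
    """Count, per vendor, invoices within `band` just under an approval
    threshold (assumed 10,000 here); repeated near-misses suggest splitting."""
    counts = defaultdict(int)
    lower = threshold * (1 - band)
    for p in payments:
        if lower <= p["amount"] < threshold:
            counts[p["vendor"]] += 1
    return {vendor: n for vendor, n in counts.items() if n >= min_count}


def run_all():
    """Bundle every test's findings into one report for review."""
    return {
        "change_order_growth": awards_followed_by_change_orders(AWARDS, CHANGE_ORDERS),
        "suspicious_memos": suspicious_memos(PAYMENTS),
        "billing_outliers": billing_outliers(PAYMENTS),
        "below_threshold": below_threshold_clusters(PAYMENTS),
    }


if __name__ == "__main__":
    for name, finding in run_all().items():
        print(f"{name}: {finding}")
```

Each test is deliberately simple and each is a flag for follow-up, not a conclusion: the change-order and near-threshold tests point at contracts and vendors to review, while the MAD-based outlier test is preferred over a mean/standard-deviation rule because one large payment would otherwise inflate the baseline it is measured against.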

The timeliest updates in the Guide relate to the focus on “cyber fraud,” which has proliferated in recent years and is now the primary mechanism through which fraud is perpetrated. The Guide discusses the importance of understanding digital-asset risk exposures within an organization, across its value chains and with its third-party partners. Given that supply chain attacks have exponentially increased in the last 18 months, this is among the most important considerations the updated Guide describes.

With regard to the blockchain, the Guide describes risks including technical stability and structure (is the blockchain permissioned?); digital asset utility (does the utility of the digital asset sufficiently reduce fraud risk?); auditability (how does the blockchain enable auditing the value chain and financial information?); hacking and theft (how secure is the network and who controls it?); cyber attacks (how do we mitigate the risk of malicious users?); and financial reporting (how will tokenization affect the ability to appropriately report business income?).

The Guide also describes emerging risk considerations including ransomware, identity-theft based fraud, disruptive technologies, and changes in business practices, such as an increase in remote and hybrid work environments.

Other Notable Additions

In the second edition, the COSO/ACFE Guide modifies the Fraud Triangle to create the “Fraud Pentagon” with the addition of two new attributes: “arrogance” and “competence.” Arrogance is characterized by an attitude of entitlement in which the actor believes that anti-fraud measures do not apply to them. Competence refers to the actor’s ability to conceal their wrongdoing, override controls, and control the social situation, which better facilitates the perpetration of the scheme.

The Guide provides some very useful, illustrative text boxes. Among them is a description of the relationship between a fraud risk, a related fraud control activity, and the use of ongoing monitoring with data analytics related to that risk/control.

The update includes an appendix on fraud risk considerations for smaller entities, and a badly needed discussion of the tradeoffs smaller organizations face when implementing fraud risk management programs. The Guide provides a framework for considering how to use scarce resources most effectively to prevent and detect fraud, and notes that ACFE research has shown that smaller organizations tend to be victimized by fraud more frequently and suffer greater losses, proportionately, than larger organizations. The takeaway: small organizations must thoroughly consider and address their fraud risks, too.

