C.O.S.O. Fraud Control Model


Business owners take on certain responsibilities when they start a business, and protection of the business’s resources is one of them. A large part of any protection system is the internal control system, and these controls need to be created and adjusted as part of a regular planning process.

Control systems protect the business against a range of threats like natural disasters, breakdowns in procedures, mistakes by employees, and fraud. They should be designed to protect resources other than physical assets and money as businesses are vulnerable to threats against their customer information, product designs, pricing lists, or other proprietary information.

Fraud controls need to be part of the protection system. They should prevent or deter fraud as well as detect it once it has occurred, plus they must be able to adjust to different circumstances and new threats as they arise. But how does a business owner start designing a control system?

C.O.S.O. stands for the “Committee Of Sponsoring Organizations”. It is a body composed of various accounting, auditing and executive groups in the United States. This body undertook a study into internal fraud controls and produced a system or model for internal fraud controls that has been widely accepted as a theoretical guideline.

The model builds an internal control system around five considerations. No one control system will fit every business and circumstance, so business owners have to design the system that best fits their circumstances, and these guidelines assist in that design process.

These five considerations in the C.O.S.O. model are:

1. The Control Environment
2. Control Activities
3. Risk Assessment
4. Information and Communication Systems
5. Monitoring the System

1. The Control Environment

The strength of any system is in its underlying foundation. No matter how complex the structure, if it doesn’t have a solid foundation, its integrity will be unreliable. The foundation of a control system is the philosophy of the business and people controlling the business. Before designing the controls, one must consider the foundation – its environment.

Three factors make up that environment. Volumes have been written on each of these factors so this paper only provides an overview designed to highlight each factor.

(a) Management style
(b) Audit functions
(c) Employee policies

Management Style

Organizations are led from the top, and business ethics and philosophy will be passed down from owners to management to employees. The more ethical and responsible the management style, the more likely that employees will respond to that style and behave in an ethical and responsible manner. Alternatively, if management shows little concern for honest and ethical behavior, the employees will follow that lead.

The C.O.S.O. model asks the following questions of management:

(a) Does management take undue business risks to achieve objectives? Does it encourage risk taking or an “achieve at all costs” attitude?
(b) Does management attempt to manipulate performance measures so they appear more favorable? Does it bend the truth?
(c) Does management pressure employees to achieve results regardless of the methods, or with little concern for those methods? Do they believe that the financial ends justify the means?
(d) Is management open and honest with employees about performance and results?

If management’s attitude is to bend the rules, hide or distort the facts, or achieve results regardless of the means, the business environment and the behavior of employees will be influenced, and this behavior will eventually be turned against the business. Owners and Management should practice ethical behavior and insist that employees follow that lead.

Audit Functions

When people think of audit most will think of external accountants, green pens and the annual financial examination. Some people will think of a dedicated internal function and big companies. Few will consider a continuous audit function performed by the staff themselves on coworkers – peer audits. How best to use the audit function can be considered in the following questions:

(a) Where does the audit function fit into the control environment?
(b) What if the audit function was a daily occurrence?
(c) What if all important areas of the business were covered by a regular or daily internal audit function?
(d) What if employees from one area conducted peer audits on another area of the business?

About 70% of occupational fraud is committed by a person acting alone. Peer audits regularly place another set of eyes and controls on a business process, limiting the opportunity to commit a fraud without collusion with that peer. Peer audits should reduce fraud in a few ways:

(a) fraudsters will not want to share the proceeds with an accomplice;
(b) the accomplice could turn them in; or
(c) the more people involved in the fraud, the more chance of discovery.

Combining peer audits with the more traditional internal and external audit roles provides more opportunities to detect fraud, and knowledge that the peer audit process will be undertaken will act as a deterrent to fraud.

Employee Policies

Employees are the heart of most businesses and business owners need to consider how to deal with them. Employees will follow the lead from management; therefore they must be told what is and is not acceptable.

As most fraud on businesses is done by employees, how the business deals with employees – its employee policy – is an important part of any fraud control activity. A good employee policy will cover the following areas:

1. Hiring

The hiring process is the first contact with employees. Business owners should make sure that employees are screened properly and, where possible, have backgrounds checked. Part-time or temporary employees and other people with access to the business premises (like cleaners) should undergo similar checks, particularly when they have access to sensitive areas or computer systems. Computer hackers only need to get cleaning jobs to gain access to computer systems when offices are closed and to create electronic access points (back doors) for later use.

2. Firing

Firing someone is difficult at the best of times. It is important that they are removed from sensitive areas immediately after their employment has been terminated. Most employees will not be a risk, but what would happen if they decided to sabotage or copy sensitive data before they left? People may act irrationally and completely out of character in the emotion of the moment.

3. Training

Training is important in any business and it should include areas like security measures, fraud awareness and ethical standards. It should also include the consequences of unethical or inappropriate behavior. This is where management must be prepared to lead by example and live up to the conditions imposed on employees. Consistency is the basis of the environment.

4. Controlling

One effective fraud control is “the perception of detection”. If employees believe that they are likely to be caught and prosecuted, they are less likely to commit a fraud. Most fraud is unreported and is not prosecuted because the victims do not want to advertise a weakness in their business system. Employees must know that there are controls in place and the consequences of illegal or unethical behavior. This creates a perception that the business is serious about fighting fraud.

Summary of the Control Environment

Many business owners do not consider the environment when looking at control systems, but it is an important first step. If management is setting the right example and employees know that management values ethics and integrity, that attitude will be passed down to the employees and the business will have a strong foundation.

2. Control Activities

Control activities are the policies and procedures that provide a basis for individual control techniques. There are five major control activities.

1. Proper Authorization Processes
2. Segregation of Duties
3. Adequate Documentation of Transactions
4. Physical Controls over Assets and Records
5. Independent Internal Checks

1. Proper Authorization Processes

Many employees deal with business assets or incur debt in the name of the business on a daily basis. It is impractical for every transaction to be individually authorized by top management. Therefore, most businesses set levels of authority for employees and policies on who may authorize what. Authorizations may include the power to incur costs below a certain level or from an approved supplier, granting discounts to a certain level, or writing off debtors’ accounts below a certain level.

Employees will usually authorize a transaction with their signature, initials or an electronic equivalent. As forging authorizations is common when conducting frauds, the authorization process has to be monitored and audited at regular intervals. Authorizations – the signatures – must be recorded as they occur to allow an audit to be effective. A system that does not record that a certain authority has been given cannot be properly investigated if a problem occurs.

Authorization policies must be detailed and published. Employees must know where their authority begins and ends. Transactions that exceed the level of authorization may then be classified as suspicious and examined.

2. Segregation of Duties

Segregating duties is an effective deterrent against occupational fraud, especially if combined with rotation of those duties. About 70% of occupational frauds are committed by one person acting alone. Including other people in functions makes collusion necessary, or makes the fraud far more difficult to commit alone. Having to include or bypass another person in order to commit a fraud should deter most would-be fraudsters. This policy increases the “perception of detection”, the belief that you will be caught, and reduces the opportunity to commit the fraud. This is also one of the easiest methods of fraud control to implement.

There are four basic parts to any transaction:

(i) Authorizing the transaction – giving the order or making the sale;
(ii) Recording the transaction in the books;
(iii) Receiving or sending the goods; and
(iv) Making or receiving the payment.

The fewer people involved in the transaction, the greater the opportunity for fraud. Controlling the receipt and banking of money, and recording the receipt of the money, enables an employee to steal the money and put in entries to hide the theft in the records. Controlling the receipt of goods, the recording of that receipt and authorizing the payment to the supplier allows the goods to be stolen and the theft hidden in the records, or a billing fraud to be conducted.

Small businesses may find separating duties difficult because of the limited number of employees. Small businesses will usually try to employ one person who can do a range of tasks in order to cut costs and be efficient. This person obtains greater control over the records and assets and, because they become trusted over time, they get the opportunity they need to commit and hide frauds.

Computer systems have the same role-limiting effect on business. Computers do routine tasks that used to be done by a number of separate people. Now computer operators or programmers have control over a wide range of operations. Most people trust figures produced by the computer without really considering that the input or process itself could be wrong. On the other hand, computers now handle a lot of transactions that a number of employees used to handle, thereby reducing the risk of impropriety or error. They also allow quick and accurate reporting and verification of data. Ironically, they can be used effectively to both commit and control fraud.

3. Adequate Documentation of Transactions

For a paper trail – or its electronic version – to be investigated, there needs to be a paper trail, and it needs to be detailed and consistent. Documents should contain all of the information needed to properly record and authorize the transaction, and they should be entered into the records as quickly as possible. The paper trail should contain sufficient information for every person associated with a transaction to prove that they conducted their part properly and had the required authorization to do so.

4. Physical Controls over Assets and Records

Physical security is viewed by most people as protecting assets from third parties. Some may also think of protecting assets from employees, but this will usually be limited to cash and stock. They may not think of protecting their information and other assets from employee theft, accident and unauthorized use.

Some examples of physical controls are:

(i) Maintain an asset register of all physical assets;
(ii) Maintain regular backups of all electronic information;
(iii) Separate recording and handling duties involving assets other than stock;
(iv) Restrict access to physical assets to employees with proper authorization and a need to deal with those assets;
(v) Restrict access to records to employees with proper authorization and a need to access them;
(vi) Use a system of passwords to restrict access to the computer system, and install access logs and audit trails to record entries into the system.

5. Independent Internal Checks

Where practical, employees outside the immediate work area should conduct checks on transactions to ensure that they are being done with the proper authority, are being recorded properly, and are accurate. This is the peer audit process discussed above. These checks are quick to organize and conduct and should not disrupt the business operations to a great degree.

Employees conducting peer audits should be from outside the influence of the people being checked. That is, they should be independent. Rotating this role will also reduce the chances of collusion developing between the fraudster and the person checking the transactions.

These types of checks include:

(a) Reconciling two separately maintained records, like reconciling a bank account to the bank statements, or stock records to stock-take sheets.

(b) Comparing actual quantities with recorded amounts. Stock-takes are the most common example. But not many businesses conduct regular counts of other physical assets.

(c) Checking double entry accounting entries, particularly comparing subsidiary ledgers to master ledgers and source documentation. An example is checking between items ordered and the payments for purchases as recorded by the finance department, and recorded as authorized for payment by the receiving department.

(d) Spot checking all parts of a selection of transactions to ensure that all parts are being carried out correctly by all parties involved. This peer review is concentrated on the entire transaction, not the part of the transaction handled by one particular person.

Summary of Control Activities

Control activities have the benefit of acting as a control over innocent errors as well as controlling fraud. Not all types of controls are relevant and business owners will have to determine what controls suit their business.

3. Risk Assessment

Once the environment and control policies are set up, the next question is where to spend the limited time and money to maximum effect. The answer is where the greatest risk is located, but where is that? Risk assessment locates the areas of greatest risk.

There are 7 actions or decisions used to determine whether a risk exists, what level of risk exists, what is the likelihood of a loss, what can be done to protect from that threat and, finally, whether it is commercial to apply that control. These apply to the assessment of any risk, not just the risk of fraud. These actions are:

1. Determine each threat;
2. Estimate the likelihood of a loss from each threat;
3. Estimate the amount of any loss from each threat;
4. Determine what control procedures could be applied;
5. Estimate the costs of implementing and maintaining that control;
6. Decide whether the control is commercial;
7. Implement controls where the cost / benefit assessment is favourable.

These 7 actions can be reduced to four steps.

1. Identify Possible Threats
2. Estimate Risk and Exposure
3. Identify Controls
4. Cost / Benefit Analysis

Identify Possible Threats

The range of threats facing businesses includes strategic, operational, financial and information threats.

Fraud control concentrates mainly on financial risks, including the loss of financial resources, loss of information and the incurring of unnecessary costs resulting from fraud. Business owners should ask five questions to identify possible threats:

(a) What assets are used or traded?
(b) How do you provide and bill for goods or services?
(c) How do you get paid (cash sales, trade debtors etc.)?
(d) How do you order supplies and services?
(e) How do you make payments?

All businesses will have one or more of these areas in their operations. They will have a collection procedure for receiving payments from their customers, and a procedure for ordering goods or services and paying bills. Businesses have to purchase something from suppliers and have to sell their goods or services to customers.

Business owners should identify procedures or assets that might be attacked by a dishonest employee. There are many threats and this is not a “how to” paper. These different frauds are the subject of separate papers in this series.

Estimate Risk and Exposure

The first step in determining risk and exposure is estimating the likelihood of a loss from any particular threat. Some threats are either more likely to occur or will do more commercial damage if they do occur. Some threats are more likely to reoccur after an initial attack.

Estimating the risk of a threat and turning that risk into a percentage chance of that threat occurring is difficult, and there are no rules. The process has to be done by instinct by someone who knows the business. Trying to estimate the probability of reoccurrence is even more difficult.

The next step is estimating the dollar loss due to that threat becoming real. To be conservative, the realistic maximum loss should be used even though the theft of a lesser amount is possible.

Lastly, you must estimate the likelihood of a reoccurrence if no remedial action is taken after the first fraud.

The estimated loss is then a function of (1) the likelihood of the threat happening, (2) the likelihood of reoccurrence and (3) the estimated loss. Going back to our cash drawer example:

risk of occurring x occurrences x loss = a total estimated loss

Identify Controls

We know the possible threats, the risk of them occurring and the possible losses. Next you consider what controls are available. These controls are as numerous as the potential threats. A good fraud control system should have both prevention and detection elements. Some hints:

(i) A control that prevents a fraud is better than one that only detects it after it has happened.
(ii) The perception of detection, or the belief that a fraud will be detected and investigated, is a good deterrent so controls should be obvious.
(iii) Not every control has to be aimed solely at prevention. Some controls should be aimed at detection.

Cost / Benefit Analysis

The last step is the cost / benefit analysis. It is a simple comparison between the cost of a control and the amount that will be “saved” by implementing that control and is used to determine whether the control is commercial. Business owners must consider the practicality of a control. Staff need access to the business system on a day to day basis, so these controls must be practical in the business environment.


Risk Assessment is not an exact science and a lot of “gut feeling” has to be used in estimating the levels of threats. But the threats and the risk of loss from those threats are real. Complacency is not the answer. Armed with the results of the risk assessment, you will be able to direct your resources to areas where you will get the most benefit.

4. Information and Communication Systems

How does the information and communication system relate to fraud control? Most non-physical fraud controls – e.g. internal or peer audits – relate to the information systems, accounting records, and reporting or communication systems. These controls rely on the adequacy of the records, discussed under control activities above, and on how that information can be obtained in order to conduct the audit.

The information and communication system is made up of the type of information stored and how it is communicated to various parties. The information system records, processes, stores and reports data. The communication system dictates how information is reported, who gets it and how it is used in fraud control. The whole system should:

(i) record transactions as they occur, breaking them into their component parts (dates, amounts, names, accounts, authorizations etc.);
(ii) process, summarize and report that information for management purposes and pure accounting purposes;
(iii) store the data in a format that can be summarized, audited, reviewed and reported quickly and easily; and
(iv) report that information in a format that can be used for fraud control purposes.

Communication is an important part of the system. Information must be stored in a way that it can be used to audit and review transactions, but it must be available to the appropriate people at the appropriate times.

To design controls using this information, the business owner must know:

(i) how, when, where and why a transaction is initiated and who has the responsibility for that transaction, or each part of the transaction. This is needed to know whether a transaction is outside the authority of the person involved, is over- or understated, or is fictitious.

(ii) how each part of this information is captured by the system, who is responsible for entering it, the integrity of the information and how to collate similar information for comparative purposes, including how computer files are accessed, stored, protected and updated.

(iii) what, how and when information is used for management, accounting and auditing, and fraud control and internal audit purposes to ensure that the right information gets to the right people and they use it correctly.

To create a reliable fraud detection process, the system must be able to:

(a) identify and record all transactions and all parts of the transaction
(b) properly classify transactions
(c) at their proper value
(d) in the proper accounting period
(e) with their proper authorizations
(f) trace transactions through the system from capture to reporting and vice versa.

Fraud controls must be able to dissect information and compare that information to policies and authorizations. For example: Is the supplier an approved supplier? Is the bill from that supplier associated with an approved quote, at an approved price, for an approved quantity? Have the goods been received, approved, stored and checked against the invoice – all by independent people? Are purchases from this supplier materially more than last period?

Fraud detection systems vary, but good systems have the ability to compare different sources of information and find discrepancies between what is recorded and what actually happened, or should have happened.
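As an added example that is not part of this paper, the following Python code runs the comparisons just described (approved supplier, approved quote price and quantity, independent people across the four parts of a transaction from the segregation-of-duties section, and purchases materially above the previous period) over a constructed purchase ledger. The supplier codes, employee names, quote table and the 50% materiality threshold are all assumptions made for illustration.

```python
from collections import Counter, defaultdict

# Constructed approved-supplier list: the quoted unit price and maximum
# quantity agreed with each supplier for each item (assumed values).
APPROVED_QUOTES = {
    ("S-100", "widget"): {"price": 10.00, "max_qty": 500},
    ("S-200", "bracket"): {"price": 4.50, "max_qty": 1000},
}

# The four parts of a transaction named in the segregation-of-duties section,
# each recorded with the person who performed it.
ROLE_FIELDS = ("authorized_by", "recorded_by", "received_by", "paid_by")

# Constructed purchase ledger. P1 is clean; each of the others has one defect.
PURCHASES = [
    {"id": "P1", "period": "2024Q1", "supplier": "S-100", "item": "widget",
     "qty": 100, "unit_price": 10.00, "authorized_by": "alice",
     "recorded_by": "bob", "received_by": "carol", "paid_by": "dave"},
    {"id": "P2", "period": "2024Q2", "supplier": "S-100", "item": "widget",
     "qty": 100, "unit_price": 12.00, "authorized_by": "alice",
     "recorded_by": "bob", "received_by": "carol", "paid_by": "dave"},
    {"id": "P3", "period": "2024Q2", "supplier": "S-999", "item": "gadget",
     "qty": 10, "unit_price": 50.00, "authorized_by": "alice",
     "recorded_by": "bob", "received_by": "carol", "paid_by": "dave"},
    {"id": "P4", "period": "2024Q2", "supplier": "S-200", "item": "bracket",
     "qty": 200, "unit_price": 4.50, "authorized_by": "erin",
     "recorded_by": "erin", "received_by": "erin", "paid_by": "erin"},
    {"id": "P5", "period": "2024Q2", "supplier": "S-100", "item": "widget",
     "qty": 600, "unit_price": 10.00, "authorized_by": "alice",
     "recorded_by": "bob", "received_by": "carol", "paid_by": "dave"},
]


def check_purchase(p):
    """Compare one purchase against the approved-supplier and authorization
    policies. Returns a list of red-flag descriptions (empty means clean)."""
    flags = []
    quote = APPROVED_QUOTES.get((p["supplier"], p["item"]))
    if quote is None:
        flags.append("unapproved supplier or item")
    else:
        if p["unit_price"] > quote["price"]:
            flags.append("price above approved quote")
        if p["qty"] > quote["max_qty"]:
            flags.append("quantity above approved quote")
    # Segregation of duties: nobody should hold more than one of the four parts.
    holders = Counter(p[field] for field in ROLE_FIELDS)
    multi = sorted(name for name, count in holders.items() if count > 1)
    if multi:
        flags.append("duties not segregated: " + ", ".join(multi))
    return flags


def audit(purchases):
    """Map purchase id -> red flags, keeping only purchases that raised one."""
    result = {}
    for p in purchases:
        flags = check_purchase(p)
        if flags:
            result[p["id"]] = flags
    return result


def period_growth_flags(purchases, threshold=0.5):
    """Flag suppliers whose spend in a period exceeds the previous period by
    more than `threshold` (50% by default, an assumed materiality level).
    Returns {(supplier, period): growth ratio over the previous period}."""
    spend = defaultdict(lambda: defaultdict(float))
    for p in purchases:
        spend[p["supplier"]][p["period"]] += p["qty"] * p["unit_price"]
    flags = {}
    for supplier, by_period in spend.items():
        periods = sorted(by_period)  # "2024Q1" < "2024Q2" sorts correctly
        for prev, cur in zip(periods, periods[1:]):
            limit = by_period[prev] * (1 + threshold)
            if by_period[prev] > 0 and by_period[cur] > limit:
                flags[(supplier, cur)] = by_period[cur] / by_period[prev]
    return flags


if __name__ == "__main__":
    print(audit(PURCHASES))
    print(period_growth_flags(PURCHASES))
```

Each flag points the peer auditor at the independent record to compare against (quote, receiving note, prior-period ledger) rather than deciding on its own that a fraud has occurred.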


Information and communication systems begin with the proper documentation and authorization of transactions, and adequate communication of that information. A control is only as good as the underlying system. If business records are not kept properly or are not accessible, they cannot be readily checked and frauds will be more difficult to detect.

5. Monitoring the System

A lot of time, money and effort is expended assessing fraud threats and risks. Business owners must consider the control activities and consider the information and communication procedures needed to make those controls work. They can then create a worthwhile fraud control system.

This new system will work great, until people forget about it or find ways to bypass it. Like any system, it needs to be monitored and enforced and updated. The fraud control system should monitor three areas:

(1) Supervision of Employees;
(2) Accountability and Responsibility; and
(3) Internal Systems Audits.

Supervision of Employees

Dealing with employees was covered briefly in an earlier section. Employees should be the greatest asset in a business, but can be a fraud threat. A balance, therefore, must be struck between handing responsibility to employees and controlling them.

Controlling employees is important in businesses that are too small to effectively separate duties, or where the costs of internal audits and other monitoring functions are prohibitive. Three basic employee supervision procedures can be implemented.

1. Training. Training should include the procedures for fraud control and is especially important for people responsible for enforcing these controls.

2. Monitoring performance. Increases or decreases in performance levels may be due to many reasons, one of which may be fraud. For example: large increases in productivity, especially around bonus time or towards the end of a financial period, may be an indication that this extra productivity is not real.

3. Asset Protection. Employees need access to assets to perform their duties, but the assets become vulnerable at that time. Employees should only have access to the assets that they need to perform their duties and only at the times necessary to do so.

Accountability and Responsibility

Most people are familiar with the use of budgets to monitor performance. Most will also be familiar with the use of standard processes and costs; quality standards; performance reporting and variance reporting. These functions are useful to control fraud.

1. Standard processes and costs and variance reporting are used for cost control. Monitoring these factors alerts the business owner to potential cost overruns etc. They are also a useful method of monitoring fraud controls. Variances from standard procedures or overruns in costs are indicators that people are not adhering to the system, and fraud may be the reason. This type of variance reporting puts up red flags that business owners may wish to examine further.

2. The need for quality standards in business is obvious, but they can also work as a fraud control monitor. For example: A decrease in the quality of a product could mean that inferior materials are being purchased by a purchasing officer, possibly acting in collusion with a supplier. This decrease could trigger a review of purchases from suppliers and a review of the actual material purchased and costs charged.

3. Performance reporting or input / output comparison is the process of checking whether the amount of inputs (money, supplies or time) results in the expected amount of output from the process. Is the process using more resources than necessary to get the output, and what happened to the surplus material? Is it procurement fraud?

Internal Systems Audits

An internal auditor verifies financial information and internal processes, but there are three areas where the internal audit process can audit the fraud control system.

1. Review of internal control systems to determine whether the control still works, or is relevant. Has the business environment changed to make some controls irrelevant? Does the control system cause more difficulty than it is worth? The risk assessment process may have to be undertaken on a regular basis, if the business process or environment changes.

2. Assessing compliance with control systems. Are people using the control systems that have been put into place? Are people attempting (innocently or otherwise) to circumvent the system?

3. Subjective auditing (the “does that seem strange?” test). Good internal auditors will be able to assess circumstances as well as information. Would you ask questions if a clerk drives to work in a Ferrari? Subjective auditing is a non-technical process of determining whether the whole circumstance feels right and whether it calls for further examination.


Systems only work if they are monitored and maintained, and a fraud control system is just another of these systems.

Summary of the C.O.S.O. system

The C.O.S.O. system is not a set list of tasks to undertake and this paper is not meant to be a “how to” manual. The C.O.S.O. system is a theoretical model. This paper is meant to highlight the risks from fraud and to guide the business owner through the process of implementing their own custom fraud control system. There is no “one size fits all” control system, and what is appropriate today may need to be changed tomorrow.