
The ACFE/COSO Fraud Risk Management Guide: 2022 Edition
DAVID L. COTTON, CPA, CFE, CGFM
CHAIRMAN EMERITUS, COTTON & COMPANY

Dave Cotton is founder and Chairman Emeritus of Cotton & Company, Certified Public Accountants, headquartered in
Alexandria, Virginia. Cotton & Company was founded in 1981 and has a practice concentration in assisting Federal and
State agencies, inspectors general, and government grantees and contractors with a variety of government program-
related assurance and advisory services. Cotton & Company has performed grant and contract, indirect cost rate, financial
statement, financial related, and performance audits for more than two dozen Federal inspectors general as well as
numerous other Federal and State organizations, programs, activities, and functions. In April 2022, Cotton & Company
became a wholly-owned subsidiary of Sikich LLP.

Cotton & Company’s Federal agency audit clients have included the U.S. Government Accountability Office, U.S. Navy, U.S.
Marine Corps, U.S. Transportation Command, U.S. Defense Security Cooperation Agency, U.S. House of Representatives,
U.S. Capitol Police, U.S. Small Business Administration, U.S. Bureau of Prisons, Millennium Challenge Corporation, U.S.
Marshals Service, and Bureau of Alcohol, Tobacco, Firearms and Explosives. Cotton & Company also assists numerous
Federal agencies in preparing financial statements and improving financial management, accounting, and internal control
systems.

Dave received a BS in mechanical engineering and an MBA in management science and labor relations from Lehigh
University in Bethlehem, PA. He also pursued graduate studies in accounting and auditing at the University of Chicago
Graduate School of Business. He is a Certified Public Accountant (CPA), Certified Fraud Examiner (CFE), and Certified
Government Financial Manager (CGFM).

Dave served on the Advisory Council on Government Auditing Standards (the Council advises the United States
Comptroller General on promulgation of Government Auditing Standards—GAO’s yellow book). He served on the
Institute of Internal Auditors (IIA) Anti-Fraud Programs and Controls Task Force and co-authored Managing the Business
Risk of Fraud: A Practical Guide. He served on the American Institute of CPAs Anti-Fraud Task Force and co-authored
Management Override: The Achilles Heel of Fraud Prevention. Dave is the past-chair of the AICPA Federal Accounting
and Auditing Subcommittee and has served on the AICPA Governmental Accounting and Auditing Committee and the
Government Technical Standards Subcommittee of the AICPA Professional Ethics Executive Committee. Dave chaired
the Fraud Risk Management Task Force, sponsored by COSO and ACFE and is a principal author of the COSO-ACFE Fraud
Risk Management Guide. Dave is currently co-chairing a task force to update the COSO-ACFE Fraud Risk Management
Guide. In May 2022, Governor Glenn Youngkin appointed Dave to the Virginia Board of Accountancy.

Dave served on the board of the Virginia Society of Certified Public Accountants (VSCPA) and on the VSCPA Litigation
Services, Professional Ethics, Quality Review, and Governmental Accounting and Auditing Committees. He is a member
of the Association of Government Accountants (AGA) and past-advisory board chairman and past-president of the AGA
Northern Virginia Chapter and past Vice Chair of the AGA Professional Ethics Board. He is also a member of the IIA and
the Association of Certified Fraud Examiners.

Dave has testified as an expert in governmental accounting, auditing, and fraud issues before the United States Court of
Federal Claims, the Armed Services Board of Contract Appeals, and other administrative and judicial bodies.

Dave has spoken and written frequently on cost accounting, professional ethics, and auditor fraud detection
responsibilities. He has been an instructor for the George Washington University masters of accountancy program (Fraud
Examination and Forensic Accounting), and has instructed for the George Mason University Small Business Development
Center (Fundamentals of Accounting for Government Contracts).

Dave was the recipient of the ACFE 2018 Certified Fraud Examiner of the Year Award (“presented to a CFE who has
demonstrated outstanding achievement in the field of fraud examination … based on their contributions to the ACFE, to
the profession, and to the community”); AGA’s 2012 Educator Award (“to recognize individuals who have made significant
contributions to the education and training of government financial managers”); and AGA’s 2006 Barr Award (“to
recognize the cumulative achievements of private sector individuals who throughout their careers have served as a role
model for others and who have consistently exhibited the highest personal and professional standards”).
The ACFE/COSO Fraud Risk Management Guide: 2022 Edition

• A short history: COSO, internal control, enterprise risk management, and fraud risk management
• The big picture: principles, standards, and leading practices
• FRMG overview
• The 2022 Update Task Force
• What has not changed
• Major changes
• Fraud risk management tools
• Be part of the antifraud effort

Disclaimer

The views expressed in this presentation are my views and do not necessarily align with the views of the Virginia Board of Accountancy.

[email protected] 1
A short history: COSO, internal control, enterprise risk management, and fraud risk management

• 1985: Committee of Sponsoring Organizations of the Treadway Commission
• 1987: Treadway Commission Report
• 1992: Internal Control—Integrated Framework

Very little emphasis on fraud

Focus was on:
• Economy and efficiency of operations, including safeguarding of assets and achievement of desired outcomes;
• Reliability of financial and management reports; and
• Compliance with laws and regulations.
A short history: COSO, internal control, enterprise risk management, and fraud risk management

• 1985: Committee of Sponsoring Organizations of the Treadway Commission
• 1987: Treadway Commission Report
• 1992: Internal Control—Integrated Framework
• 1992-2001: COSO IC Framework gained broad recognition
• 2002: SOX section 404 mandated establishing/reporting on IC
• 2002-2012: COSO IC Framework gained global recognition
• 2004: COSO Enterprise Risk Management Framework
• 2013: COSO Internal Control—Integrated Framework
  • Principle 8: Consider fraud when assessing risks
• 2014: ACFE/COSO Fraud Risk Management task force
• 2015: GAO Fraud Risk Management Framework
• 2016: ACFE/COSO Fraud Risk Management Guide
• 2017: COSO Enterprise Risk Management Framework—Integrating with Strategy and Performance
The big picture: principles, standards, and leading practices

[Figure: a matrix with the columns Private Sector and Government and the rows Accounting Principles, Auditing Standards, Internal Control, Fraud Risk Management, and Enterprise Risk Management. The slides annotate the cells as either "Required by law" or "Leading practices".]
2016 FRMG overview

• Five fraud risk management principles
• Maps to COSO IC Framework
• Detailed information on performing a fraud risk assessment
• 19 Appendices
The 2022 Update Task Force

[Figure: Joint ACFE-COSO Task Force]

[Figure: Joint ACFE-COSO Advisory Panel]

What has not changed

• Mapping to COSO IC Framework
• Five fraud risk management principles and the basic process
• The fraud risk assessment process

[Figure: Mapping of COSO Components and Principles to the Fraud Risk Management Guide]

[Figure: Basic fraud risk management process has not changed]
Risk assessment process has not changed

[Figure: the Fraud Risk Assessment cycle]
• Establish the fraud risk assessment team, considering:
  - Appropriate management levels
  - All organizational components
• Identify all fraud schemes and fraud risks, considering:
  - Internal and external factors
  - Various types of fraud
  - Risk of management override
• Estimate likelihood and significance of each fraud scheme and risk
• Determine all personnel and departments potentially involved, considering the fraud triangle
• Identify existing controls and assess their effectiveness
• Assess and respond to residual risks that need to be mitigated:
  - Strengthen existing control activities
  - Add control activities
  - Consider data analytics
• Document the risk assessment
• Reassess risk periodically, considering changes:
  - External to the organization
  - Operational
  - Leadership

Major changes

• Fraud risk management and deterrence linkage
• COSO’s two frameworks and fraud risk management linkage
• Expanded information on data analytics
• Internal control and fraud risk management: how they differ
• Assessing the effectiveness of existing control procedures
• Changes in the legal and regulatory environment
• Fraud reporting systems (hotlines)
• Changes in the external environment and fraud landscape
• Appendices changes
• Fraud risk management tools
Fraud risk management and deterrence

• COSO’s mission is to help organizations improve performance by developing thought leadership that enhances internal control, risk management, governance and fraud deterrence.
• According to the National Institute of Justice:
  • The certainty of being caught is a vastly more powerful deterrent than the punishment.
  • Police deter crime by increasing the perception that criminals will be caught and punished.

Fraud risk management and deterrence

Fraud deterrence is the combined result of prevention and detection:

Prevention + Detection = Deterrence
Fraud risk management and deterrence

• Deterrence is also supported and enhanced by the knowledge throughout the organization that:
  • Those charged with governance have made a commitment to comprehensive fraud risk management.
  • Periodic fraud risk assessments are being conducted.
  • Overt and covert fraud control activities are in place.
  • Suspected frauds are investigated quickly.
  • Fraud reporting mechanisms are in place.
  • Discovered frauds are remediated thoroughly.
  • The entire Fraud Risk Management Program is being monitored on an ongoing basis.
COSO’s two frameworks and fraud risk management

• COSO Internal Control—Integrated Framework: 1992, 2013
• COSO Enterprise Risk Management Framework: 2004
• Enterprise Risk Management — Integrating with Strategy and Performance: 2017
• Fraud Risk Management Guide: 2016, 2022
COSO’s two frameworks and fraud risk management

Expanded information on data analytics

• Added a data analytics Point of Focus under each of the five fraud risk management Principles:
  1. Uses Data Analytics to Support Fraud Risk Governance
  2. Uses Data Analytics Techniques for Fraud Risk Assessment and Fraud Risk Responses
  3. Uses Proactive Data Analytics Procedures
  4. Performs Data Analytics
  5. Uses Data Analytics to Continuously Monitor and Improve
Expanded information on data analytics

Expanded Data Analytics Appendices

• Appendix D-1 explains how to build a sustainable data analytics capability, develop a data analytics plan, attract and develop a team of skilled professionals, acquire the right technological solutions, and implement processes and procedures.
• Appendix D-2 provides both guidance and practical examples of the application of data analytics techniques and approaches as part of a fraud risk assessment.
• Appendix D-3 explains how data analytics techniques can enhance fraud control activities to mitigate residual risks that were identified during the fraud risk assessment.
Internal control and fraud risk management

• Internal control and fraud risk management are related and support each other, but are different in some important respects.
• Controls that may assure accuracy in accounting and financial reporting may not be sufficient to protect against fraud.
[Figure: the Fraud Risk Assessment cycle shown earlier (Establish the fraud risk assessment team; Identify all fraud schemes and fraud risks; Estimate likelihood and significance of each fraud scheme and risk; Determine all personnel and departments potentially involved, considering the fraud triangle; Identify existing controls and assess their effectiveness; Assess and respond to residual risks that need to be mitigated; Document the risk assessment; Reassess risk periodically). The step "Identify existing controls and assess their effectiveness" is marked as a VERY Important Step.]

Internal control and fraud risk management

• Internal control and fraud risk management are related and support each other, but are different in some important respects.
• Controls that may assure accuracy in accounting and financial reporting may not be sufficient to protect against fraud.
• Let’s look at some examples …
Internal control and fraud risk management

• Segregation of Duties.
• Approved Vendor Lists.
• Higher Transaction Approval Authorities.
• Asset Verification Physical Counts.

Segregation of Duties (Overt Control Activity)

• Do not let one person control all transaction phases
• Good for accuracy in accounting and financial reporting
• BUT, in assessing fraud risk, we need to consider how that control can be circumvented or rendered ineffective
  • Collusion among the people across whom duties are segregated
  • Password-sharing
  • I.e., residual fraud risk
• Let’s apply additional controls to mitigate the residual risk (Covert Control Activities)
  • Frequently rotate the duties
  • Monitor password use and attendance
Approved Vendor List (Overt Control Activity)

• We only do business with reputable companies that have been thoroughly vetted
• Good for accuracy in accounting and financial reporting
• BUT, in assessing fraud risk, we need to consider how that control can be circumvented or rendered ineffective
  • Employee gains access to vendor database and adds bogus company
  • Corrupt vendor offers bribes or kickbacks
  • I.e., residual fraud risk
• Let’s apply additional controls to mitigate the residual risk (Covert Control Activities)
  • Match fields in employee and vendor databases
  • Apply data analytics to track unusual buying and pricing patterns
Approved Vendor List

• Wait: what if your organization includes employees in the vendor database in order to process travel expense reimbursement transactions?
Higher Level Approvals Required for Large Transactions (Overt Control Activity)

• Any purchase of more than $50,000 requires regional manager approval
• Good for accuracy in accounting and financial reporting
• BUT, in assessing fraud risk, we need to consider how that control can be circumvented or rendered ineffective
  • Purchase-splitting
  • Regional manager becomes corrupt
  • I.e., residual fraud risk
• Let’s apply additional controls to mitigate the residual risk (Covert Control Activities)
  • Apply Benford’s Law to the purchasing database
  • Apply data analytics to track unusual buying and pricing patterns
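Two of the covert controls on the Approved Vendor List and Higher Level Approvals slides are data analytics jobs: matching fields between the employee and vendor databases, and spotting purchases split to stay under the $50,000 regional-manager threshold. The Python below is an added example written for this page, not code from the presentation or from the ACFE/COSO guide. The vendor, employee and purchase-order records are constructed; the $50,000 threshold is the slide's; the 7-day window, the field names, and the "employee_reimbursement" vendor type used to honour the travel-expense caveat are assumptions. The split check is written generally, so it also covers the journal-entry and contract splitting tests in the data analytics library further down the page.

```python
"""Added example: two covert analytics checks over constructed purchasing data.

1. Cross-match the vendor master against the employee master on bank account
   and street address, skipping vendor records that exist only for employee
   expense reimbursement (the caveat on the Approved Vendor List slide).
2. Flag purchase splitting: orders from one requester to one vendor, each at
   or under the approval threshold, whose total within a short window exceeds it.
"""
from collections import defaultdict
from datetime import date

APPROVAL_THRESHOLD = 50_000   # from the slide: more than this needs regional manager approval
SPLIT_WINDOW_DAYS = 7         # assumption: how close in time split orders are expected to be

# Constructed sample data (field names are assumptions).
VENDORS = [
    {"vendor_id": "V100", "name": "Acme Supply Co", "bank_acct": "111222", "address": "12 Mill Rd", "type": "trade"},
    {"vendor_id": "V200", "name": "Northwind LLC", "bank_acct": "999888", "address": "5 Harbor St", "type": "trade"},
    {"vendor_id": "V300", "name": "J. Doe (expenses)", "bank_acct": "555666", "address": "9 Elm Ave", "type": "employee_reimbursement"},
]
EMPLOYEES = [
    {"emp_id": "E1", "name": "Jane Doe", "bank_acct": "555666", "address": "9 Elm Ave"},
    {"emp_id": "E2", "name": "Sam Roe", "bank_acct": "999888", "address": "40 Oak Ct"},
    {"emp_id": "E3", "name": "Pat Lee", "bank_acct": "777000", "address": "2 Pine Pl"},
]
PURCHASE_ORDERS = [
    {"po": "P1", "vendor_id": "V100", "requester": "E3", "date": date(2022, 3, 1), "amount": 48_000},
    {"po": "P2", "vendor_id": "V100", "requester": "E3", "date": date(2022, 3, 3), "amount": 47_500},
    {"po": "P3", "vendor_id": "V100", "requester": "E3", "date": date(2022, 3, 5), "amount": 20_000},
    {"po": "P4", "vendor_id": "V200", "requester": "E2", "date": date(2022, 3, 2), "amount": 30_000},
    {"po": "P5", "vendor_id": "V200", "requester": "E2", "date": date(2022, 5, 20), "amount": 30_000},
    {"po": "P6", "vendor_id": "V100", "requester": "E1", "date": date(2022, 3, 9), "amount": 65_000},
]


def vendor_employee_matches(vendors, employees, fields=("bank_acct", "address")):
    """Return (vendor_id, emp_id, field) for every field value a trade vendor shares
    with an employee. Vendors typed as employee reimbursement are expected to
    match an employee and are skipped rather than reported."""
    index = {(f, e[f]): e["emp_id"] for e in employees for f in fields}
    hits = []
    for v in vendors:
        if v["type"] == "employee_reimbursement":
            continue
        for f in fields:
            emp = index.get((f, v[f]))
            if emp is not None:
                hits.append((v["vendor_id"], emp, f))
    return hits


def split_purchases(orders, threshold=APPROVAL_THRESHOLD, window_days=SPLIT_WINDOW_DAYS):
    """Return {(vendor_id, requester): [po ids]} for groups of orders that each stayed
    at or under the threshold but together exceed it inside a sliding window.
    Orders above the threshold already went through the higher approval."""
    by_pair = defaultdict(list)
    for o in sorted(orders, key=lambda o: o["date"]):
        if o["amount"] <= threshold:
            by_pair[(o["vendor_id"], o["requester"])].append(o)
    flagged = defaultdict(set)
    for pair, group in by_pair.items():
        for i, first in enumerate(group):
            run = [o for o in group[i:] if (o["date"] - first["date"]).days <= window_days]
            if len(run) > 1 and sum(o["amount"] for o in run) > threshold:
                flagged[pair].update(o["po"] for o in run)
    return {pair: sorted(pos) for pair, pos in flagged.items()}


if __name__ == "__main__":
    print("vendor/employee matches:", vendor_employee_matches(VENDORS, EMPLOYEES))
    print("possible split purchases:", split_purchases(PURCHASE_ORDERS))
```

On the constructed data the vendor match reports Northwind LLC sharing a bank account with employee E2 while the reimbursement record for Jane Doe is correctly ignored, and the three orders from E3 to Acme within five days (each under $50,000, $115,500 together) are flagged while E2's two orders eleven weeks apart are not. Both results are leads for the residual-risk review, not findings on their own.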

Physical Counts of Assets/Inventory (Overt Control Activity)

• We periodically take physical counts of assets and inventory
• Good for accuracy in accounting and financial reporting
• BUT, in assessing fraud risk, we need to consider how that control can be circumvented or rendered ineffective
  • Actual inventory is moved from location to location
  • Empty boxes are disguised to appear to have contents
  • I.e., residual fraud risk
• Let’s apply additional controls to mitigate the residual risk (Covert Control Activities)
  • Vary the inventory counting process to conduct surprise counts or simultaneous location counts
  • Vary the counting process (weigh boxes; open boxes; etc.)
More examples …

• Two signatures required for checks above a certain amount.
• Thresholds for procurements:
  • Up to $50,000 requires 3 or more quotes/bids
  • Above $50,000 requires full/open competition
• CFO approval of all journal entries above $100,000
• ?
• ?
• ?
Library of Internal Controls

• If your organization is following the COSO framework, you probably have a list (“library”) of all controls
• Apply this “how could fraud happen despite this control” analysis to every control
Assessing the effectiveness of existing control procedures

Clarification that assessing the effectiveness of existing controls is a two-step process.
• First, a determination will be made as to whether the control is in place and functioning as designed.
• Once that determination is made, the control will be re-assessed in terms of its effectiveness for preventing and detecting fraud.
Changes in the legal and regulatory environment

• Includes updated information with respect to recent legal and regulatory developments pertaining to fraud and fraud risk management, including:
  • The Department of Justice’s Evaluation of Corporate Compliance Programs.
  • The Government Accountability Office’s A Framework for Managing Fraud Risks in Federal Programs.
  • U.S. Securities and Exchange Commission Climate and ESG Task Force

Fraud reporting systems (hotlines)

• ACFE research consistently reveals the importance of having fraud hotlines or whistleblower reporting systems in place.

[Figures: charts from the ACFE 2022 Report to the Nations]

• Expanded information on the importance of hotlines as part of Principle 1 (Control Environment) and Principle 4 (Information and Communication)

Changes in the external environment and fraud landscape

The fraud landscape is changing rapidly. The 2022 FRMG edition includes information on this changing environment, including:
• Environmental, social and governance (ESG) initiatives and reporting
• Cyberfraud
• Blockchain, cryptocurrency, and digital assets
• Ransomware
• COVID-19 response efforts, the CARES Act, and related programs
• Remote working and hybrid working environments
• Innovative and virtual management tools and accounting procedures
Appendices changes

• 2016 edition had 19 appendices
• 2022 edition has 7 appendices

[Figure: the 2022 appendices list]
Fraud risk management tools at ACFE

https://www.acfe.com/fraud-resources/fraud-risk-tools---coso/tools
• Antifraud Playbook
• Library of Antifraud Data Analytic Tests
• Fraud Risk Management Interactive Scorecards
• Risk Assessment and Follow-Up Action Templates
• Points of Focus Documentation Templates
• Sample Fraud Control Policy
• Fraud Risk Management High-Level Assessment
• Sample Fraud Policy Responsibility Matrix
• Sample Fraud Risk Management Policy
• Sample Fraud Risk Management Survey
• Expanded list of fraud exposures, hyperlinked to underlying descriptions
  • Generic schemes
  • Industry-specific schemes

Fraud risk management tools at ACFE

Coming soon:
• PowerPoint Deck to use to explain Fraud Risk Management and its importance to senior management and those charged with governance.
• Fraud Risk Management Implementation Program: an audit-program-like set of step-by-step procedures for implementing a robust FRM program.
[Figure: Risk Assessment and Follow-up Actions Template]

[Figure: Fraud Risk Heat Map]

[Figure: Fraud Risk Ranking Matrix]

[Figure: Points of Focus Documentation]

Data Analytics Library
Skimming

Library of Data Analytics Tests: CASH - SKIMMING

Cash Receipts Analysis: Review sequential numbering of cash receipts journal to ensure no out-of-sequence numbers
Vertical Analysis: Vertical analysis of sales accounts (i.e., cash as a percentage of total assets over time, etc.) can be used to detect skimming at a high level
Horizontal Analysis: Horizontal analysis of sales accounts (i.e., cash percent change over time) can be used to detect skimming at a high level
Current Ratio Analysis: Track current assets to current liabilities over time
Quick Ratio Analysis: (Cash + Securities + Receivables) over Current Liabilities, percent change over time
Inventory Analysis: Track inventory shrinkage due to unrecorded sales. Inventory detection may include statistical sampling, trend analysis, reviews of receiving reports and inventory records, and verification of material requisition and shipping documentation as well as actual physical inventory counts
Red Flags: Bank employee questions the validity of a check
Red Flags: Inspect for a forged endorsement on a check
Red Flags: Inspect for an employee bank account with a name similar to the company name
Red Flags: Inspect for alteration of the check payee or endorsement
Journal Entry Review: Analysis of journal entries made to the cash and inventory accounts to identify: (1) false credits to inventory to conceal unrecorded or understated sales, (2) write-offs related to lost, stolen or obsolete product, (3) write-offs to accounts receivable, (4) irregular entries to cash accounts
Journal Entry Review: Analysis of journal entries to review suspicious or inaccurate journal entries.
Journal Entry Review: Identify larger entries split into smaller entries to avoid exceeding their approval limit, to ensure authorization and validity of the journal entry based on the approval limits
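The first test in the table, reviewing the sequential numbering of the cash receipts journal, is simple to automate, and the same routine serves the "Analysis of sequentially numbered invoices" and "identify missing checks, invoices" tests in the revenue recognition table below. The Python below is an added example written for this page, not code from the presentation or from the ACFE data analytics library; the journal rows and their column layout are constructed. It reports three kinds of anomaly: receipt numbers that never appear, numbers used more than once, and numbers posted out of order relative to the posting date.

```python
"""Added example: sequence check over a constructed cash receipts journal."""
from datetime import date

# Constructed sample rows: (receipt_no, posting_date, amount).
# Receipt 1004 is missing, 1006 is used twice, and 1009 is posted before 1008.
RECEIPTS = [
    (1001, date(2022, 6, 1), 250.00),
    (1002, date(2022, 6, 1), 80.00),
    (1003, date(2022, 6, 2), 1200.00),
    (1005, date(2022, 6, 2), 45.00),
    (1006, date(2022, 6, 3), 300.00),
    (1006, date(2022, 6, 3), 300.00),
    (1007, date(2022, 6, 4), 99.00),
    (1009, date(2022, 6, 4), 500.00),
    (1008, date(2022, 6, 5), 75.00),
]


def sequence_anomalies(receipts):
    """Return {'missing': [...], 'duplicate': [...], 'out_of_order': [...]}.

    missing      numbers inside the journal's range that were never recorded
    duplicate    numbers recorded more than once
    out_of_order numbers lower than the highest number posted on an earlier date
    """
    numbers = [r[0] for r in receipts]
    seen, duplicate = set(), set()
    for n in numbers:
        if n in seen:
            duplicate.add(n)
        seen.add(n)
    missing = sorted(set(range(min(numbers), max(numbers) + 1)) - seen)

    out_of_order = []
    max_before = None          # highest number seen on any strictly earlier date
    today, max_today = None, None
    for n, d, _ in sorted(receipts, key=lambda r: r[1]):   # stable sort by posting date
        if d != today:         # new posting date: fold yesterday's max into max_before
            if max_today is not None:
                max_before = max_today if max_before is None else max(max_before, max_today)
            today, max_today = d, None
        if max_before is not None and n < max_before:
            out_of_order.append(n)
        max_today = n if max_today is None else max(max_today, n)

    return {"missing": missing, "duplicate": sorted(duplicate), "out_of_order": out_of_order}


if __name__ == "__main__":
    for kind, nums in sequence_anomalies(RECEIPTS).items():
        print(f"{kind}: {nums}")
```

A gap or a reused number is not proof of skimming, but each one should be traceable to a voided receipt or a correcting entry; numbers that cannot be accounted for are what the test is meant to surface.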
Bid Rigging

Library of Data Analytics Tests: BID RIGGING

Corruption (Bid Rigging): Compare inventory levels and turnover rates on a by-project or by-product basis, by region
Corruption (Bid Rigging): Inventory written off and then new purchase made (total write-offs and quantities purchased by product)
Corruption (Bid Rigging): Compare contract awards by vendor (number of contracts won compared to bids submitted)
Corruption (Bid Rigging): Sole-sourced contracts - number of bids per contract
Corruption (Bid Rigging): Check for vague contract specifications: (i) amendments, extensions, increases in contract values, (ii) total number of amendments, (iii) original delivery date and final delivery date, (iv) original contract value and final contract value
Corruption (Bid Rigging): Check for split contract (same vendor, same day)
Corruption (Bid Rigging): Bids submitted after bid closing date
Corruption (Bid Rigging): Last bid wins
Corruption (Bid Rigging): Low bidder drops out, and subcontracts to higher bidder (compare contractor with invoice payee)
Corruption (Bid Rigging): Fictitious bids - verify bidders and prices
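Four of the tests in this table (contracts won compared to bids submitted, sole-sourced contracts, bids after the closing date, and last bid wins) work from the same two records: a contract file with closing time and awardee, and a bid file with submission time. The Python below is an added example written for this page, not code from the presentation or from the ACFE data analytics library; the contracts, vendors, bids and field names are all constructed.

```python
"""Added example: bid-rigging indicators over constructed contract and bid records."""
from collections import defaultdict
from datetime import datetime

# Constructed sample: each contract has a bid closing time and the awarded vendor.
CONTRACTS = {
    "C1": {"closes": datetime(2022, 1, 10, 17, 0), "winner": "Alpha"},
    "C2": {"closes": datetime(2022, 2, 10, 17, 0), "winner": "Alpha"},
    "C3": {"closes": datetime(2022, 3, 10, 17, 0), "winner": "Beta"},
    "C4": {"closes": datetime(2022, 4, 10, 17, 0), "winner": "Alpha"},
}
# Constructed sample bids: (contract, vendor, submitted, price).
BIDS = [
    ("C1", "Alpha", datetime(2022, 1, 8, 9, 0), 90_000),
    ("C1", "Beta", datetime(2022, 1, 9, 9, 0), 95_000),
    ("C1", "Gamma", datetime(2022, 1, 9, 15, 0), 97_000),
    ("C2", "Beta", datetime(2022, 2, 8, 9, 0), 40_000),
    ("C2", "Alpha", datetime(2022, 2, 10, 18, 30), 39_500),   # after closing, and the last bid in
    ("C3", "Beta", datetime(2022, 3, 5, 9, 0), 12_000),        # only bidder
    ("C4", "Gamma", datetime(2022, 4, 7, 9, 0), 70_000),
    ("C4", "Beta", datetime(2022, 4, 8, 9, 0), 69_000),
    ("C4", "Alpha", datetime(2022, 4, 10, 16, 55), 68_900),    # last bid in, narrowly lowest
]


def vendor_win_rates(contracts, bids):
    """Contracts won compared to bids submitted: {vendor: (won, submitted, win_rate)}."""
    submitted, won = defaultdict(int), defaultdict(int)
    for _, vendor, _, _ in bids:
        submitted[vendor] += 1
    for info in contracts.values():
        won[info["winner"]] += 1
    return {v: (won[v], submitted[v], won[v] / submitted[v]) for v in submitted}


def bid_rigging_indicators(contracts, bids):
    """Per-contract red flags: bids after the closing date, last bid wins, sole-sourced."""
    by_contract = defaultdict(list)
    for bid in bids:
        by_contract[bid[0]].append(bid)
    late_bids, last_bid_wins, sole_source = [], [], []
    for cid, info in contracts.items():
        cbids = sorted(by_contract[cid], key=lambda b: b[2])   # chronological order
        late_bids += [(cid, b[1]) for b in cbids if b[2] > info["closes"]]
        if len(cbids) == 1:
            sole_source.append(cid)
        elif cbids[-1][1] == info["winner"]:
            last_bid_wins.append(cid)
    return {"late_bids": late_bids, "last_bid_wins": last_bid_wins, "sole_source": sole_source}


if __name__ == "__main__":
    for vendor, (w, s, rate) in vendor_win_rates(CONTRACTS, BIDS).items():
        print(f"{vendor}: won {w} of {s} bids ({rate:.0%})")
    print(bid_rigging_indicators(CONTRACTS, BIDS))
```

On the sample data one vendor wins every contract it bids on, twice as the last bid in and once with a bid accepted after closing; the combination, rather than any single flag, is what merits a closer look at how those awards were made.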
Fictitious Revenue

Data Analytics Library

Library of Data Analytics Tests: REVENUE RECOGNITION

Bill & Hold: Analysis of inventory that has been "segregated" or shipped to a third party intermediary where the customer has not taken title and assumed the risks, yet the company has booked this isolated inventory as revenue
Bill & Hold: Identify revenue and receivables recorded prior to shipment
Channel Stuffing: Compare discounts or incentives on a monthly basis to identify unusual spikes at the end of the quarter or year.
Channel Stuffing: Compare sales and corresponding returns on a per-customer basis
Debt Swap: Identification of journal entries with net debit to liability and credit to revenue
Debt Swap: Identification of journal entries with net debit to liability and credit to expenses
Fake Invoices: Analysis of sequentially numbered invoices
Fake Invoices: Benford's analysis of the first two digits to identify anomalies such as a disproportionate number of invoices starting with 7, 8 or 9
Fake Invoices: Analysis of company names that "sound like" known vendors
Fake Invoices: Examine inventory records to identify locations or items that require specific attention during or after the physical inventory count
Revenue Recognition: Analysis and anomaly detection of the sequence of transactions to identify missing checks, invoices
Revenue Recognition: Compare A/R credit memos to A/P invoices
Revenue Recognition: Compare revenue reported by month and by product line during the current period with comparable prior periods
Revenue Recognition: Confirm with selected, high-risk customers relevant contract terms or question company staff regarding shipments near the end of the period
Revenue Recognition: Identification of revenue recognized at period end and subsequently reversed or partially reversed
Fraud Triangle Analytics: E-mail analysis of selected employees (accounting or sales) for "Rev Rec" related key words around incentive/pressure, opportunity and rationalization
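Benford's Law appears twice on this page: "Apply Benford's Law to the purchasing database" on the Higher Level Approvals slide, and the Fake Invoices first-two-digit test in this table, which looks for a disproportionate number of invoices starting with 7, 8 or 9. The Python below is an added example written for this page, not code from the presentation or from the ACFE data analytics library. It compares the observed first-two-digit frequencies of a set of amounts with the expected proportion log10(1 + 1/d) for d = 10..99, reports digit pairs whose excess is statistically large, and reports the share of amounts starting with 70..99 against its expected share. The invoice amounts are constructed: 300 values drawn evenly on a log scale (which follow Benford's Law by construction) plus 40 fabricated invoices that all start with "98"; the z-score threshold of 3 is an assumption.

```python
"""Added example: Benford first-two-digit test over constructed invoice amounts."""
import math
from collections import Counter


def first_two_digits(amount):
    """First two significant digits (10..99) of a non-zero amount, else None.
    Scientific notation gives the digits independent of the decimal point."""
    if not amount:
        return None
    mantissa = f"{abs(amount):.9e}".split("e")[0].replace(".", "")
    return int(mantissa[:2])


def benford_first_two(amounts, z_threshold=3.0):
    """Return {'n', 'flagged', 'share_70_99'}.

    flagged      (digits, observed count, expected count, z) for digit pairs whose
                 observed proportion exceeds Benford's expectation by more than
                 z_threshold standard errors
    share_70_99  (observed, expected) proportion of amounts starting with 70..99
    """
    digits = [d for d in map(first_two_digits, amounts) if d is not None]
    n = len(digits)
    counts = Counter(digits)
    flagged = []
    for d in range(10, 100):
        p_exp = math.log10(1 + 1 / d)           # Benford's first-two-digit law
        p_obs = counts[d] / n
        z = (p_obs - p_exp) / math.sqrt(p_exp * (1 - p_exp) / n)
        if z > z_threshold:
            flagged.append((d, counts[d], round(n * p_exp, 1), round(z, 1)))
    high = sum(counts[d] for d in range(70, 100)) / n
    expected_high = math.log10(100 / 70)        # sum of log10(1 + 1/d) for d = 70..99
    return {"n": n, "flagged": flagged, "share_70_99": (round(high, 4), round(expected_high, 4))}


def sample_invoices():
    """Constructed data: a Benford-conforming base plus 40 fabricated invoices."""
    base = [10 ** (2 + 3 * k / 300) for k in range(300)]   # log-uniform over 100..100,000
    fakes = [9_800 + i for i in range(40)]                  # every fake starts with "98"
    return base + fakes


if __name__ == "__main__":
    result = benford_first_two(sample_invoices())
    print(f"n = {result['n']}, share starting 70-99: {result['share_70_99']}")
    for d, observed, expected, z in result["flagged"]:
        print(f"digits {d}: observed {observed}, expected {expected}, z = {z}")
```

The base set alone produces no flags, which is the control a practitioner should always run before trusting the test on live data; with the fabricated invoices added, the pair 98 stands far outside its expected count and the 70..99 share rises well above its expected 15.5%. Benford's Law is only a screening test: it assumes amounts span several orders of magnitude and are not capped or price-listed, so flagged digit pairs are a sample to pull, not a conclusion.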
Be part of the antifraud effort

• The tools at ACFE are intended to be crowd-sourced.
• If you have:
  • Suggestions for modifications to existing tools
  • Ideas for additional tools
  • Additional fraud exposures to add to the list
  • Other comments or recommendations….
Contact us.

Yes, Yes, Yes…It’s Hard Work

Just remember
• The perps hope you are lazy
• If the perps discover that you are not lazy and have thoroughly implemented fraud risk management processes, they will move on to find easier targets