John Verver, CPA CA, CISA, CMC
Advisor to ACL

It was great to see the most recent publication from the Committee of Sponsoring Organizations of the Treadway Commission (COSO) on managing fraud risk and its specific call-out to the role of data analytics. The new COSO Fraud Risk Management Guide establishes five principles for managing the risks of fraud and links them to the five components of the 2013 Framework for Internal Controls, as well as the 17 Internal Control Principles. The five principles include guidance on establishing a fraud risk management program.

I have not yet had the chance to read through the detail of the guide and how it refers to the role of data analytics (hard copy publications take a while to arrive)—but my immediate reaction is that analytics can play an important role in support of at least three of the principles. I noticed that long-time data analytics and ACL champion Dave Coderre was on the fraud risk management task force—so I expect that there will be some great content specifically on data analysis.

COSO’s five elements of guidance on establishing a fraud risk management program include:

  1. Establishing fraud risk governance policies
  2. Performing a fraud risk assessment
  3. Designing and deploying fraud preventive and detective control activities
  4. Conducting investigations
  5. Monitoring and evaluating the total fraud risk management program

The role of data analytics in fraud risk management

I expect the guide particularly advocates the usage of data analytics within the second, third and fourth elements.

Data analysis can be used to examine massive volumes of data and activities within entire business processes in order to assess fraud risk and provide indicators of where the most likely risks of fraud exist. It can be used to detect instances in which fraud prevention controls have been bypassed or failed, as well as instances in which fraud has occurred and for which no controls were in place. In some circumstances, it can also be used to prevent fraud from occurring in the first place—primarily when analytics are run at the time of transaction entry and initial processing. All of these techniques can be performed on a one-off basis as needed, or as part of an ongoing continuous monitoring and risk assessment process.    

Incidentally, the existence of control and transaction monitoring can, itself, play a role in fraud prevention if management and employees are aware of it and so think twice before acting in a fraudulent way.

Data analysis can also be used very effectively in the investigation process in order to determine the circumstances of fraud and provide evidence of the full nature and extent.

Some similarities to internal audit usage…

When looking at the role of analytics in COSO’s five elements of fraud risk management, it struck me that they are actually very similar to the role of data analytics in various different stages of the internal audit process.

In this context, analytics can be used to assess risks to support decisions as to what audits to perform. When planning a specific audit, analytics provide direction on where to focus audit activities. They can be used to test controls and perform substantive audit procedures, as well as to investigate initial findings and to support and quantify audit reports that are provided to management. They can also be used to determine the effectiveness of management’s response to audit findings.

Which line of defense is responsible for fraud risk management analytics?

Clearly, there is considerable overlap between the use of data analytics in fraud risk management and internal audit. Of course, this is not surprising, as it really all comes down to the issue of who is performing the activities and with which responsibility.

Direct responsibility for fraud prevention and detection controls presumably lies primarily with business and financial management—the first line of defense. In some organizations, specific responsibility for fraud detection and compliance with fraud controls lies within specialist groups within the second line of defense. In others, it falls to internal audit. The most important thing—from an analytics perspective—is that someone is making use of data analytics and monitoring to address the risks and damaging effects of fraud.

Why is it taking so long for data analysis to shoulder a bigger workload?

COSO and its component professional bodies have been doing great work over the years in producing their risk management and control frameworks. Personally, for many years, I have been both surprised and disappointed that there has been so little specific mention of the role that data analytics and related technologies can play in relation to these frameworks. So, I can only be positive about the importance of COSO’s specific mention of the role of data analytics in their new Fraud Risk Management Guide.

I look forward to receiving my copy of the full guide and will let you know if I have missed anything in my thoughts on the role of analytics in dealing with fraud risks.
