Coalfire has found that many SOC 2 clients struggle with addressing COSO Principle 8 (fraud risk considerations) because they innately think only about financial fraud risks. Many clients do not understand that fraud risks depend on the nature of the business and the environment in which the business operates and as such they do not extend their paradigm to consider non-financial fraud risks.
There are several points of focus1 (POFs) included in COSO Principle 8 that represent the important characteristics of addressing fraud to help users apply the criteria. These POFs include:
TSC Ref. #
Points of Focus
COSO Principle 8: The entity considers the potential for fraud in assessing risks to the achievement of objectives.
- Considers Various Types of Fraud—The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur.
- Assesses Incentives and Pressures—The assessment of fraud risks considers incentives and pressures.
- Assesses Opportunities—The assessment of fraud risk considers opportunities for unauthorized acquisition, use, or disposal of assets, altering the entity’s reporting records, or committing other inappropriate acts.
- Assesses Attitudes and Rationalizations—The assessment of fraud risk considers how management and other personnel might engage in or justify inappropriate actions.
- Considers the Risks Related to the Use of IT and Access to Information—The assessment of fraud risks includes consideration of threats and vulnerabilities that arise specifically from the use of IT and access to information.
Let’s dive deeper into understanding the guidance provided for COSO Principle 8.
When ‘risks related to fraud’ is brought up, organizations sometimes infer that considerations of fraud risk only apply to financial reporting, regulatory and legal misconduct, and reputation risk. By this inference, organizations fail to take ownership of relevant fraud risks because there is some misunderstanding of which fraud risks are relevant to the organization.
The risk owners at an organization (typically the business and operational leaders) have the responsibility for identifying, measuring, monitoring, controlling, and reporting on risks related to fraud to the company’s executive management as established by the corporate risk framework.
As part of its risk assessment process, a company should have a corporate-level integrated risk management process whereby it maintains a comprehensive risk assessment showing integrated risk functions and common processes across the entire enterprise, including the business units. This integrated risk assessment process should be tied to the risk assessments performed at the business unit level and should be updated continuously based on new technologies, system changes, new risks, new threats, new services, and new products. The company can then identify and consolidate processes, functions, and technologies that support the risk management process.
Factors influencing the risk of fraud
Fraud can come from both internal and external sources and the primary factors that influence fraud depend on the nature of the business and its operating environment. Internally, this could be abuse of privileged access permissions, misappropriation of physical/virtual assets, system misuse, or corruption. Externally, this could be third-party vendor or consumer fraud or other third-party risk exposures such as hackers obtaining and exploiting company or customer-sensitive information, impacting the organization’s ability to fulfill its objectives, commitments, and system requirements.
An organization may provide services that may impact the financial statements of the consumer organization, therefore one of the things audit firms would expect to see from the organization for the purpose of a SOX or SOC 1 engagement is a risk assessment that considers the risks of fraud covering financial reporting. For the purpose of a SOC 2 engagement, the focus is on security, availability, processing integrity, confidentiality, or privacy controls that support the service and affect the consumers of the organization’s service. As such, when evaluating the fraud risks that may impact the achievement of an organization’s objectives, organizations should also consider the non-financial fraud risks including the information technology fraud risks the organization faces. This exercise should be a component of or integrated with the organization’s enterprise risk management program.
Purpose for considering the potential of fraud
According to the AICPA Guide “SOC 2 – SOC for Service Organizations: Trust Services Criteria”, fraud is described as “an intentional act involving the use of deception that results in a misstatement in the subject matter or the assertion.” The potential for fraud is considered when identifying which activities, controls, and processes are most susceptible or vulnerable and could affect an organization’s objectives, commitments, and system requirements resulting “in a misstatement in the subject matter or the assertion.”
Benefits of incorporating considerations for fraud in a risk assessment
- Identifying the organization’s objectives that fraud risk may impact
- Identifying the business activities and processes that are most vulnerable to fraud risks
- Identifying the key roles which expose the organization to fraud risks
- Identifying compensating controls and remediation activities that mitigates fraud risks
- Identifying opportunities to reduce the impact of residual fraud risks
Examples of non-financial fraud risks
- Misappropriation of company assets (physical or logical)
- (Authorized/Unauthorized) logical access to systems or data for personal gain
- Access to audit logs or other monitoring tools used to detect problems
- Changes to system programs or data for personal gain
- Activities by independent contractors that could perpetrate fraud
- Fictitious vendors and/or customers
Steps an organization can take to incorporate considerations for fraud in their risk assessment
- Establish a fraud risk governance policy
- Identify fraud risks
- Identify the organization’s objectives the fraud risks may impact
- Identify likelihood and impact of each risk
- Identify the owners of the fraud risks
- Map existing controls in place to address the fraud risks and identify any gaps.
- Identify compensating controls and/or remediation activities for any gaps identified
- Identify controls and/or measures to mitigate any residual risks
- Via control self-assessments, test the operating effectiveness of the fraud prevention, detection and response controls
A service auditor can likely infer that an organization has controls in place to address fraud risk, however the onus is on the organization to identify the activities and processes within the organization which are the most vulnerable to fraud. If the organization is providing services that may have an impact on the financial statements of consumer organizations, then the service auditor would expect to see a fraud risk assessment covering financial reporting. If the organization is providing services that affect the non-financial reporting controls of consumers of the organization's services, then consideration of non-financial fraud risks including information technology fraud risk exposures are more relevant. Remember to not only consider the nature of the business and the environment in which the business operates, but the individuals who can commit fraud. After all, individuals commit fraud, systems and processes do not. At the end of the day consumers of the service will take greater comfort knowing that a service organization is including considerations for fraud in its enterprise risk management program. It all ties back to risk.
1 The points of focus in TSP Section 100 replaced the “illustrative controls” from TSP Section 100A and are intended to provide guidance about important characteristics of the criteria for management to consider when designing, implementing, and operating controls. The points of focus may also assist management and the service auditor in evaluating the suitability of the design and operating effectiveness of controls to meet the relevant trust services criteria.