Understanding COSO 2017 Enterprise Risk Management Framework and Internal Control Model 


Fraud has adverse impacts on institutions in various ways: financial, operational, reputational and even psychological. It also results in a loss of man-hours, as a significant amount of time is spent on fraud investigation.

Fraud could impair the going concern of an entity, as such an occurrence could damage client relationships and have an irreparable financial impact. Although the financial losses, which are measurable, could be substantial, the overall impact of a fraud occurrence could be unquantifiable and devastating to organizations.

A significant step in fraud prevention and detection is the creation of a functional internal control system and internal audit function. It is therefore imperative for the Management of organizations to develop a strong internal control system, while the internal audit function is tasked with the responsibility of periodically evaluating the adequacy and operating effectiveness of the established controls.

The Institute of Internal Auditors’ (IIA’s) International Professional Practices Framework (IPPF) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes”. This indicates that Internal Audit is vital to the corporate governance structure of any organization. Therefore, the internal audit function plays an important role in the prevention and detection of fraud.


Fraud is defined as the intentional false representation or concealment of a material fact for the purpose of inducing another to act upon it to his or her injury (as defined by the American Institute of Certified Public Accountants).

Fraud includes all forms of anomalies implemented with an aim to deceive or misrepresent the facts. The IIA’s International Professional Practices Framework (IPPF) defines fraud as “any illegal act characterized by deceit, concealment, or violation of trust. These acts are not dependent upon the threat of violence or physical force. Frauds are perpetrated by parties and organizations to obtain money, property, or services; to avoid payment or loss of services; or to secure personal or business advantage.”

According to Murdock (2008:81), to prevent fraud, internal auditors should understand why people commit it. The Fraud Triangle, a model developed by Donald Cressey, an expert on the sociology of crime, has been used for many years to assess the three drivers of fraud: pressure, opportunity, and rationalization. Incidences of fraud have been on the rise in organizations; this could be traced largely to economic issues which lead individuals to feel pressured, identify opportunities for fraud and finally rationalize the perpetration of the fraudulent activities.

[Figure: The Fraud Triangle]


Fraud can be considered a cancer in any organization, as it impedes performance and exposes organizations to reputational and financial losses.

The responsibility for fraud prevention is split between the Management and the Audit Committee/Internal Auditors. Management is therefore charged with the responsibility of ensuring proper internal controls are in place to prevent, detect and mitigate fraud incidences.

Internal Audit Responsibility

Internal audit supports management by assessing the effectiveness of the controls put in place. This support aids the prevention and detection of fraud.

Prevention: Murdock (2008:81) states that the best way to address fraud is to prevent it, because the costs and complexities involved increase significantly after fraudulent activities are committed. Internal auditors assess systems for potential fraud risks, evaluate the effectiveness of established controls, and make recommendations for improvement. This is done by following an audit plan and conducting tests. According to Khetan (2018), internal auditors can assist management in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of internal controls. In addition, they may assist management in establishing effective fraud prevention measures by knowing the organization’s strengths and weaknesses and providing consulting expertise.

Detection: “Internal auditors are often in a better position to detect the symptoms that accompany fraud as they usually have a continual presence within the organization, providing them with a better understanding of the organization and its control systems” (Khetan 2018).

According to Mousa (2017), auditors auditing cases of fraud must be aware of the basic requirements of the detection of fraud. These basic requirements are:

1. Specification of the fraud risk in the organization through the examination of the control and operational environment to determine the categories and methods of fraud;

2. Evaluation of fraud risk;

3. Examination of risks and their occurrence from the perspective of the perpetrator of fraud in order to determine what the control methods are and the manipulation methods that cause the occurrence of fraud;

4. Full understanding of fraud indicators and the data that may include these indicators; and

5. Readiness for the occurrence of any fraud cases as a result of the indicators, as well as knowledge of how to search for these indicators in the data.

He further stated that when these requirements are fulfilled, it is easy to deter perpetrators, to investigate and report the detected cases, and to develop control methods to detect the repetition of such cases.

The IIA Standards for the Professional Practice of Internal Auditing relating to the internal auditor’s role in detecting, preventing, and monitoring fraud risks include:

IIA Standard 1200: Proficiency and Due Professional Care, 1210.A2 – Internal auditors must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization, but are not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

IIA Standard 2120: Risk Management, 2120.A2 – The internal audit activity must evaluate the potential for the occurrence of fraud and how the organization manages fraud risk.

IIA Standard 2210: Engagement Objectives, 2210.A2 – Internal auditors must consider the probability of significant errors, fraud, noncompliance, and other exposures when developing the engagement objectives.

Corama, Ferguson and Moroney (2006) suggested that organizations with an internal audit function are more likely to detect and report fraud than those without one. This suggests that internal audit is a veritable source of fraud prevention.

Mousa (2017) asserted that the role of internal audit can be summed up as the evaluation of how sufficient the fraud risk management in the organization is, through asking the following questions:

1. Do the Board of Directors and the Audit Committee have clear responsibilities regarding the fraud risk management?

2. Does the organization have a clear anti-fraud strategy, for example a policy that coordinates the ongoing activities to reduce and detect fraud?

3. Does the organization conduct thorough background examinations of potential new employees? Are investigations and inspections conducted for employees who are promoted to higher positions?

4. Is there a process for the documentation of registration, tracking and response to all the allegations or suspicions of a crime (for example reporting violations and fraud hotline)?

5. Is there a regular evaluation of the orientations, incentives, pressures and opportunities to commit the crime across the organization?

6. Does the organization have categorization for the potential fraud and its effect on the organization through an evaluation of all the types of fraud risk including bribery and money laundering?

7. Does the organization evaluate whether the risks are reduced through the existing internal control methods and evaluate the design and effectiveness of such methods (for example, powers, credit, separation of duties, etc.)?

8. Are there effective channels to enhance the flow of quality information, whether top down or vice versa, across the organization?

9. Are training and awareness of cases of fraud and corruption for all employees provided? Is the training regularly held and promoted in the organization?

10. Are there sufficient, regular and ongoing procedures to ensure that Senior Management has taken into consideration how effective the control environment and risk assessment are, and how much modification or updating the control methods that reduce fraud risk may need?


This article seeks to highlight the role of the internal audit function in fraud prevention and detection. From the foregoing, it can be stated, without reservations, that organizations need an internal audit function for efficiency in running their business operations.
