Fraud, Waste and Abuse Defined by the Oregon Secretary of State
The Fraud Triangle

This image shows a blue triangle labeled as the fraud triangle. On top of the triangle is the word opportunity. On the left point of the triangle is the word pressure. On the right point of the triangle is the word rationalization.

By reducing opportunity, greater pressure and rationalization are needed to commit fraud.


COSO Fraud Risk Management Principles (2016)

The image is divided into two sections: on the left, the COSO framework components and principles, and on the right, the fraud risk management principles. The left side has five sections: control environment in yellow, risk assessment in green, control activities in blue, information & communication in purple, and monitoring activities in black. Each lists its principles as follows.

Control environment:
1) The organization demonstrates a commitment to integrity and ethical values.
2) The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control.
3) Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in pursuit of objectives.
4) The organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
5) The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives.

Risk assessment:
6) The organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives.
7) The organization identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed.
8) The organization considers the potential for fraud in assessing risks to the achievement of objectives.
9) The organization identifies and assesses changes that could significantly affect the system of internal control.

Control activities:
10) The organization selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
11) The organization selects and develops general control activities over technology to support the achievement of objectives.
12) The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.

Information & communication:
13) The organization obtains or generates and uses relevant, quality information to support the functioning of internal control.
14) The organization internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control.
15) The organization communicates with external parties regarding matters affecting internal control.

Monitoring activities:
16) The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning.
17) The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors as appropriate.

The five control environment principles point to number one under the fraud risk management principles, which reads: The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.

The risk assessment principles point to number two in the right section, which reads: The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks, assess their likelihood and significance, evaluate existing fraud control activities, and implement actions to mitigate residual fraud risk.

The control activities principles point to number three: The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.

The information & communication principles point to number four: The organization establishes a communication process to obtain information about potential fraud and deploys a coordinated approach to investigation and corrective action to address fraud appropriately and in a timely manner.

The monitoring activities principles point to number five, which reads: The organization selects, develops, and performs ongoing evaluations to ascertain whether each of the five principles of fraud risk management is present and functioning, and communicates fraud risk management program deficiencies in a timely manner to parties responsible for taking corrective action, including senior management and the board of directors.


Figure 1. Ongoing, Comprehensive Fraud Risk Management Process. A gray arrow goes in a circle, starting at the top and passing behind five green boxes, moving to the right initially. The boxes read as follows: Establish a fraud risk management policy as part of organizational governance. Perform a comprehensive fraud risk assessment. Select, develop, and deploy preventive and detective fraud control activities. Establish a fraud reporting process and coordinated approach to investigation and corrective action. Monitor the fraud risk management process, report results, and improve the process. After the fifth box the arrow points back to the first box, completing the circle.

"How might a fraud perpetrator exploit weaknesses in your system of controls?
How could a perpetrator override or circumvent controls?
Who might have a motive or incentive to commit fraud?
Given identified fraud risks, which controls are critical to preventing fraud?
What controls might be subject to fraudulent attacks?"
- COSO "Fraud Risk Management Guide", 2016


Exhibit 1.1 Internal Audit Roles in Fraud Awareness. Three boxes are positioned above a circle, with arrows pointing down to the circle. The boxes are labeled educator, facilitator, and assessor from left to right. The circle they point to is labeled fraud awareness.