
Internal Control Frameworks and Control Design

Internal control frameworks provide the structured basis for evaluating whether an organisation's controls can prevent or detect occupational fraud. This topic covers the COSO Integrated Framework, COBIT for IT controls, the components of the control environment, and the distinction between preventive and detective controls across transaction cycles.


Internal control frameworks are the structured models that define what a system of internal controls should contain, how its components relate to each other, and how that system can be evaluated for design adequacy and operating effectiveness. The two frameworks most relevant to fraud examination are the COSO Internal Control Integrated Framework, which applies across financial reporting, operations, and compliance, and COBIT, which addresses IT governance and control. Both provide forensic auditors with a consistent vocabulary and a structured checklist for identifying where controls are absent, poorly designed, or circumvented. When a fraud occurs, a gap in the framework almost always explains how the scheme persisted and for how long.

The COSO framework, maintained by the Committee of Sponsoring Organizations of the Treadway Commission, was first published in 1992 and substantially updated in 2013. Its five components (control environment, risk assessment, control activities, information and communication, and monitoring activities) map directly onto the conditions that allow occupational fraud to occur. A weak control environment supplies the rationalisation and much of the opportunity that the fraud triangle describes. Absent control activities in a specific transaction cycle supply the method. Inadequate monitoring explains why the scheme continued rather than being caught early.

Control design assessment is distinct from testing operating effectiveness. A forensic auditor evaluating a fraud engagement first determines whether controls were designed to address the identified risk, then whether those controls actually operated, and finally whether a rational actor could circumvent them. All three layers contribute to the forensic conclusion. A control that was well-designed but never operated is an implementation failure. A control that operated but was easy to override by a manager with elevated access is a design failure. The distinction matters for both the fraud narrative and the remediation advice.

By the end of this topic you will be able to:

  • Describe the five components of the COSO Integrated Framework and explain what each contributes to fraud prevention and detection.
  • Distinguish between preventive and detective controls and give examples of each across common transaction cycles such as accounts payable, payroll, and revenue.
  • Explain the role of COBIT in evaluating IT general controls and identify which COBIT domains are most relevant to financial fraud risk.
  • Apply the COSO control environment component to assess tone at the top and identify cultural indicators of elevated fraud risk.
  • Map a specific control gap to the fraud triangle element it enables and articulate how the gap would appear in a forensic audit finding.
Key terms
COSO Integrated Framework
A framework for internal control published by the Committee of Sponsoring Organizations of the Treadway Commission, defining five interrelated components: control environment, risk assessment, control activities, information and communication, and monitoring activities. The 2013 update formalised 17 principles within the five components and is the version currently in use.
COBIT
Control Objectives for Information and Related Technologies, published by ISACA. A governance and management framework for enterprise IT that defines IT-specific objectives across one governance domain (Evaluate, Direct and Monitor) and four management domains: Align, Plan and Organise; Build, Acquire and Implement; Deliver, Service and Support; and Monitor, Evaluate and Assess. COBIT 2019 is the current version.
Control environment
The first and foundational component of the COSO framework. It encompasses the board's oversight, management's philosophy and operating style, organisational structure, commitment to competence, and human resource policies. It sets the tone that shapes every other component.
Preventive control
A control designed to stop an error or fraudulent act before it occurs. Examples include segregation of duties, mandatory authorisation limits, access restrictions, and pre-numbered documents. Preventive controls reduce fraud frequency but cannot guarantee zero occurrence.
Detective control
A control designed to identify an error or irregularity after it has occurred. Examples include bank reconciliations, exception reports, variance analysis, and internal audit reviews. Detective controls limit the duration and scale of losses rather than preventing them.
IT general controls (ITGCs)
Controls over the IT environment that support the reliable operation of application controls. Key categories include access management, change management, computer operations, and data integrity controls. Weaknesses in ITGCs can undermine the entire control framework built on top of automated systems.

The COSO Integrated Framework: Five Components

The COSO 2013 framework describes internal control as a process that provides reasonable assurance regarding the achievement of objectives in three categories: operations, reporting, and compliance. Its five components must all be present and functioning for the system to be considered effective. For forensic auditors, the framework functions as a diagnostic tool: each component, when evaluated, can reveal the specific conditions that allowed a fraud to occur or persist.

Component | What it addresses | Fraud-risk significance
--- | --- | ---
Control environment | Tone at the top, board oversight, ethics, HR policies | Sets whether fraud is culturally tolerated; the single strongest predictor of fraud risk
Risk assessment | Identification and analysis of risks to objectives, including fraud risks | Absent fraud risk assessment means specific schemes are never anticipated or addressed
Control activities | Policies and procedures that ensure directives are executed, including authorisations, reconciliations, and access controls | Missing or poorly designed activities create the specific opportunity mechanisms in each transaction cycle
Information and communication | Quality and timeliness of information; internal and external communication channels | Weak whistleblower channels and poor reporting inhibit fraud detection by employees
Monitoring activities | Ongoing and separate evaluations to determine whether controls are present and functioning | Absence of monitoring is why many frauds run for years before detection

The 2013 update added 17 principles, one or more associated with each component, that provide specific benchmarks. For example, Principle 8 states that the organisation considers the potential for fraud in assessing risks. This principle is directly relevant to forensic engagements: an auditor can ask whether management formally assessed fraud risk at all, and if not, can characterise the resulting control gaps as a design deficiency at the risk assessment component level.

The Control Environment in Detail

The control environment is described in the COSO framework as the set of standards, processes, and structures that provide the basis for carrying out internal control. It encompasses five principles: commitment to integrity and ethical values, board independence and oversight, organisational structures and assignment of authority, commitment to competence, and accountability for internal control responsibilities.

For a forensic auditor, evaluating the control environment means gathering evidence about how management actually behaves, not just what the code of conduct says. Indicators of a weak control environment include: ethics hotlines that are rarely used and never result in action, senior managers who routinely override controls without documentation, compensation structures that reward results without regard to how they are achieved, and audit committees that defer entirely to management on fraud risk. The ACFE's biennial Report to the Nations consistently finds that organisations with weak ethics cultures and absent anti-fraud programs suffer longer fraud durations and higher losses.

Tone at the top is an observable phenomenon. Forensic auditors look for evidence of it in board minutes, audit committee reports, whistleblower case logs, prior audit findings and management responses, and employee survey data. A pattern of management overrides that were never questioned by the board is evidence of a failed control environment. A history of retaliation against employees who raised concerns is evidence of a destroyed communication channel. These are not soft observations; they are documented facts that explain why a fraud scheme could run undetected.

Preventive versus Detective Controls Across Transaction Cycles

Control activities, the third COSO component, include both preventive and detective controls. The distinction is functional: preventive controls act before a transaction is completed, and detective controls act after. Effective fraud risk management requires both. Preventive controls reduce the number of fraudulent transactions that enter the accounting records. Detective controls identify those that do enter, limiting the period over which losses accumulate.

In the accounts payable cycle, preventive controls include vendor master file access restrictions (only designated staff can add or modify vendors), three-way matching of purchase order, receiving report, and invoice before payment, and dual-approval requirements for payments above defined thresholds. Detective controls include periodic vendor master file reviews for anomalies such as employee addresses, reconciliation of payables ledger to statements, and exception reports flagging payments to newly added vendors.

In the payroll cycle, preventive controls include segregation of duties between HR (who controls the employee master file) and payroll processing, mandatory supervisory approval of timesheets, and physical access controls to payroll systems. Detective controls include regular headcount reconciliations between HR records and payroll, comparison of payroll cost to budget by department, and review of terminated employees appearing in subsequent payroll runs.

Cycle | Preventive control example | Detective control example | Scheme addressed
--- | --- | --- | ---
Accounts payable | Three-way match before payment | Vendor master file anomaly review | Fictitious vendor payments
Payroll | HR/payroll segregation of duties | Ghost employee reconciliation | Ghost employee fraud
Revenue | Invoice raised only against a matched shipping document | Daily unmatched shipment/invoice report | Fictitious revenue / early recognition
Expense reimbursement | Manager approval with receipt requirement | Duplicate payment detection analytics | Personal expense padding
Cash and bank | Dual signature for wire transfers | Daily bank reconciliation | Unauthorised disbursements

A forensic auditor reviewing a payroll fraud will map the scheme back to the control framework: which preventive control should have stopped the ghost employee from being created, and which detective control should have identified the anomaly in subsequent payroll runs. Both gaps become findings in the forensic report and form the basis of remediation recommendations.
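The detective controls named in the accounts payable and payroll paragraphs above are, in practice, analytics run over master-file and transaction extracts. The following is an added example, not code from the page or from any audit tool, that implements four of them over constructed records: a vendor whose remit-to address matches an employee's home address, an invoice submitted and approved by the same person (or by the person who created the vendor), duplicate vendor/amount pairs, and payroll lines for people who are not in HR or who were paid after their termination date. The employee, vendor, invoice and payroll records, and their field names, are assumptions made for the illustration.

```python
"""Detective-control analytics for the AP and payroll cycles.

Added example; every record below is constructed for illustration and
mirrors the scenarios in the text (fictitious vendor, ghost employee,
duplicate payment, segregation-of-duties breach).
"""
from collections import Counter

# HR master file (constructed). E103 is the AP master-data administrator.
EMPLOYEES = [
    {"id": "E100", "name": "A. Rao",   "address": "12 Mill Lane", "status": "active",     "end_date": None},
    {"id": "E101", "name": "B. Shah",  "address": "7 Park Row",   "status": "active",     "end_date": None},
    {"id": "E102", "name": "C. Mehta", "address": "3 Bay St",     "status": "terminated", "end_date": "2024-03-31"},
    {"id": "E103", "name": "D. Khan",  "address": "55 Hill Ave",  "status": "active",     "end_date": None},
]

# Vendor master file (constructed): who created the record and where it pays.
VENDORS = [
    {"id": "V1", "name": "Apex Supplies",  "address": "90 Dock Rd",   "created_by": "E103"},
    {"id": "V2", "name": "Rao Consulting", "address": "12 mill lane", "created_by": "E100"},
]

# Approved invoices (constructed).
INVOICES = [
    {"id": "I1", "vendor": "V1", "amount": 1200.00, "submitted_by": "E101", "approved_by": "E100"},
    {"id": "I2", "vendor": "V2", "amount": 4800.00, "submitted_by": "E100", "approved_by": "E100"},
    {"id": "I3", "vendor": "V2", "amount": 4800.00, "submitted_by": "E100", "approved_by": "E101"},
    {"id": "I4", "vendor": "V1", "amount": 1200.00, "submitted_by": "E101", "approved_by": "E100"},
]

# April 2024 payroll run (constructed).
PAYROLL_RUN = [
    {"employee_id": "E100", "gross": 5000.0},
    {"employee_id": "E102", "gross": 4200.0},   # terminated 2024-03-31
    {"employee_id": "E999", "gross": 3900.0},   # no HR record at all
]


def normalise(addr: str) -> str:
    """Case- and whitespace-insensitive key so '12 Mill Lane' == '12 mill lane'."""
    return " ".join(addr.lower().split())


def vendor_address_matches(vendors, employees):
    """Vendors whose remit-to address equals an employee's home address."""
    by_addr = {normalise(e["address"]): e["id"] for e in employees}
    return [(v["id"], by_addr[normalise(v["address"])])
            for v in vendors if normalise(v["address"]) in by_addr]


def sod_conflicts(invoices, vendors):
    """Invoices where one person held two incompatible roles."""
    creator = {v["id"]: v["created_by"] for v in vendors}
    hits = []
    for inv in invoices:
        reasons = []
        if inv["submitted_by"] == inv["approved_by"]:
            reasons.append("submitter approved own invoice")
        if creator[inv["vendor"]] in (inv["submitted_by"], inv["approved_by"]):
            reasons.append("vendor creator submitted or approved invoice")
        if reasons:
            hits.append((inv["id"], reasons))
    return hits


def duplicate_payments(invoices):
    """Same vendor and amount paid more than once; each pair needs review."""
    counts = Counter((i["vendor"], i["amount"]) for i in invoices)
    return sorted(key for key, n in counts.items() if n > 1)


def ghost_employees(payroll, employees, run_date):
    """Payroll lines with no HR record, or paid after the HR termination date."""
    hr = {e["id"]: e for e in employees}
    flagged = []
    for line in payroll:
        rec = hr.get(line["employee_id"])
        if rec is None:
            flagged.append((line["employee_id"], "not in HR master"))
        elif rec["status"] == "terminated" and rec["end_date"] < run_date:  # ISO dates compare as strings
            flagged.append((line["employee_id"], "paid after termination"))
    return flagged


if __name__ == "__main__":
    print("vendor/employee address matches:", vendor_address_matches(VENDORS, EMPLOYEES))
    print("segregation-of-duties conflicts:", sod_conflicts(INVOICES, VENDORS))
    print("duplicate vendor/amount pairs:", duplicate_payments(INVOICES))
    print("ghost employee indicators:", ghost_employees(PAYROLL_RUN, EMPLOYEES, "2024-04-30"))
```

Each function returns the exceptions rather than a verdict: the analytic is the detective control, and the reviewer's disposition of each line (and the evidence that the review happened) is what later gets tested for operating effectiveness. Note that duplicate vendor/amount pairs include legitimate recurring charges, so that check produces a review list, not a fraud list.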

COBIT and IT General Controls

COBIT, now in its 2019 version and published by ISACA, is the internationally recognised framework for IT governance and management. Where COSO addresses the full scope of internal control, COBIT provides the specific governance and control objectives for the IT environment on which financial controls depend. For forensic auditors, COBIT is most relevant to evaluating IT general controls (ITGCs), because weaknesses in the IT environment can undermine every application-level control built on top of it.

The four IT general control domains most relevant to fraud risk are: access management (ensuring that only authorised users can access systems and data, and that access is promptly removed when employment ends), change management (ensuring that changes to financial systems are tested, approved, and documented, preventing unauthorised system modifications that could obscure transactions), computer operations (backup, recovery, and scheduling controls that ensure data integrity), and data integrity controls (ensuring that data in financial systems has not been altered outside normal processing channels).

COBIT's governance objectives also address the allocation of responsibilities between IT, finance, and business management. In many fraud cases, privileged IT access had been granted to finance staff who needed it to perform their duties, but the access was never reviewed or revoked as roles changed. COBIT's management objective for security services (DSS05, which includes managing user identity and logical access), cross-referenced with COSO's assignment-of-authority principle, provides the framework basis for treating this as a control deficiency rather than merely an IT administration oversight.
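The access-management failures described in the last two paragraphs (access not removed at termination, privileged access kept after a role change, accounts nobody owns) are what a periodic user access review is meant to surface. The following is an added example, not the page's or ISACA's code, of such a review run over a constructed HR extract, a constructed ERP account export and an owner-approved list of privileged role holders; the role names, usernames and dates are assumptions for the illustration, and the 90-day dormancy window is an assumed policy value.

```python
"""Quarterly user access review against HR data and approved privileged roles.

Added example with constructed data. It implements the ITGC access-management
checks named in the text: access not revoked at termination, privileged roles
kept after a role change, and accounts with no HR owner or no recent use.
"""
from datetime import date

PRIVILEGED_ROLES = {"SYS_ADMIN", "DB_ADMIN", "AP_VENDOR_MAINTAIN"}

# Role -> users the role owner approved at the last recertification (constructed).
APPROVED = {
    "SYS_ADMIN": {"u.it01"},
    "DB_ADMIN": {"u.it01"},
    "AP_VENDOR_MAINTAIN": {"u.ap01"},
}

# HR extract keyed by username (constructed). u.fin02 moved from IT to Finance.
HR = {
    "u.it01":  {"status": "active",     "dept": "IT",      "end_date": None},
    "u.ap01":  {"status": "active",     "dept": "AP",      "end_date": None},
    "u.fin02": {"status": "active",     "dept": "Finance", "end_date": None},
    "u.ex03":  {"status": "terminated", "dept": "AP",      "end_date": date(2024, 2, 15)},
}

# ERP account export (constructed).
ACCOUNTS = [
    {"user": "u.it01",    "roles": {"SYS_ADMIN", "DB_ADMIN"}, "enabled": True, "last_login": date(2024, 4, 28)},
    {"user": "u.ap01",    "roles": {"AP_VENDOR_MAINTAIN"},    "enabled": True, "last_login": date(2024, 4, 29)},
    {"user": "u.fin02",   "roles": {"DB_ADMIN", "GL_POST"},   "enabled": True, "last_login": date(2024, 4, 30)},
    {"user": "u.ex03",    "roles": {"AP_VENDOR_MAINTAIN"},    "enabled": True, "last_login": date(2024, 3, 3)},
    {"user": "svc.batch", "roles": {"GL_POST"},               "enabled": True, "last_login": date(2023, 9, 1)},
]

REVIEW_DATE = date(2024, 4, 30)   # date the review is performed (assumed)


def review_access(accounts, hr, approved, review_date, dormant_days=90):
    """Return (user, finding) pairs for the access reviewer to disposition."""
    findings = []
    for acct in accounts:
        user = acct["user"]
        rec = hr.get(user)
        if rec is None:
            findings.append((user, "no HR record (service or orphan account)"))
        elif rec["status"] == "terminated" and acct["enabled"]:
            lag = (review_date - rec["end_date"]).days
            findings.append((user, f"still enabled {lag} days after termination"))
        # Every privileged role must be on the role owner's approved list.
        for role in sorted(acct["roles"] & PRIVILEGED_ROLES):
            if user not in approved.get(role, set()):
                findings.append((user, f"privileged role {role} not on approved list"))
        # Dormant but enabled accounts widen the attack surface for no business benefit.
        if acct["enabled"] and (review_date - acct["last_login"]).days > dormant_days:
            findings.append((user, f"no login for more than {dormant_days} days"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR, APPROVED, REVIEW_DATE):
        print(f"{user:10s} {finding}")
```

The review is only a detective control if its output is acted on: the evidence a forensic auditor later looks for is the dispositioned list (who approved keeping each privileged role, when the terminated account was disabled), not the script. The comparison against an owner-approved list is what catches the role-change case in the text, where the account is valid and active but the privilege is no longer justified.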

Control Design versus Operating Effectiveness

Forensic auditors distinguish between control design and operating effectiveness because they yield different conclusions about fraud causation. A control is well-designed if, assuming it operates as described, it would prevent or detect a material misstatement or fraud. A control is operating effectively if it has actually been applied consistently by competent personnel over the evaluation period. Both can fail independently.

Design deficiencies are found by reading the control description and asking whether the control, if it worked as described, could address the risk. A control that requires manager approval for all journal entries above a threshold is not designed to address journal entries below the threshold, regardless of how consistently it is applied. An access control that restricts payment creation but allows the same user to also approve payments is not designed to achieve segregation of duties, because the risk is the single point of authority, not the access itself.

Operating effectiveness deficiencies are found by testing whether the control was actually applied. Evidence includes approvals that were granted without review, reconciliations prepared but never reviewed, exception reports generated but ignored, and access control lists that had not been updated for years. These failures explain why a well-designed control did not catch a fraud. In a forensic engagement, evidence of systematic non-operation of a control is relevant both to the fraud narrative and to potential liability of those responsible for operating or supervising the control.

Some controls are inherently vulnerable to override by management. A forensic auditor evaluating anti-fraud controls must assess not only whether the control exists but whether a perpetrator of the type under investigation could have bypassed it. COSO Principle 8 requires the organisation to consider the potential for fraud, including management override of controls, when assessing risks, and Principle 10 requires it to select and develop control activities that mitigate the risks so assessed. Where those principles have not been implemented, the fraud auditor documents the gap as a risk assessment and control activity deficiency and, if management override was the actual mechanism, as a control environment deficiency as well.
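The journal-entry approval control discussed above is a convenient place to show the two kinds of test side by side. The following is an added example, not code from the page, that takes a constructed journal extract and runs two checks against an assumed control ("entries at or above 10,000 need approval by someone other than the preparer, before posting"). The first check tests operating effectiveness: for entries the control covers, was an approval recorded, by a different person, before posting. The second tests the design gap the text describes: the control never looks at sub-threshold entries, so it aggregates unapproved entries by preparer, account and day to show what the control as designed cannot see. The threshold, account codes and entries are assumptions for the illustration.

```python
"""Testing a journal-entry approval control for design and for operation.

Added example with constructed entries. Control under test (assumed):
entries at or above APPROVAL_THRESHOLD need approval by someone other than
the preparer, recorded before the entry is posted.
"""
from collections import defaultdict

APPROVAL_THRESHOLD = 10_000.0   # assumed policy value

# Constructed journal extract. Timestamps are ISO strings, which compare lexically.
JOURNAL = [
    {"id": "JE1", "preparer": "p1", "approver": "m1", "account": "5200", "amount": 15000.0,
     "posted": "2024-04-02T10:00", "approved_at": "2024-04-02T09:30"},
    {"id": "JE2", "preparer": "p1", "approver": "p1", "account": "5200", "amount": 25000.0,
     "posted": "2024-04-03T14:00", "approved_at": "2024-04-03T13:50"},
    {"id": "JE3", "preparer": "p2", "approver": "m1", "account": "6100", "amount": 12000.0,
     "posted": "2024-04-03T11:00", "approved_at": "2024-04-05T08:00"},
    {"id": "JE4", "preparer": "p2", "approver": None, "account": "6100", "amount": 11000.0,
     "posted": "2024-04-04T09:00", "approved_at": None},
    {"id": "JE5", "preparer": "p3", "approver": None, "account": "6100", "amount": 9800.0,
     "posted": "2024-04-10T09:00", "approved_at": None},
    {"id": "JE6", "preparer": "p3", "approver": None, "account": "6100", "amount": 9700.0,
     "posted": "2024-04-10T09:05", "approved_at": None},
    {"id": "JE7", "preparer": "p3", "approver": None, "account": "6100", "amount": 9900.0,
     "posted": "2024-04-10T09:10", "approved_at": None},
    {"id": "JE8", "preparer": "p4", "approver": None, "account": "7000", "amount": 500.0,
     "posted": "2024-04-11T16:00", "approved_at": None},
]


def operating_exceptions(journal, threshold=APPROVAL_THRESHOLD):
    """Entries inside the control's scope that were not handled as designed."""
    out = []
    for je in journal:
        if je["amount"] < threshold:
            continue                      # outside the control's scope by design
        if je["approver"] is None:
            out.append((je["id"], "no approval recorded"))
        elif je["approver"] == je["preparer"]:
            out.append((je["id"], "preparer approved own entry"))
        elif je["approved_at"] > je["posted"]:
            out.append((je["id"], "approved after posting"))
    return out


def threshold_splitting(journal, threshold=APPROVAL_THRESHOLD):
    """Sub-threshold unapproved entries that together reach the threshold.

    Grouped by preparer, account and posting date. The control as designed
    never inspects these entries, so a hit here is evidence of a design gap,
    not of an operating failure.
    """
    groups = defaultdict(list)
    for je in journal:
        if je["amount"] < threshold and je["approver"] is None:
            groups[(je["preparer"], je["account"], je["posted"][:10])].append(je)
    return [(key, round(sum(j["amount"] for j in entries), 2), [j["id"] for j in entries])
            for key, entries in sorted(groups.items())
            if sum(j["amount"] for j in entries) >= threshold]


if __name__ == "__main__":
    print("operating effectiveness exceptions:", operating_exceptions(JOURNAL))
    print("sub-threshold splitting (design gap):", threshold_splitting(JOURNAL))
```

The two result sets lead to different findings. JE2, JE3 and JE4 are operating failures of a control that, as described, would have worked; the remediation is procedural or a monitoring control over approvals. The p3 group is not a failure of the approval control at all, because the control never applied to those entries; the remediation is a redesigned control, for example aggregating a preparer's entries per day before applying the threshold.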

Control Framework Findings in a Forensic Report

A forensic report does not merely describe the fraud scheme. It explains the conditions that made the scheme possible, and those conditions are almost always expressible as control framework findings. A framework-based finding has four elements: the standard (what the framework says should be in place), the condition (what was actually in place or absent), the cause (why the gap exists), and the effect (how the gap contributed to the fraud).

Consider a fictitious vendor fraud. The scheme involved an employee adding a shell company to the vendor master file and submitting invoices that were approved by the same employee's direct supervisor without independent verification. The framework finding would be: Standard: COSO Principle 10 requires that control activities include segregation of duties and appropriate authorisations. Condition: a single employee controlled vendor creation and invoice submission; approval was performed by a supervisor with no visibility to the vendor registration process. Cause: the accounts payable policy had not been updated since the migration to the new ERP system, and the old segregation had not been replicated. Effect: the employee was able to create a fictitious vendor and direct approximately USD 340,000 in fraudulent payments over 18 months without any automated or manual control identifying the anomaly.

Remediation recommendations flow directly from the finding. Each design deficiency requires a redesigned control. Each operating effectiveness deficiency requires either a revised procedure or a monitoring control to ensure the original control is consistently applied. Enforcement and professional guidance generally expect a complete fraud examination to address remediation: the UK Serious Fraud Office's guidance on corporate co-operation, US Department of Justice guidance on corporate co-operation and compliance programmes, and the ACFE's professional standards for Certified Fraud Examiners all treat remediation as part of the response to a fraud. In India, auditor fraud-reporting obligations under the Companies Act 2013 and the Institute of Chartered Accountants of India's forensic accounting and investigation standards similarly lead to remediation observations being included in formal reports.

See Predication and Engagement Planning for how control framework assessment fits within the overall forensic engagement structure, and Evidence Gathering Methods in Fraud Examinations for the methods used to gather evidence of both design and operating deficiencies.

Check your understanding

Which component of the COSO Integrated Framework sets the cultural and ethical tone that shapes all other control components?

Key Takeaways

  • The COSO 2013 framework defines internal control through five components: control environment, risk assessment, control activities, information and communication, and monitoring. Each component maps directly to conditions that enable or sustain occupational fraud.
  • The control environment is the foundation layer. A weak control environment, characterised by poor tone at the top, absent board oversight, or ethics policies that are written but not enforced, is the strongest single predictor of elevated fraud risk and prolonged fraud duration.
  • Preventive controls stop fraud before it enters the accounting records; detective controls identify it after the fact. Both are necessary. Preventive controls reduce frequency; detective controls limit loss duration. A gap in either creates an exploitable window.
  • COBIT provides the IT-specific governance framework underlying financial controls. Weaknesses in IT general controls, particularly in access management and change management, can nullify application-level controls and are a primary enabler in technology-assisted fraud.
  • Forensic audit findings are expressed as the gap between the framework standard and the actual condition, with cause and effect. Remediation recommendations address design deficiencies with redesigned controls and operating effectiveness deficiencies with revised procedures or independent monitoring.
What is the COSO Internal Control Integrated Framework?
The COSO Integrated Framework, published by the Committee of Sponsoring Organizations of the Treadway Commission, defines internal control through five components: control environment, risk assessment, control activities, information and communication, and monitoring activities. It is the most widely referenced framework for evaluating the design and operating effectiveness of internal controls in financial reporting contexts worldwide.
What is the difference between preventive and detective controls?
Preventive controls stop an error or fraud before it occurs, for example segregation of duties or access restrictions. Detective controls identify errors or irregularities that have already occurred, for example reconciliations, exception reports, and variance analysis. Forensic auditors evaluate both types because effective fraud risk management requires both layers: prevention reduces frequency and detection limits loss duration.
How does COBIT differ from COSO in an internal control context?
COSO addresses internal control broadly across financial reporting, operations, and compliance objectives. COBIT, published by ISACA, is specifically focused on governance and management of enterprise IT. In a fraud examination, COBIT is applied to evaluate IT general controls such as access management, change management, and IT operations, which underlie the integrity of financial systems on which COSO-based controls depend.
What is the control environment and why does it matter to fraud risk?
The control environment is the foundation layer of the COSO framework. It encompasses tone at the top, the board's oversight role, management's philosophy and operating style, organisational structure, assignment of authority, and human resource policies. A weak control environment signals to employees that ethical shortcuts are tolerated, which is the single strongest predictor of elevated fraud risk in the ACFE's occupational fraud research.
How does a forensic auditor use control framework findings in an engagement?
A forensic auditor maps identified control gaps to the transaction cycles where fraud has occurred or is suspected. A gap in the control environment explains why fraud persisted without detection. A gap in control activities, such as missing authorisation controls in the accounts payable cycle, explains the specific scheme mechanism. Framework findings become part of the evidence base supporting the fraud hypothesis and the remediation recommendations in the final report.
