Keeping With The Times: Preparing for the updated Fraud Risk Management Guide

The Fraud Risk Management Guide has provided valuable guidance to fraud examiners, company leaders and other professionals since it was published five years ago. Now, the Committee of Sponsoring Organizations of the Treadway Commission and the ACFE — the guide’s creators — will incorporate users’ feedback to produce a stronger, updated edition.

Most CFEs are familiar with the Fraud Risk Management Guide (FRMG), which the Committee of Sponsoring Organizations of the Treadway Commission (COSO) and the ACFE jointly published in 2016. The FRMG includes more than just information on how to perform fraud risk assessments — it also provides guidance on how fraud risk management programs work.

Given its comprehensive nature, the FRMG quickly gained recognition for its best practices in preventing, detecting and deterring fraud. Business professionals around the world continue to use the FRMG widely.

The methods and means of fraud are constantly changing and evolving, of course — as are the ways to combat them. In May, the chair of COSO, Paul Sobel, reached out to the ACFE and suggested the two organizations collaborate on an updated version of the FRMG, and the ACFE agreed. Both groups want the FRMG to be current and remain relevant in a rapidly changing fraud risk landscape. The ACFE, which has always had a lead role in determining best practices, wants to hear from CFEs and anti-fraud professionals like you to ensure the FRMG refresh will be effective.

Quick recap on FRMG

The COSO/ACFE FRMG is an authoritative source of guidance on how to assess and manage fraud risk using the COSO framework as a roadmap. According to John Gill, J.D., CFE, the ACFE’s vice president of education, the guide had its genesis when David Cotton, CFE, CPA, CEO of Cotton & Company (a CPA firm), reached out to Gill and said he believed there was a need to provide anti-fraud professionals with more guidance on 2013 COSO Internal Controls Framework Principle 8, which states, “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” (See “Fraud Risk Management Guide, Executive Summary,” COSO, September 2016, and “The 2013 COSO Framework & SOX Compliance.”)

However, beyond just risk assessment, the FRMG was organized around five key principles that also map to the five internal control components COSO established in 1992 and then expanded in 2013, as part of its Integrated Framework, to incorporate 17 principles. [See “Internal Control — Integrated Framework (2013),” COSO.]

As stated in the FRMG, “The guide’s five fraud risk management principles fully support, and are entirely consistent with, and parallel the 2013 COSO Framework’s 17 internal control principles.” As the FRMG depicts, the fraud risk management principles and the 2013 COSO Framework’s internal control components and principles are integrated with one another. (See table on page 9.)

Thomas Jefferson wrote, “In matters of style, swim with the current; in matters of principle, stand like a rock.” This statement accurately captures the spirit of this update. The five key fraud risk management principles mentioned above will indeed stay the same — they’re like rocks. However, the approach, regulations, technologies and business trends (or style) as to how companies deliver on the principles have changed significantly over the past five years. With your valued input, the FRMG Refresh Task Force looks forward to making important updates to reflect best practices. 

Key areas for updates 

Once again, David Cotton is spearheading the update, and many of the original authors of the 2016 FRMG (including myself) are on the Refresh Task Force. Cotton said the task force “will update the guide in several ways, most notably with respect to advances in data analytics. We’ll also try to add focus related to recent legal and regulatory developments as well as some recent trends related to fraud, such as pandemic relief, cyber and other major threats. The Refresh Task Force will welcome any and all suggestions from users.” 

Explaining how fraud risk management relates to and supports fraud deterrence is one of COSO’s key missions. In that spirit, some of the topics the Refresh Task Force is addressing include the following (but the team isn’t limiting itself to only these topics): 

  • Updating and expanding information related to the use of data analytics as an integral part of each of the five fraud risk management principles.
  • Explaining how internal controls and fraud risk management are related and support each other but are also different in some important respects.
  • Adding updated information about recent legal and regulatory developments pertaining to fraud and fraud risk management, such as the Department of Justice’s Evaluation of Corporate Compliance Programs, the Government Accountability Office’s “A Framework for Managing Fraud Risks in Federal Programs” and the U.S. Congress’s Fraud Reduction and Data Analytics Act of 2015.
  • Expanding and updating information on the importance of fraud reporting systems (hotlines) in detecting, preventing and thus deterring fraud.
  • Adding information pertaining to emerging fraud risk arenas, including cybersecurity and cyberfraud (blockchain and cryptocurrency and ransomware), as well as COVID-19 response efforts (CARES Act and related programs, remote-working and hybrid-working environments).
  • Expanding the FRMG’s list of fraud exposures. 

This article was originally published in Fraud Magazine in December 2021.