Ethics has a role in the discussion of internal controls and fraud management. The Association of Certified Fraud Examiners (ACFE) began a project in 2022 to map its fraud risk management best practices based on the 2013 Internal Control—Integrated Framework from the Committee of Sponsoring Organizations of the Treadway Commission (COSO), of which IMA® (Institute of Management Accountants) is a founding member. COSO was formed as a response to the corporate fraud and financial scandals of the 1970s and 1980s, and its first major project was the development of the Internal Control—Integrated Framework, which was released in 1992. It provided a common definition of internal controls and established a comprehensive framework for evaluating internal control systems.


In 2004, the COSO Enterprise Risk Management—Integrated Framework (ERM Framework) debuted, expanding the focus on internal controls to include ERM. Many organizations still use it to evaluate their risk management systems. In 2013, COSO released an updated version of the Internal Control—Integrated Framework (COSO 2013 Framework) to reflect changes in the business environment. This framework is still widely used for assessing the effectiveness of the design and operation of internal control over financial reporting, as required by the Sarbanes-Oxley Act of 2002.


The COSO 2013 Framework consists of five internal control components: control environment, risk assessment, control activities, information and communication, and monitoring activities. They comprise 17 foundational principles, the details of which can be found in the COSO 2013 Framework’s Executive Summary.




The ACFE published its Fraud Risk Management Guide in 2016. Both the ACFE and IMA have an interest in promoting best practices related to internal controls, ethics, and fraud mitigation. The ACFE risk guide and the IMA Statement of Ethical Professional Practice can be applied to the COSO 2013 Framework.


The first COSO 2013 Framework component, control environment, aligns with the ACFE’s first fraud risk management principle that “The organization establishes and communicates a fraud risk management program that demonstrates the expectations of the board of directors and senior management and their commitment to high integrity and ethical values regarding managing fraud risk.”


This alignment is further supported and reinforced by the third standard of the IMA Statement, integrity, which consists of four duties:


1. Mitigate actual conflicts of interest and avoid apparent conflicts of interest. 

2. Don’t engage in any conduct that would prejudice carrying out duties ethically.

3. Abstain from any activity that might discredit the profession.

4. Contribute to a positive ethical culture and place integrity above personal interests.


The second component of the COSO 2013 Framework, risk assessment, aligns with the ACFE’s second fraud risk management principle: “The organization performs comprehensive fraud risk assessments to identify specific fraud schemes and risks…and implement actions to mitigate residual fraud risks.”


The IMA Statement is useful in guiding accountants in fulfilling COSO’s second component through adherence to its first standard, competence, which means to maintain an appropriate level of professional expertise by enhancing knowledge and skills; perform duties in accordance with relevant laws, regulations, and standards; and provide accurate, clear, concise, and timely decision support information and recommendations and help manage risk.


Control activities, the third component of the COSO 2013 Framework, is enhanced by the ACFE principle stating: “The organization selects, develops, and deploys preventive and detective fraud control activities to mitigate the risk of fraud events occurring or not being detected in a timely manner.” The IMA Statement’s guidance on competence corresponds to this principle.


The fourth COSO component is the importance of communicating quality information regarding internal control objectives and responsibilities. It also provides the guidance necessary for communicating internal control functions to external parties.


The final component of the COSO 2013 Framework is monitoring activities. This phase evaluates the effectiveness of an organization’s internal controls in mitigating fraud risk and meeting objectives. The output of this component is fed back into the first component, control environment, to inform the process going forward.




The ACFE risk management guide is a useful tool to focus the activities and expectations of the COSO 2013 Framework implementation on mitigating fraud. Mapping the IMA Statement to the ACFE guide creates an opportunity for accountants and finance professionals to leverage their commitment to ethics toward achieving this goal.


The COSO 2013 Framework has been refined to provide a protocol to establish effective internal controls. The primary focus of the ACFE is the mitigation of fraud. IMA focuses on encouraging and ensuring the ethical behavior of its members. Applying the Statement to the combined COSO 2013 Framework and the ACFE’s Fraud Risk Management Guide can inform accountants’ ethical decision making.


The accounting profession gains strength and influence when it acknowledges the synergies between the various accounting organizations and professional societies. Ensuring compliance and meeting legal obligations are the lowest level of ethical achievement and measurement, and following the Statement’s ethical principles and standards isn’t always easy or straightforward. Accounting and finance professionals who commit to continuing professional education centered on ethics and fraud prevention position themselves to go beyond the foundational level of compliance, enabling them to become ethical beacons worthy of being emulated by new generations of accountants.
