COSO – Sarbanes-Oxley and Supply Chain Fraud


The Committee of Sponsoring Organizations (COSO) internal controls framework highlights the following 5 key components, which are a useful guide for the detection and reduction of supply chain fraud: Control Environment, Risk Assessment, Control Activities, Information & Communication and, last but not least, Monitoring. In summary:


Control Environment

The control environment is the “tone” of the organization as set by the example and actions of senior management. If executives display a cavalier attitude towards ethical practices and professional behavior, even to the point of the commission of fraud, this negative behavior will trickle down to all ranks of employees as being acceptable and could be perpetrated against not only the organization, but also customers and suppliers.


Risk Assessment

All risks must be assessed for, among other characteristics, their likelihood, damage impact, costs of correction, and costs of prevention. In terms of supply chain fraud, supplier metrics and the vendor scorecard are useful tools for identifying suppliers that may be putting the organization “at risk”. Viewing the internal supply chain in a similar way can help identify bottleneck processes, information gaps, software deficiencies, etc.


Control Activities

The control activities are the policies, procedures, validations, verifications, etc. that are used to ensure that all levels of business operations function correctly because there is sufficient oversight. Control activity documentation should include not just how, for example, suppliers and employees are supposed to act, but also how they will interact: the organization with its suppliers, customers, and itself (between departments and groups).


Information & Communication

The information an employee needs to perform their job functions efficiently and effectively must be provided based on the employee’s security clearance or level of job function. Withholding such information may force the employee to create unsecured data files that, if stolen or lost, could contain competitively sensitive information about the organization.


Monitoring

The effectiveness of all control activities, such as those used to detect and reduce supply chain fraud, whether manual or systematic, must be constantly evaluated for accuracy and relevance as the organization grows and changes. Like the control activities themselves, the monitoring should not be so invasive or excessive as to inhibit performance or job function.

Guest Author: Norman Katz

Copyright © Katzscan, Inc. – Source: Supply Chain Fraud White Paper
