Some companies have far lower levels of misappropriation of assets and fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story.

At these exemplary companies, management takes seriously its ethical responsibilities for designing and implementing systems, procedures, and controls to catch fraud—and, along with the board of directors, for promoting a culture and corporate environment that demands honesty and ethical behavior.

How does your company stack up? Well, run through this checklist:

Does your organization have a strong fraud oversight process at both the board and management levels?

Does your organization have robust and effective antifraud policies, procedures and controls?

Does management regularly evaluate fraud risks and antifraud controls?

Have the risks of management override and conflicts of interest been independently reviewed within the last 12 months?

Would you say your workforce has a strong ethical culture?

Does your company have a corporate policy that encourages whistleblowers to come forward? And do those would-be whistleblowers actually believe it?

If you answered “yes” to all of the above questions, great. You’re well on your way to a strong antifraud effort. Now answer three more questions that will help you get ahead of the crowd:

What are the board’s and management’s roles regarding fraud?

What should the internal audit team’s role be regarding fraud?

How can the organization best help the external auditor meet its responsibilities for evaluating fraud risks, particularly under Auditing Standard No. 5?

To answer that last question properly, you need clear answers to the two questions immediately preceding it. Specifically: the board is responsible for defining and approving the organization’s overall strategic direction and system of internal control, as well as for setting the tone at the top (overall corporate governance). Management operates the business within the guidelines set by the board, periodically reporting on performance and progress toward key strategies and objectives. Management also monitors operations. That includes regular assessments of the effectiveness of the overall system of internal control against the requirements set by the board, as well as the company’s own ethical values and beliefs.

As mentioned earlier, the board is accountable for ensuring an effective system of internal control is established to fight fraud; management is responsible for how that system is designed and enforced to fight fraud. Once you have that clear—and actually done—the internal audit department can also contribute to those antifraud efforts.

Audit’s Job: Helping Fraud Prevention Efforts

Today there is the belief that auditors are looking for—as well as investigating and stopping—frauds. After all, aren’t auditors the last line of defense in identifying crooked management? Well, no. The truth is that nobody can catch all fraud, and the internal audit department should address the misperception that this is internal auditing’s purpose. Everyone in the company has a role in fraud prevention and detection, and the primary responsibility lies with all members of management (and by that, I mean managers at every level of the company).

An effective internal audit function improves the company’s ethical culture and control environment, both overtly through its audit work and in a more general sense by promoting good practices. Internal audits of antifraud activities provide valuable feedback to management and the board on where they can improve overall performance, which contributes in the long term to more effective fraud risk management efforts. It can also be a deterrent when employees know that the internal audit department employs persons with fraud detection knowledge, skills, and tools.

Internal audit should design and plan audits specifically to detect fraud, which directly strengthens the organization’s internal control system. The internal audit plan should be driven by an audit risk assessment (that is, the risk that an audit might miss something); likewise, efforts against fraud should be driven by a fraud risk assessment, because the greater the organization’s exposure to fraud, the more antifraud audit effort must be allocated. And you must conduct fraud risk assessments thoughtfully, since it helps nobody to have your workforce believing the internal audit team distrusts everybody.

Audit work should include evaluating the organization’s efforts in fraud prevention, fraud detection, and fraud investigation. If “detective” procedures are not in place, frauds that are discovered will require more investigative effort and result in greater loss. Over the long term, fraud prevention and deterrence efforts have the most impact on reducing fraud, so this should be a top management priority and be regularly evaluated by internal audit.

Always remember that auditing provides only a reasonable level of assurance; auditors cannot, and will not, provide an insurance policy against every possible fraud. But because of their objectivity and integrity, internal auditors are able to reinforce an organization’s antifraud effort by investigating reports of possible fraudulent behavior. In fact, more and more corporate internal audit departments include trained forensic accountants.

There are numerous fraud audit techniques today, and more should be incorporated into audit departments. Some simple examples of forensic exercises include: correlating employee names, addresses and other contact details against the supplier database to help identify suspect transactions; examining expense claims closely; following up religiously on seemingly insignificant discrepancies in control totals; using data mining and computer audit techniques in general to craft and answer cunning questions; and always being aware of the possibility of collusion, deception, and fraud.
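The first exercise above, correlating employee contact details against the supplier database, can be sketched as follows. This is an added example, not code from the article; the records are constructed and the field names (`id`, `name`, `address`, `phone`) are assumptions rather than any real HR or accounts-payable schema.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a real schema.
EMPLOYEES = [
    {"id": "E100", "name": "Dana Whitfield", "address": "14 Elm St., Apt 2", "phone": "(555) 010-2233"},
    {"id": "E101", "name": "Luis Ortega", "address": "900 Harbor Road", "phone": "555-010-7788"},
    {"id": "E102", "name": "Mei Tanaka", "address": "77 Pine Avenue", "phone": "555 010 4455"},
]
SUPPLIERS = [
    {"id": "S1", "name": "Whitfield Consulting LLC", "address": "14 ELM STREET APT 2", "phone": "555-010-9999"},
    {"id": "S2", "name": "Harbor Office Supply", "address": "12 Dock Lane", "phone": "5550107788"},
    {"id": "S3", "name": "Northwind Freight", "address": "3 Quarry Rd", "phone": "555-010-0000"},
]
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt", "suite": "ste"}

def norm_address(addr):
    """Lower-case, strip punctuation, and collapse common street-type words."""
    words = re.sub(r"[^a-z0-9 ]", " ", addr.lower()).split()
    return " ".join(ABBREV.get(w, w) for w in words)

def norm_phone(phone):
    """Keep digits only so formatting differences do not hide a match."""
    return re.sub(r"\D", "", phone)

def surname_in(employee_name, supplier_name):
    """True when the employee's surname appears as a word in the supplier name."""
    surname = employee_name.lower().split()[-1]
    return surname in re.findall(r"[a-z]+", supplier_name.lower())

def match_employees_to_suppliers(employees, suppliers):
    """Return {(employee_id, supplier_id): sorted list of shared attributes}."""
    hits = defaultdict(set)
    for e in employees:
        addr, phone = norm_address(e["address"]), norm_phone(e["phone"])
        for s in suppliers:
            pair = (e["id"], s["id"])
            if addr and addr == norm_address(s["address"]):  # skip blank fields
                hits[pair].add("address")
            if phone and phone == norm_phone(s["phone"]):
                hits[pair].add("phone")
            if surname_in(e["name"], s["name"]):
                hits[pair].add("surname")
    return {pair: sorted(attrs) for pair, attrs in hits.items()}

if __name__ == "__main__":
    for (emp, sup), attrs in sorted(match_employees_to_suppliers(EMPLOYEES, SUPPLIERS).items()):
        print(f"review: employee {emp} / supplier {sup} share {', '.join(attrs)}")
```

Each hit is a lead for follow-up against the underlying transactions, not a finding; a surname match alone is weak evidence, while a shared address or phone number warrants a closer look at payments to that supplier.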

Some useful antifraud management practices include:

1. Identifying potential indicators of fraud for your industry, company, or activities within your organization;

2. Communicating with experienced people to learn ideas about how frauds may be committed and best detected;

3. Devising and routinely running tests to look for fraud indicators and data anomalies;

4. Performing ad hoc inquiries as needed to dig into the source data underlying fraud indicators and data anomalies, either on their own or as part of control self-assessment sessions; and

5. Implementing continuous auditing.

Norman Marks, a chief internal audit executive at Business Objects and old hand at internal auditing at large companies, recommends that internal audit periodically assess:

The adequacy of the control environment, including: the adequacy of the code of conduct and processes to ensure it is understood, the adequacy of the whistleblower and investigation processes, and the staffing and organization of those responsible for the prevention and detection of fraud. Internal audit should go beyond traditional techniques such as interviewing or issuing a questionnaire only to senior management; a direct and more useful technique is to ask the workforce via surveys, interviews, and focus groups.

Management’s risk assessment as it relates to fraud and theft, including: whether the process is systematic, most conceivable fraud schemes are identified, fraud risks are adequately assessed, and appropriate strategies are implemented.

Management’s monitoring activities, including: whether actual losses are monitored and compared to risk tolerances, and whether actual losses are monitored to identify areas of concern, potential failings of controls, and opportunities for improvement.

There will always be limits to an organization’s antifraud capabilities. Your sample sizes can only be so large. Your budget is only so big. Fraudsters, meanwhile, are cunning people who work hard to conceal their activities and exploit weaknesses in controls.

Organizations Must Be Ever Diligent

An open discussion about the possibility of fraud (of serious fraud), and the necessary responses, is always vital. Ideally, your company should have that discussion before a serious fraud incident rather than afterward. If you want confirmation of that, look at Societe Generale reeling from the multibillion-dollar fraud committed by one person. Now is not the best time for SG to ask how such a thing could happen.

Setting clear expectations and defining everyone’s responsibilities regarding your antifraud efforts is half the battle. Being diligent in your efforts is the other half. To fight fraud, we need a firm policy; it must be enforced, violators must be investigated, and appropriate actions must be taken. Management must understand that it has the responsibility to design and implement antifraud activities, including the monitoring of the results. Internal auditors should also search for fraudulent activities and contribute to the organization’s “no tolerance” attitude toward fraud.

Once your own house is in order, also consider the potential fraud risks relating to your key business relationships. Whistleblowing by suppliers, partners, or customers is one of the most common ways of discovering fraudulent activities, and it cuts both ways. If a worker at one of your business partner companies wanted to report fraud at your company, would that person have the means (and the encouragement) to do so? What if one of your employees discovered fraud happening at one of your partners? How would you deal with it?