Fraud. It’s the business world’s dirty little word. “Generally speaking, corporations don’t talk about it, and nobody wants to really think that they are subject to it,” says David Richards, president of the Institute of Internal Auditors.

Such a view is dangerous, Richards warns. “That’s not the right attitude because it’s the big companies that have been susceptible to this more in the last few years than ever before,” he says. “It’s something organizations can’t ignore.”

Still, identifying fraud in all its forms—or even just assessing a company’s risk of it—is often an ill-understood part of auditing. Sarbanes-Oxley has helped companies focus on some fraud issues; Section 301, for example, requires audit committees to employ procedures like whistleblower hotlines so they can receive complaints, while Section 302 obligates a company to disclose any fraud to its auditors and board, regardless of whether it would have a material impact.

SOX, however, mainly addresses fraud risks related to accounting, internal accounting controls or auditing, which can help companies police against false financial reporting, says Brad Preber, a partner at Grant Thornton. The law isn’t designed to address other sorts of fraud—such as enterprise or occupational fraud—that may not immediately show up on the financial statements, he says.

“If management allows [occupational fraud] to occur, they are in essence setting the tone at the top that that type of behavior will be tolerated,” Preber explains. “If the tone at the top is not clear, unethical behavior will show up, which may result in fraudulent financial statements.”

Making matters more complicated is the ugly truth that fraud often is perpetrated by a trusted employee, Richards says. That perpetrator generally knows the company’s systems, processes and safeguards, and how to evade them. Anticipating such an attack and devising ways to block it require companies to conduct fraud risk assessments.

To Catch A Thief

While no generally accepted definition of a fraud risk assessment exists, the Committee of Sponsoring Organizations of the Treadway Commission does offer some guidelines for an enterprise-based approach. Some of its basic recommendations include establishing a code of conduct that is distributed to all employees or setting up a hotline and whistleblower program.

The assessment itself should incorporate a few important features. First, Preber says, companies need to define fraud risk at all levels of the organization. The company might face external risks such as operating in a country more prone to certain types of fraud. It may also confront internal risks such as the misappropriation of assets, corruption and fraudulent financial reporting.

Companies should also ask themselves what the scope of the risk assessment will be and why they are doing an assessment in the first place. Many might examine fraud risk solely to meet compliance obligations under Sarbanes-Oxley, but Pam Verick Stone, a director at risk management consulting firm Protiviti, stresses that fraud can affect a company’s operations and reputation as well as its financials.

“What we know from SOX is that people’s focus has been fraud in the context of internal control over financial reporting,” says Stone, who focuses on investigations and fraud risk management. “That’s a narrow view. Fraud is one type of risk that will be in the overall portfolio of risk. Understanding that portfolio helps you evaluate, mitigate and monitor fraud risk.”

Companies should also consider common fraud scenarios that may affect the organization. “You have to play through what can go wrong; that’s the hallmark difference between an internal control risk assessment and a fraud risk assessment,” Preber says. “It requires you to think like the criminal to determine what risks may be harmful to the business.”

Companies need to identify the magnitude of a possible fraud risk, as well as the likelihood that it could actually occur, to determine the extent to which the organization may be exposed to material fraud, Preber says. This will help management determine its tolerance for certain risks, and identify the controls that need to be put in place to deter them.

The last step is monitoring the effectiveness of anti-fraud measures, typically by using either an internal auditor or an outside consultant, Preber says.

Assessments And Oversight

Donald Floyd, chief audit executive of Polycom, a $580 million provider of conferencing and collaborative communications solutions, conducts an annual risk assessment that considers processes for financial reporting as well as the enterprise as a whole.

Polycom has a steering committee made up of senior management that oversees the performance of internal control over financial reporting, Floyd explains. The committee develops a specific fraud risk assessment as it pertains to Section 404 compliance and financial reporting. In addition to that assessment, Polycom’s internal audit function also performs an enterprise-wide risk assessment, incorporating input from the operational areas of the company, which is then used to develop the annual project plan for the audit group.

“Our objective is to set up our fraud controls from a preventative perspective,” Floyd says. “That has to be the initial thought process.”

Ruth Brayer, a forensic document examiner who owns Brayer Handwriting International in New York, recommends that companies take other basic steps to help prevent fraud and the costly lawsuits that can ensue should a problem arise.

Companies should keep handwriting samples in personnel files, she says, particularly for those individuals who deal with large sums of money or are in sensitive positions. “It doesn’t matter if it’s the CEO or the CFO,” Brayer says. “We know about Enron.”

Handwriting differs between right-handed and left-handed individuals, and can be affected by age, medical conditions or even emotional trauma, Brayer explains, so periodically updating the samples in the file is essential. Companies should require that individuals print their name and the date next to any signature on an official document, particularly when dealing with large financial sums.

Legibility isn’t just for names. Watch out for accuracy when writing down numbers as well, says Brayer.

One common mistake companies make when creating fraud risk assessments is failing to identify or gather information from all parts of the organization. The process requires input from more than one person, and more than one department, to work properly, Stone says.

Companies also often fail to measure or rate the risk. Prioritizing risk helps to make control assessments more effective, Stone says. Worse, once the assessment is completed, many companies don’t do anything with the information.

“As much as companies have focused on Sarbanes-Oxley compliance efforts, one of the last-minute things they’ve acted on has been the issue of anti-fraud programs and control, which is a little ironic because Sarbanes-Oxley is one of the biggest anti-fraud measures out there,” Stone says.