Whose Job Is It to Find Fraud?

More than a decade into the regulatory war on corporate fraud, the professional groups on the front lines are still not entirely clear exactly whose job it is to detect it.

Most executives, board members, and internal and external auditors are in agreement that senior management at public companies hold chief responsibility for establishing a culture and putting into place controls and processes to deter fraud, a recent survey by the Anti-Fraud Collaboration shows. When it comes to uncovering it, however, their views are not nearly so united.

A majority of board members, for example, say internal and external auditors provide the most important back stop. External auditors believe management and internal auditors are the first line of defense. Internal auditors, barely a majority of them, agree that senior management is primarily responsible, but say they are counting on external auditors to help them carry the load. And company officers themselves also are putting a lot of faith in internal and external auditors to ferret out evidence of wrongdoing. Hardly any professionals in any of those groups believe the buck stops with the board.

The Anti-Fraud Collaboration polled members of the four organizations that make up the collaboration: the Center for Audit Quality, the Institute of Internal Auditors, Financial Executives International, and the National Association of Corporate Directors to arrive at those findings. Members of the four groups also met during a roundtable session earlier this year to discuss the results, acknowledging an “expectations gap” regarding who has what responsibility for detecting fraud. “It does bear out something we've known for a long time, that there's a bit of an expectations gap out there even amongst those who have a responsibility for this,” says Cindy Fornelli, executive director of the CAQ. “It really points out that there needs to be a robust discussion and clear communication to delineate who is going to do what.”

In truth, the answer to the question of who has primary responsibility, is “all of the above,” says Roy McDonald, a partner with law firm DLA Piper. “I wouldn't say any one party has primary responsibility. Perhaps it's not a simple answer because there isn't one.” Defining the roles of the various players is one of the big challenges every public company faces, he says. “It's a concerted effort.”

Brian Fox, a former Big 4 auditor who founded audit services firm Confirmation.com, says external auditors should be at the bottom of the list in terms of who can be expected to find fraud. External auditors have less access to and involvement with daily activities, making them the most removed from possible evidence of fraud.

Indeed some external auditors bristle at the idea that they bear responsibility for uncovering fraudulent activity. Michele Amato, a partner with audit firm Friedman, for example, is dismayed that even within corporate circles some expect auditors to hold primary responsibility for finding fraud. “The perception out there that external auditors are going to find something is unfortunate,” she says. “We're only there once a year, and when there's collusion involved it's very difficult to find fraud. Management is sometimes the one committing fraud.”

“This is an issue where people looked around the table at someone else because their function didn't define it as part of their responsibility.”

—Jonathan Feld,

Member,

Dykema

This is one of the reasons, says Jonathan Feld, a member of law firm Dykema, that the role of the compliance officer is growing in public companies. “Until recently, with the focus on compliance and fraud detection, this is an issue where people looked around the table at someone else because their function didn't define it as part of their responsibility,” he says. Compliance officers are in a great position to assess how the various players are approaching the issue and look for gaps that might produce risks.

Corporate executives are well aware of their duty to detect fraud, says Tracey McBride, vice president of research and accounting policy at the Financial Executives Research Foundation. “But we all know fraud happens at that level,” she says. “The question is who provides that oversight? Where does it start and stop? A lot of times fraud occurs because management knows how to work around controls.” That's where senior management is relying on internal and external auditors to exercise the skepticism necessary to close gaps, she says. A strong tone-at-the-top also encourages others within the company who may spot evidence of wrongdoing to report it, she says.

A Failure to Communicate

The survey results suggest each of the various professional groups should focus on communication, says Hal Garyn, vice president at the IIA. “There's a series of assumptions about what others are doing,” he says. “When you peel back the onion, what do you really do, and what are you capable of doing in your role? It's not just one party's responsibility. It's a collective responsibility, and communication is probably not occurring at the level it needs to.”

FINDING & FIGHTING FRAUD

Below are two tables from the IIA study on fraud detection and deterrence.

Source: The IIA.

Richard Chambers, president and CEO of the IIA, says the survey also reflects some shaken confidence on the part of various professional groups that financial reporting fraud can be deterred or detected. Financial executives show the greatest confidence, internal auditors and board members less, and external auditors the least. “Financial reporting fraud carries with it such a great risk for any organization, it's a huge burden for any one group to think they're the ones who are going to be able to detect it,” he says. “It can be very elusive, as we've seen.”

Michele Hooper, president and CEO of board advisory firm the Directors' Council and a board member for NACD, says she wasn't surprised to see diverse responses to the question of who has primary responsibility, since ultimately it should be shared by the various groups. “It's not solely senior management's responsibility,” she says. “Internal audit has a kick at the can, as does external audit.”

Hooper says companies would be wise to assure boards and audit committees are fully engaged on the discussion of who is responsible for what when it comes to detecting fraud. “I don't think the audit committee can ever be too vigilant.” The key, she says, is a combination of a strong tone-at-the-top, a good system of internal controls, and a healthy skepticism on the part of all involved.

Chamber says the board can play a role in establishing strong governance process and clear lines of communication to assure there are no gaps in fraud detection. “The board has to take the lead to assure the audit committee in particular and all key parties understand the board's assessment of the risk of financial reporting fraud,” he says.

Fornelli agrees an engaged audit committee can play a vital role in assuring all bases are covered. “They are in charge of and have an obligation to oversee the financial reporting process, so they have the ability to direct the other three parties,” she says. “They really need to be the hub or the central point to make sure everyone is clear on their role and responsibilities.”