The requirement of Section 404 of the Sarbanes-Oxley Act that management of public companies issue reports on the effectiveness of internal controls over financial reporting — including fraud prevention and detection — is well known.
How to do this is another matter.
“There is a great lack of guidance with respect to exactly what should be present, how to measure effectiveness and what the threshold is for a passing score,” says Toby Bishop, president and CEO of the Association of Certified Fraud Examiners (ACFE). “So there is tremendous uncertainty among everyone working in this area.”
Because there’s no consensus on what constitutes the best internal control practices, many companies are spending much time documenting policies and procedures that have little to do with the reasons behind Sarbanes-Oxley, according to Bishop.
“People sometimes forget why this legislation was there in the first place,” he says. “This is all about protecting investors from massive financial frauds. We must focus on that issue before worrying about the small stuff.
“With respect to fraud, the problem is not documentation. It’s a fairly consistent series of major gaps in anti-fraud measures at companies. I have worked with several thousand participants in ACFE training courses, going through the ACFE Fraud Prevention Checkup. Only two of those several thousand have claimed their organization would score more than half marks in that assessment. No organization would pass the evaluation.”
Urton Anderson, a professor of accounting at the University of Texas, points out that management has the responsibility for systems, policies and procedures. Fraud is not a direct responsibility of internal audit functions. Professor Anderson, who is also the former Chairman of the IIA Internal Audit Standards Board (IASB), says, “The question becomes how can internal audit assist management?”
“They can do this through risk analysis,” he says. “The other role they play is that once fraud is suspected, they have the skills to help investigate the activity. Internal audit has a lot of things they can look at: risk assessment, risk allocation, how the organization handles tips on hotlines, because that’s where you get the most benefit. You don’t find a lot of fraud through auditing. WorldCom is an example of where internal audit found it, but that’s not something the internal audit department would routinely look at.”
Guidance for keeping fraud at bay
The Standards for the Professional Practice of Internal Auditing, issued by the Institute of Internal Auditors, state: “The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.”
The IIA standards require internal auditors to assess risks facing their organizations to serve as the basis from which audit plans are devised and against which internal controls are tested. To aid in this effort, the ACFE and six other organizations — American Institute of Certified Public Accountants, Financial Executives International, Information Systems Audit and Control Association, Institute of Internal Auditors, Institute of Management Accountants and Society for Human Resource Management — have developed Management Anti-Fraud Programs and Controls: Guidance to Help Prevent, Deter and Detect Fraud.
Among other things, this document recommends that internal auditors determine whether:
- The organizational environment fosters control consciousness.
- Realistic organizational goals and objectives are set.
- Written policies (for example, a code of conduct) exist that describe prohibited activities and the action required whenever violations are discovered.
- Appropriate authorization policies for transactions are established and maintained.
- Policies, practices, procedures, reports and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas.
- Communication channels provide management with adequate and reliable information.
- Recommendations need to be made for the establishment or enhancement of cost-effective controls to help deter fraud.
Joseph Wells, a former FBI agent, white-collar criminologist, Certified Public Accountant and founder and chairman of the Association of Certified Fraud Examiners, has studied and stopped thousands of corporate frauds. His experience has convinced him that good internal controls are necessary but not sufficient to detect and deter fraud.
“I think controls are vital, but one thing controls don’t do well is measure the culture of the organization,” Wells says. “That is a major factor in fraud. Studies indicate that tips and complaints uncover more fraud than all other methods put together. It’s vitally important that there be a culture in the organization and a method of reporting so people can furnish information without fear of reprisal.”
Recognition of the importance of a culture of integrity is leading to new developments regarding what constitutes effective fraud measures, according to Bishop. New tools are needed because recent experience has shown that senior management, which commits more than 80 percent of financial statement frauds, frequently overrides traditional internal controls.
Bishop suggests the use of new survey tools to measure an organization’s ethical environment and propensity for wrongdoing. These surveys would be sent to a statistically valid sample of employees. In a Fortune 100 company, for instance, the survey would go to several thousand employees.
It would ask a series of questions which, according to Bishop, research has shown to be reliable indicators of the integrity of the workplace. Questions would probe whether employees believe management would support them if they raised concerns about wrongdoing or if they would be punished or suffer retribution.
“These survey techniques have been used to evaluate ethics programs in large organizations,” Bishop says. “They can be effective in identifying environments that are vulnerable to wrongdoing. They provide extremely valuable data for audit committees. It can be argued the use of these tools is critical for performing a meaningful evaluation under Section 404. Yet from what I hear, adoption of these tools has been extremely limited.”
Bishop says that in the current climate, benchmarking against peer companies is often a misleading exercise, because most companies are similarly unprepared. For this reason, persons with deep knowledge about preventing and detecting fraud have never been in greater demand. He recommends that most organizations have a certified fraud examiner on their internal audit staff. “There is a pressing need for more certified fraud examiners or other fraud experts to help companies and independent auditors to cope with the large amount of catching up that is necessary to implement world-class fraud prevention and detection measures,” Bishop says.
There are 14,500 certified fraud examiners, about half the ACFE membership. The number of applicants to the certified fraud examiner program is up 40 percent from a year ago, according to Bishop. That followed a 50 percent jump the year before.
“There has been an explosion of interest in learning about fighting fraud effectively, which has been largely driven by the corporate scandals and need to rebuild public trust in financial reporting and auditing,” Bishop says. “We don’t pretend we can prevent or detect all frauds. But we know that with knowledge we can do a much better job.”
The ‘perception of detection’
Wells says one way internal auditors can do a better job is to “take a higher stance. Let people in the organization know you are looking for fraud and welcome information from employees who have suspicions. This is what actually prevents and deters fraud. It’s a concept we call the perception of detection.”
His skepticism over the ability of internal controls by themselves to rein in fraud ties in with the Statement on Auditing Standards 99 (SAS 99), issued in 2002 by the Auditing Standards Board of the American Institute of Certified Public Accountants. AICPA standards apply to the external audits of public companies but may be used by internal auditors. The Institute of Internal Auditors endorses but does not require SAS 99.
SAS 99 emphasizes that auditors should exercise professional skepticism and identify risks that may result in a material misstatement due to fraud by brainstorming, asking management and performing analytical procedures. It also stresses that auditors should assess the risk of fraud after taking into account an evaluation of the firm’s programs and controls and says the audit should be adapted based on the findings.
Internal auditors can help their companies prepare for the SAS 99-related procedures the external auditors will undertake for the financial statement audit. They also can undertake the procedures directly within their own non-financial and operational reviews to assure management that anti-fraud programs are working.
Key provisions of SAS 99 include:
- Increased emphasis on professional skepticism.
- Discussions with management and other personnel.
- Unpredictable audit tests.
- Responding to management override of controls.
Understanding SAS 99’s anti-fraud thrust
Anti-fraud programs and controls as discussed in SAS 99 include the following major elements:
- Creation and maintenance of a culture of honesty and ethics. SAS 99 states that management needs to set the ethical culture through both their daily words and actions.
- Evaluation of fraud risks and implementation of risk mitigation. Fraud risk factors are included in SAS 99 and are separated into the areas of fraudulent financial reporting and asset misappropriation. Responses may include preventative controls (reducing the opportunity to commit fraud); mitigation controls (reducing the impact of potential fraud); and transference (selecting appropriate fraud insurance such as a fidelity insurance policy).
- Development of an appropriate oversight process. SAS 99 says internal and external parties need to oversee the risk of, and responses to, fraudulent financial reporting. It also says employees should be able to communicate wrongdoing without fear of retribution and calls for independent verifications by internal and external auditors to ensure controls are operating effectively.
Marie Hendrixson, a Protiviti managing director in Philadelphia, recommends internal auditors use SAS 99 as a “tool kit.” Codes of conduct, ethics hotlines, whistleblower programs, hiring and employee screening processes, fraud investigation/remediation and fraud risk assessment all should be open to internal audit review, she says.
“Even in situations where a company has a separate forensic audit group, this group should use internal audit as a resource,” Hendrixson says. “Internal audit is in the field daily and therefore is in the best position to assess areas of potential fraud.”
Where to turn for more anti-fraud information
The Association of Certified Fraud Examiners offers a “Fraud Prevention Checkup,” a series of questions with scoring criteria to help organizations determine fraud vulnerabilities.
The checkup and other useful information may be viewed at the association’s Web site.