Volume 2, Issue 9 of The Bulletin, “Protecting Enterprise Value Through Your Anti-Fraud Program,” focuses on the issues that management and audit committees should consider as they establish an effective anti-fraud program and related controls, and evaluate their design and operating effectiveness. This supplement to Issue 9 of The Bulletin provides the following:
- Suggestions for getting started with an evaluation of the anti-fraud program
- Commentary regarding how to assess fraud risk
- Suggestions for management and audit committees to consider when establishing an effective anti-fraud program and related controls
- A COSO-based approach for evaluating the anti-fraud program and related controls
- Important considerations for management and audit committees as they evaluate the effectiveness of their organization’s anti-fraud program with assistance and support from legal counsel and other advisors
- A summary of things to avoid when evaluating the anti-fraud program
While not intended to be all-inclusive in scope or to address all aspects of an anti-fraud program, this supplement provides observations, recommendations and suggestions for management and audit committees.
Getting started with your evaluation
The approach to evaluating the design and operating effectiveness of an anti-fraud program and related controls is no different from the approach used for other controls. In fact, many elements of the anti-fraud program and controls are often already in place. Many companies have implemented or are implementing key elements of the anti-fraud program and controls (e.g., initiatives relating to SOA Sections 301, 302, 406, 802 and 806). The documentation of controls on Risk and Control Matrices (RCMs) often identifies some controls that serve a dual purpose of mitigating risks of inadvertent and intentional errors at the process level.
Thus, when evaluating internal controls that mitigate fraud at both the entity and process levels, companies should understand the incremental tasks to complete the Section 404 assessment so it is fully responsive to the requirements and expectations relating to the “anti-fraud program and controls.” If this process of defining the incremental tasks has not begun, we recommend that management get started by taking the following two steps:
- Determine from the external auditors their expectations and requirements.
- Inventory the elements of an anti-fraud program currently in place and under development.
These two steps will enable management to conduct a “gap analysis” and determine whether amendments to the Section 404 project plan are necessary. Following are additional steps to take after the two initial steps above:
- If not already completed, conduct a risk assessment (see next section of this supplement).
- Identify gaps in the company’s anti-fraud program and related controls.
- Provide a checkpoint for discussion with the external auditors and other advisors to assess the status of the process and obtain input on the development of the action plan.
- Develop an action plan to close the gaps and determine amendments to the Section 404 assessment project plan.
- Execute the action plan.
There are three key words going forward: “Make fraud explicit.” Make fraud explicit in the company’s risk assessment and controls design and testing. Make fraud explicit during the entity-level controls assessment. Make fraud explicit during the review of the financial reporting process and when identifying assertion risks at the process level. Thus, the company’s anti-fraud program should be integrated with the overall governance process and the organization’s evaluation of internal control over financial reporting. This is necessary because many controls at the process level for mitigating the risk of inadvertent errors also serve the purpose of preventing, deterring and/or detecting fraud. All told, fraud prevention and deterrence, and the mitigation of related financial reporting risks, should be an active part of the management and audit committee agenda.
How is fraud risk assessed?
There are at least three approaches for considering the implications of fraud to financial reporting – common scenarios, process-by-process and fraud indicators. Management can use any or all of these approaches when evaluating fraud risk.
When using the “common scenarios” approach to conduct a risk assessment, management’s approach is to first identify relevant scenarios that could potentially occur within the organization, resulting in a material impact on the financial statements. For each identified scenario, the Section 404 compliance team describes the risk associated with the manner in which the scenario would be perpetrated within the company, the individuals who could make it happen and the financial statement accounts and disclosures that would be affected. Based on the documented scenarios, the team then identifies the controls that would prevent, deter or detect each scenario. The controls documented through this step are compared with the controls in place, and the gaps are identified. An action plan is developed to remediate significant gaps.
When using the “process-by-process” approach to document and evaluate the anti-fraud program and controls, management should “identify and document the points within [each significant] process where a misstatement – including a misstatement due to fraud – related to each relevant financial statement assertion could arise.” Then management must identify and document the controls that have been implemented to address these potential misstatements.
RCMs can be useful in this regard. For example, the Section 404 compliance team can review the RCMs to ascertain whether the fraud risks already identified are complete. When applying this approach, it is important to move beyond third-party fraud to consider the risk of management override, particularly in the period-end financial close process and in non-routine and estimation processes.
Finally, there are fraud risk indicators that provide risk considerations for management to use when developing a fraud risk assessment approach. These indicators can be used to facilitate the gathering of fraud risk factor information and can be used as a guide for dialog with relevant individuals at the entity and process levels. While not conclusive, the existence or absence of risk indicators within a company or its processes may provide insight as to the appropriate scope for fraud monitoring, testing and oversight.
Following is a list of suggestions for management when establishing an effective anti-fraud program and related controls. Each suggestion is accompanied by relevant questions and commentary that provide the basis for a diagnostic:
- Ascertain the comprehensiveness of the program. Determine that the anti-fraud program has all requisite elements. For example, does the program address the key criteria defined by the Federal Sentencing Guidelines, as amended? Does it consider the key elements of SAS 99 and The IIA’s practice advisories regarding fraud, as well as corporate governance rules promulgated by either the NYSE or NASDAQ listing requirements? Does the program encompass all key business processes, business units and divisions that significantly impact financial reporting? Is there an effective pre-employment screening process? Is there segregation of duties? Is there due diligence with respect to suppliers and business partners? Does management determine whether the anti-fraud program is integrated throughout all of the organization’s new acquisitions and expansion efforts? These and other questions facilitate the assessment of the anti-fraud program to ensure it is sufficiently comprehensive at the entity level.
- Maintain the “tone at the top.” Evaluate the evidence of the “tone at the top,” including the policies and processes prohibiting management’s override of controls. For example, does senior management actively support the anti-fraud program efforts? What is the tenor of messages communicated by senior management to middle management and employees? More importantly, do middle management and employees perceive that senior management’s behavior and activities are consistent with their words, i.e., that senior management “walks the talk”? Is there consistency in the way the code of conduct is enforced across all locations and units? Are there effective controls over non-routine transactions? Are company-level controls adequately documented? As discussed further under “Maintain an effective code of conduct” below, do company-level controls include codes of conduct and fraud prevention that apply to all locations and units?
- Assess fraud risk. As the definition of fraud varies among the legal, audit and business communities, determine how fraud is defined within the context of the organization. This will drive the identification of specific industry, geographic and other relevant fraud risk. Ensure that the anti-fraud program considers how this risk is evaluated, mitigated and monitored within the internal control structure. What are the specific industry fraud risks? What are the geography-specific fraud risks (e.g., risk pursuant to the Foreign Corrupt Practices Act, such as corruption, bribery, accuracy of books and records, etc.)? Fraud risk may be assessed using a scenario approach, by evaluating risks within specific processes or by considering the applicability of relevant fraud risk indicators. It is essential that fraud risk is not just identified, but also “prioritized” or measured utilizing criteria agreed upon by management.
- Identify mitigating controls. Does the anti-fraud program specifically address, and mitigate, the identified fraud risk? For example, controls should be linked to specific fraud risk identified at both the entity and process levels. With regard to the design of controls, the Public Company Accounting Oversight Board (PCAOB) states that a company’s documentation should encompass “the design of controls to prevent or detect fraud, including who performs the controls and the related segregation of duties.”
- Conduct fraud testing. Management must determine which controls should be tested, including those that are designated as an anti-fraud control. Internal audit activity relating to fraud identification and detection should be adequate, given the organization’s risks. The internal audit function should report directly to the audit committee. The audit committee should demonstrate an adequate level of involvement and interaction, both proactive and reactive, with internal audit on fraud matters.
- Maintain an effective code of conduct. The PCAOB requires documentation of the code of conduct provisions, especially those related to conflicts of interest, related party transactions, illegal acts and the monitoring of the code by management and the audit committee or board. If there is a code, is it public? Is it communicated adequately throughout the organization? Is it periodically reinforced through employee awareness initiatives and training? Is it enforced consistently? Does it apply to related third parties (e.g., vendors, agents, brokers, etc.)? For further discussion, consult Volume 1, Issue 5 of The Bulletin, The Code of Conduct – Laying a Cornerstone for Effective Governance.
- Exercise anti-fraud program oversight. Fraud risk and related matters need to be on the agenda of meetings of the audit committee, the disclosure committee and the executive committee (or risk management executive committee) at appropriate times. There should be clear documentation of such oversight considerations to establish the viability and substance of the anti-fraud program.
- Identify and investigate complaints in a timely and effective manner. There should be adequate procedures for handling complaints and for accepting anonymous, confidential submissions of concerns about questionable accounting or auditing matters. Has the audit committee established procedures for handling anonymous, confidential complaints and submissions regarding financial reporting and/or audit irregularities in accordance with SOA Section 301? Have intake, escalation and investigative protocols and procedures been defined in order to ensure that matters are dealt with in a consistent manner? What is the frequency of reported frauds? Is there a procedure in place to ensure independent investigations and remediation? What is the time period between receipt of the initial complaint and the resulting investigation? What is the time period between the reporting of investigation results and completion of remediation? What testing is conducted to determine if fraud is reported, investigated and resolved in the manner described in the anti-fraud program? For further discussion, see Volume 1, Issue 11 of The Bulletin, Establishing an Effective Complaint and Confidential, Anonymous Reporting Process.
- Remediate deficiencies in a timely manner. When deficiencies in the anti-fraud program and in related controls are identified, they should be remedied in a timely manner. Management also should consider whether there are indicators to suggest that such deficiencies have been exploited, i.e., whether anyone internally or externally seized the opportunity to take advantage of the control weakness for personal or corporate gain.
- Consult with advisors. Management should consult with legal advisors, fraud specialists and the external auditors as the company documents, evaluates and refines the anti-fraud program and related controls.
Using a COSO-based approach to evaluate the effectiveness of an anti-fraud program
A useful benchmark for evaluating the effectiveness of the anti-fraud program is the control framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as set forth in its Internal Control – Integrated Framework. This framework requires an evaluation of the anti-fraud program at two levels. The evaluation takes place at the company level because the control environment includes, but is not limited to, controls specifically established to prevent and detect fraud for which it is reasonably possible that a material misstatement of the financial statements would result. It also takes place at the process level with the identification of specific controls that mitigate the risk of fraud within key processes.
The five interrelated components of the COSO framework also provide criteria for evaluating the design of an anti-fraud program. These components and their applicability to an anti-fraud program are illustrated below:
- Control Environment – The “tone at the top” is one of the most crucial elements to preventing fraud within an organization. The acts (and failures to act) of management and the board or audit committee have a significant impact on an organization’s fraud risk profile. Elements of the control environment include the adoption and communication of a code of conduct throughout the organization as a cornerstone of effective corporate governance; management’s guidance regarding acceptable behavior (i.e., “right and wrong”), as well as its overall business philosophy and attitude towards overriding established controls; active involvement and oversight by the board and/or audit committee; effective hiring policies to assess the level of honesty of new hires, including background checks; thorough investigation of violations of company policies and compliance programs; and timely remediation of significant control deficiencies.
- Risk Assessment – Every organization needs a documented and sustainable process to identify and evaluate its fraud risk and provide a context for evaluating the adequacy of controls in place for mitigating such risk. As an element of the anti-fraud program, the risk assessment process should explicitly address fraud risk. This includes evaluating management’s identification of risks that may result in material misstatement of accounts and in failure to achieve financial reporting assertions, and an assessment of the effectiveness of existing internal controls in preventing and detecting unauthorized transactions in a timely manner.
- Control Activities – To mitigate the risks identified during a fraud risk assessment, management must implement the necessary policies and procedures within the appropriate business processes. Management must maintain documentation supporting the design of these and other related controls embedded within all significant processes and the testing of them to determine whether they are operating effectively.
- Information and Communication – Effective communication up, down and across the organization is important in mitigating fraud risk. For example, in addition to communicating its code of conduct, management should communicate its expectations of an ethical organization and responsible business behavior to all employees and related third parties. A timely and effective means of reporting and acting upon employee complaints regarding accounting and reporting practices and deficiencies in internal control over financial reporting must also be provided.
- Monitoring – To effectively prevent and deter fraud, an entity should have an appropriate oversight function in place to ensure periodic and ongoing monitoring of its fraud risk. Oversight can take many forms and can be performed by different functions within the entity, with the audit committee providing overall oversight. It is essential that the code of conduct be monitored to ensure that its content is relevant and that employees acknowledge their understanding of, and compliance with, prescribed policies and ethical standards. The performance of critical control activities also must be monitored in order to evaluate their design and operating effectiveness.
In summary, the five components of the COSO framework provide useful criteria for evaluating the anti-fraud program and provide the key to integrating fraud into the Section 404 assessment.
Some things to do
We provide important considerations below for management and audit committees as they evaluate their organization’s anti-fraud program with assistance and support from counsel and other advisors:
- Have adequate representation from qualified counsel who is well-versed in the rules and regulations of the SEC and exchanges.
- Evaluate the organization’s risks, culture, management operating style, internal resources and existing procedures regarding reporting of audit and accounting irregularities and fraud before designing the anti-fraud program. Understand the unique risks relating to fraud within your organization, within your industry and within the geographies where your company operates. Because there is no “one size fits all” approach when formulating an anti-fraud program, the answers and solutions will evolve as you learn more about your options, and are able to evaluate which ones fit best within your organization.
- Integrate ethics policies and procedures for reporting fraud and accounting irregularities across business units, geographies and subsidiaries (including international locations, to the extent appropriate under local law). Strive for a common platform to receive, evaluate and investigate complaints, and in particular, one that includes new acquisitions.
- Involve both management and the board in evaluating and strengthening the anti-fraud program. Understand the processes management already has in place to prevent, deter and detect fraud. Obtain the board’s support in strengthening the existing anti-fraud program, as it is difficult to enhance and/or execute in isolation.
- Retain specialists, if needed, to design and execute the program. Identify forensic accountants, certified fraud examiners and fraud risk management specialists. Even if management (or the audit committee) doesn’t use these advisors right away, it is helpful to pre-qualify them in the event they are needed on short notice to conduct an investigation involving a sensitive matter.
- Do the necessary homework with respect to evaluating the firms offering confidential reporting of complaints and other related solutions. There are many new firms offering various solutions related to whistleblower programs (e.g., hotlines, employee training and awareness programs, etc.). Some of these companies are better than others. Determine whether the vendor has adequate resources to service your needs. Examine the vendor’s experience and reputation. Ensure that the service-level agreement contracts include stipulations regarding confidentiality and the completeness and timeliness of information. Make sure the solution the vendor provides fits your needs. Organizations should consider establishing guidelines and other specialized protocols for call routing, service outages and contingencies, and operator training.
- Communicate the anti-fraud policy and program often within the organization. A comprehensive and ongoing communication strategy ensures that all employees understand (a) the importance of preventing fraud, (b) their role and responsibilities in the reporting of concerns and complaints involving potential violations of company policy, laws and regulations, (c) the confidentiality of such submissions, and (d) the organization’s expectations regarding ethical behavior.
- Emphasize the appropriate level of independence with respect to the reporting and investigation of complaints. Simply stated, the person or group screening complaints or investigating complaints must not have a vested interest in the outcome. Substantial discretionary authority must be delegated carefully to ensure the appropriate independence.
- Remember that Sarbanes-Oxley has specific provisions to protect whistleblowers. Ensure that your program includes sufficient investigative protocols and procedures to ensure that employees who report potential accounting irregularities and fraudulent acts are not singled out or discriminated against because of their actions. Make sure that confidentiality is maintained and anonymity promises are kept. Concerns or complaints regarding fraudulent activity must be evaluated on an individual case-by-case basis in order to ensure proper treatment – especially those that are received on a confidential basis. The audit committee also should review the overall number and type of concerns or complaints received by the organization to determine if there are specific patterns that indicate a pervasive issue with an individual, department, geographic location, etc. As whistleblowers are provided with certain protections under SOA, most companies ensure that the Office of General Counsel and Human Resources are actively involved in remedial action resulting from investigations. This coordination is particularly important when letting someone go, reducing their compensation or passing them over for a promotion.
- Understand and consider the implications of the Federal Sentencing Guidelines. Over a decade ago, the U.S. Sentencing Commission revised its sentencing guidelines and penalties for organizations convicted of criminal behavior. One of the effects of the revised guidelines was to set forth some minimum criteria for an effective fraud deterrence and detection program. It makes sense for management and the audit committee to ensure that their organization’s compliance program satisfies the criteria as defined by the sentencing guidelines. These guidelines can provide a baseline for evaluating established procedures and conducting periodic procedural reviews.
Under the guidelines, there are several basic elements that should be considered for inclusion into any effective compliance program:
- Compliance standards and procedures must be established to deter crime.
- High-level personnel must be involved in oversight (rather than delegating oversight in such a manner that accountability and decision-making are diluted).
- Substantial discretionary authority must be delegated carefully.
- Compliance standards and procedures must be communicated to employees.
- Steps must be taken to achieve compliance in establishing monitoring and auditing systems, as well as reporting systems that provide feedback on the process and include protective safeguards.
- Standards must be enforced consistently (which may include the deployment of a repository of complaint handling and investigation dispositions to ensure consistent application across the enterprise).
- Any violations require appropriate responses, which may include modification of compliance standards and procedures, as well as other preventive measures.
According to the sentencing guidelines, these are the elements of effective compliance programs. Management, the audit committee and their advisors should consider incorporating these elements as a baseline for evaluating established anti-fraud policies and procedures.
- Formulate an anti-fraud program policy. In formulating the entity’s anti-fraud policy, management should consider the implications of privacy laws, human rights and requirements under the securities laws. The policy should be developed based on discussions among and between the audit committee, other members of the board of directors, general counsel, operating personnel, functional management (e.g., purchasing, payroll, human resources, etc.) and outside advisors. Once the policy is developed, it must be communicated to the entire organization in a manner that clearly conveys management’s commitment to prevent and detect fraud and other illegal acts. To this end, a message from the CEO or other senior officer is a powerful reinforcement to employees. Appropriate incentives and performance metrics should be considered for compliance with the policy, and strong disciplinary measures should be meted out for violations. For example, responsibility for executing certain preventive controls may be built into job descriptions and set forth as individual performance expectations, and performance might be partially evaluated and rewarded based on execution in accordance with those expectations.
- Listen to employees when they express their concerns and complaints through other feedback mechanisms. Often, a call to the hotline results when other proactive efforts to address potential issues have failed. Many whistleblowers have indicated that they would never have gone public with their concerns about an entity’s financial statements if senior management had been more attentive to them when they raised the issues in the first place. Indicating to employees that the lines of communication are open does not necessarily mean that you have opened the floodgates to unwanted (or unwarranted) criticism; two-way feedback is critical to the health and well-being of organizations. However, when management invites feedback from employees through such mechanisms as management discussions, formal surveys, suggestion boxes, etc., expectations are set that management will openly listen and is prepared to act as necessary on legitimate concerns or complaints.
- Watch for the need to refine the program. As an entity matures, so must its anti-fraud program and controls. Over time, employees may develop their own procedures for doing things, some of which may defeat the intent of critical anti-fraud controls. A dynamic program is therefore one that can evolve in response to changes in structure, operations and other circumstances, and yet still remains effective. Periodically, management should assess the risk of fraud or illegal acts occurring and evaluate whether the existing anti-fraud policy is sufficiently effective to mitigate that risk. Where determined necessary, existing policies and procedures should be enhanced to address areas of increased risk. High-level personnel should, with assistance from counsel, review new or proposed policies for compliance with applicable laws.
Some things to avoid
The following are some mistakes that management and audit committees should strive to avoid with respect to evaluating their organization’s anti-fraud program and related controls:
- Delaying taking action. Remediation of controls may be necessary as management undertakes efforts to ensure that the anti-fraud program is effective. There may be fraud risk that creates unacceptable exposures to the company. The sooner these matters are identified, the sooner actions can be taken to address them.
- Taking a program developed for another company, and blindly implementing it within your organization. There is no “one size fits all” approach to developing an anti-fraud program, just as a “best practice” for one company is not necessarily best for all. To be effective, a plan to implement an anti-fraud program requires careful thought and analysis to ensure the proper cultural fit, mitigation of actual risk and management support.
- Forgetting about potential conflicts of interest when developing or executing your anti-fraud program. For example, establish appropriate intake and escalation procedures, and determine who will conduct investigations of sensitive matters to ensure the appropriate objectivity is preserved before such matters occur.
- Failing to document your activities and monitor complaints regarding fraud. Maintain adequate records of meetings, accomplishments and decisions. This type of recording is useful if you ever need to defend your process or actions. In addition, track complaints over time to determine whether the percentage of complaints relating to financial reporting and the absolute volume of such complaints change over the period tracked. If companies have tracked complaints in the past, management will be better able to define the task at hand.
- Developing overly complicated solutions that are doomed to fail. Avoid burdensome programs, creating unnecessary expenses and duplicative internal reporting. If the program requires time, effort and money disproportionate to the risk, it will ultimately fail. For example, your organization may have one or more internal hotlines in play. Having too many hotlines can confuse employees, which is a problem for many companies. Carefully weigh your options before deciding on how to go forward with a new hotline, if this is determined to be the appropriate solution. In short, keep the program as simple as possible.
- Forgetting to emphasize prevention and deterrence. While the SEC rules require companies to develop procedures to handle complaints about problems, it makes sense to concurrently develop policies and processes to prevent and deter accounting irregularities or fraud. Detection procedures alone are inadequate. Therefore, establish monitoring and auditing systems or reporting systems with protective safeguards. In addition, reinforce compliance by appropriately responding to violations.
- Ignoring complaints that appear to be insignificant or immaterial. Sometimes a specific fraud incident or complaint could be a part of a broader pattern. Sometimes the cost of a fraudulent act, including the inherent damage to the organization’s reputation, can escalate to significant proportions. Materiality should not necessarily be a threshold for determining when a complaint is escalated to the audit committee prior to comprehensive periodic reporting. The assessment of significance is the responsibility of the audit committee, not management.
The Bulletin (Volume 2, Issue 9 Supplement)