Since the enactment of the Sarbanes-Oxley Act of 2002 (“SOA” or “the Act”), most public companies have assessed their internal control over financial reporting (ICFR), and their disclosure controls and procedures around public reports, and reported on the results of those evaluations in accordance with Sections 302 and 404 of the Act. The Public Company Accounting Oversight Board (PCAOB) has issued Auditing Standard No. 2 (AS2) requiring auditors to make certain assessments when evaluating the company’s ICFR.
During the May 10, 2006 SEC roundtable on the second year experiences with SOA Section 404 compliance, several panel members suggested that companies and their auditors needed to shift their focus to more important issues, such as financial statement fraud, company level controls and the period-end financial reporting process. Some panel members pointed out that too much effort was focused on the controls embedded in the detailed upstream processes and not enough effort was being directed to the fundamental issues leading to the financial reporting scandals precipitating the enactment of SOA. As the volume of the dialogue has continued to increase, the SEC has committed to issue guidance to management and the PCAOB has pledged to revise AS2 to sharpen the auditor’s focus.
Throughout these discussions, the one area that all parties have agreed is relevant is the company’s anti-fraud program. What is an anti-fraud program? Why is it important? How should companies evaluate their anti-fraud programs? Is there anything that management should do differently? This issue of The Bulletin will focus on these and other questions.
Protiviti assists companies in different industries with benchmarking leading practices to improve the performance and effectiveness of their processes. Through these activities, we are able to develop broad insights into certain process areas. This publication incorporates insights and “lessons learned” about anti-fraud programs that we hope will be of interest to readers of The Bulletin.
What is an anti-fraud program?
The Federal Sentencing Guidelines, as amended, call for an “effective compliance and ethics program … to prevent and detect criminal conduct; and … promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” This is the mandate of an anti-fraud program. Simply stated, it is a program of policies and procedures, backed by senior management, which fosters ethical and responsible business behavior. However, an anti-fraud program differs from an ethics program.
Business ethics are the principles of conduct governing an organization and the individuals within it. They are defined through the day-to-day behaviors of managers and employees over time, creating a culture in which everyone is able to observe how management anticipates and reacts to events. These observations lead, in turn, to an understanding of how individuals throughout the organization are expected to behave in similar situations. A company’s code of ethics and the procedures around communicating, monitoring, reinforcing and enforcing that code (see Volume 1, Issue 5 of The Bulletin, available at www.protiviti.com) are an integral part of the so-called “tone at the top.”
While an anti-fraud program also contributes to the control environment, it places a stronger emphasis on policies and procedures that prevent, deter and detect fraudulent behavior and illegal acts, and respond to issues relating to such matters. From a Section 404 compliance standpoint, the anti-fraud program encompasses those controls intended to mitigate the risk of fraudulent actions that could have an impact on the reliability of financial reporting. From a business standpoint, the anti-fraud program reduces exposure to reputation and “headline” risk arising from reported fraud.
AS2 explicitly requires the auditor to evaluate annually all controls specifically intended to address fraud that has at least a reasonable likelihood of having a material effect on the company’s financial statements. Controls specifically related to the prevention and detection of fraud often have a pervasive effect on the risk of fraud. Previously, auditors considered a company’s anti-fraud program in response to Statement on Auditing Standards No. 99 (SAS 99), which requires the assessment of the risk of “material misstatement due to fraud” in the context of a financial statement audit. While SAS 99 is still in force, AS2 requires the auditor to evaluate the design and operating effectiveness of the anti-fraud program in the context of auditing ICFR. So, while the notion of an anti-fraud program is not new, the breadth and depth of the audit focus is, and it is expected to increase as the PCAOB revises AS2 and issues other standards addressing the auditor’s approach to fraud.
While the approach to evaluating the design and operating effectiveness of the anti-fraud program is no different than it is for other controls, the focus is primarily on management fraud and the risk stemming from management’s override of controls. This view reaches beyond the traditional issue of third-party fraud to include fraudulent financial reporting, misappropriation of assets, expenditures and liabilities incurred for improper or illegal purposes (e.g., bribes and influence payments), and fraudulently obtained revenue and assets and/or avoidance of taxes or other costs and expenses. In addition, like every other aspect of the annual assessment of ICFR, management reaches and supports a conclusion before the auditor does.
What is the value proposition?
Much has changed in recent years with respect to fraud. SOA sets the expectation for reliable financial reporting. SAS 99 sets requirements for external auditors, and AS2 makes the consideration of fraud more explicit during the assessment of ICFR. The Federal Sentencing Guidelines have been enhanced and require stronger anti-fraud programs. In addition, corporate fines have been increased substantially and stiff jail terms have become the norm for securities fraud. In this high-profile environment, forward-thinking and proactive companies choosing to (1) incorporate a substantive anti-fraud program assessment into their evaluation of ICFR, and (2) act on those assessments to improve their program, will realize the following benefits:
- Increased likelihood of prevention and more timely detection of fraud before it becomes material
- Protection of enterprise assets and resources from misappropriation and other losses due to fraudulent activity
- Reduced reputation risk and increased protection to senior executives when something goes wrong
- More comprehensive and cost-effective Section 404 assessments, with external auditor buy-in as to the effectiveness of the anti-fraud program and related controls
While there are real benefits of conducting an effective anti-fraud program assessment, the risks of NOT performing an assessment are potentially pervasive. Left unchecked, the risk of corruption, asset misappropriation and fraudulent financial statements can impact many aspects of an entity’s operations and even affect its ability to survive. In terms of potential loss, fraudulent financial statements can be the most devastating. Once such fraud is uncovered, the reaction of the investing public and the resultant diminution of the entity’s market capitalization are inevitable. Investors, employees, lenders and other stakeholders are impacted severely as the value of their financial interests evaporates, leaving them no recourse except to litigate. In addition to the financial damage inflicted on the company, there is the more enduring, albeit less calculable, damage of reputation loss, market share and brand name erosion. Even after lawsuits are settled and the guilty are prosecuted and sentenced, these damages continue to linger and may be impossible to overcome, except perhaps over very long periods of time. Therefore, a robust, effective anti-fraud program can preserve enterprise value.
If a company does not have an effectively functioning anti-fraud program, AS2 requires the auditor to conclude that the control deficiencies in this area are at least a significant deficiency in ICFR, necessitating, at a minimum, disclosure to the audit committee. If the auditor determines that the deficiencies in the anti-fraud program constitute a material weakness, an adverse opinion is issued. As the PCAOB refocuses audits of ICFR and turns up the volume on what’s important, the message becomes clear: Pay attention, because auditors could start playing this one tough.
What should management do differently?
Historically, for many companies, the anti-fraud model:
- Has often narrowly focused on industry fraud risks (e.g., retail shrinkage, healthcare/Medicare fraud, etc.);
- Was frequently reliant on “silo” management techniques in which the responsibility for managing fraud resides separate and apart from all other key organizational functions; and
- Left the responsibility to mitigate fraud to middle managers who were autonomous and not held accountable except for third-party fraud.
The traditional anti-fraud model is inadequate to accomplish the new regulatory initiative in the post-SOA world. While there is no “one size fits all” approach and the various regulations allow for some flexibility, companies need an effective anti-fraud program in place with active involvement from senior management and oversight by the board of directors and audit committee. Management also must be prepared to demonstrate that it has developed an effective program. The following are the attributes of an effective program:
- There is a strong emphasis on creating a culture of honesty and high ethics, evaluating anti-fraud processes and controls, and developing an appropriate oversight process.
- Both management and the audit committee are focused on an effective anti-fraud program. Both receive reports evidencing effective operation of the anti-fraud program.
- Ineffective “silo” management of fraud risk is eliminated as the fraud risk focus is broadened and integrated with other aspects of the business. For example, enterprise, business unit, industry and geographic fraud risk assessments are conducted periodically.
- Audit committees and boards have developed a network extending beyond senior management to obtain information and feedback. This network should include internal audit, financial reporting personnel, external auditors and other advisors, and is consulted on a regular basis to ensure that the anti-fraud program is effective and meets the requirements of all applicable regulations, laws and rules.
- Audit committees must provide oversight. For example, a publication issued by the American Institute of Certified Public Accountants (AICPA) indicates that audit committees must recognize that a significant root cause of fraud risk is management’s override of internal controls. The AICPA’s guidance recommends that audit committees, among other things, maintain appropriate skepticism, brainstorm to identify fraud risks, use the code of conduct to assess the financial reporting culture and ensure the entity cultivates a vigorous whistleblower program.
The good news is that most companies already have elements of an anti-fraud program in place. Many of the controls identified at both the entity level and process level serve a dual purpose in preventing, deterring or detecting fraud. Therefore, Section 404 evaluation teams must identify these dual-purpose controls as well as ensure that their inventory of the elements of the anti-fraud program, both currently in place and under development, is complete. By making fraud explicit in the Section 404 assessment, the evaluation team addresses the risk of both inadvertent and intentional errors simultaneously, and not at different points in time. To achieve this integration, there are three key words: “Make fraud explicit.” Make fraud explicit in the company’s risk assessment and controls design and testing, during the entity-level controls assessment, and during the review of the period-end financial reporting process.
How is an anti-fraud program evaluated?
An anti-fraud program evaluation identifies fraud risk within the entity, including the existence of gaps, i.e., areas where the current state of anti-fraud controls is inadequate. Despite the importance of a fraud risk assessment process, only 47 percent of Fortune 1000 companies claim that they have such a process at both the entity and process levels, according to Protiviti’s recent Fraud Risk Management Survey. It is imperative that management’s Section 404 assessment address the design of controls to prevent or detect fraud, including who performs the controls and the related segregation of duties. The assessment should identify areas where fraud could occur, and areas where responsibility and accountability for anti-fraud policies and procedures should be established. As a supplement to this issue of The Bulletin, see Suggestions for Evaluating Your Anti-Fraud Program, available at www.protiviti.com.
The Federal Sentencing Guidelines, as amended, set forth minimum criteria for evaluating the effectiveness of a compliance and ethics program. These amendments require that “high-level personnel of the organization” take the necessary steps to ensure that the organization has an effective compliance and ethics program and that “specific individuals within the organization” are responsible for the day-to-day operation of the program. The “high-level personnel” must be involved in oversight and monitoring activities, and must not delegate such activities in a manner that dilutes accountability and decision-making. They also must participate in other ethics and compliance-related activities, such as:
- Formulating clearly stated compliance standards and procedures to prevent and deter criminal acts
- Communicating the organization’s standards, procedures and other aspects of its compliance and ethics program
- Establishing monitoring and auditing systems as well as reporting systems that provide feedback on the monitoring and auditing process and include appropriate protective safeguards
- Deploying an effective complaint and confidential, anonymous reporting process (see Volume 1, Issue 11 of The Bulletin, available at www.protiviti.com), and investigating dispositions of complaints to ensure appropriate and consistent application across the enterprise
- Periodically reviewing the entity’s anti-fraud-related training to assess its effectiveness and modifying it as necessary to ensure continued effectiveness
- Promoting and enforcing the compliance and ethics program through performance incentives and disciplinary action
- Continuously improving compliance standards and procedures, and other preventive and detective measures, based on experiences with responding to violations
Management and the audit committee should use the criteria, as defined above by the sentencing guidelines, as a baseline for evaluating the organization’s anti-fraud program.
Another useful benchmark when evaluating the effectiveness of the anti-fraud program is the control framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) as set forth in its Internal Control – Integrated Framework. This framework requires an evaluation of the anti-fraud program at both the entity level and process level. In addition, the five interrelated components of the COSO framework provide criteria for evaluating the design of an anti-fraud program. The use of the COSO framework in evaluating the anti-fraud program is illustrated in the supplement (available at www.protiviti.com) on Page 7.
Vigorous enforcement is vital when fraud occurs
Once an anti-fraud policy is established, appropriate incentives and performance metrics must be considered for compliance, and strong disciplinary measures meted out for violations. For example, responsibility for executing certain preventive controls should be built into job descriptions and set forth as performance expectations. Performance should be partially evaluated and rewarded based on execution in accordance with those expectations. Based on Protiviti’s Fraud Risk Management Survey, 54 percent of the participating organizations hold managers accountable for the actions of the employees for whom they are responsible. Furthermore, 49 percent place accountability on employees by explicitly stating their roles relating to the prevention of fraud in their job descriptions, while 42 percent incorporate fraud prevention goals within the performance evaluation process.
With the right expectations set forth, the enforcement of established policies is critical when fraud is detected. This is a complex area, frequently requiring responsible, senior level personnel to authorize the initiation of an internal investigation to ascertain the facts and decide on an appropriate course of action (e.g., criminal or civil prosecution, termination, restitution, filing insurance claims, etc.). Often, management may be ill-equipped to manage the investigative process due to time, budgetary or other resource constraints. In some instances, retaining outside counsel and/or other specialists (e.g., fraud examiners, forensic accountants and qualified investigators) to assist in conducting a thorough and independent investigation of the matter should be considered. These outside professionals are best suited to assist the organization in fact-finding, analyzing data and performing technical activities (e.g., copying computer hard drives, performing massive e-mail searches, reviewing books and records, etc.) that will enable management (and outside counsel) to thoroughly investigate a suspected fraud and bring the matter to closure. In addition, an independent investigation is perceived as having greater objectivity and substance when reporting its findings.
A company’s anti-fraud program is an integral part of its corporate governance process and is fundamental to protecting tangible and intangible enterprise value and preserving the reliability of public reporting. With the audit committee providing oversight, management is tasked with establishing, validating and monitoring effective internal controls to prevent, deter and detect fraud on a timely basis. When focused on proactively evaluating, mitigating and monitoring fraud risk (versus a passive, complacent and hands-off belief that the controls in place are satisfactory), an anti-fraud program helps management meet the challenge of reducing the opportunity for material fraud to occur.
Key Questions to Ask
Key questions for board members:
- Has an anti-fraud program been presented to the board that focuses on areas of probable fraud as well as integrates appropriate control measures across all aspects of the company? Is it reinforced regularly by the tone from the top? Are there any gaps requiring remediation? Is there fraud risk requiring attention?
- Is the audit committee compliant with requirements of SOA Section 301 to establish an effective complaint and confidential, anonymous reporting process? Has the audit committee sought out advice regarding the reporting, escalation, tracking and investigative protocols and procedures necessary to make the program work?
- Does the board oversee management’s communication, monitoring, reinforcement and enforcement of the company’s anti-fraud program? For example, when there are incidents requiring follow-up, is the board satisfied with the disciplinary measures taken and the corrective improvements made to the company’s processes and controls?
Key questions for management:
- Is management satisfied the company is compliant with the Federal Sentencing Guidelines, as amended?
- Is a senior executive, with access to the CEO, responsible for the anti-fraud program? Is the focus of the program broader than third-party fraud?
- Has the company conducted a fraud risk assessment to identify and prioritize the risks, and source them within the organization? Does the company’s anti-fraud program, and the related controls, correspond to the identified fraud and misconduct risk? Has fraud been made explicit in the Section 404 assessment of ICFR?
- Have the external and internal auditors provided any recommendations for improving the anti-fraud program? Have there been any fraud incidents suggesting the need for improvements to the program? Has management formulated plans to address these improvement opportunities?
The Bulletin (Volume 2, Issue 9)