Armed with professional skepticism and the authority to interrogate data and employees, auditors are formidable opponents to corporate criminals—at least, in theory. In practice, though, external auditors uncover the misdeeds in just 3 percent of cases (5 percent at larger companies), less often than fraud is discovered by accident. Why? “Normally, audit procedures are not designed to detect illegal acts,” Tim Hedley, global fraud risk management leader for KPMG, says.
As companies work to implement the updated COSO internal control framework, they are finding that they must close the gaps between the old version and the new. The most common areas of concern include controls over risk assessments, outsourced service providers, and information quality. In these areas companies are identifying missing controls, or controls that exist but aren’t tested for operating effectiveness. “We have not seen many companies identifying principle gaps,” says Sandy Herrygers, a partner with Deloitte.
The Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has proposed new rules that would require financial firms to go to greater lengths to identify the beneficial owners of the businesses with which they transact. The rules, intended to help the government pursue money laundering and terrorist financing, could help prevent shadowy businesses from opening accounts. “Some financial institutions may determine it’s not worth the risk,” says Charles Horn, a partner with law firm Morgan Lewis.
Nearly all companies provide some online compliance training. So how do they know it is working? Many don’t. But companies are getting better at evaluating the effectiveness of training and at observing whether it actually changes behavior at the company. “Over the last 12 to 18 months, I’m hearing more clients talk about effectiveness,” says Ingrid Fredeen, vice president of advisory services with NAVEX Global.
When it comes to assessing risks or planning annual audits, companies may be making the same mistakes over and over again, perhaps realizing they are hitting a wall but failing to find a way around it. In the latest edition of our GRC Illustrated Series, which explores how to conduct risk assessments, Jason Mefford, president of Mefford Associates, outlines the steps for making your risk assessment support your audit plan. More inside.
Companies that rely on third-party service providers to handle their customers’ credit card data can rest a little easier. Um, assuming those providers play by the rules, that is. The Payment Card Industry Security Standards Council has issued new guidance on how to ensure that payment card data entrusted to third parties is securely maintained. It walks companies through the steps to verify that security measures are in place. More inside.
Just over a year ago the Securities and Exchange Commission announced the formation of a Financial Reporting and Audit Task Force, intended to enhance the SEC’s ability to detect fraudulent and improper accounting, reporting, and auditing. Inside, columnist Robert Herz looks at recent SEC enforcement themes and actions on financial reporting fraud.