While the ‘F’ word has always been an ever-present threat in Corporate America, one particular type of fraud—financial-statement fraud—has taken center stage since the corporate scandals of the early 2000s put Sarbanes-Oxley into motion.

Since the Securities and Exchange Commission’s rules for implementing Section 404 of SOX took effect, companies have had to assess the risk of fraud in their financial statements to meet their internal controls reporting requirements. Trouble is, no comprehensive guidance on how to conduct a fraud risk assessment is readily available in one place.

“The challenge is that in the U.S. there’s no single fraud risk standard to measure against,” says Pam Verick Stone, a director at risk management consulting firm Protiviti.


Toby Bishop, a partner at Deloitte Financial Advisory Services, agrees that “a lack of extensive or authoritative guidance” on the subject has left auditors and financial reporting executives vexed. Most of the methodology developed over the last few years, he says, arose “through practical experience.”

That has frustrated some internal auditors, such as Bill Stepaniuk, director of internal audit at PrimeWest Energy Trust, an energy company based in Canada. He says he cannot find “any definitive guidance on how such an assessment is to be performed.”

“Any literature I read takes me onto a comprehensive and costly enterprise risk management path, when all I wanted was direction on fraud risk assessment,” he laments.

Regulators and industry associations have heard the message, and are trying to respond. The Institute of Internal Auditors is collaborating with the American Institute of Certified Public Accountants and the Association of Certified Fraud Examiners to develop comprehensive guidance on conducting a fraud risk assessment. The Public Company Accounting Oversight Board, meanwhile, issued a report in January urging auditors to pay more attention to fraud. Its standing advisory group also is mulling whether fraud checks can be worked into routine audits more closely.

The IIA’s fraud guidance will cover three areas:

Defining a fraud risk assessment methodology;

Codifying preventive and detective techniques to mitigate fraud risk; and

Developing and implementing an effective anti-fraud program.

David Richards, president of the IIA, readily admits that currently, “there’s lots of written material on the subject, but it’s not pulled together in one place.”

Led by a seven-person steering committee, the guidance will be developed by a 25-member task force composed of representatives from the sponsoring organizations, as well as the Big 4 audit firms, and voices from government, industry and business, management, and audit committees. Richards says the group hopes to have a working draft of the guidance by June, an exposure period in July and August, and a final rollout in September.

Working Without Guidance

Until such comprehensive help arrives, says Stone at Protiviti, companies commonly will piece together authoritative guidance and leading practices from a number of sources. Chief among them are the exhibit to Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit, titled Management Antifraud Programs and Controls, and the section of Chapter 8 of the Federal Sentencing Guidelines on effective compliance and ethics programs. Other useful sources are stock exchange corporate-governance rules and the Institute of Internal Auditors’ professional practice standards 1210.A1 and 1210.A2 (see the excerpt from the IIA standards below).


Dow Chemical conducted its first formal assessment of fraud risks to the financial statements, as specified under Section 404, in 2004. “We looked at everything out there,” says Doug Anderson, Dow’s director of corporate auditing. “There wasn’t much.” Anderson even had his staff search through accounting textbooks. “It was good information, but it wasn’t groundbreaking and it didn’t tell us how to do the assessment.”

Anderson and his team then created an internal document that spelled out Dow’s financial statement fraud risks and how those risks can be mitigated. In addition to control activities, structural and governance elements are taken into consideration, such as the company’s ethics hotline, its separate fraud investigative services function, its centralized systems and work processes, and its structural separation of the preparers of its financial data and those who analyze it.

While the first year effort was led by internal audit, the internal controls compliance group now owns the process, Anderson says, although internal audit still helps with the assessment.

Anderson also stresses that the assessment focuses narrowly on fraud risks to financial reporting—not all fraud. The company has other processes in place for considering other types of risk. “For this exercise, we only look at things that could result in a material misstatement,” he says. “We didn’t try to bite off the whole world of fraud.”

SUMMARY

The excerpt below is from the Institute of Internal Auditors' "International Standards for the Professional Practice of Internal Auditing":

Attribute Standard 1210

Proficiency

Internal auditors should possess the knowledge, skills, and other competencies needed to perform their individual responsibilities. The internal audit activity collectively should possess or obtain the knowledge, skills, and other competencies needed to perform its responsibilities.

Implementation Standard 1210.A1 (Assurance Engagements)

The chief audit executive should obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Implementation Standard 1210.A2 (Assurance Engagements)

The internal auditor should have sufficient knowledge to identify the indicators of fraud but is not expected to have the expertise of a person whose primary responsibility is detecting and investigating fraud.

Implementation Standard 1210.A3 (Assurance Engagements)

Internal auditors should have knowledge of key information technology risks and controls and available technology-based audit techniques to perform their assigned work. However, not all internal auditors are expected to have the expertise of an internal auditor whose primary responsibility is information technology auditing.

Implementation Standard 1210.C1 (Consulting Engagements)

The chief audit executive should decline the consulting engagement or obtain competent advice and assistance if the internal audit staff lacks the knowledge, skills, or other competencies needed to perform all or part of the engagement.

Source

International Standards For The Professional Practice Of Internal Auditing (IIA)

On paper, conducting a fraud risk assessment seems relatively simple: Companies evaluate their fraud risk factors; identify possible fraud schemes and scenarios; prioritize the identified fraud risks; and evaluate whether their mitigating controls are effective, addressing any gaps. But experts say executing those steps can prove challenging. A company’s size, the nature of its operations, its processes, controls, and geographies all factor into its fraud risks, and the risks themselves change over time.

“There’s no one right way to do a fraud risk assessment, but there are a lot of wrong ways,” says Protiviti's Stone, who stresses that a fraud risk assessment must be tailored to the organization. “No two organizations have the same fraud risk profile.”

Where Mistakes Happen

Identifying all of the types of financial-statement fraud that might strike a business is where many companies falter. Companies may underestimate some risks—or miss them completely—simply because they lack the internal expertise to recognize all of the potential fraud schemes that could occur in their organization.

“Inventorying all of their fraud risks is where most people fall down,” says Tim Hedley, a partner in KPMG’s forensic-services practice. “People don’t know what they don’t know.”

Companies need to go beyond getting input from inside the organization to figure out all of the risks applicable to their business, Hedley says. For instance, they should scour existing resources and information from professional associations, such as the ACFE, to learn about fraud risks specific to their industry. He also suggests that companies study the SEC’s Accounting and Auditing Enforcement Releases involving companies in their industry.

Stone says getting input from employees across all areas and levels of the company is critical. “No one group can do a fraud risk assessment well by themselves,” she says. “You need the benefit of other people’s thinking.”

Stepaniuk, of PrimeWest Energy Trust, says one challenge he has faced is getting employees to participate in the discussion. When he sent out an internally developed survey to key staff members, Stepaniuk recalls, some recipients didn’t understand the intent of the survey, and some refused to answer the questions.

“The guidance suggests that you ask people to think like a crook when identifying fraud risk,” he says. “The wrong message is sent, or people quickly tune out. We are actively promoting entity level controls and a positive ‘tone at the top.’ Dialogues around fraud fly in the face of this initiative.”

Experts say such a reaction isn’t uncommon. “No one likes to think there’s fraud in their organization,” Stone says. “When the ‘F’ word comes up, people have a ‘There’s no fraud here’ mentality.” That kind of thinking can doom an assessment from the start, she says.

To take people off of the defensive, Stone suggests using a “scenario-based approach.” For example, a scenario could be “bribery,” which a company might define in its Code of Conduct as the inappropriate exchange of some item of value to obtain some business advantage. One risk associated with this scenario may be that an employee offers a bribe to a foreign government official specifically in exchange for new business opportunities in a certain geographic location, thereby violating company policy and the Foreign Corrupt Practices Act.

“A scenario-based approach gets people thinking about the possibilities and takes them out of a defensive position,” she says.