Risk Management: Marsh
Fraud Risk Assessments — Part Two

The assessment process should focus on whether the company has identified its significant compliance risks and whether it is effectively managing these risks. The assessment should be holistic, involving not just a review of the corporate compliance function, but also the role of other corporate functions involved in mitigating the risks of company misconduct. These functions will likely include the internal audit, legal, and corporate compliance departments as well as the audit committee.

In assessing the company's compliance activities and functions, the following areas should be reviewed:

  • The financial reporting structure and controls in place to ensure independence, accuracy, and completeness in financial reporting.
  • Past reported incidents of employee misconduct and non-compliance. The review should look at the incidents involved, the process by which they were handled, investigated, and reported, disciplinary action taken as a result of the investigation, and other actions taken to strengthen controls and prevent a recurrence.
  • The assessment processes undertaken by the company to identify its compliance risks in the past and steps taken to address such risks.
  • Company standards, e.g., codes of conduct and more detailed business practices guidelines, put in place to address significant compliance risks. The assessment should answer the question whether the company has identified all its significant company misconduct risks and adopted standards for employee conduct that address these risks.
  • The overall compliance structure, professionals involved, their roles and responsibilities, their reporting relationship to management and the board, and their interaction with other corporate functions with compliance responsibilities such as internal audit.
  • Effectiveness of mechanisms for employee reporting of misconduct without fear of retaliation.
  • Auditing programs and monitoring systems in place that address compliance risks.
  • Compliance training, education, and awareness programs.
  • Corporate time and money spent on compliance functions and activities, especially time devoted by senior management and the board of directors. The involvement and oversight of senior management and the board in the overall compliance program is perhaps the greatest indicator of the program's effectiveness. The fraud risk assessment should include a qualitative and quantitative review of the audit committee and senior management's activity in this regard.
Assessing company misconduct risk involves the review of documents and interviews of employees to determine whether the company has identified significant compliance risks and has structured its compliance program to effectively manage such risks. Employees to be interviewed should include members of the audit committee, senior management, internal audit, legal and compliance professionals, and members of the company "rank and file." How the program touches this last group and their view of management's attitude toward compliance is perhaps the greatest indicator of the program's effectiveness. Such information can be obtained through employee surveys, focus groups, or a series of individual interviews.

The analysis of the company's compliance program and its effectiveness in deterring company misconduct is, by definition, somewhat of a subjective process. The credibility of the analysis is enhanced by the quality, experience, and independence of the professionals conducting the assessment. It is also enhanced by building a record over time that demonstrates that annual assessments were carefully planned and conducted, thoughtful recommendations were made, and such recommendations were implemented as part of a process of continuous improvement. The assessment work should be extensively documented for review by the company's outside auditor.

Assessing Fraud Risk—Fraud Against the Company
The fraud risk assessment process for examining fraud against the company is quite different from the process for assessing company misconduct risks. The focus is not primarily on what the company is doing to ensure its people are conducting business lawfully and responsibly. Rather, the focus should be on company assets and how they are being protected from rogue employees and outsiders.

Assessing the risks of fraud against the company and management's response generally involves a review of the company's vulnerabilities to persons seeking to steal assets or otherwise harm its business in a deceitful way. The focus should be on the assets that can be most easily stolen and areas providing the greatest opportunity to misuse assets. Areas to be reviewed include cash disbursements, purchasing, procurement, treasury operations, and executive expenditures.

The focus is more traditional—does the company have adequate processes and procedures in place to safeguard its assets? Examples of areas of focus include:
  • Controls around vendors and payments to vendors. Is there a process in place to ensure vendors are properly vetted and to provide reasonable assurance that payments are to bona fide vendors for goods purchased or services rendered?
  • Controls around the payment authorization process. Are there rules in place to ensure payments are appropriately approved by persons with the appropriate authority?
  • Controls around who can sign checks and authorize and execute wire transfers. Is cash appropriately safeguarded?
  • Controls around bank reconciliations. Are reconciliations performed on a timely basis for all accounts to assure that cash is safeguarded?
  • Screening procedures for new vendors and employees. Who is the company hiring? What vendors are being utilized?
  • Gift, conflict of interest and company credit card policies. Does the company have policies to ensure sound decision making by employees on the company's behalf?
  • Procedures in place to meaningfully review employee travel and expense transactions. Is the appropriate message being sent to employees concerning expenditures that are highly susceptible to abuse?
The above are just examples of many areas that should be reviewed. Assessing a company's vulnerability to fraud should include a review of company processes and procedures, controls documentation, and most importantly, interviews of personnel. Any incidents of past frauds in this area will also be an important part of the assessment.

Conclusion
Conducting a comprehensive fraud risk assessment is now an essential risk management function that must be performed annually for all public companies. A properly conducted risk assessment helps ensure that a company's anti-fraud programs and controls are up to date and working effectively, thus reducing the risks of company misconduct and fraud against the company. This is a serious process that management and the Board ignore at their peril. In the post-Sarbanes-Oxley business environment, having effective anti-fraud programs and controls is not just good corporate governance; it is a requirement of doing business well.

Return to part one of this article.

Copyright © 2004 Marsh Inc.