With the rush on for public companies to complete their Sarbanes-Oxley Section 404 documentation and testing of internal controls, there seems to be much confusion about what is required in the area of fraud risk. Public companies are now required to conduct "fraud risk assessments," but regulators as well as the major public auditing firms have provided little, if any, guidance on how to conduct these assessments. This paper provides a common sense approach for conducting a comprehensive fraud risk assessment.
Background and Regulatory Framework
The Sarbanes-Oxley Act, passed and signed into law in the summer of 2002, was the most far-reaching legislation affecting public companies since the passage of the Securities Act and the Securities Exchange Act during the Great Depression. Sarbanes-Oxley imposed an entirely new regulatory oversight regime over public accountants and the auditing of public companies, established new standards for corporate governance, increased accountability of corporate management and corporate boards over financial reporting, and increased penalties for corporate fraud.
Sarbanes-Oxley also spawned additional rulemaking by the U.S. Securities and Exchange Commission (SEC), the newly created Public Company Accounting Oversight Board (PCAOB), self-regulatory organizations such as the New York Stock Exchange and the NASDAQ, and the U.S. Federal Sentencing Commission, among others. The thrust of all this activity is to impose greater safeguards against corporate fraud and prevent corporate wrongdoing that had led to debacles such as Enron, Arthur Andersen, WorldCom, Tyco, Adelphia, etc.
Pursuant to responsibilities imposed on them by Sarbanes-Oxley, the SEC and PCAOB issued regulations specifically outlining steps companies must take to address the risk of fraud affecting their organizations.1 These regulations provide that:
- Public companies are required to have in place "anti-fraud programs and controls" that, at a minimum, address the risk of fraud that has at least a reasonably possible likelihood of having a material effect on the company's financial statements.
- Annually, under Sarbanes-Oxley Section 404, management is required to assess the effectiveness of its internal control structure. As part of this assessment, management is required to perform a fraud risk assessment to evaluate the effectiveness of the company's anti-fraud programs and controls.
- Annually, the independent auditor must audit and issue an attestation report and state whether the auditor agrees or disagrees with management's assessment of the effectiveness of its internal control structure.
Of course, "anti-fraud programs and controls" predate Sarbanes-Oxley. Many large corporations already had corporate compliance programs. Virtually all public companies have a system of internal controls that are designed to promote accuracy in their financial reporting and to protect against misappropriation of assets.
The thrust of the new regulatory paradigm is that virtually all public companies today are now required to have in place both effective compliance programs and effective internal controls and must now prove it on an annual basis. Tying anti-fraud programs and controls to the annual financial reporting process ensures that public companies will face increasing scrutiny over the programs and controls they put in place to prevent and detect fraud and misconduct.
The deadline for performing fraud risk assessments is fast approaching. Such attestation reports are required for accelerated filers with fiscal year-ends on or after November 15, 2004 and effective for all other filers with fiscal year-ends on or after July 15, 2005. A public company that does not conduct a comprehensive fraud risk assessment and ensure appropriate steps are taken to mitigate fraud risks runs a significant risk that its external auditors might report a significant deficiency in its system of internal controls.
Defining Fraud Risk
Before discussing how to conduct a fraud risk assessment, it is helpful to first define what "fraud risk" means. "Fraud risks" found by most companies today are essentially two-fold:
- The risk that a company employee or agent might engage in fraud or improper business practices to secure some real or perceived gain for the company to the detriment of a third party, e.g., competitors, shareholders, or others
- The risk that an employee, agent or other person might perpetrate a fraud to harm the company directly, e.g., misappropriate assets or otherwise harm the business
Shareholders are harmed by either type of fraud. However, responding to and managing the risks associated with each requires very different approaches.
The first type of fraud is potentially the most damaging and generally poses the greatest risk because the company is legally responsible for all the acts of its employees and agents in furtherance of its business. Actions taken by employees and agents that harm others subject the company to potential criminal and civil liability, forfeiture, investor lawsuits, and great reputational harm.
In extreme cases under the U.S. Federal Sentencing Guidelines, a federal judge could even order a company out of existence. Examples of these types of misconduct include fraudulent financial reporting, unfair competitive practices, over-charging, bribery, bid rigging, environmental crimes, etc. For the purposes of this discussion we will call the first type of fraud or misconduct "company misconduct" as the company could be found to be legally responsible for the fraudulent acts taken in its name and to its benefit.
In the second type of fraud, the company is the victim. Generally, the financial and internal audit functions of companies have taken a more traditional, internal-controls approach to mitigate the risks of this type of fraudulent activity. Examples of such frauds include theft, embezzlement, misappropriation of company secrets, vendor fraud, etc. Although this type of fraud can cause a company great harm, the risk of severe harm is generally not as great as the harm caused by company misconduct. For purposes of discussion, we will call this second type of fraud "fraud against the company."
Company misconduct and fraud against the company pose very different risks. Assessing and analyzing the degrees of risk and implementing strategies to manage these separate fraud risks comprise two very different and separate activities.
Anti-Fraud Programs and Controls
Historically, companies have created separate programs and controls to address the risks of misconduct and fraud against the company. Many companies have created corporate compliance programs to address the risks of corporate misconduct. Several have followed the blueprint for a compliance program structure endorsed by the U.S. Federal Sentencing Commission in its sentencing guidelines for organizations.2
A robust system of anti-fraud programs and controls is, however, broader than a company's compliance function. It is an integrated system that not only includes a company's compliance function, but also involves its internal control structure, its accounting and internal audit functions, and extensive involvement of the senior management and audit committee. Such an integrated structure was endorsed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in its October 1987 Report of the National Commission on Fraudulent Financial Reporting.3 Such an anti-fraud program will include:
- A comprehensive fraud risk assessment process
- Controls linked to risks identified in the fraud risk assessment
- Processes for monitoring and investigating fraud and company misconduct, including employee hotlines, compliance audits, and other systems designed to identify and address potential frauds
- Processes and controls put in place to ensure accurate financial reporting and safeguard company assets, particularly liquid company assets that are most susceptible to misappropriation
- Fraud/compliance awareness training
- A process for determining the effectiveness of the program and for continuous review and improvement
An effective anti-fraud program must be highly visible within the organization and be a top priority for both senior management and the audit committee. It should be adequately funded and run by senior-level executives with appropriate skills and experience and at least a dotted-line reporting relationship with the audit committee. All aspects of the program should be extensively documented in the Sarbanes-Oxley Section 404 process.
Conducting the Fraud Risk Assessment
Generally, there are three principal steps to conducting the fraud risk assessment:
- Planning and defining the scope and assessment worksteps
- Conducting the fieldwork, including interviews and reviews of documents
- Analyzing and reporting of findings and recommendations for improvement
The fraud risk assessment involves information gathering, analysis, and risk assessment. Information must be gathered from two principal sources: people and documents. Extensive interviewing will be required, and good interviewing skills are crucial. Processes to be reviewed and persons to be interviewed should be identified in the planning stage. Additional areas of inquiry may be added as required by facts uncovered.
Experience matters greatly—the fraud risk assessment will only be as good as the person(s) conducting it. Knowledge of fraud and potential fraud schemes is crucial. Some combination of legal and forensic accounting skills is also very helpful. It is also essential that the persons conducting the assessment thoroughly understand the company's business.
Companies hiring outside professionals to conduct fraud risk assessments should ask the question: Who is going to do the work? They should review the individual backgrounds of the engagement team to ensure they have the experience to effectively conduct the assessment. A fraud risk assessment is very unlike an audit, where large numbers of junior persons are employed to perform "tests" to confirm information.
The fraud risk assessment should be carefully planned, with input provided from senior management and the audit committee. Since the external auditor will be passing judgment on the assessment, it would probably be a good idea to review the plan in advance with the audit firm.
Following completion of the field work and a written report on the assessment, it is management's responsibility to implement new controls and processes linked to the fraud risks reported and to conduct follow-up audits and other procedures to ensure such controls are working properly. A checklist for implementing recommendations should be developed with responsibilities defined and timetables for completion established. Reviewing management's follow-up actions should be included as a first step in the succeeding year's fraud risk assessment.
Assessing Fraud Risk—Company Misconduct
The fraud risk assessment process requires a review of the company's efforts in identifying its areas of greatest risk of company misconduct, and the processes and procedures put in place to mitigate these risks. For most public companies, this means reviewing its corporate compliance structure and related programs and processes.
Continued: Read part two.
Footnotes
1. See SEC Release No. 33-8392, Final Rule on Management's Reports of Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, issued February 24, 2004, and PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, issued March 9, 2004.
2. See U.S. Federal Sentencing Guidelines Manual, Section 8A1.2, Commentary Note 3.k., "An effective program to prevent and detect violations of law." The Guidelines model has been largely followed because under U.S. law, a company found guilty of a federal offense gets sentencing credit if it has a compliance program modeled after the formula suggested by the Sentencing Commission. That formula contains seven basic elements: (1) compliance standards, (2) a high-level person responsible for the program, (3) due care in the delegation of authority, (4) effective communication and training of standards, (5) auditing and monitoring systems, (6) appropriate disciplinary measures, and (7) continuous improvement. It should be noted that in light of Sarbanes-Oxley, the U.S. Sentencing Commission has recently promulgated more detailed draft guidelines for organizational compliance programs. The new guidelines, for the first time, make risk assessment a mandatory process in the design of corporate compliance programs. They also require companies to perform periodic risk assessments to ensure that their compliance programs are appropriately addressing all relevant risks of criminal conduct emanating from the organization. These new guidelines, although not mandatory, are likely to influence the shape of future corporate compliance programs.