Strengthening Governance: Effective Mechanisms for Reporting, Investigating and Remediating Fraud
There are numerous resources available that guide those charged with governance (referred to as audit committees) toward building programs to include anti-fraud controls and cultivation of anti-fraud environments (1). When put into place and followed, these programs go a long way in the prevention and deterrence of fraud. However, even when the strongest fraud prevention programs are in place and operating as designed, fraud may still occur. This practice aid is intended to briefly cover the key elements of an anti-fraud environment and responsibilities for such with emphasis on the structure, policies and procedures that audit committees need to ensure are in place before fraud occurs and the specific action steps to take if and when alleged fraud is suspected.
Let’s first dispel some common misconceptions:
Handling alleged instances of fraud committed within an organization is solely the responsibility of organization management.
Establishing effective mechanisms for the reporting, investigating and remediating of fraud is a shared responsibility with the organization’s audit committee:
Section 301 of the Sarbanes-Oxley Act specifically requires the audit committee “to establish procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.” Nonprofit organizations can use the specific requirements for audit committees as outlined in the Sarbanes-Oxley Act and the Securities and Exchange Commission rules as a guide. The requirements can be found on the AICPA Web site at www.aicpa.org/sarbanes/index.asp.
Fraud is primarily found in large, multinational organizations.
Fraud is not limited to organizations of a certain size and composition. A finding of the 2010 study released by COSO, Fraudulent Financial Reporting: 1998-2007 – An Analysis of U.S. Public Companies (2), indicates that the organizations charged with fraudulent reporting by the SEC, as represented within the study over a 10-year period, included startups with no assets or revenues as well as much larger organizations.
It is not possible to predict potential fraud before it happens, so creating a plan in advance to deal with suspected fraud would be a waste of time and resources.
While not every instance of fraud may be predictable, organizations and their audit committees are best served by gaining an understanding of fraud risk factors and establishing a plan in advance to deal with suspected fraud expeditiously if and when it arises rather than scrambling to identify and pull together adequate resources in the midst of a crisis.
Creating An Anti-Fraud Environment
Building an anti-fraud environment can serve to significantly reduce the risk of fraud and increase the likelihood that, if fraud does occur, it will be detected at an early stage.
Understanding the fraud risk factors an organization faces. This requires an ongoing assessment of risks along with the controls that an organization has in place to mitigate those risks on an enterprise-wide basis. The activities associated with building an organization’s fraud risk profile include:
- identifying susceptibility of the organization to various types of fraud (e.g., asset misappropriation, financial reporting fraud and corruption) and who is likely to commit fraud (e.g., internal – management, employees; external)
- understanding industry “red flags”
- determining likelihood and significance of potential frauds
- assessing effectiveness of anti-fraud controls in place
Setting the tone at the top with regard to the effectiveness and visibility of board and audit committee oversight. The activities associated with oversight include:
- understanding what the most significant fraud risks are and where the organization may be susceptible to pressure, opportunity and rationalization to commit fraud (“warning signs”)
- reviewing significant relevant transactions, asking difficult and probing questions, and developing alternative sources of information about what is happening in the organization with respect to fraud risks
- evaluating the programs and controls that management has developed for managing fraud risks
- cultivating an ethical corporate culture by ensuring a comprehensive and accessible code of conduct is developed and actively supported by management and the audit committee
- independently assessing and monitoring effectiveness of the anti-fraud environment on a periodic basis
Evaluating the organizational structure in relation to existing anti-fraud policies and procedures. The activities associated with this step rely on consideration of the:
- susceptibility of the organization structure to fraud – e.g., opportunity for management override of internal controls; locations where cultural differences may overtly or inadvertently lead to the occurrence of fraud
- effectiveness of policies and procedures designed to prevent/detect fraud – e.g., performing background investigations of newly hired employees and existing employees on a periodic basis, establishing whistle-blower hotlines, disclosure to regulatory and law enforcement authorities, and developing controls over information security and records retention
- development of protocols and procedures in advance to handle suspected fraud if and when it does occur
See CAQ Guidance section below for the Center for Audit Quality’s (CAQ’s) 10-question guide for audit committees in exercising skepticism when inquiring about financial reporting fraud.
Effective Mechanisms for Reporting, Investigating and Remediating Fraud
Even when there is effective oversight and the risk of fraud within an organization is significantly reduced as a result, there is always the possibility that fraud will still occur. So, what does the audit committee need to do now to detect fraud at an early stage and be able to remediate the system of internal control and minimize damage?
Under the Sarbanes-Oxley Act of 2002, all entities (this is one of the provisions of Sarbanes-Oxley that is applicable to nonprofit organizations) are required to maintain effective whistleblower hotlines to handle employees’ allegations of financial reporting fraud. In addition to these hotlines, allegations of fraud can be identified through many other sources including external and internal auditors, consultants, customers, vendors, anonymous tips and others. Regardless of the source, audit committees should demand immediate access to information supporting allegations of significant fraud occurring within the organization and give such matters the highest priority.
Once suspected fraud comes to the attention of the audit committee, it should evaluate the need to conduct an independent investigation into the alleged fraud. Fiduciary responsibility is first and foremost! The focus of independent investigations involves the following protocols and scoping considerations and often needs to be a flexible and iterative process. The audit committee may fulfill its responsibility by engaging investigative counsel and forensic accountants, as appropriate (3):
- Identify who should be involved, both within and external to the organization
- Define specific roles and responsibilities of individuals
- Perform an initial assessment to gather evidence and determine the potential scope/magnitude of the fraud
- Identify individuals to interview and conduct thorough interviews
- Determine additional procedures required (e.g., computer-assisted data analysis techniques, customer calls/confirmations, etc.)
- Ensure regulatory or statutory requirements are appropriately met
- Evaluate results and remediate
- Determine whether disciplinary actions are appropriate or criminal charges should be brought
- Ensure proper disclosures are made
- Document findings (how the matter arose; who was involved; who was interviewed; what other evidence was discovered; how the matter was handled; results and why certain conclusions were reached and how they were communicated)
- Based upon above, take preventive measures for the future, including making enhancements to internal controls
Regardless of whether an investigation is conducted in-house or is outsourced to an independent third party, the audit committee must be involved in every step of the process and must have a plan in place in advance to “triage” instances of suspected fraud to ensure that it is handled properly and handled by the right individuals. Along these lines, a best practice is to cultivate relationships with external advisors before their services may be needed. Audit committees need to be prepared to spend time and effort throughout the process, as these investigations often take on a life of their own. At the end of this experience, ensure that there is proper reflection on what went wrong and that adjustments are made to policies, procedures and controls and that education is provided throughout the organization to help prevent future recurrence.
Facing allegations of fraud within an organization can be a frustrating and challenging time for those charged with governance. Cultivating an ethical culture and having established policies/procedures and identified resources in advance of fraud allegations will allow those with oversight responsibility the wherewithal to react quickly and effectively to combat fraud and minimize the damage to the organization.
CAQ Guidance: Inquiring About Financial Reporting Fraud – A Guide For Audit Committees (4)
The following is a list of questions prepared as a guide for audit committees excerpted from the Center for Audit Quality’s (CAQ’s) 2010 report, Deterring and Detecting Financial Reporting Fraud – A Platform for Action. The questions were prepared by the CAQ as a starting point in order to “advance the thinking of audit committees around the most likely sources of weakness, with a particular eye for business pressures that may influence accounting judgments or decisions.” Audit committees should customize these questions further to apply to their organizations:
- What are the potential sources of business influence on the accounting staff’s judgments or determinations?
- What pressures for performance may potentially affect financial reporting?
- What about the way the organization operates causes concern or stress?
- What areas of the organization’s accounting tend to take up the most time?
- What kind of input into accounting determinations does non-financial management have?
- What are the areas of accounting about which you are most worried?
- What are the areas of recurring disagreement or problems?
- How does the organization use technology to search for an unnatural accounting activity?
- If a newspaper article were to appear about the organization’s accounting, what would it most likely talk about?
- If someone wanted to adjust the financial results at headquarters, how would they go about it and would anything stop them?
Recommended Anti-Fraud Program Resources:
BDO Consulting’s Fraud Prevention Program includes the following elements designed to assist management and audit committees in the prevention, detection and remediation of fraud:
- Fraud risk assessment
- Fraud education
- Ethics awareness and education
- Background investigations
- Mechanisms for reporting and investigating fraud
- Board and audit committee oversight
The CAQ’s anti-fraud initiative site is available at: http://www.thecaq.org/Anti-FraudInitiative/index.htm. As part of this initiative, consider the CAQ’s 2010 report “Deterring and Detecting Financial Reporting Fraud – A Platform for Action,” which focuses on financial reporting fraud at publicly traded organizations of all sizes.
Association of Certified Fraud Examiners’ (ACFE) Fraud Resources available at: http://www.acfe.com/fraud-resources.aspx.
The AICPA Anti-Fraud and Corporate Responsibility Center provides various tools and information to professionals in combatting fraud available within: http://www.aicpa.org.
AICPA Fraud and Forensics publications – while aimed at CPAs, these resources may provide additional guidance useful to management and audit committees.
(1) Refer to the appendix of this practice aid for a listing of several recommended anti-fraud program resources
(2) Refer to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2010 study “Fraudulent Financial Reporting: 1998-2007 – An Analysis of U.S. Public Companies”
(3) Note: Many of the protocols outlined can and should be established before fraud occurs and should be considered as part of the audit committee’s creation of an anti-fraud environment.
(4) Refer to the CAQ’s report on “Deterring and Detecting Financial Reporting Fraud – A Call to Action”