Category Archives: COSO

Governance and Fraud Detection

Originally, the business owner had the most say in decisions regarding the enterprise. Then, corporate structures were put in place to facilitate decision making, as ownership was spread over millions of shareholders. Boards of directors took over many responsibilities. But with time, the chief executive officer (CEO) ended up having a large say in the composition of the board and, in many instances, ruled and controlled the company and its strategy. The only option for shareholders appeared to be to sell their shares if they were not happy with the performance of a specific organization. Many anti-fraud professionals think that this situation contributed significantly to business demises such as that of Enron and to the horrors consequent to the mortgage meltdown and accompanying fiscal crisis.

Proposals were made to re-equilibrate the power structure by giving more power and responsibilities to the board and to specific committees, such as the audit committee, to better deal with internal control and fair financial reporting or the remuneration committee to better deal with the basis for the type and the level of remuneration of the CEO. New legislation was put into place, such as the US Sarbanes-Oxley Act and Basel II. Compliance with these pieces of legislation consumed a lot of attention, energy and cost.

Enterprises exist to deliver value to their stakeholders. This is accomplished by handling risk advantageously and using resources responsibly. Speedy direction setting and quick reaction to change are essential in such a situation so decision making must be shared among many. Therefore, governance comes into play. Successful enterprises implement an over-arching system of governance that facilitates the achievement of their desired outcomes, both at the enterprise level and at each level within the enterprise; this is especially true with regard to the problem of fraud detection.  In this context, a holistic definition of enterprise governance is in order: Governance is the framework, principles, structure, processes and practices to set direction and monitor compliance and performance aligned with the overall purpose and objectives of an enterprise.

This definition is initially implemented by the answers to and actions on the following governance related questions:

Who is accountable and responsible for enterprise governance? Stakeholders, owners, governing bodies and management are responsible and accountable for governance.

What do they do, and how and where do they do it? They engage in activities (set direction, monitor compliance and performance) in relationship with others and use enablers (frameworks, principles, structures, processes, practices) within the governance view appropriate to them (governance of the enterprise; of an organizational entity within the enterprise such as a business unit, division or function; and of a strategic asset within the enterprise or within an organizational entity).

Why do they do it? They institute governance to create value for their enterprise, determine its risk appetite, optimize its resources and use them responsibly.

In summary, accountability and stewardship are delegated to a governance body by the owner/stakeholder, expecting it to assume accountability for the activities necessary to meet expectations. In alignment with the overall direction of the enterprise, management executes the appropriate activities within the context of a control framework, balancing performance and compliance in achieving the governance objectives of value creation, risk management and resource optimization.

Fraud detection (within the context of a fully defined fraud prevention program) is a vital business process of the overarching governance function and can be implemented through numerous generally accepted procedures. A few examples follow.

One way to increase the likelihood of the detection by the governance function of fraud abuses is the conduct of periodic external and internal audits, as well as the implementation of special network security audits. Auditors should regularly test system controls and periodically “browse” data files looking for suspicious activities. However, care must be exercised to make sure employees’ privacy rights are not violated. Informing employees that auditors will conduct a random surveillance not only helps resolve the privacy issue, but also has a significant deterrent effect on computer assisted fraud exploits.

Employees witnessing fraudulent behavior are often torn between two conflicting feelings. They feel an obligation to protect company assets and turn in fraud perpetrators, yet they are uncomfortable in a whistleblower role and find it easier to remain silent. This reluctance is even stronger if they are aware of public cases of whistleblowers who have been ostracized or persecuted by their coworkers or superiors, or have had their careers damaged. An effective way to resolve this conflict is to provide employees with hotlines so they can anonymously report fraud. The downside of hotlines is that many of the calls are not worthy of investigation. Some calls come from those seeking revenge, others are vague reports of wrongdoing, and others simply have no merit. A potential problem with a hotline is that those who operate the hotline may report to people who are involved in a management fraud. This threat can be overcome by using a fraud hotline set up by a trade organization or commercial company. Reports of management fraud can be passed from this company directly to the board of directors.

Many private and public organizations use outside computer consultants or in-house teams to test and evaluate their security procedures and computer systems through the performance of system penetration testing.  The consultants are paid to try everything possible to compromise an enterprise’s system(s). To get into offices so they can look for passwords or get on computers, they masquerade as janitors, temporary workers, or confused delivery personnel. They also employ software based hacker tools (readily available on the Internet) and social engineering techniques.  Using such methods, some outside consultants claim that they can penetrate 90% or more of the companies they “attack” to a greater or lesser degree.

All financial transactions and activities should be recorded in a log. The log should indicate who accessed what data, when, and from which location. These logs should be reviewed frequently to monitor system activity and trace any problems to their source. There are numerous risk analysis and management software packages that can review computer systems and networks and the financial transactions they contain. These packages evaluate security measures already in place and test for weaknesses and vulnerabilities. A series of reports are then generated to explain any weaknesses found and suggest improvements. Cost parameters can be entered so that a company can balance acceptable levels of vulnerability and cost effectiveness. There are also intrusion-detection programs and software utilities that can detect illegal entry into systems along with software that monitors system activity and helps companies recover from fraud and malicious actions.

People who commit fraud tend to follow certain patterns and leave tell-tale clues, often things that do not make sense. Software is readily available to search for these fraud symptoms. For example, a health insurance company could use fraud detection software to look at how often procedures are performed, whether a diagnosis and the procedures performed fit a patient’s profile, how long a procedure takes, and how far patients live from the doctor’s office.

Neural networks (programs that mimic brain activity and can learn new concepts) are quite accurate in identifying suspected fraud. For example, Visa and MasterCard operations employ neural network software to track hundreds of millions of separate account transactions daily. Neural networks spot the illegal use of a credit card and notify the owner within a few hours of its theft. The software can also spot trends before bank investigators do.

Each enterprise needs to determine its appropriate overall governance system and the fraud detection approaches it decides to implement in support of that system. To help in that determination, mapping the governance frameworks, principles, structures, processes and practices currently in use is beneficial. CFEs and forensic accountants are uniquely qualified to assist in this process given their in-depth knowledge of all types of fraud scenarios and of the tailoring of the anti-fraud controls most appropriate for the control of each within a specific company environment.

Rigging the Casino

I attended an evening lecture some weeks ago at the Marshall-Wythe law school of the College of William & Mary, my old alma mater, in Williamsburg, Virginia. One of the topics raised during the lecture was a detailed analysis of the LIBOR scandal of 2012, a fascinating tale of systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, and in an environment where little or no regulation prevailed.

After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally initiated, and the subsequent fines and penalties were huge. The London Interbank Offered Rate (LIBOR) rate is a rate of interest, first computed in 1985 by the British Banking Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify, and not necessarily related to the market rate for the security in question. The LIBOR rate, which is the average interest rate estimated by leading banks that they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used. For example, in the United States in 2008 when the subprime lending crisis began, around 60 percent of prime adjustable-rate mortgages (ARMs) and nearly all subprime mortgages were indexed to the US dollar LIBOR. In 2012, around 45 percent of prime adjustable rate mortgages and over 80 percent of subprime mortgages were indexed to the LIBOR. American municipalities also borrowed around 75 percent of their money through financial products that were linked to the LIBOR.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to Reuters news agency (who acted for the BBA) for calculation of the average and its publication and dissemination. Reuters set aside the four highest and four lowest estimates, and averaged the remaining ten.
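To make the trimmed-mean mechanics described above concrete, here is an added Python model (not code from the post, the BBA or Reuters) that uses a constructed 18-bank panel of quotes in basis points. It shows why setting aside the four highest and four lowest quotes bounds what any one submitter can do to the published rate, yet offers little protection when several submitters in the middle of the panel move together, which is the pattern the scandal exposed.

```python
"""Trimmed-mean benchmark model (added example; constructed data only)."""
from fractions import Fraction

TRIM = 4          # four highest and four lowest quotes are set aside
PANEL_SIZE = 18   # submitting banks at the time of the scandal

# Constructed panel of honest quotes, in basis points (2.40% = 240 bps).
HONEST_BPS = [240, 241, 242, 242, 243, 243, 244, 244, 245,
              245, 246, 246, 247, 247, 248, 249, 250, 251]
assert len(HONEST_BPS) == PANEL_SIZE


def trimmed_benchmark(quotes, trim=TRIM):
    """Sort the quotes, drop `trim` from each end, and average the rest.

    Returns an exact Fraction in basis points so that fractional-bp
    shifts are not lost to floating-point rounding.
    """
    if len(quotes) <= 2 * trim:
        raise ValueError("need more than 2*trim quotes")
    ordered = sorted(quotes)
    kept = ordered[trim:len(ordered) - trim]
    return Fraction(sum(kept), len(kept))


def submit_with(panel, changes):
    """Return a copy of `panel` with bank `i` moved by `changes[i]` bps."""
    altered = list(panel)
    for bank, bump in changes.items():
        altered[bank] += bump
    return altered


def shift_bps(panel, altered, trim=TRIM):
    """Change in the published rate (bps) caused by the altered quotes."""
    return trimmed_benchmark(altered, trim) - trimmed_benchmark(panel, trim)


def worst_case_single(panel, trim=TRIM):
    """Largest absolute shift any ONE bank can cause on its own.

    Brute force: push each bank's quote to an extreme in both directions.
    A lone submitter can only change which quotes fall inside the middle
    window, so trimming bounds, but does not eliminate, its influence.
    """
    extreme = 10 ** 9
    worst = Fraction(0)
    for bank in range(len(panel)):
        for bump in (extreme, -extreme):
            altered = submit_with(panel, {bank: bump})
            worst = max(worst, abs(shift_bps(panel, altered, trim)))
    return worst


def main():
    base = trimmed_benchmark(HONEST_BPS)
    print(f"honest panel publishes {base} bps ({float(base) / 100:.2f}%)")

    # A bank already in the high tail quoting 50 bps higher is trimmed away.
    top_bank = HONEST_BPS.index(max(HONEST_BPS))
    lone = submit_with(HONEST_BPS, {top_bank: 50})
    print("lone high-tail outlier shifts the rate by",
          shift_bps(HONEST_BPS, lone), "bps")

    print("worst any single bank can do:", worst_case_single(HONEST_BPS), "bps")

    # Five mid-panel banks each nudge their quotes up by 8 bps in concert.
    coalition = {bank: 8 for bank in range(6, 11)}
    colluded = submit_with(HONEST_BPS, coalition)
    print("five colluding mid-panel banks shift the rate by",
          shift_bps(HONEST_BPS, colluded), "bps")


if __name__ == "__main__":
    main()
```

Run against a real submission history, the same comparison (published rate versus the rate recomputed without a suspect subset of banks) is a simple screen for coordinated movement that trimming alone will not catch.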

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation. For example, in 2012 the total of derivatives priced relative to the LIBOR rate was estimated at $300-$600 trillion, so a manipulation of 0.1% in the LIBOR rate would generate an error of $300-600 million per annum. Consequently, it is not surprising that, once the manipulations came to light, the settlements and fines assessed were huge. By December 31, 2013, 7 of the 18 submitting banks charged with manipulation had paid fines and settlements of upwards of $2 billion. In addition, the European Commission gave immunity to several of the banks for revealing wrongdoing, thereby allowing them to avoid fines, including: Barclays €690 million, UBS €2.5 billion, and Citigroup €55 million.

Some examples of the types of losses caused by LIBOR manipulations are:

Manipulation of home mortgage rates: Many home owners borrow their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers receive a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. One observer estimated that each LIBOR submitting bank during this period might have been liable for as much as $2.3 billion in overcharges.

Municipalities lost on interest rate swaps: Municipalities raise funds through the issuance of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their risk of volatility in the variable rates by converting or swapping into a fixed rate arrangement. The seller of the swap agrees to pay the municipality for any requirement to pay interest at more than the fixed rate agreed if interest rates rise, but if interest rates fall the swap seller buys the bonds at the lower variable interest rate. However, the variable rate was linked to the LIBOR rate, which was artificially depressed, thus costing U.S. municipalities as much as $10 billion. Class action suits were launched to recover these losses which cost municipalities, hospitals, and other non-profits as much as $600 million a year; the remaining liability assisted the municipalities in further settlement negotiations.

Freddie Mac Losses: On March 27, 2013, Freddie Mac sued 15 banks for their losses of up to $3 billion due to LIBOR rate manipulations. Freddie Mac accused the banks of fraud, violations of antitrust law and breach of contract, and sought unspecified damages for financial harm, as well as punitive damages and treble damages for violations of the Sherman Act. To the extent that defendants used false and dishonest USD LIBOR submissions to bolster their respective reputations, they artificially increased their ability to charge higher underwriting fees and obtain higher offering prices for financial products to the detriment of Freddie Mac and other consumers.

Liability Claims/Antitrust cases (Commodities-manipulations claims): Other organizations also sued the LIBOR rate submitting banks for anti-competitive behavior, partly because of the possibility of treble damages, but they had to demonstrate related damages to be successful. Nonetheless, credible plaintiffs included the Regents of the University of California who filed a suit claiming fraud, deceit, and unjust enrichment.

All of this can come as little surprise to fraud examiners. The ACFE lists the following features of moral collapse in an organization or business sector:

  1. Pressure to meet goals, especially financial ones, at any cost;
  2. A culture that does not foster open and candid conversation and discussion;
  3. A CEO who is surrounded with people who will agree and flatter the CEO, as well as a CEO whose reputation is beyond criticism;
  4. Weak boards that do not exercise their fiduciary responsibilities with diligence;
  5. An organization that promotes people based on nepotism and favoritism;
  6. Hubris. The arrogant belief that rules are for other people, but not for us;
  7. A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

Each of the financial institutions involved in the LIBOR scandal struggled, to a greater or lesser degree, with one or more of these crippling characteristics, and a distressing few manifested all of them.

The CFE, Management & Cybersecurity

Strategic decisions affect the ultimate success or failure of any organization. Thus, they are usually evaluated and made by the top executives. Risk management contributes meaningfully and consistently to the organization’s success as defined at the highest levels. To achieve this objective, top executives first must believe there is substantial value to be gained by embracing risk management. The best way for CFEs and other risk management professionals to engage these executives is to align fraud risk management with achievement (or non-achievement) of the organization’s vital performance targets, and use it to drive better decisions and outcomes with a higher degree of certainty.

Next, top management must trust its internal risk management professional as a peer who provides valuable perspective. Every risk assurance professional must earn trust and respect by consistently exhibiting insightful risk and performance management competence, and by evincing a deep understanding of the business and its strategic vision, objectives, and initiatives. He or she must simplify fraud risk discussions by focusing on uncertainty relative to strategic objectives and by categorizing these risks in a meaningful way. Moreover, the risk professional must always be willing to take a contrarian position, relying on objective evidence where readily available, rather than simply deferring to the subjective. Because CFEs share many of these same traits, the CFE can help internal risk executives gain that trust and respect within their client organizations.

In the past, many organizations integrated fraud risk into the evaluation of other controls. Today, per COSO guidance, the adequacy of anti-fraud controls is specifically assessed as part of the evaluation of the control activities related to identified fraud risks. Managements that identify a gap related to the fraud risk assessments performed by CFEs, and that work to implement a robust assessment, come away with an increased focus on potential fraud scenarios specific to their organizations. Many such managements have implemented new processes, including CFE-facilitated sessions with operating management, that allow executives to consider fraud in new ways. The fraud risk assessment can also raise management's awareness of opportunities for fraud outside its areas of responsibility.

The blurred line of responsibility between an entity’s internal control system and those of outsourced providers creates a need for more rigorous controls over communication between parties. Previously, many companies looked to contracts, service-level agreements, and service organization reports as their approach to managing service organizations. Today, there is a need to go further. Specifically, there is a need for focus on the service providers’ internal processes and tone at the top. Implementing these additional areas of fraud risk assessment focus can increase visibility into the vendor’s performance, fraud prevention and general internal control structure.

Most people view risk as something that should be avoided or reduced. However, CFEs and other risk professionals realize that risk is valued when it can help achieve a competitive advantage. ACFE studies show that investors and other stakeholders place a premium on management’s ability to limit the uncertainty surrounding their performance projections, especially regarding fraud risk. With Information Technology budgets shrinking and more being asked from IT, outsourcing key components of IT or critical business processes to third-party cloud based providers is now common. Management should obtain a report on all the enterprise’s critical business applications and the related data that is managed by such providers. Top management should make sure that the organization has appropriate agreements in place with all service providers and that an appropriate audit of the provider’s operations, such as Service Organization Controls (SOC) 1 and SOC 2 assurance reports, is performed regularly by an independent party.

It’s also imperative that client management understand the safe harbor clauses in data breach laws for the countries and U.S. states where the organization does business.  In the United States, almost every state has enacted laws requiring organizations to notify the state in case of a data breach. The criteria defining what constitutes a data breach are similar in each state, with slight variations.

CFE vulnerability assessments should impress on IT management that it should make upper management aware of all major breach attempts made against the organization, not just actual incidents. To see the importance of this it is necessary only to open a newspaper and read about the serious data breaches occurring around the world on almost a daily basis. The definition of major may, of course, differ, depending on the organization's industry and whether the organization is global, national, or local. Additionally, top management and the board should plan to meet with the organization's chief information security officer (CISO) at least once a year. This meeting should supplement the CFE's annual update of the fraud risk assessment by helping management understand the state of cybersecurity within the organization and enabling top managers and directors to discuss key cybersecurity topics. It is also important that the CISO reports to the appropriate levels within the organization. Keep in mind that although many CISOs continue to report within the IT organization, sometimes the chief information officer's agenda conflicts with the CISO's agenda. As such, the ACFE reports that a better reporting arrangement to promote independence is to migrate reporting lines to other officers such as the general counsel, chief operating officer, chief risk officer (CRO), or even the CEO, depending on the industry and the organization's degree of dependence on technology.

As a matter of routine, every organization should establish relationships with the appropriate national and local authorities who have responsibility for cybersecurity or cybercrime response. For example, boards of U.S. companies should verify that management has protocols in place to guide contact with the Federal Bureau of Investigation (FBI) in case of a breach; the FBI has established its Key Partnership Engagement Unit, a targeted outreach program to senior executives of major private-sector corporations.

If there is a Chief Risk Officer (CRO) or equivalent, upper management and the board should, as with the CISO, meet with him or her quarterly or, at the least, annually and review all the fraud related risks that were either avoided or accepted. There are times when a business unit will identify a technology need that its executive is convinced is the right solution for the organization, even though the technology solution may have potential security risks. The CRO should report to the board about those decisions by business-unit executives that have the potential to expose the organization to additional security risks.

And don’t forget that management should be made to verify that the organization’s cyber insurance coverage is sufficient to address potential cyber risks. To understand the total potential impact of a major data breach, the board should always ask management to provide the cost per record of a data breach.

No business can totally mitigate every fraud related cyber risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Cyber risk management is a multifaceted function that manages acceptance and avoidance of risk against the necessary actions to operate the business for success and growth, and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation between its management and supporting professionals, a conversation whose importance requires participation by an organization’s audit committee and other board members, with the CFE and the CISO serving increasingly important roles.

Fraud, ERM & Wells Fargo

Could a fully functional Enterprise Risk Management (ERM) program have prevented or otherwise somehow mitigated the Wells Fargo fraud?

As a concept Enterprise Risk Management (ERM) is almost four decades old now and has been repeatedly battle-tested in both private and public organizations around the world as a proven approach to addressing risk in organizations of all sizes by effectively and efficiently concentrating management’s attention on the areas of highest risk to the critical business processes of the enterprise. I don’t have to tell readers of this blog that today’s fiscal realities call for continual and increased efforts to both reduce costs and still deliver optimal customer service; both objectives have a direct impact on fraud prevention because they increase the pressure on management, especially financial and marketing management to meet ever higher sales and earnings performance standards.  The ongoing debacle at Wells Fargo is a case in point of such pressures out of control at seemingly every level of the organization.

ERM was introduced as a management concept in 1974 when a Swedish state risk manager, Gustav Hamilton, identified four elements that are inextricably connected in a risk management process: assessment, control, financing and communications. He called this comprehensive view "the circle of risk" and the concept has continued to evolve in the years since. In September 2004, COSO issued Enterprise Risk Management—Integrated Framework, a method to systematically consider and manage risk across an enterprise. COSO's premise is that value is maximized when management sets strategy and objectives to strike a balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity's objectives. COSO's bottom line is that ERM helps an entity get to where it wants to go and avoid, along the way, pitfalls and surprises like the one that has overtaken Wells Fargo. The ultimate goal of ERM for fraud prevention is two-fold: remediate risks (especially the risk of fraud, waste and abuse) to acceptable levels, and eliminate unnecessary controls, processes and, ideally, costs. Potential benefits, such as improved service delivery, increased control and cost savings, are just some of those documented in the literature. At the heart of ERM is a holistic, integrated, future-focused and process-oriented approach that facilitates the management of risk across an enterprise as opposed to looking at it only within siloed organizational entities. The ERM process focuses on "the right things" and can identify processes and procedures that do not measure up to the performance, cultural standards and cost-benefit ratios defined by the entity.

Fraud risk programs align well with ERM concepts. Fraud risk programs start with establishing the risk appetite of the enterprise and are governed by policies that articulate the goals and objectives, ethical conduct standards, roles and responsibilities, strategies and tactics of implementation specific to addressing fraud risk. As with other types of ERM programs, fraud programs include deterrence strategies, preventive internal controls, routine measurement of performance and results, as well as program accountability and transparency to stakeholders. Additionally, there is special emphasis on cyber fraud, given the reliance on information technology to carry out the mission of today’s typical organization. Partnerships between organizational and program management are strong, given the linkage between the programs and their associated fraud risks. ERM also strongly supports whistleblower programs, another area of increasing attention and stakeholder priority.

News reports tell us that those Wells Fargo employees who attempted to fill the whistleblower role at many points in the employee initiated fraud were first disciplined for their efforts and then terminated.

COSO’s ERM framework is premised on four underlying principles. How might each (and all collectively) have benefited Wells Fargo beforehand to avoid the present mess?

–Every entity exists to provide stakeholder value.
Sales goals that are all but impossible to meet, and which force employees to sign up customers for services they neither ordered nor needed, provide no value to the customer, to the employees, to Wells Fargo stockholders or to the public at large.

–All entities face uncertainty, and the challenge for management is to determine how much uncertainty to accept as it strives to grow stakeholder value. This translates to making trade-offs in establishing the level of acceptable risk to assume.
By fostering a culture of corruption among its employees by firing them for not making unrealistic sales goals, it can be argued that Wells Fargo failed to accurately assess both its level of fraud risk and its appetite for such risk.

–Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. Enterprise risk management enables management to more effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value.
Under the COSO model Wells Fargo failed to prioritize risks that might jeopardize its corporate mission, effectiveness and efficiency. It also appears that it lacked a mechanism to take prompt action to stop the basic employee fraud scenario from persisting and spreading to more and more employees.  Only after the fact did it halt its program of unrealistic employee sales goals.

–Value is maximized when management sets strategy and objectives to strike an optimal balance between growth and return goals and related risks, and efficiently and effectively deploys resources in pursuit of the entity’s objectives.
The application of this principle features ongoing monitoring of the performance of the risk model. Had it applied this principle, Wells Fargo would, at the first signs of the fraud, have reassessed risk, set risk to the maximum and taken immediate steps to shut down the identified fraud scenario(s).

As a fraud examiner and auditor there are a number of questions I ask my corporate clients to ask themselves that are, in my opinion, critical to both identifying the risk involved with ERM generally and the business processes vulnerable to fraud specifically.

–What keeps you up at night?
–What do we not want to see on the news or in blogs?
–What are the expectations of stakeholders?
–What do we want to make sure happens and happens well?
–What problems have developed or emerged in other organizations that could be a problem in our company as well?
–What controls are now in place? What do we know about how they are working? What do we know about their cost and benefit?
–What level of control can we reasonably afford and how do we get the most bang for the buck?
–What changes have taken place in the company or external to it that may have introduced new risks?

Would ERM have helped Wells Fargo?  I don’t know whether the bank presently has an ERM program or not but clearly the process as defined by COSO would have helped in providing a risk monitoring and immediate remediation mechanism to reassess risk in responding to the first whistleblower call alerting to the existence of the employee assisted fraud.  And there is no doubt that the forensic accounting and CFE community can play an important role in providing needed leadership and technical assistance to any organization implementing a dynamic, ERM supported, fraud response plan.  As the Wells Fargo experience and so many other instances suggest, the time has come to use the full potential of enterprise risk management as a tool to assist in the identification and rapid remediation of frauds before the costs to all stakeholders become unacceptably high.

Tone Deaf

The sensational bribery and corruption cases all over the news recently mean that tone at the top as a concept is yet again in the eye of the financial press. Journalists of every stripe and persuasion opine on its importance as a vital control but always seem to fall short on the specifics of just how the notion can be practically applied and its strength evaluated once implemented. One of the problems is that there are so many facile definitions of the concept in popular use. The one I like the most is one of the simplest, declaring it to be the message, the attitude and the ethical culture the board of directors and upper management disseminate throughout the organization. It's best described as the consistency among statements, assertions and explanations of the management and its actions. In summary, tone at the top is seen by some as a part of, and by others as equal to, the internal control environment.

The rub comes in because tone at the top is not only far more complicated than the above definition would lead a casual reader of trade press articles to believe, but also because it’s invisible to the standard tests of an outside auditor or fraud examiner. So a baseline would be a valuable addition not only for fraud examiners and financial auditors, but also for all types of assurance professionals.

To determine a baseline, one first needs to define the different aspects of the target concept. Thus, a baseline might provide reviewers with a starting point to begin improving their analyses of tone at the top. ACFE studies of hundreds of companies tell us that an enriched tone at the top can not only prevent fraud through its implementation of a well-functioning internal control system, but can also have a positive impact on the financial results of an organization. Organizations with an effective corporate governance policy just perform better than those that don’t. In my own practice as an auditor and fraud examiner, I’ve found COSO’s Enterprise Risk Management (ERM) a useful framework to use in the actual practice of evaluating the effectiveness of internal controls (including tone at the top) during fraud risk assessments.

Tone at the top is based on two schools of thought in management literature: the corporate governance school and the management control systems (MCS) school. These schools of thought share three fundamental theories: the agency theory, the transaction cost economics theory and the stakeholder theory. The agency theory views an organization as a nexus of contracts. Separation of ownership and control is essential for this theory.  The agent (the manager) is in control of the organization; however, he or she does not own the organization; the organization is owned by the principal (stakeholders).  Measures (i.e., corporate governance) need to be taken to ensure that the agent will strive to achieve the goals of the principal.

Transaction cost economics (TCE) is based on the concepts of bounded rationality and of homo economicus: a person chooses the best option based on the available information.  TCE aims to explain how firms are formed.  Firms are created to minimize transaction costs.  The domain of TCE has proven useful to explain management control structures.  The performance evaluation needs to be behavioral based, with non-financial subjective measures.  Output controls are low with TCE.  Individual contributions to the organization (individual performance) are analyzed as the outcomes of contracts between the employer and the employee.

The stakeholder theory is based on the belief that besides shareholders, there are others with interest in the organization.  Corporate governance should not only solve conflicts between management and shareholders but also between the organization and other stakeholders.  Tone at the top represents a form of cultural control to the MCS school.  Cultural controls stimulate employees to monitor and stimulate each other’s behavior.  Cultural controls rely on group pressure; if a person deviates from the group’s values, the group will put the person under pressure to convert him or her back to the dominant values.  Cultural controls are usually translated into corporate governance codes.  Corporate governance codes are mainly formulated to prevent/minimize fraudulent activities in organizations by means of internal control.  Five methods of cultural controls, namely code of conduct, group rewards, transfers, physical and social controls, and tone at the top, have been identified.

Tone at the top forms an important part of corporate governance codes.  Management behavior should coincide with the culture it tries to form; managers fulfill an example function. An important factor is implementing and operating a whistleblower policy; if staff at any level observe fraudulent activities, they can report them and be protected against possible retaliation.

Each of our above theories concludes that an organization needs to have a corporate governance code to minimize transaction cost, manage stakeholder interest and, thereby, increase shareholder value.  However, recent well-publicized corruption cases have led to calls in the popular press for a more formal approach.  So, what might such a formal, COSO-based approach look like?

First, management and the CEO need to demonstrate inspiring leadership, set the right ethical example and focus on people skills. They also need to display integrity.  Their risk awareness, actions and messages need to coincide with the dominant culture.  It is also important for management to formally commit to competence.

As to culture, an independent and active risk culture is necessary for tone at the top to be successful.  Also, employees need to be empowered to make the right decisions.  The reward systems and the culture need to reward desired behavior and be compliant with the norms.  In the event of something going wrong despite these cultural aspects, there needs to be an effective policy present to protect whistleblowers.

Finally, the risk appetite should be linked to the strategy.  The supervisory board needs to be independent, active and involved.  Responsibilities need to be defined, and management needs to receive adequate information.

All three of the above aspects are an integral part of what the experts currently define as tone at the top.  According to the ACFE, tone at the top can assist in averting fraud throughout every level of an organization. It’s, therefore, necessary to include its assessment in the scope of the fraud examiner’s fraud risk assessment and to formally schedule its periodic re-evaluation.

SOX, Fraud and the Audit Committee

A practicing CFE and subscriber to this blog contacted us to say that he’s been asked to make a presentation to the audit committee of a small public company client for whom he recently completed an examination of a financial fraud.  The audit committee, in light of the control vulnerabilities uncovered by our CFE’s report, wants a briefing on its responsibilities under SOX (the Sarbanes-Oxley Act) so it, in turn, can assure that management’s future performance deters any fraud recurrence.

Since its inception in 2002, SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. It has also had a dramatic impact on the certified public accountants of publicly held companies and the audits of those companies. Since the enactment of Sarbanes-Oxley, the Securities and Exchange Commission (SEC) has issued numerous SEC Releases that support and expand the SOX requirements. Many of the most important provisions of SOX and of the corresponding SEC Releases relate to fraud detection and prevention.

SOX gave audit committees more power and responsibility over a company’s auditors. The intent of the rules is to make the audit committee (rather than company management) the auditor’s “client.” Companies can be delisted from the stock exchanges if they fail to comply with the rules.

  • The auditor’s report is to be overseen by a company’s audit committee, not management;
  • Audit committees are responsible for hiring, compensating, and overseeing the registered public accounting firms they employ, and hiring independent counsel and any other advisors they determine necessary;
  • Each person on the audit committee must be a member of the board of directors and be otherwise independent of the company. SOX defines “independent” as not receiving any other compensation from the company and not being affiliated with the company or any of its subsidiaries;
  • One member of the audit committee must be a financial expert. A company without a financial expert must disclose that fact and explain its rationale. The SEC has defined a financial expert as someone with:

–An understanding of GAAP and financial statements;
–The ability to assess whether GAAP was used in estimates, accruals, and reserves;
–Experience with financial statements of a similar breadth and complexity of issues;
–An understanding of internal controls and financial reporting procedures;
–An understanding of audit committee functions;
  • The New York Stock Exchange requires the chair of the audit committee to have accounting or financial management experience. It also requires a nominating committee and a compensation committee composed of independent directors;
  • Companies must provide appropriate funding to their audit committee;
  • Audit committees must pre-approve all audit and non-audit services provided by their auditor that are not specifically prohibited by SOX;
  • Audit committees must set up procedures to receive and deal with any complaints the company receives about accounting, internal control, auditing, and similar issues.

On the other hand, the biggest requirement for management of public companies that SOX mandates is more responsibility for financial reports filed with the SEC. SOX requires both the chief executive officer (CEO) and chief financial officer (CFO) of a company to prepare a statement to accompany the audit report that certifies their quarterly and annual financial statements and disclosures. There are six elements to the management certification:

  1. The financial statements have been reviewed by management;
  2. The statements do not contain an untrue statement of a material fact or omit a material fact that makes the statements misleading;
  3. The statements fairly present, in all material respects, the operations, financial condition, and cash flow of the issuer;
  4. Management is responsible for designing, installing, and evaluating disclosure controls and procedures, and reporting its conclusions with respect to their effectiveness;
  5. All material internal control weaknesses and fraud are disclosed to the auditor;
  6. All significant changes to internal controls after management’s evaluation have been disclosed and corrected.

These rules were implemented to assure investors that the information in a company’s quarterly and annual reports is accurate and contains all of the company information that the executives believe is important to a reasonable investor. If management willfully and knowingly violates this certification process, it can be punished with imprisonment of up to 20 years and a fine of up to $5,000,000. In addition, if financial reports must be restated due to material noncompliance with financial reporting requirements, a violation of securities laws, or securities fraud, company management can be required to repay bonuses and incentives or equity-based compensation it realized during the twelve months following the issuance or filing of the noncompliant document. It can also be required to repay any profits it realized from the sale of company securities during the same period. As a result of these certification requirements, it’s not surprising that many public company CEOs and CFOs have spent a great deal of time since 2002 conducting due diligence procedures on their financial statements before certifying them.

From a specifically fraud prevention perspective, SOX also sets out the following requirements of interest to our CFE reader’s audit committee and executive management:

  • Company officers and directors cannot take any action to fraudulently influence, coerce, manipulate, or mislead auditors to make the financial statements materially misleading;
  • Company executives and directors cannot receive loans that are unavailable to those outside the company. There is an exception for loans, such as a home mortgage or a credit card agreement, if they are on the same terms and conditions as those made to the general public and done in the ordinary course of business;
  • Company executives and directors cannot trade company stock during blackout periods when other employees are unable to do so. Profits from doing so can be recovered;
  • All insider stock trades involving executives and individuals who own 10 percent or more of the company must be reported electronically to the SEC within two days and posted to the company’s website;
  • All financial reports required by GAAP must contain all material correcting adjustments identified by the auditors;
  • All annual and quarterly financial reports must disclose all material off-balance sheet transactions and relationships with unconsolidated entities likely to have a material effect on the company’s financial condition;
  • Pro forma financial information must not contain any untrue statements or omit a material fact that would make it misleading, and it should be in conformance with company financial information prepared according to GAAP;
  • Companies must disclose, in plain English, material changes to their financial condition on a rapid and current basis.

Also of interest to our reader’s audit committee would be the criminal penalties.  Sarbanes-Oxley and the SEC rules implementing its requirements increased the maximum penalties for many white-collar crimes and created tougher penalties for people who destroy records, commit securities fraud, and fail to report fraud. CPA firms are required to preserve all audit or review work papers, including e-mail, for at least seven years after the audit is complete. Willfully failing to do so or intentionally destroying these records is a felony, with penalties of up to 10 years of incarceration. Sarbanes-Oxley also created a new felony, with penalties of up to 20 years of incarceration and a hefty fine, for destroying, altering, or fabricating documents to impede, obstruct, or influence any existing or contemplated federal investigation. The criminal penalty for securities fraud was increased to 25 years. The statute of limitations on securities fraud claims was extended from one to two years from the date the fraud is discovered, and from three to five years after the fraud took place. Sarbanes-Oxley increases the penalty for CEOs and CFOs who knowingly certify fraudulent financial statements or submit materially misleading statements to the SEC to a maximum of 10 years of imprisonment and a $1 million fine. CEOs and CFOs who willingly do so will face a maximum penalty of 20 years of imprisonment and a $5 million fine.

Singing into the Hurricane

During the last few weeks, when I can find the time, I’ve been reading chapters of former Fed Chairman Ben Bernanke’s recent book on the financial crisis. It’s a sobering experience.  What’s most striking to me as a fraud examiner and auditor is how apparently flawed the corporate cultures of the banking and insurance firms involved in the crisis were. But tone at the top and culture weren’t problems for banks and insurance companies alone, as the book makes clear. Time and again, boards across America apparently decided what the tone in their organizations should be, but seemed to fail to communicate it to people lower down the chain. Perhaps their audience didn’t understand the message. Perhaps staff members just decided to ignore it. Other times the message was completely clear, and adhered to by everyone, just completely wrong ethically, and that individual business, along with so many others, simply sailed ahead on a fixed collision course with the whirlwind.

The Chairman makes clear that the challenge is not only to set the right tone at the top, but also to ensure that it’s in harmony with what he calls the ‘tune in the middle’ – the unwritten real world rules that describe how people further down the organization should behave and work. For a business to thrive – or to simply survive – everyone in the organization needs to sing from the same piece of ethical sheet music.  On page after page of Bernanke’s book, as the unfolding of the crisis was described, it occurred to me again and again that there’s a lot CFEs and other control assurance professionals can do to assist our clients to forestall the risk of any future, similar crisis.

I think the first time I saw the term ‘tone at the top’ was in a 1987 report on fraudulent financial reporting from the Treadway Commission, which paved the way for the commission’s Committee of Sponsoring Organizations’ (COSO’s) Internal Control-Integrated Framework.  As I recall the framework said, and still says, the CEO has to take ownership of the organization’s control system. Part of the CEO’s responsibility is to set a tone at the top that will enable a positive control environment. That includes providing direction to senior managers and checking how they’re controlling the business. Senior managers, in turn, assign responsibility for more specific internal control policies and procedures to their subordinates. The idea is that the right tone will cascade all the way down through the organization, from top to bottom. But the CEO isn’t the only person responsible for setting the tone. COSO says the full board and audit committee (if there is one) have an important role, as well.  Eventually, further COSO guidance, published for small public companies, fleshed out what a good tone at the top might sound like. And in its most recent guidance on monitoring controls, COSO puts even more emphasis on tone at the top. All COSO publications stress the importance of establishing a culture in which managers are aware of the risks in their part of the business, monitor the controls designed to mitigate them, and take action if those controls aren’t working.

There’s no shortage of guidance on what a good tone at the top should look and sound like, yet this remains, for Bernanke, an issue that many organizations, to this day, still get badly wrong. The banking and insurance sectors are just one example. Official reports into the causes of the credit crunch, like the Chairman’s and the one published years ago by the Financial Stability Forum, a group of central bankers, criticize banks for their poor risk management, and point to organizational cultures that failed to recognize the importance of risk management and internal control functions. Many of the banks that failed literally “disempowered” their risk functions.

A lack of support for the value of risk and control functions wasn’t the only indicator that tone at the top in the financial industry had gone generally awry. Another significant one is the controversy over executive pay in the sector. According to Bernanke, the size of bankers’ pay awards and bonuses, the apparent failure to link rewards to performance, and the refusal to forgo or repay bonuses led to the current global political drive to reintroduce a degree of control over pay. Directors’ pay is the litmus test of tone at the top, because pay is the most significant issue over which the interests of shareholders can directly conflict with those of boards of directors. The former want pay levels set in the company’s best long-term interests, while the directors must fight the temptation to line their pockets with short-term rewards. Any company with a chief executive who has pay that is considered offensive by colleagues, owners, or the wider society has failed that fundamental test.

And the nature of the financial crisis, according to the Chairman, also tells us something else generally about tone at the top in the financial services industry. While the rocket scientists inside banks and insurance companies were inventing increasingly complicated financial products, their boards failed to ask the intellectually naive but important questions that might have told them that trouble was brewing.  These would have been simple questions, such as “Do housing prices always go up?” and “Can we always trust the opinions of rating agencies?” In failing to ask such questions, boards set a tone of what Bernanke styles “mindless compliance” – and it’s this tone that cascaded down the organization. That meant that the tune in the middle was not right. Middle managers weren’t applying their minds, only singing into the storm. For banks, this failure of middle management’s tune was as damaging as the poor board-level tone. Clearly, culture isn’t just a question of what board directors say and do; there are leaders throughout every part of the organization.  They range from heads of departments, business unit directors, and project team managers, to shop floor supervisors and shift leaders. Every one of them sets an example, for good or bad. Wherever there is someone in a leadership role, there is an opportunity for a gap to emerge between the stated aspirations of the board and what actually happens.

Tone at the top is often categorized as an issue of business ethics (we’ve repeatedly so categorized it in this blog), but the example of the banking and insurance industries during the crisis demonstrates that it’s clearly about more than just that. Ethics are universal, applying to all companies: don’t steal, act honestly, and don’t mislead the board. Tone at the top includes how the company should relate to all of its stakeholders, such as its employees, shareholders, suppliers, customers, and the wider community.  So tone at the top symbolizes what the leadership of the business believes the ethical priorities are for that business at this point in time. It’s a question of how senior people expect the organization to be run and organized. That would include the kind of ethical conduct that Bernanke describes, but also the reputational risk appetite associated with every individual project and product sale.

To my mind, Ben Bernanke’s book is the very best on the financial crisis for financially literate readers.  I whole-heartedly recommend it as must reading for all practicing fraud prevention and control assurance professionals.

The Most Important Internal Control Component for Fraud Examiners


A Chapter member, in reference to our last post, wondered aloud over a mutual lunch this week whether the state of her client’s COSO 2013 control environment might not initially be the most important COSO component for close examination by Fraud Examiners performing fraud risk assessments.  After all, she’s right that the control environment is where the organization is called upon to directly demonstrate its commitment to integrity and ethical values.  It’s also in the documentation of the control environment that the board of directors asserts independence from management and outlines tools to exercise oversight of the development and performance of the entire system of internal control.  But that’s not all; management must establish, with board oversight, staff structures, reporting lines, and appropriate authorities and responsibilities to pursue, and hopefully achieve, its defined objectives.  In line with this last, the organization must document and demonstrate a commitment to attract, develop, and retain competent individuals as employees.  And lastly, and of particular importance to us fraud examiners as we go about our work of building and documenting cases, there must be defined mechanisms to hold employees accountable for their specifically defined internal control related responsibilities in the pursuit of enterprise objectives.

So, the COSO control environment component is something of a preliminary topographical map or stage setting, if you will, to the client organization’s overall approach to internal control.  A fraud examiner conducting a fraud risk assessment for management would certainly be expected to focus closely on whether or not the following are present and functioning as evidence of the organization’s commitment to integrity and ethical values:

–Tone at the Top: are the board of directors and management at all levels of the organization demonstrating through their directives, actions and behavior the importance of integrity and ethical values in supporting the functioning of the system of internal control?

–Standards of Conduct: have standards of conduct been formally established and published?  Of great follow-on consequence for ultimate, successful prosecution of fraud and corruption cases is the presence of formal documentation and the wide publication of the expectations of the board of directors and management concerning compliance with those integrity and ethical values defined in the entity’s standards of conduct and understood at all levels of the organization as well as by outsourced service providers and business partners.

–Processes to Evaluate Adherence to the Standards of Conduct: having a great set of ethical codes and standards means little if there are no processes in place to evaluate the performance of individuals and work teams against those codes and standards.  This is the area where I think you will find that most of our clients fall short; the entity can proudly point to its book shelf of standards but there’s little or no evidence that the degree of actual employee compliance is being formally reviewed or audited by anybody. A review means the process is periodically evaluated critically and corrective action, if required, is formally documented and performed by responsible managers.

–Deviations are Addressed in a Timely Manner: the fraud examiner during the fraud risk assessment process should look for evidence that identified deviations from the organization’s expected standards of conduct are identified and remedied in a timely and even-handed manner;  ‘even-handed’ means that deviations are dealt with fairly and consistently no matter what level of employee is involved.

–Establishment of Oversight Responsibilities: has the board of directors identified and does it accept its oversight responsibilities in relation to establishing requirements and expectations?  You can imagine the field day an opposing attorney would have if the defendant company has failed to implement this one!

–The Application of Relevant Expertise: does the board of directors define, maintain and periodically evaluate the skills and expertise needed among its members to enable them to ask all types of probing questions of senior management and then take appropriate action?

–Operates Independently: the fraud examiner has to ask him or herself if the client’s board of directors has enough members who are sufficiently independent from the management to be objective in performing evaluations and taking decisions to provide effective oversight of the client’s entire system of internal control.

Fraud examiners are usually so pressed for time in developing our cases that any documented shortcut into the client’s control structure is of great potential value to us.  COSO 2013, in significantly expanding the scope of the control environment component, has handed our profession yet another useful tool in the performance not only of fraud risk assessments but of the basic spade work involved in fraud examination and eventual prosecution.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!

The COSO 2013 Update and the Fraud Examiner


As I’m sure a majority of our Chapter members (and the readers of this blog) are aware, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published the first version of its Internal Control – Integrated Framework in 1992.  The purpose of the document was, by providing a sorely needed common definition of internal control, to overcome a high level of existing confusion about exactly what internal control was, not only among organization managements and assurance professionals like internal and external auditors but also among other publics key to the financial control process like regulators and legislators.  The 1992 document and 2013 revision define internal control as a process, effected by the entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting and compliance.   The COSO Integrated Framework underwent a substantial revision in 2013, the details of which are relevant to the practice of every CFE, especially as we conduct fraud risk assessments for our clients and go about the process of investigating and reporting on financially related instances of actual and suspected fraud.

The 1992 Framework definition embodies certain fundamental assumptions about internal control: internal control is a process … it’s a means to an end, not an end in itself; internal control is effected by people, not constituted by policy manuals and forms but by people doing their jobs at every level of the organization;  internal control can be expected to provide only reasonable assurance, not absolute assurance, to an entity’s management and board; and internal control is directed toward the achievement of objectives in one or more separate but overlapping categories. The 2013 revision expands on the original definitional framework by emphasizing that internal control is directed not only toward achieving organizational objectives in one or more separate but overlapping categories, but also in general operations, reporting and compliance, and that it is a process of ongoing tasks and activities; again, a means to an end, not an end in itself.  Finally, the system of internal control is adaptable to the organization’s structure and flexible in application to the entity or to a particular subsidiary, division, operating unit or business process.

So what’s changed and what hasn’t between the 1992 and 2013 versions of the framework that’s of special importance to fraud examiners?  The major changes are that the 2013 version replaces the 1992 factors of internal control with 17 principles grouped under the five components: 1) control environment, 2) risk assessment, 3) control activities, 4) information and communication and 5) monitoring activities. Two of the principles grouped under risk assessment, for example, are: 6. the organization specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives and 8. the organization considers the potential for fraud in assessing risks to the achievement of objectives. The 2013 version updates the Framework to reflect changes over the last two decades in business structures, operations and in the financial regulatory environment.  The last of the major changes of interest to fraud examiners is that the 2013 version broadens the arena of financial reporting to include internal and external financial and operational reporting.

Other changes include clarification that for internal control to be effective, all five components and seventeen principles must be present and functioning effectively.  Setting objectives is not considered in the revision to be part of internal control; it’s a precondition of internal control.  Assessing internal control for the fraud examiner and other assurance professionals includes determining whether organizational objectives are suitable for the client organization considering relevant facts, circumstances, and established laws.   A corollary of this last point is that objectives and sub-objectives need to be adequately communicated throughout the organization.

The 2013 update enhances organizational governance concepts and consideration of anti-fraud and information management related expectations, as well as providing additional approaches and examples relevant to operations, compliance, and non-financial reporting objectives.  The update also applies greater emphasis to flexibility in applying all the principles and concepts defined in the update to the unique characteristics of each organization (something that the ACFE never ceases to emphasize to all of us as critical to good fraud examination).

So what hasn’t changed between 1992 and 2013?  The basic definition of internal control, the five components of internal control and the important role of judgment in designing, implementing and conducting internal control, as well as the basic process of assessing the effectiveness of internal control, have not changed.  I would urge every member of our Chapter, and our guests, to review in detail the components of the 2013 COSO update since many of the changes will substantially extend and improve the guidance available to every active assurance practitioner, especially as we’re involved in the process of risk assessment and fraud prevention.
