Category Archives: Audit Committees - Page 2

The Initially Immaterial Financial Fraud

Posted by cwl890 on June 4, 2017 Comments Off

At one point during our recent two-day seminar ‘Conducting Internal Investigations’ an attendee asked Gerry Zack, our speaker, why some types of frauds, but specifically financial frauds can go on so long without detection. A very good question and one that Gerry eloquently answered.

First, consider the audit committee. Under modern systems of internal control and corporate governance, it’s the audit committee that’s supposed to be at the vanguard in the prevention and detection of financial fraud. What kinds of failures do we typically see at the audit committee level when financial fraud is given an opportunity to develop and grow undetected? According to Gerry, there is no single answer, but several audit committee inadequacies are candidates. One inadequacy potentially stems from the fact that the members of the audit committee are not always genuinely independent. To be sure, they’re required by the rules to attain some level of technical independence, but the subtleties of human interaction cannot always be effectively governed by rules. Even where technical independence exists, it may be that one or more members in substance, if not in form, have ties to the CEO or others that make any meaningful degree of independence awkward if not impossible.

Another inadequacy is that audit committee members are not always terribly knowledgeable, particularly in the ways that modern (often on-line, cloud based) financial reporting systems can be corrupted. Sometimes, companies that are most susceptible to the demands of analyst earnings expectations are new, entrepreneurial companies that have recently gone public and that have engaged in an epic struggle to get outside analysts just to notice them in the first place. Such a newly hatched public company may not have exceedingly sophisticated or experienced fiscal management, let alone the luxury of sophisticated and mature outside directors on its audit committee. Rather, the audit committee members may have been added to the board in the first place because of industry expertise, because they were friends or even relatives of management, or simply because they were available.

A third inadequacy is that audit committee members are not always clear on exactly what they’re supposed to do. Although modern audit committees seem to have a general understanding that their focus should be oversight of the financial reporting system, for many committee members that “oversight” can translate into listening to the outside auditor several times a year. A complicating problem is a trend in corporate governance involving the placement of additional responsibilities (enterprise risk management is a timely example) upon the shoulders of the audit committee even though those responsibilities may be only tangentially related, or not at all related, to the process of financial reporting.

Again, according to Gerry, some or all the previously mentioned audit committee inadequacies may be found in companies that have experienced financial fraud. Almost always there will be an additional one. That is that the audit committee, no matter how independent, sophisticated, or active, will have functioned largely in ignorance. It will not have had a clue as to what was happening within the organization. The reason is that a typical audit committee (and the problem here is much broader than newly public startups) will get most of its information from management and from the outside auditor. Rarely is management going to voluntarily reveal financial manipulations. And, relying primarily on the outside auditor for the discovery of fraud is chancy at best. Even the most sophisticated and attentive of audit committee members have had the misfortune of accounting irregularities that have unexpectedly surfaced on their watch. This unfortunate lack of access to candid information on the part of the audit committee directs attention to the second in the triumvirate of fraud preventers, the internal audit department.

It may be that the internal audit department has historically been one of the least understood, and most ineffectively used, of all vehicles to combat financial fraud. Theoretically, internal audit is perfectly positioned to nip in the bud an accounting irregularity problem. The internal auditors are trained in financial reporting and accounting. The internal auditors should have a vivid understanding as to how financial fraud begins and grows. Unlike the outside auditor, internal auditors work at the company full time. And, theoretically, the internal auditors should be able to plug themselves into the financial reporting environment and report directly to the audit committee the problems they have seen and heard. The reason these theoretical vehicles for the detection and prevention of financial fraud have not been effective is that, where massive financial frauds have surfaced, the internal audit department has often been somewhere between nonfunctional and nonexistent.. Whatever the explanation, (lack of independence, unfortunate reporting arrangements, under-staffing or under-funding) in many cases where massive financial fraud has surfaced, a viable internal audit function is often nowhere to be found.

That, of course, leaves the outside auditor, which, for most public companies, means some of the largest accounting firms in the world. Indeed, it is frequently the inclination of those learning of an accounting irregularity problem to point to a failure by the outside auditor as the principal explanation. Criticisms made against the accounting profession have included compromised independence, a transformation in the audit function away from data assurance, the use of immature and inexperienced audit staff for important audit functions, and the perceived use by the large accounting firms of audit as a loss leader rather than a viable professional engagement in itself. Each of these reasons is certainly worthy of consideration and inquiry, but the fundamental explanation for the failure of the outside auditor to detect financial fraud lies in the way that fraudulent financial reporting typically begins and grows. Most important is the fact that the fraud almost inevitably starts out very small, well beneath the radar screen of the materiality thresholds of a normal audit, and almost inevitably begins with issues of quarterly reporting. Quarterly reporting has historically been a subject of less intense audit scrutiny, for the auditor has been mainly concerned with financial performance for the entire year. The combined effect of the small size of an accounting irregularity at its origin and the fact that it begins with an allocation of financial results over quarters almost guarantees that, at least at the outset, the fraud will have a good chance of escaping outside auditor detection.

These two attributes of financial fraud at the outset are compounded by another problem that enables it to escape auditor detection. That problem is that, at root, massive financial fraud stems from a certain type of corporate environment. Thus, detection poses a challenge to the auditor. The typical audit may involve fieldwork at the company once a year. That once-a-year period may last for only a month or two. During the fieldwork, the individual accountants are typically sequestered in a conference room. In dealing with these accountants, moreover, employees are frequently on their guard. There exists, accordingly, limited opportunity for the outside auditor to get plugged into the all-important corporate environment and culture, which is where financial fraud has its origins.

As the fraud inevitably grows, of course, its materiality increases as does the number of individuals involved. Correspondingly, also increasing is the susceptibility of the fraud to outside auditor detection. However, at the point where the fraud approaches the thresholds at which outside auditor detection becomes a realistic possibility, deception of the auditor becomes one of the preoccupations of the perpetrators. False schedules, forged documents, manipulated accounting entries, fabrications and lies at all levels, each of these becomes a vehicle for perpetrating the fraud during the annual interlude of audit testing. Ultimately, the fraud almost inevitably becomes too large to continue to escape discovery, and auditor detection at some point is by no means unusual. The problem is that, by the time the fraud is sufficiently large, it has probably gone on for years. That is not to exonerate the audit profession, and commendable reforms have been put in place over the last decade. These include a greater emphasis on fraud, involvement of the outside auditor in quarterly data, the reduction of materiality thresholds, and a greater effort on the part of the profession to assess the corporate culture and environment. Nonetheless, compared to, say, the potential for early fraud detection possessed by the internal audit department, the outside auditor is at a noticeable disadvantage.

Having been missed for so long by so many, how does the fraud typically surface? There are several ways. Sometimes there’s a change in personnel, from either a corporate acquisition or a change in management, and the new hires stumble onto the problem. Sometimes the fraud, which quarter to quarter is mathematically incapable of staying the same, grows to the point where it can no longer be hidden from the outside auditor. Sometimes detection results when the conscience of one of the accounting department people gets the better of him or her. All along s/he wanted to tell somebody, and it gets to the point where s/he can’t stand it anymore and s/he does. Then you have a whistleblower. There are exceptions to all of this. But in almost any large financial fraud, as Gerry told us, one will see some or all these elements. We need only change the names of the companies and of the industry.

Rigging the Casino

Posted by cwl890 on May 6, 2017 Comments Off

I attended an evening lecture some weeks ago at the Marshall-Wythe law school of the College of William & Mary, my old alma mater, in Williamsburg, Virginia. One of the topics raised during the lecture was a detailed analysis of the LIBOR scandal of 2012, a fascinating tale of systematic manipulation of a benchmark interest rate, supported by a culture of fraud in the world’s biggest banks, and in an environment where little or no regulation prevailed.

After decades of abuse that enriched the big banks, their shareholders, executives and traders, at the expense of others, investigations and lawsuits were finally initiated, and the subsequent fines and penalties were huge. The London Interbank Offered Rate (LIBOR) rate is a rate of interest, first computed in 1985 by the British Banking Association (BBA), the Bank of England and others, to serve as a readily available reference or benchmark rate for many financial contracts and arrangements. Prior to its creation, contracts utilized many privately negotiated rates, which were difficult to verify, and not necessarily related to the market rate for the security in question. The LIBOR rate, which is the average interest rate estimated by leading banks that they would be charged if they were to borrow from other banks, provided a simple alternative that came to be widely used. For example, in the United States in 2008 when the subprime lending crisis began, around 60 percent of prime adjustable-rate mortgages (ARMs) and nearly all subprime mortgages were indexed to the US dollar LIBOR. In 2012, around 45 percent of prime adjustable rate mortgages and over 80 percent of subprime mortgages were indexed to the LIBOR. American municipalities also borrowed around 75 percent of their money through financial products that were linked to the LIBOR.

At the time of the LIBOR scandal, 18 of the largest banks in the world provided their estimates of the costs they would have had to pay for a variety of interbank loans (loans from other banks) just prior to 11:00 a.m. on the submission day. These estimates were submitted to Reuters news agency (who acted for the BBA) for calculation of the average and its publication and dissemination. Reuters set aside the four highest and four lowest estimates, and averaged the remaining ten.

So huge were the investments affected that a small manipulation in the LIBOR rate could have a very significant impact on the profit of the banks and of the traders involved in the manipulation. For example, in 2012 the total of derivatives priced relative to the LIBOR rate has been estimated at from $300-$600 trillion, so a manipulation of 0.1% in the LIBOR rate would generate an error of $300-600 million per annum. Consequently, it is not surprising that, once the manipulations came to light, the settlements and fines assessed were huge. By December 31, 2013, 7 of the 18 submitting banks charged with manipulation, had paid fines and settlements of upwards of $ 2 billion. In addition, the European Commission gave immunity for revealing wrongdoing to several the banks thereby allowing them to avoid fines including: Barclays €690 million, UBS €2.5 billion, and Citigroup €55 million.

Some examples of the types of losses caused by LIBOR manipulations are:

Manipulation of home mortgage rates: Many home owners borrow their mortgage loans on a variable- or adjustable-rate basis, rather than a fixed-rate basis. Consequently, many of these borrowers receive a new rate at the first of every month based on the LIBOR rate. A study prepared for a class action lawsuit has shown that on the first of each month for 2007-2009, the LIBOR rate rose more than 7.5 basis points on average. One observer estimated that each LIBOR submitting bank during this period might have been liable for as much as $2.3 billion in overcharges.

Municipalities lost on interest rate swaps: Municipalities raise funds through the issuance of bonds, and many were encouraged to issue variable-rate, rather than fixed-rate, bonds to take advantage of lower interest payments. For example, the saving could be as much as $1 million on a $100 million bond. After issue, the municipalities were encouraged to buy interest rate swaps from their investment banks to hedge their risk of volatility in the variable rates by converting or swapping into a fixed rate arrangement. The seller of the swap agrees to pay the municipality for any requirement to pay interest at more than the fixed rate agreed if interest rates rise, but if interest rates fall the swap seller buys the bonds at the lower variable interest rate. However, the variable rate was linked to the LIBOR rate, which was artificially depressed, thus costing U.S. municipalities as much as $10 billion. Class action suits were launched to recover these losses which cost municipalities, hospitals, and other non-profits as much as $600 million a year; the remaining liability assisted the municipalities in further settlement negotiations.

Freddie Mac Losses: On March 27, 2013, Freddie Mac sued 15 banks for their losses of up to $3 billion due to LIBOR rate manipulations. Freddie Mac accused the banks of fraud, violations of antitrust law and breach of contract, and sought unspecified damages for financial harm, as well as punitive damages and treble damages for violations of the Sherman Act. To the extent that defendants used false and dishonest USD LIBOR submissions to bolster their respective reputations, they artificially increased their ability to charge higher underwriting fees and obtain higher offering prices for financial products to the detriment of Freddie Mac and other consumers.

Liability Claims/Antitrust cases (Commodities-manipulations claims): Other organizations also sued the LIBOR rate submitting banks for anti-competitive behavior, partly because of the possibility of treble damages, but they had to demonstrate related damages to be successful. Nonetheless, credible plaintiffs included the Regents of the University of California who filed a suit claiming fraud, deceit, and unjust enrichment.

All of this can be of little surprise to fraud examiners. The ACFE lists the following features of moral collapse in an organization or business sector:

Pressure to meet goals, especially financial ones, at any cost;
A culture that does not foster open and candid conversation and discussion;
A CEO who is surrounded with people who will agree and flatter the CEO, as well as a CEO whose reputation is beyond criticism;
Weak boards that do not exercise their fiduciary responsibilities with diligence;
An organization that promotes people based on nepotism and favoritism;
Hubris. The arrogant belief that rules are for other people, but not for us;
A flawed cost/benefit attitude that suggests that poor ethical behavior in one area can be offset by good ethical behavior in another area.

Each of the financial institutions involved in the LIBOR scandal struggled, to a greater or lesser degree with one or more of these crippling characteristics and, a distressing few, manifested all of them.

Zack is Back on Internal Investigations!

Posted by cwl890 on March 14, 2017 Comments Off

Our Chapter is looking forward with anticipation to our next two-day training event (May 17^th and 18^th) when we will again have Gerry Zack, one of the ACFE’s best speakers, presenting on the topic ‘Conducting Internal Investigations’. Gerry was last with us several years ago, when he taught ‘Introduction to Fraud Examination’ to an overflow crowd; judging from the number of early registrations, it looks like this year’s event will be an attendance repeat!

One of the training event segments Gerry presented in detail last time dealt with related party transactions internal to the organization and some of the unique challenges they can pose for fraud examiners. Such ethical lapses take the form of schemes where individuals who approve one or more transactions for their organizations also benefit personally from them. Per the ACFE, the business processes most affected by such scenarios are the loan function, the sales function and corporate purchases.

Regarding loan schemes, the key risks fraud examiners should look for are:

— The provision of loans to senior management, other employees, or board members at below-market interest rates or under terms not available in the marketplace;
— Failure to disclose the related party nature of the loan;
— The client organization providing guarantees for private loans made by employees or board members.

In these scenarios, the favorable terms benefit the employee at the expense of the employing organization. To identify undisclosed loans to senior management, board members, and employees, the CFE could search for related-party loans using data analysis to compare the names on all notes receivables and accounts receivables with employee names from payroll records and board member names from board minutes. If a match occurs, the CFE should assess whether the related-party transaction was appropriately authorized and disclosed in the accounting records and financial statements. Examiners can also search for undisclosed related-party loans by examining the interest rate, due dates, and collateral terms for notes receivables. Notes receivable containing zero or unusually low interest rates, or requiring no due dates or insufficient collateral, may indicate related-party transactions. The CFE can also examine advances made to customers or others who owe money to her client organization. Organizations generally do not advance money to others who owe them money unless a related-party relationship exists.

Gerry’s presentation for related party sales pin-pointed red flags like employees:

— Selling products or services significantly below market price or providing beneficial sales terms that ordinarily would not be granted to arms-length customers.
— Inflating sales for bonuses or stock options using related parties to perpetrate the scheme. Either a sale really has not taken place because the goods were not shipped or there was an obligation to repurchase the goods sold so the sale was incomplete.
— Approving excessive sales allowances or returns as well as accounts receivable adjustments or write-offs for related parties.

To cover up the related-party transaction, employees may deny reviewers access to customers to impede them from acquiring evidence concerning the related-party relationship. Where the CFE suspects related party sales, s/he should perform analytical procedures to compare price variations among customers to identify those who pay significantly below the average sales price. Examiners can also attempt to identify any customer who pays prices that differ from the approved price sheet. Customer contracts can be directly analyzed for unusual rights of return, obligations to repurchase goods sold, and unusual extended repayment terms. Analytical procedures to identify customers with excessive returns, sales allowances, account receivable adjustments, or write-off’s may also be performed. Any variances in these areas might indicate undisclosed related-party transactions. Gerry also point out that data analysis can be used to efficiently compare employee addresses, telephone numbers, tax identification numbers, and birthdays with customer addresses, telephone numbers, tax identification numbers, and company organization dates. When creating a shell company, many individuals use their own contact information for convenience and their own birth date as the organization date because it is easy to remember. Any matches could indicate a related-party association and should be investigated minutely.

For third party purchases schemes, some of the key red flags are:

— the company paying prices significantly above market for goods or services;
— the company receiving significantly below average quality goods or services that are purchased at market prices for high quality goods or services;
— the company never actually receiving the purchased goods or services.

CFE’s should consider comparing cost variations among vendors to identify those whose costs significantly exceed the average cost. For identified variances, examiners should discover why the cost variations occurred to assess whether a related-party relationship exists. Like the examination steps for customers, it’s important to compare the employee’s address, telephone number, tax identification number, and birth date to vendors’ information to see if a relationship exists. CFE’s can also assess the use of sales intermediaries for products they can purchase directly from the manufacturer at lower costs.

For the comprehensive review of all this information, Gerry stressed that the level and quality of client company documentation is critical. In reviewing their client organization’s documentation, the CFE may find that the organization does not have in place any policies or procedures prohibiting related-party relationships or transactions without prior approval. The organization also may not provide training to employees around related-party relationships and transactions, or require employees even to certify whether they are involved in any conflicts of interest with the organization. CFE’s should recommend, as a component of the fraud prevention program, that their client organization maintain written policies and procedures defining the process for obtaining approval for related-party relationships and transactions.

Key risks exist if:

— Written related-party policy and procedures are nonexistent or insufficient;
— Employees are not required to certify regularly whether they have a conflict of interest;
— Related-party transactions are not approved in accordance with established organizational policies and procedures;
— Related-party transactions are approved with exceptions to organizational policies and procedures.

The CFE should review approved related-party policies and procedures documentation. If related-party policies or procedures don’t exist or if they don’t sufficiently mitigate the risk of unauthorized or inappropriate related-party relationships or transactions, the examiner should consult with senior management and the board, if necessary, to offer guidance on a pro-active basis toward the development of such policies and procedures as a key fraud prevention measure. The CFE should also review conflict of interest statements. If an employee documents a conflict of interest in his or her statement, the examiner should assess whether the conflict of interest was appropriately authorized and whether the process recognizes and discloses conflicts of interest.

Third party transactions are but a single topic of many to be covered by Gerry in our May event. If you are called upon by your employer to investigate instances of fraud, waste and abuse both within your parent company and within related business affiliates, this is a seminar for you. A well run internal investigation can enhance an enterprise’s well-being and can help detect the source of lost funds, identify responsible parties and recover losses. It can also provide a defense to legal charges by terminated or disgruntled employees. But perhaps most importantly, an internal investigation will signal to other employees that the company will not tolerate fraud. This seminar will prepare you for every step of an internal investigation into potential fraud, from receiving the initial allegation to testifying as a witness. Learn to lead an internal investigation with accuracy and confidence by gaining knowledge about key topics, such as relevant legal aspects of internal investigations, using computers in an investigation, collecting and analyzing internal information, interviewing witnesses and writing reports.

There are only 70 training slots available and our seminars fill up fast! If you are interested in this vital investigative topic, you can find the seminar agenda, venue information, speaker bio and registration information at http://rvacfes.com/events/conducting-internal-investigations/.

The CFE, Management & Cybersecurity

Posted by cwl890 on February 26, 2017 Comments Off

Strategic decisions affect the ultimate success or failure of any organization. Thus, they are usually evaluated and made by the top executives. Risk management contributes meaningfully and consistently to the organization’s success as defined at the highest levels. To achieve this objective, top executives first must believe there is substantial value to be gained by embracing risk management. The best way for CFEs and other risk management professionals to engage these executives is to align fraud risk management with achievement (or non-achievement) of the organization’s vital performance targets, and use it to drive better decisions and outcomes with a higher degree of certainty.

Next, top management must trust its internal risk management professional as a peer who provides valuable perspective. Every risk assurance professional must earn trust and respect by consistently exhibiting insightful risk and performance management competence, and by evincing a deep understanding of the business and its strategic vision, objectives, and initiatives. He or she must simplify fraud risk discussions by focusing on uncertainty relative to strategic objectives and by categorizing these risks in a meaningful way. Moreover, the risk professional must always be willing to take a contrarian position, relying on objective evidence where readily available, rather than simply deferring to the subjective. Because CFEs share many of these same traits, the CFE can help internal risk executives gain that trust and respect within their client organizations.

In the past, many organizations integrated fraud risk into the evaluation of other controls. Today, per COSO guidance, the adequacy of anti-fraud controls is specifically assessed as part of the evaluation of the control activities related to identified fraud risks. Managements that identify a gap related to the fraud risk assessments performed by CFEs and work to implement a robust assessment take away an increased focus on potential fraud scenarios specific to their organizations. Many such managements have implemented new processes, including CFE facilitated sessions with operating management, that allow executives to consider fraud in new ways. The fraud risk assessment can also raise management’s awareness of opportunities for fraud outside its areas of responsibility.

The blurred line of responsibility between an entity’s internal control system and those of outsourced providers creates a need for more rigorous controls over communication between parties. Previously, many companies looked to contracts, service-level agreements, and service organization reports as their approach to managing service organizations. Today, there is a need to go further. Specifically, there is a need for focus on the service providers’ internal processes and tone at the top. Implementing these additional areas of fraud risk assessment focus can increase visibility into the vendor’s performance, fraud prevention and general internal control structure.

Most people view risk as something that should be avoided or reduced. However, CFEs and other risk professionals realize that risk is valued when it can help achieve a competitive advantage. ACFE studies show that investors and other stakeholders place a premium on management’s ability to limit the uncertainty surrounding their performance projections, especially regarding fraud risk. With Information Technology budgets shrinking and more being asked from IT, outsourcing key components of IT or critical business processes to third-party cloud based providers is now common. Management should obtain a report on all the enterprise’s critical business applications and the related data that is managed by such providers. Top management should make sure that the organization has appropriate agreements in place with all service providers and that an appropriate audit of the provider’s operations, such as Service Organization Controls (SOC) 1 and SOC 2 assurance reports, is performed regularly by an independent party.

It’s also imperative that client management understand the safe harbor clauses in data breach laws for the countries and U.S. states where the organization does business. In the United States, almost every state has enacted laws requiring organizations to notify the state in case of a data breach. The criteria defining what constitutes a data breach are similar in each state, with slight variations.

CFE vulnerability assessments should strive to impress on IT management that it should strive to make upper management aware of all major breach attempts, not just actual incidents, made against the organization. To see the importance of this it’s necessary only to open a newspaper and read about the serious data breaches occurring around the world on almost a daily basis. The definition of major may, of course, differ, depending on the organization’s industry and whether the organization is global, national, or local. Additionally, top management and the board should plan to meet with the organization’s chief information security officer (CISO) at least once a year. This meeting should supplement the CFE’s annual update of the fraud risk assessment by helping management understand the state of cybersecurity within the organization and enabling top managers and directors to discuss key cybersecurity topics. It’s also important that the CISO is reporting to the appropriate levels within the organization. Keep in mind that although many CISOs continue to report within the IT organization, sometimes the chief information officer’s agenda conflicts with the CISO’s agenda. As such, the ACFE reports that a better reporting arrangement to promote independence is to migrate reporting lines to other officers such as the general counsel, chief operating officer, chief risk officer (CRO), or even the CEO, depending on the industry and the organization’s degree of dependence on technology.

As a matter of routine, every organization should establish relationships with the appropriate national and local authorities who have responsibility for cybersecurity or cybercrime response. For example, boards of U.S. companies should verify that management has protocols in place to guide contact with the Federal Bureau of Investigation (FBI) in case of a breech; the FBI has established its Key Partnership Engagement Unit, a targeted outreach program to senior executives of major private-sector corporations.

If there is a Chief Risk Officer (CRO) or equivalent, upper management and the board should, as with the CISO, meet with him or her quarterly or, at the least, annually and review all the fraud related risks that were either avoided or accepted. There are times when a business unit will identify a technology need that its executive is convinced is the right solution for the organization, even though the technology solution may have potential security risks. The CRO should report to the board about those decisions by business-unit executives that have the potential to expose the organization to additional security risks.

And don’t forget that management should be made to verify that the organization’s cyber insurance coverage is sufficient to address potential cyber risks. To understand the total potential impact of a major data breach, the board should always ask management to provide the cost per record of a data breach.

No business can totally mitigate every fraud related cyber risk it faces, but every business must focus on the vulnerabilities that present the greatest exposure. Cyber risk management is a multifaceted function that manages acceptance and avoidance of risk against the necessary actions to operate the business for success and growth, and to meet strategic objectives. Every business needs to regard risk management as an ongoing conversation between its management and supporting professionals, a conversation whose importance requires participation by an organization’s audit committee and other board members, with the CFE and the CISO serving increasingly important roles.

Team Work is Hard Work

Posted by cwl890 on February 1, 2017 Comments Off

From reading posts and comments posted to LinkedIn, it seems that a number of our Chapter members and guests from time to time find themselves involved in internal fraud investigations either as members of internal or external audit units or as sole practitioners. As CFE’s we know that we can make significant contributions to a financial crime investigation, if we can work effectively, as team members, with the victim company’s internal and external auditors, as well as with other constituents involved in resolving allegations or suspicions of internal fraud. In addition to a thorough knowledge of accounting and auditing, CFE’s bring to bear a variety of skills, including interviewing, data mining and analysis. We also know that some auditors assume that simply auditing more transactions, with the use of standard procedures, increases the likelihood that fraud will be found. While this can prove to be true in some cases, when there is suspicion of actual fraud, the introduction of competent forensic accounting investigators may be more likely to resolve the issue and bring it to a successful conclusion.

Within the boundaries of an investigation, we CFE’s typically deal with numerous constituencies, each with a different interest and each viewing the situation from a different perspective. These parties to the investigation may well attempt to influence the investigative process, favor their individual concerns, and react to events and findings in terms of personal biases. CFE’s thus often have the task of conveying to all constituencies that the results of the investigation will be more reliable if all participants and interested parties work together as a team and contribute their specific expertise or insight with objectivity. In the highly-charged environment created by a financial crime investigation, the forensic accounting investigator can make a huge contribution just by displaying and encouraging the balance and level headedness which comes from his or her detailed familiarity with the mechanics of the standard types of financial fraud.

The ACFE recommends that all parties with a stake in the process, management, audit committee, auditors, and legal counsel, should always consider including forensic accounting investigators in the front-end process of decision making about an investigation. One of the key initial decisions is, usually, the degree to which the forensic accounting investigators can work with and rely on the work of others, specifically, the internal and external auditors. Another common front-end decision is whether CFE’s—with their knowledge of accounting systems, controls, and typical fraud schemes, may be added to the team that eventually evaluates the organization’s business processes to strengthen the controls that allowed the fraud to occur. Management may at first be inclined to push for a quick result because it feels the company will be further damaged if it continues to operate under a shadow.

Senior executives may be unable or in some cases unwilling to see the full scope of issues and may attempt to limit the investigation, sometimes as a matter of self-protection, or they may seek to persuade the CFE that the issues at hand are immaterial. Whatever happened, it happened on their watch, and they may understandably be very sensitive to the CFE’s intrusion into their domain. Any defensiveness on the part of management should be defused as quickly and as thoroughly as possible, usually through empathy and consideration on the part of the forensic accounting investigator. The party or entity engaging the forensic accounting investigator, for example, the audit committee, management, or counsel, should be committed to a thorough investigation of all issues and is ultimately responsible for the investigation. The committee may engage CFE’s and forensic accounting investigators directly and look to them for guidance, or it may ask outside counsel to engage the CFE, who usually will work at counsel’s direction in fulfilling counsel’s responsibilities to the audit committee.

Every CFE should strive to bring independence and objectivity to the investigation and strive to assist each of the interested parties to achieve their unique but related objectives. As to the CFE’s objectives, those are determined by the scope of work and the desire to meet the goals of whoever retained their services. Regardless of the differing interests of the various constituencies, forensic accounting investigators must typically answer the following questions:

Who is involved?
Could there be coconspirators?
Was the perpetrator instructed by a higher supervisor not currently a target of the investigation?
How much is at issue or what is the total impact on the financial statements?
Over what period did this occur?
Have we identified all material schemes?
How did this happen?
How was it identified, and could it have been detected earlier?
What can be done to deter a recurrence?

CFE’s should always keep in mind that they are primarily fact finders and not typically engaged to reach or provide conclusions, or, more formally, opinions. This differs from the financial auditor’s role. The financial auditor is presented with the books and records to be audited and determines the nature, extent, and timing of audit procedures. On one hand, the financial statements are management’s responsibility, and an auditor confirms they have been prepared in accordance with generally accepted accounting principles after completing these procedures and assessing the results. The CFE or forensic accounting investigator, on the other hand, commands a different set of skills and works at the direction of an employer that may be management, the audit committee, counsel, or an auditing firm itself.

Teaming with all concerned parties together with the internal and external auditors, the forensic accounting investigator should strive to bring independence and objectivity to the investigation and strive to assist each of the interested parties to achieve each team member’s unique but related objectives; management understandably may be eager to bring the investigation to a quick conclusion. The chief financial officer may be defensive over the fact that his or her organization allowed this to happen; the board of directors, through the independent members of its audit committee, is likely to focus on conducting a thorough and complete investigation, but its members may lack the experience needed to assess the effort. In addition, they may be concerned about their personal reputations and liability. The board is likely to look to legal counsel and in some cases, to forensic accounting investigators to define the parameters of the project; as to counsel, in most investigations in which counsel is involved, they are responsible for the overall conduct of the investigation and will assign and allocate resources accordingly; the internal auditor may have a variety of objectives, including not alienating management, staying on schedule to complete the annual audit plan, and not opening the internal audit team to criticism. The internal audit team may also feel embarrassed, angry, and defensive that it did not detect the wrongdoing; the external auditor may have several concerns, including whether the investigative team will conduct an investigation of adequate scope, whether the situation suggests retaining forensic accountants from the auditors’ firm, whether forensic accountants should be added to the audit team, and even whether the investigation will implicate the quality of past audits.

In summary, team work is complex, hard work. While fraud is not an everyday occurrence at most companies, boards and auditing firms should anticipate the need to conduct a financial fraud investigation at some time in the future. CFE’s can be an integral part of the planning for such investigations and can be of great help in designing the pre-planned team work protocols that ensure that, if a fraud exists, there is a high probability that it will be identified completely and dealt with in a timely and appropriate manner.

Inside and Out

Posted by cwl890 on January 5, 2017 Comments Off

I had quite a good time a little over a month ago, addressing a senior auditing class at the University of Richmond on the topic of how fraud examiners and forensic accountants can work jointly together, primarily with a client’s internal auditors and, secondarily with its external auditors, to substantially strengthen any fraud investigation assignment.

Internal and external auditors each play an important role in the governance structure of their client organizations. Like CFEs, both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, as I told the very lively class, both types of auditors operate independently of the activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks faced by the organizations they serve. Yet, with all their similarities, internal auditing and external auditing are two distinct functions that have numerous differences. The Institute of Internal Auditors (IAA) defines internal auditing as “an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” Internal auditors in the public sector (where I spent most of my audit career as a CIA) place an additional emphasis on providing assurance on performance and compliance with policies and procedures. Concerned with all aspects of the organization – both financial and non-financial – the internal auditors focus on future events because of their continuous review and evaluation of controls and processes.

In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period are represented accurately, and whether the financial statements have been affected materially (i.e., whether they include a misstatement that is likely to influence the economic decisions of financial statement users). External auditing’s approach is mainly historical in nature, although some forward-looking improvements may be suggested in the auditors’ recommendations to management based on the analysis of controls during a financial statement audit.

I emphasized to the students that these definitions alone pinpoint the key distinctions that separate the two audit approaches. However, internal auditing is much broader and more encompassing than external auditing. Its value resides in the function’s ability to look at the underlying operations that drive the financial numbers before those numbers hit the books. For instance, when considering “sales” as a line item in a set of financial statements, the external audit focuses primarily on the existence, completeness, accuracy, classification, timing, posting and summarization of sales numbers. The internal audit goes beyond these assertions and looks at sales operations in a much broader context by asking questions regarding the target market, sales plan, organizational structure of the sales department, qualifications of sales personnel, effectiveness of sales operations, measurement of sales performance, and compliance with sales policies.

These types of questions probe the very core of sales operations and can greatly impact the sales numbers recorded in financial statements. For example, assuming a sales number of $6 million, the external auditor has merely to render an opinion regarding the validity of that number. The internal auditor, however, can ask whether the number could have really been $12 million, if only the right market had been targeted, and if operations had been effective in the first place. It’s this emersion in detail and the overall knowledge of operations that makes the internal auditor such a strong partner for the fraud examiner in any joint investigation.

Internal auditors represent an integral part of the organization – their primary clients are management and the board. Although historically internal auditors reported to the chief financial officer or other senior management staff, for the last two decades internal auditing has reported directly to the audit committee of the board of directors, which helps strengthen auditor independence and objectivity. Today, internal audit functions, for the most part, follow this reporting relationship, which is consistent with the IIA’s Standard on Organizational Independence.

The chief audit executive’s (CAE’s) appointment is normally meant to be permanent, unless he or she resigns or is dismissed. In some quasi and intergovernmental organizations, CAEs are given tenured positions – five-year appointments, for example – to enhance independence. Conversely, external auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by their main client, the board of directors. External auditors are appointed by the board, and they submit an annual report to the company’s shareholders. The appointment is meant to extend for a specified time – external auditors can be re-appointed at the company’s annual general meeting. In some jurisdictions, there are limits on an external auditor’s length of service, often five or seven years.

In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual organizations’ discretion but internal auditing is mandatory in some cases. Companies listed on the New York Stock Exchange must have an internal audit function, whether in-house or outsourced. An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.

The necessary qualifications for an internal auditor rest solely on the judgment of the employer. Although internal auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them abundantly qualified to perform internal auditing. Annually, more and more internal auditors hold the IIA’s Certified Internal Auditor designation, which demonstrates competency and professionalism in the field of internal auditing. Because of their continuous investigation into all the organization’s operating systems, internal auditors who remain in the same organization for many years constitute a unique resource to the CFE of comprehensive and current knowledge of the organization and its operations.

External auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law – for example, the Institute of Chartered Accountants in England and Wales, American Institute of Certified Public Accountants, or Canadian Institute of Chartered Accountants. Because external auditors’ scope of work is narrowly focused on financial statement auditing, and they come into the organization only once or twice a year, their knowledge of the organization’s operations is unlikely to be as extensive as that of the internal auditors.

Those entering the CFE profession need to realize that patterns of business growth, globalization, and corporate scandals have changed the thrust of the internal audit profession in recent years. In its early years, internal auditing focused on protection oriented objectives and emphasized compliance with accounting and operational procedures, verification of calculation accuracy, fraud detection and protection of assets. Gradually, new dimensions were added that ranged from an evaluation of financial and compliance risks to an assessment of business risks, ethics and corporate governance. These changes have only increased the gap between the disciplines of internal and external auditing. Yet, despite their differences, internal auditing and external auditing no longer work in competition, as was the case before the U.S. Sarbanes-Oxley Act was enacted, when a company’s external auditors would sometimes compete with in-house audit departments for internal audit work. Regulations like Sarbanes-Oxley prohibited the external auditor from providing both external and internal audit services to the same company. Today all CFEs can benefit from the complementary skills, areas of expertise, and perspectives of both the external and the internal auditors. The ACFE recommends that to strengthen the fraud prevention program they should meet periodically to discuss common interests (like the fraud prevention program), strive to understand each other’s scope of work and methods, discuss audit coverage and scheduling to minimize redundancies, jointly assess areas of fraud risk, and provide access to each other’s reports, programs, and work papers.

In summary, fulfilling its oversight responsibilities for assurance, the board also should require internal and external auditors to coordinate their audit work to increase the economy, efficiency, and effectiveness of the overall audit process. Despite some similarities, a world of difference exists between internal auditing and external auditing. Nonetheless, both audit types, and the respective services they provide, are essential to maintaining an effective governance structure. With a greater understanding of the unique perspective of each, CFEs can maximize the aggregate contribution or each to our joint investigations and thereby ensure organizational success.

On Auditors, Lawyers & Data

Posted by cwl890 on November 28, 2016 Comments Off

When it comes to gaining access to sensitive, internal digital data during a forensic examination, the corporate council can be the fraud examiner’s best ally. It, therefore, behooves us to fully understand the unifying role the client counsel holds in overseeing the entire review process. As our guest blogger, Michael Hart, and other experienced practitioners have pointed out, data analysis becomes most effective when it’s integrated into the wider forensic accounting project. If the end results are to cohere with findings from other sources, forensic data analysis should not be performed as a separate investigation, walled off from the other review efforts undertaken to benefit the client. Today, it’s a truism that data analysis can serve many functions within a forensic accounting project. On some occasions, it’s rightfully the main engine of an engagement. When such is the case, data analysis is used for highlighting potentially unusual items and trends. More often, however, in actual practice, data analysis is a complementary part of a wider forensic accounting investigation, a piece of a puzzle (and never the be all and end all of the investigation), that involves several other parallel methods of information analysis or evidence gathering, including document review, physical inspection, and investigative interviews.

The timing of the data analysis work depends on the extent to which the forensic accounting team needs to work with the results as defined by counsel. Frequently, once the method of a fraud has been established, data analysis is conducted to estimate the amount of damage. If the team knows that several components of an organization were affected by a fraud scheme, that team may be able to compare these results with those derived from analyses of unaffected branches and, after adjusting for other relevant factors, provide management with a broad estimate of the total effect on the financial statements. When such an approach is used, the comparison should be performed after the investigation has determined the characteristics of the fraud scheme. However, in most cases, as the ACFE tells us, the purpose of data analysis in an investigation is to identify suspicious activity on which the forensic accounting team can act.

Suspicious transactions can be identified in several ways: comparing different sources of evidence, such as accounting records and bank statements, to find discrepancies between them; searching digital records for duplicate transactions; or identifying sudden changes in the size, volume, or nature of transactions, which need to be explained. While data analysis often is a fast and effective way of highlighting potential areas of fraud, it will never capture every detail that an experienced fraud examiner can glean from reviewing an original document. If data analysis is performed to identify suspicious activity, it typically is performed before any manual review is carried out. This helps ensure that investigative resources are targeting suspicious areas and are concentrating on confirming fraudulent activity rather than concentrating on a search for such activity within a sea of legitimate transactions.

The first person to be contacted when there is a suspected fraud is typically in-house counsel. Depending on the apparent severity of the matter and its apparent location in the company, other internal resources to be alerted at an early stage, in addition to the board (typically through its audit committee), may include corporate security, internal audit, risk management, the controller’s office, and the public relations and investor relations groups. Investigations usually begin with extensive conversation about who should be involved, and the responsible executives may naturally wish to involve some or all the functions just mentioned. Depending on the circumstances, the group of internal auditors (if there is one) can in fact be a tremendous asset to an independent forensic investigative team. As participants in the larger team, internal auditors’ knowledge of the company may improve both the efficiency with which evidence is gathered and the forensic team’s effectiveness in lining up interviews and analyzing findings. The ACFE advices client executives and in-house counsel to engage an external team but to consider making available to that team the company’s internal auditors, selected information systems staff and other internal resources for any investigation of substantial size.

The key to the success of all this from the forensic accountant’s point of view, especially in gaining access to critical digital data, can be the corporate counsel. On one hand, the forensic accounting investigator may find that the attorney gives the forensic accounting investigator free rein to devise and execute a strategic investigative plan, subject to the attorney’s approval. That scenario is particularly likely in cases of asset misappropriation. On the other hand, some attorneys insist on being involved in all phases of the investigation. It’s the attorney’s call. When engaged by counsel, forensic accounting investigators take direction from counsel. You should advise per your best judgment, but in the end, you work at counsel’s direction.

When working with attorneys on projects involving sensitive digital data, forensic accounting investigators should specifically understand:

Their expected role and responsibilities vis-à-vis other team members;
Critical managers and players within the information systems shop and their various roles;
What other professionals are involved (current or contemplated);
The extent and source of any external scrutiny (SEC, IRS, DOJ, etc.);
Any legal considerations (extent of privilege, expectation that the company intends to waive privilege, expectation of criminal charges, and so on);
Anticipated timing issues, if any;
Expected form, timing, and audience of interim or final deliverables;
Specifics of the matters under investigation, as currently understood by counsel;
Any limitations on departments or personnel that can be involved, interviewed, or utilized in the investigation process.

Independent counsel, with the help of forensic accounting investigators, often takes the lead in setting up, organizing, and managing the entire investigative team. This process may include the selection and retention of other parties who make up the team. Independent counsel’s responsibilities typically encompass the following:

Preparing, maintaining, and disseminating a working-group list (very helpful in sorting out which law firms or experts represent whom);
Establishing the timetable in conjunction with the board of directors or management, disseminating the timetable to the investigating team, and tracking progress against it;
Compiling, submitting, and tracking the various document and personnel access requests that the investigating team members will generate;
Organizing client or team meetings and agendas;
Preparing the final report with or for the board or its special committee, or doing so in conjunction with other teams from which reports are forthcoming;
Establishing and maintaining communication channels with the board of directors and other interested parties, generally including internal general counsel, company management, regulatory personnel, law enforcement or tax authority personnel, and various other attorneys involved.

As fraud examiners, we’re frequently conversant in areas related to financial accounting and reporting such as valuation, tax, and the financial aspects of human resource management but conversant doesn’t necessarily indicate a sufficient level of knowledge to fully guide a complex organizational investigation. What we can do, however, is to work closely with the corporate counsel to assist him or her in the building of a team on the back of which even the most complex examination can be brought to a successful conclusion.

From the Head Down

Posted by cwl890 on August 22, 2016 Comments Off

The ACFE tells us that failures in governance are among the most prominent reasons why financial and other types of serious fraud occur. Often the real cause of major corporate scandals and failures detailed in the financial trade press is a series of unwelcome behaviors in the corporate leadership culture: greed, hubris, bullying, and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons; so, that old saying remains true, fish rot from the head down.

CFE’s find themselves being increasingly called upon by corporate boards and upper operating management to assist as members of independent, control assurance teams reviewing governance related fraud risk. In such cases, where a board has decided to engage a third party, such as a consulting firm or law firm, to assess the risk associated with certain governance processes and practices, a CFE member of the team can ensure that the scope of work is sufficient to cover the risk of fraud, that the team’s review process is adequate, and that the individuals involved can provide a quality assessment. Thus, if the CFE has suggestions to make concerning any fraud related aspect of the engagement, these can be shared with the review team as a whole.

As the fraud expert on a review team identifying governance related risks, the ACFE recommends that the CFE keep an open mind. Even the best boards, with the most experienced and competent directors, can fail. Examples of red flag, fraud related governance risks to consider include:

–Organizational strategies are approved and performance monitored by executives and the board without reliable, current, timely, and useful information;
–There is too great a focus on short-term results without sufficient attention to the organization’s long-term strategy;
–Oversight by the board is limited by a lack of directors with the required business, industry, technical, IT, or other experience;
–The board’s dynamics do not include sufficient challenge and skeptical inquiry by independent directors;
–Oversight by the audit committee is limited by a lack of experience in financial reporting and auditing;
–There have been instances in the past of the external auditors having failed to detect material misstatements because part of their team lacked the necessary industry experience and understanding of relevant accounting standards;
–Board oversight of risk management is constrained by a lack of risk management experience;
–Strategies approved by the board are not linked to individual goals and objectives of managers in operating departments or over key business processes;
–IT priorities are not consistent with business and organizational priorities due to a lack of communication and alignment of goals and incentive programs;
–Employees do not understand the corporate code of business conduct because it has not been clearly communicated and/or explained to them.

Once the team has identified and assessed the principal governance-related risks, the first step is to determine how to address them. The review team should take each in turn and determine the best approach. Several options might be considered. Using generally accepted traditional control approaches, many governance-related risk areas (such as awareness of the corporate code of conduct, alignment of management incentive plans and organizational strategies, or the quality of information used by the executive leadership team and the board) can be addressed without too much difficulty.

Next, the CFE needs to consider which fraud risks to recommend to the team for periodic re-assessment in recurring risk assessment plans. It’s not necessary or appropriate to periodically assess every identified governance-related fraud risk, only those that represent the most significant on-going risk to the success of the organization and its achievement of its overall fraud prevention objectives.

In a relatively mature organization, the most valuable role for the CFE team member is likely to be that of providing assurance that governance policies and practices are appropriate to the organization’s fraud risk control and management needs – including compliance with applicable laws and regulations – and that they are operating effectively. On the other hand, if the organization is still refining its governance processes, the CFE may contribute more effectively to the governance review team in an anti-fraud consulting capacity advising or advocating improvements to enhance the evolving fraud prevention component of the organization’s governance structure and practices.

Within the context of the CFE’s traditional practice, there will be times when the board or general counsel (which has so often historically directly engaged the services of CFEs) wants the assessment of a particular governance fraud risk area to be performed by the in-house counsel. In such instances, the CFE can directly partner with the in-house staff, forming a relationship alternative to performance as a review team member with another type of assurance provider or outside consultant. This arrangement can offer significant advantages, including:

–Ensuring that the CFE has the benefit of the in-house legal team’s subject-matter expertise as well as knowledge of the company;
–Allow more CFE control over the scope of work, the way the engagement is performed, the conclusions drawn, and over the final report itself; for example, some CFE’s might feel more confident about expressing an opinion on whether the fraud risk under review is managed effectively by the board with in-house counsel support.

A risk-based fraud prevention plan is probably not complete unless it includes consideration of the risks inherent in the organization’s governance processes. Selecting which areas of governance to review should be based on the assessed level of risk, determined with input from management and (in all likelihood) the board itself. Different governance risk areas with fraud impact potential may merit different CFE involved review strategies, but, whatever approach is taken, careful planning is always a must.

Reviews of fraud risk related to corporate governance are never easy, and they often carry political risk. However, they are clearly important and should be given strong consideration as a component of every fraud prevention effort – not just because they are required by professional assurance standards, but because governance process failures can contribute so devastatingly to financial frauds of all kinds.

SOX, Fraud and the Audit Committee

Posted by cwl890 on May 15, 2016 Comments Off

A practicing CFE and subscriber to this blog contacted us to say that he’s been asked to make a presentation to the audit committee of a small public company client for whom he recently completed an examination of a financial fraud. The audit committee, in light of the control vulnerabilities uncovered by our CFE’s report, wants a briefing on its responsibilities under SOX (the Sarbanes-Oxley Act) so it, in turn, can assure that management’s future performance deters any fraud recurrence.

Since its inception in 2002, SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. It has also had a dramatic impact on the certified public accountants of publicly held companies and the audits of those companies. Since the enactment of Sarbanes Oxley, the Securities and Exchange Commission (SEC) has issued numerous SEC Releases that support and expand the SOX requirements. Many of the most important provisions of SOX and of the corresponding SEC Releases relate to fraud detection and prevention.

SOX gave audit committees more power and responsibility over a company’s auditors. The intent of the rules is to make the audit committee (rather than company management) the auditor’s “client.” Companies can be delisted from the stock exchanges if they fail to comply with the rules.

The auditor’s report is to be overseen by a company’s audit committee, not management;
Audit committees are responsible for hiring, compensating, and overseeing the registered public accounting firms they employ, and hiring independent counsel and any other advisors they determine necessary;
Each person on the audit committee must be a member of the board of directors and be otherwise independent of the company. SOX defines “independent” as not receiving any other compensation from the company and not being affiliated with the company or any of its subsidiaries;
One member of the audit committee must be a financial expert. A company without a financial expert must disclose that fact and explain its rationale. The SEC has defined a financial expert as someone with:

–An understanding of GAAP and financial statements;
–The ability to assess whether GAAP was used in estimates, accruals, and reserves;
–Experience with financial statements of a similar breadth and complexity of issues;
–An understanding of internal controls and financial reporting procedures;
–An understanding of audit committee functions;
–The New York Stock Exchange requires the chair of the audit committee to have accounting or financial management experience. It also requires a nominating committee and a compensation committee composed of independent directors;
–Companies provide appropriate funding to their audit committee;
–Audit committees pre-approve all audit and non-audit services provided by their auditor that are not specifically prohibited by SOX;
–Audit committees set up procedures to receive and deal with any complaints the company receives about accounting, internal control, auditing, and similar issues.

On the other hand, the biggest requirement for management of public companies that SOX mandates is more responsibility for financial reports filed with the SEC. SOX requires both the chief executive officer (CEO) and chief financial officer (CFO) of a company to prepare a statement to accompany the audit report that certifies their quarterly and annual financial statements and disclosures. There are six elements to the management certification:

The financial statements have been reviewed by management;
The statements do not contain an untrue statement of a material fact or omit a material fact that makes the statements misleading;
The statements fairly present, in all material respects, the operations, financial condition, and cash flow of the issuer;
Management is responsible for designing, installing, and evaluating disclosure controls and procedures, and reporting its conclusions with respect to its effectiveness;
All material internal control weaknesses and fraud are disclosed to the auditor;
All significant changes to internal controls after management’s evaluation have been disclosed and corrected.

These rules were implemented to assure investors that the information in a company’s quarterly and annual reports is accurate and contains all of the company information that the executives believe is important to a reasonable investor. If management willfully and knowingly violates this certification process, it can be punished with imprisonment of up to 20 years and a fine of up to $5,000,000. In addition, if financial reports must be restated due to material noncompliance with financial reporting requirements, a violation of securities laws, or securities fraud, company management can be required to repay bonuses and incentives or equity-based compensation it realized during the twelve months following the issuance or filing of the noncompliant document. It can also be required to repay any profits it realized from the sale of company securities during the same period. As a result of these certification requirements, it’s not surprising that many public company CEOs and CFOs have spent a great deal of time since 2002 conducting due diligence procedures on their financial statements before certifying them.

From a specifically fraud prevention perspective, SOX also sets out the following the following requirements of interest to our CFE reader’s audit committee and executive management:

Company officers and directors cannot take any action to fraudulently influence, coerce, manipulate, or mislead auditors to make the financial statements materially misleading;
Company executives and directors cannot receive loans that are unavailable to those outside the company. There is an exception for loans, such as a home mortgage or a credit card agreement, if they are on the same terms and conditions as those made to the general public and done in the ordinary course of business;
Company executives and directors cannot trade company stock during blackout periods when other employees are unable to do so. Profits from doing so can be recovered;
All insider stock trades involving executives and individuals who own 10 percent or more of the company must be reported electronically to the SEC within two days and posted to the company’s website;
All financial reports required by GAAP must contain all material correcting adjustments identified by the auditors;
All annual and quarterly financial reports must disclose all material off-balance sheet transactions and relationships with unconsolidated entities likely to have a material effect on the company’s financial condition;
Pro forma financial information must not contain any untrue statements or omit a material fact that would make it misleading, and it should be in conformance with company financial information prepared according to GAAP;
Companies must disclose, in plain English, material changes to their financial condition on a rapid and current basis.

Also of interest to our reader’s audit committee would be the criminal penalties. Sarbanes-Oxley and the SEC rules implementing its requirements increased the maximum penalties for many white-collar crimes and created tougher penalties for people who destroy records, commit securities fraud, and fail to report fraud. CPA firms are required to preserve all audit or review work papers, including e-mail, for at least seven years after the audit is complete. Willfully failing to do so or intentionally destroying these records is a felony, with penalties of up to 10 years of incarceration. Sarbanes-Oxley also created a new felony, with penalties of up to 20 years of incarceration and a hefty fine, for destroying, altering, or fabricating documents to impede, obstruct, or influence any existing or contemplated federal investigation. The criminal penalty for securities fraud was increased to 25 years. The statute of limitations on securities fraud claims was extended from one to two years from the date the fraud is discovered, and from three to five years after the fraud took place. Sarbanes-Oxley increases the penalty for CEOs and CFOs who knowingly certify fraudulent financial statements or submit materially misleading statements to the SEC to a maximum of 10 years of imprisonment and a $1 million fine. CEOs and CFOs who willingly do so will face a maximum penalty of 20 years of imprisonment and a $5 million fine.

Global Storm Clouds Rising

Posted by cwl890 on February 14, 2016 Comments Off

The recent turbulence in the global financial markets is raising the by now too familiar questions in the trade press. Who is managing the risk? Where is the oversight? Could this financial turmoil have been avoided if associated risks had been managed more proactively? Manage has a positive connotation, implying that someone is in control, as in “The governor is managing the coastal flooding event.” Risk has a negative connotation, implying a lack of control, as in “An unattended gun puts lives at risk.” Risk is everywhere and can be an opportunity or a threat. Although an effective risk management system cannot provide absolute assurance that events such as the current unsettled market situation will not occur, it can, as the least, lend confidence that the key risks will be identified and dealt with timely.

As a first step, understanding the structure and dimensions of ideal risk management can support common understanding and effective implementation by management and an adequate fraud risk assessment effort by CFE’s and other assurance professionals. Management must understand the key vulnerabilities to the business model and establish risk expectations, which can then be incorporated into business practices. Likewise, CFE’s must understand and consider the context of those expectations in their periodic fraud risk assessments. A thorough management understanding of fraud risk also improves the quality of any subsequent investigation of financial irregularities as it creates a standard against which to compare management’s due diligence efforts. Although it may be difficult for your individual clients to identify ideal standards for risk management, addressing some fundamentals can help frame those ideals.

Regulatory, market, and fraud risks are common and familiar to CFE’s, who’re used to identifying these external events and asking “What if” questions: What if this process is not in compliance? What if a fraud were to occur as a result? Inside counsel and auditors often encourage management to address these types of risks immediately, which can result in operational silos dedicated to addressing a single significant fraud risk. However, these single events are only part of the picture. What about process efficiency risk, process design risk, system implementation risk, data integrity risk, skill-set risk, and the myriad other internal risks that, from the CFE’s informed perspective impact operations and fraud prevention? In the end, a risk is only important if it affects achievement of strategic and business objectives. Both external and internal risks can be placed in the context of their impact on business objectives. The strategic and objective framework must be defined and understood if an organization is to gauge the impact of the risks confronting it. The simplest way to define this framework is to start with the strategy and identify who is accountable for its parts. The framework is further defined as interviews with senior management reveal its objectives and accountability. The process continues until the framework has been constructively defined down to a relevant level for any external or internal risk. The relevance is determined based on the fraud risk’s ability to impact key elements of the framework. The framework provides a formal structure for ensuring strategic achievement.

Fraud risk management requires adequate identification of general risks and an awareness of existing vulnerabilities. Failure to do so can have dire consequences as the ever increasing volume of recent fraud cases attest. A century ago, modern soldiers recognized that good weapons were important to survival. However, realizing the value of tanks and exploding shells was only one element of effective risk management. Another was assessing the quality of the armor tanks carried into battle. No general would order a tank advance, without adequate vehicle armor. An army with limited protection would avoid or delay battles while its vehicles were being adequately fitted. Likewise, as an organization pursues its objectives, it must understand its strengths and vulnerabilities. Organizations cannot charge into daily economic battles without both weapons for success and armor to manage their inherent risks. Historically, assurance professionals have operated in a black-and-white world – a control is either present or absent, effective or ineffective. Although this may work for compliance or financial reporting objectives, it doesn’t help management effectively improve governance, risk management, or overall fraud prevention. Recognizing that business operations mature over time requires critical anti-fraud controls to mature with them. So if operations and controls mature over time, how does an organization organize the current state of affairs to avoid fraud vulnerabilities?

It’s important for fraud prevention to evaluate how effectively current business processes are supporting the achievement of strategic and business objectives. This evaluation will provide insights into the overall maturity of the fraud prevention controls that are in place to manage key risks. If the objective is to attack, yet the process or control maturity shows insufficient strength, it’s likely that the risk appetite of the general exceeds that of his government and country. Risk becomes more manageable with a framework of key risks in the context of key objectives and process/control maturity.

Business process and control vulnerability to fraud can be measured by defining high-level management controls that illustrate what management is doing to achieve its strategic and business objectives. By this point organizations should understand the strategy and objectives and be aware of their people, process, and technology capabilities; but this alone does not provide an overall understanding of fraud control maturity. Because maturity implies sustainability, it’s important to concurrently understand just how capable or strong the systems of control are. One way to begin creating a control maturity perspective is to look at what management is currently doing to ensure it achieves its objectives.

Does management have formal fraud prevention objectives that are well-written and communicated?
Is accountability clearly established?
Have metrics been set to measure the progress of those who are accountable?
Is existing reporting capable of illustrating the metric?
Are the information and communication channels adequate?
Does the tone at the top champion ethical behavior?

Frank answers to these types of simple questions help determine whether the CFE’s client organization is closer to the top, middle, or low levels of management fraud control maturity. This determination can help the organization identify gaps between its current level of maturity and the desired level so that actions can be prioritized to address the largest gaps. The answers to these questions can also help determine how formally objective achievement is being managed. They also provide a window into process capabilities and indicate the degree to which these capabilities are aligned with objective achievement. Informal alignment can create vulnerabilities. Management fraud control maturity is by no means the ultimate tool, but it provides a bridge in assessing risk management vulnerabilities.

All CFE’s have a role in educating senior management and the board (if there is one) about effective fraud risk management and irregularity prevention. Risk management means many things to almost everyone, yet communicating a few basic principles to clients will help CFE’s not only be successful but will provide the foundation for a program of robust fraud risk assessment. These principles help define a framework for valuing risk, assessing vulnerabilities, and determining the necessary steps for improving management fraud control maturity. Taken together, they can help any client organization improve the management of its overall risk and fraud prevention program.

« Previous page | Next page »

theinnerauditor

BLOG OF THE CENTRAL VIRGINIA CHAPTER OF THE ASSOCIATION OF CERTIFIED FRAUD EXAMINERS

Category Archives: Audit Committees - Page 2

The Initially Immaterial Financial Fraud

Rigging the Casino

Zack is Back on Internal Investigations!

The CFE, Management & Cybersecurity

Team Work is Hard Work

Inside and Out

On Auditors, Lawyers & Data

From the Head Down

SOX, Fraud and the Audit Committee

Global Storm Clouds Rising

Recent Posts

Subscribe to this Blog via Email

Archives

Categories

Pages

Blogroll