The Most Important Internal Control Component for Fraud Examiners


A Chapter member, in reference to our last post, wondered aloud over a mutual lunch this week whether the state of her client’s COSO 2013 control environment might not be, initially, the most important COSO component for close examination by Fraud Examiners performing fraud risk assessments.  After all, she’s right that the control environment is where the organization is called upon to directly demonstrate its commitment to integrity and ethical values.  It’s also in the documentation of the control environment that the board of directors asserts independence from management and outlines tools to exercise oversight of the development and performance of the entire system of internal control.  But that’s not all; management must establish, with board oversight, staff structures, reporting lines, and appropriate authorities and responsibilities to pursue, and hopefully achieve, its defined objectives.  In line with this last, the organization must document and demonstrate a commitment to attract, develop, and retain competent individuals as employees.  And lastly, and of particular importance to us fraud examiners as we go about our work of building and documenting cases, there must be defined mechanisms to hold employees accountable for their specifically defined internal control related responsibilities in the pursuit of enterprise objectives.

So, the COSO control environment component is something of a preliminary topographical map or stage setting, if you will, to the client organization’s overall approach to internal control.  A fraud examiner conducting a fraud risk assessment for management would certainly be expected to focus closely on whether or not the following are present and functioning as evidence of the organization’s commitment to integrity and ethical values:

–Tone at the Top: are the board of directors and management at all levels of the organization demonstrating through their directives, actions and behavior the importance of integrity and ethical values in supporting the functioning of the system of internal control?

–Standards of Conduct: have standards of conduct been formally established and published?  Of great follow-on consequence for ultimate, successful prosecution of fraud and corruption cases is the presence of formal documentation and the wide publication of the expectations of the board of directors and management concerning compliance with those integrity and ethical values defined in the entity’s standards of conduct and understood at all levels of the organization as well as by outsourced service providers and business partners.

–Processes to Evaluate Adherence to the Standards of Conduct: having a great set of ethical codes and standards means little if there are no processes in place to evaluate the performance of individuals and work teams against those codes and standards.  This is the area where I think you will find that most of our clients fall short; the entity can proudly point to its bookshelf of standards but there’s little or no evidence that the degree of actual employee compliance is being formally reviewed or audited by anybody. A review means the process is periodically evaluated critically and corrective action, if required, is formally documented and performed by responsible managers.

–Deviations are Addressed in a Timely Manner: the fraud examiner during the fraud risk assessment process should look for evidence that deviations from the organization’s expected standards of conduct are identified and remedied in a timely and even-handed manner;  ‘even-handed’ means that deviations are dealt with fairly and consistently no matter what level of employee is involved.

–Establishment of Oversight Responsibilities: has the board of directors identified and does it accept its oversight responsibilities in relation to establishing requirements and expectations?  You can imagine the field day an opposing attorney would have if the defendant company has failed to implement this one!

–The Application of Relevant Expertise: does the board of directors define, maintain and periodically evaluate the skills and expertise needed among its members to enable them to ask all types of probing questions of senior management and then take appropriate action?

–Operates Independently: the fraud examiner has to ask him or herself if the client’s board of directors has enough members who are sufficiently independent from the management to be objective in performing evaluations and taking decisions to provide effective oversight of the client’s entire system of internal control.

Fraud examiners are usually so pressed for time in developing our cases that any documented shortcut into the client’s control structure is of great potential value to us.  COSO 2013, in significantly expanding the scope of the control environment component, has handed our profession yet another useful tool in the performance, not only of fraud risk assessments, but also of the spade work involved in the basic process of fraud examination and eventual prosecution.

Please make plans to join us on April 16-17th, 2014 for the Central Virginia Chapter’s seminar on the topic of Introduction to Fraud Examination for 16 CPE ($200.00 for early Registration)! For details see our Prior Post entitled, “Save the Date”!
