The ACFE tells us that failures in governance are among the most prominent reasons why financial and other types of serious fraud occur. Often the real cause of major corporate scandals and failures detailed in the financial trade press is a series of unwelcome behaviors in the corporate leadership culture: greed, hubris, bullying, and obfuscation leading to fantasy growth plans and decisions taken for all the wrong reasons; so, that old saying remains true, fish rot from the head down.
CFE’s find themselves being increasingly called upon by corporate boards and upper operating management to assist as members of independent, control assurance teams reviewing governance related fraud risk. In such cases, where a board has decided to engage a third party, such as a consulting firm or law firm, to assess the risk associated with certain governance processes and practices, a CFE member of the team can ensure that the scope of work is sufficient to cover the risk of fraud, that the team’s review process is adequate, and that the individuals involved can provide a quality assessment. Thus, if the CFE has suggestions to make concerning any fraud related aspect of the engagement, these can be shared with the review team as a whole.
As the fraud expert on a review team identifying governance related risks, the ACFE recommends that the CFE keep an open mind. Even the best boards, with the most experienced and competent directors, can fail. Examples of red flag, fraud related governance risks to consider include:
–Organizational strategies are approved and performance monitored by executives and the board without reliable, current, timely, and useful information;
–There is too great a focus on short-term results without sufficient attention to the organization’s long-term strategy;
–Oversight by the board is limited by a lack of directors with the required business, industry, technical, IT, or other experience;
–The board’s dynamics do not include sufficient challenge and skeptical inquiry by independent directors;
–Oversight by the audit committee is limited by a lack of experience in financial reporting and auditing;
–There have been instances in the past of the external auditors having failed to detect material misstatements because part of their team lacked the necessary industry experience and understanding of relevant accounting standards;
–Board oversight of risk management is constrained by a lack of risk management experience;
–Strategies approved by the board are not linked to individual goals and objectives of managers in operating departments or over key business processes;
–IT priorities are not consistent with business and organizational priorities due to a lack of communication and alignment of goals and incentive programs;
–Employees do not understand the corporate code of business conduct because it has not been clearly communicated and/or explained to them.
Once the team has identified and assessed the principal governance-related risks, the first step is to determine how to address them. The review team should take each in turn and determine the best approach. Several options might be considered. Using generally accepted traditional control approaches, many governance-related risk areas (such as awareness of the corporate code of conduct, alignment of management incentive plans and organizational strategies, or the quality of information used by the executive leadership team and the board) can be addressed without too much difficulty.
Next, the CFE needs to consider which fraud risks to recommend to the team for periodic re-assessment in recurring risk assessment plans. It’s not necessary or appropriate to periodically assess every identified governance-related fraud risk, only those that represent the most significant on-going risk to the success of the organization and its achievement of its overall fraud prevention objectives.
In a relatively mature organization, the most valuable role for the CFE team member is likely to be that of providing assurance that governance policies and practices are appropriate to the organization’s fraud risk control and management needs – including compliance with applicable laws and regulations – and that they are operating effectively. On the other hand, if the organization is still refining its governance processes, the CFE may contribute more effectively to the governance review team in an anti-fraud consulting capacity advising or advocating improvements to enhance the evolving fraud prevention component of the organization’s governance structure and practices.
Within the context of the CFE’s traditional practice, there will be times when the board or general counsel (which has so often historically directly engaged the services of CFEs) wants the assessment of a particular governance fraud risk area to be performed by the in-house counsel. In such instances, the CFE can directly partner with the in-house staff, forming a relationship alternative to performance as a review team member with another type of assurance provider or outside consultant. This arrangement can offer significant advantages, including:
–Ensuring that the CFE has the benefit of the in-house legal team’s subject-matter expertise as well as knowledge of the company;
–Allow more CFE control over the scope of work, the way the engagement is performed, the conclusions drawn, and over the final report itself; for example, some CFE’s might feel more confident about expressing an opinion on whether the fraud risk under review is managed effectively by the board with in-house counsel support.
A risk-based fraud prevention plan is probably not complete unless it includes consideration of the risks inherent in the organization’s governance processes. Selecting which areas of governance to review should be based on the assessed level of risk, determined with input from management and (in all likelihood) the board itself. Different governance risk areas with fraud impact potential may merit different CFE involved review strategies, but, whatever approach is taken, careful planning is always a must.
Reviews of fraud risk related to corporate governance are never easy, and they often carry political risk. However, they are clearly important and should be given strong consideration as a component of every fraud prevention effort – not just because they are required by professional assurance standards, but because governance process failures can contribute so devastatingly to financial frauds of all kinds.
Comments are closed.