Sarbanes-Oxley documentation becoming timesaver for fraud examiners

The new documentation required under sections 302 and 404 of the Sarbanes-Oxley Act helps fraud examiners by quickening the creation of deterrence programs and simplifying investigations.  

ALLTEL Corporation of Little Rock, Ark., according to industry experts, is one of several large companies that started early on SOX compliance and continues to improve on the basics. ALLTEL, a firm with $8 billion annual revenues, provides wireless, local telephone, long-distance, Internet and high-speed data services to more than 13 million residential and business customers in 26 states.

ALLTEL's SOX documentation tells the story of processes and controls throughout the company through explanatory risk/control matrices, flowcharts, and narratives, says the documentation's architect, Brandi Joplin, CPA, vice president of internal audit. The flowcharts provide basic information and the narratives describe those responsible for activities and controls, specific reports utilized within an activity, and specific description of controls.

The matrices describe specific risks and controls to mitigate the risks, evaluation of each risk's likelihood and impact, and the design assessment and operating effectiveness of the internal controls.

Next on the task list, Joplin says, is to document operational processes in the same manner as the financial processes.

Joplin expects that most companies above the $1 billion mark in sales will provide pictures and narratives. The new regulations, however, mandate documentation but stop short of specifying its types or extent. "We're not sure yet what substandard versus average versus awesome documentation will look like," says Rich Lanza, CFE, CPA, PMP, president of Cash Recovery Partners, L.L.C. in Lake Hopatcong, N.J. "More than likely it's going to be a narrative of the process, and if mapped through the use of flowcharts it will be more helpful." (Lanza also writes the column, "Fear Not the Software," in Fraud Magazine.)

Whatever the format, the basic 404 documentation is a timesaver. The fraud examiner can gain a detailed understanding of processes included in the investigation without interviewing multiple people and reviewing many documents. "Before (SOX) we would do lots of this grunt work ourselves," says Lanza.

The process documentation can illustrate critical risk and internal control areas, which can provide fraud examiners the details to guide the interview and investigation and help them easily identify reports or physical evidence. "Even in the most basic documentation there will be lots of good control information," says Lanza. "The descriptions and details of the testing will also be especially helpful."

SOX's watershed change

Of course, the existence of process and control documentation isn't new. Many companies have policies and procedures manuals. But SOX's watershed change is the requirement to update and test annually. "Sometimes in the past, employees would tell us that while the manual said one thing they did it differently," says Harry Cendrowski, CFE, CPA, CVA, CFD, founder and president of Cendrowski Corporate Advisors in Bloomfield Hills, Mich. "And while management might have known it was happening they just let it go on before."

According to Cendrowski, if the fraud examiner is investigating a suspicion rather than setting up a prevention program, the documentation is particularly useful in finding weaknesses. For example, if the payroll department has specific controls on which people can make journal entries, the computer department could devise a program that would allow the lowest clerk access to the system. "The new documentation makes it much easier to identify a company's strengths and weaknesses," says Cendrowski. "And all organizations do have both strengths and weaknesses."

According to Joplin, weaknesses might show up as tasks move between departments or divisions such as a purchase order moving from purchasing to accounting. Documentation can help fraud examiners understand how processes linking to each other may impact the investigation. Companies that haven't completed the end-to-end documentation will need to be carefully reviewed to make sure proper controls are in place. Controls also break down over time, according to John L. Tonsick, CFE, CPA, associate director at Protiviti, a risk consulting firm based in Menlo Park, Calif. "It's very helpful to note when controls break down," he says. Tonsick, who is the subject matter expert on fraud for the company's Western region in Los Angeles, points to two situations that are present in all his investigations. Because more than 80 percent of frauds involve asset misappropriation, breakdowns occur frequently in segregation of duties and supervisory review, he says. "I've never done an investigation that one or the other of these two controls had not failed," says Tonsick.

According to Tonsick, the completeness of the documentation does have one downside. While controls within a department might inhibit fraud, the increased control environment forces more collusion. Losses are greater when more than one employee is involved, according to the ACFE's Report on Occupational Fraud and Abuse. "But hopefully the improved procedures act to detect frauds early, if the system is circumvented," says Tonsick.

Joplin points out several additional advantages to the new documentation. Once fraud is suspected, the documentation also saves time when requesting other specific documents. Companies that have completed narrative descriptions to accompany the flowcharts list the control, where it's done, who does it, and how often it's performed, she says. The fraud examiner can request information at an advanced starting point compared to the investigations before 404 documentation, Joplin says.

According to Lanza, in addition to having details of process and controls, fraud examiners also can readily review the tests. An examiner may not challenge the testing per se but could review the tests for weaknesses as possible starting points. "The testing documentation might be particularly helpful," says Lanza. "If we can verify the completeness of a test, we can reduce the time spent on false positives."

Lanza points out that testing processes can't be relied on without question. In fact the existence of the tests and reports might be the only thing that makes the fraud examiner's job harder, in Lanza's opinion. "The testing could prejudice an examiner's conclusions," says Lanza. "They might see the tests and that nothing went wrong, but in reality the test and the documentation might have been done incorrectly."

More work for CFEs?

According to Cendrowski, SOX compliance might have another implication for Certified Fraud Examiners℠. The risk of fraud is determined when companies are forced to look and think deeply about their controls, he says. Less fraud should be less work for CFEs®. But the increased penalties for directors and executives tip the scales heavily in the opposite direction, Cendrowski says. Audit committees especially are putting anti-fraud and specialized legal professionals on retainer in growing numbers, he says. "The SEC is indicating that if companies have a problem they want assurance that it will be addressed immediately," says Cendrowski. "The audit committee doesn't want to wait until something goes wrong to start trying to find the right people with the requisite experience to do this type of work."

Cendrowski says that the demand for services is growing among private and not-for-profit companies that may not be affected by law but seek best practices. Cendrowski tells of a recent situation with a $1 billion private company for which they just put in an internal audit department. "Our client called us for this work because he said he was tired of reading about SOX in the newspaper and not having the practices at his firm," says Cendrowski.

Fraud examiners should know, however, that state legislatures have enacted SOX-type regulations for not-for-profits in certain states. New York passed one last year and 19 other states are entertaining proposals. "This area could explode for CFEs in the next 24 months," says Cendrowski.

Most fraud professionals agree that SOX documentation is a starting point for fraud examiners but is less than useful in organizations that don't support the spirit of the new rules. "The new tools are not worth a lot unless the company has changed its culture to support proactive employee involvement," says Cendrowski.

According to Lanza, SOX 302 and 404 really are about controls, which happen throughout the entity processes but also at the entity level. Clues to the true effectiveness of the controls are found in the ways that a company handles problems and comes up with fixes to processes, he says. "Say an employee doesn't have the proper computer system to manage sales price changes," says Lanza. "If the answer to that by superiors is that they do higher level testing so that they do not find much wrong in the test work and not focus on fixing the underlying issue, that could be a problem."

So the new tools will save time for the fraud examiner but in reality the tone at the top still forms the bottom line on the statement of controls effectiveness.

Cynthia Harrington, Associate Member, CFA, is a freelance writer for Fraud Magazine.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  

 
