SOX and other regulatory standards are forcing audit committees to learn how to prevent fraud. Here's what they need to learn and how you can help them learn it so they will escape litigation, and most importantly, tackle fraud.
Julie Storm has oversight responsibility for DB Inc.'s new refinery operation in Boleslawiac on the outskirts of Warsaw, Poland. Julie sent refinery effluent samples to a Warsaw lab on two occasions to check for the presence of carcinogens and other residual materials that might contaminate the water supply. Because the lab didn't return reports until almost three weeks later, she decided to send the third sample to a speedier German lab. Both reports from the Warsaw lab indicated no contaminants in the water supply but the German report appeared to be more thorough and offered evidence of two highly carcinogenic contaminants in the effluent. Julie now questions her judgment in sending the sample to the German lab. Her company is in compliance with Poland's laws in presenting the reports from the Warsaw lab and opening the refinery as scheduled. She has spoken with the head of operations at DB and he told her to ignore the analyses from the German lab. What is her ethical obligation?
This hypothetical mini-case is an example of a scenario that members of an audit committee can review during an anti-fraud training group session. Most audit committee members in the past wouldn't have had to place an anti-fraud training meeting on their calendars, but the Sarbanes-Oxley Act of 2002 and new regulatory standards (such as the Securities and Exchange Commission's Final Rule on Listed Companies Audit Committees and PCAOB Standard No. 2) have clearly placed responsibility for fraud prevention within the charter of the audit committee.
With responsibilities sharply delineated, we can expect more fraud litigation directed at audit committees. Companies will be charged with malfeasance; the accusation will be that the committee wasn't properly trained for its role because of management's negligence. This potential liability, coupled with an average fraud loss for an American firm of six percent of annual revenues, provides more than ample justification for proactive and preventative steps by management.
The steps required are: 1) investing in the education of audit committee members on key fraud risks, ethical issues, and risk mitigation strategies; and 2) conducting ongoing training in methods to work more effectively with the company's internal audit group (including fraud examiners) to reduce the risk of fraud in their organizations.
In this article, we describe the specific fraud prevention activities of the audit committee, the modes of learning that are most efficacious, and the types of training that are best customized to fit their needs. These methods are accompanied by specific program examples, self-assessment questions to evaluate current performance, resources for self-discovery, and a mini-case (in the lead of the article) for exploring ethical issues. The material presented can be used to create a day-long session as a retreat or, alternatively, shorter programs that can be offered after a meeting or as a separate webcast at another juncture to committee members at remote or off-site locations.
Fraud prevention responsibilities of the audit committee
The audit committee has a broad spectrum of fraud prevention responsibilities within the organization. (See Figure 1 below.) Its sphere of influence includes management oversight, internal audit guidance and direction, reporting to the board, and direct oversight of key fraud prevention programs. Specific responsibilities relating to fraud prevention include:
- assessment of the risks to the company to ensure that these risks are part of the audit planning process;
- creation of a whistleblower program for financial suspicions and discrepancies to ensure the confidentiality of complaint filers and the prompt resolution of complaints;
- establishment of mandates of good corporate governance including strong and effective systems of internal control;
- assurance that relevant accounting standards, effective controls, and policy statements are in place and working as designed;
- direction and active oversight of the efforts of internal audit to ensure transparency in financial and operational reporting;
- implementation of programs to ensure the ethical integrity of the company's corporate culture;
- assurance to investors, vendors, and industry analysts that the company takes regulatory compliance very seriously not only as a mechanism to improve financial and operational transparency but as a necessary obligation with increasing globalization and fast-moving markets to remain an earnest corporate citizen; and
- provision of a trusted advisory role to the corporate board on all financial matters.
Figure 1 is no longer available - Legal Imperatives
Audit committee member performance and effectiveness should be assessed annually. This approach can take the form of a self-assessment instrument used alone or it may be coupled with informal feedback from the chief executive officer (CEO), chief financial officer (CFO), compliance officer, external audit partner, director of internal audit, and board members. Another option is a formal written survey which can be distributed in a "360-degree feedback process" to obtain performance information on individual team members. The AICPA has a sample survey, "Conducting an Audit Committee Self Evaluation: Guidelines and Questions."
What does the audit committee need to learn?
Although it's desirable to have several members of the audit committee with a management accounting, audit, or management consulting background, often the audit committee chair is the only member with any significant content knowledge. However, even with an accounting background, the chair may have minimal exposure to fraud. Every member of the audit committee should increase their knowledge of: 1) the organizational history relating to fraud and its prevention; 2) fraud concepts; and 3) ethics including heightened awareness of the potential for fraud within the organization.
Assessment of existing state
The first step for the audit committee is learning the company's history of fraud occurrence and prevention activities so that it can guide the internal audit department and fulfill its responsibilities for fraud prevention. If fraud has occurred in the past, it's important to take a closer look at the specifics of each instance, evaluate the ways it was handled, and examine the safeguards that were added to prevent future occurrences. If the company is conducting annual fraud prevention assessments, the committee will want to review the findings from several previous assessments. If the company hasn't conducted such an assessment, the committee should initiate one to highlight potential areas of risk.
Ethics discussion
According to the SEC's definition of a code of ethics for directors, "honest and ethical conduct" is required. Although the SEC's rule includes a few specifics such as "including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships and full, fair, accurate, timely, and understandable disclosure in filed reports and documents," there are a large number of specific ethical issues that aren't directly addressed. Board members can benefit from a discussion of some of these issues to provide insight into the types of ethical situations faced by both senior executives and line management throughout the organization in everyday operations.
Small group discussions of realistic situations are the most effective forums to face the challenges throughout the organization. Case examples can be purchased or written to specifically describe likely scenarios for a specific organization. These cases should be kept short (such as the case example at the beginning of this article) to allow participants to interpret the situation to most closely fit their perceptions of the organization. The case study should also leave sufficient gray areas to allow participants to effectively grapple with the issues. If the company operates in a global environment, it's important to include some of the unique cultural differences found in other cultures. After the small group of two or three reviews and discusses each mini-case, the members share their results with the larger group.
Fraud Triangle
The iconic Fraud Triangle provides a conceptual view of the essential requirements of any fraud situation. Of course, it's a good starting point for committee members because it provides a solid foundation for development of a fraud prevention program.
With an understanding of the three key ingredients of every fraud, the three points of the triangle (opportunity, pressure, and rationalization), the committee can fulfill its role of ensuring that the company eliminates opportunities, places no undue pressure on people to produce impossible business results, and tries by every means possible to hire only employees of integrity. Committee members can discuss actual fraud cases and identify the three components of fraud in each. (For more information on the Fraud Triangle and research surrounding it, read "Why Employees Commit Fraud," by Joseph T. Wells, CFE, CPA.)
Major areas of exposure
The audit committee can benefit from learning more about the three major types of fraud:
- corruption, which includes conflicts of interest, bribery (including kickbacks), illegal gifts, and economic extortion;
- misappropriation of assets, which includes skimming, larceny, and asset misuse; and
- financial statement fraud, which can include financial (either asset or revenue over- or understatements) and non-financial components.
Audit committee members need to discuss examples of each type of fraud and ways it was uncovered. Also, the committee can best develop safeguards when it's aware of red flags that might be present for each type of fraud. (For more information see the "Corporate Fraud Handbook," by Joseph T. Wells, CFE, CPA.)
Important deterrents
According to the ACFE's "2004 Report to the Nation," almost 40 percent of fraud is found through tips and anonymous disclosures, which makes a hotline an important component of fraud detection. Audit committees need to explore the costs and benefits of extending employee hotline access to vendors and customers.
The internal audit department finds another 24 percent of frauds, which underscores the need for the audit committee to give detailed instructions on required safeguards. Surprisingly, another 21 percent is identified by accident. This percentage, regrettably, is significantly more than the amount of fraud that the external auditor detects.
The goal for the learning in this area is to understand what each fraud deterrent offers and to consider other approaches to lowering fraud risk.
Brainstorming fraud risks in the current company
The audit committee has a duty to approach fraud prevention in the organization with skepticism. It's important to take a questioning stance and help guide internal audit to utilize a risk-based approach to probe broader and deeper into areas warranting closer scrutiny. Known fraud risk factors, management override of internal controls, fraud risk assessments, results of employee surveys or hotline calls, and publicized fraudulent activities from other companies are all productive areas for brainstorming sessions. A skilled facilitator, who uses techniques such as encouraging everyone to write down their ideas before sharing, can elicit maximum response from participants. New ideas of merit can be assigned to members of the audit committee for further evaluation or discussion with internal audit. This practical learning experience can have immediate application and payback.
What are the next steps?
After the company defines additional learning components to help audit committee members focus on improving fraud prevention, the committee needs to determine the best time and format for these sessions. Because schedules often fill up months in advance, adequate advance planning three or four months out can ensure that all committee members can make the commitment. Audit committee members can also teach themselves in advance of the meeting by using the resources listed below.
Fraud resources for audit committee members
- "Designing a Robust Fraud Prevention Program": This Fraud Magazine article by Martin T. Biegelman, CFE, ACFE Fellow, provides an excellent overview.
- "Management Override of Internal Controls: The Achilles Heel of Fraud Prevention - The Audit Committee and Oversight of Financial Reporting": This AICPA document is specifically addressed to audit committees. It focuses on fraud prevention by indicating how the audit committee can effectively oversee management and monitor management override of internal controls.
- The Audit Committee Toolkit: An audit committee can use this comprehensive toolkit to guide itself on tasks ranging from chartering the committee to fraud prevention to working with the independent auditor.
- "PCAOB Standard No. 2": This PCAOB publication provides guidance on internal controls and anti-fraud programs.
- SAS 99: This link to the AICPA site provides an overview of SAS 99's fraud prevention guidelines for financial statement audits.
- "United States Sentencing Commission, Guidelines Manual": This document, which has been revised on numerous occasions since its introduction in 1991, provides seven criteria that a compliance program needs to detect violations of the law.
Typically, the internal training department won't be prepared to offer board training, but consulting firms, professional organizations, and local universities often have top-notch, experienced facilitators who can lead it with the assistance of internal Certified Fraud Examiners. In many cases, the person selected for the initial learning programs not only facilitates discussions for the audit committee members but also provides broader training for the board, if needed.
With fraud training in place, the accusation that the audit committee is ill-prepared for its role will likely disappear. Of course, an added benefit is that the audit committee's improved oversight probably will decrease the likelihood of fraud within the organization.
| Question | Response (Circle response. 1 = needs improvement; 6 = firm commitment) |
| --- | --- |
| Does the committee elicit feedback from internal and external audit on key fraud risks? | 1  2  3  4  5  6 |
| Does the committee review anti-fraud policies on a regular basis? | 1  2  3  4  5  6 |
| Does the committee take measures to ensure the effectiveness of internal controls throughout the organization? | 1  2  3  4  5  6 |
| Has the committee extended the code of conduct to cover all employees? | 1  2  3  4  5  6 |
| Does the committee participate regularly in continuing education on fraud and other key risk topics? | 1  2  3  4  5  6 |
| Has the committee extended the whistleblower hotline to customers and suppliers? | 1  2  3  4  5  6 |
| Does the committee do its part to ensure that an ethical tone emanates from the top of the organization? | 1  2  3  4  5  6 |
| Does the committee ensure that policies are in place to ensure swift investigation of suspected fraudulent activity? | 1  2  3  4  5  6 |

Figure 2 - Fraud section of the audit committee effectiveness survey

Sample day-long program for audit committee retreat
- Current state assessment - (20 minutes) Individuals are given a series of questions to answer about fraud prevention and the likelihood of various types of fraud in organizations. Depending on the sophistication of the training facility, these responses can be automatically captured and tabulated. Results are debriefed with the group.
- Ethics cases for discussion - (45 minutes) Mini-cases utilizing realistic scenarios from either domestic or global companies provide an opportunity for sub-groups to discuss the grey areas surrounding some of the dilemmas that management and staff can face in the course of business activities.
- Overview of fraud - (60 minutes) This session provides an overview of fraud, its nature, and importance. It introduces regulatory influences and how different types of fraud differ. A short case relating to U.S. Sentencing Guidelines is included.
- Common types of fraud - (120 minutes) This module engages the audit committee members in case study examples of several different types of fraud including revenue recognition, asset misappropriation, and management issues.
- Fraud detection techniques - (30 minutes) Participants will learn how fraud is typically detected as well as the best practices for fostering detection and prevention.
- Special topic for industry or location - (30 minutes) Depending on the industry and geographic location, special topics of interest might be: cyber crime, bribery and improper payment schemes, or fraud against employees and customers.
- Brainstorming session on improving the company's fraud prevention program - (60 minutes) This session allows participants to reflect on areas of high fraud potential within their company and brainstorm some of the changes needed to better prevent it. Knowledge is captured during this session to make it easier to convey to the head of internal audit and other key members of the management team. Mitigation strategies can be prioritized and sub-groups assigned to address these.
Mary Campbell, Associate Member, is an independent consultant who helps global companies implement strategic learning initiatives.
Gary W. Adams is the president and CEO of AutoParking LLC.
David R. Campbell, CPA, is a professor of accounting and department head at Drexel University in Philadelphia, Pa.
Michael P. Rose, CPA, CIA, CCSA, CISM, is a senior partner for GR Consulting LLC, with offices in Philadelphia, Pa., and New York, N.Y.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com