Featured Article

Elephant In The Room

Date: March 1, 2009

Ivan was an excellent accounts payable clerk for Bacme Corporation. Management trusted him implicitly. Ivan entered new suppliers into the system and subsequently entered invoices related to these same suppliers. Big mistake; Ivan had been using that freedom to create several new fictitious suppliers and to write checks worth thousands of dollars to himself. A tenacious external auditor finally found the fraud.

How did Ivan get away with his crimes? The primary mitigating control over his access, designed by a Big 4 firm, was a review of a final payment register that included supporting documentation for all checks totaling more than $30,000. Ivan knew about this control, so he never wrote a check to himself exceeding that amount. This control prevented material misstatements in the financial statements, but it left the company exposed to supposed immaterial fraud. Maybe it was technically immaterial, but these were substantial losses.

This case is fictitious, but the factors that led to it are very real.

SOX MATERIAL MISSTATEMENTS 

Various substantial frauds led to the implementation of the Sarbanes-Oxley Act (SOX) in the United States. SOX and its Auditing Standard 5 (AS5) requirements are primarily concerned with frauds that can cause a material misstatement in a company's financial statements. According to guidance from AS5, "the auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls [italics added for emphasis]." AS5, specifically, and SOX, in general, focus on the prevention of material fraud.

However, company executives should not only concern themselves with material fraud. There's a smaller, less-than-material fraud (what I call "sub-material fraud") that could prove to be a substantial risk to companies.

Now, immaterial fraud is a term used in financial statement audits to indicate fraud below the level of materiality. A definition of immaterial (Webster's) is "of no substantial consequence" or "unimportant." I choose to use the term sub-material so that the significance of any fraud wouldn't be minimized. There's no CFO who would deem a $100,000 fraud committed against his or her company as "of no substantial consequence or import."

ENGAGEMENTS WITH TWO COMPANIES 

This article is based on engagements with two large, publicly traded companies with which our firm has consulted. Each company had a Big 4 firm as its external auditor and also outsourced components of its internal audit function and/or controls design to a different Big 4 firm. In each case, we identified credible risk of sub-material fraud.

Here are several of the potential risk factors we found:

  • Most of the controls that relate to SOX section 404 (which requires companies to "publish information in their annual reports concerning the scope and adequacy of the internal control structure and procedures for financial reporting" as well as then "assess the effectiveness of such internal controls and procedures") had been designed to only prevent and detect material fraud.
     
  • External auditors were primarily concerned about material fraud in the context of SOX 404 and financial statement audits.
     
  • IT auditors did the segregation of duties (SOD) testing, but they were primarily focused on system controls.
     
  • While processes and testing of internal controls are thoroughly documented, would-be fraudsters found some new dark alleys in which to commit their crimes.
     
  • Most SOD testing failed to consider processes outside the system and ways in which actual theft can occur.
     
  • New Enterprise Resource Planning (ERP) systems were implemented within the last 10 years. (ERP is a way to integrate an organization's data and processes into a single system.) While ERP systems have been designed primarily to increase an organization's efficiency, they don't necessarily improve its internal controls.
     
  • Those who implement ERP systems normally know little about internal controls design.

1. Section 404 Controls are Designed to Prevent Material Misstatement
In many cases, a company's accounting firm, other than its external auditor, has developed its internal controls over financial reporting. These controls have been designed to prevent material misstatements in a company's financial statements. For example, a company with which we consulted allowed its AP clerks to enter both suppliers and AP invoices against those suppliers. As in the opening fictitious case, the primary mitigating control designed by a Big 4 firm for such access was a review of a final payment register and supporting documentation for all checks of more than $30,000, which left the company exposed to frauds less than that amount.
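The following is an added Python example, not code from the article, the author's firm or any audit firm: it runs the two checks this section implies over constructed accounts payable records. The $30,000 review threshold is the figure stated above; the record layouts, the 20% "near-threshold" band, the user names and the sample data are all assumptions made for the example. It flags invoices where one user both created the supplier and entered the invoice, invoices priced just under the review threshold, and the per-supplier total of sub-threshold payments that the review never sees.

```python
# Added example (not from the article): detection logic for AP activity that a
# review threshold designed around materiality would miss.  The $30,000 figure is
# the review threshold stated in the article; the record layouts, the 20% band and
# the sample data are assumptions constructed for this example.
from collections import defaultdict
from dataclasses import dataclass

REVIEW_THRESHOLD = 30_000.00  # checks above this get a documented review (from the article)
NEAR_BAND = 0.20              # assumption: look at amounts within 20% below the threshold


@dataclass(frozen=True)
class Supplier:
    supplier_id: str
    name: str
    created_by: str  # user who entered the supplier master record


@dataclass(frozen=True)
class Invoice:
    invoice_id: str
    supplier_id: str
    entered_by: str  # user who entered the AP invoice
    amount: float


# Constructed sample data: "ivan" both creates suppliers and enters invoices.
SUPPLIERS = [
    Supplier("S1", "Acme Supplies", created_by="ivan"),
    Supplier("S2", "Northwind Parts", created_by="maria"),
    Supplier("S3", "IH Consulting LLC", created_by="ivan"),
]
INVOICES = [
    Invoice("I1", "S2", entered_by="ivan", amount=45_000.00),  # over threshold: reviewed
    Invoice("I2", "S3", entered_by="ivan", amount=29_500.00),  # just under threshold
    Invoice("I3", "S3", entered_by="ivan", amount=28_900.00),  # just under threshold
    Invoice("I4", "S1", entered_by="ivan", amount=12_000.00),
    Invoice("I5", "S2", entered_by="li", amount=4_000.00),
]


def self_dealing_suppliers(suppliers, invoices):
    """Suppliers where one user both created the master record and entered invoices
    against it: the access combination the article's opening case describes."""
    created_by = {s.supplier_id: s.created_by for s in suppliers}
    hits = {inv.supplier_id for inv in invoices
            if created_by.get(inv.supplier_id) == inv.entered_by}
    return sorted(hits)


def near_threshold_invoices(invoices, threshold=REVIEW_THRESHOLD, band=NEAR_BAND):
    """Invoice ids whose amount sits in the band just below the review threshold."""
    floor = threshold * (1 - band)
    return [inv.invoice_id for inv in invoices if floor <= inv.amount < threshold]


def sub_threshold_exposure(invoices, threshold=REVIEW_THRESHOLD):
    """Per-supplier total of invoices that each escape review: individually
    sub-material, but the aggregate is what the company actually loses."""
    totals = defaultdict(float)
    for inv in invoices:
        if inv.amount < threshold:
            totals[inv.supplier_id] += inv.amount
    return dict(totals)


def findings(suppliers, invoices):
    """Combine the checks into one list of (invoice_id, reasons) for follow-up."""
    flagged = set(self_dealing_suppliers(suppliers, invoices))
    near = set(near_threshold_invoices(invoices))
    out = []
    for inv in invoices:
        reasons = []
        if inv.supplier_id in flagged:
            reasons.append("same user created the supplier and entered the invoice")
        if inv.invoice_id in near:
            reasons.append("amount just under the review threshold")
        if reasons:
            out.append((inv.invoice_id, reasons))
    return out


if __name__ == "__main__":
    for invoice_id, reasons in findings(SUPPLIERS, INVOICES):
        print(invoice_id, "; ".join(reasons))
    print("sub-threshold exposure by supplier:", sub_threshold_exposure(INVOICES))
```

Against the constructed data the register review would only ever see I1; the three findings it returns are exactly the invoices the article's control leaves unexamined, and the exposure total for S3 shows why "sub-material" per check is not sub-material in aggregate.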

2. External Auditors Focus on Material Fraud Risk
The need for SOX originated from frauds in public companies, which led to misstatements of financial statements and, in several cases, resulted in the collapse or bankruptcy of companies. External auditors will always focus on whether a company's financial statements are materially accurate, so management must design or redesign controls to catch sub-material fraud.

3. SOD Testing was Primarily Focused on System Controls
Many companies are relying on their auditors or risk-advisory firms (often other Big 4 firms) to provide a list of SOD conflicts to "pass" SOX audits. However, within the Big 4 firms, there seems to be little consensus on SOD best practices. I've reviewed and evaluated "conflict matrices" from the Big 4 firms, and I see a wide variety of approaches. (Conflict matrices are a common post-SOX practice.)

Prior to SOX, CFEs and other internal auditors designed controls for the prevention of fraud incorporating SOD. At many audit firms, companywide standard conflict matrices didn't even exist prior to SOX. With the adoption of AS5, my fear is that SOD controls have been de-emphasized or deleted altogether because of the reliance on entity-level controls or controls in the financial closing process.

The primary testing of controls is dedicated to prevention of material misstatements in a company's financial records. Many companies have yet to define controls or allocate testing resources that are not key controls. Furthermore, IT auditors, looking for conflicts within a system, often conduct much of the SOD testing. However, there are considerable risks in manual processes outside the system, especially below the materiality threshold, in which IT auditors have little training and experience.

Even if a company has a standardized public-domain SOD conflict matrix, its risk-assessment process is probably still maturing. It needs a deliberate and thorough process for evaluating general risk to properly assess specific SOD risk, which would include a complete understanding of the risks within the manual- and system-related processes for each conflict. Then, after it identifies the controls that help mitigate the risk(s), it also has to identify the residual risks.

An appropriate level of management needs to evaluate if the company is comfortable with these residual risks or wants to implement additional controls. This process takes people with various skills (department managers, business analysts, security) as well as senior management's support to properly perform the risk-assessment process.

4. Knowing the Dark Alleys
We could argue that SOX has left companies more exposed than ever to fraud because controls are so well defined. Prior to SOX, management of companies seldom tested internal controls; internal auditors handled that duty. Potential fraudsters seldom knew how and when that would happen. However, in today's culture, higher-risk employees (such as IT staff, business analysts, managers, and supervisors) often know this information beforehand. Therefore, they're much more aware of how to manipulate the system and commit fraud under the radar.

5. Looking at Processes Outside the System
You need to understand the ways in which a person could take assets from a company and conceal them before you can properly design a conflict matrix that can identify areas of high risk. This means you need to know:

  • Who has access to incoming cash and checks from customers?
     
  • Who has the ability to initiate a payment (Automated Clearing House, check, or wire)?
     
  • Who has the ability to redirect or steal inventory (processes that happen outside the system)? 

However, you must also be aware of ways in which misappropriations could be covered up. For example, if a collections agent could intercept a payment from a customer but didn't have the ability to conceal it, eventually the customer would discover where the check was cashed and uncover the theft. But what if the same collections agent could also request that a credit be issued or a balance be written off to coincide with the amount of the check? By doing so, the agent might have the ability to steal the cash and then conceal the theft, which would reduce the likelihood of the fraud being uncovered.

6. ERP Systems Don't Always Promote Internal Controls
Companies that wish to migrate from legacy (aka older and outdated) systems to ERP systems, such as SAP and Oracle, are often shocked at the complexity of the implementation. The companies that are also subject to SOX 404 requirements have to wrestle with changes in their business processes in addition to their controls and testing strategies. On top of that, ERP systems require companies to update their IT security procedures and change-management processes. This is why many companies implementing ERP systems for the first time rely heavily on their systems integrators to guide them.

7. Integrators Don't Know How to Design an ERP to Detect Fraud
Complicating matters further, few systems integrators have the necessary skills to help companies design and configure systems that will meet both the necessary operational and compliance objectives. As a result, I've often seen internal-control risks in process designs or system configurations because best practices for sub-material fraud detection and prevention are still developing.

Operational efficiency and effectiveness - not internal controls - have been the primary driver of most ERP system development specs thus far. In some cases, no one can tell what the driving factor is or was.

EVALUATING MATERIAL AND SUB-MATERIAL FRAUD RISKS VIA SINGLE-RISK ASSESSMENT 

Management faces the challenge of developing a comprehensive approach to evaluating and addressing both material and sub-material fraud risks in a single risk-assessment process. First, let's take a look at some examples of how some audit firms have addressed their identification of risks.

Example 1: Suppliers
Figure 1 represents several conflicts identified by one audit firm. They took a high-risk function, "Suppliers" (entry of new suppliers into the system) and paired it with several other functions. However, this doesn't really reflect the true risk. For example, how could a combination of Suppliers and Tax Certificates, Payment Terms, or Tax Groups lead to an "inappropriate payment"? Or how could a combination of Suppliers and Run MassCancel or Requisition Templates lead to "payments to fictitious vendors?"

Example 2: Banks
Figure 2 shows how one audit firm dealt with conflicts related to another high-risk single function: bank account entries. An employee who maintains bank accounts could change a supplier's bank account being paid via ACH. However, this employee doesn't need access to the Requisition Templates, Returns, or Update Accounting Entries function to commit fraud.

This particular audit firm didn't really take a risk-based approach to developing its conflict matrix. The risk noted for each of these conflicts is the same, and the second process (Requisition Templates, Returns, Update Accounting Entries) doesn't appear to add to the risk. In this case, the Banks function is a high-risk sensitive function on its own.

Example 3: Missing Processes
To illustrate the lack of focus on sub-material fraud risk, let me give you an example of what's often missing. A fraudster could hide the theft of incoming cash (or theft of a check) from a customer by having the ability to generate a credit memo. Figure 3 shows the analysis of several well-known audit firms of the only risks associated with an employee having the ability to enter credit memos. Not one of the firms mentions theft of cash.

Other missing processes of many conflict matrices include access to cash, ability to initiate a wire transfer or sign checks, and account reconciliations.

COMPONENTS OF A RISK-BASED 'CONFLICT' MATRIX

A comprehensive risk-assessment project starts by first identifying the risks inherent in the process. Obviously, your identification and development of mitigating controls might leave out critically needed controls if the starting population of your risks isn't accurate and comprehensive.

Assess your company's unique risks. Then, do the following:

  • Identify the mitigating key and non-key controls already in place.
     
  • Assess residual risk. Consider both the design effectiveness and operating effectiveness of the controls.
     
  • Determine your responses to residual risk. Your choices include changing access controls or the process, adding or changing related controls, or assuming the risk.

A conflict matrix built for a true risk analysis would take into account the following:

  • Sometimes all it takes to commit fraud is one high-risk function such as the ability to maintain suppliers, bank accounts, or remit-to addresses. Look for a matrix that has high-risk single functions identified with specific risks.
     
  • In some cases, high-risk single functions can conflict with "inquiry access." For example, if an employee with access to maintaining bank accounts knew when invoices for a particular supplier were coming due for payment, he or she would know when to change the bank account to redirect the funds to a fictitious account.
     
  • Employees commit fraud by stealing inventory, assets, or incoming or outgoing cash. A conflict matrix should identify conflicts such as "Access to Cash vs. Entry of Credit Memos" so that management or an internal auditor can look at the potential for theft and ways it could be concealed.
     
  • Consider risks outside the system when you're writing conflict descriptions and risks. For example, when you're looking at the entry of suppliers, take into account not just who has access to set up a new supplier in the system, but also the ways the company initiates and approves it. If the person performing the supplier-entry function is merely entering those suppliers who are approved or requested, then this becomes another point of risk you need to evaluate.
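To make the components above concrete, here is an added Python example (not code from the article, the author's firm or any audit firm's matrix) of a small risk-based conflict matrix evaluator. It treats high-risk single functions, inquiry-access pairs, theft-plus-concealment pairs and duties that live outside the system (cash access, check signing) as first-class entries, and reports each finding's status after the known mitigating controls and their design and operating effectiveness. All function names, risk ids, users, controls and effectiveness ratings are constructed assumptions; the $30,000 register review is the control described earlier in the article.

```python
# Added example (not from the article or any audit firm's matrix): a small
# risk-based SOD evaluator built on the components listed above.  Function names,
# risk ids, control entries and user assignments are constructed for this example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str


@dataclass(frozen=True)
class Control:
    name: str
    design_effective: bool
    operating_effective: bool


# One high-risk single function is enough; no second function is needed to commit the fraud.
SINGLE_HIGH_RISK = {
    "MAINTAIN_SUPPLIERS": Risk("SUP-SINGLE", "create a fictitious supplier and route payments to it"),
    "MAINTAIN_BANK_ACCOUNTS": Risk("BANK-SINGLE", "change a supplier's bank account to redirect ACH payments"),
    "MAINTAIN_REMIT_TO": Risk("REMIT-SINGLE", "redirect printed checks to an address the employee controls"),
}

# Pairs written as theft + concealment (or sensitive function + inquiry access),
# each with a specific risk rather than a generic "inappropriate payment".
PAIR_CONFLICTS = {
    frozenset({"MAINTAIN_SUPPLIERS", "ENTER_AP_INVOICES"}):
        Risk("SUP-INV", "enter invoices against a self-created supplier"),
    frozenset({"MAINTAIN_BANK_ACCOUNTS", "INQUIRE_INVOICES_DUE"}):
        Risk("BANK-INQ", "inquiry access shows when to switch the bank account ahead of a payment run"),
    frozenset({"ACCESS_TO_CASH", "ENTER_CREDIT_MEMOS"}):
        Risk("CASH-CM", "intercept a customer check and conceal it with a credit memo"),
    frozenset({"ACCESS_TO_CASH", "WRITE_OFF_BALANCES"}):
        Risk("CASH-WO", "intercept a customer check and conceal it with a write-off"),
}

# Duties that exist outside the ERP; a system-only role extract never shows them (constructed).
MANUAL_DUTIES = {"li": {"ACCESS_TO_CASH"}, "maria": {"SIGN_CHECKS"}}

# System access per user (constructed; in practice extracted from the ERP role tables).
SYSTEM_ACCESS = {
    "ivan": {"MAINTAIN_SUPPLIERS", "ENTER_AP_INVOICES"},
    "dana": {"MAINTAIN_BANK_ACCOUNTS", "INQUIRE_INVOICES_DUE"},
    "li": {"ENTER_CREDIT_MEMOS"},
    "maria": {"INQUIRE_INVOICES_DUE"},
}

# Mitigating controls keyed by risk id, rated for design and operating effectiveness.
CONTROLS = {
    # designed to catch material misstatement only, so not design-effective for this risk
    "SUP-INV": Control("payment register review for checks over $30,000", False, True),
    "BANK-SINGLE": Control("independent review of bank-account master changes", True, True),
}


@dataclass(frozen=True)
class Finding:
    user: str
    functions: tuple
    risk_id: str
    description: str
    status: str  # "mitigated", "residual" or "unmitigated"


def control_status(risk_id):
    """Residual risk remains unless a control exists and is effective on both counts."""
    control = CONTROLS.get(risk_id)
    if control is None:
        return "unmitigated"
    return "mitigated" if control.design_effective and control.operating_effective else "residual"


def effective_access(user, include_manual=True):
    """System functions plus, when requested, the user's duties outside the system."""
    access = set(SYSTEM_ACCESS.get(user, set()))
    if include_manual:
        access |= MANUAL_DUTIES.get(user, set())
    return access


def evaluate_user(user, include_manual=True):
    access = effective_access(user, include_manual)
    found = []
    for fn in sorted(access):  # single high-risk functions first
        if fn in SINGLE_HIGH_RISK:
            r = SINGLE_HIGH_RISK[fn]
            found.append(Finding(user, (fn,), r.risk_id, r.description, control_status(r.risk_id)))
    for pair, r in PAIR_CONFLICTS.items():  # then pair conflicts
        if pair <= access:
            found.append(Finding(user, tuple(sorted(pair)), r.risk_id, r.description,
                                 control_status(r.risk_id)))
    return found


def open_items(include_manual=True):
    """Findings management still has to decide on: accept the risk, or add/change a control."""
    return [(f.user, f.risk_id, f.status)
            for user in SYSTEM_ACCESS
            for f in evaluate_user(user, include_manual)
            if f.status != "mitigated"]


if __name__ == "__main__":
    for user, risk_id, status in open_items():
        print(f"{user}: {risk_id} [{status}]")
```

Running `evaluate_user("li", include_manual=False)` returns nothing, while the default call reports the cash-plus-credit-memo conflict: that difference is the gap a system-only SOD test leaves. The register review over $30,000 shows up as "residual" rather than "mitigated" because its design effectiveness against sub-threshold theft is rated false, which is the decision point the bullet on residual risk asks management to take.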

SUB-MATERIAL FRAUD IS REAL FRAUD 

The Sarbanes-Oxley Act and its Section 404 requirements have given auditors and company management new reasons and incentives to look at their anti-fraud programs. However, the approach taken to detect and prevent fraud has been heavily reliant on external audit firms whose primary focus has been the prevention of material fraud. This has left many companies with processes and controls subject to significant risks of sub-material fraud. I fear that the risk of sub-material fraud is either widely unknown, or is the elephant in the room that no one wants to acknowledge.

Jeffrey T. Hare, CPA, CISA, CIA, an industry analyst, author and consultant, is the founder and CEO of ERP Seminars in Platteville, Colo. 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.
