
Audit Committees Should Be Worried


The U.S. Securities and Exchange Commission and other regulatory agencies are hotly targeting audit committees and directors. Here are ways CFEs can help them fulfill their responsibilities and prevent fraud in their organizations.

On Feb. 28, the U.S. Securities and Exchange Commission (SEC) charged three ex-directors and audit committee members of DHB Industries for failure to appropriately address a growing fraud in their organization.

Last September, a federal jury convicted DHB Industries CEO David Brooks and Chief Operating Officer Sandra Hatfields for, among other things, multiple counts of securities fraud, insider trading and obstruction of justice. The federal government had accused them of "manipulating financial records to boost earnings and profit margins, and thus inflate DHB's stock price."

Now, the SEC is prosecuting the ex-directors because their lack of oversight allowed senior management to manipulate results and to funnel millions of dollars to DHB's founder and chief executive, David Brooks, to pay for luxury cars, costly vacations, art and prostitution services, according to a complaint filed in a Florida federal court. The SEC accused Jerome Krantz, Cary Chasin and Gary Nadelman of being "willfully blind to numerous red flags" of fraud, according to Robert Khuzami, director of the SEC's Division of Enforcement.

"This massive accounting fraud permeated throughout an entire company," said Eric Bustillo, director of the SEC regional office in Miami. "As the fraud swirled around them, Krantz, Chasin and Nadelman ignored the obvious."

This action is not the first time the SEC has held directors responsible for poor oversight. Just last year, the SEC accepted a settlement from InfoGroup Inc. audit committee chairperson Vasant Raval.

The SEC concluded that Raval had conducted an inadequate investigation into allegations of the CEO's improper related-party transactions. Raval accepted an injunction that included a $50,000 fine and a restriction against serving as a director or officer for five years.

The SEC has increased investigation and prosecution efforts directed at board members and audit committee members specifically. According to the SEC's 2010 Performance and Accountability Report, the agency brought 681 enforcement cases covering a broad spectrum of financial wrongdoing in its 2010 fiscal year. Those enforcement cases have resulted in $2.8 billion in penalties and disgorgement, with many of the financial wrongdoings falling under the general oversight of audit committee activities.

Unfortunately, as it stands, only half of all global organizations have formal board risk oversight of fraud deterrence, according to the 2010 report on enterprise risk management released by the Committee of Sponsoring Organizations of the Treadway Commission.

It's never been harder to be an audit committee member. Many qualified candidates are hesitating to serve on boards because they fear facing additional public scrutiny and legal exposure. In the past, audit committee members might have had a complacent, "don't rock the boat" mindset. However, shareholder activism and regulatory interventions are forcing directors to reexamine what it means to uphold the traditional legal requirements of "duty of care" and "duty of loyalty."

The number of responsibilities can seem overwhelming, but CFEs can help. Here are steps you can supply audit committee members and board directors to help them address their fiduciary responsibilities effectively and efficiently:

  1. Cultivate independence. 
  2. Exercise care in the composition and culture of the audit committee.  
  3. Know the business.  
  4. Leverage internal audit and outside assurance advisors.  
  5. Understand your stakeholders, especially regulators.  
  6. Direct the external audit.  
  7. Address risk proactively.  
  8. Spearhead fraud deterrence initiatives.  
  9. Expect the unexpected.  
  10. Promote accountability through audit committee evaluations.  

Cultivate Independence

Independence is arguably the most important single word for effective boards and audit committees because pre-existing personal relationships can threaten directors' abilities to exercise good judgment. Indeed, common threads running through the parade of financial frauds to hit corporate America this past decade were directors who were caught in dubious conflicts of interest. They fell short in their duties, failed to hold top executives accountable and sometimes passed along sensitive insider information. Frauds occurred and shareholders suffered. The SEC hotly pursues these cases.

A recent example involves the insider trading case of a former Goldman and P&G director, Rajat Gupta, who allegedly passed on non-public information about Berkshire Hathaway's $5 billion investment in Goldman Sachs to Raj Rajaratnam, founder of the Galleon Group, a New York City-based hedge fund management firm. (A federal jury convicted Rajaratnam in May on 14 counts of fraud and conspiracy.)

Gupta, a friend and business associate of Rajaratnam, "was honored with the highest trust of leading public companies, and he betrayed that trust by disclosing their most sensitive and valuable secrets," said Khuzami in an SEC statement. "Directors who violate the sanctity of boardroom confidences for private gain will be held to account for their illegal actions."

Regulators and stock exchanges have provided a slew of definitions of what it means to be independent to attempt to promote independence on audit committees, thus mitigating conflict-of-interest risks. However, director independence is a vastly deeper, wider and more complex topic than can be conveyed by the mapping of "interlocking directorships," which can include joint board appointments, reciprocal board appointments and consulting arrangements.

Personal connections formed through neighborhoods, schools, fraternities, social clubs, gyms, industry associations, former board members, political action committees, think tanks, charities, former work associations and common friends can be just as important as interlocking directorships.

A board must go beyond formal, legal definitions of independence on paper to understand and accept the spirit of unbiased actions in actual, everyday situations. Boards and audit committees must strive for a "zero tolerance" culture for all types of fraud, including the illegal passing of insider information.

Exercise Care in the Composition and Culture of the Audit Committee

Of course, an audit committee is only as good as its directors' perspectives, values and talents. The directors must interact collectively for the good of shareholders and complement each other's strengths and weaknesses so they can intelligently ask the company's officers the right questions.

All members should be financial experts or at least financially literate because of the heavy audit responsibilities. Companies should test prospective members for their knowledge of accounting and related internal controls, especially anti-fraud controls. Members must regularly study developing, complex U.S. Generally Accepted Accounting Principles, which now demand much more than just the simple ability to read and understand financial statements.

The members must be critical thinkers and have the complete freedom and gumption to ask difficult questions. A culture of transparency, diversity and accountability should rule.

A nominating committee, a subset of an entire board, selects members of an auditing committee. Some nominating committees are now developing structured wish lists to ensure that important and complementary competencies are represented on boards. Also, some organizations use search firms for finding unbiased board members.

Know the Business

Directors cannot learn the intricacies of an organization's business operations by just reading board packets (information provided by organizations before committee meetings) and listening to management briefings. Directors should:   

  • Be on the lookout for back-of-the office, complex transactions that are more form than substance. Case in point: The Enron fraud was built on transactions that posted paper gains while producing no real growth.  
  • "Walk the halls." Nothing beats taking an independent measure of the pulse of the organization's culture (for example, What is the state of management's tone at the top?). Talk to employees, read bulletin boards and spend some time in the company cafeteria.  
  • Look for management's opportunities to override controls or exercise undue influence over financial reporting, such as CEOs' and CFOs' access to cash and cash equivalents without board-level signatures for requests above a certain dollar amount. Also, a manager could circumvent segregation of duties by giving instructions to two separate, innocent staff persons, which would prevent both from understanding his or her actions. However, their unwitting participation allows the manager to steal and conceal.  

Leverage Internal Audit and Outside Resources

Audit committee members need to rely on independent sources to be their eyes and ears and tell it like it is — not how management wants it told. Many organizations have internal audit functions that provide directors with independent, reliable streams of information. Other organizations might engage outside assurance resources, such as CFEs, CPAs and other consultants, because certain oversight duties can be tricky, if not impossible, for anyone within organizations to candidly assess. These duties can include evaluating fraud risk management systems and assessing entity-level controls, such as board and management competence, corporate culture and organizational structures, among others.

However, regardless of internal audit staffing, the audit committee — not management — must authorize the internal audit's budget, approve the audit plan and evaluate the chief audit executive's (CAE) performance. Committee members must ensure reporting lines for internal auditors remain independent of the CEO and CFO by requesting meetings with internal audit in which management is not present and by approving internal auditors' plans and providing their performance evaluations.

Audit committee members should encourage the "perception of detection" by supporting surprise audits. The ACFE's "2010 Report to the Nations on Fraud and Abuse" indicates that organizations use surprise audits only 28 percent of the time, yet they reduce fraud losses by more than 50 percent. Quick surprise audits are great because they can be relatively effective even with small sample sizes and can provide the threat of detection that can deter fraud.

Understand Your Stakeholders, Especially Regulators

Key stakeholders, such as customers, communities, creditors, suppliers and regulators, must understand and support your company. If they do not, your company is in trouble because your shareholders will not see as much long-term value in your organization. Stakeholders like transparency and accountability. Creditors and investors have more faith in organizations that are open and reputable.

Audit committee members must know the latest laws, regulations and other applicable compliance criteria. The U.S. Sarbanes-Oxley Act mandates audit committees and gives composition requirements. In addition, there are corporate governance provisions included in the U.S. Federal Sentencing Guidelines, Foreign Corrupt Practices Act and USA PATRIOT Act that place requirements on audit committee members.

Direct the External Audit

One of the most fundamental responsibilities of audit committees is overseeing the external audit relationship from hiring to possible termination. These actions will help ensure a healthy relationship, both for your organization and its auditor:

Understand the Expectation Gap

Be aware of what external audits do and do not do. More frauds are detected through tips, management reviews, internal auditors and even by accident, than by external auditors, according to survey results from the "2010 Report to the Nations."

Ensure Auditor Independence

Auditors possess tremendous insights into organizations' vulnerabilities, but they might shade the truth, while complying with professional standards, to retain clients. (Auditors might not regard possible suspicious situations as material, and therefore they might not report them as anomalies.) Let your auditors know that you demand the unvarnished truth.

Discuss Risks with the Auditors

External auditors might provide valuable insights into organizational risks but often only if you ask. (Some CPA firms try to stay close to just required communications per their standards to limit potential liability down the road.) Be on the lookout for misstatements related to revenue recognition, estimates, related party transactions, contingencies and derivatives.

Do Not Forget About Disclosures Outside the Financial Statements

Restatements pertain strictly to an organization's financial statements, but most entities are subject to additional regulatory disclosures. These can range from tax returns to satisfying debt covenants to regulatory reporting, such as proxy statements, annual reports and real-time reports as required by the SEC. A public company's management's discussion and analysis disclosures are especially important. Confirm the auditor's responsibilities for these disclosures, and procure independent assurance activities for important disclosures not covered by the external audit process.

Address Risk Proactively

The audit committee plays a vital role in identifying risks and providing oversight on how officers manage those risks. Ideally, these activities are incorporated in the company's enterprise risk management (ERM) system. Coordinating this effort with other risk objectives — such as strategic, operational and compliance — is essential in helping to ensure an efficient and effective company-wide risk response. The audit committee, as well as the entire board (and not management), must approve the level of risk they can stomach.

As part of the ERM process, organizations must understand and address the risks from both internal and external sources. A robust risk management program, which includes a strong fraud risk management component, will ensure that the organization proactively identifies and addresses vulnerabilities. An ERM process follows along similar lines as a fraud risk management process:

  • Catalogue and evaluate all risks that could compromise organizational objectives. Good places to start: complaints by customers or vendors and information from fraud surveys, such as the "Report to the Nations." Be sure to consider the qualitative aspects of risk, including the significance of the risk to the organization's operations, brand value and reputation as well as criminal, civil and regulatory liabilities.
  • Consider the mitigating controls and determine risk responses. An organization might choose to accept, share, mitigate or avoid risk. Mitigating controls might bring fraud risks within agreed-upon risk thresholds. If not, an organization is likely to avoid the risk or at the very least seek to share the risk with a third party through insurance or joint-venture partnering.  
  • Evaluate the ERM process. The fraud risk assessment process is not a one-time event because new risks continuously emerge. Reevaluate the process periodically throughout the year to be sure that business reorganizations, downsizing, economic events, political upheaval and regulatory or environmental issues do not create a significant risk that the organization has not adequately addressed.

Spearhead Fraud Deterrence Initiatives

Headline fraud cases are forcing many shareholders to shoulder enormous losses, so fraud deterrence now has become one of the primary jobs of audit committee members.

The ACFE has amassed large amounts of data on the effectiveness of various fraud deterrence tools, and it has found that many of the least-expensive fraud deterrence tools are the most effective. Be sure your organization is taking advantage of some of these most effective fraud deterrence tools:

Whistleblower Hotlines

According to the "Report to the Nations," 40 percent of frauds are discovered through anonymous tips, with 67 percent of those tips received through hotlines for organizations that offer them. This indicates that whistleblower hotlines are the most effective fraud detection tools available. (See "Hotline for Heroes.") Successful hotlines include provisions for anonymity and strong anti-retaliation policies.

Employee Support Programs

According to Cressey's fraud triangle, three elements must be present for an ordinary person to commit fraud: opportunity, rationalization and financial pressure. Employee support programs are so effective because they provide employees with psychiatric and credit counseling at a time when they are most needed — before they commit fraud. Also, these programs help redirect employees' efforts to more productive solutions to their problems.

Codes of Ethics and Ethics Training

Codes of ethics and routine ethics training sessions reduce median fraud losses by more than $100,000 per incident, according to the "Report to the Nations." They serve critical roles in helping investigate frauds and discipline fraudsters. In addition, employers can eliminate employees' "stupidity defenses" when they require them to attend ethics training.

These fraud deterrence tools work in tandem with such internal-audit efforts as data-assisted continuous monitoring and surprise audits to help audit committee members and board directors address the ever-expanding scope of director responsibilities.

Expect the Unexpected

Of course, it is impossible to anticipate every possible emergency that could trigger an audit committee response. Here are several scenarios that should always be on your radar screen: 

  • Emergency succession planning of officers: Does the company have contingency plans to quickly fill the vacancies of key officers in case of emergency situations? This is especially important for the CFO, the CAE, the chief risk officer and other positions that might report directly to the audit committee.  
  • Investigative responses to high-level fraud: Does the company have resources to successfully investigate allegations of fraud?  
  • Backup external audit firm: Does your organization have contacts with other CPA firms if your external auditor suddenly resigns?  
  • Disaster contingency plans: Has the audit committee worked with the full board on backup and recovery plans if a natural or physical disaster occurs?  
  • Crisis media plans: Does the company have a comprehensive crisis media plan to inform shareholders, stakeholders and the press of sensitive material developments?  

Promote Accountability Through Audit Committee Evaluations

Organizations are scrutinizing their management more but often are still neglecting to hold their audit committee members' feet to the fire. Be sure to evaluate your audit committee via a well-defined, periodic performance protocol. Though the precise tool might differ with each organization, all boards should agree on the methodology of the evaluations, including the who, what, when, why and how to ensure objectivity and uniformity.

Call to Action

Recent and proposed audit standards and the SEC's increased enforcement of laws on the books show a serious focus on boardroom accountability and fraud detection.

Good governance of audit committees requires systematic approaches that organizations must continuously update and monitor to address emergent threats. You can be sure that the scrutiny over the execution of director and audit committee duties will continue to increase in direct proportion to the level of the public's distrust over financial reporting. CFEs can work with audit committees to install numerous measures that can protect the organization's directors and reputation, stakeholder interests and, most importantly, shareholders.

Sheila Keefe, CFE, CPA, is principal at BD Advisors LLC, in Lake Geneva, Wisc. She is an ACFE faculty member. 

Ron Kral, CPA, CMA, is managing partner of Candela Solutions LLC, a CPA firm with a national focus on governance, risk and compliance (www.CandelaSolutions.com). 

The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.Fraud-Magazine.com or ACFE.com. Permission of the publisher is required before an article can be copied or reproduced.  
