Management Is Responsible, Too

Practical advice to help corporations prevent, detect and deter fraud.

The audit standard issued by the AICPA auditing standards board (ASB) in October 2002—SAS no. 99, Consideration of Fraud in a Financial Statement Audit—does something no audit standard has ever done. It contains a document titled Management Antifraud Programs and Controls: Guidance to Help Prevent, Deter, and Detect Fraud, which challenges corporate management to be equal partners with auditors in creating an environment that neither condones, nor is conducive to, the existence of illegal activities.
“Both SAS no. 99 and the document are important first steps toward regaining public trust in the integrity of U.S. corporations,” says Dennis Chookaszian, CPA, former chairman and CEO of CNA Insurance and a member of both the antifraud detection subgroup and the panel on audit effectiveness which provided the foundation for the SAS. “The standard, which is the cornerstone of the AICPA’s new antifraud and corporate responsibility program, does a good job of telling CPAs what they should be doing during an audit. But what about management’s role? Just as the auditor should be on heightened alert, so too should corporate executives.”

Preventable Losses

Financial statement fraud costs businesses an average of $4.25 million per incident.

Source: 2002 Report to the Nation: Occupational Fraud and Abuse, Association of Certified Fraud Examiners.

The document, sponsored by seven professional associations including the AICPA, spells out specific recommendations to help boards of directors, audit committees, management and others prevent and root out fraud of all kinds—from unproductive behavior and employee theft to misappropriation of assets and fraudulent financial reporting. “Fraud is a significant problem for U.S. companies,” says Joseph T. Wells, chairman of the Association of Certified Fraud Examiners (ACFE) and a member of the antifraud detection subgroup. Indeed, according to the ACFE’s 2002 Report to the Nation: Occupational Fraud and Abuse, an estimated $600 billion, or about $4,500 per employee, was lost last year as a result of on-the-job fraud and abuse. Although financial statement fraud was the most costly, with a median loss of $4.25 million per occurrence, about 95% of all occupational fraud incidents actually involved asset misappropriation and corruption.

It is only those organizations that seriously consider fraud risks and take proactive steps to create the right kind of climate to reduce its occurrence that have success in preventing fraud.

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

“The exhibit was designed to help create a corporate environment that will deter and detect both kinds of illegal activities—financial statement fraud and traditional employee embezzlement and theft,” says Wells. “The same ethical corporate culture, processes and controls, and oversight that help corporations prevent financial statement fraud also protect against asset misappropriation and corruption.”

Wells points out that small businesses may find the exhibit especially useful since fraud is a particularly severe problem for them. “Surprisingly, a single instance of fraud is likely to be more costly to a small business than to a large one,” he says. The average scheme in a small business, the ACFE report noted, caused $127,500 in losses, compared to $97,000 at the largest companies.

The document identifies the measures an organization should take to prevent, deter and detect fraud. It maintains companies should establish three fundamental practices:

A culture of honesty and high ethics.
Antifraud processes and controls.
An appropriate oversight process.

Implementing all or even some of these measures not only helps companies protect themselves and their employees against fraudulent acts but also potentially saves revenue, enhances market value, averts civil lawsuits and maintains a positive company image.

Research suggests the most effective way to implement measures to reduce wrongdoing is to base them on a set of core values…. This provides a platform upon which a more detailed code of conduct can be constructed, giving more specific guidance about permitted and prohibited behavior, based on applicable laws and the organization’s values. Management needs to clearly articulate that all employees will be held accountable to act within the organization’s code of conduct.

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

A culture of honesty and high ethics. The document emphasizes that the most important way for management to prevent fraud is to communicate effectively, by both statement and deed, that it will not tolerate it. This may seem self-evident, but setting a “tone at the top” goes a long way toward preventing fraud throughout an organization.

Because most employees are not in a position to observe the actions of company leaders, management must make sure the value system is shared with all personnel. The best way to do this is through a code of conduct. Such a code typically discusses ethics, confidentiality, conflicts of interest, intellectual property, sexual harassment and fraud. But management must back up this code by creating a work culture that rewards ethical actions and does not tolerate dishonest behavior even if it benefits the organization financially. Only then will employees know the code of conduct is more than just words on a piece of paper.

Setting unachievable goals for employees can give them two unattractive choices: fail or cheat. In contrast, a statement from management that says, “We are aggressive in pursuing our targets, while requiring truthful financial reporting at all times,” clearly indicates to employees that integrity is a requirement. This message also conveys that the entity has “zero tolerance” for unethical behavior, including fraudulent financial reporting.

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

The exhibit also points out that wrongdoing occurs less frequently when employees have positive feelings about their workplace than when they feel abused, threatened or ignored. Poor morale can affect employee attitudes about committing fraud while a culture that empowers employees to participate in creating a positive work environment can build respect for the company’s code of conduct. To encourage employees to practice oversight, organizations should implement a process for them to report in confidence any actual or suspected violation through a telephone hot line monitored by an ethics or fraud officer, the general counsel or another trusted individual.

Antifraud processes and controls. Neither fraudulent financial reporting nor misappropriation of assets can occur without a perceived opportunity to commit and conceal the act. The document offers ways an organization can identify and measure the risk of fraud as well as the steps it can take to mitigate those risks and implement preventive internal controls.

Employees should be given the means to obtain advice internally before making decisions that appear to have significant legal or ethical implications. They should also be encouraged and given the means to communicate concerns, anonymously if preferred, about potential violations of the entity’s code of conduct without fear of retribution. … For example, some organizations use a telephone “hotline” that is directed to or monitored by an ethics officer… or another trusted individual responsible for investigating and reporting incidents of fraud or illegal acts.

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

It may be possible, for example, to reduce or eliminate the risk of misappropriation of funds by implementing a central lockbox at a bank to receive payments instead of receiving them at the entity’s various locations. A company can avert financial statement fraud by establishing shared services centers to provide accounting services to multiple segments, affiliates or geographic locations. Effective measures vary among organizations, but the exhibit identifies specific deterrents any company can employ.

While all organizations are subject to risk, their internal controls should set up an effective and secure environment. And because fraud can occur when management overrides internal controls, the company’s value system and culture should support employees in declining to participate in a fraud and provide a means for reporting any wrongdoing.

Active oversight by the audit committee can help to reinforce management’s commitment to creating a culture with “zero tolerance” for fraud. …The audit committee’s evaluation and oversight not only helps make sure that senior management fulfills its responsibility, but also can serve as a deterrent to senior management’s engaging in fraudulent activity….

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

Appropriate oversight process. Management is responsible for overseeing the activities carried out by employees and for implementing and monitoring antifraud processes and controls. But sometimes senior executives themselves may initiate or participate in the commission or concealment of a fraudulent act. For that reason, an audit committee (or board of directors where no audit committee exists) must supervise the activities of senior management.

If senior management is involved in fraud, the next layer of management may be the most likely to be aware of it. As a result, the audit committee (and other directors) should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels of the organization….

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

The exhibit makes clear that corporate management, boards of directors and audit committees should share with the outside auditor the duty of detecting and deterring fraud. While management designs and implements antifraud systems and procedures, strong oversight by the audit committee and/or board of directors is absolutely crucial. These bodies should continually evaluate management’s identification of fraud risks, implementation of antifraud measures and maintenance of the appropriate “tone at the top.” Active oversight reinforces management’s commitment to creating a culture with zero fraud tolerance.

When a company puts in place the antifraud procedures outlined in the exhibit, it does much more than protect itself from the tremendous monetary damage fraud can cause. It also safeguards its reputation, its ability to achieve its strategic objectives and, certainly, its value.

Some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls and other procedures that are needed to mitigate the identified risks…. In particular, management should evaluate whether appropriate internal controls have been implemented in any area management has identified as posing a higher risk of fraudulent activity, as well as controls over the entity’s financial reporting process.

—Management Antifraud Programs and Controls:
Guidance to Help Prevent, Deter, and Detect Fraud

Perhaps most important, the exhibit also helps a company create the corporate governance and management oversight the public is demanding of organizations of all sizes, private or public. “With these best practices in place,” Chookaszian says, “a company enhances its reputation among its various stakeholders, who can be confident it has made a serious investment in fraud detection and prevention.”

Note: The exhibit was issued jointly by—in addition to the AICPA—the Association of Certified Fraud Examiners, Financial Executives International, Information Systems Audit and Control Association, the Institute of Internal Auditors, Institute of Management Accountants and Society for Human Resource Management. Other organizations that reviewed the document and offered advice included the American Accounting Association, Defense Industry Initiative and National Association of Corporate Directors.

Arleen R. Thomas, CPA, is vice-president of professional standards and services at the American Institute of CPAs. Her e-mail address is athomas@aicpa.org. Kim M. Gibson, CPA, is a technical manager on the audit and attest standards team at the AICPA. Her e-mail address is . Their views, as expressed in this article, do not necessarily reflect the views of the Institute. Official positions are determined through certain specific committee procedures, due process and deliberation.

For Further Information

Management Antifraud Programs and Controls: Guidance to Help Prevent, Deter, and Detect Fraud can be downloaded from

More information on fraud and on implementing antifraud programs and controls can be found at the following Web sites:

American Institute of Certified Public Accountants

Association of Certified Fraud Examiners

Financial Executives International

Information Systems Audit and Control Association

The Institute of Internal Auditors

Institute of Management Accountants

National Association of Corporate Directors

Society for Human Resource Management

