
“Both SAS no. 99 and the document are important first steps toward regaining public trust in the integrity of U.S. corporations,” says Dennis Chookaszian, CPA, former chairman and CEO of CNA Insurance and a member of both the antifraud detection subgroup and the panel on audit effectiveness which provided the foundation for the SAS. “The standard, which is the cornerstone of the AICPA’s new antifraud and corporate responsibility program, does a good job of telling CPAs what they should be doing during an audit. But what about management’s role? Just as the auditor should be on heightened alert, so too should corporate executives.”
FRAUD COSTING U.S. COMPANIES BILLIONS
The document, sponsored by seven professional associations including the AICPA, spells out specific recommendations to help boards of directors, audit committees, management and others prevent and root out fraud of all kinds—from unproductive behavior and employee theft to misappropriation of assets and fraudulent financial reporting. “Fraud is a significant problem for U.S. companies,” says Joseph T. Wells, chairman of the Association of Certified Fraud Examiners (ACFE) and a member of the antifraud detection subgroup. Indeed, according to the ACFE’s 2002 Report to the Nation: Occupational Fraud and Abuse, an estimated $600 billion, or about $4,500 per employee, was lost last year as a result of on-the-job fraud and abuse. Although financial statement fraud was the most costly, with a median loss of $4.25 million per occurrence, about 95% of all occupational fraud incidents actually involved asset misappropriation and corruption.
It is only those organizations that seriously consider fraud risks and take proactive steps to create the right kind of climate to reduce its occurrence that have success in preventing fraud.
—Management Antifraud Programs and Controls:
“The exhibit was designed to help create a corporate environment that will deter and detect both kinds of illegal activities—financial statement fraud and traditional employee embezzlement and theft,” says Wells. “The same ethical corporate culture, processes and controls, and oversight that help corporations prevent financial statement fraud also protect against asset misappropriation and corruption.”
Wells points out that small businesses may find the exhibit especially useful since fraud is a particularly severe problem for them. “Surprisingly, a single instance of fraud is likely to be more costly to a small business than to a large one,” he says. The average scheme in a small business, the ACFE report noted, caused $127,500 in losses, compared to $97,000 at the largest companies.
CORE VALUES
The document identifies the measures an organization should take to prevent, deter and detect fraud. It maintains companies should establish three fundamental practices:
A culture of honesty and high ethics.
Antifraud processes and controls.
An appropriate oversight process.
Implementing all or even some of these measures not only helps companies protect themselves and their employees against fraudulent acts but also potentially saves revenue, enhances market value, averts civil lawsuits and maintains a positive company image.
Research suggests the most effective way to implement measures to reduce wrongdoing is to base them on a set of core values…. This provides a platform upon which a more detailed code of conduct can be constructed, giving more specific guidance about permitted and prohibited behavior, based on applicable laws and the organization’s values. Management needs to clearly articulate that all employees will be held accountable to act within the organization’s code of conduct.
—Management Antifraud Programs and Controls:
A culture of honesty and high ethics. The document emphasizes that the most important way for management to prevent fraud is to communicate effectively, by both statement and deed, that it will not tolerate it. This may seem self-evident, but setting a “tone at the top” goes a long way toward preventing fraud throughout an organization.
Because most employees are not in a position to observe the actions of company leaders, management must make sure the value system is shared with all personnel. The best way to do this is through a code of conduct. Such a code typically discusses ethics, confidentiality, conflicts of interest, intellectual property, sexual harassment and fraud. But management must back up this code by creating a work culture that rewards ethical actions and does not tolerate dishonest behavior even if it benefits the organization financially. Only then will employees know the code of conduct is more than just words on a piece of paper.
Setting unachievable goals for employees can give them two unattractive choices: fail or cheat. In contrast, a statement from management that says, “We are aggressive in pursuing our targets, while requiring truthful financial reporting at all times,” clearly indicates to employees that integrity is a requirement. This message also conveys that the entity has “zero tolerance” for unethical behavior, including fraudulent financial reporting.
—Management Antifraud Programs and Controls:
The exhibit also points out that wrongdoing occurs less frequently when employees have positive feelings about their workplace than when they feel abused, threatened or ignored. Poor morale can affect employee attitudes about committing fraud while a culture that empowers employees to participate in creating a positive work environment can build respect for the company’s code of conduct. To encourage employees to practice oversight, organizations should implement a process for them to report in confidence any actual or suspected violation through a telephone hot line monitored by an ethics or fraud officer, the general counsel or another trusted individual.
Antifraud processes and controls. Neither fraudulent financial reporting nor misappropriation of assets can occur without a perceived opportunity to commit and conceal the act. The document offers ways an organization can identify and measure the risk of fraud as well as the steps it can take to mitigate those risks and implement preventive internal controls.
Employees should be given the means to obtain advice internally before making decisions that appear to have significant legal or ethical implications. They should also be encouraged and given the means to communicate concerns, anonymously if preferred, about potential violations of the entity’s code of conduct without fear of retribution. … For example, some organizations use a telephone “hotline” that is directed to or monitored by an ethics officer… or another trusted individual responsible for investigating and reporting incidents of fraud or illegal acts.
—Management Antifraud Programs and Controls:
It may be possible, for example, to reduce or eliminate the risk of misappropriation of funds by implementing a central lockbox at a bank to receive payments instead of receiving them at the entity’s various locations. A company can avert financial statement fraud by establishing shared services centers to provide accounting services to multiple segments, affiliates or geographic locations. Effective measures vary among organizations, but the exhibit identifies specific deterrents any company can employ.
While all organizations are subject to risk, their internal controls should set up an effective and secure environment. And because fraud can occur when management overrides internal controls, the company’s value system and culture should support employees in declining to participate in a fraud and provide a means for reporting any wrongdoing.
Active oversight by the audit committee can help to reinforce management’s commitment to creating a culture with “zero tolerance” for fraud. …The audit committee’s evaluation and oversight not only helps make sure that senior management fulfills its responsibility, but also can serve as a deterrent to senior management’s engaging in fraudulent activity….
—Management Antifraud Programs and Controls:
Appropriate oversight process. Management is responsible for overseeing the activities carried out by employees and for implementing and monitoring antifraud processes and controls. But sometimes senior executives themselves may initiate or participate in the commission or concealment of a fraudulent act. For that reason, an audit committee (or board of directors where no audit committee exists) must supervise the activities of senior management.
If senior management is involved in fraud, the next layer of management may be the most likely to be aware of it. As a result, the audit committee (and other directors) should consider establishing an open line of communication with members of management one or two levels below senior management to assist in identifying fraud at the highest levels of the organization….
—Management Antifraud Programs and Controls:
The exhibit makes clear that corporate management, boards of directors and audit committees should share with the outside auditor the duty of detecting and deterring fraud. While management designs and implements antifraud systems and procedures, strong oversight by the audit committee and/or board of directors is absolutely crucial. These bodies should continually evaluate management’s identification of fraud risks, implementation of antifraud measures and maintenance of the appropriate “tone at the top.” Active oversight reinforces management’s commitment to creating a culture with zero fraud tolerance.
MORE THAN DOLLARS AND CENTS
When a company puts in place the antifraud procedures outlined in the exhibit, it does much more than protect itself from the tremendous monetary damage fraud can cause. It also safeguards its reputation, its ability to achieve its strategic objectives and, certainly, its value.
Some risks are inherent in the environment of the entity, but most can be addressed with an appropriate system of internal control. Once fraud risk assessment has taken place, the entity can identify the processes, controls and other procedures that are needed to mitigate the identified risks…. In particular, management should evaluate whether appropriate internal controls have been implemented in any area management has identified as posing a higher risk of fraudulent activity, as well as controls over the entity’s financial reporting process.
—Management Antifraud Programs and Controls:
Perhaps most important, the exhibit also helps a company create the corporate governance and management oversight the public is demanding of organizations of all sizes, private or public. “With these best practices in place,” Chookaszian says, “a company enhances its reputation among its various stakeholders, who can be confident it has made a serious investment in fraud detection and prevention.”
Note: The exhibit was issued jointly by—in addition to the AICPA—the Association of Certified Fraud Examiners, Financial Executives International, Information Systems Audit and Control Association, the Institute of Internal Auditors, Institute of Management Accountants and Society for Human Resource Management. Other organizations that reviewed the document and offered advice included the American Accounting Association, Defense Industry Initiative and National Association of Corporate Directors.
Arleen R. Thomas, CPA, is vice-president of professional standards and services at the American Institute of CPAs. Her e-mail address is athomas@aicpa.org. Kim M. Gibson, CPA, is a technical manager on the audit and attest standards team at the AICPA. Her e-mail address is kgibson@aicpa.org. Their views, as expressed in this article, do not necessarily reflect the views of the Institute. Official positions are determined through certain specific committee procedures, due process and deliberation.
For Further Information
Management Antifraud Programs and Controls: Guidance to Help Prevent, Deter, and Detect Fraud can be downloaded from http://antifraud.aicpa.org/Resources/Auditors/Understanding+Programs+and+Controls/
More information on fraud and on implementing antifraud programs and controls can be found at the following Web sites:
American Institute of Certified Public Accountants http://antifraud.aicpa.org/
Association of Certified Fraud Examiners www.cfenet.com
Financial Executives International www.fei.org
Information Systems Audit and Control Association www.isaca.org
The Institute of Internal Auditors www.theiia.org
Institute of Management Accountants www.imanet.org
National Association of Corporate Directors www.nacdonline.org
Society for Human Resource Management www.shrm.org