Establishing accountability for your anti-fraud efforts
Take the lead and actively demonstrate methods of preventing fraud in your company.
Some companies have far lower levels of misappropriation of assets and fraudulent financial reporting than others. Why? Because they aggressively take steps to prevent and detect fraud, end of story.
At these exemplary companies, management takes seriously its ethical responsibilities for designing and implementing systems, procedures, and controls to catch fraud and – along with the board of directors – for promoting a culture and corporate environment that demands honesty and ethical behaviour.
How does your company stack up? Well, run through this checklist:
does your organisation have a strong fraud oversight process at both the board and management levels?
does your organisation have robust and effective anti-fraud policies, procedures and controls?
does management regularly evaluate fraud risks and anti-fraud controls?
have the risks of management override and conflicts of interest been independently reviewed within the last 12 to 18 months?
would you say your workforce has a strong ethical culture?
does your company have a corporate policy that encourages whistleblowers to come forward? And do those would-be whistleblowers actually believe it?
If you answered ‘yes’ to all of the above questions, great. You’re well on your way to a strong anti-fraud effort. Now answer three more questions that will help you get ahead of the crowd:
what are the board’s and management’s roles regarding fraud?
what should the internal audit team’s role be regarding fraud?
how can the organisation best help the external auditor meet its responsibilities for evaluating fraud risks?
To answer that last question properly, you need clear answers to the two questions immediately preceding it.
Specifically: The board is responsible for defining and approving the organisation’s overall strategic direction and system of internal control, as well as for setting the tone at the top (overall corporate governance). Management operates the business within the guidelines set by the board, periodically reporting on performance and progress toward key strategies and objectives. Management also monitors operations. That includes regular assessments of the effectiveness of the overall system of internal control against the requirements set by the board, as well as the company’s own ethical values and beliefs.
As mentioned earlier, the board is accountable for ensuring an effective system of internal control is established to fight fraud; management is responsible for how that system is designed and enforced to fight fraud. Once you have that clear – and actually done – the internal audit department can contribute to those anti-fraud efforts.
Internal audit’s job: helping fraud prevention efforts
Today there is the belief that auditors are looking for – as well as investigating and stopping – frauds. After all, aren’t auditors the last line of defence in identifying crooked management?
Well, no. The truth is that nobody can catch all fraud, and the internal audit department should address the misperception that this is internal auditing’s purpose. Everyone in the company has a role in fraud prevention and detection, and the primary responsibility lies with all members of management (and by that, I mean managers at every level of the company).
An effective internal audit function improves the company’s ethical culture and control environment, both overtly through its audit work and in a more general sense by promoting good practices. Internal audits of anti-fraud activities provide valuable feedback to management and the board on where they can improve overall performance, which contributes in the long term to more effective fraud risk management efforts. It can also be a deterrent when employees know that the internal audit department employs persons with fraud detection knowledge, skills, and tools.
Internal audit should design and plan audits specifically to detect fraud, which directly strengthens the organisation’s internal control system. The internal audit plan should be driven by an audit risk assessment (that is, the risk that an audit might miss something); likewise, efforts against fraud should be driven by a fraud risk assessment, because the greater the organisation’s exposure to fraud, the more antifraud audit effort must be allocated. And you must conduct fraud risk assessments thoughtfully, since it helps nobody to have your workforce believing the internal audit team distrusts everybody.
Audit work should include evaluating the organisation’s efforts in fraud prevention, fraud detection, and fraud investigation. If ‘detective’ procedures are not in place, frauds that are discovered will require more investigative effort and result in greater loss. Over the long term, fraud prevention and deterrence efforts have the most impact on reducing fraud, so this should be a top management priority and be regularly evaluated by internal audit.
Always remember that auditing provides only a reasonable level of assurance; auditors cannot, and will not, provide an insurance policy against every possible fraud. But because of their objectivity and integrity, internal auditors are able to reinforce an organisation’s anti-fraud effort by investigating reports of possible fraudulent behaviour. In fact, more and more corporate internal audit departments include trained forensic accountants.
There are numerous fraud audit techniques today, and more should be incorporated into audit departments. Some simple examples of forensic exercises include: correlating employee names, addresses and other contact details against the supplier database to help identify suspect transactions; examining expenses claims closely; following up religiously on seemingly insignificant discrepancies in control totals; using data mining and computer audit techniques in general to craft and answer cunning questions; and always being aware of the possibility of collusion, deception, and fraud.
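The first exercise above (correlating employee contact details against the supplier database) can be sketched as follows. This is an added example, not code from the original article; the record fields, the normalisation rules and all sample data are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not real data); field names are assumptions.
EMPLOYEES = [
    {"id": "E100", "address": "12 High Street, Flat 3, Leeds LS1 4AB",
     "phone": "+44 1632 960123", "bank": "GB00-TEST-0000-1111"},
    {"id": "E101", "address": "7 Mill Rd, York YO1 9ZZ",
     "phone": "01632 960 010", "bank": "GB00-TEST-0000-2222"},
]
SUPPLIERS = [
    {"id": "S900", "address": "12 high st. flat 3 leeds ls14ab",
     "phone": "01632 960123", "bank": "gb00 test 0000 1111"},
    {"id": "S901", "address": "1 Dock Road, Hull HU1 1AA",
     "phone": "01632 960020", "bank": "GB00-TEST-0000-3333"},
    {"id": "S902", "address": "88 Other Lane, York YO2 2BB",
     "phone": "(01632) 960010", "bank": "GB00-TEST-0000-4444"},
]
ABBREV = {"street": "st", "road": "rd", "avenue": "ave", "apartment": "apt"}

def norm_address(s):
    # Lower-case, drop punctuation and spacing, fold common abbreviations.
    words = re.sub(r"[^a-z0-9 ]", " ", s.lower()).split()
    return "".join(ABBREV.get(w, w) for w in words)

def norm_phone(s):
    # Heuristic: compare trailing 9 digits so +44 and leading-0 forms agree.
    return re.sub(r"\D", "", s)[-9:]

def norm_bank(s):
    return re.sub(r"[^A-Z0-9]", "", s.upper())

NORMALISERS = {"address": norm_address, "phone": norm_phone, "bank": norm_bank}

def employee_supplier_overlaps(employees, suppliers):
    # Index suppliers by (field, normalised value), then probe with employees.
    index = defaultdict(list)
    for sup in suppliers:
        for field, norm in NORMALISERS.items():
            key = norm(sup.get(field, ""))
            if key:
                index[(field, key)].append(sup["id"])
    hits = defaultdict(set)
    for emp in employees:
        for field, norm in NORMALISERS.items():
            key = norm(emp.get(field, ""))
            for sup_id in (index.get((field, key), []) if key else []):
                hits[(emp["id"], sup_id)].add(field)
    return sorted((e, s, sorted(f)) for (e, s), f in hits.items())
```

Each returned tuple is a lead for follow-up rather than a finding: a shared phone number alone may be a household or office line, while overlapping address and bank details warrant a closer look at the supplier's transactions.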
There are many useful antifraud management practices, including:
identifying potential indicators of fraud for your industry, company, or activities within your organisation
communicating with experienced people to learn ideas about how frauds may be committed and best detected
devising and routinely running tests to look for fraud indicators and data anomalies
performing ad hoc inquiries as needed to dig into the source data underlying fraud indicators and data anomalies, either on their own or as part of control self-assessment sessions
implementing continuous monitoring and continuous auditing.
Norman Marks, a semi-retired chief internal audit executive and old hand at internal auditing at many large companies, recommends that internal audit periodically assess:
the adequacy of the control environment, including: the adequacy of the code of conduct and processes to ensure it is understood, the adequacy of the whistleblower and investigation processes, and the staffing and organisation of those responsible for the prevention and detection of fraud. Internal audit should go beyond traditional techniques such as interviewing or issuing a questionnaire only to senior management; a direct and more useful technique is to ask the workforce via surveys, interviews, and focus groups
management’s risk assessment as it relates to fraud and theft, including: whether the process is systematic and most conceivable fraud schemes identified, fraud risks adequately assessed, and appropriate strategies implemented
management’s monitoring activities, including: whether actual losses are monitored and compared to risk tolerances, and actual losses monitored to identify areas of concern, potential failing of controls, and opportunities for improvement
There will always be limits to an organisation’s antifraud capabilities. Your sample sizes can only be so large. Your budget is only so big. Fraudsters, meanwhile, are cunning people who work hard to conceal their activities and exploit weaknesses in controls.
Organisations must be ever diligent
An open discussion about the possibility of fraud (of serious fraud), and the necessary responses, is always beneficial. Ideally, your company should have that discussion before a serious fraud incident rather than afterwards. Setting clear expectations and defining everyone’s responsibilities regarding your antifraud efforts is half the battle. Being diligent in your efforts is the other half.
To fight fraud, we need a firm policy that is enforced, with violators investigated and appropriate action taken. Management must understand that it has the responsibility to design and implement antifraud activities, including the monitoring of the results. Internal auditors should also search for fraudulent activities and contribute to the organisation’s ‘no tolerance’ attitude toward fraud.
Once your own house is in order (or perhaps as part of getting your house in order), also consider the potential fraud risks relating to your key business relationships. Whistleblowing by suppliers, partners, or customers is one of the most common ways of discovering fraudulent activities, and it cuts both ways. If a worker at one of your business partner companies wanted to report fraud at your company, would that person have the means (and the encouragement) to do so? What if one of your employees discovered fraud happening at one of your partners? How would you deal with it?
Finally, many organisations have implemented and strengthened their Enterprise Risk Management (ERM) programmes over the past few years. Consider evaluating the organisation’s ERM efforts using a ‘fraud’ lens, ie do the organisation’s risk management efforts properly consider the risk of fraud and have appropriate risk management practices been implemented? It is endless.
Two leading resources are cited below. Consider sharing these resources with the key stakeholders within your organisation as part of your ‘raising of the bar’ in fraud risk management.
Good luck in making a difference!
Dan Swanson – president, Dan Swanson and Associates, Ltd
The Role of the Board in Fraud Risk Management
Civil charges against outside directors alleging negligence in the face of fraud serve as a sharp reminder for boards that ignorance of fraud risks and red flags is no excuse for inaction.
Managing the Business Risk of Fraud: A Practical Guide
This guide makes recommendations to key stakeholders on how to attempt to prevent fraud in an organisation. It provides guidance from well-respected authorities on establishing an effective fraud risk management programme including examples of programme components and resources used by different organisations. Areas covered are: