CFE: Fraud Prevention and Deterrence
Terms in this set (175)
effective training programs
The U.S. Corporate Sentencing Guidelines make them necessary; the organization must also periodically and appropriately communicate the program's compliance requirements and procedures to all employees affected by it, including upper-level personnel.
- programs: inform employees about the company's stance on corporate compliance and about what kinds of acts and omissions are prohibited by the law and by the organization.
information and communication
component of COSO's Internal Control-Integrated Framework: exchange of info so employees can carry out their internal control responsibilities and achieve the organization's objectives
• obtain or generate & use relevant, quality info to support the functioning of internal control.
• internally communicate info, like objectives & responsibilities for internal control, necessary to support the functioning of internal control.
• communicate with external parties on matters affecting the functioning of internal control.
gathering information during a fraud risk assessment
• Interviews: effective way to conduct candid one-on-one conversations with employees
• Focus groups: enable the assessor to observe the interactions among a group of employees as they collectively discuss a question or issue
• Survey: electronic or paper questionnaires, anonymous or directly attributable to participants
• Anonymous feedback mechanisms: means for anonymous employee suggestions or responses
differential reinforcement theory
people learn social behavior by operant conditioning, behavior controlled by stimuli that follow the behavior
- Behavior is reinforced when positive rewards are gained or punishment is avoided (negative reinforcement)
- behavior is weakened by negative stimuli (punishment) and loss of reward (negative punishment)
- whether deviant or criminal behavior begins or persists depends on the degree to which it has been rewarded or punished and on the rewards or punishments attached to its alternatives.
social control theory
institutions of the social system train and press people into patterns of conformity.
-Schools: adjustment in society
- peers: ethos of success & conventional behavior
- parents: instill law-abiding habits in their youngsters, even if they themselves sometimes violate the rules
thesis: to the extent a person fails to become attached to the variety of control agencies of the society, his chances of violating the law are increased.
- "assumes the bond of affection for conventional persons is a major deterrent to crime. The stronger this bond, the more likely the person is to take it into account when and if he contemplates a criminal act."
- "What will my spouse—or my mother and father—think if they find out?"
theory of differential association
developed by criminologist Edwin Sutherland:
(1) criminal behavior is learned
(2) learned from other people by communication
(3) criminal behavior is acquired through participation with intimate personal groups
(4) the learning process includes the shaping of motives, drives, rationalizations, and attitudes
(5) motives are learned from definitions of legal codes as being favorable or unfavorable
(6) a person becomes a criminal because of an excess of definitions favorable to violation of the law over definitions unfavorable to violation of the law
(7) differential association may vary in frequency, duration, priority, and intensity
(8) learning criminal behavior involves all the mechanisms of other learning
(9) learning differs from pure imitation
(10) while criminal behavior is an expression of general needs and values, it is not explained by these needs and values
"Why People Obey the Law"
Tom Tyler conducted a study (called the Chicago Study) to test the concept that if the authorities have legitimacy, the public will obey the law
- results: people generally have a high level of normative commitment to abide by the law
- they felt breaking the law was morally wrong and that laws should be obeyed even when they disagree with them.
- Authorities who can tap into and encourage those views will inspire compliance
- employees with a strong sense of loyalty to their employer will not violate company policies because doing so would be a betrayal of the company.
legitimacy
essential in giving governments and leaders authority; if authorities have legitimacy, the public will obey the law
- to maximize compliance and minimize hostility toward laws and rules, gain legitimacy in the eyes of the public
behavior is most effectively modified by managing & modifying desires through reinforcement
- replace destructive behaviors with productive ones instead of punishing an existing impulse.
- behavioral studies show punishment is the least effective method of changing behavior.
- punishment: produces only temporary suppression of behavior, and only with constant supervision and application; it loses effectiveness because it offers only negative consequences (administering penalties and taking away desirables).
behaviorist view of the workplace
Emotions are a predisposition for people's actions.
- emotional associations are important factors in conditioning behavior; these associations can be manipulated in conditioning the behavior
- managers can modify employee's bad emotional circumstance with adequate compensation and recognition of workers' accomplishments.
- Incentive programs & task-related bonuses: employees who feel challenged & rewarded by their jobs will produce more work at a higher quality and are less likely to violate the law.
U.S. Corporate Sentencing Guidelines
designed to provide incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct
- suggest reduction of fines for organizations that have effective compliance programs.
- only apply in U.S. federal courts, not state courts
- Federal judges must consider them when sentencing, but are not required to sentence within the range set.
- judges are still required to examine the adequacy of a company's compliance and ethics program.
- organizations must pay full restitution to victims of the crime to remedy the harm caused by the offense.
Charles McCaghy: "the single most compelling factor behind deviance by industry, whether it be price fixing, the destruction of competition, or the misrepresentation of a product"
Clinard and Yeager: certain industries face such severe competition and strong profit drives, due to demands for continual development of new products, that they might feel pressured to falsify test data, market new products before their full effects are known, or engage in unethical sales techniques that can have disastrous effects on human beings and the environment.
Albert J. Reiss, Jr. & Albert Biderman: "White-collar crime violations are those violations of law to which penalties are attached that involve the use of a violator's position of economic power, influence, or trust in the legitimate economic or political institutional order for the purpose of illegal gain, or to commit an illegal act for personal or organizational gain."
- the term white-collar crime was coined by Edwin H. Sutherland in December 1939 during his presidential address in Philadelphia to the American Sociological Society
- examples of white-collar crimes: antitrust violations, securities violations, bank embezzlement, credit fraud
Crimes of the Middle Classes: most defendants are males with a moderate social status
- slightly more likely to have a high school diploma (78 percent vs 69 percent) or a college degree (24.7 percent vs 19 percent for the general public).
loyalty and fraud
Diane Vaughan: organizations can be criminogenic because they encourage loyalty
- causes company personnel to perceive that the organization might be worth committing crime for
- uses formal and informal rewards and punishments, social activities and pressures to participate, to link an employee's needs and goals to the company's success.
- when the company achieves its goals, employees prosper; the interests of the organization and its employees coincide, which sets the stage for unlawful conduct by individuals on the organization's behalf.
the reasons are that:
• organization recruit and attract similar individuals.
• Rewards are given out to those who display characteristics of the "company man."
• long-term loyalty is encouraged through company retirement and benefits.
• Loyalty is encouraged through social interaction, such as company parties and social functions.
• Frequent transfers and long working hours encourage isolation from other groups.
• Specialized job skills can discourage personnel from seeking employment elsewhere.
vast majority (87%) of employees who commit occupational fraud are first-time offenders
-about 82% had never previously been punished or terminated by an employer for fraud or abuse.
Complex companies provide a structure that can foster misbehavior.
- isolated settings in departments and in locations around a city, a country, or the world
- isolation = information about what one part of a company is doing might be unknown in another, reducing the chance of detecting and punishing misbehavior
- company grows larger -> specialized subunits -> specialization breeds a higher risk of fraud
- internally diversified company = few employees who fully understand detailed workings
- specialization hides illegal activities, especially where a firm's tasks are kept separate & unrelated. - Employees cannot garner knowledge about all the particulars of how a firm works
- protects company from effects of turnover & leak of info because no one can offer complete info
compliance systems
Enforcement strategy designed to achieve conformity to the law without having to detect, process, or penalize violators
- systems provide economic incentives for obeying the laws and use administrative efforts to control violations before they occur.
deterrence systems
Enforcement strategy designed to detect law violations, determine who is responsible, and penalize offenders to deter future violations.
- deterrence systems control the immediate behavior of individuals, not long-term behavior (as compliance systems do)
% lost to fraud
median estimate of 5 percent
- global fraud loss of nearly $3.7 trillion (based on the 2013 estimated Gross World Product of $74.31 trillion)
top-ranked motivating factor to commit fraud
Dr. Steve Albrecht: top three most highly ranked personal characteristics fraud factors
(1) living beyond their means
(2) an overwhelming desire for personal gain
(3) high personal debt.
corporate crimes are increasingly difficult to detect
Clinard and Yeager: corporate violations are increasingly difficult to discover, investigate, or prosecute successfully because of their growing complexity and intricacy
- particularly true of antitrust cases, foreign payoffs, computer fraud, and illegal political contributions.
"beating the system"
Dr. Steve Albrecht: perpetrators motivated by "beating the system" committed larger frauds
- perpetrators who believed their pay was not adequate committed primarily small frauds
- pressures/weaknesses associated with large frauds: no segregation of responsibilities, undeserved trust in key employees, unrealistic goals, and operating on a crisis basis
- College graduates were less likely to spend proceeds on extravagant vacations, recreational property, support of extramarital relationships, and expensive automobiles
- lower salaries: more likely to have a prior criminal record.
rationalization
not an ex post facto means of justifying an old theft
- necessary component of the crime before it happens; part of the motivation for the crime
- the embezzler doesn't view himself as a criminal, so he must justify his misdeeds before he commits them.
three major categories of occupational fraud: frequency and median loss
asset misappropriation schemes: most common
- occurring in more than 85 percent of cases
- least costly of the three major categories
- median loss of $130,000
Financial statement fraud: least common reported - occurring in just 9 percent of cases reported
- caused considerably more damage than other 2
- median loss was $1,000,000
Corruption schemes: middle in frequency and cost
- occurs in 37% of the cases
- causing a median loss of $200,000.
beliefs used by businesses to rationalize illegal conduct
Silk and Vogel found several beliefs:
• Government regulations are unjustified because the additional costs of regulations and bureaucratic procedures cut heavily into profits.
• Regulation is unnecessary because the matters being regulated are unimportant.
• although some violations involve large sums of money, the damage is so diffused among a large number of consumers that, individually, there is little loss.
• Violations are caused by economic necessity; aim to protect value of stock, ensure a return for stockholders, & protect job security of employees by ensuring financial stability of the corporation.
occupational crime (Gary Green): "any act punishable by law which is committed through opportunity created in the course of an occupation which is legal."
- offenses committed by individuals in the course of an otherwise legal occupation
four categories of crimes:
• organizational: benefit of employing organization
• government authority: through exercise of their government-based authority
• professional: in their capacity as professionals
• Crimes by individuals as individuals
EX: accepting or offering bribes
Dr. Gilbert Geis: individuals are trained in illegal behavior as part of their occupational roles.
Schrager & Short: criminal behavior stems more from the roles an employee is expected to fulfill than from individual pathology
- executives know behavior is illegal but justify it as simply common practice in the business world.
Clinard & Yeager: in rationalizing their behavior, corporations obey laws selectively (i.e., obeying according to situational needs and determined by factors like social class and occupation).
organizational crime
crime committed by businesses, particularly corporations, and by the government
- an antitrust offense, such as bid rigging or price fixing, would be an organizational crime
complex relationships and expectations exist between:
- boards of directors, executives, and managers on the one hand
- and parent corporations, corporate divisions, and subsidiaries on the other.
organizational environment red flags
Albrecht's research, ranked by presence:
1. Placing too much trust in key employees
2. Lack of proper procedures for authorization of transactions
3. Inadequate disclosures of personal investments and incomes
4. No separation of authorization of transactions from the custody of related assets
5. Lack of independent checks on performance
6. Inadequate attention to details
7. No separation of custody of assets from the accounting for those assets
8. No separation of duties between accounting functions
9. Lack of clear lines of authority and responsibility
10. Department that is not frequently reviewed by internal auditors
tips: by far the most common detection method
- catching 3X as many frauds as any other method
- most common means of detection in every study since 2002
- employees are the source of half of the tips leading to the detection of fraud, more than twice the share provided by any other source
proactive data monitoring and analysis
most effective at limiting the duration and cost of fraud schemes; victim organizations with this control experienced losses 60 percent smaller and schemes 50 percent shorter than organizations that did not.
compared median loss and median duration of fraud schemes based on whether the victim organization had particular controls in place at the time the fraud occurred.
- Every control was associated with reductions in both the cost and duration of fraud
fraud triangle
1940s, Donald R. Cressey
- first leg: perceived non-shareable financial need
- second leg: perceived opportunity
- third leg: rationalization
the role of the non-shareable problem is important; trust violators explained that they refrained from violating previous positions of trust, or their current position at an earlier time, because:
(a) There was no need for it like there was this time
(b) The idea never entered my head.
(c) I thought it was dishonest then, but this time it did not seem dishonest at first.
when situational pressures and perceived opportunities are high and personal integrity is low, occupational fraud is more likely to occur than when the opposite is true.
fraud scale (created by Dr. Steve Albrecht)
- components: situational pressures
- perceived opportunities
- personal integrity
Clinard & Yeager found that publicity about law violations is most feared consequence of sanctions imposed on a corporation
- can inform public about operation of regulatory controls and can enable people to understand the purposes of the controls
Informal publicity: carried as news items
formal publicity: requirement as part of an enforcement action, corporation must publish an advertisement or some other statement acknowledging a violation and assuring that corrective measures are being taken.
Fines imposed under the U.S. Corporate Sentencing Guidelines
based on two factors:
- seriousness of the offense: determines the base fine to be imposed, can be quite high
- organization's culpability: measure of the actions taken by the organization that either mitigated or aggravated the situation
--base fine can be increased by as much as 400 percent or reduced by as much as 95 percent
Efforts to control corporate crime
- change in corporate attitudes & structure
--Voluntary changes involve development of stronger business ethics and certain corporate organizational reforms
- intervention by government to force changes in corporate structure, with legal measures to deter or punish
--corporate chartering, deconcentration & divestiture, larger & more effective enforcement staffs, stiffer penalties, wider use of publicity as a sanction, and nationalization of corporations.
- consumer action
--group pressures through lobbying, selective buying, boycotts, & large consumer cooperatives.
factors that have contributed to the rising problem of economic crime
• the economy increasingly runs on credit: rising personal debt creates serious discrepancies "between their resources and their commitments."
• New information technologies: growing opportunity for wrongdoing, & techniques are not widely comprehended by businesses or individuals
• Government programs distributing large amounts of money make an enticing target for defalcations.
• importance of credentials: influence individuals to inflate credentials or make them up.
• overarching culture based on affluence and ever-higher levels of success: advertising promises no one has to settle for second best, prompting those running behind to conceal the difference, crossing ethical and sometimes legal lines.
Donald R. Cressey: "most lived beyond their means for some time before deciding to embezzle."
- the most interesting fact about offenders' aggregate financial status is not the value of their assets but the extent of their liabilities.
U.S. Corporate Sentencing Guidelines' types of remedies for an organization convicted of an offense
fines, restitution, remedial orders, and probation.
White-collar defendants are more likely to insist on a trial than other offenders
- in more than 90% of criminal cases, defendants plead guilty, avoiding the expense and effort of a trial
- 18% of white-collar defendants pleaded "not guilty."
- bank embezzlement: simple cases with clear evidence, so plea bargains are easily negotiated and "prosecutors may actively seek guilty pleas."
U.S. Corporate Sentencing Guidelines recommended conditions for probation
run for at least 1 year but no more than 5 years.
• Publicizing nature of offense, organization's conviction, punishment imposed, and steps taken to prevent the recurrence of a similar offense
• Providing periodic reports to the court of the organization's financial condition and expense
• Requiring organization to submit to examinations of the organization's business records and to interviews of knowledgeable employees
• Requiring organization to notify court upon learning of a material adverse change to its financial condition or commencement of any major legal proceedings, including bankruptcy, or any investigation by authorities
• Requiring periodic payments under the court's specifications, with priority in the order of restitution, fine, and any other monetary sanction
• Developing a program to avoid violations of law and a schedule to implement it
• Notifying the organization's employees and shareholders of its violation and its program to avoid and detect violations of law
• Reporting to court on implementation of a program to avoid and detect violations of law and disclosing any investigation by authorities
embezzler's non-shareable problems
Cressey- non-shareable problems encountered by people arose from six basic categories:
- violation of ascribed obligations
- problems resulting from personal failure
- business reversals
- physical isolation
- status gaining
- employer-employee relations.
All situations involved status-seeking or status-maintaining activities by the subjects; the problems either:
- threatened the status of the subjects, or
- prevented them from achieving a higher status
determinant aspect of white-collar crime
organizational opportunity: criminal's position in an organization & ability to organize scheme has more bearing on crime than social status or class alone.
the higher an individual's status, the more likely the person is to be imprisoned: doctors have a 30% greater likelihood of being imprisoned than truck drivers and almost a 13% greater likelihood than managers.
- Judges find persons of higher prestige more blameworthy in the commission of their crimes.
non-shareable financial need
Cressey: in all cases of trust violation, the violator considered that a financial problem confronting him could not be shared with persons who probably could have aided in the solution of the problem
- financial: can be solved by theft of cash or assets
- Ex: gambling debts, addiction problems, or credit card debt from excessive shopping.
position and occupational fraud
majority of occupational frauds are committed by employees and mid-level managers
- Owners & executives: only 18.6% of all cases, but median loss was approximately 4X higher than managers' and nearly 7X that of employees.
Edward Gross: a company's reliance on "the bottom line" makes it criminogenic
- invite fraud as a means of obtaining goals.
Oliver Williamson: because of a department's concern with reaching its goals, managers might tend to maximize their department's own interests to the detriment of the organization.
punishment of choice
fines are imposed more often than prison
- 6% of "common criminals" received fines; all of the antitrust violators did
circumstances where required to impose probation on offending organization
• to secure payment of restitution, enforce a remedial order, or ensure completion of community service
• to safeguard the organization's ability to pay a monetary penalty that wasn't paid at the time of sentencing
• an organization with 50 or more employees did not have an effective program to detect and prevent violations of law
• the organization was adjudicated within the past five years to have committed misconduct similar to any part of the misconduct of the instant offense
• to ensure changes are made to reduce the likelihood of future criminal conduct
• when the sentence does not include a fine
• to accomplish one or more purposes of sentencing set forth in 18 U.S.C. § 3553(a)(2)
fraud risk assessment benefits
good corporate governance strategy and good business sense; benefits include enabling the organization to:
• Improve communication & awareness about fraud.
• Identify where it is most vulnerable to fraud and what activities put the company at the greatest risk.
• Know who puts organization at the greatest risk.
• Develop plans to mitigate risk.
• Develop techniques to investigate and determine if fraud has occurred in areas of high risk.
• Assess internal controls.
• Comply with regulations & professional standards.
fraud risk assessment and audit
plays a significant role in informing and influencing the audit process; should drive thinking and awareness in the development of audit programs for areas with a moderate-to-high risk of fraud
- helps auditors design audit procedures that enable them to look for fraud in known areas of high risk.
fraud risks including:
• Payment of bribes or gratuities to companies, private individuals, or public officials
• Receipt of bribes, kickbacks, or illegal gratuities
• Aiding and abetting of fraud by outside parties, such as customers or vendors
mitigating the risk
implementing appropriate countermeasures, such as prevention and detection controls
- evaluate each countermeasure to determine whether it is cost effective and reasonable given the probability of occurrence and the impact of loss.
transferring the risk
purchasing fidelity insurance or a bond
- cost to organization is the premium paid for the insurance or bond. The covered risk of loss is then transferred to the insurance company.
inherent risk
Risks that are present before management action.
- EX: risk that the employee in charge of receiving customer payments at a small company might embezzle incoming cash.
residual risk
The risks that remain after management action
- Controls, such as segregation of duties and oversight from the company owner, can be implemented to help mitigate this risk
- even with such controls in place, some residual risk will likely remain that the bookkeeper might still manage to embezzle funds. The objective of the controls is to make the residual risk significantly smaller than the inherent risk.
announcement and execution of the fraud risk assessment
including the reporting of the results, will only be effective if completed in the language of the business.
- ACFE does not have a standardized risk assessment report, nor does it advocate the use of a template
assuming the risk
management determines that the probability of occurrence and the impact of loss are low
- decides it is more cost effective to assume the risk than to eliminate the asset or discontinue the activity, buy insurance to transfer the risk, or implement countermeasures to mitigate the risk.
fraud risk assessment team
consists of individuals with diverse knowledge, skills, and perspectives who will lead and conduct the fraud risk assessment.
- size of the team depends on the size of the organization and the methods used to conduct the assessment.
- individuals should be credible and experienced in gathering and eliciting information.
might include internal and external resources:
• Accounting & finance personnel: familiar with the financial reporting processes and internal controls
• Nonfinancial business unit & operations personnel knowledgeable of day-to-day operations, customer & vendor interactions, & issues within the industry
• Risk management personnel can ensure that fraud risk assessment process integrates w/ organization enterprise risk management program
• general counsel/members of legal department
• Members of any ethics or compliance functions within the organization
• Internal auditors
• External consultants with fraud and risk expertise
• Any business leader with direct accountability for effectiveness of fraud risk management efforts
company's vulnerability to fraud
fraud risk can exist in the way someone makes decisions, behaves, or treats others within and outside the organization
- a fraud risk assessment can help home in on those people and the activities that increase fraud risk.
factors influence how at-risk an organization is to fraud
Some of the main factors are:
• The nature of the business in which it is engaged (i.e., its industry and operations)
• The environment in which it operates (e.g., storefront or Internet, geographical location)
• The effectiveness of the internal controls within the business processes
• ethics & values of the company and its employees
brainstorming to identify the fraud risks
include discussions regarding:
- incentives, pressures, and opportunities, including the effects of incentive programs on employee behavior
- the potential for management's override of controls
- the universe of fraud risks and the subset of risks, including reputation risk, pertaining to specific categories of fraud that apply to the particular organization.
fraud risk assessment process
most effective when management & auditors share ownership of process & accountability for success
- effectively conducted either by people inside the organization or with external resources
- people leading & conducting must remain independent & objective throughout
- must be perceived as independent and objective
- think like a fraudster. Don't allow thoughts of "it couldn't happen here" to moderate evaluation
sponsor for a fraud risk assessment
must be senior enough in the organization and command the employees' respect to elicit full cooperation in the process
- someone committed to learning the truth about where company's fraud vulnerabilities really are.
- not someone prone to rationalization or denial; must be a truth seeker
- Ideally independent board director or audit committee member. However, a good CEO or internal senior leader can be equally as effective.
Fraud risk assessment
process aimed at proactively identifying & addressing an organization's vulnerabilities to internal and external fraud
- starts with an identification and prioritization of fraud risks that exist in the business
- evolves as the results of that identification and prioritization begin to drive education, communication, organizational alignment, and action around effectively managing fraud risk and identifying new fraud risks as they emerge.
Following the conclusion of the fraud risk assessment
management should use the results to:
• Begin dialogue across the company and promote awareness, education, and action planning.
• Look for fraud in high-risk areas.
• Hold action owners accountable for progress against agreed-upon plans.
• Keep the assessment process alive and relevant.
• Monitor key internal controls.
preventive controls
manual or automated processes that stop something bad from happening before it occurs.
detective controls
can be manual or automated, but are designed to identify something bad that has already occurred.
avoiding a risk
eliminating an asset or discontinuing an activity if control measures required to protect organization against an identified threat are too expensive
- requires fraud risk assessment team to complete a cost-benefit analysis of value of asset or activity to organization compared to cost of implementing measures to protect the asset or activity.
fraud risk
vulnerability that an organization faces from individuals capable of combining all three elements of the fraud triangle
- sources both internal & external to organization.
managing the moderate-to-high fraud risks
Auditors can do so by:
• Identifying & mapping existing preventive & detective controls pertaining to moderate-to-high fraud risks identified in the fraud risk assessment
• Designing & performing tests to evaluate whether identified controls operate effectively & efficiently
• Identifying whether there is a moderate-to-high risk of management override of internal controls
• Developing & delivering reports that incorporate results of validation & testing of fraud risk controls
Regulatory and legal misconduct
wide range of risks: conflicts of interest, insider trading, theft of competitor trade secrets, anti-competitive practices, environmental violations, and trade/customs regulations in the areas of import/export
high level of fraud risk
does not conclusively mean that fraud is occurring there.
- identifies areas to proactively investigate to determine whether fraud has in fact occurred
- putting under increased scrutiny deters potential fraudsters by increasing perception of detection.
types of fraud risks
major areas of fraud risks—fraudulent financial reporting, asset misappropriation, and corruption
others: risk of regulatory & legal misconduct, reputation risk, & risk to information technology
Brainstorming also includes discussing incentives, pressures, and opportunities to commit fraud:
- incentive programs: effect on employee behavior
- potential for management's override of controls.
system of internal controls
well-designed & effective internal controls can deter the average fraudster by:
- reducing the opportunity to commit the fraud
- increasing the perception of detection
- the right balance of preventive and detective controls
internal control weaknesses
internal control is a dynamic system & requires constant reevaluation of its weaknesses.
• Controls that might have been eliminated due to restructuring efforts (e.g., elimination of separation of duties due to downsizing)
• Controls that might have eroded over time due to reengineering of business processes
• New opportunities for collusion
• Lack of internal controls in a vulnerable area
• Nonperformance of control procedures (control procedures compromised for sake of expediency)
• Inherent limitations of internal controls, including opportunities for those responsible for a control to commit and conceal fraud (through management and system overrides)
fraud awareness training program
No individuals should be exempted from an initial orientation and ongoing anti-fraud education.
- managers and executives should receive special training addressing added fraud prevention and detection responsibility—and ability—provided by their authority positions
- ex: department managers trained in specific warning signs and prevention/detection methods pertinent to their department's functions.
strong corporate culture
observed by its outcome, rather than by any individual component
- culture of ethics & compliance runs deeper than simply implementing a checklist of initiatives
- culture of corruption can exist even in companies with seemingly sound policies in place.
anonymous reporting channel
reporting mechanism, ex. ethics hotline, to report suspicious activity anonymously or confidentially (where permitted by law) without fear of reprisal.
- reports of suspicious activity will be promptly and thoroughly evaluated.
Employee education should emphasize that:
• Fraud, waste, & abuse occur in nearly all companies
• Such conduct costs the company jobs and profits.
• The company actively encourages any employee with information to be able to come forward.
• employee can come forward & provide info anonymously & without fear of retaliation
• There is an exact method for reporting an incident (e.g., a telephone number or online form).
• reports don't have to be to immediate superiors.
"action constituting fraud" section in a fraud prevention policy
details what actions constitute fraudulent conduct
- gives management legal grounds to investigate and punish violators. The actions listed can include:
• Any dishonest or fraudulent act
• Forgery or alteration of documents
• Misapplication of funds or assets
• Impropriety in reporting financial transactions
• Profiting on insider knowledge
• Disclosing securities transactions to others
• Accepting gifts from vendors
• Destruction/disappearance of records or assets
• Any similar or related irregularity
proper flow of information
a well-designed organizational structure, with key areas of authority & clear & proper lines of reporting, is an effective fraud prevention measure
- confused structure: easier for a fraudster to perpetrate and conceal his misdeeds.
Flowcharts with organizational and departmental hierarchies can be a helpful tool for this purpose.
- ensure info is being properly received and that instructions are being carried out
analytical review procedures
performed during a financial statement audit.
- scheme must materially impact the financial statements in order to be detected with this technique.
Auditors should be mindful of the following trends:
• Increasing expenses
• Increasing cost of sales
• Increasing receivables/decreasing cash
• Increasing inventories
• Increasing sales/decreasing cash
• Increasing returns and allowances
• Increasing sales discounts
anti-fraud education and training
frequent exposure to anti-fraud topics is the key to ensuring employees absorb and apply information
- formal training should be an ongoing process that begins at the time of hire
- refresher training at least annually to help keep the program alive and engrained in their minds.
formal training can take many forms, including live, in-class instruction; recorded video or animated courses; or interactive self-study programs
- organization should use informal means, such as periodic newsletters or posters in break rooms
most important: training based on realities of the organization, not generic anti-fraud messages.
messages from an employee's direct supervisor often carry the most weight with an employee, so cascading training can be especially effective
- managers tasked with & specifically educated on how to provide anti-fraud training to own staff
- training customized to each team's own needs
effective in increasing employees' perception of detection & in uncovering actual frauds
- predictability allows perpetrators the time to conceal their acts by altering, destroying, or misplacing records and other evidence.
minimize the pressures to commit fraud
companies should take steps to increase managers' awareness, as well as to assist an employee who might be having difficult times:
• Open-door management policies
• Fair & equitably applied personnel policies and procedures
• Measures to boost employee morale, such as career development opportunities, special events for employees, and recognition for jobs well done
• Employee support programs, such as counseling for addiction, family and marital problems, and financial difficulties
proactive audit procedures
analytical review procedures, fraud assessment questioning, and surprise audits where possible
hiring background checks
check of any employee who will have constant access to cash, checks, credit card numbers, or any other items that are easily stolen.
- run on existing employees who are being promoted or moved to positions that include access to sensitive or valuable company resources.
- check to identify any changes or occurrences that have taken place during the individual's tenure.
- verify past employment, ask previous employers if applicant is eligible for rehire.
- hiring manager or HR should contact the references provided by the candidate.
- people often assume, incorrectly, that a former supervisor or coworker will provide a good reference
12 components necessary:
• Vision statement
• Values statement
• Code of ethics
• Designated ethics official
• Ethics task force or committee
• Ethics communication strategy
• Ethics training
• Ethics help and fraud report telephone line
• Ethical behavior rewards and sanctions
• system to monitor & track ethics data
• Periodic evaluation of ethics efforts and data
Fraud assessment questioning
nonaccusatory interview technique used as a part of a normal audit; based on the theory that employees' attitudes are a good indicator of potential problems, and that one of the most effective ways to assess potential fraud is to ask about it.
• Part of my duty as an auditor is to find fraud, waste, and abuse. Do you understand that?
• Do you think fraud is a problem for business in general?
• Do you think this company has any particular problem with fraud?
• Has anyone ever asked you to do anything that you felt was illegal or unethical?
• If you felt that there was a problem in the company with respect to fraud, what would you do?
• Do you have any indication that there is fraud occurring in the company now?
collection of a person's beliefs and morals makes up a set of principles
- judgments about right and wrong
- person's moral obligations to society that determine a person's actions
- complicated: moral standards and generally accepted social behavior change with time
- different groups in the same society might have conflicting ideas of right and wrong
four factors that generally affect decisions:
• The law and other government regulations
• Industry and organizational ethical codes
• Social pressures
• Tension between personal standards & organizational needs
perception of detection
most effective fraud prevention method
- Controls do little good in preventing fraud if employees are not aware of the presence of possible detection
accomplished in several ways:
- surprise audits
- employee anti-fraud education
- enforcement of mandatory vacation
- job-rotation policies
- strong management oversight
- effective reporting programs
- rewards for whistleblowers
- proactive audit policies
performance measurement and management programs
well-defined job descriptions & performance goals
- goals routinely reviewed to ensure that they do not set unrealistic standards
- training on a consistent basis: ensure employees maintain skills needed to perform tasks effectively
- determine where deficiencies in an employee's conduct exist & work with them to fix the problem.
- if employee compensation or job security is tied to unachievable performance goals, employees have an incentive to create fraudulent approaches to meeting them.
- Including ethics-based metrics: how employees do business, not just how much business they do
written ethics policy
method by which management can objectively communicate its philosophy and develop a successful ethics program.
- disseminated among all employees
- can share with vendors and available for public
- exposure reinforces importance on ethics & provides external parties with a tool to help identify & report breaches of employee conduct.
These considerations include:
• Understanding why good people can commit unethical acts
• Defining current—as well as desired—organizational values
• Determining if ethics is currently a leadership issue in the organization
• Determining if organizational values have been properly communicated
• Ascertaining how board members, stockholders, management, employees, and any other pertinent members of the organization define success
• Producing written ethics policies, procedures, or structures
components of fraud risk management program
• Commitment: written statement of commitment to program from board of directors & senior mgt
• Fraud awareness: formal fraud risk awareness program for all employees
• Affirmation process: requirement for directors, employees, & contractors to explicitly affirm that they have read, understood, and complied with the organization's code of conduct and fraud risk management program
• Conflict disclosure: mechanism for directors, employees, & contractors to self-disclose to the organization potential or actual conflicts of interest
• Fraud risk assessment: proactive identification and assessment of the organization's fraud risks
• Reporting procedures & whistleblower protection: mechanisms & support for receiving fraud allegations from employees & other parties
• Investigation process: formalized process that is undertaken following all reports of suspected fraud
• Corrective action: policies reflect consequences & processes for individuals who commit or condone fraudulent activity, & identify & remediate any control deficiencies allowing fraud to occur
• Process evaluation & improvement (quality assurance): formal procedures to periodically evaluate the fraud risk management program's effectiveness
• Continuous monitoring: ongoing review of the program to ensure it is addressing the organization's current needs and risks
Fraud risk management programs
address fraud before, during, and after it occurs.
- incorporate policies & procedures designed to:
• Prevent fraud: activities focus on proactively identifying & assessing fraud risks & taking steps to address those risks; first line of defense, includes policies, procedures, training, & communication.
• Detect fraud: identify fraud occurrences as soon as possible to begin limiting the damage done.
• Respond to identified fraud: investigating the allegation; determining the party or parties responsible, the means of infraction, & the extent of resulting damage; punishing the perpetrator through employment sanctions or legal action; remediating control weaknesses that allowed the fraud; and rebuilding stakeholders' confidence in the organization.
include mechanisms designed to monitor, identify, & address breaches in compliance.
- include failures in design or operation of anti-fraud controls, as well as occurrences of fraud.
- specific individual or team designated as responsible for monitoring compliance and for handling suspected instances of noncompliance.
- Formal sanctions for intentional noncompliance must be well-publicized & carried out in a consistent & firm manner.
responsible for developing & supporting the organization's underlying fraud risk management strategy.
- responsibility for designing, implementing, monitoring, and improving the fraud risk management program is held by management, which should:
• Be intimately familiar with the organization's fraud risks.
• Ensure organization has specific and effective internal controls in place to prevent & detect fraud.
• Set a tone at top & monitor company culture to ensure it appropriately supports organization's fraud prevention & detection strategies. Senior management must exude ethics for staff to be inspired & feel obligated to follow suit.
• Clearly communicate that fraud is not tolerated.
• Take seriously all reports of fraud and undertake investigations for such reports deemed reliable.
• Punish perpetrators of discovered fraud appropriately. Punishing perpetrators reinforces the culture of ethics and the fact that fraud will not be tolerated.
• Take any steps necessary to remediate weaknesses that allowed frauds to occur.
objective of the fraud risk management program
balance the following factors:
• The investment in anti-fraud controls
• The prevention of frauds that are material in nature and/or amount
• Management's risk appetite
starting point: examine previous occurrences of fraud and explore how risk management program would have prevented, detected, and responded
- consider factors that allowed frauds to occur.
sub-group of the board of directors, delegated oversight of organization's financial, accounting, and audit matters.
- active role in overseeing assessment & monitoring of organization's fraud risks:
• Receiving regular reports on the status of reported or alleged fraud
• Meeting regularly with key internal parties (chief audit executive or other senior financial persons) to discuss identified fraud risks & steps being taken to prevent and detect fraud
• Understanding how internal & external audit strategies address fraud risk
• Providing external auditors with evidence that they are dedicated to effective fraud risk management
• Engaging in open conversations with external auditors about any known or suspected fraud
important component in a fraud risk management program, though not a legally necessary one
- requires directors, employees & contractors to state explicitly that they have read, understood & complied with code of conduct, fraud control policy & other documentation
- management weighs any potential legal issues involved with having such a process against the increased fraud risk of not having one.
- If enacted, it should include consistent sanctions for individuals who refuse to sign off
- can require individuals to acknowledge they have fiduciary duty to report known instances of fraud.
formal statement of commitment
board of directors & senior management should communicate, in writing, their commitment to proactively prevent, detect, and address fraud.
can be made as part of:
- written statement of values & principles
- code of conduct
- separate short document, like a letter, provided to all employees, vendors, and customers.
• Be endorsed or authored by a senior executive or board member.
• Be provided to employees as part of the orientation process and be reissued periodically.
• Stress the importance of fraud risk mitigation.
• Acknowledge organization's vulnerability to fraud.
• Emphasize that each person within the organization is responsible for supporting fraud risk management efforts.
• Reinforce "no tolerance" stance on fraud behavior
board of directors
recognize the specific risks of fraud to the organization, as well as their potential impact, and respond by:
• Setting appropriate tone & realistic expectations of management to enforce an anti-fraud culture
• Raising awareness of the risks of fraud
• Developing a strategy to assess & manage fraud risks that aligns with the organization's risk appetite and strategic plans
• Overseeing fraud risk management activities
consequences and processes for individuals who commit or condone fraudulent activity
anti-fraud policy might include:
- termination of employment (or a contract)
- reporting of the incident to law enforcement or regulatory authorities
- pursuit of civil or criminal action
important for management to ensure that any corrective action taken is applied consistently for all involved in the fraudulent act
- specific policies to identify & remediate control deficiencies that allowed fraudulent conduct to occur.
COSO's Enterprise Risk Management—Integrated Framework
builds on 5 components identified in COSO's Internal Controls—Integrated Framework and includes an additional three components.
The eight components of the ERM Framework are:
• Internal environment
• Objective setting
• Event identification
• Risk assessment
• Risk response
• Control activities
• Information and communication
• Monitoring
involves identification, prioritization, treatment, and monitoring of risks that threaten an organization's ability to provide value to its stakeholders,
- increasing profitability and shareholder value for a for-profit entity or achieving program-specific goals for a nonprofit or governmental agency.
- balances risk appetite with ability to meet strategic, operational, reporting, & compliance objectives.
expressed appropriately for culture & operations
- qualitatively: low, medium, or high
- quantitatively: using a numeric scale
- can also be broken down into specific types or sources of fraud, which allows for prioritization
enterprise risk management
Committee of Sponsoring Organizations (COSO):
"process designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
who has responsibility for dealing with fraud risk
Managing the Business Risk of Fraud: A Practical Guide: "personnel at all levels of the organization—including every level of management, staff, and internal auditors, as well as the organization's external auditors"
fraud examiner roles in professional ethics
Every person acts not only as an individual but also as a member of a profession & member of society.
fraud examiners might also be:
- spectators: observing decisions of colleagues
- advisors: counseling with coworkers
- instructors: teaching new employees on the job
- judges: serving on disciplinary committees
- critics: commenting on ethical decisions of others
primary goal is to arrive at a set of acceptable methods for making ethical decisions to fulfill all his roles.
- honesty, truthfulness, trustworthiness, confidentiality
- subordination of desires for personal gain to the interests of clients, employers, and the public
- independence of mental attitude & avoidance of conflicts of interest.
have a well-developed sense of moral philosophy: the ability to analyze situations where no rules of the ACFE Code of Professional Ethics are specifically applicable & distinguish right from wrong
does not mean:
- ACFE member is perfect in all technical matters
- nor that fraud examiners and others cannot have honest differences of opinion
- inadvertent errors, mistakes of judgment, and other problems might cause conflict. In such cases, the examiner should admit the error or convincingly justify a difference of perception or opinion to preserve integrity.
disclosure of confidential client information
Article IV: ACFE member will comply with lawful orders of the courts, and will testify to matters truthfully and without bias or prejudice
Article VI says: ACFE member shall not reveal any confidential information obtained during an engagement without proper authorization
not bound by confidentiality when maintaining it would violate the law; can reveal client confidences when responding to a lawful court order
ACFE Code of Professional Ethics, ACFE members: collect & evaluate sufficient amount of evidence to afford reasonable & logical basis for decisions.
- collect evidence, exculpatory or incriminating, supporting fraud examination results and will be admissible in subsequent proceedings
- must obtain & document evidence in a manner that ensures that all necessary evidence is obtained and chain of custody is preserved.
- preserve integrity of relevant evidence/material.
accusing a suspect
Article V of the ACFE Code of Professional Ethics: ACFE member conducting examination, will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered. No opinion shall be expressed regarding the guilt or innocence of any person or party
- applies to statements of opinion to third parties.
- when interviewing a suspect whose guilt is highly probable, the examiner is not prohibited from making accusations.
- admission-seeking process requires that accusations be made of the probable guilty party
evidence and conclusions that would affect clients' decisions based on a fraud examiner's report.
- user-oriented concept
Article VII: requires fraud examiners to reveal all material matters discovered during the course of an examination which, if omitted, could cause a distortion of the facts.
Libel and slander
can cause personal injury and subject a fraud examiner to a lawsuit for damages.
- Libel: written defamation of someone else's character. Slander: spoken defamation.
The content must:
• Contain words that injure another person's character or reputation or hold him up to ridicule.
• Be communicated orally or in writing to others
• Cause an actual damage to the subject
The risks involved are a reason for the rule that prohibits expression of opinions on the guilt or innocence of people.
prohibited by ACFE Code of Professional Ethics
Article II: An ACFE member shall not engage in any illegal or unethical conduct, or any activity which would constitute a conflict of interest.
composite of three explicit prohibitions:
- illegal conduct
- unethical conduct
- conflict of interest
begin with belief something is wrong/someone is committing fraud (depending on nature of assignment & preliminary information available).
- relax attitude of skepticism only when evidence shows no signs of fraudulent activity.
- At no time is a fraud examiner entitled to assume a fraud problem does not exist
- opinions or attestations about a fraud-free environment are absolutely prohibited
expressing opinions regarding guilt or innocence
judgment is by judge or jury, not fraud examiner.
- fraud examiners are absolutely prohibited from expressing opinions regarding guilt or innocence.
Article V: An ACFE member will obtain evidence or other documentation to establish a reasonable basis for any opinion rendered. No opinion shall be expressed regarding the guilt or innocence of any person or party
conflict of interest
exists when a fraud examiner's ability to objectively evaluate & present an issue for a client is impaired by a current, prior, or potential future relationship with parties to the fraud examination.
• A fraud examiner employed full time by a company should not engage in other jobs that create a hardship or loss to the employer.
• A fraud examiner should not be a "double agent" employed by one company, but retained by another company or person to infiltrate the employer and transmit inside information (unless, of course, the employing company agrees to the arrangement in order to apprehend other parties employed by the company).
• A fraud examiner should not accept engagements from both sides to a controversy
Article II: "An ACFE member shall not engage in any illegal or unethical conduct, or any activity which would constitute a conflict of interest."
- fraud examiner does not have the same responsibilities as Chartered Accountant or CPA.
- CA or CPA generally would not be able to express an audit opinion on a company in which he held a major financial interest
- fraud examiner would be able to accept such an assignment, since the goal of a fraud examiner is to gather facts regarding a potential fraud, not to express an opinion. He should, however, make appropriate disclosures regarding his ownership.
claim ignorance of the law
Fraud examiners are not entitled to claim ignorance of the law; they are expected to know a considerable amount of law in connection with investigations
- are expected to know when to consult a lawyer.
Failing to properly supervise all assistants & others who are delegated work on a fraud examination engagement would be in violation of Article I of the ACFE Code of Professional Ethics
-"An ACFE member shall at all times demonstrate a commitment to professionalism and diligence in the performance of his or her duties."
- including properly planning assignments and supervising assistants and colleagues, avoiding conflicts of interest, performing tasks with competence, obtaining sufficient evidence to establish a basis for opinions, maintaining confidential relations, & avoiding distortion of facts.
blowing the whistle
fraud examiners not obligated to blow the whistle on clients or employers
- circumstances might exist in which you are morally & legally justified in making disclosures to appropriate outside parties
codes of professional ethics
code of conduct is a reference and a benchmark
- makes explicit some of the criteria for conduct particular to a profession
- able to provide some direct solutions that might not be available from general ethics theories.
- individual able to know what profession expects
- organized profession: code is public declaration of principled conduct & means of facilitating enforcement of standards of conduct
- Practical enforcement & profession-wide internal discipline would be much more difficult if members were not first put on notice of the standards.
Skipping vital investigation steps
to improve the efficiency of a fraud examination would not only create the possibility of missing key pieces of evidence, but it would also be a violation of Article I of ACFE Code of Professional Ethics:
- An ACFE member shall at all times demonstrate a commitment to professionalism and diligence in the performance of his or her duties.
info that cannot be demanded, even by a court.
- Common law privileges exist for husband-wife and attorney-client relationships, and physician-patient and priest-penitent relationships have obtained the privilege through state statutes
- privilege, which can be waived only by the client, patient, or penitent who holds the privilege.
- Fraud examiners don't have protected privileges in common law or statute, and no privileged status is assumed for the fraud examiner-client/employer relationship.
Independence of attitude
requires impartiality and fairness in examining & in reaching resulting conclusions and judgments.
- be sensitive to appearance of independence so that conclusions & judgments will be accepted as impartial by knowledgeable third parties
- Fraud examiners who become aware of a situation or relationship that could be perceived to impair independence, whether or not actual impairments exist, should inform management immediately and take steps to eliminate the perceived impairment, including withdrawing from the examination if necessary.
ability to conduct examinations without being influenced by one's own personal feelings or the feelings and motives of others
- maintain an independent mental attitude, reach judgments on examination matters without undue influence from others, and avoid being placed in positions where they would be unable to work in an objective professional manner.
- possible conflicts of interest should be disclosed.
how well fraud examiners do their job.
- Determination always depends on specific facts & circumstances of the assignment
Article III: "An ACFE member shall, at all times, exhibit the highest level of integrity in the performance of all professional assignments, and will accept only assignments for which there is a reasonable expectation that the assignment will be completed with professional competence."
COSO's Internal Control—Integrated Framework
5 interrelated components of internal control:
- control environment
- risk assessment
- control activities
- information & communication
- monitoring activities
effectiveness of internal controls can be determined from an assessment of whether
(1) each of these five components is in place and functioning effectively
(2) five components are operating together in an integrated manner.
board of directors and compliance program
must be knowledgeable about the content and operation & oversee its implementation.
four principal benefits to this practice:
• involvement of the board lends an air of authority & identifies it as a matter of company policy.
• board provides oversight by personnel who are not involved in program's day-to-day operation.
• Efforts to implement an effective program can be documented in the committee's meeting minutes, which can prove useful if the company ever has to defend its actions and seek mitigation of a criminal fine.
• involvement of board members on the audit committee will help ensure that the board is knowledgeable about the content and operation
Sarbanes-Oxley Act whistleblowers
• Section 806: creates a civil liability for employer who, out of retaliation, fires, demotes, suspends, threatens, harasses, or discriminates against an employee who provided information or otherwise assisted in an investigation of fraudulent activity.
- protected against retaliation for filing, testifying, participating, or assisting in a proceeding filed or about to be filed relating to an alleged violation of securities laws and regulations
- provision only covers employees of publicly traded companies and therefore does not provide protection to all whistleblowers.
• Section 1107: criminal sanctions for anyone who retaliates against another party for providing information regarding an alleged federal offense to a law enforcement officer
- protection applies to all individuals
process, effected by an entity's board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance
designed to assist management in meeting the following three categories of objectives:
1. Operations objectives: effectiveness and efficiency of the organization's operations
2. Reporting objectives: reporting of financial and nonfinancial info to internal & external parties
3. Compliance objectives: adherence to the laws and regulations to which it is subject
provide foundation for internal control system throughout the entire organization
- Established by directors and senior management, sets moral & ethical tone of an organization, which reinforces importance of internal controls and expected standards of conduct.
principles supporting design and implementation:
• Personnel at all levels demonstrate a commitment to integrity and ethical values.
• board of directors is independent from management and oversees the development and performance of internal control.
• with board oversight, management establishes the structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of organizational objectives.
• organization demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives.
• holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
Section 302 of Sarbanes-Oxley Act
requires CEO & CFO personally certify following six items in every annual and quarterly report:
• They have personally reviewed the report.
• to their knowledge, report doesn't contain any material misstatement rendering report misleading.
• financial statements & info in report fairly present in all material respects financial condition & results of company's operations.
• responsible for designing, establishing, and maintaining adequate internal controls and have evaluated the effectiveness of the internal controls within the last 90 days and presented the conclusions of that evaluation within the report.
• disclosed to their auditors & audit committee any significant deficiencies & material weaknesses in internal controls & any fraud involving employees who have a significant role in the internal controls.
• indicated in the report whether there have been any significant changes in the internal controls since the filing of the company's last report.
process that assesses the effectiveness of a control system over time.
- component of COSO's Internal Control—Integrated Framework includes both ongoing evaluations & periodic, separate evaluations, the findings of which should be evaluated against pre-defined criteria.
Framework principles supporting this component:
• select, develop, & perform ongoing & separate evaluations to ascertain whether the components of internal control are present and functioning.
• evaluates & communicates internal control deficiencies in timely manner to those parties responsible for taking corrective action, including senior management & board of directors
possibility that an event will occur and adversely affect the achievement of objectives
- Every entity faces a variety of risks from external & internal sources
identification & assessment of the risks the entity faces in achieving its organizational objectives
- process is dynamic & iterative, & it forms basis for determining how risks will be managed.
COSO principles: an organization must:
• set sufficiently clear objectives to enable the identification & assessment of risks relating to the objectives.
• identify risks to the achievement of its objectives across the entity and analyze these risks as a basis for determining how the risks should be managed.
• consider the potential for fraud in assessing risks to the achievement of objectives.
• identify & assess changes that could significantly impact the system of internal control.
internal control report
Section 404 of the Sarbanes-Oxley Act: public U.S. companies must issue it within their annual report:
• A statement of management's responsibility for establishing and maintaining adequate ICOFR
• A statement identifying the framework used by management in testing effectiveness of ICOFR
• actual assessment of effectiveness of the ICOFR
• A statement that independent auditor issued an attestation report on assessment of the ICOFR
policies & procedures that enforce management's directives intended to mitigate risk
- actions performed at all levels of organization, at all stages of business processes, and through both manual and automated procedures
- can be designed to prevent occurrence of risks, detect the occurrence of risks, or both.
• select & develop activities that mitigate risks to achievement of objectives to acceptable levels.
• select & develop general control activities over technology to support achievement of objectives.
• deploy through policies that establish what is expected & procedures putting policies into action
board of directors, or if no board of directors, the organization's highest-level governing body.
- program's day-to-day operations can be delegated, but not the duties outlined below:
-- be knowledgeable about the content & operation of the organization's compliance & ethics program
-- exercise reasonable oversight with respect to the program's implementation & effectiveness (both required by the U.S. Corporate Sentencing Guidelines)
compliance officer or compliance committee
has sufficient authority to ensure that compliance standards are strictly adhered to
- person/persons will resolve questions about the program and to help measure its effectiveness.
effectiveness of a compliance program
U.S. Corporate Sentencing Guidelines provides incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct.
- if a convicted organization had an effective compliance program in place at time of offense, sentencing judge considers organization's acts of due diligence in trying to prevent illegality when deciding whether to increase or mitigate the sentence
- effective compliance program: reasonably designed, implemented, and enforced so that it generally will be effective in preventing and detecting criminal conduct.
- failure to prevent or detect offense in question doesn't mean that the program is ineffective.
U.S. Corporate Sentencing Guidelines provide a benchmark & foundational guidance for developing an effective compliance program.
- Consistent enforcement is one of the factors; a program will not be effective if company does not punish employees who violate the program.
- adhere to a system of disciplinary actions
- new employees will be advised of the disciplinary system, & all employees sign an annual statement acknowledging that they understand it.
- range of possible punishments spelled out.
- management promotes compliance & ethics program, with incentives encouraging employees to perform in accordance with program
--incentives: rewards for reporting ethical concerns or misconduct, or for ideas for new or innovative detection and monitoring methods.
liable for criminal acts committed as a matter of organizational policy
- may be held liable for criminal acts of employees if acts done in course & scope of their employment & for ostensible purpose of benefiting corporation.
- "in the course and scope": employee has actual authority or apparent authority to engage in the acts
liability of corporate officers and directors
companies must identify employee misconduct and deal with any known or suspected instances of misconduct with efficient and decisive measures.
- doctrine of accountability: officers & directors aware of potentially illegal conduct by senior employees are liable for any recurrence of similar misconduct, & may have an obligation to halt & cure any continuing effects of initial misconduct.
- penalties for failing to take voluntary action to redress apparent misconduct by senior employees.
- failure to create an adequate compliance system may render a director liable for losses caused by non-compliance with applicable legal standards.
- directors should make sure that their companies have a corporate compliance plan in place to detect misconduct and deal with it effectively
- directors' monitoring of the company's adherence to the plan will help corporation avoid fines under U.S. Corporate Sentencing Guidelines and help prevent individual liability on the part of the directors and officers.
designing compliance and ethics programs
• industry size and practice: follow industry practice or government regulation standards
• Size of organization: Large organizations are expected to devote more formal operations and greater resources to meeting the requirements than are small organizations
• Recurrence of similar misconduct: creates doubt organization took steps to meet the requirements.
factors for effective corporate compliance program
1. Established standards and procedures to prevent and detect criminal conduct
2. Proper assignment of responsibility and oversight for the compliance program
3. Due diligence in hiring process to ensure ethics of individuals who exercise a substantial measure of discretion in acting on behalf of an organization
4. Periodic & practical communication of the compliance policy through effective training programs and other means
5. Reasonable steps to ensure program is followed, including periodically evaluating program's effectiveness, & having a publicized reporting system
6. Promotion & consistent enforcement of program through appropriate incentives for compliance & disciplinary measures for violations
7. Reasonable response to any discovered criminal conduct to prevent further similar criminal conduct, like modifying compliance and ethics program
code of ethics for senior financial officers
Sarbanes-Oxley Act requires public U.S. companies to disclose in annual report whether they have code of ethics for senior financial officers, and if not, reasoning for excluding it.
- establishment of detailed provisions of code of ethics is best left to the discretion of the company.
- rules don't have detailed requirements, particular language, compliance procedures, or sanctions for violations that must be in the code of ethics
- does encourage broader and more comprehensive adoption of codes
allows government to prove employer had knowledge of a particular fact, establishing liability
- shows employer knew there was a high probability the fact existed and consciously avoided confirming the fact.
- cannot turn a blind eye, if steps not taken to deter activity, company itself may be found liable.
corporate governance board participation
- foundation of fraud risk management
- active and committed board participation in the fraud risk management process is essential
- Managing the Business Risk of Fraud: A Practical Guide: "effective governance processes are the foundation of fraud risk management. Lack of effective corporate governance seriously undermines any fraud risk management program."
- directors are middlemen between corporation's shareholders & management, & are guardians of the organization's resources and assets
- oversees business operations by assessing the strategy and underlying purpose of management's decisions and actions.
OECD Principles of Corporate Governance
hallmark source of guidance for corporate governance practices for organizations
- nonbinding, implementation must be adapted to different legal, economic, & cultural circumstances.
-- key strength, makes it a useful tool worldwide, both in developed economies & emerging markets
• Promote transparent and fair markets and the efficient allocation of resources.
• Be consistent with the rule of law.
• Support effective supervision and enforcement.
• Protect & facilitate exercise of shareholders rights
• Ensure equitable treatment of all shareholders, including minority and foreign shareholders.
• Provide all shareholders with the opportunity to obtain effective redress for violation of their rights.
• Provide sound incentives throughout the investment chain.
• Enable stock markets to function in a way that contributes to good corporate governance.
• Recognize the rights of stakeholders established by law or through mutual agreements.
• push active cooperation between corporations & stakeholders in creating wealth, jobs, & sustainability of financially sound enterprises
• timely & accurate disclosure on all material matters regarding corporation, including the company's financial situation, performance, ownership, and governance.
• Ensure strategic guidance of company, effective monitoring of management by board, & board's accountability to company and the shareholders.
code of conduct
Companies with securities listed on the NYSE are bound by the corporate governance requirements contained in the NYSE Listed Company Manual
corporate governance standards issued as part of the NASDAQ Equity Rules apply to all entities with securities listed on the NASDAQ exchange
Both rules include a requirement that companies adopt and disclose a code of conduct for all directors, officers, and employees
any waivers of the code of conduct for directors or officers must be approved by the board of directors and disclosed.
corporate governance management
leads organization and its employees, responsible for making day-to-day decisions affect company performance &, ultimately, shareholder wealth.
roles pertaining to corporate governance include:
• Establishing strategic goals & operating objectives under board's oversight
• Directing employees to carry out business activities & managing their performance of tasks
• use & allocation of company resources and assets
• Evaluating organization's successes or failures & recalibrating the strategic approach accordingly
• Holding responsibility for the design and operation of the organization's internal controls
• Setting the true ethical tone of the organization
the way a corporation is governed; oversight responsibilities of different parties for an organization's direction, operations, & performance
- Organisation for Economic Co-operation and Development (OECD): procedures & processes an organisation is directed and controlled under, specifies distribution of rights & responsibilities among different participants in organisation-board, managers, shareholders & other stakeholders- & lays down rules & procedures for decision-making
Solid corporate governance practices are most necessary in organization where owners not also individuals responsible for setting its strategy and carrying out its business activities (such as a publicly traded company).
Sir Adrian Cadbury, purpose is to encourage efficient use of resources & equally to require accountability for stewardship of those resources, align as nearly as possible the interests of individuals, corporations, and society
NYSE Listed Company Manual requirements
board of directors have the following committees:
• nominating/corporate governance committee: identifies & select qualified director nominees, develops & recommends corporate governance guidelines, & oversees evaluation of board & mgt
• compensation committee: reviews & approves corporate goals & objectives relevant to CEO compensation, evaluates CEO's performance against those goals, determines & approves CEO compensation, & advises board on compensation of other executive officers
• audit committee: oversight of external audit function & related activities
- all three committees must be composed of independent directors
NASDAQ rules: require listed company boards to have audit committee & compensation committee. - Unlike NYSE rules, don't require board have nominating/corporate governance committee.
defines responsibility of auditor in preventing and detecting fraud, formed and sponsored by five predominant professional auditing organizations at the time—the American Institute of Certified Public Accountants, The Institute of Internal Auditors, the American Accounting Association, Financial Executives International, and the Institute of Management Accountants.
• mandatory independent audit committee made up of outside directors
• written charter that sets forth the duties and responsibilities of the audit committee
• audit committee should have adequate resources and authority to carry out its responsibilities
• audit committee: informed, vigilant, and effective
core principles of sound corporate governance
Sarbanes-Oxley Act requirements for the audit committees
- has sole responsibility for hiring, overseeing, & paying external auditors & resolving disputes arising between auditors & management regarding financial reporting issues.
- required to establish procedures (hotline) for receiving, retaining, & dealing with complaints, confidential/anonymous employee tips, regarding irregularities in the company's accounting methods, internal controls, or auditing matters.
- required to pre-approve all services performed by external auditors, may consult with outside advisors, not required to approve those advisors hired by management.
- must be members of board of directors & be "independent," meaning receive compensation only for their service on the board, cannot be paid by company, or its subsidiaries, for any consulting or advisory work, includes indirect payments by company to a party related to committee member
-- independent in fees and affiliation: not an executive officer of the company or its subsidiaries & not a shareholder of 10% or more of any class of voting stock
Shareholders and corporate governance
owners of corporations; primarily concerned with maximizing the return on their investment:
• Remain informed on operations & performance
• Reading annual reports & other communications from management to the shareholders
• Attending shareholder meetings
• Electing capable board directors
• Holding the board of directors accountable for proper governance and oversight
• Appoint or ratify audit committee's appointment of organization's independent auditors
• Voting on significant issues, like changes relating to business operations, company's corporate governance framework, & rights & responsibilities of the board of directors and executive managers
AU Section 240
requires auditors to "brainstorm" to discuss the potential for material misstatements due to fraud.
• How and where they believe the entity's financial statements might be susceptible to fraud
• How mgt could perpetrate or conceal fraud
• How the entity's assets could be misappropriated
also include a consideration of known external and internal factors affecting the entity that might:
• Create incentives/pressures for management and others to commit fraud.
• Provide opportunity for fraud to be perpetrated.
• Indicate culture or environment enables mgt & others to rationalize committing fraud.
judgments about risk of material misstatements due to fraud have effect on how the audit is conducted:
• Predictability of auditing procedures: consistent audit procedures enable entity staff to predict the tests, giving dishonest employees opportunity to disrupt the procedures or falsify data.
- address risk: incorporate an "element of unpredictability" in selection of auditing procedures to be performed, differing sampling methods and performing procedures at different locations or at locations on an unannounced basis.
• Assignment of personnel and supervision: auditor might consult with specialists in a particular field.
• Accounting principles: consider management's selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions.
fraud-related misstatements relevant for audit:
- misstatements from fraudulent financial reporting: intentional fraudulent omissions from or inclusions in the financial statements
- misstatements from misappropriation of assets: theft or misuse of company assets
identifying risks that might result in material misstatements due to fraud, consider information in context of incentives/pressures, opportunities, and attitudes/rationalizations, as well as:
• type of risk that might exist (if involves fraudulent financial reporting or misappropriation of assets)
• significance of the risk (whether magnitude that could result in a possible material misstatement)
• likelihood risk results in material misstatement
• pervasiveness of risk (risk is pervasive to financial statement as whole or specifically to a particular assertion, account, or class of transactions)
IIA's IPPF—Practice Guide: Internal Auditing and Fraud internal auditor
responsibilities that the internal auditor should carry out in conducting audit engagements
- not mandatory but recommended
• Consider fraud risks when assessing internal control design & determining of audit steps
• sufficient knowledge to identify red flags
• Be alert to opportunities that could allow fraud
• Evaluate if mgt is retaining responsibility for oversight of fraud risk mgt program, timely and sufficient corrective measures have been taken with respect to any noted control deficiencies or weaknesses, & if plan for monitoring program is still adequate for program's ongoing success.
• Evaluate the indicators of fraud and decide whether any further action is necessary or whether an investigation should be recommended.
• Recommend investigation when appropriate.
provides generally accepted government auditing standards (GAGAS), framework of guidance for auditors of government entities and entities that receive government awards.
- standards for financial audits and performance audits of government organizations
- standards covering attestation engagements, such as examinations and reviews, and other non-audit services for government organizations
- standards covering ethics, independence, professional judgment and competence, quality control, audit performance, and reporting.
Government Auditing Standards, paragraph 6.31
when auditors identify factors or risks related to fraud they believe are significant within context of audit objectives, design procedures to provide reasonable assurance of detecting such fraud.
- Assessing risk of fraud is an ongoing process throughout the audit & relates to planning audit & evaluating evidence obtained during the audit
IIA's Practice Guide: Internal Auditing and Fraud parties' typical roles and responsibilities for fraud detection and prevention
parties and their responsibilities include:
• Board of directors: effective and responsible corporate fraud governance & overseeing management's actions to manage fraud risks.
• Audit committee: evaluate management's identification of fraud risks & implementation of anti-fraud measures, provide tone at the top that fraud will not be accepted in any form, overseeing controls to prevent or detect management fraud.
• Management: overseeing activities of employees, assessing vulnerability of entity to fraud, & establishing and maintaining an effective internal control system at a reasonable cost.
• Legal counsel: advises the organization on legal matters pertaining to fraud.
• External auditors: comply with professional standards & plan & perform audit of financial statements to obtain reasonable assurance that financial statements are free of material misstatements, whether caused by error or fraud.
• Loss prevention manager: deals with crimes, disasters, accidents, waste, & other business risks, & works closely with internal auditors to identify areas of weak internal controls in organization.
• Fraud investigators: detecting and investigating fraud, as well as recovering assets.
• Other employees: report suspicious activity to a hotline, internal audit department, or management.
Institute of Internal Auditors' Standard 2120.A2
internal audit activity must evaluate potential for occurrence of fraud and how the organization manages fraud risk.
Internal Auditing Standard 1220
internal auditors must apply care & skill expected of reasonably prudent/competent internal auditor, BUT due professional care doesn't imply infallibility
generally accepted government auditing standards (GAGAS) fraud-related responsibilities of an auditor
fundamentally same as required of auditors under AU Section 240; however, include requirements related to considerations of noncompliance and abuse during a financial audit.
incorporates AICPA's generally accepted standards of reporting with several additional reporting standards specifically for government financial audits. These pertain to:
• Reporting audit performed according to GAGAS
• Reporting on internal control and on compliance with provisions of laws, regulations, contracts, and grant agreements
• Communicating identified deficiencies in internal control, fraud, and instances of noncompliance
• Reporting the views of responsible officials in instances where the report discloses deficiencies in internal control, fraud, noncompliance, or abuse
• Reporting confidential or sensitive information
• Distributing audit reports
PCAOB Audit Standards No. 5
requirements & provides guidance for auditors who are engaged to perform an audit of mgt's assessment of the internal controls that is integrated with an audit of the financial statements.
- replaced Auditing Standard No. 2; issued by the PCAOB, the body created by the Sarbanes-Oxley Act
- although objectives of financial statement audits & audits of ICOFR not identical, they should be integrated, with auditor planning and performing the work to achieve the objectives of both audits.
- auditor may choose to issue single report with both an opinion on company's financial statements and on its internal control over financial reporting (ICOFR), or separate report for each opinion.
Government Auditing Standards, paragraph 6.32
if info comes to auditors' attention indicating fraud that is significant within context of audit objectives may have occurred, auditors should extend the audit steps and procedures, as necessary, to:
(1) determine whether fraud has likely occurred
(2) determine its effect on audit findings, if is not significant within context of audit objectives, auditors may conduct additional audit work as a separate engagement, or refer the matter to other parties with oversight responsibility or jurisdiction
Private Securities Litigation Reform Act (PSLRA)
responsibilities for independent auditors of public companies: each audit of financial statements of a public company include procedures designed to provide reasonable assurance of detecting illegal acts that would have a direct & material effect on the determination of financial statement amounts.
auditor detects/becomes aware an illegal act (whether or not perceived to have a material effect on the financial statements of the issuer) has or might have occurred must then:
• Determine & consider possible effect of illegal act on financial statements, include monetary effects such as fines, penalties, & damages.
• Inform appropriate mgt "as soon as practicable."
• Ensure audit committee (or board of directors in the absence of an audit committee) is informed of illegal acts unless acts are clearly inconsequential
PCAOB Auditing Standard No. 5
test design & operating effectiveness of company's internal control over financial reporting (ICOFR)
- design effectiveness: determine whether controls satisfy company's control objectives & effectively prevent or detect errors or fraud that could result in material misstatements
- operating effectiveness: determine if controls are operating as designed, & person operating control has appropriate authority & competence
auditor must also evaluate:
(1) controls enacted to address the risk of management override of other controls
(2) whether the company's internal controls adequately address the risk of material misstatement due to fraud. These controls include:
• Controls over significant unusual transactions
• Controls over journal entries & adjustments made during end of period financial reporting process
• Controls over related-party transactions
• Controls related to significant mgt estimates
• Controls mitigating motivations for & pressures on management to engage in inappropriate earnings management and financial statement fraud
Government Auditing Standards, paragraph 6.30
"In planning the audit, auditors should assess the risks of fraud occurring that are significant within the context of the audit objectives" and should do so with an attitude of professional skepticism.
- Fraud is a type of illegal act; whether an act is fraud is determined through the judicial or other adjudicative system and is beyond auditors' professional responsibility.
Government Auditing Standards, paragraph 6.31
when auditors identify factors or risks related to fraud that has occurred or is likely to have occurred that they believe are significant within the context of the audit objectives, they should design procedures to provide reasonable assurance of detecting such fraud
Internal Auditing Standard 2120.A1
internal audit activity must evaluate risk exposures relating to the organization's governance, operations, and information systems regarding:
•Achievement of strategic objectives
•Reliability & integrity of financial & operational info
•Effectiveness & efficiency of operations
•Safeguarding of assets
•Compliance with laws, regulations, and contracts
AU Section 315
guidance on how auditor obtains knowledge about entity & its environment, including internal controls
- procedures for identifying the risks of material misstatement due to fraud:
• Make inquiries of mgt & others within entity to obtain their views on the risks of fraud and how those risks are addressed.
• Consider any unusual or unexpected relationships that have been identified in performing analytical procedures when planning the audit.
• Consider if one or more fraud risk factors exist.
• Consider info that might be helpful in identifying risks of material misstatement due to fraud.
role internal audit plays in fraud investigations
varies by organization:
- primary responsibility for fraud investigations
- resource for the investigations, or might have no involvement at all in the investigations.