Fraud finds: auditors, armed with SOX provisions, chip away at corporate fraud.An independent auditor is required to plan and perform an audit to obtain reasonable assurance that financial statements are free of material misstatements, whether caused by error or fraud. [ILLUSTRATION OMITTED] Generally accepted auditing standards define the auditor's responsibility related to fraud in Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (SAS No. 99), which provides guidance in connection with fraudulent financial reporting and the misappropriation of assets. SAS No. 99 uses a risk assessment approach that includes a discussion among engagement personnel about fraud risks, gathering information to identify fraud risks, assessing fraud risks after considering internal controls and responding to any significant fraud risks discovered. One of the intended consequences of the Sarbanes-Oxley Act was to help independent auditors fight corporate fraud. Among other things, SOX required the disclosure of company ethics policies, enhanced conflict of interest protections and defined corporate responsibility for the disclosure of fraud to the auditor. It also called for corporate procedures to collect and investigate whistle-blower fraud claims. Each of these measures has helped auditors identify and assess financial statement fraud risks. ETHICS, CONFLICTS OF INTEREST SOX Sec. 406 requires each company to disclose its code of ethics, defined as standards for senior financial officers that are "reasonably necessary to promote: * Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships; * Full, fair, accurate, timely and understandable disclosure in the periodic reports required to be filed by the issuer; and * Compliance with applicable governmental rules and regulations." Additional conflict of interest prohibitions cover corporate loans to officers and directors. If a company has not adopted a code of ethics, it is required to disclose this fact and the reasons therefore. The communication of ethics and conflict of interest policies by senior corporate officials, together with consistent employee fraud awareness and ethics training, set the tone necessary to reduce fraud risks. Key executives can be interviewed to determine their knowledge of policies and any efforts taken to ensure communication and compliance by company personnel; training programs can be evaluated and attendance verified; and compliance with policies can be tested by looking at annual employee policy sign-offs, whistle-blower processes and reports. As such, auditors are paying more attention to enterprise self-assessments of fraud risks and focusing on internal control testing in areas deemed to have significant fraud risk exposure, such as revenue recognition, understatement of expenses and liabilities or the manipulation of assets. In addition, the communication and training that SOX mandates related to ethics should lead to more employee whistle-blower reports that provide valuable evidence to the auditor about fraud. The Committee of Sponsoring Organizations of the Treadway Commission reinforces the concept of strong internal controls centered on ethical corporate behavior. COSO believes that internal control is made up a five key components, one of which is control environment factors that set the tone of the company. These factors, according to COSO, include "the integrity, ethical values and competence of the entity's people; management's philosophy and operating style; the way management assigns authority and responsibility, and organizes and develops its people; and the attention and direction provided by the board of directors." Additional evidence that demonstrates to the auditor the value of well-functioning fraud and ethics policy controls is found in a recent study of more than 1,100 fraud cases reported by the Association of Certified Fraud Examiners. In its 2006 study, "2006 A CFE Report to the Nation on Occupational Fraud and Abuse," the median time to detect a fraud was 15 months for organizations having fraud awareness or ethics training. For companies without such programs, the time increased markedly to 24 months. Similarly, median fraud losses were cut from $200,000 to $100,000 for companies whose employees have had fraud or ethics training. DISCLOSURE OF FRAUD Executive officers are required under SOX Sec. 302 to disclose fraud to the auditor. Specifically, the principal executive and financial officers must "have disclosed to the issuer's auditors and the audit committee of the board of directors (or persons fulfilling the equivalent functions): * All significant deficiencies in the design or operation of internal controls which could adversely affect the issuer's ability to record, process, summarize, and report financial data and have identified for the issuer's auditors any material weaknesses in internal controls; and * Any fraud, whether or not material, that involves management or not material, that involves management or other employees who have a significant role in the issuer's internal controls ..." Although it would seem that this is clearly a management responsibility, there are past examples of situations in which management, by choice or ignorance, would fail to provide the auditor full and complete disclosure. This is no longer acceptable by law. The statutory requirement for the disclosure of fraud significantly strengthens the written representations provided by management to the auditor. In addition, there are severe penalties for intentional failure to comply. For example, executives and officers may be terminated and charged with civil and criminal crimes bearing long prison terms and large monetary fines under revised sentencing guidelines. The importance of this fraud disclosure to the auditor is emphasized again by the ACFE 2006 study, which shows that owners and senior management are the most likely to commit a material fraud against any company. That is because "the more authority an individual has, the greater that individual's access to organizational resources, and the more ability that person has to override controls in order to conceal the fraud," according to the report. The median loss for a fraud committed by an owner or executive is $1 million. If the individual earns more than $500,000, the median loss soars to $8 million per fraud. That is compared to $75,000-$78,000 in fraud losses caused by an average employee. WHISTLE-BLOWERS Under Sec. 301, the audit committee is charged with the responsibility to "establish procedures for: * The receipt, retention and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing; and * The confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting and auditing matters." SOX gives audit committees the right to engage advisers and necessary funding to investigate whistle-blower allegations and provides whistle-blower protections that ensure employees of public companies will not suffer undesirable consequences from raising and reporting a concern. Whistle-blower complaints are a key source for auditors to identify fraud and assess the appropriateness of company remedial actions connected to such claims. According to the ACFE, fraud is discovered more than 40 percent of the time through a tip in public companies. Whistle-blower complaints can reveal fraud risks, potential internal control weaknesses, ineffective oversight and adverse trends. Research by the National Bureau of Economic Research shows that auditors are discovering more fraud after the enactment of SOX (http://nber.org/papers/w12882). The 2007 report "Who Blows the Whistle on Corporate Fraud," provided a detailed study of every reported corporate fraud from 1996-2004 for companies with more than $750 million in assets. The results show "a significant uptick in the overall level of auditor involvement in detection [of fraud] and the scope of their detection activity." The study reflects that auditors are better at identifying different types of fraud and that their detection of fraud has increased more than 75 percent post-SOX. Prior to SOX, "auditors accounted for just 9.6 percent of frauds detected by external actors, and focused exclusively on frauds requiring financial restatements." Post-SOX, "They account for 16.9 percent of cases, and their activity is spread across not only financial restatement cases, but also those cases not involving restatements." An independent auditor is required to plan and perform an audit to obtain reasonable assurance that financial statements are free of material misstatements, whether caused by error or fraud. The enactment of SOX has given the auditor additional resources to identify and assess financial statement fraud risks. Through executive disclosure, improved policies and audit committee whistle-blower responsibilities, auditors have access to new information that is being used to fight fraud. BY BRADLEY J. PREBER, CPA AND ANN E. WILSON, CPA Bradley J. Preber, CPA, CFE, is the West Region Partner-in-Charge of Forensic Accounting & Investigative Services at Grant Thornton LLP. He can be reached at brad.preber@gt.com. Ann E. Wilson, CPA is the Southern California Forensic Accounting & Investigative Services Director for Grant Thornton LLP. She can be reached at ann.wilson@gt.com. |
|
||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion