How Section 404 can help deter fraud: more than simply an exercise in compliance, Sarbanes-Oxley's section on internal controls can be a good starting point for reinvigorating measures to identify and halt manipulation of financial reporting and asset misappropriation.The Sarbanes-Oxley Act See SOX. of 2002's mandate for authoritative documentation is expected to enhance a company's internal control structure to add prevention--not just detection--of fraud. Within the regulations are management's requirements to identify schemes and scenarios that could invite fraud. By establishing checks and balances in internal controls--regardless of technical or resource restrictions--fraud can be halted early instead of running unnoticed for months, as has been common. [ILLUSTRATION OMITTED] As financial executives know well, Sarbanes-Oxley Section 404 calls for documented proof that a company has an adequate internal control structure and procedures for financial reporting, as well as assessment of the effectiveness of these same areas. This means that company management must accept full responsibility for internal controls, and those controls must also pass the scrutiny of external auditors The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. . Furthermore, in the process of confirming internal control effectiveness, management can and should increase antifraud efforts to identify and halt manipulation of financial reporting and asset misappropriation misappropriation n. the intentional, illegal use of the property or funds of another person for one's own use or other unauthorized purpose, particularly by a public official, a trustee of a trust, an executor or administrator of a dead person's estate, or by any , since the most common incarnations of fraud in today's companies are "inside jobs." It's a worthy next step. New responsibilities for external auditors also help guard against fraud. In addition to inquiring about how management prevents fraud as prescribed by the Auditing Standards Board's Statement on Auditing Standards (SAS (1) (SAS Institute Inc., Cary, NC, www.sas.com) A software company that specializes in data warehousing and decision support software based on the SAS System. Founded in 1976, SAS is one of the world's largest privately held software companies. See SAS System. ) No. 99, today auditors must actually attest To solemnly declare verbally or in writing that a particular document or testimony about an event is a true and accurate representation of the facts; to bear witness to. To formally certify by a signature that the signer has been present at the execution of a particular writing so as to the effectiveness of the internal control structure. The auditing industry is also working to enhance the Committee of Sponsoring Organizations (COSO COSO Committee of Sponsoring Organizations of the Treadway Commission COSO Church of Spiral Oak COSO Corporate South COSO Class of Service Override COSO Combat Oriented Supply Operations (USAF) ) framework to include fraud elements. More Questions than Answers The word "fraud" appears nowhere in Sarbanes-Oxley's brief Section 404 paragraph ("Management Assessment of Internal Controls"). Fraud is getting much more focus in companies today, however, because of the increasing and stringent expectation that internal controls should be structured precisely to avoid or detect fraud. The standard issued to provide guidance for Section 404 does give a cursory cur·so·ry adj. Performed with haste and scant attention to detail: a cursory glance at the headlines. [Late Latin curs elaboration on fraud, but still generates as many questions as answers, such as: What's the ratio of preventative vs. detective measures? How extensive should preventative measures be around the largest asset base or revenue stream? Since every industry is different, clear-cut fraud prevention or detection standards that can be deployed across companies in the same industry are not always applicable to other sectors. Managers should zero in on existing and emerging best practices in their particular industries by utilizing consultants or specialists with extensive knowledge and experience with that industry's internal controls. For example, antifraud standards for a high-tech manufacturing company that produces serialized inventory parts would be very different than one that manufactures large, high-tech industrial products. Standards aside, there are clear advantages to merging the new administrative responsibility administrative responsibility Any task or duty related to managing an institution; non-Pt management-related responsibilities of physicians include chart review, participation in the tumor board or tissue committee, etc. Cf Clinical responsibility. with improved perspectives and processes capable of rooting out fraud, both real and potential. Fraud Assessment For starters, Section 404 fosters renewed value for internal fraud assessment. Starting with an end goal has clear benefits: A fraud assessment and monitoring plan is key to an organization having a true control structure that identifies, prevents and detects fraud. It behooves upper management to identify areas of particular susceptibility among employees in production, operations and administration. Fraud risk assessment begins simply by brainstorming to uncover available schemes and scenarios that could permit fraud. Companies can start by asking how an employee at any level could divert money or assets. Possibilities here include taking assets and tagging them "return to vendors," taking inventory and calling it salvage or recording a credit payment and immediately recording a debit on the same account. For instance, are accounts at the $20,000-and-under level ever reconciled, and do employees know that? Equally threatening are the gaps in accounting that pave the way for managers to commit fraud. Look for ways in which executives can make direct gains, such as misappropriations, misreporting or manipulation of earnings or financial results. Commonly, if managers' commissions or bonuses are based on earnings per share or reported earnings for the first three quarters of the fiscal year, then they may have an incentive to manipulate reporting for those periods. An annual fraud assessment of risk is strongly recommended for all organizations. The Best Defense A comprehensive antifraud program should include expert help in developing both design and operations. Among the extensive checks and balances enforced system-wide, the information technology (IT) infrastructure, systems and procedures need scrutiny. IT's internal and external security, access permissions and restrictions and system configuration also must be assessed. A periodic IT scan of the critical financial and operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. permissions can reveal whether some employee received greater administrative rights to records than is warranted. Access and permission to electronic data is vitally important to manage because access to assets such as cash funds and inventory can be manipulated without detection. The remedy is a segregation of duties in today's technically sophisticated organization. Does an accounts payable clerk have access to online banking for cash disbursements? Does someone handling inventory control have the ability to both receive and release inventory? Such questions were often left unasked un·asked adj. 1. Not asked: Several unasked questions remain. 2. Not invited: Unasked guests arrived at the party. 3. prior to major fraud scandals that have rocked the corporate world. Management used to worry about the person who physically got the check or cash and deposited it with the bank. Now, they worry about the person who receives it by wire or automated clearing house See ACH. (ACH (Automated Clearing House) A system of the U.S. Federal Reserve Bank that provides electronic funds transfer (EFT) between banks. It is used for all kinds of fund transfer transactions, including direct deposit of paychecks and monthly debits for routine payments to ). The ease, lightening lightening /light·en·ing/ (lit´en-ing) the sensation of decreased abdominal distention produced by the descent of the uterus into the pelvic cavity, two to three weeks before labor begins. speed and covert nature of automated fraud has far surpassed the potential ever posed by manual fraud. Large transactions today through electronic data interchange See EDI. (application, communications) electronic data interchange - (EDI) The exchange of standardised document forms between computer systems for business use. EDI is part of electronic commerce. (EDI (Electronic Data Interchange) The electronic communication of business transactions, such as orders, confirmations and invoices, between organizations. Third parties provide EDI services that enable organizations with different equipment to connect. ) never hit paper, leaving little or no trace. Smart management focuses on operational safeguards, too, and it's critical to consider both potential deficiencies and material weaknesses. For instance, if a company knows it has deficiencies in the way it recognizes revenue, then the company has a vulnerability point. A manager can exploit that control weakness to record revenue never received, and could then get an unmerited bonus or make an insupportably profitable stock trade. Every company should issue a separate fraud prevention policy to augment a code of ethics Code of Ethics can refer to:
All employees must realize, via effective communication, that the company is relentless in practicing leading-edge measures for both preventing and detecting fraud. A clear explanation should also be provided about possible termination--whether the worker is management or rank-and-file--as well as information about how the company will investigate allegations of fraud and, if warranted, criminal prosecution. In fact, past cases of fraud prosecution should be cited as examples of actions the company might take in the future. Given the fact that fraud most often stems from the malfeasance The commission of an act that is unequivocally illegal or completely wrongful. Malfeasance is a comprehensive term used in both civil and Criminal Law to describe any act that is wrongful. of one or two employees operating in an isolated environment, policies enforcing segregation of duties, cross-training, job rotation 17:43, 15 October 2007 (UTC)17:43, 15 October 2007 (UTC)17:43, 15 October 2007 (UTC)17:43, 15 October 2007 (UTC)17:43, 15 October 2007 (UTC)17:43, 15 October 2007 (UTC)~~×≥ An approach to management development is job rotation and mandatory vacations also have definite advantages. Incompatible duties should be divided; the person who receives money shouldn't be the same person who reconciles the bank account. Likewise, collaboration should be limited, since the two in this example could defraud To make a Misrepresentation of an existing material fact, knowing it to be false or making it recklessly without regard to whether it is true or false, intending for someone to rely on the misrepresentation and under circumstances in which such person does rely on it to his or the company without detection because the only protective control might be performed by one of the pair. Also, while there are advantages to sole individuals serving as a "gate-keeper" or "go-to person," any time a system rotates solely around one person, that person may have too much control. Believing that "we can't function because Sharon or Sam is on vacation" may signal a need to re-evaluate the division of responsibilities. The employees may be very trustworthy and ethical, but the company is vulner-able to fraud nonetheless. The Value of Internal Auditing Many companies have removed resources from traditional internal auditing operations to achieve compliance with the internal control standard. This has resulted in a trade-off of continuous fraud prevention for elite internal controls, and that move has increased vulnerability. Keeping a close watch each quarter on transaction flow, asset changes, inventory shrinkage, fixed assets fixed assets npl → activo sg fijo fixed assets npl → immobilisations fpl fixed assets fix npl → , loss prevention and cash control is less prevalent. Is that wise? Internal auditing accomplishes both internal control identification and fraud prevention, as aligned with COSO standards. Therefore, the good news is that reinstituting tried-and-true internal auditing helps compliance with Sarbanes-Oxley Section 404, and thus is well worth it. Ultimately, Sarbanes-Oxley Section 404 is about internal control and administrative responsibility, not about fraud. Writing down what the company already does leads to a stronger, more controlled system. That creates a unique opportunity on the operations side, however, that presents possibly unrecognized value for the company. And what company, internal auditor Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. or executive doesn't value fraud prevention and detection and wouldn't jump at the chance to improve safeguards? Alyssa G. Martin, CPA (Computer Press Association, Landing, NJ) An earlier membership organization founded in 1983 that promoted excellence in computer journalism. Its annual awards honored outstanding examples in print, broadcast and electronic media. The CPA disbanded in 2000. , is Partner in Charge of the Risk Assessment and Sarbanes-Oxley Solutions group at Weaver and Tidwell, LLP LLP - Lower Layer Protocol , an accounting firm with offices in Fort Worth and Dallas. She can be reached at 817.332.7905. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion