How Section 404 can help deter fraud: more than simply an exercise in compliance, Sarbanes-Oxley's section on internal controls can be a good starting point for reinvigorating measures to identify and halt manipulation of financial reporting and asset misappropriation.
As financial executives know well, Sarbanes-Oxley Section 404 calls for documented proof that a company has an adequate internal control structure and procedures for financial reporting, as well as assessment of the effectiveness of these same areas. This means that company management must accept full responsibility for internal controls, and those controls must also pass the scrutiny of external auditors.
Furthermore, in the process of confirming internal control effectiveness, management can and should increase antifraud efforts to identify and halt manipulation of financial reporting and asset misappropriation, since the most common incarnations of fraud in today's companies are "inside jobs." It's a worthy next step.
New responsibilities for external auditors also help guard against fraud. In addition to inquiring about how management prevents fraud as prescribed by the Auditing Standards Board's Statement on Auditing Standards (SAS) No. 99, today auditors must actually attest to the effectiveness of the internal control structure. The auditing industry is also working to enhance the Committee of Sponsoring Organizations (COSO) framework to include fraud elements.
More Questions than Answers
The word "fraud" appears nowhere in Sarbanes-Oxley's brief Section 404 paragraph ("Management Assessment of Internal Controls"). Fraud is getting much more focus in companies today, however, because of the increasing and stringent expectation that internal controls should be structured precisely to avoid or detect fraud. The standard issued to provide guidance for Section 404 does give a cursory elaboration on fraud, but still generates as many questions as answers, such as: What's the ratio of preventative vs. detective measures? How extensive should preventative measures be around the largest asset base or revenue stream?
Since every industry is different, clear-cut fraud prevention or detection standards that can be deployed across companies in the same industry are not always applicable to other sectors. Managers should zero in on existing and emerging best practices in their particular industries by utilizing consultants or specialists with extensive knowledge and experience with that industry's internal controls.
For example, antifraud standards for a high-tech manufacturing company that produces serialized inventory parts would be very different than one that manufactures large, high-tech industrial products. Standards aside, there are clear advantages to merging the new administrative responsibility with improved perspectives and processes capable of rooting out fraud, both real and potential.
For starters, Section 404 fosters renewed value for internal fraud assessment. Starting with an end goal has clear benefits: A fraud assessment and monitoring plan is key to an organization having a true control structure that identifies, prevents and detects fraud. It behooves upper management to identify areas of particular susceptibility among employees in production, operations and administration.
Fraud risk assessment begins simply by brainstorming to uncover available schemes and scenarios that could permit fraud. Companies can start by asking how an employee at any level could divert money or assets. Possibilities here include taking assets and tagging them "return to vendors," taking inventory and calling it salvage or recording a credit payment and immediately recording a debit on the same account. For instance, are accounts at the $20,000-and-under level ever reconciled, and do employees know that?
Equally threatening are the gaps in accounting that pave the way for managers to commit fraud. Look for ways in which executives can make direct gains, such as misappropriations, misreporting or manipulation of earnings or financial results. Commonly, if managers' commissions or bonuses are based on earnings per share or reported earnings for the first three quarters of the fiscal year, then they may have an incentive to manipulate reporting for those periods.
An annual fraud assessment of risk is strongly recommended for all organizations.
The Best Defense
A comprehensive antifraud program should include expert help in developing both design and operations. Among the extensive checks and balances enforced system-wide, the information technology (IT) infrastructure, systems and procedures need scrutiny. IT's internal and external security, access permissions and restrictions and system configuration also must be assessed. A periodic IT scan of the critical financial and operating systems permissions can reveal whether some employee received greater administrative rights to records than is warranted.
Access and permission to electronic data is vitally important to manage because access to assets such as cash funds and inventory can be manipulated without detection. The remedy is a segregation of duties in today's technically sophisticated organization. Does an accounts payable clerk have access to online banking for cash disbursements? Does someone handling inventory control have the ability to both receive and release inventory? Such questions were often left unasked prior to major fraud scandals that have rocked the corporate world.
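The periodic permission scan and the segregation-of-duties questions above can be run as a simple check over an export of user grants. The sketch below is an added example, not part of the original article; the permission names, roles, users and baseline are hypothetical and the grant data is constructed for illustration.

```python
from itertools import combinations

# Incompatible duty pairs, taken from the two questions in the text above:
# an accounts payable clerk with online-banking disbursement rights, and
# one person able to both receive and release inventory.
# Permission names are hypothetical.
INCOMPATIBLE = {
    frozenset({"ap_invoice_entry", "bank_disbursement"}),
    frozenset({"inventory_receive", "inventory_release"}),
}

# Rights each role is expected to hold (hypothetical baseline).
ROLE_BASELINE = {
    "ap_clerk": {"ap_invoice_entry"},
    "receiving": {"inventory_receive"},
    "shipping": {"inventory_release"},
    "treasury": {"bank_disbursement"},
}

# Constructed export of current grants: user -> (role, granted permissions).
GRANTS = {
    "jdoe": ("ap_clerk", {"ap_invoice_entry", "bank_disbursement"}),
    "asmith": ("receiving", {"inventory_receive"}),
    "bchan": ("shipping", {"inventory_release", "inventory_receive"}),
    "mlee": ("treasury", {"bank_disbursement", "sys_admin"}),
}

def scan(grants, baseline=ROLE_BASELINE, incompatible=INCOMPATIBLE):
    """Return (user, finding_type, detail) tuples for review."""
    findings = []
    for user, (role, perms) in sorted(grants.items()):
        # Segregation of duties: one user holding both halves of a pair.
        for pair in combinations(sorted(perms), 2):
            if frozenset(pair) in incompatible:
                findings.append((user, "sod_conflict", pair))
        # Rights beyond what the role warrants; an unknown role has no
        # baseline, so every right it holds is reported.
        excess = perms - baseline.get(role, set())
        if excess:
            findings.append((user, "excess_rights", tuple(sorted(excess))))
    return findings

if __name__ == "__main__":
    for finding in scan(GRANTS):
        print(finding)
```

Run on each period's export, the findings list gives internal audit a concrete set of grants to justify or revoke.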
Management used to worry about the person who physically got the check or cash and deposited it with the bank. Now, they worry about the person who receives it by wire or automated clearing house (ACH). The ease, lightning speed and covert nature of automated fraud have far surpassed the potential ever posed by manual fraud. Large transactions today through electronic data interchange (EDI) never hit paper, leaving little or no trace.
Smart management focuses on operational safeguards, too, and it's critical to consider both potential deficiencies and material weaknesses. For instance, if a company knows it has deficiencies in the way it recognizes revenue, then the company has a vulnerability point. A manager can exploit that control weakness to record revenue never received, and could then get an unmerited bonus or make an insupportably profitable stock trade.
Every company should issue a separate fraud prevention policy to augment a code of ethics that is reviewed annually and understood and practiced by every employee. Similarly, every employee should know the company takes fraud very seriously, whether committed by the highest board member or the lowliest shop worker. They should also know that whistleblowers are welcomed.
All employees must realize, via effective communication, that the company is relentless in practicing leading-edge measures for both preventing and detecting fraud. A clear explanation should also be provided about possible termination--whether the worker is management or rank-and-file--as well as information about how the company will investigate allegations of fraud and, if warranted, criminal prosecution. In fact, past cases of fraud prosecution should be cited as examples of actions the company might take in the future.
Given the fact that fraud most often stems from the malfeasance of one or two employees operating in an isolated environment, policies enforcing segregation of duties, cross-training, job rotation and mandatory vacations also have definite advantages. Incompatible duties should be divided; the person who receives money shouldn't be the same person who reconciles the bank account. Likewise, collaboration should be limited, since the two in this example could defraud the company without detection because the only protective control might be performed by one of the pair.
Also, while there are advantages to sole individuals serving as a "gate-keeper" or "go-to person," any time a system rotates solely around one person, that person may have too much control. Believing that "we can't function because Sharon or Sam is on vacation" may signal a need to re-evaluate the division of responsibilities. The employees may be very trustworthy and ethical, but the company is vulnerable to fraud nonetheless.
The Value of Internal Auditing
Many companies have removed resources from traditional internal auditing operations to achieve compliance with the internal control standard. This has resulted in a trade-off of continuous fraud prevention for elite internal controls, and that move has increased vulnerability. Keeping a close watch each quarter on transaction flow, asset changes, inventory shrinkage, fixed assets, loss prevention and cash control is less prevalent. Is that wise?
Internal auditing accomplishes both internal control identification and fraud prevention, as aligned with COSO standards. Therefore, the good news is that reinstituting tried-and-true internal auditing helps compliance with Sarbanes-Oxley Section 404, and thus is well worth it.
Ultimately, Sarbanes-Oxley Section 404 is about internal control and administrative responsibility, not about fraud. Writing down what the company already does leads to a stronger, more controlled system. That creates a unique opportunity on the operations side, however, that presents possibly unrecognized value for the company. And what company, internal auditor or executive doesn't value fraud prevention and detection and wouldn't jump at the chance to improve safeguards?
Alyssa G. Martin, CPA, is Partner in Charge of the Risk Assessment and Sarbanes-Oxley Solutions group at Weaver and Tidwell, LLP, an accounting firm with offices in Fort Worth and Dallas. She can be reached at 817.332.7905.
|Author:||Martin, Alyssa G.|
|Date:||May 1, 2005|