Internal Work Environment and Corporate Governance
The board of directors is a group of persons elected by the shareholders to represent them at the highest level of corporate decision making and to monitor the work of management. A report published in 1999 for the NYSE and NASD by the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees (BRC) says explicitly that "the board must perform active and independent oversight to be, as the law requires, a fiduciary for those who invest in the company." 1 The board must be committed to the principles of transparency and full disclosure and, one might add, to full compliance with GAAP and the regulations of the appropriate regulatory bodies. If the board understands its independent role, then it is likely the audit committee, a creature of the board, will also do its duty. Companies proven to be earnings manipulators tend to be those with no audit committee or a very weak and compromised one. About a quarter of all companies subject to SEC enforcement action did not have audit committees.
The report sees the role of the audit committee as follows.
The committee's job is clearly one of oversight and monitoring, and in carrying out this job it acts in reliance on senior financial management and the outside auditors. A proper and well-functioning system exists, therefore, when the three main groups responsible for financial reporting (the full board including the audit committee, financial management including the internal auditors, and the outside auditors) form a "three-legged stool" that supports responsible financial disclosure and active and participatory oversight.
Characteristics of a Good Audit Committee
The BRC made numerous recommendations for the effective working of a good audit committee. Despite the fact that the BRC's mandate was to make recommendations for the conduct of audit committees of companies big enough to be listed on the NYSE or the National Association of Security Dealers and Quotation Analysts (NASDAQ), many of the principles would apply equally well to smaller, private companies.
The foundation of a good audit committee is the independence of its members. Recent studies have shown a direct correlation between audit committee independence and better monitoring and a lower incidence of financial statement fraud. The BRC defines independence as follows.
Members of the audit committee shall be considered independent if they have no relationship to the corporation that may interfere with the exercise of their independence from management and the corporation. Examples of such relationships include:
- A director being employed by the corporation or any of its affiliates for the current year or any of the past five years;
- A director accepting any compensation from the corporation or any of its affiliates other than compensation for board service or benefits under a tax-qualified retirement plan;
- A director being a member of the immediate family of an individual who is, or has been in any of the past five years, employed by the corporation or any of its affiliates as an executive officer;
- A director being a partner in, or a controlling shareholder or to which the corporation made, or from which the corporation received, payments that are or have been significant to the corporation or business organization in any of the past five years;
- A director being employed as an executive of another company where any of the corporation's executives serves on that company's compensation committee.
Building on this foundation of independence, the BRC recommends that for listed companies with capitalization in excess of $200 million, the audit committee should be composed of a minimum of three financially literate and entirely independent directors. The audit committee should have a charter approved by the full board describing its structure and responsibilities. The outside CPA should be accountable to the whole board of directors. The audit committee should be responsible for the selection of the outside CPA. The audit committee should have a formal written statement from the outside CPA describing all relationships between itself and the company. The audit committee should discuss with the outside CPA all aspects of the effectiveness or lack thereof of the company's accounting practices. If the board of directors is weak and the audit committee is weak or nonexistent, internal controls are likely to be deficient or lacking altogether.
COSO
The COSO, a voluntary private sector organization dedicated to improving the quality of financial reporting, in its recently published Fraudulent Financial Reporting: 1987-1997 (An Analysis of U.S. Public Companies) sought to identify and examine company and management characteristics in corporations involved in financial statement fraud. 2 The COSO examined about 200 cases from which it drew a number of generalized conclusions about the governance of fraud companies.
The presence and efficient functioning of internal controls is central to limiting the opportunities for fraud. Unfortunately, the small size of many companies makes them unable or unwilling to spend the money for proper controls or to pay for better trained and more experienced senior executives. These smaller companies are also unlikely to have strong audit committees capable of monitoring the nebulous but important matter of pressure on senior executives to report aggressively to meet investment community expectations or the numbers required to trigger bonuses. The CEO or CFO was involved in 83 percent of the reported fraud cases.
A strong audit committee is an essential element in fraud prevention. Among the fraud companies surveyed, 25 percent had no audit committee and among those that did, 65 percent of the directors were not certified in accounting or had held no accounting or financial positions. At the fraud companies, the committee usually met only once a year. (A pliable, inexperienced, and inattentive board is often the creation of a domineering CEO. Given the fact that in 83 percent of the reported fraud cases the CEO or CFO was involved, the combination of a weak board and aggressive leaders could be an indicator of financial statement fraud.)
The COSO report confirmed the findings of the BRC mentioned above concerning the need for an independent board of directors. At the fraudulent companies, about 60 percent of the board members were insiders or "gray" directors, meaning, outsiders with some family, business, equity, or other tie to the company or its management. About 40 percent of the boards had no directors serving on the boards of other companies. Directors and officers owned about a third of the companies' stock while the CEO or president owned about 17 percent. In about 40 percent of the companies, there were family relationships among the directors and officers. About 20 percent showed officers holding incompatible positions such as CEO and CFO.
The average period during which fraud occurred was 23.7 months and often started with the misstatement of interim statements. Therefore, it is important to review the controls surrounding quarterly statement preparation. Because misstatements of accounts often occur near the period ends, internal controls relating to transaction cutoff and asset valuation should be tested.
The Boeing Company adopted recommendations from a previous COSO report entitled Internal Control Integrated Framework and came up with a list of criteria to be used to establish an unsatisfactory rating. 3 The following sections describe those criteria.
Control Environment.
The criteria for the control environment are the following.
- Hard controls are missing or inadequate.
- There are verified instances of breakdowns of soft controls.
Risk Assessment.
The criteria for risk assessment are the following.
- Management has not predefined relevant objectives.
- Such objectives are incompatible with broader objectives.
- Management has not identified relevant risks to achieving its objectives.
- Management does not have a basis for determining which risks are most critical.
- Management has not ensured mitigation of critical operating risks.
- Audit tests detect key risks not previously contemplated by management.
Control Activities.
The criteria for control activities are the following.
Information and Communication.
The criteria for information and communication are the following.
- Key metrics are not identified, collected, and communicated.
- Employees' misunderstanding of their control responsibilities is pervasive.
- Customer or supplier complaints and disputes are not resolved or remedial action is not undertaken in a timely manner.
Monitoring.
Management has not established a means of determining the quality of the internal control system over time either through independent evaluations or ongoing, structured, and independent process checks.
Overall.
The ratings of all components should be considered to determine whether controls provide reasonable assurance that management objectives will be achieved. Strength in the internal controls of one component may compensate for a control weakness in another.
1. Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees, 1999. Available at http://www.nyse.com and http://www.nasdaqnews.com/.
2. http://www.coso.org
3. Dennis Applegate and Ted Wills, "Struggling to Incorporate the COSO Recommendations into Your Audit Process? Here's One Audit Shop's Winning Strategy," Internal Auditor, published by The Institute of Internal Auditors, December 1999, http://www.coso.org/Articles/audit_shop.htm.