The CPA alone cannot prevent fraud. However, the CPA can be instrumental in helping to assemble the resources of the various departments within a company and work with directors, management, employees, and others to institute anti-fraud programs.
Players in the Organization
Audit Committee and Board of Directors
The audit committee (or the board of directors where no audit committee exists) should evaluate management's identification of fraud risks, implementation of anti-fraud measures, and creation of the appropriate "tone at the top." Active oversight by the audit committee can help to reinforce management's commitment to creating a culture with "zero tolerance" for fraud. An entity's audit committee also should ensure that senior management (in particular, the CEO) implements appropriate fraud deterrence and prevention measures to better protect investors, employees, and other stakeholders. The audit committee's evaluation and oversight not only helps make sure that senior management fulfills its responsibility, but also can serve as a deterrent to senior management engaging in fraudulent activity (that is, by ensuring an environment is created whereby any attempt by senior management to involve employees in committing or concealing fraud would lead promptly to reports from such employees to appropriate persons, including the audit committee).
Management is responsible for assessing the risk of fraud and implementing appropriate anti-fraud programs and controls to reduce that risk to an acceptable level. Executives also play an important role in determining the ethical tone of the company by setting the proper example. Employees have a right to expect that their leaders set high standards. In the absence of management integrity, fraud can permeate the company.
Management should also provide a mechanism for employees to report concerns about unethical behavior, actual or suspected fraud, or violations of the entity's code of conduct or ethics policy.
An effective internal audit team can be extremely helpful in performing aspects of the oversight function. Their knowledge about the entity may enable them to identify indicators that suggest fraud has been committed.
Internal audits can be both a detection and a deterrence measure. Internal auditors can assist in the deterrence of fraud by examining and evaluating the adequacy and the effectiveness of the system of internal control, commensurate with the extent of the potential exposure or risk in the various segments of the organization's operations.
Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. This may include the use of computer-assisted and analytical procedures to isolate anomalies and performing detailed reviews of high-risk accounts and transactions to identify potential financial statement fraud. The internal auditors should have an independent reporting line directly to the audit committee, to enable them to express any concerns about management's commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.
Independent auditors can assist management and the board of directors (or audit committee) by providing an assessment of the entity's process for identifying, assessing, and responding to the risks of fraud. The board of directors (or audit committee) should have an open and candid dialogue with the independent auditors regarding management's risk assessment process and the system of internal control. Such a dialogue should include a discussion of the susceptibility of the entity to fraudulent financial reporting and the entity's exposure to misappropriation of assets.
Anti-fraud specialists, such as certified fraud examiners, may assist the audit committee and the board of directors with aspects of the oversight process either directly or as part of a team of internal auditors or independent auditors. They can assist the audit committee and board of directors in evaluating the fraud risk assessment and fraud prevention measures implemented by management. Certified fraud examiners also conduct examinations to resolve allegations or suspicions of fraud, reporting either to an appropriate level of management or to the audit committee or the board of directors, depending upon the nature of the issue and the level of personnel involved.
Every company should have an ethics policy and a fraud policy, which should be communicated to employees upon hiring and periodically thereafter. Employees should be trained as to the types of fraud that can occur and what they should do when they suspect fraud.
It is vital that employees be constantly encouraged to report irregularities. Often an employee can "smell" when something does not seem right. For example, a supervisor insists on handling a particular account himself and gets angry when anyone else gets involved. The employee has no evidence that fraud is occurring, but he knows that something is suspicious. Employees should be encouraged to report this conduct.
This is why an anonymous reporting mechanism is so important. The Association of Certified Fraud Examiners' 2002 Report to the Nation on Occupational Fraud and Abuse reported that the most common method for detecting occupational fraud was a tip from an employee, customer, vendor, or anonymous source. An anonymous employee hotline is the most effective reporting mechanism.
Assessing an Organization's Risk of Fraud
As has been demonstrated throughout this course, fraud is an expensive drain on an entity's financial resources. In today's globally competitive environment, no one can afford to throw away the 6% of revenues that represents the largely hidden cost of fraud. Those businesses that have identified their most significant fraud costs (such as insurance and credit card companies) have made great strides in attacking and reducing those costs. If an entity isn't identifying and tackling its fraud costs, it is vulnerable to competitors who lower their costs by doing so.
CPAs can help their employers and their clients by assisting them in evaluating each of the fraud prevention processes set forth below and helping to correct any deficiencies.
Fraud Risk Oversight
To what extent has the entity established a process for oversight of fraud risks by the board of directors or others charged with governance (e.g., an audit committee)?
Fraud Risk Ownership
To what extent has the entity created "ownership" of fraud risks by identifying a member of senior management as having responsibility for managing all fraud risks within the entity and by explicitly communicating to business unit managers that they are responsible for managing fraud risks within their part of the entity?
Fraud Risk Assessment
To what extent has the entity implemented an ongoing process for regular identification of the significant fraud risks to which the entity is exposed?
Fraud Risk Tolerance and Risk Management Policy
To what extent has the entity identified and had approved by the board of directors its tolerance for different types of fraud risks? For example, some fraud risks may constitute a tolerable cost of doing business, while others may pose a catastrophic risk of financial or reputational damage to the entity. The entity will likely have a different tolerance for these risks.
To what extent has the entity identified and had approved by the board of directors a policy on how the entity will manage its fraud risks? Such a policy should identify the risk owner responsible for managing fraud risks, what risks will be rejected (e.g., by declining certain business opportunities), what risks will be transferred to others through insurance or by contract, and what steps will be taken to manage the fraud risks that are retained.
Process Level Anti-Fraud Controls/Re-engineering
To what extent has the entity implemented measures, where possible, to eliminate or reduce through process re-engineering each of the significant fraud risks identified in its risk assessment? Basic controls include segregation of duties relating to authorization, custody of assets and recording or reporting of transactions. In some cases it may be more cost-effective to re-engineer business processes to reduce fraud risks rather than layer on additional controls over existing processes. For example, some fraud risks relating to receipt of funds can be eliminated or greatly reduced by centralizing that function or outsourcing it to a bank's lockbox processing facility, where stronger controls can be more affordable.
To what extent has the entity implemented measures at the process level designed to prevent, deter and detect each of the significant fraud risks identified in its risk assessment? For example, the risk of sales representatives falsifying sales to earn sales commissions can be reduced through effective monitoring by their sales manager, with approval required for sales above a certain threshold.
Environment Level Anti-Fraud Controls
To what extent has the entity implemented a process to promote ethical behavior, deter wrongdoing and facilitate two-way communication on difficult issues? Such a process typically includes:
- Having a senior member of management who is responsible for the entity's processes to promote ethical behavior, deter wrongdoing and communicate appropriately on difficult issues.
- A code of conduct for employees at all levels, based on the entity's core values, which gives clear guidance on what behavior and actions are permitted and which ones are prohibited.
- Training for all personnel upon hiring and regularly thereafter concerning the code of conduct, seeking advice and communicating potential wrongdoing.
- Communication systems to enable employees to seek advice where necessary prior to making difficult ethical decisions and to express concern about known or potential wrongdoing affecting the entity.
- A process for promptly investigating where appropriate and resolving expressions of concern regarding known or potential wrongdoing, then communicating the resolution to those who expressed the concern.
- Monitoring of compliance with the code of conduct and participation in the related training.
- Regular measurement of the extent to which the entity's ethics/compliance and fraud prevention goals are being achieved.
- Incorporation of ethics/compliance and fraud prevention goals into the performance measures against which managers are evaluated and which are used to determine performance-related compensation.
Proactive Fraud Detection
To what extent has the entity established a process to detect, investigate and resolve potentially significant fraud? Such a process should typically include proactive fraud detection tests that are specifically designed to detect the significant potential frauds identified in the entity's fraud risk assessment. Other measures can include audit "hooks" embedded in the entity's transaction processing systems that can flag suspicious transactions for investigation and/or approval prior to completion of processing. Leading-edge fraud detection methods include computerized e-mail monitoring (where legally permitted) to identify use of certain phrases that might indicate planned or ongoing wrongdoing.
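The following is an added illustration, not code from the course or from any of the bodies it cites, of what an audit "hook" and a proactive detection test can look like in a transaction processing system. It ties together three points made above: the process-level controls of segregation of duties and approval above a threshold (the sales-commission example), the computer-assisted analytical procedures internal auditors use to isolate anomalies, and the hook that flags a transaction before processing completes. The approval threshold, the seven-day window, the flag names and the sample ledger are all constructed assumptions for the example.

```python
"""Added example: an audit hook plus an analytical split-payment test.

Not code from the course text; threshold, window, flag names and the
sample ledger below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from itertools import groupby
from typing import Dict, List, Optional, Tuple

# Assumed policy value: anything above this amount needs a second person's approval
APPROVAL_THRESHOLD = Decimal("10000")
# Assumed window within which sub-threshold payments may really be one split payment
SPLIT_WINDOW_DAYS = 7


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    posted: date
    vendor: str
    amount: Decimal
    prepared_by: str            # who recorded the transaction
    approved_by: Optional[str]  # who authorized it; None if nobody has yet


def hook_check(txn: Transaction, history: List[Transaction]) -> List[str]:
    """Process-level checks run before a transaction completes.

    Returns flag codes; an empty list means the transaction may proceed.
    """
    flags: List[str] = []
    # Approval required above the threshold (the sales-commission control in the text)
    if txn.amount > APPROVAL_THRESHOLD and txn.approved_by is None:
        flags.append("UNAPPROVED_ABOVE_THRESHOLD")
    # Segregation of duties: the person who recorded it may not also authorize it
    if txn.approved_by is not None and txn.approved_by == txn.prepared_by:
        flags.append("SELF_APPROVED")
    # Duplicate-payment test: same vendor and amount already posted earlier
    if any(h.vendor == txn.vendor and h.amount == txn.amount and h.txn_id != txn.txn_id
           for h in history):
        flags.append("POSSIBLE_DUPLICATE")
    return flags


def run_audit(ledger: List[Transaction]) -> Dict[str, List[str]]:
    """Replay the ledger through the hook; each transaction sees only earlier ones."""
    report: Dict[str, List[str]] = {}
    for i, txn in enumerate(ledger):
        flags = hook_check(txn, ledger[:i])
        if flags:
            report[txn.txn_id] = flags
    return report


def _owner_key(t: Transaction) -> Tuple[str, str]:
    return (t.vendor, t.prepared_by)


def detect_split_payments(ledger: List[Transaction]) -> List[List[str]]:
    """Analytical test over the whole ledger: sub-threshold payments to one vendor
    by one preparer, within SPLIT_WINDOW_DAYS, whose total exceeds the threshold.
    Each cluster is reported once, as the list of its transaction ids.
    """
    findings: List[List[str]] = []
    ordered = sorted(ledger, key=lambda t: (_owner_key(t), t.posted))
    for _, group in groupby(ordered, key=_owner_key):
        window: List[Transaction] = []
        for t in group:
            if t.amount > APPROVAL_THRESHOLD:
                continue  # already subject to approval; not a splitting candidate
            window.append(t)
            # drop anything that has fallen outside the sliding window
            window = [w for w in window if (t.posted - w.posted).days <= SPLIT_WINDOW_DAYS]
            if len(window) > 1 and sum(w.amount for w in window) > APPROVAL_THRESHOLD:
                findings.append([w.txn_id for w in window])
                window = []  # start a fresh window so one cluster is reported once
    return findings


# Constructed sample ledger (not real data)
SAMPLE_LEDGER = [
    Transaction("T1", date(2024, 3, 1), "Acme Supply", Decimal("4500"), "alice", "bob"),
    Transaction("T2", date(2024, 3, 2), "Acme Supply", Decimal("12500"), "alice", None),
    Transaction("T3", date(2024, 3, 3), "Acme Supply", Decimal("4500"), "alice", "bob"),
    Transaction("T4", date(2024, 3, 4), "Northwind Ltd", Decimal("9800"), "carol", "carol"),
    Transaction("T5", date(2024, 3, 4), "Northwind Ltd", Decimal("9700"), "carol", "dave"),
    Transaction("T6", date(2024, 3, 6), "Northwind Ltd", Decimal("9900"), "carol", "dave"),
    Transaction("T7", date(2024, 3, 10), "Globex Corp", Decimal("250"), "erin", "frank"),
]

if __name__ == "__main__":
    for txn_id, flags in run_audit(SAMPLE_LEDGER).items():
        print(txn_id, ", ".join(flags))
    print("possible split payments:", detect_split_payments(SAMPLE_LEDGER))
```

On the constructed ledger the hook holds T2 (over the threshold with no approver), T3 (same vendor and amount as T1) and T4 (prepared and approved by the same person), while the ledger-wide test pairs T4 and T5, two sub-threshold payments to one vendor by one preparer that together exceed the approval limit. The hook runs per transaction so it can stop processing in time; the split-payment test needs the whole ledger, which is why it belongs in the periodic proactive audit rather than the hook.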