The audit standard issued by the AICPA auditing
standards board (ASB) in October 2002, SAS
no. 99, Consideration of Fraud in a Financial
Statement Audit, does something no audit
standard has ever done. It contains a document
titled Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter, and
Detect Fraud, which challenges corporate
management to be equal partners with auditors in
creating an environment that neither condones,
nor is conducive to, the existence of illegal
activities.
"Both SAS no. 99 and the
document are important first steps toward
regaining public trust in the integrity
of U.S. corporations," says Dennis
Chookaszian, CPA, former chairman and CEO
of CNA Insurance and a member of both the
antifraud detection subgroup and the
panel on audit effectiveness which
provided the foundation for the SAS.
The standard, which is the
cornerstone of the AICPA's new
antifraud and corporate responsibility
program, does a good job of telling CPAs
what they should be doing during an
audit. But what about management's
role? Just as the auditor should be on
heightened alert, so too should corporate
executives.
Preventable Losses
Financial statement fraud costs businesses
an average of $4.25 million per incident.
Source: 2002 Report to the Nation:
Occupational Fraud and Abuse, Association
of Certified Fraud Examiners, www.cfenet.com.
FRAUD COSTING U.S. COMPANIES BILLIONS
The document,
sponsored by seven professional associations
including the AICPA, spells out specific
recommendations to help boards of directors,
audit committees, management and others prevent
and root out fraud of all kinds, from
unproductive behavior and employee theft to
misappropriation of assets and fraudulent
financial reporting. "Fraud is a significant
problem for U.S. companies," says Joseph T.
Wells, chairman of the Association of Certified
Fraud Examiners (ACFE) and a member of the
antifraud detection subgroup. Indeed, according
to the ACFE's 2002 Report to the Nation:
Occupational Fraud and Abuse, an estimated
$600 billion, or about $4,500 per employee, was
lost last year as a result of on-the-job fraud
and abuse. Although financial statement fraud was
the most costly, with a median loss of $4.25
million per occurrence, about 95% of all
occupational fraud incidents actually involved
asset misappropriation and corruption.
"It is only those
organizations that seriously consider
fraud risks and take proactive steps to
create the right kind of climate to
reduce its occurrence that have success
in preventing fraud."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
"The exhibit was designed to help create a corporate
environment that will deter and detect both kinds
of illegal activities: financial statement
fraud and traditional employee embezzlement and
theft," says Wells. "The same ethical
corporate culture, processes and controls, and
oversight that help corporations prevent
financial statement fraud also protect against
asset misappropriation and corruption."
Wells points out that small
businesses may find the exhibit especially useful
since fraud is a particularly severe problem for
them. "Surprisingly, a single instance of
fraud is likely to be more costly to a small
business than to a large one," he says. The
average scheme in a small business, the ACFE
report noted, caused $127,500 in losses, compared
to $97,000 at the largest companies.
CORE VALUES
The document
identifies the measures an organization should
take to prevent, deter and detect fraud. It
maintains companies should establish three
fundamental practices:
A culture of honesty and high ethics.
Antifraud processes and controls.
An appropriate oversight process.
Implementing all or even some
of these measures not only helps companies
protect themselves and their employees against
fraudulent acts but also potentially saves
revenue, enhances market value, averts civil
lawsuits and maintains a positive company image.
"Research suggests
the most effective way to implement
measures to reduce wrongdoing is to base
them on a set of core values. This
provides a platform upon which a more
detailed code of conduct can be
constructed, giving more specific
guidance about permitted and prohibited
behavior, based on applicable laws and
the organization's values.
Management needs to clearly articulate
that all employees will be held
accountable to act within the
organization's code of conduct."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
A culture of honesty and high ethics. The
document emphasizes that the most important way
for management to prevent fraud is to communicate
effectively, by both statement and deed, that it
will not tolerate it. This may seem self-evident,
but setting a "tone at the top" goes a
long way toward preventing fraud throughout an
organization.
Because most employees are not
in a position to observe the actions of company
leaders, management must make sure the value
system is shared with all personnel. The best way
to do this is through a code of conduct. Such a
code typically discusses ethics, confidentiality,
conflicts of interest, intellectual property,
sexual harassment and fraud. But management must
back up this code by creating a work culture that
rewards ethical actions and does not tolerate
dishonest behavior even if it benefits the
organization financially. Only then will
employees know the code of conduct is more than
just words on a piece of paper.
"Setting
unachievable goals for employees can give
them two unattractive choices: fail or
cheat. In contrast, a statement from
management that says, 'We are
aggressive in pursuing our targets, while
requiring truthful financial reporting at
all times,' clearly indicates to
employees that integrity is a
requirement. This message also conveys
that the entity has zero
tolerance for unethical behavior,
including fraudulent financial reporting."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
The exhibit also
points out that wrongdoing occurs less frequently
when employees have positive feelings about their
workplace than when they feel abused, threatened
or ignored. Poor morale can affect employee
attitudes about committing fraud while a culture
that empowers employees to participate in
creating a positive work environment can build
respect for the company's code of conduct.
To encourage employees to practice oversight,
organizations should implement a process for them
to report in confidence any actual or suspected
violation through a telephone hot line monitored
by an ethics or fraud officer, the general
counsel or another trusted individual.
Antifraud processes
and controls. Neither fraudulent
financial reporting nor misappropriation of
assets can occur without a perceived opportunity
to commit and conceal the act. The document
offers ways an organization can identify and
measure the risk of fraud as well as the steps it
can take to mitigate those risks and implement
preventive internal controls.
"Employees should be
given the means to obtain advice
internally before making decisions that
appear to have significant legal or
ethical implications. They should also be
encouraged and given the means to
communicate concerns, anonymously if
preferred, about potential violations of
the entity's code of conduct without
fear of retribution.
For example,
some organizations use a telephone
hotline that is directed to
or monitored by an ethics officer
or another trusted individual responsible
for investigating and reporting incidents
of fraud or illegal acts."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
It may be
possible, for example, to reduce or eliminate the
risk of misappropriation of funds by implementing
a central lockbox at a bank to receive payments
instead of receiving them at the entity's
various locations. A company can avert financial
statement fraud by establishing shared services
centers to provide accounting services to
multiple segments, affiliates or geographic
locations. Effective measures vary among
organizations, but the exhibit identifies
specific deterrents any company can employ.
While all organizations are
subject to risk, their internal controls should
set up an effective and secure environment. And
because fraud can occur when management overrides
internal controls, the company's value
system and culture should support employees in
declining to participate in a fraud and provide a
means for reporting any wrongdoing.
"Active oversight by
the audit committee can help to reinforce
management's commitment to creating
a culture with zero tolerance
for fraud.
The audit
committee's evaluation and oversight
not only helps make sure that senior
management fulfills its responsibility,
but also can serve as a deterrent to
senior management's engaging in
fraudulent activity."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
Appropriate
oversight process. Management is
responsible for overseeing the activities carried
out by employees and for implementing and
monitoring antifraud processes and controls. But
sometimes senior executives themselves may
initiate or participate in the commission or
concealment of a fraudulent act. For that reason,
an audit committee (or board of directors where
no audit committee exists) must supervise the
activities of senior management.
"If senior
management is involved in fraud, the next
layer of management may be the most
likely to be aware of it. As a result,
the audit committee (and other directors)
should consider establishing an open line
of communication with members of
management one or two levels below senior
management to assist in identifying fraud
at the highest levels of the
organization."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
The exhibit
makes clear that corporate management, boards of
directors and audit committees should share with
the outside auditor the duty of detecting and
deterring fraud. While management designs and
implements antifraud systems and procedures,
strong oversight by the audit committee and/or
board of directors is absolutely crucial. These
bodies should continually evaluate
management's identification of fraud risks,
implementation of antifraud measures and
maintenance of the appropriate "tone at the
top." Active oversight reinforces
management's commitment to creating a
culture with zero fraud tolerance.
MORE THAN DOLLARS AND CENTS
When a company
puts in place the antifraud procedures outlined
in the exhibit, it does much more than protect
itself from the tremendous monetary damage fraud
can cause. It also safeguards its reputation, its
ability to achieve its strategic objectives and,
certainly, its value.
"Some risks are
inherent in the environment of the
entity, but most can be addressed with an
appropriate system of internal control.
Once fraud risk assessment has taken
place, the entity can identify the
processes, controls and other procedures
that are needed to mitigate the
identified risks. In particular,
management should evaluate whether
appropriate internal controls have been
implemented in any area management has
identified as posing a higher risk of
fraudulent activity, as well as controls
over the entity's financial
reporting process."
Source: Management Antifraud Programs and
Controls: Guidance to Help Prevent, Deter,
and Detect Fraud
Perhaps most
important, the exhibit also helps a company
create the corporate governance and management
oversight the public is demanding of
organizations of all sizes, private or public.
"With these best practices in place,"
Chookaszian says, "a company enhances its
reputation among its various stakeholders, who
can be confident it has made a serious investment
in fraud detection and prevention."
Note: The exhibit was issued
jointly by, in addition to the AICPA, the
Association of Certified Fraud Examiners,
Financial Executives International, Information
Systems Audit and Control Association, the
Institute of Internal Auditors, Institute of
Management Accountants and Society for Human
Resource Management. Other organizations that
reviewed the document and offered advice included
the American Accounting Association, Defense
Industry Initiative and National Association of
Corporate Directors. 
Arleen R. Thomas, CPA, is
vice-president of professional standards and
services at the American Institute of CPAs. Her
e-mail address is athomas@aicpa.org. Kim M. Gibson,
CPA, is a technical manager on the audit and
attest standards team at the AICPA. Her e-mail
address is kgibson@aicpa.org. Their views, as expressed in this
article, do not necessarily reflect the views of
the Institute. Official positions are determined
through certain specific committee procedures,
due process and deliberation.