Corporate Governor. Providing vision and advice for management, boards of directors and audit committees Winter 2015


COSO 2013 framework boosts fraud risk assessment and prevention

Fraud is among the most distasteful fare on management's plate. Not only is it an enormous, unplanned drain on company resources (the Association of Certified Fraud Examiners (ACFE) estimates that fraud costs the typical company 5% of revenue[1]), it's spiritually crippling as well. Fraud by company outsiders, as damaging as it may be, simply testifies to human greed and malevolence. Fraud by co-workers and colleagues, often long-serving and trusted, is a gut-wrenching betrayal of faith.

Daily stories of pilfered passwords and leaked emails have placed cyberfraud at the top of management's agenda. This heightened concern coincides with the guidance in COSO's Internal Control-Integrated Framework: Framework and Appendices (COSO 2013), effective Dec. 15, 2014, that requires companies to do a fraud risk assessment (FRA). Clearly, now is the time for companies to comprehensively reassess their approach to assessing and mitigating potential fraud risks.[2]

For companies that may not have formally documented processes and controls designed to address fraud risk systematically, adopting COSO 2013 can jump-start a broad and far-reaching program of necessary fraud risk prevention. Companies that have more fully developed FRA processes and procedures in place will see implementing COSO 2013 as an opportunity to re-evaluate and strengthen their fraud prevention effort.

[1] ACFE: Report to the Nations on Occupational Fraud and Abuse, 2014 Global Fraud Study. See www.acfe.com/rttn-summary.aspx for more information.
[2] COSO released a new report, COSO in the Cyber Age, which provides direction on how the Internal Control-Integrated Framework and the Enterprise Risk Management-Integrated Framework can help organizations manage cyberrisks. Visit www.coso.org to download the report.

COSO guidance on fraud risk assessment

Principle 8

The discussion of fraud in COSO 2013 centers on Principle 8 of the framework: "The organization considers the potential for fraud in assessing risks to the achievement of objectives."

"For most companies, under 1992 COSO, fraud risk was viewed primarily in terms of satisfying SOX requirements, i.e., identifying and preventing fraud risk at the transaction level," says Michael Rose, partner, Business Advisory Services. "But in COSO 2013, fraud risk becomes a specific component in the overall risk assessment: It addresses fraud at the organization or entity level, not just the transaction level."

COSO requires a strong internal control foundation that addresses fraud much more broadly: company objectives, strategy, operations and compliance, as well as reporting, both external and internal, financial and nonfinancial. Principle 8 describes four specific areas of concern.

1. Fraudulent financial reporting: This area has long been at the heart of the mission of COSO; indeed, it is the purpose for which COSO was originally founded in 1985.
2. Fraudulent nonfinancial reporting: The inclusion of fraudulent nonfinancial reporting is a significant change from 1992 COSO. COSO 2013 mentions sustainability reporting, health and safety reports, and reports on employment activity as examples of nonfinancial reporting.
3. Misappropriation of assets: Principle 8 states that illegal marketing, theft of assets, theft of intellectual property, late trading, and money laundering are among the activities that may relate to unauthorized acquisition, use and disposal of assets.
4. Illegal acts: These are violations of laws or governmental regulations that could have a material direct or indirect impact on the external financial reports. Examples include bribery, corruption and insider trading.

Points of focus

The first point of focus in Principle 8 summarizes the above four areas:

Considers various types of fraud: "The assessment of fraud considers fraudulent reporting, possible loss of assets, and corruption resulting from the various ways that fraud and misconduct can occur."

The three remaining points of focus largely mirror those of the fraud triangle as discussed in SAS 99.[3] The standard describes an assessment of fraud risks considering three specific aspects:

1. Incentives and pressures to commit fraud that exist in the control environment
2. Opportunities for unauthorized acquisition, use, or disposal of assets, altering of the entity's reporting records, or committing other inappropriate acts
3. Attitudes and rationalization, i.e., how management and other personnel might engage in or justify inappropriate actions

Management override of controls

Management override figures prominently in the text of Principle 8. It is an action taken to override an entity's controls for an illegitimate purpose, including personal gain or an enhanced presentation of an entity's financial condition or compliance status. Management override generally occurs in the largest or most significant fraud occurrences and is not easily detected. As COSO 2013 states, management override should not be confused with management intervention, i.e., action that departs from controls designed for legitimate purposes. The degree to which management can intervene is determined by the board and audit committee's assessment of the control environment.

Building a successful fraud prevention function on the COSO foundation

One extremely useful document for management in assessing and enhancing the company's fraud risk function is Managing the Business Risk of Fraud: A Practical Guide, produced by The Institute of Internal Auditors (IIA), AICPA and the ACFE. It offers a highly detailed guide (including a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls) of how organizations of various sizes and types can establish their own fraud risk management programs. The following discussion draws significantly from that publication.

Fraud risk governance

The FRA should be seen as part of the company's effort for strong corporate governance. This commitment requires a tone at the top that facilitates corporate cultures embracing strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk.

But even companies with committed senior leadership may have inadequate FRA programs. Most companies have some written policies to manage individual fraud components (say, expense account procedures). We have also noted that many companies engage in some fraud management activities to assess, identify and control override risks. What most companies don't do is concisely summarize these documents and activities, so they can communicate and evaluate the completeness and sufficiency of their fraud management processes.

[3] AICPA Statements on Auditing Standards No. 99. See www.aicpa.org/research/standards/auditattest/pages/sas.aspx for more information.

Fraud risk assessment

The fraud risk assessment should ordinarily be conducted as part of a broader assessment of company risk in an enterprise risk management program. But the fraud risk assessment itself may initially be conducted as part of that process or on a standalone basis. Regulatory and legal misconduct, such as Foreign Corrupt Practices Act violations, as well as reputation risk, should also be considered.

Assess and identify inherent risk

The FRA starts with a brainstorming session that seeks to uncover the potential fraud risks in the organization, without consideration of mitigating controls. The review takes place in and is shaped by the company's operating environment, including industry practices, business culture, the state of the economy, applicable regulatory regimes, company business practices (e.g., heavy reliance on cash transactions), and business conditions. Each area of risk (fraudulent reporting, possible loss of assets, and corruption) should be examined. The FRA should include:

- Consideration of all types of fraud schemes and scenarios
- The incentives (such as through compensation programs), pressures (a CFO that needs to hit an earnings estimate) and opportunities (a senior manager with management override ability) to commit fraud

Assess likelihood and significance of fraud risk

The next step is to assess the relative likelihood and potential significance of identified fraud risks. This review should be based on interviews with staff, including business process owners; known fraud schemes; and historical information, both internal and external to the entity. In assessing fraud risk significance, companies should consider not only exposures to assets and the financial statements, but risk to an organization's operations, brand value and reputation, as well as criminal, civil and regulatory liability.

Factors in fraudulent reporting

Principle 8 lists various considerations organizations should make when identifying ways fraud in reporting can occur:

- Management bias, for instance in selecting accounting principles
- Degree of estimates and judgments in external reporting
- Fraud schemes and scenarios common to the industry sectors and markets in which the entity operates
- Geographic regions where the entity does business
- Incentives that may motivate fraudulent behavior
- Nature of technology and management's ability to manipulate information
- Unusual or complex transactions subject to significant management influence
- Vulnerability to management override and potential schemes to circumvent existing control activities
- The IT fraud risks specific to the organization

Importantly, the FRA needs to consider the potential bypass of controls through management override, as well as areas where controls are weak or there is a lack of segregation of duties.

Fraud prevention and detection

Once the likelihood and significance of fraud risks are identified, design and implementation of mitigating controls follow. Fraud prevention requires both preventative and detective controls. Preventative controls include policies, procedures, training and communication, and certain computer-based application controls, while detective controls involve activities designed to identify specific examples of fraud or misconduct that is occurring or has occurred, such as reconciliations and other types of manual controls. However, these are interrelated concepts, as described below:

"If effective preventive controls are in place, working and well-known to potential fraud perpetrators, they serve as strong deterrents to those who might otherwise be tempted to commit fraud. Fear of getting caught due to a company's known commitment to punishment is always a strong deterrent. Effective preventive controls are, therefore, also strong deterrence controls."[4]

Keep in mind that, in designing controls, segregation of duties in small companies can be difficult to achieve because of limited resources and personnel. Smaller firms need to work to assure that compensating controls (such as periodic budget-to-actual analysis at a precise-enough level to flag and investigate unusual activity) or other monitoring controls are in place to mitigate this occurrence.

Fraud investigation and corrective action

No system of internal control can eliminate fraud completely, so a program for how the company responds to identified fraud or potential illegal acts is essential. The investigation and response system should include a process for categorizing issues; communicating within the organization, including the audit committee or those charged with governance (depending on the potential severity of the matter); conducting the investigation and fact-finding; and resolving or closing the investigation with a recommendation for prosecution. A tracking system for monitoring the status of fraud cases is a necessity. If the allegation involves senior management or affects the financial statements, there may be standards, regulations or laws that require parties like legal counsel, board, audit committee or external auditors to be notified.

Conclusion

COSO 2013 includes some key elements that management can leverage for companies starting or upgrading their FRA. Organizations that have adopted COSO 2013 can continue to build on that experience to prepare for the fraud challenges ahead. For companies that haven't yet implemented the framework, the direction it provides for improving FRA should motivate management to strive for adoption as soon as possible.

Contacts

Michael Rose, Partner, Business Advisory Services. T +1 215 376 6020, E michael.rose@us.gt.com
Kevin Bennett, Managing Director, Forensic and Valuation Services. T +1 612 677 5348, E kevin.bennett@us.gt.com
Priya Sarjoo, Principal, Business Advisory Services. T +1 214 283 8166, E priya.sarjoo@us.gt.com
Brad Preber, National Managing Partner, Forensic and Valuation Services. T +1 602 474 3440, E brad.preber@us.gt.com

Editor: Evangeline Umali Hannum, E evangeline.umalihannum@us.gt.com

[4] Managing the Business Risk of Fraud: A Practical Guide, pp. 30-34. The Institute of Internal Auditors (IIA), AICPA and ACFE. See www.acfe.com/uploadedfiles/acfe_website/content/documents/managing-business-risk.pdf for more information.

About the newsletter

CorporateGovernor is published by Grant Thornton LLP. The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest-quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the world's leading organizations of independent audit, tax and advisory firms. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity.

Content in this publication is not intended to answer specific questions or suggest suitability of action in a particular case. For additional information about the issues discussed, consult a Grant Thornton LLP client service partner or another qualified professional.

Connect with us: grantthornton.com, @grantthorntonus, linkd.in/grantthorntonus

"Grant Thornton" refers to Grant Thornton LLP, the U.S. member firm of Grant Thornton International Ltd (GTIL). GTIL and its member firms are not a worldwide partnership. All member firms are individual legal entities separate from GTIL. Services are delivered by the member firms. GTIL does not provide services to clients. GTIL and its member firms are not agents of, and do not obligate, one another and are not liable for one another's acts or omissions. Please visit grantthornton.com for details.

2015 Grant Thornton LLP. All rights reserved. U.S. member firm of Grant Thornton International Ltd.