
The importance of antifraud programs and controls

CEO CFO Certification News, July 2006

The impact of fraud upon an organization can be devastating. In addition to the quantifiable costs to business such as revenue leakage, corporate fraud can destroy a company’s reputation, strike at employee morale, and devastate investor confidence.

On March 10, 2006, the Canadian Securities Administrators (CSA) issued Notice 52-313, stating that they would not proceed with Multilateral Instrument 52-111, Reporting on Internal Control over Financial Reporting (MI 52-111). As part of the release, the CSA also indicated that they plan to issue an amended and expanded Multilateral Instrument 52-109, Certification on Disclosure in Issuers’ Annual and Interim Filings, later this year. While management certifications on, amongst other things, the design and operating effectiveness of internal control over financial reporting (ICFR) will still be required, the requirement for auditor attestation on both internal control and management’s assessment process has been removed. In addition, the conclusions of the CEO's and CFO's evaluation of ICFR are to be disclosed in the issuer’s annual Management Discussion & Analysis (MD&A). With the elimination of auditor attestation, the CSA is placing the challenge squarely on companies to design and implement a CEO and CFO certification process that will provide investors with the same level of protection as would have been the case under the CSA’s previous proposals. One of the key areas of focus for management and audit committees will need to be antifraud programs and controls.

What does all this mean? Under the CSA’s original proposals contained in MI 52-111, the board of directors would have been responsible for approving management’s internal control report. Under the CSA’s new stated approach to ICFR, this responsibility will be shifted to the audit committee, as Multilateral Instrument 52-110, Audit Committees, states “an audit committee must review the issuer’s financial statements, MD&A and annual and interim earnings press releases before the issuer publicly discloses this information” and management’s internal control conclusions will now be contained within the MD&A. With the removal of the audit requirement, the audit committee now bears the principal responsibility of monitoring the completeness and accuracy of the disclosures in the MD&A concerning, amongst other things, internal control over financial reporting. Controls related to the prevention and detection of fraud are an integral part of a company’s system of internal control.

Under the legislation, to avoid liability for a misrepresentation in the MD&A (which is a “core document” under Ontario’s legislation for civil liability for secondary market disclosures), a person with actual, implied or apparent authority relating to the affairs of the responsible issuer (e.g., audit committee members) will need to establish the basis for a due diligence defence. This can be done by developing proof that before the release of the document or the making of the public oral statement containing the misrepresentation, the person or company conducted or caused to be conducted a reasonable investigation, and by establishing procedures to ensure that at the time of the release of the document or the making of the public oral statement, the person or company had no reasonable grounds to believe that the document or public oral statement contained the misrepresentation. In this regard, boards and audit committees may wish to ensure that their responsibilities as set out in National Policy 58-201 Corporate Governance Guidelines are met.

While management is still charged with the mandate to implement a strong internal control environment, including the design and implementation of antifraud programs and controls, these rule changes clearly highlight the need for audit committees to heighten their monitoring responsibilities when it comes to fraud risks, particularly if they do not obtain an opinion on their ICFR from the auditor, as they will no longer have the report of an expert upon which they could place reliance. Audit committees must, therefore, ask the tough questions about corporate fraud – and management must be prepared to respond.

Five areas of focus
In overseeing the implementation of antifraud programs and controls, audit committees should consider the five key elements of the internal control integrated framework set out by COSO (Committee of Sponsoring Organizations of the Treadway Commission). In performing their duties, audit committee members may want to ask a range of questions that relate back to each COSO element.

Element 1: Performing a fraud risk assessment
Although management has the primary responsibility for performing the fraud risk assessment, the audit committee should have an active role in overseeing the process and in understanding the identified fraud risks. The audit committee’s oversight and understanding of fraud risks not only helps ensure that management fulfills its responsibility, but also can deter management from committing fraud.

One of the big points often overlooked, the "Achilles’ heel" of fraud prevention, is that the fraud risk assessment should consider management’s override of internal controls. A company can have controls in place that, if operated as stated, would effectively mitigate potential fraud risk. But it is in those instances where management overrides such controls that fraud risk increases. In fact, this is largely what transpired in some of the recent well-publicized events of corporate wrongdoing in the United States and elsewhere.

Here are some questions audit committees should consider asking as part of this assessment:

  • Does the company have formal procedures to perform fraud risk assessments?
  • Are the appropriate personnel involved in the fraud risk assessment (i.e., management, internal audit, business process owners, finance and the audit committee)?
  • Are there any undue pressures on management to misstate financial results?
  • Did the fraud risk assessment consider internal and external environmental factors, such as the incentives and pressures that increase the likelihood of fraud, attitudes and rationalizations that would allow a perpetrator to justify the fraud, and opportunities to commit fraud?

In terms of the audit committee’s oversight responsibilities:

  • Does the audit committee meet independently of management to discuss the risk of fraud and the management override of controls?
  • Does the audit committee conduct fraud risk brainstorming sessions? Create “what if” scenarios?
  • Does the audit committee understand the performance incentives and possible unintended consequences that could create incentives for fraudulent financial reporting?

Element 2: Creating an antifraud control environment
Emphasis should be placed on the entity’s control environment as it influences the culture of the entire organization. To create an environment that discourages fraud, it is important for the audit committee to help management set the right tone at the top.

Here are some questions audit committees may ask as part of this assessment:

  • Did management assess the tone of the organization to determine if the culture encourages ethical behaviour and open communication? This assessment could be made through anonymous cultural surveys, inquiries, and interviews, or by an internal audit review.
  • What fraud risks are being monitored by the internal audit team on a periodic or regular basis?
  • When was the last time the code of conduct was revised? What is the timeliness and quality of employee education on the code of conduct?
  • How effective is the whistleblower program? Is the program available to outsiders (i.e., vendors and/or customers)?
  • Does the company have formal hiring and promotion standards, including background checks for employees?
  • Is general counsel aware of potential violations of laws by employees?
  • Does the company have formal training for new hires on matters of fraud and ethics?

In terms of the audit committee’s oversight responsibilities:

  • Does the audit committee benchmark management against the code of conduct? If not, then who does?
  • Does the audit committee review exit interview notes and resignation letters of key members of management or those with a significant role in the internal control framework?
  • Does the audit committee’s charter reflect its antifraud oversight responsibilities?

Element 3: Designing and implementing antifraud programs and control activities
As part of its oversight responsibility, an entity’s audit committee should help ensure that senior management implements appropriate fraud deterrence and prevention measures. Here are some questions audit committees may ask as part of this assessment:

  • Did management link identified fraud risks to control activities to mitigate risk?
  • Do the company’s control activities deter the misappropriation of assets that could result in a material misstatement of the financial statements?
  • Are there appropriate control activities over journal entries, estimates, and unusual or non-routine transactions?
  • What specific procedures does internal audit perform to address the risk of management override of controls?

Element 4: Communicating and sharing information
To ensure a culture of fraud prevention, an entity’s audit committee should help ensure that the company’s fraud prevention policies are properly communicated throughout the organization. The company’s philosophy on fraud prevention and antifraud controls should be communicated clearly throughout the organization so that employees have a clear understanding of what is expected of them and know that the organization takes the risk of fraud seriously.

Here are some questions audit committees may ask as part of this assessment:

  • Is information on ethics and management’s commitment to antifraud programs effectively communicated throughout the organization?
  • Are new employees informed of the company’s commitment to antifraud programs?
  • Are the communications consistent across the organization?
  • Has management designed, tested, and documented procedures to disseminate information about its antifraud programs?

Element 5: Monitoring activities
A final step for management and audit committees is the monitoring of the quality and effectiveness of an entity’s antifraud programs and controls. Monitoring can be done in two ways: through ongoing activities or separate evaluations. Separate evaluations can be performed by internal audit or other interested parties, such as business process owners. Monitoring activities can include timely reconciliations, confirmation of information by external parties, and periodic confirmations from personnel that they understand and comply with the company’s code of conduct.

Here are some considerations and questions audit committees may ask as part of this assessment:

  • Is the internal audit function involved in monitoring and assessing antifraud programs?
  • Is internal audit adequate for the size and operations of the organization? Does it report directly to the audit committee?
  • Are findings and weaknesses identified during monitoring incorporated into the fraud risk assessment, the design of the control environment, and the design of antifraud control activities?

Responding to audit committee questions
As audit committees heighten their oversight of an entity’s fraud prevention processes, management must be prepared to respond to this increased scrutiny. While many of the elements of an antifraud program may exist within an organization, they are often not cohesively organized or appropriately documented. To meet audit committee mandates and address regulatory requirements, it is essential that management develop a structured process to support their antifraud control activities.

Effective antifraud measures can go a long way towards reducing the likelihood and frequency of corporate fraud. As organizations continue to grapple with the complexities of the CEO/CFO certification process, an increased focus on fraud prevention can only help to bolster an entity’s internal control environment – delivering sustainable benefit to both corporate stakeholders and the investing public.

Other interesting articles and publications
Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention, American Institute of Certified Public Accountants, 2005

National Policy 58-201, Corporate Governance Guidelines, Canadian Securities Administrators, 2005

 

About CEO/CFO Certification News

This is a bi-monthly publication of interest for companies dealing with the requirements for CEO/CFO certification.

For more information, email ceocfocertnews@deloitte.ca