How internal audit tools can help combat fraud in your business
 

In its 2006 Report to the Nation, the Association of Certified Fraud Examiners (ACFE) reports that 60 percent of all frauds surface either by anonymous tips or sheer accident. Faced with those kinds of odds, experts say business owners and executives should consider a more proactive risk management approach.

"It’s really important for corporate management to recognize the value a professional internal audit function can deliver," says Dominique Vincenti, chief advocacy officer for the Institute of Internal Auditors. "These are the people who can identify the signs of an ethical collapse in a company and take actions to mitigate those problems before it becomes a very public financial collapse."

Several recent studies illustrate how companies have underused internal audit as a fraud-fighting resource. For example, a 2005 Global Economic Crime survey reported that internal audit functions caught only 30 percent of all North American fraud cases. The ACFE study, based on more than 1,100 cases investigated during the past two years, delivered even more pessimistic results: Internal audit discovered just 20 percent of all frauds. That number fell to 16 percent for not-for-profit organizations and privately held companies.

When it comes to fraud, a diligent internal audit function clearly can save time and money. According to the ACFE report, organizations without internal audit resources lost a median $218,000 to fraud — nearly double that of firms with that capability. The report also shows that companies with internal audit departments discovered fraudulent activity within 18 months of its occurrence, on average. That’s 25 percent faster than firms without such an internal review.

The Sarbanes-Oxley Act of 2002 requires public companies to abide by a series of strict internal controls. While that law has placed a stronger focus on the quality and transparency of financial reporting, Vincenti says it does little to address other forms of financial fraud.

"Sarbanes-Oxley was driven by a very specific form of fraud at the senior executive levels of companies, specifically manipulation of financial statements," she says. While such fraud accounts for the biggest dollar losses on average, Vincenti says asset misappropriation and corruption occur much more frequently than financial statement fraud, and the law really doesn’t speak to those risks.

However, Vincenti and other experts say midsized companies can use another tool to help minimize fraud risks. The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has developed a five-component integrated framework that can enhance the preventive value of controls — provided that management and internal audit agree to the roles each needs to play.

"Enterprise risk assessment and management is a primary responsibility of the company’s executive leadership team," Vincenti says. "Internal auditors can perform their own activities in support of the bigger picture, but management needs to ensure that the company views risk management in a structured, thoughtful way. Otherwise, any internal process will be set up to fail."

The five components in the COSO internal control framework include:

Control setup. In essence, this is the establishment of the "big picture" of corporate culture, which includes an organization’s stated vision, values and mission. But unstated elements of company activity — such as fair hiring and promotion decisions, appropriate use of outside consultants, an active board of directors, and clear ethical boundaries — are critical foundations to building a sound control environment.

"Management needs to not only set a strong ‘tone at the top’ about integrity and ethical behavior but also push that tone from top to bottom in an efficient way," Vincenti says. "Enron had an amazing written code of ethics, but as we have since discovered, the tone at the top didn’t support it."

Risk assessment. If the control environment is the heart of a fraud prevention approach, the risk assessment is the brains. Experts suggest this review should begin with a candid discussion of existing antifraud programs and controls, followed by an evaluation of potential internal and external fraud risks. A sound assessment should also rate the likelihood of various fraud risk scenarios and consider how each potential occurrence could affect the company’s reputation with key stakeholders.

Control activities. As defined by COSO, control activities are policies and procedures that help ensure management directives are carried out. These activities can include tasks such as approvals, authorizations, verifications, reconciliations, reviews of operating performance, security of assets and segregation of duties. It is management’s responsibility to document, evaluate and test the effectiveness of these control activities.

Generally, control activities should touch all functions and levels within a company. But Vincenti says business leaders should not fall into the trap of applying controls that don’t add value.

"You don’t need to set control mechanisms if they are not designed to mitigate an identified problem or potential threat," she says. "To be effective, these control activities must be defined from the risk assessment."

Information and communication. In the larger sense, this component helps ensure that companies clearly communicate all steps they take to control fraud to employees, customers and other stakeholders. A well-designed communications system will reinforce a strong tone at the top and provide internal and external parties specific details for how to address or report fraud.

At the same time, companies must create communications systems to identify, capture and communicate regular information about the success of antifraud controls among key business leaders. This type of reporting should include internally generated data as well as any pertinent detail on external events that affect the company’s antifraud or reputation management programs.

Monitoring. While common sense suggests monitoring for all control activities, experts generally agree that no two companies will handle that task the same. If a company’s risk assessment defines the application of a large number of new control activities, Vincenti suggests frequent evaluations. On the other hand, organizations with little or no change to their internal antifraud efforts would be wise to maintain a regular schedule to monitor whether the tools are working properly.

By following these steps, your company can reduce its fraud risk while sending a clear message of financial and business integrity to all stakeholders.


2007 RSM McGladrey Inc. All Rights Reserved.