
Antifraud Programs & Controls

Table of Contents
- Introduction
- Overview
- Antifraud Programs and Controls: The COSO Framework
- Section 1: Questions to Consider
- Section 2: Example Implementation Plan: Performing Fraud Risk Assessments
- Section 3: Sample Process
- Section 4: Sample Listing of Fraud Schemes
- Section 5: Steps and Considerations

This document is intended to provide general information and considerations on a particular subject or subjects and is not an exhaustive treatment of such subject(s). This document provides general references to various sources, including the Sarbanes-Oxley Act of 2002, U.S. Securities and Exchange Commission, Public Company Accounting Oversight Board, American Institute of Certified Public Accountants, and Committee of Sponsoring Organizations of the Treadway Commission. It is the responsibility of boards of directors, audit committees, and companies to read and interpret the sources, or information received from them, to determine, customize and tailor responses based on their company's facts, circumstances and requirements. Deloitte & Touche LLP (Deloitte & Touche) is not, by means of this document, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This document is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. The information contained in this document likely will change in material respects; Deloitte & Touche is under no obligation to update such information. Before making any decision or taking any action that might affect your professional interests, you should consult a qualified professional advisor. Deloitte & Touche is not responsible for any loss sustained by any person who relies on this document.

Introduction
In today's business environment with increased legislative and regulatory requirements, there is a greater need for organizations to understand and address fraud risks. The likelihood of fraud occurring can be reduced by implementing effective antifraud programs and controls that can identify fraud in a timely manner and minimize the resulting damage. Fraud prevention and detection also makes good business sense and can provide cost savings to organizations. This document provides examples and considerations for management and auditors with respect to the risk of fraud and antifraud programs and controls, and is written in the context of the Committee of Sponsoring Organizations (COSO) of the Treadway Commission's Internal Control - Integrated Framework.[1]

Overview
Fraud has always represented a business risk for organizations. High-profile financial reporting scandals renewed the focus on fraud, resulting in comprehensive legislation and Securities and Exchange Commission (SEC) rulemaking concerning corporate governance and internal controls. Section 404 of the Sarbanes-Oxley Act of 2002, "Management Assessment of Internal Controls," requires company management to file an annual report on internal control over financial reporting. The SEC's resultant Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports, provides guidance on management's responsibilities related to fraud: "The assessment of a company's internal control over financial reporting must be based on procedures sufficient both to evaluate its design and to test its operating effectiveness. Controls subject to such assessment include ... controls related to the prevention, identification, and detection of fraud."[2]

Fraud prevention and detection makes good business sense and can provide cost savings to organizations.

Additionally, the Public Company Accounting Oversight Board's (PCAOB) Auditing Standard No. 2 increased responsibilities for auditors beyond those required by Statement on Auditing Standards, Consideration of Fraud in a Financial Statement Audit (SAS 99). Although SAS 99 provides detailed guidance on the fraud risk assessment, it only requires the auditor to gain an understanding of management's antifraud programs and controls. Under the PCAOB's Auditing Standard No. 2, auditors should evaluate antifraud programs and controls as part of the audit of internal control over financial reporting. The PCAOB Auditing Standard No. 2 states:

[1] Internal Control - Integrated Framework, Committee of Sponsoring Organizations of the Treadway Commission, copyright 1992, 1994. Executive summary and ordering information for the full document available at: http://www.coso.org/publications/executive_summary_integrated_framework.htm.
[2] Final Rule: Management's Report on Internal Control Over Financial Reporting and Certification Disclosure in Exchange Act Periodic Reports, U.S. Securities and Exchange Commission, 2003, Section (II)(B)(3)(d). Electronic copy can be viewed at: http://www.sec.gov/rules/final/33-8238.htm.

"The auditor should evaluate all controls specifically intended to address the risks of fraud that have at least a reasonably possible likelihood of having a material effect on the company's financial statements. These controls may be a part of any of the five components of internal control over financial reporting ... Controls related to the prevention and detection of fraud often have a pervasive effect on the risk of fraud. Such controls include, but are not limited to, the:
- Controls restraining misappropriation of company assets that could result in a material misstatement of the financial statements;
- Company's risk assessment processes;
- Code of ethics/conduct provisions, especially those related to conflicts of interest, related-party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board;
- Adequacy of the internal audit activity and whether the internal audit function reports directly to the audit committee, as well as the extent of the audit committee's involvement and interaction with internal audit; and
- Adequacy of the company's procedures for handling complaints and for accepting confidential submissions of concerns about questionable accounting or auditing matters.
Part of management's responsibility when designing a company's internal control over financial reporting is to design and implement programs and controls to prevent, deter, and detect fraud. Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should set the proper tone; create and maintain a culture of honesty and high ethical standards; and establish appropriate controls to prevent, deter, and detect fraud."[3]

Due to the importance of management's antifraud programs and controls, deficiencies in this area ordinarily constitute at least a significant deficiency in internal control over financial reporting. Paragraph 139 of the PCAOB Auditing Standard states: "The interaction of qualitative considerations that affect internal control over financial reporting with quantitative considerations ordinarily results in deficiencies in the following areas being at least significant deficiencies in internal control over financial reporting:
- Controls over the selection and application of accounting policies that are in conformity with generally accepted accounting principles;
- Antifraud programs and controls;
- Controls over non-routine and non-systematic transactions; and
- Controls over the period-end financial reporting process, including controls over procedures used to enter transaction totals into the general ledger; initiate, authorize, record, and process journal entries into the general ledger; and record recurring and nonrecurring adjustments to the financial statements."

PCAOB Auditing Standard No. 2 notes that antifraud controls may be a part of any of the five components of internal control over financial reporting and refers to the COSO framework. Antifraud programs and controls are not supplemental to COSO (i.e., they do not represent an additional layer to the framework), but are embedded within the existing five components of the framework.

Summary of Key Terms

Fraud. An understanding of fraud is essential in order for management and auditors to carry out their respective responsibilities. Fraud is defined in paragraphs 5 and 6 of SAS 99 as "an intentional act that results in a material misstatement in financial statements that are the subject of an audit. Two types of misstatements are relevant to the auditor's consideration of fraud: misstatements arising from fraudulent financial reporting and misstatements arising from misappropriation of assets." Recognizing that fraud can take many shapes and forms,[4] and that the concept of materiality is both quantitative and qualitative in nature, it is recommended that management consider additional types of fraud (including those not directly referenced in SAS 99 or PCAOB Auditing Standard No. 2) when designing and implementing antifraud programs and controls. Examples of fraud types that management should consider include:
- fraudulent financial reporting
- misstatements arising from misappropriation of assets
- improper or unauthorized expenditures (including bribery and other improper payment schemes)
- self-dealings (including kickbacks)
- violations of laws and regulations (including those that expose the company or its agents to regulatory or criminal actions, e.g., securities frauds, signing false audit confirmations)

Antifraud Programs & Controls. Guidance on management's antifraud programs and controls is found in SAS 99 and in an attached exhibit, Management Antifraud Programs and Controls, which describes control activities that management should consider to address fraud risks. Paragraph 20 of SAS 99 notes: "The auditor should inquire of management about ... programs and controls the entity has established to mitigate specific fraud risks the entity has identified, or that otherwise help to prevent, deter, and detect fraud, and how management monitors those programs and controls."

[3] Release No. 2004-001: Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements, Public Company Accounting Oversight Board, 2004, paragraphs 24 and 25. Electronic copy can be viewed at: http://www.pcaobus.org/rules/Release-20040308-1.pdf.
[4] Black's Law Dictionary (Sixth Edition, 1990) defines fraud as "An intentional perversion of truth for the purpose of inducing another in reliance upon it to part with some valuable thing belonging to him or to surrender a legal right. A false representation of a matter of fact, whether by words or by conduct, by false or misleading allegations, or by concealment of that which should have been disclosed, which deceives and is intended to deceive another so that he shall act upon it to his legal injury. . . A generic term, embracing all multifarious means which human ingenuity can devise, and which are resorted to by one individual to get advantage over another by false suggestions or by suppression of truth, and includes all surprise, trick, cunning, dissembling, and any unfair way by which another is cheated."

Antifraud Programs and Controls: The COSO Framework

Below are the five components derived from COSO's Internal Control - Integrated Framework that management may consider with respect to their responsibilities for antifraud programs and controls:
1. Performing Fraud Risk Assessments
2. Creating a Control Environment
3. Designing & Implementing Antifraud Control Activities
4. Sharing Information & Communication
5. Monitoring Activities

Performing Fraud Risk Assessments

The first step in addressing fraud is the fraud risk assessment. Fraud risk assessments are designed to identify and evaluate fraud risk factors that could enable fraud to occur within the organization. Every organization has inherent fraud risks that arise from internal and external conditions relative to the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions. For example, SAS 99, paragraph 41 notes that material misstatements due to fraudulent financial reporting often result from overstatements of revenues and, therefore, the auditor should ordinarily presume that there is a risk of material misstatement due to fraud relating to revenue recognition. Most companies have at some level already addressed risks of theft. Fraud risk assessments are more than a process to identify risks of theft and should also address other frauds, including fraudulent financial reporting and other misappropriations of assets. The fraud risk assessment involves an expanded focus on considerations of where fraud risk factors may exist within the entity and the potential fraud schemes that could be perpetrated. Management has the primary responsibility for performing fraud risk assessments. The audit committee should have an active role in the oversight of the process, understand identified fraud risks, and evaluate management's implementation of antifraud measures. The audit committee's evaluation and oversight not only ensures that management fulfills its responsibility, but also can serve as a deterrent to management who themselves could engage in fraudulent activities. The audit committee, together with management, should also consider the potential risk of management's override of controls or other inappropriate influence over the financial reporting process. Paragraph 8 of SAS 99 notes that, "Management has a unique ability to perpetrate fraud because it frequently is in a position to directly or indirectly manipulate accounting records and present fraudulent financial information. Fraudulent financial reporting often involves management override of controls that otherwise may appear to be operating effectively."

Special consideration should be given to the risk of override of controls by management such as (1) recording fictitious journal entries or other adjustments, particularly those recorded close to the end of an accounting period; (2) intentionally biasing assumptions and judgments used to estimate account balances; and (3) entering into significant transactions that are outside of the entity's normal course of business that lack economic substance. The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls, and should be updated periodically to include changes in operations and revisions to fraud risks identified during monitoring activities of antifraud programs. An example implementation plan for performing fraud risk assessments is provided in Section 2, Example Implementation Plan: Performing Fraud Risk Assessments.

Creating a Control Environment

Emphasis should be placed on the entity's control environment as it influences the tone of the entire organization. It is the foundation for all other components of internal control and provides discipline and structure. Control environment factors include the integrity, ethical values, and competence of the entity's management and employees and have a pervasive effect on how business activities are structured and executed. The control environment allows an entity to develop an ethical framework that should address fraudulent financial reporting, misappropriation of assets, corruption, and other fraud issues. The control environment should set the proper tone at the top, which includes a culture and work environment that promotes open communication, consultation, and ethical behavior. The control environment should be pervasive throughout the organization in actions as well as words. It should:
- create and maintain a culture of honesty, high ethical standards, and behavior
- provide discipline for violations of the code of conduct/ethics
- set an appropriate tone for the entity's attitude towards fraud and fraud prevention
- promote controls to prevent, deter, and detect fraud

A control environment establishes and promotes a collective attitude towards achieving effective internal control and generating reliable financial statements. The proper design and the effectiveness of the control environment are critical. Having controls by themselves is not sufficient to mitigate fraud risks. For example, if no employees have been disciplined for violations of the company's code of conduct/ethics, the code is likely to be ineffective.

All employees have a role in the control environment. Management, the board of directors and the audit committee have the primary responsibility of creating the tone at the top of the organization. The audit committee should take an active role in the oversight of management's efforts to design and implement internal controls, including antifraud programs and controls, and should challenge management to ensure that fraud risks are identified and that appropriate control activities are implemented and monitored. Elements of the control environment are discussed in Section 5, Steps and Considerations, and include:
- tone at the top
- oversight by the audit committee and board of directors
- internal audit involvement
- code of ethics/conduct
- ethics hotline and whistleblower program
- training
- responses to control deficiencies and allegations of fraud

Designing and Implementing Antifraud Control Activities

After fraud risk assessments are performed and fraud risks are identified, management should address each identified fraud risk by determining whether control activities exist that mitigate the risk. Control activities are policies and procedures designed to address risks and help ensure the achievement of the entity's objectives. Control activities occur throughout the organization, at all levels and in all functions. Antifraud control activities can be preventative and/or detective in nature. Preventative controls are designed to mitigate specific fraud risks and can deter frauds from occurring, while detective control activities are designed to identify fraud if it occurs. Detective controls can also be used as a monitoring activity to assess the effectiveness of antifraud controls and may provide additional evidence of the effectiveness of antifraud programs and controls. Some of these control activities may be automated in nature and include information technology (IT) systems. Where control activities are not already present, management should design and implement additional controls to specifically address the identified fraud risks. Special consideration should be given to the risk of override of controls by management. Some programs and controls that deal with management override include: (1) active oversight from the audit committee; (2) whistle-blower programs and a system to receive and investigate anonymous complaints; and (3) reviewing journal entries and other adjustments for evidence of possible material misstatement due to fraud.

Sharing Information & Communication

Effective communication is an important element of all phases of the implementation of antifraud programs and controls. The company's philosophy on fraud prevention and antifraud programs and controls should be clearly communicated throughout the organization so that employees are aware of antifraud activities, have a clear understanding of what is expected of them, and know that the organization takes the risk of fraud seriously. These communications should emanate from all levels of the organization and should include communications with external parties when appropriate (including customers, suppliers, and agents). A company's code of conduct or ethics is often the first line of communication concerning its philosophy on fraud prevention. However, other communication methods should be used to create awareness of antifraud programs and controls. Information on antifraud programs may be communicated through employee handbooks (either printed or online), in company newsletters, company intranet sites, training, and through presentations or discussions led by management. Management's antifraud programs and controls should also be documented to provide reasonable support for its assessments on the design and operating effectiveness of the controls. The procedures implemented to enable communication and information processes should themselves be controlled to prevent unauthorized access or changes.

Monitoring Activities

Management and other appropriate parties in the company should monitor the quality and effectiveness of antifraud programs and controls. Monitoring activities and assessments consist of procedures that include independent evaluations of antifraud controls that may be performed by internal audit or other groups, such as business process owners, and other ongoing monitoring activities that are built into normal recurring operating activities, such as timely reconciliations. Ongoing monitoring procedures are built into normal recurring operating activities and can often be more effective than separate evaluations because they take place in real time. Examples of ongoing monitoring activities include:
- reconciliations of operating and financial reports
- regular communications with internal and external parties
- regular reviews and recommendations from internal auditors
- planning and training sessions to solicit feedback on whether controls are effective

Independent evaluations of controls vary in scope and frequency, and are commonly performed by internal audit. Separate evaluations may involve implementing detective activities. For example, internal audit may design tests to specifically look for instances of early revenue recognition to ensure that existing controls for revenue recognition are operating effectively. Detective controls are essential to antifraud programs because they provide an additional indication of the effectiveness of preventative control activities and can identify additional fraud risk factors that should be included in management's fraud risk assessment. Some monitoring activities can be automated in nature and, as such, may involve IT systems. Organizations should take: "Reasonable steps to achieve compliance with its standards, e.g., by utilizing monitoring and auditing systems reasonably designed to detect criminal conduct by its employees and other agents and by having in place and publicizing a reporting system whereby employees and other agents could report criminal conduct by others within the organization without fear of retribution."[5] Truly effective antifraud programs are dynamic, where the information obtained through the monitoring process is fed back into the risk assessment and the entire process begins anew.

This document is divided into the following sections:
- Section 1: Questions to Consider. A list of questions to consider with respect to antifraud programs and controls, in the context of the COSO framework.
- Section 2: Example Implementation Plan: Performing Fraud Risk Assessments. Highlights key steps in performing a fraud risk assessment.
- Section 3: Sample Process. Two examples of evaluating identified fraud risks and linking programs and controls to the risks: (A) Inappropriate/Early Revenue Recognition; (B) Management Override of Controls: Improper Journal Entries or Adjustments.
- Section 4: Sample Listing of Fraud Schemes. A listing of fraud schemes to assist in identifying possible fraud risks, scenarios, and schemes when performing or evaluating fraud risk assessments.
- Section 5: Antifraud Programs & Controls: Steps and Considerations. A detailed discussion of considerations of antifraud programs and controls.

[5] United States Sentencing Commission, Guidelines Manual, 8A1.2, comment. 3(K), available at: http://www.ussc.gov/2002guid/8a1_2.htm. In 1991, the United States Sentencing Commission introduced seven criteria for effective programs to prevent and detect violations of law (including fraud). Amendments to the Sentencing Guidelines were submitted to Congress on April 30, 2004. Official text of these amendments is available on the Commission's web site at www.ussc.gov and http://www.ussc.gov/2004guid/2004cong.pdf.

Section 1: Questions to Consider

The following is a list of some of the questions for management to consider when designing and evaluating antifraud programs and controls related to each of the COSO components. Management should consider and evaluate the facts and circumstances for their organizations (e.g., the entity's industry, operations, geographical locations, size, organizational structure, and general economic conditions) and tailor their antifraud programs and controls accordingly. Each COSO component should include sufficient documentation to support the programs and controls as well as management's assessments and conclusions regarding the design and operating effectiveness of the programs and controls.[6] The following questions and themes are adopted from various sources, including the Sarbanes-Oxley Act of 2002, the SEC's Final Rules on Sarbanes-Oxley, SAS 99, PCAOB Auditing Standard No. 2, and COSO.

Fraud Risk Assessment

1. Does the company have formal and regularly scheduled procedures to perform fraud risk assessments?
2. Are appropriate personnel involved in the fraud risk assessments?
3. Are fraud risk assessments performed at all appropriate levels of the organization (such as the entity level, significant locations or business units, significant account balance or major process level)?
4. Does the fraud risk assessment include consideration of internal and external risk factors (including pressures or incentives, rationalizations or attitudes, and opportunities)?
5. Does the fraud risk assessment include the identification and evaluation of past occurrences and allegations of fraud within the entity and industry? Does it include the evaluation of unusual financial trends or relationships identified from analytical procedures or techniques?
6. Does the fraud risk assessment consider the risk of management's override of controls?
7. Does management consider the type, likelihood, significance, and pervasiveness of identified fraud risks?
8. Are fraud risk assessments updated periodically to include considerations of changes in operations, new information systems, acquisitions, changes in job roles and responsibilities, employees in new positions, results from self-assessments of controls, monitoring activities, internal audit findings, new or evolving industry trends, and revisions to identified fraud risks within the organization?
9. Does management assess the design and operating effectiveness of the fraud risk assessments?
10. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the fraud risk assessments?
11. Is the fraud risk assessment designed and operating effectively?

Control Environment

1. Does the company maintain a proper tone at the top? Did management assess the tone of the organization to determine if the culture encourages ethical behavior, consultation, and open communication? (This assessment can be made through anonymous cultural surveys, inquiries and interviews, or by internal audit review.)
2. Do the audit committee and the board of directors have sufficient oversight of management's antifraud programs and controls?
3. Does the internal audit function have sufficient involvement in antifraud programs and controls, including monitoring of the effectiveness of antifraud programs and controls, given the size and complexity of the organization? Does the internal audit function report directly to the audit committee?
4. Does the company have a published code of ethics/conduct (with provisions related to conflicts of interest, related-party transactions, illegal acts, and fraud) made available to all personnel, and does management require employees to confirm that they accept and agree to follow it? Does the frequency of exceptions undermine the code's effectiveness? Does the code comply with all applicable rules and regulations?
5. Does the company have an ethics/whistleblower hotline with adequate procedures to handle anonymous complaints (received from inside and outside the company), and to accept confidential submission of concerns about questionable accounting, internal accounting control, or auditing matters? Are tips and whistleblower complaints investigated and resolved in a timely manner?
6. Does the company have formal hiring and promotion standards, including background checks for those employees with influence over financial reporting or involved in the preparation of the financial statements?
7. Does the company have formal and effective training for employees and new hires on issues of fraud, ethics, and the code of ethics/conduct?
8. Does the company respond in a timely and appropriate manner to significant control deficiencies, allegations or concerns of fraud, and violations of the code of ethics/conduct?
9. Does management assess the design and operating effectiveness of the control environment?
10. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the control environment?
11. Is the control environment designed and operating effectively?

[6] SEC, Final Rule: Management's Reports on Internal Control, Section (II)(B)(3)(d).

Antifraud Control Activities

1. Does the company adequately map or link identified fraud risks to control activities designed to mitigate the fraud risks?
2. Does management design and implement preventative and detective controls (preventative controls are designed to stop fraud from occurring and detective controls are designed to identify the fraud if it occurs)?
3. Does the company have controls that restrain the misappropriation of company assets that could result in a material misstatement of the financial statements?
4. Does the company have controls that address the risk of management's override of controls (including controls over journal entries and adjustments, estimates, and unusual or nonroutine transactions)?
5. Does the company consider security controls (including IT controls and limited access to accounting systems), and consider the adequacy of fraud detection and monitoring activities utilizing information systems?
6. Does management assess the design and operating effectiveness of antifraud control activities?
7. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of antifraud control activities?
8. Are antifraud control activities designed and operating effectively?

Information & Communication

1. Is information on ethics and management's commitment to antifraud programs and controls effectively communicated throughout the organization to all employees?
2. Does management have procedures to disseminate and collect information regarding antifraud programs and controls, fraud risks, allegations of fraud, and concerns of improper accounting to and from all levels of the organization and external parties (where appropriate)?
3. Does management assess the design and operating effectiveness of information and communication?
4. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of information and communication?
5. Are procedures and activities for communicating information regarding antifraud programs and controls designed and operating effectively?

Monitoring Activities

1. Are internal audit and others actively involved in monitoring and assessing antifraud programs and controls?
2. Is the internal audit activity adequate for the size and operations of the organization?
3. Are findings and weaknesses identified during monitoring activities incorporated back into the fraud risk assessment, the design of the control environment, and antifraud control activities?
4. Does the audit committee have oversight of monitoring activities?
5. Does management assess the design and operating effectiveness of monitoring activities?
6. Does management adequately document its assessments and conclusions regarding the design and operating effectiveness of the monitoring activities?
7. Are monitoring and assessment activities designed and operating effectively?

Section 2 Example Implementation Plan: Performing Fraud Risk Assessments


There is no one standard method by which management may implement its fraud risk assessment. However, the fraud risk assessment is a critical step in addressing fraud risks within an organization and as such should be an area of significant focus for management. The following example implementation plan summarizes certain elements of the fraud risk assessment process described in COSO and SAS 99.

Step One: Evaluate Fraud Risk Factors


Fraud risk factors are those events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action (example fraud risk factors can be found in the Appendix of SAS 99). Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists. Personnel from various levels of the organization should be involved in this process, including management, internal audit, business process owners, IT management, and the audit committee. The audit committee should take an active role in the oversight of management's efforts to identify and consider fraud risk factors and can challenge management to verify that fraud risks are addressed. This step should involve an evaluation of the fraud risk factors that are present in the organization. This can be done through several different means, some of which may already be utilized by management in their consideration of internal controls. For example, if management has elected to assess the control environment through an anonymous survey, the results could also be used to evaluate the existence of fraud risk factors. The process should consider other fraud risk factors, including past frauds and allegations of fraud in the organization, frauds in the industry, unusual financial trends or relationships identified from analytical procedures, and the potential role weak IT controls could play in enabling fraudulent activity to occur. The process should consider fraud risk factors at the entity level and the significant process level.

Step Two: Identify Possible Fraud Schemes and Scenarios


This process should involve all appropriate personnel, including management, internal audit, IT management, and significant process owners, with oversight from the audit committee. This step involves a brainstorm of possible fraud schemes and scenarios that could result from the identified fraud risk factors. For example, if a company faces significant internal and/or external pressures to achieve revenue targets, the brainstorm should include the identification and consideration of scenarios and fraud schemes that could be perpetrated to manipulate revenues. Special consideration should be given to the risk of override of controls by management, such as (1) recording fictitious journal entries or adjustments, particularly those recorded close to the end of an accounting period, (2) intentionally biasing assumptions and judgments used to estimate account balances, and (3) entering into significant transactions that are outside of the entity's normal course of business and that lack economic substance. Consideration should also be given to past frauds and allegations of fraud within the organization and the industry. The identification of possible fraud schemes should be performed without consideration of the existence or effectiveness of internal controls.

Step Three: Prioritize Identified Fraud Risks


This step involves the evaluation of possible fraud schemes and includes the consideration of the following:
Type. The type of risk (i.e., a misappropriation of assets, fraudulent financial reporting, etc.).
Likelihood. The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements).
Significance. The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements).
Pervasiveness. The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions).
Emphasis should be given to those risks considered to be likely, significant, and/or pervasive.

Step Four: Evaluate Whether Mitigating Controls Exist or Are Effective


Management should determine whether there are controls already in place to sufficiently mitigate the identified fraud risks or if additional emphasis should be placed on existing controls. Where controls are not already present, management should consider the need to design and implement additional antifraud controls to specifically address the identified fraud risks. Management should map or link identified fraud risks to existing internal controls (including control environment, antifraud control activities, and monitoring activities), and document mitigating antifraud control activities related to the fraud risks.


Section 3 Sample Process


Presented below are two examples of the antifraud programs and controls process for two common fraud risks. The information is divided into two partsthe fraud risk assessment process, and the programs and controls designed to address the fraud risks identified during the fraud risk assessment. The programs and controls listed below are not intended to represent all of the possible programs and control activities that may address the identified fraud risk, but are shown as an example of activities that may address the identified fraud risk. Management should determine how to best document their fraud risk assessment and the programs and controls in place to address the risks, based on the company's facts and circumstances.

Inappropriate/Early Revenue Recognition


Fraud Risk Assessment

Performed by management, internal audit, IT management, and significant process owners, with oversight from the audit committee. Considered internal and external environmental factors (including pressures or incentives, rationalization, and opportunity). Identified fraud risks at relevant levels and locations within the organization.

Significant Account or Cycle: Revenue

Fraud Risk: Inappropriate/early revenue recognition

Cause of Fraud: Existence of undisclosed sales terms or conditions

Fraud Elements (What it might look like): Terms granted to the customer that are:
- Disclosed on the purchase order but not in the order entry system
- Disclosed on sales negotiation documents only
- Provided in side letters, e-mails, or orally

May Involve:
- Sales Manager
- Sales Representative
- Sales finance personnel (divisional controller, order entry clerk, credit manager, etc.)
- Inventory Manager
- General Counsel
- Management (CEO, CFO, etc.)
- Customer
- Any combination of the above (one, some, or all)

Significance (High, Medium, Low): High. The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements).

Likelihood (High, Medium, Low): High. The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements).

Pervasiveness: Risk is related to revenue and A/R accounts. The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions).


Inappropriate/Early Revenue Recognition (continued)


Programs and Controls

Control Environment Activities
- Regular ethics training/policies/adherence
- Published code of ethics/conduct with provisions related to fraud and ethical behavior
- Formal hiring and promotion standards
- Tone at the top, including proper attitudes towards controls and corporate compliance
- Responsiveness to Internal Audit processes and findings
- Sales practices training

Control Activities
- Regular review of all sales contracts, with a focus on unusual terms and conditions, and a comparison to actual practices
- Confirmation/verification by sales personnel of the completeness and accuracy of recorded sales terms or conditions
- Regular review of A/R aging with a focus on overdue receivables
- Segregation of duties (sales and credit/order entry functions)
- Application controls to prohibit further processing without necessary approvals
- System of authorization and approval of transactions for sales and write-offs
- Where appropriate, standardization of sales terms and conditions

Information and Communication
- A system for effective knowledge management to collect and communicate appropriate information pertaining to revenue fraud risks and antifraud programs and controls

Monitoring Activities
- Internal Audit confirms directly with customers the amount of sales, as well as items such as the payment due date, the details of any rights of return, unrecorded terms and conditions, and any outside agreements not contained in the original written agreement
- Regular review of days sales outstanding and comparison to company norms or industry averages
- Regular review of significant quarter-end or year-end sales for unusual pricing, billing, delivery, return, exchange, or acceptance clauses
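The monitoring activities above (cutoff review of quarter-end sales, comparison of purchase-order terms with what order entry captured, concentration of sales in the last days of the period, and a days-sales-outstanding comparison) can be run as analytics over a sales ledger export. The following is an added example and not part of the original document; the ledger layout, the thresholds, the ending A/R balance, the prior-period DSO and the invoice data are all constructed assumptions for illustration.

```python
"""Analytics over a sales ledger for early or inappropriate revenue recognition.

Added example, not from the original document. It turns four of the control
and monitoring activities listed above into code: a shipping-date cutoff test,
a comparison of purchase-order terms with order-entry terms, a quarter-end
concentration check and a days-sales-outstanding (DSO) comparison. The ledger
layout, the thresholds and the sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample ledger for Q1 2004 (assumed data, not from any real system).
# invoice_id|customer|invoice_date|ship_date|amount|po_terms|system_terms
SAMPLE_LEDGER = """\
INV-301|Acme|2004-02-10|2004-02-09|40000.00|net30|net30
INV-302|Beta|2004-03-05|2004-03-04|55000.00|net30|net30
INV-303|Gamma|2004-03-29|2004-03-29|90000.00|net30;right_of_return|net30
INV-304|Delta|2004-03-31|2004-04-02|120000.00|net60|net60
INV-305|Acme|2004-03-31|2004-03-31|60000.00|net30|net30
"""
PERIOD_START, PERIOD_END = date(2004, 1, 1), date(2004, 3, 31)
ENDING_AR = 300_000.0        # assumed quarter-end accounts receivable balance
PRIOR_DSO = 45.0             # assumed DSO for the comparable prior period


@dataclass
class Invoice:
    invoice_id: str
    customer: str
    invoice_date: date
    ship_date: date
    amount: float
    po_terms: set
    system_terms: set


def parse_ledger(text):
    """Parse the pipe-delimited export into Invoice records."""
    rows = []
    for line in text.strip().splitlines():
        iid, cust, inv, ship, amt, po, sys_ = line.split("|")
        rows.append(Invoice(iid, cust, date.fromisoformat(inv), date.fromisoformat(ship),
                            float(amt), set(po.split(";")), set(sys_.split(";"))))
    return rows


def cutoff_exceptions(invoices, period_end):
    """Invoices recorded in the period whose goods shipped after it (held-open period)."""
    return [i.invoice_id for i in invoices
            if i.invoice_date <= period_end and i.ship_date > period_end]


def undisclosed_terms(invoices):
    """Terms on the customer's purchase order that never reached order entry."""
    return {i.invoice_id: sorted(i.po_terms - i.system_terms)
            for i in invoices if i.po_terms - i.system_terms}


def period_end_concentration(invoices, period_start, period_end, window_days=3):
    """Share of the period's revenue invoiced in the last window_days days."""
    in_period = [i for i in invoices if period_start <= i.invoice_date <= period_end]
    total = sum(i.amount for i in in_period)
    window_start = period_end - timedelta(days=window_days - 1)
    late = sum(i.amount for i in in_period if i.invoice_date >= window_start)
    return late / total if total else 0.0


def days_sales_outstanding(ending_ar, period_revenue, days_in_period):
    """DSO = ending A/R divided by period revenue, scaled to days in the period."""
    return ending_ar / period_revenue * days_in_period if period_revenue else 0.0


def review_quarter(invoices, period_start, period_end, ending_ar, prior_dso,
                   concentration_limit=0.40, dso_drift_limit=0.20):
    """Combine the checks into one findings dictionary for the reviewer."""
    in_period = [i for i in invoices if period_start <= i.invoice_date <= period_end]
    revenue = sum(i.amount for i in in_period)
    days = (period_end - period_start).days + 1
    concentration = period_end_concentration(invoices, period_start, period_end)
    dso = days_sales_outstanding(ending_ar, revenue, days)
    return {
        "cutoff_exceptions": cutoff_exceptions(invoices, period_end),
        "undisclosed_terms": undisclosed_terms(invoices),
        "period_end_concentration": concentration,
        "concentration_flag": concentration > concentration_limit,
        "dso": dso,
        "dso_flag": prior_dso > 0 and (dso - prior_dso) / prior_dso > dso_drift_limit,
    }


def review_sample():
    """Run the review over the constructed ledger with its assumed balances."""
    return review_quarter(parse_ledger(SAMPLE_LEDGER), PERIOD_START, PERIOD_END,
                          ENDING_AR, PRIOR_DSO)


if __name__ == "__main__":
    for key, value in review_sample().items():
        print(f"{key}: {value}")
```

On the constructed data the review flags INV-304 (invoiced on the last day of the quarter but shipped after it), INV-303 (a right of return on the purchase order that order entry never recorded), a quarter-end concentration of roughly 74 percent of revenue in the last three days, and a DSO well above the assumed prior period. None of these is proof of fraud; each is a lead for the contract review and customer confirmations listed above.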


Management Override of ControlsImproper Journal Entries or Adjustments


Fraud Risk Assessment

Performed by management, internal audit, IT management, and significant process owners, with oversight from the audit committee. Considered internal and external environmental factors (including pressures or incentives, rationalization, and opportunity). Identified fraud risks at relevant levels and locations within the organization.

Significant Account or Cycle: Financial closing and reporting

Fraud Risk: Override of controls for journal entries or adjustments resulting in misstated financial statements

Cause of Fraud: Management directs or is involved in journal entries or adjustments to manipulate operating results

Fraud Elements (What it might look like): Journal entries and/or adjustments are recorded to improperly:
- Increase revenues or income
- Decrease cost of sales or expenses
- Manipulate account balances to comply with debt covenants, achieve financial targets or budgets, reduce or hide liabilities, misstate assets, etc.

May Involve:
- CEO
- CFO
- General Counsel
- General/Divisional Managers
- Corporate/Divisional Controllers
- Any combination of the above (one, some, or all)

Significance (High, Medium, Low): High. The significance of the risk (i.e., whether it is of a magnitude that could result in a possible material misstatement of the financial statements).

Likelihood (High, Medium, Low): High. The likelihood of the risk (i.e., the likelihood that it will result in a material misstatement in the financial statements).

Pervasiveness: Pervasive throughout the financial statements. The pervasiveness of the risk (i.e., whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions).

Paragraph 42 of SAS 99 states, Even if specific risks of material misstatement due to fraud are not identified by the auditor, there is a possibility that management override of controls could occur, and accordingly, the auditor should address that risk apart from any conclusions regarding the existence of more specifically identifiable risks. The risk of management override increases the likelihood of fraud and the likelihood that it will result in a material misstatement in the financial statements.


Management Override of ControlsImproper Journal Entries or Adjustments (continued)


Programs and Controls

Control Environment Activities
- Active oversight from the audit committee
- Regular ethics training/policies/adherence
- Published code of ethics/conduct with provisions related to fraud
- Formal hiring and promotion standards (with background checks for those with significant influence over financial reporting)
- Tone at the top, including attitudes towards controls and corporate compliance

Control Activities
- Segregation of duties and required approvals: journal entries and adjustments require two signatures, including proper approvals, before posting
- Application controls to prohibit further processing without necessary approvals
- Required supporting documentation for all nonsystematic/manual journal entries
- General computer controls limiting access to the general ledger system and recording the names of individuals who initiate and/or approve nonsystematic/manual journal entries

Information and Communication
- A system for effective knowledge management to collect and communicate appropriate information pertaining to the risk of management override of controls and antifraud programs and controls

Monitoring Activities
- Identify and evaluate the appropriateness of unusual or nonroutine journal entries (consider utilizing computer-assisted techniques to identify unusual or nonroutine entries)
- Regular review of ethics/whistleblower complaints with allegations or concerns of improper ethical behavior by management or improper financial reporting
- Regular review of financial results, including analytics and financial ratios, with a comparison to company norms or industry averages
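The computer-assisted technique mentioned under Monitoring Activities can be as simple as a screen over the general ledger's manual journal entry export that tests each entry against the control activities listed above: a second approver, no self-approval, a supporting document reference, initiator and approver names recorded by the system, and attention to entries dated close to period end or posted after the close. The script below is an added example and not part of the original document; the export layout, the user-to-role mapping, the thresholds and the five sample entries are constructed assumptions, and real ledger exports will need their own parser.

```python
"""Screen manual journal entries for management-override red flags.

Added example, not from the original document: a small computer-assisted
screen of the kind suggested under Monitoring Activities above. The export
format, user-role mapping and thresholds are assumptions for illustration;
real general ledger exports differ.
"""
from dataclasses import dataclass, field
from datetime import date, datetime

# Constructed sample export of manual (nonsystematic) journal entries.
# je_id|effective_date|posted_at|entered_by|approved_by|account|amount|support_ref|description
SAMPLE_JE_EXPORT = """\
JE-1001|2004-03-15|2004-03-15T10:12:00|aclerk|dcontroller|6100-Rent|12450.33|INV-5531|March rent accrual
JE-1002|2004-03-31|2004-03-31T23:48:00|dcontroller|dcontroller|4000-Revenue|500000.00||Q1 revenue true-up
JE-1003|2004-03-31|2004-04-03T19:05:00|cfo|ceo|2200-Warranty reserve|-250000.00||Release warranty reserve
JE-1004|2004-03-20|2004-03-20T09:30:00|aclerk|dcontroller|5000-COGS|8731.17|PO-1182|Freight reclass
JE-1005|2004-03-30|2004-03-30T17:40:00|bclerk||1300-Inventory|75000.00|CC-0330|Cycle count adjustment
"""
PERIOD_END = date(2004, 3, 31)                   # assumed quarter end for the sample

EXECUTIVE_USERS = {"ceo", "cfo"}                 # assumed mapping of user IDs to senior management
ROUND_AMOUNT_THRESHOLD = 100_000                 # assumed floor for a "large round amount"
PERIOD_END_WINDOW_DAYS = 2                       # entries effective in the last two days of the period
SENSITIVE_ACCOUNT_WORDS = ("revenue", "reserve", "allowance", "accrual")


@dataclass
class JournalEntry:
    je_id: str
    effective_date: date
    posted_at: datetime
    entered_by: str
    approved_by: str
    account: str
    amount: float
    support_ref: str
    description: str
    flags: list = field(default_factory=list)


def parse_export(text):
    """Parse the pipe-delimited export into JournalEntry records."""
    entries = []
    for line in text.strip().splitlines():
        je_id, eff, posted, by, appr, acct, amt, ref, desc = line.split("|")
        entries.append(JournalEntry(je_id, date.fromisoformat(eff),
                                    datetime.fromisoformat(posted), by, appr,
                                    acct, float(amt), ref, desc))
    return entries


def screen(entries, period_end):
    """Attach red flags to each entry and return only the flagged entries."""
    flagged = []
    for e in entries:
        # Segregation of duties: two different people must touch every manual entry.
        if not e.approved_by:
            e.flags.append("no_approver")
        elif e.approved_by == e.entered_by:
            e.flags.append("self_approved")
        # Senior management initiating or approving entries directly.
        if e.entered_by in EXECUTIVE_USERS or e.approved_by in EXECUTIVE_USERS:
            e.flags.append("executive_involved")
        # Entries effective close to period end.
        days_to_end = (period_end - e.effective_date).days
        if 0 <= days_to_end < PERIOD_END_WINDOW_DAYS:
            e.flags.append("period_end_entry")
        # Posted after the period closed but dated back into it.
        if e.posted_at.date() > period_end and e.effective_date <= period_end:
            e.flags.append("post_close_backdated")
        # Large round amounts are typical of top-side adjustments, not transactions.
        if abs(e.amount) >= ROUND_AMOUNT_THRESHOLD and abs(e.amount) % 10_000 == 0:
            e.flags.append("large_round_amount")
        # Required supporting documentation is missing.
        if not e.support_ref:
            e.flags.append("no_support")
        # Accounts most likely to be used to manipulate reported results.
        if any(w in e.account.lower() for w in SENSITIVE_ACCOUNT_WORDS):
            e.flags.append("sensitive_account")
        if e.flags:
            flagged.append(e)
    # Most flags first, so the reviewer reads the riskiest entries first.
    flagged.sort(key=lambda x: len(x.flags), reverse=True)
    return flagged


def screen_sample():
    """Run the screen over the constructed export with its assumed period end."""
    return screen(parse_export(SAMPLE_JE_EXPORT), PERIOD_END)


if __name__ == "__main__":
    for e in screen_sample():
        print(f"{e.je_id} {e.amount:>12,.2f} {e.account:<24} {', '.join(e.flags)}")
```

The output is a ranked worklist, not a verdict: the constructed reserve release entered by the CFO, approved by the CEO, posted three days after the close with no support reference comes out on top, and the routine rent accrual never appears. In practice the screen is only as good as the ledger's logging of initiator and approver, which is why the general computer controls listed above (restricted access and a tamper-evident record of who posted and approved) are the precondition for this kind of monitoring.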


Section 4 Sample Listing of Fraud Schemes


The following listing of possible fraud schemes can be utilized by management and auditors to assist in identifying possible fraud risks, scenarios, and schemes when performing or evaluating management's fraud risk assessments. The listing of fraud schemes is not intended to be a complete listing of all possible fraud schemes for all industries.

Fraudulent Financial Reporting Schemes


Improper Revenue Recognition

Side Agreements: Sales terms and conditions may be modified, revoked, or otherwise amended outside of the recognized sales process or reporting channels and may impact revenue recognition. Common modifications may include granting of rights of return, extended payment terms, refund, or exchange. Sellers may provide these terms and conditions in concealed side letters, e-mails, or in verbal agreements in order to recognize revenue before the sale is complete. In the ordinary course of business, sales agreements can be and often are legitimately amended, and there is nothing wrong with giving purchasers a right of return or exchange, as long as revenue is recognized in the proper accounting period with appropriate reserves established.

Roundtrip Transactions: Recording transactions that occur between two or more companies for which there is no business purpose or economic benefit to the companies involved. These transactions are often entered into for the purpose of inflating revenues or creating the appearance of strong sales growth. Transactions may include sales between companies for the same amount within a short time period, or they may involve a loan to or investment in a customer so that the customer has the ability to purchase the goods. Cash may change hands, but payment alone does not legitimize the transaction or justify the recognition of revenue if there is no underlying business purpose or economic benefit for the transactions.

Bill and Hold: A bill and hold transaction takes place when products have been booked as a sale but delivery and transfer of ownership have not occurred as of the date the sale is recorded. The transaction may involve a legitimate sales or purchase order; however, the customer is not ready, willing, or able to accept delivery of the product at the time the sale is recorded. Sellers may hold the goods in their own facilities or may ship them to different locations, including third-party warehouses.

Altering Shipping Documentation: By creating phony shipping documentation, a company may falsely record sales transactions and improperly recognize revenue. By altering shipping documentation (commonly changing shipment dates and/or terms), a company can increase revenue in a specific accounting period regardless of the facts and circumstances indicating that the transaction and the resulting revenue should have been recorded in the subsequent accounting period.

Agreements to Sell-Through Product: These sales agreements include contingent terms that are based on the future performance of the buyer of the goods (commonly distributors or resellers) and impact revenue recognition for the seller. These contingent terms may or may not be included in the sales agreements and may be provided in side agreements. Sell-through agreements are similar to consignment sales and can involve shipment of goods to a party who agrees to sell them to third parties. A sale is not considered to have taken place (and therefore revenue should not be recorded) until the goods are sold to a third party (a customer or end user) with no additional contingent sales terms.

Up-Front Fees: Some sales transactions require customers to pay up-front fees for services that will be provided over an extended period of time. Companies may attempt to recognize the full amount of the contract or the amount of the fees received before the services are performed (and before revenue is earned). In some instances, the scheme may involve the falsification or modification of accounting records (e.g., purchase orders, invoices, and sales contracts).

Holding Accounting Periods Open: Improperly holding accounting records open beyond the end of an accounting period can enable companies to record, in the current accounting period, additional transactions that occur after the end of the reporting period. This scheme commonly involves recording sales and/or cash receipts that occur after the end of the reporting period in the current period. Schemes sometimes include falsification or modification of accounting documentation (dates on shipping documents, purchase orders, bank statements, cash reconciliations, cash receipt journals, etc.) in an attempt to cover the trail of the fraud.

Failure to Record Sales Provisions or Allowances: Some sales transactions require companies to record provisions or reductions to gross sales amounts (e.g., to account for future sales returns). By failing to record sales provisions or reductions, companies can improperly overstate revenues. The scheme may involve the falsification or modification of accounting records in an attempt to hide the terms or conditions that may require the sales reduction (e.g., purchase orders, invoices, and sales contracts).

Inventory Schemes

Inflating the Value of Inventory: Inventory valuations can be manipulated in a number of ways, including moving inventory between locations to fictitiously inflate inventory quantities, postponing and under-reporting write-downs and reserves for obsolescence, manipulating unit valuations applied to on-hand inventories, and improper inventory capitalization.

Off-Site or Fictitious Inventory: Companies may create inventory by falsifying journal entries, receiving and shipping reports, purchase orders, or cycle counts. Companies may participate in these schemes to decrease cost of sales as a percentage of sales or maintain inventory balances for debt covenants or other reasons.

Other Financial Reporting Schemes


Fraudulent Audit Confirmations: Fraudulent audit confirmations can impact all types of accounts or transactions that are confirmed with third parties (sales, cash, accounts receivable, debt, liabilities, etc.). Schemes may involve collusion with third parties who receive the audit confirmations or may involve the company providing the auditors with false contact information (false mailing addresses, fax numbers, phone numbers, etc.) so that confirmations are diverted to co-conspirators involved in the scheme.

Refreshed Receivables: In order to mask rising accounts receivable balances (including known or suspected uncollectible balances) while avoiding an increase in the bad debt provision, a company may refresh the aging of receivables and improperly represent A/R balances as being current in nature instead of showing the true age of the receivables. This may occur through exchange transactions with customers, where customers receive credits to their accounts and are allowed to repurchase goods while little, if any, physical transfer of merchandise occurs. Some schemes may simply modify or edit the dates of invoices in the A/R system, which restarts the aging process for the modified receivables. Schemes may involve the falsification or improper modification of accounting documentation (invoices, purchase orders, change orders, shipping reports, etc.) to cover up the fraud scheme.

Promotional Allowance Manipulations: Promotional allowances may be provided as rebates, incentives, or other credits to buyers/customers as an incentive to purchase products. Allowances may take the form of volume discounts, reimbursements for special handling, co-advertising reimbursements, slotting fees, etc. Often promotional allowances are based on future events (such as purchase volumes over a specified period of time, future advertising costs, etc.) and require considerable estimates that may be manipulated or biased. Some schemes involve the early recognition of revenue on up-front fees collected or the failure to accrue for rebates or credits that are likely to be earned by the buyer. Other fraud schemes involve fraudulent financial reporting and the misclassification of credits on the income statement.

Adjustments to Estimates: Estimates are common throughout the accounting process and can be manipulated to impact revenues, expenses, asset valuations, and/or liabilities. Management is often in a position where it can influence or bias estimates. Common fraud schemes involve the reduction of accruals or reserves in order to increase earnings in the current period, and may involve the earlier creation of excess reserves or "cookie-jar" reserves when the company was in a financial position to create a cushion against future losses.

Off-Balance-Sheet Entities and Liabilities: Some schemes involve the use of off-balance-sheet vehicles or special purpose entities to conceal liabilities. Off-balance-sheet vehicles may be allowable under GAAP; however, some schemes are designed to utilize these entities or transactions to conceal debt and misstate liabilities on the balance sheet, and may have an income statement impact as well.

Improper Asset Valuations: There is often a direct relationship between the overstatement of assets and the inflation of earnings. Many fraud schemes involve the hiding or misplacement on the balance sheet of debits that should be recorded on the income statement. These debits are often improperly recorded as assets or as a reduction to existing liabilities. Overvaluing assets is often considered a relatively simple way to directly manipulate reported earnings.

Phony Investment Deals: Designed to overstate assets and earnings, these schemes can deliberately overstate existing investments or create fictitious investments. Investments may also be intentionally misclassified, resulting in the improper recognition of gains or failure to recognize losses. Other schemes are designed to hide or defer losses from sales or permanent write-downs from impairments.

Improper Capitalization of Expenses: Capital expenditures are costs that benefit the company over more than one accounting period, and accordingly the expenditures should be amortized over the life of the asset. Companies may improperly capitalize certain expenditures in order to avoid recognizing the full amount of the expense in the current period. Expenses may be capitalized into various asset accounts, and may include software development costs, research and development costs, start-up costs, interest costs, advertising costs, inventory and labor costs, etc.

Adding Back Outstanding Checks to Cash: Cash reconciliations can be manipulated in order to inflate ending cash balances. Some schemes are accomplished with one reconciling item or adjustment on the reconciliation; others involve selecting and removing specific checks from the outstanding check register.

Unjustified Consolidation Entries: Some schemes occur during the financial closing and consolidation process and involve unjustified or fictitious consolidation entries. Often there is limited accounting documentation or explanation for consolidation entries and activities.

Intercompany Manipulations: Similar to other accounting schemes involving consolidations, intercompany manipulations may have limited documentation or explanation for intercompany entries and activities. Schemes may over- or understate balances or may involve the creation of fictitious transactions.

Related Parties That Create Transactions: Related-party transactions are made with entities that are controlled or influenced by the company. Schemes may involve improper or inadequate disclosure of transactions, or more elaborate schemes to create fictitious transactions between entities, often with the intent to increase reported revenues or assets.

Disclosure Frauds: Fraudulent disclosures may include providing false information or the failure to disclose required information. Schemes may involve a company's failure to disclose certain transactions with related parties, material asset impairments, unrecorded liabilities, or accounting practices that violate GAAP.

Misappropriation of Assets

Skimming of Cash: Skimming schemes often involve the sales cycle, where employees embezzle by not recording the sale or the full amount of the cash collected. A typical skimming scheme might involve a retail store where an employee collects cash from a customer, pockets the money, and avoids recording the transaction in the point-of-sale system. Other skimming schemes are not limited to cash transactions and may involve diverting customer checks.

Fraudulent Disbursements: Schemes may include billing schemes, procurement fraud, theft of company checks, payroll and ghost employee schemes, and expense reimbursement schemes. A common procurement scheme is to set up phony vendors or suppliers in the accounts payable system or to approve payments for services that are received by the employee or a co-conspirator. Payroll schemes can include falsification of hours worked, creation of fictitious employees, failure to remove employees who have left the company, and the diversion of payments to employees or co-conspirators.

Other Fraud Schemes


Bribery, Corruption, & Kickbacks: Corruption and bribery may take a variety of forms within an organization and may include such items as vendors paying gratuities to buyers to secure sales, buyers paying premiums to vendors because of a buyer's personal relationships, payments to shell companies for "soft" services that are not actually rendered, payment terms structured to avoid proper approval signatures, or the same vendor appearing in the payables system under several names as a method of making duplicate payments. Schemes may also involve preferred service providers who are willing to pay kickbacks to individuals for the company's business. The Foreign Corrupt Practices Act (FCPA) prohibits payments to foreign government officials to obtain or retain business and requires issuers to keep accurate books and records and to maintain internal accounting controls.

Money Laundering: Money laundering is the process of concealing the source of illegally obtained money. This process is of critical importance to the perpetrator, as it enables the criminal to enjoy profits without revealing their source. Activities may involve disguising the sources, changing the form, or moving the funds to a place where they are less likely to attract attention. Laundered profits may come from embezzlement, insider trading, bribery, computer fraud schemes, illegal arms sales, smuggling, and the activities of organized crime.


Section 5 Antifraud Programs & Controls Steps and Considerations


This section discusses steps and considerations for management in relation to the risk of fraud and antifraud programs and controls. In preparing this section, the following sources have been referenced:
- SEC, Final Rule: Management's Reports on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports
- PCAOB Auditing Standard No. 2, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements
- SAS 99, Consideration of Fraud in a Financial Statement Audit
- SAS 99 Exhibit, Management Antifraud Programs and Controls
- Committee of Sponsoring Organizations of the Treadway Commission, Internal Control: Integrated Framework
- United States Sentencing Commission, Guidelines Manual

The five components of the COSO framework are interrelated, and the process of implementing and updating antifraud programs and controls is iterative in nature. Truly effective antifraud programs are dynamic: the information obtained through the monitoring process is fed back into the risk assessment and the entire process begins anew.

Antifraud Programs and Controls Steps and Considerations


Each of the five COSO components is discussed in the context of:
- scope and objectives
- participants and responsibilities
- elements and design
- management assessments
- examples of common documentation

The evaluation of deficiencies in antifraud programs and controls is part of management's overall assessment of internal control. Management should assess the design and operating effectiveness of antifraud programs and controls and provide sufficient documentation of its programs, assessments, and conclusions, including the identification of any deficiencies. As with other internal control deficiencies, management and the auditor should evaluate the significance of such deficiencies.


1. Performing Fraud Risk Assessments


Scope & Objectives
Fraud risk assessments should be performed at all appropriate levels within the organization, including:
- the entity level, which should consider internal and external factors and pressures on the organization
- the significant account balance level; dealing with risks at this level helps focus fraud risk assessments on accounts that could be materially misstated
- significant locations or business units, as fraud risks commonly differ from location to location due to differing operations, organizational structures, culture, etc.

The fraud risk assessment should consider collusive fraud and the risk of management's override of controls. Collusive fraud occurs when two or more individuals within and/or outside the entity conspire to circumvent or override internal control activities. Collusive fraud often is not identified through traditional testing techniques. Consideration should also be given to the risk of management's override of controls, as management typically has the ability to commit fraud because it frequently is in a position to directly or indirectly manipulate accounting records. Management override of controls can occur in unpredictable ways.

in new positions, results from self-assessments of controls, monitoring activities, internal audit findings, new or evolving industry trends, and revisions to identified fraud risks within the organization or industry.

Management should identify events or conditions that indicate incentives/pressures to perpetrate fraud, opportunities to carry out the fraud, or attitudes/rationalizations to justify a fraudulent action. Such events or conditions are referred to as fraud risk factors. Fraud risk factors do not necessarily indicate the existence of fraud; however, they often are present in circumstances where fraud exists and can help identify potential fraud risks.

Incentives/Pressures: Pressure may be real or perceived. Pressure is usually created by circumstances the perpetrator is either subject to or perceives him/herself to be subject to (e.g., personal financial pressures such as a spouse who loses a job, or market pressures to meet financial targets or goals). There may also be incentives that increase the likelihood of fraud (e.g., management's bonus structure based on achievement of financial targets).

Attitudes/Rationalizations: The process by which a person committing a fraud legitimizes or justifies the crime is rationalization. This often includes an attitude or feeling of entitlement and/or a belief that the company can afford it. For example, a perpetrator may rationalize a theft by saying "the company makes millions, it won't miss a few thousand and I really need the money," or "by making our numbers nobody will be laid off."

Opportunities: Opportunities to commit fraud can manifest themselves in different ways. If internal controls surrounding financial reporting or the safeguarding of assets are inadequate, it may be relatively easy for a perpetrator to record fraudulent transactions or steal assets. Some employees (often within management) may be in a position to override controls, which may create opportunities to commit fraud. There is another consideration for opportunities that is often overlooked: a low perception of detection, or meaningless consequences for inappropriate behavior within the organization, may allow for greater opportunities for fraud to occur than if there is the deterrent of a high likelihood of detection and severe consequences. Further, collusion may enable perpetrators to bypass existing controls, rendering those controls ineffective. Most traditional internal preventative controls are not effective at addressing collusive fraud. Collusive fraud is generally found by detective controls coupled with an understanding of the business and operating environment.

The Appendix to SAS 99 provides examples of fraud risk factors that management may consider as part of the fraud risk assessment. Management should also consider additional fraud risk factors such as known frauds within the industry and organization and past allegations or suspicions of fraud. The consideration

Participants & Responsibilities


Management has the primary responsibility for performing fraud risk assessments. Historically, most material frauds have often been directed in part by management and detected by employees and those responsible for corporate governance at other levels in the organization. It is therefore critical that employees outside of management are involved in the fraud risk assessment. It is important that the fraud risk assessment include business process owners or those who have significant knowledge, control, or influence over the activities within a significant business process or cycle. The audit committee (or the board of directors where no audit committee exists) should evaluate managements identification of fraud risks, and should have an active role in the oversight of the fraud risk assessment process. IT management should participate, as some fraud schemes are enabled by the disabling or circumventing of information system controls. Additionally, internal audit should have an active role in the development, monitoring, and ongoing evaluation of fraud risk assessments.

Elements & Design


A formal fraud risk assessment should be performed, documented, and updated periodically. Updates should include considerations of changes in operations, new information systems, acquisitions, changes in job roles and responsibilities, employees
8

SAS 99, paragraph 8.

19

of fraud risk factors is critical, as risk factors lead to fraud risks that need to be considered when implementing control activities and programs. Management should evaluate fraud risk factors, brainstorm possible fraud schemes and scenarios that could result from the fraud risk factors, and evaluate the fraud schemes and scenarios to identify those that should be considered fraud risks. Paragraph 40 of SAS 99 states: the identification of a risk of material misstatement due to fraud involves the application of professional judgment and includes the consideration of the attributes of the risk, including: the type of risk that may exist, that is, whether it involves fraudulent financial reporting or misappropriation of assets the significance of the risk, that is, whether it is of a magnitude that could lead to result in a possible material misstatement of the financial statements the likelihood of the risk, that is, the likelihood that it will result in a material misstatement in the financial statements the pervasiveness of the risk, that is, whether the potential risk is pervasive to the financial statements as a whole or specifically related to a particular assertion, account, or class of transactions Although the intent of the process is not to identify insignificant risks (i.e., immaterial theft of office supplies), it should be noted that inappropriate behavior may be indicative of broader issues in the control environment. Also, Section 302 of Sarbanes-Oxley requires disclosure of any fraud whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls. The fraud risk assessment should be performed without consideration of the existence or effectiveness of internal controls. Fraud risks should be identified, documented, and evaluated before management determines if existing control activities sufficiently mitigate the identified fraud risk. 
Later during the design and implementation of antifraud control activities, identified fraud risks should be mapped or linked to antifraud control activities to ensure that all identified fraud risks are sufficiently mitigated.

external auditors identify fraud risks that the organization had not previously identified

Examples of Common Documentation


The purpose of the documentation is to provide evidence of the existence of the program and managements processes to identify fraud risks. Documentation should be sufficient for auditors to understand how management implemented the program and their conclusions regarding the design and operating effectiveness of the fraud risk assessment. Documentation related to fraud risk assessments may include the following: periodic updates including the consideration of past frauds, fraud risks, and involvement of appropriate employees oversight and review of the fraud risk assessment process by management and the audit committee participation by internal audit, including testing of effectiveness of the risk assessment process and internal controls managements evaluation of fraud risk factors to determine which risk factors are identified as fraud risks managements assessment and conclusions regarding the design and operating effectiveness of the fraud risk assessment

2. Creating a Control Environment


Scope & Objectives
The control environment should be pervasive throughout the organization in actions as well as in words and should permeate down to all levels of the organization. The control environment should create and maintain a culture of honesty; set high ethical standards; promote ethical behavior; provide discipline for violations of the code of ethics/conduct; set an appropriate tone for the entitys attitudes toward fraud and fraud prevention; and promote controls to prevent, deter, and detect fraud.

Participants & Responsibilities


Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), are primarily responsible for creating the control environment. The audit committee and board of directors should be independent of management and actively involved in the creation, communication, and oversight of the control environment. The internal audit function also has an important role in the control environment and should have an independent reporting line directly to the audit committee. Employees are also participants in the control environment as they should embrace and support the programs and controls and report suspicions of fraud and provide insights into the tone of the organization during cultural assessments.

Management Assessments
Management should evaluate the design and operating effectiveness of the fraud risk assessment process and document its conclusions. Examples of situations or circumstances that may indicate that fraud risk assessments are not operating effectively include: the audit committee and internal audit involvement is insufficient frauds that have occurred indicate that the fraud risk assessment process is ineffective

20

Elements & Design

Tone at the top
The control environment should include a proper tone at the top, which includes a culture and work environment that promotes open communication, consultation, and ethical behavior. Management should consider taking reasonable steps to evaluate the culture of the organization to ensure that a proper tone at the top exists. Assessments may include inquiry by management or internal audit, or may involve anonymous surveys or other means to gain insight into the tone of the organization. A proper tone at the top encourages ethical behavior as well as the development of and compliance with antifraud activities, such as controls restraining fraudulent financial reporting and the misappropriation of company assets that could result in a material misstatement of the financial statements. Management should design controls to safeguard assets, deter defalcations and misappropriations of assets, and restrain other inappropriate uses of company assets (such as unauthorized cash payments, improper use of company assets or services, and misuse or theft of intangibles, including intellectual property). There may be situations where an employee defalcation, however small, may be considered a red flag or indicative of broader issues, including a culture of rationalization. Because of the importance of the tone at the top and management's influence on the organization, Section 302 of the Sarbanes-Oxley Act of 2002 requires the signing officers to disclose to the issuer's auditors and the audit committee of the board of directors any fraud, whether or not material, that involves management or other employees who have a significant role in the issuer's internal controls.

Oversight by the audit committee and board of directors
The audit committee has the responsibility to:
- monitor the financial reporting process
- oversee the internal control system and antifraud programs and controls
- oversee the internal audit and independent public accounting functions
- report findings to the board of directors

The audit committee should understand its role of ensuring that the organization has antifraud programs and controls in place to help prevent, detect, and deter fraud. It should take an active role in the oversight of management's efforts to design and implement internal controls, including antifraud programs and controls, and should challenge management to ensure that fraud risks are identified during risk assessments and that appropriate control activities are designed and monitored to mitigate those fraud risks.

The audit committee should ensure that the organization has implemented an effective ethics and compliance program, and that it is periodically tested. Since the occurrence of significant fraud can frequently be attributed to an override of internal controls by management (and others), the audit committee plays an important role in ensuring that internal controls address the appropriate risk areas and are functioning as designed. Given the importance of the audit committee's oversight role with regard to antifraud programs and controls, PCAOB Auditing Standard No. 2 notes that ineffective oversight by the audit committee may be a strong indicator that a material weakness exists in internal control over financial reporting.[9]

Internal audit involvement
An effective internal audit function can be extremely helpful in the design, implementation, and oversight of antifraud programs and controls. Internal auditors have the opportunity to identify and evaluate fraud risks and controls and to recommend actions to mitigate risks and improve controls. Internal audits can serve to both detect and deter fraud by examining and evaluating the adequacy and effectiveness of the system of internal control. Internal auditors may conduct proactive auditing to search for corruption, misappropriation of assets, and financial statement fraud. Internal auditors should have an independent reporting line directly to the audit committee to enable them to express any concerns about management's commitment to appropriate internal controls or to report suspicions or allegations of fraud involving senior management.[10] PCAOB Auditing Standard No. 2 notes that an ineffective internal audit function should be regarded as at least a significant deficiency in internal control over financial reporting.[11]

Code of ethics/conduct
A code of ethics/conduct should have provisions related to conflicts of interest, related-party transactions, illegal acts, and the monitoring of the code by management and the audit committee or board. Section 406 of the Sarbanes-Oxley Act of 2002 and the SEC's Final Rule, Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002,[12] require a registrant to disclose whether it has adopted a code of ethics and, if it has not, to explain why. The NYSE and NASDAQ rules also require the adoption and public disclosure of a code of business conduct and ethics. The SEC's final rule defines the term code of ethics as "Written standards that are reasonably designed to deter wrongdoing and to promote:
- Honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships;
- Full, fair, accurate, timely, and understandable disclosure in reports and documents that a registrant files with, or submits to, the Commission and in other public communications made by the registrant;
- Compliance with applicable governmental laws, rules, and regulations;
- The prompt internal reporting to an appropriate person or persons identified in the code of violations of the code; and
- Accountability for adherence to the code."

The code of ethics/conduct should apply to all individuals who are involved with and/or have influence over the financial statements and anyone who prepares the financial statements, including those who have direct involvement or oversight responsibilities (e.g., members of the board of directors, general counsel, and executive officers). The board of directors and audit committee have oversight responsibilities for the code of ethics/conduct; these may be documented in the board of directors' meeting minutes along with their review and acceptance of the code of ethics/conduct. Companies should consider developing a code of ethics/conduct for all employees, with periodic confirmations that employees understand the code and agree to follow it. There should also be training on the code of ethics/conduct and proper communication to all employees about where it can be found and whom to call if there are questions or concerns about the policies.

Ethics hotline and whistleblower program
Section 301 of the Sarbanes-Oxley Act of 2002, Standards Relating to Listed Company Audit Committees, requires each issuer's audit committee to establish procedures for:
- the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters, and
- the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters

Hotlines should be accessible to all employees. Management may consider making them available to individuals outside of the organization (e.g., vendors, customers, and agents) to report fraudulent behavior without fear of retribution. There should be training to ensure that all employees know how and when to use the hotline. Companies should assess the adequacy of procedures for handling complaints and for accepting confidential whistleblower submissions of concerns about questionable accounting or auditing matters. In addition to establishing the hotline, companies should have a formal program and procedures for proper follow-up on reported allegations. The procedures implemented to enable whistleblower processes should themselves be controlled to prevent unauthorized access or changes.

Hiring and promotion standards
Organizations should take steps to ensure that appropriate standards exist for hiring and promoting personnel. For those individuals with influence over financial reporting or involved in the preparation of the financial statements (including the board of directors, audit committee, general counsel, CFO, and controllers), these standards should include a background investigation of prior education, work experience, evidence of integrity, and a search for evidence of criminal activity. All steps taken should be documented and reviewed by appropriate personnel. Management should consider background investigations for existing employees if they were not performed when the employee was initially hired or promoted, or if employees were put in key positions through acquisitions or mergers. Specific individuals within management should be assigned overall responsibility to oversee compliance with antifraud standards and procedures. The organization should use due care not to delegate substantial discretionary authority to individuals the organization knows, or should know through the exercise of due diligence, to have a propensity to engage in illegal activities.[13]

Training
Management should provide training for new hires and periodic training for all employees to reinforce the company's ethical values and antifraud control environment, with a focus on ethics, fraud, and the company's code of ethics/conduct. Management should also consider tailored training based on the organization's identified fraud risks. For example, if the organization has identified fraud risks related to inappropriate or early revenue recognition, training can be provided to relevant personnel involved in the sales cycle to address the identified fraud risks. Training may also include and reinforce other topics within the organization's code of ethics/conduct, including compliance with laws and regulations, use of whistleblower hotlines, and hiring standards.

Responses to control deficiencies & allegations of fraud
Management and audit committees should have timely and appropriate responses to significant control deficiencies, allegations or concerns of fraud, and violations of the code of conduct. Management and audit committees should have processes in place to respond to allegations of fraud, and investigations should be initiated in a timely manner. In certain circumstances, such as those alleged to involve senior management, thorough independent investigations should be performed utilizing external specialists. Prompt and appropriate actions should be taken against those involved in fraudulent activities, and any fraud, whether or not material, that involves management should be communicated to the audit committee and external auditors.[14] Management and the audit committee should ensure that significant control deficiencies are corrected in a timely manner. PCAOB Auditing Standard No. 2 notes that significant deficiencies that have been communicated to management and the audit committee and remain uncorrected after some reasonable period of time should be regarded as at least a significant deficiency and are a strong indicator that a material weakness in internal control over financial reporting exists.[15] Additionally, management should ensure that appropriate and timely disciplinary actions are taken against those found to be in violation of the code of ethics/conduct. Appropriate and timely disciplinary actions can demonstrate and provide evidence of management's commitment to ethical values and reinforce management's intolerance of fraudulent and other inappropriate behavior.

Examples of Common Documentation

The purpose of the documentation is to provide evidence of the existence of the control environment elements. Documentation may include an evaluation or assessment of the tone of the organization and other documents created in the execution of the control environment elements. Documentation should be sufficient for auditors to understand how management implemented the program and its conclusions regarding the design and operating effectiveness of the control environment. Documentation related to the control environment may include the following:
- management's assessments of the culture and tone of the organization, documented and reviewed by the audit committee
- controls restraining misappropriation of company assets and fraudulent financial reporting that could result in a material misstatement of the financial statements
- the audit committee's and internal audit's involvement in antifraud programs and controls
- the code of ethics, published and made available to all employees in employee handbooks, policy manuals, online, or in some other formal documentation or location
- certification or confirmation from employees that they comply with laws and regulations and that they understand and accept the published code of ethics/conduct
- the receipt and handling of complaints and concerns regarding questionable accounting or auditing matters, including management's investigation of and responses to allegations and concerns
- formal hiring and promotion standards, including evidence of background investigations performed and reviewed
- periodic training given to all employees, including a discussion of ethics, fraud, laws, and regulations
- fraud and ethics training provided for all new employees
- evidence that management and the audit committee responded appropriately and in a timely manner to significant control deficiencies, allegations or concerns of fraud, and violations of the code of ethics/conduct
- appropriate and timely disciplinary actions, with communication of violations of the code of conduct/ethics and the organization's responses to such violations
- management's assessment of the design and operating effectiveness of the control environment

Management Assessments
Cultural assessments should be performed at various levels and locations throughout the organization to determine the operating effectiveness of the programs and controls implemented. Management may consider using anonymous cultural surveys or interviews to assess employees' views on the control environment. Management should assess the design and operating effectiveness of the control environment and document its assessment and conclusions. Examples of situations or circumstances that may indicate deficiencies within the control environment include:
- few or no calls on the ethics/whistleblower hotline
- no documented violations of the code of ethics/conduct
- employees are not receiving ethics and fraud training
- employees with significant influence over financial reporting are hired and promoted without background investigations
- management does not address and correct significant control deficiencies within a reasonable period of time
- allegations or concerns of fraud are not investigated in a timely manner
- cultural survey results indicate concerns about the integrity of management and the tone at the top of the organization

[9] PCAOB, Auditing Standard No. 2, paragraph 140.
[10] Exhibit to SAS 99, Management Antifraud Programs and Controls, section "Internal Auditors".
[11] PCAOB, Auditing Standard No. 2, paragraph 140.
[12] Final Rule: Disclosure Required by Sections 406 and 407 of the Sarbanes-Oxley Act of 2002, SEC, section (II)(B)(2)(c), Final Definition of Code of Ethics. Electronic copy can be reviewed at http://www.sec.gov/rules/final/33-8177.htm
[13] United States Organizational Sentencing Commission, Guidelines Manual, 8A1.2, comment, 3(K)
[14] Sarbanes-Oxley Act of 2002, Section 302(a)(5)(B).
[15] PCAOB, Auditing Standard No. 2, paragraph 140.

3. Designing and Implementing Antifraud Control Activities

Scope & Objectives
Antifraud control activities are those actions taken by management to mitigate specific fraud risks and to prevent, detect, and deter fraud. Control activities should be designed to prevent fraud from occurring, to detect it if it does occur, and to mitigate the risk of management's override of controls and other schemes to circumvent control activities.

Participants & Responsibilities

Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee), should establish appropriate controls to prevent, deter, and detect fraud. Employees, business process owners, or those responsible for significant accounts or processes should be involved in the design and implementation of antifraud control activities. The audit committee should review and approve the adequacy of antifraud control activities, and ensure that controls are designed to address the risk of management's override of controls or other inappropriate influence over the financial reporting process. IT management can provide insights into information systems and IT processes and can assist in the design of IT controls. Internal audit should assist in the development of antifraud controls based on its understanding of operations and internal audit findings.

Elements & Design

Management should map or link control activities to fraud risks identified during the risk assessment to ensure that all identified fraud risks are adequately mitigated. Consideration should be given to fraud environmental factors, including pressures or incentives, rationalization, and opportunity. It is not always possible to create controls to address employee pressures, incentives, and rationalizations; however, management can create strong internal controls that significantly reduce fraud opportunities within the organization. Eliminating fraud opportunities and increasing the perception of detection within organizations can add significant value in terms of preventing and deterring fraud. Control activities should include general computer controls that limit access to information systems and ensure accurate processing. In addition, business cycle application controls can help automate the detection and prevention of fraud. Some of the relevant controls include:
- validation of data processed by the application
- built-in reasonableness tests to detect unusual amounts, prices, or volumes
- automated flagging of exceptions to help bring deviations to management's attention
- segregation of duties controls implemented in applications
- checks built into applications to prevent unusual processing of transactions
- other cross-checks to ensure that all transactions were indeed processed

Examples of Common Documentation

The purpose of the documentation is to provide evidence of the existence of the program and management's processes to implement preventative and detective antifraud control activities. Documentation should be sufficient for auditors to understand how management implemented the program and its conclusions regarding the design and operating effectiveness of antifraud control activities. Documentation related to antifraud control activities may include the following:
- policies and procedures relative to the control activities, identifying who performs the activities, the frequency of the procedures, and the underlying evidence for the activities
- antifraud control activities mapped to fraud risks identified during the fraud risk assessment

Management Assessments
The assessment of antifraud control activities is part of the broader assessment of all control activities. Management should assess the design and operating effectiveness of antifraud control activities and document its conclusions. Examples of situations or circumstances that may indicate that control activities are not operating effectively include:
- lack of detective antifraud controls
- failure to link identified fraud risks to mitigating control activities
- insufficient documentation exists to support management's assessment activities

4. Sharing Information & Communication

Scope & Objectives
Management should communicate its commitment to ethical behavior and the existence of antifraud programs. All employees should have a clear understanding of what is expected of them with regard to ethical behavior and understand what behavior is acceptable and what is unacceptable. Communication from management should include appropriate content, and the information provided should be timely, current, accurate, and accessible.

Participants & Responsibilities

Management has the primary responsibility to ensure effective communication of antifraud programs throughout the organization. The audit committee should be actively involved in the oversight and review of information and communication related to antifraud programs. Other departments or functions within the organization may be involved in sharing information, including Human Resources and those responsible for employee training. Department heads and managers should also be involved in communicating antifraud and ethical attitudes to their respective departments. Internal audit, employees, and external parties should have the responsibility to report improper behavior and have access to mechanisms such as hotlines where fraudulent issues and other improprieties can be reported.

5. Monitoring Activities
Scope & Objectives
Monitoring activities and assessments should consist of procedures that include independent evaluations of antifraud controls that may be performed by internal audit or other groups and other ongoing monitoring activities that are built into normal recurring operating activities such as reconciliations.

Management Assessments
Management should assess the design and operating effectiveness of communication and information related to antifraud programs and controls, and document its assessment and conclusions. Examples of situations or circumstances that may indicate that communication and information activities are not operating effectively include: the audit committee fails to receive and review fraud risk assessments employees dont have access to the code of ethics/conduct fraud that involves management is not communicated to the audit committee and external auditors managements assessments of antifraud programs and controls are not sufficiently documented

Participants & Responsibilities


Management, along with those who have responsibility for oversight of the financial reporting process (such as the audit committee) should be actively involved in monitoring activities. Monitoring activities can first begin with self-assessments from persons responsible for significant accounts, processes, or operations and involve employees outside of management. Results should be subject to review and assessment by management, internal audit, and the audit committee. The internal audit function should have ongoing responsibilities to evaluate the effectiveness of antifraud controls and communicate control deficiencies and weaknesses to management and the audit committee. The audit committee should be involved in the oversight of monitoring activities and IT management should be involved with IT-related montoring activities.

Elements & Design


Every organization must capture pertinent financial and nonfinancial information relating to external as well as internal events and activities. Management should design a system for effective knowledge management to collect and communicate appropriate information pertaining to fraud risks and antifraud programs and controls. Information provided should be timely, current, accurate, and accessible.

Elements & Design


Evaluations of antifraud controls should be performed by management and internal audit to look for occurrences of fraud within the organization and to determine if antifraud controls are effective. Findings and weaknesses from monitoring activities should be incorporated back into the fraud risk assessments. The audit committee should review internal audits assessments of the effectiveness of antifraud controls and determine if monitoring activities are sufficient to mitigate identified fraud risks. The audit committee should evaluate the adequacy of the internal audit activity and ensure that the internal audit function reports directly to the audit committee. Audit committee minutes should document meetings and functional reporting of internal audit. The internal audit function is critical to the overall success of monitoring activities.

Examples of Common Documentation


The purpose of the documentation is to provide evidence of the existence of the program and managements processes of communicating information related to its antifraud programs and controls. Communication and information should be processed and made available for each of the five components of the COSO framework related to antifraud programs and controls. There should be evidence of managements assessment of the design and operating effectiveness of communication and information, and documentation should be sufficient for external auditors to evaluate the effective communication of antifraud programs and controls. Documentation related to information and communication of antifraud programs and controls may include the following: communication of the code of ethics/conduct corporate Web sites providing information on ethics and antifraud programs and controls training materials on ethics and fraud corporate newsletters addressing ethics and antifraud programs CEO speeches or messages on ethics

Management Assessments
Management should assess the design and operating effectiveness of monitoring activities and document its assessment and conclusions. Examples of situations or circumstances that may indicate that monitoring activities are not operating effectively include:
- insufficient involvement of internal audit or the audit committee
- the internal audit function is ineffective
- failure to communicate monitoring findings back into the fraud risk assessment and the design of antifraud control activities

25

Examples of Common Documentation


The purpose of the documentation is to provide evidence of the existence of the program and of management's monitoring processes. Documentation should be sufficient for auditors to understand how management implemented the program and its conclusions regarding the design and operating effectiveness of monitoring activities. Documentation related to the monitoring of antifraud programs and controls may include the following:
- evaluations performed by management and internal audit to monitor and assess the effectiveness of antifraud programs and controls
- internal control deficiencies and weaknesses identified, documented, and communicated upward to the appropriate level within the organization
- internal controls updated or modified as a result of the monitoring of the antifraud controls
- the audit committee's review of monitoring processes (both evaluations and ongoing monitoring activities) and approval of the adequacy of such controls
- management's assessment of the design and operating effectiveness of monitoring activities

26

About Deloitte

Deloitte, one of the nation's leading professional services firms, provides audit, tax, consulting, and financial advisory services through nearly 30,000 people in more than 80 U.S. cities. Known as an employer of choice for innovative human resources programs, the firm is dedicated to helping its clients and its people excel. Deloitte refers to the associated partnerships of Deloitte & Touche USA LLP (Deloitte & Touche LLP and Deloitte Consulting LLP) and subsidiaries. Deloitte is the U.S. member firm of Deloitte Touche Tohmatsu. For more information, please visit Deloitte's Web site at www.deloitte.com/us.

Deloitte Touche Tohmatsu is an organization of member firms devoted to excellence in providing professional services and advice. We are focused on client service through a global strategy executed locally in nearly 150 countries. With access to the deep intellectual capital of 120,000 people worldwide, our member firms, including their affiliates, deliver services in four professional areas: audit, tax, consulting, and financial advisory services. Our member firms serve more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies.

Deloitte Touche Tohmatsu is a Swiss Verein (association), and, as such, neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names Deloitte, Deloitte & Touche, Deloitte Touche Tohmatsu, or other related names. The services described herein are provided by the member firms and not by the Deloitte Touche Tohmatsu Verein. For regulatory and other reasons, certain member firms do not provide services in all four professional areas listed above.

Copyright 2004 Deloitte Development LLC. All rights reserved.

Member of Deloitte Touche Tohmatsu

27