The authors experience as an accountant, head of internal audit and fraud examiner is that company management are certainly concerned about the fraud risk but are often unclear about the allocation of responsibilities, particularly for monitoring and investigation. The absence of fraud policies and contingency plans is still common and in his days in the insurance industry the author realised the need to fill this particular gap and, very soon thereafter, the need to develop expertise and to find sources of guidance. Based on this experience and having done many things wrong, out of ignorance, when he first confronted actual fraud, the author has developed his own ideas. He has shared these through speaking at conferences and contributing material to the Association of Certified Fraud Examiners, whose assistance and influence on his ideas and practices he gratefully acknowledges, and also by extensive networking both informally and formally. Until earlier this year, the author was chairman of the IIA's Banking and Financial Services Group and he has long been a committee member for the London Investment Banking Association's Internal Audit Committee and the ACCA's Internal Audit Members' Network Panel, and also a member of the London Fraud Group.
Get your grade
or your money back
using our Essay Writing Service!
The author has recently reviewed his practices following the credit crisis and reflecting on the United Kingdom's resulting corporate governance review and emphasis on board level risk oversight. This is relevant to risk management generally but no less to fraud risk management specifically.
Sir David Walker's interim report, " A review of corporate governance in UK banks and other financial industry entities" , envisages a need for a greater commitment of time by non-executive directors (particularly for the chairman), more financial industry experience and demonstrable independence of mind. Oversight of remuneration will require non-executive directors to concentrate on risk matters and boards to be much more involved in high level risk management.
The interim report does not criticise the Combined Code's " comply or explain" approach.
The report's key recommendations include the following:
1. Establish a board risk committee separately from the audit committee with responsibility for oversight and advice to the board on the current risk exposures of the entity and future risk strategy.
2. The board risk committee (or board) risk report should be included as a separate report within the annual report and accounts, including information on the key exposures inherent in the strategy and the associated risk tolerance. Its key principles should be:
â€¢ strategic focus;
â€¢ forward looking;
â€¢ risk management practices.
3. For any proposed strategic transaction the board risk committee should oversee a due diligence appraisal of the proposition.
4. The board should be served by a CRO who should participate in the risk management and oversight process at the highest level.
5. The remit of the remuneration committee should be extended where necessary to cover all aspects of remuneration policy on a firm-wide basis with particular emphasis on the risk dimension.
6. Deferral of incentive payments should provide the primary risk adjustment mechanism. 7. For at least one-half of the variable remuneration, half of the award should vest after not less than three years and the remainder after five years. Claw back should be used in limited circumstances of misstatement and misconduct.
8. The remuneration committee should seek advice from the board risk committee on an arm's-length basis on specific risk adjustments to be applied to performance objectives set.
9. Thematic business awareness sessions for non-executive directors.
10. The board discussion and decision-taking on risk matters is based on accurate and appropriately comprehensive information.
It is best practice to have a risk model covering all risks including fraud risks. These fraud risks would then be mitigated by internal financial controls. The risk model should be prepared by management, typically facilitated by the risk managers.
It is important to strike the right balance between determining a risk model which, on the one hand, is either generic or only tailored to the industry sector and, on the other hand, is too cluttered so that the nature of the risk is lost. Perhaps a greater concern is that each part of the company or group inconsistently interprets things and the cut-off between major and minor risks is wildly different.
Always on Time
Marked to Standard
Where possible, monetary values should be attributed in order to reflect the gross (inherent) risks and the benefits of mitigation in order to arrive at the net (residual) risk as follows:
â€¢ Inherent risk: gross " impact" and " probability" scores giving " risk" (probability x impact);
â€¢ Mitigation/control: factors to reduce " impact" and " probability" scores;
â€¢ Residual risk: net scores.
Risk appetite should have already been determined (by the board or one of its Committees) for the various risk categories, including fraud risks.
Because there is no risk-reward equation for operational risks including fraud risks, the risk appetite may be defined as " zero tolerance" . This can present a practical dilemma to the risk management function; e.g. what is the stance with staff who take pencils home on a " swings and roundabouts" basis?
The risk model ought to be presented to the board, or one of its committees (such as the audit committee), for review and to consider the need for control improvements; *Comp. Law. 99 typically where the level of residual risk is considered to be too high.
Management and staff, at all levels, now become responsible for:
â€¢ controlling activities and operations in line with this risk model;
â€¢ updating the risk model;
â€¢ seeking appropriate opportunities to reduce risk in accordance with the risk appetite;
â€¢ maintaining audit trails;
â€¢ vigilance in case controls are circumvented or targeted;
â€¢ reviewing detective controls such as logs, exception reports and reconciliations which might indicate, shortly after fraud is committed, what has happened.
Risk managers are responsible for such things as:
â€¢ challenging the risk model;
â€¢ monitoring controls and their effectiveness; â€¢ reviewing audit trails;
â€¢ reporting concerns to management for remedial action.
Fraud investigation would normally be performed by specialist security staff or, in their absence by internal auditors with an ACFE or equivalent qualification. The investigation processes are not covered in this article; however, the following requirements should be met:
â€¢ be meticulous not only in following the trail but in documenting the investigation and the evidence;
â€¢ objectivity leads to fairness;
â€¢ only those who know how to interview should do it and they may be different people from those who know how to follow the paper trail;
â€¢ it is imperative to learn and action the control lessons.
The role of internal audit
Where there is an independent internal audit function, it too ought to review the risk model and also the manner in which the responsibilities set out above are discharged. In conducting this independent appraisal of the group's risk management processes, internal audit should challenge all controls, financial and otherwise.
Once internal audit is content with the accuracy and integrity of the risk model it is appropriate to map the internal audit universe against it. The integrated audit risk model thus derived may be presented so that audit planning is now based on the extent of risk mitigation, as asserted by management and relied upon by the board.
As an example the planned audit frequency of each risk may be as follows:
â€¢ Red : high risks, which have combined mitigating risk factors (impact and probability) exceeding, say, £150 million. These are to be audited every year. In addition certain risks that have combined mitigating risk factors of less than £150 million may be included as red, where there is a separate requirement for an annual audit.
â€¢ Amber : medium risks, which have combined mitigating risk factors (impact and probability) between, say, £25 million and £150 million. These are to be audited every two years.
â€¢ Green : Low risks, which have combined mitigating risk factors (impact and probability) of less than £25 million. These are to be audited every three years.
Risk analysis (assessment) is used to place each of the areas or activities into a priority category and as a result the desired frequency and level of audit cover is assessed for each area. The audit resource for each audit is estimated and as a result the total audit resource requirement for the forthcoming periods can be calculated. It is essential to regulate the workload so as to even out peaks and troughs in audit resource requirements. The resource requirement is then matched to forecasts of available audit staff to identify any recruitment needs, taking into account the various skill and experience levels required. Allowance must always be made for unplanned work and special projects.
This Essay is
a Student's Work
This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.Examples of our work
The internal audit department is required to test and thereby either to give assurance on key controls to management and the audit committee or to report on weaknesses and high residual exposures. It also assists management by evaluating and reporting to them on the adequacy and effectiveness of the controls for which they are responsible.
However, it remains the duty of management, not internal audit, to operate an adequate and effective system of internal control. It is for management to determine whether or not to accept audit recommendations and to recognise and accept the risk of not taking action; the board defined risk appetite will be its guide.
When circulating the draft audit report it is good practice to append the relevant portion of the risk model and to cross-reference both positive assurance findings and the reported weaknesses. Subsequently these challenges to the risk model can be advised to the risk managers. The risk managers should also be apprised of any operational errors that should have been on their incident log. Furthermore, for financial services companies, the internal audit department should have regular meetings with the regulatory compliance and risk management functions; however, these three functions are separate in terms of their responsibilities. In the Financial Service Authority's " three lines of defence" , compliance assists management in the first line; risk management provides a second line; and internal audit the third line.
The expected internal audit skill set will include:
1. breadth of knowledge over group operations;
2. independence and objectivity;
3. red flag appreciation (though with fraud risk this varies from one auditor to another and, in the author's experience, most have less awareness than ACFEs);
4. risk model knowledge of all risks including fraud;
5. assurance through testing and facilitation;
6. recommendations for improvements through high profile internal audit reports.
An integrated approach to fraud risk management
Financial crime is defined by the Financial Services Authority as covering fraud and money laundering. The requirement is that:
" A firm must take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime."
In most industries this can be supplemented by the need to guard against counterfeiting and the theft of intellectual property.
*Comp. Law. 100 Risk appetite
This should be determined by the board and then interpreted by management.
The company's policy needs to be specific and to quote examples of fraud schemes that it faces within its industry sector and areas of operation, including geographical areas.
Those internal controls which seek to prevent fraud need to be targeted at the specific frauds that the company faces. As well as obvious controls, such as review and authorisation, it is vital to have effective segregation of duties. A consideration of the risk of collusion is important too.
This involves those internal controls that check after the event whether fraud, an unauthorised transaction or an error has occurred, so that prompt corrective action can be taken. Reconciliation controls and log reviews are examples. It is the effectiveness of this kind of monitoring that becomes critical if poor segregation of duties or collusion are happening.
Red flags may become apparent through pattern observation and behavioural awareness.
Staff awareness is built up over time based on experience but needs to be guided by understanding the fraud policy and by management and staff training. Debriefing on actual frauds which the company has prosecuted, if any, is helpful in making the whole process seem less academic. Repeating the message as staff progress through the management training programme is desirable.
The Financial Services Authority requires the implementation of a whistle-blowing process for suspected frauds which could be via a dedicated hotline.
It is worth remembering that historically internal auditors received risks and controls training but little actual fraud training. Clearly some internal auditors have built on this but others have not and shun the role of " corporate policeman" .
As will be discussed later, the fraud related role of internal audit will differ significantly from its role in auditing other risks. In addition to performing regular testing via the annual audit plan, a dedicated quarterly or annual review may be desirable depending upon the nature and scale of the risk.
The use of computer assisted audit techniques (CAATS) based upon file and database interrogations, data matching and mining using specialist software and re-performance of exception reports are to be encouraged.
As part of business continuity planning, it is necessary to make containment and recovery provisions specific to fraud, including the embarrassment factor. If material, an immediate response is likely with a strong human resource angle as the effect on people within and outside the business can be catastrophic.
Specialist skills may need to be available or out-sourced including asset tracing.
Lessons must be learnt based upon unpleasant experiences and the role of internal audit in this should be included.
An additional fraud risk review
In addition to discharging the traditional function of internal audit, as set out above, there is an opportunity to participate further in the corporate governance process in light of the fraud risk challenge.
In the United States, Â§404(a) of the Sarbanes-Oxley Act of 2002 places specific demands on the management of companies and on their external auditors:
â€¢ Company management is required to assess the effectiveness of the company's internal control over financial reporting, as of the end of the company's most recent financial year, and to disclose in the annual report the conclusions of this assessment.
â€¢ A company's external auditors are then required to attest to the adequacy of management's assessment effectiveness of the company's internal control over financial reporting.
In the United Kingdom, the Combined Code (C2 and & C2.1) supplements LSE listing requirements:
â€¢ C.2: " The board should maintain a sound system of internal control to safeguard shareholders' investments and the company's assets."
â€¢ C.2.1: " The board should, at least annually, conduct a review of the effectiveness of the group's system of internal control and should report to shareholders that they have done so. The review should cover all material controls, including financial, operational and compliance controls and risk management systems."
Implementation advice is followed via the Turnbull Committee: Internal Control Guidance for Directors, which clarified to boards of directors what is expected of them. Reference can be made to the following Guidance Points:
The Board's annual review of control effectiveness
" 26: Effective monitoring on a continuous basis is an essential component of a sound system of internal control. The board cannot, however, rely solely on the embedded monitoring processes within the company to discharge its responsibilities. It should regularly receive and review reports on internal control. In addition, the board should undertake an annual assessment for the purposes of making its public statement on internal control to ensure that it has considered all significant aspects of internal control for the company for the year under review and up to the date of approval of the annual report and accounts."
Embedded control systems and reporting
" 21: The system of internal control should:
â€¢ be embedded in the operations of the company and form part of its culture;
â€¢ be capable of responding quickly to evolving risks to the business arising from factors within the company and to changes in the business environment; and
â€¢ include procedures for reporting immediately to appropriate levels of management any significant control failings or weaknesses that are identified *Comp. Law. 101 together with details of corrective action being undertaken.
22: A sound system of internal control reduces, but cannot eliminate, the possibility of poor judgement in decision-making; human error; control processes being deliberately circumvented by employees and others; management overriding controls; and the occurrence of unforeseeable circumstances.
26: Effective monitoring on a continuous basis is an essential component of a sound system of internal control. The board cannot, however, rely solely on the embedded monitoring processes within the company to discharge its responsibilities. It should regularly receive and review reports on internal control. In addition, the board should undertake an annual assessment for the purposes of making its public statement on internal control to ensure that it has considered all significant aspects of internal control for the company for the year under review and up to the date of approval of the annual report and accounts.
31: The board's annual assessment should, in particular, consider:
â€¢ the changes since the last annual assessment in the nature and extent of significant risks and the company's ability to respond to changes in its business and the external environment;
â€¢ the scope and quality of management's ongoing monitoring of risks and of the system of internal control, and, where applicable, the work of its internal audit function and other providers of assurance;
â€¢ the extent and frequency of the communication of the results of the monitoring to the board (or board committee(s)) which enables it to build up a cumulative assessment of the state of control in the company and the effectiveness with which risk is being managed;
â€¢ the incidence of significant control failings or weaknesses that have been identified at any time during the period and the extent to which they have resulted in unforeseen outcomes or contingencies that have had, could have had, or may in the future have, a material impact on the company's financial performance or condition; and
â€¢ the effectiveness of the company's public reporting processes."
Financial risks, detection of fraud and policies on internal control
" 3: Effective financial controls, including the maintenance of proper accounting records, are an important element of internal control. They help ensure that the company is not unnecessarily exposed to avoidable financial risks and that financial information used within the business and for publication is reliable. They also contribute to the safeguarding of assets, including the prevention and detection of fraud.
" 15: The Board of Directors is responsible for the company's system of internal control. It should set appropriate policies on internal control and seek regular assurance â€¦ [it must ensure that] the system of internal control is effective in managing risks â€¦."
The question arises as to how best to comply each year with these requirements and expectations. If the directors set control policy, and management is responsible for controlling activities and operations in line with this risk model, and risk management staff are responsible for monitoring day by day, where is the regular assurance to come from?
Typically the board, via its audit committee, will look to management to schedule and present to them, each year, its key risk exposures and controls. Internal audit is expected to not only orientate its risk-based audit plan around this but also to provide assurance. There is a particularly high expectation on the audit committee to focus on internal financial risks and controls, including fraud.
If risk management procedures are resilient to fraud they are resilient to most operational risk and this helps management and directors discharge their duties. Fraud differs from other risks in its deviousness. It targets weaknesses, and the systematic and calculated destruction or amendment of audit trails is frequently a factor.
The role of internal audit in relation to fraud risks thus differs from its auditing in relation to other risks.
For " prevention" controls we need to rely less on testing their design (adequacy) and routine effectiveness and more on considering such things as the likelihood of management over-ride or control circumvention. To do this it is normal to think through ways of beating the control systems over vulnerable areas, particularly where inward cash flows can be diverted away or outward cash flows can, either simultaneously or shortly afterwards, be arranged to the benefit of a crook.
In thinking through the various fraud schemes, across the range of operations, it is important to include the possible participation of company insiders as well as external criminals. Where fraud is perpetrated by outsiders, they frequently use or compromise employees for information and/or active assistance. For this purpose, organised crime may introduce its own staff into your own organisation or its service suppliers.
For " detection" controls we need to bring an awareness of red flags to bear on such things as reviews of account reconciliations and exception reports. We also need to consider whether staff have some awareness of these red flags or a simple tendency to correct " errors" and ignore the implications rather than to get to the bottom of why they occurred.
When concentrating on fraud risks and mis-statements we can use the original Cadbury Committee definition of internal financial controls:
" The internal controls established in order to provide reasonable assurance of the:
(a) safeguarding of assets against unauthorised use or disposition; and
(b) maintenance of proper accounting records and the reliability of financial information used within the business or for publication."
A financial control matrix can be used to schedule the group's major financial risks and controls together with a column which dynamically adds independent assurance by cross-referencing internal audit testing performed or planned. The headings are as follows:
â€¢ Nature of financial mis-statement or fraud risk.
â€¢ Risk exposure and appetite.
â€¢ Control and mitigation.
â€¢ Evidence of control/monitoring arrangements.
â€¢ Log/MIS reports of breaches of controls/significant loss or damage.
â€¢ Internal audit report or plan (if not recently audited).
*Comp. Law. 102 The latter column also contains notes of very significant outstanding recommendations, subject to regular follow up.
In populating or challenging this matrix, questions will be asked to cover the following types of concerns:
â€¢ Nature of financial misstatement or fraud risk (main ways of committing fraud or manipulating accounts).
â€¢ Are adequate financial controls operating to minimise the risk of fraud and financial misstatements? â€¢ Loss experience.
â€¢ Adequacy of internal audit coverage?
A financial controls review programme can be derived from the financial control matrix, in order to test the integrity of the controls and to cross-refer either exceptions found or assurance. The headings are as follows:
â€¢ Audit Steps.
â€¢ Audit Reference.
The " Results" column has two purposes:
1. To explain the way that management operates the control/process (i.e. descriptive and non-judgmental). If monitoring was deficient or over-ride or control circumvention a danger, this would be indicated.
2. An assurance conclusion on " adequacy" and " effectiveness" judged by whether it is fit for purpose. Weaknesses would also be shown.
In its annual report to the audit committee, internal audit can advise that the key internal financial risks in the matrix are reviewed by internal audit annually, albeit that the emphasis of control testing will change from year to year, depending upon which other audits are scheduled for the year in question. During the year recently ended, it may conclude that these key financial controls were largely evidenced; and where evidence was not available, mitigating controls were sometimes relied upon. Reports to management should cover any exceptions found in order that the management action plans could be formulated for implementation. The exceptions can then be classified, e.g.:
3. Compliance 19.
4. Accounting Records and Management Information 7.
5. Safeguarding Assets 30.
It is worth commenting that major control deficiencies are followed up until implementation.
The inter-relationship of risk management and shareholder value
Shareholder value is the sum of discounted cash flows during the life of the organisation. This is not a new concept the market has to assess them, as in the past.
Risk management impacts the bottom line and increases shareholder value, in two ways. Costs are reduced and assurance of risk management improves the perceived quality of the higher earnings:
Table 1: Risk management value added illustration
â€¢ Management reduces the incidence of risk (through better control).
â€¢ It also reduces the impact of risk (through better and faster responses).
It lowers the cost base over time, thereby increasing net profit.
If management cannot only manage risk better, but also can assure that and demonstrate it, then it can reduce the cost of capital (interest) because the market will require less compensation for risk. Bear in mind the following:
â€¢ market risk assumed is rewarded by higher return on capital;
â€¢ credit risk can be rewarded by higher return on capital.
However, operating risk has no reward; its impact lowers profits and there are no benefits. Consider fraud, in particular where is the reward for accepting fraud risk? Risk management processes are needed to reduce the residual fraud risk.
This also lowers the cost base and increases profit.
Then there is the multiplier effect: by working through the risk/reward equation and lowering the risks associated with projected earnings, shareholder value can be dramatically increased because of the benefits of gearing. The internal rate of return is lowered, more projects will cross the acceptance threshold and NPV is greater on all projects accepted. Lowering the risk increases the P/E ratio applied by the market (if risk management is assured), as shown in Table 1.
This assumes that, based on the benefits of good risk management, the following can be achieved:
1. Cost savings of £2 million per annum via efficiencies and reduction in error, waste and fraud.
2. Improved quality of earnings resulting in interest charges being lower.
3. Improved quality of earnings resulting in higher PE ratio. 2 and 3 arise from 1. Highly geared increases in profit and shareholder value arise from the cost savings.
John Webb MA, FCCA, CFE, Independent Internal Audit Consultant and Certified Fraud Examiner (email: johnwebb firstname.lastname@example.org). This article is based on his paper delivered at the 27th International Symposium on Economic Crime at Jesus College, Cambridge in September 2009