Fraud deterrence

Last updated

Fraud deterrence has gained public recognition and spotlight since the 2002 inception of the Sarbanes-Oxley Act. Of the many reforms enacted through Sarbanes-Oxley, one major goal was to regain public confidence in the reliability of financial markets in the wake of corporate scandals such as Enron, WorldCom and Waste Management. Section 404 of Sarbanes Oxley mandated that public companies have an independent Audit of internal controls over financial reporting. In essence, the intent of the U.S. Congress in passing the Sarbanes Oxley Act was attempting to proactively deter financial misrepresentation (Fraud) in order to ensure more accurate financial reporting to increase investor confidence. This same concept is applied in the discussion of fraud deterrence.

Contents

Until recently, fraud deterrence has not been specifically identified under one common definition. While it has been discussed by many authoritative sources such as the American Institute of Certified Public Accountants (AICPA) Practice Aid Series, “Fraud Detection in a GAAS Audit: SAS No. 99 Implementation Guide,” (explicitly) The Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control – Integrated Framework,” (implicitly) and the National Association of Certified Valuation Analysts Certified Fraud Deterrence Analyst (CFD) designation (recently merged into the Certified Forensic Financial Analyst (CFFA) designation), an actual definition of the term “fraud deterrence” has been difficult to find.

Concept

Fraud deterrence is based on the premise that fraud is not a random occurrence; fraud occurs where the conditions are right for it to occur. Fraud deterrence attacks the root causes and enablers of fraud; this analysis could reveal potential fraud opportunities in the process, but is performed on the premise that improving organizational procedures to reduce or eliminate the causal factors of fraud is the single best defense against fraud. Fraud deterrence involves both short-term (procedural) and long-term (cultural) initiatives.

Fraud deterrence is not earlier fraud detection, and this is often a confusing point. Fraud detection involves a review of historical transactions to identify indicators of a non-conforming transaction. Deterrence involves an analysis of the conditions and procedures that affect fraud enablers, in essence, looking at what could happen in the future given the process definitions in place, and the people operating that process. Deterrence is a preventive measure – reducing input factors” [1]

Analogy

Deterrence is distinct from remediation and detection. An analogy can be drawn in considering unhealthy weight gain and the actions undertaken in response. Identifying the action(s) that deter unhealthy weight gain is the key to understanding fraud deterrence in this analogy.

Deterrence vs. Prevention

Deterrence involves eliminating factors that may cause fraud, whereas prevention involves identifying and stopping existing fraud.[ citation needed ]

Fraud Triangle

Fraud Triangle.png
The Fraud Triangle

The causal factors that should be removed to deter fraud (as described above) are best described in the Fraud or Compromise Triangle. This idea was first put forward in an article by Donald R. Cressey and Edwin Sutherland. The term was later coined by Steve Albrecht. [2] The Fraud Triangle describes three factors that are present in every situation of fraud:

  1. Motive (or pressure) – the need for committing fraud (need for money, etc.);
  2. Rationalization – the mindset of the fraudster that justifies them to commit fraud; and
  3. Opportunity – the situation that enables fraud to occur (often when internal controls are weak or nonexistent).

Breaking the Fraud Triangle

Breaking the Fraud Triangle is the key to fraud deterrence. Breaking the Fraud Triangle implies that an organization must remove one of the elements in the fraud triangle in order to reduce the likelihood of fraudulent activities. “Of the three elements, removal of Opportunity is most directly affected by the system of internal controls and generally provides the most actionable route to deterrence of fraud” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence).

SAS 99

Statement on Auditing Standards No. 99 (SAS 99), Consideration of Fraud in a Financial Statement Audit, was “the first major audit standard to be released since the passage of Sarbanes-Oxley” (AICPA, Detection in a GAAS Audit: SAS No. 99 Implementation Guide). While the standard was intended to assist auditors in detecting fraud during a financial statement audit, its application was more pervasive. “SAS No. 99 has the potential to significantly improve audit quality, not just in detecting fraud, but in detecting all material misstatements and improving the quality of the financial reporting process” (AICPA, Fraud Detection in a GAAS Audit: SAS No. 99 Implementation Guide).

The SAS 99 Practice Aid discusses fraud deterrence in addition to its primary focus of fraud detection, “Because fraud prevention, detection, deterrence are management’s responsibility, the new fraud SAS now requires you to determine whether management has designed programs and controls that address identified risks of material misstatement due to fraud and whether those programs and controls have been placed in operation” (AICPA, Detection in a GAAS Audit: SAS No. 99 Implementation Guide). In essence, the AICPA has identified that fraud deterrence can be achieved through the implementation of controls and procedures that mitigate (Mitigating Controls) against areas already identified as risk areas.

The COSO Model

The COSO “Internal Control – Integrated Framework,” (COSO Model) describes five interrelated components of internal control that provide the foundation for fraud deterrence. These elements of internal control are the means for which the ‘Opportunity’ factors in the Fraud Triangle can be removed to most effectively limit instances of fraud. In fact, The Association of Certified Fraud Examiners (ACFE) 2002 Report to the Nation on Occupational Fraud and Abuse reveals that 46.2% of frauds occur because the victim lacked sufficient controls to prevent the fraud. The five COSO components are:

1. Control Environment

The Control environment consists of the actions, policies, and procedures that reflect the overall attitudes of top management, directors and owners of an entity about internal control and its importance to the entity.” Some subcomponents of the Control environment include: integrity and ethical values; commitment to competence; board of directors or Audit committee participation; management’s philosophy and operating style; organizational structure; assignment of authority and responsibility; and human resource policies and practices (Arens, Elder, Beasley, Auditing and Assurance Services).

2. Risk Assessment

“Risk Assessment is a forward looking survey of the business environment to identify anything that could prevent the accomplishment of organizational objectives. As it relates to fraud deterrence, risk assessment involves the identification of internal and external means that could potentially defeat the organization’s internal control structure, compromise an asset, and conceal the actions from management. Risk assessment is a creative process; it involves identifying as many potential threats as possible, and evaluating them in a way to determine which require action, and the priority for that action” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence).

3. Control Activities

“Policies and procedures, in addition to those included in the other four components, that help ensure that necessary actions are taken to address risks in the achievement of the entity’s objectives” (Arens, Elder, Beasley, Auditing and Assurance Services). "Control procedures are also a prime focus area for fraud deterrence engagements; if control procedures are not adequately defined and consistently enforced within the organization, the opportunity for fraud is introduced” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence). “For asset protection, this typically involves identifying assets within the organization that would be susceptible to fraud, and defining control procedures such that the assets cannot be removed and the removal concealed. Fraud deterrence involves proactively examining these control procedures to verify they are adequately designed and actually functioning within the organization” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence). Control activities generally fall into the five following specific control activities: 1) adequate separation of duties; 2) proper authorization of transactions and activities; 3) adequate documents and records; 4) physical control over assets and records; and 5) independent checks on performance (Arens, Elder, Beasley, Auditing and Assurance Services).

4. Information & Communication

“Information and Communication relates to the flow of information in two directions within the organization. First, information should flow downward to the line functions and provide the best, most accurate information as needed to allow the function to produce the best results possible. Second, information about performance should flow upwards through management, through both formal and informal communication channels, providing objective feedback. Both communication channels must function effectively to safeguard the organization” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence).

5. Monitoring

“Monitoring activities deal with ongoing or periodic assessment of the quality of internal control performance by management to determine that controls are operating as intended and that they are modified as appropriate for changes in conditions” (Arens, Elder, Beasley, Auditing and Assurance Services). “Monitoring involves both fraud deterrence and fraud detection activities. First, management(what if some in the management are the perpetrators of fraud- JUDGE -MIDLANDS STATE UNIVERSITY) must ensure that all control processes are performed as designed and approved. Control compliance analysis to verify correct performance of procedures could reveal a control that has been inappropriately modified or one that is not performed as approved; this control weakness could present the opportunity for fraud. Proactively identifying these weaknesses and correcting the weakness is this is the fraud deterrence aspect of the monitoring process” (Cendrowski, Martin, Petro, The Handbook of Fraud Deterrence).

Related Research Articles

Accounting Measurement, processing and communication of financial information about economic entities

Accounting or accountancy is the measurement, processing, and communication of financial and non financial information about economic entities such as businesses and corporations. Accounting, which has been called the "language of business", measures the results of an organization's economic activities and conveys this information to a variety of users, including investors, creditors, management, and regulators. Practitioners of accounting are known as accountants. The terms "accounting" and "financial reporting" are often used as synonyms.

Sarbanes–Oxley Act United States law covering finance and accountability

The Sarbanes–Oxley Act of 2002, also known as the "Public Company Accounting Reform and Investor Protection Act" and "Corporate and Auditing Accountability, Responsibility, and Transparency Act" and more commonly called Sarbanes–Oxley or SOX, is a United States federal law that set new or expanded requirements for all U.S. public company boards, management and public accounting firms. A number of provisions of the Act also apply to privately held companies, such as the willful destruction of evidence to impede a federal investigation.

American Institute of Certified Public Accountants

The American Institute of Certified Public Accountants (AICPA) is the national professional organization of Certified Public Accountants (CPAs) in the United States, with more than 418,000 members in 143 countries in business and industry, public practice, government, education, student affiliates and international associates. Founded in 1887, the organization sets ethical standards for the profession and U.S. auditing standards for audits of private companies, non-profit organizations, federal, state and local governments. It also develops and grades the Uniform CPA Examination. The AICPA maintains offices in New York City; Washington, DC; Durham, NC; and Ewing, NJ.

Audit Systematic and independent examination of books, accounts, documents and vouchers of an organization

An audit is an "independent examination of financial information of any entity, whether profit oriented or not, irrespective of its size or legal form when such an examination is conducted with a view to express an opinion thereon.” Auditing also attempts to ensure that the books of accounts are properly maintained by the concern as required by law. Auditors consider the propositions before them, obtain evidence, and evaluate the propositions in their auditing report.

An audit committee is a committee of an organisation's board of directors which is responsible for oversight of the financial reporting process, selection of the independent auditor, and receipt of audit results both internal and external.

Auditors report

The auditor's report is a formal opinion, or disclaimer thereof, issued by either an internal auditor or an independent external auditor as a result of an internal or external audit, as an assurance service in order for the user to make decisions based on the results of the audit.

Statement on Auditing Standards No. 99: Consideration of Fraud in a Financial Statement Audit, commonly abbreviated as SAS 99, is an auditing statement issued by the Auditing Standards Board of the American Institute of Certified Public Accountants (AICPA) in October 2002. The original exposure draft was distributed in February 2002.

Information Technology Auditing began as Electronic Data Process (EDP) Auditing and developed largely as a result of the rise in technology in accounting systems, the need for IT control, and the impact of computers on the ability to perform attestation services. The last few years have been an exciting time in the world of IT auditing as a result of the accounting scandals and increased regulation. IT auditing has had a relatively short yet rich history when compared to auditing as a whole and remains an ever-changing field.

In business and accounting, information technology controls are specific activities performed by persons or systems designed to ensure that business objectives are met. They are a subset of an enterprise's internal control. IT control objectives relate to the confidentiality, integrity, and availability of data and the overall management of the IT function of the business enterprise. IT controls are often described in two categories: IT general controls (ITGC) and IT application controls. ITGC include controls over the Information Technology (IT) environment, computer operations, access to programs and data, program development and program changes. IT application controls refer to transaction processing controls, sometimes called "input-processing-output" controls. Information technology controls have been given increased prominence in corporations listed in the United States by the Sarbanes-Oxley Act. The COBIT Framework is a widely used framework promulgated by the IT Governance Institute, which defines a variety of ITGC and application control objectives and recommended evaluation approaches. IT departments in organizations are often led by a Chief Information Officer (CIO), who is responsible for ensuring effective information technology controls are utilized.

External auditor

An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited. Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent audit report.

Committee of Sponsoring Organizations of the Treadway Commission

The 'Committee of Sponsoring Organizations of the Treadway Commission' ('COSO') is a joint initiative to combat corporate fraud. It was established in the United States by five private sector organizations, dedicated to guiding executive management and government entities in relevant aspects of organizational governance, business ethics, internal control, business risk management, fraud and financial reports. COSO has established a common internal control model against which companies and organizations can evaluate their control systems. COSO has the support of five support organizations: American Institute of Certified Public Accountants (AICPA), American Accounting Association (AAA), Financial Executives International (FEI), Institute of Internal Auditors (IIA) and Institute of Management Accountants (IMA)

Generally Accepted Auditing Standards

Generally Accepted Auditing Standards, or GAAS are sets of standards against which the quality of audits are performed and may be judged. Several organizations have developed such sets of principles, which vary by territory. In the United States, the standards are promulgated by the Auditing Standards Board, a division of the American Institute of Certified Public Accountants (AICPA).

Internal audit

Internal auditing is an independent, objective assurance and consulting activity designed to add value to and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control and governance processes. Internal auditing achieves this by providing insight and recommendations based on analyses and assessments of data and business processes. With commitment to integrity and accountability, internal auditing provides value to governing bodies and senior management as an objective source of independent advice. Professionals called internal auditors are employed by organizations to perform the internal auditing activity.

Internal control, as defined by accounting and auditing, is a process for assuring of an organization's objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies. A broad concept, internal control involves everything that controls risks to an organization.

SOX 404 top–down risk assessment

In financial auditing of public companies in the United States, SOX 404 top–down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002. Under SOX 404, management must test its internal controls; a TDRA is used to determine the scope of such testing. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

In the United States, the Auditing Standards Board (ASB) is the senior technical committee designated by the American Institute of Certified Public Accountants (AICPA) to issue auditing, attestation, and quality control statements, standards and guidance to certified public accountants (CPAs) for non-public company audits. Created in October 1978, it is composed of 19 members representing various industries and sectors, including public accountants and private, educational, and governmental entities. It issues pronouncements in the form of statements, interpretations, and guidelines, which all CPAs must adhere to when performing audits and attestations.

Entity-level controls

Entity-level controls are internal controls that help to ensure that management directives pertaining to the entire entity are carried out. They are the second level of a top-down approach to understanding the risks of an organization. Generally, entity refers to the entire company.

The Model Audit Rule 205, Model Audit Rule, or MAR 205 are the commonly applied terms for the Annual Financial Reporting Model Regulation. Model Audit Rule is a financial reporting regulation applicable to insurance companies, and borrows significantly from the Sarbanes Oxley Act of 2002. The Model Audit Rule is co-developed by the American Institute of Certified Public Accountants (“AICPA”) and National Association of Insurance Commissioners (“NAIC”) and issued by NAIC with revisions in 2006 and has taken effect in 2010.

Statement on Standards for Attestation Engagements no. 16 is an auditing standard for service organizations, produced by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board, which supersedes Statement on Auditing Standards no. 70 and has been superseded by SSAE No. 18.

Statement on Standards for Attestation Engagements no. 18 is a Generally Accepted Auditing Standard produced and published by the American Institute of Certified Public Accountants (AICPA) Auditing Standards Board. Though it states that it could be applied to almost any subject matter, its focus is reporting on the quality of financial reporting. It pays particular attention to internal control, extending into the controls over information systems involved in financial reporting. It is intended for use by Certified Public Accountants performing attestation engagements, the preparation of a written opinion about a subject, and the client organizations preparing the reports that are the subject of the attestation engagement. It prescribes three levels of service: examination, review, and agreed-upon procedures. It also prescribes two types of reports for reporting on an examination of controls at a service organization relevant to user entities' internal control over financial reporting: Type 1, which includes an assessment of internal control design, and Type 2, which additionally includes an assessment of the operating effectiveness of controls. Published April 2016, SSAE 18 and all previous standards it supersedes are represented in section AT-C of the AICPA Professional Standards, with most sections becoming effective on May 1, 2017.

References

  1. The handbook of fraud deterrence. Cendrowski, Harry., Martin, James P., Petro, Louis W. Hoboken, N.J.: Wiley. 2007. ISBN   978-1-119-20216-5. OCLC   253935785.CS1 maint: others (link)
  2. Albrecht, Steve, Iconic Fraud Triangle endures (PDF)
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.