
Fraud risk assessments: audits focused on identifying fraud-related exposures can serve as the...

By Frank, Jonny
Publication: Internal Auditor
Date: Thursday, April 1 2004

Internal auditors and other key players in the financial reporting process are being pressured to step up their efforts to fight fraud. Legal, regulatory, and standards-setting actions in the United States now require companies to develop effective antifraud programs, controls, and risk-assessment processes, which independent auditors will audit annually. As a result, fraud risks are on the minds of many auditors, as well as their firms' senior managers. As corporate executives and audit committees strive to create stronger antifraud programs, they are increasingly turning to internal auditing for support. Sooner or later, with potential fraud exposure moving to the forefront of corporate agendas, internal audit departments should expect to hear the following types of questions from management, the audit committee, or the independent auditor:


* What are the company's fraud risks?

* What programs and controls have been implemented to mitigate these risks?

* What is internal auditing doing to prevent and detect issues before they emerge in the form of a corporate scandal?

At public companies, such questions are likely to arise sooner rather than later, and the audit function should be prepared to develop proactive responses.

To address management's fraud-related concerns, auditors should consider conducting a fraud risk assessment. Such assessments can serve as the cornerstone of an effective antifraud program, acknowledging that the organization cannot control risks it has not identified. In addition, these assessments can provide an effective means of addressing U.S. Securities and Exchange Commission (SEC) rules requiring controls related to the prevention, identification, and detection of fraud. Thorough examination of potential exposures represents an essential first step in alleviating executive-level concerns about fraud risk and reputational harm.


RISK ASSESSMENTS: HOW THEY DIFFER

All risk assessments are not alike. Fraud assessments build upon, but differ from, traditional risk assessments and those geared toward compliance with the U.S. Sarbanes-Oxley Act of 2002.

Traditional risk assessments link risks to the organization's key objectives. Therefore, fraud can be overlooked during this type of review if it is not considered a core company objective. Assessments aimed at Sarbanes-Oxley compliance focus on financial reporting and often begin with reviews of the significant accounts, disclosures, and related assertions of the financial statements. Reviews target the risk of material misstatement and evaluate existing controls designed to mitigate this risk.

Fraud risk assessments also examine existing controls, but focus specifically on control measures aimed at preventing or detecting fraud. The assessments investigate whether or not controls can be circumvented and consider the susceptibility of controls to management override.

Most importantly, fraud risk assessments concentrate on fraud schemes and scenarios. Assessments aim to identify activity that can: (a) significantly impact the organization's reputation, (b) expose the company to criminal or civil liability, or (c) result in a financial loss. Assessment teams must be able to identify all the potential schemes and scenarios impacting the industries and geographic markets in which the organization conducts business.

GAINING SPONSORSHIP

Critical information about risks residing within individual business units can be difficult to unearth without backing from senior management or the audit committee. Employees or middle managers, who often know where the skeletons lie, may be hesitant to furnish information because they fear suspicion, want to avoid the corporate spotlight, or harbor information about someone's misconduct--perhaps even their own. Internal auditing can be hard-pressed to overcome this hesitancy unless the board or management actively supports investigation efforts.

In today's highly scrutinized business environment, the audit department ordinarily should expect to gain the support it needs for fraud-related assessments. Often, cooperation will simply require internal auditors to raise their concerns and offer a solution. If resistance is met, however, auditors can try the following techniques:

* Establish a dialogue. Fraud is a top concern for many corporate executives. Therefore, internal auditors should be able to quickly arrange for one-on-one discussions about fraud-related issues with the organization's general counsel, director of compliance, or the heads of business units and processes.

To reach a larger audience, auditors can publish a periodic newsletter on fraud or establish a "center of excellence" within the organization that focuses on fraud issues and provides fraud training and education. These awareness-raising tools can bring fraud and misconduct closer to home. For example, publishing information about fraud occurring within the organization's industry or geography will naturally lead company officials to question their vulnerability to similar conduct.

* Ask your independent auditor for input. The organization's independent audit firm will be required to evaluate the company's antifraud programs and controls as a part of its evaluation of the internal controls over financial reporting. Internal auditors should ask to speak to the firm's fraud subject-matter experts and determine the independent auditor's expectations with respect to the fraud risk assessment.

* Host a fraud summit. Although most senior managers and audit committees undoubtedly concern themselves with fraud risk, they may not discuss the subject in an organized setting. By hosting a dedicated fraud summit, internal auditing can bring internal stakeholders together to discuss areas of potential risk and facilitate constructive dialogue on how to address key concerns.

Regardless of the approach used, internal auditing's primary goal should be to engage senior management and the audit committee in the antifraud program and to persuade them to assume strong ownership of this effort. The assessment process will flow more smoothly if members of the organization understand that these two key groups are active sponsors of the activity.

THE RISK-ASSESSMENT PROCESS

Once board- and management-level support has been obtained, internal auditing can begin the fraud risk assessment process. The following seven-step approach can be used to ensure a thorough, effective assessment.

1. ORGANIZE THE ASSESSMENT Internal auditing can integrate the fraud risk assessment process into the organization's existing business cycles or establish a separate cycle for this purpose. Although both approaches are valid, working with the existing cycles can simplify risk assessments. If internal auditing is evaluating the revenue cycle, for example, the project team can expand the scope of the cycle to specifically consider fraud risks associated with revenue. The downside to this approach is that auditing may overlook a fraud risk that does not fit neatly into a particular business cycle.

If internal auditing chooses to create a separate cycle focused on fraud risk, it should consider a relatively innocuous title for the cycle--such as "safeguarding of assets"--in light of the anxiety-producing nature of fraud-based descriptors.

2. DETERMINE AREAS TO ASSESS To be effective, fraud risk assessments must be conducted at the companywide, business-unit, and significant-account levels. Assessments should also be considered when special circumstances arise, such as operating environment changes, mergers and acquisitions, or corporate restructurings.

At U.S. public companies, internal auditors should liaise with the Sarbanes-Oxley readiness team, because of its ongoing work with the organization's significant business units, accounts, and locations. Auditors should keep in mind, however, that fraud assessments may require a broader reach than the Sarbanes-Oxley effort, as fraud risk does not always equate with financial significance. Because Sarbanes-Oxley reviews call attention only to problems that are financially material to the organization as a whole, potential fraud risks that reside in areas of the company deemed immaterial could go unnoticed.

3. IDENTIFY POTENTIAL SCHEMES AND SCENARIOS Organizations can be defrauded, or commit fraud, in myriad ways. Identifying the organization's universe of potential fraud risks, therefore, represents a critical stage of fraud risk assessment. Internal auditors should begin this process by determining what fraud schemes and scenarios typically affect the industries and locations in which the organization conducts business. Auditors can then consider these schemes and scenarios within the context of the organization's specific profile.

Developing a comprehensive database listing of schemes and scenarios is a formidable task. Although listings may include a substantial number of individual items, fraud risks can be grouped under six basic categories (see page 42 for a graphic representation):

* Fraudulent financial reporting. Most fraudulent financial reporting schemes involve earnings management arising from improper revenue recognition, overstatement of assets, or understatement of liabilities. Fraudulent financial reporting can occur at the entity or business-unit level.

* Misappropriation of assets. Asset misappropriation includes external and internal schemes--such as embezzlement, payroll fraud, and physical theft--as well as schemes involving hard and soft assets.

* Expenditures and liabilities for an improper purpose. This category commonly refers to cash kickbacks and public corruption. Other examples include illegal campaign donations and contracts awarded in exchange for turning a blind eye to improper activity.

* Revenue and assets obtained by fraud. This category refers to fraud schemes in which the organization commits a fraud against its employees or third parties.

* Costs and expenses avoided by fraud. Tax fraud is an example of avoiding expenses through fraudulent activity.

* Financial misconduct by senior management. Senior management misconduct merits its own category because of the serious legal, financial, and reputation risks associated with this type of activity. For example, the new U.S. Public Company Accounting Oversight Board (PCAOB) audit standard mandates a finding of a "significant deficiency" in controls if fraud committed by senior management of "any magnitude" is identified.

The schemes falling within these categories differ drastically by product and service sector and geography. For example, the types of schemes affecting a bank may differ from those affecting a manufacturer. Although both organizations might obtain assets in a fraudulent manner, the bank may do so by charging improper fees whereas the manufacturer may short-ship a distributor.

The typical large multinational company faces hundreds of fraud risks. Developing scheme descriptions for the organization requires a deep knowledge of fraud, the industry or industries in which the organization operates, and the geographies in which business is conducted.

Most likely, the organization will look to internal auditing to provide the requisite fraud expertise. In turn, auditors will need to understand the technicalities and mechanics of each scheme, the preventive and detective antifraud control activities that address it, the indicia of each scheme, and the fraud-auditing procedures used to test for it. The audit team will also need to understand the specific risks posed by each scheme, as well as the ramifications of those risks. In addition, auditors will need to keep track of new and emerging frauds in the industries and locations where the organization conducts business.

Internal auditing can draw relevant information from individual business units about industries and geographies served. Country managers for international units, for example, represent a critical starting point. However, auditors should keep in mind that industry or geographic experts are not necessarily experts in fraud and misconduct risk assessment or mitigation.

Publicly available information about fraud schemes can also be useful, but such sources may be somewhat limited and generic in nature, reflecting both the reticence of companies to share information about such matters and the scant attention given to fraud prevention and detection before the early 21st century corporate scandals. If internal resources fall short, auditors may want to consider engaging a third-party consultant.

4. ASSESS LIKELIHOOD OF FRAUD Fraud risk assessments, like traditional risk assessments, consider the likelihood that a particular fraud will occur. Under the new PCAOB audit standards, risk likelihood levels are defined as:

* Remote.

* More than remote or reasonably possible.

* Probable.

The standards also specify that, to avoid a finding of "significant deficiency" by the independent auditor, an organization must address risks that have a "more than a remote" likelihood of occurring. Although fraud risks deemed "remote" can be ignored, the assessment team should still consider documenting the organization's consideration of these risks before rating them.

Trying to predict whether or not a particular fraud might occur can be as risky as attempting to predict the weather when planning a vacation. The best source regarding specific risks is often the employees at the unit being assessed. Auditors should consider speaking to the employees about individual schemes and ask why these may or may not occur in their unit.

5. ASSESS SIGNIFICANCE OF RISK After determining the likelihood of possible frauds, auditors should assess the significance of fraud risks with a more than remote likelihood of occurring. In this context, the PCAOB standards use the following criteria:

* Inconsequential.

* More than inconsequential.

* Material.

The term materiality refers to the significance of an item to the users of a set of financial statements. SEC registrants should note that SEC Staff Accounting Bulletin (SAB) 99, which provides guidance on determining materiality when fraud is discovered, rejects the frequently used rule of thumb that a misstatement or omission of less than 5 percent of a given factor--such as net income or net assets--is immaterial. SAB 99 requires that a determination of materiality consider both the "quantitative" and "qualitative" aspects of the particular matter under analysis. Fraud rises to the level of materiality if a reasonable person--such as a shareholder or lender--would consider it important.

When evaluating significance, internal auditing should consider the impact of the fraud scheme individually and in the aggregate. Some frauds, such as travel and expense fraud, might be inconsequential on an individual basis but significant on a combined basis.

Organizations should address fraud risks that are "more than inconsequential" in amount to avoid a significant deficiency finding from their independent auditor. Although the organization can ignore fraud risks deemed inconsequential based on cost-benefit considerations, it should document how this determination was reached.

6. LINK ANTIFRAUD CONTROLS Once fraud risks have been assessed, internal auditing should identify the control activities for fraud risks that are both more than remotely likely to occur and more than inconsequential in amount. Auditors should consider whether or not the controls could be circumvented or overridden by management and others, as well as the methods by which weaknesses could be exploited.

Internal auditing should also identify fraud risks that cannot be tied to effective control measures. In instances where control weaknesses result in more than a remote likelihood of fraud loss of a more than inconsequential amount, corrective measures should be considered. Ultimately, management and the board will need to conduct their own analysis of the costs of controlling a risk versus the benefits of mitigating or eliminating that risk. The organization should always document this analysis, regardless of whether or not management decides to implement corrective measures.

As a general rule of thumb, antifraud controls include controls designed to prevent fraud and those designed to detect fraud in a timely fashion when it occurs. Internal auditing should expect to tie 70 percent to 80 percent of identified fraud risks to existing control activities such as approvals, authorizations, verifications, reconciliations, segregation of duties, reviews of operating performance, and security of assets.

7. APPLY ASSESSMENT RESULTS TO THE AUDIT PLAN As a final step, internal auditing should consider--and document--the results of the fraud risk assessment when developing its audit plan. The audit team will likely need to conduct fraud audits to address residual fraud risks, or those risks that are not mitigated by preventive or detective control activities.

Specific responses to fraud risk, however, vary from one audit department to the next. Some departments may prefer to integrate a fraud-audit module into the regularly scheduled audit cycle. Others might prefer separate, stand-alone audits at higher risk units or processes. Each department needs to assess for itself the best approach.
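Steps 4 through 7 amount to a triage rule over the fraud risk register: drop remote risks (but document them), rate the rest by significance both individually and in the aggregate, tie the survivors to controls, and hand anything left without an effective or non-overridable control to the audit plan as residual risk. The following is an added example of that rule, not code from the article or from PricewaterhouseCoopers. The PCAOB likelihood and significance tiers are those named in the text; the dollar thresholds, the sample register, the exposure figures, and the simplification of aggregating schemes by category are assumptions made for illustration.

```python
"""Fraud risk register triage (steps 4 to 6) feeding the audit plan (step 7).

Added illustration. The tiers follow the PCAOB wording quoted in the article;
the thresholds and the sample register below are constructed for this example
and are not from the article, PwC, or any real company.
"""
from collections import defaultdict
from dataclasses import dataclass, field

LIKELIHOOD_RANK = {"remote": 0, "more than remote": 1, "probable": 2}
SIGNIFICANCE_RANK = {"inconsequential": 0, "more than inconsequential": 1, "material": 2}

# Assumed thresholds: exposure below the first is inconsequential, at or above
# the second is material. Real values come from the SAB 99 analysis.
THRESHOLDS = (50_000.0, 1_000_000.0)


@dataclass
class FraudRisk:
    scheme: str
    category: str            # one of the article's six categories
    likelihood: str          # remote / more than remote / probable
    exposure: float          # estimated annual exposure in dollars (assumed)
    controls: list = field(default_factory=list)  # linked control activities
    overridable: bool = False  # can management override the linked controls?
    qualitative: bool = False  # SAB 99: important to a reasonable user regardless of amount


def significance_tier(amount, thresholds, qualitative=False):
    """Map an exposure to the PCAOB tiers, with the SAB 99 qualitative override."""
    inconsequential_below, material_at = thresholds
    if qualitative or amount >= material_at:
        return "material"
    if amount >= inconsequential_below:
        return "more than inconsequential"
    return "inconsequential"


def triage(risks, thresholds=THRESHOLDS):
    """Return {scheme: (tier, action)} for every risk in the register."""
    # Step 5 caveat: schemes that are small one at a time (travel and expense
    # claims across units) are also judged on their combined amount. Here the
    # aggregation unit is the category, an assumption for the example.
    aggregate = defaultdict(float)
    for r in risks:
        if LIKELIHOOD_RANK[r.likelihood] > 0:
            aggregate[r.category] += r.exposure

    dispositions = {}
    for r in risks:
        if LIKELIHOOD_RANK[r.likelihood] == 0:
            dispositions[r.scheme] = ("remote", "document why the risk is remote; no control linkage required")
            continue
        individual = significance_tier(r.exposure, thresholds, r.qualitative)
        combined = significance_tier(aggregate[r.category], thresholds, r.qualitative)
        tier = max(individual, combined, key=SIGNIFICANCE_RANK.get)
        if tier == "inconsequential":
            action = "document the cost-benefit decision not to address"
        elif r.controls and not r.overridable:
            action = "linked to controls: " + ", ".join(r.controls)
        else:
            # No control, or a control management can override: residual risk.
            action = "residual risk: consider corrective measures and schedule a fraud audit"
        dispositions[r.scheme] = (tier, action)
    return dispositions


def residual_risks(risks, thresholds=THRESHOLDS):
    """Step 7 input: the schemes the audit plan must cover with fraud audits."""
    return sorted(s for s, (_, action) in triage(risks, thresholds).items()
                  if action.startswith("residual"))


# Constructed sample register.
SAMPLE_REGISTER = [
    FraudRisk("Premature revenue recognition at quarter end", "fraudulent financial reporting",
              "more than remote", 2_500_000, controls=["revenue cutoff review"], overridable=True),
    FraudRisk("Cash kickbacks to purchasing staff", "expenditures for an improper purpose",
              "remote", 300_000, controls=["vendor master approval"]),
    FraudRisk("Inflated T&E claims, sales unit", "misappropriation of assets",
              "more than remote", 40_000, controls=["manager approval of expense reports"]),
    FraudRisk("Inflated T&E claims, field service unit", "misappropriation of assets",
              "more than remote", 35_000, controls=["manager approval of expense reports"]),
    FraudRisk("Ghost employees on payroll", "misappropriation of assets",
              "more than remote", 20_000),
    FraudRisk("CFO override of journal entry approvals", "financial misconduct by senior management",
              "more than remote", 15_000, controls=["journal entry approval"],
              overridable=True, qualitative=True),
]

if __name__ == "__main__":
    for scheme, (tier, action) in triage(SAMPLE_REGISTER).items():
        print(f"{scheme}: {tier}; {action}")
    print("Residual:", residual_risks(SAMPLE_REGISTER))
```

Two points the sample is built to show: the two T&E schemes are each below the inconsequential threshold but cross it together, so both stay in scope and are linked to their approval control; and the senior-management scheme is rated material on the qualitative flag alone despite its small amount, then lands in residual risk because the only linked control is one management can override.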

EVALUATING ANTIFRAUD CONTROLS

Once the fraud risk assessment has been completed, internal auditing will need to decide whether or not to evaluate and test the design and operating effectiveness of antifraud controls. The process of evaluating antifraud controls is similar to testing other control measures.

The new PCAOB standards require an organization's independent auditor to evaluate and test the design and operating effectiveness of the antifraud preventive and detective controls. The standards expressly prohibit the independent auditor from relying on internal auditing's testing of these controls.

Still, organizations may want their internal audit group to test in advance of the independent auditor's evaluation. Although some organizations may consider such testing duplicative, opting to leave this task entirely to the independent auditor can increase the likelihood of negative findings during the external audit. If the independent auditor determines that the antifraud control system is flawed or operating ineffectively, the organization will likely receive a "significant deficiency." Internal auditors should coordinate testing of antifraud controls with the audit firm.

FRAUD AUDITING

After evaluating the organization's antifraud controls, auditors should consider conducting fraud audits to address residual fraud risks. Fraud auditing is a relatively new field that combines aspects of forensic investigation and standard audit techniques to audit fraud risks that are not adequately mitigated by a preventive or detective antifraud control.

Similar to forensic investigators, those conducting fraud audits must possess antifraud training. Fraud auditing typically requires knowledge of how frauds can occur in various industries, as well as a firm grounding in key indicators for the fraud schemes being audited. Unlike forensics, however, fraud auditing searches for indicia of fraud; forensic investigations involve inquiries into specific allegations or suspicions of fraud.

When conducting fraud audits, internal auditors should consider using computer-assisted audit tools (CAATs) to search for indicators of fraudulent activity. Because of their ability to sort through massive amounts of data quickly, CAATs can be enormously helpful when searching for the proverbial needle in a haystack.
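As an added example of what a CAAT run looks like in practice (this is illustration, not code from the article or from PricewaterhouseCoopers), the script below applies three common fraud-indicator tests to an accounts-payable extract: duplicate payments resubmitted under a cosmetically altered invoice number, purchases split across several invoices to stay under a single-signature approval limit, and vendors whose invoices cluster just below that limit. The ledger rows, vendor names, approver IDs, the $10,000 approval limit, and the seven-day window are all constructed assumptions for the example.

```python
"""CAAT-style fraud indicator tests over an accounts-payable extract.

Added example. The rows, vendors, approvers, approval limit, and window
are constructed for illustration and are not from the article or any real
company. A hit is a lead for the fraud auditor, not proof of fraud.
"""
import csv
import io
import re
from collections import defaultdict
from datetime import date, timedelta

APPROVAL_LIMIT = 10_000.00        # assumed single-signature approval threshold
SPLIT_WINDOW = timedelta(days=7)  # assumed window for split-purchase detection

# Constructed AP extract: doc 1005 re-pays 1004 under a reformatted invoice
# number; docs 1001-1003 are an Acme order split to stay under the limit.
AP_EXTRACT = """\
doc_id,vendor,invoice_no,invoice_date,amount,approver
1001,Acme Supply,INV-4471,2004-02-03,9800.00,jsmith
1002,Acme Supply,INV-4472,2004-02-04,9750.00,jsmith
1003,Acme Supply,INV-4473,2004-02-05,9900.00,jsmith
1004,Beta Logistics,B-1101,2004-02-10,4200.00,mlee
1005,Beta Logistics,b1101,2004-02-24,4200.00,mlee
1006,Gamma Consulting,G-77,2004-02-12,15000.00,cfo
1007,Delta Parts,D-301,2004-02-15,600.00,mlee
1008,Delta Parts,D-318,2004-03-20,9950.00,jsmith
"""


def load_rows(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["amount"] = float(r["amount"])
        r["invoice_date"] = date.fromisoformat(r["invoice_date"])
        rows.append(r)
    return rows


def normalize_invoice(no):
    # Resubmitted invoices often differ only in case, dashes, or spaces.
    return re.sub(r"[^A-Z0-9]", "", no.upper())


def duplicate_payments(rows):
    """Lists of doc_ids paying the same vendor, normalized invoice, and amount."""
    seen = defaultdict(list)
    for r in rows:
        seen[(r["vendor"], normalize_invoice(r["invoice_no"]), r["amount"])].append(r["doc_id"])
    return [ids for ids in seen.values() if len(ids) > 1]


def split_purchases(rows, limit=APPROVAL_LIMIT, window=SPLIT_WINDOW):
    """Below-limit invoices from one vendor and approver, inside the window,
    whose combined amount exceeds the limit (circumvented authorization)."""
    by_key = defaultdict(list)
    for r in rows:
        if r["amount"] < limit:
            by_key[(r["vendor"], r["approver"])].append(r)
    hits = []
    for (vendor, approver), invs in by_key.items():
        invs.sort(key=lambda r: r["invoice_date"])
        for i in range(len(invs)):
            group = [invs[i]]
            for j in range(i + 1, len(invs)):
                if invs[j]["invoice_date"] - invs[i]["invoice_date"] > window:
                    break
                group.append(invs[j])
            ids = frozenset(g["doc_id"] for g in group)
            if len(group) > 1 and sum(g["amount"] for g in group) > limit \
                    and not any(ids <= frozenset(h["doc_ids"]) for h in hits):
                hits.append({"vendor": vendor, "approver": approver,
                             "doc_ids": sorted(ids),
                             "total": round(sum(g["amount"] for g in group), 2)})
    return hits


def near_threshold_vendors(rows, limit=APPROVAL_LIMIT, band=0.05, min_count=3):
    """Vendors with at least min_count invoices in the band just below the limit."""
    counts = defaultdict(int)
    for r in rows:
        if limit * (1 - band) <= r["amount"] < limit:
            counts[r["vendor"]] += 1
    return {v: n for v, n in counts.items() if n >= min_count}


def run_indicators(text=AP_EXTRACT):
    rows = load_rows(text)
    return {"duplicates": duplicate_payments(rows),
            "splits": split_purchases(rows),
            "near_threshold": near_threshold_vendors(rows)}


if __name__ == "__main__":
    for name, result in run_indicators().items():
        print(f"{name}: {result}")
```

Each test is deliberately narrow and is meant to be tuned against the organization's own approval matrix; the value of the CAAT is that the same query runs over every row in the extract rather than the sample an auditor could read by hand.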

ADDING VALUE THROUGH ASSESSMENT

A fraud risk assessment can be viewed as the corporate equivalent of a visit to the dentist: Senior management and the board may anticipate pain, yet they experience relief if the assessment determines that risks are under control. Peace of mind, however, is not the sole benefit of antifraud efforts. Effective fraud risk assessments can also have a positive impact on the organization's bottom line.

A 2002 study conducted by the Association of Certified Fraud Examiners, Report to the Nation on Occupational Fraud and Abuse, suggests that fraud can cost roughly 6 percent of a company's annual revenues. Likewise, benchmarking analysis and research by the General Counsel Roundtable, a best-practice and research organization for legal executives, found that each dollar of compliance spending saves organizations, on average, US $5.21 in heightened avoidance of legal liabilities, harm to the organization's reputation, and lost productivity.

Fraud risk assessments not only help satisfy U.S. law requirements, but also serve as an effective method of protecting--and enhancing--organizational value. Thorough, well-planned assessments provide an excellent means for internal auditing to contribute to the organization's bottom line and gain a higher profile with the audit committee and senior management.

For more information on anti-fraud programs, visit www.pwc.com/internalaudit to download a free copy of PricewaterhouseCoopers' white paper, Key Elements of Antifraud Programs and Controls.

JONNY FRANK, PARTNER AND HEAD OF FRAUD RISKS & CONTROLS PRACTICE, PRICEWATERHOUSECOOPERS LLP

To comment on this article, e-mail the author at jfrank@theiia.org.

The views expressed in this article are solely those of the author and do not represent those of PricewaterhouseCoopers or the universities with which the author is associated.

ILLUSTRATION BY RICHARD TUSCHMAN
