By Elliott Flood, Texas Mutual Insurance Company
State fund internal auditors are going to play a larger role in fraud prevention and detection, like it or not. Boards and other governing bodies are under increasing pressure to prevent fraud scandals within their organizations[1]. Internal audit shops that fail to sharpen their awareness of internal fraud issues may therefore find themselves facing criticism from their superiors. Should a scandal occur, boards will ask: “Where was internal audit?” This paper offers some suggestions to help audit directors anticipate and answer questions from their boards, such as, “What are you in internal audit doing to help the organization prevent and detect fraud?”
Following the scandals of the early 00’s, boards and audit committees have been hit with a wave of advice, education and counsel about fraud, and much of this advice raises expectations about internal audit’s anti-fraud role. For example, Statement on Auditing Standards (SAS) 99, ¶23 requires external auditors to ask internal audit:
- What are internal audit’s views of the risks of fraud?
- Has internal audit performed any procedures to identify or detect fraud?
- Has management satisfactorily responded to any findings in this regard?
- Does internal audit have any knowledge or suspicion that any fraud has occurred?
Additionally, SAS 99 includes a whole section on internal audit under the Exhibit “Anti-Fraud Programs” (see SAS 99, ¶74).
Under the new standards issued by the Public Company Accounting Oversight Board (PCAOB), boards will also be assessing internal auditors based upon evaluations from external auditors. The PCAOB, in its Auditing Standard No. 2, ¶¶24 & 140, requires external audit to evaluate internal audit’s effectiveness in preventing and detecting fraud. An inadequate internal audit function could result in a qualified or adverse opinion. See PCAOB Auditing Standard No. 2, ¶175.
Where Were the (Internal) Auditors?
The board should expect internal audit to help reduce the risk of both major and minor fraud, but the board’s level of concern is different, depending on the type of fraud. Therefore, internal audit directors should understand the difference between major and minor fraud and adopt distinct strategies to deal with each.
A “major fraud” is one that has the potential to create a scandal from the board’s point of view. Examples are large embezzlements, pervasive corruption and significant financial statement frauds (“cooking the books”) that materially affect the organization. Major fraud often involves management override of internal controls, so even a well-designed system of internal controls at the transaction level will not necessarily suffice to prevent major fraud by senior officers of the organization. The board’s worst nightmare is to wake up one morning and, reading the Wall Street Journal, see a headline about a major fraud scandal in its own company, such as senior management involved in:
- “Cooking the books,”
- Conflicts of interest,
- Misappropriation of company assets,
- Scientific fraud,
- Corruption,
- Civil or criminal investigations,
- Allegations of dishonest or unethical conduct.
Reputational catastrophes are usually related to ethical lapses by senior officers. Often, significant damage is done by mere allegations of a major fraud.
On the other hand, “minor frauds” are those that occur in isolated instances, that do not make the news, and that involve immaterial amounts. For example, many, but not all, of the typical occupational frauds described by the Association of Certified Fraud Examiners in its “Report to the Nation” are minor frauds. Although potentially expensive, below a certain level these frauds do not necessarily damage the organization’s reputation. Examples of such “minor fraud” are relatively small thefts, embezzlements, corruption, etc. by low- or mid-level employees. Minor fraud hurts the company only if it actually happens. By contrast, allegations of a major fraud, with publicity, will damage the organization’s reputation even if the allegations are later cleared. Minor fraud is, by definition, not newsworthy.
Notwithstanding the above, the board will expect internal audit to audit controls around minor fraud risks, such as segregation of duties, safeguarding of assets and enforced vacation policies. These tend to be transactional controls. The control environment, or “soft controls,” is important to both types of fraud. However, in the area of major fraud (e.g. by a CEO or CFO), override is typically present, and the control environment may be the major factor in prevention. Some have commented that Sarbanes-Oxley Section 404[2] does little to address major fraud because it focuses so heavily on controls that can be overridden.
So, what expectations does the board have, or should it have, of internal audit? In the area of major fraud, which must be the greatest concern, the audit director must play the role of trusted advisor to the board, with all that implies. This may require the difficult role of challenger to senior management, including the CEO and CFO, usually the two most powerful officers in the organization. The board’s expectations of internal audit in minor fraud are different: it still expects internal audit to address the risks of minor fraud, usually in the audit plan.
If the internal audit director reports to the CFO, this need not prevent internal audit from playing an effective role in the prevention of minor fraud. But if the internal audit director reports to the CFO for purposes of job evaluation, budget and audit plan approval, then internal audit’s independence with respect to major fraud may be impaired. This is especially true if the board wants some assurance with regard to the risk of major financial statement fraud, which frequently involves the CFO or CEO. Dan Goelzer of the PCAOB says: “…for the outside auditor to rely on the work of the internal auditor, the external auditor must …[consider] whether internal audit is independent of the CFO and of the other people that are directly responsible for financial reporting.”
This is doubly true if the audit committee relies to any degree on internal audit’s assessment of the internal controls over financial reporting.
The Audit Director’s Annual Report
The Institute of Internal Auditors (IIA) recommends that audit directors give an annual evaluation of internal control to senior management and the board (see Practice Advisory 2120.A1-1). While the advisory is not mandatory, you depart from it at your own risk, given the increased emphasis on internal audit’s anti-fraud role noted above. The audit director, under the IIA guidance, should give his or her opinion on the overall effectiveness of internal control. This opinion is expressed in terms of “negative assurance,” i.e. that the internal audit function knows of nothing that should be revealed to senior management or the board, which would include fraud. The opinion is “based upon the audit work and all other available information during the year.” The core of the recommended procedure is set out by the IIA as follows:
9. The report of the [audit director] on the state of the organization’s risk management and control processes should be presented, usually once a year, to senior management and the board. The report should emphasize the critical role played by the risk management and control processes in the quest for the organization’s objectives, and it should refer to major work performed by internal audit and to other important sources of information that were used to formulate the overall assurance judgment. The opinion section of the report is normally expressed in terms of negative assurance; that is, the audit work performed for the period and other information gathered did not disclose any significant weaknesses in the risk management and control processes that have a pervasive effect. If the risk management and control deficiencies or weaknesses are significant and pervasive, the assurance section of the report may be a qualified or adverse opinion, depending on the projected increase in the level of residual risk and its impact on the organization’s objectives.
Fraud and Audit Planning
Management may try to transfer certain anti-fraud responsibilities to internal audit. Internal audit may facilitate a fraud risk assessment by management, but management owns the anti-fraud control processes. A companywide fraud risk assessment is much more comprehensive than the risk assessment an auditor performs in planning an individual audit, which covers only the fraud risk of the auditable entity.
The theory behind fraud risk assessments is discussed at length in Deloitte & Touche’s publication, Antifraud Programs & Controls:
Historically, most material frauds have often been directed in part by management and detected by employees and those responsible for corporate governance at other levels in the organization. It is therefore critical that employees outside of management are involved in the fraud risk assessment. It is important that the fraud risk assessment include business process owners or those who have significant knowledge, control, or influence over the activities within a significant business process or cycle. The audit committee should evaluate management’s identification of fraud risks, and should have an active role in the oversight of the fraud risk assessment process…. Additionally, internal audit should have an active role in the development, monitoring, and ongoing evaluation of fraud risk assessments.
The bottom line is that we must manage expectations, now more than ever. We must consider the possibility of both minor and major fraud in all audits. We should advise our governing bodies about state-of-the-art issues in reporting relationships, executive sessions, fraud risk assessments, etc. While the specific activities under audit may not present much risk of fraud, at a minimum we should be able to say we assessed the risk of fraud, because we are going to face tougher questions from our boards, such as:
- “What is internal audit doing to help the organization prevent and detect fraud?”
- “Have you done a fraud risk assessment lately?”
- “Do you plan to audit our ethics program, and if so, how will you test it?”
- “Do you look for fraud in your audit work?”
Hopefully, this paper will serve as a resource for you to think of ways to answer these questions and others. Good luck.
[1] In the workers’ compensation business, fraud by claimants is a pervasive part of the landscape. However, this paper deals only with frauds by insiders of the organization. Frauds perpetrated by outsiders, such as claimants, are beyond the scope of this paper.
[2] While Sarbanes-Oxley does not apply to state funds, it is possible that the National Association of Insurance Commissioners (NAIC) will adopt a “look-alike” provision for funds that are organized as a mutual insurance company. It is also possible that unique state requirements will impose “look-alike” provisions on other types of state funds, or that the fund’s own governing boards/officials may look to Sarbanes-Oxley as a best practice.