Question

Fraud examination and financial forensic skills have a key role in corporate governance. Appraise the key roles in corporate governance, indicating how gaps in the roles may lend itself to corporate fraud.

Answer 1

Role of the board of directors

A proper corporate governance structure begins with the board of directors, whose job is to:

• implement an effective business ethics program;
• understand fraud risks;
• maintain oversight of fraud risk assessment;
• monitor management fraud and control-related activities;
• oversee internal controls established by management;
• set the appropriate tone at the top;
• have the ability to retain and pay outside experts; and
• provide to external auditors evidence of active involvement.

Achieving these objectives requires a strong commitment, fraud awareness, an affirmation process, disclosure of conflicts of interest, active and ongoing fraud risk assessment, fraud reporting procedures (e.g., hotlines) and whistleblower protection, corrective actions, ongoing process evaluation and improvement, and continuous monitoring.

Role of the audit committee

In larger firms, the board typically delegates its fraud risk management responsibilities to the audit committee. The audit committee should comprise independent board members, include at least one financial expert (preferably an accountant), and meet regularly alone with the internal auditor and out of the presence of management.

The audit committee must be proactive in overseeing fraud risk management to minimize risk. It must have a good, open dialog with the external auditor, especially concerning fraud issues and risks. It should also have good, open lines of communication with legal counsel with whom it should consult when fraud is suspected.

Role of firm management

Although the audit committee serves as the overseer, management is responsible for designing and implementing the fraud risk management program. As part of this task, management must, to minimize risk, set the correct tone at the top for the organization, implement adequate internal controls, and report to the board regarding fraud management policies and procedures to evaluate their effectiveness. In many companies, one representative of management (e.g., a chief ethics officer) reports to the board of directors regarding fraud risk management efforts.

All levels of management (and staff) should:

• understand fraud and its red flags;
• understand their roles in the internal control framework;
• read and understand policy and procedure manuals;
• participate as required in creating and designing a strong control environment;
• participate in monitoring activities;
• report suspicions or incidences of fraud; and
• cooperate in investigations.

Role of the internal auditor

The role of the internal auditor is especially important. The internal auditor should provide assurances to the board (via the audit committee) that fraud controls are sufficient for the risks and are functioning effectively. As part of accomplishing this task, the internal auditor should review the adequacy of identified risks, especially risks relating to management override.

The internal auditor’s role and responsibilities should be expressed in a written charter approved by the board. This charter should spell out the internal auditor’s roles and responsibilities for fraud risk management, including those about investigations, monitoring whistle-blowing reports and processes, providing ethics training, and maintaining a code of conduct.

Smaller firms may not have the resources of larger firms to design and implement policies and procedures to minimize fraud risk. The board of managers of such firms can design a system that weighs the trade-offs of costs and benefits of a fraud management system. If a firm does not have internal resources to assess the trade-offs and implement a system, an outside firm with risk and forensic advisory expertise can assist.

Fraud risk assessment

Given a strong governance structure, the focus should be on effective processes for fraud risk assessment (which, in turn, must be followed by a focus on fraud prevention, fraud detection, and fraud investigation). The fraud risk assessment must be considered within the larger context of enterprise risk management.

The three key elements of fraud risk assessment are 1) identifying inherent fraud risk (i.e., the risk of frauds), 2) assessing the likelihood and significance of each inherent fraud risk, and 3) responding to likely and significant inherent risks.

Management should appoint a risk assessment team that includes accounting and finance personnel, legal counsel, risk management personnel, internal audit staff, and any other persons who may be helpful. The team should brainstorm to identify fraud risks. To accomplish this task, the team must understand the population of fraud risks as such risks relate to fraudulent financial reporting, misappropriation, and corruption.

When surveying the population of fraud risks, the team should consider the following:

• Incentives, pressures, and opportunities
• The risk of management override of controls
• Information technology as it relates to fraud risk
• Regulatory, legal, and reputation fraud risks

When assessing the likelihood and significance of identified inherent fraud risks, the fraud risk assessment team should consider the following:

• The history of the fraud in the organization
• The incidence of fraud in the industry
• The complexity of the risk
• The risks for particular individuals or departments
• The number of people and transactions involved

When estimating significance, the team should consider significance to the organization’s operations, brand value, reputation, and legal liability (criminal, civil, and regulatory). An adequate procedure is to assign one of three likelihoods to each identified inherent risk: remote, reasonably possible, or probable. Alternatively, one could assign more than three likelihoods to each risk.

The team should discuss with management and the board the appropriate responses to residual risks(i.e, risks that remain with a set of controls). Options include accepting residual risks based on their perceived likelihood and significance or increasing the level of controls to compensate.

The team’s fraud risk assessment should be documented using a structured framework, and the team should discuss its findings with the audit committee. The entire process should be iterative and ongoing, with a focus on continuous improvement. An outside risk advisory professional can assist in the assessment if the firm does not have adequate resources in-house.