Question

The 2002 SOX Act required integrated audits for all public companies with immediate implementation by larger accelerated-filers.  The 2010 Dodd-Frank Act modified section 404 of the SOX Act to exempt certain smaller companies (non-accelerated-filers) from having external audits of their ICFR.

Given the importance and function of internal controls and known fraudulent activities, do you agree with this modification that eliminated the need for these smaller public companies from having auditor’s express an opinion on their ICFR? Explain your answer.

Though recommended, there is no requirement for private and not-for-profit companies to have external auditors audit their ICFR. Explain whether you feel these organizations should have their ICFR audited by external auditors.

Answer 1

The Sarbanes-Oxley Act was signed into law on 30 July 2002 by President Bush. The Act is designed to oversee the financial reporting landscape for finance professionals. Its purpose is to review legislative audit requirements and to protect investors by improving the accuracy and reliability of corporate disclosures.

The Dodd-Frank Act (fully known as the Dodd-Frank Wall Street Reform and Consumer Protection Act) is a United States federal law that places regulation of the financial industry in the hands of the government. The legislation, which was enacted in July 2010, created financial regulatory processes to limit risk by enforcing transparency and accountability.

SOX Section 404:
Management Assessment of Internal Controls
Section 404 is the most complicated, most contested, and most expensive to implement of all the Sarbanes Oxley Act sections for compliance. All annual financial reports must include an Internal Control Report stating that management is responsible for an "adequate" internal control structure, and an assessment by management of the effectiveness of the control structure. Any shortcomings in these controls must also be reported. In addition, registered external auditors must attest to the accuracy of the company management assertion that internal accounting controls are in place, operational and effective.

A direct excerpt from the Sarbanes-Oxley Act of 2002 report for section 404:

(a) Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

(b) Internal Control Evaluation and Reporting. With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement.

The Sarbanes-Oxley Act requires that the management of public companies assess the effectiveness of the internal control of issuers for financial reporting. Section 404(b) requires a publicly-held company's auditor to attest to, and report on, management's assessment of its internal controls.

Amendments to SOX, including Section 404(b) exemption for nonaccelerated filers, under the dodd-frank wall street reform and consumer protection act

The Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the "Act") has now been passed by both houses of Congress and is awaiting signature by President Obama. The Act, once implemented by the required regulations, will completely alter the U.S. financial regulatory system. Financial institutions will be materially affected by these regulations, and non-financial institutions will be affected at least indirectly through their use of regulated financial products. Additionally, the Act's amendments to the Sarbanes-Oxley Act of 2002 (“SOX”) and broad changes to executive compensation and corporate governance rules will impact public companies in the United States.

This memorandum is focused on certain provisions of Title IX of the Act that relate to SOX Section 404, including an amendment to SOX Section 404 which exempts nonaccelerated filers from the SOX Section 404(b) requirement to obtain an auditors’ report on management’s assessment of the effectiveness of the company’s internal control over financial reporting.

I. Exemption for Nonaccelerated Filers

Title IX of the Act amends SOX Section 404 to exempt nonaccelerated filers (including smaller reporting companies) from the SOX Section 404(b) requirement to obtain an auditors’ report on management’s assessment of the effectiveness of the company’s internal control over financial reporting. The text of the new subsection (c) reads in its entirety as follows:

‘‘(c) EXEMPTION FOR SMALLER ISSUERS.—Subsection (b) shall not apply with respect to any audit report prepared for an issuer that is neither a ‘large accelerated filer’ nor an ‘accelerated filer’ as those terms are defined in Rule 12b–2 of the Commission (17 C.F.R. 240.12b–2).’’

In addition, the Act directs the Commission to conduct a study to determine how the Commission could reduce the burden of complying with SOX Section 404(b) for companies whose market capitalization is between $75,000,000 and $250,000,000 while maintaining investor protections for such companies. The Commission is also directed to consider whether any such methods of reducing the compliance burden or a complete exemption for such companies from compliance with SOX Section 404(b) would encourage companies to list their initial public offerings on exchanges in the United States. The Commission is directed to provide its report of such study to Congress not later than nine months after the date of the enactment of the Act.

II. GAO Study Regarding Exemption for Smaller Issuers

The Act also directs the Comptroller General of the United States to carry out a study on the impact of the amendment to SOX Section 404, including an analysis of:

whether issuers that are exempt from SOX Section 404(b) have fewer or more restatements of published accounting statements than issuers that are required to comply with SOX Section 404(b);
the cost of capital for issuers that are exempt from SOX Section 404(b) compared to the cost of capital for issuers that are required to comply with SOX Section 404(b);
whether there is any difference in the confidence of investors in the integrity of financial statements of issuers that comply with SOX Section 404(b) and issuers that are exempt from compliance with SOX Section 404(b);
whether issuers that do not receive the attestation for internal controls required under SOX Section 404(b) should be required to disclose the lack of such attestation to investors; and
the costs and benefits to issuers that are exempt from SOX Section 404(b) that voluntarily have obtained the attestation of an independent auditor.
The Comptroller General is directed to provide its report of such study to Congress not later than three years after the date of the enactment of the Act.

THE IMPORTANCE OF A COMPANY’S INTERNALCONTROL SYSTEM IN FRAUD PREVENTION

INTRODUCTION

An efficient management system is a precondition
for achieving company goals. Such a system indicates
careful planning of long-term goals and coherence in
realization. Since reaching targets is a complex and
dynamic process which may go in the wrong direction,
a management system therefore needs qualitative,
well-timed and reliable information generated by
continuous observation and control of all activities.
Monitoring activities should enable detection and
timely reaction to possible target-related deviations,
without jeopardizing the process of activities.
Since partial, occasional and voluntary internal
supervision could not respond to such information needs,
it has gradually been transformed into a complete and
permanent system of internal control of all important
functions and processes. Although the function of
supervision is a part of the management system and
belongs to the exclusive competence of top management,
it cannot be expected that management carries out the
overall performance supervision. Even if we neglect the fact
that management is mainly concentrated in strategy and
the future, there still remain the problems of time needed
for direct supervision as well as the specific knowledge
to ensure qualitative and continuous monitoring of
goods and cash flows within the company. However,
management is considered responsible for setting up an
adequate control environment and control activities to
prevent undesirable events in business and reporting.
The aim of this work is to show how the overall
quality of control and company performance is raised
through implementation of preventive methods of
internal control, and to indicate that a developed system
of internal control represents a protective barrier
against various kinds of data manipulation and fraud
inside companies. Accordingly, the title was chosen to
emphasize the role and significance of an internal control
system, because internal control is the first step in the
process of protection against fraud. The first part of this
study examines the concept and importance of internal
control, while the second concentrates on the essence
and scope of fraud in financial statements, including also
preventive internal control methods. Finally, the third
part refers to the role and responsibility of management
in organizing internal control.

CONCEPT OF INTERNAL
The emergence of internal control over specific
segments of activities was associated with management
needs for information on business performance and
its development. Thus, management was able to
more precisely evaluate consistency between the
actual situation and development targets. The original
supervision was based on occasional, current and
direct inspection of activities or additional inspection
of documentation and information related to the work
done. Although such an approach is still very important,
the practice, however, has showed that management of
a contemporary enterprise requires a different attitude
toward supervision over processes and information.
Modern business is characterized by complexity of goals
and processes demanding qualitative, prompt and reliable
information. Since occasional, partial and voluntary
internal supervision could not meet such information
requests, a complete and permanent system of internal
controls of all important functions and processes in an
enterprise has emerged.

Essence and types of internal control
Among various definitions of internal control
probably the most complete one was provided by the
Committee of Sponsoring Organizations of the Treadway
Commission: “Internal control is a process, effected by
an entity’s board of directors, management and other
personnel, designed to provide „reasonable assurance”
regarding the achievement of objectives in the following
categories: effectiveness and efficiency of operations,
reliability of financial reporting and compliance with
applicable laws and regulations“ (Rezaee, 2002, p. 212).
International Standards on Auditing states that internal
control system “means all the policies and procedures
(internal controls) adopted by the management of an
entity to assist in achieving management’s objective
of ensuring, as far as practicable, the orderly and
efficient conduct of its business, including adherence
to management policies, the safeguarding of assets, the
prevention and detection of fraud and error, the accuracy
and completeness of the accounting records, and the
timely preparation of reliable financial information
(Međunarodni standardi i saopštenja revizije: Značenje
pojmova, SRRS, Beograd, 2005, p. 144).
IThe essence of internal control is a comparison
that enables evaluation of the current state in respect
of an accepted base for comparison which may consist
of tasks, regulations or instructions. The result of the
control should be the confirmation that the current state
is in compliance with established norms or detected
deviations from such norms. Since internal control is not
an event nor a circumstance but an array of activities that
check a company’s performance and since it is established
and implemented by people, the board of directors and
managers expect it to provide a reasonable, not absolute,
assurance that the company’s goals are achieved. But,
constraints are imminent to human nature - management
and employees are usually able to circumvent the
system of internal control individually or by mutual
agreement, making the internal control system useless.
Various types of internal control may be grouped
into two main categories:
1) administrative controls – addressed to strengthen
the successfulness and efficiency of performance, as well
as the compliance with rules and management policies.
Such controls are subject to business and compliance
audit,
2) accounting controls – oriented towards the
correctness of financial data and protection of a
company’s assets against unlawful conversion. As
a result of increasing amount of fraud in financial
reporting there is growing interest in control methods
for protection of company assets. Accounting controls
are considered by independent and internal audit.
Further distinction of internal control types
could be carried out according tothe following criteria
(Kiziukiewicz & Sawicki, 2007, p. 269):
1) control executor,
2) control extent,
3) control period.
In regards to the first distinction criterion of control
executor, there are:
1) institutional control, conducted by specialized
units planned in the organizational structure specifically
for this task,
2) functional control, related to duties of
management in various positions in the company’s
organizational structure.
According to the control extent criterion we
distinguish among:
1) complete control encompassing the whole range
of questions,
2) problem control, concentrated on a specific
question,
3) additional control, conducted in the case of
selected issues,
4) follow-up control, carried out to see if postcontrol activities were conducted.
The control period criterion defines:
1) introductory control, oriented towards future
operations,
2) current control, concentrated on operations
during or after their fulfillment,
3) subsequent control, examining completed
operations in order to determine whether business
activity is performed in compliance with standards and
to propose possible corrective measures. It includes
periodic, formal and essential control.
We can expand the original set of criteria with an
additional one – course of action – so as to define:
1) progressive control, which is directed from the
first business transaction to the last one,
2) retrograde control, which is the opposite from
progressive control, directed from the last business
transaction toward the first one.

Internal control goals and constraints
An internal control system should be the base for
the development plan of each company. A successfully
developed internal control system is a necessary but not
sufficient condition for efficient management. Internal
controls cannot resolve all of a company’s problems.
However, inefficient internal controls or their lack
may cause serious problems for the company. Internal
control becomes a part of the management process.
Nevertheless, even the most effective internal control
techniques are not remedies for bad solutions, inefficient
management or external and unexpected events. On the
other hand, good management and effective internal
controls can limit the effects of unfavourable conditions
through identification and quick response to such
conditions.
Internal control consists of all mechanisms and
procedures covering all the activities and ensuring
efficient and safe functioning. It includes preventive
actions which support achievement of the following
goals:
1) consistent realization of business strategy and
efficient use of available resources,

2) risk identification and handling on a regular basis,
asset preservation, reliable and complete data needed to
access the financial situation and prepare the financial
statements on time,
3) compliance with laws and regulations as well as
the internal codex and instructions.
With regard to these goals, each enterprise should
have an internal control system. It is a hierarchical system
of different control areas, methods, and means for its
implementation in observing and registration, detection
of deviations and their causes, as well as in presentation
of results.
Understanding the nature and goal of internal
control can be a challenge for many directors and
members of management and supervisory boards. They
oppose lengthy and often boring reports and other
documents, as well advice of numerous experts who
present the subject in a much more complicated way
than necessary. Therefore, directors usually understand
internal control as “bureaucracy“. Indeed, too complex
methods and procedures discourage initiative and lead to
unnecessary spending of a company’s resources. Internal
control actually aims to help the company to achieve
its goals. It is important to distinguish internal control
from various types of external controls. Namely, internal
control facilitates efficiency and effectiveness and is
therefore a necessary condition for long-term survival of
the company, while it may operate well without external
control.
Efficiency of internal control may be constrained
by management, employees and secret agreements.
Management is sometimes a limiting factor due to
possible omissions during the control process. Employees
can make mistakes while processing orders and come up
with wrong conclusions. Secret agreements among a few
individuals may take place in order to usurp a company’s
assets, which can be prevented by clear division of tasks

and responsibilities.

Internal control in detecting and preventing fraud

Earlier internal control used to deal with fraud more
directly than today. The situation started to change when
the scope of internal control services expanded, so the
accent was more on preventing than detecting fraud. It
turned out that effects were greater if a good internal
control system and management procedures were
developed to reduce the possibilities of fraud. Such a
transition from fraud detection to development of better
systems and procedures for fraud prevention enabled
internal auditors to provide more constructive services
through the operational audit. However, internal auditors
should always be aware of their real responsibilities
while providing help in fraud prevention and detection.
Management bears the responsibility for fraud.
Nevertheless, there always appears the question
during the fraud investigation “When was the last audit
conducted?“ or “Where were the auditors?“. Once fraud
takes place, auditors become responsible to explain
why they failed to detect weaknesses that could lead to
a fraud.
Internal control is expected to identify possibilities
of better prevention which is more desirable than
detection. The role of internal control is determined
by the standards of professional practice. According
to these standards internal auditors should be aware
of intentional violations, mistakes and omissions,
inefficiency, spoilage, ineffectiveness, and conflicts
of interest. Internal control cannot provide absolute
assurance in avoiding irregularities, but it can highlight
the probability of faultiness. Standards do not place the
responsibility for fraud detection on internal control.
Yet these standards require internal auditors to expect
potential conditions for fraud, identify the possibility for
their existence, and to be aware that fraud might occur
during the auditing process.
Numerous financial scandals have proven that many
financial statement frauds were influenced intentionally
or not by external auditors’ advice and lack of warning
when the risk of fraud existed. Therefore, companies
have realized that it is safer and cheaper to establish
their own internal control system in order to prevent
fraud in the future.

Essence and scope of fraud in financial statements

Manipulation of financial statements may shake up
even the most developed capital markets, disturb their
functioning and lead to a less or more serious financial
crisis. Decrease of investments, GDP, and employment
also affect a national economy. It is widely known that
the decrease in investment attractiveness resulting from
uncertainty, higher risks and an inefficient capital market
slow down economic activities. Therefore, financial
statements can contribute to or threaten the stability
of the economic-financial environment. High-quality
financial statements do not only represent the interest
of investors and accounting profession but also of the
regulatory bodies and relevant state institutions.

Nature of fraud in financial statements

Financial statements based on International
Accounting Standards should present correct data as
the basis for the decision making process. Without
qualitative financial reporting it is not possible to manage
the company adequately, attract potential investors,
procure desired loans, influence share prices at stock
exchanges, etc. Managers usually receive a fixed salary
and a premium if owners expectations are achieved.
There is a risk that managers might abuse their position
by setting their own interests before the interests of their
company, which may lead to undesirable consequences
for the shareholders, investors, other stakeholders, the
capital market and society in general. Almost all business
scandals in the last years were the result of fraud in
financial statements. A large number of financial scandals
in the USA (Wordcom, Enron) and in Europe (Parmalat,
Ahold) demonstrated that even in developed market
economies scandals can negatively influence the status
of employees, pensioners, business partners and other
parties which are not protected from the risk of fraud.
Globalized, financial markets detect frequent frauds
at national as well as at the international level. Large
disorders in regional capital markets caused by frauds
in financial reports have initiated serious monetary
shocks, especially in developing countries, since they
are very sensitive to international financial frauds.
Frauds in financial statements could be defined as
conscious violation of accounting standards while making
financial reports and presenting false data. Such frauds
exist as long as financial reporting is oriented toward the
achievement of a manager’s short-term goals. They are
present not only in transition countries but also in countries
with developed economies and traditional financial
reporting. Frauds in financial reports in the recent past
have caused devastating effects in developed countries
leading to the emergence of global financial crises.
Pursuant to International Audit Standards (IAS)
frauds in financial reports are considered criminal
activities of intentional wrong data presentation
(Međunarodni standardi i saopštenja revizije“, Savez
računovođa i revizora Srbije, Beograd, 2005, p. 277)
Association of Certified Fraud Examiners (ACFE) defines
financial report frauds as “the intentional, deliberate,
misstatement or omission of material facts, or accounting
data which is misleading and, when considered with
all the information made available, would cause the
reader to change or alter his/her judgment or decision“
(Zabihollah, 2002, p. 2). The American Institute of Certified
Public Accountants (AICPA) defines financial statements
fraud as “intentional mis-statements including omissions
of amounts or disclosures in the financial report to
deceive financial statement users”.
The consequences of financial statement fraud can
be very unpleasant, sometimes even dramatic. The most
common reasons for such fraud are managers’ personal
benefits. Those benefits are always gained at the cost
of other interest groups, so managers are able to enjoy
favourable results only in the short-run. In the longterm

consequences are negative and mostly affect those
who do not participate in the financial fraud. Damage
can be direct and measurable in terms of realized loss
or omitted gains, as well as indirect such as omitted
dividends or capital gains. Opportunity costs in terms of
omitted gains because the best investing alternative was
rejected are good examples of certain damage which is
not easily measurable. Financial statement fraud may be
accomplished through:
1) falsification of material facts, documents or
business transactions,
2) false presentation of events, transactions,
accounts, and other important information which is
included in a financial report,
3) deliberate wrong use of accounting principles,
policies or procedures which serve to evaluate, recognize
and record business transactions,
4) false presentation of financial information in
financial reports. (Wells, 2005, p. 324).
Damage to the accounting profession due to financial
statement fraud, although hardly measurable, is certainly
significant. Despite enormous efforts this profession puts
in establishing qualitative regulation, it is still impossible
to develop perfect rules, and there is also creative
interpretation of rules, as well as the unethical behavior
of managers, accountants, and auditors. Lost trust in the
quality of the financial reporting system and reliability
of auditing opinion is an inevitable consequence. Since
financial statements may have hidden losses, there is
a huge risk for those who make decisions on the basis
of such information. Consequently, information risk
increases the costs of accounting information.

Internal control in preventing financial
statement fraud

Generally, responsibility for internal control system
functioning must be attached to the highest hierarchical
level in the company. Companies should develop an
internal control system able to fully protect both owners
and resources. It includes procedures designed to lower
the risk of criminal activities and obtain reliable and
objective financial reports. Internal control officers are
often considered exclusively responsible for preventing
criminal activities. However, primary responsibility for
the effectiveness of internal control still rests with the
management system of the company. Firstly, internal
control standards suggest making a list of potential
criminal activities, i.e. :
1) investigating if there is a risk of criminal activities
(jointly with the managing authority),
2) investigating (jointly with the external auditor)
possible material errors in financial statements (Fraud
Risk Management: A guide to good practice, 2009, CIMA,
p. 9).
In order to achieve a successful performance of
internal control in fraud detection it is necessary to:
1) acquire the knowledge of an internal control
system – it is necessary for management to acquire the
knowledge of key elements of internal control and the
way they function. It means the estimation of control
usefulness and applicability – whether the control,
individually or in combination with other controls,
effectively prevents, detects and corrects material errors.
Understanding of an internal control system is achieved
by:
a. conducting the preliminary review,
b. documenting the internal control system,
c. identifying transaction cycles,
d. conducting the procedure of “walking“ through
transactions,
e. designating control procedures which can be
relied upon.
2) Estimate control risk – no matter how efficient
an internal control system is, none can completely
prevent false data due to errors, and especially due to
secret agreements of employees and managers. It is
therefore necessary to estimate the reliability of an
internal control system before deciding upon the scope
of further activities. This step helps to evaluate the
purposefulness, successfulness and structure of internal
control in detecting and preventing false material data
in financial statements. During control risk assessment
it is possible to notice whether possible errors or frauds
may appear in financial reports. Control risk evaluation is
forwarded to the management and auditing committee
if there are significant omissions in the internal control
system. Accordingly, while evaluating control risk it is
necessary to:
a. consider potential fraud or errors that may appear
in financial statements,
b. consider necessary control steps for fraud and
error prevention,
c. conduct control tests and evaluate control risk,
d. inform the responsible bodies about the internal
control omissions observed (Petković, 2010, p. 156).
3) Determine the effect of control risk assessment
on essential tests – after assessing the internal control
usefulness, and if it is estimated that fraud may appear
and alter significantly the data in financial statements, it is
necessary to determine the overall response for financial
statements and further procedures whose nature, time
and scope are adequate for the estimated risks. It is
reflected through the essential tests affected by control
risk evaluation. If control tests reveal favourable data
about thesuccessfulness of the internal control system
and control risk level, then the size of the essential tests
may be reduced. Usually, the estimated control risk level
is not low enough to completely eliminate the need
for essential testing. That is why the relevant balances
as well as transaction types should be submitted to
essential testing. On the other hand, if it is estimated
that internal controls are weak and unsuccessful, which
means that the risk of fraud is greater, it is necessary to
conduct wider essential testing.
Internal controls must be correctly evaluated in
order to be useful, and to reveal financial statement
fraud in time.
Internal control techniques in
financial statement fraud prevention
IInternal control and other types of control (external
auditing and forensic accounting) should develop and
describe techniques for dealing with criminal activities.
It is very important in fraud prevention because all
participating subjects are informed about how to handle
fraud. Documenting will support the supervision of
preventive controls or suggest that such controls are
ineffective. Testing of the procedures which ensure
adequate operations of preventive controls and their
results have to be documented in detail. The most
important is that documentation contains a detailed
description of elements used to prevent financial
statement fraud, emphasizing the roles and responsibilities
of all participating parties. When companies evaluate
management programs to fight fraud, or try to improve
such programs, they should also evaluate techniques for
fraud prevention. Therefore, a company should, with
the help of internal and external auditors, periodically
evaluate preventive techniques in order to make sure
that none of the preventive control elements has been
warped. Internal control enables an additional evaluation
process and preventive techniques by external auditors
and forensic accountants who analyze them in detail and
report in the case where specific programs are not as
supposed or their consistent implementation will cause
more damage than benefit. One of the best ways for
prevention of financial statement fraud is in providing a
control environment which encompasses:
1) a codex of behavior, an ethical policy in order to
establish a proper attitude towards fraud prevention at
the highest level of organizational structure,
2) ethical and warning programs of communication
for alerting and reporting the noted deviations,
3) instructions, practice and rewards for
employees,
4) supervision by audit committee and managing
board,
5) investigation of reported cases and elimination of
any confirmed fraud.
The plan, approach and scope of monitoring fraud in
financial statements should be documented and upgraded
in every company. Taking into account all parties which
participate in risk process evaluation and subsequently
designed control activities, it is very inconvenient to
require that an independent body regularly monitor

the fraud preventive measurements. Additional revision
should be conducted separately from any routine or
planned audit. Forensic accountants, as a special kind
of controller, should deal with the implementation of
continuous internal control, and a positive result may be
guaranteed. Before any program revision, problems such
as significant changes in organization and their risks,
changes in responsibilities for activities implementation,
as well as the result from the previous investigation, will
determine the extent to which the current investigation
scope has to be changed. Each evaluation should contain
proofs that the management are actively involved in
the management risk of fraud, and that the corrective
measures were undertaken in time.

Role and responsibility of management
in organizing internal control

Management is responsible for the establishment,
maintenance, and monitoring of internal control
structure to ensure the achievement of company’s goals.
Its tasks are as follows:
1) creating the culture of ethical behavior –
management is responsible to clearly explain to all
employees how they are expected to behave. The basis
of a business environment in which the company can
successfully deal with fraud is a strong system of values
formed through various codes of conduct, an ethical
codex, etc. At the same time they make grounds for
creating the culture of ethical behavior which consists
of:
a. personal example,
b. creating a favourable working environment,
c. adequate recruitment,
d. employee training and development,
e. accepting responsibility and norms of behavior,
f. punishing (http:\\www.aicpa.org\download\
antifraud\SAS-99-Exhibit.pdf, accessed 08.07.2012).
2) estimating reliability of an internal control
system – none of the financial statement frauds could
be conducted without the identified possibilities for
their performance and camouflage. A weak internal
control system increases such chances. That is why
management has responsibility to periodically estimate
the effectiveness of internal controls in preventing fraud
by:
a. evaluating and measuring risk factors of financial
statement fraud,
b. considering possible ways of fulfillment,

c. putting emphasis on detected risk factors,
d. assessing the successfulness of internal controls
which ease the risk factors.
3) designing and implementing internal controls
directed against financial statement fraud – although
internal controls reduce the possibility of financial
statement fraud, there is always a certain degree of
risk that they will not perform the way they were
supposed to. None of the internal control systems
is immune to fraud, especially in the case of secret
agreements between employees. However, there is a
dilemma related to special control steps designed for
fraud prevention. Contemporary management and
control theory and practice imply that there are fraud
specific internal controls which represent a “system of
special control procedures designed and derived for
the basic, if not exclusive aim of fraud prevention and
discouragement“(Davia, Coggins, Wideman & Kastantin,
2000, p. 102). Correct design and implementation of
those controls enable a company to achieve its goals for
property protection against illegal action,
4) supervision of internal control performance – an
internal control system must be supervised in order to
estimate if controls still function and whether changed
risks have imposed the need for implementation of
new control procedures. Management together with
other bodies (such as an auditing committee) should
be strongly involved in supervision of internal controls.
Monitoring could start with “self-assessment“ among
persons responsible for important accounts, procedures
and operations including the non-management staff.
Management and the auditing committee should analyze
the results. Management should also evaluate the
purposefulness and effectiveness of supervisory activities
over internal controls, and document their estimation
and conclusions. The aim of documenting is collection
of proof in favour of management’s supervisory program
and activities. Documentation should be sufficient
for auditors to understand how the management has
conducted the program and conclusions regarding design
and operational effectiveness of supervisory activities.
Documentation following the supervision over internal
controls for detecting criminal activities might include:
a. management and auditing committee’s
estimations regarding the supervision and assessment
of internal control successfulness in preventing financial
statement fraud,
b. omissions and weaknesses of internal control
which should be considered at the responsible
organizational level of the company,
c. internal controls which are “refreshed“ and
changed as a result of internal control activities in
fraud prevention.

CONCLUSION
Dynamic market growth has contributed to
increasing competition, forcing companies to adapt to
changing demands. While responding to complex market
needs, companies are exposed to numerous internal and
external influences, some of which may cause significant
damage. In order to avoid this, companies tend to establish
an effective internal control system. The primary task of
internal control is not finding the cause of fraud, but
rather detecting and stopping further fraud expansion. An
internal control system, if well designed and functioning,
ensures that it will be successful in all segments. However,
even then it happens that internal control is not able to
find the solution to fraud. To overcome such problems
internal control should cooperate with other controls
(external auditing and forensic accounting) and, as far as
it is capable, implement new methods and techniques
for fraud prevention. Preventive techniques used by
internal control ease the job of detecting frauds. These
techniques are a necessary part of the overall process,
because if used correctly, the chances of fraud detection
increase. Preventive methods are not new, they have
always been present inside the company, but in different
form. They should be treated with much attention,
because their adequate implementation increases the
quality of business performance and control. Internal
control should gradually implement new methods for
fraud prevention. Nevertheless, internal control should
at least consult other controls while handling fraud in
order to increase the quality of a company’s defense
mechanisms. The considered internal control techniques
for fraud prevention may be practically implemented
only when a company has a developed system of internal
control which regularly performs the process of control.
Many companies do have internal control but its role
in fraud prevention is marginalized, especially when
managers are personally involved in fraud