FRAUD, ETHICS AND INTERNAL CONTROL
Introduction
According to Turner & Weickgenannt (2009), “fraud can be defined as the theft, concealment, and conversion to personal gain of another’s money, physical asset, or information” (p. 80).
Accounting related fraud can be classified into four categories:
Ø Management fraud
Ø Employee fraud
Ø Customer fraud
Ø Vendor fraud
Fraudulent activities can also carried out using computers by people within an organisation or by external parties through hacking, DoS attacks, and spoofing or by other network break-ins.
Fraudulent activities occur within an organisation as a result of unethical behaviours. If the management of an organisation is unethical then fraud is likely to occur in that organisation.
Organisations have internal controls to fight fraud but it is not the only objective of internal controls. Internal controls have the following objectives:
Ø Safeguard assets from fraud or errors
Ø To maintain the accuracy and integrity of accounting data
Ø To ensure that the operational efficiency is promoted
Ø To ensure compliance with management directives
The Committee of Sponsoring Orgnizations (COSO) report states five interrelated components of internal control: the control environment, risk assessment, control activities, information and communication, and monitoring.
This entry focuses on the risk assessment component of internal control.
Risk Assessment
For an organisation to effectively and efficiently protect itself and its shareholders from fraud it should understand the fraud risks and the specific risks that apply to that organisation directly or indirectly. To identify these risks it is important that the organisations perform detailed risk assessment and it has to be performed by division and/or function. It has to also suit the organisation’s size, complexity, industry, and goals and it should be updated periodically. Functions and services such as Finance and Accounting, Human Resources Management (payroll), Purchasing and Contracting, and Information Technology have to be included in the risk assessment.
There are regulations in place throughout the world to ensure that the organisations take responsibility for fraud management. Some examples are the 1997 Organisation for Economic Co-operation and Development Anti-Bribery Convention, the U.S. Sarbanes-Oxley Act of 2002 and the U.S. Federal Sentencing guidelines of 2005.
For a risk assessment to be effective it has to identify where the fraud may occur and who would be the possible perpetrators. Therefore both the fraud scheme and the possible perpetrators within an organisation and also from outside the organisation should be considered when setting up control activities.
When it is possible that the fraud scheme could be carried out by two or more individuals working together (collusive scheme) it is really important that detective controls should also be set up with preventive controls. This is due to the fact that in a collusive scheme the preventive control itself such as segregation of duties would be found ineffective.
An effective fraud detection control would be the one that would not be expected by the perpetrators and it also requires a skeptical mindset. Questions that should be considered when setting up detection control are such as:
Ø How could the perpetrator take advantage of the weakness in the control system?
Ø What could the perpetrator do to override or circumvent the control system?
Ø What actions could a perpetrator take to conceal the fraud?
Keeping these questions in mind an effective risk assessment should:
Ø Identify the internal and external sources of risk
Ø Determine how such risks will impact the organisation’s finance and reputation
Ø Estimate the likelihood of such risk occurring
Ø Develop an action plan that would reduce the probability and the impact of such risks
Ø Execute the action plan and make sure the cycle is continued, beginning again with the first step.
Risk Assessment Team
Every organisation should have a risk assessment team which comprises of individual from throughout the organisation. It should be individuals with different skills, knowledge and perspectives should include both internal and external sources such as:
Ø Accounting/finance personnel
Ø Nonfinancial business unit and operations personnel
Ø Risk management personnel
Ø Legal and compliance personnel
Ø Internal audit personnel
Ø If internal expertise is not available then external consultant with required expertise
Other group of people within the organisation who will be accountable for the effectiveness of the risk assessment of the organisation such as business unit leaders, senior management, and significant process owners (e.g., accounting, procurement, operations, and sales) should also take part in the assessment.
Example of a Risk Assessment Framework
Organisations need to do risk assessment using this framework for all financial areas such as accounting, purchasing, contracting, payroll and for information technology and for every division within an organisation.
There are 8 columns in this framework:
1. Identified Fraud risks and Schemes- State the list of possible fraud risks and schemes that could affect the organisation. This list would be different for different organisations.
2. Likelihood of occurrence- Likelihood of the fraud risks identified. Choose likelihood from remote, reasonably possible, and probable.
3. Significance to the organisation- Consider the quantitative and qualitative factors such as material or immaterial financial risk or impacting the organisation’s reputation. Range from immaterial, significant and material.
4. People/ Department subject to the risk- Evaluate which people inside and outside the organisation is at risk to tailor the organisation’s fraud risk response.
5. Existing anti-fraud Internal controls- Identify which controls already exists to the relevant fraud risk identified.