Audit Committees, Internal Audit, and Fraud Risk

Audit committees (AC) are charged with overseeing financial reporting and audit processes in U.S. public companies.  Scandals in the pre-Sarbanes-Oxley Act of 2002 (SOX) era (e.g., Enron, Global Crossing, Tyco International, and WorldCom) demonstrated that corporate governance could be compromised, resulting in fraudulent financial reporting (FFR).

Among the provisions of SOX, Section 407 required companies to disclose that all members of the AC are independent and that at least one member of the AC meets the Securities and Exchange Commission’s (SEC) definition of a “financial expert”, and if not, why not (SOX). Differences in the SOX and SEC definitions of “financial expertise” led to an ongoing controversy as to the appropriate mix of director expertise on the AC.

However, the clear intent of both SOX and the SEC was to improve AC oversight and ensure a financial perspective was included.

The relationships between the AC and the other corporate actors in the corporate governance mosaic who directly influence the quality of corporate governance (e.g., management, internal audit, external audit, board of directors) are complex, and AC members’ abilities to carry out their duties depend on AC members’ access to information, as well as AC members’ backgrounds, capabilities and motivations, and the capabilities and motivations of management and the other corporate governance actors.

Since regulators and other stakeholders continue to raise the already high expectations of ACs and of ACs' ability to meet their responsibilities, I am providing an overview to help independent directors and the Board understand and effectively govern fraud risk management practices.

Internal Audit

Internal Audit (IA) forms the organization’s 3rd Line of Defense (See below). An independent IA function will, through a risk-based approach to its work, provide assurance to the organization’s board of directors and senior management. This assurance will cover how effectively the organization identifies, assesses and manages its risks and will include assurance on the effectiveness of the first and second lines of defense. It encompasses all elements of an institution’s risk management framework (from risk identification, risk assessment and response, to communication of risk related information) and all categories of organizational objectives: strategic, ethical, operational, reporting and compliance.

The third line of defense is typically prohibited from performing management functions in order to protect its objectivity and organizational independence. In addition, the third line has a primary reporting line to the board. As such, the third line is an assurance function, not a management function, which separates it from the second line of defense.

Practice Pointer: I know that some say the three lines of defense is an antiquated model, proposed structure, or standard. One way to invalidate that argument is to expand the Board and Senior Management roles and responsibilities from what might be purely oversight to active participation as additional "lines of defense".

[Figure: Three Lines of Defense model]

Practice Pointer:  Although external parties (External Audit, Regulator) are not formally considered to be among an organization’s three lines of defense, groups such as external auditors and regulators often play an important role regarding the organization’s overall governance and control structure. Regulators establish requirements often intended to strengthen governance and control, and they actively review and report on the organizations they regulate. Similarly, external auditors may provide important observations and assessments of the organization’s controls over financial reporting and related risks.

IA is uniquely positioned within the organization to provide global assurance to the audit committee and senior management through targeted validation on the effectiveness of internal governance and risk processes. It is also well-placed to fulfil an advisory role on the coordination of assurance, effective ways of improving existing processes, and assisting management in implementing recommended improvements. In such a framework, IA is a cornerstone and foundation of an organization’s corporate governance.

The use of the three lines of defense to understand the system of internal control and risk management should not be regarded as an automatic guarantee of success. All three lines need to work effectively with each other and with the AC in order to create the right conditions. There must be open communication channels between all lines as well as a clear understanding of assigned roles and responsibilities.

In some organizations the role of IA is combined with elements from the first two lines of defense. For example, some IA functions are asked to play a part in facilitating risk management or managing the internal whistleblower program. Where that happens, boards need to be aware of potential conflicts of interest and ensure they take measures to safeguard the objectivity of IA.

Key Issues for Directors Monitoring IA Effectiveness

Key issues that should be considered by directors in order to ensure that IA maximizes its contribution to good governance:

IA should have a functional reporting line to the board or one of its committees, making it independent of the executive, able to make objective judgements, and giving it the authority to conduct its work across the whole organization without constraint. This open access to personnel and data provides a critical transparency to grow and support the IA’s objectives. To work effectively it also needs close relationships with senior leadership and should have access to management information going to the executive committee and board.

IA must be staffed accordingly, including ensuring a consistently high level of professionalism and quality based on the International Standards, plus appropriate knowledge, skills and experience (emphasis added).

IA should have the right tools to conduct its audits (technology and training).

IA should use a risk-based approach in developing and executing its plan in order to focus on the greatest threats to the organization.

IA's scope should be unrestricted, including all areas of risk, such as key corporate events, culture and ethics, reputation, new products and the outcomes of processes. These recommendations for directors are consistent with the globally recognized International Standards.

Fraud Risk Management

The IIA defines fraud as "any illegal act characterized by deceit, concealment, or violation of trust." To battle the fast-changing fraud landscape, the organization needs to have a robust fraud risk management strategy and framework. Fraud deterrence and detection are part of the fraud risk management framework, along with fraud investigations and fraud remediation.

[Figure: Sample Fraud Risk Management Framework]

The AC needs to understand that, according to the IIA, IA is responsible for assessing the organization's risk management processes and their effectiveness, including the evaluation of fraud risks and how they are managed by the organization (IIA Standard 2120.A2). Additionally, the Chief Audit Executive (CAE) must report significant risk and control issues, including fraud, to senior management and the board.

Practice Pointer: The AC should ensure they are getting timely, unvarnished information from the CAE. Depending on relationships and the culture of the organization, I have seen instances where the CAE only provides the minimum, or what is "asked for", in order to avoid any probe or conflict.

However, assessing the potential for the occurrence of fraud when planning each IA engagement is just as important, because new fraud risks can arise at any time. Therefore, internal auditors must consider the probability of fraud when they develop the objectives of each engagement (IIA Standard 2210.A2). To ensure adequate review of the risks relevant to each engagement, internal auditors should conduct a fraud risk assessment as part of engagement planning (IIA Standard 2210.A1). Over time, the knowledge the IA activity obtains during individual engagements can be compiled into a more robust and comprehensive enterprise-wide fraud risk assessment.

Critical Point: IA must recognize that the risk assessment process and its supporting documentation never end; they run continuously from audit universe evaluation, through individual engagements, to the implementation of new controls. The risk assessment document must be allowed to develop in detail as the process grows and adapts to the demands of the business and company needs.

Practice Pointer: Although prior risk assessments and investigations may provide valuable insight, the significance of fraud risks can be affected by many factors and may change quickly, as previously mentioned. Conducting a preliminary assessment of risks for each individual engagement is essential to effective engagement planning.

Internal auditors are not required to have the expertise of a specialized fraud investigator. However, they must have sufficient knowledge to evaluate the risk of fraud and the manner in which it is managed by the organization (IIA Standard 1210.A2). The AC should review the fraud risk assessment and challenge the CAE frequently, at a minimum annually. Moreover, if the AC doesn't feel comfortable with the assessment of fraud risk, or with IA investigating an allegation of fraud, they should strongly consider engaging outside specialists or experts.

The IIA's recently released Practice Guide describes the characteristics of fraud and the process of identifying and assessing fraud risks when planning individual audit engagements. It outlines the process of incorporating a fraud risk assessment into every engagement planning exercise, including how to:

  • Gather information.
  • Brainstorm fraud scenarios. Sometimes individual interviews provide better information, as some people are afraid to speak up in a group setting.
  • Identify fraud risks and rate their significance. A clearly defined rating scale that is understood by all IA members and consistently applied is critical to the success of the assessment.
  • Determine which fraud risks should be evaluated further during the engagement.

While the IIA Practice Guide is recommended guidance (non-mandatory), I strongly suggest the AC and IA read and become familiar with its contents.

I might be expanding on this topic in the coming weeks, but in the interim I look forward to your comments, thoughts, and suggestions!

Jonathan

Jonathan T. Marks, CPA, CFF, CFE


Attribution and References:

  • Jonathan T. Marks, CPA, CFF, CFE
  • Robert Mainardi
  • Cohen, Krishnamoorthy, & Wright, 2004
  • Bédard & Gendron, 2010, p. 175
  • Sarbanes-Oxley Act of 2002
  • Blue Ribbon Committee, 1999
  • New York Stock Exchange, 2004
  • Institute of Internal Auditors (IIA). The following selections from The IIA's International Standards for the Professional Practice of Internal Auditing are relevant to Engagement Planning: Assessing Fraud Risks. Please refer to the Standards for the complete pronouncement. To assist with the implementation of the Standards, The IIA recommends that internal auditors refer to each standard's respective Implementation Guide.
    • Proficiency: 1210.A1, 1210.A2, 1220
    • Reporting to Senior Management and the Board: 2060
    • Due Professional Care: 1220.A1, 2120
    • Risk Management: 2120.A2, 2200
    • Engagement Planning: 2210
    • Engagement Objectives: 2210.A1, 2210.A2
  • Related IIA Guidance:
    • Practice Guide, "Auditing the Control Environment."
    • Practice Guide, "Engagement Planning: Establishing Objectives and Scope."
    • Practice Guide, "Internal Auditing and Fraud."
    • IIA Position Paper, "The Three Lines of Defense in Effective Risk Management and Control."
    • IIA, "Leveraging COSO Across the Three Lines of Defense."