By Donald J. Kaiser, CPA, McCarthy & Company, PC
Internal controls are among the most important anti-fraud controls that businesses have. According to the Report to the Nations on Occupational Fraud and Abuse (2018) from the Association of Certified Fraud Examiners (ACFE), in 30 percent of the cases studied, a simple lack of internal controls was the main factor that enabled the fraud to occur. Another 19 percent of the cases happened because the perpetrator was able to override the controls. More internal control weaknesses cited in the research included lack of management overview (18 percent), poor tone at the top (10 percent), lack of competent personnel in oversight roles (8 percent), lack of independent checks/audits (4 percent), lack of employee fraud education (2 percent), lack of clear lines of authority (2 percent) and lack of a reporting mechanism (less than 1 percent).
It is not surprising that more fraud cases were reportedly done in accounting than any other department in the Report to the Nations. An external audit of company financial statements was one of the most common anti-fraud controls reported being used by 80 percent of the entities. Companies with this mechanism in place typically reduced the median loss due to fraud from $170,000 to $150,000 (29 percent).
Other controls may be more effective in reducing a median loss like having a code of conduct (56 percent); proactive data monitoring (52 percent); surprise audits (51 percent); external audit of internal controls, management review and hotline (50 percent); anti-fraud policy (47 percent); internal audit department (46 percent); management certification of the financial statements (43 percent); fraud training for employees (43 percent); and formal fraud risk assessments (41 percent).
The Auditor’s Role
The American Institute of CPAs defines internal controls as a process “effected by those charged with governance, management and other personnel — designed to provide reasonable assurance about the achievement of the entity’s objectives with regard to the reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. Internal control over safeguarding of assets against unauthorized acquisition, use or disposition may include controls related to financial reporting and operations objectives.”
The auditor’s job when conducting an audit is to identify and assess the risks of material misstatement due to fraud or error. To do this, the auditor must understand the entity, its environment and its internal controls. The auditor should have information on internal factors such as the company’s ownership, management team, operations, investment opportunities, growth strategy, financing, and accounting methods and policies. The auditor also needs to understand how external factors like industry trends, economic data and regulatory requirements impact the entity.
The auditor must know the classes of transactions, account balances and disclosures to be made to the financial statements. The auditor should evaluate whether the entity’s accounting policies are appropriate for its business and consistent with industry standards. A review of the entity’s financial performance needs to be done. The auditor must also know who, if anyone, is in the position to override internal controls meant to safeguard the company.
This information will help the auditor design the audit plan, decide what needs to be tested and determine how to assess the risk of material misstatement or fraud.
Risk Assessment Best Practices
The auditor should know if the entity has processes in place to accomplish the following:
- Identify business risks relevant to financial reporting objectives
- Estimate the significance of the risks
- Assess the likelihood of their occurrence
- Decide about actions to address those risks
If the auditor identifies a risk of material misstatement, it must be discussed with management to determine the cause. If the entity does not have a risk assessment policy, management should be advised to develop one. The auditor must evaluate whether the absence of a documented risk assessment process is appropriate and if it represents a deficiency or material weakness.
The auditor is not responsible for finding fraud. Management and those involved with governance over the entity are responsible for fraud detection and prevention. This includes establishing an honesty-based culture, developing and enforcing an anti-fraud policy, training employees to recognize fraud, and reminding employees to watch for and report suspected cases of fraud.
Donald J. Kaiser, CPA, is a principal with McCarthy & Company, PC. He is a member of the NJCPA and can be reached at [email protected]
Reprinted with permission of the New Jersey Society of CPAs, njcpa.org.