Fraud Risk Checklist: A Guide for Assessing the Risk of Internal Fraud

Gary A. Rubin
Director of Finance
Accretive Health, Inc.

Financial Executives Research Foundation, Inc.
the source for financial solutions
200 Campus Drive
P.O. Box 674
Florham Park, New Jersey 07932-0674
www.ferf.org
an affiliate of Financial Executives International

TABLE OF CONTENTS
Purpose
Introduction
Sources and Acknowledgements
Identifying potential risk factors for misstatements arising from fraudulent financial reporting (Items No. 1 to 48)
Identifying potential risk factors for misappropriation of assets (Items No. 1 to 15)
About the Author and Financial Executives Research Foundation, Inc.

Purpose

The purpose of this checklist is to provide both the board of directors and management with a series of questions to ask that can help in assessing the risk of fraud. It also provides a possible structure for management to use in documenting its thought process and conclusions.

INTRODUCTION

An integral part of complying with the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 is evaluating whether a company has developed sufficient internal controls associated with fraud and management override. The evaluation of the potential for fraud is specifically included within the COSO framework of internal control. The first part of any efficient evaluation of internal control is the assessment of the relative exposures or risks of a situation occurring. While this type of risk assessment is a routine skill for auditors, many members of management are not familiar with the concept. This checklist provides both the board of directors and management with a series of questions to ask that can help in assessing the risk of fraud.
It also provides a possible structure for management to use in documenting its thought process and conclusions.

The questions included in this checklist were developed by reviewing readily available literature on the subject of financial fraud. The principal source documents include those listed under “Sources and Acknowledgements.”

The broad definition of fraud is “an intentional act to gain an unfair or unlawful advantage or gain”. Fraud can include:

• Fraudulent financial reporting – Many fraudulent financial reporting schemes arise from improper revenue recognition. Other frauds typically involve an overstatement of assets or an understatement of liabilities.
• Misappropriation of assets – External and internal schemes, such as embezzlement, payroll fraud and theft.
• Revenues or assets gained by illegal or unethical acts – Over-billing customers, or deceptive sales practices.
• Expenditures for improper purposes – Commercial and public bribery, as well as other improper payment schemes.
• Fraudulently obtained revenue or inappropriately avoided expenses – Schemes where an entity commits a fraud against its employees or third parties, or where an entity improperly avoids expenses, such as income or sales taxes.
• Frauds against the company – Producing counterfeit products or knowingly violating intellectual property rights.

Fraudulent financial reporting is a primary focus of the Sarbanes-Oxley Act, and the definition of internal control over financial reporting also encompasses the preservation of assets. Therefore, this checklist focuses only on these two types of fraud. While the other categories of fraud can be equally damaging to a company’s reputation, and could invoke significant negative financial consequences, they are outside the scope of this checklist.

To be most effective, the fraud risk assessment should be conducted by individuals with significant business experience and a broad understanding of the entity and its operations.
Assessments are often most effective when completed by a multi-functional team. Furthermore, it is often beneficial if the evaluation is completed at different levels within an organization. For example, the board of directors may want the chief internal auditor to evaluate the risks at an overall company level. On the other hand, the corporate controller may be interested in completing an evaluation on a particular subsidiary or operating group. In such situations, the term “company” should be construed to refer to the subsidiary, division or operating entity being evaluated.

SOURCES AND ACKNOWLEDGEMENTS

The principal source for the information included in the foregoing discussion was publicly available information on the internet, particularly on the web sites of the following organizations:

• Deloitte Touche Tohmatsu
• PricewaterhouseCoopers
• KPMG, LLP and its affiliate, The 404 Institute
• Ernst & Young
• Crowe Chizek and Company, LLC
• The American Institute of Certified Public Accountants
• The Committee of Sponsoring Organizations of the Treadway Commission
• Parsons Consulting
• Protiviti
• Marsh & McLennan Companies
• Resources Global Professionals

Specific documents that listed individual risk factors include:

• Management Override of Internal Controls – the Achilles’ Heel of Fraud Prevention; The American Institute of Certified Public Accountants
• Management Anti-Fraud Programs and Controls, an excerpt of Statement of Auditing Standards No. 99; The American Institute of Certified Public Accountants
• Fraud Risk Assessments—A Common Sense Approach; Marsh and McLennan Companies
• The Good Practice Guidelines for Assessing the Risk of Fraudulent Financial Reporting; The National Commission on Fraudulent Financial Reporting
• Key Elements of Anti-fraud Programs and Controls; PricewaterhouseCoopers
• Excerpts from The CPA’s Handbook of Fraud and Commercial Crime Prevention; The American Institute of Certified Public Accountants
• Anti-fraud Programs and Controls; Deloitte & Touche
• Identifying Fraudulent Financial Transactions; W. Steven Albrecht, Ph.D., CPA, CIA, CFE, Brigham Young University
• Auditing for Internal Fraud; Michael Connelley, CFE, CPA
• Managing the Risk of Fraud, a Guide for Managers; HM Treasury
• Fraud Risk Management, Developing a Strategy for Prevention, Detection, and Response; KPMG, LLP

The questions and risk factors included in the foregoing discussion do not include every matter mentioned in each of the above documents. Many documents contained similar risks, differing only slightly in wording or emphasis.

IDENTIFYING POTENTIAL RISK FACTORS FOR MISSTATEMENTS ARISING FROM FRAUDULENT FINANCIAL REPORTING (ITEMS NO. 1 TO 48)

The worksheet provides the following columns for each item: Item No.; Identifying potential risk factors for misstatements arising from fraudulent financial reporting; Comments and observations – e.g., the likelihood and severity of the risk; Work paper reference to identified risk; Control(s) identified to mitigate the identified risk; Conclusions as to the relative residual exposure after application of the identified control(s).

1. Are there circumstances that might foster the temptation to engage in fraudulent financial reporting? Possible factors include:
• A significant portion of management’s compensation results from bonuses, stock options, or other incentives, the value of which is contingent upon the entity achieving unduly aggressive targets for operating results, financial position, or cash flow.
• The company will be unable to consummate a significant pending transaction, such as a business combination or contract award, if poor financial results are reported.
• A management practice of committing to analysts, creditors, and other third parties to achieve what appear to be unduly aggressive or clearly unrealistic forecasts.
• The company’s profitability is below industry standards or analyst expectations, and there is significant pressure to report improved results.
• The company is experiencing a poor or deteriorating financial position, and management has personally guaranteed significant debt.
• There are threats of imminent bankruptcy, foreclosure, or a hostile takeover.
• There is uncertainty as to the status of the company’s significant business contracts, licenses, patents or other intellectual property.
• The company is especially vulnerable to changes in interest rates, energy costs, or other commodities that fluctuate in price.
• The company will need to report adverse financial results as a result of a significant recent transaction, such as a merger or acquisition.

2. Is there an unusual amount of interest in maintaining or increasing the entity’s stock price or earnings trend? On the other hand, is there an unusual amount of interest in minimizing reported earnings for tax-motivated reasons? If either situation is a possibility, consider whether the company is using unusually aggressive accounting practices.

3. What is senior management’s attitude regarding internal control and the financial reporting process? Examples of potentially inappropriate behaviors include:
• An ineffective means of communicating and supporting the entity’s values or ethics, or communication of inappropriate values or ethics.
• Management failing to correct known internal control deficiencies on a timely basis.
• Management setting unduly aggressive financial targets and expectations for operating personnel.

4. Are there enough accounting, financial, or information-technology staff to meet the company’s requirements?
Is the existing staff effective, and do they have appropriate training and skills?

5. What is the nature of the corporate governance system? Common components of good corporate governance systems are:
• An independent audit committee
• Employee hotlines
• Code of corporate conduct
• Policies that prohibit retaliatory actions against employees who provide information on suspected violations of company directives

6. Do management attitudes support effective financial reporting? Examples of a lack of support include:
• Non-financial management’s excessive participation in, or preoccupation with, the selection of accounting principles or the determination of significant estimates.
• Financial reports do not provide full transparency to readers, e.g., they are unduly complex or hard to understand.

7. Has any new computer hardware or software been installed recently? More sophisticated systems may not be fully understood by all parties, allowing some individuals to conceal inappropriate activities.

8. How does the company’s financial and operational performance compare with industry norms? Is the company undergoing unusually rapid growth in income or profitability?

9. What is the typical tenure of senior management, outside legal counsel, or board members? High turnover can indicate problems.

10. Are there positive relationships between the company and its outside advisors, such as bankers or legal counsel?

11. Are there any significant relationships with vendors or customers that seem unusual or questionable?
Does the company have an ongoing program to review vendor and customer “quality”?

12. Have there been any new accounting, statutory, or regulatory requirements issued that could impair the financial stability or profitability of the company?

13. Is there a positive relationship with the Internal Revenue Service or similar taxing authorities, as well as with other regulatory bodies? The existence of significant disputes or strained relationships with these parties could be an indicator that the company is not conducting its affairs in a positive fashion.

14. What is the nature of the relationship with the current or predecessor auditor? Examples of matters that indicate a higher risk include:
• Frequent disputes with the current or predecessor auditor on accounting, auditing, or reporting matters.
• Unreasonable demands on the auditor, including unreasonable time constraints regarding the completion of the audit or the issuance of the auditor’s reports.
• Formal or informal restrictions on the auditor that inappropriately limit his or her access to people or information or his or her ability to communicate effectively with the board of directors or audit committee.
• Domineering management behavior in dealing with the auditor, especially involving attempts to influence the scope of the auditor’s work.

15. Does the company have any significant operations in highly competitive industries or those with a great deal of market saturation? Have there been declines in its margins and/or other profitability measures?
16. Are there significant operations in industries with increasing business failures or declines in customer demand?

17. What is the level of integrity, both in the corporate culture as a whole, and as manifested by specific individuals? A low level of integrity may be indicated by:
• Known history of securities-law violations, or claims against the entity, members of its board of directors, or its senior management alleging fraud or violations of securities laws.
• Known history of violations of other laws and regulations by members of senior management.
• Management exhibits a disregard or excessive casualness toward complying with laws and regulations.
• Management or board members who are associated currently, or in the past, with companies or individuals of questionable character.

18. Have there been any changes in the methodology of developing or calculating significant accounting estimates, especially when the new methodology results in significantly different results from the previous methodology?

19. Are there significant operations in industries undergoing rapid changes? Such circumstances can result in a high vulnerability to rapidly changing technology or rapid product obsolescence, both of which can result in earnings pressure. Furthermore, this environment can cause sudden declines in asset values that need to be recognized in the financial statements.

20. Does a significant part of current-year earnings arise from one or two transactions, or from changes in accounting estimates?
21. Are operating cash flow and earnings from operations in line with each other? A company that reports earnings and/or earnings growth but is not generating a positive cash flow from operations is a common indicator that financial disclosures may be inappropriate.

22. How does the company discipline employees, if any, who violate company policies or otherwise engage in unacceptable practices? Have these methods been effective in the past?

23. Does the company develop and follow regular plans and budgets? Consistently operating in a crisis mode is often a sign of problems.

24. Have there been any significant changes in operations, such as the introduction of new production processes? Difficulties in implementing new operations may motivate individuals to hide poor results by manipulating other parts of the financials.

25. Are strong accounting systems in place? Weak accounting systems can arise for several reasons, including rapid growth in business volume or complexity that has not been matched by increasing sophistication or capabilities in the accounting systems.

26. Is the turnover in the company’s accounting staff consistent with prior years and with other companies in the industry and the local economy? If new staff members consistently resign shortly after starting, this could indicate that the company is not conducting its affairs in an ethical manner.
27. Has the company introduced new production processes or new marketing programs? If these processes or programs involve unusually large bonuses or other rewards to employees, they may be tempted to manipulate production or sales records to increase their earnings.

28. What is the methodology for reviewing the financial results of subsidiary or operating components, especially if they are located in different markets or are in different industries?

29. Is there any account balance that seems disproportionately high or low, given the age and size of the company and the industry within which it operates?

30. How does the company’s senior-level management monitor the application of significant controls?

31. Does operations management promptly provide reasonable answers to routine questions? Evasive or inadequate answers, or claims that documents that support transactions or balances are lost or missing, may be signs of trouble.

32. Are the company’s banks and other financial service providers stable? Caution could be required with significant new relationships and transactions, or when there are transactions with new entities outside of the normal course of business.

33. Does the company have a good internal audit function in place?

34. Are the accounting estimates reasonable? Patterns of accounting estimates that cluster at one particular end of the range of reasonableness (i.e., always in a way that produces the highest acceptable net income) may be red flags.
35. Does the company have significant assets, liabilities, revenues, or expenses that are based on subjective estimates, judgments or uncertainties, or that are subject to potentially significant changes in the near term? Examples of such items include the collectibility of receivables, or the realizability of a financial instrument that is based on the subjective valuation of nonmarketable collateral.

36. Does the company have important related-party transactions that are not in the ordinary course of business, or with related entities that are not audited or are audited by a different firm from the company’s?

37. Do any unusual or highly complex transactions, especially those close to year-end, pose difficult “substance over form” questions?

38. Are there any key bank accounts or subsidiary or branch operations in tax-haven jurisdictions, where there does not appear to be a clear business justification for such accounts or operations?

39. Is the organizational structure appropriate to the circumstances? The existence of an overly complex structure involving numerous or unusual legal entities, unusual managerial lines of authority, or contractual arrangements without apparent business purpose could make it easier to commit or conceal fraudulent financial reporting.

40. Is there an unusually high degree of leverage? Is the company likely to have difficulty meeting its debt repayment requirements, or are there debt covenants that are difficult to maintain?
41. Does the company have a stable and transparent ownership structure, or is it difficult to determine the organization or individual(s) that control(s) the entity? The potential for fraudulent financial reporting generally increases when there is a contest for ownership control of the company, or management or owners perceive that a contest for ownership control of the company could occur in the near future.

42. Are reasonable compensation programs in place? Unrealistically aggressive sales or profitability incentive programs may be a risk factor. This question should be given additional consideration when new marketing or sales arrangements are introduced.

43. How much due diligence is completed before senior management makes significant decisions? Are such decisions made quickly, without adequate review?

44. Are there good subsidiary records and controls over inventory and similar assets? The existence of significant “book” to “physical” adjustments, especially if such items occur frequently, could be a cause for concern.

45. What is the delegation of authority and decision-making? Excessive centralization of authority and decision-making by one or a few individuals, at either the management level or at the board of directors level, may require compensating controls, such as effective oversight by the independent members of the board of directors or audit committee.

46. Are standard human resources practices employed, such as reviewing employee backgrounds before hiring?
47. Is there a systematic financial statement closing process, and is there an adequate review of this process by higher-level entities or management?

48. Is the organizational structure consistent and appropriate? Frequent realignment of operating divisions (e.g., alignment by product instead of geography) might help conceal fraudulent manipulation of financial results.

IDENTIFYING POTENTIAL RISK FACTORS FOR MISAPPROPRIATION OF ASSETS (ITEMS NO. 1 TO 15)

The worksheet provides the following columns for each item: Item No.; Identifying potential risk factors for misappropriation of assets; Comments and observations – e.g., the likelihood and severity of the risk; Work paper reference to identified risk; Control(s) identified to mitigate the identified risk; Conclusions as to the relative residual exposure after application of the identified control(s).

1. Are there assets that would be easy to convert to personal use? Examples include:
• Large amounts of cash on hand or processed.
• Inventory or fixed-asset items that are physically small, individually possess a high value, and bear little or no permanent ownership identification.
• Easily convertible assets, such as bearer bonds, diamonds, or computer chips.

2. Does the company operate in an industry where there is a high potential for customers to attempt to defraud or steal from the company?

3. How much oversight of operations is in place, especially at remote locations?

4. What are the applicant screening procedures for employees who will have access to assets that are susceptible to misappropriation?

5. Is there adequate record-keeping, as well as good physical safeguards, over assets susceptible to misappropriation, such as cash, investments, inventory, or fixed assets?

6. Is there effective oversight of the procedures applied to monitor easily convertible assets and of the skills and integrity of the employees in these areas?
7. Does the company segregate duties or independently check assets that are subject to misappropriation?

8. What kinds of systems are in place to authorize and approve transactions (for example, in purchasing)?

9. Is there a policy that requires timely and appropriate documentation for transactions (for example, credit for merchandise returns)?

10. Do changes in work practices or systems require prior approval before being implemented?

11. How extensive are the audit trails or documentation required for transactions?

12. Does the company maintain a positive work environment? Difficult working environments, in which employees do not believe that they are adequately appreciated for their performance, can foster inappropriate behaviors.

13. Does the company require mandatory vacations for employees performing key control functions?

14. Does the company follow standard human resources practices, such as reviewing employee backgrounds before hiring?

15. Are there policies that require management or other associates to complete the work performed by all individuals when they are absent? Instances where a particular customer, contractor, or vendor will only work with or talk to a specific employee are an indication that matters could be amiss.

About the author

Gary Rubin, CPA, is a member of the Kansas City Chapter of FEI. Gary is currently the Director of Finance – Reporting and Internal Controls for Accretive Health, Inc.
Gary’s career includes 10 years as a senior manager with Deloitte & Touche. During this time, he served as a research associate for the National Commission on Fraudulent Financial Reporting, commonly known as the Treadway Commission. His research projects for the Treadway Commission included developing the Good Practice Guidelines for Fraud Risk Assessment, which is included in the Commission’s Final Report. Gary subsequently served as the Chief Financial Officer for several public and privately owned companies and provided professional services on accounting, financial reporting, internal controls and corporate governance for a variety of organizations as an Associate with Resources Global Professionals. Gary authored this report when he was associated with Resources Global Professionals. Gary can be reached at 913-980-9906.

About Financial Executives Research Foundation, Inc.

Financial Executives Research Foundation, Inc. (FERF) is the non-profit 501(c)(3) research affiliate of Financial Executives International (FEI). FERF researchers identify key financial issues and develop impartial, timely research reports for FEI members and nonmembers alike, in a variety of publication formats. The foundation relies primarily on voluntary tax-deductible contributions from corporations and individuals.

The views set forth in this publication are those of the authors and do not necessarily represent those of the Financial Executives Research Foundation Board as a whole, individual trustees, employees, or the members of the Advisory Committee. Financial Executives Research Foundation shall be held harmless against any claims, demands, suits, damages, injuries, costs, or expenses of any kind or nature whatsoever, except such liabilities as may result solely from misconduct or improper performance by the foundation or any of its representatives.
This and more than 80 other Research Foundation publications can be ordered by logging onto http://www.ferf.org

Financial Executives Research Foundation, Inc.
200 Campus Drive
Florham Park, New Jersey 07932

Copyright © 2007 by Financial Executives Research Foundation, Inc. All rights reserved. No part of this publication may be reproduced in any form or by any means without written permission from the publisher.

International Standard Book Number 1-933130-65-2

Printed in the United States of America
First Printing

Authorization to photocopy items for internal or personal use, or the internal or personal use of specific clients, is granted by Financial Executives Research Foundation, Inc., provided that an appropriate fee is paid to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923. Fee inquiries can be directed to Copyright Clearance Center at 978-750-8400. For further information, please check Copyright Clearance Center online at: http://www.copyright.com