A finance professor of mine in graduate school at the University of Richmond was fond of saying, in relation to financial statement fraud, that as staff competence goes down, the risk of fraud goes up. What she meant by that was that the best operated, most flawless control ever put in place can be tested and tested and tested again and score perfectly every time. But its still no match for the employee who doesn’t know, or perhaps doesn’t even care, how to operate that control; or for the manager who doesn’t read the output correctly, or for the executive who hides part of a report and changes the numbers in the rest. That’s why CFEs and the members of any fraud risk assessment team (especially our client managers who actually own the process and its results), should always take a careful look at the human component of risk; the real-world actions, and lack thereof, taken by real-life employees in addressing the day-to-day duties of their jobs.
ACFE training emphasizes that client management must evaluate whether it has implemented anti-fraud controls that adequately address the risk that a material misstatement in the financial statements will not be prevented or detected timely and then focus on fixing or developing controls to fill any gaps. The guidance offers several specific suggestions for conducting top-down, risk-based anti-fraud focused evaluations, and many of them require the active participation of staff drawn from all over the assessed enterprise. The ACFE documentation also recommends that management consider whether a control is manual or automated, its complexity, the risk of management override, and the judgment required to operate it. Moreover, it suggests that management consider the competence of the personnel who perform the control or monitor its performance.
That’s because the real risk of financial statement misstatements lies not in a company’s processes or the controls around them, but in the people behind the processes and controls who make the organization’s control environment such a dynamic, challenging piece of the corporate puzzle. Reports and papers that analyze fraud and misstatement risk use words like “mistakes” and “improprieties.” Automated controls don’t do anything “improper.” Properly programmed record-keeping and data management processes don’t make “mistakes.” People make mistakes, and people commit improprieties. Of course, human error has always been and will always be part of the fraud examiner’s universe, and an SEC-encouraged, top-down, risk-based assessment of a company’s control environment, with a view toward targeting the control processes that pose the greatest misstatement risk, falls nicely within most CFE’s existing operational ambit. The elevated role for CFEs, whether on staff or in independent private practice, in optionally conducting fraud risk evaluations offers our profession yet another chance to show its value.
Focusing on the human element of misstatement fraud risk is one important way our client companies can make significant progress in identifying their true financial statement and other fraud exposures. It also represents an opportunity for management to identify the weak links that could ultimately result in a misstatement, as well as for CFEs to make management’s evaluation process a much simpler task. I can remember reading many articles in the trade press these last years in which commentators have opined that dramatic corporate meltdowns like Wells Fargo are still happening today, under today’s increased regulatory strictures, because the controls involved in those frauds weren’t the problem, the people were. That is certainly true. Hence, smart risk assessors are integrating the performance information they come across in their risk assessments on soft controls into management’s more quantitative, control-related evaluation data to paint a far more vivid picture of what the risks look like. Often the risks will wear actual human faces. The biggest single factor in calculating restatement risk as a result of a fraud relates to the complexity of the control(s) in question and the amount of human judgment involved. The more complex a control, the more likely it is to require complicated input data and to involve highly technical calculations that make it difficult to determine from system output alone whether something is wrong with the process itself. Having more human judgment in the mix gives rise to greater apparent risk.
A computer will do exactly what you tell it to over and over; a human may not, but that’s what makes humans special, special and risky. In the case of controls, especially fraud prevention related controls, our human uniqueness can manifest as simple afternoon sleepiness or family financial troubles that prove too distracting to put aside during the workday. So many things can result in a mistaken judgment, and simple mistakes in judgment can be extremely material to the final financial statements.
CFEs, of course, aren’t in the business of grading client employees or of even commenting to them about their performance but whether the fraud risk assessment in question is related to financial report integrity or to any other issue, CFEs in making such assessments at management’s request need to consider the experience, training, quality, and capabilities of the people performing the most critical controls.
You can have a well-designed control, but if the person in charge doesn’t know, or care, what to do, that control won’t operate. And whether such a lack of ability, or of concern, is at play is a judgment call that assessing CFEs shouldn’t be afraid to make. A negative characterization of an employee’s capability doesn’t mean that employee is a bad worker, of course. It may simply mean he or she is new to the job, or it may reveal training problems in that employee’s department. CFEs proactively involved in fraud risk assessment need to keep in mind that, in some instances, competence may be so low that it results in greater risk. Both the complexity of a control and the judgment required to operate it are important. The ability to interweave notions of good and bad judgment into the fabric of a company’s overall fraud risk comes from CFEs experience doing exactly that on fraud examinations. A critical employee’s intangibles like conscientiousness, commitment, ethics and morals, and honesty, all come into play and either contribute to a stronger fraud control environment or cause it to deteriorate. CFEs need to be able, while acting as professional risk assessors, to challenge to management the quality, integrity, and motivation of employees at all levels of the organization.
Many companies conduct fraud-specific tests as a component of the fraud prevention program, and many of the most common forms of fraud can be detected by basic controls already in place. Indeed, fraud is a common concern throughout all routine audits, as opposed to the conduct of separate fraud-only audits. It can be argued that every internal control is a fraud deterrent control. But fraud still exists.
What CFEs have to offer to the risk assessment of financial statement and other frauds is their overall proficiency in fraud detection and the reality that they are well-versed in, and cognizant of, the risk of fraud in every given business process of the company; they are, therefore, well positioned to apply their best professional judgment to the assessment of the degree of risk of financial statement misstatement that fraud represents in any given client enterprise.