Category Archives: Sarbanes Oxley

Fraud Risk Assessing the Trusted Insider

A bank employee accesses her neighbor’s accounts on-line and discloses this information to another person living in the neighborhood; soon everyone seems to be talking about the neighbor’s financial situation. An employee of a mutual fund company accesses his father-in-law’s accounts without a legitimate reason or permission from the unsuspecting relative and uses the information to pressure his wife into making a bad investment from which the father-in-law, using money from the fund account, ultimately pays to extricate his daughter. Initially, out of curiosity, an employee at a local hospital accesses admission records of a high-profile athlete whom he recognized in the emergency room but then shares that information (for a price) with a tabloid newspaper reporter who prints a story.

Each of these is an actual case, and each is a serious violation of various Federal privacy laws. None of the three scenarios was the work of an anonymous intruder lurking in cyberspace or of an identity thief who compromised a data center. Rather, this database browsing was perpetrated by a trusted insider, an employee whose daily duties required access to vast databases housing financial, medical and educational information. From the comfort and anonymity of their workstations, such employees are increasingly capable of accessing personal information for non-business reasons and, sometimes, in support of actual frauds. The good news is that CFEs can help with targeted fraud risk assessments specifically tailored to assess the probability of this threat type and then advise management on an approach to its mitigation.

The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) 2013 update of the Internal Control Integrated Framework directs organizations to conduct a fraud risk assessment as part of their overall risk assessment. The discussion of fraud in COSO 2013 centers on Principle 8: “The organization considers the potential for fraud in assessing risks to the achievement of objectives.” Under the 1992 COSO framework, most organizations viewed fraud risk primarily in terms of satisfying the U.S. Sarbanes-Oxley Act of 2002 requirements to identify fraud controls to prevent or detect fraud risk at the transaction level. In COSO 2013, fraud risk becomes a specific component of the overall risk assessment that focuses on fraud at the entity and transaction levels. COSO now requires a strong internal control foundation that addresses fraud broadly to encompass company objectives as part of its strategy, operations, compliance, and reporting. Principle 8 describes four specific areas: fraudulent financial reporting, fraudulent nonfinancial reporting, misappropriation of assets, and illegal acts. The inclusion of non-financial reporting is a meaningful change that addresses sustainability, health and safety, employment activity and similar reports.

One useful document for performing a fraud risk assessment is Managing the Business Risk of Fraud: A Practical Guide, produced by the American Institute of Certified Public Accountants, and by our organization, the Association of Certified Fraud Examiners, as well as by the Institute of Internal Auditors. This guide to establishing a fraud risk management program includes a sample fraud policy document, fraud prevention scorecard, and lists of fraud exposures and controls. Managing the Business Risk of Fraud advises organizations to view fraud risk assessment as part of their corporate governance effort. This commitment requires a tone at the top that embraces strong governance practices, including written policies that describe the expectations of the board and senior management regarding fraud risk. The Guide points out that as organizations continue to automate key processes and implement technology, thus allowing employees broad access to sensitive data, misuse of that data becomes increasingly difficult to detect and prevent. By combining aggressive data collection strategies with innovative technology, public and private sector organizations have enjoyed dramatic improvements in productivity and service delivery that have contributed to their bottom line. Unfortunately, while these practices have yielded major societal benefits, they have also created a major challenge for those charged with protecting confidential data.

CFEs proactively assessing client organizations that use substantial amounts of private customer information (PCI) for fraud risk should expect to see controls related to data access surveillance. Data surveillance is the systematic monitoring of information maintained in an automated environment, usually a database. The controls CFEs should look for are a privacy strategy that combines a comprehensive policy, an awareness program that reinforces the consequences of non-business accesses, a monitoring tool that provides ongoing analysis of database activity, an investigative function to resolve suspect accesses, and a disciplinary component to hold violators accountable.

The creation of an enterprise confidentiality policy at the front end of a data surveillance program is essential to its success. An implementing organization should establish a data access policy that clearly explains the relevant prohibitions, provides examples of prohibited activity and details the consequences of non-business accesses. This policy must apply to all employees, regardless of title, seniority or function. The AICPA/ACFE Guide recommends that all employees, beginning with the CEO, be required to sign an annual acknowledgment affirming that they have received and read the confidentiality policy and understand that violations will result in disciplinary action. No employee is granted access to any system housing confidential data until he or she has first signed the acknowledgment.

In addition to issuing a policy, it is imperative that organizations formally train employees regarding its various provisions and caution them on the consequences of accessing data for non-business purposes. During the orientation process for new hires, all employees should receive specialized training on the confidentiality policy. As an added reminder, prior to logging on to any database that contains personal information, employees should receive an electronic notice stating that their activities are being monitored and that all accesses must be related to an official business purpose. Employees are not granted access into the system until they electronically acknowledge this notice.

Given that data surveillance is a process of ongoing monitoring of database activity, individual accesses must be captured and maintained in a format conducive to analysis. Many commercially available software tools can monitor access to relational databases on a real-time basis. Transaction tracking technology, as one example, can dynamically generate Structured Query Language (SQL) based on various search criteria and provide the capability for customized analyses within each application housing confidential data. The search results are available in Microsoft Excel, PDF and table formats, and may be printed, e-mailed and archived.
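The following script is an added example, not code from the original post or from any of the commercial tools it refers to. It shows the kind of query-based analysis the paragraph describes: captured access events are loaded into a SQLite table and a single SQL statement surfaces accesses that deserve investigative review. The table layout, the sample events, the work-assignment ("ticket") model and the 07:00 to 19:00 business-hours window are all assumptions constructed for the example, and the three flag reasons are illustrative rather than an exhaustive rule set.

```python
import sqlite3

# Constructed sample data (not from the original post): access events as a
# monitoring tool might capture them, each employee's legitimate work items,
# and a watch list of high-sensitivity records (e.g. a high-profile patient).
ACCESS_EVENTS = [
    # (event_id, employee_id, record_id, accessed_at, ticket_id)
    (1, "emp01", "cust-100", "2024-03-01T09:15:00", "T-551"),
    (2, "emp01", "cust-207", "2024-03-01T09:40:00", None),     # no work item
    (3, "emp02", "cust-300", "2024-03-01T10:05:00", "T-560"),
    (4, "emp02", "cust-300", "2024-03-01T22:48:00", "T-560"),  # late evening
    (5, "emp03", "cust-999", "2024-03-02T11:00:00", "T-570"),  # watch-listed
    (6, "emp03", "cust-100", "2024-03-02T11:30:00", "T-571"),
]
ASSIGNMENTS = [
    # (ticket_id, employee_id, record_id): who may touch which record, and why
    ("T-551", "emp01", "cust-100"),
    ("T-560", "emp02", "cust-300"),
    ("T-570", "emp03", "cust-999"),
    ("T-571", "emp03", "cust-100"),
]
WATCH_LIST = [("cust-999", "high-profile account")]

# Assumed business-hours window; accesses outside it are routed for review.
BUSINESS_HOURS = (7, 19)

SUSPECT_ACCESS_SQL = """
WITH scored AS (
    SELECT e.event_id, e.employee_id, e.record_id,
           CASE
             WHEN a.ticket_id IS NULL THEN 'no business assignment'
             WHEN w.record_id IS NOT NULL THEN 'watch-listed record'
             WHEN CAST(strftime('%H', e.accessed_at) AS INTEGER)
                  NOT BETWEEN ? AND ? THEN 'outside business hours'
           END AS reason
    FROM access_event e
    -- an access is "covered" only if the same employee holds a work item
    -- for the same record under the ticket quoted on the access
    LEFT JOIN assignment a
      ON a.ticket_id = e.ticket_id
     AND a.employee_id = e.employee_id
     AND a.record_id = e.record_id
    LEFT JOIN watch_list w ON w.record_id = e.record_id
)
SELECT event_id, employee_id, record_id, reason
FROM scored
WHERE reason IS NOT NULL
ORDER BY event_id
"""


def load_events(conn, events, assignments, watch_list):
    """Create the three tables in an in-memory database and load the rows."""
    conn.executescript("""
        CREATE TABLE access_event (
            event_id INTEGER PRIMARY KEY, employee_id TEXT, record_id TEXT,
            accessed_at TEXT, ticket_id TEXT);
        CREATE TABLE assignment (
            ticket_id TEXT, employee_id TEXT, record_id TEXT);
        CREATE TABLE watch_list (record_id TEXT PRIMARY KEY, note TEXT);
    """)
    conn.executemany("INSERT INTO access_event VALUES (?,?,?,?,?)", events)
    conn.executemany("INSERT INTO assignment VALUES (?,?,?)", assignments)
    conn.executemany("INSERT INTO watch_list VALUES (?,?)", watch_list)


def find_suspect_accesses(events=ACCESS_EVENTS, assignments=ASSIGNMENTS,
                          watch_list=WATCH_LIST, hours=BUSINESS_HOURS):
    """Return (event_id, employee_id, record_id, reason) for accesses that
    an investigator should resolve; covered, in-hours accesses are omitted."""
    conn = sqlite3.connect(":memory:")
    try:
        load_events(conn, events, assignments, watch_list)
        return conn.execute(SUSPECT_ACCESS_SQL, hours).fetchall()
    finally:
        conn.close()


if __name__ == "__main__":
    for event_id, employee, record, reason in find_suspect_accesses():
        print(f"event {event_id}: {employee} -> {record}: {reason}")
```

Note that event 5 is flagged even though the employee holds a valid work item for it: the page's point is that access to especially sensitive records is confirmed by an investigator rather than assumed legitimate, so a watch-list hit outranks the assignment check in the CASE ordering.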

Our CFE client organizations that establish a data access policy and formally notify all employees of the provisions of that policy, institute an ongoing awareness program to reinforce the policy and implement technology to track individual accesses of confidential data have taken the initial steps toward safeguarding data. These are necessary components of a data surveillance program and serve as the foundation upon which the remainder of the process may be based. That said, it is critical that organizations not rely solely on these components, as doing so will result in an unwarranted sense of security. Without an ongoing monitoring process to detect questionable database activity and a comprehensive investigative function to address unauthorized accesses, the impact of the foregoing measures will be marginal.

The final piece of a data surveillance program is the disciplinary process. The ACFE tells us that employees who willfully violate the policy prohibiting non-business access to confidential information must be disciplined; the exact nature of that discipline should be determined by executive management. Without a structured disciplinary process, employees will realize that their database browsing, even if detected, will carry no consequence, and they will not be deterred from this type of misconduct. Without an effective disciplinary component, an organization’s privacy protection program will ultimately fail.

The bottom line is that our client organizations that maintain confidential data need to develop measures to protect this asset from internal as well as external misuse, without imposing barriers that restrict their employees’ ability to perform their duties. In today’s environment, those who are perceived as unable to protect the sensitive data entrusted to them will inevitably experience an erosion of consumer confidence, with the accompanying consequences. Data surveillance deployed in conjunction with a clear data access policy, an ongoing employee awareness program, an innovative monitoring process, an effective investigative function and a standardized disciplinary procedure: these are the component controls the CFE should look for when conducting a proactive fraud risk assessment of employee access to PCI.

SOX, Fraud and the Audit Committee

A practicing CFE and subscriber to this blog contacted us to say that he’s been asked to make a presentation to the audit committee of a small public company client for whom he recently completed an examination of a financial fraud. The audit committee, in light of the control vulnerabilities uncovered by our CFE’s report, wants a briefing on its responsibilities under SOX (the Sarbanes-Oxley Act) so it, in turn, can assure that management’s future performance deters any fraud recurrence.

Since its inception in 2002, SOX has had a material impact on the way boards of directors, management, and accountants of publicly held companies operate. It has also had a dramatic impact on the certified public accountants of publicly held companies and the audits of those companies. Since the enactment of Sarbanes Oxley, the Securities and Exchange Commission (SEC) has issued numerous SEC Releases that support and expand the SOX requirements. Many of the most important provisions of SOX and of the corresponding SEC Releases relate to fraud detection and prevention.

SOX gave audit committees more power and responsibility over a company’s auditors. The intent of the rules is to make the audit committee (rather than company management) the auditor’s “client.” Companies can be delisted from the stock exchanges if they fail to comply with the rules.

  • The auditor’s report is to be overseen by a company’s audit committee, not management;
  • Audit committees are responsible for hiring, compensating, and overseeing the registered public accounting firms they employ, and for hiring independent counsel and any other advisors they determine necessary;
  • Each person on the audit committee must be a member of the board of directors and be otherwise independent of the company. SOX defines “independent” as not receiving any other compensation from the company and not being affiliated with the company or any of its subsidiaries;
  • One member of the audit committee must be a financial expert. A company without a financial expert must disclose that fact and explain its rationale. The SEC has defined a financial expert as someone with:

– An understanding of GAAP and financial statements;
– The ability to assess whether GAAP was used in estimates, accruals, and reserves;
– Experience with financial statements of a similar breadth and complexity of issues;
– An understanding of internal controls and financial reporting procedures;
– An understanding of audit committee functions.

  • The New York Stock Exchange requires the chair of the audit committee to have accounting or financial management experience. It also requires a nominating committee and a compensation committee composed of independent directors;
  • Companies must provide appropriate funding to their audit committee;
  • Audit committees pre-approve all audit and non-audit services provided by their auditor that are not specifically prohibited by SOX;
  • Audit committees set up procedures to receive and deal with any complaints the company receives about accounting, internal control, auditing, and similar issues.

On the other hand, the biggest requirement for management of public companies that SOX mandates is more responsibility for financial reports filed with the SEC. SOX requires both the chief executive officer (CEO) and chief financial officer (CFO) of a company to prepare a statement to accompany the audit report that certifies their quarterly and annual financial statements and disclosures. There are six elements to the management certification:

  1. The financial statements have been reviewed by management;
  2. The statements do not contain an untrue statement of a material fact or omit a material fact that makes the statements misleading;
  3. The statements fairly present, in all material respects, the operations, financial condition, and cash flow of the issuer;
  4. Management is responsible for designing, installing, and evaluating disclosure controls and procedures, and reporting its conclusions with respect to its effectiveness;
  5. All material internal control weaknesses and fraud are disclosed to the auditor;
  6. All significant changes to internal controls after management’s evaluation have been disclosed and corrected.

These rules were implemented to assure investors that the information in a company’s quarterly and annual reports is accurate and contains all of the company information that the executives believe is important to a reasonable investor. If management willfully and knowingly violates this certification process, it can be punished with imprisonment of up to 20 years and a fine of up to $5,000,000. In addition, if financial reports must be restated due to material noncompliance with financial reporting requirements, a violation of securities laws, or securities fraud, company management can be required to repay bonuses and incentives or equity-based compensation it realized during the twelve months following the issuance or filing of the noncompliant document. It can also be required to repay any profits it realized from the sale of company securities during the same period. As a result of these certification requirements, it’s not surprising that many public company CEOs and CFOs have spent a great deal of time since 2002 conducting due diligence procedures on their financial statements before certifying them.

From a specifically fraud prevention perspective, SOX also sets out the following requirements of interest to our CFE reader’s audit committee and executive management:

  • Company officers and directors cannot take any action to fraudulently influence, coerce, manipulate, or mislead auditors to make the financial statements materially misleading;
  • Company executives and directors cannot receive loans that are unavailable to those outside the company. There is an exception for loans, such as a home mortgage or a credit card agreement, if they are on the same terms and conditions as those made to the general public and done in the ordinary course of business;
  • Company executives and directors cannot trade company stock during blackout periods when other employees are unable to do so. Profits from doing so can be recovered;
  • All insider stock trades involving executives and individuals who own 10 percent or more of the company must be reported electronically to the SEC within two days and posted to the company’s website;
  • All financial reports required by GAAP must contain all material correcting adjustments identified by the auditors;
  • All annual and quarterly financial reports must disclose all material off-balance sheet transactions and relationships with unconsolidated entities likely to have a material effect on the company’s financial condition;
  • Pro forma financial information must not contain any untrue statements or omit a material fact that would make it misleading, and it should be in conformance with company financial information prepared according to GAAP;
  • Companies must disclose, in plain English, material changes to their financial condition on a rapid and current basis.

Also of interest to our reader’s audit committee would be the criminal penalties. Sarbanes-Oxley and the SEC rules implementing its requirements increased the maximum penalties for many white-collar crimes and created tougher penalties for people who destroy records, commit securities fraud, and fail to report fraud. CPA firms are required to preserve all audit or review work papers, including e-mail, for at least seven years after the audit is complete. Willfully failing to do so or intentionally destroying these records is a felony, with penalties of up to 10 years of incarceration. Sarbanes-Oxley also created a new felony, with penalties of up to 20 years of incarceration and a hefty fine, for destroying, altering, or fabricating documents to impede, obstruct, or influence any existing or contemplated federal investigation. The criminal penalty for securities fraud was increased to 25 years. The statute of limitations on securities fraud claims was extended from one to two years from the date the fraud is discovered, and from three to five years after the fraud took place. Sarbanes-Oxley increases the penalty for CEOs and CFOs who knowingly certify fraudulent financial statements or submit materially misleading statements to the SEC to a maximum of 10 years of imprisonment and a $1 million fine. CEOs and CFOs who willingly do so will face a maximum penalty of 20 years of imprisonment and a $5 million fine.