To conduct an effective fraud risk assessment, follow these steps:
1. Organize and define the assessment objectives with company management and your internal audit committee. Form a team of fraud and control experts, and get senior management and audit committee buy-in: Ask them to communicate their endorsement and sponsorship of both the process and a strong anti-fraud program to the entire organization.
2. Determine the business and accounting process(es) to be assessed and investigated. Usually, the initial processes selected are those where fraud or abuse has previously occurred or that management has identified as critical business processes that may be susceptible to fraud or abuse.
3. Identify potential schemes and scenarios specific to the process(es) to be examined against current controls. Fraud schemes and scenarios should be selected based on the specific business process, the industry, physical location of the process operation and any known frauds or abuses concerning the process.
4. Determine the likelihood of a fraud occurring within each scheme and scenario. The Public Company Accounting Oversight Board has defined risk levels as remote, more than remote or reasonably possible, and probable. If assessing a public company, assess the risk levels in relation to SOX compliance efforts.
5. After the fraud risks for individual processes have been identified, documented, and rated as to risk level, match the controls within each process to the identified fraud risks. Determine the effectiveness of each control in preventing or providing a means of early detection for the fraud risk. Group the risks as to their probability of occurring within the process.
6. Estimate the probable loss in dollars should the fraud or abuse occur. Try to place a value on loss of reputation if that is a possible outcome.
7. Prepare recommendations for strengthening controls and present them to management.
One big question on fraud is this: has Sarbanes-Oxley been any help? A recent survey by Oversight Systems has some interesting statistics:
Of those surveyed, 79 percent report having stronger internal controls as a result of SOX compliance. Nearly three quarters (74 percent) say their companies realized a benefit from SOX compliance. When asked to identify the benefits from SOX, the survey reports that:
* 46 percent say SOX compliance ensures the accountability of individuals involved in financial reports and operations
* 33 percent say SOX compliance decreases the risk of financial fraud
* 31 percent say they have reduced errors in their financial operations
* 27 percent say SOX improves the accuracy of financial reports
* 25 percent say SOX compliance empowers the board audit committee by providing it with deeper information, and
* 20 percent say SOX strengthens investors’ view of the company.
However, the bottom-line benefits of SOX compliance seemed fuzzier when the group was asked what impact SOX compliance had on shareholder value. Many of those surveyed (37 percent) say SOX increased shareholder value because investors know they operate as an ethical business, and 25 percent report that SOX boosts shareholder value by building overall confidence in the market. However, 33 percent say SOX compliance created a cost burden that suppresses stock prices, and 14 percent feel that SOX decreased their ability to pay out dividends because compliance expenses are a significant drain on earnings (respondents could select all that applied).
SOX may be expensive, yet we are confident that as most executives realize that this is not another Y2K exercise, they will invest even more wisely in the years to come.