Sunday, July 01, 2007

Why did the fraud numbers increase

Oversight's 2007 fraud survey shows a double-digit increase over the 2005 survey results despite the implementation of Sarbanes-Oxley control regimens. Is there any way to reduce the reported fraud numbers? Does that mean we have to implement even more controls?

Over the past few weeks I've had the chance to discuss these results with a number of experts and have developed a consensus view that we can reduce fraud further. More surprisingly, we can do it with fewer, more "rationalized" controls. Thankfully, the "top-down, risk-based approach" advocated in Auditing Standard 5 (AS5) gives the opening to effect this change.

Many (if not most) of the first iterations of controls for Sarbanes-Oxley compliance were created with a bottom-up approach that attempted to cover every possible contingency: think of everything that could possibly result in financial reporting fraud and then design a way to prevent it. While most control activity will reduce risk, there is a finite amount of time and effort available for all of that activity. Covering every possible contingency dilutes the overall fraud reduction effort by spreading it across the documentation of low-value activities.

For instance, the physical security of the tapes used to back up the financial applications is an example of a Sarbanes-Oxley control activity with a relatively low fraud reduction payback for the effort invested. To effect the fraud, someone would have to manipulate the precise fields on the backup tape to change the financial numbers, then cause the financial applications to crash, and then have the systems restored from the manipulated backup tapes. Frankly, restoring from a backup tape is not always the most reliable process. A lot of things have to happen in this fraudulent financial reporting scenario; it's a low-probability occurrence.

When you compare the backup tape scenario with a manager or other privileged user overriding controls and posting a fraudulent entry in the General Ledger (GL), it is clear that the management override is much easier to effect. Both are possible, but one is much more probable and very difficult to prevent absolutely. Finding the irregular GL posting requires diligent forensic evaluation of journal entries, which takes time and expertise.

The top-down, risk-based approach advocated by regulators would devote more effort to the journal entry evaluation and reduce the time spent on low-probability risks. By rationalizing the control activity according to the real risk, there's more time for the high-impact activities that materially affect fraudulent financial reporting. With AS5 we have the opportunity to redirect control investments toward activities with a real payoff in fraud reduction.

posted by Patrick Taylor @ 7:38 PM


