Managing fraud risk: The audit committee perspective. The audit committee guide series




Effective audit committees are critical to the quality of financial reporting and the proper conduct of business. This guide is one of a series that is meant to help audit committees meet their oversight and fiduciary responsibilities.
Trent Gazzaway, National Managing Partner of Audit Services

Contents
- Definitions
- Fighting corporate fraud
- The external auditor's responsibilities
- The internal auditor's responsibilities
- Investigating known fraud
- The audit committee's oversight approach
- Grant Thornton's forensic accounting, fraud and investigations services
- Suggested reading
- Grant Thornton LLP offices

The audit committee guide series has been adapted from The Audit Committee Handbook, Fifth Edition, published by John Wiley & Sons and available for purchase at www.grantthornton.com/achandbook and through major online booksellers and bookstores nationwide.

In the aftermath of corporate scandals and the passage of the Sarbanes-Oxley Act of 2002 (SOX), the audit committee is vested with greater authority to oversee financial reporting and the appropriation of assets. As a result, the audit committee is responsible for adequate supervision and reporting and for responding to: fraud in a financial statement audit; actual, perceived or potential conflicts of interest; anonymous tips and complaints; and, through interaction with general counsel, compliance matters such as those that relate to the Foreign Corrupt Practices Act (FCPA).

How will financial reform impact your company? The regulatory landscape is changing for companies and their audit committees. Go to www.grantthornton.com/financialreform to review Grant Thornton's outline of key financial reform issues and actions you can take to guide your company through them: Financial reform: What public companies and their audit committees need to know about the Dodd-Frank Act. Visit our Audit Committee Resource Center at www.grantthornton.com/auditcommittees for relevant and timely information that companies and their audit committees need to know.

Definitions

With different industry definitions and viewpoints, fraud can be a tough issue for audit committee members to grasp for oversight purposes. The Institute of Internal Auditors (IIA), the American Institute of Certified Public Accountants (AICPA) and the Association of Certified Fraud Examiners (ACFE) collaborated in 2008 on landmark guidance that defines fraud:

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. [1]

Separately, the IIA has defined fraud as:

[a]ny illegal acts characterized by deceit, concealment or violation of trust. These acts are not dependent upon the application of threat of violence or of physical force. Frauds are perpetrated by individuals and organizations to obtain money, property or services; to avoid payment or loss of services; or to secure personal or business advantages. [2]

Overseeing fraud management efforts is further complicated by fraud's differing look and impact in various situations. The chameleonlike nature of fraud requires a customized response to the highest-risk areas of individual and organizational fraud. Efforts to mitigate the risk of defalcation, for example, may differ from efforts to counter the risk of management fraud.

[1] Institute of Internal Auditors, American Institute of Certified Public Accountants and Association of Certified Fraud Examiners, Managing the Business Risk of Fraud: A Practical Guide (2008), 5
[2] Institute of Internal Auditors, The Professional Practices Framework (Altamonte Springs, FL: IIA, 2009)

Fraud in a financial statement audit

From the auditor's perspective, the Auditing Standards Board of the AICPA describes fraud in this way:

Fraud is a broad legal concept and auditors do not make legal determinations of whether fraud has occurred. Rather, the auditor's interest specifically relates to acts that result in a material misstatement of the financial statements. The primary factor that distinguishes fraud from error is whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional. For purposes of the Statement, fraud is an intentional act that results in a material misstatement in financial statements that are the subject of an audit. [3]

Misstatements can arise from fraudulent financial reporting and/or from misappropriation of assets (sometimes referred to as theft or defalcation). The Auditing Standards Board defines misstatements, and describes the types of misstatements that anti-fraud measures are intended to mitigate, as follows:

Misstatements arising from fraudulent financial reporting are intentional misstatements or omissions of amounts or disclosures in financial statements designed to deceive financial statement users where the effect causes the financial statements not to be presented, in all material respects, in conformity with generally accepted accounting principles (GAAP). Fraudulent financial reporting may be accomplished by the following:
- Manipulation, falsification or alteration of accounting records or supporting documents from which financial statements are prepared
- Misrepresentation in or intentional omission from the financial statements of events, transactions or other significant information
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation or disclosure [4]

Misstatements arising from misappropriation of assets involve the theft of an entity's assets where the effect of the theft causes the financial statements not to be presented, in all material respects, in conformity with GAAP. Misappropriation of assets can be accomplished in various ways, including embezzling receipts, stealing assets, or causing an entity to pay for goods or services that have not been received. [5]

[3] Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (New York: AICPA, 2002), par. 5
[4] Ibid., par. 6
[5] Ibid.

Fighting corporate fraud

The legal obligations of audit committee members have intensified because their standard duty of care and loyalty to the entity has increased in light of management fraud activities. This heightened obligation is linked directly to the 2002 passage of SOX, which raised the bar of regulatory expectations with regard to board responsibilities for preventing fraud, especially management fraud. Since top executives perpetrate management fraud, their processes are generally sophisticated. Therefore, audit committee members must rely on the professional expertise of external and internal auditors, legal counsel and special investigators when investigating management fraud.

To support anti-fraud efforts, the IIA, AICPA and ACFE issued Managing the Business Risk of Fraud: A Practical Guide, which provides guidance to the board, senior management and internal auditors in their fight against corporate fraud. The guidance outlines five key principles that organizations can follow to establish an environment that will help effectively manage fraud risk:

1. As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
2. Fraud risk exposure should be assessed periodically by the organization to identify potential schemes and events that the organization needs to mitigate.
3. Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
4. Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
5. A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely. [6]

[6] Institute of Internal Auditors, American Institute of Certified Public Accountants and Association of Certified Fraud Examiners, Managing the Business Risk of Fraud: A Practical Guide (2008), 6

The external auditor's responsibilities

The external auditor is a key member of the fraud management team, and Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (SAS 99), provides external auditors with revised and expanded guidelines on considering fraud risk. Under SAS 99, external auditors are not only responsible for planning and performing the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud, but are also required to consider fraud throughout the audit. The standard covers two types of material fraud: (1) fraudulent financial reporting involving intentional material misstatements or omissions of material amounts or disclosures in the financial statements; and (2) misappropriation of assets involving the theft of an entity's assets.

SAS 99 requires external auditors to:
- gather information necessary to identify the risks of material misstatements,
- identify risks of material misstatements,
- assess identified risks,
- respond to the results of the assessment,
- evaluate audit evidence,
- communicate any evidence of fraud to interested parties, and
- document the auditor's consideration of fraud. [7]

[7] Statement on Auditing Standards No. 99, Consideration of Fraud in a Financial Statement Audit (New York: AICPA, 2002), par. 2. For further reference, see Carmichael, Douglas R., The Auditor's New Guide to Errors, Irregularities and Illegal Acts, Journal of Accountancy 166, No. 3 (September 1988): 40-48.

Identifying a risk of material misstatement due to fraud requires auditors to use professional judgment and to consider the attributes [8] of the risk, including:
- type: whether the risk involves fraudulent financial reporting or misappropriation of assets;
- significance: whether the risk could lead to a possible material misstatement of the financial statements;
- likelihood: the probability that the risk will result in a material misstatement in the financial statements; and
- pervasiveness: whether the risk affects the financial statements as a whole or is related specifically to a particular assertion, account or class of transactions.

External auditors have a responsibility not only for detecting fraud in a financial statement audit but also for detecting illegal acts by client companies, as defined by the Auditing Standards Board:

The term illegal acts, for purposes of this Statement, refers to violations of laws or governmental regulations. Illegal acts by clients are acts attributable to the entity whose financial statements are under audit or acts by management or employees acting on behalf of the entity. Illegal acts by clients do not include personal misconduct by the entity's personnel unrelated to their business activities. [9]

[8] Ibid., pars. 38-40
[9] Statement on Auditing Standards No. 54, Illegal Acts by Clients (New York: AICPA, 1988), par. 2. For further discussion, see Neebes, Donald L.; Guy, Dan M.; and Whittington, O. Ray, Illegal Acts: What Are the Auditor's Responsibilities? Journal of Accountancy 171, No. 1 (January 1991): 82-84, 86, 88, 90-93.

Although the external auditor may recognize that the client has committed an illegal act, the auditor should consult with legal counsel or await a court ruling, depending on the circumstances, for a determination of illegality. Listed in Exhibit 1, however, are some warning signs that may indicate possible illegal acts.

Exhibit 1: Warning signals of possible illegal acts [10]
- Unauthorized transactions, improperly recorded transactions, or transactions not recorded in a complete or timely manner in order to maintain accountability for assets
- Investigation by a governmental agency, an enforcement proceeding, or payment of unusual fines or penalties
- Violations of laws or regulations cited in reports of examinations by regulatory agencies that have been made available to the auditor
- Large payments for unspecified services to consultants, affiliates, or employees
- Sales commissions or agents' fees that appear excessive in relation to those normally paid by the client or to the services actually received
- Unusually large payments in cash, purchases of bank cashiers' checks in large amounts payable to bearer, transfers to numbered bank accounts, or similar transactions
- Unexplained payments made to government officials or employees
- Failure to file tax returns or pay government duties or similar fees that are common to the entity's industry or the nature of its business

[10] Ibid., par. 9

The external auditor's examination is not a guarantee that fraud does not exist. The audit committee should obtain reasonable assurance from the external auditors that management has taken the necessary actions to protect the assets of the entity. This requires the audit committee to determine, through inquiries of the audit partner, the auditor's alertness to the possibility of fraud. Guiding the audit committee in these efforts are the time-tested warning signals of fraud issued by the AICPA's standing committee on methods, perpetration and detection of fraud (Exhibit 2).

Exhibit 2: Warning signals of the possible existence of fraud [11]

1. Highly domineering senior management and one or more of the following, or similar, conditions are present:
   - An ineffective board of directors and/or audit committee.
   - Indications of management override of significant internal accounting controls.
   - Compensation or significant stock options tied to reported performance or to a specific transaction over which senior management has actual or implied control.
   - Indications of personal financial difficulties of senior management.
   - Proxy contests involving control of the company or senior management's continuance, compensation, or status.
2. Deterioration of quality of earnings evidenced by:
   - Decline in the volume or quality of sales (e.g., increased credit risk or sales at or below cost).
   - Significant changes in business practices.
   - Excessive interest by senior management in the earnings per share effect of accounting alternatives.
3. Business conditions that may create unusual pressures:
   - Inadequate working capital.
   - Little flexibility in debt restrictions such as working capital ratios and limitations on additional borrowings.
   - Rapid expansion of a product or business line markedly in excess of industry averages.
   - A major investment of the company's resources in an industry noted for rapid change, such as a high technology industry.
4. A complex corporate structure where the complexity does not appear to be warranted by the company's operations or size.
5. Widely dispersed business locations accompanied by highly decentralized management with inadequate responsibility reporting system.
6. Understaffing which appears to require certain employees to work unusual hours, to forego vacations, and/or to put in substantial overtime.
7. High turnover rate in key financial positions such as treasurer or controller.
8. Frequent change of auditors or legal counsel.
9. Known material weaknesses in internal control which could practically be corrected but remain uncorrected, such as:
   - Access to computer equipment or electronic data entry devices is not adequately controlled.
   - Incompatible duties remain combined.
10. Material transactions with related parties exist or there are transactions that may involve conflicts of interest.
11. Premature announcements of operating results or future (positive) expectations.
12. Analytical review procedures disclosing significant fluctuations which cannot be reasonably explained, for example:
   - Material account balances.
   - Financial or operational interrelationships.
   - Physical inventory variances.
   - Inventory turnover rates.
13. Large or unusual transactions, particularly at year-end, with material effect on earnings.
14. Unusually large payments in relation to services provided in the ordinary course of business by lawyers, consultants, agents, and others (including employees).
15. Difficulty in obtaining audit evidence with respect to:
   - Unusual or unexplained entries.
   - Incomplete or missing documentation and/or authorization.
   - Alterations in documentation or accounts.
16. In the performance of an examination of financial statements unforeseen problems are encountered, for instance:
   - Client pressures to complete audit in an unusually short time or under difficult conditions.
   - Sudden delay situations.
   - Evasive or unreasonable responses of management to audit inquiries.

[11] American Institute of Certified Public Accountants, CPA Letter 59, No. 5 (March 12, 1979), 4

The internal auditor's responsibilities

Working closely with the audit committee, the internal audit function plays an important role in contributing to the overall governance of a fraud risk management program. It provides objective assurance to the board and management that the controls in place to manage fraud risks are designed adequately and operate effectively. Internal auditors may conduct proactive audits to search for corruption, misappropriation of assets and financial statement fraud, acting both to detect and to deter fraud. As described in AU 316.86, other dual-purpose activities include determining whether:
- appropriate authorization policies for transactions are established and maintained;
- policies, practices, procedures, reports and other mechanisms are developed to monitor activities and safeguard assets, particularly in high-risk areas; and
- recommendations need to be made for establishing or enhancing cost-effective controls to help deter fraud.

Investigating known fraud [12]

Organizations should have a designated chief compliance officer that oversees fraud investigations. However, the audit committee may, from time to time, wish to engage special investigators and/or external auditors to aid in investigations. The audit committee should oversee the efforts of all internal and external parties to an investigation to ensure proper coordination among them. In particular, the audit committee should ensure that:
- the suspect has not been notified of the present investigation;
- all documents and electronic data are immediately secured;
- the investigation has been properly planned in advance and will be conducted expeditiously to prevent its obstruction;
- all corporate transactions involving the suspect and the methods used to perpetrate the fraud have been properly investigated and documented;
- the existence of possible collusion has been carefully considered;
- the dollar amount of the defalcation has been properly ascertained and the funds have been recovered; and
- any legal action, if appropriate, has been taken against the perpetrator(s).

[12] For further reference, see Causey, Denzil Y., The CPA Guide to Whistle Blowing, CPA Journal 58, No. 8 (August 1988): 26-37. See also Williams, Timothy L. and Albrecht, W. Steve, Understanding Reactions to Fraud, Internal Auditor 47, No. 4 (August 1990): 45-51. The reader should review Section 806, which deals with whistleblowing protection for employees.

The audit committee's oversight approach

As part of overseeing the audit process, fulfilling SAS 99 requirements and maintaining good governance, audit committees need to report to the full board of directors any indications of possible illegal acts or fraud and management's actions to remedy them. A review of fraud risk areas requires adequate planning; therefore, audit committee members must be familiar with the entity's:
- business model and industry,
- business risks and internal control environment,
- policies and procedures for detecting fraud and illegal acts,
- accounting industry practices,
- complex business transactions and significant contracts, and
- financial reporting process.

Likewise, audit committees need to review the following:
- The operational characteristics of the entity and the vulnerability of the industry to changing economic conditions and competitive pressures [13]
- Management's risk assessment process and related internal controls
- Management's policies and procedures with respect to the following:
   - Conflict-of-interest statements
   - Corporate code of conduct
   - Laws and regulations
   - Management override of controls
- Industry accounting practices, with particular emphasis on the appropriateness of accounting principles
- Complex business transactions (e.g., restructuring charges)
- Financial reporting process at the individual financial account and transaction class level
- Internal and external communication processes
- Internal and external auditing processes
- Document-retention program
- Whistleblower process

In addition, the audit committee members must know what questions to ask with respect to the auditors' assessment of fraud risk and their response to the overall audit approach. Exhibit 3 provides questions that audit committees can ask during pre-audit meetings to set objectives and implementation measures related to fraud prevention and detection. For post-audit meetings, Exhibit 4 lists some representative questions dealing with fraud detection, illegal acts and internal control breakdowns identified during the audit engagement.

[13] Such a review would usually include recent annual and interim financial statements, SEC filings (10-Qs and 10-Ks), annual proxy statements, the entity's website, and analytical review procedures (e.g., absolute data comparison, financial ratio data). In addition, an evaluation of management integrity would include biographical information on senior executives and financial management.

Exhibit 3: Representative questions for the pre-audit meeting: fraud risk planning
- To what extent can the planned audit scope be relied on to detect fraud?
- What steps were taken by the audit engagement team in assessing the likelihood that fraud, which may affect financial information, may be occurring?
   - Inquiries of management and employees other than management
   - Observations with regard to preliminary analytical procedures, including procedures related to revenue recognition (i.e., unusual and unexpected results)
   - Consideration of fraud risk factors relative to fraudulent financial reporting and misappropriation of assets (incentives/pressures, opportunities, and attitudes/rationalizations)
   - Consideration of other information (e.g., integrity of management)
   - Identification of fraud risks, including type of risk, significance, likelihood and pervasiveness
   - Assessment of identified fraud risks and consideration of the entity's programs and controls to prevent, detect and mitigate fraud
   - Response to fraud risk assessment in the overall audit approach, including the nature, timing and extent of audit procedures as well as additional procedures related to management override of controls
- What areas will be emphasized in response to the heightened likelihood of fraud?
- What areas require special attention by the audit committee (e.g., SOX's corporate and criminal fraud accountability provision, including record retention and destruction procedures as well as whistleblower protection)?
- Were there any allegations of unethical behavior in the financial reporting process?

Exhibit 4: Representative questions for the post-audit meeting: fraud risk areas
- To what extent did the actual scope of the fraud risk audit findings differ from the pre-audit plan? What were the causes for the difference?
- Did management restrict the scope of the audit or access to requested information?
- Were there disagreements with management on accounting policies and practices, including estimates and assumptions?
- What recommendations were made to management to improve the system of internal control?
- What assessment was given to the entity's policies and procedures for detecting conflicts of interest (e.g., related-party transactions) and management override of controls, including directives of the board of directors?
- Were there any incidents of noncompliance with laws and regulations, including SOX provisions?
- Were there any incidents of noncompliance with the corporate code of conduct?
- What were the accounting treatments with respect to complex transactions, unusual transactions and material contracts?
- Were there any proposed accounting adjustments, including immaterial uncorrected adjustments?

In their review of the financial statements, audit committees should request a fraud risk assessment at the financial-account and transaction level and be alert to breakdowns in the system of internal controls. Finally, audit committees should be concerned with material audit adjustments, immaterial uncorrected misstatements (including aggressive versus conservative accounting policies and any changes in accounting principles) and potential illegal acts such as FCPA violations.

To meet heightened legal obligations, audit committee members must be prepared to dig deep into the many aspects of an entity's fraud risk management program, providing adequate oversight and ensuring its effectiveness. But audit committee members are not alone in their efforts. With front-line support from a team of fraud experts (including external and internal auditors, special investigators, and legal counsel) and knowledge of the right questions and the warning signs, audit committee members can more fully meet their obligations to oversee financial reporting and the appropriation of assets.

Grant Thornton's forensic accounting, fraud and investigations services

Today's white-collar criminals are sophisticated, using advanced technology and schemes to commit complex frauds. Fighting state-of-the-art criminal fraud requires state-of-the-art investigators and technologies. Grant Thornton's professionals are experienced in identifying and evaluating fraud risks, designing controls to deter them, and monitoring compliance. We also develop and implement corporate integrity programs, perform antifraud training, prepare corrective action plans, monitor antifraud internal control compliance systems, and conduct whistleblower investigations for public, private, governmental and nonprofit enterprises. Our proprietary Model Accounting Complaint Handling (MACH℠) process maximizes the effectiveness and accountability of corporate whistleblower claim systems.

Our diverse forensics accounting team is made up of CPA auditors and tax professionals, certified fraud examiners, certified anti-money laundering specialists and certified electronic data discovery technologists. They are trained to uncover such corporate crimes as fraud, insider trading, bribery, embezzlement, money laundering, tax scams and forgery. We identify, acquire, analyze and report financial and economic evidence to help parties determine a disputed amount or prove a claim.

If you suspect wrongdoing in your company, Grant Thornton's forensic accounting professionals can address your areas of concern and provide real, cost-effective and timely solutions to rapidly contain the situation. Our services include:

- Forensic accounting
- Fraud investigation
- Fraud prevention and deterrence
- Whistleblowers complaints
- Asset tracing
- Forensic due diligence
- Fraud assessment and controls
- Anti-corruption
- Anti-money laundering and Foreign Corrupt Practices Act (FCPA) compliance
- Compliance monitoring
- False Claims Act investigations
- Background investigations

Contacts

Larry Redler
National Managing Partner of Economic Advisory Services
T 816.412.2426
E Larry.Redler@gt.com

Warren Stippich
Partner and National Governance, Risk and Compliance Solution Leader
T 312.602.8499
E Warren.Stippich@gt.com

Subscribe to Grant Thornton publications at www.grantthornton.com/subscribe

Receive relevant white papers and timely updates on industry issues and the regulatory environment.

CorporateGovernor white paper series

Ensure your public company is run well and in accordance with applicable laws and regulations. Explore a range of topics from fraud prevention and detection to financial reporting control and SOX compliance:

Fraud in the economic recovery
As companies pick up the pieces following a bruising bout of the economic blues, they need to be on the lookout for fraud. From heightened fraud risk to due diligence strategies for companies purchasing distressed assets, this CorporateGovernor white paper provides a sound overview of fraud prevention in today's economic environment.

Enterprise risk management: Creating value in a volatile economy discusses why implementing an enterprise risk management (ERM) program can benefit companies in a down economy and how ERM can help enhance business strategy.

Hear that whistle blowing! Establishing an effective complaint-handling process addresses an important mandate of the Sarbanes-Oxley Act: the requirement that audit committees establish procedures for receiving, documenting and handling complaints related to accounting and auditing matters.

Timely updates

Tailored to management, boards and audit committees of mid-cap public companies, these updates help you stay abreast of issues that affect the marketplace and your business.

Information overload: How to make data analytics work for the internal audit function
Learn how your internal audit department can effectively use data analytics to add value to your organization.

Conflict-of-interest internal audit
What is the conflict-of-interest internal audit and why is it important to organizations?

Suggested reading

The Audit Committee Handbook, Fifth Edition (Wiley, 2010, ISBN: 978-0-470-56048-8, U.S. $95.00).
The Audit Committee Handbook is co-authored by Grant Thornton LLP audit committee experts R. Trent Gazzaway, national managing partner of Audit Services, and Robert H. Colson, partner in Public Policy and External Affairs, along with Louis Braiotta Jr., professor of accounting at SUNY Binghamton's School of Management, and Sridhar Ramamoorti, principal at Infogix Advisory Services. The Audit Committee Handbook provides practical, in-depth guidance on all audit committee functions, duties and responsibilities. This latest edition features regulatory updates, new chapters on audit planning and oversight, heightened focus on fraud risk, and broad international coverage. The Audit Committee Handbook is available at www.grantthornton.com/achandbook and through major online booksellers and bookstores nationwide.

The Anti-Corruption Handbook: How to Protect Your Business in the Global Marketplace (Wiley, 2010, ISBN: 978-0-470-61309-2, U.S. $75.00)
Today's demanding marketplace expects CFOs, auditors, compliance officers and forensic accountants to take responsibility for fraud detection. These expectations are buoyed by such legislation as the Foreign Corrupt Practices Act, which makes it a crime for any U.S. entity or individual to obtain or retain business by paying bribes to foreign government officials. Written by William P. Olsen, the national practice leader of Forensics, Litigation and Investigation Services at Grant Thornton LLP, The Anti-Corruption Handbook provides guidelines addressing the challenges of maintaining business integrity in the global marketplace.


Grant Thornton LLP
All rights reserved
U.S. member firm of Grant Thornton International Ltd

The people in the independent firms of Grant Thornton International Ltd provide personalized attention and the highest quality service to public and private clients in more than 100 countries. Grant Thornton LLP is the U.S. member firm of Grant Thornton International Ltd, one of the six global audit, tax and advisory organizations. Grant Thornton International Ltd and its member firms are not a worldwide partnership, as each member firm is a separate and distinct legal entity. In the U.S., visit Grant Thornton LLP at www.grantthornton.com.