From Treadway To the Cube (1987-2014)
National Society of Accountants for Cooperatives (NSAC)
CLAconnect.com
Instructor: Ron Durkin, CPA/CFF, CFE, CIRA
National Principal in Charge, Fraud & Misconduct Investigations

So, Who is COSO?
COSO, or the Committee of Sponsoring Organizations, is made up of 5 founding members:
American Accounting Association (AAA)
American Institute of CPAs (AICPA)
Financial Executives International (FEI)
Institute of Management Accountants (IMA)
Institute of Internal Auditors (IIA)

What Does COSO Do?
COSO was founded in 1985 as the primary sponsor for the National Commission on Fraudulent Financial Reporting (also called the Treadway Commission after one of its founding members, James C. Treadway, Jr., who served as a commissioner at the SEC)
The joint initiative of the five members was to provide thought leadership to executive management and governance entities on critical aspects of organizational governance, business ethics, internal control, enterprise risk management, fraud and financial reporting

A Historical Look At COSO
COSO is an organization dedicated to providing thought leadership and guidance on internal control, enterprise risk management and fraud deterrence
The early Treadway Commission report on financial reporting was issued in 1987
The initial COSO Internal Control framework was issued in 1992
COSO commissioned fraud deterrence research studies in 1999 and 2010 (Beasley)
The Refresh Project 2013

The Treadway Commission Report
Their mission was to identify causal factors that can lead to fraudulent financial reporting and steps to reduce its incidence
The Commission defined fraudulent financial reporting as intentional or reckless conduct, whether by act or omission, that results in materially misleading financial statements
They found that one of the most fundamental obligations of the public company is the full and fair public disclosure of corporate information, including financial results

Treadway Commission Major Findings
Consequences of Fraudulent Financial Reporting - victims
Risk of Occurrence (incentives, pressures, opportunity)
Realistic Potential for Reducing Risk (corporate governance, auditors, regulators, law enforcement, etc.)
Participants in the Financial Reporting Process (CEO, management is responsible)
Legal, Financial, and Other Advisors (attorneys, financial analysts, business advisors, etc.)

Tone At The Top - Treadway Commission Report
The tone set by top management influences the corporate environment within which financial reporting occurs. To set the right tone, top management must identify and assess the factors that could lead to fraudulent financial reporting; all public companies should maintain internal controls that provide reasonable assurance that fraudulent financial reporting will be prevented or subject to early detection
Source: Report of the National Commission on Fraudulent Financial Reporting, 1987

Progression of the COSO Framework 1987
Source: Report of the National Commission on Fraudulent Financial Reporting, 1987

Progression of the COSO Framework 1992
Source: Internal Control Integrated Framework, 1992

Progression of the COSO Framework 2013
Source: Internal Control Integrated Framework, 2013

Progression of the COSO Framework 2013 - The Cube
Objectives (operations, reporting, compliance)
Integrated internal control components
  Control environment, risk assessment, control activities, information and communication, monitoring activities
17 Principles
Implementation of controls in the coop environment
  Entity level, division, operating unit and functional level

Fraud Risk Assessment for 2013 Framework
One of the most significant changes from 1992 is the requirement of a specific risk assessment principle related to fraud risks
The organization considers the potential for fraud in assessing risks to the achievement of objectives
Source: Internal Control Integrated Framework, 2013

The Control Environment
Demonstrates commitment to integrity and values
Exercises oversight responsibility
Establishes structure, authority, and responsibility
Demonstrates commitment to competence
Enforces accountability
Source: Internal Control Integrated Framework, 2013

Risk Assessment
Specifies suitable objectives
Identifies and analyzes risk
Assesses fraud risk
Identifies and analyzes significant change
Source: Internal Control Integrated Framework, 2013

Control Activities
Selects and develops control activities
Selects and develops general controls over technology
Deploys through policies and procedures
Source: Internal Control Integrated Framework, 2013

Information and Communication
Uses relevant information
Communicates internally
Communicates externally
Source: Internal Control Integrated Framework, 2013

Monitoring
Conducts ongoing and/or separate evaluations
Evaluates and communicates deficiencies
Source: Internal Control Integrated Framework, 2013

Fraud Quiz #1 (Journal of Accountancy)
Which of the following is NOT one of the specific attributes associated with the risk assessment principle in the updated COSO framework?
A. Reporting past instances of fraud and identifying the measures implemented to prevent them from happening again.
B. Considering how management might engage in or justify inappropriate actions.
C. Assessing opportunities to commit fraud.
D. Evaluating incentives and pressures to commit fraud.

Deterring Fraud In The Coop Environment
Hierarchy of a Coop
Federal Laws
  Federal Sentencing Guidelines
  Other Federal laws affecting your Coop
State Laws
Articles of Incorporation (allows the coop to act)
Bylaws (what the coop can do)
Policies (how the coop can be operated)

Federal Sentencing Guidelines
This chapter is designed so that the sanctions imposed upon organizations and their agents, taken together, will provide punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct. P. 489
This chapter applies to the sentencing of all organizations. P. 490

Guidelines Continued
Specific individual(s) within high level personnel shall be assigned overall responsibility for compliance and ethics program. P. 497
The organization shall take reasonable steps to communicate periodically and in a practical manner its standards and procedures, and other aspects of the compliance and ethics program, to individuals referred to in subparagraph (B) by conducting effective training programs and otherwise disseminating information appropriate to such individuals' respective roles and responsibilities. P. 498

Guidelines Continued
to evaluate periodically the effectiveness of the organization's compliance and ethics program. P. 498
to have and publicize a system, which may include mechanisms that allow for anonymity or confidentiality, whereby the organization's employees and agents may report or seek guidance regarding potential or actual criminal conduct without fear of retaliation. P. 498

Fraud Quiz #2 (Journal of Accountancy)
Generally speaking, what is the primary objective of a fraud risk assessment?
A. To provide an estimate of an organization's fraud losses.
B. To help an organization's leadership identify areas most vulnerable to fraud.
C. To establish the guilt or innocence of an employee suspected of committing fraud.
D. To assess the design and effectiveness of internal controls over financial reporting.

But What Really Makes the Difference?
The Tone at the top is a reflection of the CEO of the Coop
Does the Board of Directors exercise proper oversight and guidance on the CEO and his/her management team?
Do employees feel comfortable raising issues within the organization?
Is there a hotline or upward feedback network?

Tone At The Top - Positive
Corporate culture that sends a strong message that fraud will not be tolerated
Employees feeling comfortable coming forward to say something if they see something
A code of conduct and ethics policy is in force and has been communicated to employees who have been tested on it
Management responds quickly and aggressively to address fraud issues
Management periodically assesses their antifraud program and its effectiveness

An Ineffective Corporate Governance Program
Starts with a weak or conflicted (not independent) board
No antifraud program in place
  United States Sentencing Guidelines (USSG)
Policies are in place but are not promoted or followed (affiliated transactions, related parties, good old boys allowed to be involved either as vendors, shareholders or board members)
Management (below CEO), employees' and members' concerns are not addressed
Lack of or non-functioning of the 17 COSO principles indicates an internal control deficiency

Tone At The Top - Negative
Corporate culture is one of fear, intimidation, and retaliation
Management does not walk the talk
There is no whistleblower hotline or upward feedback network available to address fraud issues
There are no written policies relating to fraud
Internal controls are weak or ineffective

Detection of Fraud In Your Coop
Which of these is the most effective means of detecting fraud?
A. Whistleblower Hotline
B. Internal Audit
C. Internal controls
D. Accident
E. External Audit

What Controls Exist in Your Coop That Would Detect Fraud?
If fraud (occupational) was occurring in your organization, how would it be detected in the ordinary course of business?
If you have a hotline, is it working?
Does management have the ability to override internal controls?

Who Embezzles More Frequently?
Men OR Women?

Famous Quotes From Fraudsters
"I really need this money and I'll put it back when I get my paycheck"
"I'd rather have the company on my back than the IRS"
"I just can't afford to lose everything - my home, car, everything"
RED FLAGS FOR FRAUD, THOMAS B. DINAPOLI

Three Fraud Categories

Occupational Fraud and Abuse Classification System
Source: ACFE 2014 Report to the Nations

Most Prevalent Asset Misappropriation Schemes
Billing
Non-cash
Expense Reimbursement
Cash on Hand
Skimming
Check Tampering
Payroll
Cash Larceny
Register Disbursements
Source: 2014 ACFE Report to the Nation

Most Prevalent Asset Misappropriation Schemes
Source: 2014 ACFE Report to the Nation

Median Duration of Fraud
Source: 2014 ACFE Report to the Nation

Initial Detection of Occupational Frauds
Source: 2014 ACFE Report to the Nation

Every Organization Will Have Fraud
Prevention, detection and response are key elements for every organization in combatting fraud
Management and employees should know what fraud is as well as the telltale signs
Understand the incentives and pressures that drive financial behavior
Train employees to be aware of behavioral symptoms and how to react when they see them

Knowing Fraud
Dave Richards, former IIA president, stated: "To have No fraud in your organization, you need to Know fraud"
Every organization has or will have a fraud problem
Do you know the fraud du jour? What is the fraud of the day or the most popular fraud for your industry?

Case Example
CEO sets up a for-profit subsidiary (corp)
Parent subsidizes through loans
CEO profits from relationship
Board complains, nothing happens
Senior execs complain, nothing happens
Coop members complain, nothing happens
Legal issues follow (civil and criminal)
Coop looks very bad in press, community

The End
Questions?