Sub-Material Fraud Risk: The Elephant in the Room
Ever have one of those moments where you are watching a movie and you find yourself yelling at the television as if your yelling would actually make a difference in the outcome. Maybe it was during the Freddy Krueger movie when the young, beautiful co-ed walks into a dark bathroom while Freddy awaits and you are yelling at her not to go in there. Or, it could be the part where the kids are playing ball in the house next to Mom’s nice china and you’re yelling at them to stop and then… crash! Well… that is how I am feeling right now related to sub-material fraud. I know… only a twisted mind can piece together Freddy Krueger, fraud risk, and auditing. I’ve long ago accepted that I have a twisted mind. I can see the freight train coming, all the pieces are in place, yet I feel helpless to stop it from happening.
Fraud (Wikipedia’s version) is defined as “a deception made for personal gain.” Various frauds led to the implementation of Sarbanes-Oxley in the United States, many of which were cases in which senior executives used corporate resources for their personal gain. SOX and its AS5 requirements are primarily concerned about fraud that could cause a material misstatement in a company’s financial statements. According to the guidance from AS5, “the auditor should evaluate whether the company's controls sufficiently address identified risks of material misstatement due to fraud and controls intended to address the risk of management override of other controls” (italics added for emphasis). AS5, specifically, and Sarbanes-Oxley, in general, are focused on the prevention of material fraud and say nothing about preventing fraud below the materiality level.
Should companies be concerned about smaller, less-than-material fraud (what I am calling sub-material fraud)? I will make the argument that sub-material fraud risk is as great a risk as ever. Several issues are combining into a ‘perfect storm’ related to sub-material fraud. The factors are:
1. External auditors are primarily concerned about MATERIAL fraud in the context of SOX 404 and financial statement audits.
2. Controls related to SOX section 404 have often been designed to only prevent and detect MATERIAL fraud because many companies have had their controls designed by Big 4 auditors who are primarily trained to prevent and detect MATERIAL fraud.
3. Segregation of duties is one of the primary means to prevent fraud and there is little consensus about best practices related to segregation of duties (SOD), even several years since SOX went into effect.
4. SOD testing is primarily focused on system controls and is driven by IT auditors.
5. Processes and testing of internal controls are well-documented, so those wishing to commit fraud know which dark alleys to choose.
6. Most SOD testing fails to take into account processes outside the system and the ways actual theft can occur.
7. Many companies have implemented new ERP systems in the past 10 years and ERP systems have been primarily architected for efficiency, not with an internal controls focus.
8. ERP systems have primarily been implemented by those who have few skills in the design or implementation of internal controls.
Let’s examine each of these factors in detail.
External auditors focus on MATERIAL fraud risk
The need for SOX originated from fraud that led to the misstatement of financial statements. The significance of the fraud was that it DID cause financial statements to be misstated and, in several cases resulted in the collapse or bankruptcy of the company. External auditors will always be primarily focused on whether or not a company’s financial statements are materially accurate. They have no exposure or accountability for fraud that is committed below the materiality threshold. It is up to management to design or redesign controls to catch sub-material fraud.
Section 404 controls are designed to prevent MATERIAL misstatement
In many cases, a company’s internal controls over financial reporting have been developed by a Big 4 firm other than their external auditor. These controls have been designed to prevent MATERIAL misstatements in a company’s financial statements. For example, a company we consulted with allowed their AP clerks to both enter suppliers and enter AP invoices against those suppliers. The primary mitigating control for such access, designed by a Big 4 firm, was a review of a Final Payment Register and supporting documentation for all checks over $30,000. This was a reasonable control to prevent MATERIAL fraud, but it left the company exposed to fraud below the $30,000 level.
Segregation of duties best practices are not yet mature
Many companies are relying on their auditors or risk-advisory firms (often another Big 4 firm) to provide a list of SOD conflicts in order to ‘pass’ SOX audits. However, within the Big 4 firms, there seems to be little consensus about best practices related to segregation of duties. I have reviewed and evaluated conflict matrices from all of the Big 4 firms and see a wide variety of approaches. Prior to SOX, SOD was primarily the concern of CFEs and Internal Auditors to design controls for the prevention of fraud. While auditors have always evaluated internal controls as part of the scope of their financial statement audits, they mostly relied on top level financial statement controls that happen during the month end/quarter end close process in order to prevent or detect material misstatements and/or fraud. At many audit firms, a firm-wide standard conflict matrix didn’t even exist prior to SOX. With the adoption of AS5, my fear is that SOD controls become de-emphasized or taken out of scope altogether because of the reliance on entity level controls or controls in the financial close process.
Even if there were to be a standardized public domain SOD conflict matrix, the risk assessment process is still maturing. In order for a company to properly assess SOD risk, they need to have a deliberate and thorough process for evaluating risk. This would include a complete understanding of the risks within the manual and system-related processes for each conflict. Then, after identifying the controls that help mitigate the risk(s), the residual risks need to be identified. Those residual risks need to be evaluated by an appropriate level of management to determine whether they are comfortable with such risks or want to put into place additional controls. This process takes people with various skills (department managers, business analysts, security) as well as the support from senior management in order to properly perform the risk assessment process. In most companies, such risk assessment processes are just beginning to mature.
SOD testing is primarily focused on system controls and is driven by IT auditors
The primary testing of controls is for SOX 404 provisions, and most of the testing resources are dedicated to the prevention of MATERIAL misstatements in a company’s financial statements. Many companies have yet to define, or allocate testing resources to, controls that are NOT key controls. Further, much of the SOD testing is done by IT auditors looking for conflicts within a system. However, there are considerable risks in manual processes outside the system, especially below the materiality threshold, where IT auditors have little training and experience.
As an example, one common SOD violation is one person having the ability to both set up a supplier and enter a purchase order (PO). IT auditors generally run tests against a company’s systems to make sure that no one person has access to both functions. However, what if a buyer with access to enter a PO also has the ability to request or approve that a new supplier be set up by signing or completing a supplier request form? Wouldn’t this essentially give them the ability to establish a supplier and generate a PO against that supplier? Considering processes and risks OUTSIDE the system is just as important as considering those inside the system if you want to look at fraud risk holistically.
Knowing the dark alleys
In some respects, I could argue that SOX has left companies more exposed than ever to fraud because controls are so well defined. Prior to SOX, very little, if any, management testing of internal controls took place. Most of the testing of internal controls was done by internal auditors. Those wishing to commit fraud had very little exposure to how and when testing of internal controls was to be performed by their internal auditors. In today’s culture, controls are very well defined, and some of the higher-risk employees (such as IT staff, business analysts, managers, and supervisors) know what data the tests will be performed on and when. Therefore, to some extent, their awareness of the dark alleys in their company is more concrete than ever. In the example above, where the primary control relied on a review of all payments greater than $30,000, everyone knew the first hurdle to clear to commit fraud was that the amount of the check had to be below $30,000. That is not to say it was the only hurdle. Other top-level financial statement controls, such as budget-to-actual review, flux analysis, etc., may catch it as well. However, the control was clearly defined to catch significant transactions, not smaller transactions, and that information would be very helpful to a potential fraudster.
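The review of checks over $30,000 described above is a single-transaction control, so management that wants a detective control below the threshold needs a different test over the same Final Payment Register. The following is an added example, not code from the original paper or from any audit firm: it reads a constructed payment register (the check numbers, suppliers, amounts and clerk IDs are invented) and flags two patterns a threshold-only review would miss: individual checks sitting just under the review limit, and suppliers whose sub-threshold checks add up to more than the limit within a rolling window. The threshold comes from the article; the 90% band and 30-day window are assumed parameters a reviewer would tune.

```python
"""Detective checks over a payment register that a 'review checks over $30,000' control leaves uncovered.

Added example. PAYMENT_REGISTER is constructed sample data, not a real register;
NEAR_BAND and WINDOW_DAYS are assumed tuning parameters.
"""
import csv
from collections import defaultdict
from datetime import date, timedelta
from io import StringIO

REVIEW_THRESHOLD = 30_000.00   # single-check review limit from the article's example
NEAR_BAND = 0.90               # assumed: flag checks at or above 90% of the threshold
WINDOW_DAYS = 30               # assumed: rolling window for cumulative payments

# Constructed sample register (CSV as a payment register export might look).
PAYMENT_REGISTER = """\
check_no,date,supplier,amount,entered_by
1001,2008-06-02,Acme Supply,12500.00,clerk1
1002,2008-06-03,Northwind Parts,29850.00,clerk2
1003,2008-06-10,Northwind Parts,29900.00,clerk2
1004,2008-06-17,Northwind Parts,29750.00,clerk2
1005,2008-06-18,Acme Supply,8400.00,clerk1
1006,2008-06-20,Globex Services,45000.00,clerk1
1007,2008-06-25,Initech Ltd,9900.00,clerk2
1008,2008-07-01,Initech Ltd,9800.00,clerk2
1009,2008-07-05,Initech Ltd,9950.00,clerk2
"""


def parse_register(text):
    """Parse the CSV register into rows with typed date and amount fields."""
    rows = []
    for r in csv.DictReader(StringIO(text)):
        rows.append({
            "check_no": r["check_no"],
            "date": date.fromisoformat(r["date"]),
            "supplier": r["supplier"],
            "amount": float(r["amount"]),
            "entered_by": r["entered_by"],
        })
    return rows


def near_threshold(payments, threshold=REVIEW_THRESHOLD, band=NEAR_BAND):
    """Check numbers whose amount sits just under the manual review limit."""
    return [p["check_no"] for p in payments
            if band * threshold <= p["amount"] < threshold]


def split_payments(payments, threshold=REVIEW_THRESHOLD, window_days=WINDOW_DAYS):
    """Suppliers whose sub-threshold checks add up to at least the threshold
    within any rolling window; returns {supplier: largest window total}."""
    by_supplier = defaultdict(list)
    for p in payments:
        # Checks at or above the threshold already receive the manual review.
        if p["amount"] < threshold:
            by_supplier[p["supplier"]].append(p)
    flagged = {}
    for supplier, ps in by_supplier.items():
        ps.sort(key=lambda p: p["date"])
        for i, start in enumerate(ps):
            window_end = start["date"] + timedelta(days=window_days)
            total = sum(p["amount"] for p in ps[i:] if p["date"] <= window_end)
            if total >= threshold:
                flagged[supplier] = max(flagged.get(supplier, 0.0), total)
    return flagged


if __name__ == "__main__":
    payments = parse_register(PAYMENT_REGISTER)
    print("Checks just under the review limit:", near_threshold(payments))
    print("Sub-threshold checks exceeding the limit in aggregate:", split_payments(payments))
```

Neither flag proves fraud; both are leads for the reviewer, and the supplier-level aggregate is the one that also catches a clerk who has read the control and keeps every individual check comfortably below the limit.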
Thorough testing includes looking at processes outside the system and ways that ‘personal gain’ can be achieved
In our definition above, a key element to fraud is that of ‘personal gain.’ There are various methods a fraudster could ‘gain’ from their position including theft of assets and bribes from suppliers. To properly design a conflict matrix that has the ability to identify areas of high risk you would need to understand ways a person could take assets from a company and conceal them. This would include such things as having access to incoming cash and checks from customers, the ability to initiate a payment (ACH, check, or wire), or ability to re-direct or steal inventory (processes that happen outside the system). However, beyond this awareness, you also need to be aware of ways the misappropriations could be covered. For example, if a collections agent could intercept a payment from a customer, but didn’t have the ability to conceal it, eventually the customer would likely escalate the issue and a review of where their check was cashed would uncover the theft. However, what if the same collections agent could also request that a credit be issued or a balance be written off to coincide with the amount of the check? By doing so, they may have the ability to steal the cash and then conceal the theft, reducing the likelihood of the fraud being uncovered.
ERP systems design
A background in implementing ERP systems has given me additional insight into the risks where companies have implemented such systems. Having used and implemented Oracle Applications since 1998, I can tell you that the primary driver of ERP system development specs has NOT been internal controls. In most cases, the primary driver of these systems has been operational efficiency and effectiveness. In some cases, no one can tell what the driving factor is/was.
Additionally, there are several gaping holes in the design of the applications that can be exploited for personal gain or to commit fraud. Some are minor and some are significant technical issues. For example, in Oracle Applications there is a setting that allows a user to override a supplier address when generating a check. This would allow a fraudster to change the address to a location such as a personal PO Box to re-direct the check. No one with any internal controls common sense would ever have allowed that ‘feature’ to be put into the application. However, from an operational perspective, it makes sense. An AP clerk that is asked by a supplier to change the mailing address for a check run (i.e. to re-direct to a physical address instead of a lockbox address in order to get an order on credit hold released) can do so without involving the person in charge of supplier master maintenance.
ERP Systems implementations
Companies that migrate to ERP systems, such as SAP and Oracle, from legacy systems are often shocked at the complexity of the implementation. Those companies that are also subject to SOX 404 requirements have to wrestle with changes in their business processes as well as their controls and testing strategies. Add to that, companies have new IT security procedures and significant changes in their change management process. Many companies implementing ERP systems for the first time are heavily reliant on the expertise of their systems integrator in the design of the system to guide them through the implementation. However, few systems integrators have the necessary skills to help companies design and configure the applications to meet both the necessary operational and compliance objectives. I have, as a result, often seen internal control challenges in process design or system configuration. Considering that best practices for sub-material fraud detection and prevention are still developing, significant risk for sub-material fraud is often still evident post-implementation.
Evaluating Material and Sub-Material Fraud Risks via a Single Risk Assessment
The challenge that management faces is how to develop a comprehensive approach to evaluating and addressing both material and sub-material fraud risks in a single risk assessment process. First, let’s take a look at some examples of how some audit firms have addressed their identification of risks.
Example 1: Suppliers
Following are several conflicts identified by one audit firm. They took a high risk function, Suppliers (entry of suppliers) and paired it with several other functions. However, the risk noted does not really reflect the true risk. For example, how could a combination of Suppliers and Tax Certificates, Payment Terms, or Tax Groups lead to an ‘inappropriate payment?’ Or, how could a combination of Suppliers and Run MassCancel or Requisition Templates lead to ‘payments to fictitious vendors?’

Example 2: Banks
Following is another high risk single function, bank account entry. From a fraud perspective, access to maintaining bank accounts could lead to fraud by allowing an employee to change the bank account for a supplier being paid via ACH. However, a fraudster doesn’t need access to the Requisition Templates, Returns, or Update Accounting Entries function in order to commit fraud.

As you can see from this example, this particular audit firm isn’t really taking a risk-based approach to developing their conflict matrix. The risk noted for each of these conflicts is the same and the second process (Requisition Templates, Returns, Update Accounting Entries) doesn’t appear to add to the risk. In this case, the Banks function is a high risk sensitive function on its own.
Example 3: Missing Processes
To illustrate the lack of focus on sub-material fraud risk, let me give you an example of what is missing. The ability to generate a credit memo is one way a fraudster could hide the theft of incoming cash (or theft of a check) from a customer. Below are the only major risks that several well-known audit firms note for access to enter credit memos. Not one of them mentions theft of cash in their risks.

Other components missing from many conflict matrices are processes such as access to cash, the ability to initiate a wire transfer or sign checks, and account reconciliations.
Components of a risk-based ‘conflict’ matrix
A conflict matrix built for a true risk analysis would take into account the following:
· Sometimes all it takes to commit fraud is a high-risk single function such as the ability to maintain suppliers, bank accounts, or remit-to addresses. Look for a matrix that identifies high-risk single functions with specific risks for each function.
· In some cases, high risk single functions can be a conflict with inquiry access. For example, if someone with access to maintain bank accounts knew when invoices for a particular supplier were coming due for payment (i.e. via inquiry access), they would know when they need to change the bank account in order to re-direct the funds to their fictitious account.
· In order for fraud to be committed, in many cases something has to be ‘taken’ for personal gain. This usually involves the theft of inventory, assets, or cash (incoming or outgoing). A conflict matrix should identify conflicts such as “Access to Cash versus Entry of Credit Memos” so that management or an internal auditor can look at the potential for theft and ways the theft could be concealed.
· Each ‘conflict’ or high-risk single function should have its own unique risk identified. The risk should state specifics of how misstatement or fraud could be committed. If you see the same risk identified for a function (such as the Suppliers example above) that is in conflict with a lot of other functions that seem unrelated, the real risk probably lies with access to the single function.
· Conflict descriptions and risks should take into account risks outside the system. For example, when looking at the entry of suppliers, one needs to take into account not just who has access to set up a supplier in the system, but also how a new supplier comes to be initiated and approved. If the person performing the supplier entry function is merely entering those suppliers that are approved or requested, then the request or approval process becomes another point of risk that needs to be evaluated.
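The five components above, together with the buyer-and-supplier-request-form example from the SOD testing section, describe an evaluation that most system-only SOD tools do not perform. The following is an added example, not code from the original paper or from any audit firm or SOD product: it evaluates a constructed set of user access records against a small risk-based matrix that has high-risk single functions with their own risks, an inquiry-access conflict, asset-taking versus concealment pairs, and a mapping that treats manual-process roles (approving a supplier request form, handling incoming customer checks) as equivalent to the system function they effectively grant. All function names, users and roles are invented for illustration.

```python
"""Risk-based SOD evaluation that looks past the system boundary.

Added example. The matrix entries, function names, users and roles are constructed;
a real matrix would be built from the company's own risk library.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str          # "single", "inquiry" or "conflict"
    functions: tuple   # the function(s) that produced the finding
    risk: str          # the specific way fraud could be committed


# High-risk single functions: holding one of these alone is a finding, each with its own risk.
HIGH_RISK_SINGLE = {
    "maintain_suppliers": "Can create a fictitious supplier or alter a remit-to address to redirect payments.",
    "maintain_bank_accounts": "Can change a supplier's bank account so ACH payments go elsewhere.",
    "override_check_address": "Can redirect a printed check to an address other than the address of record.",
}

# Inquiry access that sharpens a high-risk single function by revealing timing.
INQUIRY_CONFLICTS = {
    ("maintain_bank_accounts", "inquire_invoice_due_dates"):
        "Knows when a supplier's invoices fall due, so can time a bank-account change to the payment run.",
}

# Pairs where one function takes an asset and the other conceals the taking.
CONFLICT_PAIRS = {
    frozenset({"access_incoming_cash", "enter_credit_memos"}):
        "Can intercept a customer check and issue a matching credit memo to conceal the missing receipt.",
    frozenset({"access_incoming_cash", "write_off_balances"}):
        "Can intercept a customer check and write off the balance so the customer never escalates.",
    frozenset({"maintain_suppliers", "enter_ap_invoices"}):
        "Can create a supplier and invoice it; a review of large checks only covers payments over the limit.",
    frozenset({"maintain_suppliers", "enter_purchase_orders"}):
        "Can establish a supplier and raise a PO against it.",
}

# Manual-process roles treated as equivalent to the system function they effectively grant.
MANUAL_EQUIVALENTS = {
    "approve_supplier_request_form": "maintain_suppliers",
    "handle_customer_receipts": "access_incoming_cash",
    "sign_checks": "initiate_payment",
}

# Constructed access records: {"system": ERP functions, "manual": outside-the-system roles}.
SAMPLE_ACCESS: Dict[str, Dict[str, Set[str]]] = {
    "buyer_a":       {"system": {"enter_purchase_orders"}, "manual": {"approve_supplier_request_form"}},
    "ap_clerk_b":    {"system": {"maintain_suppliers", "enter_ap_invoices"}, "manual": set()},
    "collections_c": {"system": {"enter_credit_memos"}, "manual": {"handle_customer_receipts"}},
    "treasury_d":    {"system": {"maintain_bank_accounts", "inquire_invoice_due_dates"}, "manual": set()},
    "analyst_e":     {"system": {"inquire_invoice_due_dates"}, "manual": set()},
}


def effective_functions(system: Set[str], manual: Set[str]) -> Set[str]:
    """System access plus the system-equivalent of each manual-process role."""
    return set(system) | {MANUAL_EQUIVALENTS.get(m, m) for m in manual}


def evaluate(access: Dict[str, Dict[str, Set[str]]]) -> List[Finding]:
    """Return every single-function, inquiry and conflict finding, ordered by user."""
    findings: List[Finding] = []
    for user in sorted(access):
        funcs = effective_functions(access[user].get("system", set()),
                                    access[user].get("manual", set()))
        for f in sorted(funcs & set(HIGH_RISK_SINGLE)):
            findings.append(Finding(user, "single", (f,), HIGH_RISK_SINGLE[f]))
        for (f, inq), risk in INQUIRY_CONFLICTS.items():
            if f in funcs and inq in funcs:
                findings.append(Finding(user, "inquiry", (f, inq), risk))
        for pair, risk in CONFLICT_PAIRS.items():
            if pair <= funcs:
                findings.append(Finding(user, "conflict", tuple(sorted(pair)), risk))
    return findings


def findings_for(access: Dict[str, Dict[str, Set[str]]], user: str) -> List[Finding]:
    """Findings for one user, for use in a residual-risk review with that user's manager."""
    return [f for f in evaluate(access) if f.user == user]


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_ACCESS):
        print(f"{finding.user:14} {finding.kind:8} {'+'.join(finding.functions):55} {finding.risk}")
```

A system-only test of the same data would clear buyer_a and collections_c, because neither holds a conflicting pair inside the ERP; the manual-role mapping is what surfaces them. Each finding carries its own risk text, so the residual-risk step that follows (identify the mitigating controls, then decide whether to change access, change the process, add a control, or accept the risk) has something concrete to evaluate rather than a generic ‘inappropriate payment’ label.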
Assessing Risk: The Project as a Whole
A comprehensive risk assessment project starts by first identifying the risks inherent in the process. If the starting population of your risks is flawed or is not complete, your identification and development of mitigating controls may leave out critically needed controls. Therefore, it is critical to start with the most comprehensive and accurate set of risks when starting a risk-assessment project.
Once you feel comfortable with your library of risks, you can proceed with a risk assessment that is unique to your company. As it relates to user access controls and segregation of duties, the next steps in your project are:
1. Identify the mitigating controls already in place – some may be key controls and some may be non-key controls
2. Assess residual risk – this should take into account both the design effectiveness and operating effectiveness of the controls
3. Determine response to residual risk – your choices are to change access controls, change the process, add or change the related controls, or assume the risk
Conclusion
Sarbanes-Oxley and its section 404 requirements have given auditors and company management new reason and incentive to look at their anti-fraud programs. However, the approach taken to fraud prevention and detection has been heavily reliant on external audit firms whose primary focus has been the prevention of MATERIAL fraud. This has left many companies with processes and controls subject to significant risks of SUB-MATERIAL fraud. I fear that the risk of sub-material fraud is either widely unknown or is the elephant in the room that no one wants to acknowledge.
End note
Sub-material fraud versus immaterial fraud
First, I’d like to clarify the use of the term sub-material instead of immaterial fraud. Immaterial fraud is a term used in financial statement audits to indicate fraud below the level of materiality. A definition of immaterial (Webster’s) is “of no substantial consequence” or “unimportant.” I chose to use the term sub-material so that the significance of any fraud would not be minimized. There is no CFO who would deem a $100,000 fraud committed against his/her company as “of no substantial consequence or unimportant.”
About the Author
Jeffrey T. Hare, CPA CISA CIA
Jeffrey is the founder of ERP Seminars (www.erpseminars.com) and the Oracle User Best Practices Board (www.oubpb.com) and has written various white papers on Internal Controls and Security Best Practices in an Oracle Applications environment. He has presented white papers to various user groups throughout the country as well as at OAUG and Appsworld conferences. He is the author and presenter of the seminar “Internal Controls and Security Best Practices in an Oracle Applications Environment.” His background includes Big 4 experience, over six years’ experience in CFO/Controller roles, and work in the Oracle Applications space since 1997. Jeffrey can be reached at jhare@erpseminars.com.
About ERP Seminars:
We recognize the need for companies to have continuing knowledge of industry Best Practices. We team with respected independent consultants and firms to provide quality, relevant seminars based on these Best Practices prepared and presented by well-rounded professionals with ERP expertise.
About Oracle Users Best Practices Board:
The mission of the OUBPB is the aggregation of willing writers and reviewers who will participate in a process to develop Best Practices for the Oracle community. The end result will be a repository of "best practice" white papers and other content for end users and consultants to reference in their projects and ongoing development.
Version Control
Date        Author         Version   Reference
11-Jul-08   Jeffrey Hare   1.0       Initial publication
The opinions, beliefs and viewpoints expressed by the various authors and forum participants on this web site do not necessarily reflect the opinions, beliefs and viewpoints of AuditNet®