The message is clear: “Focus on Fraud”

Public companies subject to Sarbanes Oxley (SOX) requirements with a calendar year-end are wrapping up their projects to transition to the 2013 COSO Framework. Among the seventeen Principles formalized in the 2013 framework is Principle 8, which states, “The organization considers the potential for fraud in assessing risks to the achievement of objectives.”

Track Fraud Mitigating Controls

One step that many policyIQ clients are taking to demonstrate evidence that they have adequately addressed this principle is to “flag” their controls that are fraud mitigating. If you do not already have one, we recommend adding a field to your Control template in policyIQ to track whether a Control is fraud mitigating. This allows you to easily report on all Controls where the answer is yes and to relate those Controls to Principle 8 (unless you are linking to Points of Focus, in which case you will link each of the Controls to the most appropriate of the four Points of Focus related to Principle 8).

Address Revenue Recognition Fraud

In addition to feeling greater pressure in the last couple of years from the Public Company Accounting Oversight Board (PCAOB) and the Committee of Sponsoring Organizations of the Treadway Commission (COSO), most companies will also be affected by the new Revenue Recognition Standard.  The new standard is the result of a joint effort by the Financial Accounting Standards Board (FASB) and the International Accounting Standards Board (IASB) that aims to improve upon and to address inconsistencies between the previously held International Financial Reporting Standards (IFRS) and US Generally Accepted Accounting Principles (GAAP). No doubt, some of the most notorious cases of corporate fraud have been directly related to revenue recognition fraud.

Complying with the new standard is a big undertaking for companies. We have written on our blog about the application of policyIQ to better monitor your contracts and agreements and the work that RGP has done to prepare a deep pool of Revenue Recognition subject matter experts around the country to walk alongside accounting professionals and help them to close gaps in their practices. Here, also, is a link to access the recording of RGP’s recent webcast: The New Revenue Recognition Standard Webcast Series (Part 2): How to Begin Implementing the New Standard.

Formally Assess the Risk of Fraud

Additionally, many companies are finally formalizing their fraud programs by instituting a dedicated Fraud Risk Assessment, documenting mitigating controls, identifying gaps, filling those gaps, and so on. Whether using your methodology and questionnaires or RGP’s, we can help you to manage the process more efficiently in policyIQ.

Fraud Risk Assessment Sample

Using policyIQ, it is simple to capture and deploy your fraud questionnaire(s) to the relevant employees, inventory responses and analyze results. Similar to other compliance work in policyIQ, you can link your capabilities or controls to any Fraud Risks that were identified and use policyIQ reporting to easily highlight any gaps in coverage.

Interested in bringing automation to your program or need a subject matter expert to help you develop your Fraud Prevention Program? Reach out to us and we’ll put you in touch with the right person in your area.

 

Upcoming Trainings from RGP!

Please join us for some informative web training sessions this June!  Some of RGP’s brightest minds will give you insight into their corners of the business world, and how they apply to companies nearly everywhere.  So come prepared with questions, and enjoy these free trainings!

The ROI of Change Management (June 19, 2014)

Join us for a lesson in change management and the difficulties that go along with it. The benefits of effective implementation, however, far outweigh the problems, including faster speed of adoption, higher utilization, and ultimately, increased project ROI.

Join guest speaker Pam Magoon, an RGP Human Capital Practice Consultant, on our webcast to discover how investing in change management can benefit your business with minimal disruption and positive results.

Business Risk of Fraud (June 25, 2014)

Fraud can bring a company to its knees with shareholders and employees. Even more damaging is the permanently scarred reputation. During this session, we’ll take a look at real examples of fraud, how to detect it, and most importantly, how to prevent it. We’ll also take a look at a fraud assessment that can be applied to your organization.

Presenting are Trak Patel, RGP’s Director of Client Services & Risk Assurance Leader, and Les Sussman, Senior Practice Director and part of RGP’s Governance, Risk & Compliance Practice.

Register for any of these sessions today to reserve your spot! If you aren’t able to attend, register to receive follow-up emails and a link to the recording as it becomes available.

Addressing COSO Principle #8: Assess Fraud Risk

Risk and Compliance professionals generally agree that the updated 2013 COSO Internal Control – Integrated Framework is not, in essence, different from the 1992 version. And by now, we recognize that the most notable change requiring action is the formalization of COSO’s 17 Principles that were introduced by language embedded in the earlier version. Public companies subject to Sarbanes Oxley (SOX) requirements that utilize the COSO framework and have a calendar year-end will need to demonstrate that all 17 COSO Principles are “present and functioning” by the end of 2014.

At the conclusion of the mapping process, what many of our clients are finding is that they do already have the necessary controls in place. We are helping some clients to also identify where they have more than adequate controls and can use this thorough review as an opportunity to rationalize and reduce the number of controls that they are testing—and, in turn, reduce costs! And, in some cases, companies recognize that the practices are in place, but the controls may not be formally documented and tested.

One of the Principles that is garnering a lot of attention is Principle #8. If you haven’t before, this will likely be the year that you perform a formal Fraud Risk Assessment. You may need to reinforce documentation around your related Entity Level Controls and will want to ensure that those include measurable indicators of appropriate “Tone at the Top”. If you are not sure that you have the appropriate competencies or subject matter experts on your team, we can help to lead or supplement your assessment and documentation of your related controls. Reach out to us if you’d like more information.

Additionally, most companies required to comply with SOX likely already have a fraud hotline in place. Did you know that policyIQ also includes an electronic “WhistleBlower” module that is accessible to all company employees for anonymous submission of suspected financial reporting issues (or other issues, if you choose to rebrand the feature)? The WhistleBlower module is already available in all policyIQ sites and can be enabled at any time at no additional charge. Each case is assigned a 16-character code that is revealed only to the submitter of a case so that he or she may periodically review the progress of any associated investigation and even correspond anonymously with an investigator. This feature provides whistle blowers with greater assurance that their voice or accent will not give away their identity if they wish to remain anonymous.

It is very simple to use policyIQ to demonstrate the presence of preventive and detective fraud mitigating controls. Simply run a report of your Controls and include those two variables as columns in your display. If you haven’t already set up your policyIQ site to capture these items, here are the steps that we recommend:

  1. Add a field to your policyIQ Control Page Template to track whether a Control is fraud mitigating.
  2. Add a field to your policyIQ Control Page Template to track whether a Control is Preventive or Detective (most policyIQ clients already include this).
  3. Review your controls and update the pages to reflect whether they are fraud mitigating and whether they are preventive or detective (note that you can use the Edit Fields option from the Table Toolbar to make bulk changes and save time).
  4. Use a policyIQ Page Detail or Page Detail Link Report to list your Fraud Mitigating Controls and whether they are Preventive or Detective
    1. Use the report results to perform your gap analysis
    2. Use the report results as evidence of your compliance or coverage of COSO’s Principle #8!

If you’d like some support from a subject matter expert, have questions about the mapping process, or would like help with properly setting up policyIQ to support your transition to the 2013 COSO Framework, contact us and we’ll put you in touch with the appropriate resource in your area.

2014 Conference GAM-Packed with Great Speakers, Topics, and Connections!

I attended IIA’s 2014 GAM Conference with my colleagues, Les Sussman (Senior Practice Leader of RGP’s Governance, Risk and Compliance Practice) and Susan Miller (Managing Director, Client Service of RGP’s Parsippany office). We took in a lot of great information over the packed three-day conference and want to share some highlights with you in the form of my “Twitter Notes”! (You can check out the IIA’s Recap here.)

Virginia Gambale, Director of JetBlue Airways and Managing Partner of Azimuth Partners, was the keynote speaker addressing the topic of “The Board’s View of Governance and the Important Role of Internal Audit”.

Gambale talked of how the priorities of audit have shifted with the changing tides in technology as well as with climate issues and the threat of terrorism. She highlighted that Boards need to shift, too (if they haven’t already), to include members with social media and marketing capability, technology, human capital, finance/accounting background, and industry experience.

For many organizations, an annual audit plan is not appropriate any longer. A key takeaway from the great panel discussion that included principals from Cisco Systems, LinkedIn and Google was to be dynamic and agile in audit planning. Participating on the panel were Thomas Austin, VP, Governance Risk & Control at Cisco Systems; Inder Gulati, Head of Internal Audit at LinkedIn; and Lisa Lee, Director of Internal Audit at Google. Lee followed up with a great quote and apparent mantra at Google:

More takeaways from the panel:

We heard from the National Association of Corporate Directors’ Peter Gleason on “Engaging with the Audit Committee”:

Joel Kramer, Managing Director of the MIS Training Institute, was an engaging speaker with a number of great points and memorable quotes! He reminded the audience of audit professionals to “go after the whales, not the minnows” and urged us to not simply roll forward last year’s controls—“business is changing too dramatically and continuously”. Plan to perform a new risk assessment [at least] annually. Here are a couple more Kramer notes:

Of course, we appreciate his emphasis as we (RGP) have 70 wholly-owned offices around the world with experienced subject matter experts from a range of disciplines (Human Capital, Finance/Accounting, Risk & Compliance, Supply Chain, Legal, Information Management and other operational expertise in addition to Audit Expertise) that can support and supplement your audit teams. Check out our site for more information: http://www.rgp.com.

Olivia Kirtley, Deputy President of the Board of the International Federation of Accountants, further emphasized the need for audit to focus on people as one of their top priorities:

And there was certainly a great deal of talk about the role of technology—in generating new challenges for audit professionals, as well as in aiding auditors to be more effective and efficient as they take on evermore responsibility:

I engaged in an interesting conversation at one of our breaks and it was clear that there is still some confusion regarding the COSO 2013 Internal Control – Integrated Framework and whether it is necessary (for companies subject to SOX requirements who are using the COSO framework) to demonstrate the presence of all 17 of the Principles called out in the updated framework. Yes. And it was great to hear directly from COSO Chairman, Robert Hirth. Here are some of the takeaways:

I really enjoyed listening to Jeanette Franzel, one of five members who make up the Public Company Accounting Oversight Board (PCAOB).

Acknowledging the timing of the PCAOB’s Inspection Report which has led firms to require more evidence and documentation alongside the updated COSO Framework, Franzel commented that we are in the…

She discussed the Board’s willingness to visit with companies who have concerns or questions and cited some interesting examples.

I wish that I could have cloned myself to attend more sessions at this year’s GAM Conference and to take more notes (share more tweets)! Overall, the conference provided some assurance that RGP and policyIQ are on the right track, providing appropriate guidance regarding audit planning, risk assessments, auditing, Auditing Standard No. 5, subject matter expertise, and application of the updated COSO framework to finance and accounting professionals and beyond SOX, and that we have a great solution in policyIQ to pull all of the documentation and processes together to promote more effective and efficient teams and processes.

I sincerely appreciate the great connections made and information gathered! If we didn’t get a chance to connect at GAM or you would like to chat more, please feel free to reach out to me (or to have me put you in touch with someone in your local office)!

sbuehrle@rgp.com, and follow us on Twitter: @policyIQ, @ResourcesGlobal