March 1, 2005
The Monthly Newspaper of the NYSSCPA
Vol. 8, No. 4

AICPA Releases Best Practices for Audit Committees
A Tool to Combat Management Overrides of Internal Controls

By Simon Eskow

New guidance encourages audit committees to develop skepticism, hold brainstorming sessions on potential risks and adopt other techniques already employed by auditors in uncovering management fraud.

The American Institute of CPAs in January released “Management Override of Internal Controls: The Achilles’ Heel of Fraud Prevention,” a 26-page document explaining how management may circumvent internal controls and what audit committees can do to stop it.

Observers called the document an effective and useful tool for public, private and not-for-profit companies, especially smaller entities that aren’t necessarily as heavily scrutinized as, say, those that fall under the jurisdiction of the Public Company Accounting Oversight Board.

“This is a reiteration of best practices, of SAS 99,” said Margaret Wood, vice chair of the New York State Society of CPAs’ Financial Accounting Standards Committee. “Audit committee members never read SAS 99. They didn’t have to. This is a place that audit committee members can go and learn, and that’s not bad for smaller companies. Bigger companies, the auditors are already all over them.”

The AICPA identified three common frauds that management is in a position to commit and that audit committees, in this post-Enron era, should be vigilant over. These include recording fictitious business transactions, altering records, and reversing reserves to manipulate results. In addition to developing a healthy dose of skepticism and brainstorming possible fraud risks, committees should also apply the code of conduct to assess whether management will maintain integrity in the face of pressure or opportunity to commit fraud; cultivate a network beyond management to get feedback about risks; and ensure that the company has a “vigorous” whistleblower program.

“All audit committees, even those not covered by the Sarbanes-Oxley Act of 2002, should seriously consider establishing a whistleblower hotline,” AICPA Vice President John Morrow said in a Jan. 25 press release. “It’s the number one method for catching fraud at the management level.”

The AICPA and others say that because management creates and maintains internal controls, it can subvert them as well, given the proper incentive.

“Thus, otherwise effective internal controls cannot be relied upon to prevent, detect, or deter fraudulent financial reporting perpetrated by senior management,” the new guidance states. “The audit committee must evaluate whether oversight mechanisms are in place ... (to) prevent, deter, or detect management override of internal controls.”

John Heveron, a Rochester practitioner who spoke about best practices at the NYSSCPA’s Nonprofit Conference in January, said in an interview that there is a fraud risk where there is “anyone dealing with money that is not their own.”

The problem for auditors and audit committees, though, is to find a fine line between skepticism and overzealousness.

“The question is, ‘How do we not get lulled into the idea that nobody is committing fraud?’” Heveron said. “You should never let your guard down, but you shouldn’t be overly suspicious.”

Heveron called the new guidance “excellent,” and both he and Wood singled out the whistleblower program as one of the better suggestions in the guidance.

But Heveron said that he would like to have seen the AICPA include a suggestion for audit committees to develop a comprehensive fraud detection program that would involve a review of controls and a process to identify specifically what risks there are, and to develop ways to minimize management’s ability to override those controls.

Wood emphasized the usefulness of guidance for smaller public companies and private companies, whose audit committees have had to take on a far more active role in overseeing management.

“Audit committees are meeting more often,” she said. “In a private company, it used to be lucky if they met twice a year for audit and scope presentations. But the larger private companies’ audit committees are starting to meet more frequently.”

The AICPA has posted its guidance on its Audit Committee Effectiveness Center Web page at www.aicpa.org/audcommctr.
