The board’s role
According to the Committee of Sponsoring Organizations (COSO), “the board of directors and senior management establish the tone at the top regarding the importance of internal control, including expected standards of conduct.” This includes ensuring that proper safeguards are in place.
Fraud historically increases during economic downturns, making the board’s role especially important today. Boards must constantly adapt, as fraudsters evolve new and creative schemes. Consider the government’s Paycheck Protection Program (PPP). Although the program only began in April 2020, according to Wired Magazine, as of December the Secret Service was investigating 700 cases of fraud and the Justice Department had already charged 80 people with attempting to scam $240 million from the program.
The anti-fraud ecosystem
Minimizing fraud risk requires extreme diligence from all the participants in the financial reporting ecosystem, from the board, to management, to the external auditor. Companies can effectively fight fraud by continuously exercising professional skepticism, focusing their attention on high-risk areas and conducting ongoing regular risk assessments. As an annual audit is not a part of a company’s controls, boards and management should conduct ongoing fraud assessments throughout the year.
Actions speak louder than words and setting the right tone around fraud is critical. Tone starts at the top with the board of directors and senior management. But it does not stop there. Boards must integrate an anti-fraud mindset throughout the company, reaching senior management, middle management, internal controls and the external auditor.
Skepticism is also critical. Boards should reinforce that management reminds employees, customers and stakeholders to be wary of emails offering assistance, or directives to override internal controls, even if they appear to come from an official source. Oversight by the board should ensure that management has instructed employees to always verify requests through an alternate channel.
Boards also need to focus on internal controls over fraud. It is critical that internal controls be continually updated for today’s remote workforce. No one knows when COVID will end, but most people believe — myself included — that large numbers of employees will be working remotely on a long-term basis.
Cybersecurity is key, too. Boards should be satisfied that cybersecurity practices and protocols are up to date. This means creating strong firewalls, establishing protocols for remote employees, updating patches, protecting credentials, and maintaining effective password-management procedures. It also means controlling employee and senior management access to sensitive systems.
Ensure your company’s plans include fraud- and cyber-threat intelligence monitoring of the dark web. This includes information on what cyber fraudsters are buying and selling along with the new techniques they use, providing advance notice of future fraud risks for your organization.
Analytical tools are also useful to boards. Fraud-busting technologies such as data matching, anomaly detection and identity analytics should be employed by management and shared with the board. Of course, data collection and governance are essential. The more data organizations effectively collect now, the better positioned they will be to prevent or timely detect and mitigate fraud to acceptable levels as the pandemic plays out.
Fraud attempts have increased significantly due to the unique circumstances of the past year. By raising awareness about increased fraud risk and responsibility, from the board of directors all the way down to the users of the financial statements, we can better protect the business and its stakeholders.
Grant Thornton and the Association of Certified Fraud Examiners have created an Anti-Fraud Playbook, which may be of assistance to both directors and to management teams as they deal with the increasingly complex dynamics of managing fraud for today’s enterprise.
Grant Thornton library articles: How boards can champion an anti-fraud ecosystem