CSA Sentinel

CSA Sentinel – CSA Center membership required for access.

Welcome to CSA Sentinel, The IIA's quarterly publication for control-self assessment (CSA) professionals. A benefit of membership in The IIA's CSA Center, this newsletter features articles on the latest thinking in CSA and risk, practical "how-to" advice, research, and news with the latest development updates. If you would like to learn more about becoming a CSA member, click here.

In This Issue

CSA Workshop Preparedness
Understanding the challenges that can affect workshops will help facilitators increase the potential for a successful self-assessment.

A Practical Guide to Assessing Fraud Risk in Your Organization
Learn about a practical approach to designing and managing a fraud risk assessment and the differences between a successful and unsuccessful assessment.

Success Story
Find out how the director of Orange County Housing and Community Services used CSA to help shape her department's future.

Q&A With Dave Harmon
Learn how hotlines can be an essential component in enterprise risk management.

According to Mike
Who Said You Can't Audit for Fraud?

Quick Tips: Six Key Elements of an Effective Hotline
Before implementing or modifying a hotline, examine these key elements to make sure your organization not only complies with federal statutes, but also provides an effective mechanism for detecting fraud.

Center News
Control Self-assessment Center Directory; GTAG 6: Managing and Auditing IT Vulnerabilities Now Available; The IIA Releases GAIT Status Report.

Calendar
This section includes a listing of upcoming IIA risk and control training events.

CSA Workshop Preparedness

Understanding the challenges that can affect workshops will help facilitators increase the potential for a successful self-assessment.

CHRIS CARTER, CIA, CCSA, CPA, CISA
MANAGER OF AUDIT SERVICES, ONEOK INC.

Facilitated control self-assessment (CSA) workshops are one of the most effective approaches to self-assessment, but can be challenging to plan and conduct. A CSA workshop has the potential to gather more collaborative information than other approaches, but not without some effort on the facilitator's part. Unlike other approaches, workshops have the potential for discussions to go in many different directions. Facilitators should expect this lack of focus and must be prepared to take control of any unexpected situations that arise. Some of the most common CSA workshop challenges stem from improper planning, difficult personalities, and unexpected workshop discussions.

IMPROPER PLANNING

Planning a workshop consists of working with management to prepare content, identifying participants and location, and handling other logistics and administrative matters. Inadequate or non-applicable workshop content usually is not apparent until the workshop begins. If a workshop begins and the facilitator determines that the content is not going to achieve desired results, the workshop should be postponed. However, if the workshop involved substantial effort to bring the participants together, such as travel from various locations, the facilitator should take a break and quickly determine the best approach to refocus the content.

An example of poor content is reflective of inadequate time spent with management to determine their objectives. If workshop participants have never seen or disagree with the objectives, they will not be willing to participate. More often than not, management cannot provide business objectives on the spot, but given time, they can develop perfectly written objectives that employees or workshop participants will understand. This is vital because objectives may have been communicated, but not actually seen in writing. This also can be a great opportunity for managers to revisit business objectives even if they are in place.

An example of poor logistical planning is the inappropriate selection of a workshop location. A workshop held on company property may yield "drifters" — those people that drift to their office during a break and fail to return for a few hours. Additionally, regardless of the workshop location, the meeting room itself is vital to workshop success. Poor lighting, seating arrangements, food, temperature, and access to restrooms can create major workshop challenges.

DIFFICULT PERSONALITIES

In a workshop, no two participants will be identical. Most do not have time for the workshop, but made arrangements to attend, so it's extremely important to give them a personal thank-you and express how valuable their participation is to the final product. A seasoned facilitator will recognize this and warmly thank the participant for taking time from his or her busy schedule to attend the workshop.

Some personalities facilitators may encounter during workshops include disruptors, sleepers, and dominators. A few tips on how to deal with these difficult personalities follow.

Disruptor

A disruptor is a person who either unintentionally or intentionally disrupts workshop productivity. Unintentional disruptors — the most common type — are participants who do not intend to disrupt discussions, but their personality lends itself to disruptive traits. Although the facilitator should sit during the workshop, except during an opening presentation, he or she can hover in front of a disruptor's chair to get his or her attention. This often will help an unintentional disruptor realize how he or she is behaving.

On the other hand, when dealing with an intentional disruptor — a participant who intends to disrupt productivity — try chatting privately during a break to remind him or her of the value that the workshop provides. Also, reinforce that the participant is vital to the workshop, but only if he or she follows the ground rules, which include things such as one person talking at a time, constructive comments are our target, and respect other participants' comments.

Sleeper

A sleeper is a person who simply does not participate in a workshop. Just because a facilitator encounters a sleeper in the workshop doesn't mean it is due to the facilitation style. While some people actually do fall asleep during workshops, the more common type of sleeper is someone who does not intend to participate. These people should be made aware that they are valuable to the workshop. Otherwise, they would not have been selected to participate. This can be done by discussing the matter in a presentation's opening to ensure all participants know they were deliberately chosen rather than through a lottery-style method.

Other effective methods of waking a sleeper include periodically mentioning his or her name, making eye contact, or walking in front of his or her table. For clarification, a good facilitator never should call on someone directly because it can cause resentment and, ultimately, turn the person off. However, using the sleeper's name in a workshop example will draw him or her back into the discussion. For instance, if John is the sleeper, the facilitator could say: "That is a great point. I bet it also affects the jobs that John, Sarah, and Karen do. Does anyone else affected by this have any thoughts?"

Dominator

A dominator is the type of person that thinks he or she knows it all, and wants to make sure everyone knows it. Dominators often tend to think that everyone else is incompetent and should not be speaking. Unlike sleepers, facilitators don't need to worry about making sure dominators are included in workshop participation — a dominator will make sure he or she is included.

If a participant continues to dominate the discussion without prompting, privately visit with the dominator during a break and explain that he or she is vital to the workshop because of his or her knowledge about the organization's business. By recognizing and commending the dominator's knowledge, the facilitator can leverage this person for the good of the workshop. The facilitator might say: "Margaret, it's apparent that you are very knowledgeable about your organization's accounting process and your participation is vital. However, there are many other people in the workshop with great knowledge to share, but they aren't as willing as you. Perhaps you could help me think of ways to engage them in workshop discussions." This approach usually is successful and creates no resentment because the dominator now has a mission that only he or she can accomplish — getting others involved. Be cautious, however, not to let the dominator begin facilitating the workshop.

These are only a few examples of the different workshop personalities facilitators will encounter. There are many good CSA publications for sale at local bookstores or on The IIA's Web site to help facilitators identify the different personalities and how to handle them.

UNEXPECTED WORKSHOP DISCUSSIONS

Once the workshop discussion starts flowing, it can go anywhere and facilitators can have all types of challenges thrown at them. For instance, facilitators need to be prepared for statements like:

• "Management has no clue what is going on in this organization."
• "Why are we here? This workshop is the biggest waste of time during my entire career."
• "I've been monitoring some illegal activity in which our management is involved."

While it's neither practical nor possible to prepare for every statement that could be made, facilitators can have a general sense of what to do when blindsided by a comment that would negatively impact the workshop's flow. Facilitators need to learn about the organization and workshop participants prior to the workshop, if possible, to help ensure smooth workshop discussions. This familiarity can help facilitators anticipate possible statements and questions. When statements such as the three above examples are made, do the following:

• Stay calm.
• Take a moment to think before responding.
• One response might be: "That's certainly an interesting comment. I'd like to know how other people here feel about it." Usually, participants will take the other side and after a brief discussion, you can summarize what was said and move on.
• If there is no rebuttal or way to better the situation, say something like: "Thanks for mentioning that. This is an important matter that should be discussed at another time outside this workshop. Please remind me to visit with you about it later." Or: "I understand your concern. Let me see if I can paraphrase and make it apply to our current discussion topic. If not, we'll put it on a list of topics to consider during another meeting."

Preparing for an unexpected workshop discussion will allow the facilitator to keep the flow of the workshop going, as well as avoid losing credibility and purpose in the eyes of the participant.

PARTING WORDS OF WISDOM

Every CSA facilitator experiences challenges arising from improper planning, difficult personalities, and unexpected workshop discussions. However, through research, planning, and practice, facilitators can be prepared for both unexpected and expected challenges during a CSA workshop. Without being prepared, facilitators may lose credibility, not only from workshop participants, but throughout the organization. Lack of positive response from participants can stifle the success of future workshops.

CHRIS CARTER, CIA, CCSA, CPA, CISA, is the manager of audit services for ONEOK Inc., an energy company that purchases, gathers, processes, transports, stores, and distributes natural gas. As an active member of the Tulsa Chapter of The IIA, he serves as an officer and provides frequent presentations and support at chapter events.

A Practical Guide to Assessing Fraud Risk in Your Organization

Learn about a practical approach to designing and managing a fraud risk assessment and the differences between a successful and unsuccessful assessment.

RICHARD WILSON
EXECUTIVE VICE PRESIDENT, RESOLVER INC.

The focus on fraud in corporations has grown tremendously across the globe since 2002. Legislative and legal forces — such as the U.S. Sarbanes-Oxley Act of 2002, the American Institute of Certified Public Accountants' SAS 99, Consideration of Fraud in a Financial Statement Audit, and the Public Company Accounting Oversight Board's Auditing Standard No. 2: An Audit of Internal Control Over Financial Reporting Performed in Conjunction With an Audit of Financial Statements — have created the need for companies to assess and report the likelihood of fraud occurring in their company and its impact.

A significant transition in internal fraud management also has occurred in more recent years. Fraud management used to be largely the responsibility of human resources and security departments. However, since the genesis of Sarbanes-Oxley, audit and finance teams have become a major part of the fraud management equation. This shift in responsibility stems from the fact that even small frauds can have major impacts on corporate reputations and can lead to material impacts on financial reporting. More than ever before, auditors need to be at the forefront of fraud management. An effective tool that auditors can use to help prevent fraud before it occurs is the fraud risk assessment, which can provide a realistic view of where fraud can occur inside an organization.

THE ANATOMY OF A FRAUD RISK ASSESSMENT

It is useful to provide some context for implementing a fraud risk assessment within the broader goal of managing fraud. Two types of anti-fraud activities commonly deployed by companies are reactive detection and investigation activities, both of which take place after the fraud has occurred.

Ideally, companies should be proactive rather than reactive and prevent fraud before it occurs. According to the Association of Certified Fraud Examiners, the top five most effective fraud prevention tactics are:

1. Implementing strong internal controls.
2. Background checks for new hires.
3. Anti-fraud policies.
4. Ethics training.
5. Surveillance.

A fraud risk assessment can be effective in preventing fraud before it occurs. The goal is to identify fraud risks that are likely to occur and will negatively impact the company's finances and reputation. The results can be plotted on a traditional X-Y heat map to indicate the risks that range from low to high on each assessment scale. Figure 1 is an example of a traditional X-Y heat map showing risks ranked on their likelihood of occurrence and impact to the organization.

It is important for companies to spend adequate time designing their assessment metrics to create reliable results. To illustrate this, think of a small car — maybe it's a compact car such as a BMW MINI; a smart automobile, which is even smaller; or a toy car (Figure 2). Regardless, all three fit the label "small car." As you can see from this example, confusion can result from not providing specific metrics around assessment criteria, such as likelihood and impact. For instance, specify whether the lowest level on your likelihood assessment scale represents no possibility of happening or 0 to 25 percent likelihood.

Similarly, there are two key metrics that should be detailed for impact, which are reputational and financial. The highest level on your impact assessment scale could include the following descriptions for reputation:

• Negative media attention.
• Loss of confidence.
• Major public embarrassment.
• Opinion leaders or customers unanimous in public criticism.
• Shareholder involvement in addressing issues.
• Chief executive officer held publicly accountable.

Financial metrics for this same level of impact are often a percentage of operating income that would represent a catastrophic loss to the company financially. It is extremely important to get these metrics right before moving forward.

THE HIDDEN CHALLENGE

Risk assessments are not a new concept for many corporations, but there is a particular challenge in assessing fraud risk versus other operational, financial, or compliance risks. Fraud is about people acting illegally in your organization — the people you pass in the hall, go to lunch with, and share a toast with at the annual holiday party — which poses a challenge. Assessing the probability of fraud occurring in your organization is equivalent to asking, "Do you believe that anyone you know could defraud the company?" Most people will reply, "No." Everyone knows that companies experience fraud, but it's difficult to imagine that the people we know could do it. Therefore, it is not surprising that at the conclusion of many fraud risk assessments, the picture looks overly optimistic with low likelihood and impact scores.

GO BROAD, THEN DEEP

Tackling the fraud assessment challenge requires certain insights into human nature. First, identify which of the hundreds of fraud schemes could be perpetrated within your organization. To go broad, begin by running a risk assessment online that uses Web-based risk assessment software, such as that in Figure 3, to house the risks. At minimum, participants should be chosen from each of the company's business units or geographic locations including finance, internal auditing, sales, distribution, human resources, security, and internal legal council. It is important to offer participants anonymity so they can be candid.

Expect the results received to underestimate the magnitude of the impact and likelihood of each risk. If that's the case, why should companies bother conducting the online assessment if the results are not accurate? The answer is that while the results do not show how much risk the company currently faces, online assessments are a best practice that's accurate in prioritizing which risks need to be watched closely.

To go deep, assemble a team of fraud risk owners for a fraud assessment workshop. The workshop usually consists of a cross section of appropriate participants from the business units or geographic locations mentioned above. Load the top-ranked risks from the online risk assessment into a risk and control self-assessment (RCSA) software program, demonstrated in Figure 4. Present the participants with the results from the previous online risk assessment during the risk workshop.

Next, consider beginning with the person in the room with the greatest knowledge about the fraud risk to start a discussion on the impact followed by the likelihood of the risk occurring. The reason for discussing impact before likelihood is interesting. The human mind is good at creating associations between two different, but related concepts. Often, if people come to a conclusion about how likely a risk is to occur, they will translate the result onto the impact score. For example, a low score for likelihood often can result in the impact having a low score. Impact and likelihood ratings are separate questions, and there are many instances where likelihood can be low, but if the risk happened, the impact would be catastrophic.

After a candid discussion about the risk, participants could use anonymous voting techniques to score each risk systematically with the same criteria as the online assessment. Because the results generated by the RCSA software are anonymous, participants could communicate their honest opinion about fraud without being influenced by outside factors such as peer pressure, politics, scrutiny from their superiors, or influence from a dominant speaker in the meeting.

Auditors will find that the order of risks ranked in the online risk assessment and the order of risks ranked in the workshop are often similar. Typically, the difference is that the fraud risks from the workshop have received higher overall scores across both criteria and represent a more realistic view of where fraud can occur inside the organization.

CLOSING THOUGHTS

A successful fraud risk assessment consists of several components:

• Begin the process with the end result in mind, which is to understand where fraud is most likely to occur so that the risk of fraud can be controlled effectively.
• Reach out across the organization to gather many opinions about where fraud can occur.
• Consider the frame of mind that the participants have while they are conducting the assessment, remembering that most people cannot easily envision fraud happening.
• Offer fraud risk stakeholders the opportunity to engage in a discussion that is collaborative and anonymous by using RCSA software.
• During your assessment, don't dismiss an outlier who has an opinion that differs from the rest of the group, as they often have a perspective that is enlightening and worth listening to.

After the assessment is complete, stand back from the results and ask yourself if they make sense. If they don't, keep reassessing the risks until you are confident that the picture on your X-Y heat map represents the company you are trying to protect.

Richard Wilson is executive vice president of Resolver Inc. He recently designed and managed an online fraud risk assessment that included more than 650 participants across 25 countries, followed by workshops with key stakeholders throughout the United States. Wilson has experience managing the operations of a growing company and has skills in strategic planning, organizational design, process planning, and resource management.

Success Story

Find out how the director of Orange County Housing and Community Services used CSA to help shape her department's future.

AN INTERVIEW WITH
PAULA BURRIER-LUND
DIRECTOR, ORANGE COUNTY HOUSING AND COMMUNITY SERVICES
ORANGE COUNTY, CALIF.

California's Orange County Housing and Community Services Department provides affordable housing opportunities for renters and homebuyers; manages neighborhood revitalization efforts in unincorporated communities; and administers community services programs for special needs populations, including older adults, veterans, victims of domestic violence and hate crimes, unemployed workers, and the homeless.

HOW DID YOU LEARN ABOUT CSA?

I began working for Orange County in 1999 and took over the Housing and Community Development Department, which had undergone several leadership and organizational changes during previous years. I knew the department had been scrutinized heavily prior to my arrival, so I wanted to create a safe environment for people at all levels to discuss issues — both good and bad — to help me determine where I should focus my efforts. The department's main goal was to make sure an action plan was created to address the issues, as well as communicate with the staff to show we were following up on the things they shared with us.

I first learned about control self-assessment (CSA) from the director of internal auditing who began working for the county around the same time I did. Our first discussions about CSA mostly happened by chance. As the new directors with the county, we were discussing our departments and how things were going. Hearing about the issues and changes my department had undergone, the director of internal audit began explaining the CSA process to me. I thought the concept was tremendous and embraced it right away.

HOW DID YOU BEGIN USING CSA IN YOUR DEPARTMENT?

Shortly after learning about CSA, I asked internal auditing to conduct an assessment in my department. I discovered that a lot of people don't embrace this process and that most are afraid of it, but as the new person, it was easy for me to see the value in CSA. At that time, there were approximately 110 staff members in three divisions in my department. I had all the divisions go through a self-assessment, but based on conversations with internal auditing, we chose a broad representation of all classifications in the division. We also avoided having too many representatives from management so that other staff members felt safe in contributing honest opinions and feedback.

Approximately four years after my first experiences with CSA, the county's board of supervisors merged the Community Services Agency into mine and created the Housing and Community Services Department. This merger increased my three-division department to seven divisions with a total of 230 staff members. I once again used CSA to help me get up to speed as quickly as possible on the organizational issues within the new department, which helped me focus on merging two different organizational cultures.

WHAT ARE SOME WAYS THAT CSA HELPED YOUR DEPARTMENT?

From the start, I learned that CSA is a valuable tool to help focus on the most important issues first. The results of the self-assessment were mapped graphically, indicating the biggest red and green areas. Green areas indicate where there's a strong consensus that things are working and are well-aligned whereas red areas indicate the opposite. These results helped me triage the department by identifying the greatest discrepancies between our goals and professional standards for the organization and the reality as perceived by the staff. For example, we wanted a skilled, well-trained staff, and the CSA revealed whether the staff felt they had the necessary skills and training to do their job.

CSA was the perfect tool to help me figure out where the biggest problems in my department were. It also helped uncover the talent and commitment in the department and showed that many organizational obstacles had stifled these qualities. After the self-assessment, I was able to identify these obstacles fairly quickly and start taking proactive action to eliminate them, which allowed the department to blossom. Had we not been so successful with our first CSA effort, I don't think the board would have merged another department with us if they weren't pleased with the way we turned around the Housing and Community Development Department. CSA helped us do that much more quickly than we would have been able to do otherwise.

I also view CSA as an excellent tool to help communicate with staff that breaks down some of the hierarchies in the organization. I think by using CSA from the beginning, I was able to send the message that there's an opportunity at all levels to communicate in a safe environment.

DO YOU HAVE ANY RECOMMENDATIONS OR WORDS OF WISDOM FOR OTHERS WHO ARE CONSIDERING IMPLEMENTING A CSA PROGRAM?

I think one of the most important things to do prior to introducing CSA is to assure the manager having the self-assessment that CSA is an evaluation tool, not something to judge the manager against. In my opinion, you have to assure management that there won't be negative repercussions against them if the results show problems or issues needing to be addressed. If you don't, you’ll never get an honest reaction or feedback about what's going on within the department. So, I think that's one of the most important things to stress — that CSA is not an evaluation of the manager; it's an opportunity to hear from people in your department that normally don't speak up.

Also, position CSA as a communication tool. Some of the things that are raised as you explore them in a self-assessment sometimes don't turn out to be what you originally thought they were. If you took one of the CSA reports that I received and stopped there, you would have missed the boat completely. You have to follow up on the self-assessment and explore exactly what people mean when they say something is a problem. Don't just go by the words that were used on the report. The words are all structured and the questions are always the same. But if you don't dig a little deeper into what it is people really mean, you'll solve the wrong problem.

Therefore, CSA is a starting point, not a final document. CSA creates a fascinating opportunity to have a good discussion with your staff about what issues there are in the organization and what obstacles prevent them from functioning at their highest level. Don't just take the original document, though. Use it as the start of the conversation rather than the finish.

DO YOU HAVE ANY FINAL THOUGHTS TO SHARE ABOUT CSA?

I think CSA is extremely valuable for everyone, but particularly a new manager. Even if you join a high-performing organization, CSA is an excellent way to let people know that you care about what they think and are willing to explore whether there are any issues that need to be addressed. If you're lucky enough to get "all green" as the graph would say, which means everyone is rowing in the same direction and understands their purpose, then that's great. That's valuable, too.

Paula Burrier-Lund has more than 20 years of senior management experience in city and county government. She currently serves as the director of Housing and Community Services in Orange County, Calif. Previously, Burrier-Lund served in similar positions throughout California for the San Diego Housing Commission, the city of Santa Monica, the Los Angeles County Community Development Commission, and the city of Lawndale.

Q&A With Dave Harmon

"A few years ago, my company implemented an ethics hotline as part of our response to comply with Sarbanes-Oxley. Our service contract will expire soon, and we are reevaluating what we have in place. Thinking beyond Sarbanes-Oxley, what implications might our hotline have for ERM or CSA?"

DAVE HARMON, CIA, CCSA, CPA, CISA
DIRECTOR OF FINANCIAL MANAGEMENT PROGRAMS, UNIVERSITY OF CALIFORNIA

To directly answer your question, hotlines have a significant role to play with enterprise risk management (ERM) and the Committee of Sponsoring Organizations of the Treadway Committee (COSO) because they have control implications for components of COSO and span across the entire business enterprise.

Hotlines are hotter than ever before, and for good reason. According to the Association of Certified Fraud Examiners' 2006 Report to the Nation on Occupational Fraud and Abuse, "Occupational frauds are more likely to be detected by a tip than by other means such as internal audits, external audits, or internal controls." As you point out, hotlines are mandated for many companies to comply with the U.S. Sarbanes-Oxley Act of 2002. In fact, Sarbanes-Oxley compliance has undoubtedly been the primary driver by requiring a hotline for all publicly traded companies. In 2005, California even passed a similar requirement for nonprofit organizations. However, the philosophy of ERM and COSO makes a strong case for expanding hotline applications beyond merely complying with Sarbanes-Oxley at the lowest possible cost. For enlightened management, this expansion should not be a big jump to make. It just requires that hotlines be regarded as a key component of internal control rather than a statutory requirement.

The effective use of a hotline sends a clear message regarding management's intentions and expectations, which clearly figures into how employees view the organization's tone at the top. Keep in mind that the key word here is effective. Transparency and accountability are critical to how hotlines are viewed throughout an organization. Do people understand how the reporting works?For instance, do they believe hotlines are truly confidential and that there is accountability? One measure that strengthens how hotlines are perceived is when they are used in combination with a formal code of conduct, which helps clarify desirable versus unacceptable behavior.

Hotlines also can play an essential role in risk assessment when issues arise that otherwise might not get management's attention. This particularly could be true where there is a weak control environment. If you are embarking upon an ERM effort, you may find that sanitized hotline information is useful to expand what management views as their risk universe beyond financial management. Conversely, ERM and other risk assessment activities may give you insight into how to plan and organize your hotline's reporting to be more effective.

Additionally, hotlines are a significant enterprisewide control and monitoring activity. They are preventive in the sense that the threat of sanctions may deter inappropriate and fraudulent activities and are detective in that they monitor these activities for appropriate follow-up. Given these benefits, you may want to take a more critical look at what you have in place and consider whether enhancements are needed. This not only includes the nature of your service contract, but also your internal hotline's operating procedures.

I think it is important to look at hotlines within the larger context of an ethics program. Many organizations have a patchwork of activities such as implementing a hotline and adopting a code of ethics or conduct. However, standalone activities that are not integrated into a cohesive program do not really have a significant impact on what is perceived by employees as the tone at the top. To find out where your organization stands, ask yourself these questions:

• Do we have an ethics program or a designated ethics officer?
• Is there some type of mandatory ethics and compliance training? If so, who has oversight responsibility? Ideally, the answer would be the audit committee.
• How often does senior management discuss ethics and compliance in internal communications to employees? If the answer is not at all or one or two times a year, that's not enough to get people to believe that the organization is really serious about a hotline. Consistent and regular communication is a critical success factor.

I think you get my point. Hotlines are important with regards to Sarbanes-Oxley, as well as ERM and COSO. However, they are only one part of the larger picture of ethics.

David Harmon, CIA, CCSA, CPA, CISA, is director of financial management programs at the University of California, Los Angeles, and instructs several IIA courses on CSA. Harmon helped to develop a CSA program in his former position at Fannie Mae and contributed to the questions in The IIA's Certification in Control Self-assessment exam.

According to Mike

Who Said You Can't Audit for Fraud?

MICHAEL PIDZAMECKY, CFE, CMA
CONSULTANT, TORONTO

I attended a recent fraud conference where there was, shockingly, much talk about fraud. Personally, I find it ironic that when we read or talk about fraud, it's always about what happened in this scheme or that scheme. The key message here is that it always seems to be after the fact. Many of us who are auditors — external or internal — say we do not audit for fraud. Rather, we audit an organization's internal controls and processes. In completing such a review, we make sure that reasonable and effective controls are in place to prevent fraud, but there is never absolute assurance. Yes, we may get lucky and discover fraud during a review, but not because of a planned audit review.

Well guess what? I am going to challenge this notion and say that we — auditors, fraud examiners, management, lawyers, controllers, or whomever — actually can audit for fraud in an effective and efficient manner. You probably are shaking your heads thinking, "Mike is really stretching the use of self-assessment. There is no way you can identify and audit specific frauds taking place in your organization by just sitting and talking around a table." Well, I want you to know that you can. In fact, one of this issue's feature articles, "A Practical Guide to Assessing Fraud Risk in Your Organization,"  discusses using self-assessment workshops to identify potential fraud.

In traditional risk and control self-assessments, we gather information and people to analyze what is taking place in the organization. We have them look at the business, as well as its objectives and processes, through interviews and workshops. In doing so, we develop an understanding and an enterprisewide view of what risks the organization faces, and analyze them to determine if and how they might impact our ability to achieve our various strategic and business objectives.These risks can have negative consequences, in which case we develop internal controls and processes that will mitigate them to an acceptable level for us to achieve our goals. In some cases, we find that the risks are extremely trivial and we are using entirely too many resources trying to control them. And, in other cases, we find that a risk is an exploitable business opportunity that when managed, properly, may provide new economic or social benefits to the organization.

Using the same techniques for risk and control self-assessment, you can identify fraud risks that threaten your organization. By analyzing the hundreds of fraud schemes that could affect their business, organizations can zero in on the most potentially damaging or probable frauds that can be or are taking place. These fraud schemes are determined by brainstorming potential fraudulent situations that are common to all organizations and those specifically attributed to your particular industry or organization.

To help you get started, here are two general examples that could be included in anyone's assessment:

1. Intellectual property theft by employees. Employees may commit theft for their own personal gain while employed or after leaving a company by selling information to competitors.
2. Side letter agreements. The Securities and Exchange Commission's Staff Accounting Bulletin: No. 101 – Revenue Recognition in Financial Statements requires a definitive sales or service agreement. However, customer-vendor relationships often change. For example, a company enters into an arrangement, but later makes changes in a written or oral agreement that is executed outside normal control and reporting channels. The real terms of the deal are not represented in the official contract — a document often used when making business decisions, valuations, or investments.

An actual audit of potential or real fraud can now take place because you know where, when, why, and how it can be or is happening. Once you have your list of schemes, follow the same process you would use for other self-assessment reviews — you determine the probability and impact such schemes will have on your organization. If they rate high, start auditing to find out if it's too late or if you are just in time to stop it.

As you can see, there is no reason for any organization not to be proactive in auditing for fraud. A fraud self-assessment is a perfect tool to help you and your management team audit potential fraud loopholes in controls and processes long before they become reality and your company is talked about at the next fraud conference.

Michael Pidzamecky, CFE, CMA, is a private consultant who works with CSA and ERM processes. Pidzamecky has developed several self-assessment approaches, presented sessions for IIA courses and conferences, and written questions for The IIA's Certification in Control Self-assessment exam.

Six Key Elements of an Effective Hotline

Before implementing or modifying a hotline, examine these key elements to make sure your organization not only complies with federal statutes, but also provides an effective mechanism for detecting fraud.

DAVID CHILDERS
PRESIDENT AND CEO, ETHICSPOINT

There are more than 60 federal statutes, including the U.S. Sarbanes-Oxley Act of 2002, supporting or requiring a methodology for anonymous reporting and whistleblower protections. Against this regulatory backdrop, and further bolstered by Federal Sentencing Guidelines, ethics and compliance hotlines have become key components of enterprise risk management and a form of self-assessment because employees are reporting on and helping to evaluate an organization's culture. Studies such as the Association of Certified Fraud Examiners' 2006 Report to the Nation on Occupational Fraud and Abuse have indicated that hotlines are the most prevalent method of detecting fraud, and by extrapolation, other risk events that may impede an organization's strategic objectives.

Hotlines should not be viewed as simply a whistleblowing mechanism, but rather a means to identify and resolve sensitive issues, encourage compliance across multiple disciplines, and minimize financial, legal, and reputational risk. Today’s hotlines must provide a methodology for reports to be triaged and managed toward resolution in a manner that can be measured and audited. The following six key elements have emerged from organizations that use hotline systems as an indicator of the organization's health and as a catalyst to strengthen their cultural underpinnings.

1. ASSESS AND TAILOR YOUR HOTLINE TO MEET YOUR ORGANIZATION'S INHERENT RISK FACTORS AND CULTURAL MAKEUP

Each organization is unique in its risk assessment and risk response strategies. Hotlines must be tailored accordingly. An example includes tailoring hotline incident categories to meet company-specific risk factors head-on. Multiple intake methods, including telephone- and Web-based reporting, should be provided to best match stakeholder communication preferences. Companies with global operations should consider localizing hotline communication into local languages and must take into account international data privacy standards.

2. PLAN FOR ORGANIZATIONAL READINESS

Before rushing to implement a hotline, spend time in the planning phase to lay the groundwork for a successful system. It is essential to create an environment where employees, vendors, and customers understand the organization's commitment to ethics and compliance and are knowledgeable about the guidelines established for the way the organization does business. Awareness for the hotline must be established, and a culture of transparency encouraged, from the top down. Many organizations implement ongoing, multifaceted communications programs that not only introduce the hotline, but also position it within an overall program of compliance, ethics, and risk management.

Organizational readiness also means being prepared to handle hotline reports. For instance, who will review the reports and who will investigate? The ability to immediately assign reports based on skills or roles will eliminate bottlenecks and allow reports to be reviewed faster. Also consider how management is involved and determine the process for the escalation of issues.

3. PROVIDE FAST AND EFFECTIVE RESOLUTION FOR HOTLINE CALLS

Because a trusted hotline supports the tone at the top and a company's open-door policy, make sure the reporting system encompasses a wide range of risk and violation categories so that stakeholders don't feel as if management only wants to hear about a narrow set of issues. It also is critical to be able to handle complex issues that touch on multiple categories. For example, a suspected case of embezzlement could include the threat of violence and drug use. The ability to handle complex issues reinforces to stakeholders and those charged with review and resolution that the hotline is more than a "check-the-box" system —it is also an important resource that can handle the complexities of the real world.

Furthermore, it is critical to follow up immediately with hotline users, even those who've chosen to remain anonymous. Giving acknowledgement of receipt and updates on progress and resolution are instrumental in reinforcing the organization's commitment to transparency. An effective reporting system facilitates such interaction and makes it easy to probe for more information while maintaining anonymity and confidentiality (e.g., through the use of unique report password protections). This gives the organization better insight into the issue being raised and also can help identify frivolous or unsubstantiated reports.

4. IMMEDIATELY ASSESS AND RESOLVE ISSUES THAT ARE RAISED

This is where the rubber meets the road. Assuming you've laid the groundwork, your organization now should be prepared to handle reports. During report intake, make sure that issues are categorized correctly and that sufficient information is gathered using collaborative interviewing and data-gathering techniques. Assign issues for assessment to the right personnel using automatic assignments predetermined by the organization — when possible — to eliminate bottlenecks. Prepare for and know how to select the appropriate analysis approach, such as internal analysis, special investigations sometimes involving external agencies like the Securities Exchange Commission, or external investigations.

5. PERIODICALLY ASSESS AND REVIEW ALL REPORTS TO IDENTIFY "HOT SPOTS" OR NEW RISK AREAS

The hotline reporting environment should provide the statistics and analytics needed to understand more about the patterns of behavior and establish benchmarks for trending and review. This review should look for breakdowns of internal controls, geographical or departmental "hot spots," the need for additional training, or the need to adjust policy. This should include information received from hotline reports, in addition to information obtained through an organization's open door policy or through performance reviews, internal audits, or investigations. All of this data should be warehoused in a central location that can be reviewed to formulate an overall risk assessment review. This evolving data source then should be used to create a primary risk summary or as an ongoing comparison against the organization's established risk profile.

Additionally, tracking the outcome and post-corrective action for each incident provides the ability to review these actions so that your pending corrective actions are balanced and appropriate. This is critical when demonstrating that a system provides consistent and fair treatment for all types of reports. With the recent changes in the Federal Sentencing Guidelines, the ability to track resolution activity and steps taken to prevent future similar misconduct has never been more important.

6. REVIEW AND IMPROVE THE PROCESS

Adopting the motto "what gets measured gets done" can help organizations remain focused on reviewing and improving the hotline process. Create a schedule for reviewing how the hotline is working, especially regarding communication, operational efficacy, and cultural assessment. Reviewing the process will help determine whether or not there is a need for additional training or new or updated policies within the organization.

IN THE END

Today's ethics and compliance incident awareness and hotline reporting systems should be much more than check-the-box solutions. Integrated Web- and telephony-based systems, coupled with powerful incident management and analytic tools, are proving instrumental in helping organizations manage enterprise risk. Fortunately, many organizations are already well down this road, reaping the benefits of consistent risk management, improved operational performance, reduced operational surprises, and transparent cultures.

If you have a "quick tip" that you'd like to share, please e-mail the editor.

David Childers is the chief executive officer and director of EthicsPoint, as well as a charter member of the Open Compliance and Ethics Group (OCEG), a nonprofit coalition of the nation's business leaders assembled to develop compliance standards and guidelines. Childers serves on the OCEG Leadership Council and Technology Council and is a member of the Ethics and Compliance Officers Association, the Society of Corporate Compliance Executives, and the National Association of Corporate Directors.

Center News

CONTROL SELF-ASSESSMENT CENTER DIRECTORY

NOW AVAILABLE — GTAG 6: MANAGING AND AUDITING IT VULNERABILITIES

Chief audit executives and internal auditors who want to learn more about managing and auditing IT vulnerabilities are in luck. The IIA recently released the sixth guide in its Global Technology Audit Guide (GTAG) series, Managing and Auditing IT Vulnerabilities. The 24-page guide was developed to help CAEs and internal auditors ask the right questions of IT security staff when assessing the effectiveness of their vulnerability management processes. The guide recommends specific management practices to help an organization achieve and sustain higher levels of effectiveness and efficiency, and illustrates the differences between high- and low-performing vulnerability management efforts.

To download the guide, visit The IIA's GTAG Web page, www.theiia.org/download.cfm?file=39632. (PDF, 574 KB)

THE IIA RELEASES GAIT STATUS REPORT

To keep the internal audit community informed on the current status of The IIA's Guide to the Assessment of IT General Controls Scope Based on Risk (GAIT), the GAIT core team recently published its first Status Report, which provides information on the state of GAIT, a letter from the GAIT team leader, experiences from organizations implementing GAIT, and "Ask Dr. GAIT" — a question and answer section through which the GAIT core team will respond to practical questions from users of the GAIT methodology.

"The GAIT status report is an effort to fulfill a long-recognized need to create a communications vehicle among the GAIT core team, The IIA, and the various constituencies who have expressed interest in the GAIT initiative," says Heriot Prentice, The IIA's director of technology practices. "We think this is important, because the GAIT core team has been working round-the-clock to finalize the GAIT methodologies and principles, as well as to create consensus between management and external auditors."

To read the full report, visit The IIA Web site, www.theiia.org/download.cfm?file=39892. (PDF, 1.2 MB) If you would like to provide feedback for the upcoming GAIT Status Report, contact Heriot Prentice at heriot.prentice@theiia.org. Inquiries to "Ask Dr. GAIT" can be sent to drgait@theiia.org.

Calendar

DECEMBER

• Dec. 4–5; Lake Buena Vista (Orlando), Fla.

Evaluating Internal Controls: A COSO-based Approach

• Dec. 4–6; Lake Buena Vista (Orlando), Fla.
• Dec. 11–13; Las Vegas

Sarbanes-Oxley Act: Impact on Information Technology

• Dec. 4–6; Lake Buena Vista (Orlando), Fla.

JANUARY

• Jan. 22–24; Phoenix

FEBRUARY

Adding Value Using Risk-based Auditing

• Feb. 21–23; New Orleans

Corporate Governance: Strategies for Internal Audit

• Feb. 28–Mar. 2; San Diego

Evaluating Internal Controls: A COSO-based Approach

• Feb. 19–21; New Orleans

Facilitating Results Using CSA

• Feb. 21–23; New Orleans

• Feb. 19–21; New Orleans

• Feb. 21–23; New Orleans

MARCH

Enterprise Risk Management: Process Improvement Workshop

• Mar. 29–30; Las Vegas

Enterprise Risk Management: What's New? What's Next?

• Mar. 28–30; Las Vegas

Evaluating Internal Controls: A COSO-based Approach

• Mar. 5–7; Orlando

Sarbanes-Oxley Act: Impact on Information Technology

• Mar. 7–9; Orlando

To add your CSA course, seminar, conference, or event to the calendar, please forward all pertinent information to Editor Allison Cain via e-mail, allison.cain@theiia.org, or by fax, +1-407-937-1103.