FEBRUARY 2010
 
The Fraud Beneath the Surface
 

Internal auditors can help their organization manage fraud and misstatement risks in the conversion to International Financial Reporting Standards.

 
Fernando Cancino, CIA, CFE
Business Process Outsourcing Executive for the Americas
Amicorp
 

Against the backdrop of a worldwide financial crisis and economic recession in November 2008, the G20 nations asserted their commitment to creating a single set of high-quality global financial reporting standards. Soon after, the U.S. Securities and Exchange Commission and the American Institute of Certified Public Accountants each endorsed the conversion from U.S. Generally Accepted Accounting Principles (GAAP) to International Financial Reporting Standards (IFRS).

 

But converting to IFRS effectively mandates a change in accounting policies and the internal controls over financial reporting that poses a significant risk of financial statement fraud and misstatement for U.S.-listed firms. Internal auditors need to understand these risks and recommend increased management oversight and guidance to their organizations. The IFRS conversion is more than just a change in accounting standards affecting the finance function — it will have an organizationwide impact. Internally, any business function required to prepare financial information, or impacted by it, is vulnerable to change. Externally, IFRS will affect customer relationships, how companies are perceived in financial markets, shareholder value, and regulatory compliance.

 

The main change in the IFRS conversion lies in the mind-set companies apply to accounting and financial reporting. While U.S. GAAP is both principles- and rules-based, IFRS is solely principles-based. This difference will require management to shift its accounting and financial reporting from a compliance-based approach to an economic-value approach. Management must use judgment in presenting financial statements, which adds a human element that could increase the risk of financial statement fraud and misstatement.

 

OPPORTUNITIES FOR FRAUD

The fraud scale developed by Steve Albrecht of Brigham Young University in Salt Lake City, Utah, measures the propensity for fraud based on three criteria: situational pressures, perceived opportunities, and personal integrity. When situational pressures and perceived opportunities are high and personal integrity is low, fraud is much more likely to occur than when the opposite is true. The IFRS conversion may increase the opportunity to commit financial statement fraud, as accounting policies and internal controls over financial reporting change, according to Gerard Lack, author of Fair Value Accounting Fraud: New Global Risks and Detection Techniques (see “Potential Fraud Schemes” below). The pressure component is already high considering the reasons why recent financial statement frauds occurred, such as top management’s concealment of true business performance, preservation of personal status and control, and maintenance of personal wealth. Lastly, the personal integrity component will vary from organization to organization based on the effectiveness of its hiring and promotion vetting process and ethics program. Applying Albrecht’s fraud scale to the IFRS conversion, taking the economic downturn into consideration, yields a high opportunity to commit fraud, high situational pressure, and a medium-high to high propensity of fraud.

Potential Fraud Schemes

IFRS conversion changes regarding recognition of revenues and expenses, valuation, and classification of assets and liabilities expose companies to many financial statement fraud schemes, including:

  • Altering the valuation of accounts receivable by failing to establish appropriate reserves and allowances and recognize related expenses.
  • Manipulating the methods to value inventory, creating an overstatement of inventory quantities and unit costs.
  • When preparing IFRS opening balances, writing off inventory when future value exists.
  • Misclassifying investments to realize gains or avoid recognizing losses in current results.
  • Depreciating fixed assets using unreasonable methods and assumptions.
  • Overstating the value of assets.
  • Manipulating restructuring, purchase accounting, and other reserves.
  • Misclassifying lease structures.
  • Inappropriately recognizing revenue and expenses.
  • Inappropriately recording journal entries to reduce expenses or cost of goods sold.
  • Not disclosing related-party transactions and balances appropriately.
  • Failing to disclose significant accounting policies, estimates, and changes appropriately.
  • Inappropriately accounting for business combinations.
  • Manipulating financial statements to manage the firm’s perceived value.
  • Restating the opening balances.

One of the key concerns about the conversion to IFRS is the value judgment element. This element will be present to varying degrees in all of the possible types of financial statement fraud schemes, which are aimed at deceiving parties that rely on financial statements.

 

Although the IFRS conversion project is management’s responsibility, it requires involvement by most departments. For management, the conversion is an opportunity to take a clean-slate approach to accounting policies, procedures, and financial reporting. The audit committee also plays an integral role by providing oversight and advising management on the importance of implementing a sound conversion risk assessment.

 

CHANGE IN FINANCIAL REPORTING

At the core of the IFRS conversion is the review and adaptation of existing accounting and financial reporting policies and procedures. Management will have to take a judgment-based position on key differences between U.S. GAAP and IFRS, including:

 
  • Timing and proportion of revenue recognition.
  • Timing and value of expense recognition of share-based payments.
  • Timing, value, and reporting of expense recognition of employee benefits.
  • Selection of asset impairment testing models that affect the timing of nonfinancial asset impairment.
  • Capitalization of development costs as opposed to expensing as incurred.
  • Development of fair market valuation of financial assets as opposed to recorded cost.
 

Accounting policies, processes, and procedures are preventive controls. The process of adjusting these core controls to meet IFRS requirements creates an opportunity and method to manipulate them for unsavory purposes and potentially embed a self-perpetuating fraud mechanism.

 

Overlaps between U.S. GAAP and IFRS may further contribute to fraud. Current interpretations of IFRS 1 suggest that U.S. publicly listed companies likely will be required to report financial statements under both standards for up to three years — doubling the possibility of misstatement. From an operational standpoint, the changes to financial ratios and performance indicators in combination with earnings volatility will require customer credit and vendor policies, procedures, and processes to be reexamined and adjusted, contributing to fraud risk.

 

Controls over financial reporting also will be susceptible to modification. Because these controls provide the basis for management’s certification process for the U.S. Sarbanes-Oxley Act of 2002, the ability to alter their design heightens misstatement and noncompliance risk. Among the most effective controls in this area are the review and sign-off by the external auditors of all changes to the controls over financial reporting and Sarbanes-Oxley-related controls, as well as external audits of both sets of financial statements. Internal auditors should review the reconciliation between both financial statements and understand the assumptions made by management in going from U.S. GAAP to IFRS.

 

IT is another area that can impact financial reporting under IFRS. The operating parameters of accounting applications are core preventive controls that may be altered during the conversion, increasing the risk of fraud and erroneous misstatement.

 

RISK MANAGEMENT

Risk management plays an important role in safeguarding shareholder value and mitigating reputational risk emerging from the IFRS conversion. Using a tailored fraud risk management program based on The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework provides those charged with governance, management, and enterprise risk management (ERM) with an entitywide framework to identify, manage, and mitigate financial statement fraud and misstatement risks effectively and comprehensively. This can be a new program to address specific risks related to the conversion or an addition to an existing program. As part of the conversion project, a work stream dedicated to providing fraud risk management is essential. A work stream commits qualified resources to perform activities with defined objectives and outputs within a designated time frame. The COSO approach interweaves the focus of management, governance, and risk management on the IFRS project and establishes fraud monitoring mechanisms based on the framework’s five components.

 

Control Environment Companies should create a control environment that sets the tone at the top, establishes a code of conduct and ethics, embeds a whistleblower hotline into the conversion project, and links to the ERM program. The tone at the top conveys a clear message to the organization that the board, audit committee, management, and internal auditing are committed to high ethical standards and lack of tolerance for impropriety. The CAE can assist by asking management questions about its organizationwide control environment and auditing the control mechanisms management has implemented. CAEs also can review training, how the control environment is embedded into the organization, and the active use and enforcement of policies that reward ethical behavior and discourage unethical and fraudulent behavior.

 

Risk Assessment Performing a fraud risk assessment as part of the IFRS conversion can identify fraud risks, schemes, and mitigating controls. For each risk factor, this assessment should:

 
  • Identify what would cause a fraud to occur, or the fraud risk factor.
  • Determine the fraud risk.
  • Determine potential schemes.
  • Identify affected financial accounts.
  • Identify positions that could potentially be involved.
  • Assess the type, likelihood, significance, and inherent risk.
  • Formulate the controls that could mitigate the risk.
  • Classify the controls by type (i.e., preventive, detective, entity-, and process-level).
  • Identify and assess residual risk.
 

A fraud risk assessment for IFRS conversions is akin to a brainstorming session with a cross-section of business process owners impacted by the change. The scope of the session should be tailored to the risks of financial statement fraud and misstatement as well as management override of controls over financial statement reporting. To maintain the link with the ERM program, the results — including management’s determination of acceptable residual risks — should be communicated to the board and audit committee. Additionally, the board and audit committee should understand the impact and fraud risks associated with the IFRS conversion and conduct their own brainstorming session to assess how management might attempt to override IFRS conversion project controls as well as controls over financial reporting.

 

Internal auditing can have an active role in developing the conversion fraud risk assessment as well as facilitating the risk assessment sessions. Specifically, auditors should develop an understanding of not only IFRS, but also of the associated fraud risks. Armed with this knowledge and coupled with their risk assessment and group facilitation skills, auditors can help management and the audit committee identify, assess, and develop mitigation actions. Moreover, as a result of being close to the conversion fraud risk management process, auditors can best tailor their reviews of key controls during and after the conversion.

 

Control Activities Following the fraud risk assessment, the team responsible for the conversion fraud risk work stream should design and implement the control activities to mitigate the identified risks. It is imperative that these control activities be communicated and supported by management and be embedded effectively in the IFRS conversion project. Key control activities include reasonableness testing of all accounting judgments and accounting policies and procedures, and sign-off by external auditors with IFRS expertise. On the IT side, testing should ensure that the expected output of relevant applications matches approved application parameter changes, and adherence to application change management controls is maintained.

 

Anti-fraud control activities should be detailed in a conversion fraud risk action plan, including the specific personnel responsible for implementation and the timetable aligned with the conversion project. Furthermore, the plan should classify controls within an entity- and process-level anti-fraud control framework that categorizes controls as preventive or detective. Auditors can advise the project team on developing anti-fraud controls based on their understanding of the conversion fraud risks and internal controls over financial reporting. Moreover, they can review and challenge the relevance of risk mitigating controls to the identified risks.

 

Communications The IFRS conversion project should communicate about anti-fraud programs and controls effectively during and after the conversion. The communications program should integrate objectives of the anti-fraud work stream and provide appropriate, timely, and repeated communications regarding fraud awareness, monitoring, and accessibility to reporting mechanisms. Consideration of multicultural and language challenges is necessary to both the success of the IFRS conversion and the anti-fraud project work stream. Internal auditors can provide valuable assistance in managing cultural, language, accounting, and reporting challenges. For example, internal audit departments that have the cultural, anti-fraud, local accounting, and IFRS skills are well-positioned to assist management in assessing whether a subsidiary should be included in the consolidated financial statements. This assistance becomes of greatest value when consolidating subsidiaries previously not consolidated under U.S. GAAP, but required by IFRS.

 

Monitoring The effectiveness of anti-fraud programs and controls should be monitored during and after conversion, and the conversion fraud risk work stream should be adjusted based on the results. One key monitoring activity is the testing of pre- and post-IFRS account balances for accuracy, reasonableness, and completeness. Internal auditing can advise the project team on developing monitoring controls that integrate with the company’s continuous monitoring program. In addition to guidance, auditors can review controls over the initial IFRS conversion and monitor implemented controls, processes, and system changes. Both during and at the conclusion of convergence, internal auditing can provide management assurance that internal controls over financial reporting are embedded in the organization.

 

EFFECTIVE INTEGRATION

To integrate the IFRS fraud risk program with the conversion project effectively, it helps to understand the structure, time line, objectives, impact, and personnel involved. Such insight allows project team members to identify what needs to be created from scratch and what can be leveraged to reach the anti-fraud work stream’s objectives. In essence, the integration will require structures and objectives to be mapped to both the conversion project and the ERM program. Key points to consider in integrating a fraud risk management program with the conversion project include:

 
  • Leveraging IFRS project communication structures.
  • Building IFRS conversion fraud risk awareness among those charged with governance and project management.
  • Mapping anti-fraud activities to IFRS impact assessment results.
  • Involving the anti-fraud work stream in the project steering committee or project management office.
  • Establishing a link with IT to develop and monitor anti-fraud controls that can be leveraged during and after transition (continuous monitoring).

As the efforts of the fraud risk work stream and the conversion project become integrated, understanding success factors for IFRS conversion is needed, including:

  • Understanding the resources, timing, risks, and nature of the IFRS conversion, including the differences and impact between U.S. GAAP and IFRS that are specific to the organization.
  • Commitment to the project from management, the board, and the audit committee.
  • Integration of necessary skill sets from all impacted areas of the company.
  • A well-structured project management team with a project charter that is supported companywide.
  • Early involvement by IT personnel.
  • IFRS training for all impacted company personnel.
  • Project personnel with a high level of IFRS knowledge.
  • Strong change management practitioners within the project leadership.
  • Integration of the conversion project with the company’s ERM program.
  • Awareness of the risk of fraud and impropriety.
 

These success factors are derived from the IFRS conversion experiences of European companies. Underlying many of the findings cited in studies of IFRS conversion in Europe is the underestimation of the impact, timing, and resources needed to manage the IFRS conversion successfully.

 

INTERNAL AUDITING’S ROLE

Internal auditing should view the conversion to IFRS as a unique opportunity to add value to the organization. Leveraging their enterprisewide knowledge, auditors should be involved early in this project to create awareness of the IFRS conversion’s impact and fraud risks to management, the board, and affected departments. Obtaining an oversight role on the IFRS project steering committee can enable the audit function to assist in planning, scoping, and project governance; ensure that all aspects — people, processes, systems, operations, and risks — are addressed; and monitor progress.

 

In addition to its guidance and assurance roles, internal auditing can provide training on IFRS’ impact, operational changes, and new operating procedures. Auditors also can identify opportunities to streamline costs, including shortening the accounting period-close process and initiating more efficient IFRS and Sarbanes-Oxley compliance testing.

 

The IFRS conversion project may overwhelm some issuers to the extent that they will turn to their internal and external auditors for help. Although the temptation to assist the organization is strong, adopting a COSO-based approach can enable internal auditors to maintain their independence.

 

To comment on this article, e-mail the author at fernando.cancino@theiia.org.

 

