Corporate compliance professionals can learn a lot from the audit world. Our latest lesson comes in a statement from the Securities and Exchange Commission, warning auditors to do better at identifying the risk of fraud among their corporate clients – and that statement has plenty of practical implications for compliance officers, too.
The statement itself came from Paul Munter, the SEC's acting chief accountant. He first reminded auditors that they have a duty to consider the risk of fraud when reviewing clients' financial statements, and that duty can't be shirked just because it's hard.
Lately, Munter said, his office has heard "particularly troubling feedback" that audit firms tend to discuss fraud risk with their clients more in terms of what auditors can't do, or what they aren't required to do. That attitude has to change, he said.
For compliance officers (and internal auditors and corporate risk managers), Munter’s warning to audit firms has several implications.
First, if your audit firm is going to be more aggressive in assessing fraud risk, that's going to shift the working relationship you have with them. The auditors might well ask for new types of evidence they hadn't requested before, or be more persistent with questions about how your policies and controls work. The more you can anticipate those needs now, the better everything will unfold when audit season comes (usually in the several months following the end of your fiscal year).
Second, and more importantly, compliance officers have an opportunity here, because the ethics and compliance program plays a crucial role in a company's anti-fraud efforts.
So the better you understand how the ethics and compliance program supports anti-fraud efforts, the more chance you have to shine in front of the auditors, senior management, and the board.
Munter gave compliance officers a few clues when he talked about how auditors should assess fraud risk.
First, he said, “Auditors should also devote sufficient time and resources to the assessment of the issuer’s entity-level controls. An auditor is required to obtain an understanding of the issuer’s control environment. This would include assessing whether the organization demonstrates a commitment to integrity and ethical values.”
In practice, that means reviewing things very much in the compliance officer's purview: the code of conduct, the whistleblower hotline, anti-corruption training, and related efforts to strengthen a culture of ethics and compliance.
Munter, however, wants auditors to do more than simply confirm that a company has these things, because every public company is supposed to have them as a routine part of compliance with the Sarbanes-Oxley Act. Munter urged auditors to go further and understand how well the code, the hotline, and related controls actually work at the company.
Take the whistleblower hotline as an example, Munter said. “Has the issuer simply checked the box on the requirement, or does the issuer have a culture that encourages whistleblowers who see something to actually say something?”
This is where compliance officers can start getting ahead of the curve. Think about how you would audit the effectiveness of your compliance program. Think about steps such as an employee survey on corporate culture (Munter expressly mentioned that idea) or tests of your whistleblower hotline, as well as reports on the speed and efficiency of your investigations into hotline calls.
The evidence you would gather to assess the effectiveness of your compliance program is the same evidence auditors would want to see when assessing your company’s control environment – and a strong control environment is indispensable to anti-fraud efforts.
The U.S. Sentencing Guidelines and the Justice Department’s guidance on effective compliance programs already talk about the importance of assessing your compliance program from time to time. This new missive from the SEC is icing on that cake: the better you understand how well your compliance program supports a culture of ethics and compliance, the more quickly you can show auditors that, yes, your control environment and anti-fraud efforts are working well.
Compliance officers have another point to consider here: When you do get reports of fraud via your internal hotline, how are they handled? And how do your fraud investigations support your larger anti-fraud efforts?
That is, most large corporations already have an internal audit or anti-fraud team that does its own fraud risk assessment (just like external auditors are supposed to do as part of their annual audit). So how do your fraud investigations, disciplinary actions, and final reports help those internal teams to sharpen their fraud risk assessments?
This is no esoteric point. Munter expressly said in his statement: “An auditor should pay close attention to an issuer’s approach to its own fraud risk assessment as this can provide insight when evaluating the issuer’s control environment.”
Compliance officers won’t do that fraud risk assessment themselves, but your work can be invaluable to help those people in your enterprise who do perform the risk assessment. For example, do you conduct a root-cause analysis to determine why incidents of fraud happened? If you find that a string of fraudulent activity was simply the bad luck of hiring bad employees, that suggests a hiring problem. If you find that everyone was committing the same fraud in the same way, that suggests poor financial controls.
The point is that compliance teams should have strong working relationships with internal audit (or whoever manages fraud at your company), so that your investigations and findings about fraud flow to those teams and their fraud risk assessments can be more focused and relevant. They, your external auditors, and ultimately the board's audit committee will all be thankful for it.
Ultimately, all of this is yet another example of how a strong ethics and compliance program can help a company in ways that go far beyond merely checking the box of regulatory requirements.