internal auditors speak out on controlling employee fraud

INTERNAL AUDITORS SPEAK

OUT ON CONTROLLING

EMPLOYEE FRAUD

Jeffrey S. Zanzig and Dale L. Flesher

ABSTRACT

The purpose of this chapter is to investigate what internal auditors seeas a need for improvement regarding current business risk practicesfor controlling employee fraud. A survey of internal auditors comparesperceptions of current versus desired situations in regard to six commonpractices of employee fraud risk management: training in fraud riskmanagement, understanding how job procedures are designed to managefraud risks, recognizing basic indicators of fraud, providing appropriateemployee compensation incentives, reporting suspicions of fraud, andbackground verification of job applicants. Comparisons for each practiceare made between the United States and Canada.The main finding is thatthe largest weakness in the employee fraud risk management practicesrelates to providing employees with training in their risk managementprograms. Seemingly related deficiencies are also indicated in bothemployee understanding of how their job procedures are designed tomanage fraud risks and the ability of employees to recognize basicindicators of fraud. No measure of fraud prevention is more importantthan those involving the employees who actually conduct the affairs of anorganization. The identification and ranking of gaps in employee fraud

Research on Professional Responsibility and Ethics in Accounting, Volume 15, 225–250

Copyright r 2011 by Emerald Group Publishing Limited

All rights of reproduction in any form reserved

ISSN: 1574-0765/doi:10.1108/S1574-0765(2011)0000015011

225

risk management practices can be used to make a case to deal with areasneeding improvement.

Keywords: Employee fraud; Fraud awareness; Fraud training; Riskmanagement

The news of today is filled with stories of unethical behavior regarding thewaythat businesses conduct their affairs. An underlying cause is that the potentialfinancial reward for the improper behavior often outweighs the penalty. Onerecent incident actually involved an effort to help save the collapse of thefinancial system. The Securities and Exchange Commission reports thatthe situation involved significantly false information in a proxy statement sentby Bank of America to its shareholders to get their approval for Bank ofAmerica’s acquisition of Merrill Lynch. Bank of America’s proxy statementstated that the executives ofMerrill Lynchwould receive no year-end bonuses.In fact, Bank of America had already agreed to pay the executives up to $5.8billion in discretionary bonuses. The suggested penalty for this behavior was a$33million fine alongwith a promise not to do it again. It is interesting that thecourts concluded that they had to penalize the company and therefore itsstockholders, rather than its executives because company lawyers drafted theproxy statement and said it was lawful (Verschoor, 2009).

Company employees – both management and nonmanagement – are in thebest positions to either perpetrate fraud or combat fraud. With the propersense of ethical values and training, all employees can be a part of the fraud-fighting process. This chapter summarizes a study of how well organizationsselect and equip their employees to choose the right road in the fight againstfraud. The Bank of America situation represents an all too familiar scenariowhere company executives set the stage for unethical behavior. In addition,the judicial system inappropriately applied the penalty to the company and itsshareholders. The concept of the fraud triangle is a commonly acceptedtheory that three conditions are generally present when fraud occurs. First,incentives/pressures provide the motivation to commit fraud to address somefinancial need ranging from financial distress to greed. Secondly, there is arationalization/attitude that allows people to equate the fraudulent behavioras being consistent with their sense of ethical values. For example, a personmight conclude that he or she has not been adequately compensated for yearsof services. Put this conclusion together with some financial distress, such assignificant medical expenses, a normally ethical person could well fall into thetrap of committing fraud. Finally, a sense of opportunity is a conditionwherein the fraud can be perpetrated and the person will not be caught. It can

JEFFREY S. ZANZIG AND DALE L. FLESHER226

also be argued that an insignificant penalty for fraudulent behavior alsoprovides opportunity in that being caught has no serious consequences incomparison to the benefits of potentially getting away with the fraud.

This chapter makes use of a survey of internal auditors to consider somecommon concepts regarding how organizational fraud is addressed at thelevel of the individual employee. The first section on the human elementconsiders how the concept of fraud interacts within the humanmind andwhatcan be done to counter it. The second section sets the stage for comparisonsbetween the United States and Canada by considering aspects of theirapproaches to regulation. The next section presents the researchmethodologyand provides some details of the survey. This is followed by a sectiondiscussing the importance of creating an awareness of fraud. The fifth sectionprovides a summary of the fraud risk concepts along with the survey results.This is followed with a consideration of research limitations. The summaryand conclusions section includes a ranking showing the size of the expectationgap that internal auditors perceive for each of the fraud risk concepts.

THE HUMAN ELEMENT

Joseph T. Wells is the founder and chairman of the Association of CertifiedFraud Examiners (ACFE). Wells (2002) provided a discussion of fraudproposing that the human element is a primary key in beating fraud. Hepoints out that prevention deals with removing a problem’s root cause such asfinancial pressures that lead someone to commit fraud. In contrast, deterrenceoccurs when behavior is modified due to the threat of sanctions for beingcaught. In addition, he describes the thought process of a fraudster asbeginning with the pressure that provides the motive for developing a schemeto look for an opportunity to commit fraud. The scheme is then evaluated inregard to the person’s perception of getting caught. This perception can leadto either modification of the scheme to improve its chances of success orabandonment due to fear of being caught. ‘‘People who do have theopportunity but perceive they do not are less likely to take the chance. Theperception – not the actual likelihood – of detection determines whether ornot a person will commit fraud.’’

Wells suggests three alternatives that auditors can use as a means ofincreasing the perception of employees being caught in the act of fraud:

� Closely examine the compensation of management by reviewing theirpersonal financial statements, bank statements, and tax returns.

Controlling Employee Fraud 227

� Inquire about whether employees are aware of any organizational fraudor if someone has asked them to act in a way that is unethical or evenillegal.� Conduct surprise audits in typical areas of financial statement fraud suchas sales, accounts receivable, and inventory.

The point regarding inquiries of company employees is also addressed inthe American Institute of Certified Public Accountant’s (AICPA)AU Section316 entitled Consideration of a Fraud in a Financial Statement Audit. Thisstandard points out that inquiries are often an effective way of uncoveringfraud. Particularly interesting is the thought that an auditor should makeinquiries not only of persons at differing levels of management but also ofother nonmanagement employees. ‘‘The responses to these other inquiriesmight serve to corroborate responses received from management, or alter-natively, might provide information regarding the possibility of managementoverride of controls – for example, a response from an employee indicating anunusual change in the way transactions have been processed.’’

APPROACHES TO REGULATION

The United States and Canada are significant trading partners whose long-term trading relationship and geographic connection tie the countries to-gether in an important economic relationship. Despite this relationship, thecountries do not necessarily have an identical approach to regulation of theirbusiness environments. Economic difficulties in the United States haveresulted in major regulations such as the Sarbanes-Oxley Act to establishbetter corporate responsibility and control environments. However, the needfor immediate action in these areas may not be as high in Canada.

Lynch (2009) points out that ‘‘the World Economic Forum in Octoberranked the country’s (Canada’s) financial institutions No. 1 in the worldfor solvency.’’ In contrast, the United States banks were ranked 40th. Healso points out that the Canadian ranking could largely be attributable tolimitations on the use of borrowed funds for lending that result due to aCanadian requirement that their banks maintain a higher buffer of capital.The situation regarding the stronger solvency of Canadian banks providesevidence that the urgency of regulatory reform in Canadamay not be as greatas that of the United States. Ramona Dzinkowski is a Canadian economistand former vice president of Financial Executives International (FEI) inCanada. In a article, Dzinkowski (2007) points out that Canada is more likely


to adopt a wait-and-see attitude to see if themeasures to address the economicissues in theUnited States reach an appropriate regulatory equilibrium. If thisis true, it is possible that there could be differing perspectives betweenthe countries in regard to current and desired approaches to fraud riskmanagement. Admittedly, Canada does not have the same whistle-blowinglaws as does the United States.

RESEARCH METHODOLOGY

This research considers how internal auditors feel about certain businesspractices for managing the risk of fraud. The survey concepts were developedon the basis of issues addressed in a study published in a document entitledManaging the Business Risk of Fraud: A Practical Guide (MBRF) (2008). Thisfraud risk management guidance represents a combined effort on the part ofthe Institute of Internal Auditors (IIA), the AICPA, and the ACFE. Specifictheoretical guidance from the MBRF is described within the discussion foreach of the survey concepts. A web-based survey was developed by theauthors in conjunction with the Global Audit Information Network (GAIN)of the IIA. An e-mail invitation was sent by GAIN to 20,000 members of theIIA throughout the United States and Canada. A total of 813 responses (i.e.,669 from theUnited States, 94 fromCanada, and 50 not indicating location ofresidence) were received representing an overall response rate of 4.1 percent.The largest groups of responses were received from public companies (32.9percent), 1,001–5,000 full-time equivalent employees (27.5 percent), 3–6 full-time equivalent members of internal audit (25.7 percent), revenues in therange of $1 billion to less than $10 billion United States dollars (33.2 percent),and the financial services/banking/real estate industry (19.4 percent).

For each of the risk management concepts presented in the survey,respondents rated the concept in regard to the extent to which they perceivethat the concept is currently being applied within their organization (i.e.,current situation). They then rated each concept on the extent to which theyagreed that it should be applied within their organization (i.e., desiredsituation). The purpose of providing the ‘‘current situation’’ versus the‘‘desired situation’’ ratings is to identify risk management concepts where theinternal auditors feel that the extent of their application is different fromwhatit should be to efficiently and effectively serve the organization in managingfraud. The rating scale for both situations is based on a scale from 1 (stronglydisagree) to 5 (strongly agree).


The analysis described earlier is performed on the basis of both the overallresponses from the United States and Canada and also for the separateresponse distributions for each country. The same form of distribution testingis also performed to contrast the countries from two perspectives. First, theresponse distributions for the current situation between the two countries isexamined to see if there are significant differences in the way internal auditorsview the current status of how their organizations apply the fraud riskconcepts. Secondly, the desired situation between the countries is consideredto see if the internal auditors differ between the countries regarding how theyfeel the fraud risk concepts should be applied.

THE IMPORTANCE OF FRAUD AWARENESS

The importance of fraud awareness can be thought of in regard to a scale oflevels of personal integrity. At one end of the scale, fraud awareness candeter the person of lower integrity from allowing self-interest to guide his orher judgment. The other end of the scale contains persons of the highestintegrity who would normally not even consider fraudulent behavior. Giventhe uniqueness of each person’s experiences and resulting sense of values, itis inevitable in a society that persons are going to possess varying levels ofwhat they consider to be ethical behavior.

A rather controversial statement in regard to human nature is the idea that‘‘everyone has their price’’ at which their personal integrity can be bought.The validity of such a dismal assessment of human nature has to be properlyframed to be appropriately interpreted. It is true that there are many personsin our society with the highest sense of integrity. However, it can also beargued that a given combination of conditions could result in a compromiseof a person’s normal behavior that is not the result of greed, but the idea that agreater good is at stake. In fact, one of the survey respondents in part statedthat ‘‘the integrity and honesty so strongly preached means very little to aperson if their basic needs (are) not adequately covered.’’ Such could be thecase of a parent who is in desperate need of funds for a child to cover expensivemedical care to save the child’s life. In such extreme situations, a person’snormal ability to reason toward a more socially acceptable solution could bediminished by the severity of the situation. Appropriate organizationpractices of fraud risk management can help to keep people honest regardlessof their level of integrity. However, it is important to realize that suchpractices will not serve as a deterrent unless organizational personnel have afraud awareness that permits them to perceive that the practices are in place.


Preventive controls serve to institute practices that will stop fraud fromoccurring. A common form of this type of internal control is separation ofduties in regard to authorization, recordkeeping, and custody of assets. Forexample, the theft of customer cash receipts could be prevented whenpersons handling cash receipts are aware that they do not have the authorityto initiate a write-off of an account receivable balance that was actually paidby the customer. In contrast, detective controls serve to detect fraud that hasoccurred. Using the same illustration of customer cash receipts, a processknown as lapping occurs when stolen cash receipts are covered up by applyingsubsequent receipts from other customers to hide the missing receipts. Thissituation can arise due to either collusion or when an organization allows thesame person to have responsibilities over both custody of assets andrecordkeeping. However, the situation can be detected by independentexamination by an outside party such as an internal auditor comparing bankdeposits with the recorded cash receipt information regarding the customer,date, and amount. A lag between the receipt and the deposit date could serveto detect lapping. TheMBRF guidance states that ‘‘combined with preventivecontrols, detective controls enhance the effectiveness of a fraud riskmanagement program by demonstrating that preventive controls are workingas intended and by identifying fraud if it does occur.’’

The MBRF guidance also provides an overview of the five components ofthe Committee of Sponsoring Organization’s (COSO) integrated frameworkas they relate to fraud risk management. Probably, one of the most relevantof those components in regard to organization employees is ‘‘Informationand Communication.’’ Fraud risk management activities in regard to thiscomponent include the following:

� Promoting the importance of the fraud risk management program and the

organization’s position on fraud risk both internally and externally through corporate

communications programs.� Designing and delivering fraud awareness training.

EMPLOYEE FRAUD RISK CONCEPTS

This project’s survey of internal auditors presented six concepts dealing withorganizational practices of fraud risk management at the level of individualemployees. Formal statistical analysis (the Kolmogorov–Smirnov test)identified differences in the distributions of responses between ‘‘currentsituations’’ and ‘‘desired situations.’’ For each concept, tables show the extentto which internal auditors rated these two sets of situations. The tables also


show separate distributions for the responses from the United States andCanada. Similar distribution analysis was also performed within situations(i.e., current and desired) to contrast the response distributions between theUnited States and Canada.

Usinga5percent level of significance, statistically significantdifferenceswerefound for each concept when comparing the distributions for the current to thedesired situations. This finding not only occurs in the overall results but alsowithin the distributions for both theUnited States andCanada. The discussionaccompanying each concept presents exhibits showing the distribution of theresponses and statistical results. In considering the summaries by country,it should be kept in mind that not all respondents indicated where they reside.These unmarked responses are therefore included in the overall distributions,but not in the distributions by country.An illustration of the survey instrumentis provided in the appendix to this article.

Concept 1. Employee policies include a requirement that all employeesreceive initial and ongoing education in the organization’s fraud riskmanagement program

Organizations should have established fraud policies that clearly commu-nicate the role that every employee plays in preventing and detecting fraud. Indiscussing the hiring or promotion of employees, the MBRF guidanceaddresses Concept 1 by stating that:

There should not be any exemption from receiving an initial orientation and ongoing

education on the fraud risk management program in place, regardless of the individual’s

position in the organization.

However, organizations sometimes feel a conflict between trust and activelyworking against fraud. The following responses from the survey capture theseconflicting perspectives:

My company doesn’t like to talk about fraud in fear of giving employees the idea of how

to perform the fraud or that the company doesn’t trust them.

Fraud is not talked about within many organizations because senior management is

uncomfortable with believing that a percentage of employees are actively stealing from

the company.

I believe that education of employees is key in providing an effective fraud program.

Additionally, management needs to stand behind the program and demonstrate support

through talking about the program and holding people responsible.


The survey results point out that many internal auditors feel thatorganizations should take additional steps to improve employee educationin their fraud risk management programs (Exhibits 1(A) and (B)).

As shown in Exhibit 1(A), however, only about 35.2 percent (24.3 percentagree and 10.9 percent strongly agree) of firms currently have a requirementin place for employees to receive education about fraud. Alternatively, 89.2percent of internal auditors agree that they see the need for such a program.There is obviously a disconnect between the current employee fraud trainingand the perceived ideal situation. Although the current situation in both

Exhibit 1(A). Distribution of Responses for Concept 1.

1 2 3 4 5 Total

Responses

Mean

ResponseStrongly

Disagree (%)

Disagree

(%)

Uncertain

(%)

Agree

(%)

Strongly

Agree (%)

Current situation

Overall 9.8 39.3 15.7 24.3 10.9 809 2.87

United

States

9.6 38.0 15.2 25.3 11.9 666 2.92

Canada 14.0 48.4 17.2 18.2 2.2 93 2.46a

Desired situation

Overall 0.4 2.2 8.2 44.3 44.9 804 4.31

United

States

0.5 2.1 7.9 44.0 45.5 662 4.32

Canada 0.0 2.2 8.6 46.2 43.0 93 4.30

aDistribution is significantly different from current situation distribution for the United States.

Exhibit 1(B). Statistical Results for Concept 1 Comparisons.

Current versus Desired Situations Current Situation

Overall 10.834 United States versus Canada 1.518

(.000) (.020)

United States 9.509 Desired Situation

(.000) United States versus Canada .222

Canada 4.693 (1.000)

(.000)

Note: Statistical results show Kolmogorov–Smirnov Z and accompanying p-value for each

comparison.


countries is low for agree and strongly agree, the level of agreement in theUnited States is much higher than in Canada (37.2 percent versus 20.4percent).

Tanner (2008) provides a summary of a survey of fraud riskmanagement byErnst & Young in Ireland. She introduces the survey results by discussing theimportance of organizations having a strong framework of fraud policies. Shestates that an organization without such a framework is much like a countrywithout laws where people simply abide by their ownmoral code. The Ernst &Young survey found that 45 percent of the respondents make use of anongoing training program to help keep employees aware of their policies oforganizational fraud. Although most auditors in the current survey desire theongoing trainingwith amean rating of 4.31 out of 5, it is interesting that the 45percent from Ireland is approximately the same as the strongly agree responseof 44.9 percent for the overall desired situation of Exhibit 1(A).

Concept 2. Employees understand how their job procedures are designedto manage fraud risks

It is possible that members of an organization could be less likely tofollow certain internal controls procedures when they fail to understandtheir significance. The importance of this understanding as stated inConcept 2 is addressed in the MBRF guidance in a discussion regarding theroles and responsibilities of organizational management and staff for fraudrisk management, where it states that these persons:

Should understand how their job procedures are designed to manage fraud risks and

when noncompliance may create an opportunity for fraud to occur and go undetected.

The following responses from the survey indicate the importance ofhaving employees understand how their jobs are designed to manage the riskof fraud, but point out weaknesses in this area:

Job descriptions should contain provisions that would incorporate ‘‘avoidance/

elimination’’ of fraud.

We as auditors do a good job in our organization to try to show the relevancy of (how)

employee duties and responsibilities can detect fraud, but the organization does not do

this through a continuous process.

The results of the survey show that many internal auditors feel thatemployees need more awareness of how job procedures are designed to dealwith fraud risks (Exhibits 2(A) and (B)). The necessity of understanding jobprocedures in regard to fraud risks is important if employees are to apply


proper judgment to situations where demands are placed upon them tocircumvent the normal procedures. Failure to understand the reasoningcould result in a lack of compliance if it is believed that the procedure isunimportant. For example, a job procedure requiring that sales revenue andshipping dates occur in the same accounting period serves to prevent animproper cutoff of sales transactions.

As shown in Exhibit 2(A), just under 48 percent of the respondentsstrongly agreed or agreed that employees currently understand how theirjobs manage fraud risk. This understanding was much higher in the UnitedStates than in Canada (49.8 percent versus 34.1 percent). However, around


1 2 3 4 5 Total

Responses

Mean

ResponseStrongly

Disagree (%)

Disagree

(%)

Uncertain

(%)

Agree

(%)

Strongly

Agree (%)

Current situation

Overall 2.4 27.0 22.7 39.8 8.1 812 3.24

United

States

2.4 26.2 21.6 41.4 8.4 668 3.27

Canada 3.2 37.2 25.5 29.8 4.3 94 2.95a

Desired situation

Overall 0.7 0.9 1.4 36.7 60.3 807 4.55

United

States

0.8 0.7 1.2 36.2 61.1 665 4.56

Canada 0.0 2.1 1.1 34.8 62.0 92 4.57





(.000) (.033)



Canada 4.275 (1.000)

(.000)


comparison.


97 percent of internal auditors in both countries felt that employees shouldhave such knowledge.

Banks (2004) provides an example of how at least one director of internalaudit makes employees more aware of fraud and control concepts through agaming process. He holds classes dealing with the prevention and detectionof fraud and ends the sessions with an unusual twist that the director calls‘‘Rip Off the Organization.’’ During this exercise, the professionals areasked to think like crooks and consider how they could defraud theircompany either internally or from the outside. The exercise is apparentlyvery effective in driving home the importance of control concepts to bettereducate the work force.

Concept 3. Employees have a basic understanding of fraud indicators

The importance of the Concept 3 idea that employees need to be able toidentify potential occurrences of fraud is indicated in the MBRF guidancewhere it states that:

All levels of staff, including management, should have a basic understanding of fraud

and be aware of the red flags.

For example, do employees have a basic understanding that a sale ofproduct with unsupported shipping documentation is an indicator of afictitious sales transaction? The detailed level of experience of organizationalpersonnel in carrying out their duties is far greater than what an auditor candetect through a process of sampling transactions. Therefore, a conclusionregarding this situation indicates that, despite the level of integrity ofindividual employees, a failure to recognize certain indicators of fraud couldresult in many situations going undetected.

Some of the survey responses point out that employees are notappropriately trained regarding indicators of fraud:

Most employees get annual conflict of interest reminders near Christmas holidays but

are clueless on other fraud indicators.

I don’t think employees in general are trained enough to identify fraud in their everyday

work.

The results of the survey indicate that many internal auditors tend to agreethat employees generally have a basic understanding of indicators of fraud(Exhibits 3(A) and (B)). However, although organizations are apparentlyachieving some success in this area, the survey does show that someenhancement of employee understanding of fraud indicators may be needed.


Overall, about two-third of employees are currently viewed as having a basicunderstanding of fraud indicators, with the percentage for the United Statesbeing higher than for Canada. Again, the desired level was similar for bothcountries at about 98 percent.

Concept 4. Employee policies include compensation and promotionpractices that emphasize long-run performance on a variety of measuresrather than short-run performance using financial results


1 2 3 4 5 Total

Responses

Mean

ResponseStrongly

Disagree (%)

Disagree

(%)

Uncertain

(%)

Agree

(%)

Strongly

Agree (%)

Current situation

Overall 1.9 19.1 12.7 52.0 14.3 811 3.58

United

States

2.1 17.4 12.9 53.2 14.4 667 3.60

Canada 0.0 33.0 14.9 42.6 9.5 94 3.29a

Desired situation

Overall 0.5 0.5 0.7 27.2 71.1 806 4.68

United

States

0.6 0.5 0.9 26.7 71.3 663 4.68

Canada 0.0 1.1 0.0 31.2 67.7 93 4.66





(.000) (.038)



Canada 3.977 (1.000)

(.000)


comparison.


In performing their organizational responsibilities, employees are likely toemphasize achieving company objectives that they know to be linked to howthe organization evaluates their performance. Martin (2010) states that theelimination of financial incentives can result in ‘‘increased turnover, decreasedemployee morale, sapped motivation, and downturn in productivity.’’ Hestates that during an economic downturn, employers should consider a formof employee motivation that moves beyond strictly a financial metric to alsoinclude nonmonetary rewards such as the expression of appreciation andrecognition for achievements. These conclusions point out the importanceof providing an appropriate reward structure that emphasizes what anorganization wishes to accomplish with the efforts of its employees. TheConcept 4 idea of overly focusing on short-term performance evaluationbased on financial results is indicated in the MBRF guidance with thefollowing statement:

Regular and robust assessment of employee performance with timely and constructive

feedback goes a long way to preventing potential problems. Employees who are not

recognized for what they do and what they have accomplished, especially those who may

have been bypassed for promotion, may feel their inappropriate and fraudulent conduct

is justified.

A primary implication of this is that codes of ethical conduct will beineffective if organizational personnel feel that they are rewarded more forshort-term financial performance as opposed to a long-term organizationalstrategy based on ethical conduct and finding appropriate ways to providesociety with valued products and services. The following survey responsecaptures the feeling behind having appropriate compensation practiceswithin an organization:

Executive bonuses (not directly tied to performance) and executive salaries, do more to

damage companies and reduce value to shareholders thany low/mid level (employee)

fraud.

It can be implied from the response that the appropriate performancemeasures should be more long-term measures that represent true improve-ment rather than short-term operating results that may not last and could infact hurt an organization in the long term. The survey results show thatinternal auditors feel that improvement is needed in focusing more on avariety of long-run measures of performance as opposed to short-runfinancial results (Exhibits 4(A) and (B)). Results were similar for both theUnited States and Canada.

Bruner, McKee, and Santore (2008) provide evidence that inappropriatelystructured compensation practices can result in undesirable behavior on the


part of company management. They found evidence that although equity-based compensation increases the productive effort of management, it alsohas the undesirable result of making fraud more attractive to managers.They also suggest that organizations should attempt to find an optimal formof compensation contract to reign in the propensity of organizationalmanagers to commit fraud. The appropriate form of compensation shouldemphasize long-run performance using a variety of measures to capture abalanced scorecard of activities that do not necessarily show up in short-term financial results including the market price of an organization’s equitysecurities.


1 2 3 4 5 Total

Responses

Mean

ResponseStrongly

Disagree (%)

Disagree

(%)

Uncertain

(%)

Agree

(%)

Strongly

Agree (%)

Current situation

Overall 3.8 21.9 23.0 37.9 13.4 812 3.35

United

States

4.2 22.1 23.2 36.7 13.8 669 3.34

Canada 1.1 22.6 21.5 45.1 9.7 93 3.40

Desired situation

Overall 0.5 1.4 6.8 49.9 41.4 804 4.30

United

States

0.3 1.7 7.0 48.9 42.1 663 4.31

Canada 1.1 0.0 6.5 51.1 41.3 92 4.32



Overall 8.052 United States versus Canada .390

(.000) (.998)



Canada 2.554 (1.000)

(.000)


comparison.


Concept 5. Employees know how to report suspicions or incidences fraud

The fact that employees know enough to identify indicators or actualincidences of fraud will be little value if the situations are not reported toappropriate personnel. The MBRF guidance supports the importance of theConcept 5 issue of employee knowledge of the organization’s fraud reportingprocess with the following statement:

Considering that people commit fraud and that people are an organization’s best asset in

preventing, detecting, and deterring fraud, an organization should consider promoting

available fraud reporting resources that individuals may access.

The following survey responses indicate success situations about thecurrent status of fraud reporting hotlines:

Our Company has a fraud and ethics hotline. I work in the gaming industry and we have

incorporated a reward program for frontline employees who detect fraudulent

transactions such as trying to cash counterfeit checks.

We do have a strong compliance program that educates all employees about company

ethics and ways to report fraud and abuse.

We are currently in the process of improving our fraud reporting hotline.

The results of the survey show that internal auditors generally feel thatemployees have some idea regarding how to report fraud issues but that abetter understanding should be achieved (Exhibits 5(A) and (B)). Virtuallyall respondents agreed that knowing how to report fraud is desirable – anobjective associated with the Sarbanes-Oxley whistle-blowing hotline rule –but the current situation is far better in the United States than in Canada.The difference between the U.S. and Canadian respondents is likely due tothe fact that whistle-blowing hotlines became mandatory in the UnitedStates under the Sarbanes-Oxley Act – a situation that has not occurred inCanada.

Employee awareness of fraud is important in that the persons in thetrenches of the organization are in the best position to identify fraudulentactivity. This idea is borne out in a study by the ACFE, which found that tipswere the leading approach to detecting fraud. However, persons providinginformation regarding fraud will sometimes feel threatened and as a result besubject to temporary emotional instability. Tips work best when they involvetwo-way communication between the person providing the information andan experienced interviewer to ensure that enough details are gathered for anappropriate investigation (Slovin, 2005).


Concept 6. Employee policies include verification of the work history andeducation of job applicants

An organization’s employment practices should include a process thatverifies the education and work history of any job applicants. The MBRFguidance emphasizes the thought underlying Concept 6 idea by stating that:

Much can be learned about an individual through confirmation of work history and

education presented on a job application or resume or in follow-up with references


1 2 3 4 5 Total

Responses

(%)

Mean

Response (%)Strongly

Disagree (%)

Disagree

(%)

Uncertain

(%)

Agree

(%)

Strongly

Agree (%)

Current Situation

Overall 2.1 8.4 16.8 47.6 25.1 809 3.85

United

States

1.8 7.4 16.1 48.0 26.7 666 3.91

Canada 4.3 14.0 25.8 44.1 11.8 93 3.45a

Desired Situation

Overall 0.4 0.4 0.5 21.1 77.6 805 4.75

United

States

0.5 0.3 0.4 20.9 77.9 664 4.75

Canada 0.0 1.1 1.1 19.8 78.0 91 4.75





(.000) (.006)



Canada 4.489 (1.000)

(.000)


comparison.


provided. It is possible to find false or embellished information or undisclosed history

and reputation that may represent increased, and possibly unacceptable risk.

Twoof theprimary reasons that thisprocess is important relate to thepersonalintegrity and competence of the applicant. One survey respondent states thatfunding is sometimes a problem with accomplishing job applicant verification:

The district does not allocate sufficient funding to deal with the problem through

thorough and periodic background checks on personnel.

Although some room for improvement is indicated, the survey results showthat internal auditors tend to feel that organizations are indeed verifyingapplicant information in most cases (Exhibits 6(A) and (B)). The currentsituation is already at a surprisingly high 81.6 percent in the United States,but the comparable number for Canada is only 73.1 percent. Practically allrespondents, however, feel that the desired situation would be for pre-employment screening of all employees.

Although the integrity of employees is of paramount importance inestablishing an effective control environment, Jackson (2007) points out thatorganizations should also consider the competence of persons who performcontrols or monitor their performance. Many times, judgment is required inapplying organizational controls to unique situations. There is a commonsaying that ‘‘good judgment comes from experience and experience comes


1 2 3 4 5 Total

Responses

Mean

ResponseStrongly

Disagree (%)

Disagree

(%)

Uncertain

(%)

Agree

(%)

Strongly

Agree (%)

Current Situation

Overall 2.0 7.8 9.7 43.7 36.8 810 4.06

United

States

1.9 6.6 9.9 42.2 39.4 668 4.10

Canada 2.1 14.0 10.8 52.7 20.4 93 3.75a

Desired Situation

Overall 0.4 0.0 0.5 34.5 64.6 799 4.63

United

States

0.5 0.0 0.6 33.0 65.9 659 4.64

Canada 0.0 0.0 0.0 38.0 62.0 92 4.62



from bad judgment.’’ Appropriate education and experience teach peopleabout why certain approaches are wrong so that they can learn from themistakes of the past. The lessons learned also provide an arsenal of proventechniques that can often be used to appropriately address problems.

It can be argued that financial reporting failures such as Enron andWorldCom could still happen under today’s improved regulatory structuresbecause of a lack of appropriate human judgment in applying controlprocedures. Lack of ability in carrying out well-designed controls lowers theoperating effectiveness of those controls. Internal auditors must often judgeproblems in applying controls as arising from a lack of appropriate trainingor the personal integrity of employees (Jackson, 2007). The verification ofthe work history and experience of job applicants provides an effectivemethod of selecting job applicants with appropriate experience and training.

LIMITATIONS OF THE RESEARCH

The research presented in this chapter attempts to identify gaps betweencurrent and desired situations in how organizations apply concepts of fraudrisk management in an effort to highlight areas where improvement is needed.In addition, the research addresses the idea that perceptions regarding theseissues could differ between the United States and Canada. In considering theability to generalize from the results of the survey to the true situations in thesecountries, it is important to consider two basic limitations.




(.000) (.006)



Canada 2.824 (1.000)

(.000)


comparison.


The first limitation is that the sample size for Canadian respondents issmaller than that for the United States and could yield different results with alarger sample from Canada. A second limitation is that a lower sampleresponse rate of 4.1 percent brings up the necessity of addressing nonresponsebias. When survey recipients fail to respond, bias is possibly introducedinto the results in that it is possible that the nonrespondents might havesystematically responded to the survey questions in a different way from thosepersons who responded.

Vicente and Reis (2010) state that it is common for web surveys toexperience low response rates. This potential issue was considered by theresearchers along with the tremendous potential to reach survey participantsthrough the IIA’s program. Although the confidential nature of the IIA’srecipient list and the single distribution terms of the arrangement did notprovide for follow-up requests from nonresponding persons, an offsettingstrength is that there were a large number of responses in both countries.Although anyone using the information from this research should considerits limitations in drawing their own conclusions, the researchers feel that thestrength of the number of total responses in each country provides a goodargument in favor of being able to form a reasonable level of generalizationof the survey results to the true situation.

SUMMARY AND CONCLUSIONS

The survey results presented in this chapter indicate that internal auditors seea gap between current and desired situations for employee concepts of fraudrisk management. This gap is statistically significant for both the overallsurvey results and within countries for each of the fraud risk managementconcepts presented. It could be argued that internal auditors will generallyalways want better internal controls over fraud risk management than whatorganizations are willing to implement. This could be attributed to the ideathat internal auditors seek ideal situations of managing risk, whereascompany management has to find a control structure that allows them toreasonably perform their job. Also, the cost-benefit ratio aspects of controlsmust be considered. However, these arguments can be countered with the factthat many organizations have recently been plagued with the discovery offraudulent acts and that internal auditors are in an ideal position with theirtraining and exposure to company operations to evaluate risk situations andadvise company management. This logically leads to the conclusion thatalthough a small portion of the gaps are likely attributable to the ideal


standards of the internal auditor, improvement is generally needed in the waythat organizations apply fraud risk management practices to employees.

The concepts presented in the chapter were purposely presented in theorder of the size of the gap between the desired and the current situationmeans for the overall results. Exhibit 7 summarizes the fraud risk conceptsshowing the gap between the means for each concept.

Similar gap rankings appear when comparing the separate mean gaps forthe United States and Canada. The only difference in the rankings occurs in

Exhibit 7. A Ranking of Expectation Gaps in Applying Fraud RiskPractices to Employees.

Concept

Number

Employee Risk Management Concept Desired

Situation

Mean

Current

Situation

Mean

Mean

Gap

1 Employee policies include a requirement that all

employees receive initial and ongoing education

in the organization’s fraud risk management

program

4.31 2.87 1.44

Overall

4.32 2.92 1.40

(United

States)

4.30 2.46 1.84

(Canada)

2 Employees understand how their job procedures

are designed to manage fraud risks

4.55 3.24 1.31

4.56 3.27 1.29

4.57 2.95 1.62

3 Employees have a basic understanding of fraud

indicators

4.68 3.58 1.10

4.68 3.60 1.08

4.66 3.29 1.37

4 Employee policies include compensation and

promotion practices that emphasize long-run

performance on a variety of measures, rather

than short-run performance using financial

results

4.30 3.35 0.95

4.31 3.34 0.97

4.32 3.40 0.92

5 Employees know how to report suspicions or

incidences of fraud

4.75 3.85 0.90

4.75 3.91 0.84

4.75 3.45 1.30

6 Employee policies include verification of the work

history and education of job applicants

4.63 4.06 0.57

4.64 4.10 0.54

4.62 3.75 0.87


Canada where the survey results show that Concept 5 has a higher mean gapthan Concept 4.

Some interesting issues have been observed by comparing the responses ofthese countries. The research shows that both countries have commonaspirations to put measures into place to maintain the integrity of theirorganizations. This is evidenced in that the survey results show that internalauditors in both the United States and Canada have similar perceptionsregarding desired situations for each of the fraud risk concepts. Anotherobservation is that, with the exception of Concept 4, the current situationdistributions for Canada ratings show significantly different ratings incomparison to those ratings for the United States. It could be that internalauditors in Canada feel that their organizations have been more reluctant toimplement some of the employee risk management practices described inthis chapter. This observation is certainly no reflection on the integrity of theCanadian people because the concepts simply represent preventive fraudpractices that organizations have chosen to implement. In addition, thelower ratings for the current situations in Canada could well be attributableto differences in regulatory approaches previously discussed.

An organization must have some basic trust to function effectively. Manypersons are understandably reluctant to implement some fraud risk manage-ment practices because managers may feel that implementation signals alack of trust of company employees. However, such practices also help keepgood people honest when they face difficult situations that may tempt them tobehave in a manner that would be inappropriate. A proper balance of trustand control is needed for an effective control environment. Such a balanceshows employees appropriate respect for the valuable contributions theymake, while also helping them to understand that all persons are subject toa reasonable level of being held accountable for their actions. Organizationscannot function effectively unless employees help one another to functionwell as a unit. Part of this responsibility is a duty to help each other stayhonest.

ACKNOWLEDGMENTS

The authors of this chapter wish to express their sincere appreciation to theGlobal Audit Information Network (GAIN) of the Institute of InternalAuditors (IIA) who assisted in the development of the survey and distributedit to theirmembership. Also, appreciated is the time of each survey respondentwhose contributions made this research possible.


REFERENCES

American Institute of Certified Public Accountants (2002, October). AU Section 316 –

Consideration of Fraud in a Financial Statement Audit.

Banks, D. G. (2004). The fight against fraud. Internal Auditor, April, 34–39.

Bruner, D., McKee, M., & Santore, R. (2008). Hand in the Cookie Jar: An experimental

investigation of equity-based compensation and managerial fraud. Southern Economic

Journal, 75(1), 261–278.

Dzinkowski, R. (2007). Sarbanes-Oxley north: Not a major drama. Financial Executive, April,

15–16.

Jackson, R. (2007). The human side of risk. Internal Auditor, October, 38–44.

Lynch, D. J. (2009). U.S. could learn from Canada’s banks. USA Today, July 2, 05b.

Managing the Business Risk of Fraud: A Practical Guide. (2008). The Institute of Internal

Auditors, American Institute of Certified Public Accountants, Association of Certified

Fraud Examiners.

Martin, K. J. (2010). Cash motivation limited, try alternative forms. Pennsylvania CPA Journal

(Spring), 1–3.

Slovin, D. (2005). Hotlines heat up fight against fraud. National Underwriter/Property and

Casualty Risk and Benefits Management, October 10, 32–33.

Tanner, S. (2008). Managing risk how organisations respond to fraud risk. Accountancy Ireland

(June), 26–28.

Verschoor, C. (2009). Empty promises aren’t enough to prevent unethical behavior. Strategic

Finance, 14, 16 and 61.

Vicente, P., & Reis, E. (2010). Using questionnaire design to fight non response bias in web

surveys. Social Science Computer Review, 28(2), 251–267.

Wells, J. T. (2002). Let them know someone’s watching. Journal of Accountancy (May), 106–

110.


https://www.researchgate.net/publication/24050139_Hand_in_the_Cookie_Jar_An_Experimental_Investigation_of_Equity-Based_Compensation_and_Managerial_Fraud?el=1_x_8&enrichId=rgreq-0ad39d9c0b81fb55430a5b1f09a870db-XXX&enrichSource=Y292ZXJQYWdlOzIzNTI3MTUwNDtBUzoyMDA4MjMyNjgyMjA5MjlAMTQyNDg5MTQwNjQ4NQ==



https://www.researchgate.net/publication/235783932_Using_Questionnaire_Design_to_Fight_Nonresponse_Bias_in_Web_Surveys?el=1_x_8&enrichId=rgreq-0ad39d9c0b81fb55430a5b1f09a870db-XXX&enrichSource=Y292ZXJQYWdlOzIzNTI3MTUwNDtBUzoyMDA4MjMyNjgyMjA5MjlAMTQyNDg5MTQwNjQ4NQ==

https://www.researchgate.net/publication/235783932_Using_Questionnaire_Design_to_Fight_Nonresponse_Bias_in_Web_Surveys?el=1_x_8&enrichId=rgreq-0ad39d9c0b81fb55430a5b1f09a870db-XXX&enrichSource=Y292ZXJQYWdlOzIzNTI3MTUwNDtBUzoyMDA4MjMyNjgyMjA5MjlAMTQyNDg5MTQwNjQ4NQ==

https://www.researchgate.net/publication/298723743_The_Consideration_Of_Fraud_In_A_Financial_Statement_Audit_Some_Study_Questions?el=1_x_8&enrichId=rgreq-0ad39d9c0b81fb55430a5b1f09a870db-XXX&enrichSource=Y292ZXJQYWdlOzIzNTI3MTUwNDtBUzoyMDA4MjMyNjgyMjA5MjlAMTQyNDg5MTQwNjQ4NQ==

https://www.researchgate.net/publication/298723743_The_Consideration_Of_Fraud_In_A_Financial_Statement_Audit_Some_Study_Questions?el=1_x_8&enrichId=rgreq-0ad39d9c0b81fb55430a5b1f09a870db-XXX&enrichSource=Y292ZXJQYWdlOzIzNTI3MTUwNDtBUzoyMDA4MjMyNjgyMjA5MjlAMTQyNDg5MTQwNjQ4NQ==

APPENDIX. SURVEY INSTRUMENT

GAIN – THE IIA’S PREMIER BENCHMARKING

PROGRAM IN CONNECTION WITH IIA

EDUCATIONAL PROGRAMS

Business Practices for Managing Fraud

When the impact of the economic slowdown began to be felt, increased focuson fraud risk became a hot topic among internal auditors. The purpose of thissurvey is to gather your input regarding the existence of proposed componentsof organizational structure to deal with issues of fraud, as part of a study beingconducted by researchers at the University of Mississippi and JacksonvilleState University.

The survey represents two categories of responses for each question:

Category 1 deals with whether you believe that the component exists in yourorganization. Your response here is based on your perception.Category 2 deals with whether you believe that the component should existin your organization.

1. Please select your response to the question stated at the top of thecolumn. The possible responses range from:

1¼ Strongly Disagree to 5¼ Strongly Agree

1. Employees: Category 1 Category 2Do you believe thatyour organizationadheres to this

concept?

Should yourorganization adhereto this concept?

a. Have a basicunderstanding offraud indicators?

(Click here to choose) (Click here to choose)

b. Understand howtheir jobprocedures aredesigned tomanage fraudrisks.



c. Know how toreport suspicionsor incidences offraud


2. Please select your response to the question stated at the top of thecolumn. The possible responses range from:

1¼ Strongly Disagree to 5¼ Strongly Agree

2. Employee policiesinclude:

Category 1 Category 2Do you believe thatyour organization

adheres to this concept?

Should yourorganization adhereto this concept?

a. Verification of thework history andeducation of jobapplicants.


b. Compensationand promotionpractices thatemphasize long-run performanceon a variety ofmeasures, ratherthan short-runperformance usingfinancial results.


c. A requirementthat all employeesreceive initial andongoing educationin theorganization’sfraud riskmanagementprogram.



3. Please share any other comments you may have on this survey or topic:

About you

4. Type of organization:� Private sector� Government sector� Public company� Nonprofit� Other, please describe:

5. How many full-time equivalent employees are in your organization?� Fewer than 50 � 5,001–20,000� 51–100 � 20,001–50,000� 101–500 � 50,001–100,000� 501–1,000 � More than 100,000� 1,001–5,000

6. What is the size of your internal audit activity (calculated in total full-timeequivalents)?� 1–2 � 21–30� 3–6 � More than 30� 7–15 � Not applicable� 16–20

7. Select the annual revenue range that best describes your organization?

(Click here to choose)

8. Which category best describes your organization’s primary industry?


9. In which state/province do you reside?



internal auditors speak out on controlling employee fraud

Documents