someone’s technical or creative ability, this provides additional insight
into the person’s capabilities.

If there are concerns about capability, respond
accordingly. If someone’s capabilities present a significant risk factor,
respond with stronger controls or enhanced audit testing. For example,
if the sales vice president is overly aggressive, competitive, and
obsessed with hitting monthly sales quotas, there may be a need for
extra-tight controls over revenue recognition or expanded testing of
sales during the annual audit. In addition, implementing a periodic
rotation of routine, but key, functions among staff can minimize the
opportunities for fraud gained from long-term knowledge of the
function and its controls. In this response phase, a key to mitigating
fraud is to focus particular attention on situations offering, in addition
to incentive and rationalization, the combination of opportunity and
capability. In other words, “Do we have any doorways to fraud that can
be opened by people with the right set of keys?” If so, these areas are
especially high risk, because all the elements are in place for a fraud
opportunity to become reality.

For example, when designing detection systems, it is important
to consider who within the organization has the capability to quash a
red flag, or to cause a potential inquiry by internal auditors to be
redirected. Cynthia Cooper, the internal auditor at WorldCom credited
with discovering the massive fraud, has described in Time magazine
how CFO Scott Sullivan had exercised his position and seniority to
dissuade her team from looking into certain areas that later proved to
have been infested with massive fraud. But believing they were on to
something, her teams worked behind Sullivan’s back, on many
occasions at night or from home, to avoid detection and retribution.
Although it appears he tried, according to Cooper, in this instance
Sullivan was not capable of completely thwarting the persistent efforts
of the auditors to uncover the apparent fraud.

Reassess the capabilities of top executives and key
personnel. Assessing capability and responding to concerns should
not be viewed as one-time exercises. Continuous updating of the
capability assessment and response is warranted for two reasons. First,
people can develop new capabilities over time, especially if they are
climbing the corporate ladder and growing professionally. That
someone did not have enough power or knowledge of an area to
commit fraud in the past is no guarantee that the person will not
develop such power or knowledge in the future. Their capability to

