The AICPA Audit Committee Toolkit: Private Companies, 2nd Edition
The AICPA Audit Committee Toolkit: Private Companies helps audit committees of private companies at all levels discover best practices for managing and incorporating their role within the organization. This toolkit takes the guesswork out of effectively establishing and managing an audit committee by furnishing you with dozens of useful tools and the most common forms for effective audit committee operation, as well as tools specially tailored for private companies. The accompanying download features forms and checklists that you can fill out and save to efficiently create, file, and track your documentation.
This new second edition has been updated to include the 2013 revised COSO framework. The checklists and worksheets have been revised to make them more user-friendly. The publication has been updated with relevant regulatory changes. Additionally IFRS guidance has been added.
The AICPA Audit Committee Toolkit series is the cornerstone of the Audit Committee Effectiveness Center, located at www.aicpa.org/AudCommCtr.
This newly revised edition of the popular audit committee toolkit is written to help audit committees of private companies to achieve best practices for managing and incorporating their role in the organization.
New to this edition of the toolkit
- Updated with new COSO Framework (May 2013)
- Improved format for forms and checklists
- Updated with regulatory changes
- Includes IFRS guidance
Now with downloadable Microsoft Word tools and checklists, this Toolkit offers a broad sampling of matrices, reports, questionnaires and other pertinent materials specifically tailored to private companies and designed to make audit committee best practices actionable.
Chapter 10: Fraud and the Responsibilities of the Audit Committee: An Overview
Since the passage of the Sarbanes-Oxley Act of 2002, the public’s expectations have been raised about all parties involved in organizational governance, including the audit committee, management, independent auditors, internal auditors, regulators, and law enforcement. The audit committee’s role has been elevated greatly as a result of fraud discoveries, recent legislation, and new stock exchange requirements.
Regulations such as the U.S. Foreign Corrupt Practices Act of 1977 (FCPA), the 1997 Organisation for Economic Co-operation and Development Anti-Bribery Convention, the U.S. Sarbanes-Oxley Act of 2002, the U.S. Federal Sentencing Guidelines of 2005, and similar legislation throughout the world have increased management’s responsibility for fraud risk management.1
Definition and Categories of Fraud
An understanding of fraud is essential for the audit committee to carry out its responsibilities. According to Black’s Law Dictionary (Tenth Edition, 2014, p. 775), fraud is
…a knowing misrepresentation or knowing concealment of a material fact made to induce another to act to his or her detriment. A reckless misinterpretation made without justified belief in its truth to induce another person to act. Additional elements in a claim for fraud may include reasonable reliance on the misrepresentation and damages resulting from this reliance. Unconscionable dealing; the unfair use of the power arising out of the parties’ relative positions and resulting in an unconscionable bargain…
…consists of some deceitful practice or willful device, resorted to with intent to deprive another of his right, or in some manner to do him an injury. As distinguished from negligence, it is always positive, intentional…. Fraud, in the sense of a court of equity, properly includes all acts, omissions, and concealments which involve a breach of legal or equitable duty, trust, or confidence justly reposed, and are injurious to another, or by which an undue and unconscientious advantage is taken of another.2
The AICPA defines fraud as “an intentional act by one or more individuals among management, those charged with governance, employees, or third parties, involving the use of deception that results in a misstatement in financial statements that are the subject of an audit.”3
Fraud affecting the organization generally falls within one of three categories:
- Financial statement fraud, where an employee intentionally causes a misstatement or omission of material information in the organization’s financial reports (for example, recording fictitious revenues, understating reported expenses or artificially inflating reported assets).
- Corruption, where an employee misuses his or her influence in a business transaction in a way that violates his or her duty to the employer in order to gain a direct or indirect benefit, such as schemes involving bribery or conflicts of interest.
- Asset misappropriation, where an employee steals or misuses the organization’s resources (for example, theft of company cash, false billing schemes or inflated expense reports).
These fraud schemes can arise from the following sources within a company:
- Executive fraud, which involves senior management’s intentional misrepresentation of financial statements, or theft or improper use of company resources.
- Management fraud, which involves middle management’s intentional misrepresentation of financial statement transactions, for example, to improve their apparent performance.
- Employee fraud, which involves non-senior employee theft or improper use of company resources.
- External fraud, which involves theft or improper use of resources by people who are neither management nor employees of the firm. Outside individuals may, for example, collude with management or employees.
Roles of the Audit Committee in the Prevention, Deterrence, Investigation, and Discovery or Detection of Fraud
The members of the audit committee should understand their role of ensuring that the organization has a strong internal control environment in place, including the design and implementation of programs and controls to prevent and detect fraud. The audit committee also needs to be prepared to aid in the discovery of fraud, investigate, and report on its findings to the board. The components of a robust fraud control program should include a fraud risk assessment,4 fraud reporting mechanisms and protocols, investigation protocols, a disciplinary action policy applied consistently, and a process to identify and report conflicts of interest, usually in the form of an annual conflict of interest questionnaire completed by all employees.
The audit committee should ensure that the organization has implemented an effective ethics and compliance program, and that it is tested periodically. The design of the internal control system should consider the risk of fraud explicitly. Since significant frauds can frequently be attributed to an override of internal controls, the audit committee plays an important role by applying skepticism to validate the accuracy of the information it receives and by ensuring that internal controls both address the appropriate risk areas and are functioning as designed. Sarbanes-Oxley section 301 requires audit committees of listed companies to establish procedures for the receipt, retention, and treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters, and for the confidential, anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters. Private companies should consider this guidance when establishing similar policies and procedures.5 See also the tool in chapter 11, “Whistleblower Policy: Complaint Reporting Procedures and Tracking Report,” in this toolkit.
To set the appropriate tone at the top, the board of directors should first ensure that the board itself is governed properly. This encompasses all aspects of board governance, including independent-minded board members who exercise control over board information, agenda, and access to management and outside advisers, and who independently carry out the responsibilities of the nominating/governance, compensation, audit, and other committees.
The board also has the responsibility to ensure that management designs effective fraud risk management documentation to encourage ethical behavior and to empower employees, customers, and vendors to insist those standards are met every day. The board should do the following:
- Understand fraud risks.
- Maintain oversight of the fraud risk assessment by ensuring that fraud risk has been considered as part of the organization’s risk assessment and strategic plans. This responsibility should be addressed under a periodic agenda item at board meetings when general risks to the organization are considered.
- Monitor management’s reports on fraud risks, policies, and control activities, which include obtaining assurance that the controls are effective. The board should also establish mechanisms to ensure it is receiving accurate and timely information from management, employees, internal and external auditors, and other stakeholders regarding potential fraud occurrences.
- Oversee the internal controls established by management.
- Set the appropriate tone at the top through the CEO job description, hiring, evaluation, and succession-planning processes.
- Have the ability to retain and pay outside experts where needed.
- Provide external auditors with evidence regarding the board’s active involvement and concern about fraud risk management.
The board may choose to delegate oversight of some or all of such responsibilities to a committee of the board. These responsibilities should be documented in the board and applicable committee charters. The board should ensure it has sufficient resources of its own and approve sufficient resources in the budget and long-range plans to enable the organization to achieve its fraud risk management objectives.
1 IIA, AICPA, ACFE. “Managing the Business Risk of Fraud: A Practical Guide.” 2008, p. 5.
2 Black’s Law Dictionary: thelawdictionary.org/fraud/
4 The COSO publication Internal Control—Integrated Framework, Principle 8, (page 78) describes the assessment of fraud risk as one of the fundamental concepts of internal control within an organization.