Strengthening Corporate Governance:
Effective Mechanisms for Reporting, Investigating
and Remediating Fraud
There are numerous resources available that guide those charged with governance (referred to as audit committees) toward building programs to
include anti-fraud controls and cultivation of anti-fraud environments.1 When put into place and followed, these programs go a long way in the
prevention and deterrence of fraud. However, even when the strongest fraud prevention programs are in place and operating as designed, fraud may
still occur. This practice aid is intended to briefly cover the key elements of an anti-fraud environment and responsibilities for such with emphasis
on the structure, policies and procedures that audit committees need to ensure are in place before fraud occurs and the specific action steps to take
if and when alleged fraud is suspected.
Let’s first dispel some common misconceptions:
Myth: Handling alleged instances of fraud committed within an organization is solely the responsibility of company management.
Truth: Establishing effective mechanisms for the reporting, investigating and remediating of fraud is a shared responsibility with the company’s
audit committee:
Section 301 of the Sarbanes-Oxley Act specifically requires the audit committee “to establish procedures for the receipt, retention, and
treatment of complaints received by the issuer regarding accounting, internal accounting controls, or auditing matters; and the confidential,
anonymous submission by employees of the issuer of concerns regarding questionable accounting or auditing matters.”
The SEC’s interpretative guidance for management with respect to internal controls2 states: “Management’s evaluation of the risk
of misstatement should include consideration of the vulnerability of the entity to fraudulent activity (for example, fraudulent financial
reporting, misappropriation of assets, and corruption), and whether any such exposure could result in a material misstatement of the financial
statements. Management should recognize that the risk of material misstatement due to fraud ordinarily exists in any organization, regardless
of size or type, and it may vary by specific location or segment and by individual financial reporting element...” While the SEC’s guidance does
not specifically address the role of the audit committee, it does note: “We would ordinarily expect a board of directors or audit committee,
as part of its oversight responsibilities for the company’s financial reporting, to be reasonably knowledgeable and informed about the
evaluation process and management’s assessment as necessary in the circumstances.”
Additional guidance may be found in auditing literature including PCAOB Auditing Standards (AU 316) that state: “…it is management’s
responsibility to design and implement programs and controls to prevent, deter and detect fraud… Management, along with those charged
with governance, should set the proper tone, create and maintain a culture of honesty and high ethical standards… When management and
those charged with governance fulfill those responsibilities, the opportunities to commit fraud can be reduced significantly.”3
Myth: Fraud is primarily found in large, multi-national organizations.
Truth: Fraud is not limited to companies of a certain size and composition.
A finding of the 2010 study released by COSO, “Fraudulent Financial
Reporting: 1998-2007 – An Analysis of U.S. Public Companies,”4 indicates that the companies charged with fraudulent reporting by the SEC, as
represented within the study over a ten-year period, included startups with no assets or revenues as well as much larger companies.
Myth: It is not possible to predict potential fraud before it happens, so creating a plan in advance to deal with suspected fraud would be a waste of
time and resources.
Truth: While not every instance of fraud may be predictable, companies and their audit committees are best served by gaining an understanding
of fraud risk factors and establishing a plan in advance to deal with suspected fraud expeditiously if and when it arises rather than scrambling to
identify and pull together adequate resources in the midst of a crisis.
1 Refer to the appendix of this practice aid for a listing of several recommended anti-fraud program resources
2 Refer to SEC interpretative release Commission Guidance Regarding Management’s Reporting on Internal Control Over Financial Reporting Under Section 13(a) or 15(d) of the Securities
Exchange Act of 1934 available at: http://www.sec.gov/rules/interp/2007/33-8810.pdf
3 Refer to paragraphs .01-.12 of the AICPA’s Statement on Auditing Standards No. 99, “Consideration of Fraud in a Financial Statement Audit,” which is included in the PCAOB’s interim
standards (AU 316) available at: http://pcaobus.org/Standards/Auditing/Pages/AU316.aspx
4 Refer to the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO) 2010 study “Fraudulent Financial Reporting: 1998-2007 – An Analysis of U.S. Public
Companies” available at: http://www.coso.org/documents/COSOFRAUDSTUDY2010.pdf
© 2010 BDO USA, LLP. All rights reserved. www.bdo.com 1
Creating an Anti-Fraud Environment
Building an anti-fraud environment can serve to significantly reduce the risk of fraud and increase the likelihood that, if fraud does occur, it will be
detected at an early stage.
Step 1: Understanding the fraud risk factors an organization faces. This requires an on-going assessment of risks along with the controls that a
company has in place to mitigate those risks on an enterprise-wide basis. The activities associated with building a company’s fraud risk profile
include:
• identifying susceptibility of the organization to various types of fraud (e.g., asset misappropriation, financial reporting fraud and corruption) and
who is likely to commit fraud (e.g., internal - management, employees; external);
• understanding industry “red flags;”
• determining likelihood and significance of potential frauds; and
• assessing effectiveness of anti-fraud controls in place.
Step 2: Setting the tone at the top with regard to the effectiveness and visibility of board and audit committee oversight. The activities associated
with oversight include:
• understanding what the most significant fraud risks are and where the organization may be susceptible to pressure, opportunity and rationalization
to commit fraud (“warning signs”)
• reviewing significant relevant transactions, asking difficult and probing questions, and developing alternative sources of information about what is
happening in the company with respect to fraud risks
• evaluating the programs and controls that management has developed for managing fraud risks
• cultivating an ethical corporate culture by ensuring a comprehensive and accessible Code of Conduct is developed and actively supported by
management and the audit committee
• independently assessing and monitoring effectiveness of the anti-fraud environment on a periodic basis.
Step 3: Evaluating the organizational structure in relation to existing anti-fraud policies and procedures. The activities associated with this
step rely on consideration of the:
• susceptibility of the organization structure to fraud – e.g., opportunity for management override of internal controls; locations where cultural
differences may overtly or inadvertently lead to the occurrence of fraud
• effectiveness of policies and procedures designed to prevent/detect fraud – e.g., performing background investigations of newly hired employees
and existing employees on a periodic basis, establishing whistle-blower hotlines, disclosure to regulatory and law enforcement authorities, and
developing controls over information security and records retention
• development of protocols and procedures in advance to handle suspected fraud if and when it does occur.
See CAQ Guidance section for the Center for Audit Quality’s (CAQ’s) 10 question guide for audit committees in exercising skepticism when
inquiring about financial reporting fraud.
Effective Mechanisms for Reporting, Investigating and Remediating Fraud
Even when there is effective oversight and the risk of fraud within an organization is significantly reduced as a result, there is always the possibility
that fraud will still occur. So, what does the audit committee need to do now to detect fraud at an early stage and be able to remediate the system
of internal control and minimize damage?
As required under the Sarbanes-Oxley Act of 2002, public entities are required to maintain effective whistleblower hotlines to handle employees’
allegations of financial reporting fraud. In addition to these hotlines, allegations of fraud can be identified through many other sources including
external and internal auditors, consultants, customers, vendors, anonymous tips, the SEC5 and others. Regardless of the source, audit committees
should demand immediate access to information supporting allegations of significant fraud occurring within the organization and give such matters
the highest priority.
Once suspected fraud comes to the attention of the audit committee, it should evaluate the need to conduct an independent investigation6 into
the alleged fraud.
Fiduciary responsibility is first and foremost! Independent investigations involve the following protocols and scoping
considerations, and the process often needs to be flexible and iterative. The audit committee may fulfill its responsibility by engaging investigative
counsel and forensic accountants, as appropriate7:
• identify who should be involved, both within and external to the company
• define specific roles and responsibilities of individuals
• perform an initial assessment to gather evidence and determine the potential scope/magnitude of the fraud
• identify individuals to interview and conduct thorough interviews
• determine additional procedures required (e.g., computer-assisted data analysis techniques, customer calls/confirmations, etc.)
• ensure regulatory or statutory requirements are appropriately met
• evaluate results and remediate
• determine whether disciplinary actions are appropriate or criminal charges should be brought
• ensure proper disclosures are made
• document findings (how the matter arose; who was involved; who was interviewed; what other evidence was discovered; how the matter was
handled; results and why certain conclusions were reached and how they were communicated)
• based upon the above, take preventive measures for the future, including making enhancements to internal controls
Regardless of whether an investigation is conducted in-house or is outsourced to an independent third party, the audit committee must be involved
in every step of the process and must have a plan in place in advance to “triage” instances of suspected fraud to ensure that each is handled properly
and by the right individuals. Along these lines, a best practice is to cultivate relationships with external advisors before their services may be
needed.
Audit committees need to be prepared to spend time and effort throughout the process, as these investigations often take on a life of their
own. At the end of this experience, ensure that there is proper reflection on what went wrong and that adjustments are made to policies, procedures
and controls and that education is provided throughout the organization to help prevent future recurrence.
For further guidance on conducting investigations, refer to BDO Consulting’s “Investigative Tips for the Non-Investigator” publication available
at: http://www.bdoconsulting.com/resources/thought-leaders/investigative%20tips.pdf
Summary
Facing allegations of fraud within an organization can be a frustrating and challenging time for those charged with governance. Cultivating an
ethical culture and having established policies/procedures and identified resources in advance of fraud allegations will allow those with oversight
responsibility the wherewithal to react quickly and effectively to combat fraud and minimize the damage to the organization.
5 The SEC may issue a letter known as a Wells Notice to individuals or companies when it is planning to bring an enforcement action against them. The Wells Notice indicates that
the SEC staff has determined it may bring a civil action against an individual or company, and provides the opportunity to the individual or company to provide information as to why the
enforcement action should not be brought.
6 Refer to the Ac’senseSM November 2010 Internal Investigation program for further insight into conducting an effective and efficient internal investigation at:
http://www.bdo.com/acsense/events/InternalInvestigations.aspx.
7 Note: Many of the protocols outlined can and should be established before fraud occurs and should be considered as part of the audit committee’s creation of an anti-fraud
environment.
CAQ Guidance: Inquiring about Financial Reporting Fraud – A Guide for Audit
Committees8
The following is a list of questions prepared as a guide for audit committees excerpted from the Center for Audit Quality’s (CAQ’s) 2010 report,
“Deterring and Detecting Financial Reporting Fraud – A Platform for Action.” The questions were prepared by the CAQ as a starting point in order
to “advance the thinking of audit committees around the most likely sources of weakness, with a particular eye for business pressures that may
influence accounting judgments or decisions.” Audit committees should customize these questions further to apply to their organizations:
1. What are the potential sources of business influence on the accounting staff’s judgments or determinations?
2. What pressures for performance may potentially affect financial reporting?
3. What about the way the company operates causes concern or stress?
4. What areas of the company’s accounting tend to take up the most time?
5. What kind of input into accounting determinations does non-financial management have?
6. What are the areas of accounting about which you are most worried?
7. What are the areas of recurring disagreement or problems?
8. How does the company use technology to search for an unnatural accounting activity?
9. If a Wall Street Journal article were to appear about the company’s accounting, what would it most likely talk about?
10. If someone wanted to adjust the financial results at headquarters, how would they go about it and would anything stop them?
8 Refer to the CAQ’s report on “Deterring and Detecting Financial Reporting Fraud – A Call to Action” available at: http://www.thecaq.org/Anti-FraudInitiative/CAQAntiFraudReport.pdf.
Recommended Anti-Fraud Program Resources9:
• BDO Consulting’s Fraud Prevention Program includes the following elements designed to assist management and audit committees in the
prevention, detection and remediation of fraud:
– Fraud risk assessment
– Fraud education
– Ethics awareness and education
– Background investigations
– Mechanisms for reporting and investigating fraud
– Board and audit committee oversight
For further information on how BDO Consulting can assist your company in forming an effective anti-fraud program, please visit:
http://www.bdoconsulting.com/services/fraud-prevention-consulting.aspx
• BDO’s Ac’senseSM program includes several CPE-worthy webinars/self-study courses on the topics of ethics (e.g., Ethics and the Corporate Board)
and fraud within the Focus on Fraud Series:
– Internal Investigations (2010)
– Focus on Fraud: Lessons Learned (2010)
– Focus on Fraud: Fraud and Misconduct in the Corporate World (2009)
– Focus on Fraud: The Series Continues (2009)
For further information and access to archived courses, visit: http://www.bdo.com./acsense/archive.aspx
The CAQ’s anti-fraud initiative site is available at: http://www.thecaq.org/Anti-FraudInitiative/index.htm. As part of this initiative, consider the
CAQ’s 2010 report “Deterring and Detecting Financial Reporting Fraud – A Platform for Action,” which focuses on financial reporting fraud at publicly-traded
companies of all sizes and is available at: http://www.thecaq.org/Anti-FraudInitiative/CAQAnti-FraudReport.pdf.
Association of Certified Fraud Examiners’ (ACFE) Fraud Resources available at: http://www.acfe.com/resources/resources.asp
The AICPA Anti-Fraud and Corporate Responsibility Center provides various tools and information to professionals in combating fraud available
within: http://www.aicpa.org
AICPA Fraud and Forensics publications – while aimed at CPAs, these resources may provide additional guidance useful to management and audit
committees and are available at: http://www.aicpa.org/Publications/Fraud/Pages/Fraud.aspx
9 At the time of release of this practice aid, the PCAOB has announced that it is in the process of establishing the Financial Reporting Fraud Resource Center to facilitate the prevention
and detection of financial reporting fraud. Its primary objectives will be to maintain and develop information related to financial reporting fraud, which can arise from a broad array of
factors, including accounting and disclosure, auditing, corporate governance, insider trading, executive compensation, economic and other environmental circumstances, among other
things. The Center will publish public reports on risks, and assist in developing educational materials, related to financial reporting fraud.
Material discussed in this guide and related practice aids is meant to provide general information and should not be acted upon without first obtaining professional advice appropriately tailored to your
individual circumstances.