Audit Committee Forum Position Paper 4 - Home - MIoD


Audit Committee Forum
Position Paper 4
Guidelines for the Audit Committee’s assessment and response to the Risk of Fraud
October 2016
Paper 4 1

About the Audit Committee Forum

Recognising the importance of Audit Committees as part of good Corporate Governance, the Mauritius Institute of Directors (MIoD) and KPMG have set up the Audit Committee Forum (the Forum) in order to help Audit Committees in Mauritius, in both the public and the private sectors, improve their effectiveness.

The purpose of the Forum is to serve Audit Committee members and help them adapt to their changing role. Historically, Audit Committees have largely been left on their own to keep pace with rapidly changing information related to governance, risk management, audit issues, accounting, financial reporting, current issues, future changes and international developments.

The Forum provides guidance for Audit Committees based on the latest legislative and regulatory requirements. It also highlights best practice guidance to enable Audit Committee members to carry out their responsibilities effectively. To this end, it provides a valuable source of information to Audit Committee members and acts as a resource to which they can turn for information or to share knowledge.

Previous Position Papers issued:
- Position Paper 1 (July 2014) sets out the essential requirements that should be complied with by every Audit Committee in accordance with the National Code of Corporate Governance.
- Position Paper 2 (May 2015) sets out how the Audit Committee can accomplish its duties through a collaborative relationship with two of the Assurance Providers, notably Internal and External Auditors.
- Position Paper 3 (December 2015) deals with the Audit Committee’s role in control and management of risk.

Position Paper series

The Position Papers, produced periodically by the Forum, aim to provide Board directors and specifically Audit Committee members with basic best practice guidance notes to assist in the running of an effective Audit Committee.

This Position Paper 4 deals with the Guidelines for the Audit Committee’s assessment and response to the risk of fraud.

The Forum’s primary objective is thus to communicate with Audit Committee members and enhance their awareness and ability to implement effective Audit Committee processes.

Current Members of the Forum

Collectively, the Forum is made up of the following members drawn from diverse professional backgrounds with significant experience in both the private and the public sectors.

- Gujadhur Anil (Chairman)
- Koenig Fabrice
- Chan Moo Lun Kim Chow
- Leung Shing Georges
- Chung John
- Molaye Sanjay
- De Chasteauneuf Jerome
- McIlraith Catherine
- De Marassé Enouf Maurice
- Nowbotsing Mohoni
- Dinan Pierre
- Ng Cheong Hin Christine
- Felix Jean-Michel
- Ramdin-Clark Madhavi
- Fernandez Zara Juan Carlos
- Rojoa Nashreen
- Goburdhun Khoymil
- Ujoodha Sheila

Secretary: Bishundat Varsha

Contents

1. Introduction 4
2. Responsibilities 5
3. What is the role of the Audit Committee? 7
4. Audit Committee approaches to fraud risk oversight 8
5. Effective fraud risk management 9
6. The Audit Committee’s response to fraud risk 12
7. Conclusion 13
Appendix 1: Glossary of fraud and related terminology 15
Appendix 2: Fraud risk factors 16

Introduction

Fraud can produce devastating effects on businesses. It cannot therefore be dismissed as a potential one-off risk and treated as a remote possibility. Despite an increasing multiplicity of safeguards put in place, the recurrence of fraud in one location after another indicates that only a proactive approach adopted by persons in charge of dealing with it can help mitigate its risk. An Audit Committee would be loath to endorse the correctness of financial statements which are later found to be tainted with fraud. It is one reason why Audit Committees should be ever on the alert about potential elements of fraud.

Fraud is generally defined as any intentional act or omission to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain. Fraud can create significant financial losses very quickly, but more importantly it can undermine the trust that our customers, employees, investors, partners and suppliers have in us.

Sophisticated technologies and increasingly complex global enterprises, transactions and financial reporting processes have added to the scope of businesses, but they have also expanded opportunities for fraud in a variety of areas.

Three conditions are found to increase the likelihood of fraud: (i) incentives and/or pressure, (ii) opportunities, and (iii) attitudes (e.g. lack of integrity, transparency, arrogance, etc.). These may be triggered by a myriad of factors, including some of the following main ones, besides further examples of fraud risk factors listed in Appendix 2:
- Inappropriate “tone at the top”
- Poor human resources screening processes during recruitment
- Weak internal controls
- Unquestioned and/or excessive authority in the hands of one or two senior executives
- Management compensation linked too closely to short-term financial results
- Poorly managed and poorly paid employees
- Lack of a comprehensive compliance programme.

Responsibilities

It is important to have dedicated persons responsible for tracking down and effectively thwarting attempts at fraud in the organisation. The Audit Committee will address itself directly to such identified persons to draw comfort from them specifically that any observed departure from normal trends is not due to fraud. It will be free, however, to raise any concerns it may have in this regard with persons who are not directly assigned the responsibility for dealing with potential cases of fraud.

The responsibilities of company officials, external parties, as well as the Fraud Investigation team and Internal Audit function, are summarised in the diagram below (Responsibilities of Company Officials in Fraud Detection):

Chief Executive Officer
- Overall responsibility for the prevention, detection and response to Fraud
- Report significant fraud risk areas to the Board

Management
- Implement a Fraud Risk Management system, including controls that prevent and detect fraud

Staff
- Identify loopholes in the control system and inform Management for action(s)
- Implicit duty to report any case of past, present or potential Fraud

External Parties (customers, suppliers, etc.)
- Implicit duty to report any case of past, present or potential Fraud
- Refuse to deal with unlawful and unethical parties

Internal Audit Function
- Assess the adequacy and effectiveness of the Fraud risk management system and recommend areas of improvement

Board of Directors or Audit and Risk Management Committee
- Set the standard and promote the awareness of Fraud Risk Management

Fraud Investigation Team
- Investigate any case of Fraud and report to Management for action and independently to the concerned CEO and Board

Direct responsibility for anti-fraud efforts would generally reside with a member of the senior management team, such as the Chief Financial Officer or another officer with specific anti-fraud compliance duties. This person would be responsible for co-ordinating the organisation’s approach to the prevention of fraud and misconduct, detection and response, without cluttering up the operational efficiency of the organisation. When suspicions of fraud and irregularity arise, this responsible person can draw together the right resources to deal with the problem, make necessary operational changes to ward off the danger and maintain a record of issues which gave rise to concerns.

The Audit Committee should keep itself fully in the picture about such matters as soon as an element of fraud is suspected in any area of activity, to satisfy itself that appropriate comprehensive corrective action is taken at the earliest possible opportunity.

The Compliance Officer (or any Officer with relevant duties) may also co-ordinate the organisation’s risk assessment efforts in this area by:
- Establishing policies and maintaining standards of acceptable practice;
- Overseeing the design and implementation of the institution’s anti-fraud programmes and controls; and
- Reporting to the Board and/or Audit Committee on the results of the institution’s fraud risk management activities.

The Internal Audit function is a key participant in anti-fraud activities, supporting management’s approach to preventing, detecting and responding to fraud and irregularity. Integrity and independence of team members of Internal Audit in carrying out their work is of primordial importance.

Typically, Internal Audit is tasked with:
- Planning and evaluation of the design and operating effectiveness of anti-fraud controls;
- Assisting in the fraud risk assessment and helping to draw conclusions as to appropriate mitigation strategies; and
- Reporting to the Audit Committee on internal control assessments, audits, investigations and related activities, and if necessary, privately.

The External Auditors have a duty to report to those charged with governance (usually the Audit Committee) any serious weaknesses, fraud, irregularities or internal control breakdowns they come across in the normal course of their duties.

It should be standard practice for the External Auditor to meet annually with the Audit Committee members, typically at the audit planning stage and at the end of the audit prior to sign-off of the financial statements.

It is further recommended that the Audit Committee meets with the External Audit Partner separately, in the absence of Management, at least once a year. Having a private session with External Audit representatives provides an important opportunity for the Audit Committee to raise issues, ask questions and seek feedback from External Audit in the absence of Internal Audit and/or Management, as and when necessary.

What is the role of the Audit Committee?

With the increased awareness of fraud risks – and their financial, legal and reputational consequences – Audit Committees are re-evaluating their role, responsibilities, relationships and practices with a view to enhancing oversight of the financial reporting process in general and, in particular, the areas that present the greatest risk of fraud.

In terms of the revised International Standard on Auditing (ISA) 240: The auditor’s responsibility to consider fraud in an audit of financial statements, it is primarily the responsibility of management, along with the oversight of those charged with governance, to place a strong emphasis on fraud prevention and to establish and maintain internal controls to prevent and detect fraud. But certain managements do not always assume this responsibility with the earnestness it calls for, and are sometimes even involved in concealing certain facts which may occasion fraud. This kind of risk heightens the independent oversight which an Audit Committee should exercise to overcome any managerial shortcomings in monitoring closely the fraud risk factor.

The Audit Committee may also be charged with overseeing the overall risk management approach of the organisation. In such a case, it will ensure that there exists an environment conducive to preventing, detecting and mitigating fraud risks. In the event the Audit Committee is also charged with overall risk management, it may refer the responsibility for setting up and maintaining such an environment to the Risk Committee, without thereby absolving Management from its primary responsibility to place appropriate controls and monitor their regular implementation on a day-to-day basis.

The Audit Committees thus play a prominent role in overseeing investigations into significant fraudulent actions, and ensuring that due processes are followed. ISA 240 requires those charged with governance, e.g., the Audit Committee, to consider and contain the potential for Management to deliberately override controls or exert other inappropriate influence over the financial reporting process.

Audit Committee approaches to fraud risk oversight

Audit Committees are taking a variety of approaches to satisfy their oversight of management’s process of preventing, detecting and reporting corporate fraud. This is done by reference to, amongst others:
- Regular and on-going assessment of fraud risks at the level of the organisation
- Continuing company education and training to keep alive and enhance awareness/detection of fraud at early stages
- New or enhanced “whistle-blower” policies and procedures
- Employment of additional resources and tools to assist with fraud prevention and detection efforts, such as Internal Audit, a dedicated fraud prevention team, as well as use of fraud-tracking and monitoring software
- A detailed fraud response or mobilisation action plan to arrest and/or minimize adverse impact of fraud on the organisation in case of emergencies
- Regular assessment of the entity’s insurance cover
- A regularly updated fraud prevention plan
- Learning from reported fraud events in other companies to avert similar risks in the company
- Independently sourced information from external parties on due diligence.

For a Group, it will usually be necessary for the Audit Committee of the parent company (the Group Audit Committee) to review issues that relate to significant subsidiaries or activities carried out by the Group. Consequently, the parent Board should ensure that there is adequate cooperation within the Group (and with Internal and External Auditors of individual companies within the Group) to enable the Group Audit Committee to discharge its responsibilities effectively. To the extent possible, it is advisable for a Group Audit Committee member to also sit on the Audit Committee of significant subsidiaries.

Effective fraud risk management

It is the role of the Audit Committee to ensure that the organisation is equipped with appropriate fraud risk management tools and practices. It should ensure the pragmatic implementation of good practices to ward off risks of fraud. For example, it should ascertain whether all sensitive areas (e.g. handling of cash and valuables) are always submitted to the ‘four eyes’ principle at least, thus insulating the company from risk exposure to one or a couple of ill-intentioned complicit officers.

Fraud risk management is an essential part of good business practices. Having policies in place to prevent, detect and respond to fraud is crucial, although their success is dependent upon whether the policies are enforced with results to show actual effectiveness or whether they are ‘just for show’. When these policies are backed by a consistent “meaning-business” tone from the top, company-wide education and awareness, and effective enforcement, they can go a long way towards mitigating the risk of fraud by enforcing a culture of an impregnable internal sense of discipline and commitment. Where cases of fraud are dealt with uncompromisingly, the correct signal is also being sent at all levels not even to contemplate indulging in such activity.

However, even companies that have robust internal controls in place can be susceptible to fraud. For example, when internal controls are compromised — such as through management override or collusion between employees and third parties — it is possible for perpetrators to hide their fraudulent activities and make their detection very difficult. Potential for insider collusion in the perpetration of fraud must be technically identified and dealt with immediately. All loose ends must be identified and brought under control by proper processes and strict procedures.

While there is broad agreement that fraud risk management is an important activity in a well-run company, there is always room for improvement in applying this in practical terms. Opportunities for fraud arise in the evolution of companies’ lines of business or from adoption of new and sophisticated tools to record transactions. The converse is also true in areas where changes are slow, for example, fraud associated with manipulation of funds in dormant customer or internal accounts.

Effective fraud mitigation requires companies to have strong fraud risk management practices in place. More importantly, Audit Committees must ensure that these systems go beyond simple formalities and are actually backed up by the substance of robust procedures and a willingness to plug loopholes before they are employed to the detriment of the company.

Also, a history of no fraud in a company should not be interpreted to mean that it is not exposed to the risk of fraud. The Audit Committee should remain on the lookout for potential loopholes which may be fraudulently exploited due to complacency.

The following factors are essential to the management of the risk of fraud within the company:

(i) Capabilities of Audit Committee members

Audit Committee members equipped with the right skills stand as a vanguard to protect their companies from falling victim to fraud. They are often required to deal with complex situations, especially when it comes to potential cases of fraud. If they can develop a comprehensive understanding of the entity’s business and possess the necessary analytical skills to deal with issues, they will constitute a valuable asset in the fight against fraud.

Without the apt skills, it will be difficult for them to detect fraud, given the complex environment in which financial structures work. For example, an important skill which should be mastered by Audit Committee members is to understand the importance of balance sheet reconciliation to identify possible irregularities. Audit Committee members are responsible for scrutinising their company’s financial statements and addressing possible areas of fraud. They need to employ their skills to take a closer look at their company’s systems and processes to determine how robust they are and in which areas improvements can be made.

Effective Audit Committees also require Independent Directors to be truly independent and objective, even if this runs contrary to what other Committee members may want. If Audit Committee members enjoy their independence and objectivity, they are more likely to be effective in identifying and counteracting fraud — especially if the fraud is the result of Management override. The question is: are Audit Committee members willing to stand up and challenge management, where the need arises?

An Independent Director is a director who is non-executive and who can exercise independent judgment in the carrying out of his/her duties, has an outstanding independence of mind, free from any direct or indirect interests in the discharge of the duties as a member of the Audit Committee.

(ii) Competency of Internal Auditors

It is necessary to have Internal Auditors capable of monitoring the system and identifying possible cases of fraud.

For Audit Committees, an important question to consider is whether the company has Internal Audit with a blend of competencies and sufficient knowledge of fraud to identify red flags indicating fraud may have been committed. If that is not so, they should do all they can to equip the Internal Audit team with the means to deliver with competence and high integrity on their assignment.

(iii) Strategies for risk mitigation

It may never be possible to eliminate fraud completely. There will always be people — whether driven by greed, financial difficulty or other motivations — finding new ways to beat the system and avoid detection. If someone wants to beat the system, the question is: how can we detect it as soon as possible?

The best that Audit Committees, Management and Regulators can do is to ensure that their fraud risk management frameworks are robust and constantly evolving. The following are some insights which may be employed in implementing a sound fraud risk management framework:

- Learn from the past. One pitfall facing some Audit Committees is that they tend to be reactive rather than proactive: they take the necessary action when an incident of fraud arises, but they do not always learn the lesson that will help them prevent an identical fraud from recurring.
- Adopt a holistic approach. Fraud can potentially take place in any part of a business, so for maximum effectiveness, fraud prevention must be tackled holistically. Unfortunately, this is not always done, as some companies implement fraud prevention measures on a piecemeal basis without much thought given to how different aspects of the business relate to each other. All strategies for fraud prevention must be combined into a unified and effective one. If there is unusual smoke in some area, it is important to find out the fire which is the cause behind it and deal with the situation comprehensively.
- Ensure autonomy in reporting. When it comes to fraud detection and compliance, the individuals reporting on these issues should have as much autonomous independence as possible. This is important to prevent them from being pressured into ‘watering down’ or holding back their concerns, thus undermining the full understanding of the systemic nature of the fraud risk from the perspective of the business as a whole.
- Back policies with enforcement. Many companies have a lot of top-down emphasis on fraud prevention and compliance with internal controls. However, this is often not backed up by sufficient enforcement and follow-through. For fraud prevention measures and internal controls to be effective, there must be strong support from top management to ensure that these policies are taken seriously.

The Audit Committee’s response to fraud risk

Importantly, the Audit Committee must be informed and actively engaged in overseeing the process while avoiding taking on the role or responsibilities of management.

To this end, Audit Committees should consider the following activities:
- Assess, monitor and influence the tone at the top and reinforce a zero-tolerance policy for fraud
- Evaluate Management’s process and procedures for:
  – the identification and mitigation of fraud risk, including the measures implemented by Management designed to help detect and prevent fraud;
  – spotting and acting to stop cases where top cadres of the company adopt a self-interested condescending/constructive attitude towards higher-level decisions involving potential fraudulent activities;
  – verifying and reporting on reasons for unusual departures (up or down) from previous volumes of business flows in specific areas of the company’s activities;
  – ensuring that past dues/non-performing debts owing to or owed by the company are not deliberately understated/overstated to window-dress accounts;
  – screening potential employees, including whether proper background checks are performed and duly acted upon so as not to expose the company;
  – significant estimates used in the financial reporting process;
  – the processing of manual journal entries and reporting cycle of the closing process;
  – follow-on process for comments received from stakeholders or anonymous letters; and
  – establishing a whistle-blower process.
- Provide oversight to management’s internal controls and contemplate the potential for management override of, or inappropriate influence over, those controls
- Compare the reasonableness of financial results with prior or projected results and consider quarterly analysis of key provisions
- Provide other fresh insight into and guidance on implementing or strengthening fraud prevention and detection measures, including by seeking any independent views from outside sources when it is felt that sourcing such information could throw better light on suspected cases of fraud involving the company.

Conclusion

As is well known, the nature of fraud keeps evolving. The scale of its impact on individual companies can be significant. Substantial powers are sometimes given to some individuals/committees within companies which are sometimes unaccountably employed by specific members of those committees to bind the companies into unreasonable and untenable situations. Their decisions can sometimes prove to be catastrophic to the concerned companies, without constituting what may be termed as a ‘fraud’, in as much as they appear to be within the powers conferred upon them when doing the transactions. Companies may protect themselves against fraud/abuse precisely by keeping under the hardest scrutiny powers which have been unduly appropriated by one or a few to override the collective systems and controls, whether through explicitly given powers or by undertaking fraudulent practices.

“Organisations have to design anti-fraud mechanisms that look both ways, inside and outside. And they need to be aware of the possibility that a lone fraudster from the inside may be working with a sizeable group of people on the outside. There are many permutations organisations must guard against.”
Global profiles of the fraudster (KPMG, 2016)

Appendices

Appendix 1
Glossary of fraud and related terminology

Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss or the perpetrator achieving a gain. Actions taken on behalf of the organisation for its benefit but to deceive and cause another party to suffer a loss are also considered as Fraud. Below is a non-exhaustive list of fraud to be used as guidance and must be read in conjunction with the applicable legislation of the Law of Mauritius such as, but not limited to, “The Prevention of Corruption Act, 2002”, “The Financial Intelligence and Anti-Money Laundering Act, 2002”, etc.

The glossary groups these types of fraud under five headings: Asset, Expense, Relationship, Accounting and Tax, and Others.

Asset Misappropriation: Stealing cash or assets and concealing the theft
Lapping: Diverting payments from a customer for personal use and using payments from other customers to cover missing payments
Data Misappropriation: Theft or wilful destruction or removal of company records
Disbursement Fraud: A person causes the organisation to issue a payment for fictitious goods/services, inflated invoices or invoices for personal purchases
Expense Reimbursement Fraud: An employee is paid for fictitious or inflated expenses (e.g. reimbursement for personal travel)
Payroll Fraud: Creating a fictitious employee for invalid payment / manipulating personnel records for personal gain such as overpayment of overtime
Conflict of Interest: Undisclosed personal economic interest in a transaction that adversely affects the organisation, or the shareholders’ interests
Insider Dealing: Unauthorised use or disclosure of confidential information for personal gain
Diversion: An act to divert a potentially profitable transaction to an executive or any other employee
Favouritism/Nepotism: The favouring of one person or group over others with equal claims and potential
Related Party Activity: One party receives some benefit not obtainable in an arm’s length transaction
Financial Statement Fraud: Manipulating records which affect the financial statement to one’s advantage
Information Misrepresentation: Providing false information, usually to those outside the organisation
Tax Evasion: Intentionally avoiding paying the actual tax liability (including by transfer pricing)
Inefficiency/Mismanagement: Managing incompetently or dishonestly
Blackmail: To extract money from a person by the use of threats
Corruption: Misuse of entrusted power for private gain
Bribery: Offering, giving, receiving or soliciting of anything of value to influence an outcome

Appendix 2
Fraud risk factors

As Audit Committees work to understand management’s risk assessment and risk management policies, they should consider any cultural or organisational aspects of the entity that may be a potential risk factor of fraud. Those who have been long enough in the organisation are conscious of weak control areas and it is important to ensure that such knowledge is not employed to the detriment of the organisation or to that of the persons it deals with.

Possible risk factors include the following:

Risk factors relating to management characteristics:
- Abuse of authority by the CEO or Chairperson of the Audit Committee
- The Top Manager being the decisive person in the allocation of contracts on behalf of the company and, hence, in deciding the pay-out for them for deriving personal advantage to the detriment of the company
- A significant portion of management’s compensation is represented by bonuses, stock options, or other incentives, the value of which is contingent upon the entity achieving aggressive targets for operating results or financial position
- An excessive interest in maintaining or increasing the entity’s stock price or earnings trend through the use of unusually aggressive accounting practices
- Non-financial management’s excessive participation in, or preoccupation with, the selection of accounting principles for the determination of significant estimates
- A practice by management of committing to analysts, creditors, and other third parties to achieve what appear to be aggressive or unrealistic forecasts
- High turnover of accounting personnel, senior management, counsel, or board members
- Tolerance by management of absence of dual or full controls in sensitive areas of work, such as handling of cash
- Known history of law violations or claims against the entity or its senior management alleging fraud or violations of laws, including tax structures
- Strained relationship between management and the current or the previous external auditors
- Management recommendation for changes in auditors
- Infighting among top management
- Management and certain key stakeholders’ insistence to be personally present at all times during all Audit Committee meetings wit
