Principles of Fraud Examination 2nd edition by Joseph T. Wells

Joseph T. Wells is a master at communicating fraud examination techniques to those interested in Occupational Fraud and Abuse. The book, Principles of Fraud Examination, starts off with a basic overview of the history of Occupational Fraud and Abuse, touching on subjects such as Donald Cressey’s Fraud Triangle, Dr. W. Steve Albrecht’s Fraud Scale, Richard C. Hollinger and the Hollinger-Clark study, and a wealth of statistics from the 2006 National Fraud Survey conducted by the Association of Certified Fraud Examiners (ACFE).

The book is well laid out around the three main categories of Occupational Fraud and Abuse (Corruption, Asset Misappropriations, and Fraudulent Statements). It then breaks each category down further into specific schemes to help fraud examiners classify each type of fraud. Each chapter ends with a summary, essential terms, review questions, discussion issues, and endnotes. Perhaps the most useful tool for fraud examiners is the addition of Proactive Computer Audit Tests for detecting many of the different types of fraud. These tests provide details that can help an organization detect Occupational Fraud and Abuse.

While some books about fraud can get boring, Principles of Fraud Examination, 2nd edition, keeps you entertained with real-world examples pulled from different areas of the financial world. Joseph T. Wells brings Occupational Fraud to life with his enthusiasm for and dedication to Fraud Examination. I would recommend this book to anyone who wants a better understanding of Occupational Fraud and Abuse.

By: Joseph Dustin

Billing Fraud - Is Anyone Immune?

When it comes to billing fraud schemes, not even the United States Government is immune from being the victim. A fraud survey conducted by the Association of Certified Fraud Examiners (ACFE) in 2006 states,

“Among the fraudulent disbursement categories, billing schemes were most commonly reported... Of 675 reported fraudulent disbursement cases, 44 percent involved billing fraud.” (Wells, 2008)

The ACFE report also stated a median loss of $130,000 per incident. In a recent case, the United States Government was overcharged on a multi-billion dollar contract to supply food for soldiers in Iraq, Kuwait, and Jordan. The Department of Justice issued a press release on 16 November 2009 stating,

“PUBLIC WAREHOUSING COMPANY, K.S.C., (“PWC”) a logistics company organized under the laws of the Nation of Kuwait has been indicted by a federal grand jury on multiple charges of conspiracy to defraud the United States, committing major fraud against the United States, making false statements, submitting false claims and wire fraud.” (UNITED STATES ATTORNEY’S OFFICE, 2009)

The indictment charges PWC with six counts. Count two in particular alleges a conspiracy based on PWC fraudulently over-billing the United States through multiple means. In brief, the alleged means are as follows:

1. Intentionally failing to purchase less expensive food items when a vendor would not provide PWC with a discount.

2. Fraudulently over-billing the United States by having vendors use a consolidation facility and placing the consolidation costs, plus a PWC profit, into the Delivered Price paid by the United States, contrary to the prime vendor contracts.

3. Knowingly manipulating and inflating Delivered Prices.

The indictment goes into further detail about how some of the alleged billing fraud occurred. PWC would call vendors insisting they provide a discount, and would have the discount labeled in a way that did not require PWC to pass it on to the U.S.

On other occasions PWC would ask vendors for a “prompt payment discount” in exchange for granting the vendor “preferred customer” status, which brought that vendor an increase in business.

When a vendor refused to label discounts as a “prompt payment discount,” PWC would ask the vendor to label the discount a “damage allowance.” At times PWC would ask a vendor to increase its “prompt payment discount”; once the vendor agreed, more business would be shuffled to that vendor.

PWC also fraudulently inflated the distribution fees it billed to the United States by soliciting vendors to manipulate the way products were packed, allowing PWC to bill the U.S. twice as much as it should have.

The United States Government was made aware of the fraud by a lawsuit filed under the qui tam provisions. According to Jim Higgins,

“Potential purposeful government misbillings came to light in 2005 thanks to a qui tam relator, one Kamal Mustafa Al-Sultan whose company partnered with the company that would become Agility. Justice Department officials have decided to join the civil whistleblower action, providing credence to Al-Sultan’s claims. Al-Sultan stands to share in 15% and 25% of the government’s recovery if it is decided that misbilling fraud has occurred against the military.” (Higgins, 2009)

The U.S. Government's practice of rewarding whistleblowers is paying off in this case and may be something to think about implementing within corporations.

As this case unfolds, the extent to which the United States Government was allegedly defrauded appears extremely high. My initial thought was that the only victim in this case is the U.S. Government. On further reflection, however, I find myself thinking that PWC is also a victim.

PWC stands to lose a multi-billion dollar contract. A loss of revenue this big could quite easily spell disaster for PWC and all of its employees.

How can a company protect itself from the few rogue employees that can plague a corporation?

The ACFE’s 2008 Report to the Nation on Occupational Fraud and Abuse asked, “How important are the following controls for preventing fraud?” The list included Internal Audit Department, Surprise Audits, Management Review of Internal Controls, Fraud Hotlines, Mandatory Job Rotation/Vacations, and Rewards for Whistleblowers. (Slater, 2008)

An Internal Audit Department rang in at number one, and having a CFE on staff can go a long way toward stopping ongoing fraud. Another way to prevent billing fraud is through internal controls. Internal controls are simply the policies and procedures created to ensure business is conducted properly. One of the policies that should be addressed within your internal controls is separation of duties. A separation of duties policy makes it much harder for an employee to commit fraud without collusion. (Rogers) In accounts payable, for example, that means no single person should be able to set up a vendor, enter its invoices, and approve payment to it.
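As an added example (not from the post, the ACFE, or Wells's book), here is the kind of proactive computer audit test that turns a separation of duties policy into something an Internal Audit Department can actually run against accounts-payable data. The record layout, user IDs, vendor IDs and amounts are constructed for illustration; a real run would pull the vendor-master history and the invoice entry/approval trail from the ERP's audit log.

```python
"""Proactive audit test: separation of duties over accounts-payable data.

Added example (not from the post, the ACFE, or Wells's book). The record
layout, user IDs, vendor IDs and amounts are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    created_by: str          # user who set the vendor up in the master file


@dataclass(frozen=True)
class Payment:
    invoice_id: str
    vendor_id: str
    entered_by: str          # user who keyed the invoice
    approved_by: str         # user who released the payment
    amount: float


def sod_violations(vendors, payments):
    """Return (invoice_id, reason) for every payment where one person held
    two of the three roles: vendor setup, invoice entry, payment approval.
    Payments to a vendor missing from the master file are flagged as well,
    since a shell vendor is the usual vehicle for a billing scheme.
    A clean AP process needs collusion to get past these checks."""
    creator = {v.vendor_id: v.created_by for v in vendors}
    findings = []
    for p in payments:
        who_created = creator.get(p.vendor_id)
        if p.entered_by == p.approved_by:
            findings.append((p.invoice_id, "entered and approved by the same user"))
        if who_created == p.approved_by:
            findings.append((p.invoice_id, "approved by the user who created the vendor"))
        if who_created == p.entered_by:
            findings.append((p.invoice_id, "entered by the user who created the vendor"))
        if who_created is None:
            findings.append((p.invoice_id, "vendor not in master file"))
    return findings


def exposure_by_user(vendors, payments):
    """Dollar total of flagged invoices, keyed by the user who released the
    cash, so the examiner knows where to look first. Each invoice counts once
    even if it tripped several checks."""
    flagged = {inv for inv, _ in sod_violations(vendors, payments)}
    totals = defaultdict(float)
    for p in payments:
        if p.invoice_id in flagged:
            totals[p.approved_by] += p.amount
    return dict(totals)


# Constructed sample data (not real AP records).
SAMPLE_VENDORS = [
    VendorRecord("V-100", "alice"),
    VendorRecord("V-200", "bob"),
    VendorRecord("V-300", "carol"),
]
SAMPLE_PAYMENTS = [
    Payment("INV-1001", "V-100", "erin", "dave", 1200.00),   # clean: three different people
    Payment("INV-1002", "V-200", "bob", "bob", 4800.00),     # bob did all three steps
    Payment("INV-1003", "V-300", "frank", "carol", 950.00),  # carol created V-300 and approved
    Payment("INV-1004", "V-999", "erin", "dave", 2200.00),   # vendor never set up in master file
]


if __name__ == "__main__":
    for invoice, reason in sod_violations(SAMPLE_VENDORS, SAMPLE_PAYMENTS):
        print(f"{invoice}: {reason}")
    print(exposure_by_user(SAMPLE_VENDORS, SAMPLE_PAYMENTS))
```

The output is a review list, not proof of fraud: a small shop may legitimately have one person wearing two hats, which is exactly why the ACFE list above pairs separation of duties with surprise audits and management review.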

As you can see, anyone can become a victim of billing fraud, even the U.S. Government. Companies stand to lose everything when fraud runs rampant from within. There are procedures that can help deter or detect ongoing fraud.

With procedures in place like whistleblower rewards, internal controls, and Internal Audit Departments staffed with CFEs, fraud becomes more difficult to commit. Only by continually re-analyzing our company’s policies and procedures can we continue to grow our knowledge in fighting all types of fraud.

By: Joseph Dustin


Wells, J. T. (2008). Principles of Fraud Examination (2nd ed.), p. 96. Hoboken, NJ: John Wiley & Sons, Inc.

ATM Skimming - On the Rise!

As economic hardship falls upon our nation and the unemployment rate rises, many families are left to endure these trying times while making do with less. When pressured to feed one’s family, some people may turn to criminal activities to supplement their dwindling income.

The Association of Certified Fraud Examiners (ACFE) has stated that during economic hardship the rate of fraud also rises. (ACFE, 2009) The ACFE also believes the rate of fraud will continue to rise until the economy returns to favorable conditions. No one can foresee when the economy will bounce back; companies must be prepared for an increase in fraud and build the proper risk management steps into their risk appetite.

One such criminal activity that is stealing headlines around the nation is the ATM skimming scheme. ADT, a leader in security systems, defines ATM skimming as,

ATM skimming is when criminals electronically steal or “skim” a cardholder’s personal financial information during ATM transactions. By fitting an unseen portable electronic card reader and mini camera onto an ATM, they can potentially “cash out” debit card accounts, clone new debit/credit cards or sell cardholder personal information to crime syndicates. (ADT, 2009)

Why ATM skimming schemes attract so much publicity these days, and how companies can deter fraudsters from defrauding them, is a hot subject.

To get a better look at why ATM fraud is growing, we need to take a closer look at how skimming schemes in general are committed. According to Joseph T. Wells, CFE, “when it comes to skimming used in fraud schemes, it’s important to remember the “Three R’s”: revenues, receivables, and refunds.” (Wells, Skimming: The Achilles’ Heel of the Audit?, 2007)

Skimming of receivables and of refunds both require the fraudster to alter the accounting books to cover up the theft, which makes those two harder to conceal. Skimming of revenues, however, takes place before anything is entered into the books, which makes it the most difficult to detect in an audit. Note that Wells is using “skimming” in its accounting sense, taking cash before it is recorded; ATM skimming borrows the word for copying card data at the terminal, a different mechanism, but one that likewise happens outside the victim’s own records. Recent news reports of ATM skimming schemes are not in short supply.

ATM skimming schemes have cropped up in Tennessee, Maryland, Illinois and Georgia, and that is just the tip of the iceberg. In the scheme that hit Nashville, police reported over 600 individuals victimized, and 60 of them had fraudulent withdrawals from their accounts of anywhere from $100 to $5,000. (McGlasson, 2009)

The recent ATM skimming operations in Maryland, Illinois and Georgia have netted over $120,000, according to the law enforcement agencies investigating the crimes. (McGlasson, ATM Fraud: New Skimming Scheme Spreads, 2009)

Once an ATM skimming fraud occurs, what can fraud examiners do to investigate an incident?

In Joseph T. Wells’ book, Principles of Fraud Examination, Wells goes on to say that “essentially three tools are available regardless of the nature of the fraud examination.” (Wells, 2008)

These three tools are: skill in the examination of financial statements, conducting interviews, and observation. Using these three techniques can help us determine whether fraud has occurred and perhaps identify the perpetrators involved.

A fraud case generally begins with predication. Predication is the totality of circumstances that would lead a reasonable, professionally trained, and prudent individual to believe a fraud has occurred, is occurring, and/or will occur. (Wells, Principles of Fraud Examination, 2008)

Using the Fraud Theory Approach as a guideline for our fraud examination, we can get a better understanding of the fraud. At the onset of a fraud examination, the fraud examiner might be called by a concerned customer who has discovered a device used for ATM skimming, or might receive a customer complaint about missing funds from a bank account. Either would give the fraud examiner predication to launch the investigation.

First, I would analyze all current data from the contact, such as the what, when, where, and how of the alleged fraud, using the interviewing tool. If an ATM device was discovered, I would go to the site, using the observation tool, to determine whether the device was operational or a hoax.

Next, if the device was operational, I would review the surveillance tapes, if available, to determine when the device was installed and became active. Once that time is known, a record check of all card activity at that ATM from that point on should be reviewed to determine whose cards might have been compromised, using the third tool, examination of financial records. At this point a decision will need to be made on how to stop the removal of cash from the compromised accounts, and a call to the FBI might be in order to help find the fraudster before the scheme moves forward.
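The record check in that last step, as an added example that is not part of the original post or any bank's tooling. Given the times the skimmer was installed (from the surveillance tape) and recovered, and a constructed transaction log covering the skimmed ATM and others, it lists the cards exposed while the device was in place, flags later withdrawals on those cards at other terminals, and separately flags any card used at two different ATMs within a short window, which is the pattern a cloned card produces. ATM IDs, card tokens, times and amounts are all made up.

```python
"""Compromise-window correlation for an ATM skimmer incident.

Added example, not from the original post or any bank's tooling. All ATM
IDs, card tokens, timestamps and amounts below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    atm_id: str
    card_token: str   # tokenized card reference; never the real PAN
    amount: float


def _sorted(log):
    return sorted(log, key=lambda t: t.when)


def exposed_cards(log, atm_id, installed, removed):
    """Cards used at the skimmed ATM while the device was in place."""
    return {t.card_token for t in log
            if t.atm_id == atm_id and installed <= t.when <= removed}


def suspect_withdrawals(log, atm_id, installed, removed):
    """Transactions on exposed cards at *other* ATMs after the card's first
    exposure. Legitimate use is flagged too: this is a review list, not proof."""
    first_exposed = {}
    for t in _sorted(log):
        if t.atm_id == atm_id and installed <= t.when <= removed:
            first_exposed.setdefault(t.card_token, t.when)
    return [t for t in _sorted(log)
            if t.card_token in first_exposed
            and t.atm_id != atm_id
            and t.when > first_exposed[t.card_token]]


def rapid_reuse(log, window):
    """Consecutive transactions on one card at two different ATMs within
    `window`. A cardholder cannot be in two places at once, so this is the
    signature of a cloned card being cashed out while the original is in use."""
    by_card = defaultdict(list)
    for t in _sorted(log):
        by_card[t.card_token].append(t)
    pairs = []
    for txns in by_card.values():
        for a, b in zip(txns, txns[1:]):
            if a.atm_id != b.atm_id and b.when - a.when <= window:
                pairs.append((a, b))
    return pairs


# Constructed incident data: skimmer found on ATM-17; surveillance shows it
# being fitted on the evening of 10 Nov 2009; recovered the morning of 12 Nov.
SKIMMED_ATM = "ATM-17"
INSTALLED = datetime(2009, 11, 10, 18, 0)
REMOVED = datetime(2009, 11, 12, 9, 30)

SAMPLE_LOG = [
    Txn(datetime(2009, 11, 10, 12, 0), "ATM-17", "card-A", 60.00),    # before install
    Txn(datetime(2009, 11, 10, 19, 15), "ATM-17", "card-B", 40.00),   # exposed
    Txn(datetime(2009, 11, 11, 8, 5), "ATM-17", "card-C", 100.00),    # exposed
    Txn(datetime(2009, 11, 11, 8, 12), "ATM-42", "card-C", 300.00),   # 7 min later, other ATM
    Txn(datetime(2009, 11, 11, 22, 40), "ATM-42", "card-B", 500.00),  # cash-out
    Txn(datetime(2009, 11, 12, 7, 10), "ATM-17", "card-C", 20.00),    # exposed again
    Txn(datetime(2009, 11, 13, 1, 30), "ATM-99", "card-C", 480.00),   # cash-out
    Txn(datetime(2009, 11, 13, 10, 0), "ATM-42", "card-A", 30.00),    # never exposed
    Txn(datetime(2009, 11, 13, 11, 0), "ATM-42", "card-D", 50.00),    # never at ATM-17
]


def incident_report(log=SAMPLE_LOG, atm_id=SKIMMED_ATM,
                    installed=INSTALLED, removed=REMOVED,
                    window=timedelta(minutes=30)):
    """Bundle the three checks into one structure the examiner can hand to
    the bank's card-operations team for blocking and reissue."""
    return {
        "exposed": sorted(exposed_cards(log, atm_id, installed, removed)),
        "suspect": [(t.when.isoformat(), t.atm_id, t.card_token, t.amount)
                    for t in suspect_withdrawals(log, atm_id, installed, removed)],
        "rapid_reuse": [(a.card_token, a.atm_id, b.atm_id,
                         int((b.when - a.when).total_seconds() // 60))
                        for a, b in rapid_reuse(log, window)],
    }


if __name__ == "__main__":
    for key, value in incident_report().items():
        print(key, value)
```

The exposed list is what gets blocked and reissued; the suspect and rapid-reuse lists are what goes to the FBI, and the surveillance frame that fixed the install time is what makes the window defensible rather than a guess.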

To help deter this type of fraud, there are a few things a company can do to protect itself. First, a general understanding of how and why fraud occurs is helpful. Donald R. Cressey’s fraud triangle can give us a better understanding of what is needed to stop fraud. Cressey’s fraud triangle has three elements: opportunity, pressure, and rationalization. According to Cressey, all three elements need to be present for fraud to occur. (Kardell, 2007)

Of the three elements, opportunity is the one to eliminate in ATM skimming, since the other two are out of your control: the fraudster does not work at your company. Banks will need to protect the ATM with anti-skimming devices to stop the fraud devices from working and protect their customers. As customers, there are a few ways to protect ourselves from becoming victims of ATM fraud: be alert to jammed ATMs, protect your PIN by covering the keypad when you enter it, try to use ATMs during daylight hours, and periodically check your bank account for unauthorized transactions. (LGCU.ORG)

ATM skimming fraud costs banks an ample amount of money each year. As fraud examiners, we must take precautions to prevent ongoing frauds. ATM skimming schemes may be on the rise, but we don’t have to be victims. Banks need to secure their ATMs against skimming, but they are not the only ones with a part in making sure ATM cards are not skimmed. As cardholders we have an obligation to do our part and secure our cards from fraudsters.

By: Joseph Dustin

About Me

My name is Joseph Dustin. I work for a Public K-12 School District as an Accounting Information Systems Specialist in Tulsa, Oklahoma. I have been with the district for the last 4 years providing support and analysis of all financial software, hardware, and associated equipment. We are currently involved in rolling out a new Financial System (including HR, Payroll, AP, AR, Financial Reporting, and many other modules). I have worked in the Electronics and Information Technology Industry since 1998.

I first started college back in 1999 at Spartan College of Aeronautics, where I earned my Associate degree in Electronic Communications. After graduation I started working for LaBarge Inc., a producer of high-quality printed circuit boards for applications where durability and peak performance are vital, including military aircraft, radar systems, satellite launch vehicles, airport security equipment, glass container fabrication systems, and oil field tooling.

I was in the Oklahoma Army National Guard (Thunderbirds) for six years, from 2001 to 2007. From 2003 to 2004 our unit received the call to move operations to Camp Phoenix, Afghanistan. In Afghanistan, I learned first-hand the importance of ethical decision-making and the impact it has on a mission's success or failure.

In September 2005, Hurricane Katrina devastated several Gulf Coast states, including Louisiana and the city of New Orleans. My unit received the call to help provide relief to the crippled city. My time in New Orleans showed me how a few random acts of kindness can change the course of a life, and the resilience of the American people when faced with the most dire situations.

During my enlistment in the military, I managed to find time for college and earn my Bachelor's degree in Information Technology.

I married my childhood sweetheart, Kristina, in 1996, and we have three children. She is the inspiration that drives me to one day inspire a business culture built on ethics.

I received my Master's degree in Business Ethics and Compliance (MBEC) from New England College of Business and Finance (NECB).

What I love about the MBEC program is the coursework, which is what sets the Ethics and Compliance degree program apart. The MBEC program is the first of its kind in addressing Business Ethics and Compliance as a core curriculum. In the “post-Enron” business world we live in today, compliance, ethics, and governance play vital roles in many top corporations. Organizations are finding that their sustainability (the triple bottom line) is protected when they act ethically.

I originally started this blog as a way to express my opinions, beliefs, and values in a way that illuminates The Truth About Business. I hope that through my writing, readers’ feedback, and research, I will come to better understand the driving forces behind unethical decisions made by businesses and business leaders in today's corporations.

Cultural Theory’s Black Swan: The Fatalist

Three top economists agree that the financial crisis of 2007-2009 is the worst financial crisis since the Great Depression. (Pendery, 2009) Which events in the chain leading up to the crisis are the main culprits for the financial meltdown we find ourselves in today has been heavily debated.

To help us better understand what caused the financial crisis, Congress established a commission to investigate its root causes. The commission was given a broad mandate, with subpoena power, to tackle issues such as the role of exotic financial instruments and credit rating agencies, compensation, and the failure of regulators to manage risky lending at banks. (Labaton, 2009)

How can we implement preventative measures for a failing economy when we cannot agree on what we need to prevent?

With almost everyone having a vested interest in the current state of our economy, how do we stop the onset of another financial crisis and mitigate the risk involved?

With the financial crisis of 2007-2009 wiping out trillions of U.S. dollars of consumer wealth (Martin Neil Baily, 2009), the American people have the right to be angry and to demand information that sheds light on what led up to the crisis.

The American people should be more involved and take action to ensure their risks are being identified and that proper steps are being established to mitigate them. One way we can look at risk management is through Cultural Theory and how we can use it to ensure we don’t fall victim to another major financial crisis.

Cultural Theory says that the way people think about risk is not just “a” key driver but “the” key driver of group organization. (Ingram, 2009) Cultural Theory originated in the work of anthropologist Mary Douglas and political scientist Aaron Wildavsky, who co-authored the 1982 book Risk and Culture: An Essay on the Selection of Technical and Environmental Dangers.

One of the main concepts in the Cultural Theory of Risk is the cultural map it produced. (Mamadouh, 1999) The cultural map forms a two-dimensional typology that helps identify the ways people approach risk and suggests that there are at least four groups. (Ingram, 2009) The four groups are broken down as follows:

An excerpt from material suggested for teaching students in a class on the Cultural Theory of Risk gives a basic explanation of the four groups:

  • Individualists believe in Nature Cornucopian. No matter how much humans disturb nature, it will handle it -- just like the sides of the cup are so high you can't shake the ball out of it. This myth of nature shows that there's no need for controls (grid) or cooperation (group), and people can be left free to exploit nature as much as they like.

  • Egalitarians believe in Nature Ephemeral. This is just the opposite -- any little misstep and nature will come crashing down, like a ball balanced on a hill. Unfettered competition (low group) is therefore a threat, as is giving authority too much power, which it may abuse (high grid).

  • Hierarchists believe in Nature Perverse/Tolerant. Nature can be exploited freely within certain well-defined limits -- but if those limits are passed, a catastrophe will result. This justifies having strict authority and experts who can determine exactly where those limits are, and then enforce rules that prevent people from crossing that line.

  • Fatalists believe in Nature Unpredictable. There's no way to foresee how nature will react to any stimulus, so there's no point in fighting over how to manage it. Instead, you should just try to roll with the punches.

By now you might be asking yourself, “How does the cultural map apply to risk management?” We can use the cultural map to help identify the groups responsible for managing risk. Each cultural group will have different risk strategies based upon the type of group, or group hybrid, it belongs to.

For example, a banking institution whose CEO and CFO fall within the cultural map as Individualists would find risk management a threat to incoming profits. You may also find that within the Hierarchist group, one would take risk based upon a well-written policy that sets limits on the amount of risk to be taken.

Policy that sets out limits, establishes thresholds, and addresses risk was part of everyday life for many companies prior to the 2007-2009 financial crisis. (Nocera, 2009)

All four grid/group types have their place within the development of risk management, but one was deemed an outcast and shunned by the other three groups: the Fatalist.

One such accusation comes from the Handbook of Public Policy Analysis: “… under conditions of adversity, policymakers resort to “fuzzy gambling.” In its extreme, fatalist form, any decision making is senseless.” (Frank Fisher, 2007)

Why are fatalists so often the group written off, and just where were the fatalists during the financial crisis of 2007-2009?

To identify the root causes of the financial crisis, we would need to seek out the companies that stand out, such as Goldman Sachs, the one Wall Street firm that was not, at the time, taking a hit for billions of dollars of suddenly devalued mortgage-backed securities. (Nocera, 2009)

Why was Goldman Sachs immune to this initial crisis?

In 2006, Goldman’s various indicators, such as Value at Risk (VaR), began to suggest that something was wrong. This same VaR was used by most of the financial institutions that collapsed during the crisis. VaR could be considered a type of policy to mitigate risk using a quantitative value, and I would consider such a policy Hierarchist in nature.

Nassim Taleb, a Fatalist, would like to see the current version of VaR suspended as potentially dangerous malpractice. He also says,

“I maintain that the due-diligence VAR tool encourages untrained people to take misdirected risk with shareholders', and ultimately the taxpayers', money.” (Taleb, 1997)

Goldman held a meeting of about 15 top-level executives and several risk managers to take a closer look at the mortgage-backed securities and how the market felt.

The “feeling” indicated that the market was going to get worse before it got better, so they decided to rein in the risk, ultimately sidestepping the disastrous financial crisis. (Nocera, 2009)

Goldman Sachs stepped out of the Hierarchist group by choosing to set its quantitative measures aside and take a fatalist viewpoint: believing that it could not foresee the future, and preparing for unseen events.

Fatalist views are not passive risk management; they are active views that are misunderstood. The fatalist understands that the future cannot be predicted by quantitative measures, embraces the unforeseen, and sets policy based on the “feeling” of current events. As Nassim Taleb describes in The Black Swan, the name of one of his books and a term he uses for unexpected events, everything the experts think they know about forecasting is wrong, and if you think you can predict the future performance of the stock market from a study of past trends, you are going to lose a lot of money. (Wolfe, 2008)

Taleb helped bring the fatalist view to the forefront of risk management and is now seen, in some venues, as a rock star. In light of the financial crisis, let us no longer fear the fatalist’s approach to risk, and embrace it as an equal amongst the cultural groups.


Fisher, F., & G. M. (2007). 3.4.3 Isolates: “surviving without resistance”. In Handbook of Public Policy Analysis: Theory, Politics, and Methods (p. 300). Boca Raton: CRC Press.

By: Joseph Dustin

Sarbanes-Oxley: The Cost of Compliance

Alexis Adelaide is less than one month away from being able to retire fully from her current place of employment. Alexis has worked at her current job for nearly thirty-five years and has accrued a substantial amount of money in her retirement plan over the years.

During her thirty-five-year tenure, Alexis managed to set aside 5% of her income into her company’s 401(k) plan. The company matches 100% of all funds paid into the plan, up to 5% of the employee’s total base pay. Alexis’ employer made its matching contributions in company stock, which now makes up 90% of her total retirement package.

Alexis received the majority of the matched stock when it was about five dollars per share. Now each share is worth approximately ninety dollars, and she stands to retire with well over a few million dollars. About a month ago Alexis sold her home in Tulsa, Oklahoma, in preparation for moving to her dream home near Merritt Island, Florida.

Alexis is planning to move to Merritt Island with her husband and the three grandchildren she is currently taking care of. Everything is in place, and all she can do is daydream about her soon-to-come new life. As Alexis opens the morning edition of the Tulsa World, she sees that her company has made the front page.

The headline reads, “XYZ Corp Investigated for Accounting Fraud.” Later that week, after a full collapse of the company, Alexis finds out that her once ninety-dollar shares are now worth 23 cents a share, and her dream of retirement has all but disappeared.


In late 2001, this very scenario played out at the gas pipeline giant Enron. Enron’s stock had nearly tripled in two years, to $90 in August 2000, and the company booked sales of more than $100 billion the previous year, placing it seventh on the FORTUNE 500. Enron’s 401(k) plan was available to 21,000 employees and was loaded with the company’s stock, and those shareholders were devastated. [Failure] With the financial collapse of Enron, shareholders were the ones left to carry the financial burden.

With Enron, WorldCom, and Tyco all leaving their shareholders with empty pockets, the public was starting to shy away from the stock markets. The effort to restore public trust began with new legislation now commonly known as the Sarbanes-Oxley Act of 2002, or SOX. Sarbanes-Oxley was named after Senator Paul Sarbanes and Representative Michael Oxley, its main architects. (SOX Law)

Sarbanes-Oxley is separated into eleven titles. The sections most often cited as important for compliance are 302, 401, 404, 409, 802, and 906. The requirements of this act changed compliance risk management in many ways, one of which was raising the total cost of compliance that companies had to bear.

Citing the cost of compliance among other things, various groups and individuals have called for the repeal of Sarbanes-Oxley and challenged the law in the courts. (Accounting Web, 2008) The two largest contributors to the cost of the Sarbanes-Oxley Act are sections 302 and 404. Section 302, also known as SOX 302, falls under Title III and pertains to “Corporate Responsibility for Financial Reports.” SOX 302 demands that periodic statutory financial reports include a number of certifications.

The signing officers must certify that they have reviewed the report, that it does not contain untrue statements or omissions, and that they are responsible for internal controls. (SOX Law) Internal control is defined by the Committee of Sponsoring Organizations (COSO) as a process designed to provide reasonable assurance regarding the reliability of financial reporting, among other things.

Documenting internal controls is a large task to take on. Christopher Baudouin of Jupitermedia Corp. has stated:

“Documenting internal control is the major thing. Initially, there’s work being done writing manuals. Of course, we will have to continually update them and maintain them. We are careful how we allocate manpower within the department. We have increased the staff. We’ve also purchased software to assist us. The cost of the audit will increase since there will be more testing.” (D'Aquila)

Sarbanes-Oxley requires companies to adopt and declare a framework used to define and assess internal controls. Two control frameworks have emerged as foundational to compliance efforts and have been adopted by a majority of companies. COSO, used primarily for financial processes, is an integrated framework providing specific guidance on implementing and maintaining internal controls; endorsed by the SEC, it is the most widely adopted company-wide control framework. COBIT, or “Control Objectives for Information and related Technologies,” is an IT framework that maps to COSO, which itself offers little detail for IT controls. (BPO Systems)

Section 404, also known as SOX 404, falls under Title IV and pertains to “Management Assessment of Internal Controls.” SOX 404 has two main components, 404(a)(1) and 404(a)(2). SOX 404(a)(1) requires the annual report to state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting, and SOX 404(a)(2) requires it to contain an assessment, as of the end of the issuer’s most recent fiscal year, of the effectiveness of the issuer’s internal control structure and procedures for financial reporting. (Karln, 2002)

With SOX 404 in place, IT departments have to invest in new ways to become compliant. Investments can include new employees to help analyze, implement, and monitor the new internal controls. Some companies relying on archaic ERP systems may have to spend on a new ERP package.

The passage of the Sarbanes-Oxley Act of 2002 was by no means an easy road for publicly traded companies. After years of abuse by public companies, shareholders were demanding that something be done to protect their interests.

With the enactment of the Sarbanes-Oxley Act of 2002, I believe we are well on our way to providing more transparency in financial reporting and helping to restore trust between public companies and their shareholders. That trust, however, came with a hefty price tag.

The 2008 Annual Survey Report from Financial Executives International (FEI) stated that forty-three percent of the companies surveyed said their total IT spending had increased over the past three years. Forty-six percent of respondents expected higher levels of IT spending, while only about 14 percent expected IT spending to decrease. (Information Integrity) Sarbanes-Oxley has changed compliance risk management by adding new costs for businesses trying to stay compliant.

The Sarbanes-Oxley Act has forever changed the way business is conducted. Compliance and risk management have merged, and a new breed of professionals versed in the language of compliance and ethics will lead the way.

By: Joseph Dustin
read more “Sarbanes-Oxley: The Cost of Compliance”

Long Term Compliance

Companies that are publicly traded rely on investors to help them grow. Without the extra capital that investors provide, many companies would go bankrupt. Investors use a variety of tools to help them make educated decisions; one such tool is provided by a company called Standard & Poor’s (S&P).

Standard & Poor's credit ratings are designed primarily to provide relative rankings among issuers and obligations of overall creditworthiness; the ratings are not measures of absolute default probability. Creditworthiness encompasses likelihood of default, and also includes (i) payment priority, (ii) recovery, and (iii) credit stability. (S&P, 2009)

How are the credit ratings calculated?

The answer to that question goes beyond the scope of this essay, but one of the variables is new to the formula. That variable is Enterprise Risk Management (ERM). S&P states,

“This enterprise risk management initiative is an effort to provide more in-depth analysis and incisive commentary on the many critical dimensions of risk that determine overall creditworthiness.”
(Standard and Poors, 2009)

Investors who use S&P as a source of creditworthiness ratings will rely on those ratings to make educated decisions before committing their capital. What exactly does this mean for publicly traded companies? Choosing to ignore ERM can now have a major financial impact on your ability to raise capital from investors. To avoid this impact, companies are now implementing Enterprise Risk Management as part of the overall business plan. (SearchCIO, 2008)

In order for corporations to build a reliable Enterprise Risk Management solution, they will need to think long-term. COSO provides an integrated framework that executives can use to align organizational goals with the goals of risk management.

COSO's main objectives are to assist organizations regarding:

1) effectiveness and efficiency of operations

2) reliability of financial reporting

3) compliance with applicable laws and regulations

Each of these objectives can be analyzed in light of the five interrelated components of an organization's internal control: the control environment, risk assessment, control activities, information and communication, and monitoring. (Carolyn A. Sigg, 2002)

Implementing a framework like the one set out by COSO can be considered a long-term goal. Two areas of Risk Management that are essential to long-term success are Risk Assessment and Risk Prevention. Creating a risk assessment life-cycle plan will help you achieve your long-term goals for assessing risk.

The life-cycle for risk assessment can be broken down into four main phases:

1) Goal Definition and Scoping

2) Inventory Risk Analysis

3) Impact Risk Assessment

4) Interpretation of the Risks (Scientific Applications International Corporation, 2006)

When considering long-term risk assessment, implementing these four phases will help you identify, assess, and prioritize your risks. Once you have identified your risks, the next step is to decide, for each one, whether to mitigate it, prevent it, or knowingly accept it.

Risk prevention is about taking action against the risks identified during the risk assessment phase. Prevention can come in many forms, such as policy, training, monitoring, and security controls.

According to the Introduction to COSO’s Guidance on Monitoring, effective monitoring is best achieved through three broad elements:

1) Establishing a foundation for monitoring

2) Designing and executing monitoring procedures

3) Assessing and reporting results (COSO, 2009)

These three elements support risk prevention by turning monitoring into a long-term, repeatable risk prevention life-cycle.

The key to long-term risk assessment and prevention is implementing life-cycles that allow you to create and monitor processes, and then continuously improve them.

By: Joseph Dustin
read more “Long Term Compliance”