Fraud: An Ounce Of Prevention

Article originally posted in Thomson Reuters/Tax & Accounting. Cost Management [formerly Journal of Cost Management] July/August 2015, by: JANET B. BUTLER AND CECILY RAIBORN

This article highlights ways that organizations can help prevent fraud and strengthen the internal control system by using the COSO framework of internal controls released in May 2013.

Is it better to prevent an illness or to fight the illness with medications once an infection has taken hold? When it comes to human health, most people agree with Benjamin Franklin’s time-honored adage that an ounce of prevention is worth a pound of cure. The same idea applies to fraud: It is better to prevent fraud from ever happening than to try to recover if fraud occurs. Unfortunately, fraud is a significant risk for most firms. According to the 2014 Association of Certified Fraud Examiners’ Report to the Nations, firms lose approximately 5 percent of revenues to fraud each year. 1

An organization’s decision about its fraud prevention investment is multifaceted. At a minimum, determining the amount to be spent reflects the company’s culture, appetite for risk, and cost-benefit analyses. Further, firms face many different risks and compliance issues, so priorities must be established and tradeoffs specified. To deal with this complex environment, some companies have adopted governance, risk management, and compliance (GRC) programs to manage and control risks (including fraud) across the enterprise. 2 The GRC’s integrated approach can be an efficient way to deal with a variety of risks and can also help companies ensure compliance across the firm. Unfortunately, many firms have found it difficult to implement all aspects of the GRC model and have focused on the compliance aspect of GRC. 3

The May 2013 Committee of Sponsoring Organizations (COSO) framework on internal controls (ICs) incorporates many of the very positive elements of GRC programs, and it may help firms working to implement GRC concepts. For example, both GRC and the COSO framework recognize the importance of reducing functional “silos” within the firm and consider compliance management to be integral to business success. Further, the revised COSO framework indicates some new factors for organizations to consider when evaluating the risk of fraud. 4 This article highlights ways that organizations can strengthen their IC systems (the structural equivalent of a body’s immune system) by using the new framework to help protect, detect, and recover from adverse occurrences resulting from fraud. Additionally, suggestions are made for organizations to implement “wellness programs” to act as a form of preventive medicine to help deter fraudsters.

A brief history of COSO and ICs

Organizational fraudsters are not a new phenomenon; they have likely been around as long as there have been humans who have wanted what other humans have. Over the years, firms have adopted a variety of techniques to combat fraud. However, because of a series of financial reporting frauds in the early to mid-1980s resulting in some notable corporate failures, the National Commission on Fraudulent Financial Reporting, better known as the Treadway Commission, was formed. Sponsorship was provided by five organizations: the American Accounting Association, the American Institute of Certified Public Accountants, the Financial Executives Institute, the Institute of Internal Auditors, and the Institute of Management Accountants. A major goal of the commission was to examine factors underlying fraudulent reporting and identify methods to reduce this type of fraud. The commission’s final report included recommendations that later served as the foundation for the 1992 groundbreaking document entitled Internal Control-Integrated Framework (IC), the first COSO internal control framework. 5

The COSO report formally defined IC as “a process, effected by an entity’s board of directors, management and other personnel, designed to provide reasonable assurance regarding the achievement of objectives in the following categories:

• effectiveness and efficiency of operations;

• reliability of financial reporting; and

• compliance with applicable laws and regulations.” 6

The following five important components of an effective IC system were identified in this framework:

  1. control environment (the environment within which employees and controls operate);

  2. control activities (the policies and procedures required to achieve management’s objectives and to control risk);

  3. risk assessment (the process of recognizing, evaluating, and controlling business risks);

  4. information and communication (the systems used to obtain and share information necessary for business operations); and

  5. monitoring (the review and necessary adaptation of the control systems).

In 2004, COSO published the enterprise risk management (ERM) framework that incorporated the 1992 IC framework, but it had a broader perspective that enabled a more direct and complete focus on organizational risk management issues. Additionally, the 2004 publication introduced a three-dimensional model of ICs and risk management that highlighted interrelationships among organizational structure, model components, and objectives required to achieve expressed goals.

COSO has continued to address issues related to fraudulent financial reporting. Two longitudinal studies published by COSO document a changing landscape for financial reporting fraud, with increases in the number of cases reported, average dollar value of misstatements, and size of firms involved. 7

Updated COSO framework

In May of 2013, COSO published a much-anticipated update to its integrated framework. 8 This revision provides an excellent occasion for a fresh re-examination of current controls and opportunities for fraud that may exist within the organization. The COSO update relies on the same IC definition used in the original framework, retains the same five main components, and incorporates the three-dimensional ERM approach. However, a number of notable enhancements were made. Most strikingly, the revised structure:

• outlines 17 principles reflecting important concepts underlying the various components;

• addresses issues related to fraud and antifraud activities more fully than in previous versions;

• highlights the relationship between fraud and internal controls;

• features an expanded discussion of the importance of organizational objective-setting; and

• broadens the reporting objective to include both financial and nonfinancial reporting.

The updated framework’s three-dimensional model (Exhibit 1) is designed to highlight the interrelated nature of a firm’s objectives, structure, and IC system components. Objectives reflect aspirational goals and targets and are represented in the model by the columns labeled Operations, Reporting, and Compliance. Structure is represented by the cube’s third dimension and reflects the firm’s sub-units and its business processes, such as purchasing and marketing. The five IC components are represented by the model’s rows; each component applies to all of the firm’s objectives, sub-units, and processes. This approach helps to provide a more integrated approach to the internal control system, and it helps to minimize functional “silos” that hamper the operation of the internal control system.

Exhibit 1.

COSO Three-Dimensional Model

Objectives and the revised framework.

The objective-setting process reflects corporate governance mechanisms. To implement the revised framework, company management should work with the board of directors to develop a series of entity-level objectives that reflect the firm’s mission and strategies. These entity-level objectives will then be translated into sub-unit and process objectives and should be reflected in each of the five components of the IC system.

The revised framework includes three categories of objectives: operations, compliance, and reporting. Operations objectives focus specifically on internal activities, although such activities may translate into external performance or the manner in which outside stakeholders view the organization. Operations objectives reflect the firm’s “basic mission and vision – the fundamental reason for its existence” – and focus on basic goals such as increasing productivity, reducing production’s environmental impact, or improving financial results. 9 These objectives should also include goals related to safeguarding the firm’s assets, including timely discovery of asset loss caused by fraud or other means. Organizations need to recognize that there is a direct relationship among safeguarding assets, internal controls, and improved profitability. As such, there are implications for the cost-benefit analysis model. The reduction of such a loss by internal control investment could heavily tilt the “benefit” portion of the decision model, but, because that loss may not be directly tied to the cost of one internal control over another, management may overlook that increase in profitability in its analysis process.

In contrast, compliance objectives are established to ensure adherence to laws and regulations. These objectives reflect an important interaction between the organization and society. Organizational management and owners generally (although, unfortunately, not always) want to avoid engaging in activities that are deemed illegal in the environment in which those organizations exist. Compliance controls should be able to identify activities in which the organization is engaging that are outside the legal realm so corrective actions can be taken to preclude continuation of such activities – and, after consultation with counsel, a decision can be made as to whether the organization should voluntarily self-report the violation. According to the Kroll 2013/2014 Global Fraud Report, 16 percent of survey respondents were affected by a regulatory or compliance breach and 14 percent were affected by corruption or bribery fraud. 10 For organizations operating multinationally, one critical element under this category of objectives is compliance with both the bribery and internal controls provisions of the Foreign Corrupt Practices Act. Violations that produce hefty fines and disgorgement of profits can create a substantial cost in the cost-benefit model if proper ICs are not in place.

Under the revised framework, reporting objectives relate to meeting the needs of the internal and external users of the company’s financial or nonfinancial information. For example, internal reporting objectives may relate to such items as customer retention and satisfaction reports, customer or segment profitability analysis, or production quality reporting. In contrast, external financial reporting objectives may reflect requirements imposed through regulations, standards, or contracts. An excellent example of the need for this objective can be seen in the governmental requirement for financial institutions to “know your customers” (KYC) so as to minimize the potential for fraud. The benefit of implementing internal controls to detect and prevent money laundering, to automatically produce validated customer data, and to generate suspicious activity reports is the preclusion of massive civil and/or criminal penalties under the Bank Secrecy Act and USA Patriot Act. 11

Components, principles, and the revised framework.

Once the broad-based objectives are established, an organization can use the framework’s IC system components to identify elements critical to an effectively functioning control environment. The revised framework retains the five original 1992 IC system components but more fully describes the underlying principles relating to each component (see Exhibit 2).

Exhibit 2.

COSO Components and Principles

Control Environment: The control environment consists of the standards, procedures, and structures that are the IC system’s foundation. “Tone at the top,” reflecting the attitudes of management and the board toward internal controls, is integral to the control environment.

The first principle addressing the need for “a commitment to integrity and ethical values” has important implications for individuals concerned with monitoring and detecting fraud within an organization. 12 COSO notes that non-compliance with standards can often arise in situations in which (1) coercion to participate in fraud or other unlawful behaviors exists or (2) performance goals are so poorly specified that they cause employees to act in an unethical manner. These types of situations were seen in the cases of Enron, WorldCom, and FORBA Holdings; in the FORBA case, dental clinic operators were pressured to improve clinic productivity by subjecting children to unneeded dental procedures that raised the clinics’ and doctors’ profits. 13 The price tag of developing, communicating, assessing adherence to, and enforcing an organizational ethics policy will likely have a minimal impact on the total cost of internal controls, but it will have a significant benefit by integrating integrity into the decision-making process.

The second principle requires independence between the board of directors and management so that directors will take necessary actions when wrongdoing is uncovered or suspected. Board members must also display professional skepticism, consider organizational risks, and engage in training activities that will ensure currency of skills. Importantly, the board should include members who have an “internal control mindset” that allows valid consideration and assessment of organizational risks as well as the depth and breadth of the IC processes implemented for protection against those risks.

COSO’s third control environment principle requires that management establish, with board oversight, a discernable organizational structure that indicates clear lines of authority, responsibility, and communication that will contribute to progress toward meeting objectives. Adequate segregation of duties should be established so that checks and balances are in place, and any conflicts of interest or business process risks are minimized. An important but potentially overlooked element of this principle relates to controls over external service providers. The 2013/2014 Kroll survey indicated that 19 percent of respondents said their companies had been affected by vendor, supplier, or procurement fraud, in addition to 20 percent being affected by management conflicts of interest. 14 Outsourcing service activities may create significant risk and should be carefully monitored: Simply consider the potential risk involved by United Continental Holdings’ decision to outsource 635 baggage-handling and customer service jobs at 12 U.S. airports to third-party vendors paying a starting wage of $9 an hour rather than the in-house wage of $12 to $24 per hour. 15 The expected financial benefit from this decision may appear substantial, but there is a question regarding whether all of the costs of appropriate oversight and vendor-vendee communications were included in the decision model.

The fourth principle states that organizations demonstrate a dedication to hiring and retaining well-qualified individuals who will act to pursue organizational objectives. Under this principle, firms are to delineate competency expectations, evaluate capabilities throughout the firm, and provide training and mentoring to ensure an ongoing commitment to competence. The framework pushes the firm’s boundaries to include outsourced service providers and to address competence inadequacies as necessary. Personnel proficiency is a key component of an ability to ensure that a system is properly functioning; handing a firm’s welfare to individuals who do not have the aptitude or capability to properly perform their duties could easily be a precursor to the opportunity to commit fraud. Lack of knowledge may manifest itself as an inability to notice when overt signals are given about potential problems. Costs of personnel knowledge/skills assessment, gap analysis (between the competencies of the personnel you have and the personnel you need), recruitment, and training are often buried in human resources and not matched in a decision model with the benefits that can be obtained from aware, knowledgeable, and skilled people who can recognize and correct problems or whistleblow when wrongdoing occurs.

The final control environment principle is designed to ensure that the firm’s employees, managers, and board are held accountable for internal controls. This principle highlights the importance of having appropriate performance measures when evaluating internal control responsibilities as well as periodically monitoring the incentive/reward structure for continued relevance and any potential negative consequences. The adage of “what you measure is what gets managed” is true, and sometimes, the demonstrable reality of performance measurement is not the idealized expectation.

Risk assessment: Organizations need to engage in an ongoing process of ascertaining the likelihood of being affected by adverse events and the level of impact (monetary, reputational, legal/regulatory, etc.) that such adversity may have. The firm’s risk tolerance, or willingness to accept outcome uncertainties, must be considered in setting a control environment. Keeping consequences to an acceptable level requires that risk be constrained to tolerable parameters or performance ranges in the event that an uncertainty becomes a reality. 16 For example, an online retailer may specify that every order is to be shipped within 24 hours of its receipt, but may accept that only 95 percent of orders may be filled within that time frame.

There are four principles underlying risk assessment, the first two of which indicate that objectives need to be clearly specified so that risks can be identified, assessed, and managed. The third and fourth principles in this category require consideration of the organization’s fraud risk and its potential causes. In other words, the organization needs to evaluate the likelihood of fraud occurring and continue to analyze the cost/benefit of installation of internal controls. The primary risks identified in a recent survey of risk professionals were data security and data privacy. 17 However, an unplanned benefit from engaging in “mature risk management practices” and integrating such practices into operational and strategic activities is that firms that engage in these practices tend to be more highly valued by investors than are companies without such practices. 18

Control activities: The principles included in this COSO framework component address the selection and implementation of entity-specific, business process, transaction, technology, and general controls to help mitigate risks. Such controls can be identified in organizational policies and procedures that establish clear lines of responsibility and accountability and that are periodically reviewed for conformity and currency. Together, the controls create a multi-faceted defense system that helps mitigate risk to an acceptable level.

Organizational first-line control activities protect the firm from risks being realized. In the case of fraud, these preventive measures include policies and procedures designed to ensure adequate segregation of duties within the firm so that no one individual has the ability to easily commit fraud and conceal the scheme. Other preventive measures include physical controls over valuable assets, background and credit checks on potential employees, and firewalls and virtual private networks to keep unauthorized users from accessing, changing, or deleting information technology-based files.

In the IC system, the second line of defense should be control activities designed to detect problems as they arise and take corrective action to protect the organization when negative events occur. For example, monitoring network traffic is a detective control that can identify the movement of large amounts of data outside the firm, possibly indicating that defenses have been breached and data are being stolen. Common corrective controls include maintaining adequate insurance and establishing a computer incident response team to contain and respond to intrusions and other information technology-related problems.

Similarly, data analytics can be used to monitor for billing schemes and other fraudulent transactions. 19 An example of this can be seen in a recent fraud scheme involving Canadian banks. Fraudsters took advantage of a Canadian law stating that $100 of every deposit must be immediately available to the depositor. After inserting “deposit” envelopes at ATMs, fraudsters quickly withdrew funds – with the banks only realizing later that the “deposit” was actually an empty envelope. Data analytics revealed that the time gap before people tried to access real deposits was more than a day, while people who engaged in “empty envelope deposits” tried to access deposit funds within hours. 20 Such knowledge can be used to identify and flag high-risk transactions to potentially minimize losses involved in such transactions.
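The deposit-to-access timing signal described above can be expressed as a detective control that builds a review queue. This is an added example, not code from the article or from the study it cites; the event format, account names, and six-hour cutoff are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IMMEDIATE_AVAILABILITY = 100      # dollars of each deposit available at once (figure from the article)
FAST_ACCESS = timedelta(hours=6)  # assumed cutoff for "within hours"; tune against real data

# Constructed sample events, not real bank data:
# (ISO timestamp, account, kind, dollar amount)
SAMPLE_EVENTS = [
    ("2014-03-02T12:00:00", "ACCT-E", "withdrawal", 20),         # no prior envelope deposit
    ("2014-03-03T09:15:00", "ACCT-A", "envelope_deposit", 400),
    ("2014-03-04T17:40:00", "ACCT-A", "withdrawal", 60),         # first access after 32h25m
    ("2014-03-03T22:05:00", "ACCT-B", "envelope_deposit", 900),
    ("2014-03-03T22:50:00", "ACCT-B", "withdrawal", 100),        # first access after 45m
    ("2014-03-04T01:10:00", "ACCT-B", "envelope_deposit", 750),
    ("2014-03-04T03:30:00", "ACCT-B", "withdrawal", 100),        # first access after 2h20m
    ("2014-03-05T08:00:00", "ACCT-C", "envelope_deposit", 50),
    ("2014-03-05T11:00:00", "ACCT-C", "withdrawal", 40),         # first access after 3h
    ("2014-03-06T10:00:00", "ACCT-D", "envelope_deposit", 300),  # never accessed
]


def first_access_gaps(events):
    """Pair each envelope deposit with the first later withdrawal on the same account."""
    open_deposits = defaultdict(list)  # account -> deposits not yet followed by a withdrawal
    paired = []
    for ts, account, kind, amount in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if kind == "envelope_deposit":
            open_deposits[account].append((when, amount))
        elif kind == "withdrawal":
            # This withdrawal is the first access attempt for every deposit still open.
            for deposited_at, declared in open_deposits.pop(account, []):
                paired.append({
                    "account": account,
                    "deposited_at": deposited_at,
                    "declared": declared,
                    "gap": when - deposited_at,
                })
    return paired


def review_queue(events, cutoff=FAST_ACCESS):
    """Rank accounts whose envelope deposits were accessed within the cutoff.

    Exposure is estimated (an assumption of this example) as the immediately
    available portion of each flagged deposit: min(declared amount, $100).
    """
    flagged = defaultdict(lambda: {"count": 0, "exposure": 0, "fastest": None})
    for row in first_access_gaps(events):
        if row["gap"] > cutoff:
            continue  # slow access matches the pattern seen for real deposits
        entry = flagged[row["account"]]
        entry["count"] += 1
        entry["exposure"] += min(row["declared"], IMMEDIATE_AVAILABILITY)
        if entry["fastest"] is None or row["gap"] < entry["fastest"]:
            entry["fastest"] = row["gap"]
    # Repeat behaviour first, then the shortest gap.
    ranked = sorted(flagged.items(), key=lambda kv: (-kv[1]["count"], kv[1]["fastest"]))
    return [(acct, e["count"], e["exposure"], e["fastest"]) for acct, e in ranked]


if __name__ == "__main__":
    for account, count, exposure, fastest in review_queue(SAMPLE_EVENTS):
        print(f"{account}: {count} fast-access deposit(s), "
              f"up to ${exposure} exposed, fastest gap {fastest}")
```

A single fast access (ACCT-C in the sample) can be legitimate, which is why the queue ranks repeat behaviour first and feeds a manual review rather than an automatic block.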

Control activities, such as those that prevent unauthorized access to data, help prevent internal performance metric manipulations and external financial statement fraudulent reporting. Not having, or having ineffective, controls in these areas can allow the payment of improper bonuses at best and, at worst, bring the downfall of a company because of criminal charges or bankruptcy. Additionally, reputational damage can be massive. To illustrate, consider that in 2011 falsification of appointment records to meet the target standard at VA hospitals generated over $5 million in bonuses to claims processors, cost the head of the VA (Eric Shinseki) his job, and damaged the public’s opinion of the VA. 21

Information and communication: The 2013 COSO framework asserts the need for relevant and quality information and stresses the importance of communicating that information to appropriate parties. As shown in Exhibit 3, communication channels must incorporate iterative processes that provide, share, and obtain information.

The three principles underlying the information and communication component highlight that, for an organization’s IC system to operate effectively, communication channels must be designed to share the right information at the right time with the right people, as well as to restrict information access from the wrong people. Within the firm, these channels should clearly communicate the firm’s objectives to help managers understand the seriousness of carrying out internal control-related responsibilities and the organizational benefits to be derived from such performance. The internal communication channels should also allow for the potential of anonymity (such as the establishment of a whistleblower hotline) to protect individuals from possible retribution or retaliation upon the provision of bad news. When communicating with stakeholders such as customers and analysts, mechanisms must also exist to allow those parties to communicate IC-related information. For example, customer feedback regarding duplicate billings can be extremely helpful in detecting possible fraudulent occurrences in the organization.

Monitoring activities: Monitoring and reporting are key activities for both the GRC and COSO models, and these activities are important parts of feedback loops that can provide important information about the health of the internal control system. An effective IC system uses both ongoing and individualized techniques to monitor organizational activities for possible irregularities. Some techniques, such as a vendor payments review to detect duplicate remittances, should be a part of routine business processes. Other techniques would be conducted periodically, separate from typical daily business processes. When ongoing or separate monitoring reveals a problem, management or the board of directors must be notified in a timely fashion, and steps must be implemented to address the problem that has been identified.

The IC system: Protect your organization against fraud

Developing and instituting ICs are, however, only two steps in preventing an organization from being affected by fraud. Just as “an ounce of prevention” helps protect the human body from illness, an ongoing fraud prevention program related to a company’s IC system helps ensure that controls are operating as intended. Exhibit 4 provides a sample of factors that should be ongoing responsibilities of such a wellness program.

Exhibit 4.

Activities in Fraud Prevention Program

Types of fraud. An important step in performing a fraud wellness check is to recognize the different forms of fraud commonly occurring in organizations – with asset misappropriation, corruption, and financial statement fraud constituting the basic fraud schemes and with banking/financial services, government/public administration, and manufacturing being the most commonly affected sectors. 22 The most common type of fraud, asset misappropriation (theft or misuse of firm resources), creates the lowest median loss; financial statement fraud is the least likely type of fraud but also the most costly. Corruption (in which employees personally benefit) falls between the other two in both number of instances and size of loss. 23

The risk of asset misappropriation in an organization is high because the manner in which such schemes can be perpetrated is almost infinite, ranging from a restaurant employee stealing $2,285 from the cash deposits to a VP of Finance at Koss Corp. charging personal purchases worth $34 million to organizational accounts. 24 Relative to corruption schemes, risk level seems to be influenced both by type of industry and global location. One tool available to help evaluate the risk of public sector corruption in various countries is the Corruption Perceptions Index published annually by Transparency International. In 2013, almost 70 percent of the 177 countries included in the survey scored below a 50 on a scale of zero (highly corrupt) to 100 (very clean). 25 Information from such sources should be considered in assessing the risk of expanding operations to new foreign locations.

Financial statement fraud, in which financial reports are intentionally misstated or include material omissions, is one type of fraudulent reporting that generally involves managerial-level personnel and often has widespread implications for all organizational stakeholders. Risk assessments should include not only the potential for employees at all levels and locations to circumvent controls to commit fraud but also the possibility that external parties (including customers and outsourcing vendors) may engage in activities (possibly collusive ones) that could make the organization vulnerable to fraud or illegal activities.

Fraud risk factors.

Another important step when conducting a fraud wellness program is to identify any factors that might contribute to an organization’s risk of fraud. One primary risk factor is having fraud opportunities exist in the organization due to IC weaknesses. These weaknesses can arise from instances in which management has the ability to easily override controls; from organizational restructuring due to growth, downsizing, or mergers; from implemented technology or process changes; from new technology that rendered current systems vulnerable; from failures of physical safeguards; or from improper employee actions relative to the duties designated in the internal control system.

Recognition should also be given in the risk assessment process to the incentives/pressures and attitudes/rationalization aspects of the fraud triangle. While the control environment can create incentives and pressures that can make fraud more likely to occur, attitudes and rationalizations are employee-specific and may not be readily identifiable. A person often begins a fraud simply because the opportunity is available and a subconscious rationalization exists justifying the action (e.g., the fraudster is merely “borrowing” and not stealing). However, continuation of the fraud requires conscious planning, an escalation of activity, and a more elaborate rationalization process (such as “they owe me” or “everyone does it”) – all often propelled by a non-shareable pressure such as excessive personal debt or inability to meet work-related performance targets.

In relation to fraud risk, preventive ICs may seem to be expensive but, if the potential costs of lawsuits, poor public relations, and lost goodwill are considered, prevention costs may be well worth the expenditures. To illustrate, one estimate of the total cost (to all parties affected) of Target’s 2013 data breach is approximately $680 million, with Target taking a fourth quarter charge of $61 million in total. 26 Indeed, much-publicized fraud events like Target’s bear similarities to external failure costs in the field of total quality management (TQM). Both involve a breach of trust between a vendor and customer; the lost future sales can be very large and unknowable.

Conclusion

Managers may think of fraud as something that just happens in an organization – but, in truth, the adage “an ounce of prevention” is equally applicable to human and organizational health, and both need to be concerned with an ongoing wellness program that reflects actions to help minimize harm. Given the estimated annual 5 percent of revenues lost by organizations to fraud, any and all actions that can be taken to reduce that loss will benefit the organization, its stockholders, its other stakeholders, and the economy.

An organizational wellness program ties the COSO components and principles to techniques that encourage assessment of risk, determination of barriers to best practices, and implementation of practices that inhibit the opportunity for fraud to infect the organization. This program can also have the added benefit of enhancing the effectiveness of GRC processes. The bottom line is that it is much easier to stay healthy than to get healthy after illness strikes – and it is much easier to prevent fraud than to attempt to detect or correct it after it occurs.

1 Association of Certified Fraud Examiners, “Report to the Nations on Occupational Fraud and Abuse: 2014 Global Fraud Study” (Austin, TX: ACFE, 2014), 4. Available at: http://www.acfe.com/rttn/docs/2014-report-to-nations.pdf (accessed May 21, 2014).

2 Balachandran, B. and Sundar, S., Governance, risk and compliance: The value driver for good corporate governance, Cost Management 27, no. 6 (2013): 39-47.

3 Nelsestuen, R., “The Future of Risk Management: Getting GRC Right” (The Tower Group, Inc., 2011). Available at: http://www.tcs.com/resources/white_papers/Pages/Future-Risk-Management.aspx (accessed Aug 13, 2014).

4 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control – Integrated Framework: Framework and Appendices” (Durham, NC: The Committee of Sponsoring Organizations of the Treadway Commission, May 2013a).

5 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “Internal Control – Integrated Framework Executive Summary” (AICPA, 1992).

6 Ibid.

7 Beasley, M., Carcello, J., and Hermanson, D., “Fraudulent Financial Reporting: 1987-1997. An Analysis of U.S. Public Companies” (The Committee of Sponsoring Organizations of the Treadway Commission, 1999). Available at: http://www.coso.org/publications/FFR_1987_1997.PDF (accessed May 15, 2014); Beasley, M., Carcello, J., Hermanson, D. and Neal, T., “Fraudulent Financial Reporting: 1998-2007. An Analysis of U.S. Public Companies” (Durham, NC: The Committee of Sponsoring Organizations of the Treadway Commission, 2010). Available at: http://www.coso.org/documents/COSOFRAUDSTUDY2010_001.pdf (accessed May 15, 2014).

8 Committee of Sponsoring Organizations of the Treadway Commission (COSO), “FAQs for COSO’s Enterprise Risk Management – Integrated Framework” (Durham, NC: The Committee of Sponsoring Organizations of the Treadway Commission, May 2013b). Available at: http://www.coso.org/documents/ERM-FAQs.pdf (accessed May 15, 2014).

9 Op. cit. note 4, p. 7.

10 Kroll, “2013/2014 Global Fraud Report” (2013) (New York, New York: Kroll): 6. Available at: http://fraud.kroll.com/?utm_campaign=global-fraud-report&utm_source=Kroll&utm_medium=Web (accessed July 31, 2014).

11 Steptoe & Johnson LLP, “The USA PATRIOT Act and Financial Institutions” (n/d). Available at: http://www.steptoe.com/assets/attachments/1624.pdf (accessed Aug 7, 2014).

12 Op. cit. note 4, p. 33.

13 Barrett, S., Massive dental fraud uncovered, Dental Watch (Aug 11, 2011). Available at: http://www.dentalwatch.org/news/forba.html (accessed Aug 5, 2014).

14 Op. cit. note 10, p. 6.

15 Carey, S., United to outsource jobs at 12 airports, The Wall Street Journal (July 18, 2014), B3.

16 “Exploring Risk Appetite and Risk Tolerance,” Risk and Insurance Management Society, Inc. (RIMS) (2012): 7. Available at: http://www.rims.org/resources/ERM/Documents/RIMS_Exploring_Risk_Appetite_Risk_Tolerance_0412.pdf (accessed May 15, 2014).

17 Katz, D., CFOs disregarding cyber risks, CFO (June 2014): 20.

18 Katz, D., CFOs the value of risk management, CFO (June 2014): 21.

19 Raiborn, C., Butler, J., and Zelazny, L., Standard costing variances: Potential red flags of fraud? Cost Management 27, no. 3 (2013): 16-27.

20 Deloitte, “Tipping the Triangle: Predictive Analytics to Mitigate Empty Envelope Fraud” (2014). Available at: http://www.deloitte.com/view/en_US/us/Services/additional-services/deloitte-analytics-service/d569b76589df3410VgnVCM2000003356f70aRCRD.htm# (accessed May 14, 2014).

21 The Daily Briefing, “Despite Massive Backlogs, VA Says Claims Workers Earned Bonuses” (The Advisory Board Company: Aug 29, 2013). Available at: http://www.advisory.com/Daily-Briefing/2013/08/29/Despite-massive-backlogs-VA-says-claims-workers-earned-bonuses (accessed Aug 3, 2014); Associated Press, Gibson: VA has lost trust of veterans, American people, FoxNews.com (July 16, 2014). Available at: http://www.foxnews.com/politics/2014/07/16/gibson-va-has-lost-trust-vets-american-people/ (accessed Aug 3, 2014).

22 Ibid.

23 Op. cit. note 22.

24 Golden, D., Restaurant employee found guilty of theft, Find a Criminal Defense Attorney (Jan 30, 2012). Available at: http://www.findacriminaldefenseattorney.com/Profiles/David-Golden-P-A-/Articles/Restaurant-Employee-Found-Guilty-of-Theft.aspx (accessed May 23, 2014); Hajewski, D. and Daykin, T., Former Koss Corp. executive Sachdeva sentenced to 11 Years in Prison, Milwaukee Wisconsin Journal Sentinel (Nov 17, 2010). Available at: http://www.jsonline.com/business/108706789.html (accessed May 23, 2014).

25 Transparency International, “Corruption Perceptions Index 2013.” Available at: http://cpi.transparency.org/cpi2013/results (accessed May 15, 2014).

26 Lambert, B., One estimate: Cost of target data breach could hit $680 million, MinnPost (Dec 20, 2013). Available at: http://www.minnpost.com/glean/2013/12/one-estimate-cost-target-data-breach-could-hit-680-million (accessed May 22, 2014); “Data-Breach Costs Take Toll on Target Profit,” AOL.com (Feb 26, 2014). Available at: http://www.aol.com/article/2014/02/26/data-breach-costs-take-toll-on-target-profit/20838708/ (accessed May 22, 2014).

© 2015 Thomson Reuters/Tax & Accounting. All Rights Reserved.

JANET B. BUTLER is an associate professor of accounting at Texas State University. She received her Ph.D. from the University of Georgia and teaches and researches in the areas of accounting information systems, cost/managerial accounting, and environmental reporting. Some of her articles have been published in Cost Management, Business Horizons, Issues in Accounting Education, Strategic Finance, and Management Accounting Quarterly.

CECILY RAIBORN is the McCoy Endowed Chair in Accounting at Texas State University. She received her Ph.D. from Louisiana State University. Her areas of teaching and research are financial and cost/managerial accounting, corporate social responsibility, and business ethics. Some of her articles have been published in Cost Management, Journal of Business Ethics, Journal of Corporate Accounting and Finance, Business Horizons, CPA Journal, and International Journal of Business Performance Management.