Sarbanes-Oxley Compliance:

Laying Plans for Check Fraud Prevention Controls

Written by Jessica Andrews, AP Technology

Effectively adopting technologies and documenting internal procedures/controls that minimize the risk of financial fraud are important means of complying with Section 404 of the Sarbanes-Oxley Act. This article gives an easy-to-digest overview of:

  I. The Sarbanes-Oxley Act and Section 404 Requirements
  II. COSO's Enterprise Risk Management Framework (ERM Framework) - which has become the SEC-accepted methodology for compliance with Section 404
  III. Check Fraud Prevention Controls - An ERM-directed approach to evaluating a company's risk for check fraud and to establishing preventative internal controls

I The Sarbanes-Oxley Act and Section 404 Requirements

Sarbanes-Oxley legislation was enacted in July 2002 to regulate financial practice and corporate governance with stringent rules designed "to protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to the securities laws." It is also meant to "deter and punish corporate and accounting fraud and corruption, ensure justice for wrongdoers, and protect the interests of workers and shareholders." (Quote: President Bush). *1

The Sarbanes-Oxley Act, named after its creators, Senator Paul Sarbanes and Representative Michael Oxley, was prompted in large part by a series of high-profile scandals, such as Enron. The act comprises eleven segments. However, Sarbanes-Oxley Section 404, "Management Assessment of Internal Controls," seems to be raising the most concern as to how exactly to comply. *1

In very quick summary, Section 404 requires:

  1. A company's annual report must contain an "internal control report."
    • The "internal control report" must:
      a) state management's responsibility for establishing and maintaining adequate "internal control" policies and procedures for financial reporting, and
      b) contain an annual assessment of the effectiveness of the "internal control" policies and procedures for financial reporting.
  2. Each company's auditor shall attest to - report on - the assessment made by the company's management.
  3. Each company must disclose whether it has adopted a code of ethics and must promptly disclose any change to this code of ethics. *2

II COSO's Enterprise Risk Management Framework

How exactly can a company comply with Section 404, you ask?
Compliance requires aligning a company's personnel and operations with the key components of the Enterprise Risk Management Framework (ERM Framework). The Committee of Sponsoring Organizations (COSO) of the Treadway Commission has recently released (Sept. '04) their final ERM Framework report that has become recognized by the SEC as the critical methodology for Sarbanes-Oxley Section 404 compliance. The new ERM Framework includes the essential entirety of the 'Internal Control-Integrated Framework', which was an earlier COSO report, and points to 'internal control' as the essential aspect of enterprise risk management. *3

What are the potential benefits of whole-hearted compliance with Section 404 and the ERM Framework, beyond simple compliance with applicable laws and regulations?
CREATING IDEAL COMPANY MANAGEMENT
Compliance requires taking a global view of company operations, assessing potential events in all areas of operation that represent risks and opportunities that may affect meeting company-wide and lower-level objectives, implementing risk management controls that will manage risks and opportunities within the boundaries of the company's risk appetite and provide reasonable assurance of meeting company objectives, and ongoing monitoring of this implementation. It is a holistic mindset that requires an ethical-corporate-culture buy-in at all levels of the organization (the board room, senior management, all levels of personnel). Compliance with Section 404 can effectively manage organizational risk to increase competitiveness and efficiency, and reduce fraudulent activity.

How does the ERM Framework define Enterprise Risk Management?

"Enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in a strategy setting and across an enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives." *4

In very quick summary:

  • 1) The ERM Framework establishes reasonable assurance of meeting a company's OBJECTIVES.
    Objective Categories:
    • a) Strategic - high-level goals and the company's mission
    • b) Operations - effective/efficient use of the company's resources
    • c) Reporting - reliability of the company's reporting
    • d) Compliance - meeting requirements of applicable laws and regulations
    • e) Safeguarding of Resources* - preventing loss of the company's assets/resources, whether through fraud, theft, waste, inefficiency, bad business decisions, etc.
      * Some companies use 'Safeguarding of Resources' as a specific 'objective.' Others place this objective within the boundaries of the 'Operations' objective. *5
  • 2) The ERM Framework is comprised of Enterprise Risk Management COMPONENTS.
    These components represent the aspects that are needed to achieve the company's OBJECTIVES. They are the basic framework that must guide establishing and maintaining the "internal control" policy and procedure to comply with Section 404 of Sarbanes-Oxley.
    ERM Components:
    • a) Internal Environment (company risk management philosophy, company risk appetite, Board of Directors, company ethics/values, commitment to competence, organizational structure, assignment of authority and responsibility, human resource standards)
    • b) Objective Setting (strategic objectives, related objectives, risk appetite, risk tolerances)
    • c) Event Identification (events, influencing factors, event identification techniques, event interdependencies, event categories, distinguishing risks and opportunities)
    • d) Risk Assessment (inherent and residual risk, establishing likelihood and impact, data sources, assessment techniques, event relationships)
    • e) Risk Response (evaluating possible responses, selected responses, portfolio view)
    • f) Control Activities (integration with risk response, types of control activities, policies and procedures, controls over information systems, entity specific)
    • g) Information and Communication
    • h) Monitoring (ongoing monitoring activities, separate evaluations, reporting deficiencies) *6
  • 3) The third dimension of the ERM framework is the organizational structure: Entity-Level, Division, Business Unit, Subsidiary. This organization-structure dimension, which will be unique for each company, accounts for looking at the ERM COMPONENTS and OBJECTIVES relative to the company's conceptual business units. *7

Once again, how exactly can a company begin to comply with Section 404, you ask?
Compliance, in a nutshell, is complicated, and many companies find it difficult to get their arms around. An important part of reducing enterprise risk and meeting the company's OBJECTIVES for 'Operations' and 'Safeguarding of Resources' involves Fraud Prevention within the context of the ERM Framework stated above. Specifically with regard to Fraud Prevention, a company needs to:

  • 1) Consider and document its Internal Environment, in terms of exposing and evaluating fraud vulnerabilities
  • 2) Consider and document its strategic and related Objectives, as well as its risk appetite and tolerances, as they relate to fraud prevention
  • 3) Identify and document possible Events at all levels of the company that present risk for fraud
  • 4) Size up and document the Risks by looking at the likelihood and impact of fraud vulnerabilities at all levels of the company
  • 5) Evaluate possible Responses to the Risks for fraud
  • 6) Implement and document Control Activities to prevent fraud
  • 7) Communicate fraud prevention information, policies and procedures throughout the company
  • 8) Monitor and document the success/failure of fraud prevention control activities, and modify them as needed

III Check Fraud Prevention Controls

AP Technology has developed The Check Fraud Risk Assessment Survey as a way for any company to take a thorough look at its present risk for check fraud by examining its current internal control policies and procedures. The survey assesses the likelihood of check fraud negatively impacting a company's resources (high, medium and low risk) based on a weighted measure of the various risk factors present within the company. The Survey also provides internal control recommendations tailored for a company based on its specific areas of vulnerability. The survey's Recommended Control Activities are in sync with the areas of Control Activities described in the ERM Framework:

A Company Can Begin Assessing Its Risk for Check Fraud with The Check Fraud Risk Assessment Survey™ from AP Technology

  • 1) Top-level Reviews
  • 2) Direct Functional or Activity Management
  • 3) Information Processing Controls
  • 4) Physical Controls
  • 5) Performance Indicators
  • 6) Segregation of Duties *8

Company Checklist For Assessing Fraud Risk and Control Activities

A good place for any company to begin assessing their risks for check fraud is to use a valuable tool like The Check Fraud Risk Assessment Survey from AP Technology. Another approach is to review a checklist of potential risks to determine exactly where controls and policies need to be implemented. Following is a general checklist of areas to consider for check fraud prevention:

Employee Policies and Communications

  • Develop an agenda for staff and department meetings that lets employees know you are actively working to prevent check fraud
  • Provide check fraud awareness training with the latest information from law enforcement and your bank
  • The screening process for all new and part-time employees should include a review of past employers, criminal and credit records, drug test results, and samples (handwriting, fingerprinting, and photograph)
  • Your employee handbook should cover SOP computer security, password security, and fraud prevention procedures
  • Have employee policies for access to keys, security/alarm, and software passwords/employee IDs
  • Have electronic surveillance
  • Have policies in place for termination or departure
  • Offer a security training program
  • Accounting and check processing employees should have job descriptions, reporting procedures, open-ended drug testing and credit checks, and a vendor gift policy
  • Rotate accounting personnel
  • Have mandatory vacation time
  • Conduct surprise internal audits
  • Separate financial responsibilities
  • Allow basic controls to operate as intended without being circumvented by those at higher levels; supervisors should recognize the importance of the review and approval process
  • Supervisors should be made aware of the company's risk for check fraud and, in turn, they should communicate this awareness to their employees
  • Have unique bank accounts for payroll, AP, refund, and other
  • Have policies and restrictions for establishing new bank accounts, check signing, check dollar authorizations, and the ordering and storing of check stock
  • Require multiple signatures or manual signatures on checks over a specified dollar limit
  • Mail AP checks from the post office and not from a local or personal post box

Banking Procedures

  • Reconcile your check disbursements and deposits within 10-20 days
  • Train reconciliation employees to understand check fraud and perform simple tests:
    Look for differences in check stock color or for smudges/stains on checks; know the typical dollar range for checks from the account; look for inconsistencies in payee names
  • Have policy for handling check fraud: Notify the bank; close the account; destroy old check stock; identify outstanding payees; issue new checks; file 1099 against the perpetrator, if they are an employee
  • Read and understand all contracts signed with your bank

Check Signing Policies

  • Review and update signature cards at your bank on a regular basis
  • Have policies regarding the publishing of executive signatures on any electronic document
  • Do not use a rubber stamp for check signatures
  • Have policies for mechanical check signing equipment

Check Processing

  • Use high-quality, blank check stock with built-in security features: fluorescent fibers, artificial watermark, toner grip, chemical resistance, bleach-reactive brown stain, photocopy void pantograph, endorsement backer, thermochromic ink, padlock icon, microprinting, warning band border, laid lines, non-negotiable mark
  • Purchase stock from respectable vendors
  • Establish employee order/re-order policy for stock
  • Have a process for your receiving department
  • Secure check stock, deposit slips, bank statements and cancelled checks
  • Have a policy for destroying the same
  • Inventory both stored and in-use stock
  • Identify responsible person and procedure for approval of invoices. (Match invoices with POs & require secondary approval for exceptions)
  • Other checks and reimbursements should be requested by a department manager, with secondary approval from financial management
  • Require accounting management approval before checks are processed
  • Determine procedure for who reviews checks before they are signed and distributed
  • Review an event log of check printing activity
  • Review a check printing audit trail that shows user access and activity
  • Have a dedicated check printer
  • Establish a check-numbering policy
  • Establish manual check printing requirements
  • Require check printing passwords
  • Positive Pay Implementation
    • How positive pay works:
      • Company sends its bank a positive pay file that lists all checks written against their account(s) (includes check issue date, amount, number/account, and payee name).
      • As checks are presented for payment, the bank compares each check against the positive pay file.
      • Any discrepancies are brought to the attention of the issuing company to verify check authenticity.
    • Implements the UCC standard of "ordinary care."
    • Establishes a fraud prevention partnership with your bank.
    • It is the single strongest defense against check fraud - virtually eliminating your exposure. Your PEO can develop a strong external as well as internal defense strategy - a system of checks and balances that makes your organization proactive in preventing check fraud.
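
The comparison step described under "How positive pay works", as an added example (not AP Technology's or any bank's code). The CSV layout, the sample checks and the payee-normalization rule are constructed assumptions; only the field list comes from the text above.

```python
import csv, io, re
from collections import namedtuple
from decimal import Decimal

# Fields as the page lists them; this CSV layout is constructed (each bank specifies its own).
Check = namedtuple("Check", "account number issue_date amount payee")

ISSUE_FILE = """\
account,number,issue_date,amount,payee
00123456,1001,2024-03-01,1250.00,Acme Supply Co.
00123456,1002,2024-03-01,89.50,Jane Q. Public
00123456,1003,2024-03-04,4300.00,Northside Electric
"""

# Constructed presentments, as the bank would read them off incoming checks.
PRESENTED = [
    Check("00123456", "1001", None, Decimal("1250.00"), "ACME SUPPLY CO"),
    Check("00123456", "1002", None, Decimal("8950.00"), "Jane Q. Public"),   # amount altered
    Check("00123456", "1003", None, Decimal("4300.00"), "N. Smith"),         # payee altered
    Check("00123456", "1001", None, Decimal("1250.00"), "Acme Supply Co."),  # second copy
    Check("00123456", "2077", None, Decimal("600.00"), "Cash"),              # never issued
]

def load_issue_file(text):
    return [Check(r["account"], r["number"], r["issue_date"], Decimal(r["amount"]), r["payee"])
            for r in csv.DictReader(io.StringIO(text))]

def _norm(name):
    # Compare payee names ignoring case, punctuation and spacing.
    return re.sub(r"[^a-z0-9]+", " ", name.casefold()).strip()

def reconcile(issued, presented):
    """Return [(check number, decision)]; anything but 'pay' is referred to the issuer."""
    register = {(c.account, c.number): c for c in issued}
    cleared, decisions = set(), []
    for item in presented:
        key = (item.account, item.number)
        ref = register.get(key)
        if ref is None:
            decision = "not in positive pay file"
        elif key in cleared:
            decision = "duplicate presentment"
        elif item.amount != ref.amount:
            decision = "amount mismatch"
        elif _norm(item.payee) != _norm(ref.payee):
            decision = "payee mismatch"
        else:
            decision = "pay"
            cleared.add(key)
        decisions.append((item.number, decision))
    return decisions
```

Calling `reconcile(load_issue_file(ISSUE_FILE), PRESENTED)` pays only the first presentment of check 1001 and refers the other four items back to the issuing company, each with the reason it failed to match.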

AP Technology Fraud Prevention Solutions

Through our work with over 6,000 check printing and bank positive pay clients, and involvement with the nation's leading banks and fraud experts, AP Technology has developed technologies and expertise that help protect organizations from check fraud and save money by increasing check handling security and efficiencies. Our products include solutions for MICR laser check printing, positive pay, check signing, security check stock and MICR toner. These solutions are engineered to create end-to-end check fraud prevention, and are part of the control framework needed for company-wide fraud prevention and compliance with regulations such as Section 404 of the Sarbanes-Oxley Act.


*References
  • 1 Introduction to Sarbanes-Oxley, The Sarbanes-Oxley Act Community Forum
    http://www.sarbanes-oxley-forum.com/
  • 2 Section 404: Management Assessment Of Internal Controls
    http://www.aicpa.org/info/sarbanes_oxley_summary.htm
  • 3 SarbOx Compliance: Getting Into the ERM Frame of Mind by Ann Elizabeth Robinson, Ph.D. - Visage Solutions, November 14, 2003
    http://www.visagesolutions.com/pdf/ERM_Frame_of_Mind.pdf
  • 4 COSO's Enterprise Risk Management Framework - Framework, pg 16
  • 5 COSO's Enterprise Risk Management Framework - Framework, pg 21
  • 6 COSO's Enterprise Risk Management Framework - Application Techniques, pg 2
  • 7 COSO's Enterprise Risk Management Framework - Framework, pg 23
  • 8 COSO's Enterprise Risk Management Framework - Framework, pgs 62-63