Statement on Auditing Standards (SAS) No. 112, Communicating Internal Control Related Matters Identified in an Audit, emphasizes the need for governments to have a financial reporting system in place that is sufficient to provide reasonable assurance that management can prepare financial statements in conformity with generally accepted accounting principles (GAAP). To meet that objective, a financial reporting system must be designed to detect not only material fraud or abuse, but also any questionable accounting or auditing practices that could jeopardize the integrity of financial reporting. SAS No. 112 instructs independent auditors that inadequate anti-fraud programs and controls constitute, at a minimum, a significant deficiency that would need to be reported.
In most cases, potential instances of fraud or abuse and questionable accounting or auditing practices come to the attention of responsible parties thanks to employees or citizens who become aware of such practices. Governments can and should take practical steps to encourage and facilitate such reporting.
GFOA recommends that every government establish policies and procedures to encourage and facilitate the reporting of fraud or abuse and questionable accounting or auditing practices. At a minimum, a government should do all of the following:
- Formally approve, and widely distribute and publicize an ethics policy that can serve as a practical basis for identifying potential instances of fraud or abuse and questionable accounting or auditing practices.
- Establish practical mechanisms (e.g., hot line) to permit the confidential, anonymous reporting of concerns about fraud or abuse and questionable accounting or auditing practices to the appropriate responsible parties.1
- A government should regularly publicize the availability of these mechanisms and encourage individuals who may have relevant information to provide it to the government.
- Since ensuring or enhancing confidentiality can significantly increase costs, consider minimizing those costs by providing a separate reporting mechanism for employees, who typically desire greater assurance of confidentiality than do outside parties. In this regard, a government may wish to explore the possibility of engaging the services of an outside vendor to receive complaints from employees. The use of an outside vendor offers a number of potential advantages, including the following:
- Employees may be more readily persuaded of the confidentiality of their calls if they are made directly to a party outside the government.
- Vendors may be able to provide extended hours of service, thus avoiding the need to place a call during regular working hours (i.e., while the employee is still at work).
- Train those answering calls from the general public to recognize calls that are reporting fraud or abuse and direct them appropriately to ensure that reports of instances of fraud or abuse by outside parties receive the appropriate disposition even when they are not made through the mechanism established for that purpose.
- Make internal auditors (or their equivalent) responsible for the mechanisms used to report instances of potential fraud or abuse and questionable accounting or auditing practices. Emphasize that they should take whatever steps are necessary to satisfy themselves that a given complaint is without merit before disposing of it. Further, they also should document the disposition of each complaint received so it can be reviewed by the audit committee.
- Have the audit committee, as part of its evaluation of the governments internal control framework, examine the documentation of how complaints were handled to satisfy itself that the mechanisms for reporting instances of potential fraud or abuse, and questionable accounting or auditing practices are in place and working satisfactorily.
1While providing mechanisms to promote the reporting of fraud is an important element of an overall fraud prevention program there are other elements necessary for a complete program that are outside the scope of this recommended practice.
This best practice was previously titled Encouraging and Facilitating the Reporting of Fraud and Questionable Accounting and Auditing Practices.