Wednesday, March 09, 2005
Audit Committees Take Aim at Fraud
By Gary Larkin, Managing Editor, Audit Committee Insights
When it comes to malfeasance, audit committees face a Herculean task in this post-Enron world: assessing the risk of management overriding internal controls, which can lead to financial statement fraud.
An average of 25 months passes between financial statement fraud being perpetrated and its discovery, according to "Report to the Nation on Occupational Fraud and Abuse," a report by the Association of Certified Fraud Examiners. By the time financial reporting fraud has been discovered, the damage has already been done to the company's reputation -- as well as its coffers.
The stakes could not be higher. Financial reporting fraud has more than doubled since 1998, to 7 percent of frauds committed, according to the KPMG Forensic Fraud Survey in 2003. And consider that while financial reporting fraud makes up a small percentage of total corporate crime, it represents a large majority of total costs from malfeasance. The average annual cost was more than $250 million for companies suffering from fraudulent financial reporting, according to the KPMG survey.
But for audit committees, making sure that management does not override internal financial controls seems nearly impossible. Other than a good whistleblower system, how can audit committees help stem financial reporting fraud?
To begin, they can improve communications with key parties involved in the financial reporting process, and come to the realization that the risk of fraud exists at every organization.
That's part of the message of "Management Override of Internal Controls: The Achilles' Heel of Fraud Prevention," a document from the Antifraud Programs and Controls Task Force of the American Institute of Certified Public Accountants.
"Our [report] outlines specific steps audit committees can take to address the risk of management overriding established internal safeguards," says John Morrow, AICPA vice president of business and industry. "Had audit committees taken these steps, many financial frauds may have been prevented."
The AICPA task force defines management override of internal controls in several ways. It can be misstating the nature of transactions, recording fictitious transactions, changing the timing of recognition of real transactions, abusing reserves to manipulate results, and altering records related to such transactions.
These types of management overrides allegedly occurred at Enron, WorldCom, and HealthSouth.
The consensus among audit committee members, academics, and auditors who collaborated on the AICPA document is that audit committees must build a strong internal communication network through which the possibility of management override of internal controls is discussed.
"I would put the audit committee into executive session and have them ask, 'where are we vulnerable, where can management be overriding internal controls, where are they concealing it?'" says Mark Beasley, an accounting professor at North Carolina State University who sat on the task force.
"I would bring the external auditor and internal auditor into separate executive sessions," he says.
Beasley goes as far as calling for representatives from human resources and general counsel to attend executive sessions. "If we are seeing things on the HR side where people are leaving the company because they are uncomfortable, that may be a sign something's wrong," Beasley says.
Via an extensive information network that includes external and internal auditors, the compensation committee, and key employees, an audit committee improves the likelihood that it will discover management override of internal controls.
"The audit committee has to constantly assess the integrity of management," says Dan L. Goldwasser, an audit committee member for New York-based pharmaceutical company Forest Laboratories. "There are things to look for. The easiest way is to keep tabs on management's perks."
Goldwasser, who served on the task force and also is a partner with the law firm of Vedder, Price, Kaufman & Kammholz in Chicago, believes the audit committee should be responsible for guiding internal and external auditors in reducing the risk of management override of internal controls.
Les Hand, a partner with KPMG's forensics practice, advised the AICPA task force. He sees the audit committee as vital to stopping financial reporting fraud.
"The audit committee plays an important role in the detection process by helping ensure the company's fraud risk plan is in place and that meetings are held with key gatekeepers," Hand says.
Hand cites an idea that one of his clients decided to try as a fraud prevention measure. An audit committee Hand has worked with brainstormed with management, internal audit, and the external auditor to identify key strategic risks. Then, each leader of the company's business units made a presentation, quantifying major financial reporting fraud risks.
"The business unit leader has to talk about what controls there are," he adds. "The audit committee says, 'tell me how you monitor that.'"
Dana Hermanson, an accounting professor at Kennesaw State University in Kennesaw, Ga., suggests that middle and lower management should be a part of any information network. Hermanson has found that CEOs or CFOs were implicated in more than 80 percent of financial reporting fraud from 1987 to 1997.
"In an accounting fraud setting, boards [that interact] only with the CEO and CFO may just be talking to the main perpetrators of the fraud," he says. "Because so many accounting frauds are orchestrated by top executives, boards and audit committees need access to personnel beyond the small group of top executives."
In addition to an information network and whistleblower program, the AICPA task force recommends that audit committees maintain skepticism towards management and strengthen their understanding of the business. They also should brainstorm to identify fraud risks and use the code of conduct to assess financial reporting culture.
"The idea is they have to be skeptical," says Michael P. Glynn, technical manager of Audit and Attest Standards for AICPA. "They can't take the management's word on everything. The audit committee has to be aware that management isn't going to come up and say, 'We're overriding controls.'"
Glynn explains that often financial reporting fraud isn't done maliciously, but instead can happen when management is about to miss an earnings target.
Energy trader Enron and telecommunications company WorldCom (now MCI) are two of the most prominent examples of alleged financial reporting fraud. Enron overstated its earnings by more than $580 million from 1997 to 2001, and then in 2001's third quarter posted a $638 million loss.
An SEC investigation soon after discovered Enron's infamous special purpose entities, or off-balance sheet partnerships, were allegedly used to defraud investors. In the past year, fraud indictments were handed out to former Chair and CEO Kenneth Lay, former COO Jeffrey Skilling, former chief accounting officer Richard Causey, and several other executives.
WorldCom's alleged fraud was not as complex, but was historic in its size -- $11 billion. The telecommunications giant's former CEO Bernard J. Ebbers and former CFO Scott Sullivan have been charged with fraud, conspiracy and making false regulatory filings. As part of a plea-bargain agreement, Sullivan pleaded guilty in exchange for testifying for the federal government against Ebbers.
They have been accused of a revenue recognition scheme from September 2000-July 2002 that greatly inflated company earnings to meet Wall Street targets.
Enron is a small shell of its former self; MCI recently announced that Verizon was buying the former telecom giant.
"In the case of WorldCom, revenue was coming in too low," Glynn says. "There was a quarter where the company was missing its earnings target. They decided to take some expenses off the financial statement. So then the expenses were smaller and the net revenue was higher."
A key to detecting any type of financial reporting fraud is to look for red flags, industry observers say. These red flags may include low employee morale, employee turnover in the accounting department, pressure to meet unrealistic financial targets and infighting among top management.
"The audit committee should encourage the right tone at the top, and be sure that any potential 'red flags' are explored and resolved to the audit committee's satisfaction," says Scott A. Reed, a partner with KPMG's Audit Committee Institute.
Those red flags serve as leads for forensics professionals, who can follow an electronic trail of company and personal e-mail to track alleged wrongdoers.
"In all the years I've been doing this," says KPMG's Hand, "I can say about 90 percent of the [fraud] cases have turned on electronic data. E-mail traffic is what gets people."
posted by Brian Moran @ 10:06 AM