IIAarticle





	Fighting Financial Reporting Fraud By Scott Green By keeping their eyes and ears open and asking the right questions, internal auditors can provide a healthy mix of quarterly financial audit procedures that augment their traditional evaluation of internal controls. Congress passed the U.S. Sarbanes-Oxley act of 2002 with the goal of rebuilding investor confidence and protecting capital markets. It recognized that strong internal controls were an important component of confidence building. Section 404 of the act addresses this component by mandating an annual evaluation of internal controls and procedures for financial reporting and requiring management to assess and certify the effectiveness of these controls. By keeping their eyes and ears open and asking the right questions, internal auditors can provide a healthy mix of quarterly financial audit procedures that augment their traditional evaluation of internal controls. In addition, Sarbanes-Oxley requires a company’s external auditor to complete a separate report that attests to management’s assessment of the effectiveness of internal controls and procedures for financial reporting. In short, the external auditor must perform testing to validate management’s assessment of the internal control structure. A strong internal audit function can provide both management and the public accountants with comfort that the control structure is being evaluated regularly and that deficiencies are remedied. Documenting and evaluating a company’s processes and related control structure are traditional internal audit tasks that protect the enterprise. However, the degree to which internal auditors focus on the accuracy of their organization’s financial reporting presentation and disclosure, in addition to operational audits, is a matter of judgment. Critical factors that will determine the scope of internal auditing’s involvement in the financial reporting process include the strength and experience of the external auditors as well as the extent of their reliance on the internal control function, the transparency and management culture of the enterprise, and audit priorities based on solid risk analysis. There are three steps every auditor should take — regardless of their level of involvement — to help protect the organization from fraudulent financial reporting:  Listen to rogues and whistleblowers.  Ask focused questions that may lead to red flags of financial reporting trouble.  Watch for financial oddities by benchmarking performance. Investors depend on interim financial reports and need to believe these reports are fair and accurate. Internal auditing can provide valuable oversight to organizations by helping to ensure that communications are free from inappropriate financial engineering. The Art of Listening One of the problems with financial reporting scandals is that an unscrupulous chief financial officer (CFO) and members of his or her team are unlikely to announce their intentions. In fact, a common thread running through WorldCom, Enron, and other high-profile financial scandals is that each company had a strong, respected CFO who kept the number of people involved in the scandal to a minimum, exerted incredible control over the working group, and commanded the group’s loyalty above all other ethical considerations. These CFOs reportedly rewarded those who supported them and intimidated, excluded, and punished those who did not. No auditor can reasonably expect such a tightly knit group to volunteer that their boss is playing with the numbers. The CFO’s sycophants will court his or her approval at the expense of all else, even the total destruction of the enterprise. The good news is that, in recent cases, there were outsiders who were willing to step forward. At Enron, for example, Sherron Watkins, a corporate vice president, specifically told both Andersen and senior executives of her concerns regarding the conflict of interest between Enron and the special purpose entities (SPEs) the CFO administered as well as the perception of improper accounting at many of the SPEs he created. She also raised the possibility of the complete financial collapse of the company. Had they listened to Watkins, the fraud might have been identified earlier, thereby limiting the damage to the company and its employees. The lesson for auditors is clear: Listen to the rogues who complain. Particularly where constructive criticism is viewed as an act of disloyalty, those who are not viewed as a part of the team can be a terrific source of information. It is often too easy to dismiss the grumbling of those who are perceived as outsiders or on the fast track to termination. Internal auditors should resist passive behavior and listen, evaluate, and, if warranted, investigate what they hear. Identify Red Flags Although the number of possible disclosure omissions and financial presentation errors are many, internal auditors can look for patterns to help focus their activities to where they will be most effective. Uncovering these red flags may take some digging and may require the auditor to ask tough questions. Aggressive Revenue Recognition Policies A typical red flag is revenue that is matched to future performance or expenses. Qwest Communications has stated that, between 1999 and 2001, it incorrectly accounted for more than $1.1 billion in transactions. Revenues were contingent on the purchase of fiber capacity and future services, but they were improperly booked as earned. Unify Corp., a provider of software products, reportedly went even further when it boosted revenue by loaning money to customers. Those customers then bought Unify’s products with no reasonable expectation of ever repaying the loans. A $15 million profit was eventually restated into a $7 million loss. Understanding when revenues are recognized is the first step to comprehending the quality of the revenue stream. Revenues of the highest quality are those that are booked after the customer has received, accepted, and paid for the product or service without any further performance requirement or contingency. To identify aggressive accounting and contingencies, auditors can:  Make a direct inquiry to management as to the existence of loans to customers or asset-swap agreements.  Conduct a detailed analysis of debt obligations, which may uncover undisclosed contingencies.  Evaluate alternative revenue recognition methodologies available to the company and ask the CFO and external auditors why these were rejected in favor of the current practice. Such inquiry is not a sign of ignorance, but instead demonstrates prudence and due diligence. The revenue policy applied must have a sound business rationale that is easily understood by senior management and directors. If it doesn’t, this issue should be raised with the audit committee. Ever-Present Nonrecurring Charges Companies are continually making provisions for future expenses, even if they are not sure of their exact amount. There has been an epidemic of merger, product return, lawsuit, obsolete inventory, and bad loan expenses that usually give rise to reserves or nonrecurring charges. The Center for Business Innovation reports that the number of Standard and Poor’s 500 (S&P 500) firms declaring special losses grew from 68 in 1982 to 233 in 2000. In other words, a whopping 47 percent of the S&P 500 had nonrecurring charges in 2000. There are many legitimate nonrecurring expenses — due to acts of nature, mergers, and asset sales. So how does an auditor identify the misuse of this accounting method to hide underlying weaknesses in operating results? One clue is if a company regularly reverses reserves, such as reorganization expenses, back into operating income. This type of activity creates inflation in reported results. To identify such activity, an auditor should ask probing questions such as:  Why is the charge nonrecurring and not a part of normal operating income?  How was the amount of the charge determined, and how accurate is it?  What is the likelihood that all or a portion of the charge will not be used?  What will be disclosed about the charge in the financial statements? Confusing or hesitant answers should be investigated further. Auditors should have responses documented and on hand for future meetings. If nonrecurring charges are reversed at a later date, auditors should solicit and challenge detailed explanations regarding this treatment. Regular Changes To Reserve, Depreciation, Amortization, or Comprehensive Income Policy Frequent changes in accounting guidance can also mask manipulation of the numbers. It is to be expected that the dollar amount of reserves will change with the business climate, but the method used to calculate reserves should not. If an increase in sales results in an increase in accounts receivable, then a corresponding and proportional increase in reserves and bad debt expenses would be expected. If there does not seem to be a direct correlation, internal auditors should challenge the consistency of the reserve calculation. Likewise, capitalized costs should not increase at a rate greater than revenue over time. There may be a lag in related revenue until after major capitalized projects are completed. Auditors should question capitalization techniques that appear aggressive. Any change in methodology should be justified by long-term trends, not short-term needs. Related-Party Transactions Related parties are entities whose management or operating policies can be controlled or influenced by another party. Although related-party transactions are particularly difficult to identify, there are several activities auditors can regularly undertake to help reveal this red flag. As discussed earlier, ongoing communications with rogues can be effective; however, quarterly procedures should also include activities designed to identify conflicts, such as:  Maintaining open communications with outside auditors.  Conducting periodic balance-sheet analyses.  Scheduling regular management interviews. At Enron, the external auditors were intimately involved in the creation of SPEs and were aware of the potential conflicts of interest associated with them. SPEs can be effective financing and risk management vehicles if used correctly. A parent company’s debt level or other risk factors can hinder the capability of a strong business segment to obtain favorable interest rates to finance its operations. In such a situation, the parent can create an SPE and transfer the asset to it with the goal of receiving more favorable lending rates. As long as there is another independent third-party investor that has contributed at least 3 percent of the assets, the SPE does not have to be consolidated into the parent for financial-reporting purposes. Furthermore, if the assets in the SPE are of high quality, banks will perceive the entity as a desirable borrower, resulting in lower lending rates. The SPE will then use this money to pay the parent for the asset received. The bottom line is that the company obtains the money it requires, but pays less to obtain it than it would without the SPE. Enron ran out of quality assets, so the company transferred inferior assets and pledged Enron stock as a guarantee of payment to the banks. According to the Report of Investigation by the Special Investigative Committee of the Board of Directors of Enron Corp. (Powers Report), Enron reported earnings from the third quarter of 2000 through the third quarter of 2001 of almost $1 billion more than should have been reported as a result of this shell game. External auditors routinely request that management attest to and disclose their knowledge of related-party transactions. Simply asking the external auditors about their knowledge of related-party transactions would have identified this potential threat to the organization. Such inquiries can be easy for the internal audit department if it maintains a strong relationship with the external auditors. Insightful analyses of balance sheet movements, particularly at year-end when the pressure to report strong results is at its peak, might also identify related-party transactions. The asset movements at Enron were large, and inquiry into their removal from the balance sheet would have uncovered the SPEs and the conflicts of interest with the CFO. Internal auditors need to ask management directly about any related-party activities and, where appropriate, raise their existence to the audit committee. Complex Products Some companies provide complex financial products, such as structured financial instruments containing derivatives, or use multifaceted hedging strategies that few understand. When a star performer produces complex products, few want to challenge this success or reveal that they don’t understand how the system works. This is evidenced by the Joe Jett story, the infamous trader who executed seemingly profitable trades that, in reality, had no economic benefit. These trades caused the investment bank Kidder Peabody to report more than $300 million in bogus profit. No one was sure how Jett made his margins, but no one — from supervisors, to auditors, to finance staff — wanted to admit their ignorance. Several internal controls should have identified this control break; however, simply requiring that the process be documented in detail may have dissolved the mirage of profitability. An auditor can insist that managers or their employees map out complex strategies. Jett’s supervisor would not have been able to do this because he did not know how Jett made money on his trades. Likewise, Jett would not be able to document the process, as the fraud would have been discovered. Unsupported Top-Side Entries Top-side adjustments are entries not automatically produced from the company’s accounting system; instead they are manually booked adjustments added “on top” of automated results by management. Many of these adjustments are appropriate and ensure business activities are accounted for in the correct period; however, they can also be used to increase reported income or hide inappropriate actions. Management of financial reports often occurs at the top, and these entries represent a smoking gun. An interesting example comes from the U.S. government, the very institution charged with oversight of financial reporting on behalf of the public. An Oct. 14, 2002, New York Times article by Joel Brinkley stated that “auditors studying the financial records of federal government departments find may of them so disorganized, even chaotic, that the agencies cannot account for tens of billions of dollars.” So how did the agencies make their books balance? Through the magic of top-side balancing entries. The Forest Service, a division of the U.S. Department of Agriculture, tried to balance its books at the end of the 2001 fiscal year. It booked more than 15,337 adjusting entries, debits, and credits totaling more than $11 billion gross. Auditors determined that 73 percent of these adjustments, totaling $7.9 billion, were unsupported. The U.S. Department of Defense alone entered an unsubstantiated balance adjustment totaling $1.1 trillion in 2000, down from $2.3 trillion the prior year. Public companies can learn from the failings of the U.S. government. Material top-side entries need to be carefully examined and their business purpose understood. Internal auditors should request the disclosure of, and supporting rationale for, material top-side adjustments from the CFO and then validate them. Finance professionals can easily bury a person with data. Auditors should insist that they keep it simple. If they cannot explain an entry easily, then the adjustment is likely aggressive or improper. Underfunded Defined Benefit Plans Although defined benefit plans are being replaced by defined contribution pensions, such as 401k plans, there are still many in existence. These plans can have a huge effect on a corporation’s net income. Under a defined benefit plan, a sponsor guarantees a specific payout to participants. Contributions are made to the plan based on assumed future investment returns. If actual gains exceed the assumed returns, they can be reported as income on a company’s income statement. During the U.S. bull market of the 1990s, many companies adjusted their assumptions of investment returns upward. Such a move would make the pension fund look like it had more assets than the company needed. These companies would then turn gains from this financial engineering into income. IBM Corp., for instance, recorded $1.27 billion of net pension income in 2000 and $1.45 billion in 2001. Over the past three years, however, the markets have come nowhere close to meeting those investment assumptions. In fact, pension surpluses have turned into deficits. How big of a problem is this? Credit Suisse First Boston estimates that 240 of the 360 S&P 500 companies with defined benefit plans, or 66 percent, are underfunded. General Motors Corp. alone experienced the pain of a $7 billion 1999 pension surplus that turned into an estimated $29 billion deficit by 2002. Other pension funds appear to be in even worse shape based on their contributor’s ability to pay. Some government projections estimate that the airline industry’s pension funds are underfunded by more than $25 billion as of Sept. 30, 2003. AMR Corp., the parent of American Airlines, has a pension fund that is estimated to be underfunded by an amount that represents 600 percent of its entire market capitalization. Similarly, Delta Air Lines is underfunded by more than 300 percent of its market capitalization. Auditors need to review plan assumptions. Expected returns in excess of 8 percent should be challenged. Only a plan that’s 100 percent invested in stocks would have a chance of exceeding an 8 percent return over time, and that is if past financial performance holds. The fact is that many pension funds have exposure to bonds and other lower-yielding instruments and will do well to earn 8 percent. Management Compensation If there is one area boards of directors have spent considerable time managing, it is senior management compensation. Some boards manage compensation better than others. Smart shareholders recognize that they’ll need to enrich good management that has played a key role in increasing an organization’s value. Owners of companies whose stock continues to outperform the market over time are willing to pay an executive management team handsomely without complaint. Unfortunately, many senior managers seem to obtain ever-higher compensation packages regardless of how well their companies perform. For most managers, poor performance means a reduction in compensation, not an increase. The lack of a causal link between pay and performance can be an important red flag for auditors and investors, signaling that there may be a lack of independence on the company’s board. Even if there is independence, pressures created by overly aggressive financial targets cause some management teams to manipulate the financial reports without board knowledge, to obtain greater bonuses and option awards. It is critical that internal auditors understand the incentives contained in a senior management compensation program to help them identify where they should focus their energies. If the compensation plan rewards management for acquisitions, there will be incentive for management to deliver potential targets. Such incentives increase the risk that these companies may not be the best fit or add to the organization’s overall value. If the compensation plan focuses on year-end profit or revenue targets, as was the case at Enron, there will likely be incentive to create or accelerate revenue recognition or possibly delay expenses. Understanding these motivations will help the auditor identify and focus on the associated risks. Meeting with management to discuss red flags can lead to a healthy dialogue based on trust and candor. A defensive or nonresponsive management team indicates the need for professional skepticism and further investigation on the part of the auditor. Benchmark Performance Benchmarking is a management tool that helps provide perspective to financial numbers produced. Both internal and external comparisons help tell the story that the financials alone cannot. The advantages of going the extra mile to develop external benchmarks are significant. External benchmarks help identify best practices, highlight performance gaps, and can help an auditor identify internal oddities not experienced by other firms. For example, if a company’s revenues seem to be holding up while competitors’ are deteriorating, an auditor would want to investigate. If capitalized costs and operating margins are high relative to peers, the capitalization policy might deserve a review. There are many sources from which to draw comparative data. Traditional external sources include industry association statistics and data compiled and reported regularly by accounting, consulting, and service firms. And now there are Internet participation groups where members in the same industry or market segment can share blind data comparisons. Internal benchmarks can be effective in identifying inconsistencies between branches or offices. In organizations that have offices around the globe, a “single approach” culture can help promote teamwork and consistency. Using a single approach means compensating managers for contributing to the organization as a whole, rather than only to their local operations. Such contributions might include standardizing processes, using global purchasing contracts, and referring business to other locations. With standardized data, internal comparisons can help identify the unique strengths of each office — whether it is in London, Prague, or Miami — and help the firm bring the best-suited talent to every customer need. Variances from the norm can identify problems and provide a company the opportunity to bring its resources to bear in support of the office, regardless of location. Changing With the Times The internal auditor’s role in conducting operational audits will continue to be paramount. However, the world is changing, and internal auditing needs to change with it. Auditors must evaluate the financial reporting presentation and disclosure risks and adjust their activities accordingly. The extent of those activities will differ based on the various risks and priorities they face. By listening, asking, and watching, internal auditors can provide a healthy mix of quarterly financial procedures that augment the operational audits performed. It is the external auditor’s role to opine on the financial statements; internal auditors should not look to replace them or replicate their work, but rather to complement and support their critical role. The tools and guidelines discussed herein can be vital in effectively executing this objective and the common goal of protecting shareholder assets. Weil, Gotshal & Manges in New York and author of Manager’s Guide to the Sarbanes-Oxley Act: Improving Internal Controls to Prevent Fraud. To comment on this article, e-mail the author at sgreen@theiia.org. This article was reprinted with permission from the December 2003 issue of Internal Auditor, published by The Institute of Internal auditors, Inc. ww.theiia.org