http://media.johnwiley.com.au/product_data/excerpt/76/04714690/0471469076.pdf
CHAPTER
1
FRAUD: AN INTRODUCTION
Steven L. Skalak
Manny A. Alas
Gus Sellitto
F
raud evokes a visceral reaction in us. It is an abuse of our expectation of fair
treatment by fellow human beings. Beyond that, it is a blow to our self-image as
savvy managers capable of deterring or detecting a fraudulent scheme. Whether
we react because of values or because of vanity, nobody likes to be duped. Many
elements of modern society are focused on maintaining an environment of fair
dealing. Laws are passed; agencies are established to enforce them; police are
hired; ethics and morals are taught in schools and learned in businesses; and
criminals are punished by the forfeiture of their ill-gotten gains and personal
liberty—all with a view to deterring, detecting, and punishing fraud. The profession
of auditing grew out of society’s need to ensure fair and correct dealings in
commerce and government.
One of the central outcomes of fraud is financial loss. Therefore, in the
minds of the investing public, the accounting and auditing profession is inextricably
linked with fraud deterrence, fraud detection, and fraud investigation.
This is true to such an extent that there are those whose perception of what
can be realistically accomplished in an audit frequently exceeds the services
that any accountant or auditor can deliver and, in terms of cost, exceeds what
any business might be willing to pay (see Chapter 2). In the past few years,
public anger over occurrences of massive fraud in public corporations has
spawned new legislation, new auditing standards, new oversight of the
accounting profession, and greater penalties for those who conspire to commit
or conceal financial fraud.
This book addresses the distinct roles of corporate directors, management,
external auditors, internal auditors, and forensic accounting investigators with
ch01.fm Page 1 Thursday, December 15, 2005 3:26 PM
2 Ch. 1 Fraud: An Introduction
respect to fraud deterrence, fraud detection, and fraud investigation.
1
As will
quickly become apparent later in this introductory chapter, these professionals are
by no means the only ones concerned with combating fraud. However, each has
a significant role in the larger effort to minimize fraud.
l
FRAUD: WHAT IS IT?
Generally, all acts of fraud can be distilled into four basic elements:
1.
A false representation of a material nature
2
2.
Scienter—knowledge that the representation is false, or reckless disregard
for the truth
3.
Reliance—the person receiving the representation reasonably and justifiably
relied on it
4.
Damages—financial damages resulting from all of the above
By way of illustration, consider the classic example of the purchase of a used
car. The salesperson is likely to make representations about the quality of the car,
its past history, and the quality of parts subject to wear and tear, ranging from the
transmission to the paint job. The elements of fraud may or may not arise out of
such statements. First, there is a distinction between hype and falsehood. The salesperson
hypes when he claims that the 1977 Chevy Vega “runs like new.” However,
were he to turn back the odometer, he would be making a false representation. Second,
the false statement must be material. If the odometer reading is accurate, the
salesperson’s representation that the car runs like new or was only driven infrequently,
is, strictly speaking, mere hype: the purchaser need only look at the odometer
to form a prudent view of the extent of use and the car’s likely roadworthiness.
Third, the fraudster must make the material false misrepresentation with
scienter,
that is, with actual knowledge that the statement is false or with a reckless disregard
for the truth. For example, the car may or may not have new tires. But if the salesperson,
after making reasonable inquiries, truly believes that the Vega has new
tires, there is no knowing misrepresentation. There may be negligence, but there
is no fraud. Fourth, the potential victim must justifiably rely on the false repre-
1. “Forensic accountants” are members of a broad group of professionals that
includes
those who
perform financial investigations, but it is actually wider. The public often uses the term “forensic
accountants” to refer to financial investigators, although many forensic accountants do not perform
financial investigations. In Chapter 27 we discuss the many other services encompassed under
the broader term “forensic accounting.” A forensic accounting investigator is trained and
experienced in investigating and resolving suspicions or allegations of fraud through document
analysis to include both financial and nonfinancial information, interviewing, and third-party inquiries,
including commercial databases. See Auditing and Investigation at end of this chapter.
“Auditors” is used throughout this text to represent both internal and external auditors unless otherwise
specified as pertaining to one group or the other.
2. The term “material” as used in this context is a legal standard whose definition varies from jurisdiction
to jurisdiction; it should not be confused with the concept of materiality as used in auditing,
in which one considers the effect of fraud and errors related to financial statement reporting.
ch01.fm Page 2 Thursday, December 15, 2005 3:26 PM
Fraud: Prevalence, Impact, and Form 3
sentation. A buyer who wants a blue car may actually believe the salesperson’s representation
that “it’s really blue but looks red in this light.” Reliance in that case
is, at best, naive and certainly not justified. Finally, there must be some form of
damage. The car must in fact prove to be a lemon when the purchaser drives off
in it and realizes that he has been misled. Regardless of context, from Enron to
WorldCom to Honest Abe’s Used Car Lot, fraud is fraud, and it displays the four
simple elements noted above.
l
FRAUD: PREVALENCE, IMPACT, AND FORM
Fraud is a feature of every organized culture in the world. It affects many organizations,
regardless of size, location, or industry. According to the ACFE survey,
approximately $660 billion was lost by U.S. companies in 2004 due to occupational
fraud and abuse, and nearly one in six cases cost the organization in
excess of $1 million.
3
Thirty-two percent of all fraud is committed by males
aged 41 to 50, while the greatest loss per fraudulent act is caused by males aged
60 and over.
4
In the area of material financial reporting fraud, in two studies
conducted on the issue, both using information obtained from the SEC, it was
determined that over 70 percent of all financial statement frauds are committed
by the top executives of the organization.
5
However, if one were to look at the FBI’s statistics for white-collar crime, one
would not reach this conclusion because those statistics are based upon prosecutions
and, as discussed in Chapter 22, “Supporting a Criminal Prosecution,” the overwhelming
majority of frauds are not prosecuted. Based upon our own experience as
well as on surveys conducted by PwC (PwC Economic Crime Survey) and the Association
of Certified Fraud Examiners (ACFE), we believe that fraud is pervasive.
In Europe, according to the PwC Global Economic Crime Survey statistics for
prior years, 42.5 percent of larger European companies fell victim to fraud in 2000
and 2001. Across all of the companies surveyed, the average cost of fraud was
€
6.7
million. Overall, approximately 40 percent of large European organizations
believe that the risk of fraud in the future will be at least as high as it is now, while
about one-third of them believe that it will be even higher.
6
While these statistics
were gathered in 2001, if anything, the current climate in Europe suggests that
higher percentages would prevail today in a resurvey of the same population.
3. Association of Certified Fraud Examiners,
2004 Report to the Nation on Occupational Fraud
and Abuse
(Austin, Tex.: Association of Certified Fraud Examiners, 2004), ii, http://
http://www.cfenet.com/pdfs/2004RttN.pdf.
4. Id.
5. Charles Cullinan and Steve Sutton, “Defrauding the Public Interest: A Critical Examination of
Reengineered Audit Processes and the Likelihood of Detecting Fraud,”
Critical Perspectives on
Accounting
, 13 (2002), 297–310 (fix format). See also Mark S. Beasley, et al.,
Fraudulent Financial
Reporting 1987–1997: An Analysis of U.S. Public Companies
(New York: The Committee
of Sponsoring Organizations of the Treadway Commission, 1999).
6. PricewaterhouseCoopers,
European Crime Survey 2001
, 1,
http://www.pwcglobal.com/cz/eng/ins-sol/publ/Euro_fraudsurvey_2001.pdf.
ch01.fm Page 3 Thursday, December 15, 2005 3:26 PM
4 Ch. 1 Fraud: An Introduction
l
FRAUD IN HISTORICAL PERSPECTIVE
Fraud in one form or another has been a fact of business life for thousands of
years. In Hammurabi’s Babylonian Code of Laws, dating to approximately 1800
B
.C.E
., the problem of fraud is squarely faced: “If a herdsman, to whose care cattle
or sheep have been entrusted, be guilty of fraud and make false returns of the
natural increase, or sell them for money, then shall he be convicted and pay the
owner ten times the loss.”
7
The earliest lawmakers were also the earliest to recognize
and combat fraud.
In the United States, frauds have been committed since the colonies were settled.
A particularly well-known fraud of that era was perpetrated in 1616 in
Jamestown, Virginia, by Captain Samuel Argall, the deputy governor. Captain
Argall allegedly “fleeced investors in the Virginia Co. of every chicken and dry
good that wasn’t nailed down.”
8 According to the book Stealing from America
,
within two years of Argall’s assumption of leadership in Jamestown, the “whole
estate of the public was gone and consumed. . . .”
9
When he returned to England
with a boat stuffed with looted goods, residents and investors were left with only
six goats.
10
Later, during the American Civil War, certain frauds became so common that
legislatures recognized the need for new laws. One of the most egregious frauds
was to bill the United States government for defective or nonexistent supplies
sold to the Union Army. The federal government’s response was the False
Claims Act, passed in March 1863, which assessed corrupt war profiteers double
damages and a $2,000 civil fine for each false claim submitted. Remarkably
enough, this law is still in force, though much amended.
Soon after the Civil War, another major fraud gained notoriety: the Crédit
Mobilier scheme of 1872. Considered the most serious political scandal of its
time, this fraud was perpetrated by executives of the Union Pacific Railroad
Company, operating in conjunction with corrupt politicians. Crédit Mobilier of
America was set up by railroad management and by Representative Oakes Ames
of Massachusetts, ostensibly to oversee construction of the Union Pacific Railroad.
11
Crédit Mobilier charged Union Pacific (which was heavily subsidized by
the government) nearly twice the actual cost of completed work and distributed
the extra $50 million to company shareholders.
12
Shares in Crédit Mobilier were
sold at half price, and at times offered gratis, to congressmen and prominent politicians
in order to buy their support. Among the company’s famous sharehold-
7. Hammurabi’s Code of Laws (1780
BCE
), L. W. King, trans.
8. Carol Emert, “A Rich History of Corporate Crime. Fraud Dates Back to America’s Colonial
Days,”
The San Francisco Chronicle
, July 14, 2002.
9. Id.
10. Id.
11. Id.
12. Peter Carlson, “High and Mighty Crooked: Enron Is Merely the Latest Chapter in the History of
American Scams,”
The Washington Post
, February 10, 2002.
ch01.fm Page 4 Thursday, December 15, 2005 3:26 PM
Types of Fraud 5
ers were Vice President Schuyler Colfax, Speaker of the House James Gillespie
Blaine, future Vice Presidents Henry Wilson and Levi Parsons Morton, and
future President James Garfield.
13
l
TYPES OF FRAUD
There are many different types of fraud, and many ways to characterize and catalog
fraud; however, those of the greatest relevance to accountants and auditors
are the following broad categories:
•
Employee Fraud14/Misappropriation of Assets.
This type of fraud
involves the theft of cash or inventory, skimming revenues, payroll fraud,
and embezzlement. Asset misappropriation is the most common type of
fraud.
15
Primary examples of asset misappropriation are fraudulent disbursements
such as billing schemes, payroll schemes, expense reimbursement
schemes, check tampering, and cash register disbursement schemes.
Sometimes employees collude with others to perpetrate frauds, such as
aiding vendors intent on overbilling the company. An interesting distinction:
Some employee misdeeds do not meet the definition of fraud
because they are not schemes based on communicating a deceit to the
employer. For example, theft of inventory is not necessarily a fraud—it
may simply be a theft. False expense reporting, on the other hand, is a
fraud because it involves a false representation of the expenses incurred.
This fraud category also includes employees’ aiding and abetting others
outside the company to defraud third parties.
•
Financial Statement Fraud.
This type of fraud is characterized by intentional
misstatements or omissions of amounts or disclosures in financial
reporting to deceive financial statement users. More specifically, financial
statement fraud involves manipulation, falsification, or alteration of
accounting records or supporting documents from which financial statements
are prepared. It also refers to the intentional misapplication of
accounting principles to manipulate results. According to a study conducted
by the Association of Certified Fraud Examiners, fraudulent financial
statements, as compared with the other forms of fraud perpetrated by
corporate employees, usually have a higher dollar impact on the victimized
entity as well as a more negative impact on shareholders and the
investing public.
16
13. D. C. Shouter, “The Crédit Mobilier of America: A Scandal That Shook Washington,”
Chronicles
of American Wealth
, No. 4, November 30, 2001, http://www.raken.com/american_wealth/other/
newsletter/chronicle301101.asp.
14. “Employee” here refers to all officers and employees who work for the organization.
15. Association of Certified Fraud Examiners,
2002 Report to the Nation on Occupational Fraud and
Abuse
(Austin, Tex.: Association of Certified Fraud Examiners, 2002), 6.
16. Id.
ch01.fm Page 5 Thursday, December 15, 2005 3:26 PM
6 Ch. 1 Fraud: An Introduction
As a broad classification, corruption straddles both misappropriation of assets
and financial statement fraud. Transparency International, a widely respected
not-for-profit think tank, defines corruption as “the abuse of entrusted power for
private gain.”
17
We would expand that definition to include corporate gain as
well as private gain. Corruption takes many forms and ranges from executive
compensation issues to payments made to domestic or foreign government officials
and their family members. Corrupt activities are prohibited in the United
States by federal and state laws. Beyond U.S. borders, contributions to foreign
officials are prohibited by the Foreign Corrupt Practices Act.
This book is primarily concerned with fraud committed by employees and
officers, some of which may lead to the material distortion of financial statement
information, and the nature of activities designed to deter and investigate such
frauds. Circumstances in which financial information is exchanged (generally in
the form of financial statements) as the primary representation of a business
transaction are fairly widespread. They include, for example, regular commercial
relationships between a business and its customers or vendors, borrowing
money from banks or other financial institutions, buying or selling companies or
businesses, raising money in the public or private capital markets, and supporting
the secondary market for trading in public company debt or equity securities.
This book focuses primarily on two types of fraud: (1) frauds perpetrated by
people within the organization that result in harm to the organization itself and
(2) frauds committed by those responsible for financial reporting, who use financial
information they know to be false in order to perpetrate a fraud on investors
or other third parties, whereby the organization benefits.
l
ROOT CAUSES OF FRAUD
As society has evolved from barter-based economies to e-commerce, so has
fraud evolved into complex forms—Hammurabi’s concern about trustworthy
shepherds was just the beginning. Until just a few years ago, companies headquartered
in the developed world took the view that their business risk was highest
in emerging or Third World regions, where foreign business cultures and
less-developed regulatory environments were believed to generate greater risk.
18
Gaining market access and operating in emerging or less-developed markets
seemed often enough to invite business practices that were wholly unacceptable
at home. Sharing this view, the governments of major industrial countries
enacted legislation to combat the potential for corruption. The United States
enacted the Foreign Corrupt Practices Act (FCPA); countries working together
in the Organization for Economic Cooperation and Development (OECD)
enacted the Convention on Combating Bribery of Foreign Public Officials in
17. Transparency International, “TI’s Vision, Mission, Values, Approach and Strategy,” http://
18. PricewaterhouseCoopers, “Financial Fraud—Understanding Root Causes,”
Investigations &
Forensic Services Report
(2002), 1.
ch01.fm Page 6 Thursday, December 15, 2005 3:26 PM
A Historical Account of the Auditor’s Role 7
International Business Transactions (known as the OECD Convention); and
Canada enacted the Corruption of Foreign Public Officials Act.
However, this way of thinking about risk and markets and of combating corruption
and fraud is no longer adequate. The new paradigm for understanding
risk postulates that fraud risk factors are borderless and numerous. Fraud is now
understood to be driven by concerns over corporate performance, financing pressures
including access to financing, the competition to enter and dominate markets,
legal requirements and exposure, and personal needs and agendas.
19
The
need for this new paradigm has become increasingly clear in the past two years,
when the greatest risk to investors has appeared to be participation in the seemingly
well-regulated and well-established U.S. markets. More recently, events at
several major European multinationals have shown that the risk of massive fraud
knows no borders.
The recent spate of accounting and financial scandals has demonstrated that
large-scale corporate improprieties can and do occur in sophisticated markets;
they are by no means the exclusive province of “foreign” or “remote” markets.
Capital market access and the related desire of listed companies to boost revenue
growth, through whatever means necessary, are major factors contributing to
corporate malfeasance worldwide.
l
A HISTORICAL ACCOUNT OF THE AUDITOR’S ROLE
We have briefly examined the elements, forms, and evolution of fraud. We can
now examine the role of one of the key players in the effort to detect fraud, the
auditor.
AUDITING: ANCIENT HISTORY
Historians believe that recordkeeping originated about 4000
B.C.E
., when ancient
civilizations in the Near East began to establish organized governments and
businesses.
20
Governments were concerned about accounting for receipts and
disbursements and collecting taxes. An integral part of this concern was establishing
controls, including audits, to reduce error and fraud on the part of incompetent
or dishonest officials.
21
There are numerous examples in the ancient
world of auditing and control procedures employed in the administration of public
finance systems. The Shako dynasty of China (1122–256
B.C.E
.), the Assembly
in Classical Athens, and the Senate of the Roman Republic all exemplify
early reliance on formal financial controls.
22
Much later, in the twelfth and thirteenth centuries, records show that auditing
work was performed in England, Scotland, Italy, and France. The audits in Great
19. Id.
20. Robert Hiester Montgomery,
Montgomery’s Auditing
, 12th ed. (New York: John Wiley & Sons,
1998), 1–7.
21. Id.
22. Id.
ch01.fm Page 7 Thursday, December 15, 2005 3:26 PM
8 Ch. 1 Fraud: An Introduction
Britain, performed before the seventeenth century, were directed primarily at
ensuring the accountability of funds entrusted to public or private officials.
23
Those audits were not designed to test the quality of the accounts, except insofar
as inaccuracies might point to the existence of fraud.
Economic changes between 1600 and 1800, which saw the beginning of widespread
commerce, introduced new accounting concerns focused on the ownership
of property and the calculation of profit and loss in a business sense. At the
end of the seventeenth century, the first law prohibiting certain officials from
serving as auditors of a town was enacted in Scotland, thus introducing the modern
notion of auditor independence.
24
GROWTH OF THE AUDITING PROFESSION
IN THE NINETEENTH CENTURY
It was not until the nineteenth century, with the growth of railroads, insurance
companies, banks, and other joint-stock companies, that the auditing profession
became an important part of the business environment. In Great Britain, the passage
of the Joint Stock Companies Act in 1844 and later the Companies Act in
1879 contributed greatly to the auditing field in general and to the development
of external auditing in the United States.
25
The Joint Stock Companies Act
required companies to make their books available for the critical analysis of
shareholders at the annual meeting. The Companies Act in 1879 required all limited
liability banks to submit to auditing, a requirement later expanded to include
all such companies.
26
Until the beginning of the twentieth century, independent
audits in the United States were modeled on British practice and were in fact
conducted primarily by auditors from Britain, who were dispatched overseas by
British investors in U.S. companies. British-style audits, dubbed “bookkeeper
audits,” consisted of detailed scrutiny of clerical data relating to the balance
sheet. These audits were imperfect at best. J. R. Edwards, in Legal Regulation of
British Company Accounts 1836–1900, cites the view of Sir George Jessel, a
lawyer and judge famous in his day, on the quality of external auditing soon
after passage of the Companies Act:
The notion that any form of account will prevent fraud is quite delusive.
Anybody who has had any experience of these things knows that a rogue will
put false figures into an account, or cook as the phrase is, whatever form of
account you prescribe. If anybody imagines that will protect the shareholders,
it is simply a delusion in my opinion. . . . I have had the auditors examined
before me, and I have said, “You audited these accounts?” “Yes.” “Did
23. Id.
24. Id.
25. Id.
26. Dr. Sheri Markose, “Honest Disclosure, Corporate Fraud, Auditors and Stock Market Valuation,”
lecture from course EC247: “Financial Instruments and Capital Market Institutions,” University
of Essex (Essex, U.K., 2003).
ch01.fm Page 8 Thursday, December 15, 2005 3:26 PM
A Historical Account of the Auditor’s Role 9
you call for any vouchers?’ “No, we did not; we were told it was all right, we
supposed it was, and we signed it.”
27
Yet by the end of the nineteenth century, the most sophisticated minds in the
auditing field were certain that auditors could do much better than this. Witness
the incisive view of Lawrence R. Dicksee, author of a manual widely studied in
its day (and still available today, many editions later):
The detection of fraud is the most important portion of the Auditor’s duties,
and there will be no disputing the contention that the Auditor who is able to
detect fraud is—other things being equal—a better man than the auditor who
cannot. Auditor[s] should, therefore, assiduously cultivate this branch of
their functions. . . .
28
In response to the rapidly expanding American business scene, audits in the
United States evolved from the more cumbersome British practice into “test
audits.” According to
Montgomery’s Auditing
, the emergence of independent
auditing was largely due to the demands of creditors, particularly banks, for reliable
financial information on which to base credit decisions.
29
That demand
evolved into a series of state and federal securities acts which significantly
increased a company’s burden to publicly disclose financial information and,
accordingly, catapulted the auditor into a more demanding and visible role.
FEDERAL AND STATE SECURITIES REGULATION BEFORE 1934
Prior to the creation of the Securities and Exchange Commission (SEC) in 1934,
financial markets in the United States were severely underregulated. Before the
stock market crash of 1929, there was very little appetite for federal regulation
of the securities market, and proposals that the government require financial disclosure
and prevent the fraudulent sale of stock were not seriously pursued.
30
Investors were largely unconcerned about the dangers of investing in an unregulated
market. In fact, many were seduced by the notion that they could make
huge sums of money on the stock market. In the 1920s, approximately 20 million
large and small shareholders took advantage of the postwar boom in the
economy and tried to make their fortunes by investing in securities.
31
Although there was little interest during the first decades of the century in
instituting federal oversight of the securities industry, state legislatures had
27. J. R. Edwards,
Legal Regulation of British Company Accounts, 1836–1900
(New York: Garland,
1986), 17.
28. L. R. Dicksee,
Auditing: A Practical Manual for Auditors
(New York: Arno, 1976), 6. Reprint of
the 1892 edition.
29. Id., 1–9.
30. U.S. Securities and Exchange Commission, “Introduction—The SEC: Who We Are, What We
Do,” http://www.sec.gov.
31. Id.
ch01.fm Page 9 Thursday, December 15, 2005 3:26 PM
10 Ch. 1 Fraud: An Introduction
already begun to regulate the securities industry.
32
States in the Midwest and
West were most active in pursuing securities regulation in response to citizens’
complaints that unscrupulous salesmen and dishonest stock schemes were victimizing
them.
33
The first comprehensive securities law of the era was enacted
by Kansas in 1911. That law, the first of many known as “blue-sky laws,”
required the registration of both securities and those who sold them.
34
The intent
was to prevent fraud in the sale of securities and also to prevent the sale of securities
of companies whose organization, plan of business, or contracts included
provisions that were “unfair, unjust, inequitable, or oppressive” or if the investment
did not “promise a fair return.” In the two years following the enactment of
the securities laws in Kansas in 1911, 23 states passed some form of blue-sky
legislation.
35
It was only after the stock market crash in 1929 and the ensuing Great Depression
that interest in enacting federal securities legislation became widespread.
Congress passed the Securities Act of 1933, which had the basic objectives of
requiring that investors receive financial and other significant information concerning
securities offered for public sale, and prohibiting deceit, misrepresentations,
and other fraud in the sale of securities. The primary means of
accomplishing these goals was the disclosure of important financial information
through the registration of securities.
36
The second fundamental set of laws, the Securities Exchange Act of 1934,
created the Securities and Exchange Commission and granted it broad authority
over all aspects of the securities industry, including registering, regulating, and
overseeing brokerage firms, transfer agents, and clearing agencies. The Act
addressed the need for regulation of the securities industry, as well as the need to
address the potential for fraud inherent within it. Several sections of the Act deal
with fraud, including Section 9 (Manipulation of Security Prices), Section 10
(Manipulative and Deceptive Devices), Section 18 (Liability for Misleading
Statements), Section 20 (Liability of Controlling Persons and Persons Who Aid
and Abet Violations), and Section 20A (Liability to Contemporaneous Traders
for Insider Trading).
CURRENT ENVIRONMENT
The recent financial scandals at major corporations and conflict of interest issues
in the financial services industry have caused investor confidence in the stock
market to decline dramatically. In response to the wave of corporate malfeasance,
the U.S. Congress passed the Sarbanes-Oxley Act of 2002, intended to
32. Wisconsin Department of Financial Institutions, “A Brief History of Securities Regulation,”
http://www.wdfi.org/fi/securities/regexemp/history.htm.
33. Id.
34. Id.
35. Id.
36. U.S. Securities and Exchange Commission, “Introduction—The SEC: Who We Are, What We
Do.”
ch01.fm Page 10 Thursday, December 15, 2005 3:26 PM
A Historical Account of the Auditor’s Role 11
“protect investors by improving the accuracy and reliability of corporate disclosures
made pursuant to the securities laws, and for other purposes.”
37
Sarbanes-Oxley prohibits accounting firms from providing many consulting
services for the companies they audit, requires audit committees to select and
essentially oversee the external auditor, and generally strengthens the requirement
that auditors must be independent from their clients. Section 101 of the
Sarbanes-Oxley Act established the Public Company Accounting Oversight
Board (PCAOB) to oversee the audit of public companies that are subject to the
securities laws and related matters. The purpose of the PCAOB is to protect the
interests of investors and to further the public interest.
38
The PCAOB was authorized
to establish auditing and related professional practice standards, and Rule
3100 requires the auditor to comply with these standards.
39
The Sarbanes-Oxley
Act begat an extensive and still evolving series of audit rule changes, prompting
the issuance of three audit standards as of the writing of this book.
In October 2002, the AICPA issued
Statement on Auditing Standards (SAS)
No. 99
, “Consideration of Fraud in a Financial Statement Audit.” Effective for
audits of financial statements for periods beginning on or after December 15,
2002, SAS 99 seeks to improve auditing practice, especially as it relates to the
auditor’s role in detecting fraud, if it exists, in the course of the audit. According
to the AICPA President and CEO, the new “standard will substantially change
auditor performance, thereby improving the likelihood that auditors will detect
material misstatements due to fraud. … It puts fraud in the forefront of the
auditor’s mind.”
40
Further, according to the AICPA’s own assessment, the new
standard is the “cornerstone of a multifaceted effort by the AICPA to help
restore investor confidence in U.S. capital markets and to reestablish audited
financial statements as a clear picture window into Corporate America.”
41
The
standard, however, does not increase or alter the auditor’s fundamental responsibility,
which is to plan and conduct an audit such that if there is a fraud or error
causing a material misstatement of a company’s financial statements, it may be
detected. While this seems an unambiguous mandate, there still remains a difference
between the public perception that audits should detect all fraud and the
actual standards governing the conduct of audits. There is a significant and legitimate
difference between
performing an audit and
conducting a financial fraud
investigation
. That difference is explored throughout this book.
37.
Sarbanes-Oxley Act of 2002
, Public Law 107–204, 107th Cong., 2d sess. (January 23, 2002), 1
(from statute’s official title: “An Act to protect investors by improving the accuracy and reliability
of corporate disclosures made pursuant to the securities laws, and for other purposes”).
38. Public Company Accounting Oversight Board,
Sarbanes–Oxley Act of 2002
org/rules/Sarbanes_Oxley_Act_of_2002.pdf.
39. Public Company Accounting Oversight Board,
Rules of the Board,
documents/rules_of_the_board/Standards%20-%20AS1.pdf.
40. American Institute of Certified Public Accountants, “AICPA Issues New Audit Standard for Detecting
Fraud, Cornerstone of Institute’s New Anti-Fraud Program,” October 15, 2002, http://
http://www.aicpa.org/news/2002/p021015.htm.
41. Id.
ch01.fm Page 11 Thursday, December 15, 2005 3:26 PM
12 Ch. 1 Fraud: An Introduction
In November 2003, the SEC approved the final versions of corporate governance
listing standards proposed by the NYSE and NASDAQ Stock Market.
Both standards expand upon the Sarbanes-Oxley Act of 2002 and SEC rules to
impose significant new requirements on listed companies. These sweeping
reforms mandate independence of directors, increased transparency, and new
standards for corporate accountability. These and other governance standards
emphasize the importance of enhancing governance, ethics, risk, and compliance
oversight capabilities.
In 2004, the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) issued its new Enterprise Risk Management framework. The
new COSO framework identifies key elements of an effective enterprise risk
management approach for achieving financial, operational, compliance, and
reporting objectives. The new COSO framework emphasizes the critical role
played by governance, ethics, risk, and compliance in enterprise management.
On November 1, 2004, the United States Organizational Sentencing Guidelines
(the “Guidelines”) were amended to provide expanded guidance regarding
the criteria for effective compliance programs. The Guidelines emphasize the
importance of creating a “culture of compliance” within the organization; establish
the governance and oversight responsibilities of the board and senior management;
and frame the need for dedicating appropriate resources and authority.
The Guidelines also focus on the relationship between governance, ethics, risk
management, and compliance.
l
AUDITORS ARE NOT ALONE
Although auditors have long been recognized to have an important role in
detecting fraud, it is well recognized that they do not operate in a vacuum. Management,
boards of directors, standard setters, and market regulators are key participants
in corporate governance, each charged with specific responsibilities in
the process of ensuring that financial markets, investors, and other users of corporate
financial reports are well served. They are, in effect, links in a Corporate
Reporting Supply Chain (CRSC) that includes several additional participants
(see Exhibit 1.1).
The concept of the Corporate Reporting Supply Chain makes clear that auditors
are only one of several interconnected participants having a role in delivering
accurate, timely, and relevant financial reports into the public domain.
42
While many may consider the internal, external, and regulatory auditors as the
first lines of defense against fraud, in fact they are all in secondary positions.
The first line of defense is a properly constructed system of corporate governance,
risk management, and internal controls, for which management is responsible.
The board, in turn, and its audit committee are responsible for overseeing
42. Samuel A. DiPiazza and Robert G. Eccles,
Building Public Trust: The Future of Corporate
Reporting
(New York: John Wiley & Sons, 2002), 10–11.
ch01.fm Page 12 Thursday, December 15, 2005 3:26 PM
Deterrence, Auditing, and Investigation 13
management on behalf of shareholders, and so the board too has its share of
responsibility for defending against fraud.
Management and the board share responsibility for certain critical aspects of
deterring fraud in financial reporting:
•
Setting a “tone at the top” that communicates the expectation of transparent
and accurate financial reporting
•
Responding quickly, equitably, and proportionately to violations of corporate
policy and procedure
•
Maintaining internal and external auditing processes independent of management’s
influence
•
Ensuring a proper flow of critical information to the board and external
parties
•
Establishing an adequate system of internal accounting control that will
satisfy the requirements of Section 404 of the Sarbanes-Oxley Act
•
Investigating and remediating problems when they arise
These duties are far-reaching. They incorporate responsibilities from every
component of the Fraud Deterrence Cycle discussed in the next section. And
they represent the first line of defense against fraud. While an audit responds to
the risk of fraud, the forensic accounting investigation responds to suspicions,
allegations, or evidence of fraud. The forensic accounting investigator can assist
the auditor in formulating a plan to respond to outside influences such as
whistleblower allegations.
l
DETERRENCE, AUDITING, AND INVESTIGATION
The increased size and impact of financial reporting scandals and the related loss
of billions of dollars of shareholder value have rightly focused both public and
regulatory attention on all aspects of financial reporting fraud and corporate governance.
Some of the issues upsetting investors and regulators—for example,
executive pay that could be considered by some to be excessive—are in the
nature of questionable judgments, but do not necessarily constitute fraud. On the
E
XHIBIT 1.1
THE CORPORATE REPORTING SUPPLY C
HAIN
Standard Setters
Market Regulators
Enabling Technologies
Company
Executives
Investors
& Other
Stakeholders
Third-Party
Analysts
Information
Distributors
Independent
Auditors
Boards of
Directors
ch01.fm Page 13 Thursday, December 15, 2005 3:26 PM
14 Ch. 1 Fraud: An Introduction
other end of the spectrum, there have been more than a few examples of willful
deception directed toward the investing community via fabricated financial
statements, and many of these actions are gradually being identified and punished.
The investing public may not always make a fine distinction between the
outrageous and the fraudulent—between bad judgment and wrongdoing. However,
for professionals charged with the deterrence, discovery, investigation, and
remediation of these situations, a systematic and rigorous approach is essential.
The remainder of this chapter discusses various elements of what we call the
Fraud Deterrence Cycle (Exhibit 1.2) many of which will be the topics of chapters
to come. Without an effective regimen of this kind, fraud is much more
likely to occur. Yet even with a fraud deterrence regimen effectively in place,
there remains a chance that fraud will occur. Absolute fraud prevention is a laudable
but unobtainable goal. No one can create an absolutely insurmountable barrier
against fraud, but many sensible precautionary steps can and should be taken
by organizations to deter fraudsters and would-be fraudsters. While fraud cannot
be completely prevented, it can and should be deterred.
l
CONCEPTUAL OVERVIEW OF THE FRAUD
DETERRENCE CYCLE
The Fraud Deterrence Cycle occurs over time, and it is an interactive process.
Broadly speaking, it has four main elements:
1.
Establishment of corporate governance
2.
Implementation of transaction-level control processes, often referred to as
the system of internal accounting controls
E
XHIBIT 1.2
THE FRAUD DETERRENCE C
YCLE
FRAUD
DETERRENCE
CYCLE
CORPORATE GOVERNANCE
TRANSACTION LEVEL CONTROLS OF PROCESSES AND TRANSACTIONS
INVESTIGATION & REMEDIATION
RETROSPECTIVE EXAMINATION
OF PROBLEMS
ch01.fm Page 14 Thursday, December 15, 2005 3:26 PM
Conceptual Overview of the Fraud Deterrence Cycle 15
3.
Retrospective examination of governance and control processes through
audit examinations
4.
Investigation and remediation of suspected or alleged problems
CORPORATE GOVERNANCE
An appropriate system of governance should be born with the company itself,
and grow in complexity and reach as the company grows. It should predate any
possible opportunity for fraud. Corporate governance is about setting and monitoring
objectives, tone, policies, risk appetite, accountability, and performance.
Embodied in this definition it is also a set of attitudes, policies, procedures, delegations
of authority, and controls that communicate to all constituencies, including
senior management, that fraud will not be tolerated. It further communicates
that compliance with laws, ethical business practices, accounting principles, and
corporate policies is expected, and that any attempted or actual fraud is expected
to be disclosed by those who know or suspect that fraud has occurred. There is
substantial legal guidance concerning standards for corporate governance, but
generally, the substance and also the vigorous communication of governance
policies and controls need to make clear that fraud will be detected and punished.
While prevention would be a desirable outcome for corporate governance
programs, complete prevention is impossible. Deterrence, therefore, offers a
more realistic view. In short, corporate governance is an entire culture that sets
and monitors behavioral expectations intended to deter the fraudster.
Today, changes in business are being driven by increased stakeholder
demands, heightened public scrutiny, and new performance expectations. Critical
issues related to governance reform are surfacing in the marketplace on a
daily basis. These issues include:
•
Protecting corporate reputation and brand value
•
Meeting increased demands and expectations of investors, legislators,
regulators, customers, employees, analysts, consumers, and other stakeholders
•
Driving value and managing performance expectations for governance,
ethics, risk management, and compliance
•
Managing crisis and remediation while defending the organization and its
executives and board members against the increased scope of legal
enforcement and the rising impact of fines, penalties and business
disruption
In order to execute effective governance, boards and management must effectively
oversee a number of key business processes, including the following:
•
Strategy and operation planning
•
Risk management
•
Ethics and compliance (tone at the top)
•
Performance measurement and monitoring
ch01.fm Page 15 Thursday, December 15, 2005 3:26 PM
16 Ch. 1 Fraud: An Introduction
•
Mergers, acquisitions, and other transformational transactions
•
Management evaluation, compensation, and succession planning
•
Communication and reporting
•
Governance dynamics
All the preceding elements are critical to a good governance process.
TRANSACTION-LEVEL CONTROLS
43
Transaction-level controls are next in the cycle. They are accounting and financial
controls designed to help ensure that only valid, authorized, and legitimate
transactions occur and to safeguard corporate assets from loss due to theft or
other fraudulent activity. These procedures are preventive because they may
actively block or prevent a fraudulent transaction from occurring. Such systems,
however, are not foolproof, and fraudsters frequently take advantage of loopholes,
inconsistencies, or vulnerable employees. As well, they may engage in a
variety of deceptive practices to defeat or deceive such controls. Anti–moneylaundering
procedures employed by financial institutions are an excellent example
of a proactive process designed to deter fraudulent transactions from taking
place through a financial institution. Another familiar example is policy relating
to the review and approval of documentation in support of disbursements.
RETROSPECTIVE EXAMINATION
The first two elements of the Fraud Deterrence Cycle are the first lines of
defense against fraud and are designed to deter fraud from occurring in the first
place. Next in the cycle are the retrospective procedures designed to help detect
fraud before it becomes large and, therefore, harmful to the organization. Retrospective
procedures, such as those performed by auditors and forensic accounting
investigators, do not prevent fraud in the same way that front-end transaction
controls do, but they form a key link in communicating intolerance for fraud and
discovering problems before they grow to a size that could threaten the welfare
of the organization. Further, with the benefit of hindsight, the cumulative impact
of what may have appeared as innocent individual transactions at the time of
execution may prove to be problematic in the aggregate. Although auditing cannot
truly “prevent” fraud in the sense of stopping it before it happens, it can be
an important part of an overall fraud deterrence regime.
INVESTIGATION AND REMEDIATION
Positioned last in the Fraud Deterrence Cycle is forensic accounting investigation
of suspected, alleged, or actual frauds. Entities that suspect or experience a
fraud should undertake a series of steps to credibly maintain and support the
other elements of the Fraud Deterrence Cycle. Investigative findings often form
the basis for both internal actions such as suspension or dismissal and external
43. Principal focus of PCAOB Auditing Standard No. 2 (AS2).
ch01.fm Page 16 Thursday, December 15, 2005 3:26 PM
First Look Inside the Fraud Deterrence Cycle 17
actions
44
against the guilty parties or restatement of previously issued financial
statements. An investigation also should form the basis for remediating control
procedures. Investigations should lead to actions commensurate with the size
and seriousness of the impropriety or fraud, no matter whether it is found to be a
minor infraction of corporate policy or a major scheme to create fraudulent
financial statements or misappropriate significant assets.
All elements of the cycle are interactive. Policies are constantly reinforced
and revised, controls are continually improved, audits are regularly conducted,
and investigations are completed and acted upon as necessary. Without the commitment
to each element of the Fraud Deterrence Cycle
,
the overall deterrent
effect is substantially diminished.
l
FIRST LOOK INSIDE THE FRAUD DETERRENCE CYCLE
We have seen that the Fraud Deterrence Cycle involves four elements: corporate
governance, transaction-level controls, retrospective examination, and investigation
and remediation. Here we want to take a first look inside each of the elements
to identify some of their main features.
CORPORATE GOVERNANCE
In our experience, the key elements of corporate governance are:
•
An independent board composed of a majority of directors who have no
material relationship with the company
•
An independent chairperson of the board or
an independent lead director
•
An audit committee that actively maintains relationships with internal and
external auditors
•
An audit committee that includes at least one member who has financial
expertise, with all members being financially literate
•
An audit committee that has the authority to retain its own advisers and
launch investigations as it deems necessary
•
Nominating and compensation committees composed of independent
directors
•
A compensation committee that understands whether it provides particularly
lucrative incentives that may encourage improper financial reporting
practices or other behavior that goes near or over the line
•
Board and committee meetings regularly held without management and
CEO present
•
Explicit ethical commitment (“walking the talk”) and a tone at the top that
reflects integrity in all respects
•
Prompt and appropriate investigation of alleged improprieties
44. See Chapter 22 for considerations surrounding a referral of matters for prosecution.
ch01.fm Page 17 Thursday, December 15, 2005 3:26 PM
18 Ch. 1 Fraud: An Introduction
•
Internally publicized enforcement of policies on a “no exception” or “zero
tolerance” basis
•
The board and/or audit committee’s reinforcement of the importance of
consistent disciplinary action of individuals found to have committed
fraud
•
Timely and balanced disclosure of material events concerning the company
•
A properly administered hotline or other reporting channels, independent
of management
•
An internal audit function that reports directly to the audit committee without
fear of being “edited” by management (CEO, CFO, controller, et al.)
•
Budgeting and forecasting controls
•
Clear and formal policies and procedures, updated in a timely manner as
needed
•
Well-defined financial approval authorities and limits
•
Timely and complete information flow to the board
TRANSACTION-LEVEL CONTROLS
Systems of internal accounting control are also key elements in the Fraud Deterrence
Cycle. Literature on this topic is extensive, but one manual in particular is
widely recognized as authoritative:
Internal Control: Integrated Framework
, prepared
by the Committee of Sponsoring Organizations of the Treadway Commission
(COSO) and published by the AICPA. This manual lays out a comprehensive
framework for internal control. Any entity undertaking fraud deterrence will want
to be conversant with the elements and procedures covered in this book. Briefly,
the critical elements highlighted in the COSO framework are:
•
The Control Environment
. This is the foundation for all other components
of internal control, providing discipline and structure, and influencing
the control awareness of the organization’s personnel. Control
environment factors include the integrity, ethical values, and competence
of the organization’s people; management’s philosophy and operating
style; management’s approach to assigning authority and
responsibility; and how personnel are organized and developed.
45
•
Risk Assessment.
Effectively assessing risk requires the identification and
analysis of risks relevant to the achievement of the entity’s objectives, as
a basis for determining how those risks should be managed and controlled.
Because economic, industry, regulatory, and operating conditions
continually change, mechanisms are needed to identify and deal with risks
on an ongoing basis.
46
45. Committee of Sponsoring Organizations of the Treadway Commission (COSO),
Internal
Control—Integrated Framework
(New York: Committee of Sponsoring Organizations of the
Treadway Commission, 1994), 23.
Note:
Commonly referred to as the COSO Report.
46. Id., 33.
ch01.fm Page 18 Thursday, December 15, 2005 3:26 PM
First Look Inside the Fraud Deterrence Cycle 19
•
Control Activities.
Control activities occur throughout an organization at
all levels and in all functions, helping to ensure that policies, procedures,
and other management directives are carried out. They help, as well, to
ensure that necessary actions are taken to address risks that may prevent
the achievement of the organization’s objectives. Control activities are
diverse, but certainly may include approvals, authorizations, verifications,
reconciliations, operating performance reviews, security procedures over
facilities and personnel, and segregation of duties.
47
•
Information and Communication
. Successfully operating and controlling a
business usually requires the preparation and communication of relevant
and timely information. This function relies in part on information systems
that produce reports containing operational, financial, and compliancerelated
data necessary for informed decision making. Communication
should also occur in the broader sense, flowing down, up, and across the
organization, so that employees understand their own roles and how they
relate to others. Further, there must be robust communication with external
parties such as customers, suppliers, regulators, and investors and other
stakeholders.
48
•
Monitoring
. COSO recognizes that no system can be both successful and
static. It should be monitored and evaluated for improvements and changes
made necessary by changing conditions. The scope and frequency of evaluations
of the internal control structure depend on risk assessments and the
overall perceived effectiveness of internal controls. However, under the
Sarbanes-Oxley requirements, management and the external auditors are
each charged with performing an evaluation at least annually.
49
To serve the needs of a thorough Fraud Deterrence Cycle, several aspects of
control processes are of particular importance. Among them are the following:
•
Additions/changes/deletions to master data files of customers, vendors,
and employees
•
Disbursement approval processes
•
Write-off approval processes (in accounts such as bad debt, inventory, etc.)
•
Revenue recognition procedures
•
Inventory controls
•
Processes for signing contracts and other agreements
•
Segregation of duties
•
Information systems access and security controls
•
Proper employment screening procedures, including background checks
•
Timely reconciliation of accounts to subsidiary ledgers or underlying
records
47. Id., 49.
48. Id., 59.
49. Id., 69.
ch01.fm Page 19 Thursday, December 15, 2005 3:26 PM
20 Ch. 1 Fraud: An Introduction
•
Cash management controls
•
Safeguarding of intellectual assets such as formulas, product specifications,
customer lists, pricing, and so forth
•
Top-level reviews of actual performance versus budgets, forecasts, prior
periods, and competitors
l
AUDITING AND INVESTIGATION
The remaining two elements of the Fraud Deterrence Cycle are retrospective
examination, that is, auditing and investigation, and remediation of any discovered
problems. As discussed later in detail, there are differences between auditing
and investigating.
These differences make clear that audits and investigations are not the same.
During the course of an audit, an auditor seeks to detect errors or improprieties,
absent any specific information that such improprieties exist. During an investigation,
a forensic accounting investigator seeks to discover the full methods and
extent of improprieties that are suspected or known. Both are important features
of the Fraud Deterrence Cycle
,
but they are, and should be, separate. They
involve different procedures and they are performed by professionals with different
skills, training, education, knowledge, and experience. This is an important
distinction in the current environment, when some commentators have
suggested that the spate of corporate scandals cries out for the conversion of the
standard audit into something resembling an investigation. If the audit in the
future were to take this path, the cost of performing the audit may increase.
GAAS Audit
Forensic Accounting
Investigation
Objective
Form an opinion on the overall
financial statements taken as a whole
Determine the likelihood and/or
magnitude of fraud occurring
a
Purpose
Usually required by third-party users
of financial statements
Sufficient predication that a fraud
has or may have occurred
Value
Adds credibility to reported financial
information
Resolves suspicions and
accusations; determines the facts
Sources of
evidence
Inquiry, observation, examination,
and reperformance of accounting
transactions to support financial
statement assertions
Review detailed financial and
nonfinancial data, search public
records, conduct fact-finding as
well as admission-seeking
interviews, including third-party
inquiries
Sufficiency
of evidence
Reasonable assurance Establish facts to support or refute
suspicions or accusations
a
Ultimately the trier of fact concludes whether fraud has occurred. The focus of a fraud investigation is fact
finding, based on the investigator’s knowledge of the elements of fraud that a trier of fact considers.
Source: Adapted from Association of Certified Fraud Examiners
ch01.fm Page 20 Thursday, December 15, 2005 3:26 PM
