Detecting fraud: will the new rules help? Sarbanes-Oxley compliance is raising questions about the relationship between internal and external auditors and increased audit costs, Financial Executives Research Foundation (FERF) finds.On Dec. 9, 2003, Parmalat Finanziaria S.p.A.'s founder Calisto Tanzi Calisto Tanzi (born 1938 in Italy) is an Italian businessman notorious for embezzling an estimated eight-hundred million euros from Italian company Parmalat, founded by him, resulting in a great loss for the company. and his son Stefano told executives from private equity fund Blackstone that the Italy-based international food products company's financial accounts were inaccurate. Before the end of the month, Tanzi admitted to diverting 500 million euros (about $640 million) from Parmalat's funds to finance other parts of the business controlled by his family. Assets of Bonlat, a Parmalat subsidiary, were said to include a $4.6 billion Bank of America
Bank of America (NYSE: BAC TYO: 8648 ) is the largest commercial bank in the United States in terms of deposits, and the largest company of its kind in the world. account, but it was later discovered that the account did not exist. With that, Parmalat became the latest corporate fraud to make the headlines, with its chairman allegedly the chief perpetrator A term commonly used by law enforcement officers to designate a person who actually commits a crime. . This newest headline-grabbing fraud, like others of its ilk, involves senior management. These days, a fraud has to be really noteworthy to garner headlines; after all, it's competing with wars, terrorists and tragedies. But there may be some statistical rationale to the link with senior executives. An academic paper published in the June 2002 issue of Critical Perspectives in Accounting notes that the CEO (1) (Chief Executive Officer) The highest individual in command of an organization. Typically the president of the company, the CEO reports to the Chairman of the Board. was involved in 70 percent of the 276 frauds that took place between 1987 and 1999, based on an analysis of enforcement actions taken by the Securities and Exchange Commission, and another 20 percent of the frauds (for a total of about 90 percent) involved other members of senior management. The paper, "Defrauding the Public Interest: A Critical Examination of Reengineered Audit Processes and the Likelihood of Detecting Fraud," was authored by Charles P. Cullinan and Steve G. Sutton. "Senior management is responsible for establishing a reliable system of internal controls. Either management or internal audit can detect the small, 'petty cash' frauds, but frauds by senior management are a different problem," says Ellen H. Masterson, global leader of Assurance Methodology for PricewaterhouseCoopers LLP LLP - Lower Layer Protocol . Masterson referred to a July 2002 article in The Wall Street Journal, "Auditors' Methods Make It Hard to Uncover Fraud by Executives," which cited the results of the Cullinan/Sutton academic paper. "The gist of the article," she says, "was that external auditors' methods were not designed to detect financial reporting fraud committed at the executive levels in an organization." The apparent surge in executive-level fraud has raised key detection questions. If auditors--both internal and external--are expected to discover such fraud, how much more should be spent to ensure they can find it? In virtually all recent scandals, the external auditors The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. have claimed that management effectively hid the problems from them. If that's true, is it realistic to expect auditors--even given far more resources--to find fraud? Many executives argue that the scenario simply gives outside auditors reason to levy higher fees, whatever the result. External Auditors In the past, external auditors were not supposed to specifically design their audit procedures to detect fraud, but if they did find fraud, they were expected to report it. However, they did have to evaluate a company's system of internal controls in order to determine how reliable they were, and thereby limit the amount of additional testing that would be required. Then came the Enron and WorldCom debacles. The Sarbanes-Oxley Act See SOX. of 2002--the U.S. legislative response--was signed into law on July 30. "Management fraud is a relatively recent phenomenon, and everybody's role has changed," Masterson says. "The audit committee is now more 'hands on,' internal audit reports to the audit committee rather than the CEO or CFO See Chief Financial Officer. , and the external auditor must become less transparent to those whose reports they are auditing." By "less transparent," Masterson explains, "In the past, in an effort to drive down audit costs, clients often required that auditors review our audit plans with management, including details such as which sites we would visit, to justify our fees. This was being transparent. Now, we have to be much more skeptical and less predictable--we cannot be as open with those whose work we are auditing. In other words Adv. 1. in other words - otherwise stated; "in other words, we are broke" put differently , we have to be less transparent with management." Section 101 of Sarbanes-Oxley calls for the establishment of an independent, non-governmental accounting oversight board to oversee the audit of public companies in order to protect the interests of their investors. To comply, the Public Company Accounting Oversight Board The Public Company Accounting Oversight Board (or PCAOB) (sometimes called "Peekaboo") is a private-sector, non-profit corporation created by the Sarbanes-Oxley Act, a 2002 United States federal law, to oversee the auditors of public companies. (PCAOB PCAOB Public Company Accounting Oversight Board ) was established, and by last October, PCAOB released an exposure draft of a proposed auditing standard, An Audit of Internal Control Over Financial Reporting Performed in Conjunction with an Audit of Financial Statements. (Although comments on this proposed standard were due Nov. 21, 2003, the standard had not yet been finalized when this article went to press.) Both The Institute of Internal Auditors “IIA” redirects here. For IIA in decision theory, see Independence of irrelevant alternatives. Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association of more than 128,000 members with global headquarters in (IIA (1) (Information Industry Association, Washington, DC) In 1999, IIA merged with SPA (Software Publishers Association) to become the Software & Information Industry Association. See SIIA. ) and Financial Executives International's (FEI FEI Fédération Équestre Internationale. ) Committee on Corporate Reporting (CCR 1. CCR - condition code register. 2. CCR - (Database) concurrency control and recovery. ) have expressed various concerns about this proposed standard in their respective comment letters to the PCAOB. [ILLUSTRATION OMITTED] Internal Auditors Internal auditor An employee of a company who analyzes the company's accounting records to that the company is following and complying with all regulations. IIA's primary--and predictable--concern with the proposed standard is that it does not place enough emphasis on the work of internal auditors. "The PCAOB may have gone overboard on the amount of work expected of the external auditors," says IIA President William G. Bishop III. "The inability to rely on the work of others is a problem. The effect will be to drive up external audit fees. We believe that there is room for more reliance on internal audit. Sarbanes-Oxley should foster a greater working relationship rather than less." This concern is echoed by FEI's CCR, whose primary concern with the standard is that it creates a situation where the costs of implementation will far outweigh the benefits. As stated in CCR's comment letter: "Given the limited level of reliance that the external auditor can place on the work of others, the resultant level of duplicative testing will cause numerous interruptions to the operations of our businesses. These interruptions alone are very costly; however, when coupled with the cost of internal and external resources to support management's assertions and the fees associated with the increased work to be performed by the external auditor, the costs are far beyond the benefits attained. Most CCR companies estimate an increase of approximately 30 percent to 50 percent in audit fees as a direct result of the required audit of internal control over financial reporting." [ILLUSTRATION OMITTED] Dennis R. Beresford agrees that the potential costs of compliance with the proposed auditing standard may exceed the potential benefits, at least to the companies being audited. Beresford is the Ernst & Young executive professor of accounting at the Terry College of Business of the University of Georgia Organization The President of the University of Georgia (as of 2007, Michael F. Adams) is the head administrator and is appointed and overseen by the Georgia Board of Regents. . (He joined the University of Georgia after serving two terms as chairman of the Financial Accounting Standards Board Financial Accounting Standards Board (FASB) Board composed of independent members who create and interpret Generally Accepted Accounting Principles (GAAP). from 1987 to 1997.) He is also the chairman of the audit committees (and "financial expert") for three corporations: MCI (1) (Media Control Interface) A high-level programming interface from Microsoft and IBM for controlling multimedia devices. It provides commands and functions to open, play and close the device. (2) (Microwave Communications Inc. (the successor to WorldCom), Legg Mason Founded in 1899, Legg Mason, Inc. (NYSE: LM) is a leading Global Asset Management Firm that serves the institutional, mutual fund and wealth management markets. The firm is headquartered in Baltimore, Maryland, and is located on Lombard and Charles Streets in the Legg Mason Inc. and Kimberly-Clark Corp. As a member of the Special Investigative Committee of the board of directors of WorldCom, Beresford says, "I saw the terrible financial reporting fraud, and I helped the company try to determine what happened and how to prevent reoccurrences." (However, it was "after the fact," since Beresford joined WorldCom's audit committee almost a month after WorldCom first reported a financial statement fraud.) The Special Investigative Committee's final report can be found in the SEC Edgar system. On pages 223 through 263 of that report, the committee discussed the work of Arthur Andersen For the U.S. Supreme Court case commonly known as Arthur Andersen, see . Arthur Andersen LLP, based in Chicago, was once one of the "Big Five" accounting firms (the other four are PricewaterhouseCoopers, Deloitte Touche Tohmatsu, Ernst & Young and KPMG), performing . [ILLUSTRATION OMITTED] On the report, Beresford notes, "Without going into great detail, it is fair to state that Andersen had evaluated WorldCom's internal controls as being very strong, although this review was done before Sarbanes-Oxley was enacted, and rather than reporting on the system of internal controls, they simply reviewed them. I fully recognize that an accounting firm's evaluation of internal control for purposes of planning the audit is nowhere near the same as an audit of internal control. However, I submit that if Andersen could have been so off-base with respect to the general quality of internal control under the old rules, there is no assurance that they would have caught the problems under the new rules." Beresford maintains that either sloppy auditing and/or extremely well-designed frauds may still permit some frauds to go undetected." Is it necessary for all public companies to undergo chemotherapy because a few may develop cancer?" he asks. Masterson says that the external and internal auditors will each play a role reporting to the audit committee to address the risk of material misstatements due to fraud, but the job is not complete. "We don't think the right formula for the relationship of the external auditor and the internal auditor has been established yet," she argues. "However, our number one concern is a quality audit, and we will dig deeper to detect material misstatement mis·state tr.v. mis·stat·ed, mis·stat·ing, mis·states To state wrongly or falsely. mis·state  ment n. in the financial
statements due to management fraud." Both Masterson and IIA's
Bishop agree that management and the external auditors play a part in
this search.
So while Sarbanes-Oxley audit requirements were a dramatic step--though not without controversy and "what-if" scenarios (see box)--ongoing dialogue and continued evaluation of the legislation and practices need to be part of the continuing efforts to combat fraud. RELATED ARTICLE Can internal and external auditors, working as a team, detect and eliminate financial reporting fraud? Philip D. Ameen, Vice President and Comptroller of General Electric Co., offers this hypothesis: Regulation and auditing are capable of eliminating financial reporting fraud. [ILLUSTRATION OMITTED] In a sense, Ameen says, "We're testing this hypothesis with Sarbanes-Oxley. Consider how we would react to either of two possible future outcomes:" 1. We don't see any more financial reporting frauds. In that case, we will have succeeded, but an extremely important question will be unanswered--whether we're imposing too much cost to achieve the benefit. That is, we know there's no reason to add regulation, but we don't know Don't know (DK, DKed) "Don't know the trade." A Street expression used whenever one party lacks knowledge of a trade or receives conflicting instructions from the other party. whether we could have achieved the same result at lower cost, thus relieving funds so they can be invested productively to earn returns; or 2. We experience another major financial fraud, even with the full Sarbanes-Oxley provisions in place. In this case, we will have failed, but will know nothing about what corrective action A corrective action is a change implemented to address a weakness identified in a management system. Normally corrective actions are instigated in response to a customer complaint, abnormal levels if internal nonconformity, nonconformities identified during an internal audit or to take. The data may actually be showing us that no level of auditing can actually eliminate fraud--a counterintuitive coun·ter·in·tu·i·tive adj. Contrary to what intuition or common sense would indicate: "Scientists made clear what may at first seem counterintuitive, that the capacity to be pleasant toward a fellow creature is ... but possible result. And, if auditing is simply incapable of eliminating fraud, then the mandatory audit effort needs to be reduced to the point that it becomes cost-beneficial. This answer, while clearly better for the total economy, is extremely difficult because it tolerates financial misstatements. William M. Sinnett (bsinnett@fei.org) is Manager of Research for Financial Executives Research Foundation Inc. (FERF FERF Financial Executives Research Foundation FERF Far End Reporting Failure FERF Far End Receive Failure ). A wide variety of publications on governance, internal controls and Sarbanes-Oxley, are available at FERF's bookstore: www.fei.orglrfbookstorel. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion