Fighting financial reporting fraud

Internal Auditor, Dec, 2003 by Scott Green

CONGRESS PASSED THE U.S. SARBANES-OXLEY ACT of 2002 with the goal of rebuilding investor confidence and protecting capital markets. It recognized that strong internal controls were an important component of confidence building. Section 404 of the act addresses this component by mandating an annual evaluation of internal controls and procedures for financial reporting and requiring management to assess and certify the effectiveness of these controls.

In addition, Sarbanes-Oxley requires a company's external auditor to complete a separate report that attests to management's assessment of the effectiveness of internal controls and procedures for financial reporting. In short, the external auditor must perform testing to validate management's assessment of the internal control structure.

A strong internal audit function can provide both management and the public accountants with comfort that the control structure is being evaluated regularly and that deficiencies are remedied. Documenting and evaluating a company's processes and related control structure are traditional internal audit tasks that protect the enterprise. However, the degree to which internal auditors focus on the accuracy of their organization's financial reporting presentation and disclosure, in addition to operational audits, is a matter of judgment. Critical factors that will determine the scope of internal auditing's involvement in the financial reporting process include the strength and experience of the external auditors as well as the extent of their reliance on the internal control function, the transparency and management culture of the enterprise, and audit priorities based on solid risk analysis.

There are three steps every auditor should take--regardless of their level of involvement--to help protect the organization from fraudulent financial reporting:

* Listen to rogues and whistleblowers.

* Ask focused questions that may lead to red flags of financial reporting trouble.

* Watch for financial oddities by benchmarking performance.

Investors depend on interim financial reports and need to believe these reports are fair and accurate. Internal auditing can provide valuable oversight to organizations by helping to ensure that communications are free from inappropriate financial engineering.

THE ART OF LISTENING

One of the problems with financial reporting scandals is that an unscrupulous chief financial officer (CFO) and members of his or her team are unlikely to announce their intentions. In fact, a common thread running through WorldCom, Enron, and other high-profile financial scandals is that each company had a strong, respected CFO who kept the number of people involved in the scandal to a minimum, exerted incredible control over the working group, and commanded the group's loyalty above all other ethical considerations. These CFOs reportedly rewarded those who supported them and intimidated, excluded, and punished those who did not. No auditor can reasonably expect such a tightly knit group to volunteer that their boss is playing with the numbers. The CFO's sycophants will court his or her approval at the expense of all else, even the total destruction of the enterprise.

The good news is that, in recent cases, there were outsiders who were willing to step forward. At Enron, for example, Sherron Watkins, a corporate vice president, specifically told both Andersen and senior executives of her concerns regarding the conflict of interest between Enron and the special purpose entities (SPEs) the CFO administered as well as the perception of improper accounting at many of the SPEs he created. She also raised the possibility of the complete financial collapse of the company. Had they listened to Watkins, the fraud might have been identified earlier, thereby limiting the damage to the company and its employees.

The lesson for auditors is clear: Listen to the rogues who complain. Particularly where constructive criticism is viewed as an act of disloyalty, those who are not viewed as a part of the team can be a terrific source of information. It is often too easy to dismiss the grumbling of those who are perceived as outsiders or on the fast track to termination. Internal auditors should resist passive behavior and listen, evaluate, and, if warranted, investigate what they hear.

IDENTIFY RED FLAGS

Although the number of possible disclosure omissions and financial presentation errors are many, internal auditors can look for patterns to help focus their activities to where they will be most effective. Uncovering these red flags may take some digging and may require the auditor to ask tough questions.

AGGRESSIVE REVENUE RECOGNITION POLICIES

A typical red flag is revenue that is matched to future performance or expenses. Qwest Communications has stated that, between 1999 and 2001, it incorrectly accounted for more than $1.1 billion in transactions. Revenues were contingent on the purchase of fiber capacity and future services, but they were improperly booked as earned.