managing and assessing the risk of fraudulent financial statements

Managing and Assessing the Risk ofFraudulent Financial Statements

Presented by:

W. James Lloyd, CPA/ABV/CFF, CFE, ASA

And

Doug Arnold, CPA, CFE, CMA, CBA, CFSA

39th Annual Virginia Accounting and Auditing ConferenceSeptember 28-29, 2009

Agenda

• Overview of Fraud

• ACFE’s Report to the Nation

• Types of Financial Statement Frauds

• Managing the Risk of Fraud

• Auditor’s Responsibility to Detect Fraud

• Overview of SAS No. 99

39th Virginia Accounting and Auditing ConferenceSeptember 28 - 29, 2009

Incomplete Work Product

There are two types of companies

Those that have been defrauded

And those that don’t know it…yet.1

1 Association of Certified Fraud Examiners

Fraud Defined

• Fraud is defined in Black’s Law Dictionary as:

– A knowing misrepresentation of the truth or concealment of a material fact to induce another to act to his or her detriment. A misrepresentation made recklessly without belief in its truth to induce another person to act. A tort arising from a knowing misrepresentation made to induce another to act to his or her detriment.

– Could also be defined as – the improper conversion of another’s assets to one’s own benefit.


Essential Elements of Fraud

• Intentional material false statements or willful omission of a material fact

• Knowledge by the perpetrator that the statements or omissions are false and misleading

• Intent for the misrepresentation to be acted upon

• Reliance by the victim

• Damages to the victim



• Defined as “The use of one’s occupation for personal enrichment through the deliberate misuse or misapplication of the employing organization’s resources or assets”

• Can be as simple as stealing supplies or as complex as sophisticated financial statement frauds

Occupational Fraud


The Fraud Triangle

Management or other employees have an incentive or are under pressure

Circumstances exist – ineffective or absent control, or management

ability to override controls – that provide opportunity

Culture or environment enables management or other employees to

rationalize committing fraud

Rationale Opportunity

Incentive


Three Major Categories of Fraud

• All occupational frauds fall into one of three major categories:

– Asset misappropriations

– Corruption

– Fraudulent financial statements


ACFE’s 2008 Report to the NationOn Occupational Fraud & Abuse

• Approximately 7% of revenue is lost each year due to fraud

• Median loss from the 2008 study was $175,000

• Median loss for companies with less than 100 employees was $200,000

• 25% of the cases had losses of at least $1M

• Typical length of time between when the fraud started until it was detected was 2 years

ACFE’s Report to the Nation (Continued)

Initial Detection of Occupational Frauds

46%

19%

20%

23%

9%3%

Employee Tip

Internal Audit

Accident

Internal Controls

External Audit

Notified by Police

Respondents were asked how the frauds they investigated were initially discovered.

The sum of the percentages exceeds 100% because some cases involve more than one type of fraudThe sum of the percentages exceeds 100% because some cases involve more than one type of fraud

Perpetrator’s Profile

• Higher income and education = greater loss

• Highest median losses related to employees with 6-10 years of tenure

$261,000 for 6-10 years vs. $50,000 for <1 year

• Median loss for males was $250,000 vs. $110,000 for females

• More education means higher losses

$550,000 for postgraduate vs. $100,000 for high school

• Ages 51-60 represented the highest median loss

$500,000 for 51-60 vs. $25,000 for <26


Fraud Hotlines

• Median loss for organizations with fraud hotlines was $100,000 as opposed to $250,000 for firms without hotlines

• Median number of months until detection was 16 for organizations with hotlines as opposed to 24 without hotlines


Internal Audits

• Median loss for organizations with an internal audit department was $118,000 as opposed to $250,000 without internal audit


External Audits

• Median loss for organizations with external audits was $150,000 as opposed to $250,000 without external audits

• Median number of months in public companies until detection was 18 for organizations with external audits as opposed to 27 without

• Most common anti-fraud control, but no evidence found that they are particularly effective at detecting fraud


Small Organizations Suffered Disproportionately Large Losses

38%

20%

23%

19%

0% 10% 20% 30% 40% 50%

Percent of Cases

<100

100-999

1,000-9,999

10,000+

Nu

mb

er o

f E

mp

loy

ees

Percent of Cases Based on Size of Victim Organization

2008

Source: Association of Certified Fraud Examiners 2008 Report to the Nation

Small Organizations Suffered Disproportionately Large Losses

$200,000

$176,000

$116,000

$147,000

$- $50,000 $100,000 $150,000

Median Loss

<100

100-999

1,000-9,999

10,000+

Nu

mb

er o

f E

mp

loye

es

Median Loss Based on Size of Victim Organization

2008


Distribution of Dollar Losses

2%7%

17%11%

28%10%

25%

0% 5% 10% 15% 20% 25% 30% 35%

Percent of Cases

1-999

10,000-49,000

100,000-499,999

1,000,000 and up

Dol

lar

Los

s R

ange

Distribution of Dollar Losses

2008



Median Loss by Method of Fraud

$- $400 $800 $1,200 $1,600 $2,000

Median Loss (in thousands)

AssetMisappropriation

Corruption

FraudulentStatements

Cat

egor

y

All Occupational Frauds

Fraudulent StatementsCorruption

Asset Misappropriation


How Cash is Misappropriated

• Fraudsters use eight common methods to steal cash from their employers

• Methods involving incoming receipts:

– Skimming and cash larceny

• Methods involving outgoing disbursements:

– Billing schemes, expense reimbursements, check tampering, payroll, and cash register disbursements


Asset Misappropriations Involving Incoming Receipts

• Skimming – cash stolen before it is recorded

– Example: employee accepts payment from a customer but does not record the sale

– Median loss: $80,000

• Cash Larceny – cash is stolen after it has been recorded

– Example: employee steals cash and checks from the daily receipts before being deposited into the bank



Asset Misappropriations - Outgoing Disbursements

• Billing schemes – example: employee creates a shell company and bills employer for nonexistent services (Median loss: $100,000)

• Expense reimbursements – example: employee files fraudulent expense reports (Median loss: $25,000)

• Check tampering – example: employee steals blank company checks, makes them payable to himself or an accomplice (Median loss: $138,000)


Asset Misappropriations - Outgoing Disbursements

• Payroll schemes – example: employee claims overtime for hours not worked


• Register disbursements – example: employee fraudulently voids a sale in the cash register and steals the cash




Corruption Related Frauds

• Conflicts of interest – example: employee owns an undisclosed interest in a supplier and negotiates a contract between his employer and the supplier

• Bribery – example: employee accepts a payment from a vendor for confidential information about a competitor’s bid on a project

• Illegal gratuities – example: employee accepts a free vacation from a vendor after negotiating a contract for his employer


Financial Statement Frauds

• Generally committed by upper management to make the company’s earnings and/or financial condition appear better than actual

• Typical reasons include:

– Lure investors or creditors

– Receive performance based compensation

– Keep stock price high for acquisitions

– Debt covenants


Victims of FinancialStatement Frauds

• Victims of financial statement fraud normally include:

– Investors

– Creditors

– Employees

– Customers

– Suppliers

– External CPAs!


The Cost of FinancialStatement Fraud

• Financial statement frauds can have a devastating impact on the organization and its employees

• For publicly-traded companies – market capitalizations will decline substantially overnight

• For public and private companies – debt and equity financing options will evaporate and existing loans could be called


The Cost of FinancialStatement Fraud (Continued)

• Individuals who invested in the company (including employees) could lose substantial amounts of their investment and/or retirement accounts

• Employees may lose their jobs and benefits – such as health insurance


Fraudulent Financial Statements

• Financial statement frauds normally involve one or more of the following:

– Fictitious revenues

– Concealed liabilities and expenses

– Improper asset valuations

– Improper disclosures

– Timing differences


Fictitious Revenues

• Fictitious revenues involve recording revenue that did not actually occur

• Can involve either fake or legitimate customers

• Example:

– Legitimate customer is invoiced for goods that are never shipped. An entry is made in the subsequent accounting period to reverse the transaction.


Fictitious Revenues (Continued)

• Red Flags:

– Too little cash collected from the revenues being reported

– Unusual journal entries

– Unexplained items on bank and other reconciliations

– Customers that have not been through the normal customer approval process


Concealed Liabilitiesand Expenses

• Understating liabilities and expenses is one of the most common ways companies manipulate their financial statements

• It is generally easier to not record an expense than to falsify revenues

• Concealed liabilities and expenses can be difficult to detect because there is generally no audit trail to follow

• Examples:

– Omitting legitimate accounts payable

– Capitalizing inappropriate expenses

– Failure to disclose warranty costs and liabilities


Concealed Liabilitiesand Expenses (Continued)

• Red Flags:

– Recurring negative cash flows from operations while reporting positive earnings and growth

– Unusual increase in gross margin or margins in excess of industry peers


Improper Asset Valuations

• Generally involve overstated:

– Inventory

– Accounts receivable

– Fixed assets

– Intangible assets

• Red Flags:

– Asset values based on estimates that involve subjective judgment

– Allowances for bad debts and/or obsolete inventory are shrinking in percentage terms and/or out of line with industry peers


Improper Disclosures

• Improper disclosures generally involve one or more of the following:

– Liability omissions

– Subsequent events

– Management fraud

– Related party transactions

– Accounting methods and/or changes in methods


Timing Differences

• Recognizing revenues and/or expenses in the wrong period are generally the most common forms of financial statement fraud

• Red Flags:

– Unusual growth in the number of days’ sales in receivables

– Unusual decline in the number of days’ purchases in accounts payable

What To Look For –Red Flags

• Large checks written to cash (or large number of smaller checks)

• Unusual cash transfers

• Transactions not consistent with the entity’s business

• Unusual related party transactions

• Bank accounts not reconciled timely

• Out of balance subsidiary ledgers


What To Look For – Red Flags

• Pressure from investors or lenders to achieve a certain level of profitability and/or financial condition

• Standard of living is unusual relative to known financial resources

• Disorganized operations

• Poor internal controls – easy for management to override

• Unusual and/or unsupported journal entries39th Annual Virginia Accounting and Auditing ConferenceSeptember 28-29, 2009

What To Look For – Red Flags

• High dependence on a relatively small number of customers or suppliers

• Impressive financial results in a poor economy and/or with poor industry performance

• Unusually consistent financial performance and growth

• Disconnect between cash and profitability

• Growing days in AR – higher than industry average



Tools and Techniques

• Techniques used to analyze financial statements and underlying transactions:

– Vertical analysis

– Horizontal analysis

– Benchmark analysis

• Operating ratios

• Financial ratios

– Data mining

FRAUD PREVENTION



Managing the Risk of Fraud

• Effective ways that organizations can reduce the risk of becoming a fraud victim:

– Create a positive workplace

– Develop a Code of Conduct

– Follow sensible personnel procedures

– Utilize sound internal controls


Create a positive workplace

• Management must set the tone at the top by creating a culture of no tolerance for fraud or other inappropriate behavior

– To be effective, top management must conduct themselves in the same manner as they expect employees to act

• Establish open lines of communication

– Help employees should feel like an important part of the organization

Create a positive workplace

• Provide positive feedback

– Acknowledge employees for ethical behavior

• Compensate employees fairly

– Employees who feel underpaid are more inclined to participate in fraudulent activity


Develop a Code of Conduct

• A code of conduct can be an effective tool for communicating the organization’s intolerance for fraud and other inappropriate behavior. To be an effective fraud risk tool, it should:

– Be in writing and communicated to all employees

– Clearly establish a reporting structure

• Employees need to know who they can/should talk to if they have a problem or suspect inappropriate activity

• Fraud Hotline


Code of Conduct

• Consistently punish violators

• Management must send a clear message that fraudulent behavior will not be tolerated

• Acknowledged by employees and reinforced on a regular basis

– Employees should acknowledge reading and agree to adhere to it – in writing

– Review and re-acknowledge on an regular basis (i.e. annual reviews)



Personnel Procedures

• Establish and follow good hiring and promotion guidelines

– Always check references

• Require employees to use vacation time

– It is difficult to cover up a trail of fraudulent activity while on vacation

• Conduct exit interviews

– Good way to learn about possible fraud or other misconduct


Internal Controls

• Identify high risk areas

• Determine where material misstatements could occur

• Implement appropriate controls to mitigate the risks


Fraud Hotlines

• A tip reporting system, such as a fraud hotline, can substantially reduce the risk of fraud

– Must protect confidentiality of the caller

– Eliminate concerns about retaliation

• Options include:

– Internally answered

– External service

– Email

– Web based

Financial Statement Fraudfrom an Auditor’s Perspective


Auditor’s Responsibility to Detect Fraud: A Brief History

• Statement on Auditing Procedure No.1, Extensions of Auditing Procedure (1930’s):– The auditor is not expected to find all defalcations,

although the discovery of defalcations frequently results.

– The SEC was created and a requirement for “independent” audits implemented.

• Statement on Auditing Procedure No. 30, Responsibilities and Functions of the Independent Auditor in the Examination of Financial Statements (1960’s):– The audit is not primarily or specifically designed and

cannot be relied upon to disclose defalcations and other similar irregularities, although their discovery may result.


Auditor’s Responsibility to Detect Fraud: A Brief History (Continued)

• Statement on Auditing Standards No.16, The Independent Auditor’s Responsibility for the Detection of Errors or Irregularities (late 1970’s):

– The auditor has the responsibility, within the inherent limitations of the auditing process, to plan his examination to search for errors and irregularities.


Lincoln Savings& Loan (1987)

• Nature of the Fraud

– Charles Keating (CEO) and his family misappropriated approximately $1.1 billion from the S&L by:

• Using government insured deposits to invest in risky bonds and schemes

• Recording fictitious revenue from real estate deals with the Keating-controlled parent company

• Related Problems

– Keating paid himself and his family over $34 million in salaries and sales of stock

• $1.5 million of which was paid in gifts and contributions to U.S. Senators in order to influence banking regulations (the “Keating 5”)


Lincoln Savings &Loan (1987) (Continued)

• Symptoms

– CEO had been sanctioned by the SEC and signed a consent decree to never again be involved in the management of a financial institution

– 4 out of 8 company officers of the S&L’s parent company were Keating and his relatives

– Questionable relationships and agreements with related parties

– Questionable timing of investment purchases


Lincoln Savings &Loan (1987) (Continued)

• What Auditor Could Have Done

– Understand management background

– Investigate related parties and related party transactions

– Review the timing for significant investment purchases for patterns (monthly investment statements, interim financial statements, journal entries)


Auditor’s Responsibility to Detect Fraud: SAS No. 53

• Statement on Auditing Standards No. 53, The Auditor’s Responsibility to Detect and Report Errors and Irregularities (1988):

– The auditor is responsible for designing the audit to provide reasonable assurance of detecting material errors and irregularities


PharMor (1992)


– Overstated inventory:

• Moved between stores so it could be counted more than once

• Increased value of inventory without support

– Determined where auditor inventory counts would be done in advance, and did not alter the records at these stores

– CFO and CEO (Monus) were convicted of embezzlement

• $10 million was moved from Phar-Mor to the World Basketball League, founded by Monus

– Prosecutors estimated that the total loss to all investors exceeded $1 billion.


PharMor (1992) (Continued)

• Symptoms

– Rapid growth

– Entity heavily controlled by Monus

– Cash flow questions

– Unpaid vendors

– Unrelated vendors (World Basketball League, travel agency of World Basketball League, etc.)


PharMor (1992) (Continued)


– Incorporate unpredictability for inventory counts

– Address cash flow issues

– Review vendor listings and agings

– Address management override risk:

• Review application of accounting principles

• Segregation of duties issues

• Review journal entries


Auditor’s Responsibility toDetect Fraud: SAS No. 82

• Statement on Auditing Standards No.82, Consideration of Fraud in a Financial Statement Audit (1997):

– Addressed fraud specifically – not “errors” or “irregularities”

– Lessened the “expectation gap” between auditors and users

– Provided specific guidance for planning, evaluating internal controls, exercising due professional care, and gathering evidentiary matter

– Still based upon reasonable rather than absolute assurance

– Established that responsibilities extended throughout the audit – not only at planning


Independent Auditor’s Responsibility

• “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” (SAS No. 82)


Enron (2001)


– Used related party “special purpose entities” to hide significant losses and debt and enter risky derivative transactions, mostly at quarter and year end

– Phantom profits from these entities increased Enron’s stock price

• Related Problems

– Before the issuance of FIN 46R, these entities were not consolidated

– Enron officers, including CEO Skilling, unloaded approximately $1 billion in Enron stock as the business began to fail, while employees holding stock in the company through its retirement plan were not permitted to sell


Enron (2001) (Continued)

• Symptoms

– Seven key executives left the company between August 2000 and August 2001

– Rapid change from a pipeline transportation and distribution company to a wholesale company trading in gas and other derivatives, including weather derivatives

– October 15, 2001 earnings release did not include any balance sheet or cash flow information, or a write off of $1.2 billion in equity



• Symptoms (Continued)

– Executive arrogance:

• Banner in lobby changed from “THE WORLD’S LEADING ENERGY COMPANY” to “THE WORLD’S LEADING COMPANY”

– Continued earnings growth without positive cash flows

– Significant competition among employees

• Employees reported being fearful of going to the restroom and leaving their computers unattended



• Symptoms (Continued)

– Aggressive earnings targets and management bonuses based on meeting these targets

– Excessive interest in stock price




– Make sense of a complex financial situation

– Question executive arrogance

– Increase skepticism as the market began to question the entity’s stock price

– Examine cash flows

– Further assess internal controls over derivative trading – the largest and riskiest part of Enron’s business


SAS No. 99 Overview

• Issued in 2002

• Did not change auditor’s responsibility as outlined under SAS No. 82

• Did not change management’s responsibility to establish controls to prevent and detect fraud


SAS No. 99 Requirements

• Higher level of professional skepticism

“…a material misstatement due to fraud could be present, regardless of any past experience with the entity and regardless of the auditor’s belief about management’s honesty and integrity” (SAS No. 99, paragraph 13)

• Engagement team brainstorming session

• Specific response to the risk of management’s override of controls (fictitious journal entries)


SAS No. 99 Requirements (Continued)

• Specific response to the risk of revenue manipulation

• Gather and consider much more information to assess fraud risk through the consideration of fraud symptoms


Recognition ofFraud Symptoms

• Analytical symptoms

– Changes within the financial statements that do not make sense when compared to an expectation

– Example: PharMor cash flows

• Accounting and documentary symptoms

– Missing or unavailable information

– Overly complex transactions with little or no accounting guidance

– Example: Enron’s use of special purpose entities and complex derivatives


Recognition ofFraud Symptoms (Continued)

• Control symptoms

– Weak or inactive audit committee

– Excessive executive power

– Examples: Keating, Monus, Skilling

• Behavioral, verbal or lifestyle symptoms

– Earnings incentives

– Competition among employees

– Example: Enron’s arrogance and employee competition


Recognition ofFraud Symptoms (Continued)

• Tips and complaints symptoms

– Use of regulatory, whistle-blower or other reporting mechanisms

– Market analyst questions

– Examples: Keating’s SEC sanction and Enron’s questionable earnings announcement


How to Follow Up on Fraud Symptoms

• Exercise a higher level of professional skepticism

• Assignment of personnel to the engagement with higher skill level

• Further consideration of management’s selection and application of accounting principles


How to Follow Up on Fraud Symptoms (Continued)

• Assess control risk below the maximum, conduct additional tests of controls or maybe not rely on controls

• Consider a change in the nature, timing or extent of audit tests (unpredictability)


Other Standards Resultingfrom Fraud Concerns

• Professional standards issued subsequent to SAS No. 99 impacting the auditor’s assessment, documentation, or communication as it relates to fraud:

– SAS No:

• 105• 106• 107• 108• 109• 110• 111• 112• 113• 114

QUESTIONS?

managing and assessing the risk of fraudulent financial statements

Documents

auditing conference

fraud triangle

type of fraud

thannual virginia accounting

fraud median loss

occupational fraud abuse

major categories of

fraud overview of sas