It is a question that always arises in the wake of any high-profile fraud: How could this have happened? Followed quickly by: Who is responsible?
The responses are equally predictable.
Management will assert that every questionable transaction was reviewed by outside lawyers and accountants, and therefore must have been perfectly legal. The company’s auditors explain that management concealed vital information from them or conspired to foil their audit process in devious ways. The Board of Directors claims ignorance of the details behind the reported financials, having relied in good faith on the statements of management and the competence of outside professionals. The lawyers would love to explain what happened, but they are bound by sacred attorney-client privilege not to say a peep.
Responsibility for fraud is a hot potato passed from hand to hand when disaster strikes.
But whose job is it to detect and prevent fraud in the first place? And why has the proliferation of new regulations following each major outbreak of fraud failed to prevent its recurrence?
A study from 2013, suggested that public company fraud is detected in only 1 out of 3 cases, that 1 out of 8 companies engage in fraud, and that the annual cost of corporate fraud to investors is in the range of $180 to $360 billion.
This prevalence of fraud in modern corporations, if true, is astounding when one considers the architecture that is in place intended to eliminate it. At any sizable public company, there is now a whole “financial reporting value chain” designed to detect fraud and remediate it before it has a material impact on the company’s results.
The responsible parties include:
With all of these eyes trained on the process of compiling and reporting financial results, one might ask, “How is fraud even possible?”
To answer this question, I talked to those who, in one way or another, have made a business out of fraud and its repercussions — including investors, investigative reporters, and attorneys who represent opposing sides when there are accusations of fraud. In addition to outlining the shared responsibility for preventing fraud, I wanted to understand how these roles break down when fraud does occur. Finally, I heard a range of ideas to decrease the incidence of fraud in the future.
Company management has the ultimate responsibility for both preparing the financial statements and for preventing fraud.
“Company management, with oversight by the Audit Committee and... the full Board of Directors, have legal responsibility under federal securities laws and corporate law to detect and prevent corporate fraud,” said Michele Johnson, who as Chair of Litigation & Trial Department at Latham & Watkins has ample experience working to defend big companies in a range of class-action suits.
Management can seek to “fraud-proof” the company by investing in strong internal controls and establishing a corporate culture that encourages ethical behavior and shows little tolerance for misconduct. When the system works, the public is unlikely to ever learn about frauds, since management will detect them and discipline the perpetrators before the issue becomes material. Yet a study of all of the SEC accounting and auditing enforcement actions brought between 1998 and 2007, showed that in these alleged accounting frauds the CEO and/or CFO was directly involved 89% of the time.
So how to you protect the henhouse, when the foxes have the keys?
“You cannot name a true financial fraud... in recent history that wasn’t, apart from accounting technicalities, fairly elementary in conception and scope,” says Roddy Boyd, who spends his time poring through legal filings and government records in pursuit of corporate malfeasance at the Southern Investigative Reporting Foundation. “Many financial executives I’ve encountered simply don’t have the level of fear about detecting and preventing fraud that they do about missing earnings bogeys or not being perceived as sophisticated financial engineers. That has to end.”
The theory of the “fraud triangle” identifies three elements that are required for fraud to take place:
Pressure, whether it comes from Wall Street or is self-imposed, is an unavoidable aspect of corporate culture in the era of global competition and activist shareholders. Management often begins by taking a small step to bend the accounting rules or book a transaction that lacks substance to “make the quarter” or close a crucial financing. But rather than correcting it next quarter, the first step inevitably leads to more audacious maneuvers that may earn approbation from analysts and investors for “delivering the numbers” until they are unmasked.
So how can the unrelenting pressure to perform be counter-balanced so as to prevent a company drifting into the fraud triangle?
The internal audit function is a company’s first line of defense in preventing misappropriation of assets and improper accounting for transactions. Its scope of work includes evaluating the effectiveness of risk management systems, ensuring compliance with corporate policies, and implementing strong internal controls with checks and balances to protect against fraud. As a matter of best practice, internal audit should have an open line of communication with the audit committee and be led by a chief audit executive (CAE).
The NYSE requires that listed companies have an internal audit function, and there have been calls to extend that requirement to all public companies. However, recently the pendulum has been swinging towards reducing the regulatory burden imposed by such standards. The SEC recently proposed that all public companies with revenues of less than $100 million be exempt from the requirement to have auditors evaluate their system of internal controls. The stated goal is to make it more attractive for smaller companies, such as biotechnology firms, to go public by reducing the expense and complexity.
The Board of Directors is in a unique position to shape the environment to deter fraud through their oversight of a company’s compensation, accounting, and ethics policies.
Most important is the “tone at the top” set by management with regards to what is acceptable conduct and what gets valued and rewarded at the company. The National Business Ethics Survey in 2013 determined that at companies with weak ethics and compliance cultures, 88% of employees had observed misconduct at work, whereas at those with strong cultures only 20% of employees had. Clearly, a lack of ethical boundaries brings out a propensity for bad behavior.
“It’s really important that you set a tone of compliance from the board of directors through senior management down through the ranks, because otherwise you are setting yourself up for failure,” said Caryn Schechtman of DLA Piper, who often trains senior management and board members on corporate governance. “The audit committee and board need to be armed with an army of employees who feel empowered to when they see something, to say something.”
By designing compensation schemes using targets that are subject to manipulation by management, the Board can inadvertently provide a powerful incentive to cross the line. The Board has the responsibility to ensure that the pressure to achieve ambitious corporate goals is counter-balanced by an effective set of controls that remove the opportunity to manipulate the scorecard to get there.
The Board needs to be informed about the major risk factors for fraud and bring an appropriate level of independent thinking to all of its interactions with management. Broadly, most frauds fall into three categories:
A Board that knows what to look for will be able to ask probing questions of management and make sure that the company has a robust set of systems designed to prevent fraud from occurring.
The Audit Committee, in particular, has a specific responsibility for the selection and oversight of independent auditors, oversight of the internal audit function, and scrutinizing all material changes to accounting policies, management estimates, and material transactions to make sure that they have a reasonable basis. In practice, however, many audit committees effectively delegate many of their responsibilities to management.
There are clearly limits to what outside directors can accomplish given that board service is a part-time position. Famed investor Warren Buffet recently commented that “I’ve seen a lot of corporate boards operate. The independent directors, in many cases, are the least independent.” If the fees directors receive to serve on boards make up a significant portion of their income, “they’re not going to upset the apple cart” by making management uncomfortable, according to Buffet.
In most cases, directors depend on management to provide accurate information to monitor corporate performance and decision making. Despite the authority granted to them, some independent directors may feel pressure to stay in management’s good graces, as long as the stock price is performing.
In order to keep management honest, the Board may turn to qualified outside professionals, such as the public company accounting firm, for a second opinion.
The role of the outside auditor is perhaps the most widely misunderstood of all the participants.
The investing public often has the impression that a company’s auditor prepares the financial statements on management’s behalf — while in fact the auditor is legally prohibited from doing so. Even the courts often show confusion about this issue, sometimes asserting that auditors have “certified” or guaranteed the accuracy of published financials that investors relied upon.
In the 2006 case of Deephaven v. Grant Thornton, the 10th Circuit clarified the role of the auditor: “auditors do not ‘certify’ a company’s financial statements in the sense that the ‘guarantee’ or ‘insure’ them. Nor do they, by virtue of auditing a company’s financial statements, somehow make, own, or adopt the assertions contained therein.”
Instead, the purpose of the audit is to perform as series of tests that enable the auditor to express its opinion of “reasonable assurance,” not certainty, that the financials are free of error. Auditors only express opinions about the annual financial statements, and do not do substantial testing of quarterly financial reports or opine on any “non-GAAP” financial metrics that may be contained in earnings press releases and analyst reports.
So, does that mean auditors are off the hook when it comes to fraud? Far from it.
In 2017, the Public Accounting Oversight Board (PCAOB) modified the responsibilities of the auditor to make it clear that detecting fraud is within the scope those duties.
“The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected.”
The PCAOB has also provided auditors with detailed guidance as to how to identify fraud risks, perform supplemental procedures in high risk areas, and communicate their findings to management, the board and to regulators when they do find fraud. Central to the auditor’s “gatekeeper” function is to exercise “professional skepticism” when substantiating and evaluating the reliability of information provided by management. Auditors should understand the factors that make up the “fraud triangle,” be alert to situations where management can override accounting controls, and question if the accounting treatment fairly represents the economic substance of a transaction.
Some of the tools available to auditors include surprise visits to locations and cash counts, interviews with lower level employees, analyzing data that is disaggregated to see if there are discrepancies, verifying major customers and distributors, and performing computerized testing of underlying revenue data for irregularities. With the increasing availability of artificial intelligence tools, auditors should be able to flag suspect patterns for further investigation more easily.
Given these standards for audit diligence, it is astounding that none of the major cases of fraud in the past two decades were first discovered and reported to regulators by the independent auditor.
Francine McKenna, who regularly writes about the audit industry for MarketWatch and was formerly an auditor at KPMG and PwC, says that too often the audit industry has acted as enablers, rather than watchdogs, when it comes to financial fraud. When problems emerge, audit firms default to talking about an “expectations gap” between the degree of assurance audits provide and absolute assurance to excuse shortcomings.
“What other profession would rather admit, over and over again that they’re idiots and incompetent and can be fooled over and over and over again by their own clients, just to evade liability?” she said in front of a meeting of lawyers who defend audit firms.
McKenna believes that because the compensation of senior partners is tied to keeping large clients happy, it is very difficult for them to exercise true independence. Most of the partners’ energies go towards expanding the scope of engagement, rather than pressing uncomfortable questions on corporate management.
Emily Alexander, whose law firm recently scored a $335 million settlement with PwC related to the collapse of Colonial Bank, says that in the cases she’s involved in the auditors simply failed to follow basic audit procedures or accepted documents that were bogus at face value.
“There’s an underlying requirement of an auditor to understand the client’s business, which is the foundation of the obligation to get evidence to justify the numbers, all of which encompasses a duty to discover fraud,” she says. In some cases, the lapses go beyond a lack of professional skepticism, she says, “It goes to becoming the audit client’s advocate, whether it’s against regulators or coming up with better numbers for the market.”
Even when auditors are well-intentioned, there are certain types of sophisticated fraud that may be difficult to detect without employing specialized forensic audit expertise. For example, collusion between the company and its banks, major customers, or government agencies can result in an auditor “confirming” fictional revenue or cash balances. This is a particular risk in developing markets, where counter parties may lack robust internal controls of their own. In other cases, computer forensics and expertise in document authentication required to catch fraud are outside the scope of a normal audit.
If an auditor has evidence that fraud may exist, they are required to report it — to senior management for localized fraud and directly to the audit committee if senior management is involved in illegal acts that impact the accuracy of the financial statements. If after raising the issue with the audit committee, no action is taken to address the issues, then the auditor is required to withdraw their opinion, terminate the engagement, and make a filing using form 10A(b) to the Securities and Exchange Commission.
However, as a matter of practice such filings are very rare, with only 29 10A(b) reports filed between 1996 and 2003, according to the GAO. “This gets talked about a lot, but the auditors don’t do it,” according to McKenna, who sought updated information on the frequency of these filings from the SEC, only to be told that the data was not being tracked and not available. Often, it seems, auditors prefer to quietly withdraw from troubled clients.
When the internal and external systems designed to prevent fraud function as designed, investors will normally never learn about it — accounting issues will be rectified, and internal controls strengthened before there is any material impact on the financial results.
“It seems a little counterintuitive to tell your employees to find problems and present them to you. But every company has problems,” said Caryn Schechtman. “So, the real key to preventing it from becoming a fraud that can bring down a company is being able to identify the issue at an early stage and properly resolve it.”
But when these systems fail, then other actors may come forward with allegations of fraud, including whistleblowers, short sellers, and investigative journalists. This can create a chain reaction in which the company faces investigations by the SEC, Department of Justice, their stock market, PCAOB and others. In many cases, such allegations also result in shareholder plaintiffs filing class-action lawsuits against the company.
Michelle Johnson feels that there is an imbalanced playing field when financially incentivized players come to the table with claims of wrongdoing that may be unfounded or overblown and are able to reap quick profits.
“Short sellers views can be wrong, and when they are, their allegations impose significant cost to shareholders and harm to companies,”she said. For example, if a short seller publishes a report or blog post that causes the stock to drop based on misleading information, they may cover their position within minutes as the stock collapses in a speculative panic. “The company is left to defend shareholder lawsuits, government investigations, and market speculation long after the blogger’s claims are shown to be inaccurate.”
Emily Alexander feels that class-action lawsuits are often ineffective as a means to make investors whole. While there has been an explosion of class-action securities litigation over the past three decades, most of these suits are treated as nuisance litigation that settle out of court and have little proven effect on fraud deterrence. These suits “are not effective in getting restitution to the ones who actually lost money or in deterring fraud. They are actually a complete fail,” Alexander said.
In summary, a blizzard of new regulations, including the Dodd-Frank (849 pages) and Sarbanes-Oxley legislation (200 pages, with amendments), do not appear to have eliminated public company financial shenanigans. Shareholder lawsuits alleging fraud continue to escalate each year, while the “vigilante justice” of short seller reports imposes exorbitant costs on shareholders without prior knowledge of the publication and can cause lasting damage to companies when the allegations are unfounded.
Given these circumstances, are there any changes that could significantly reduce the incidence of public company fraud?
Until the day that greed and mendacity are eliminated from human behavior, it is unlikely that investing in the equity markets will ever be entirely “safe” from the risk of financial fraud.
“There’s no red pill for frauds and scams, nor for fraudsters and scam artists,” notes Roddy Boyd.
He believes that more aggressive enforcement actions by the SEC and DOJ criminal prosecutions are required to focus the minds of executives and board members on the downside of corporate malfeasance. This would include naming and docking the compensation of managers who were in the chain of command when frauds occurred, doing away with financial settlements in which corporations are permitted to “neither acknowledge nor deny” guilt, and holding boards civilly and criminally liable. “Directors who have been notified about the existence of a possible fraud and who don’t make good faith efforts to at least determine the truth need to be held culpable,” Boyd said.
Enforcement efforts in the financial markets tend to run in cycles, with urgent calls for accountability following major market downturns, often followed by a laxer approach during bull markets. But there are some structural changes that could be effective in reducing the incidence of fraud across the market cycle through improved education and more transparent disclosure.
Here are a few suggestions:
While financial fraud remains the exception among public companies, its consequences to investors’ net worth and to confidence in the fairness of the markets can be devastating. A greater focus on training, transparency, and proper alignment of incentives can help make major public company fraud a rare event.
The opinions is in this article reflect those of the author and not those of Marcum Bernstein and Pinchuk or Marcum LLP.
MarcumBP is a top-ranked provider of SEC audit, accounting, and consulting services to Chinese companies listed in the U.S. capital markets. We provide financial due diligence and forensic accounting services for overseas investors and companies seeking to invest in China. And we offer comprehensive services to Chinese companies and individuals for overseas expansion, including M&A, global tax, capital verification, financial due diligence, real estate, and EB-5 investment services.
For more information please visit: www.marcumbp.com