Read the interview of Charles Lundelious, author of the book – Financial Reporting Fraud: A Practical Guide to Detection and Internal Control conducted by Nadine Sebai, blogging at Sleight of Hand. Mr.Lundelious book provides a detailed analysis of the role of senior management and the CPA in preventing financial reporting fraud. The interview below is re-blogged from Sleight of Hand. The interview provides excellent insight to financial fraud, and the challenges and limitations for detecting the same. A must read for those passionate about financial frauds and risk management.
Mr. Lundelius is the author of the book, Financial Reporting Fraud: A Practical Guide to Detection and Internal Control, published by the American Institute of Certified Public Accountants. He has also published articles on accounting, valuation, insurance and corporate governance. Charles Lundelius is a senior managing director in the FTI Forensic and Litigation Consulting practice and is based in Washington, D.C. Mr. Lundelius specializes in financial institutions consulting, with expertise in International Financial Reporting Standards (IFRS), US Generally Accepted Accounting Standards (US GAAP) and insurance statutory accounting practices (SAP). With 20 years of experience in the securities, investment banking and insurance industries, Mr. Lundelius provides expert testimony and advice on securities valuation, investment management and insurance matters, having testified in over 30 matters. To read his full profile click here.
Ms Sebai is the author of the blog Sleight of Hand. Her blog provides insightful information on white-collar crime, corporate governance, business ethics, and legal psychology. She is an accountant aspiring to help protect the investment community from white-collar criminals. She has completed her Bachelors of Business Administration in Accounting from the University of Miami. She is working on obtaining her CPA and CFE licenses. Click here to visit her blog.
Interview of Charles Lundelius conducted by Nadine Sebai
In Chapter 1, you present the legal and regulatory standards that were put in place to prevent fraud such as the FCPA Act of 1997, the Federal Sentencing Guidelines Manual, SAS No. 53, 82, and 99, and Sarbanes Oxley Act of 2002. Do you think these regulations are effectively deterring fraud considering it hasn’t been successful in the past two years?
Well I think they are a good start. It always comes down to enforcement and actual applications. You may have seen that I was involved in helping the SEC’s Inspector General in trying to find out why they failed to catch Madoff and that is a vivid illustration of what happens when enforcement fails to do its job. It was very clear that there were lots of warning signs to the SEC that there was a problem here. The various groups within the SEC failed to act and to put proper measures to rein this operation in and they could have done so well before it fell apart. I think that the SASs and the laws that you mentioned were all good steps. In terms of the SASs, they give guidance to auditors. Sarbanes Oxley and other laws helped institute within companies various mechanisms by which they can monitor activities and transactions in much greater deal and I think that is a very positive step. It comes down to the companies and the auditors to implement them. I think we’ve made some progress there.
The new COSO studies (they come out with a big research report every ten years) shows that the magnitude of fraud is increasing. Since the previous COSO study done 10 years ago, the magnitude of fraud has increased about 4 to 6 times. CFOs and CEOs are still heavily involved in those frauds. Around 89% of frauds involved a CEO, a CFO or both. So it certainly is just as serious as it’s been in the past, but this last study period really just picked up the first few years of implementation of Sarbanes Oxley so we really haven’t seen a full blown comprehensive study of its effect or its impact. I think we’ll just have to wait for the next COSO study.
You mentioned that the issues presented in the 1987 Treadway Report are still prevalent in the most recent reports, like Sarbanes Oxley. Why do you think that is?
I wish I could. My best educated guess is that until you get to Sarbanes Oxley, you don’t have any motivator that gets companies to take and implement all the fine concepts and to take preventive measures needed as identified in the Treadway Report. You’ve got a long period of time where fraud was identified. I gave you the statistic for the number of CEOs and CFOs involved in fraud. The original Treadway Report stated that 69% of frauds involved a CEO or CFO, and that number now is close to 89%. So the problem only got worse really during this time period. However, auditors were starting to move in the right direction. An auditor can only catch so much. It really takes people at the company and the tone set by those at the top to really make a change. And it’s only after you see the full-board implementation of Sarbanes Oxley, do you really get a framework that is setup that is designed to try to catch these issues at an early stage. It still doesn’t succeed all the time. I’ve seen from some of the public information that’s available and some of the work I’ve done over the last few years with some of the mortgage companies that went belly-up. They have fine internal control structures. Obviously, they weren’t able to catch all of the issues. I don’t necessarily think fraud brought them down, it was risk. You have a number of companies that have implemented much more robust internal control systems that hopefully will start to turn some of these trends downward and we’ll see some improvement.
In regards to switching to IFRS, do you think it may lead to more fraud?
Well, I don’t think that a switch to IFRS necessarily means more fraud. It depends on how it’s done. If regulators took a fairly hands off approach and said, ‘Oh, well here we have a set of standards that allows for more judgment and interpretation on the part of a SEC registrant. We’ll let them go and do whatever they want to do.’ I think that would be problematic. I don’t think that’ll be the case though. The SEC came out with kind of a work plan (that’s the best way to describe it) in late October. They’ve got a number of milestones and requirements in there before they actually start to accept the broader implementation of IFRS. For a broader implementation of IFRS, the SEC will require considerably more.
What I am pushing in the book, on that chapter that deals with IFRS, is the concept that we need to have. If you’re going to have more generalized standards, let’s say in regards to revenue recognition where revenue recognition will not be as meticulously spelled out as it is currently with U.S. GAAP. If that’s the case, then what you do need is very good comprehensive disclosure. Disclosure as to what your revenue recognition policies are will help readers of financial statements compare your company with what’s going on with companies in that industry and maybe peer group companies. Company ‘A’ recognizes revenue at an accelerated pace and Company ‘B’ is closer to the U.S. model and defers recognition. Then at least you, the reader, can make some adjustment and compensate for that and hopefully make some sense out of it. With disclosure that’s possible. I think auditors (and this will be an interesting challenge for them), will start paying a lot more attention to peer group reporting. When they go in to audit Company ‘A’ they’re probably going to look at Company ‘B’,’C’, and ‘D’ in the same industry, take their revenue recognition policies, and see if Company ‘A’ is significantly different than that, and to the extent that it is, I suspect auditors will strongly recommend to Company ‘A’ to disclose any diversions from peer group.
Maybe with these steps we won’t see an increase in fraud as IFRS is implemented. IFRS is important. We’ve got to get a system set up so that analysts in one country can analyze companies in another country because the free flow of capital is absolutely essential to our global economy and for the U.S. to pull out of the recession we’ve been in. This is coming, it’s just how it’s coming is a bit of an issue. Hopefully with some careful implementation and some diligence on part of auditors and audit committees this will not result in a huge increase of fraud.
In regards to revenue recognition, the ASB concluded that the auditors should consider it as a presumption of fraud…”Therefore, the auditor should ordinarily presume that there is a risk of material misstatement due to fraud relating to revenue recognition”. Shouldn’t an auditor think like this in every instance? Taking the “guilty until proven innocent” approach?
I think that particular requirement on auditors means then that they must do testing of revenue recognition. It doesn’t say necessarily that they can’t rely on the company’s books per se but that they will test the books. What it said is, frankly, tied very much to the COSO findings. In every single COSO study, revenue recognition is an element that has shown up in over 50% of the fraud cases in each and every study; and I think it’s up to 60% in the most recent study. It is an area that has been clearly identified as a problem. As such, I think it makes sense for auditors to be more skeptical. What it’s telling auditors is that they can’t rely just on the internal controls of the company. As you know, auditors first test internal controls to see if they’re operating correctly and then, based upon that testing, they design their program to go forward.
The results of the internal control testing help determine how much testing is done in these various areas of the income statement and balance sheet of the company. This guidance is telling auditors the internal controls for revenue recognition may test out and be just fine but you, the auditor, still need to go back and test individual transactions. Then your question is, should they go back and implement that for everything else? It would be pretty difficult to do. Testing of internal controls is a good guide to auditors to tell them where they are more likely to encounter fraud than where they are not. Internal controls in other areas, lets say in recording asset values, they should be allowed to rely on them and utilize the knowledge that the controls are in place to help guide how much testing they do of individual accounts. With that said, I would like to see COSO identify some other areas that are also very commonly found problem areas among companies engaged in fraud. Perhaps they could perform some additional testing in areas dealing with the understatement of expenses and liabilities or overstatement of assets. Those could also be areas where I’d like to see auditors encouraged to do a little more testing.
The Big Four accounting firms have been under much scrutiny lately for failing to effectively perform audits. In your experience at the Big Four, what are the problems that are being faced by these firms to perform?
I don’t think that there’s an answer that applies only to the Big Four that’s any different to any non-Big Four firm. There have been problems all up and down a range of auditing firms in various points in time. I’ve got a lot of confidence in the audit profession that they manage well most of the audits performed. Realize that we have over 5,000 or 6,000 publicly traded companies in the U.S. Given those companies routinely go through audits every year, everything is okay, they’re not involved in fraud. COSO identified, for each 10-year period, approximately 350 companies (plus or minus) were fraud companies. That’s only 350 out of a population of 6,000. We’re not seeing fraud on such a scale that we can call on the audit profession and say ‘You guys have failed’. It’s quite the opposite. They’ve come through in a fine fashion. There have been some isolated failures but I don’t see anything that is widespread.
Do you see a bright future for the SEC and other regulatory bodies who “missed the boat” more times than necessary (e.g. Bernie Madoff)?
I’m not sure what a bright future is for a regulator [laughter]. I can tell you what I do see at the SEC. After we completed the analysis of what went wrong in terms of their failure to detect Madoff’s Ponzi scheme, I and my colleagues at FTI put forward a set of recommendations to the SEC for corrective measures. Particularly the Office of Compliance, Inspection, and Examinations which is the area we looked at most carefully, was agreeable to all of our recommendations. I know the Inspector General said that sometime in the very near future he will come back and make sure they did implement the recommendations as we listed them. So I think that there we’re going to see some fairly serious corrective changes.
As for the other regulators, I don’t know if we can always rely on regulators to catch everything but I’m hoping to see more enforcement activity in general from the SEC with regard to the accounting and the other (potentially) fraud related issues in regards to public companies. I’m hoping to see more activity on the part of self-regulatory organizations like FINRA that look after the affairs of securities brokers. I’m hoping that we do see more enforcement actions brought by regulators. I think if that’s the case, then the regulators will be doing their job and they should have a bright future, if that’s what you want to call it. I think that’ll help all of us because there are certainly still problems out there that need to be rooted out.
Can you describe the recommendations you provided to the SEC when you went in to investigate their wrongdoings for Madoff’s Ponzi scheme?
Oh, sure. It’s a matter of public record. It was published on the Inspector General’s website. It sites to me and my team a lot in that report and then we at FTI came out with a separate report about a month later with recommendations. Our recommendations were generally to address a number of different areas, say the competence the personnel that they have hired. Since then I know that the SEC has reached out and engaged in a much more aggressive hiring plan. They’re taking advantage of the recession by picking up some good talented people who’ve had experience with various trading programs and understand say, options and derivates trading, and areas like that. Those were issues that tended to hold up SEC examination of Madoff because he had an options strategy (or he allegedly did) and so some of the examinations of Madoff’s operations were being held up because they didn’t have enough people that had options trading experience. So yeah, we’ve got recommendations that go along those lines. Pretty much every major area that we identified as a problem for the SEC we made recommendations for.
My next question is in regards to the Dodd-Frank bill. You stated that the best preventative measures for fraud are good internal controls and a functioning internal audit mechanism that allows employees to raise issues confidentially with the audit committee and have those issues thoroughly investigated. Many are worried that employees will skip their internal audit committee and go straight to the government for their reward. What are your thoughts on this?
I think that is a legitimate concern about the Dodd-Frank whistle-blowing provision because it sets a very sizable monetary award that is meaningful. What you’re reporting on is a large problem and can have a large financial impact. Dodd-Frank sets out very large reward to the tipper. It will encourage people to pick up the phone and call the SEC directly as opposed to going up through the internal control procedures at the company. That said, the SEC is trying to implement this list of things they will do. One of the things they will mention is to encourage anyone calling in to go up through the various internal control procedures or processes that get the company to make the appropriate people aware of the problem. I think that is an issue. I think it was an unintended consequence of the law not having thought it through. I think that does pose a problem for internal control at companies if you’re having everyone pick up the phone and first calling the SEC. The SEC has just a few people that can respond at any point in time. They are stretched in terms of the investigations and the enforcement activities they are able to conduct. They just have a finite set of personnel so if they are flooded with calls that would ordinarily have gone to the whistleblower hotline at a publicly traded company, this could pose a real serious enforcement problem from the SEC’s perspective. I suspect that something needs to be done here as a correction to the legislation.
The regulations between private and public companies are quite different. For example, private companies are not required to have an audit committee and are only encouraged (not demanded) to have directors. Also the small company can choose between cash or accrual basis. The transition from going from private to public can encourage fraud. How do you propose to bridge this gap so that private companies statements are more reliable?
My advice to a venture capitalist or private equity type of person, and they’re looking at a portfolio company and they’re looking at management trying to get that company ready to go public or get it to a position, if it’s not going public, to merge into a public company, then the best advice is to start planning as soon as possible. It requires retaining good personnel who understand internal controls in a way that audit committees should function and getting those folks on board as early as possible. It can’t be something that you wait until the last minute.
The problems I talk about in my book really are problems that tend to occur when everybody waits till the last minute and then they say, ‘Oh my goodness, we need to bring this into compliance with Sarbanes Oxley’. They realize that they’ve got something to do and they’re in a rush to do it. If that’s the case, then that is a bad set of circumstances, which tends to lead to some very bad fraudulent actions that are meant to deal with old problems that haven’t been dealt with. That’s a problem that arises here. That’s why I encourage early implementation. Lets say a CFO is on board who understands how to set up appropriate controls and the control mechanisms, and you’ve got an audit committee that’s up and functioning and they’re asking good questions, pushing back. Before the company actually rolls out and gets ready to go public, if these issues arise, they would get flagged early and get dealt with and that’s the best of all worlds. We’re not talking about a lot of expense here; we’re just looking for good qualified personnel. That’s the best advice I’d give to those folks.
The pressure to perform is probably the most prevalent reason why companies commit fraud. The pressure of a private company to meet their numbers in order to go public or the pressure of a public company to meet analyst’s expectations every quarter. Do you think that the expectations of these firms are too high? Do you think that the market is too focused on short-term profits?
I think that, yes, short term pressure to meet quarterly performance targets does present problems and give rise to some of the motives for fraud. A lot of this ties back to compensation. If you have compensation that is setup so that it looks to longer-term performance, that helps to mitigate quarterly pressure. It’s undeniable, but if you tell your senior management and your employees, ‘Look we can ride through some bad quarters. If we get to a point where a year or two or maybe three years down the road we’re at a certain milestone that will trigger some bonus payments we can get some people compensated that way’, then there’s a different orientation.
There was an interesting finding in the COSO study, and it was quite unexpected. I was reading through it and almost skipped over it. There is a statistically significant finding that fraud companies in this latest batch tended to not have a separate compensation committee more so than the non-fraud companies. Companies without a separately constituted compensation committee had a higher probability of getting involved in something that was fraudulent. That was interesting and surprising to me because the focus, of course, before was on the audit committee. Now they’re coming over and telling us that we should pay attention to this compensation committee. I can only speculate as to why but my best guess is that if you don’t have a separate compensation committee, this job of setting out company targets falls to the Board as a group.
The Board has a lot of things to deal with, and if they are busy doing other stuff they may not give as much attention to the mechanisms to compensation as they should. It then defaults to say quarterly or yearly bonus targets or bonus plans that are at the center of these fraud issues because such short-term targets essentially reward people for trying to come up with ways to fudge the numbers to meet these targets. I think it tells auditors and all of us involved in consulting companies that they ought to have a separately constituted compensation committee, and that committee ought to be as vigilant about the fraud potential of any compensation plan that they set up as say the audit committee. So hopefully that will be something that gets a little more public consideration and we’ll hopefully start focusing on that. But compensation is definitely at the center of this. Yes it’s embarrassing if you can’t hit your numbers for a quarter but if you know that your compensation is set up so that you have time to make up for a bad quarter, that time will allow you to get your bonuses, and that’s the way bonuses will be determined in some multi-year period. I think that is very helpful and will go a long way in taking away the incentive to fudge the numbers.