Posted on

What an in-house fraud investigation looks like

Because in-house fraud investigations can vary in terms of structure, resources, and performance, sometimes we wonder what does an in-house fraud investigation typically look like.  Well, thanks to the Association of Certified Fraud Examiners (ACFE), we can answer this question.

Last year the ACFE released a report entitled Benchmarking Your In-House Fraud Investigation Team, which analyzed various engagement metrics from over 800 survey responses.  I think you’ll find the results quite interesting.

To frame today’s post, I’ll cover the report’s findings for each of the following critical components of a fraud investigation:

  • Oversight of fraud investigations
  • Outsourced vs. in-house investigation team
  • Time to resolution
  • Disciplinary actions against or prosecution of perpetrators, and
  • Recovery of fraud losses

Oversight of fraud investigations

As for structure, approximately half of survey respondents indicated that the investigation team reports either to internal audit leadership (28.3%) or senior management (22.1%).  Interestingly, only 6.4% reported to in-house legal counsel.  The below chart demonstrates that there is diversity in oversight of fraud investigations, perhaps dependent on the nature of the fraud (financial statement fraud, compliance fraud, asset misappropriation, etc).

SNAG-2

Outsourced vs. in-house investigation team

When it comes to in-house fraud investigations, overwhelmingly the survey respondents (68.2%) indicated they are always performed in-house as opposed to being outsourced.  Furthermore, approximately 23% of organizations outsource their investigations up to 25% of the time.  One reason for organizations infrequently outsourcing fraud investigations could be due to the fact that over 73% of survey respondents indicated their organizations had over 1,000 employees.   Perhaps larger organizations (those with over 1,000 employees) generally have sufficient personnel capacity to perform the investigations.

SNAG-3

Time to resolution

As practitioners understand, resolving investigations in a timely fashion is paramount to (1) effective detective internal controls and (2) setting an appropriate tone within an organization.  According to the report, nearly six in 10 fraud investigations (59.8%) were closed within 30 days.  Conversely, just over 10% of fraud investigations took more than one quarter to close.  Of course, the duration and extent of a fraud investigation is heavily based on the degree of complexity of the alleged fraud.

SNAG-4

Disciplinary actions against or prosecution of perpetrators

Although organizations prefer to prevent fraud from occurring, the reality is that fraud is impossible to completely eliminate from all organizations.  Therefore, when it comes to effective internal controls, management should strive to set a “zero tolerance” policy for fraud.  In essence, how management reacts to known or suspected fraud, therefore, is critical to setting an appropriate tone within the organization.

The following chart shows the percentage of investigations that resulted in disciplinary action.  Less than a third (31%) resulted in disciplinary action between 76% and 100% of the time.  On the other hand, approximately the same amount of investigations (31.6%) resulted in disciplinary action between 0% and 25% of the time.

SNAG-5

The next chart shows an interesting trend in prosecution referrals.  The majority of investigation teams (59%) decided to refer their case for prosecution between 1% and 25% of the time.  Conversely, 9.8% of investigation teams referred their case for prosecution between 76% and 100% of the time.  As one may expect, there are a number of factors involved with the decision to prosecute.  These may include sufficiency of evidence to prosecute, reputational risk, and cost vs. benefit analysis.  Hence, the decision to prosecute must be weighed carefully by an organization.

SNAG-8

Recovery of fraud losses

In the end, just because investigation teams substantiate allegations of fraud does not mean the losses are automatically recovered.  In light of this, I believe the following chart is one of the most relevant statistics in this report.  According to the survey results, the majority of investigation teams surveyed (54.6%) indicated that less than a quarter of the fraud losses were recovered.  In contrast, 13.0% and 13.9% of investigation teams indicated that 51% to 75% and 76% to 100% of fraud losses were recovered, respectively.

SNAG-6

Final observations

These results are interesting, to say the least.  With a focus on continuous improvement, fraud investigation teams should think about how these findings could affect their existing structure, resources, and performance.

In the end, fraud investigation teams will vary in their look and feel, depending on the nature and complexity of the fraud being investigated.  Having adequate staffing of in-house investigations with the right level of experience and bandwidth will put teams in the best position to be efficient as well as thorough in their efforts.

Photo credit

Posted on

What others have said in the past and why it matters

In the past I’ve worked on a number of financial disputes dealing with improper accounting for liabilities, among other things.   In one such instance, the plaintiff alleged that the defendant understated certain liabilities and, as a result, the defendant’s historical financial statements were materially misstated.

To support his opinion, the plaintiff’s expert relied on certain documents produced in the litigation that my team believed were taken out of context.  What was somewhat comical about the situation was that the alleged understatement was so large that it left a number of us scratching our heads.  We wondered why would anyone have gone into that particular business at the time if they “knew” (using the plaintiff expert’s words) they had to record certain liabilities as large as what the plaintiff’s expert claimed.  Indeed, no company in the industry at the time was recording liabilities anywhere near the extent that the plaintiff’s expert alleged should have been recorded by the defendant.

As experienced forensic accounting practitioners and expert witnesses understand, hindsight provides a clear picture of what took place and whether or not it was reasonable.  On the other hand, hindsight can be difficult to justify its reliance.  In particular, if the facts and circumstances known to an entity at the time were the best available information, then they may be considered reliable and reasonable.

Contemporaneous understanding

This brings me to my topic for today, that of understanding what others were saying and doing at the time.  More specifically, to follow my story through I will discuss the importance of identifying (generally speaking, without disclosing confidential information) what the plaintiff in this case was saying at the time and why it matters in a dispute.

For privately-held businesses, obtaining contemporaneous information may prove to be a challenge.  This is because private companies tend to disclose less (or sometimes no) information to the public.  In contrast, publicly-traded companies are held to a higher standard of public disclosure through various means.  These public disclosures can prove to be a treasure chest of information.

Back to my story of the plaintiff, which happened to be a publicly-traded company and a user of the defendant’s financial statements.  The plaintiff’s expert claimed there were all sorts of red flags at the time that the defendant prepared its financial statements.  Further, the plaintiff’s expert alleged that the defendant “should have” noticed these red flags and incorporated them into its accounting decisions.

What I find intriguing is that during the time period in dispute the plaintiff publicly disclosed that it believed the market factors affecting these accounting liabilities were not of big concern.  This was important because the plaintiff’s public statements lent credence to the liability accounting decisions made by the defendant.  Were we able to find these public statements by the plaintiff in the plaintiff’s complaint?  Of course not.

When an entity is in the public light, it provides information to the public in multiple ways.  So, knowing where to look for these types of public statements made our job easier.

SEC resources

A fabulous resource for identifying public statements is the SEC’s website.  For those less familiar, the SEC’s website archives various public filings.  In my experience, the following resources are helpful in identifying historical public statements:

  • Form 10-K – This is probably the most commonly known SEC form.  SEC registrants are required to file this annual report with the SEC, including annual financial statements, related schedules and various textual information.  SEC registrants also include discussion and analysis of financial trends within a section called Management Discussion and Analysis (MD&A).
  • Form 10-Q – SEC registrants are required to file this quarterly report with the SEC, consisting primarily of the company’s quarterly financial statements.  These forms also include a section on MD&A.
  • Form 8-K – These SEC forms can contain a wealth of information.  SEC registrants are required to file these forms with the SEC when certain significant, reportable events occur.  Examples include: quarterly press releases, major acquisitions, material contracts, and legal proceedings.
  • Comment Letters – Generally, the SEC publishes comment letters that it sends to SEC registrants, which can be identified by filtering for “UPLOAD.”  Similarly, the SEC publishes letters it receives from registrants on the SEC’s website, which can be identified by filtering for “CORRESP.”  Because the SEC is a regulator with a heavy hand, what a company writes to the SEC matters greatly.  Therefore, practitioners should pay specific attention to letters between the SEC and registrants.

Other resources

I have found the following other resources to also be worthy of digging through in search of relevant information:

  • Company website – Companies issue press releases and post them on their website.  Practitioners should be aware that not all company press releases are filed with the SEC via Form 8-K.
  • Industry news and reports – Depending on in which industry a company operates, there may be industry publications from reputable sources.  Again, these sources can provide reliable information that was known or communicated at the time.
  • General media communications – Media outlets may overlook or de-emphasize some aspects of company press releases.  In order to attempt to have a degree of control of the narrative, companies often have relationships with major media outlets.  Running web searches of public statements made by company personnel can generate interesting results.

Relevance

As one can gather from my story, it certainly doesn’t help the plaintiff’s case when it was disclosing to the public a certain narrative at the time, but then it switched gears and makes contradictory allegations later in support of its lawsuit.  Therefore, when looking to the correct sources, experienced forensic accountants can find valuable information.  This information can help to obtain a more full, or correct, understanding of the facts and circumstances at the time to assist their clients in all types of dispute matters.

Photo credit

Posted on

Fraud auditing, a new trend

We all know that fraud is alive and well in today’s society.  On a daily basis, it seems, we hear unpleasant fraud statistics and read eye-catching news headlines about new fraud schemes or deceptions.  Indeed, businesses today are no less vulnerable to fraud than before.

Because of its ever-presence in today’s business world, a new trend of fraud auditing is becoming more and more popular.  So, what is it?  In essence, fraud auditing is a two-phase exercise.  First, one designs a fraud risk assessment to identify areas where a company may be susceptible to fraud.  Second, in response to findings of this assessment a monitoring and reporting program is put in place as a tool for management oversight.

Preventive vs reactive measures

When I was a former Big 4 auditor I incessantly heard complaints from my clients about audit fees being too high.  Indeed, financial statement audits can be expensive because they are designed to cover all aspects of the financial statements.  In contrast, fraud auditing doesn’t have to be expensive.

Moreover, as a preventive measure, one of the benefits of fraud auditing is that the cost of such an assessment can in large part be determined by the company’s management.  Conversely, as it relates to reactive measures, the cost will depend greatly on the motivation by the company for having the fraud audit conducted in the first place.  Examples of motivations imposed on a business may include: response to fraud already identified within the company, restatement of financial statements, or a decision to bolster internal controls because of restrictions imposed by a regulator, to name a few.

We can probably agree that human nature tends to be more reactive than proactive at different phases of life, such as wellness and personal finance.  In a similar vein, too often companies wait to respond to fraud risks until they manifest themselves through fraud or abuse.  Said another way, companies often do not perceive sufficient value in conducting a meaningful fraud risk assessment and, therefore, they wait until the stakes are much higher.  Oh, how relevant today is Benjamin Franklin‘s famous adage that “an ounce of prevention is worth a pound of cure!”

Consideration examples

Next, I wish to give some definition to the look and feel of a fraud risk assessment.  Depending on the nature and extent of a fraud audit, following are some examples for consideration to begin to understand risks and exposure:

  1. Domination of management by a single person or small group.  This gets at the heart of the tone within an organization.  Regardless of the extent of internal controls (even at the transactional level), if there is management domination by one or a few individuals, this can have a pervasive effect on the organization as a whole.
  2. A practice by management of committing to analysts, creditors, or other third parties to achieve aggressive or unrealistic forecasts.  One can see that being overly aggressive can be an area of risk and exposure.  Conversely, for businesses not beholden to outsiders (such as creditors or investors) this, of course, is irrelevant.
  3. Ineffective communication, implementation, support, or enforcement of the entity’s ethical standards by management or the communication of inappropriate ethical standards.  This really goes without saying. If management doesn’t enforce its own rules, then why have them in the first place?
  4. Recurring negative cash flows from operations while reporting earnings and earnings growth.  Financial pressures placed on management to generate favorable results should be considered when assessing the adequacy and effectiveness of business performance reviews.
  5. Rapid growth or unusual profitability, especially compared to that of other companies in the same industry.
  6. Significant, unusual, or highly complex transactions, especially those close to the period end.
  7. Significant related-party transactions not in the ordinary course of business.  A review of an entity’s financial statements or records can reveal the nature and extent of transactions with related parties.
  8. Recurring attempts by management to justify marginal or inappropriate accounting based on materiality.  Although this one may be difficult to assess, an effective fraud audit should incorporate inquiries of multiple company personnel at varying levels within an organization.
  9. Restrictions on the limitation of access to people, information, or communication by the board of directors or those charged with governance.  

I adapted the above points from the PCAOB’s AU 316, Consideration of Fraud in a Financial Statement Audit.  Although the above list is not exhaustive, it can be a good start to identify areas of heightened risk exposure for a company.  Equally important is that AU 316 was specifically designed to apply to external auditors in connection with the performance of financial statement audits.  Despite this, I believe the principles and guidance within this AU can apply to a variety of circumstances and not just financial statement audits.

Checklisting

It seems that in more recent years auditors have gravitated more toward a “checklist” mentality to discharging of their professional duties.  I believe this is heavily influenced by feedback from regulators.  Of course, checklisting has its place within a professional service engagement to mitigate legal and regulatory exposure.  However, as one can gather from my post above, it is important to exercise professional judgment by inserting a healthy degree of flexibility between checklisting activities and allowing free thinking and creativity.  After all, thinking through the “what ifs” of a situation is always an effective way to identify areas of risk and exposure.  To add to this thought, because risk factors can vary greatly depending on the industry and company-specific factors, it is imperative to tailor the nature and extent of a fraud audit to the needs of an organization.

Less rigorous is still better than nothing

In ideal circumstances companies want to get to the right answer from the beginning.  While this sounds good, the reality is that, as I touched upon earlier, many businesses do not place fraud auditing as an area of focus until they are forced to.

One way to assist companies in overcoming the resistance to a full blown fraud audit is to perform a less rigorous fraud risk assessment.  As a valuable resource the Association of Certified Fraud Examiners (ACFE) offers a Fraud Prevention Check-up.  While I recommend any such assessment be performed with the assistance of experienced professionals familiar with the issues, this check-up exercise could, in theory, be performed by the business itself.  In any case management should take the assessment seriously, standing ready to take action should there be cause for concern.  Additionally, I strongly recommend that, if possible, general counsel be aware of and participate in this process for legal protection to the company.

Altogether, companies that take seriously their obligations to protect company assets and stakeholder value should equally take seriously their oversight and monitoring of financial fraud risks.  Fraud audits provide an excellent means of fulfilling these obligations.

Photo credit

Posted on

Changing the U.S. GAAP hierarchy over time

As accounting practitioners, we live and breathe accounting standards.  Without them we wouldn’t have a basis to record transactions or take supportable accounting positions.  So, it goes without saying that reliance on accounting standards are necessary for fair, consistent presentation of financial statements.  Those less familiar with accounting standards and the history behind them may make the mistake of assuming that any and all accounting standards are equally authoritative.  This is simply not the case and for this reason I will focus today’s post on the hierarchy of U.S. GAAP and how it has changed over time.

History

To begin, a little history lesson may be helpful.

1975

Way back in 1975 the AICPA issued SAS No. 5, The Meaning of “Present Fairly in Conformity With Generally Accepted Accounting Principles” in the Independent Auditor’s Report (SAS 5).  Beginning at ¶ 5, the Auditing Standards Board of the AICPA explained that there is no single source for U.S. GAAP standards, but that there are a number of resources, with Rule 203 of the AICPA Code of Professional Conduct requiring compliance with FASB standards, APB opinions, and AICPA accounting research bulletins.  The degree of authoritative GAAP sources trickled down from there.

1992

Next, in 1992 the ACIPA issued SAS No. 69, The Meaning of Present Fairly in Conformity with Generally Accepted Accounting Principles (SAS 69).  This auditing standard clarified the GAAP hierarchy by introducing four levels, (a) through (d).  As auditing practitioners implemented SAS 69, criticisms began to surface for a variety of reasons.  First, this standard, similar to SAS 5, only really applied to auditors, not preparers of financial statements.  Second, this standard was complex.  And third, the GAAP hierarchy ranked the FASB’s Financial Accounting Concepts (CON), which are subject to the same level of due process as FASB SFASs, below industry practices that are widely recognized as generally accepted but that are not subject to the same due process (see ¶ 10 and 11).

2008

In response to these criticisms, in May 2008 the FASB issued SFAS No. 162, The Hierarchy of Generally Accepted Accounting Principles (SFAS 162).  The purpose of the standard was two-fold.  First, it was designed to improve financial reporting by identifying a consistent hierarchy for selecting accounting principles to be used in preparing financial statements presented in conformity with U.S. GAAP (for non-governmental entities).  Second, it was directed to entities (and not auditors) because it is the entity (not the auditor) that is responsible for selecting accounting principles for financial statements that are presented in conformity with GAAP.  In a manner similar to SAS 69, SFAS 162 identified four levels in the hierarchy of U.S. GAAP standards, beginning with level (a) and ending with level (d), as depicted in the chart below.  Once SFAS 162 was issued, the Auditing Standards Board of the AICPA withdrew SAS 69.

GAAP Hierarchy

Just looking at the above chart can spin one’s head because let’s assume, for instance, that a widely recognized and prevalent industry practice is identified.  This falls within level (d), the lowest level, in the above SFAS 162 GAAP hierarchy.  However, in order to perform a thorough due diligence of the matter, one needs to either be familiar with or go searching for other applicable guidance that may be more authoritative, falling into levels (a), (b), or (c).

2009

Only a year later, the FASB rolled out the Accounting Standards Codification (ASC), with an effective date for interim and annual periods ending after September 15, 2009.  Of interest is that the ASC makes it clear which accounting standards are “authoritative” and which are not.  Simply put, if an accounting standard is included in the ASC, then it is “authoritative.”  Conversely, if an accounting standard is not included in the ASC, then it is “non-authoritative.”  An exception to this is that SEC-issued rules and regulations, applying only to SEC registrants, are authoritative even if they are not included in the ASC.

Understanding the way things were

As a forensic accountant, I deal with litigation involving accounting issues from the past.  As I previously blogged about (see “Understand what standard or guidance was applicable at the time”), it’s imperative to put into context the accounting decisions that were made by knowing what accounting standard(s) applied a the time and, if multiple standards were in effect, which was/were most authoritative.  I think it’s helpful to frame the issue by asking some relevant questions:

  1. What time period(s) is/are relevant to the accounting or disclosure issue?
  2. Depending on the answer to question 1, which of the above U.S. GAAP hierarchy standards was in effect at the time?
  3. If the issue relates to transactions post-ASC implementation, have there been any Accounting Standards Updates (ASUs) related to the standard?  Although ASUs are not authoritative standards, it’s important to be aware of them.

Keep in mind that the FASB began issuing ASUs after the Codification went into effect.  ASUs are numbered in the following format:  Year first, then ASU number for that year (e.g., ASU 2009-14 was the 14th ASU to be issued in 2009).

By keeping the above understanding in mind practitioners can successfully apply the relevant GAAP standards to a historical transaction.

Photo credit