CHAPTER 6

The Role of the Accounting Professional

The Importance of Accounting Professionals in the Investigation

There is no doubt the high-profile cases of WorldCom, Enron, Tyco, Adelphia, AIG, and others brought an increased public scrutiny of accountants. The demise of the Arthur Andersen firm was directly related to Enron and probably brought the accounting profession to the front lines more than any other single incident. Since the turn of the century there has been much more litigation against accounting firms for their failure to detect fraud. Investors and clients alike have raised outside accountants and auditors to the top of the defendant list, likely because of the hefty malpractice policies accountants carry as well as their propensity to settle claims. The case most notable in recent years would be that of Bernie Madoff. Many accounting firms have been targeted as a result of the massive Ponzi scheme, resulting in losses estimated around $60 billion. Lawsuits will continue for years to come in that case alone, as investors seek any means possible to recover any portion of their lost investments. In my practice I have seen more and more inquiries into the role and responsibilities of the accountants and auditors, especially in embezzlement cases.

Much was written about the state of the accounting profession in the period following Enron and WorldCom, but in recent years, especially after the dust settled on SOX and the newly formed Public Company Accounting Oversight Board (PCAOB), there has been less media attention on the state of accounting and auditing. Financial statement fraud continues today, and auditors continue to be sued, but less press has been devoted to both issues. Beyond the formation of the PCAOB and the regulations promulgated by them for publicly traded entities, the accounting profession has been busy updating standards as well as issuing new standards to address the issues of the earlier years. Much more emphasis has been added regarding an entity's system of internal controls, as well as regarding audit evidence and audit procedures. Fraud has moved to the forefront of standards, and the changes do not stop with audits alone. Revisions to standards over reviews and compilations add greater emphasis on the need to identify and detect fraud, even though “audit” procedures are not required for these levels of financial statement engagements.

Statement on Auditing Standards (SAS) 99, Consideration of Fraud in a Financial Statement Audit, issued by the American Institute of Certified Public Accountants (AICPA) in 2002, significantly expanded the information-gathering phase beyond the traditional audit. The standard requires the auditor to assess the entity's programs and internal controls that address identified fraud risks. Significantly, the standard requires a separate and documented brainstorming session among the audit team to discuss the potential for material misstatement of the financial statements due to fraud. Greater emphasis has been placed on inquiry as an audit procedure to increase the likelihood of fraud detection, expanded analytical procedures, and consideration of other information, such as client acceptance procedures, during the information-gathering stage.

The Association of Certified Fraud Examiners' (ACFE's) 2004 Report to the Nations on Occupational Fraud and Abuse disclosed that only 10.9 percent of frauds were initially detected by external audit, while almost 24 percent were detected by internal audit, which should tell us that utilizing similar skill sets and a skeptical mindset should assist in overall detection. The ACFE's 2010 report reflected that external auditors detected 4.6 percent of frauds, while 13.9 percent were detected by internal audit.1 What's interesting is that both detection means went down substantially in the six years between the reports. The most important qualities the accounting professional can bring to any fraud investigation are an investigative mindset and skepticism. In the past, external accountants have been criticized for a lack of skepticism resulting from fear of upsetting and possibly losing a client (as well as the related revenue associated with the services provided to the client). One would hope that in the wake of the accounting scandals, level of litigation against auditors, and the bad publicity often received in these cases, accountants are beyond that fear and looking more closely at the questionable actions and reporting of clients, especially in light of their responsibilities under SAS 99.

The skeptical mindset is something that has long been inherent in forensic accountants and other internal investigators when looking for evidence of fraud. The investigator historically has asked a set of questions different from those of the conventional auditor, who monitors the financial statements to see whether they are in compliance with GAAP and thereby fairly represent the financial condition of the company.

With the emergence of SAS 99, and under increasing scrutiny, the external auditor is now being pushed to think like the forensic accountant—to think like both a thief and a detective, and be constantly looking for the weak links in the accounting system and among the people who staff it. In the course of the investigation, the forensic accountant must be prepared to reach far beyond the company's books to industry and government information, proprietary databases, court records, and any source that might throw light on the case.

The forensic accountant should bring independence and objectivity, as should the auditor. Since fraud is a breach of standards of honesty, the forensic accountant must be of irreproachable personal integrity and without allegiance to anyone or anything but the truth. Everyone encountered in the course of the investigation must be dealt with impartially and evenhandedly.

Any fraud investigation is part art and part science. The science element comes, of course, from academic training in accounting theory, especially the audit side, and from knowledge of business practices and legal processes acquired through experience. This serves as the foundation for the investigator's task. As for the art element, creativity in the procedures that can be performed, and the ability to think on your feet, come into play in many investigations, especially when key records and witnesses are not produced or made available for you. During those times you will have to draw upon your experience to identify a way to accomplish a requirement of an investigation, overcoming the roadblocks and intentional barriers erected by the opposing party and/or their counsel.

What turns a well-trained and experienced accounting professional into a good financial investigator, however, is knowledge of human behavior, a sixth sense, intuition, and the ability to recognize the significance of evidence. The skeptical mindset should raise questions about the reasonableness of all transactions and the evidence that underlies them. Since the magnitude of amounts taken in a long-term fraud, for example, is often invisible except for a small irregularity in the accounts, the financial investigator must be curious and tenacious enough to follow up even the most initially unpromising clues. The judgments made through this skepticism will open up new hypotheses or close down old ones by testing them against the accumulating evidence, until only one explanation is left.

To highlight part of the convergence of the forensic accountant's and auditor's mindset, the AICPA developed the Forensic and Valuation Services (FVS) Center, a section devoted entirely to fraud, forensic accounting, business valuation, and litigation support services. Countless articles have been written in these specialized areas of accounting, along with seminars and courses specific to each area. The AICPA also developed and implemented a new designation, Certified in Financial Forensics (CFF), to allow CPAs who provide forensic services to differentiate themselves from CPAs who don’t. The AICPA has been working closely with the Association of Certified Fraud Examiners, providing articles, courses, and joint efforts in the fraud arena. Forensic accounting techniques have leaked into financial statement audit programs, as well as into traditional audit classes taught worldwide.

Accounting professionals play two important roles in any forensic investigation: as lead financial investigators and, potentially, as expert witnesses in any subsequent civil or criminal trials. In the first instance, they are the key people in any fraud investigation because they understand accounting systems and internal controls, and know how to trace the flow of funds into, through, and out of the organization. They are also in a position to provide an independent, objective, and unbiased critique of the corporate organization. This critique should not only cover the problems in the accounting systems that permitted the fraud to occur in the first place, but also address the integrity of the people at the heart of the process. As experts assisting in case strategy and testimony, accounting professionals must be knowledgeable about court proceedings, rules of evidence, what documents to request, from whom they should request them, whom they should interview, and how to quantify damages arising out of a particular situation.

The good financial investigator must be knowledgeable about fraudulent practices both in general and within a specific industry. Wide experience in how frauds are committed enables the investigator to act quickly in deciding which classes of documents will be most useful and who needs to be interviewed. Because some industries, such as insurance, construction, and banking, are especially prone to fraud, some investigators may specialize in those areas.

Since so much information is now created and stored electronically, a thorough knowledge of computers and information technology is an essential part of the investigator's toolkit. Computer forensics techniques are now commonplace as part of financial investigations. These techniques can assist in recovering “deleted” information such as e-mails and proprietary information transferred to unauthorized computers.

When the evidence has been gathered and the suspects have been identified, good communication skills are needed to write a report that ties the whole story together and makes a well-supported argument in clear language. The ability to translate complex accounting issues into language the layperson understands is especially important within all the contexts in resolving the matter, up through giving expert testimony. A judge, jury, or any other reader of your report not familiar with accounting concepts and terminology must receive the information in a clear and understandable form.

When fraud is suspected, the first job of the forensic accountant is to collect, maintain, preserve, and review any evidence to prove or disprove the allegations. Since the reputations of the suspected principals are at stake, the evidence-gathering process must be extremely discrete. Evidence also must be gathered and preserved in such a way that it can meet the standards-of-proof tests of any court. This is the forensic standard to which investigative accounting is held. In criminal cases, the evidence must establish guilt beyond a reasonable doubt. In civil cases, however, liability is established by the less rigorous standard of preponderance of the evidence (greater than 50%). Nonjudicial regulatory authorities, boards, and tribunals have yet other standards with which the investigator should be familiar.

Evidence typically will come from two primary sources. The first source is the accounting records and any underlying supporting documentation that may exist. In many cases, evidence found in these records might suggest additional research into external databases, such as public records and court documents, as mentioned earlier. The investigator's experience should indicate which issues are well supported, which ones need additional evidence, and which are merely circumstantial.

The second source of evidence is gained through the interview process. Interviews may be conducted with key internal personnel, outside sources, and, ultimately, the suspects and any outside parties, such as vendors or contractors who have done business with the individuals in question. The nature and timing of the interviews will be driven by the nature of the case. (Interviews are discussed at greater length in Chapter 10).

The financial investigator also must be a good psychologist and be able to assess the greater or lesser likelihood that any given suspect is a fraudster. The paper and electronic evidence may show that accounting irregularities exist, but unless the evidence is connected to individuals, no fraud can be established. The forensic investigator must be able to pick up on the motivational and behavioral clues that define a suspect. A winter tan, a better car, an affair, domestic financial worries, and a thousand other clues can all raise suspicions that might develop into a picture of criminal activity. Again, this process is discussed later in this book.

The Audit Process

Every fraud has an institutional context. Fraud is less likely to occur in an ethical corporate culture created by a principled management that respects the law and its employees, pays them adequately, and deals fairly with its customers and suppliers. A permissive corporate culture driven by greedy and even charismatic management that turns a blind eye to cutting corners, overlooks infractions of regulations, and has an inadequate accounting system, gives unscrupulous employees the green light to commit fraud.

Some frauds show amazing ingenuity, but most are quite straightforward if the investigator knows where to look. Many very clever people have committed fraud but have been caught because every fraudster leaves a trail and makes mistakes. Since only a small proportion of fraud is discovered by investigation, most of the forensic investigator's initial work involves checking out preliminary information.2 This is especially true of so-called off-book frauds (i.e., bribery and kickbacks), which do not leave an audit trail and are often discovered by tip-offs.

The fraud itself may be entirely internal, directed against outsiders, or directed by outsiders against the company. Internal frauds are usually abuses of the accounting system to steal cash. Frauds directed against outsiders frequently take the form of misrepresentations of financial information to creditors, shareholders, or insurance carriers. Outsiders defrauding the company commonly involve vendors, contractors, and consultants who supply inferior products, overbill, or seek advantages through bribing employees.

From a historical perspective, the debate on the auditor's role as “watchdog” versus “bloodhound” and the auditor's responsibilities is nothing new. Two AICPA committees, the Cohen Commission of 1978 and the Public Oversight Board of 1977, were established to look at the public perception of the auditor and the perceived role versus the actual role. In addition, the AICPA held a conference in 1992 called the Expectation Gap, which identified fraud as a problem in the industry. It was found that the public truly believed that the independent auditor would detect material misstatements owing to fraud.

The Cohen Commission also noted that users of financial statements were confused as to the respective responsibilities of auditors versus those of management. The most troubling aspect of the Cohen Commission's findings was the confusion that appeared to be prevalent among those who could be considered educated users such as bankers, analysts, and shareholders.

It was hoped that the Auditing Standard Board's SAS 58, Reports on Audited Financial Statements, would clarify the understanding of management and auditor responsibilities. However, as business transactions became more complicated and entities more complex, it became clear that the nature of business left prior perceptions behind. Perhaps because of this business complexity, the standards began to address the role of the auditor, specifically in detecting fraud, and emphasized that the concept of the professional skeptic had to be spelled out not only for the auditor to understand, but for the users of financial statements, who needed to comprehend the auditor role and its separate existence from the management role.

Effective April 1988, financial statement auditors relied upon SAS 53, The Auditor's Responsibility to Detect and Report Errors and Irregularities, as their guide. When fraud continued to plague auditors and the audit process, with the “expectation gap” growing between what clients expected of their auditors for detecting fraud versus what the auditing profession expected of auditors to detect, a new auditing standard regarding fraud was adopted. Effective February 1997, SAS 82, Consideration of Fraud in a Financial Statement Audit, emerged to address this expectation gap (SAS 82 was later superseded by SAS 99).

Sadly, despite the implementation of SAS 82, the accounting shenanigans discussed in earlier chapters once again brought into question the auditor's role and the perceived value of an audit. It is the users and the regulators who want the auditor to probe deeper, and it is out of this need and expectation that SAS 99 was born. In response, auditors must use inquiry and analytical techniques during the planning of their audit. These results can now be used, in conjunction with other evidence gathered, for purposes of identifying material misstatements.

Given the statistics and the fact that in 2004 approximately 11 percent of initial fraud detection was through external audit (and approximately 24% was from internal audit), together with over 18 percent from internal controls, one would hope that we have all learned from the lessons of the past and have become smarter and better equipped to detect fraud. Certainly, the AICPA and the accounting bodies have gone a long way to instill the fraud mindset in external auditors. Through SASs 53, 82, and, most recently, 99, auditors have been given expanded guidance for detecting material fraud.3

As stated by the AICPA, “The standard reminds auditors that they must approach every audit with professional skepticism and not assume management is honest. It puts fraud at the forefront of the auditor's mind.”4

SAS 99 provides for increased professional skepticism; the auditor must plan for brainstorming how fraud can occur and put aside prior mindset as to management's honesty and integrity. At the planning stage, the auditor is required to identify the risks inherent in the client organization and to keep in mind the essentials of fraud factors, such as incentive, opportunity, and rationalization. In addition, there must be discussions with management, and inquiry must be made as to the risk of fraud and as to whether management is aware of any fraud. Auditors also must talk to employees and outside management, and give people a chance to bring to light problems that may exist (the concept of whistleblowing). This particular factor emphasizes the psychological deterrent to potential perpetrators of knowing there is a better chance they will be turned in if people who are aware of the problem have a chance to provide information in a controlled, somewhat anonymous forum.

In preparing for financial statement audits, one approach to the required risk assessment could focus on the incentives to commit fraud, along with the methods or means in which the fraud would be perpetrated. Four questions could address much of this assessment: Why would the organization engage in fraud? How would the organization engage in fraud? Why would key individuals engage in fraud? And how would key individuals engage in fraud? In discussing these four questions, each would have to be addressed as it pertained to financial statement fraud as well as how each pertained to theft, embezzlement, or other types of fraud (and illegal acts).

SAS 99 also places emphasis on surprise testing of locations and accounts that otherwise might not be tested, and that would therefore come as a surprise to management and employees alike. The standard also includes procedures for auditors to test management's potential override of controls.

So what does all this mean in the context of understanding basic accounting concepts, the concept of fraud, and the use of analytics in conjunction with all other knowledge? What it means is that today's auditors must think like their investigative accounting counterparts. They have to think like a potential fraudster. They have to be experienced in understanding the concept of fraud and must continually be the skeptic. Although this will put pressure on other aspects of the audit—such as staffing and budgeting (a subject near and dear to most clients’ hearts!)—it hopefully will narrow the expectation gap that has existed for so long.

“Think like a fraudster,” that is what much of the literature recommends to accountants and auditors when designing internal controls to prevent and detect fraud, theft, and embezzlement. But just how realistic is that recommendation, when most auditors are not burdened under heavy financial stress and pressure, coupled with the ability to rationalize their contemplated actions. A better recommendation is to think like a forensic investigator, a scientist, or a surgeon, relying on scientific approaches and procedures to detect and identify potentially fraudulent transactions and activity. A physician does not try to think like a previous patient who had brain cancer to determine the controls, policies, and procedures needed to prevent and detect future brain cancer. He or she may use the signs, symptoms, and facts of the previous patient to become better educated and aware of brain cancer, but likely will perform detailed exams, blood tests, and other radiological tests to look for potential signs or symptoms present in future patients. Shouldn't that be the approach accountants and auditors use as well?

In Fraud Risk Assessment: Building a Fraud Audit Program, author Leonard Vona embraces this exact scientific approach to fraud detection, providing a step-by-step roadmap that can be applied to any organization. Vona's system focuses on how fraudulent transactions and activity would be concealed within the organization's transactions, systems, and detail (concealment methodologies), and once all the concealment methodologies have been identified for any given fraudulent scheme, obtaining access to the universe of transactions to search for signs and symptoms of the concealment methodologies.5 His approach parallels within accounting and auditing the process used in medicine.

What about financial statements that are prepared outside of an “audit”—reviews and compilations? What standards and regulations apply to these lower level financial engagements? While the accounting profession has looked into revising the governing pronouncements, Statements of Standards for Accounting and Review Services (SSARS), none have been issued specific to the outside accountant's role in detecting “fraud” within review- and compilation- level financial statement engagements. These financial statements still need to conform to GAAP as with audited statements, but greater discretion exists in the procedures the outside accountant must perform because an audit is not being performed.

Due largely to the fact that many general readers of financial statements do not have a great understanding of the differences between an audit, review, and compilation (the basic financial statements often look similar), accountants are being sued at alarming rates and being held to the standards of an audit even when the lower level services were provided. One could predict that in order to address this trend, the accounting profession will issue new guidance regarding fraud within reviews and compilations, to minimize expectation differences between the different levels of financial statements.

Internal Controls

What are internal controls? Internal controls include an organization's financial policies, accounting procedures, internal processes, systems of authorizations and approvals, checks and balances, and segregation of duties. But internal controls are much more than that, and start with the overall organizational climate, the “tone at the top” culture of an organization. Policies dictate what is expected for each area, and the processes and procedures ensure that transactions are properly authorized, approved, checked, double-checked, recorded, reported, and reflected within the organization's systems, documentation, reports, and financial statements. In order to be effective, every internal control needs to contain three components: expectations, compliance, and consequences. Eliminate any corner of the triangle, and the controls will prove ineffective. A properly designed system of internal controls will start with the role board of director members serve in the organization, and continue throughout every level right down to the lowest functions and responsibilities. In larger organizations, internal auditors conduct audits to ensure compliance with the controls and procedures, and help to identify instances of potential fraud or abuse, further strengthening the internal controls.

Internal controls are part of the protective system against fraud. They are designed to prevent unauthorized transactions and activity, and to ensure early detection. Indeed, the ACFE's 2002 Report to the Nations on Occupational Fraud and Abuse noted that “a strong system of internal controls was viewed as the most effective anti-fraud measure by a wide margin.”6 In its 2004 survey, the ACFE noted that “strong internal controls can have a significant impact on fraud and a well-designed control structure should be a priority in any comprehensive anti-fraud program.”7

Internal controls become a concern to both the auditor and financial investigator when these controls are either absent or vulnerable to manipulation by fraudsters. Controls ensure that transactions are carried out only with appropriate authorization and approval, and are timely and accurately recorded according to transaction type, amount, and time of execution. Good internal controls include restricting access and segregating responsibilities to safeguard assets. Access to data processing centers and to the computers themselves should be strictly controlled. Assets are further controlled through comparing physical inventory counts with the financial records.

So what do we make of cases like Computer Associates, where executives admitted they fraudulently recorded hundreds of millions of dollars worth of contracts to inflate earnings? How about Krispy Kreme or Parmalat or many other companies, which were accused of accounting irregularities? What about Bernie Madoff and other hedge fund managers who operated in a world with little oversight, taking in and “investing” unsuspecting investors’ funds, all the while diverting the proceeds to live lavish lifestyles?

In light of these recent events in the business and accounting world, one of the more important controls over the accounting system has to be the ethical conduct of management. It cannot be stressed enough that the ethical tone of the company is established at the top and works its way down. Good management should ensure that employees are properly trained, that they read and abide by a written code of conduct, and that they know that a policy of integrity will be enforced. The owners also must ensure that the board of directors is composed of individuals with integrity and financial experience. It is especially important that the audit committee include financially educated and sophisticated members who meet regularly and carry out their responsibilities conscientiously.

Hiring at all levels should be done carefully through screening processes in which education and experience claimed on the application form are verified. All employees must take their vacations, and other employees must perform their functions during their absence. This is one of the most basic tenets of business, but also one that is not readily enforced and has been shown to be the roadmap to fraud on so many occasions.

Although the costs of good internal controls can be significant, they should not be more than their anticipated benefit. Smaller companies sometimes are forced to combine duties that would be separated in larger firms. The audit committee as well as the internal and external auditors should be aware of this fact. Individuals with multiple responsibilities must be supervised closely. Many companies have introduced the concept of self-audit, whereby different groups or locations within a company audit one another on a monthly basis, checking certain aspects of one another's business. This process demonstrates not only that controls are actually in place, but also that any fraud likely to be perpetrated would then have to comprise more people in its collusive manner, hence increasing the difficulty of its execution.

Another simple concept, but one that is easily missed, is that of preparing an organizational chart that defines responsibilities. This eliminates “I didn't know that was my job” from the excuse and/or rationalization stage. In addition, forms used within the company should be designed for accurate recording of data. The data as recorded should be complete enough to be accepted as evidence in court. Accounting personnel should be rotated to different duties on a regular basis. Recordkeeping should not be handled by operating personnel, and there should be a clear records management policy with a schedule for retention, archiving, and destruction that meets statutory, legal, and regulatory requirements.

Special attention should be paid to the control of cash receipts and inventory, two of the most common targets of fraud. Only a reasonable amount of cash should be kept on hand at any time, and the custodian should have no access to the accounting records. Ideally cash receipts should be deposited by way of a lockbox arrangement with a bank, eliminating employee access and opportunity to steal. Where a lockbox is not practical due to cost, company size, or nature of the business, cash receipts should be deposited daily by bonded custodians, and bank accounts should be properly authorized, reviewed, and reconciled. The cashier should have no accounting duties. Cash disbursements should be made only through computer-generated checks, and signing authorities should be limited to authorized employees or owners. Inventory counts should be made by employees other than those responsible for managing the stockroom or warehouse. Insurance coverage should reflect the actual value of the current inventory at all times. Periodic physical counts should be compared with the perpetual record, and any differences investigated, to ensure the integrity of the balances and information within the inventory system.

Conclusion

It is unfortunate that despite the vast amount of information that is available today relating to preventing and detecting fraud and abuse, fraud continues to occur and go undetected until reaching catastrophic levels. While no one knows for sure whether the current frequency of occurrences is attributable to more fraud being committed today versus better detection measures available today, it appears clear that the consequences suffered by perpetrating individuals and organizations of past fraudulent schemes have had little impact on deterring future schemes from occurring. While providing job security for forensic investigators, it is a sign that more meaningful consequences are still needed to stem the growing problem of fraud. With that in mind, Part II focuses our attention on investigating financial crimes.

Notes

1. www.acfe.com/rttn/2010-rttn.asp.

2. Bologna and Lindquist state that 90 percent of fraud is discovered by accident. See G. J. Bologna and R. J. Lindquist, Fraud Auditing and Forensic Accounting: New Tools and Techniques (New York: John Wiley & Sons, 1995), 32. This estimate has changed in recent years as reported by the Association of Certified Fraud Examiners. Of the 532 cases whose discovery was studied for the 2002 Report to the Nations: Occupational Fraud and Abuse, only 18.8 percent were found by accident. This figure is especially startling because it is higher than those discovered by internal audit (18.6%), internal controls (15.4%), or external audit (11.5%). Tips from employees were the single largest source of information that fraud was suspected (26.3%).

3. As defined in Statement of Financial Accounting Concepts No. 2 (FASB, May 1980), materiality is “the magnitude of an omission or misstatement of accounting information that, in the light of surrounding circumstances, makes it possible that the judgment of a reasonable person relying on the information would have been changed or influenced by the omission or misstatement.”

4. B. Melancon, AICPA president and CEO.

5. L. W. Vona, Fraud Risk Assessment: Building a Fraud Audit Program. (Hoboken, NJ: John Wiley & Sons, 2008).

6. www.acfe.com/rttn/2010-rttn.asp.

7. www.acfe.com/rttn/2010-rttn.asp.