Fraud Prevention

review.

I. PREFACE

The Sarbanes-Oxley Act of 2002 is the most major securities regulation to affect companies since the Securities Exchange Act of 1934. Right now there are about 15,000 listed companies, which have a total market value of approximately $37 trillion and are held by tens of millions of shareholders. Studies have indicated that 1 to 6% of all corporate revenue is lost to fraud.   In my consulting practice I have developed close to one hundred templates that I use in protecting companies from the effects of fraud on their revenue stream.

The Enron trial ended after four years of federal investigations and 108 days of sworn evidence. The prosecution based its case on evidence provided by executives below the top level, who themselves took plea deals, and on the Watkins letter, which exposed the fraudulent activities of the corporation in August 2001. Judge Lake invoked a common feature in white-collar prosecutions by giving the ostrich instruction to the jurors. This allows the jury to find a defendant guilty if they had sufficient notice of problems (like the Watkins letter), but deliberately refused to recognize or act on that information. Former WorldCom CEO, Bernard Ebbers, was convicted by way of a similar ruling.

Willful blindness satisfies the knowledge for a conspiracy conviction and the intent (scienter) element of a fraud conviction.   The knowledge element refers to an offending party’s knowledge of the wrongness of an act or event prior to committing it. Black’s Law Dictionary defines fraud under common law as involving three elements: (1) a material false statement made with intent to deceive (also known as the element of scienter); (2) a victim’s reliance on those statements; and (3) damages. If the breach of fiduciary duty has no wrongful intent, it is civil fraud, but if it does, it becomes criminal fraud. This treatise does not cover frivolous cases of civil fraud claims, such as the difficulties of Dave Thomas of Wendy’s with an IPO where a footnote disclosure was found inadequate or Ron Howard’s dissolution of his film company whereby investors claimed civil fraud because he walked away from the corporation.   These cases cross the line of frivolity.

The ostrich instruction is a common feature in white collar crime prosecutions. United States v. Jewell, 532 F.2d 697 (9th Cir. 1976), sets forth the classic instruction in this area: You may infer knowledge from a combination of suspicion and indifference to the truth. If you find that a person had a strong suspicion that things were not what they seemed or that someone had withheld some important facts, yet shut his eyes for fear that he would learn, you may conclude that he acted knowingly. Judge Posner explained how the ostrich instruction should be understood, and its limitations, in United States v. Giovannetti, 919 F.2d 1223 (7th Cir. 1990):

The most powerful criticism of the ostrich instruction is, precisely, that its tendency is to allow juries to convict upon a finding of negligence for crimes that require intent . . . The criticism can be deflected by thinking carefully about just what it is that real ostriches do (or at least are popularly supposed to do). They do not just fail to follow through on their suspicions of bad things. They are not merely careless birds. They bury their heads in the sand so that they will not see or hear bad things. They deliberately avoid acquiring unpleasant knowledge. The ostrich instruction is designed for cases in which there is evidence that the defendant, knowing or strongly suspecting that he is involved in shady dealings, takes steps to make sure that he does not acquire full or exact knowledge of the nature and extent of those dealings. A deliberate effort to avoid guilty knowledge is all the guilty knowledge the law requires.

Jurors were quoted after the trial as saying that for a man as knowledgeable as Enron Chairman Ken Lay was, he had to know what was going on at his own company. They found the high level of stock sales unusual compared to his recommendations at the same time to employees of the company to hold and buy stock.

Why has the last decade seen such an increase in white collar crime? It has been reflected in dozens of cases involving bribery, conflicts of interest, mail and wire fraud, and securities fraud, to name only a few. My name is David Meade.   I consult for privately-held and publicly-held companies and implement anti-fraud strategies. I consult nationwide, and can be reached at DavidMeade7777@gmail.com. It is the purpose of my book to raise the awareness level for business owners of all sizes that their company can operate in a safe environment, free of concern of government investigations, and internal fraud or inefficiency.   By studying the past, and researching what the federal government requires, business owners can see to it that their business is abiding by and following critical principles of strategy that will keep it profitable and secure in this environment.

1. An Overview of Corporate Governance

II. Key Reasons We Need Corporate Governance

Events Leading up to Sarbanes

A variety of corporate scandals led to the passage of the Sarbanes-Oxley Act, including the Enron failure. David Duncan, the former senior audit partner of Arthur Andersen LLP (Arthur Andersen), participated in the shredding of documents in the Enron case. Andy Fastow, the former CFO of Enron, set up a series of partnerships that were used for self-dealing and had the ultimate purpose of hiding debt transactions from the consolidated financial statements of Enron. He was assisted by Michael Kopper, who was involved in money laundering and wire fraud. Other Enron executives were either being investigated or indicted for securities fraud, making false statements to federal investigators, or fraudulent trading practices. With the collapse of Enron, $60 billion in market value was lost.   

Bernard Ebbers, the CEO of WorldCom, had enjoyed the rising price of his holdings in WorldCom’s stock. Ebbers came under increasing pressure from banks to cover margin calls on his WorldCom stock that was used to finance his other businesses. During 2001, Ebbers persuaded WorldCom’s board of directors to provide him corporate loans and guarantees in excess of $400 million to cover his margin calls, but this strategy ultimately failed, and WorldCom became the largest corporate bankruptcy in history.

Beginning in 1999 and continuing through May 2002, the company used fraudulent accounting methods to mask its declining financial condition. The fraud was accomplished primarily in two manners: (1) underreporting operational costs (one of five popular methods of corporate accounting fraud) by capitalizing these costs on the balance sheet rather than properly expensing them and (2) generating revenues with false accounting entries from corporate unallocated revenue. WorldCom’s internal audit department uncovered approximately $4 billion of the fraud in June 2002 during a routine examination of capital expenditures and alerted the company’s external auditors. At the end of the day, it was estimated that the company’s total assets had been inflated by around $11 billion.

Four former HealthSouth CFOs pled guilty after Sarbanes was passed to a variety of charges, including false certification of financial statements under the Sarbanes-Oxley Act, a federal offense punishable by up to twenty years in prison.

After the fact, when the SEC commissioned a study under Section 704 of the Sarbanes-Oxley Act, dozens of corporate governance scenarios were listed, which led to grand jury investigations and investigations by the FBI, Treasury, and SEC, and were followed by indictments and class-action lawsuits against some of the largest publicly held corporations in the world. Almost thirty different bills were proposed in 2002 in Congress before the final version of the Sarbanes-Oxley Act, named after Senator Paul Sarbanes from Maryland and Representative Michael Oxley from Ohio, was accepted and signed into law by President Bush in July 2002.

Corporate governance is defined as the relationship between corporate directors, officers, and providers of capital under the rule of law. Corporate directors are responsible to shareholders for the efficient use and stewardship of resources. Self-regulating corporate governance had failed, and the government stepped in to provide direction with the Sarbanes-Oxley Act of 2002. This act replaced the long-standing Financial Accounting Standards Board with a quasi-government (private but accountable to the SEC) body known as the Public Company Accounting Oversight Board. It was to be responsible for auditing and quality control of firms registered to audit publicly held corporations. Title II of the act covered Auditor Independence Issues, including prohibited services that were in the realm of conflicts. Title III included the all-important Section 302 Certifications, which brought the HealthSouth fraud to a complete halt. Title IV included Section 404, which increased audit responsibilities and also increased corporate accountability for solid internal control system reporting. Corporate fraud and accountability in a variety of areas were covered by Titles IV to XI. The section shortly following provides a list of key changes to the ways listed corporations are governed post-Sarbanes-Oxley.

PCAOB

One of the first responsibilities of the Public Company Accounting Oversight Board (PCAOB) was to establish a Standing Advisory Group (SAG) of twenty-five members who were experts in financial disciplines, as well as independent and objective. Once the SEC had approved this rule for the SAG to take effect, it began a study of current auditing standards in order to begin issuing its own interpretations. Auditing Standard No. 2 followed, which has the rule of law behind it. To violate it is the same as violation of the federal Sarbanes-Oxley Act and carries up to the same maximum civil and criminal penalties. Auditing Standard No. 3 followed, whose topic was audit documentation. Auditing Standard No. 4 had a primary topic of interpretation of material weakness changes. Approximately 8 percent of listed corporations after the first year of Sarbanes compliance reported what are known as material weaknesses in internal controls structures.

This came as a total change from the prior way that audits and auditors were accustomed to operating. Their former self-regulating body, the Financial Accounting Standards Board (FASB) had previously issued the pronouncements utilized in reaching conclusions about presentation and disclosure on annual Form 10-Ks and 10-Qs, the quarterly financials. PCAOB recommended the control environment structure utilized by the Treadway Commission Report, called the Committee of Sponsoring Organizations (COSO), but it did not require its exclusive use in evaluating risk assessments related to internal control issues. Scoping and planning, identifying significant accounts, determining multi-location coverage, and many other topics were addressed in Auditing Standard No. 2 (AS2).

COSO had recommended that five components of internal control become a critical part of management’s Section 404 assessment. The Control Environment establishes an overall tone, and COSO found a group of sub-components that related to corporate governance that comprise this facet, some of which are covered in detail below. Risk Assessment, the second component, is a matter of establishing risks and ranking them. Control Activities are the policies used to ensure that directives are implemented. These could include top-level reviews and metrics. Information & Communication is a fourth component, involving meetings, training, and policy manuals. Finally, Monitoring is the process utilized to assess the quality of internal control and reporting of deficiencies.

Section 302 Certification

Section 302 of the act is a formal signature certification rule that requires CEOs and CFOs to certify in each Form 10-K and 10-Q that:

• The officer reviewed the report;

• Based on the officer’s knowledge, the report does not contain any untrue statement of a material fact in order that the financial statements present fairly the company’s financial condition and results of operations;

• The officer is responsible for maintaining an internal control system that has been designed to ensure that material information is reported;

• The officer has evaluated the effectiveness of the internal controls within ninety days prior to the report;

• In the report, conclusions about the evaluation are reached, as well as whether significant changes have occurred;

• The officer has disclosed to the audit committee all significant deficiencies in design or operation of the internal controls, as well as any fraud that involves management.

Section 302 Certification has caused the SEC to issue guidance to listed corporations that have led them in large part to establish disclosure committees. These comprise key corporate officers and operate under a charter. Their purpose is to review the quarterly and annual reports, proxy statements, registration statements, and press releases to ensure they are in full compliance with the currently mandated disclosure requirements applicable to their industry.

Section 404 Certification

Section 404 of the act states that the commission (SEC) shall prescribe rules requiring each annual report required under the Securities Exchange Act of 1934 to contain an internal control report, which shall state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.

The internal control definition encompasses the internal control system, at both the process and company levels, that provides reasonable assurance that transactions are complete, accurate, and valid and that restricted access exists. Completeness refers to all recorded transactions accepted by the system (only once, with duplicate postings rejected); accuracy refers to key data elements for transactions input as correct; validity refers to transactions being authorized; and restricted access refers to confidentiality of data and segregation of duties.

Segregation of Duties

This is a key concept within the Sarbanes framework. A fundamental element of internal control is the segregation of key duties. No employee should be in a position to perpetrate and to conceal errors in the course of their responsibilities. There are four categories of incompatible duties:

• Custody of assets

• Authorization or approval of related transactions

• Recording or reporting

• Reconciliation or monitoring

An essential feature of segregation of duties is that control over the processing of a transaction should not be performed by the same individual who is responsible for recording and reporting the transaction. Potential incompatible duties would exist if one individual performs duties in more than one category. A template reflecting the segregation of duties in process-level controls is normally utilized to determine whether conflicts exist.

For example, there may be fifteen types of process-level controls within a corporation, including revenue, accounts payable/purchasing, payroll processing, fixed assets, regulatory compliance, debt, investments, stockholders equity, and financial reporting. A matrix with the above four categories at the top, followed by the actual process flow (normally seven to twelve items exist in each process flow) will allow one to determine potential conflicts at a glance. A process flow chart is an advanced means to determine control weaknesses, but it is a much more complicated procedure to perform. Some companies utilize both narrative documentation and process flow charts, however.

Section 404 Documentation

To meet the requirements of Section 404, a variety of documentation is required. At a minimum are the walkthrough document, the Risk control matrix, and an audit program based upon the matrix described above. The walkthrough document is prepared for each process, usually with the assistance of the controller and the process owner, the head of the department responsible for the process. It is a narrative description of the process that assists in the risk assessment process. On a practical level, internal audit decides which key control points affect financial reporting, and those items become key controls. Key controls in the walkthrough are normally listed in bold type and referenced to the risk control matrix by a nomenclature.

The walkthrough contains a complete description of key control points in each process. Normally at least one key control point is discovered at each level. The System Control Chart in the Case Studies chapter on insurance anti-fraud controls illustrates the points at which key controls are located. A key control is defined as a control that affects financial reporting.

The risk control matrix is normally an Excel schedule prepared for each Company-level Control and each Process-level Control that contains, in sequence, the:

• Objective of the Internal Control

• Financial Statement Assertion

• Key control

• Test of the Key control

• Inherent Risk Description

Company-level Controls

Company-level controls were at the heart of the Enron failures. COSO has established an internal control framework widely utilized in North America that provides a basis for organizing a risk control matrix. In addition to the process-level controls, the controls surrounding the corporate environment must be evaluated. At a minimum company-level controls need to be evaluated at these levels:

• Control Environment & Activities

• Information & Communication

• Monitoring

• Risk Assessment

At the control environment level, the objectives (around which appropriate Key controls must be designed) include:

• Management is conservative in accepting business risk.

• Senior managers and operations meet frequently to review risk proposals.

• Management has established and communicated a Code of Ethics policy.

• Company policies and procedures are enforced.

• Managers are prohibited from overriding established controls.

• The human resources department is committed to training and retaining competent individuals.

• Job descriptions and performance evaluations are related to guidelines.

• The company has an effective and active board of directors and audit committee.

• Anti-Fraud Charter is established and in practice.

At the Organization level, the objectives include:

• Relevant reports are identified, processed, and reported by information systems.

• Information system platforms are subject to guidelines and review.

• Organization charts are utilized to communicate duties.

• A whistleblower hotline is established.

At the Monitoring level, the objectives include:

• Audit plan and results are communicated to the audit committee.

• Internal audit reports are reviewed by the Chief Accounting Officer.

• Code of Conduct has been distributed and signed off by employees.

• Internal Audit plans and policies are approved by the audit committee.

• Company accounting manual is widely distributed and updated.

At the Risk Assessment level, the objectives include:

•