The mindset of white-collar criminal

Auditors of all kinds would be wise to read up on the psychology of white-collar criminals, to better understand the rationalization vector of the fraud triangle:

David Myers, the former controller of WorldCom, recalled thinking that he was “helping people and doing the right thing” while perpetrating one of the largest accounting frauds in history. In his mind, the fraud was superficially sustaining the company, its stock price, and the jobs of its employees.

For some, the theory is that it was a simple cost-benefit calculation, underestimating the likelihood of being caught and, therefore, the cost. But the article linked to above notes that in other cases, there wasn’t a whole lot of calculating going on at all:

Waksal understood that calling his daughter and telling her to dump her shares was wrong. Since he knew the SEC monitors this kind of trading, his decision couldn’t possibly represent the careful reasoning of a self-made man who prided himself on his intellectual prowess. Had he actually put his mind to it, presumably he could have devised a better fraud.

Part of the problem is how separated the perpetrators of white-collar crime are from their victims, or how relatively small the impact of their fraud will be on them, in their minds. As businesses become bigger, and our communities grow and our connections to each other loosen, this will continue to be a big factor.

Actually the article doesn’t really conclude much. Some felt remorse, some didn’t. Most didn’t think things though, but if they did they underestimated the impact on their lives and their victims’ lives. Some acted out of perceived pressure to meet earnings targets, while others believed they were doing what was right and would be recognized as such (*cough* Fastow).

Interesting read, and always fun to read about the schemes and perpetrators’ justifications for them. Be vigilant, it can happen in your company.

Outsource internal audit for greater objectivity

That’s the recommendation from the Institute of Chartered Accountants of India (ICAI), as reported by The India Express:

“In the high-powered committee report on Satyam scam, we have proposed that internal audit should be outsourced and not be in house so that there is more independence. If the auditor is from the organisation, it is as good as being an employee of the organisation and the chances of remaining unbiased decline. Market regulator Sebi through clause 49 and the corporate affairs ministry through the Companies Law should make it mandatory that the internal auditor should be from outside the organisation,” ICAI president Amarjit Chopra told The Indian Express.

I can’t really argue with the logic, but the feasibility of the idea is fair game. The logistics of putting this into place is giving me a headache, and it does seem like an overreaction to a single instance of fraud.

The voice of reason comes from the director of KPMG in India:

“More important [than outsourcing] is the communication between head the of internal audit and CEO or chairman of audit committee. The success depends more on how freely and directly the internal auditor can discuss the shortcomings in a firm with the CEO of audit committee.”

Boards should be ensuring that the lines of communication between the Chief Audit Executive and the Audit Committee are direct and communications frequent and frank. That applies even if IA is outsourced as well.

I blogged a while ago about the Satyam scandal.

Internal audit at Satyam

New charges in the Satyam scandal were laid by India’s Central Bureau of Investigation, for “creating fake invoices to inflate revenues by US$94 million and forging company board resolutions to obtain unauthorised loans worth US$265 million” according to this story in Accountancy Age.

This comes after charges were laid on November 21 against the former Head of Internal Audit, VS Prabhakar Gupta, for the company, for “willful suppression of auditing irregularities.”

A lot of coverage in the blogs (primarily Dennis’ and Francine’s) thus far has focused on the role the external auditor PricewaterhouseCoopers played in the fraud, but Internal Audit arguably should’ve been better able to root out the fraud due to its closer familiarity with business processes.

It’s difficult to detect fraud in the best of circumstances, but when the charges involve suppression of irregularities discovered by internal audit, questions will be raised (and arrests made).

DNA (Daily News & Analysis), an Indian English language newspaper, provided additional detail on the arrest of the former Head of IA:

While the spokesman refused to divulge any further information about Gupta, sources in the agency claimed that the auditor had helped in falsifying accounts including inflating the overseas employees pay bill.

On top of this, the Internal Audit department received the Recognition of Commitment from the Institute of Internal Auditors in 2005, which according to the IIA was “available to all internal audit activities that submitted an application fee and met specific criteria in the areas of quality, outreach and professionalism, based on a point system.” The program was discontinued in 2006.

On the occasion, the now former Head of IA had this to say:

We are extremely happy with the recognition that our Internal Audit team has received on an international platform. Satyam is one of only 26 internal audit departments worldwide receiving this award in 2005 and it reinforces our commitment to meet the international standards in the concepts and approaches to audit function contributing to better corporate governance.

Satyam is now commonly referred to as India’s Enron.

Enron chronicle provides some holiday reading

I have been on vacation for the last half of this month, and that along with Christmas has resulted in much less activity on this blog than is normally seen.

Additionally, I have been immersed in a great book on the Enron scandal, titled “The Smartest Guys In the Room: The Amazing Rise and Scandalous Fall of Enron.”

The book was originally published in 2003, but was recently republished with an extra chapter. “Now includes the Enron trial and the death of Ken Lay,” the cover advertises.

I’m a little surprised I haven’t read a book on Enron until this point, given how fascinating the fraud is to me. I thoroughly enjoyed it.

The book is accessibly written. You don’t have to be an auditor to undeerstand what caused Enron to implod. That sort of disappointed me – the book didn’t go into enough detail for my liking. But they know their audience, which isn’t exclusively the audit profession.

I was hoping to see some debits and credits and maybe even a T-account or two, dissecting each transaction of each special-purpose entity (SPE) in painstaking detail, but I was out of luck.

I won’t go into too much more detail at this point, as I will pull out some of the more memorable passages in future posts and discuss them there.

Suffice it to say the book was awesome and I recommend it to everyone, not just auditors.

Sucks to be Seidman

By now, the verdict in the BDO Seidman lawsuit has been covered by all the major industry blogs. All the heavyweights have registered their opinions in this great swirling mass known as the blogosphere. The mainstream media has tossed it around this way and that. There is near unanimity amongst all commenters: Sucks to be them.

I don’t disagree completely. For failing to detect a fraud perpetrated at E.S. Bankest LLC, Seidman is on the hook for $170 million in actual damages and a whopping $351.7 million in punitive damages. The combined amount of $521.7 million is the value of accounts receivable E.S. Bankest fraudulently reported in their financial statements, which were audited by BDO.

Naturally a lot of speculation has focused on whether the firm will be able to survive, assuming their appeal doesn’t reduce the damages. Big Four Blog does the math:

The WSJ says, “Testimony and evidence presented showed that BDO had profit distributable to partners of more than $170 million for its 2006 fiscal year, which ends in June, and a net worth of about $40.5 million. […] Among 250 partners works out to about $700,000 payout per partner. The $521 million damage is equal to three years of current year earnings. […] Can BDO Seidman effectively handle such a large amount of payouts, without losing its current structure? This is serious money for a medium sized firm.

It’s serious money, period. Jack says:

Even for the Big Four, $522 million is a lot of scratch. Recall that the Department of Justice fined KPMG $450 million in its tax shelter travails. That caused outsiders to wonder if it would interfere with KPMG’s equilibrium. This is not the way BDO Seidman would like to join the big leagues.

Just how much scratch a half billion really is for either a Big Four firm or a mid-tier one is not crystal clear. Francine asks the question:

When will the SEC and PCAOB start encouraging all the firms to be more transparent about their ability to continue to weather all of these high payouts? It seems we only hear there’s a problem with covering the liability when the firm is about to go under.

E.S. Bankest was part-owned by the plaintiff in the lawsuit, Banco Espírito Santo (Get it? E.S.!), and Bankest Capital. BES relied on “faulty audits showing that Bankest Capital’s income had nearly tripled from 1995 to 1996” when deciding to start the venture!

The entity was involved in factoring, which is when a third party buys accounts receivable from companies at a discount (to improve cash flow for the original company), collects the receivables and keeps the profit. Needless to say, the accounts receivable assets of a factoring company should be a main focus of a properly conducted risk-based audit.

Another interesting bit is how quickly the jury decided the firm had been negligent. One hour. Gross negligence. The evidence must’ve been pretty convincing.

The best evidence of the existence and accuracy of receivables is the confirmation. This is where the auditor takes a sample of receivables outstanding at year end and sends a letter to the customer asking them if they agree with the amount owed. If they agree, it is confirmed. If they disagree, they typically provide what they believe the balance was, and the two must be reconciled.

The strength of the confirmation should be obvious. Evidence coming from a third party is stronger than other procedures performed on AR like vouching to invoices and shipping documents, which are client-prepared.

The problem is that most confirmations are not returned. In my experience, I’ve gotten as few as 6 of 20 back, although it really depends on the organization and industry. I’ve heard that some companies or the management have a policy of not returning confirmations. Either way, when confirmations are not returned, the auditor has to fall back on alternative procedures, which are less persuasive.

Another typical procedure is the analysis of the aging of receivables. The longer a receivable has been outstanding, the less likely it will be collected. An auditor will identify larger receivables that have been outstanding for longer than 60 or 90 days, and discuss the situation(s) with management to assess whether the receivables are collectible.

Details regarding the failed audits have been unsurprisingly scarce, but it’s a good bet that the two areas above played a significant part.