Mitigating the Risk of Common Fraud Schemes: Insights from SEC Enforcement Actions - January 2021 - TheCAQ.org
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Mitigating the Risk of Common Fraud Schemes: Insights from SEC Enforcement Actions January 2021
About the Anti-Fraud Collaboration
The Anti-Fraud Collaboration is dedicated to advancing the discussion of critical anti-fraud efforts through the
development of thought leadership, awareness programs, educational opportunities, and other related resources
focused on enhancing the effectiveness of financial fraud risk management.
The Anti-Fraud Collaboration was formed in October 2010 by the Center for Audit Quality (CAQ), Financial
Executives International (FEI), The Institute of Internal Auditors (The IIA), and the National Association of
Corporate Directors (NACD).
The CAQ is an autonomous FEI is the leading advocate
public policy organization for the views of corporate
dedicated to enhancing investor financial management. Its more
confidence and public trust in than 10,000 members hold
the global capital markets. The policymaking positions as Chief
CAQ fosters high-quality performance by public Financial Officers, Treasurers and Controllers at
company auditors; convenes and collaborates with companies from every major industry. FEI enhances
other stakeholders to advance the discussion of member professional development through
critical issues that require action and intervention; peer networking, career management services,
and advocates policies and standards that promote conferences, research and publications. Members
public company auditors’ objectivity, effectiveness, participate in the activities of 65 chapters in the
and responsiveness to dynamic market conditions. US. FEI is headquartered in Morristown, NJ, with an
Based in Washington, DC, the CAQ is affiliated office in Washington, DC. For more information, visit
with the American Institute of CPAs. For more www.financialexecutives.org.
information, visit www.thecaq.org.
The IIA is the internal NACD empowers more than
audit profession’s most 20,000 directors to lead with
widely recognized confidence in the boardroom.
advocate, educator, and As the recognized authority on
provider of standards, guidance, and certifications. leading boardroom practices,
Established in 1941, The IIA today has more than NACD helps boards strengthen investor trust and
200,000 members from more than 170 countries and public confidence by ensuring that today’s directors
territories. The IIA's global headquarters are located are well-prepared for tomorrow’s challenges. World-
in Lake Mary, Fla. U.S.A. For more information, visit class boards join NACD to elevate performance,
www.theiia.org or www.globaliia.org. gain foresight, and instill confidence. Fostering
collaboration among directors, investors, and
corporate governance stakeholders, NACD has
been setting the standard for responsible board
leadership for 40 years. To learn more about NACD,
visit www.NACDonline.org.
This publication is intended as general information and should not be relied on as being definite or all-inclusive. As with all other Anti-Fraud Collaboration
(AFC) resources, this publication is not authoritative, and readers are urged to refer to relevant rules and standards. If legal advice or other expert assistance
is required, the services of a competent professional should be sought. The AFC and its member organizations make no representations, warranties, or
guarantees about, and assume no responsibility for, the content or application of the material contained herein. The AFC expressly disclaims all liability for
any damages arising out of the use of, reference to, or reliance on this material. This publication does not represent an official position of the AFC or its
member organizations, their respective boards, or their members.
© 2021 Anti-Fraud Collaboration. All Rights Reserved.
INSIGHTS FROM SEC ENFORCEMENT ACTIONS
02 Executive Summary
04 Introduction
06
Contents
The Current Fraud Risk Landscape
09 Fraud Schemes and Related Issues
16 Root Causes and Fraud Factors
20 SEC Enforcement Observations
23 Key Themes and Considerations
27 Conclusion
29 Appendix A: Scope and Methodology
Appendix B: Index of Top In-Scope Fraud
31 Schemes
44 Notes
45 Acknowledgements
1
MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Executive Summary
+ Over the years, the Securities and Exchange fraud schemes. The objective of this study is to
Commission’s (“SEC”) enforcement efforts have provide observations on higher risk areas that
focused on a wide range of alleged misconduct, are susceptible to fraud and insights into what
related but not limited to, intentional and non- companies can do to identify and mitigate these
scienter frauds, issuer reporting and disclosures, types of fraud risks more effectively.
auditor shortcomings, absent or insufficient
internal controls, deficient disclosure controls, non- + The most common types of fraud identified
GAAP measures, the Foreign Corrupt Practices Act, included: improper revenue recognition, reserves
securities offerings, insider trading, broker dealer, manipulation (e.g., inadequate reserves for known
and cyber-related misconduct. liabilities), inventory misstatement, and impairment
issues. Improper revenue recognition appeared
+ Given the unique impact of financial statement to be the most prevalent fraud scheme in almost
frauds and relevance to companies, auditors, and every year, and it was among the top two fraud
investors, the Anti-Fraud Collaboration (“AFC”) schemes from 2014 through mid-2019.
undertook a study to classify common financial
statement fraud schemes based on an analysis + There was rarely a single root cause for each
of SEC enforcement actions involving accounting matter, as each scheme typically encompassed
or auditing issues where the SEC has issued an multiple issues. This study identified a significant
Accounting and Auditing Enforcement Release number of fraud schemes that also included
(“AAER”). misleading or inaccurate financial statement
disclosures, material weaknesses in internal
+ The SEC issued a total of 531 AAERs from January controls, and unsupported journal entries.
1, 2014 through June 30, 2019. This study focused
on 204 enforcement actions related to financial + The industry sector that was most commonly
statement frauds from which we identified 140 charged by the SEC was technology services. The
2
INSIGHTS FROM SEC ENFORCEMENT ACTIONS
finance, energy, manufacturing, and healthcare + Cases were brought against issuers of all sizes,
industries also experienced several accounting and in multiple jurisdictions, and across various
reporting issues. While the SEC frequently charged industries. Although there is no perfect formula for
the issuer, it often also charged employees preventing or detecting every instance of fraud, the
involved in the schemes. CFOs were the most types of fraud identified by the SEC in recent years
commonly charged employees, followed by CEOs. reveal that the most common schemes and higher
risk areas are not necessarily new. The kinds of
+ The SEC often described circumstances and cited business challenges that were frequently present
common issues—such as tone at the top, high- in enforcement cases—pressure to meet analyst
pressure environment, business challenges, and expectations, increased supplier costs, slowing
lack of adequately experienced personnel—that demand for products, and more—are exacerbated
could foster an environment or culture more during a crisis like COVID-19.
conducive to fraud. This observation suggests
a need for the board and audit committee, + As the SEC continues to reinforce its core
management, internal auditors, and external principles, drive new initiatives, and increase
auditors to be attuned to both quantitative and scrutiny of corporate compliance programs,
qualitative metrics. companies should not lose sight of the core issues
and underlying themes that are most pertinent
+ Although in many cases individuals have to them. The key to protecting companies
gone to great lengths to circumvent existing against fraud is vigilance, a continued resolve
controls, executives, companies, and financial to exercise skepticism, and attention to the
reporting ecosystem participants can learn from potential risks. Companies should remain focused
the enforcement actions how controls were on the fundamentals—controls, processes, and
circumvented and should continue to evaluate the environments that impact financial recordkeeping
strength and efficacy of internal controls, identify and decision-making—and company-specific risks
potential weaknesses, and design and implement by conducting regular risk assessments.•
improvements to internal controls.
3
MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Introduction
BACKGROUND issues, where the SEC has issued an Accounting
and Auditing Enforcement Release (“AAER”).
Financial statement frauds impact stakeholders The objective of our SEC Enforcement Study is
across the financial reporting ecosystem and to provide observations on higher risk areas that
damage confidence in financial markets. Over the are susceptible to fraud and insights into what
years, the Securities and Exchange Commission’s companies can do to identify and mitigate these
(“SEC” or “Commission”) enforcement efforts have types of fraud risks more effectively.
focused on a wide range of alleged misconduct,
related but not limited to, intentional and non- Latham & Watkins and AlixPartners assisted
scienter frauds, issuer reporting and disclosures, the AFC with a comprehensive review of 531
auditor shortcomings, absent or insufficient internal AAERs released between January 1, 2014 and
controls, deficient disclosure controls, non-GAAP June 30, 2019 (“Review Period”). For purposes
measures, the Foreign Corrupt Practices Act, of the Review, we identified 204 AAERs related to
securities offerings, insider trading, broker dealer, financial statement fraud and/or books and records
and cyber-related misconduct. violations as “in-scope” (“Scope”). Given that the
enforcement actions highlight the nature of the
Given the unique impact of financial statement alleged misconduct with varying degrees of detail,
frauds and relevance to companies, auditors, and the identification of these violations was limited to
investors, the Anti-Fraud Collaboration (“AFC”) information that the SEC publicly disclosed, which
undertook a study (herein referred to as “SEC was primarily contained in the AAERs, SEC press
Enforcement Study” or “Review”) to classify releases, and/or related SEC complaints when
common financial statement fraud schemes applicable. We further note that the analysis relies
based on an analysis of SEC enforcement actions on the SEC’s fraud allegations, though in most of the
against companies, company employees, and cases the companies and individuals settled with the
outside auditors involving accounting or auditing SEC but did not admit or deny the frauds.
4
INSIGHTS FROM SEC ENFORCEMENT ACTIONS
The Review Period and Scope were determined considerations. The information in this report
to provide an adequate timeframe for an analysis offers perspectives on the variety and prevalence
of common fraud schemes in general, taking into of recent financial reporting fraud schemes,
consideration that the frauds often occurred several observations on contributing fraud factors and
years before the enforcement actions were released. higher risk areas, insights into enforcement trends
As a result, the years cited in this report refer to and regulatory insights, and commentary on other
the years in which the AAERs were issued, and not considerations relevant to fraud deterrence and
necessarily when the frauds were perpetrated or detection.
uncovered, unless otherwise noted. See Appendix A
for more information about the Review’s scope and This report also addresses the changes to the
methodology. current business environment resulting from the
COVID-19 pandemic and its impact on fraud. The
INTENDED USE AND AUDIENCE insights are valuable to members of the financial
reporting supply chain (board of directors, audit
This report highlights the key findings about committees, financial management, internal
common frauds alleged in the enforcement auditors, and external auditors) as well as regulators,
actions and offers insights into violations related anti-fraud professionals, investors, customers,
to accounting and reporting issues and a broader extended enterprises, service organizations, and
perspective on enforcement observations and other stakeholders.•
5MITIGATING THE RISK OF COMMON FRAUD SCHEMES
The Current Fraud Risk
Landscape
A crisis such as COVID-19 can set the stage for based on fraud-related losses increased significantly
many of the factors that contribute to fraud. after the 2008 recession, according to the National
The global economic disruption has challenged Law Review.1 Therefore, organizations should
companies across industries, impacted supply update their fraud risk assessments to consider
chains, and placed enormous pressure on company the pandemic’s potential impact. Many financial
leadership, managers, employees, and business reporting fraud schemes may be more prevalent in
partners to navigate the disruption, meet or adjust the COVID-19 environment, such as:2
financial targets, manage stakeholder expectations,
or minimize the damage caused by revenue declines, + Fabrication of revenue to offset losses.
asset values, and values of intangibles.
+ Understatement of accounts receivable reserves
Past crises have proven that at any time of large- as customers delay payments.
scale disruption or stress on an economy or
industry, companies should be prepared for the + Manipulation of compliance with debt covenants.
possibility of increased fraud. For example, lawsuits
“Fraud prevention should not be an
afterthought in crisis planning and response;
it should be the starting point.”
Center for Audit Quality
6INSIGHTS FROM SEC ENFORCEMENT ACTIONS
+ Unrecognized inventory impairments. Cybersecurity is another key consideration in any
business environment, and there are additional risks
+ Over- or understated accounting estimates to meet in a mobile work environment. To support remote
projections. access for employees, companies could add servers,
adjust access controls, and institute new types of
+ Misleading plans to remain a going concern. verification, such as multifactor authentication. As
a result, “companies may need new controls related
+ Improper capitalization and amortizations of to new technology, tools, applications, or devices
costs. that employees may be using in the work-from-home
environment,” according to the Center for Audit
+ Big bath write-offs or inappropriate timing of write- Quality (“CAQ”).3
offs.
In addition to changing workforce considerations,
+ Intentional failure to disclose the pandemic’s many companies face challenging financial
impact (including impact on forecasts of future circumstances, such as increased liquidity risks
cash flows and other activities). and going concern issues that create significant
uncertainties in forward-looking projections. The
+ Passing off and falsely disclosing underlying SEC Division of Corporation Finance has provided
issues as attributed to the pandemic. guidance on disclosure and financial issues to
assist companies with accurate reporting during this
+ Overstated business interruption insurance claims period. Below is an illustrative list of considerations
that sweep in costs unrelated to the pandemic. companies can use to assess the impact of
COVID-19 and related disclosure obligations,
+ Cookie jar reserves by companies that may be several of which relate to higher risk areas that are
outperforming expectations during the pandemic. susceptible to judgment and manipulation:4
Our SEC Enforcement Study covered the period + How has COVID-19 impacted the company’s
from 2014 through mid-2019, which was a time of capital and financial resources, including its
economic growth, falling after the Great Recession overall liquidity position and outlook (e.g.,
and before the onset of the COVID-19 pandemic. material uncertainty about ongoing ability to meet
The current environment is one of continuous covenants of credit agreements, known trends and
economic uncertainty and it is difficult to predict how uncertainties related to ability to service debt or
or when circumstances might change. Therefore, other financial obligations)?
understanding changes and implications of the
current fraud risk landscape is essential in identifying + How does the company expect COVID-19 to
disruptors, external stressors, and emerging risk areas, affect assets on your balance sheet and its ability
and mitigating their potential impact. to account for those assets (e.g., judgments in
determining fair-value of assets)?
Coupled with these economic challenges is the
need to adapt controls, oversight, and auditing + Does the company anticipate any material
in a virtual world. In response to the crisis, many impairments, increases in allowances for credit
companies have adopted new ways of working— losses, restructuring charges, other expenses, or
from fully remote workforces to hybrid models—that changes in accounting judgments that have had or
may change operating procedures, segregation of are reasonably likely to have a material impact on
duties, and associated internal controls, which can its financial statements?
leave companies vulnerable to emerging fraud risks.
Some vulnerabilities may arise simply due to limited + How have COVID-19-related circumstances such
accessibility to physical accounting records and as remote work arrangements adversely affected
inventory, while other factors such as an increased the company’s ability to maintain operations,
sense of urgency or pressure could result in including financial reporting systems, internal
noncompliance with policies and procedures or lack control over financial reporting, and disclosure
of adherence to internal controls. controls and procedures?
7MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Despite the various types of issues with which
companies are met during the pandemic, the SEC
urges companies to keep investors informed about
“[The Commission] is very
how they assess, plan for, and take steps to address
the effects of the pandemic. More importantly,
aware of the challenges
companies should avoid being tempted to use
the pandemic to cover up past accounting issues
that companies and
or performance problems. Matt Jacques, Chief
Accountant of the SEC Division of Enforcement,
individuals are facing
emphasized the importance of accurate disclosures
and that “companies should document how they
during this time with
arrived at key estimates and other judgments that
are some of the most complex areas of accounting,
regard to financial
including revenue, fair value and impairments,
hedging, and leasing. Companies should [also]
reporting, accounting, and
tell investors how they changed their accounting
policies or assumptions,” according to a Bloomberg
auditing. We are also very
Tax article.5 much aware of the history
Finally, as a reflection of the pandemic’s impact on
fraud, the SEC Office of Market Intelligence received
of economic downturns
approximately 16,000 tips, complaints, and referrals;
and the Division of Enforcement opened more than
and how these situations
150 COVID-19 related inquiries and investigations,
and recommended several COVID-19 related fraud
can reveal past errors or
actions to the Commission from mid-March to
September 30, 2020.6•
frauds.”
SEC Division of Enforcement
8INSIGHTS FROM SEC ENFORCEMENT ACTIONS
Fraud Schemes and
Related Issues
This section highlights key findings from the SEC COMMON FRAUD SCHEMES
enforcement actions about common financial
statement fraud schemes and related accounting Several types of frauds appeared frequently in the
and reporting issues. For a broader perspective enforcement actions. Unsurprisingly, fraud schemes
on enforcement considerations and details on the to increase income—either through revenue
breakdown of enforcement actions analyzed, see recognition or expense manipulation—occurred
SEC Enforcement Observations on page 20. most frequently. Other commonly manipulated
areas included reserves and inventory, along with
We analyzed 531 enforcement actions issued impairments. Below is an analysis of the key issues
from January 1, 2014 through June 30, 2019 to identified and examples of recent enforcement
classify common fraud schemes. We considered actions that illustrate these types of schemes.
204 enforcement actions, or 38 percent of the See Appendix B for a listing of top in-scope fraud
total population, that related to financial statement schemes.
frauds and/or books and records violations as
“in-scope.” See Appendix A for definitions and In addition to the top fraud schemes, we identified
additional information about the Review’s scope and several other fraudulent schemes and misconduct.
methodology. The range of issues related to non-GAAP measures,
misappropriation of assets and company funds,
For purposes of the analysis, we grouped together concealment of assets, related party transactions,
enforcement actions that were part of the business combinations and divestitures, material
same underlying fraud schemes or charges and omission of information and disclosures, and
considered them part of the same “family.” Based on deceiving and/or misleading auditors.
this designation, we identified 140 fraud schemes
from the 204 enforcement actions. This in-scope
population formed the basis of our analysis.
9MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Classification of Fraud
Examples of Key Elements
Schemes
Improper revenue recognition attributable to timing, valuation, fictitious
Revenue related issues
revenues, and percentage of completion.
Manipulation or improper reduction of reserves, timing of reserves and
of recording of expenses, manipulation or misclassification of expenses,
Reserves related issues
improperly calculated rebate/expense accruals, and failure to recognize
liabilities.
Inventory misstatement including misstating cost of sales and misstating or
Inventory related issues
overstating inventory.
Timing of impairments, including loan impairment deferral, failure to record
Impairment related issues
asset impairment, faulty valuations, and improper reserves manipulation.
10INSIGHTS FROM SEC ENFORCEMENT ACTIONS
Improper revenue recognition
ASC 606: REVENUE FROM CONTRACTS
The greatest number of fraud schemes identified in WITH CUSTOMERS9
the Review related to improper revenue recognition,
with 60 instances in 81 enforcement actions, Considering the emphasis on assessing
or 40 percent of the in-scope population. These and accurately reporting revenue from the
schemes often included falsifying customers or their financial reporting supply chain perspective,
contracts; accelerating revenue in a current period organizations should consider the potential
even though all recognition criteria were not met; for changing fraud risks related to the
recognizing revenue when inventory was shipped Financial Accounting Standards Board
on consignment; failing to account for extended (“FASB”) Accounting Standards Update 2020-
terms, concession, or discount side-agreements; 05, Revenue from Contracts with Customers
percentage of completion; and engaging in channel (Topic 606). As is the case with any recently
stuffing—sending customers more goods than they enacted standard, companies are wise to
can be expected to sell to inflate sales figures—and consider new fraud risks that might occur as
failing to properly account for returns. guidance is being implemented. Risks may
result from lack of familiarity with the new
This finding appears to be consistent with a standards as well as from any opportunities
Committee of Sponsoring Organization (“COSO”) for employees to manipulate the new rules in
study of fraudulent financial reporting cases ways that organizations have not yet identified
enforced by the SEC between January 1998 and or adopted.10
December 2007, in which 61 percent of the cases
related to improper revenue recognition.7 Further,
revenue recognition remains a common issuer
reporting and disclosure issue today. In the SEC recorded on the company’s books. Other alleged
Division of Enforcement 2020 Annual Report, many violations included (1) improperly classifying
of the notable cases included some form of alleged costs of goods sold as research and development
improper revenue recognition, such as the inflation, expenses; (2) not capitalizing labor and overhead
overstatement, or creation of fictitious revenues to costs in inventory costs; (3) recognizing revenues
mislead auditors, analysts, and investors alike. While when products were shipped rather than when
the drivers and opportunities for fraud may change, they were delivered; and (4) understating accruals
the need for companies to identify and address risks for product returns. The order also cited an alleged
in complex revenue recognition areas is an ongoing failure to implement sufficient controls to avoid
imperative. misclassifying sales discounts as marketing
expenses and to prevent overstatement of
CASE HIGHLIGHT revenues and gross profits.
The result: In late 2013, a financial restatement
Improper revenue recognition case study: OCZ decreased OCZ’s previously reported revenues by
Technology Group, Inc.8 more than $100 million from FY 2011 Q2 through
FY 2013 Q1, resulting in a significant reduction in
The case: The SEC charged OCZ Technology previously reported revenues and gross profits.
Group, Inc. (“OCZ”) with materially inflating The company subsequently filed for bankruptcy
revenues and gross margins between 2010 protection, liquidated assets, and ceased
and 2012. The SEC alleged that OCZ’s CEO operations. The company CEO was ultimately
mischaracterized sales discounts as marketing charged with accounting fraud, and the CFO with
expenses and ordered the creation of false accounting, disclosure, and internal accounting
documents to conceal the fraud; shipped more controls failures. The company’s auditor was
goods than the company’s largest customer could suspended from appearing and practicing before
be expected to sell; and withheld information on the SEC as an accountant for violating auditing
significant product returns from OCZ’s finance standards.
department and auditor so that they were not
11MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Reserves manipulation inventory on the balance sheet to manage financial
metrics or overall results. This appears to have
The second most common type of fraud scheme been accomplished in a number of ways, including
identified involved reserves related issues, with overcapitalizing costs into inventory and inflating the
34 instances in 57 enforcement actions, or 28 value; recording fake inventory; timing of recording
percent of the in-scope population. The SEC brought inventory reserves; and failing to record losses when
several cases in which a company manipulated cost exceeds market value.
its expenses, including manipulating items on the
income statement (e.g., moving costs out of COGS
to inflate margins), improperly calculated accruals, CASE HIGHLIGHT
and improper reduction or manipulation of reserves
(e.g., accounts receivable, warranties, and rebates). Inventory misstatement case study: Stein Mart,
Inc.12
CASE HIGHLIGHT The case: The SEC alleged that Stein Mart,
Inc. (“Stein Mart”), from at least 2010 through
Reserves manipulation case study: Diamond Foods, November 2012, did not properly take price
Inc.11 discounts or markdowns into account in valuing
inventory. One of Stein Mart’s markdowns,
The case: In the wake of a spike in walnut prices according to the SEC, was a permanent price
in 2010, Diamond Foods, Inc. (“Diamond Foods”) reduction that was marketed as a temporary
faced a hit to net income at the same time it was reduction. The SEC alleged that Stein Mart
experiencing pressure to meet or exceed analysts’ improperly valued the inventory on permanent
expectations. The SEC alleged that the company reduction by writing down the inventory values
CEO characterized some additional payments to when the product was sold rather than when the
walnut growers as special payments that were markdown was taken, thereby overstating inventory
not reported in year-end financial statements in values.
FY 2010 and FY 2011. Instead, the payments were
designated as advances on crops that had not yet The result: The SEC alleged that Stein Mart
been delivered and recorded on the balance sheet. materially overstated its pretax income by nearly 30
The SEC alleged that by delaying the reporting percent in FY 2012 Q1. In 2013, Stein Mart restated
of these costs, Diamond Foods reduced its its financial results for FY 2012 Q1, all reporting
current expenses and was able to exceed analyst periods in FY 2011, and its annual reporting period
estimates. in FY 2010 primarily because of this accounting
error. Stein Mart consented to an SEC cease-and-
The result: When the company restated annual desist order in 2015.
and periodic financial statements beginning with
the quarter ended January 31, 2010 and continued Loan impairment deferral
through the year ended July 31, 2011, reported
earnings fell by $10.5 million for FY 2010 and $23.6 There were also several fraud schemes involving
million for FY 2011. The SEC brought cease-and- loan impairments and allowances, with 15 instances
desist proceedings and accepted the company’s in 17 enforcement actions, or 8 percent of the in-
settlement offer. scope population. These cases involved instances
where creditors failed to recognize loan impairments
Inventory misstatement and their associated reserve allowances or
improperly reclassified loans to specific categories
The misstatement and manipulation of inventory that do not require review for impairment or other
were among the Review’s top in-scope fraud issues. Both impairment reserve amounts and
schemes, with 15 instances in 24 enforcement timing of recognition appear to be issues facing
actions, or 12 percent of the in-scope population. creditors.
Based on the Review, the misstatements related
to inventory typically aligned with increasing
12INSIGHTS FROM SEC ENFORCEMENT ACTIONS
ASC 326: FINANCIAL INSTRUMENTS—CREDIT LOSSES13
FASB Accounting Standards Update 2016-13, Financial Instruments—Credit Losses (Topic 326): Measurement
of Credit Losses on Financial Instruments, established new rules for determining the allowance for current
expected credit losses (“CECL”). One significant change is a switch from recognizing probable credit losses
when they were incurred to recognizing them when the loan is originated based on an estimate of lifetime
credit losses. The guidance applies to a wide range of companies, including those that hold loans, debt
securities, receivables, or off-balance-sheet credit exposures. As the new rules require more judgment from
senior management, companies should consider potential fraud risks as they implement the new standard.
RELATED ACCOUNTING AND REPORTING
CASE HIGHLIGHT ISSUES
Loan impairment deferral case study: Santander In addition to the conduct described above, some of
Consumer USA Holdings Inc.14 the schemes also included manipulating disclosures
or books and records, creating unsupported journal
The case: The SEC alleged that Santander entries, or exploiting internal control gaps. This
Consumer USA Holdings Inc. (“SCUSA”) did not section discusses some of the specific conduct
properly calculate and report its incurred credit described by the SEC in the fraud cases analyzed.
loss allowance beginning before its initial public
offering in January 2014 and through most of Misleading or inaccurate financial statement
2016. The company purchased and securitized disclosures
retail installment contracts (“RICs”) associated
with car loans. The bulk of the RICs it bought Misleading or inaccurate disclosures are a common
were subprime, so they carried a higher credit risk symptom of financial statement frauds. The Review
and a greater likelihood of default than do loans identified 78 instances of false or inaccurate
issued to borrowers with higher credit scores. financial statement disclosures. The disclosure
The SEC alleged that the company grouped issues related to financial reporting typically may
troubled debt restructuring loans (“TDRs”) with signal how a fraud might be carried out or indicate a
other loan assets and evaluated the whole result of fraud’s existence.
group for impairment in violation of GAAP, which
requires that TDRs be evaluated separately using In the current environment, disclosures have
a discounted cash flow. The SEC also alleged become more important than ever before. The
that the company used an incorrect discount SEC Division of Corporate Finance has warned
rate and incorrectly calculated its accretion. As companies that are grappling with underlying
a result, the company understated its credit loss issues against “big bath” disclosures and attributing
allowance and did not appropriately recognize problems entirely to the impact of COVID-19.
related credit losses. Disclosures continue to be an area on which all
members of the financial reporting ecosystem
The result: SCUSA restated its financial should be focused. This includes evaluating whether
statements twice during the period when the COVID-19 related disclosures are accurate when
allegations occurred. The SEC charged that tied to poor performance, impairment, or failing to
SCUSA violated the reporting, books and records, meet expectations and not an effort to mask other
and internal accounting controls provisions of problems, including fraud.
the federal securities laws. The SEC undertook
cease-and-desist proceedings and accepted the
company’s offer of settlement.
13MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Material weakness in internal controls
“With very few exceptions,
Public companies are required to maintain a system
of internal accounting controls sufficient to prepare most of the major
timely and accurate financial statements. However,
outright management override of controls poses fraud cases in the
a significant risk and is something the AICPA has
called the “Achilles’ heel of fraud prevention.”15 One past 50 years that had
key reason is that because management designs
and implements a company’s internal controls, it is catastrophic results for
also in a unique position to bypass those controls.
Fraud frequently involves the circumvention of the organization were
internal controls because companies tended to
allow, encourage, or take advantage of internal perpetrated by senior
control weaknesses—or lack of controls in the first
place. members of management
The Review identified 44 instances in which the circumventing or
issuer failed to maintain an effective system of
internal accounting controls. Examples of internal overriding seemingly
control weaknesses cited include inadequate
segregation of duties, financial statements prepared sound systems of internal
by employees with insufficient training or accounting
knowledge, and failure to reconcile significant control.”
account balances. The enforcement actions can
offer insights into how companies can mitigate American Institute of
these issues, because they spotlight weaknesses Certified Public Accountants
in the design and implementation or operating
effectiveness of controls.
For example, OCZ’s CEO was charged with failing to
implement controls that would have prevented the
misclassification of sales discounts as marketing
expenses and from overstating revenues and gross
profits. In another instance, Orthofix International
14INSIGHTS FROM SEC ENFORCEMENT ACTIONS
N.V. was charged with having inadequate internal In 11 instances, the SEC specifically referenced
controls over its distributor revenue recognition (see respondents using unsupported journal entries to
Key Themes and Considerations on page 23). perpetrate the frauds. Improper journal entries can be
found in a wide variety of frauds, including schemes
Unsupported journal entries with inventory inflation or fabricated purchases.
Unsupported journal entries are often also associated
Public companies are required by federal securities with management override of internal controls, such
laws to maintain accurate books and records. as when management or accounting personnel
When there is a financial statement fraud, there manipulate entries or create phony transactions to
are necessarily inaccurate books and records. inflate or postpone revenue or expenses.•
COSO INTERNAL CONTROL—INTEGRATED FRAMEWORK SETS FORTH FIVE INTEGRATED
COMPONENTS OF INTERNAL CONTROL:
+ Control environment. The standards, + Management or employees cannot effectively
processes, and structures that govern how and timely prevent or detect material
internal controls are implemented across the misstatements, due to problems with the
organization. design or operation of one or more controls.
+ Risk assessment. The process used to identify, + Controls are not used effectively to prevent
assess, and manage risks that pose threats incentives, pressures, and opportunities for
to the organization and will prevent it from fraud.
reaching its goals.
+ Controls do not reflect the company’s unique
+ Control activities. A wide range of preventive circumstances.
or detective measures that mitigate risks
and enable the organization to achieve its + Controls are not designed and implemented
objectives. to allow for making complex accounting
judgments in accordance with GAAP.
+ Information and communication. The gathering
and sharing of knowledge that reinforce the + Controls do not function as intended due to
value of control objectives, among others. fraud, collusion, or management override.
+ Monitoring activities. Ongoing evaluations + The company fails to reinforce a code of
to determine if the five elements of internal conduct that clearly discourages—and
controls are functioning. stipulates the consequences for—behavior that
could lead to fraud or circumvention of internal
Some contributing factors to control deficiencies controls.
include the following:
+ The company fails to establish standards of
+ Directors and management do not use conduct and to train employees on ethical
appropriate tone at the top to articulate and behaviors and how to address unethical
demonstrate support for effective controls. behaviors.
15MITIGATING THE RISK OF COMMON FRAUD SCHEMES
Root Causes and Fraud
Factors
The Review provides an opportunity to assess by senior management—reflects the importance
potential root causes for fraud, to be mindful of of integrity and ethical values and a commitment
contributing factors, and take proactive steps— to reliable financial reporting.”16 In addition, as
particularly during this unique COVID-influenced organizations shift to remote work, “leadership and
time-period—to prevent future frauds. The department heads should make an active effort to
enforcement actions issued by the SEC are helpful maintain communication with their workforce.”17
in this regard because of their descriptions of the
facts and circumstances that potentially contributed A strong corporate and compliance culture will
to the fraud schemes. The enforcement actions encourage ethical behavior and deter wrongdoing.
described high-pressure environments, a poor tone In a 2014 speech addressing the Commission’s
at the top, and other factors that appeared across enforcement considerations, former SEC Chair, Mary
cases and provide lessons for boards, management, Jo White, stated that the SEC charges individuals
and auditors in evaluating fraud risks. in most of its cases, focusing first on those closest
to the wrongdoing, then determining from there
TONE FROM ABOVE who else should be charged, including whether to
charge the company. Mary Jo White emphasized
Through their actions and communications, leaders that a company “can only act through its employees
articulate and exemplify a certain set of ethical and and if an enforcement program is to have a strong
behavioral standards and expectations. They also— deterrent effect, it is critical that responsible
intentionally or not—foster a culture that permeates individuals be charged, as high up as the evidence
the organization. Leaders who set and follow ethical takes us.”18
standards will have a positive influence on the
standards their employees follow. The CAQ notes According to the Association of Certified Fraud
that “controls designed to generate reliable financial Examiners (“ACFE”), “if upper management appears
reporting are more likely to succeed if the company’s unconcerned with ethics and focuses solely on
culture—including the ‘tone-at-the-top’ established the bottom line, employees will be more prone to
16INSIGHTS FROM SEC ENFORCEMENT ACTIONS
commit fraud because they feel that ethical conduct + Failing to provide ethics training or to articulate the
is not a focus or priority within the organization.”19 company’s expectations and standards in a code
The ACFE also notes that problematic tone at the of conduct; to punish those who lack integrity; or
top can manifest itself in many ways, including the to support and recognize those who demonstrate
following: integrity.
+ Condoning an acceptance or culture of lax Increasingly, companies are also recognizing the
procedures (e.g., corner cutting) or disregard of importance of middle managers in promoting a
controls. culture of compliance and preventing fraud. As
middle managers are the closest to a company’s
+ Focusing on revenues and profits at all cost. daily operations, these employees play a critical role
in overseeing and enhancing a company’s corporate
+ Violating laws or regulations or pressuring culture and values by filtering down the right ethical
employees to do so. tone to the rest of the employees within a company.
Tone in the middle can have a significant impact on
+ Tying compensation or bonuses to unrealistic a company’s fraud risk.
goals that may incentivize employees to engage in
misconduct. HIGH-PRESSURE ENVIRONMENT
+ Creating a workplace that is not perceived by The fraud triangle, which illustrates the factors
employees as a meritocracy, but rather as a place necessary for fraud to occur, is formed by
where some workers are unfairly favored. This opportunity, rationalization, and pressure. People
can lead to grievances that enable workers to often perceive pressure as an individual concern,
rationalize fraud. relating to someone with financial concerns or other
problems that lead them to rationalize unethical
+ Illegally discriminating against employees or behavior. However, that pressure may also be
engaging in sexual harassment or other abusive caused by the work environment in a department or
behavior. an entire organization. A high-pressure environment
may demand that employees meet unrealistic goals,
+ Retaliating against employees who report fraud or for example, or may cause employees to feel their
other misconduct. jobs are threatened if they do not circumvent certain
standards or procedures.
“The board of directors and senior
management establish the tone at the top
regarding the importance of internal control,
including expected standards of conduct.
Management reinforces expectations at
various levels of the organization.”
COSO Internal Control—Integrated Framework
17MITIGATING THE RISK OF COMMON FRAUD SCHEMES
In a high-pressure environment where employees
perceive that delivering bad news is unacceptable, CASE HIGHLIGHT
they may rationalize that it is expected, or implicitly
encouraged, to make numbers or take whatever Manipulation of financial results case study:
steps they need to meet earnings projections and Computer Sciences Corporation20
other expectations. Even if management or the
board believe they have modeled ethical behavior The case: The SEC alleged that Computer
themselves, an unnecessarily or unhealthy high- Sciences Corporation (“CSC”) engaged in a wide-
pressure environment can lead to intentional or ranging accounting and disclosure fraud that
inadvertent failures of control activities and can be a resulted in a material overstatement of earnings
potential contributor to fraud. and concealed significant problems with its
largest contract from investors from 2009 to
Actions that can counter-balance the risk from a 2011. The company CEO was accused of using
high-pressure environment include, among other improper accounting models for the company’s
things, greater transparency and more training. largest, multi-billion dollar contract with the United
Pressure to skirt the rules is potentially reduced in Kingdom’s National Health Service (“NHS”) and,
an environment where targets and achievements with the CFO, failed to make required disclosures
are clearly reported, so that observers from the top and made misleading statements to investors
or other parts of the organization have a chance to about the NHS contract.
understand how they are or can be achieved.
In 2009, CSC’s Finance Director reported to his
Another approach is to offer employees training colleagues that CSC would fall more than $1 billion
on the organization’s ethical expectations and short of the original $5.4 billion revenue target for the
rewarding those who follow the rules. Employees contract, the NHS account had “no basis” for holding
in a high-pressure environment may assume that its operating income and revenue forecasts, and
the departures from ethical behaviors are the that CSC’s accounting model was “non-sustainable.”
norm—or implicitly condoned by management. CSC finance personnel prepared an accounting
Training can clarify the organization’s standards and model that reflected the contract was no longer
expectations as well as compliance requirements, profitable compared to the previously forecasted 16
and rewards can demonstrate that meeting them percent profit margin. CSC’s Finance Director did not
is important to company leadership. Considering immediately communicate this to the CEO or CFO,
ethical expectations and the tone that managers set and led a fraudulent “gap closing” exercise in which
in performance evaluations can also reinforce the his team manipulated assumptions to conceal the
importance of adherence to rules and guidelines. significant profit reductions.
In addition, executive leaders should consider Several CSC finance personnel in the United
whether the pressure being seen in some or all Kingdom, Australia, and Denmark were allegedly
levels of an organization is a result of the unrealistic complicit in the schemes. Their actions included
expectations or deadlines that they are setting. using a fraudulent accounting model with
While striving to meet analysts’ estimates does not fabricated assumptions to avoid earnings declines;
always lead to misconduct, for example, demands overstating earnings using “cookie jar” reserves
that employees meet unfeasible objectives to meet and failing to record expenses properly; and
those targets may cause employees to succumb manipulating accounting to overstate earnings.
to the pressure and do something they know is CSC’s Nordic region engaged in this misconduct
inappropriate or not what they would otherwise to improve operating income in a region that was
choose to do. Finally, company leaders should struggling to achieve budgets set by management
also address bad news, such as failure to meet in the US. In addition, the SEC charged the company
analyst expectations, and what positive steps the for misleading investors and failing to make
organization will take to address it. It is especially required disclosures.
important now for leaders to not knowingly or
unknowingly squash bad news in a remote work The result: The company paid a $190 million
environment. penalty to settle charges that its executives
18INSIGHTS FROM SEC ENFORCEMENT ACTIONS
manipulated financial results and that it concealed often associated with improper revenue recognition.
significant problems with the company’s largest COSO recommended that “close examination of
and most high-profile contract. Among the eight revenue accounting and related fraud techniques
former executives charged, its CEO agreed to repay is needed to better understand how revenue
the company $3.7 million in compensation under recognition is used to distort financial statement
the clawback provision of the Sarbanes-Oxley Act information.” Inexperienced staff may not have
and to pay a $750,000 penalty. The former CFO sufficient knowledge of certain components of
agreed to repay $369,100 in compensation and pay their functions or tasks. As a result, they may not
a $175,000 penalty. recognize inadequate supporting documentation,
noncompliance with policies or revisions in
LACK OF PERSONNEL WITH SUFFICIENT standards, or irregularities in journal entries. The
ACCOUNTING EXPERIENCE OR TRAINING need for adequate expertise can also increase when
applying complex accounting rules that require more
Experienced and well-trained accounting staff judgment—such as conducting a full analysis of
are often better equipped to identify and address non-standard contracts—by sufficiently experienced
fraud than those who have less expertise. A new accounting staff.
or inexperienced person may also be more likely
to accept excuses or rationalizations from those As the landscape of accounting rules and the ways
attempting to perpetrate fraud because they are in which companies operate are everchanging, there
unaware of any reason not to trust the superior who may be a continual need to refresh and update your
is asking them to bend a rule or make an exception. employees’ skill sets. Companies should strive to
This is a risk enhanced during challenging economic keep employees informed and up to date on best
times where companies may look to cut costs by practices, new guidance, and potential emerging
hiring newer, lower-salaried employees, instead of risks. While many companies have transitioned
retaining costlier and more experienced employees. to a fully remote or hybrid work model in the
current environment, it has become even more
New or complex accounting standards can also critical to timely equip employees with appropriate
complicate the situation. As noted in the COSO knowledge and training on systems, processes, and
study of fraudulent financial reporting, fraud was technologies to adopt new accounting guidance.•
19MITIGATING THE RISK OF COMMON FRAUD SCHEMES
SEC Enforcement
Observations
Based on an accumulation of historical data top 10 industry sectors, and issuer size by market
released by the SEC, we observed that the capitalization.
Commission’s enforcement of core issues has
remained consistent throughout the Review ENFORCEMENT ACTIONS BY RESPONDENT
Period. This section provides a holistic view of TYPE
the enforcement actions based on the individuals
involved and their roles and the types of companies When financial statement fraud occurs, the SEC
represented. We summarized the information using frequently charges the issuer/company. Over the past
the following categories: top five respondent types, few years, the SEC has emphasized the importance
20INSIGHTS FROM SEC ENFORCEMENT ACTIONS
REGULATORY INSIGHT
SEC Division of Enforcement focus on individual accountability. From 2014 through 2020, the SEC Division
of Enforcement has highlighted individual accountability as a key pillar in its enforcement program by
pursuing charges against individuals for misconduct, including executives at all levels of the corporate
hierarchy, such as CEOs, CFOs, other high-ranking executives, accountants, and gatekeepers. In its 2018
Annual Report, the Commission stated that “institutions act only through their employees, and holding
culpable individuals responsible for wrongdoing is essential to achieving [the Commission’s] goals for
general and specific deterrence and protecting investors by removing bad actors from our markets.”21
of individual accountability and frequently charges recognition issues to address. Technology services
company employees, along with the company or companies were most often cited in cases for which
independently for their conduct. Company CFOs are the fraud included premature recognition of revenue
the most commonly charged employees, followed when all the recognition criteria were not met, such
by CEOs, and other employees—such as chief as when there was still a right of return. Finance
accounting officers, other accounting department and energy companies most frequently encountered
employees, and sales personnel. We also noted that reserves and impairment related issues. And as
respondents cited in the enforcement actions could with many other industries, manufacturing and
have more than one role, which would result in more healthcare companies were often cited with revenue
than one designation illustrated herein. recognition and inventory misstatement frauds.
ENFORCEMENT ACTIONS BY ISSUER ENFORCEMENT ACTIONS BY ISSUER SIZE
INDUSTRY
The Review identified 79 enforcement actions,
The industry sector that was most commonly or 39 percent of the in-scope population, that
charged by the SEC was technology services. The cited companies with less than $250 million in
finance, energy, manufacturing, and healthcare market capitalization as a respondent. The next
industries also experienced several accounting and tier of small-cap companies charged represented
reporting issues. We noted parallels between certain 44 enforcement actions, or 22 percent of the in-
industry sectors and fraud schemes identified in scope population, followed by mid- and large-cap
our analysis. For example, technology services companies, which each represented 11 percent of
companies often appeared to have complex revenue the in-scope population.22
21MITIGATING THE RISK OF COMMON FRAUD SCHEMES
The risks of a material weakness of internal control Another Audit Analytics study noted that non-
over financial reporting (“ICFR”) and financial accelerated US filers accounted for 61 percent
restatement may be higher among smaller of the total financial restatements between 2003
companies. According to an Audit Analytics study, and 2019. The top restatement issues included
39 percent of non-accelerated US filers—companies revenue recognition, liabilities, payables, reserves,
with market capitalization of less than $75 million— and accrual estimate failures.25 Though not directly
disclosed material weaknesses in ICFR in 2019, linked to financial statement fraud and not in all
as required by the Sarbanes-Oxley Act Section cases, issues such as material weaknesses in
404.23 One of the primary reasons contributing to internal controls and restatements can be potential
the existence of material weaknesses disclosed indicators of fraud.•
by management was staffing, which included the
competency and training of accounting staff, lack of
segregation of duties, and design of controls.24
22INSIGHTS FROM SEC ENFORCEMENT ACTIONS
Key Themes and
Considerations
Issuers and individuals that manipulated certain and procedures.26 As an important starting point,
financial accounts, including revenue and expenses, management must know its culture in order to
often did so to meet analyst estimates or year-end effectively manage, preserve, and enhance it.
financial metrics. This observation suggests a need Management needs to know what the key drivers
for the board and audit committee, management, of the company’s culture are to understand what
internal auditors, and external auditors to be attuned the culture is and how it might change over time,
to quantitative and qualitative metrics, including according to Jay Clayton.
the company’s culture and tone at the top (and
middle). Culpable employees also tend to try to There are many methods to communicating,
conceal their conduct, so qualitative assessments monitoring, and reinforcing cultural objectives—
of management’s integrity should play a critical role compliance programs, policies and procedures,
in identifying audit and misstatement risks. This training, and personnel decisions (including
section discusses some of the qualitative factors evaluations and compensation), and so on, all
companies can consider to potentially identify of which are important. Culture can serve a “gap
yellow and red flags sooner, and more effectively filling” function when individuals on the front lines
mitigate fraud risks overall. encounter circumstances not contemplated by
their policies and procedures and need to make
CULTURE AND SKEPTICISM decisions. The actions companies take in such
scenarios reflect a great deal about the company’s
The SEC has demonstrated its dedication to culture. When employees make mistakes and
observing culture in its enforcement priorities diverge from cultural expectations, compliance
for many years. In a 2018 speech addressing mandates, or legal requirements, companies should
the importance of culture, former SEC Chairman, consider the following questions:
Jay Clayton, emphasized that “culture is not
optional” even at companies with the most + Do the controls make clear that lying is
comprehensive compliance programs and policies unacceptable?
23You can also read
