Thursday, February 21, 2008

E-Payments

Bye Bye Cheques, Hello Fraud

In the corporate accounts payable world, payment by cheque is becoming a thing of the past. Gone are the days of preparing cheques, having them signed by two busy executives and then sending them to the cashier’s office for post or collection. Gone is the long wait for a cheque sent through snail mail. No more the hassle of sending someone to a client to collect a cheque on a Friday evening after the banks have closed. Gone is the fear of the cheque bouncing. The miracle of electronic bank transfers is here to stay. All a debtor has to do is enter his bank website and, with a few keystrokes, money owed is immediately transferred to a supplier’s bank account.

Highly efficient, but unfortunately, e-payments are wide open to abuse. Not by outside hackers but by insiders entrusted with their processing.

The key element in a bank website electronic transfer process is the payee bank account number. Therein lies a major internal control weakness. With the naked eye, it is extremely difficult to identify a bank account owner through the bank account number. How many people have the number of their own bank account in their heads? Very few. How many people have the numbers of other people’s bank accounts in their heads? Nobody. With a few keystrokes, the bank account number that an e-payment should be made to can be changed to another bank account number. When printing out the e-payment for internal control purposes, an abuser ensures the name of the correct payee appears on the document. Anybody looking at the document may see the correct payee name but will be unable to identify the incorrect bank account number.

As cheques go by the wayside, so too do internal controls associated with the cheque signing process. When sent for signature, cheques should have the source documents attached. If the cheque signers do not see an invoice, a purchase order and a goods/services received stamp they can match to the cheque, they will not sign it. Two signatures on a payment is another typical control that has all but disappeared. A bank website e-payment system may include a second password authorization, but in practice that authorization is invariably provided without question. Even if it is not given automatically, how does a skeptical second password holder identify a changed bank account number?

Abuse of e-payments can be a fraud in and of itself. The processor of e-payments might decide to simply transfer funds to his or her bank account. However, this type of fraud will quickly come to light once a bank reconciliation is performed. E-payment abusers will not want to get caught so easily. E-payments then become the instrument through which another fraud is very easily liquidated. That could be any of a number of payroll frauds or accounts payable frauds: any fraud whereby an excuse is invented to justify a payment that appears to be sent to one bank account but is actually sent to another.

A typical variation of a ghost employee payroll fraud works as follows: A company pays the salaries of its employees through e-transfers. A weekly employee leaves the company. The processor of the payroll e-payments decides to keep the ex-employee on the payroll for another week or two. When executing the payroll e-payments, the processor changes the bank account number of the ex-employee to his/her own bank account number. On printing the payroll e-payments for internal control purposes, the abuser will ensure he/she maintains the name of the ex-employee on the document. The real name will not be noticed among a list of hundreds of names on a payroll. A very cautious abuser will change the bank account number back to what it should be, but most will not bother, as the risk of somebody recognizing an incorrect bank account number is virtually nil.

One of the few ways this type of e-fraud can be brought to light is through the use of number sorting computer programs. Known in the internal auditing trade as data mining programs, they compare the bank account numbers that e-payments have been made to with the bank account numbers they should have been paid to. Unfortunately, many bank website e-payment systems maintain a record of electronic transfers for one month only. After one month the record of the fraud disappears forever. This represents yet another extremely dangerous internal control breakdown associated with electronic payments.
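The comparison such a data mining program performs, as an added example (not code from the article). It assumes the bank's payment records have been exported to CSV before the retention window closes and that HR or accounts payable keeps a master file of authorized accounts; all names, account numbers, dates and column names are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample: master file of authorized accounts (HR / accounts payable).
MASTER_CSV = """payee_id,name,account,terminated_on
E001,Ana Lopez,0123-4567-89,
E002,Luis Perez,0222 3333 44,2008-01-11
E003,Maria Ruiz,0555-6666-77,
E004,Carlos Diaz,0999-8888-11,
"""

# Constructed sample: e-payments as exported from the bank website.
# The printed payee name is correct on every row; only the account differs.
PAYMENTS_CSV = """paid_on,payee_id,payee_name,account,amount
2008-01-18,E001,Ana Lopez,0123456789,1500.00
2008-01-18,E002,Luis Perez,0999888811,1400.00
2008-01-18,E003,Maria Ruiz,0555666677,1600.00
2008-01-18,E004,Carlos Diaz,0999888811,1700.00
2008-01-25,E002,Luis Perez,0222333344,1400.00
"""


def normalize(account):
    """Keep digits only so '0123-4567-89' and '0123456789' compare equal."""
    return "".join(ch for ch in account if ch.isdigit())


def load_master(text):
    """Index the master file by payee id."""
    master = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["terminated_on"].strip()
        master[row["payee_id"]] = {
            "name": row["name"],
            "account": normalize(row["account"]),
            "terminated_on": date.fromisoformat(term) if term else None,
        }
    return master


def audit_payments(master, payments_text):
    """Return (paid_on, payee_id, finding, detail) tuples for review."""
    # Reverse index: which payee legitimately owns each authorized account.
    owner_of = {rec["account"]: pid for pid, rec in master.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(payments_text)):
        pid = row["payee_id"]
        paid_on = date.fromisoformat(row["paid_on"])
        paid_account = normalize(row["account"])
        rec = master.get(pid)
        if rec is None:
            findings.append((paid_on, pid, "UNKNOWN_PAYEE", row["payee_name"]))
            continue
        # Compare on the account number, never on the printed payee name.
        if paid_account != rec["account"]:
            detail = f"paid to {paid_account}, expected {rec['account']}"
            owner = owner_of.get(paid_account)
            if owner is not None:
                detail += f"; account belongs to {owner} ({master[owner]['name']})"
            findings.append((paid_on, pid, "ACCOUNT_MISMATCH", detail))
        # Ghost employee: still paid after leaving, even if the account
        # number has been changed back to the authorized one.
        if rec["terminated_on"] and paid_on > rec["terminated_on"]:
            findings.append((paid_on, pid, "PAID_AFTER_TERMINATION",
                             f"left on {rec['terminated_on']}"))
    return findings


if __name__ == "__main__":
    for finding in audit_payments(load_master(MASTER_CSV), PAYMENTS_CSV):
        print(*finding, sep=" | ")
```

The reconciler, not the e-payment processor, should hold the master file and run the comparison, in line with the separation of duties the article recommends.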

All the internal controls in the world will not prevent e-payment abuse from occurring; however, the following should mitigate the risk:

· Timely bank account reconciliations.

· Separation of duties. Separate payroll and accounts payable processors from e-payment processors. Separate bank account reconciliators from e-payment processors.

· Change of responsibilities. Change e-payment processors at least once per year.

· Regular internal audit focus on the e-payment process.

· Negotiate with your bank the maintenance of e-payments records for at least two years. If this is not possible, consider installing an IT program that duplicates e-payment entries to the bank website.

· High level (CFO, Controller, Treasurer) second password authorization of e-payments.

· Normally e-payments are processed in batches. Before authorizing e-payments, the second password holder should insist on seeing each transaction one by one. He/she should insist that each transaction has source documents attached. The idea here is that a second password holder should approach e-payments no differently from how he/she approaches putting a second signature on a cheque.

· Ensure e-payment processors take their vacations.

Cheques are vulnerable to abuse through signature or endorsement falsifications. However, a cheque is a physical document that is visible to the naked eye. Not everybody is an expert forger and if they are, there is a high risk their forgery will be visible to someone. An electronic bank transfer is a virtually invisible transaction that provides a very low risk opportunity to a processor intent on abusing it.

Electronic Payments

Goodbye Cheques, Hello Fraud

In the corporate accounts payable world, payment by cheque is becoming a thing of the past. The days of preparing cheques and taking them to be signed by two busy executives before sending them to the cashier’s office are numbered. There is no longer any need to send someone on a Friday afternoon to collect a cheque after the banks have closed. The fear of the cheque bouncing has faded. The miracle of electronic transfers is here to stay. All a debtor has to do is go to the bank’s website and, with a few keystrokes, the money owed is immediately transferred to the supplier’s account.

Very efficient, but beware: electronic payments are easy targets for abuse. Not by outside hackers, but by insiders who have been entrusted with the process.

The key element in the electronic transfer process is the account number of the payee. Therein lies the great internal control weakness. At a glance, it is extremely difficult to identify the owner of an account from its number. How many people know their own bank account number by heart? Very few. How many people carry other people’s account numbers in their heads? Nobody. With a few keystrokes, the account number to which an electronic payment should be made can be changed to another bank account number. When printing the electronic payment for internal control purposes, an abuser makes sure that the name of the person who should be paid appears on the document. Anyone who looks at the document can see the correct name of the person who should receive the money but will be unable to identify the incorrect bank account number.

As cheques fall by the wayside, so do the internal controls associated with the cheque signing process. When sent for signature, cheques should have the source documents attached. If the cheque signers do not see an invoice, a purchase order and a goods/services received stamp that they can compare with the cheque, they will not sign it. Two signatures is another internal control that has all but disappeared. A bank’s website system may include a second password authorization, but in practice that authorization is invariably provided without question. And if the second authorization is not given automatically, how can a second password holder identify a changed bank account?

Abuse of electronic payments can be a fraud in itself. The processor of electronic payments may decide to simply transfer funds to his or her bank account without rhyme or reason. However, this type of fraud will quickly be revealed once a bank reconciliation is performed. Electronic payment abusers will not want to be caught so easily. Electronic payments then become the instrument through which another fraud is easily liquidated. That could be any of a number of payroll or accounts payable frauds: any fraud in which an excuse is invented to justify a payment that appears to be sent to one bank account but is actually sent to another.

A typical variation of a ghost employee payroll fraud works as follows: A company pays its employees’ salaries through electronic transfers. A weekly employee leaves the company. The payroll processor decides to leave the ex-employee on the payroll for another week or two. When executing the electronic payments, the processor changes the ex-employee’s bank account number to his or her own bank account. After a week or two, the abuser removes the departed employee from the payroll and replaces him or her with another who is leaving. When printing the payroll electronic payments for internal control purposes, the abuser will make sure to keep the ex-employee’s name on the document. The real name will not be noticed among a list of hundreds, perhaps thousands, of names on the payroll. A very cautious abuser will change the bank account number back to what it should be, but most will not bother, since the risk of someone recognizing an incorrect account number is virtually nil.

One of the few ways this type of electronic fraud can be revealed is through the use of number sorting programs. Known in the internal auditing profession as data mining programs, they serve to compare thousands of bank account numbers to which electronic payments have been made with the accounts to which they should have been paid. Unfortunately, many payment systems keep a record of electronic transfers for one month only. After one month, the record of the fraud disappears forever.

· Timely bank account reconciliations.

· Separation of duties. Separate payroll and accounts payable processors from electronic payment processors. Separate bank account reconcilers from electronic payment processors.

· Change of responsibilities. Change electronic payment processors at least once a year.

· Focus regularly on the electronic payment process with internal audits.

· Negotiate with your bank to keep electronic payment records for two years. If this is not possible, consider installing an IT program that duplicates electronic payment executions.

· High-level finance (CFO, Controller, Treasurer) second password authorization of electronic payments.

· Normally electronic payments are processed in batches. Before authorizing electronic payments, the second password holder should insist on seeing each transaction. He or she should insist that each transaction has source documents attached. The idea here is that the finance executive should treat electronic payments exactly as he or she used to treat cheques.

· Make sure electronic payment processors take their vacations.

Cheques are vulnerable to abuse through signature forgery. However, a cheque is a physical document that is visible at first glance. Not everyone is an expert forger, and if they were, there is a high risk that their forgery would be seen by someone. An electronic bank transfer is a virtually invisible transaction that provides a very low-risk opportunity for a processor eager to abuse it.

Thursday, June 01, 2006


Diarmuid (Der) A. Hurley MBA, CrFA, CFE

Fraud Auditor

Sullivan Miranda, S.C.

Mexico City

52-722-2751392

dhurley@smiranda.net

Dr. David Boyd, CPA, CMA, CFM, CFE, CrFA

Professor of Accounting and Finance

Jacksonville University

Jacksonville, Florida 32211

(904) 256-7925

Sarbanes Oxley Act - Section 404

Effective Internal Controls? or Overriding Internal Controls?

The principal objectives of the U.S. Sarbanes Oxley Act (SOX) are twofold. The first objective is to minimize the possibility of financial statement fraud occurring within publicly traded corporations. The second objective is to minimize the possibility of external auditors endorsing falsified financial statements.

SOX focuses on four areas: corporate governance, regulating external auditing, confidential reporting of financial statement fraud by employees and internal control over financial reporting. The principal corporate governance mandate calls for strengthening the powers of audit committees (AC) through measures such as having the external auditors report to the AC chairperson as well as mandating CEOs and CFOs to sign off on quarterly and annual financial statements. Regulating the external auditor revolves around the creation of the Public Company Accounting Oversight Board (PCAOB) and mandating that companies hire external auditors to provide one service only, the yearly external audit, as opposed to providing multiple services such as audit, consulting and tax services. The principal SOX measure on confidential reporting of financial statement fraud mandates public companies to make confidential reporting mechanisms available to all employees. Section 404 of SOX addresses internal control over financial reporting. Management is charged with the responsibility of conducting an annual assessment of the design and operating effectiveness of internal controls over financial reporting. The external auditor is required to audit and report annually on the effectiveness of these controls.

Most occupational fraud experts agree that the SOX corporate governance, regulation of external auditing, and confidential reporting mandates go a long way toward deterring financial statement fraud. Compliance with SOX Section 404 has, however, caused a great deal of controversy. According to Ronald Kruszewski, CEO of Stifel Financial Corporation, “Section 404 is a case study of unintended consequences. The spirit of what Sarbanes-Oxley intended to do, which was to create greater accountability, has morphed into a very detailed, very cost prohibitive, very ineffective bureaucracy.”[1] CEOs and CFOs of publicly traded companies have been on the defensive, reluctant to speak out. More and more executives are, however, asking if SOX Section 404 has turned into an expensive emperor with no clothes. When SOX was introduced in 2002, the U.S. Securities and Exchange Commission (SEC) forecast an average cost of around $90,000 per company for each annual review of internal control over financial reporting. According to CRA International in their Spring 2005 survey, the average cost for larger companies (market capital $700 mil +) during the first year of Section 404 compliance was $8.5 mil.

The key words of Section 404 are: internal control over financial reporting. External audit firms appear to interpret the words to refer to internal controls in general. The CRA study cited above found external auditors reviewed on average 669 internal controls within audited companies, including controls on petty cash, travel expense and other relatively minor line items. Reviewing internal controls is an excellent idea if the objective is to minimize the risk of occupational fraud occurring within a particular area. Reviewing internal controls, however, has little or no value if the objective is to prevent financial statement fraud. Financial statement deception is not a result of defective internal controls. Financial statement fraud is a result of management override of effective internal controls already in place. The internal controls in place at Enron and WorldCom were effective. Most of the financial reporting at both companies was correct. The problem was that management overrode internal controls in order to carry out periodic and selective financial statement falsifications. The issue is not the risk of a breakdown in internal controls; the issue is management override of effective internal controls already in place.

Imagine for a moment that SOX was initiated prior to the WorldCom bankruptcy. Based on current experience, the external auditors at WorldCom would have interpreted Section 404 to mean a thorough review of all internal controls. The external auditors would likely have found that the WorldCom internal controls were effective. Section 404, as currently interpreted, will not prevent another Enron or WorldCom. The emphasis should not be on the risk of fraud occurring. The emphasis should be on the detection of financial statement cheating that has occurred. External audit firms should consider including a financial statement fraud audit as the principal component of their review of the effectiveness of internal controls over financial reporting. Such an audit would greatly improve the probability of detecting irregularities in the books. A review of internal controls without a fraud audit may raise red flags that financial statement fraud could occur, but it gives no indication that such a fraud has occurred.

A financial statement fraud audit is much less time consuming than a full internal control review and it requires fewer auditors to carry it out. The cost of a financial statement fraud audit would be much closer to the original SEC estimate of an average of $90,000 per company for Section 404 compliance.

Financial Statement Fraud Audit

Occupational fraud is likely to occur when four elements come together in the mind of the fraud perpetrator: pressure, rationalization, opportunity and a perception of impunity. Financial statement deception is an occupational fraud. Only the highest level employees, however, have the opportunity to carry it out. They are in a position to order a subordinate to post false accounting entries. CEOs and CFOs can come under tremendous pressure to get positive results. They can rationalize to themselves that their deception is buying time to ultimately save the company from financial ruin. (Things will get better in the future. Things will turn around.) Or, as is often the case, buying time to provide themselves with financial gain through selling off their own shares in the company. Anyone in a top management position is vulnerable. Perhaps the straw that breaks the camel’s back is the final element. The perception that they can get away with it sometimes comes with the office. A certain sense of omnipotence develops.

Fraud has always been a difficult issue. No amount of internal controls will stop the resolute executive bent on deception from accomplishing his mission. Measuring the risk that management override could occur is effective only in providing direction to a financial statement fraud audit. Imagine for a moment that external auditors find the CEO is an arrogant, dictatorial type and the company being audited is going through some difficult times. Consequently, the external auditors report to the AC Chairperson that the “tone at the top” leaves much to be desired and there is a high risk that the CEO may practice financial statement fraud. The AC Chairperson is likely to reply, “I understand the risk, but is the CEO actually practicing financial statement fraud?” The AC chairs do not want to hear suppositions; they want hard facts . . . . concrete evidence.

People tend to shy away from the word “fraud.” The topic is embarrassing, perhaps due to all of us practicing deception at one time or another in our lives. Occupational fraud can range from something as inconsequential as deliberately taking a pencil home from work to the massive consequences of the financial statement deception at Enron and WorldCom. External auditors, like everyone else, tend to keep the “fraud” word at bay. However, they are deceiving themselves if they think that a review of internal controls will mitigate the risk of a major financial statement deception occurring in the future. If they continue to focus only on internal controls, external audit firms must accept a high probability of being sued by angry stakeholders when financial statement fraud that escaped their detection is revealed.

The standard audit of a company’s financial statements verifies the fair presentation of the data and compliance with Generally Accepted Accounting Principles (GAAP). Searching the financial data for anomalies, deviations from the norm, and outliers seems to have become a lost art among external auditors. The external auditors need to explore the possibility of management override of internal controls. They should consider the need to conduct a financial statement fraud audit. The fraud audit involves requesting all the financial statements and footnotes from management for several years. The financial statements would not be the standard reports compiled for issuance to the public. These contain too many opportunities for concealing fraudulent numbers in summary totals and lengthy footnotes. Instead, the auditor should receive and work with the detailed financial information prepared for management decision makers. The auditor should then perform a vertical and horizontal analysis of the numbers including calculation of appropriate ratios. Special attention should be given to the footnotes. A similar analysis should be conducted on quarterly financial statements. The extent of the audit would be dependent on the degree of risk perceived by the auditor. The auditor’s perception of the “tone at the top” would weigh heavily in determining the extent of the financial statement audit.

Current technology permits maintenance of financial data in spreadsheet form. As a result, most companies maintain their records in a standardized format that is easily transferred into a worksheet for analysis and generation of internal reports. The input of the data could be carried out by junior members of the audit team. It should be a short, easy step to “copy/paste” the data into an auditor-generated worksheet using a template to maintain consistency in form. Subroutines could be created to generate vertical and horizontal analyses, ratios, and graphs as the data is entered. Based on this initial “standard” output, further analysis could be generated on line items deemed critical to the audit.
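A sketch of the subroutines described above, as an added example (not the authors' worksheet). The line items and figures are constructed, and flagging a line item when its change diverges from the change in revenue by more than 15 percentage points is an assumed rule chosen for illustration.

```python
# Constructed figures (in thousands) for three consecutive periods; not real data.
STATEMENTS = {
    "Y1": {"revenue": 1000, "cost_of_sales": 600,
           "operating_expenses": 250, "receivables": 150},
    "Y2": {"revenue": 1100, "cost_of_sales": 660,
           "operating_expenses": 275, "receivables": 165},
    "Y3": {"revenue": 1155, "cost_of_sales": 693,
           "operating_expenses": 220, "receivables": 231},
}


def vertical_analysis(statement, base="revenue"):
    """Express every line item as a percentage of the base line item."""
    return {item: round(value / statement[base] * 100, 1)
            for item, value in statement.items()}


def horizontal_analysis(previous, current):
    """Percentage change of every line item from one period to the next."""
    changes = {}
    for item, value in current.items():
        prior = previous.get(item)
        # A line item that is new, or was zero, has no meaningful percentage change.
        changes[item] = round((value - prior) / prior * 100, 1) if prior else None
    return changes


def flag_anomalies(statements, base="revenue", threshold=15.0):
    """Flag line items whose change diverges from the change in the base item.

    threshold is an assumed cut-off in percentage points. Returns
    (period, item, item_change, base_change) tuples; each is a question
    to put to management, not a finding of fraud.
    """
    flags = []
    periods = list(statements)  # relies on the periods being in chronological order
    for prev, curr in zip(periods, periods[1:]):
        changes = horizontal_analysis(statements[prev], statements[curr])
        base_change = changes[base]
        for item, change in changes.items():
            if item == base:
                continue
            if (change is None or base_change is None
                    or abs(change - base_change) > threshold):
                flags.append((curr, item, change, base_change))
    return flags


if __name__ == "__main__":
    for period, statement in STATEMENTS.items():
        print(period, "vertical:", vertical_analysis(statement))
    for flag in flag_anomalies(STATEMENTS):
        print("explain:", flag)
```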

After the data is assembled in the worksheet in a standardized form, analysis of it is limited only by the imagination and needs of the analyst/auditor. The analysis of the output should be carried out by a diligent senior auditor experienced in reviewing financial statements and interpreting the changing numbers and ratios. Ultimately, there is no substitute for the human factor. Knowledgeable interpretation of the output is vital to success in detecting fraud. Perhaps the operative term to apply to the fraud audit would be vigilance. Auditors, both senior and junior, should be ever alert and wary. When line item increases or decreases do not make sense, explanations should be solicited from the appropriate management. Their answers should be combined with examination of the accounting records and source documents. If this does not satisfy the auditor, he or she should consider conducting a financial statement fraud assessment interview. Interviews should first be carried out with lower level financial employees who posted or approved questionable accounting transactions. The questionable transactions and initial interviews may indicate the need to conduct further interviews with higher level management, all the way to the top if necessary. The financial statement fraud assessment interview phase is critical. Interviewers must be experienced accountants, but they also need to be experienced fraud assessment interviewers.

A capable, high level manager, intent on committing fraud, will search for ways to beat the financial statement audit program. When collusion occurs, as was the case with Enron and WorldCom, no amount of internal controls can prevent the commission of a crime. Financial statement fraud audits conducted at regular intervals should, however, detect deception and minimize the damage caused by an unprincipled executive. External auditors should keep the audit program flexible and unpredictable. They could consider, for example, asking management for up to ten prior periods of financial statements and footnotes. The extent of the actual analysis could vary over time and would depend on the risk perceived by the auditor. For any given audit year, analysis might begin with the most recent three years. If examination of the results raises unanswered questions, the analysis can be extended to cover whatever time period is deemed necessary.

Conclusion

External auditors currently interpret SOX Section 404 to mean a thorough general review of internal controls. Section 404 could, more appropriately perhaps, be interpreted as a review to determine if top management has overridden existing, effective, internal controls. The cost of the latter to the audited company is only a fraction of the cost of an extensive audit of internal controls. Revival of the lost art of financial analysis through a financial statement fraud audit would satisfy SOX 404 and be much more cost effective.




[1] Excerpt of statement to the St. Louis Post-Dispatch, printed on Wednesday, Jan. 26, 2005.

Monday, May 22, 2006

The 2002 U.S. Sarbanes-Oxley Act

Will it work and how does it affect Mexico?

By: Der Hurley MBA, CrFA, CFE

Most large corporations need the investing public to provide them with financing. Their shares are bought and sold in stock markets. The investing public will buy shares they think will bring the highest return. The value or price of a share is determined by how a company is doing at a given moment. Entities produce financial statements to inform the public how they are doing. Companies that offer their shares for sale to the public are mandated by law to hire an external auditing company to independently certify that their financial statements are true. U.S. stock exchanges are popular places for selling shares. Why? The U.S. is a wealthy country and one in every two U.S. adult citizens trades in stock markets. Most major multinationals of the world sell their shares in the U.S., including major Mexican based corporations. The U.S. share market is very competitive. There is tremendous pressure on companies to increase or at least maintain the price of their shares. They do this by putting their best face forward. People who are trying to sell themselves in an interview or on a date will dress or apply make-up to kill. So too can companies trying to sell their shares. The financial statements corporations produce to support their share price may range from the whole truth to a pack of downright lies. In the U.S. the regulatory body that oversees the public share market is the Securities and Exchange Commission or SEC for short. The SEC exists to oversee that all financial statements presented by share offerers to the U.S. public are not a bunch of lies. The 2002 Sarbanes-Oxley (SOX) Act extends the SEC’s regulatory powers. SOX was born out of a crisis just as the SEC itself was. The SEC was created soon after the Wall Street Crash of 1929. SOX was passed soon after the crashes of Enron, WorldCom and the external auditing company Arthur Andersen. Towards the end of the last decade some large U.S. based multinationals began to experience financial difficulties.
Most rode the storm and reported the difficulties within their financial statements. A few decided differently, including Enron and WorldCom. Both companies produced false financial statements to cover up their financial woes. Enron and WorldCom deceived their outside auditors Arthur Andersen into thinking they were making profits when in fact they were losing money heavily. Once Enron and WorldCom got past their auditing gatekeepers they were able to deceive the SEC and the whole world. When the truth eventually came out, their share prices plummeted and both corporations went into bankruptcy. Arthur Andersen was barely recovering after Enron when WorldCom came along. WorldCom was Arthur Andersen’s deathblow and they too disappeared. Thousands lost their jobs. Millions lost their investments. The sheer scale of public outrage prompted the U.S. Congress to introduce the SOX Act.

Will SOX Work?

In the early 1930s the SEC was created to protect the U.S. public from corporations and individuals that deliberately lie in order to attract investors. At that time the U.S. investing public cried out for a gatekeeper institution that would minimize the risk of their investing in fraudulent projects. The challenge for the SEC is that most investment projects that eventually turn fraudulent start out honestly. The most notorious investment fraud scheme of all, the infamous Ponzi scheme, started life in good faith. Charles Ponzi was an impoverished Italian post-World War I immigrant to the U.S. when he saw an opportunity that he genuinely thought was worth investing in. After the First World War, some European countries began issuing and selling postage stamps to finance reconstruction. Mr. Ponzi began buying and selling stamps. He initially turned a profit so he invited outside investors to participate. He promised huge short-term returns that he genuinely believed he could pay. The postage stamp business soon turned sour and Mr. Ponzi found himself in trouble. Rather than informing his investors that he could not meet his obligations he decided to pay them off. In order to get money to pay the initial investors, Mr. Ponzi found more investors, promising even higher returns. The new investors saw Mr. Ponzi paying huge dividends to the first investors so they thought they were onto a good thing. Many of the initial investors reinvested. Soon Mr. Ponzi forgot all about the postage stamps and concentrated all his efforts on persuading people to invest in nothing for huge returns. It went on and on, new investors paying off previous investors and also, of course, paying for Mr. Ponzi’s fabulous new lifestyle.

Since the SEC was founded, two tools have been relied upon to achieve the objective of preventing people like Ponzi from soliciting investment funds from the U.S. public. The principal tool was that corporations were mandated to contract independent external auditors to verify whether or not their financial statements were true. A secondary tool was that the same corporations were required to send their quarterly and annual financial statements to the SEC. The system worked well. The U.S. economy grew by leaps and bounds. Most companies selling their shares through the U.S. stock markets were honest. Naturally there were exceptions. The SEC could not be expected to be 100% effective.

Then came Enron and WorldCom. The problem was not only the scale of the debacle. Another major issue was that Enron and WorldCom easily surmounted the principal SEC safeguard - independent assessment of the financial statements by the external auditors. There was a strong perception within U.S. public opinion that not only did Enron and WorldCom succeed in duping Arthur Andersen but they actually succeeded in co-opting the external auditors on board their fraudulent schemes. Forensic accountants and fraud examiners combed through Enron and WorldCom. They discovered the relationship both companies had with Arthur Andersen was altogether too cozy. The external auditing company was providing both Enron and WorldCom with all sorts of services that had nothing to do with the external audit. It was then perfectly legal for the external auditors to provide extra services to their clients. Something had to be done about this.

SOX attempts to address the ‘duping/co-opting’ issue through mandating external auditors to limit their services to each client to external auditing or other services but not both. Differently expressed, an external auditing company providing external audit services to a public corporation cannot provide other consulting services to the same client. Through this measure, SOX attempts to limit the commercial relationship between a publicly quoting corporation and its independent external auditors. It limits the commercial relationship but it does not avoid it. A corporation still has to pay an external auditing company to perform the audit. Some would argue that as long as the external auditors continue to have a commercial relationship with the company being audited they could never be truly independent.

Another issue highlighted by the Enron and WorldCom financial statement frauds was that their CEOs cried ‘I did not know this was going on, I really thought our company was in great shape’. They tried to blame it all, at least initially, on lower-level employees. We all know what any good accountant is likely to say when asked what is two plus two - what would you like it to be is the half joking, half real reply! The moral of the story is that an accountant will declare that two plus two is equal to ten, only when requested to do so by the boss. SOX addresses the ‘no clue what was going on’ syndrome through mandating all CEOs and CFOs to sign off on their quarterly and annual financial statements sent to the SEC. SOX mandates heavy jail time for signing off on falsified financial statements. However, there is no doubt that we will see in the future a CEO claiming the defense ‘I know I signed off on those financial statements but I was told by our financial people everything was okay.’

It is a commonly held belief that the financial statement fraud that occurred in Enron and WorldCom was due to weak internal controls. This is a myth. The internal controls over financial reporting in place in Enron and WorldCom were fine. What occurred at both companies is that top management overrode the internal controls. They put the internal controls to one side and went about their shenanigans. Fraud is more likely to occur in a company with weak internal controls. This statement is true for all frauds other than financial statement fraud. Internal controls over financial reporting will only function well in preventing financial statement fraud if allowed to by top management. The perpetrators of financial statement frauds are in a position to command their subordinates to ignore internal controls. SOX addresses the supposed weak internal control issue by mandating all publicly quoting companies to perform a yearly review of their internal controls over financial reporting. SOX further requires the external auditor’s certification of management’s review. Will this SOX measure be effective in preventing financial statement frauds in the future? As a forensic accountant and fraud examiner I am convinced that it will have little or no effect. I said above that occasionally corporations present financial statements that are a pack of lies. That is not quite true. What I should have said was - the final profit figure they come up with can be a huge lie. What occurred at Enron and WorldCom was that top management decided to manipulate a few accounts in order to come up with the final results they required. It was a bit like asking the accountants one hundred times what is two plus two. Ninety nine times out of the hundred they came up with four as the correct answer. Once in a hundred times they came up with ten as the false answer. Within Enron and WorldCom most of the financial reporting was done correctly. Consequently, the internal controls over financial reporting had to be functioning correctly. That little part of the financial reporting that was falsified and that had such enormous consequences was not a result of poor internal controls. It was a result of top management overriding the adequate internal controls in place in order to manipulate a limited number of accounting entries. With the internal control review mandate, SOX is trying to fix something that isn’t broken. The issue should not be the internal controls over financial reporting. The issue should be corporate governance and top management’s override of internal controls already in place. Apparently, there are thousands of public corporations currently spending millions of dollars in reviewing their internal controls over financial reporting. They are spending further enormous sums in paying their external auditors to review their review.

SOX does attempt to address the corporate governance issue through requiring the external auditors to report to the audit committee rather than top management. This sounds like the audit committee is being given some teeth at last. But who controls the audit committee’s budget? Will the CFO continue to control the cheques going out to the external auditors? In practice, the outside auditors will still have to deal mainly with the finance area for the day-to-day operation of the audit.

Another attempt to address the management override issue is the SOX mandate to all publicly quoting companies to allow their employees the opportunity to access a confidential fraud reporting mechanism. The SOX measure requires the confidential reporting mechanism, also known as a fraud hot-line, to be overseen by the audit committee and not top management. The thinking behind this measure is – would one or more of the lower-level employees at Enron and WorldCom have blown the whistle sooner if they had the opportunity? I am convinced they would have. Most accountants resent it when asked by their boss to declare two plus two is equal to ten. Many would jump at the opportunity to report the behaviour confidentially. The eventual whistle-blowers at WorldCom were their own internal auditors. Although they, like their external counterparts, are frequently seen as the enemy, the internal auditors at WorldCom were tipped off by a lower-level financial employee. Studies conducted by the Association of Certified Fraud Examiners consistently show that fraud hot-lines are the most effective means of discovery of all types of fraud, not just financial statement fraud.

Under current corporate governance practice the chief internal auditor reports to the CFO or CEO. It was a miracle at WorldCom that the internal auditors eventually blew the whistle. The last decades have seen large corporations eliminating or downsizing their internal audit function. The U.S. investing public would have been well served if SOX mandated all public corporations to have an internal audit area. It would have been doubly well served if SOX mandated the head internal auditor to report directly to the chairperson of the audit committee. Then the internal auditors would be really looked upon as the enemy. Maybe after Enron, WorldCom and Arthur Andersen that would not be such a bad thing.

SOX FALLOUT IN MEXICO

SOX applies to all Mexican corporations that quote their shares in the U.S. or are subsidiaries of any corporation that quotes its shares in the U.S.

When SOX first appeared some non-U.S. based multinationals immediately cried foul. Many European commentators complained the U.S. was attempting to breach their sovereignty through the application of an extra-territorial law. It was quickly pointed out to European corporations that if they wanted to enter the U.S. to look for financing they would have to abide by U.S. laws protecting that financing. The extra-territoriality issue has recently been brought to the fore in Mexico as a result of the SEC investigation into TV Azteca. Newspaper columnists have questioned the SEC’s right to investigate the Mexico City based conglomerate. The SEC’s reply is that TV Azteca quotes in the U.S. stock market. The SEC is actually not looking at the dealings of TV Azteca. Rather, it is looking at one deal carried out by TV Azteca’s president Ricardo Salinas. By questioning the deal, the SEC states it is looking after the interests of TV Azteca’s minority shareholders.

SOX mainly addresses financial statement fraud such as that which occurred at Enron and WorldCom. However, the TV Azteca case does not involve financial statement fraud at all. It would be better described as a conflict-of-interest fraud. The key points of the case appear to be as follows:

- TV Azteca owns some 45% of a telecommunications company called Unefon.
- Unefon owed some U.S. $325M. to Canadian based communications equipment supplier Nortel.
- Unefon claims to have financial difficulties and cannot pay Nortel.
- Nortel finally agrees to accept U.S. $107M. to liquidate the debt.
- Unefon now claims it cannot pay the U.S. $107M.
- TV Azteca president Ricardo Salinas and Unefon president Moises Saba form a U.S. corporation called Codisco.
- Codisco pays Nortel U.S. $107M.
- Unefon pays Codisco U.S. $325M. for services rendered.
- Messrs. Salinas and Saba, apparently, make U.S. $109M. each on the deal.

No criminal charges have yet been brought against anyone. The Mexican financial authority the Comisión Nacional Bancaria y Valores (CNBV) is currently investigating. The SEC alleges Mr. Salinas and Mr. Saba defrauded Unefon of some U.S. $218M. Many have asked in Mexico what business is that of the SEC’s? The SEC’s reply is that it is their business because TV Azteca is a 45% shareholder in Unefon and TV Azteca quotes in the U.S. stock market. The SEC claims that TV Azteca’s minority shareholders were damaged by the deal. The SEC has informed Mr. Salinas he has to pay damages to TV Azteca and a fine to the SEC. Otherwise, Mr. Salinas would be banned from executive office in any corporation that sells its shares in the U.S.

Salvatierra - Land of Lincoln

By: Der Hurley MBA, CrFA, CFE

January 2006

Immigrant remittances are a significant factor in Mexico’s economy. Last year immigrants sent some 20 billion dollars back to loved ones in Mexico. Figures for 2006 are expected to be around $25 billion. Remittances are now second only to oil exports and well ahead of tourism in foreign exchange earnings. Many families in the states of Zacatecas, Michoacan, Oaxaca and Guanajuato rely heavily on remittances sent by relatives living in the U.S.

They say there are more Guanajuatenses in the U.S. than there are in Mexico. The municipios surrounding Salvatierra in southern Guanajuato have the highest immigration records. It is a fertile area, rich in agriculture. Perhaps this explains the exodus. Agriculture, no matter how rich, seems to produce but not hold on to large populations. Salvatierra is a pleasant colonial city, not unlike San Miguel de Allende located to the north of Guanajuato state. It is ironic but there is U.S. immigration to Guanajuato. Foreigners are mainly located in and around San Miguel which has a population of about 90,000. Around 15,000 are mainly from the U.S. and Canada. Immigrants to Guanajuato make up in prestige what they lack in numbers. Antonio Banderas and Melanie Griffith keep a home near San Miguel. Perhaps it is not so ironic in this day and age of fast communications and fast travel that young Guanajuatenses go to the U.S. to earn a living while older U.S. citizens retire to Guanajuato.

Salvatierra has some fine 16th and 17th century churches. There is a beautiful 17th century bridge that’s still in use. The bridge leads to a park that overlooks waterfalls on the fast flowing Rio Lerma. However, you do not see many foreign travelers in Salvatierra. Tourists or no, Salvatierra is a busy place. What stands out is returning immigrants and their vehicles. Texas trucks and cars from Illinois. Lincoln’s face looks out from most U.S. number plates. Many of the vehicles with Guanajuato plates are legalized immigrant imports. I have heard many people speaking Spanish in New York, Los Angeles and Miami and found it perfectly normal but I was taken by surprise hearing young people conversing in English in Salvatierra. Probably kids of immigrants going home to see the grandparents - feeling more comfortable speaking English, the language they went to school in.

Vicente Fox is a Guanajuatense. He was governor of the state prior to his election as Mexico’s president. When he was governor he founded a state organization that aids Guanajuato immigrants. The Atención al Migrante office in Salvatierra is coordinated by Octavio García. Octavio tells me Salvatierra has a 30% immigration level. Some nearby municipios like Ocampo and Santiago Maravatio have levels of 50% plus. Octavio reckons 80% of all immigrants from Guanajuato are male. It used to be 100% male. More and more younger girls are now immigrating. This leads to a growing female exploitation problem along the Mexican side of the border. For the males the main objective is to support the wife and kids left behind. But time and distance sometimes skew that objective. The main focus of the Atención al Migrante office is to attend the relatives left behind rather than the immigrants themselves. A growing problem is household violence when men return. A much smaller but also growing problem is the HIV virus. Settled immigrants in Illinois can sometimes send their problem kids back to the grandparents for straightening out in Guanajuato. Octavio García perceives the reverse occurs - problem kids introduce gang violence and drug consumption to remote rural communities.

Most first time immigrants from south Guanajuato are illegal. An enganchador - a local facilitator and representative of the border coyote gangs, gathers a group of individuals together in a rural community. The Mexican immigration service, the Instituto Nacional de Migración, calls the people smugglers polleros - chicken runners. The group of about ten or twelve individuals will frequently be told to gather at a certain date at the bus station in Celaya or Queretaro where the enganchador will be waiting for them with their one-way tickets to Nogales, Ciudad Juarez or Reynosa. There, the border coyotes pick them up and take them to a local hotel. The total cost to cross illegally and get to their final destination varies from $2,000 to $3,000 dollars per person one way. A hefty price for a kid whose main reason for undertaking the hazardous journey is to earn money. However, illegals pay in stages. They will first pay for the ride from their hometown to Queretaro. Then pay the bus ticket Queretaro-Mexican border city. Then the hotel at the border town. More and more frequently the polleros decide to bus their groups to a smaller border town in the desert. This means further expense for the illegals in another hotel. Many illegals have to work their way across - most of the young first-timers will not have two to three thousand dollars to get them to Chicago or Atlanta.

Due to increased U.S. side border vigilance illegally crossing is becoming more and more expensive - and dangerous. The coyotes have to decide whether to take the safe route near population centers where the risk of getting caught is higher, or take the desert route where the risk of at least some of their group losing their lives is greater. If the coyotes themselves get caught, they don’t get deported, they get jail. More and more they opt for the desert route. When crossing time comes and the illegals are faced with the enormity of the task before them, they have little choice but to move ahead as they are by now deep in debt to the coyotes. Octavio García, the Atención al Migrante coordinator in Salvatierra, reports what he perceives to be a disquieting trend. Illegal immigrants call his office from U.S. jails claiming they are serving time falsely accused of being coyotes. The story goes that the entire group is caught. The real coyote pretends to be just another illegal. He, frequently a good English speaker, ingratiates himself with the Border Patrol. He falsely accuses a non-English speaking illegal of being the coyote. The would-be illegal immigrant goes to jail. The coyote gets deported and lives to fight another day.

Everywhere you go in South Guanajuato you meet immigrants who have their fascinating story to tell. Like 22 year old Armando Montes who cleaned my sneakers in the Jardín of Salvatierra. Six years ago Armando made his first and last attempt to get in to the U.S. He crossed the Rio Bravo near Laredo along with nine others, including a coyote. Armando reckons the coyote was inexperienced. He allowed another one of the group to play his Walkman while crossing the river at night! They got to the other side okay and Armando began to relax a little. The then sixteen year-old allowed himself the luxury of thinking he might possibly succeed in getting as far as Atlanta. There his cousins had set-up a successful house painting business. Three days into the U.S. disaster struck. The Migra picked up eight of the group in San Antonio, including Armando and the inexperienced coyote. Armando was back in Mexico the following day. The Walkman player was one of the two who made it. I asked the would-be Atlanta house painter how much he charged for the shoeshine. Armando replied - whatever I thought was appropriate.

Vicente Zepeda left San Nicolas de Los Agostinos when he was twenty years old. San Nicolas is a rural community located close to Salvatierra. Vicente Zepeda immigrated to Moline, Illinois. It was tough at the beginning. He got the odd laboring job. After a while he got regular work and began sending money home to his parents. He saved enough to rent a shop selling Mexican food products. By now there was a huge Mexican population in Moline. They cried out for real tortillas, Mexican cheese, genuine sauces and a variety of chilies. Vicente now owns a chain of stores called La Imperial. In Guanajuato the governor initiated a program called Dos por Uno. For every peso an immigrant would put into a social program, the state government would invest a peso and the municipal government another peso. February 2005 Governor Romero inaugurated a badly needed health clinic in San Nicolas. Vicente Zepeda returned home for the first time in twenty eight years to be at the ceremony. He had contributed some $40,000 dollars towards the construction. The governor asked him to say a few words. Vicente went to the podium but no words came, only tears.

In 1550 the Augustinians built an awesome fortress-like church to dominate the local people around Yuriria. The magnificent monastery still dominates Yuriria to this day. The same Augustinians engineered a huge lake nearby. Strange bunch the conquistadors! They drained a beautiful natural lake in Tenochtitlan/Mexico City and they created a shabby, artificial one in Yuriria. Maybe it wasn’t back then but it’s pretty shabby today. Coca-Cola and Pepsi would be swamped if they organized a return of their plastic bottles. Neither the lake nor the church draws many tourists to Yuriria these days. Yuriria is better known for the travelers that leave.

Rafael Cisneros is known to all in Yuriria as Don Rafa. He looks older than he is. Don Rafa has been through some tough battles trying to make a living. He first entered the U.S. illegally when he was 18. Since then he has come and gone many times. No coyotes for Don Rafa, he believes in doing things himself. He almost died after spending three freezing nights in the desert near Yuma, Arizona. The longest he held down a job was for four years as a maintenance man in a Chicago golf course. He earned twelve dollars an hour there. In one of his returns to Yuriria he married Doña Socorro. While in Yuriria he and Socorro worked a mobile taco stand. In 1985 Don Rafa availed of an amnesty and received a U.S. green card. He traveled to Alaska and worked processing fish at twenty five dollars an hour. Coming and going. Off to the U.S. for a few months, back to Mexico for a few months. Come 1990 his wife put the foot down. By now they had six children. Sink or swim, Don Rafa was back to Yuriria for good. They moved their tacos to a permanent location on the road out of Yuriria towards Morelia. Though roofless, it was a good spot. They began to bring in about five thousand pesos a day. Don Rafa bought a plot of land and built a house. About eight years later disaster and salvation came calling the same day. Disaster in the form of the local municipal authorities informing the road needed widening. The Cisneros would have to move on. Salvation came a few hours later while Rafa sat dejected at one of his open-air tables. An individual came to eat and told Don Rafa he had a big site for sale about a half-kilometer up the road. Don Rafa went to see it and immediately decided to mortgage his home for a bank loan. He moved the open-air kitchen, tables and chairs to the new place. The first day he brought in fifteen thousand pesos! When he lay down to sleep that night Don Rafa made two promises to himself. The first was that one day he would employ a hundred people. The second promise; he would never return to the U.S.

The next step was to put a roof over the tables. Then came the construction of a hundred and twenty table restaurant. Next a twenty-four bedroom hotel on two floors over the restaurant. Then the construction of a salon-de-fiestas behind the restaurant. Don Rafa is currently building another restaurant down by the lake. Right now he employs about 50 people, including his six kids. Don Rafa hired a professional accountant to administer the business as well as a professional restaurant manager. They need the accountant. When I checked out of the hotel I asked Doña Socorro for an invoice. She looked around a little embarrassed and whispered she did not know how to prepare one. She said the accountant was not in but she could give me the invoice block so I could prepare it myself!

Doña Socorro and her kids have vacationed many times in the U.S., mostly visiting relatives in Illinois. They tried to persuade Don Rafa his promise was no longer binding. Last year he vacationed in Cuba. The year before he went to Cancun. The year before that Puerto Vallarta. He plans to travel to Canada this year. Don Rafa is a man of his word; he intends to keep both promises he made to himself that fateful night.

Santiago Maravatio has the highest per capita immigration rate of all the municipios of Guanajuato. In spite of that, or perhaps because of it, there is an air of prosperity about the place. The fields surrounding the town all seem to have electric pumps providing water for irrigation. You see in and around Santiago Maravatio something rare in rural Mexico - tractors. Adolfo Sanchez left for Wheeling, Illinois when he was seventeen years old. Adolfo did okay for himself. He initially stayed with relatives and did part-time work. He soon got regular night-shift work at a Honeywell plant. He made enough money to rent his own apartment and buy a car. When he was twenty seven years old Adolfo got engaged. Jennifer Wiedemann was a twenty year old classical piano player and live-in nanny at the home of one of Adolfo Sanchez’s wealthy relatives in Wheeling. Adolfo visited his uncle’s place often. The couple got to know each other and decided to marry. But a few months later Jennifer called off the arrangement. She returned the engagement ring to Adolfo. He spent a couple of days trying to persuade her back. She was adamant. In the early hours of September 22, 2001 someone with a key entered the house where Jennifer worked, went down to the basement and shot her dead while she slept. A blood stained shotgun was found in Adolfo’s apartment and his abandoned car was found a few days later in Milwaukee. Local authorities believe Adolfo fled to Mexico.

María del Carmen Cardoso left Salvatierra when she was eighteen. Carmen is not her real name. She did not want her actual name published out of fear of getting booted out of the Phoenix university where she is currently studying law. She found a novel and safe way of entering the U.S. illegally. She traveled to Puerto Peñasco, Sonora where her aunt has a small hotel. Puerto Peñasco is located on the bridge of land connecting Baja California with Sonora, north of the Sea of Cortez. It is a beach resort little known in Mexico but well known in the U.S. state of Arizona. It used to be known as Punto Peñasco. Punto Peñasco’s English translation is Rocky Point. The beaches around Rocky Point are about a four hour drive from the two desert cities of Phoenix and Tucson. People from Phoenix go to Puerto Peñasco as frequently as people from Mexico City go to Acapulco. They are welcomed warmly by Puerto Peñascans despite sporadic outbreaks of trouble making, especially during Spring break. Many Arizonians have beach homes in the rapidly developing resort and many have immigrated there permanently. Puerto Peñasco’s population is about 100,000, around 8,000 of whom are U.S. immigrants. Carmen Cardoso found work cleaning the Puerto Peñasco beach home of a wealthy Arizona family. About a year later the parents asked her if she would like to become a nanny in their Phoenix home. Carmen jumped at the opportunity. One Monday morning she joined them in their minivan along with their three kids. There was a long line of RVs going through the border crossing at Sonoyta, Sonora and Lukeville, Arizona. The border authorities on both sides just waved the family through.