Thursday, June 01, 2006

Diarmuid (Der) A. Hurley MBA, CrFA, CFE

Fraud Auditor

Sullivan Miranda, S.C.

Mexico City


Dr. David Boyd, CPA, CMA, CFM, CFE, CrFA

Professor of Accounting and Finance

Jacksonville University

Jacksonville, Florida 32211

(904) 256-7925

Sarbanes-Oxley Act - Section 404

Effective Internal Controls? or Overriding Internal Controls?

The principal objectives of the U.S. Sarbanes-Oxley Act (SOX) are twofold. The first objective is to minimize the possibility of financial statement fraud occurring within publicly traded corporations. The second objective is to minimize the possibility of external auditors endorsing falsified financial statements.

SOX focuses on four areas: corporate governance, regulating external auditing, confidential reporting of financial statement fraud by employees, and internal control over financial reporting. The principal corporate governance mandate calls for strengthening the powers of audit committees (AC) through measures such as having the external auditors report to the AC chairperson, as well as mandating that CEOs and CFOs sign off on quarterly and annual financial statements. Regulating the external auditor revolves around the creation of the Public Company Accounting Oversight Board (PCAOB) and mandating that companies hire external auditors to provide one service only - the yearly external audit - as opposed to multiple services such as audit, consulting and tax services. The principal SOX confidential reporting measure mandates that public companies make confidential reporting mechanisms available to all employees. Section 404 of SOX addresses internal control over financial reporting. Management is charged with the responsibility of conducting an annual assessment of the design and operating effectiveness of internal controls over financial reporting. The external auditor is required to audit and report annually on the effectiveness of these controls.

Most occupational fraud experts agree that the SOX corporate governance, regulation of external auditing, and confidential reporting mandates go a long way toward deterring financial statement fraud. Compliance with SOX Section 404 has, however, caused a great deal of controversy. According to Ronald Kruszewski, CEO of Stifel Financial Corporation, “Section 404 is a case study of unintended consequences. The spirit of what Sarbanes-Oxley intended to do, which was to create greater accountability, has morphed into a very detailed, very cost prohibitive, very ineffective bureaucracy.”[1] CEOs and CFOs of publicly traded companies have been on the defensive, reluctant to speak out. More and more executives are, however, asking if SOX Section 404 has turned into an expensive emperor with no clothes. When SOX was introduced in 2002, the U.S. Securities and Exchange Commission (SEC) forecast an average cost of around $90,000 per company for each annual review of internal control over financial reporting. According to CRA International's Spring 2005 survey, the average cost for larger companies (market capitalization of $700 million or more) during the first year of Section 404 compliance was $8.5 million.

The key words of Section 404 are: internal control over financial reporting. External audit firms appear to interpret the words to refer to internal controls in general. The CRA study cited above found external auditors reviewed on average 669 internal controls within audited companies, including controls on petty cash, travel expense and other relatively minor line items. Reviewing internal controls is an excellent idea if the objective is to minimize the risk of occupational fraud occurring within a particular area. Reviewing internal controls, however, has little or no value if the objective is to prevent financial statement fraud. Financial statement deception is not a result of defective internal controls. Financial statement fraud is a result of management override of effective internal controls already in place. The internal controls in place at Enron and WorldCom were effective. Most of the financial reporting at both companies was correct. The problem was that management overrode internal controls in order to carry out periodic and selective financial statement falsifications. The issue is not the risk of a breakdown in internal controls; the issue is management override of effective internal controls already in place.

Imagine for a moment that SOX was initiated prior to the WorldCom bankruptcy. Based on current experience, the external auditors at WorldCom would have interpreted Section 404 to mean a thorough review of all internal controls. The external auditors would likely have found that the WorldCom internal controls were effective. Section 404, as currently interpreted, will not prevent another Enron or WorldCom. The emphasis should not be on the risk of fraud occurring. The emphasis should be on the detection of financial statement cheating that has occurred. External audit firms should consider including a financial statement fraud audit as the principal component of their review of the effectiveness of internal controls over financial reporting. Such an audit would greatly improve the probability of detecting irregularities in the books. A review of internal controls without a fraud audit may raise red flags that financial statement fraud could occur, but it gives no indication that such a fraud has occurred.

A financial statement fraud audit is much less time consuming than a full internal control review and it requires fewer auditors to carry it out. The cost of a financial statement fraud audit would be much closer to the original SEC estimate of an average of $90,000 per company for Section 404 compliance.

Financial Statement Fraud Audit

Occupational fraud is likely to occur when four elements come together in the mind of the fraud perpetrator: pressure, rationalization, opportunity and a perception of impunity. Financial statement deception is an occupational fraud. Only the highest level employees, however, have the opportunity to carry it out. They are in a position to order a subordinate to post false accounting entries. CEOs and CFOs can come under tremendous pressure to get positive results. They can rationalize to themselves that their deception is buying time to ultimately save the company from financial ruin. (Things will get better in the future. Things will turn around.) Or, as is often the case, the deception buys time to provide themselves with financial gain through selling off their own shares in the company. Anyone in a top management position is vulnerable. Perhaps the straw that breaks the camel’s back is the final element. The perception that they can get away with it sometimes comes with the office. A certain sense of omnipotence develops.

Fraud has always been a difficult issue. No amount of internal controls will stop the resolute executive bent on deception from accomplishing his mission. Measuring the risk that management override could occur is effective only in providing direction to a financial statement fraud audit. Imagine for a moment that external auditors find the CEO is an arrogant, dictatorial type and the company being audited is going through some difficult times. Consequently, the external auditors report to the AC Chairperson that the “tone at the top” leaves much to be desired and there is a high risk that the CEO may practice financial statement fraud. The AC Chairperson is likely to reply, “I understand the risk, but is the CEO actually practicing financial statement fraud?” AC chairs do not want to hear suppositions; they want hard facts: concrete evidence.

People tend to shy away from the word “fraud.” The topic is embarrassing, perhaps because all of us have practiced deception at one time or another in our lives. Occupational fraud ranges from something as inconsequential as deliberately taking a pencil home from work to the massive consequences of the financial statement deception at Enron and WorldCom. External auditors, like everyone else, tend to keep the “fraud” word at bay. However, they are deceiving themselves if they think that a review of internal controls will mitigate the risk of a major financial statement deception occurring in the future. If they continue to focus only on internal controls, external audit firms must accept a high probability of being sued by angry stakeholders when financial statement fraud that escaped their detection is revealed.

The standard audit of a company’s financial statements verifies the fair presentation of the data and compliance with Generally Accepted Accounting Principles (GAAP). Searching the financial data for anomalies, deviations from the norm, and outliers seems to have become a lost art among external auditors. The external auditors need to explore the possibility of management override of internal controls. They should consider the need to conduct a financial statement fraud audit. The fraud audit involves requesting all the financial statements and footnotes from management for several years. The financial statements would not be the standard reports compiled for issuance to the public. These contain too many opportunities for concealing fraudulent numbers in summary totals and lengthy footnotes. Instead, the auditor should receive and work with the detailed financial information prepared for management decision makers. The auditor should then perform a vertical and horizontal analysis of the numbers including calculation of appropriate ratios. Special attention should be given to the footnotes. A similar analysis should be conducted on quarterly financial statements. The extent of the audit would be dependent on the degree of risk perceived by the auditor. The auditor’s perception of the “tone at the top” would weigh heavily in determining the extent of the financial statement audit.

Current technology permits maintenance of financial data in spreadsheet form. As a result, most companies maintain their records in a standardized format that is easily transferred into a worksheet for analysis and generation of internal reports. The input of the data could be carried out by junior members of the audit team. It should be a short, easy step to “copy/paste” the data into an auditor-generated worksheet using a template to maintain consistency in form. Subroutines could be created to generate vertical and horizontal analyses, ratios, and graphs as the data is entered. Based on this initial “standard” output, further analysis could be generated on line items deemed critical to the audit.

After the data is assembled in the worksheet in a standardized form, analysis of it is limited only by the imagination and needs of the analyst/auditor. The analysis of the output should be carried out by a diligent senior auditor experienced in reviewing financial statements and interpreting the changing numbers and ratios. Ultimately, there is no substitute for the human factor. Knowledgeable interpretation of the output is vital to success in detecting fraud. Perhaps the operative term to apply to the fraud audit would be vigilance. Auditors, both senior and junior, should be ever alert and wary. When line item increases or decreases do not make sense, explanations should be solicited from the appropriate management. Their answers should be combined with examination of the accounting records and source documents. If this does not satisfy the auditor, he or she should consider conducting a financial statement fraud assessment interview. Interviews should first be carried out with lower level financial employees who posted or approved questionable accounting transactions. The questionable transactions and initial interviews may indicate the need to conduct further interviews with higher level management, all the way to the top if necessary. The financial statement fraud assessment interview phase is critical. Interviewers must be experienced accountants, but they also need to be experienced fraud assessment interviewers.
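As an added illustration (not code from the original article), the following Python sketch shows the kind of worksheet subroutine the preceding paragraphs describe: vertical and horizontal analysis of several years of line items, a gross margin ratio, and a simple vigilance check that flags any line item whose year-over-year movement diverges from revenue by more than a tolerance. The figures, the line item names and the 15-point tolerance are constructed assumptions chosen to show the mechanics, not data from any company.

```python
# Constructed multi-year income statement lines (assumed values, in $ thousands).
# The final year is built to show the kind of shift an auditor should query:
# cost of sales falls while revenue rises, and a capitalized-cost line jumps.
STATEMENTS = {
    2003: {"revenue": 1000, "cost_of_sales": 600, "operating_expense": 250, "capitalized_costs": 20},
    2004: {"revenue": 1050, "cost_of_sales": 630, "operating_expense": 265, "capitalized_costs": 22},
    2005: {"revenue": 1080, "cost_of_sales": 520, "operating_expense": 270, "capitalized_costs": 150},
}


def vertical_analysis(stmts, base="revenue"):
    """Each line item expressed as a percentage of the base line within the same period."""
    return {yr: {k: round(100.0 * v / items[base], 1) for k, v in items.items()}
            for yr, items in stmts.items()}


def horizontal_analysis(stmts):
    """Percentage change of each line item from the prior period, keyed by the later period."""
    years = sorted(stmts)
    out = {}
    for prev, cur in zip(years, years[1:]):
        out[cur] = {k: round(100.0 * (stmts[cur][k] - stmts[prev][k]) / stmts[prev][k], 1)
                    for k in stmts[cur]}
    return out


def gross_margin(stmts):
    """Gross margin ratio per period: (revenue - cost of sales) / revenue."""
    return {yr: round((i["revenue"] - i["cost_of_sales"]) / i["revenue"], 3)
            for yr, i in stmts.items()}


def flag_anomalies(stmts, base="revenue", tolerance=15.0):
    """Flag line items whose year-over-year change differs from the base line's change by
    more than `tolerance` percentage points. Returns (year, item, item_change, base_change)."""
    flags = []
    for yr, changes in horizontal_analysis(stmts).items():
        base_change = changes[base]
        for item, change in changes.items():
            if item != base and abs(change - base_change) > tolerance:
                flags.append((yr, item, change, base_change))
    return flags


if __name__ == "__main__":
    for yr, item, change, base_change in flag_anomalies(STATEMENTS):
        print(f"{yr}: {item} moved {change:+.1f}% while revenue moved {base_change:+.1f}%")
```

Flagged items are only the starting point for the explanations, record examination and interviews the paragraph describes; the check raises a question, it does not answer it.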

A capable, high level manager intent on committing fraud will search for ways to beat the financial statement audit program. When collusion occurs, as was the case with Enron and WorldCom, no amount of internal controls can prevent the commission of a crime. Financial statement fraud audits conducted at regular intervals should, however, detect deception and minimize the damage caused by an unprincipled executive. External auditors should keep the audit program flexible and unpredictable. They could consider, for example, asking management for up to ten prior periods of financial statements and footnotes. The extent of the actual analysis could vary over time and would depend on the risk perceived by the auditor. For any given audit year, analysis might begin with the most recent three years. If examination of the results raises unanswered questions, the analysis can be extended to cover whatever time period is deemed necessary.

External auditors currently interpret SOX Section 404 to mean a thorough general review of internal controls. Section 404 could, more appropriately perhaps, be interpreted as a review to determine if top management has overridden existing, effective, internal controls. The cost of the latter to the audited company is only a fraction of the cost of an extensive audit of internal controls. Revival of the lost art of financial analysis through a financial statement fraud audit would satisfy SOX 404 and be much more cost effective.

[1] Excerpt of statement to the St. Louis Post-Dispatch, printed on Wednesday, Jan. 26, 2005.