the international impact of fraud - 28th Annual ACFE Global Fraud ...

THE INTERNATIONAL IMPACT OF FRAUD DETECTING FRAUD INVOLVING SENIOR EXECUTIVE OVERRIDE & COLLUSION: A SCIENTIFIC APPROACH Many of the most infamous and major frauds in history have involved senior management collusion and override. This session examines why traditional internal and external audit approaches have failed and provides practical advice on how to achieve better results, while still recognizing that this area, more than any other, can represent a Career Limiting Move (CLM) for unwary auditors and fraud examiners. TIM J. LEECH, CFE, FCA, CIA, CSSA Managing Director Leech & Co GRC, Incd. Oakville, Ontario Tim J. Leech, CFE, FCA, CIA, CFE, CCSA, is co-founder and Chief Methodology Officer, Risk Oversight Inc. (ROI). ROI focuses on helping companies more effectively manage risk and assurance to meet escalating due diligence expectations. He has more than 25 years of experience in the forensic accounting field, including expert witness testimony in civil and criminal proceedings and global experience helping public- and private-sector organizations with internal audit transformation initiatives and the design, implementation, and maintenance of integrated GRC/ERM frameworks. A sample of clients he has provided services to include Mobil Oil, RBC, CIBC, Telstra, Boots Plc, Comptroller General Of Argentina, Telstra, British Airport Authority, BellSouth, Farm Credit Canada, Treasury Board Secretariat, Institute of Management Accountants, Manulife, MBNA, National Bank, Potash Corporation, Independent Order of Foresters, Environment Canada, Ontario Provincial government, OPP, Rabobank, ABN Amro, Nordea, Scandia, Fortis, Transport Canada, Northern & Indian Affairs, Parks Canada, Shell, City of Detroit, Australian Taxation Authority, Tucson Electric, and many others. In September 2009, Tim was awarded the first Canadian Outstanding Contributor to the Profession of Internal Auditing award in recognition of over 25 years of global service. In 1997, Leech was awarded the designation Fellow of the Institute of Chartered Accountants (FCA) in recognition of his public service and contributions in the fields of risk and control management. Leech has provided training for tens of thousands of public- and private-sector professional accountants, forensic accountants, and risk management specialists in Canada, the U.S., the EU, Australia, South America, Africa, and the Middle and Far East. He has received worldwide recognition as a pioneer, thought leader, and trainer.

“Association of Certified Fraud Examiners,” “Certified Fraud Examiner,” “CFE,” “ACFE,” and the ACFE Logo are trademarks owned by the Association of Certified Fraud Examiners, Inc.

©2011

DETECTING FRAUD INVOLVING SENIOR EXECUTIVE OVERRIDE & COLLUSION

Why Is the Topic Important? In 1983, when I was a young and inexperienced internal auditor, I received a call one Sunday afternoon from the General Auditor of Gulf Canada, Bruce McCuaig. He asked me to be at a meeting that night at a major Toronto Hotel and be ready to start a new investigative assignment the next day at a remote site. This was not a normal event. At that meeting I met a very senior Gulf executive who sat at on the board of Gulf Canada’s largest subsidiary, Superior Propane. He had been approached by an informant who alleged that a major fraud had been in progress at that company for over a decade and that the participants included the company’s Chairman, CEO and President, VP Finance, and a senior VP in charge of operations. He wanted Gulf’s internal audit department to investigate the allegation and determine if the allegations were true and, if they were true, who was involved and how much damages had Gulf sustained. The informant’s allegations turned out to be true. Virtually the entire senior management team of this large subsidiary had been involved in a major fraud that spanned more than a decade. The fraud involved a number of the senior executives secretly buying land and building a plant and then leasing it to themselves as Superior Propane executives, secretly setting up a propane barbecue tank manufacturing company and sole sourcing all Superior Propane purchases to that company, secretly setting up a company to manufacture large propane storage tanks and sole sourcing all purchases from that company, and more. The fraud had gone on undetected, literally under the noses of Gulf’s board, senior management, internal audit, external auditors, and law department for more than a decade. This case was only the first of many that has taught me that auditors should never assume that segregation of duties is a

©2011

22nd Annual ACFE Fraud Conference and Exhibition 1

NOTES


strong control. All it takes is economic incentive and collusion between executives to open the opportunity to defraud naive victims and, unfortunately, fool naive and/or untrained auditors. Since that time, over a career that is now approaching 30 years in risk management, internal audit, and forensic accounting, events continue to reinforce my belief that auditors, now more than ever, should never assume senior executives, and even boards of directors, are immune to the temptations that are behind most frauds. The recent global economic collapse serves as one more piece of graphic evidence that demonstrates that circumstances can result in situations where hundreds, even thousands of senior-level people are involved in frauds of global proportions against unsuspecting victims. This presentation provides some insights to spot and respond to situations involving senior executive fraud and collusion. Management Override and Collusion and Achilles’ Heels Achilles’ heel injuries:  Have a male to female ratio of 20:1  Disproportionately impact men in their 40s and 50s  Often involve playing sports and/or macho behavior  Often involve trying to do something that, with the benefit of hindsight, was a really dumb idea  Are something that happen to other people ― not me In March of 2004, while on assignment in the UK, I was staying at friend’s place in the country near Nottingham, the home of the world famous, Robin Hood. On a Sunday afternoon while playing soccer with my friend’s husband and her 3-year-old son in their garden, I severed my Achilles tendon (subsequent tests identified a 95% tear) while attempting to dribble the soccer ball wearing a brand

©2011


NOTES


new pair of Doc Martin shoes. At the time I was 49 years old. The injury resulted in my being in a cast and on crutches for almost four months and having to undergo extensive therapy to restore mobility and strength. What I learned from this incident is that Achilles tendon injuries to men in their 40s and 50s are very common. David Beckham, the world famous soccer star, a recent Achilles tendon injury victim, is but one of tens of thousands of illustrations of this condition. My research revealed that a root cause of these injuries is a belief on the part of men at a certain stage in their life that they are still capable of doing activities that are sometimes not supported by their condition/aging bodies. When we look at some of the biggest frauds in history we see hundreds of men in the 40s and 50s as the key perpetrators of the frauds—often in collusion with other like-minded men in their 40s and 50s. These are men in senior positions that have achieved lifestyles and incomes that the vast majority of people in the world can only dream about. Yet they act, often in collusion with others, in frauds that range from so simple and obvious that it’s hard to believe victims were duped to incredibly complex frauds spanning contents and decades. Apparently they, like me on that day in Nottingham in 2004, believe they are invincible and immune from consequences when they undertake what later are obviously stupid acts. A simple question that I believe far more should be asking is: Why are so few of the major frauds involving senior execs, often acting together, detected by internal and external auditors? External Audit Handicaps Turning first to the thousands of instances external auditors have been fooled by ill-intending senior executives, there

©2011


NOTES


are many reasons. Some of the more significant ones are discussed below. Flawed Audit Paradigm: Not Enough Focus on Error Root Cause Analysis Some years ago, the AICPA—as a result of pressure being exerted following colossal audit failures at companies like Enron, WorldCom, HealthSouth, Parmalat, and scores of others—set up a new entity called the Center for Audit Quality (CAQ). The home page of CAQ’s website states: The CAQ continually strives to aid in the pursuit of enhanced audit quality and to foster a greater understanding of the auditing profession's value and efforts. To achieve these goals, the CAQ offers a variety of resources including alerts, comment letters, and information regarding its various committees and task forces. While the resources below are available to the public, other content is available exclusively to members. What the CAQ does not do (or if it does, it does it secretly) is conduct independent post-mortems of major failures by external audit firms to identify what went wrong. With the exception of litigation linked investigations, there have been no systemic efforts to probe and understand what the root causes of major audit failure are. The reasons for this are rooted in the U.S. litigation system, the attitude of professional audit associations (especially but not restricted to the AICPA’s), and, most important given human nature, the absence, at least so far, of regulators who require/force independent and professional post-mortems to determine the root cause(s) when an audit firm provides

©2011


NOTES


an opinion that is subsequently determined to be materially wrong. Litigation Exposure If Errors Are Documented and Analyzed but Warning Signs Ignored Over the past 20 years I have often asked audiences I presented to whether they—if they are external auditors—or their external audit firm maintain a fiveyear history of errors identified during the course of their audits and, most important, if they do any systemic analysis to identify root causes of those errors. Surprisingly, the vast majority of respondents have said that they don’t do this relatively simple control. I think there are a number of reasons for this. The profession in general has largely ignored all of the advances of the quality profession over the past 30 years. There have been no aggressive steps taken to identify root causes of “rework.” Investment in technology to help conduct systemic analysis of “quality defects” has been miniscule relative to many sectors. Perhaps the senior partners fear the litigation consequences from formal documentation of the game known as earnings management. External Audit Staffing Model: Junior Staff Members Perform the Majority of the Audit Work Having worked for a Big 6 audit firm (Coopers & Lybrand), having a daughter who worked for PwC (the successor to C&L), and having trained senior external audit partners and staff around the world and read and investigated scores of cases involving audit failure, one of the most obvious reasons why so many frauds involving senior executives go undetected, or at least unreported, is a simple one—young and relatively inexperienced staff perform that majority of audit work. That is the revenue model of the audit profession. Audit

©2011


NOTES


partners earn significant salaries because hundreds of junior staff members generate multiples of what the firm pays them in billings (i.e., a “two and a half turns” employee is a star). This has been the business model of larger consulting and auditing firms since the profession was born and still is today. The problem with this approach is that frequently the young and relatively inexperienced staff members that do the majority of the work lack the ability to see or, if they see, react to red flags that suggest fraud may be present. Inadequate Use of Technology to Detect Readily Available Fraud Warning Signs After having been in industry from 1981 to 1987, I returned to Coopers & Lybrand to set up a forensic accounting practice in December 1987. What struck me immediately was that consultants and auditors were bluntly “behind the times” in terms of the technology tools used to do their work. The reasons for this link to the fact that investment in technology cost each partner money and the fact that audits are not an activity where it is easy to measure quality. Audit quality failures often have no consequence as they are not uncovered by the outside world. The cost of the small number of instances where audit firms are sued or investigated for failures has been at a level that firms have often been able to simply pass the cost on to customers through higher fees (Arthur Andersen excluded). Much more could be done today to identify red flags in client processes and financial statements—if there was a belief on the part of audit firm partners that they need to do it. Internal Audit Handicaps  Reporting lines—don’t bite the hand that feeds you. Many IA departments report to the CFO.

©2011


NOTES

DETECTING FRAUD INVOLVING SENIOR EXECUTIVE OVERRIDE & COLLUSION 









IA has a historical track record of avoiding high-risk zones. Audit committees that want soothing assurances, not harsh truths or residual risk status reports. Risk of being “dead right.” There are more than a few “do the right thing” CAEs in the Internal Auditor Cemetery. IIA standards/inspections might support not looking at controversial topics/high risk areas. IA staff might not see fraud red flags even when smacked in the face more than once.

Internal Audit Enablers  SOX has forced IA to focus on ICFR and fraud.  Audit committees and senior management now show more interest in identifying “material weaknesses” before outside auditors do.  Class B control weaknesses that raise questions related to senior management integrity increasingly linked to cost of capital, credit ratings, and reserve requirements.

Techniques to Assess Override and Collusion Risk Cliff Proximity Score the organization’s “Cliff Proximity Index” (CPI) and determine the outside auditor’s “Cliff Proximity Tolerance Index” (CPTI). Having been an investigative accountant for a large percentage of my career, it has become obvious to me that even a couple of weeks of focused work can generate a significant amount of information on whether the senior management of an organization, as the expression goes, is willing to “live dangerously.” This information links to how the game of determining an accounting period’s net income and asset/liability position is played, how they approach their obligation to pay taxes, compliance with safety

©2011


NOTES


and environmental laws, dealings with customers and suppliers, and many other areas. With respect to financial statement fraud, it is also important to try to measure the external auditor’s willingness to participate with management who like to live dangerously. Some companies even go so far as to consciously pay auditors more than they need to for their audit so the external auditor will feel they are being compensated for the higher risk that goes with the association. Calculate the Odds of a Wrong Audit Opinion Some of the key areas to evaluate to form an opinion that a company may issue misleading or fraudulent financial statements are shown below. This is an area that warrants substantial investment in research. Unfortunately, this doesn’t appear to be happening in a big way. Note: Many of the relationships are inverse—the low integrity and low knowledge of the business produce higher probabilities of a company issuing materially wrong financial statements. Management/Board’s Integrity and F/S Risk Tolerance

?/20

Management/Board’s Knowledge of Business

?/20

Management and Auditor’s ICFR Effectiveness Prediction Error Rate

?/20

+ Audit Team’s Knowledge/Experience/Nose/Track Record

?/20

Audit Team’s Fraud Detection Skills and Tools

?/20

Calculate LOHFM Scores Score management’s lies, omissions, and half-truths frequency/magnitude (“LOHFM Index”). Determine

©2011


NOTES


the external auditor’s risk tolerance to high LOHFMI scores. Most auditors and investigators who have been in the business for a while become attuned when doing interviews and interrogations to situations where the other party has a tendency or preference to telling lies, omitting key information, and offering half-truths. In some companies staff members are given specific instructions on what they should and shouldn’t tell auditors and how they should approach auditor requests. Some companies like to tightly control auditor requests to ensure the “right” responses and information are provided. The next step is to evaluate how tolerant the company’s external auditors are to information that has a high LOHFM index year after year. Calculate DIMIT Scores Calculate, analyze, and monitor the “Damn, I missed it” (DIMIT) rating for individual audit partners and managers. Not all audit teams and partners are created equal. When I was a junior auditor at C&L it became very obvious to me that some audit partners really knew their stuff and others were better suited to client relations and, back then, the lunch/dinner martini circuit. Smart firms tried to team audit partners with high DIMIT tendencies with technically strong managers. Unfortunately some firms gravitated over time to a mix of staff that had higher and higher DIMIT scores because they were very successful cross-selling other services and landing accounts.

©2011


NOTES


Leopards Don’t Change Their Spots Calculate a “pushing the envelope” score. Analyze how management approaches other areas like tax compliance, general compliance, contract compliance, compliance with union contracts, and so on, over the past ten years. If senior management is unchanged there is a pretty good chance their basic philosophy to business isn’t going to change. Leopards don’t change their spots. Override and Collusion Audit Approach Tactics Tactic #1 Minimize management’s ability to advance a plausible deniability defense (e.g., “I had no idea this was happening,” “I didn’t know it was wrong/against the law,” etc.) GRC technology can be used to record management/staff representations on things like whether the control was or was not done, specific knowledge of specific situations like non-arm’s-length transactions, and others. Tactic #2 Analyze in detail all audit adjustments for the past five years and determine which category each adjustment should be assigned to: 1. Intent/in plain view/catch me if you can 2. Intent/deception/I can fool the auditor 3. Reckless/negligent 4. Knowledge deficient/know what they didn’t know 5. Knowledge deficient/don’t know what they didn’t know 6. Others?―more research required

©2011


NOTES


Tactic #3 Provide all audit team members with deception detection skills training. People can be trained to spot deception. Unfortunately few external firms or internal audit departments provide their staff with this type of training. Tactic #4 Financially support research work to analyze the root causes of failure in financial reporting. Unfortunately, at the current time, little research is being done and there are no organizations dedicated to this task. This needs to change. Tactic #5 Don't pussyfoot around when discussing ethics and fraud. Have frank, candid discussions with management and the audit committee on all issues where the company, the auditor, and audit firm are, or may be, approaching the edge of the cliff. Good Luck! Luck plays a big part dodging fatal bullets.

©2011


NOTES