What's your fraud IQ?


Recent scandals at Olympus, Barclays, and Wal-Mart, among others, illustrate the ongoing need for organizations to continually review and strengthen their corporate governance practices. CPAs play a key role in this process. Do you know the best practices for setting up a corporate governance system? Can you spot governance weaknesses that might allow for fraud in an organization? Are you up to date with the latest events, issues, and trends on the corporate governance front? Take this Fraud IQ quiz and find out.

1. Which of the following scenarios best exemplifies an agency dilemma?

a. A sales manager for a publicly traded corporation knows that his employer is facing a temporary financial crunch due to the loss of a large sales contract. He also knows that the organization is scheduled to roll out a new product in four months, which should more than make up for the lost revenue. To help his company report better earnings during the current period, he records fictitious sales to one of his division’s biggest customers and plans to reverse those transactions once revenue picks up. His efforts give the company’s profits a short-term boost, allowing the organization to meet its earnings targets for the quarter.
b. A dentist hires a CPA to prepare the federal income tax return for his sole proprietorship. However, the dentist intentionally provides the CPA with a report that understates the money the practice brought in, resulting in an underreporting of revenue and underpayment of income tax to the IRS.
c. Two brothers are partners in an advertising firm. One has retired but retains a 50% ownership interest as a silent partner; the other is the CEO and has full responsibility for managing the organization. Unbeknown to the retired brother, the CEO is running tens of thousands of dollars of personal expenses through the firm, reducing both profits and partnership distributions.
d. None of the above.

2. Which of the following statements is true regarding corporate governance requirements for publicly traded U.S. corporations?

a. Specific governance practices for U.S. public companies are mandated by the Uniform Corporate Governance Act.
b. Unless explicitly excluded, all corporations listed on the New York Stock Exchange (NYSE) or Nasdaq Stock Market must adopt and disclose a code of conduct for all employees and report any waivers of the code for directors or officers.
c. Unless explicitly excluded, all corporations listed on the NYSE or Nasdaq must have an internal audit function.
d. Specific governance practices for a U.S. public company are determined by the company’s corporate governance committee.

3. Allen Corp. is a publicly traded company listed on the NYSE. Allen’s board of directors is evaluating the company’s corporate governance structure to ensure it follows best practices to prevent and detect fraud. The board contains three committees: audit, compensation, and nominating. The audit committee consists of three directors, including Jackson, Allen’s former director of finance. Jackson left the company four years ago and joined the board of directors this year. He was appointed to be the audit committee’s financial expert because he is a CPA with extensive experience in preparing, auditing, and analyzing financial statements, and he is already familiar with the company. The other two members of the audit committee are not financial experts and have never worked as auditors. The committee is responsible for the hiring, firing, and compensation of the independent auditors, as well as overseeing their work. Which of the following changes should Allen make to its board of directors?

a. To comply with the NYSE’s listing standards for public companies, Allen Corp. needs to add a risk management committee to its board of directors.
b. Jackson should be removed from the audit committee because he worked for Allen Corp. within the past five years.
c. The two nonfinancial experts on the audit committee should be replaced so that all three members of the audit committee have accounting or auditing experience.
d. The audit committee should continue to hire and fire the independent auditors, but management needs to determine the auditors’ compensation.

4. Which of the following is the most effective way to incentivize a CEO to build long-term shareholder wealth in an ethical manner?

a. Provide an annual cash bonus based on the company’s financial performance.
b. Structure the compensation package to be made up of only a predetermined annual salary that is greater than those of other executives in the same industry.
c. Include a generous pension in the employment contract.
d. Require that stock options received must be held until the CEO’s retirement.

5. In 2011, the SEC charged military contractor DHB Industries with accounting and disclosure fraud. What was notable about this case regarding corporate governance practices?

a. In addition to charging the company, the SEC also filed separate civil charges against three board members.
b. The company was the first to be found guilty of violating particular requirements of the Sarbanes-Oxley Act.
c. The findings of the case resulted in new rules on compensation committee independence.
d. The company’s lack of an internal audit department resulted in a large increase in the penalties that were imposed.

6. All of the following statements regarding the whistleblower provisions under the Dodd-Frank Wall Street Reform and Consumer Protection Act, P.L. 111-203, are true EXCEPT:

a. Prior to the passage of the Dodd-Frank Act, the SEC could offer awards only for tips related to insider trading cases, and the award amount was capped at 10% of the penalties collected.
b. CPAs working on SEC engagements typically are not eligible to receive whistleblower awards if the information relates to violations by an engagement client.
c. For a whistleblower to receive an award, the information provided to the SEC must result in monetary sanctions in excess of $1 million.
d. Employee whistleblowers must report fraud internally before reporting to the SEC to qualify for an award.

7. Castle Inc. is a Chicago-based private company with several offices around the world. Because the company is so spread out, upper management does not engage in much direct communication with lower-level staff. Nevertheless, Castle has a good reputation and has never experienced any serious scandals involving upper management. Stewart, an employee in the financial reporting department in Castle’s Dallas office, is often asked by Gordon, his manager, to “smooth” revenue figures to meet the monthly goals set by the CFO. Gordon stresses that the Dallas office always meets the budget goals set by the corporate headquarters and that salaries are tied to these metrics. Stewart is new at the company and figures that, although he seems to be violating GAAP, early revenue recognition is an acceptable practice at the company because Gordon told him to do it. Of the following, which is the best conclusion that can be drawn about Castle Inc., given this information?

a. There is no ethics policy in place at Castle Inc.
b. Castle Inc. does not have external auditors examining its revenue recognition policies.
c. There is a poor “tone in the middle” at Castle Inc.
d. Castle Inc. has a policy that allows for income smoothing.

8. When newly appointed Olympus President Michael Woodford blew the whistle on a $1.7 billion cover-up in 2011, it drew global attention to Japanese corporate governance practices. Which of the following is the reason this case was so noteworthy from a governance perspective?

a. Olympus did not have an anti-retaliation policy in place.
b. There were no independent directors on Olympus’s board.
c. The chairman of the board, Tsuyoshi Kikukawa, was never charged with fraud.
d. Japan has a reputation for very strong corporate governance practices and transparency in financial reporting.

9. One of the most important ways shareholders can participate in the corporate governance system is to take part in director elections. However, there are many voting systems, some of which constrain the power of shareholders and limit their ability to monitor the board. In the United States, most public companies employ the plurality voting system. Which of the following best describes this system?

a. Shareholders first write in nominees, and the candidates who receive the most nominations are then voted on by the shareholders.
b. Management provides nominees, and shareholders either vote “for” a director or “withhold” their vote.
c. Shareholders provide the nominees, and management votes “for” or “against” each candidate.
d. Management provides nominees, and shareholders vote “for” or “against” each candidate.

10. Given the increased importance of, and attention to, protecting corporate intellectual property and sensitive customer and employee information, the area of information technology (IT) governance is a growing concern for many corporate boards. Which of the following is true regarding how boards are addressing this issue?

a. The majority of boards are creating separate IT risk committees to address IT governance issues.
b. Boards are adding younger directors to increase the boards’ overall familiarity with IT issues and risks.
c. Boards increasingly are engaging outside IT experts to advise them on IT risks and issues.
d. The majority of boards are spending 20% or more of their meetings discussing IT-related risks and issues.


1. (c) An agency dilemma exists when there is an inherent conflict between the motivations of two parties in an arranged relationship, one of whom (the agent) is intended to act on behalf of the other (the principal). An agent can be a single individual, as with the CEO brother described in this question, or it could be a group, such as a management team at a public company. The same holds true for the principal, which can be a single owner or a group of owners, such as shareholders in a public company.

The scenario is exacerbated when the agent has access to information the principal cannot easily access. In this situation, the principal must rely on the agent’s judgment but cannot ensure that the agent will act in the principal’s best interest.

Public companies are far from the only entities that can run into an agency dilemma. The principal-agent dichotomy can occur at some private companies, such as those funded by a silent partner, venture capital, or angel investors. Nonprofits and government organizations have inherent agency issues, as donors rely on the nonprofit’s staff for effective and efficient use of their donations and taxpayers elect officials to act on their behalf.

A robust corporate governance system addresses the agency dilemma by instituting mechanisms to align the interests of management and stakeholders and ensuring that no single party can make all the business decisions without the influence, input, or approval of other parties. However, it is important for the principals to note that while effective corporate governance addresses this issue and is a crucial component of antifraud efforts, even the most robust governance system will not eliminate the inherent agency problem that arises from the divergence of ownership and management.

2. (b) In the United States, corporate governance requirements are found in legislative and regulatory requirements imposed upon corporations. Each state has laws governing the corporations that are registered in it. Additionally, public companies are subject to federal legislation, such as Sarbanes-Oxley, as well as regulation by securities industry oversight bodies. Specifically, companies with securities listed on the NYSE are bound by the corporate governance requirements contained in the NYSE Listed Company Manual; similarly, the corporate governance standards issued as part of the Nasdaq Stock Market Equity Rules apply to all entities with securities listed on the Nasdaq exchange.

The listing standards for the two exchanges are similar but not identical. For example, both the NYSE and the Nasdaq rules require listed companies to adopt and disclose a code of conduct for all directors, officers, and employees, and require that any waivers of the code of conduct for directors or officers be approved by the board of directors and disclosed (such changes for employees are not required to be disclosed). However, while the NYSE rules state that all listed companies must have an internal audit function, the Nasdaq rules do not impose such a requirement.

3. (b) The board of directors typically divides itself into independently functioning committees that have specific focus areas to make the most efficient use of the members’ time and expertise. NYSE-listing standards require companies on the exchange to have at least three board committees: audit, compensation, and nominating.

The presence of an audit committee gives stakeholders comfort that an independent body is ensuring the integrity of the financial statements. Audit committees are supposed to protect investors’ interests by taking the lead on oversight responsibilities in the areas of internal control, financial reporting, audit activities, and compliance. Responsibilities of the audit committee include appointing, compensating, and overseeing external auditors; reviewing financial reports; overseeing the effectiveness of the company’s internal control structure; and overseeing the company’s whistleblower policy.

Under NYSE listing standards, members of the audit committee must be independent, nonexecutive, outside directors. To be considered independent, audit committee members cannot receive any compensation other than what they are paid as a board member, cannot provide any advisory or consulting services to the company, and cannot have been employed by the company within the past five years.

Additionally, according to Sarbanes-Oxley, the company must disclose whether the audit committee has at least one member who is a financial expert. A financial expert is someone who has an understanding of GAAP, experience in the preparation or auditing of financial statements, experience with internal control, and an understanding of audit committee functions.

4. (d) Executive compensation is a controversial topic, especially in the wake of corporate scandals, bank failures, and government bailouts, and is among the most important corporate governance issues boards face today. The structure of executives’ compensation can set the tone for much of the organization’s operations. If the incentives given to top management are numbers driven (e.g., a high percentage of overall compensation in the form of cash bonuses based on short-term goals), the corporate culture will also be numbers driven, which can foster an environment conducive to fraud. In contrast, an effective compensation structure can reinforce the expectations that management will work to achieve long-term results in an ethical manner. To implement such an approach, the compensation committee must study the entire compensation system within the organization to determine whether the incentives and disincentives encourage an ethical culture, law-abiding behavior, and good corporate governance.

To ensure the CEO is meeting the organization’s strategic objectives, the compensation package must reward company performance and dissuade shortsighted leadership. The combination of stock options and cash payments (i.e., salary and annual bonus) is an effective compensation structure in this regard: It gives executives the short-term incentive to earn the cash and the long-term incentive to add value to the company, making their stock worth more down the line. The key, however, is to implement balancing measures, such as requiring executives who receive stock options or stock grants to hold the stock until—or even beyond—retirement or other departure from the company. If the compensation structure includes such policies, the interests of the executives are more closely aligned with the interests of the shareholders, and executives are incentivized to build shareholder wealth for their entire tenure at the company. The practice is not yet widespread, but it is used by a number of large companies, including Exxon Mobil, PepsiCo, Time Warner, Wells Fargo, and Citigroup.

5. (a) In its 2011 case against military contractor DHB Industries (now known as Point Blank Solutions), the SEC alleged that the company’s senior officers misappropriated assets to personally benefit the former CEO, David H. Brooks, resulting in the filing of materially false and misleading periodic reports to investors. Brooks was convicted of 17 counts, including insider trading and securities fraud, for the scheme, which netted him an estimated $185 million.

While these findings alone are worth noting, from a corporate governance perspective, the case is most notable for the subsequent separate civil charges the SEC filed against three DHB Industries board members. Those charges alleged that the directors were “willfully blind to numerous red flags signaling the accounting fraud, reporting violations, and misappropriations.” Despite being confronted with repeated and convincing evidence of fraud, the board members signed DHB’s false and misleading financial reports, the SEC claimed. The three directors eventually agreed to a settlement calling for them to pay more than $1.6 million in monetary sanctions and be subject to permanent officer-and-director bars by the SEC.

As this case illustrates, board members can be subject to liability exposure under state and federal law. Many states have laws that impose on directors the fiduciary duties of obedience, loyalty, good faith, and due care. Breaches of these duties can result in litigation. Consequently, potential directors should investigate a company’s culture and management’s integrity before accepting a board position and should be vigilant in exercising their fiduciary duties and oversight function.

6. (d) Section 922 of the Dodd-Frank Act authorizes the SEC to pay awards to individuals who provide original information that leads to successful SEC enforcement actions and certain related actions. Under Dodd-Frank, the whistleblower is eligible to receive an award if monetary sanctions from the action exceed $1 million. The range for awards is between 10% and 30% of the money collected by the SEC. Dodd-Frank does not require employees to report fraud to the company first, but it does provide economic incentives for those who do so. Additionally, certain individuals are not eligible for the whistleblower incentives provided by the act, including compliance and internal audit personnel, public accountants working on SEC engagements (if the information relates to violations by an engagement client), foreign government officials, and anyone who has a preexisting legal or contractual duty to report information to the SEC.

7. (c) According to the Association of Certified Fraud Examiners’ 2012 Report to the Nations on Occupational Fraud and Abuse, a poor tone at the top was cited by the CFEs surveyed as the catalyst for 9% of all the fraud cases examined in the study. Furthermore, it was considered the primary factor in 18% of the frauds that resulted in a loss of at least $1 million. Clearly, tone at the top is a critical component of a corporate governance system.

While tone at the top generally refers to the ethical behavior exhibited by management and the board, the idea of setting a proper tone is applicable to anyone in a supervisory role. The tone set by middle management (i.e., tone in the middle) is arguably just as important as the tone at the top, especially in large organizations where the executives and directors rarely communicate directly with lower-level staff. Employees are likely adhering to the standards set by their supervisors. In the case of Castle Inc., a poor tone was set by Stewart’s manager, Gordon. Because Gordon ordered him to “smooth” the financial data (manipulate the revenue figures), Stewart believed this action was OK. Furthermore, Gordon was likely under a great deal of pressure to meet company goals. In large companies, the board pressures management, and management pressures employees to meet financial goals. The idea is to ensure that each individual is working hard and creating value for shareholders. However, pressure to meet profitability targets often leads to fraud. Gordon was—perhaps unintentionally—sending the message to Stewart that committing fraud is acceptable as long as it appears to management that you are meeting goals.

8. (a) After he revealed a $1.7 billion accounting fraud at Olympus, Michael Woodford was dismissed from his position, a move that clearly would have violated an anti-retaliation policy, had the company had one in place. Many people who are privy to corporate fraud are afraid to report it for fear of retaliation. An anti-retaliation policy is an essential part of a good corporate governance system. In the United States, retaliation against whistleblowers might violate various federal and state laws. In fact, under Sarbanes-Oxley, it is a federal felony to retaliate against a whistleblower who provides assistance to law enforcement. It is imperative that a whistleblower policy contain a clause stating that management and the board will not tolerate retaliation against whistleblowers.

9. (b) Boards of directors at public companies are responsible for overseeing management and ensuring that management is acting in the best interest of shareholders. As such, it seems logical that the shareholders choose who is going to serve on the board. However, the election of board members is not always a truly democratic process. Typically, shareholders receive a ballot with nominees selected by management. Most public companies in the United States use a plurality voting system, under which shareholders must choose to either vote “for” a director or to “withhold” their vote. If the election is uncontested, a director can win with just one “for” vote, even if everyone else votes to “withhold” their vote.

Shareholders typically vote for the directors proposed by management. In some cases, a group of shareholders gets together to oppose management’s selection and runs a slate of its own. Many shareholders are dissatisfied with the plurality voting system, and with good reason. Independent nomination of board members, including clear means for shareholders to submit nominations, and careful evaluation of all nominees by the nominating committee are critical to ensure there are no conflicts of interest, to prevent instances of collusion between board members and management, and to make certain that board members have the best interests of shareholders in mind. For this reason, electing directors by a majority vote is considered a better system than the plurality voting system employed by most U.S. companies. At companies that employ a plurality system, executive management and the board of directors should consider changing their election process to be more democratic and put more power into the hands of the company’s owners.

10. (c) Fraud risks and IT risks are closely interwoven, as many frauds include manipulation of data or files housed within the organization’s IT systems, and an increasing number of fraud schemes involve breaching IT security measures to compromise sensitive or proprietary company information. The business and reputational fallout from such attacks can be devastating for organizations, and boards are charged with oversight of the company’s IT initiatives to help protect against such risks. Unfortunately, many boards find oversight of this area to be extremely challenging for many reasons, including the highly technical subject matter and the rapid pace of change.

Current board composition and approaches to the issues can compound these difficulties. According to the Spencer Stuart Board Index 2012, the average age of directors has increased from 60.1 in 2002 to 62.6 in 2012. So, not only has the average board member spent most of his or her professional career in the predigital environment, but the aging trend of board members is also increasing the gap in boards’ inherent familiarity with IT risks, ability to understand the emerging technological advances, and thus their overall confidence in oversight of IT issues. Additionally, according to a PwC report, Insights From the Boardroom 2012, three-quarters of boards spend 10% or less of their meetings discussing IT issues, even though more than half of the boards also describe IT as critical or very important to their businesses. The PwC report also found that the majority of boards (56%) rely on the audit committee to address IT governance issues. The audit committee often oversees other risk issues, so this might appear to be a natural addition to the responsibilities. However, the oversight of IT issues requires knowledge of technical topics that are often outside the skill set of the typical audit committee member.

With all these factors combining to create the current IT knowledge gap, it stands to reason that relying on outside experts to assist with these issues would be increasingly common. The PwC report illustrates this trend: In 2012, about one-quarter of boards engaged outside IT consultants, an increase from 15% in 2011. As the importance, sophistication, and magnitude of IT operations—and IT-related risks—continue to increase, boards would be well-served to incorporate formal IT governance strategies and seek out IT-knowledgeable directors.


If you answered nine or 10 questions correctly, congratulations. Your solid understanding of corporate governance issues and trends will assist you in assessing governance-related fraud risks for your clients or employer.

If you answered seven or eight questions correctly, you’re on the right track. Continue to build your knowledge of corporate governance best practices and developments to help identify governance weaknesses that might facilitate fraud.

If you answered fewer than seven questions correctly, consider strengthening your understanding of corporate governance concepts and awareness of related developments to help ensure that you have what it takes to assess and assist with governance practices designed to protect organizations from fraud.

Andi McNeal (amcneal@acfe.com) is director of research and Catherine Lofland (clofland@acfe.com) is a research specialist for the Association of Certified Fraud Examiners.

To comment on this article or to suggest an idea for another article, contact Jeff Drew, senior editor, at jdrew@aicpa.org or 919-402-4056.

