Fraud Risk: Are You Prepared?

The mission: to create stronger support for an ethically sound business environment.

ncentives that reward individuals for short-term results, a culture that has been insufficiently vigilant, advances in technology and more sophisticated business transactions have increased opportunities for fraud and abuse and enabled fraudsters to flourish. Consider this: 75% of companies responding a 2003 KPMG fraud survey said they had experienced at least one instance of fraud—a 13% increase over KPMG’s 1998 survey. While employee fraud appeared to be the most common type, financial reporting and medical/insurance fraud were the most costly. And the number of cases more than doubled from 1998 to 2003.

The shakeout has been wrenching. Over the past two and a half years the stream of news about Enron, Global Crossing, Worldcom, Adelphia and other high-visibility fraud cases has resulted in a tremendous loss of market capitalization. To stem the tide and restore confidence in the capital markets, Congress passed the Sarbanes-Oxley Act of 2002, which clearly delineates the roles of senior management, boards of directors, audit committees and outside auditors. Although it’s not possible to detect every instance of fraud, now all parties responsible for financial reporting and internal control must exercise greater vigilance.

Offering a view from the trenches about the daily challenges CPAs face in this arena, Sandra Johnigan, a Dallas CPA and chairperson of the AICPA’s forensic and litigation services committee, shared her views with the Journal of Accountancy about why corporate fraud has become such a critical concern for the CPA profession and what—in addition to SAS no. 99 and other AICPA initiatives (see “ Resources ”)—is being done to improve performance and rebuild the profession’s image.

JofA: How is the public focus on fraud affecting the CPA profession?
Johnigan: If you work for a public company, serve on a public company board or audit public companies, you already are dealing with the Sarbanes-Oxley Act and the Public Company Accounting Oversight Board [PCAOB]. Fraud was one of the driving forces responsible for both the passage of Sarbanes-Oxley and the formation of the PCAOB. They already have had a big effect on CPAs and how they carry out their responsibilities.

JofA: How concerned should I be with Sarbanes-Oxley if I’m involved with only private companies?
Johnigan: The initial focus has been on public companies, but this does not mean board members, owners, employees or auditors of private companies (including nonprofits and state and local entities) should ignore what’s going on. Large ripple effects could end up having an impact on those in the private sector as well. If you are a consultant or auditor, your challenges are tied directly to the issues facing both public and privately held companies. One challenge is to make sure private-company owners and management understand the risk of fraud in their companies and accept responsibility for strong corporate governance and strong internal controls that will help prevent and deter fraud.

JofA: Are you surprised Congress was able to pass the act with the speed at which it did, given the far-reaching impact from both a regulatory and a profession-wide standpoint?
Johnigan: It’s hard to believe now, but at one point Sarbanes-Oxley was given almost no chance of passage, at least in its current form. It had started out as a reaction to Enron, but as that was becoming old news and the legislation was faltering, along came WorldCom. WorldCom’s problems were disclosed in late June 2002, when the company announced it had understated expenses by $3.8 billion. Exactly one month later, on July 25, 2002, the House and Senate approved the conference report on the Sarbanes-Oxley legislation by votes of 423 to 3 and 99 to 0, respectively. The president signed the bill on July 30. The focus on fraud was clear in the president’s speech when he said: “This law says to every dishonest corporate leader: You’ll be exposed and punished. The era of low standards and false profits is over. No boardroom in America is above or beyond the law.”

JofA: So Sarbanes-Oxley created a forum through which management can be called to account for its actions. Does it address the willful misleading of auditors?
Johnigan: To paraphrase section 303 of the act, it’s illegal for any company officer or director to fraudulently influence or mislead any CPA engaged in the performance of an audit of financial statements or to cause the statements to be materially misleading. The SEC, in its release no. 34-47890, expanded on an existing rule dealing with improper influence by amending the rule to include any other person acting “under the direction” of officers and directors, replacing the previous “under the supervision” of officers and directors rule.

JofA: Is the locus of “improper influence” limited to company employees?
Johnigan: The language “under the direction” extends the rule well beyond employees to cover attorneys, customers, vendors, creditors and underwriters if they provide false or misleading confirmations to auditors or otherwise try to mislead them.

JofA: Can you give us some examples of “improper influence” under the SEC definition?
Johnigan: It can be a situation where a company provides an auditor with inaccurate or misleading legal analysis or threatens to cancel an existing or future audit (or nonaudit) engagement or to remove a partner from an audit engagement if the auditor challenges a treatment of an accounting issue.

JofA: Let’s talk about PCAOB Auditing Standard no. 1, effective May 24, 2004. It requires that “auditors’ reports on audits and other engagements relating to public companies and other issuers include a reference that the engagement was performed in accordance with the standards of the PCAOB.” This replaces the previous reference to generally accepted auditing standards. Doesn’t this create confusion in the marketplace because there are now, in effect, two sets of standards?
Johnigan: The issue is just beginning to have an impact. The PCAOB, in release no. 2003-006, established interim standards that were tantamount to GAAS as they existed on April 16, 2003. The SEC also approved those standards in release no. 8222. It subsequently approved PCAOB Auditing Standards nos. 1 and 2, which did depart from GAAS by creating the requirement that an auditor assess and report on the effectiveness of a public company’s internal control over its financial reporting.

JofA: Where do you see things heading?
Johnigan: It remains to be seen what state boards and other regulators will do. Will they set up dual standards for audits of public and private companies, or will they decide to mandate PCAOB standards for all entities? As it stands we have two sets of auditing standards, and many states are recognizing both. An important step the AICPA Council approved last fall was to include National Association of State Boards of Accountancy (NASBA) members on the auditing standards board (ASB). The AICPA, working with NASBA, has a lot to offer to the process of providing timely auditing guidance and standards.

JofA: Where do our courts fit in?
Johnigan: With two sets of standards, there’s some risk litigators may assert that the PCAOB’s apply to private companies, especially if an audit fails to discern a fraud. Consequently, what standards apply to public and private companies most likely will be tested in court. Presumably, if auditors note which set of standards they followed, the court should hold them to that set. Still, it remains to be seen how this will play out.

JofA: Could that perception affect private-sector companies?
Johnigan: I don’t want CPAs who work for privately held companies to feel left out of all the excitement. Sarbanes-Oxley provisions create a number of potential differences between public and private companies, ranging from the composition of audit committees to the extent of internal controls and even whether a company can make loans to its officers.

JofA: So where can a practitioner turn to get a handle on all this?
Johnigan: It makes sense for all of us, whether we audit or work with public or private companies, to pay attention to what the AICPA and PCAOB are doing. To see whether new developments have taken place, CPAs periodically should check the AICPA Sarbanes-Oxley Act/PCAOB Implementation Central Web site at
as well as look for updates at .

JofA: We’ve noted the regulatory changes resulting from high-profile cases. Looking now at the heart of the matter, what does “fraud” mean?
Johnigan: Since fraud is a broad legal concept we generally leave the specific definition to the legal community and the criminal justice system. However, CPAs who work for companies and who are auditors of companies are being directed to be the “watchdogs” and to “find the fraud.” Phrases to that effect have appeared in press releases, court decisions and plaintiffs’ briefs. Acknowledging that CPAs needed a definition with which to frame the nature of their work, the AICPA, in SAS no. 99, describes fraud within the framework an auditor applies: “intentional acts that result in a material misstatement in financial statements that are the subject of an audit.”

JofA: What is the difference between “fraud” and “error”?
Johnigan: The factor that distinguishes fraud from error is described as being “whether the underlying action that results in the misstatement of the financial statements is intentional or unintentional.” If the misleading act is intentional, then it’s fraud. That is key.

However, a CPA who participates in fraud investigations may work with a slightly different definition. For example, the AICPA Handbook of Fraud and Commercial Crime Prevention describes fraud as “criminal deception intended to financially benefit the deceiver.” In that definition it needs only to be intended to benefit the deceiver or, as some call them, the fraudster. If the criminal act fails because the deceiver isn’t any good at what he or she does, it still is a crime. In my work with the U.S. Attorney’s office, I’ve found the focus of an investigation to have subtle differences when viewed strictly through the criminal justice system.

JofA: Isn’t it difficult to determine intent?
Johnigan: Absolutely, and SAS no. 99 acknowledges that in footnote 4. It also says the auditor nevertheless has “to plan and perform an audit to obtain reasonable assurance about whether the financial statements are free of material misstatement [and] whether the misstatement is intentional or not.”

JofA: What types of fraud are relevant to an auditor?
Johnigan: There are two basic types: misstatements arising from fraudulent financial statements and misstatements arising from misappropriation of assets. The first type is the one we have been reading about in the press. Such fraud can be accomplished through a number of methods, usually falsified documents, the omission of significant events or the intentional misapplication of GAAP. I’m sure we all have read about or seen examples of falsified documents or a second set of books supported by manufactured documentation such as forged contracts or documents with altered sections. Omissions tend to represent significant events or transactions that could materially affect the financial statements, such as side agreements; these are often an issue in revenue recognition. An example of an intentional misapplication of GAAP was alleged with WorldCom, where it capitalized lease expenses.

JofA: What about the other type of fraud?
Johnigan: External auditors generally are concerned with misappropriation of assets, such as by theft or defalcation, when it results in material misstatement of the financial statements. The CPA working in the business enterprise may have a very different view from the external auditor of what is important in this area. While the outside auditor generally is concerned with material financial statement consequences, the internal CPA is more likely to focus on theft or misappropriations.

JofA: What kinds of cultures usually are breeding grounds for fraud?
Johnigan: A typical environment is one whose top leader has an autocratic management style. Some of the characteristics we see in companies ruled with an iron hand are an emphasis on dollars and cents; their goals are short-term and solely profit-focused; mistakes are not tolerated; there’s a high incidence of employee burnout; and there’s a highly emotional and feared CEO.

JofA: Business culture is a term that’s been connected to some of the biggest scandals, such as Tyco. What can be done to significantly reduce, or even eliminate, deficiencies in honesty and ethics?
Johnigan: We need to create stronger support for an ethically sound and honest environment. One source of information is Management Antifraud Programs and Controls, a paper commissioned by the ASB’s fraud task force and developed and issued jointly by the AICPA, Association of Certified Fraud Examiners [ACFE], Financial Executives International, Information Systems Audit and Control Association, Institute of Internal Auditors, Institute of Management Accountants and Society for Human Resource Management. It provides management guidance to accomplish the goal of creating the type of culture that we hope will prevent fraud.

JofA: To create a culture that encourages honesty and ethical behavior is no small task if it involves altering long-running practices.
Johnigan: No small task indeed! Let me discuss several important first steps:

Set the tone at the top. As Management Antifraud Programs and Controls states, “research in moral development strongly suggests that honesty can best be reinforced when a proper example is set.” In many cases we’ve read about in the press, top management’s pressure to meet the numbers at any cost influenced the behavior of individuals at varying levels below.

Create a positive workplace environment. Research shows that wrongdoing occurs less frequently when employees have positive feelings about an entity.

Hire and promote appropriate employees. This can be summed up simply: Put people you trust in positions of trust.

Train your employees. If you don’t tell people what’s required, don’t expect much. Employees need information about the company’s standards. Give explicit recommendations to communicate certain matters; list the types of matters; give information on how and to whom to communicate those matters.

Get confirmation. Ask each employee to periodically confirm the company code of ethics to reinforce the organization’s policies.

Administer discipline. What a company does when fraud occurs is very important. A cause-and-effect approach sends a message to all employees and is a deterrent. When an incident occurs, the company should immediately conduct a thorough investigation, take appropriate and consistent action against violators, assess and improve the relevant controls and communicate and implement training to reinforce the entity’s values, code of conduct and expectations.

JofA: Are you saying no matter how ethical a business culture is it still needs controls?
Johnigan: Absolutely. Fraud occurs if there is an “opportunity,” so companies should evaluate their environment. Identifying and measuring fraud risks will differ based on the company’s size and complexity. When you identify risks, you can find ways to mitigate them.

Let me give you an example. I serve as treasurer for a small not-for-profit in Dallas. The NPO has only one employee who, of course, does much of the work related to donations and handles the cash. I personally reconcile the office manager’s member donor list of gifts with the lists of donor requests sent. The list and mailings are controlled by a volunteer in charge of membership. Another volunteer reconciles bank accounts, and checks are signed by at least two individuals, neither of them the office manager. All payments are matched to designated programs, and we don’t pay unless there is an adequate balance. The beneficiary organization for which we raise funds approves all expenditures.

We report detailed financial results quarterly to the executive committee and the board of directors. I focus on the amount of revenue received and get the other volunteers with assigned roles to monitor results in each of their revenue areas. That’s about all I could think of to do, and I am sure there are those in the organization who think it is overkill. I based the procedures on my view of what is required to reduce opportunity so a perfectly wonderful office manager would not be put at risk due to our lack of oversight.

JofA: We’ve talked about regulation, fraud and its prevention—what about detection?
Johnigan: The question of who can and should detect fraud is being looked at more closely now. At the 2003 Fraud and Litigation Services Conference, KPMG’s Ron Durkin and Tim Hedley talked about SAS no. 99 and forensic procedures and described the KPMG 2003 fraud survey, which included statistics about who detects fraud ( ). The ACFE also has traditionally performed research in this area, and its 2004 Report to the Nation, based on a study of more than 500 frauds involving $761 million in losses, said the best sources of detection were employee tips ( ). It’s logical to think that tools to provide greater fraud detection are needed. The KPMG study ranked internal auditors higher than external auditors in their capacity to detect.

JofA: Is any system perfect?
Johnigan: : No. Let’s face it; detecting fraud is not easy. There’s a reason the AICPA included in SAS no. 99 the statement: “Absolute assurance is not attainable and thus even a properly planned and performed audit may not detect a material misstatement resulting from fraud.”

JofA: Is this where whistle-blowers play a role?
Johnigan: I believe so. Fraud detection seems to have a strong support group in whistle-blowers. In the ACFE 2004 study, about 40% of frauds were discovered through whistle-blowers. The effect of that was not lost on Congress. Section 806 of Sarbanes-Oxley offers protection for employees who provide evidence of fraud. And section 301, which is directed at the responsibilities of the public company audit committees, includes the statement, “The audit committee shall establish procedures for the ‘receipt, retention, and treatment of complaints’ received by the issuer regarding accounting, internal controls, and auditing.”

Although the above are specifically public-company rules, I recommend that private companies consider the same. As for auditors of private or public companies, ignore whistle-blowers at your peril. A number of high-profile cases have involved whistle-blowers: Baptist Foundation in Arizona, Enron and many others that didn’t make the press but did make a dent in someone’s pocket. Whistle-blowers may not always be right, but they shouldn’t be ignored.

JofA: So how does the term forensic fit practitioners who investigate fraud?
Johnigan: A “forensic CPA” or “forensic specialist” is a professional who investigates fraud when litigation is threatened or pending or when an investigation is called for in circumstances that don’t involve a court setting. In the dictionary the word forensic means “belonging to courts.” In the course of performing a “traditional” audit an auditor may wind up investigating a fraud. The line can be blurred when a CPA crosses over into the role of forensic CPA.

JofA: Doesn’t SAS no. 99 refer to “forensic specialist”?
Johnigan: : Yes. SAS no. 99 refers to assigning persons with specialized skills and knowledge, such as forensic specialists, when responding to an identified risk of material misstatement. The role of forensic specialists can vary according to whether they are brought in due to a perception of risk or after there’s been a discovery of fraud. Materiality considerations when there is simply a perception of risk will normally depend on overall audit considerations.

JofA: What are the relevant forensic investigation standards?
Johnigan: There are a variety of AICPA standards to look at, such as the Code of Professional Conduct, consulting standards, auditing standards and attest standards. In looking for a way to sort through the possible standards a good starting point is AICPA Consulting Services Special Report 03-1, Litigation Services and Applicable Professional Standards. One of the appendices [appendix B] contains a decision tree that helps explain what standards apply in different circumstances.

JofA: Where is the profession headed in this new era of financial accountability? Start with CPAs working inside public companies.
Johnigan: I’ll begin by saying that Sarbanes-Oxley is here to stay, so don’t fight it. Second, be supportive of active, involved audit committees, increased focus on internal controls, a strong code of ethics and support for whistle-blower hot lines. Finally, for those in the private sector, take an active interest in the audit and work with your external auditors.

JofA: What about CPAs working inside private companies?
Johnigan: I recommend monitoring the SEC, PCAOB and AICPA Web sites. Think of Sarbanes-Oxley as a menu—are you sure that some of the provisions wouldn’t look good on your plate? Finally, if about 40% of frauds were detected as a result of whistle-blowers, doesn’t a hot line make sense for you, too?

JofA: And what about CPAs who work as auditors?
Johnigan: I cannot stress enough that before accepting an engagement you should consider whether you have the necessary skills and you know enough to assess the risk. If you don’t, can you accept the assignment? If you do, then as you work on the engagement, be aware of any changes in your client such as new management, a new line of business, unexplained changes in suppliers, new compensation arrangements and/or sudden performance improvement over competitors.

JofA: If there was one overarching recommendation you could make to CPAs in this new reporting era, what would it be?
Johnigan: Be willing to acknowledge that our mission is to restore the public trust and bring fraud under control.

Books and special reports
AICPA Consulting Services Special Report 03-1, Litigation Services and Applicable Professional Standards. (# 055297JA).

CPA’s Handbook of Fraud and Commercial Crime Prevention (# 56504JA).

Financial Reporting Fraud: A Practical Guide to Detection and Internal Control (# 029879JA).

General Audit Risk Alert (# 022334JA).

How to Prevent, Deter and Detect Fraud in Your Business (a brochure CPAs can give to clients) (# 018200JA).

Practice Aid, Fraud Detection in a GAAS Audit—Revised Edition (# 006615JA).

SAS no. 99, Consideration of Fraud in a Financial Statement Audit (# 060701JA).

Finding the Truth: Effective Techniques for Interview and Communication (# 730164JA).

Fraud and the Financial Statement Audit: Auditor Responsibilities Under SAS 99. Available in DVD/Manual (# 181821JA), VHS/Manual (# 181811JA) or self-study text (# 731811JA).

How Fraud Hurts You and Your Organization, a free CD-ROM; $8 shipping fee (# 056513JA).

Identifying Fraudulent Financial Transactions (# 730244JA).

Income Reconstruction: A Guide to Uncovering Unreported Income (# 056500JA).

Introduction to Fraud Examination and Criminal Behavior (# 730275JA).

Revenue Recognition in Today’s Business Climate (# 732420JA).

Score an A+ on Your Next Peer Review (# 731691JA).

Small Business Audits: Balancing Risk, Effectiveness and Efficiency in Today’s World (# 732430JA).


AICPA Conference on Advanced Litigation Services
and Fraud, September 27–29, 2004
JW Marriott Desert Ridge, Phoenix

Antifraud initiatives

Antifraud and Corporate Responsibility Resource Center, .

SAS no. 99 information.

Management Antifraud Programs and Controls (SAS no. 99 exhibit).

Fraud Specialist Competency Model.

Free corporate fraud-prevention training and CPE.

Academia outreach and assistance.

Other antifraud activities.

For more information, to place an order or to register, go to or call the Institute at 888-777-7077.

Steven E. Sacks, CPA, is owner of Solutions to Results LLC, Fair Lawn, New Jersey, and specializes in strategic planning, communications and education development. He formerly headed consulting services at the AICPA and the development of the ABV credential program. His e-mail address is .


Implementing a global statutory reporting maturity model

Assess your organization's capabilities and progress toward an ideal state of global statutory reporting. Sponsored by Workiva.


Black CPA Centennial, 1921–2021

With 2021 marking the 100th anniversary of the first Black licensed CPA in the United States, a yearlong campaign kicked off to recognize the nation’s Black CPAs and encourage greater progress in diversity, inclusion, and equity in the CPA profession.