Incentives that reward individuals for
short-term results, a culture that has been
insufficiently vigilant, advances in technology and
more sophisticated business transactions have
increased opportunities for fraud and abuse and
enabled fraudsters to flourish. Consider this: 75%
of companies responding to a 2003 KPMG fraud survey
said they had experienced at least one instance of
fraud—a 13% increase over KPMG’s 1998 survey. While
employee fraud appeared to be the most common type,
financial reporting and medical/insurance fraud were
the most costly. And the number of cases more than
doubled from 1998 to 2003.
The shakeout has been
wrenching. Over the past two and a half years the
stream of news about Enron, Global Crossing,
WorldCom, Adelphia and other high-visibility fraud
cases has resulted in a tremendous loss of market
capitalization. To stem the tide and restore
confidence in the capital markets, Congress passed
the Sarbanes-Oxley Act of 2002, which clearly
delineates the roles of senior management, boards
of directors, audit committees and outside
auditors. Although it’s not possible to detect
every instance of fraud, now all parties
responsible for financial reporting and internal
control must exercise greater vigilance.
Offering a view from the trenches about the
daily challenges CPAs face in this arena, Sandra
Johnigan, a Dallas CPA and chairperson of the
AICPA’s forensic and litigation services
committee, shared her views with the Journal
of Accountancy about why corporate fraud
has become such a critical concern for the CPA
profession and what—in addition to SAS no. 99 and
other AICPA initiatives (see “Resources”)—is being
done to improve performance and rebuild the
How is the public focus on fraud affecting the
Johnigan: If you work for a
public company, serve on a public company board or
audit public companies, you already are dealing
with the Sarbanes-Oxley Act and the Public Company
Accounting Oversight Board [PCAOB]. Fraud was one
of the driving forces responsible for both the
passage of Sarbanes-Oxley and the formation of the
PCAOB. They already have had a big effect on CPAs
and how they carry out their responsibilities.
How concerned should I be with Sarbanes-Oxley
if I’m involved with only private companies?
Johnigan: The initial focus has
been on public companies, but this does not mean
board members, owners, employees or auditors of
private companies (including nonprofits and state
and local entities) should ignore what’s going on.
Large ripple effects could end up having an impact
on those in the private sector as well. If you are
a consultant or auditor, your challenges are tied
directly to the issues facing both public and
privately held companies. One challenge is to make
sure private-company owners and management
understand the risk of fraud in their companies
and accept responsibility for strong corporate
governance and strong internal controls that will
help prevent and deter fraud.
Are you surprised Congress was able to pass
the act with the speed at which it did, given
the far-reaching impact from both a regulatory
and a profession-wide standpoint?
Johnigan: It’s hard to believe
now, but at one point Sarbanes-Oxley was given
almost no chance of passage, at least in its
current form. It had started out as a reaction to
Enron, but as that was becoming old news and the
legislation was faltering, along came WorldCom.
WorldCom’s problems were disclosed in late June
2002, when the company announced it had
understated expenses by $3.8 billion. Exactly one
month later, on July 25, 2002, the House and
Senate approved the conference report on the
Sarbanes-Oxley legislation by votes of 423 to 3
and 99 to 0, respectively. The president signed
the bill on July 30. The focus on fraud was clear
in the president’s speech when he said: “This law
says to every dishonest corporate leader: You’ll
be exposed and punished. The era of low standards
and false profits is over. No boardroom in America
is above or beyond the law.”
So Sarbanes-Oxley created a forum through
which management can be called to account for
its actions. Does it address the willful
misleading of auditors?
Johnigan: To paraphrase section
303 of the act, it’s illegal for any company
officer or director to fraudulently influence or
mislead any CPA engaged in the performance of an
audit of financial statements or to cause the
statements to be materially misleading. The SEC,
in its release no. 34-47890, expanded on an
existing rule dealing with improper influence by
amending the rule to include any other person
acting “under the direction” of officers and
directors, replacing the previous “under the
supervision” of officers and directors rule.
Is the locus of “improper influence” limited
to company employees?
Johnigan: The language “under the
direction” extends the rule well beyond employees
to cover attorneys, customers, vendors, creditors
and underwriters if they provide false or
misleading confirmations to auditors or otherwise
try to mislead them.
Can you give us some examples of “improper
influence” under the SEC definition?
Johnigan: It can be a situation
where a company provides an auditor with
inaccurate or misleading legal analysis or
threatens to cancel an existing or future audit
(or nonaudit) engagement or to remove a partner
from an audit engagement if the auditor challenges
a treatment of an accounting issue.
Let’s talk about PCAOB Auditing Standard no.
1, effective May 24, 2004. It requires that
“auditors’ reports on audits and other
engagements relating to public companies and
other issuers include a reference that the
engagement was performed in accordance with the
standards of the PCAOB.” This replaces the
previous reference to generally accepted
auditing standards. Doesn’t this create
confusion in the marketplace because there are
now, in effect, two sets of standards?
Johnigan: The issue is just
beginning to have an impact. The PCAOB, in release
no. 2003-006, established interim standards that
were tantamount to GAAS as they existed on April
16, 2003. The SEC also approved those standards in
release no. 8222. It subsequently approved PCAOB
Auditing Standards nos. 1 and 2, which did depart
from GAAS by creating the requirement that an
auditor assess and report on the effectiveness of
a public company’s internal control over its
Where do you see things heading?
Johnigan: It remains to be seen
what state boards and other regulators will do.
Will they set up dual standards for audits of
public and private companies, or will they decide
to mandate PCAOB standards for all entities? As it
stands we have two sets of auditing standards, and
many states are recognizing both. An important
step the AICPA Council approved last fall was to
include National Association of State Boards of
Accountancy (NASBA) members on the auditing
standards board (ASB). The AICPA, working with
NASBA, has a lot to offer to the process of
providing timely auditing guidance and standards.
Where do our courts fit in?
Johnigan: With two sets of
standards, there’s some risk litigators may assert
that the PCAOB’s apply to private companies,
especially if an audit fails to discern a fraud.
Consequently, what standards apply to public and
private companies most likely will be tested in
court. Presumably, if auditors note which set of
standards they followed, the court should hold
them to that set. Still, it remains to be seen how
this will play out.
Could that perception affect private-sector
Johnigan: I don’t want CPAs who
work for privately held companies to feel left out
of all the excitement. Sarbanes-Oxley provisions
create a number of potential differences between
public and private companies, ranging from the
composition of audit committees to the extent of
internal controls and even whether a company can
make loans to its officers.
So where can a practitioner turn to get a
handle on all this?
Johnigan: It makes sense for all
of us, whether we audit or work with public or
private companies, to pay attention to what the
AICPA and PCAOB are doing. To see whether new
developments have taken place, CPAs periodically
should check the AICPA Sarbanes-Oxley Act/PCAOB
Implementation Central Web site at
http://cpcaf.aicpa.org/Resources/Sarbanes+Oxley/The+Changing+Regulatory+Landscape.htm
as well as look for updates at www.pcaobus.org.
We’ve noted the regulatory changes resulting
from high-profile cases. Looking now at the
heart of the matter, what does “fraud” mean?
Johnigan: Since fraud is a broad
legal concept we generally leave the specific
definition to the legal community and the criminal
justice system. However, CPAs who work for
companies and who are auditors of companies are
being directed to be the “watchdogs” and to “find
the fraud.” Phrases to that effect have appeared
in press releases, court decisions and plaintiffs’
briefs. Acknowledging that CPAs needed a
definition with which to frame the nature of their
work, the AICPA, in SAS no. 99, describes fraud
within the framework an auditor applies:
“intentional acts that result in a material
misstatement in financial statements that are the
subject of an audit.”
What is the difference between “fraud” and
Johnigan: The factor that
distinguishes fraud from error is described as
being “whether the underlying action that results
in the misstatement of the financial statements is
intentional or unintentional.” If the misleading
act is intentional, then it’s fraud. That is key.
However, a CPA who participates in fraud
investigations may work with a slightly different
definition. For example, the AICPA Handbook of
Fraud and Commercial Crime Prevention
describes fraud as “criminal deception
intended to financially benefit the deceiver.” In
that definition it needs only to be intended to
benefit the deceiver or, as some call them, the
fraudster. If the criminal act fails because the
deceiver isn’t any good at what he or she does, it
still is a crime. In my work with the U.S.
Attorney’s office, I’ve found the focus of an
investigation to have subtle differences when
viewed strictly through the criminal justice
Isn’t it difficult to determine intent?
Johnigan: Absolutely, and SAS no.
99 acknowledges that in footnote 4. It also says
the auditor nevertheless has “to plan and perform
an audit to obtain reasonable assurance about
whether the financial statements are free of
material misstatement [and] whether the
misstatement is intentional or not.”
What types of fraud are relevant to an
Johnigan: There are two basic
types: misstatements arising from fraudulent
financial statements and misstatements arising
from misappropriation of assets. The first type is
the one we have been reading about in the press.
Such fraud can be accomplished through a number of
methods, usually falsified documents, the omission
of significant events or the intentional
misapplication of GAAP. I’m sure we all have read
about or seen examples of falsified documents or a
second set of books supported by manufactured
documentation such as forged contracts or
documents with altered sections. Omissions tend to
represent significant events or transactions that
could materially affect the financial statements,
such as side agreements; these are often an issue
in revenue recognition. An example of an
intentional misapplication of GAAP was alleged
with WorldCom, where it capitalized lease
What about the other type of fraud?
Johnigan: External auditors
generally are concerned with misappropriation of
assets, such as by theft or defalcation, when it
results in material misstatement of the financial
statements. The CPA working in the business
enterprise may have a very different view from the
external auditor of what is important in this
area. While the outside auditor generally is
concerned with material financial statement
consequences, the internal CPA is more likely to
focus on theft or misappropriations.
What kinds of cultures usually are breeding
grounds for fraud?
Johnigan: A typical environment
is one whose top leader has an autocratic
management style. Some of the characteristics we
see in companies ruled with an iron hand are an
emphasis on dollars and cents; their goals are
short-term and solely profit-focused; mistakes are
not tolerated; there’s a high incidence of
employee burnout; and there’s a highly emotional
and feared CEO.
Business culture is a term that’s been
connected to some of the biggest scandals, such
as Tyco. What can be done to significantly
reduce, or even eliminate, deficiencies in
honesty and ethics?
Johnigan: We need to create
stronger support for an ethically sound and honest
environment. One source of information is
Management Antifraud Programs and Controls,
a paper commissioned by the ASB’s fraud task
force and developed and issued jointly by the
AICPA, Association of Certified Fraud Examiners
[ACFE], Financial Executives International,
Information Systems Audit and Control Association,
Institute of Internal Auditors, Institute of
Management Accountants and Society for Human
Resource Management. It provides management
guidance to accomplish the goal of creating the
type of culture that we hope will prevent fraud.
To create a culture that encourages honesty
and ethical behavior is no small task if it
involves altering long-running practices.
Johnigan: No small task indeed!
Let me discuss several important first steps:
Set the tone at the top. As
Management Antifraud Programs and Controls
states, “research in moral development
strongly suggests that honesty can best be
reinforced when a proper example is set.” In many
cases we’ve read about in the press, top
management’s pressure to meet the numbers at any
cost influenced the behavior of individuals at
varying levels below.
Create a positive workplace
environment. Research shows that wrongdoing occurs
less frequently when employees have positive
feelings about an entity.
Hire and promote appropriate
employees. This can be summed up simply: Put
people you trust in positions of trust.
Train your employees. If you don’t
tell people what’s required, don’t expect much.
Employees need information about the company’s
standards. Give explicit recommendations to
communicate certain matters; list the types of
matters; give information on how and to whom to
communicate those matters.
Get confirmation. Ask each employee
to periodically confirm the company code of ethics
to reinforce the organization’s policies.
Administer discipline. What a company
does when fraud occurs is very important. A
cause-and-effect approach sends a message to all
employees and is a deterrent. When an incident
occurs, the company should immediately conduct a
thorough investigation, take appropriate and
consistent action against violators, assess and
improve the relevant controls and communicate and
implement training to reinforce the entity’s
values, code of conduct and expectations.
Are you saying no matter how ethical a
business culture is it still needs controls?
Johnigan: Absolutely. Fraud
occurs if there is an “opportunity,” so companies
should evaluate their environment. Identifying and
measuring fraud risks will differ based on the
company’s size and complexity. When you identify
risks, you can find ways to mitigate them.
Let me give you an example. I serve as
treasurer for a small not-for-profit in Dallas.
The NPO has only one employee who, of course, does
much of the work related to donations and handles
the cash. I personally reconcile the office
manager’s member donor list of gifts with the
lists of donor requests sent. The list and
mailings are controlled by a volunteer in charge
of membership. Another volunteer reconciles bank
accounts, and checks are signed by at least two
individuals, neither of them the office manager.
All payments are matched to designated programs,
and we don’t pay unless there is an adequate
balance. The beneficiary organization for which we
raise funds approves all expenditures.
report detailed financial results quarterly to the
executive committee and the board of directors. I
focus on the amount of revenue received and get
the other volunteers with assigned roles to
monitor results in each of their revenue areas.
That’s about all I could think of to do, and I am
sure there are those in the organization who think
it is overkill. I based the procedures on my view
of what is required to reduce opportunity so a
perfectly wonderful office manager would not be
put at risk due to our lack of oversight.
We’ve talked about regulation, fraud and its
prevention—what about detection?
Johnigan: The question of who can
and should detect fraud is being looked at more
closely now. At the 2003 Fraud and Litigation
Services Conference, KPMG’s Ron Durkin and Tim
Hedley talked about SAS no. 99 and forensic
procedures and described the KPMG 2003 fraud
survey, which included statistics about who
detects fraud. The ACFE also has traditionally performed
research in this area, and its 2004 Report to the
Nation, based on a study of more than 500 frauds
involving $761 million in losses, said the best
sources of detection were employee tips
(www.cfenet.com/report). It’s logical to think that tools to provide
greater fraud detection are needed. The KPMG study
ranked internal auditors higher than external
auditors in their capacity to detect.
Is any system perfect?
Johnigan: No. Let’s face it;
detecting fraud is not easy. There’s a reason the
AICPA included in SAS no. 99 the statement:
“Absolute assurance is not attainable and thus
even a properly planned and performed audit may
not detect a material misstatement resulting from
Is this where whistle-blowers play a role?
Johnigan: I believe so. Fraud
detection seems to have a strong support group in
whistle-blowers. In the ACFE 2004 study, about 40%
of frauds were discovered through whistle-blowers.
The effect of that was not lost on Congress.
Section 806 of Sarbanes-Oxley offers protection
for employees who provide evidence of fraud. And
section 301, which is directed at the
responsibilities of the public company audit
committees, includes the statement, “The audit
committee shall establish procedures for the
‘receipt, retention, and treatment of complaints’
received by the issuer regarding accounting,
internal controls, and auditing.”
the above are specifically public-company rules, I
recommend that private companies consider the
same. As for auditors of private or public
companies, ignore whistle-blowers at your peril. A
number of high-profile cases have involved
whistle-blowers: Baptist Foundation in Arizona,
Enron and many others that didn’t make the press
but did make a dent in someone’s pocket.
Whistle-blowers may not always be right, but they
shouldn’t be ignored.
So how does the term forensic fit
practitioners who investigate fraud?
Johnigan: A “forensic CPA” or
“forensic specialist” is a professional who
investigates fraud when litigation is threatened
or pending or when an investigation is called for
in circumstances that don’t involve a court
setting. In the dictionary the word forensic
means “belonging to courts.” In the course of
performing a “traditional” audit an auditor may
wind up investigating a fraud. The line can be
blurred when a CPA crosses over into the role of
Doesn’t SAS no. 99 refer to “forensic
Johnigan: Yes. SAS no. 99
refers to assigning persons with specialized
skills and knowledge, such as forensic
specialists, when responding to an identified risk
of material misstatement. The role of forensic
specialists can vary according to whether they are
brought in due to a perception of risk or after
there’s been a discovery of fraud. Materiality
considerations when there is simply a perception
of risk will normally depend on overall audit
What are the relevant forensic investigation
Johnigan: There are a variety of
AICPA standards to look at, such as the Code of
Professional Conduct, consulting standards,
auditing standards and attest standards. In
looking for a way to sort through the possible
standards a good starting point is AICPA
Consulting Services Special Report 03-1,
Litigation Services and Applicable
Professional Standards. One of the
appendices [appendix B] contains a decision tree
that helps explain what standards apply in
Where is the profession headed in this new era
of financial accountability? Start with CPAs
working inside public companies.
Johnigan: I’ll begin by saying
that Sarbanes-Oxley is here to stay, so don’t
fight it. Second, be supportive of active,
involved audit committees, increased focus on
internal controls, a strong code of ethics and
support for whistle-blower hot lines. Finally, for
those in the private sector, take an active
interest in the audit and work with your external
What about CPAs working inside private
Johnigan: I recommend monitoring
the SEC, PCAOB and AICPA Web sites. Think of
Sarbanes-Oxley as a menu—are you sure that some of
the provisions wouldn’t look good on your plate?
Finally, if about 40% of frauds were detected as a
result of whistle-blowers, doesn’t a hot line make
sense for you, too?
And what about CPAs who work as auditors?
Johnigan: I cannot stress enough
that before accepting an engagement you should
consider whether you have the necessary skills and
you know enough to assess the risk. If you don’t,
can you accept the assignment? If you do, then as
you work on the engagement, be aware of any
changes in your client such as new management, a
new line of business, unexplained changes in
suppliers, new compensation arrangements and/or
sudden performance improvement over competitors.
If there was one overarching recommendation
you could make to CPAs in this new reporting
era, what would it be?
Johnigan: Be willing to
acknowledge that our mission is to restore the
public trust and bring fraud under control.