Friday 10 July 2020

Corporate Fraud Part 2 -- An Alternative Proposal for Enchancing Detection

Abu Arqala Publishes His Proposal

In the previous post, I expressed some concerns about a proposal to combat corporate fraud.

Saying that a particular solution seems unworkable or difficult to implement isn’t really of much utility.

Don’t tell me what can’t be done. Tell me what can.

The point is to outline a possible solution.

What then is AA’s alternative? What is to be done?

To start we have to accept that just as with corporate misgovernance there is no financial equivalent of hydroxychloroquine that is a sure cure. 

Because fraud is not just equivalent of a bad “flu”, financial or otherwise, and won't just go away in July or some other month, we do have to take action.

To that end I offer this alternative proposal which seeks to use existing structures to enhance current risk disclosures and promote risk-based auditing.

A key goal is turning auditors’ attention and action away from what appears to be a sole focus on policies, internal processes and controls, and pieces of paper.

As the old joke goes, if it isn’t written down, it doesn’t exist for an auditor.

The real risk with that mentality is the converse.

If an auditor has a piece of paper—a confirmation, a copy of a contract, etc.--the existence of an asset or liability or a business relationship is a proven fact.

The steps I’m proposing would not mean that auditors would abandon examining adherence to financial reporting and accounting standards, reviewing internal controls and processes for adequacy, nor performing many paper based audit activities, including confirmations, nor issuing opinions on those matters.

Because the majority of companies do not engage in major fraud, that current audit work provides needed information to a wide range of third parties, e.g. shareholders, other investors, lenders, business partners, etc. And so it should continue.

If a company is fraud free, an investor is still going to want to know if the company is following accepted accounting principles, has proper accounting systems and internal controls, has documentary evidence to back up transactions, etc. That it uses reasonable assumptions when valuing hard-to-value assets.

One doesn’t want to invest one’s money with or make a loan to an honest but incompetent or disorganized company.

So my proposals are designed to leave those aspects of auditing in place but enhance the extent of auditors’ work.

First, emphasize the need for auditors to identify if the company has any serious or unusual risks in its business model or practices, including unusual vulnerabilities.

If such risks are found, require that they are disclosed in a clear form in a company’s audited financial statements.

When those risks are pose substantial or unusual vulnerabilities, auditors should include these in the “key audit matters” section of their audit opinion. That would require that they discuss the existence and materiality of such “matters”; describe the additional audit work they have performed to address them; and their resulting assessment on that matter.

If they don’t reach the level of a “key audit matter”, they should be noted and addressed/focused on in the audit plan. 

The goal is not to come up with a laundry list of every potential risk factor similar to a bond or stock offering memorandum which is primarily a CYA or more accurately a CYLE (cover your legal exposure) exercise for the underwriting/offering banks and the issuer. 

All business are subject to a variety of risks.

The point is to identify those risks or vulnerabilities that are not obvious and have a material impact. 

This will become clearer in the post to follow where I outline this “point” applied in actual cases or hypothesize how it might have been applied at Wirecard or Hin Leong Trading.

Second, require that auditing procedures be scaled to risk of an individual asset, liability, etc.

For example, one should not use the same method to verify bank deposits of Euros 1.9 billion that one uses to confirm a USD 100,000 receivable. 

What are these two principles designed to achieve?

The first is designed to alert market participants, lenders, and regulators of vulnerabilities and dependencies that could have a material affect on the company’s health. To raise a red flag. 

That's important because fighting fraud is not the sole job of one group any more than corporate governance is

What that means is that for this aspect of point one to work someone out there has to be "listening".  If the "flag" is missed, the chances of uncovering the fraud decrease. 

It is also intended to cause the auditor to focus on a class of risks that seem often to be overlooked at least in some cases. 

That serves as the "back-up" if no one is listening.

Auditors are already required to assess a company’s risks and then develop a specific audit plan of work to ensure appropriate audit work is done on these areas. So this is a reminder with emphasis of this existing requirement.

But if they don’t focus on this latter class of risks, there is a real danger—as perhaps evidenced by some recent fraud cases—that they will not undertake the work they should have to address these issues.

The second is designed to "force" auditors to scale audit work to risks.

What’s the relation to fraud?

As I noted in an earlier post, many but not all types of fraud necessarily require the overstatement of assets. 

We’re most concerned with major frauds that threaten the viability of a company that is the reason for risk based scaling of audit work.

At first blush, this may sound like a good proposal. Or at least that's what I tell myself.

But it is not a panacea. There are no 100% solutions.

Why?

As to reliance on large numbers of market participants reacting to alerts (the first point), if you’ve read this blog before, you know I have little faith in the mythology of efficient markets.

Not no faith. Just a slight bit more than I have in the “Power Ponies”.

Admittedly, I’m banking on a very small number of market participants to read, understand, and then take action on any red flags raised by disclosure of these sort of business risks.  

That being said, just a few persistent sharp investigative (but probably underpaid) journalists at the FT played a major role in uncovering NMC and Wirecard
.
But, the effectiveness of this point doesn't just rely on those sort of market participants.

Widening auditors' risk focus and thus getting them to adjust their audit focus and work should also contribute to detection, particularly because they have access to detailed company financial information that other market participants don't.

But neither of these two intended goals will result in fraud detection all the time.

That’s the reason for the second point.

That’s why it’s in some respects more important than the first. 

Enhanced audit work. Moving beyond the tick-the-box approach to one that is based on risk. The more risk the more work required.

Why is that important?

As I’ve argued, “fiddling” with the income statement requires “fiddling” with the balance sheet pretty much dollar for dollar.

Major fraud requires major fiddling.  

If audit procedures disclose that assets are overvalued or non existent, it’s very good sign that the income statement has been overstated and income is non existent. And vice versa.

There are other cases of fraud that might be detected by enhanced audit work to confirm the existence of an asset or its carrying value.

Some examples.

Knowingly exchanging one asset for another of lesser or of no value.

Or, as happened at Hin Leong Trading, selling inventory without recognizing the sale in the accounts.

Failure to recognize the financial impact of a “good” transaction that has gone bad. A receivable associated with a legitimate sale turns out to be uncollectable. An asset purchased in good faith goes “south”. But there is no charge to the income statement or to equity.

Harder to detect frauds would be inflating expenses to take cash out of the firm. For example, overpaying for goods or services actually received. Or paying for non existent services.

Note in the second part of the previous sentence I’ve eliminated “goods”. It’s much easier to determine that an asset doesn’t exist, than it is that a service wasn’t performed. Or performed in full.

Enhanced audit procedures should lead to discovery of some and perhaps even many of those frauds, primarily those likely to have a material adverse impact on the company. 

Smaller amount items are likely to remain undetected. 

All well and good, you might say. But what about other cases of fraud like NMC where billions of US dollars in liabilities were not recorded in the financials.

Indeed.

These are extremely difficult to detect.

The “first line” of defense is the auditor’s confirm from lenders or providers of funds. This is not ironclad because auditors do not send confirms for each and every loan or other asset of the lender. 

If clever people are perpetrating the fraud, they may arrange a fraudulent reply to the confirms.  

One might hope that as part of annual credit reviews, lenders and other providers of funds look to see if their debt is reflected in the borrower's financials.  They have the details that generally should enable them to identify their debt, e.g., rate, tenor, currency in the absence of their name in the financials.

Banking on "hope" is a endeavor with limited probabilities of success.

Other difficult to detect frauds involve hard-to-value assets, e.g., non listed investments, or real estate. 

Slight changes in assumptions can result in large changes in value. If stock analysts have trouble accurately valuing listed securities, it’s unlikely that accountants or even forensic accountants will fare better.

Enhanced audit work (my second point) does not provide an airtight solution. It does, however, raise the odds of detection.

That means that at best my proposal will not detect all fraud, but it might result in more fraud being detected than currently.

In a post to follow, I’ll detail how both steps have been applied and might have been applied at Wirecard and Hin Leong.  The latter by drawing on my legendary powers of 20/20 hindsight.

No comments: