Abu Arqala Publishes His Proposal
In the previous post, I expressed some concerns about a proposal to combat corporate fraud.
Saying that a particular solution seems unworkable or difficult to implement isn’t really of much utility.
Don’t tell me what can’t be done. Tell me what can.
The point is to outline a possible solution.
What then is AA’s alternative? What is to be done?
To start we have to accept that, just as with corporate misgovernance, there is no financial equivalent of hydroxychloroquine that is a sure cure.
Because fraud is not just the equivalent of a bad “flu”, financial or otherwise, and won't just go away in July or some other month, we do have to take action.
To that end I offer this alternative proposal, which seeks to use existing structures to enhance current risk disclosures and promote risk-based auditing.
A key goal is turning auditors’ attention and action away from what appears to be a sole focus on policies, internal processes and controls, and pieces of paper.
As the old joke goes, if it isn’t written down, it doesn’t exist for an auditor.
The real risk with that mentality is the converse.
If an auditor has a piece of paper (a confirmation, a copy of a contract, etc.), the existence of an asset or liability or a business relationship is a proven fact.
The steps I’m proposing would not mean that auditors would abandon examining adherence to financial reporting and accounting standards, reviewing internal controls and processes for adequacy, performing many paper-based audit activities, including confirmations, or issuing opinions on those matters.
Because the majority of companies do not engage in major fraud, that current audit work provides needed information to a wide range of third parties, e.g. shareholders, other investors, lenders, business partners, etc. And so it should continue.
If a company is fraud free, an investor is still going to want to know if the company is following accepted accounting principles, has proper accounting systems and internal controls, has documentary evidence to back up transactions, etc., and that it uses reasonable assumptions when valuing hard-to-value assets.
One doesn’t want to invest one’s money with or make a loan to an honest but incompetent or disorganized company.
So my proposals are designed to leave those aspects of auditing in place but enhance the extent of auditors’ work.
First, emphasize the need for auditors to identify if the company has any serious or unusual risks in its business model or practices, including unusual vulnerabilities.
If such risks are found, require that they are disclosed in a clear form in a company’s audited financial statements.
When those risks pose substantial or unusual vulnerabilities, auditors should include these in the “key audit matters” section of their audit opinion. That would require that they discuss the existence and materiality of such “matters”, describe the additional audit work they have performed to address them, and state their resulting assessment on that matter.
If they don’t reach the level of a “key audit matter”, they should be noted and addressed/focused on in the audit plan.
The goal is not to come up with a laundry list of every potential risk factor, similar to a bond or stock offering memorandum, which is primarily a CYA or more accurately a CYLE (cover your legal exposure) exercise for the underwriting/offering banks and the issuer.
All businesses are subject to a variety of risks.
The point is to identify those risks or vulnerabilities that are not obvious and have a material impact.
This will become clearer in the post to follow where I outline this “point” applied in actual cases or hypothesize how it might have been applied at Wirecard or Hin Leong Trading.
Second, require that auditing procedures be scaled to the risk of an individual asset, liability, etc.
For example, one should not use the same method to verify bank deposits of Euros 1.9 billion that one uses to confirm a USD 100,000 receivable.
What are these two principles designed to achieve?
The first is designed to alert market participants, lenders, and regulators of vulnerabilities and dependencies that could have a material effect on the company’s health. To raise a red flag.
That's important because fighting fraud is not the sole job of one group any more than corporate governance is.
What that means is that for this aspect of point one to work someone out there has to be "listening". If the "flag" is missed, the chances of uncovering the fraud decrease.
It is also intended to cause the auditor to focus on a class of risks that seem often to be overlooked, at least in some cases.
That serves as the "back-up" if no one is listening.
Auditors are already required to assess a company’s risks and then develop a specific audit plan of work to ensure appropriate audit work is done on these areas. So this is a reminder, with emphasis, of this existing requirement.
But if they don’t focus on this latter class of risks, there is a real danger, as perhaps evidenced by some recent fraud cases, that they will not undertake the work they should have to address these issues.
The second is designed to "force" auditors to scale audit work to risks.
What’s the relation to fraud?
As I noted in an earlier post, many but not all types of fraud necessarily require the overstatement of assets.
We’re most concerned with major frauds that threaten the viability of a company; that is the reason for risk-based scaling of audit work.
At first blush, this may sound like a good proposal. Or at least that's what I tell myself.
But it is not a panacea. There are no 100% solutions.
Why?
As to reliance on large numbers of market participants reacting to alerts (the first point), if you’ve read this blog before, you know I have little faith in the mythology of efficient markets.
Not no faith.
Just a slight bit more than I have in the “Power Ponies”.
Admittedly, I’m banking on a very small number of market participants to read, understand, and then take action on any red flags raised by disclosure of these sorts of business risks.
That being said, just a few persistent, sharp investigative (but probably underpaid) journalists at the FT played a major role in uncovering NMC and Wirecard.
But the effectiveness of this point doesn't just rely on those sorts of market participants.
Widening auditors' risk focus and thus getting them to adjust their audit focus and work should also contribute to detection, particularly because they have access to detailed company financial information that other market participants don't.
But neither of these two intended goals will result in fraud detection all the time.
That’s the reason for the second point.
That’s why it’s in some respects more important than the first.
Enhanced audit work. Moving beyond the tick-the-box approach to one that is based on risk. The more risk, the more work required.
Why is that important?
As I’ve argued, “fiddling” with the income statement requires “fiddling” with the balance sheet pretty much dollar for dollar.
Major fraud requires major fiddling.
If audit procedures disclose that assets are overvalued or non-existent, it’s a very good sign that the income statement has been overstated and income is non-existent. And vice versa.
There are other cases of fraud that might be detected by enhanced audit work to confirm the existence of an asset or its carrying value.
Some examples.
Knowingly exchanging one asset for another of lesser or of no value.
Or, as happened at Hin Leong Trading, selling inventory without recognizing the sale in the accounts.
Failure to recognize the financial impact of a “good” transaction that has gone bad. A receivable associated with a legitimate sale turns out to be uncollectable. An asset purchased in good faith goes “south”. But there is no charge to the income statement or to equity.
Harder-to-detect frauds would be inflating expenses to take cash out of the firm. For example, overpaying for goods or services actually received. Or paying for non-existent services.
Note in the second part of the previous sentence I’ve eliminated “goods”. It’s much easier to determine that an asset doesn’t exist than it is that a service wasn’t performed. Or performed in full.
Enhanced audit procedures should lead to discovery of some and perhaps even many of those frauds, primarily those likely to have a material adverse impact on the company.
Smaller amount items are likely to remain undetected.
All well and good, you might say. But what about other cases of fraud like NMC, where billions of US dollars in liabilities were not recorded in the financials?
Indeed.
These are extremely difficult to detect.
The “first line” of defense is the auditor’s confirm from lenders or providers of funds. This is not ironclad because auditors do not send confirms for each and every loan or other asset of the lender.
If clever people are perpetrating the fraud, they may arrange a fraudulent reply to the confirms.
One might hope that as part of annual credit reviews, lenders and other providers of funds look to see if their debt is reflected in the borrower's financials. They have the details that generally should enable them to identify their debt, e.g., rate, tenor, currency in the absence of their name in the financials.
Banking on "hope" is an endeavor with limited probabilities of success.
Other difficult-to-detect frauds involve hard-to-value assets, e.g., non-listed investments or real estate.
Slight changes in assumptions can result in large changes in value. If stock analysts have trouble accurately valuing listed securities, it’s unlikely that accountants or even forensic accountants will fare better.
Enhanced audit work (my second point) does not provide an airtight solution. It does, however, raise the odds of detection.
That means that at best my proposal will not detect all fraud, but it might result in more fraud being detected than currently.
In a post to follow, I’ll detail how both steps have been applied and might have been applied at Wirecard and Hin Leong. The latter by drawing on my legendary powers of 20/20 hindsight.