Showing posts with label Wirecard. Show all posts

Sunday, 9 May 2021

“Muddy Waters” on Actual versus Nominal Losses


 

Often there is confusion in media reports on losses.

So today I’m here with Muddy Waters to set the record straight.

Manufactured returns can overstate the actual loss investors have incurred.

Early reports were that investors in BLMIS (Bernard L. Madoff Investment Securities, LLC) potentially lost some US$ 65 billion based on the nominal value of their accounts.

Similarly, Wirecard was reported to have “lost” some Euros 1.9 billion in deposits.

In both cases, a lot of the initial speculation focused on alleged theft of the amounts.

But in both cases, the losses were overstated by the amount of manufactured returns.

In the case of Madoff, roughly US$ 19 billion of the US$ 65 billion was the original investment amount.

The rest, US$ 46 billion, was fictitious “profit”.

In the case of Wirecard, the Euros 1.9 billion in deposits arose because income was “fiddled” to a corresponding amount.

As Professor Waters (above) has rightly said:

Well, you know, you can't spend what you ain't got

You can't lose what you ain't never had

That doesn’t mean that investors in Madoff’s funds did not have a real loss.

Their loss was the opportunity cost of not earning a return on their original investment.

No doubt lower than the US$ 46 billion, but still significant.

Adding insult to injury, the courts ruled that any Madoff investor who received a profit distribution (any amount in excess of the investor’s original investment) had to return it because it was “fictitious”. 

Here’s the US Court of Appeals Second District’s decision.

The US Supreme Court refused to hear the defendants’ appeal on 3 May 2020 (20-1382).

At stake was US$ 41 million.

You are capable of doing the math.

Not many of BLMIS’ “wise” investors were withdrawing their “profits”.

For Wirecard, the losses were to those lenders and stock investors that extended credit or bought Wirecard stock based on manufactured earnings. 

Unlike the BLMIS investors, the Wirecard "punters" are going to lose a much greater percentage of their original investment.

Friday, 26 March 2021

Wirecard: More Missing Money - This Time Real Money

Recommended Not Only for Its Fine Weather
But Also for Its Banking Facilities and "Discretion"

The FT reported on 24 March that sources told them that Oliver Bellenhaus, late of WireCard and Al Alam, informed investigators that in 2011 he and Jan Marsalek, Wirecard’s former CFO, began a scheme to shift money out of WC into “an array” of offshore accounts of shell companies in Hong Kong and the British Virgin Islands. Said account opened in 2010.

As I read this account, I suspected that many readers would think that this is where WC’s missing Euros 1.9 billion had gone.

I don’t think that this is the case.

Why?

Because it’s hard to steal what doesn’t exist.

If press reports are correct and WC was loss making, then the Euros 1.9 billion never existed. And couldn’t therefore be stolen.

These “shifted” funds would have had to be derived from other sources. And while no doubt significant, nothing close to the former amount.

I posted a detailed explanation of why fiddling with the income statement requires fiddling dollar for dollar with the balance sheet (and vice versa) in my earlier post here.

Let’s look at WC’s financials from FY 2004 through 3Q19 to see if there was evidence of income above the imaginary Euros 1.9 billion that may have produced actual cash to be stolen.

Why that period?

Prior to 2004 Wirecard was InfoGenie, a rather small call center with negative retained earnings.

There wasn’t much to fiddle with before 2004.

As the table below shows, during that period WC reported Euros 1.919 billion in net income, paid dividends of Euros 165 million, and had other adjustments to retained earnings of Euro 15 million. The dividends were likely funded via increased liabilities rather than cash flow from operations.


So, if there were transfers of “millions” as Mr. Bellenhaus is reported to have said, where did they come from?

Two likely possibilities.

Overstatement of Expenses/Costs

Either those recognized through the income statement (expenses) or capitalized (costs).

For the former, professional services are a frequent favorite as they don’t generate a hard asset. Or business acquisition/referral fees, processing fees. 

Perhaps imaginary fees on the imaginary transactions, with the difference here being that the latter were paid in cash.

A particularly fertile ground for the latter might be the creation of intangible assets.

What is the proof of the cost of new software, other than the bill for development, particularly if outside vendors were contracted?

In its FY 2018 annual report, WC discloses it spent some Euros 86 million in FY 2018 and Euros 98 million in FY 2017 in cash for “investments in intangible assets”.

Over the period 2016 through 2017, WC’s internally created and other intangible assets increased from Euros 181 million to Euros 252 million.

Could some of these be the result of shifting funds? We don’t know.

Overpayment for Acquisitions

Acquisitions by their nature are “chunky” unless there are periodic payments, e.g., if the newly acquired company performs above a benchmark, the sellers may be entitled to a payment reflecting the greater value of the company they sold. That of course will depend on the terms of sale.

Another possibility would be fees to those who sourced acquisitions for WC, provided WC financial advice, performed due diligence, etc. This presumes such charges were capitalized as part of the cost of the acquisition rather than expensed.

Expense fiddling would be a better “cover” for frequently recurring transfers than acquisitions, which tend to be lumpy, particularly if the same accounts were used again and again.

It’s not clear from the FT article whether the same accounts were used over and over. 

Does “array of accounts” mean a single group of accounts created in 2010? 

Or could it mean repeated creation of new accounts?

Acquisitions would allow for larger payments in a single transaction. But it would seem that these would be handled by using a different (new) account for each acquisition rather than the same accounts. 

It would (should?) look a bit suspicious to auditors – at least I hope so – if acquisitions from different sellers and in different parts of the world went to the same account.

So, if I’ve read the FT article correctly, my best guess would be expense fiddling.

With Mr. Bellenhaus’ co-operation and access to WC’s accounting records, investigators should be able to calculate the amount “shifted” and what transactions were used for cover.

Presumably, the stolen amounts were used to fund the costs associated with running the income fraud as well as to compensate the key players (like Mr. Bellenhaus) for their role.

Thursday, 17 December 2020

Wirecard A Series of Unfortunate Regulatory Incidents

 

"Who are the police?
We need a police to catch the police?"

No sooner had I posted about regulatory lapses by Apas in re Wirecard than the weekend edition of the FT landed at my doorstep.

What a surprise! (Quelle surprise!)

Olaf Storbeck had another article on German parliamentary hearings on Wirecard.

This time the head of Apas, Mr. Ralf Bose, gave testimony.

Herr Bose admitted that he purchased an undisclosed number of Wirecard shares in April and sold them at an undisclosed loss in May – while Ba-Fin and Apas were in confidential talks about Wirecard.

Bundesminister für Wirtschaft und Energie Peter Altmaier reportedly found Herr Bose’s comments “disconcerting” (beunruhigend?).

Ba-Fin fresh from its success supervising Wirecard will investigate Herr Bose’s share trading.

In that regard, I would hasten to note that Herr Bose was “long” not “short” Wirecard shares so the investigation may be able to be concluded quickly.

First time an oversight. Second time a mistake. Third time an unfortunate coincidence?

You may recall a post from some years back in which I ridiculed the idea of the imagined superiority of supervision in the “developed” West when discussing l’affaire Abraaj.

I’d offer the WC saga as reinforcement of that argument.


Saturday, 12 December 2020

Wirecard - Great Moments in Regulatory Oversight

 

Wachsam sein --immerzu

On 10 December Mr. Naif Kanwan, executive director for enforcement and market monitoring at Apas, the Federal Republic’s audit “watchdog”, gave testimony at German parliamentary hearings on Wirecard.

Olaf Storbeck has an absolutely delightful (though ultimately disturbing) account on that testimony which appears in the print edition of Friday’s FT (where else?)

Let’s run through the quotes. AA’s commentary in italics.

“My impression was: somebody is on the case, has been looking at the allegations and came to certain conclusions.” He added that this “subconsciously influenced my thoughts about the matter”. 

One reading of this quote is that it is an admission that the apparently aptly named naif was not on the case. And saw little reason to disturb himself. George will do it. 

Perhaps as well, that Mr. Naif’s investigations are conducted based primarily on the operation of the subconscious. If you will, a Freudian approach to regulation. Hence the picture above. The subconscious, as I hope you know, is more active during sleep.

Alternatively, it could just be an attempt to create an excuse. Feigned faulty memories or low intelligence are often proffered to “explain” failures.

Asked if he believed in early 2019 that FT journalists colluded with short sellers, Mr Kanwan pointed to BaFin’s ban and criminal complaint. “These moves were in line with such a picture,” he said.

Indeed, it is certainly well known – at least in certain circles – that short sellers are a nefarious bunch always up to no good, bad-mouthing fine companies. And that short sellers have never ever pointed out fraud before regulators woke up.

Equally that there really haven’t been any cases of external auditors missing or colluding in accounting irregularities.

It’s also well known that major financial newspapers don’t take action against columnists that collude with short sellers, particularly when a major regulatory agency lodges a criminal complaint.

Shame on you, FT! 

Especially since this also happened with NMC – though to be fair in that case no criminal charges were lodged.

He acknowledged the watchdog at the time was unaware of earlier allegations against Wirecard raised by short sellers in 2016 in the so-called Zatarra report. That only changed in October 2019 after the FT published internal Wirecard documents pointing to a concerted effort to fraudulently inflate sales and profits.

One (at least AA) expects a watchdog to “wachsam sein immerzu” to quote the old song from the East. Though AA admits that he may be ignoring the possibility of “repressed memories”.

As a positive comment, I’ve heard--and not just from short sellers or financial journalists--of a communications service called the “internet” which I am assured allows one to follow news, conduct searches, etc. 

They say it’s quite useful.

I am even also told that one can set up “alerts” to be advised of news on a particular topic, company, etc. without having to take any active steps – other than setting up the alerts.

Remarkable if true.

On that latter point, he did note: 

 “As a lesson learned, we have improved our press monitoring.”

Better late than never!


Monday, 30 November 2020

And Now for Something Completely Different - The Financial Times

 

AA at His Rona Rig
Sufficiently Socially Distant so no Mask Required

If you’re one of the select (few) readers of this blog, what you usually find here are posts that focus on the negative. 

Misrepresentation of financial statements, questionable business strategies, other frauds and fakes, financial and economic fairy tales and the like.

That certainly is a “field” offering multiple opportunities to comment.

As the picture above indicates, today it is time for something completely different.

Some kudos to The Financial Times and the no doubt underpaid journalists who work there.

A bit of context.

Overall journalism ain’t what it used to be. 

And since it was never perfect, that’s quite a disappointing development.

Some basic “have to’s” are often missing. 

A breathless review of an exhibition that omits what in the past would have been basic facts: where, when, cost.

Other sloppiness that misses the "meat" of the story.

More serious is the substitution of mindless partisanship for reporting. The intrusion of the editorial page into the news columns.

The FT is a welcome respite from these two frequent lapses.

Some examples to make the case: NMC UAE, Wirecard, H20.

First, there is the uncovering of the basic story. 

Second, the pursuit of the story despite pressure.

Dan McCrum’s experience on the Wirecard story is instructive – working from a windowless office at FT central on an air-gapped PC. 

It is not the only case – NMC is another -- where external pressures were ignored.

Third, rigorous, smart in-depth analysis.

The report doesn’t stop at the surface of the story but goes into detail. 

It seems that often the chips are allowed to fall where they should. 

Did a “hero” in the Wirecard case have a less “heroic” role in a related case in Mauritius? Dan McCrum and Olaf Storbeck report it.

Or BondHack and Cynthia O’Murchu digging through filings at EMCR and discovering that NMC had pledged assets (future credit card A/R). 

Something apparently unknown to folks who might be presumed to have a more serious interest in this disclosure.

“Folks” like equity investors or providers of funds -- other than ADCB.

Fourth, a global network that allows input from journalists around the globe to round out the story with local insights. 

Simeon Kerr weighing in on Wirecard from the UAE.

Is the FT perfect?

No, but it’s very good.

Disclosures:

  1. No shareholding in companies related to FT.
  2. No compensation for this article.

Monday, 20 July 2020

Applying AA’s Corporate Fraud Detection Proposal to Wirecard - Part 1

AA's Hindsight is 20/20  Foresight Much Less

This is the first of two posts on this topic. Second post here.

In an earlier post, I proposed two measures to enhance the detection of corporate fraud.

This post and the one that follows outline how it might have been applied to Wirecard.

To start, a recap of the two points in my proposal:
  1. Reemphasize the auditor’s duty to identify unique material risks and vulnerabilities in a company’s business model or practices and disclose them as appropriate in the financial statements, e.g., key audit matters and/or footnotes. And as well to ensure the auditor performs the appropriate amount of audit work on these and other risks.
  2. Scale audit work to risk. For example, one should not confirm the existence of Euros 1.9 billion in deposits in the same way one confirms a Euro 100,000 receivable.

Before you proceed further, it’s probably useful to take a look at my earlier post which details the proposal, its rationale, and more importantly its limitations.

That will help provide the context necessary for you to make an informed assessment of the potential efficacy of my proposal.

From that and what follows you will see that I’m under no illusion that this is a “perfect” solution—one that will detect all fraud or even all major fraud.

But it will, I think, increase the odds of detection. 

It is a necessary but not sufficient step.

Now to Wirecard.

Point One: Identification and Disclosure of Significant Business Risk

It’s pretty clear from a cursory understanding of basic accounting that the fact that WC’s Euros 1.9 billion deposits were imaginary meant that an equivalent amount of earnings were as well. See my 26 June post.

Recently the FT reported that a special KPMG “audit” found that Wirecard had been loss making for years. An even more dire situation.

Let’s assume that in their review of the company’s revenues and net profit, WC’s then auditors (who were not KPMG) noticed that WC was dependent on three companies for the bulk of revenues and profits. See FT article here for details.

At this point, let’s assume there was no hint of fraud.

Because of this dependence, WC faced the risk that these third-parties might take their business to another company, leaving WC with a massive “hole” in revenues and income.

Or these companies might have future problems of their own which would then impact WC.

Now this is not something that can be dismissed with a wave of the corporate hand. “But we work through 100 partners where we don’t have licenses”.

The fact is that if the business with these 3 companies didn’t exist, WC’s revenues and net profit would be vastly different.

Under my proposal, the auditors would have had to insist that WC disclose this “material” reliance on third parties. The auditors would have also had to treat this dependence as a “key audit matter”.

The latter would require enhanced audit measures to analyze the risks of this dependency. For example, to determine how much discretion those third parties had to redirect the business elsewhere, what sort of pressures they might bring to force WC to accept reductions in compensation, etc. What were the risks that these companies faced to their business?

WC no doubt would have made arguments against disclosure of this dependency in its financials citing business confidentiality, maintenance of a competitive advantage, etc. If the “secret” of its third party relationships were revealed, a competitor might poach them. And so on.

The resulting compromise might have been something like “WC’s historical and future profitability has been and remains critically dependent on business flow from 3 third party firms.”

In reviewing this relationship, the auditors should also have noticed that these third parties had been granted access to WC funds (the imaginary escrow accounts).

Or, if the business reliance were not disclosed or overlooked by the auditors, the single fact that the third parties had access to WC’s escrow accounts should have prompted further investigation of the accounts.

An investigation which could have led to the auditors discovering WC’s dependence on the third parties for the bulk of revenues and profit.

Assuming that this more detailed work were done, then the fraud might have been caught years earlier.

According to information that the FT was given, at one point AlAlam owed WC an amount roughly equal to one year’s net income.

That certainly qualifies as a material risk.

The two banks that held the accounts, BDO and Bank of the Philippine Islands, are the largest and third largest in the Republic of the Philippines (ROP) by total assets.

Big fish but small pond.

As of 31 December 2018, BDO had total consolidated assets of US$62 billion equivalent and total shareholders’ equity of US$7 billion equivalent. BPI’s comparable figures were US$43 billion and US$5 billion equivalent.

As of the same date, Deutsche Bank had roughly Euros 889 billion in total assets and some Euros 55 billion in equity. Bank of America some US$2.4 trillion in assets and US$265 billion in equity.

Euros 1.9 billion in deposits with the Philippine banks should raise credit risk issues as well as other more practical ones, e.g., liquidity. To be fair, an escrow/trust account structure would address some of these.

Beyond that is the issue of country and regulatory risk.

The ROP is judged to have defects in its legal and financial sector supervisory system. See the US Government’s 2019 INCSR issued in March 2019 (page 157 and following) and the 2019 Asia/Pacific Group on Money Laundering Mutual Evaluation Report (page 10 points 8 and 9).

Based on the foregoing, WC was taking several significant risks with its “arrangements” for the escrow accounts.

Recognition of that “fact” would require that the auditors perform additional measures to review the credit and other risks.

With respect to the three parties, that would mean an investigation of the conditions of their access, the reasonableness of amounts that they were permitted to access, the escrow agreement’s effective protections, etc.

As well, the auditors would have to review the credit exposure to the two Philippine banks who “held” the deposits and regulatory and credit issues related to the choice of the ROP as the “depository” country.

That doesn’t mean that the auditors would necessarily determine if the decision were the right one.

After their review, they might note “issues” surrounding the credit decision for public disclosure. And, equally important, factor these risks into their audit plan.

At the very minimum it would seem that the third party access—which seems not to be a usual business practice—would warrant disclosure by a sentence or two in the note to the financial statement about cash and banks.

These disclosures should have alerted investors, analysts, and other market participants to these risks and hopefully triggered questions.

But there’s a critical dependency. Warnings are of little utility if they are missed for whatever reason.

However, this “finding” should also have resulted in the auditor having greater focus on these issues in conducting the audit. And thus provide a back-up in case market participants were somnolent or in the throes of irrational exuberance.

The resulting effect on audit work is very important because the auditor has access to more information than outside parties. Thus, there is more likelihood that the auditor will have more success in “pulling on a loose thread” and unraveling a fraud.

In the next post, I'll look at some enhanced audit measures that the auditors could have employed.

Applying AA's Fraud Detection Proposal to Wirecard Part 2

AA is Looking Backward Not Forward

This is the second of two posts on this topic. First post here.

Point Two: Enhanced Audit Work

The following outlines some possible enhanced steps auditors could have taken.

I don’t know what steps the auditors took.

That WC was able to perpetrate its fraud for so long perhaps suggests the auditors were not employing any of these enhanced steps or had not completed them.

Confirmation of the Euros 1.9 Billion Accounts

Audit Confirmations

Given the unusual arrangements with the escrow accounts and their Euros 1.9 billion balance, WC’s auditor should not have relied on a single-step verification – the typical bank confirmation – and probably should have used more than one method.

What additional steps could WC’s auditors have taken?

First, in view of the amounts, they could have requested two bank officer signatures on the confirm, and specified an official title, e.g., “one of whom must be a Vice President in the xxx Department”.

Second, once the audit confirmation was returned, the auditors could have attempted to determine that the signer(s) on the confirmation were employees of the bank and worked in a department that would be responsible for replying.

This could be done by referring to the bank’s “book” of authorized signers. This document lists officers authorized to sign, any limits on their authority, and the departments in which they work. Often the officers are assigned a unique identifier number in case their penmanship rivals AA’s.

Or by phoning the bank and telling the receptionist that they had something important to send the signer and wanted to confirm the appropriate department to send their letter. In this case they would not mention the audit confirm.

If the receptionist couldn’t find the employee’s name in the bank’s records or responded that the individual worked in “Marketing”, alarm bells should go off.

The auditors could send a copy of the confirmation back to the bank requesting that in light of the amount involved the bank reconfirm both the information in the confirm and the authority of the signer(s).

The reconfirmation request should not be sent to the party or parties signing the confirmation as received, but rather to another department.

For example, if the auditors received the confirm from someone in the Trust Department, they could send the reconfirmation request to the Trust Department Internal Audit Department. Or the bank’s Internal Audit Department. Or to the Head of the Trust Division. And when a billion or so Euros are involved, perhaps even the President of the bank.

The auditing firm could have asked a senior officer of its affiliate in the ROP to assist by contacting a senior officer at the bank for a reconfirmation. 

Alternative Measures

The auditors could ask the bank to send duplicates of account statements directly to them. If the bank doesn’t have an account for that customer, then it would so advise.

If it sends a statement with much lower balances, then questions would arise over the amount claimed in the account.

“So what you’re saying is that between 1 and 31 December, these accounts received Euros 1.8 billion in net credits.” 

The idea with this step is that requests for duplicate statements would not reach the person within the Bank conspiring to provide false information on confirmations. One department replies to audit confirms. Another department handles “routine” requests for duplicate statements.

If the auditors were engaged in reviewing the use of WC’s accounts by the third parties to determine the amounts those parties needed access to, as my proposal suggests, then they should already have requested account statements.

Transactions shown in the statements should match entries in WC’s accounts. The auditors could take a statistical sample to trace/match transactions between the two.

There are other methods.

The ones outlined here are designed to prove the existence of the account, not necessarily the balance.

If there was doubt about the veracity of the account statements, the auditors could use statistical analysis of transaction amounts and patterns to identify those that likely have been “faked”. Benford’s “Law” is one such technique but there are others.

I met a chap at a financial crimes conference (anti not pro, if you’re wondering) who claimed that using Benford’s Law he quite easily “proved” that financial statements provided for an investigation had been “cooked”.
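A first-digit test of the kind Benford’s Law supports, as an added example; it is not part of the original post and not a procedure any auditor named here is known to have used. Both amount lists are constructed, and the function names and the 5% significance threshold are assumptions of this example.

```python
import math
from collections import Counter

# Chi-square critical value for 8 degrees of freedom (9 digits minus 1) at the
# 5% level. The choice of the 5% level is an assumption of this example.
CHI2_CRITICAL_DF8_5PCT = 15.507


def first_digit(amount):
    """First non-zero digit of an amount rounded to cents; None for a zero amount."""
    for ch in f"{abs(amount):.2f}":
        if ch in "123456789":
            return int(ch)
    return None


def leading_digit_counts(amounts):
    """Observed count of each leading digit, ignoring zero amounts."""
    digits = (first_digit(a) for a in amounts)
    return Counter(d for d in digits if d is not None)


def benford_expected(n):
    """Expected count of leading digits 1..9 among n amounts: n * log10(1 + 1/d)."""
    return {d: n * math.log10(1 + 1 / d) for d in range(1, 10)}


def benford_chi_square(amounts):
    """Pearson chi-square distance between observed and Benford leading digits."""
    observed = leading_digit_counts(amounts)
    n = sum(observed.values())
    if n == 0:
        raise ValueError("no non-zero amounts to test")
    expected = benford_expected(n)
    return sum(
        (observed.get(d, 0) - expected[d]) ** 2 / expected[d] for d in range(1, 10)
    )


def deviates_from_benford(amounts):
    """True when the leading digits differ from Benford's Law at the 5% level."""
    return benford_chi_square(amounts) > CHI2_CRITICAL_DF8_5PCT


def digit_report(amounts):
    """Rows of (digit, observed, expected) for the working papers."""
    observed = leading_digit_counts(amounts)
    expected = benford_expected(sum(observed.values()))
    return [(d, observed.get(d, 0), round(expected[d], 1)) for d in range(1, 10)]


# Constructed sample 1: 900 amounts spread evenly on a log scale from 10 to
# 10,000, standing in for organically generated payments of very different sizes.
ORGANIC = [round(10 ** (1 + 3 * k / 900), 2) for k in range(900)]

# Constructed sample 2: 900 invented amounts stepped evenly from 4,000 to about
# 10,300, standing in for figures made up to look "substantial".
INVENTED = [4000 + 7 * k for k in range(900)]

if __name__ == "__main__":
    for label, sample in (("organic", ORGANIC), ("invented", INVENTED)):
        verdict = "DEVIATES" if deviates_from_benford(sample) else "consistent"
        print(f"{label}: chi-square = {benford_chi_square(sample):.1f} -> {verdict}")
        for digit, seen, expected in digit_report(sample):
            print(f"  digit {digit}: observed {seen:4d}  expected {expected:6.1f}")
```

Benford’s distribution is only a fair benchmark for amounts that span several orders of magnitude, so a deviation is a reason to trace the underlying transactions, not a finding in itself.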

WC’s establishment of the escrow accounts, probably ostensibly to mitigate the credit risk of the two Philippine banks, should have resulted in a file documenting management and board discussions, engagement of ROP counsel, correspondence on legal points, review by the board, and a legal document signed by both WC and the two banks in question.

If such a file did not exist, that should raise questions. Often those perpetrating fraud do not create the full set of “backstory” documentation to support the fraud. Or miss critical details in their backstory.

If it did, it should provide another opportunity to verify the existence of the account. Contact the bank and ask to speak to its lawyer named in the correspondence. Check to see if the person signing the agreement on behalf of the bank was in the “right” department and had the authority.

Auditors could also send a request to the bank to confirm that there had been no changes to the escrow agreement. Again if the bank replied that there was no such agreement then alarm bells would go off.

Send a small payment to the bank in favour of the escrow account prior to fiscal year end. If it’s returned with the notation “no account”, then alarm bells go off. If it’s not returned, it should show up in statements. If not, the bells ring again.

Look for evidence of use of the escrow accounts by WC.

A transfer of funds to its main operating account would confirm the existence of the accounts, but, of course, not the balance.

The bank holding the operating account should be able to provide details of any transfer – by order party (the escrow account), originating bank (one of the two Philippine banks), and date of credit to WC’s operating account. So the auditor should not simply match amounts, but look to the transaction details. Again on a sample basis.

If WC never used any funds from the escrow accounts, that should raise questions, particularly if WC is borrowing funds to pay dividends or expenses.

Review of Third Party Companies

WC gave access to its accounts to these companies. As noted, WC therefore had a credit risk exposure to them.

The auditors should understand WC’s rationale for taking this risk and ask to see the “file”. That would include among other things WC’s credit approval policy and process, documentation of WC’s review, determination of appropriate amount of access, official approval by WC authorized officers/board, supporting documents, e.g., these companies’ audited financial statements, DNB checkings, bank references, etc.

[Side Comment: AA’s smarter, elder brother expert in many things Asian once discovered a massive fraud by reviewing DNB’s for some Asian companies that were used to execute the fraud. If we believe his account, and I can think of no reason why not to, he took all of 20 minutes to do so. For this purpose, I am ignoring his much earlier persuasion of AA that our paternal grandfather was 2,000 years old and had attended grade school with Jesus.]

If WC doesn’t have this information—specifically financials and other credit information—already, the auditors should question why WC are letting these parties have access to their accounts.

The auditors could also check ancillary sources of information.

As indicated by its article referenced above and this one, the FT found some rather strange things about the companies.

Now one might respond that the FT benefited from disclosures by a whistleblower and the auditors had no such help.

But if the auditors were examining the rationale and reasonableness of these companies’ access to WC escrow accounts, then they would have come across the same opaqueness and unsettling information that the FT did.

If they had details of these companies’ supposed contribution to revenues and net income, they would also have had reason to dig deeper.

In a “simple” 30 minute Google search on AlAlam I did not turn up the sort of information one would expect for a tech company on the “bleeding edge” of the “PSP space”.

What's the point with the 30 minutes here and the even shorter 20 minutes ascribed to AA's wiser, elder brother?
  
Simply that additional audit measures do not require massive investments in time or energy if done properly.  

Nothing in Crunchbase. A rather incomplete profile at Owler, where AlAlam has but one follower.

Not much in the way of third party reporting other than regurgitation of press releases. No interviews with key persons sharing their vision or thought leadership. Sad.

AlAlam has an English language website. But it doesn’t appear to have an Arabic one. Rather strange for a company in the UAE which presumably is pitching customers in the region. Perhaps, they are on the “bleeding edge” of the marketing “space” as well and have moved beyond traditional methods of marketing.

No information on officers, directors, etc.

A laughably short company profile.




Friday, 10 July 2020

Corporate Fraud Part 2 -- An Alternative Proposal for Enhancing Detection

Abu Arqala Publishes His Proposal

In the previous post, I expressed some concerns about a proposal to combat corporate fraud.

Saying that a particular solution seems unworkable or difficult to implement isn’t really of much utility.

Don’t tell me what can’t be done. Tell me what can.

The point is to outline a possible solution.

What then is AA’s alternative? What is to be done?

To start we have to accept that just as with corporate misgovernance there is no financial equivalent of hydroxychloroquine that is a sure cure. 

Because fraud is not just the equivalent of a bad “flu”, financial or otherwise, and won't just go away in July or some other month, we do have to take action.

To that end I offer this alternative proposal which seeks to use existing structures to enhance current risk disclosures and promote risk-based auditing.

A key goal is turning auditors’ attention and action away from what appears to be a sole focus on policies, internal processes and controls, and pieces of paper.

As the old joke goes, if it isn’t written down, it doesn’t exist for an auditor.

The real risk with that mentality is the converse.

If an auditor has a piece of paper—a confirmation, a copy of a contract, etc.--the existence of an asset or liability or a business relationship is a proven fact.

The steps I’m proposing would not mean that auditors would abandon examining adherence to financial reporting and accounting standards, reviewing internal controls and processes for adequacy, nor performing many paper based audit activities, including confirmations, nor issuing opinions on those matters.

Because the majority of companies do not engage in major fraud, that current audit work provides needed information to a wide range of third parties, e.g. shareholders, other investors, lenders, business partners, etc. And so it should continue.

If a company is fraud free, an investor is still going to want to know if the company is following accepted accounting principles, has proper accounting systems and internal controls, has documentary evidence to back up transactions, etc. That it uses reasonable assumptions when valuing hard-to-value assets.

One doesn’t want to invest one’s money with or make a loan to an honest but incompetent or disorganized company.

So my proposals are designed to leave those aspects of auditing in place but enhance the extent of auditors’ work.

First, emphasize the need for auditors to identify if the company has any serious or unusual risks in its business model or practices, including unusual vulnerabilities.

If such risks are found, require that they are disclosed in a clear form in a company’s audited financial statements.

When those risks pose substantial or unusual vulnerabilities, auditors should include these in the “key audit matters” section of their audit opinion. That would require that they discuss the existence and materiality of such “matters”; describe the additional audit work they have performed to address them; and give their resulting assessment on that matter.

If they don’t reach the level of a “key audit matter”, they should be noted and addressed/focused on in the audit plan. 

The goal is not to come up with a laundry list of every potential risk factor similar to a bond or stock offering memorandum which is primarily a CYA or more accurately a CYLE (cover your legal exposure) exercise for the underwriting/offering banks and the issuer. 

All businesses are subject to a variety of risks.

The point is to identify those risks or vulnerabilities that are not obvious and have a material impact. 

This will become clearer in the post to follow where I outline this “point” applied in actual cases or hypothesize how it might have been applied at Wirecard or Hin Leong Trading.

Second, require that auditing procedures be scaled to risk of an individual asset, liability, etc.

For example, one should not use the same method to verify bank deposits of Euros 1.9 billion that one uses to confirm a USD 100,000 receivable. 

What are these two principles designed to achieve?

The first is designed to alert market participants, lenders, and regulators of vulnerabilities and dependencies that could have a material effect on the company’s health. To raise a red flag.

That's important because fighting fraud is not the sole job of one group any more than corporate governance is.

What that means is that for this aspect of point one to work someone out there has to be "listening".  If the "flag" is missed, the chances of uncovering the fraud decrease. 

It is also intended to cause the auditor to focus on a class of risks that seem often to be overlooked at least in some cases. 

That serves as the "back-up" if no one is listening.

Auditors are already required to assess a company’s risks and then develop a specific audit plan of work to ensure appropriate audit work is done on these areas. So this is a reminder with emphasis of this existing requirement.

But if they don’t focus on this latter class of risks, there is a real danger—as perhaps evidenced by some recent fraud cases—that they will not undertake the work they should have to address these issues.

The second is designed to "force" auditors to scale audit work to risks.

What’s the relation to fraud?

As I noted in an earlier post, many but not all types of fraud necessarily require the overstatement of assets. 

We’re most concerned with major frauds that threaten the viability of a company. That is the reason for risk-based scaling of audit work.

At first blush, this may sound like a good proposal. Or at least that's what I tell myself.

But it is not a panacea. There are no 100% solutions.

Why?

As to reliance on large numbers of market participants reacting to alerts (the first point), if you’ve read this blog before, you know I have little faith in the mythology of efficient markets.

Not no faith. Just a slight bit more than I have in the “Power Ponies”.

Admittedly, I’m banking on a very small number of market participants to read, understand, and then take action on any red flags raised by disclosure of these sorts of business risks.

That being said, just a few persistent sharp investigative (but probably underpaid) journalists at the FT played a major role in uncovering NMC and Wirecard.
But the effectiveness of this point doesn't just rely on those sorts of market participants.

Widening auditors' risk focus and thus getting them to adjust their audit focus and work should also contribute to detection, particularly because they have access to detailed company financial information that other market participants don't.

But neither of these two intended goals will result in fraud detection all the time.

That’s the reason for the second point.

That’s why it’s in some respects more important than the first. 

Enhanced audit work. Moving beyond the tick-the-box approach to one that is based on risk. The more risk the more work required.

Why is that important?

As I’ve argued, “fiddling” with the income statement requires “fiddling” with the balance sheet pretty much dollar for dollar.

Major fraud requires major fiddling.  

If audit procedures disclose that assets are overvalued or non-existent, it’s a very good sign that the income statement has been overstated and income is non-existent. And vice versa.

There are other cases of fraud that might be detected by enhanced audit work to confirm the existence of an asset or its carrying value.

Some examples.

Knowingly exchanging one asset for another of lesser or of no value.

Or, as happened at Hin Leong Trading, selling inventory without recognizing the sale in the accounts.

Failure to recognize the financial impact of a “good” transaction that has gone bad. A receivable associated with a legitimate sale turns out to be uncollectable. An asset purchased in good faith goes “south”. But there is no charge to the income statement or to equity.

Harder to detect frauds would be inflating expenses to take cash out of the firm. For example, overpaying for goods or services actually received. Or paying for non existent services.

Note in the second part of the previous sentence I’ve eliminated “goods”. It’s much easier to determine that an asset doesn’t exist, than it is that a service wasn’t performed. Or performed in full.

Enhanced audit procedures should lead to discovery of some and perhaps even many of those frauds, primarily those likely to have a material adverse impact on the company. 

Smaller amount items are likely to remain undetected. 

All well and good, you might say. But what about other cases of fraud like NMC where billions of US dollars in liabilities were not recorded in the financials?

Indeed.

These are extremely difficult to detect.

The “first line” of defense is the auditor’s confirm from lenders or providers of funds. This is not ironclad because auditors do not send confirms for each and every loan or other asset of the lender. 

If clever people are perpetrating the fraud, they may arrange a fraudulent reply to the confirms.  

One might hope that as part of annual credit reviews, lenders and other providers of funds look to see if their debt is reflected in the borrower's financials.  They have the details that generally should enable them to identify their debt, e.g., rate, tenor, currency in the absence of their name in the financials.

Banking on "hope" is an endeavor with limited probabilities of success.

Other difficult to detect frauds involve hard-to-value assets, e.g., non listed investments, or real estate. 

Slight changes in assumptions can result in large changes in value. If stock analysts have trouble accurately valuing listed securities, it’s unlikely that accountants or even forensic accountants will fare better.

Enhanced audit work (my second point) does not provide an airtight solution. It does, however, raise the odds of detection.

That means that at best my proposal will not detect all fraud, but it might result in more fraud being detected than currently.

In a post to follow, I’ll detail how both steps have been applied and might have been applied at Wirecard and Hin Leong.  The latter by drawing on my legendary powers of 20/20 hindsight.