Mitigating Risk

Since the passage of the Sarbanes-Oxley Act (SOX) in 2002, U.S. companies that qualify as accelerated filers have devoted significant resources to developing robust internal controls over financial reporting. In conjunction with heightened Securities and Exchange Commission (SEC) enforcement activity, these efforts have led to an increased focus on preventing and detecting financial statement fraud.

The number of SEC enforcement actions for alleged financial statement fraud declined from 2004 to 2006, but on an annual basis, the number of incidents exceeded the total in 2000 and 2001, before SOX was enacted. From 2004 to 2006, the SEC issued an average of approximately 50 Accounting and Auditing Enforcement Releases (AAERs) annually describing financial statement frauds, detailing an average of 223 fraud schemes per year. This compares to an average of 30 AAERs from 2000 to 2001 describing 86 fraud schemes per year.

“Financial statement fraud remains a significant concern,” says Toby Bishop, a partner in the Chicago Forensic & Dispute Services practice of Deloitte Financial Advisory Services LLP and director of the Deloitte Forensic Center (DFC).

Despite the recent progress driven by SOX and more stringent regulatory enforcement, many corporations still have work to do to make their fraud controls as effective as they could be, to reduce the opportunities to perpetrate financial statement fraud. For such efforts to be successful, the individuals leading the charge will need a good understanding of the type of financial statement fraud that is occurring today.

To this end, the DFC analyzed data gathered from the 344 SEC AAERs relating to financial statement fraud that were issued between 2000 and 2006. From the analysis, the DFC produced a study entitled “Ten Things About Financial Statement Fraud.”

The study identified more than a thousand distinct fraud schemes, over 40 percent of which involved some form of revenue misrepresentation. “This finding is consistent with earlier studies and reinforces the need to have strong controls in this area,” notes the DFC’s Bishop.

The five most prevalent revenue recognition schemes identified by the DFC study include:

• Recording of fictitious revenue (24% of total revenue recognition schemes)
• Recognition of inappropriate amounts of revenue from swaps, round-tripping or barter arrangements (11%)
• Improper accounting for cancellations and refunds (9%)
• Recognition of revenue from sales transactions billed but not shipped (8%)
• Recognition of revenue for transactions with unresolved contingencies (8%)

The study also found that occurrences of revenue recognition fraud schemes rose 344 percent between 1996 and 2000, from 25 to 111 incidents. (See chart below)

“The widespread use of revenue manipulation schemes suggests that the rise in financial statement fraud may have been driven in part by efforts to meet aggressive revenue growth targets,” says DFC’s Bishop.

DFC Advisory Council member Frank Hydoski notes a connection between the DFC findings on revenue manipulation schemes and the findings of a 2006 study from RevenueRecognition.com. The latter study found that “for most companies revenue numbers for financial reporting are collected and prepared outside the financial systems used by companies.” In fact, “for 92% of the companies, some degree of manual process is involved, and in most instances, more than 70%, revenue figures are cumulated and prepared in spreadsheets.” Ultimately, the study finds that “this circumstance presents control challenges and fraud opportunity.”

One of the most illuminating findings of the DFC study is that most of the companies alleged to have engaged in one fraud scheme also were allegedly involved in at least one other fraudulent activity. Moreover, a surprisingly large number had more than ten fraud schemes going on at once. The study specifically found that:

• 74% of the SEC enforcement releases described at least two fraud schemes
• 25% described at least five schemes
• 7% described more than 10 alleged fraud schemes 
• 1% alleged over 20 schemes

“These findings make it clear that when there’s one fraud scheme, there’s likely to be more,” says Bishop. This tendency has implications for senior managers preparing fraud risk assessments and planning fraud controls to mitigate the risk of financial statement fraud. Assessments should be conducted and controls planned with the understanding that a range of frauds could occur simultaneously. 

The DFC study also found notable differences in the occurrence of fraud and types of schemes employed in different industries. Some industries were much less likely to be cited by the SEC. For example, financial services companies have a very low incidence of enforcement actions whereas technology companies were the most likely to be cited by a substantial margin. 

Between 2000 and 2006, the types of fraud committed within different industries generally paralleled the overall pattern of fraud schemes.  Revenue recognition schemes were the most common and their frequency increased through the time period relative to other schemes. The manufacturing industry was one notable exception. Following 1999, it experienced a significant decline in revenue recognition schemes, while in other industries, such as technology, the incidence of schemes increased.  Hydoski suggests that “SEC guidance on revenue recognition issued in 1999 may have been more effective in the manufacturing industry than in the technology industry.”

James D. Cox, a professor of Corporate and Securities Law at Duke University School of Law, notes that prior to the enactment of Sarbanes-Oxley, “there were terrific rewards for the executive management team to make their numbers and boost the stock price.” Recent reforms have taken corporate America a long way in addressing the conflicts of interests that encouraged executives to manipulate reported earnings.

“We now have a very different genre of directors and audit committee members,” notes Cox. SOX also establishes accountability by requiring senior executives to take individual responsibility for the accuracy and completeness of corporate financial reports.

Although not addressed by SOX, the new sense of accountability has been extended to the General Counsel, making its position much more central than ever before. As evidenced by the unprecedented number of General Counsels recently charged with fraud (10 so far in 2007), “General Counsels are now under a lot of pressure to not succumb to management pressures to sign off on inappropriate transactions,” Cox explains. 

Leading companies are calling on compliance professionals to challenge the “go along to get along” culture that prevails in some parts of large organizations. Says Brackett Denniston, vice president and general counsel for GE: “You’ve got to be able to teach the hardest thing: courage. Not just analysis, or expertise, but courage. The courage to stand up and say, ‘This isn’t the way to do business.’”

A more detailed description of the study and its findings appears in a 12-page report entitled “Ten things about financial statement fraud: a review of SEC enforcement releases 2000—2006.”

Video

As used in this document, ‘Deloitte’ means Deloitte LLP (and its subsidiaries). Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.

Stay updated

Subscribe to receive periodic publications from the Deloitte Forensic Center.