GRC 360, Spring 2008 Issue: Fighting Fraud and Corruption
FOCUS ON FINANCIAL STATEMENT FRAUD: LESSONS AND INSIGHTS

BY LEE DITTMAR AND TOBY BISHOP

THE GOVERNANCE, RISK, AND COMPLIANCE (GRC) domain that has received the most attention in the past five years is financial reporting. Since the passage of the Sarbanes-Oxley Act (SOX) in 2002, companies have devoted significant resources, time and energy to documenting, testing and improving internal controls to reduce the risk of financial reporting problems. In conjunction with heightened Securities and Exchange Commission (SEC) enforcement activity, these efforts have led to an increased focus on detecting and preventing financial statement fraud.
 
REPORTING FRAUD
Unfortunately, despite a great deal of hard work and investment as well as more stringent regulatory enforcement, financial statement fraud remains a significant concern. Although the number of SEC enforcement actions for alleged financial statement fraud declined from 2004 to 2006, the average annual number of incidents reported during that period substantially increased over the number of incidents reported in 2000 and 2001, the two years before SOX was enacted.
 
From 2004 to 2006, the SEC issued an average of approximately 50 Accounting and Auditing Enforcement Releases (AAERs) describing financial statement frauds each year, detailing an average of 223 fraud schemes per year. This compares to an average of 30 AAERs in each of 2000 and 2001, describing 86 fraud schemes per year.
 
Whether this rise reflects an actual increase in fraud or simply more effective detection, it’s clear that many corporations still have work to do to further reduce opportunities to perpetrate financial statement fraud. For such efforts to be successful, the individuals leading the charge will need a good understanding of the type of financial statement fraud that is still occurring today.
 
REVENUE RECOGNITION
To explore the incidence of the most common types of financial statement fraud, the Deloitte Forensic Center analyzed data gathered from the 344 SEC AAERs relating to financial statement fraud that were issued between 2000 and 2006. This analysis, published in a report entitled “Ten Things About Financial Statement Fraud,” identified over a thousand distinct fraud schemes, more than 40 percent of which involved some form of revenue misrepresentation. In fact, occurrences of revenue recognition fraud schemes rose 344 percent between 1996 and 2000, from 25 to 111 incidents.
 
The five most prevalent revenue recognition schemes described in the report were:
• Recording of fictitious revenue (24 percent of total revenue recognition schemes)
• Recognition of inappropriate amounts of revenue from swaps, round-tripping, or barter arrangements (11 percent)
• Improper accounting for cancellations and refunds (9 percent)
• Recognition of revenue from sales transactions billed but not shipped (8 percent)
• Recognition of revenue for transactions with unresolved contingencies (8 percent)
 
 
The widespread use of revenue recognition schemes suggests that the rise in financial statement fraud may be driven by a desire to report achievement of revenue forecasts. Prior to the enactment of SOX, notes James D. Cox, a professor of Corporate and Securities Law at Duke University School of Law, “there were terrific rewards for the executive management team to make their numbers and boost the stock price.”
 
SIMULTANEOUS FRAUD
Another key finding of the Deloitte Forensic Center study is that most of the companies alleged to have engaged in one fraud scheme were also allegedly involved in at least one other fraudulent activity. A large number of offenders had more than ten fraud schemes going on at once. We note in the report that:
• Seventy-four percent of the SEC enforcement releases described at least two fraud schemes
• Twenty-five percent described at least five schemes
• Seven percent described more than 10 alleged fraud schemes
• One percent alleged over 20 schemes
 
This tendency toward multiple instances of fraud has serious implications for senior managers preparing fraud risk assessments and designing controls aimed at mitigating the risk of financial statement fraud. Conduct assessments and plan controls with the understanding that a range of frauds could occur simultaneously.
 
INDUSTRIES CAN DIFFER
Our analysis also identified notable differences in the occurrence of fraud and the types of schemes employed in different industries. Some industries were much less likely than others to be cited for fraud by the SEC. For example, financial services companies had a very low incidence of enforcement actions, whereas technology companies were the most likely to be cited by a substantial margin.
 
Between 2000 and 2006, the types of fraud committed in different industries generally paralleled the overall pattern of fraud schemes. Revenue recognition schemes were the most common, with their frequency relative to other schemes increasing over the time period examined. The manufacturing industry was one notable exception: In contrast to other industries, such as technology, the incidence of revenue recognition schemes decreased among manufacturers. One possible explanation for this is that the SEC’s 1999 guidance on revenue recognition may have been more effective in the manufacturing industry than in the technology industry.
 
FAILURE TO ALIGN TECHNOLOGY
The question remains: Why are such revenue recognition schemes not more easily detected? We believe the problem has much to do with information technology – specifically, a failure to align IT systems with this particular area of risk. Without appropriate IT systems to support the process, the estimates and judgments that go into revenue recognition may not be readily traceable as part of a systemic record.
 
The findings of a 2006 study from RevenueRecognition.com and IDC (Enterprise Systems and Revenue Recognition: The Missing Link) highlight the problem. The study found that “92% of public companies rely on manual processes to perform key revenue recognition and reporting functionality (nearly the same percentage is true for private companies).” The study reported, “84% of companies that initially stated Financials/ERP systems DO automate revenue accounting are actually using spreadsheets for these activities.”
 
The lack of a system-based approach to financial reporting creates the opportunity for fraud, as manual processes and the resulting lack of transparency can make wrongdoing extremely hard to detect. Therefore, improving fraud prevention and detection is a key driver of the need to implement more effective IT systems for reporting, analysis and controls, an important element in a company’s efforts to align IT with GRC. Expect to see an increased focus on leveraging technology to increase control effectiveness and financial reporting transparency.
 
IMPROVED TRANSPARENCY
The environment is ripe for this type of improvement. Recent reforms have taken corporate America a long way in changing the balance of risks and rewards associated with the temptation to manipulate reported earnings. SOX established clear accountability for senior executives by requiring them to take individual responsibility for the accuracy and completeness of corporate financial reports. And the bar has been raised on boards as well: We now have a very different environment for directors, especially audit committee members, from that of the pre-SOX era, when board membership often was treated as a sinecure.
 
Clearly, the scope of fraud risks and concerns goes far beyond financial reporting. But the lessons and insights concerning financial reporting fraud are instructive and can be usefully applied in the design and execution of broader fraud prevention and detection practices. Early detection of fraud is important, but it’s just as important, if not even more important, to maintain processes and systems that short-circuit the opportunity to commit fraud in the first place. That’s what strong GRC is all about: creating an environment that makes it hard to misbehave – and easy to do the right thing.
 
LEE DITTMAR IS A PRINCIPAL WITH DELOITTE CONSULTING LLP. CONTACT LEE AT LDITTMAR@DELOITTE.COM. TOBY BISHOP IS A PARTNER WITH DELOITTE FINANCIAL ADVISORY SERVICES LLP. CONTACT TOBY AT TOBYBISHOP@DELOITTE.COM.
 
As used in this article, “Deloitte” means Deloitte Financial Advisory Services LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries.
 
This article contains general information only and is based on the experiences of Deloitte practitioners. Deloitte is not, by means of this article, rendering business, financial, investment, or other professional advice or services.