Most risk is not in the accounting records. Why not? Because the vast majority of our work as CPAs involves monetizing and measuring activities that have already occurred. So the risk starts before we do our job. Think recording sales, not making sales. In manufacturing, think cost accounting, not making widgets.
Because our work is historical, one of the major flaws, no matter the type and size of the entity, is that we usually react to change after fraud has occurred. When a new law, regulation or competition affects our employer or client, we fail to implement new controls or audit procedures to compensate for new fraud risks.
It’s important to understand what you need to know about your client or company, and to consider the categories of fraud risk and types of fraud that can occur so you can help minimize risk.
The importance of understanding the entity and its environment
The Risk Assessment Standards require that auditors thoroughly understand the entity and its environment, including:
- Industry, regulatory, and other external factors, such as:
  - Competitive environment
  - Supplier and customer relationships
  - Technological developments
  - Regulatory environment
  - Accounting, legal, political and environmental issues
- Nature of the entity (think risk of cash business, e.g., a laundromat)
- Objectives and strategies and related business risks (e.g., a life insurance company entering property and casualty without obtaining the appropriate expertise)
Early warning radar system
There are three main categories of fraud risk:
- Systemic
- Industry-specific
- Legal (federal, state and municipal laws)
Let’s take a look at each of these categories and some examples that illustrate why auditors are required to understand the entity and its environment. Whether you encounter one or all of these risks, the point is that fraud risks are like an early warning radar system. Don’t wait until bombs are falling to protect yourself.
Systemic fraud risk
Systemic fraud risks apply to every entity in every industry every year. Here are a few examples of areas for which CPAs in industry should develop controls and auditors should adopt procedures to compensate for:
Government action/inaction: There are a number of ‘cliffs’ that Washington has to fix in 2013. For example, the country will exceed the federal debt ceiling in the spring. Every time Congress and the administration go to the edge, spending constricts, which creates a going concern risk for some entities that can’t survive.
Failure to understand the entity’s environment: If everything you know about your client’s industry you learned from the client, you are not independent. For example, newspapers are going bankrupt on a regular basis. Google now has more revenue than the entire newspaper industry combined.¹ So if your newspaper client says everything’s fine, don’t take their word for it. Industry trends show otherwise.
Failure to know entity information: How do you explain not knowing something that’s public information, especially something that will affect the audit? For example, after I recommended that a client perform a Google search, it found that one of its clients was under criminal investigation. Solution: Before each audit, perform a search for the client name, all top executives, top 10 customers, donors or taxpayers, and products or services (test of obsolescence risk). Set up Google Alerts to automatically get information on clients, industry, client customers (think bad debts), products, services, laws and regulations.
Defective compensation systems: Remember Domino’s “30 Minutes or It’s Free” guarantee? Have you noticed Domino’s doesn’t offer it anymore? The fraud risk occurs when the pay system causes employees to break the law to get paid. A Domino’s driver killed a woman in a crosswalk trying to deliver a pizza on time. After paying $2.8 million, Domino’s ended the system.²
But by far the most common compensation system defect is commissions based on revenue. It creates a fraud risk called bad debt expense. By its nature, any estimate is a fraud risk. For example, when entities are at risk of violating bank loan covenants (e.g., revenue/gross profits, net profits), they will very often accept lower credit quality sales. Even though the debt analysis should be modified for the changed credit quality, auditors typically do a SALY analysis (Same As Last Year).
Relying on management fraud risk: In early January 2013, the SEC charged³ a KPMG partner and senior manager for ignoring red flags and using the same loan default analysis as in previous years, even though the client had started making riskier loans (SALY). Question: Do you rely on your boss or client because you trust them? Remember, trust is not an internal control. And trust is not an audit procedure.
Accounting standard fraud risk: Except for leases of less than 12 months, the forthcoming lease accounting standard will require all leases to be capitalized. This will dramatically increase many companies’ debt, causing the borrower to violate debt-equity ratios. Fraud risk: What audit procedure do you use to test compliance with every bank loan covenant for every client every year?
IRS and ICE targeting employers: The Obama administration is going after employers who hire illegal immigrants. The policy has the IRS and the ICE criminally charging employers. For example, the Phoenix-based Chuy’s Mexican restaurant chain closed its doors, and owner Mark Evenson and son Christopher face 80 years in prison and a $5 million fine.⁴ Accountant Diane Strehlow faced a 40-year sentence and $2 million fine.⁵ (Watch my compilation of news clips, Feds Go After Illegal Employers, on YouTube.) Fraud risk: In addition to tax fraud, when a company uses illegal workers, the revenue those employees earned is illegal. Further, how do you conclude you can rely on management integrity for financial reporting?
Fraud whistleblower risk: When there’s fraud, someone almost always knows. The IRS is authorized to pay whistleblowers up to 30 percent for recoveries of at least $2 million from businesses and $200,000 from individuals. The first whistleblower check went to an anonymous financial services company CPA controller who found an unreported $20 million tax liability. The CPA was awarded $4.5 million. Whistleblowers can anonymously report fraud at TaxSqueal. Fraud risk: Fraudsters have to depend on anyone who knows about the fraud to keep the secret. Compensating procedure: Talk to non-management and non-accounting people.
“Tone at the Top” fraud risk: Ever heard, “It’s my company. I can do whatever I want”? The statement is simply not true. Even if your boss or client owns the company, he or she can’t do “whatever she wants.” They have to pay taxes and comply with hundreds if not thousands of laws and regulations. Fraud risk: A client cannot run clearly personal expenses through the company without deliberately violating the system of internal controls. Even if the amount is ‘immaterial,’ it’s illegal. How do you then conclude you do not have a material weakness in controls over financial reporting?
Unclaimed property fraud risk: Failure to escheat unclaimed funds is very common. Do you know how much is being illegally retained? What’s the effect on financial reporting? If unclaimed funds were taken back into revenue to meet loan covenants, now you may have bank fraud and the loan may become immediately due and payable. Fraud risk: What audit procedure do you use to assess the amount, the effect on cash flow, and whether there is a going concern issue?
Industry-specific fraud risks
Here are a few examples of fraud risks specific to various industries:
Tax-exempt status: The IRS recently revoked the tax exemption of nearly 300,000 charitable entities. If the charity is still holding out as tax exempt, is it defrauding donors? Further, if someone donates in good faith to one of these charities and took a deduction, could the taxpayer be subject to fines and penalties? Suggestion: Check loss of tax exemption at “Automatic Revocation of Exemption List.”
Fraudulent review risk: In late December 2012, Google deleted 2 billion fake reviews from music sites.⁶ This is the first volley in the review war. What percentage of revenue or funding is derived from fake reviews? What procedure or control do you have to detect cash disbursements for fake reviews to generate revenue? Fraud risk: If your boss or client will lie to get business, what makes you think he won’t lie about financial reporting?
Food fraud risk: Food fraud is a major problem. Recently, U.S. Pharmacopeial Convention, a trusted independent lab, found that 7 percent of food contains fraudulent ingredients, including expensive extra virgin olive oil, pomegranate and lemon juices, spices, and tea bags with cut lawn grass.⁷ Fraud risk: How can a company sell more of an expensive food than it bought? Match the source of the revenue to the cost of the inputs. And be sure to watch the ABC News video.
State and city legal fraud risks
New state and city laws are particularly dangerous because many entities and CPAs simply don’t know about them.
California fraud risk: The Golden Bear state alone has 800 new laws for 2013. Just one example: When student athletes at UCLA, Stanford, USC and California State lose their athletic scholarships due to a sports-related injury, the state requires the school to provide academic scholarships and to cover insurance deductibles and premiums for injured lower-income athletes.⁸ Failure to pay could require a liability to be recorded. If the violation is intentional, it would be fraud.
Bottled water fraud risk: Except during emergencies, it is now illegal to sell water in single-serve bottles in Concord, Mass., with a fine up to $50.⁹ Audit procedure: Do you see sales of bottled water and/or bottled water during inventory observation? No? The store owner might be hiding the sales and storing the inventory off site. Compensating procedure: Visit the store unannounced. Is bottled water for sale?
What is your risk assessment system?
What’s your system to uncover any new threats every year for every client or your company? Hopefully this article has given you some solid ideas.
- You should have a thorough understanding of all of the external factors facing your client or company, such as industry, regulatory, competitive, supplier and customer relationships, political and more; and you should know the nature of the entity and any business risks related to its objectives.
- Controllers and CFOs should implement any new controls required to comply with new legal requirements.
- Because most CPAs are not attorneys, ask legal counsel what new laws or regulations apply to your entity or client.
Bottom line: Just because analytical ratios are SALY, it does not mean they’re true. Consistency is not the same thing as the truth.
©Gary D. Zeune, CPA, 2013. Gary Zeune is a nationally recognized speaker and writer on fraud, auditing and ethics. He also founded The Pros & The Cons, the nation’s only speakers’ bureau for white-collar criminals. You can reach Gary at firstname.lastname@example.org.
1 “Google Has Officially Eaten the Newspaper Industry,” Slate, Will Oremus, Monday, Nov. 12, 2012
2 “Does your compensation system encourage illegal activity?,” Gary D. Zeune, CPA, White Collar Crime Fighter
3 SEC Charges Two KPMG Auditors for Failed Audit of Nebraska Bank Hiding Loan Losses During Financial Crisis, RELEASE 2013-2
4 “A Crackdown on Employing Illegal Workers,” New York Times, May 29, 2011
5 “Chuy’s Accountant Sentenced; Expected to Testify Against Owners,” KVOA.com, Nov. 27, 2012
6 “YouTube Strips Universal and Sony of 2 Billion Fake Views,” The Daily Dot, Dec. 21, 2012
7 “Group Finds More Fake Ingredients in Popular Foods,” ABC News, Jan. 22, 2013
8 “New California Laws 2013,” KQED.com, Jan. 1, 2013
9 “Mass. Town’s Plastic Bottle Ban in Effect,” Boston.com, Jan. 1, 2013