Why Management Fraud is Unstoppable

By Manuel A. Tipgos

In Brief

Enablers of the Enron Debacle?

Management fraud is unstoppable because no controls, past or present, exist to completely control management’s actions. Management controls internal control, and can generally do as it pleases, including overriding controls whenever they prevent management from attaining its objectives.

Corporate governance in its present form is ineffective because it is based on classical economic theory and the agency theory, which is anachronistic and promotes an adversarial relationship between stockholders and management but ignores the existence of the employees. A better system of corporate governance must be developed. The author examined the internal controls that U.S. corporations are supposed to implement and upon which the independent auditor must rely when judging the integrity and reliability of a company’s accounting records and the resulting financial statements. He concluded that the force of law can be a deterrent, but only after the damage has been done.

The concept of internal control has gone through an interesting evolution. In its infancy, from the early 1900s to about 1936, the purpose of internal control was to protect assets, particularly cash, from misappropriations or theft by employees. Audits were detailed, and particularly concerned with the detection of fraud and clerical errors. As the financial markets continued to develop and became the primary source of capital for large public companies, interest in the fairness of the financial statements emerged. In 1929, the Federal Reserve Bulletin (first issued in 1917 to provide detailed instructions for preparing balance sheets) stressed reliance on internal control and the use of testing, instead of detailed verification, when such internal control was deemed
reliable.

In 1936, the AICPA issued a bulletin titled Examination of Financial Statements by Public Accountants, which defined internal control as “those measures and methods adopted within the organization to safeguard the cash and other assets of the company as well as to check the clerical accuracy of the bookkeeping.” This definition reflects the concept of “internal check” that was popular at that time and was used to describe the practices followed within the accounting and finance functions for the dual purpose of minimizing clerical errors and protecting assets, particularly cash, from loss or theft.

In 1949, the AICPA Committee on Auditing Procedures issued a special report broadening the definition of internal control as: [t]he plan of organization and all of the coordinated methods and measures adopted within the business to safeguard its assets, check the accuracy and reliability of its accounting data, promote operational efficiency, and encourage adherence to prescribed management policies.

Beginning in about the 1950s, “operating efficiency” and “adherence to established managerial policies” surfaced in the continuing discussion of internal control. Controls were built into the procedures and processes so that errors and noncompliance with established managerial policies, including irregularities, were detected and corrected on a timely basis. Crucial to this end was the design of procedures and processes, as well as the segregation of duties. In later years, the qualification and training of employees became an important component of adequate or reliable internal control.

After Statement on Auditing Procedures 29 was issued in 1958, the accounting profession started to focus on the components of internal control. In “The Independent Auditor and Internal Check” (Journal of Accountancy, January 1957), Gilbert R. Byrne argues that SAP 29’s definition of internal control suggests three classifications or components: internal administrative control, internal accounting control, and internal check. Internal administrative control is concerned with managerial policies and procedures designed to promote operational efficiency and effectiveness. On the other hand, Byrne continues, internal accounting control refers to those controls that “check the accuracy and reliability of the accounting data.” Internal check are those accounting procedures, statistical or physical, that safeguard assets against defalcations or other irregularities. Byrne’s examples of physical internal checks include fences, gates, and watchmen. These components of internal control became a reference point for discussions of the concept, particularly in standard auditing texts, up to the issuance of the Committee of Sponsoring Organizations (COSO) Report in 1992.

Exhibit 1 presents a timeline in the development of internal control. It took nearly a century, to the issuance of the COSO internal control in 1992, for a substantive change in our view of internal control.

The Giver–Receiver Model

A review of the AICPA pronouncements and discussions concerning internal control from the late 1950s to the COSO Report in 1992 suggests two things:

The crucial question is whether the internal control literature indicates, expressly or by implication, that these same controls are intended to prevent management from committing management fraud. The absence of such an indication strongly suggests that internal control has always been “owned” by management, and that management is free to alter or discontinue such internal control.

In a “giver–receiver” model, management “gives” and subordinates “receive,” meaning management implements internal control and employees are expected to follow it. Because nothing in the internal control literature suggests that management is subject to these controls, management is not a receiver in this model, but rather above these controls. Given that internal control is a mechanism or a “plan of organization” to attain management objectives, what happens when, during hard times, the same internal control prevents management from realizing these objectives? Consider what happens, for example, when management decides to pad revenue but internal accounting control prevents it from doing so. As seen in past fraud cases, management will probably override the controls to show higher revenue and profits. The COSO follow-up study shows a high incidence of CEO (72%) and CFO (43%) involvement in fraud cases investigated by the SEC.

Under normal conditions, internal control and management objectives move together on parallel grounds. If the cost–benefit balance shifts toward internal control, management objectives are minimized. The giver–receiver model suggests that internal control is and can be an instrument to attain management objectives. If the same internal control prevents management from attaining such objectives, management may be tempted or compelled to exercise its right of ownership by overriding it, leading to management fraud and fraudulent financial reporting.

The Treadway Commission

Concerned with the rising incidence of fraudulent financial reporting in the 1970s and ’80s, a private-sector initiative, the National Commission on Fraudulent Financial Reporting, known as the Treadway Commission, was launched to understand factors leading to such problems. Sponsored and funded by COSO, which is composed of the AICPA, the American Accounting Association, the Financial Executives International, the Institute of Internal Auditors, and the Institute of Management Accountants, the study was undertaken from October 1985 to September 1987. Its October 1987 report contained sweeping recommendations to prevent fraudulent financial reporting and urged the sponsoring organizations to integrate their conflicting views of internal control into a workable conceptual framework.

With today’s accounting profession again in turmoil, fundamental questions about the effectiveness of the recommendations of the Treadway Commission have become relevant. It provided a framework for effectively controlling employee errors, irregularities, or fraud, and a foundation for corporate governance. Most importantly, however, the Treadway Commission created an illusion or undue expectation that internal control could control management fraud. In fact, it failed altogether.

A case may be made that the Treadway Commission did not actually intend to deal directly with management fraud. The report focused on fraudulent financial reporting but not management fraud. Its operational definition of fraudulent financial reporting focused on employee fraud:

For purposes of this study and report, the Commission defined fraudulent financial reporting as intentional or reckless conduct, whether act [or] omission, that results in materially misleading financial statements.

Fraudulent financial reporting can involve many factors and take many forms. It may entail gross and deliberate distortion of corporate records, such as inventory count tags, or falsified transactions, such as fictitious sales or orders. It may entail the misapplication of accounting principles. [emphasis added]

Company employees at any level may be involved, from top to middle management to lower-level personnel.

For reference, this author hews to the anecdotal definition of fraudulent financial reporting popularized by the financial press (see Exhibit 2). Type II fraud, creative accounting, may not be fraudulent per se, but present usage portrays it as manipulation of rules, with or without the intent to deceive.

Type I-B and Type II frauds are within the discretionary powers of management and are referred to by this author as “pure” management fraud. The fraud cases found in COSO’s follow-up study and the various creative accounting procedures adopted by high-tech companies currently under investigation by the SEC are of a kindred spirit.

Not all of the fraudulent acts or situations listed in Exhibit 2 can be prevented. Type I-A errors, irregularities or fraud committed by employees, can be effectively prevented by well-designed internal control. Pure management fraud, Type I-B and Type II, are unstoppable, not only because they occur within the discretionary domain of management, but also because there are no existing controls intended to prevent them from happening.

The focus of the Treadway Commission was detection, not prevention, of any fraud within its definition of fraudulent financing reporting. Perhaps one reason for not defining the specific categories of fraud is that the Treadway Commission realized its recommendations would be seriously constrained by not having an effective strategy for preventing management fraud.

Second, the Treadway Commission’s recommendation that top management create an “atmosphere of control awareness” (tone at the top) within the organization applies effectively to employee fraud but not to management fraud. Even a code of ethics imposed by management upon itself can function effectively only to the extent that management desires. Enron underscored this when its board voted twice to suspend its code of ethics to allow the setting up of the partnerships that led to its demise.

Third, the audit committee and the internal audit function are intended as checks on management to create an atmosphere of controls within the organization. Again, however, these controls are intended to prevent employee fraud but not management fraud.

Fourth, the Treadway Commission’s recommendation to improve audit quality by having auditors take more responsibility for fraud detection can work only to the extent that the independent auditor allows itself to be exposed to the resulting legal liability. The recent audit failures, particularly Enron, have shown that the accounting profession, despite its 100-year franchise to serve the public interest, does also pursue its own interest.

Fifth, the Treadway Commission recommended improvements in laws and regulation as deterrents to fraudulent financial reporting, and regulating the public accounting profession to improve audit quality. Unfortunately, laws and regulations only show the perpetrators that crime does not pay. The perpetrators of the Enron scandal may yet serve prison sentences, but only after they have inflicted damage on many lives and the financial markets.

Sixth, the Treadway Commission recommended that business schools across the country include ethics in their curricula. In fact, Arthur Andersen spent considerable resources teaching hundreds of business school faculty members how to integrate ethics into their courses. Ethics education is always a good investment for the future, but applying this knowledge is voluntary and cannot be imposed or legislated.

Finally, perhaps the most important shortcoming of the Treadway Commission was its failure to authoritatively state that management is not above the controls recommended in its report. In fact, the Treadway Commission reinforced the long-held notion that management owns internal control. This makes the giver–receiver model a robust predictor of management override of internal control in order to attain its objectives.

COSO and Internal Control

After the Treadway Report was issued, COSO lost no time developing a conceptual framework for internal control. In September 1992, COSO issued Internal Control–Integrated Framework. This report was hailed as a landmark study that provided a comprehensive definition of internal control and a framework, the “house of controls,” against which systems of internal control of any size firm could be evaluated and improved. COSO defined internal control from a process standpoint as:

A process—effected by an entity’s board of directors, management, and other personnel—designed to provide reasonable assurance regarding the achievement of objectives in the following categories: (a) effectiveness and efficiency of operations; (b) reliability of financial reporting, and (c) compliance with applicable laws and regulation.

The report provides five interrelated components of internal control and establishes the control environment as the foundation of all these components:

Commentators hailed the COSO report as a milestone in assessing both the effectiveness of internal control and the efficiency and effectiveness of operations.

Its emphasis on the control environment or “tone at the top” separates a management with high ethical standards, integrity, and commitment to an organization with high sense of discipline and responsibility from those without one.

The COSO report provided a framework for and a model of a “house of controls” against which the internal control of any organization can be objectively evaluated. The traditional or pre-COSO internal control provided no such a framework or model.

COSO’s contribution to internal control as an instrument of corporate governance is not without its shortcomings. As already discussed, COSO internal control can be effective in preventing employee fraud but not pure management fraud.

Second, in its eagerness to win management’s acceptance, COSO gives management vested right and power over internal control through ownership. Ownership includes the right to do whatever management pleases with such internal control, including the right to override it. Also, listing “effectiveness and efficiency of operations” ahead of two equally important objectives in the definition of internal control sends the wrong signal about how COSO views these objectives and how management should prioritize them. Intuitively, “reliability of financial reporting,” the second objective, should be more important. COSO should list management override as a limitation—a serious limitation—of its house of controls.

Third, when the COSO report was issued in September 1992, a structural change from hierarchical to reengineered organizations had been under way and therefore internal control was in an advanced state of obsolescence. The key elements or structure of COSO’s house of controls may still be valid, but the process leading to the structure has not stood the test of time. In “CoActive Control” (Internal Auditor, June 1995), John D. Tongren argues that COSO internal control is an imposed control and is inconsistent with empowered or reengineered organizations:

The old “internal control–management control” paradigm is based on hierarchical organizations. Those at the top establish the need for controls by edicts commonly known as corporate policy. Those farther down in the organization develop specific control mechanisms by drafting and implementing corporate procedures. Those in the lower level of the organization are thereby controlled. And everyone throughout the organization is expected to fully and completely abide with corporate policies and procedures—and there are many supervisors, managers, controllers, and auditors to check and make sure they do.

Recommendations

Two main themes in internal control have emerged:

The author recommends the following measures to stop management fraud:

Reflections on the Accounting Profession

Corporate management often consults the accounting profession about matters classifiable as creative accounting. The Treadway Commission referred to this consultation process as “seeking a second opinion from the public accountants.” In the process, the public accountant can either prevent or promote fraudulent financial reporting. Unfortunately, recent events show that the public accountant too often contributed to the latter activity.

In the last 10 years or so, the accounting profession became the accounting industry. For more than 50 years, critics of the accounting profession, particularly those in the academic community, have been beating the drum announcing the impending obsolescence and irrelevance of the profession. Recent events may have changed this perception. The stock market did not fall because of the irrelevance of the historical cost model or the shortcomings of our financial reporting model. Stock prices plummeted in the wake of Enron and its successors because of the investing public’s shaken confidence in the integrity and reliability of audited financial statements. In other words, the accounting profession is truly the backbone of our financial markets because of its integrity and the confidence it has earned over 100 years of protecting the public trust.

Change has always been good for the accounting profession. But a kind of change that allows accountants to be everything for everyone may not be desirable. The variety of services that the accounting profession can offer is less important to the investing public and the capitalist system than the quality of the service that ensures the reliability and integrity of financial statements.


Manuel A. Tipgos, PhD, CPA, is a professor of accounting at the school of business at Indiana University Southeast, New Albany, In.

This Month | About Us | Archives | Advertise| NYSSCPA
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2002 CPA Journal. Legal Notices

Visit the new cpajournal.com.