After a quieter period, the Securities & Exchange Commission has renewed its focus on financial-reporting fraud. KPMG’s Pamela Parizek and Howard A. Scheck address this shift in emphasis in SEC oversight and enforcement from their vantage point as forensic accountants who perform independent investigations and support audit engagement teams.
MCC: Why the renewed focus on financial-reporting fraud by the U.S. Securities and Exchange Commission?
Pam Parizek: Financial statement fraud has always been a core focus of the SEC’s enforcement program. It was overshadowed by other priorities in response to the financial crisis in 2012, but recently, there have been several indicators that there may be a renewed focus. First, historical trend analysis and comparative economic cycles in the mid- to late 1990s suggests that opportunities to commit financial fraud around the time of the financial crisis may just be coming to light.
In the wake of Arthur Levitt’s 1999 “Numbers Game” speech, for example, we had a similar economic cycle. Usually during downturns you have opportunities and incentives for the manipulation of financial statements. The schemes usually start pretty small. Over time, the magnitude of the fraud will increase the likelihood of detection. If you look at historical economic and enforcement trends over the past few decades, there are some parallels that we are seeing in the current time frame.
A second factor influencing the increased focus on financial statement fraud is criticism from Congress and the investing public about the relatively low number of financial statement fraud matters over the past five years. Whenever you have that level of scrutiny, there tends to be a response by the SEC. There is certainly a need for increased focus in this area, but due to other legitimate priorities, resources were taken away from some of the core programs and put into investigations involving the financial crisis. Now that many of those investigations have concluded, there seems to be a renewed focus on financial statement fraud.
Third, there has been an increase in whistleblower reports regarding corporate disclosures and potential financial statement irregularities. Those reports sometimes turn into enforcement matters. There is also the potential for new leads coming out of whistleblower hotlines and other sources – both internal and external, originated in the U.S. or abroad.
Fourth, we have seen increased enforcement activity by foreign regulatory authorities. Certainly in the FCPA space, foreign regulators have been very active. Over the past few years, we’ve started to see some activity by foreign regulators involving financial statement irregularities, and some of those matters have implications for U.S. companies.
Finally, the SEC has adopted new investigative approaches to target financial statement fraud in response to some of these pressures.
MCC: Why have the number of financial-reporting cases brought by the SEC been so low in recent years? Certainly in the FCPA space, foreign regulators have been very active. We’ve started to see some activity by foreign regulators into financial statement investigations, and some of those involve U.S. public companies.
Howard Scheck: Historically, the accounting-auditing enforcement releases, which are the SEC’s way of characterizing the financial-reporting cases, were about 25 percent of the enforcement actions filed every year. This peaked at about 31 percent of the cases in 2007. Since then, the cases dropped dramatically until 2013, when it went down to 10 percent. Now, they’re starting to trend back up. In 2014, it was around 12 percent, and 2015 is about 16 percent.
The primary reason is the Sarbanes-Oxley Act of 2002, which ushered in a wave of regulations designed to improve financial reporting by enhancing a number of areas, including corporate governance and oversight by audit committees and enhanced audit quality via the formation of the PCAOB (Public Company Accounting Oversight Board) to oversee the audits of public companies. There were also a lot of new rules related to internal control and disclosure requirements, as well as criminal penalties – a whole host of things that I think of as enhancing financial reporting.
There are other factors, too. Restatements are down, and historically, the SEC has targeted cases primarily by self-reporting and restatements. Also, the credit crisis had an impact. During that time, there was a focus on valuation cases, not revenue recognition cases. It just wasn’t the fraud du jour because people weren’t trying to cook the revenues or do earnings management. Revenue recognition cases had historically been about 25 percent of the accounting cases that the Commission filed.
Last, the SEC itself was focused on other issues such as Ponzi schemes post-Madoff, and financial institutions during the credit crisis. All of that had an impact on the number of cases.
MCC: How is the SEC targeting financial-reporting cases?
Scheck: The SEC targets financial-reporting cases through a combination of reactive and proactive approaches. On the reactive front, the main drivers are restatements, issuer self-reporting (where companies come in and report something to the SEC) and complaints from investors. Whistleblower complaints are in the neighborhood of 800 financial-reporting-related whistleblower tips a year. There are about 4,000 tips altogether, so about 20 percent are for financial reporting. Some of them are good; some of them are not so good. The good ones get picked up by attorneys and investigated right away. The not-so-good ones will likely get dropped, and the ones that may require further evaluation go to Fraud Task Force.
There are also referrals from the division of corporation finance, which reviews SEC filings to look for potential accounting and disclosure issues, and referrals from other regulators, including foreign regulators and the PCAOB, which the SEC enforcement folks work closely with on auditing matters.
On the proactive front, there are two primary ways that the Commission goes about identifying cases. One is through risk-based investigations; those are usually led by the chief accountant in enforcement. During 2010 when I was there, we identified issues with respect to China-based companies that were committing accounting fraud. Ultimately, the SEC filed fraud cases against more than 65 foreign issuers or executives and deregistered the securities of more than 50 companies. The Commission also started targeting gatekeepers through Operation Broken Gate, which looked at severely deficient audits and drive-by audit situations in which there was almost no audit done at all—typically involving microcap companies.
Second, and probably the hotter topic, is the creation of the Fraud and Audit Task Force in late 2013, which the Commission formed to enhance its enforcement capabilities in proactively identifying fraud.
MCC: What technology tools are being deployed by the SEC to identify violations?
Scheck: As a whole, the division is looking at a variety of data analytic tools to uncover fraud and market abuse. This is especially the case in the insider trading and market manipulation areas, where enforcement can use tools that can process and analyze enormous amounts of trading information to ID potential insider trading or market manipulation.
With respect to financial fraud, it’s much harder to identify accounting fraud through the use of technology and analytic tools, although the Commission has been trying to do that. When I was at the Commission, I was working with the division of economic risk and analysis in its development of its AQM (Accounting Quality Model) tool. It was designed to identify improper earnings management by looking at specific risk factors, risk inducers and risk indicators. At the time, we were working on text analytics to identify potential deception in SEC filings. With respect to AQM, there were a lot of false positives. It was only looking at earnings management, not other types of accounting fraud. Now the Division of Economic and Risk Analysis (DERA) is developing a number of algorithms to identify potential outliers. I think the SEC is going to continue to try to find ways to utilize technology to identify accounting fraud.
It’s also using a slew of dashboards and tools for which it doesn’t disclose the proprietary algorithms, but they’re used to monitor high-risk companies, as well to try to get in front of the companies that might need looking at.
MCC: What is the role of the SEC’s Financial Reporting Task Force, aka the Fraud Squad?
Scheck: It was formed in late 2013, and it fits within the Enforcement Division, which has a bunch of specialized units to investigate various program areas: insider trading, FCPA asset management, among others. This task force was not designed to do investigations. Instead, it is more of a think tank that helps the division identify financial-reporting issues to investigate.
Parizek: This is one of the problems with the task force. It was formed for the purpose of identifying potential financial-reporting matters. The problem is that investigative work is required to determine if there’s a case. So the other challenge is getting people to actually run the investigations. Maybe that group needs to be reconfigured so there is an ability to assign cases or push the ones that have greater potential.
It can sometimes be frustrating to get people to take these cases. They’re very labor intensive, they’re very demanding, and there’s so much activity in the other program areas that will require a dedicated effort to get this done. And remember, the SEC has pretty limited accounting resources. It certainly has an accounting group within enforcement, but it doesn’t have the resources that we have when we conduct financial-reporting investigations. So in terms of developing the evidence to bring a case, or even fully developing a lead, there is a resource constraint.
Scheck: To put it in context, there are about 100 accountants in the SEC enforcement division across the country, and they’re working on the day-to-day accounting investigations. Separately, this task force is supposed to help identify other investigations. The normal way it works is through tips, complaints, referral systems and restatements – basically the reactive side. Anything that is a major restatement, a high-profile company that looks like there might be fraud or fraud risk factors related to the restatement, or a complaint that has some meat on the bones – that stuff is going to get picked up and normally referred out to attorneys to investigate right away. Following through on that investigation is something the accounting group would do, whether to help do them, provide advice and guidance, or determine if anything was falling through the cracks.
But there’s a whole host of issues that might be getting picked up through the task force or the referral system in which it’s not quite clear whether an investigation ought to be done. We coined a term when I was there: “incubating the case.” What the accounting group, and also the Fraud Task Force, will do is incubate situations. They might go out and kick the tires, gather information from a company, do some outside research to see if there really is something to investigate. That’s very labor-intensive. There’s a lot of judgment involved. If it’s not a clear-cut violation, the task force or accounting group might have problems referring that to attorneys to investigate. That’s why, right now, the task force is focused on monitoring high-risk companies to stay on top of identifying the next Enron or WorldCom before it happens. It is working with DERA to develop data analytic tools and is trying to incubate cases as necessary.
Parizek: If you’re chasing broken windows, then you have to provide the resources to bring some of those smaller, less high-profile cases. Instead of chasing the next Enron, maybe resources need to be devoted to some of the smaller financial infractions. If you look back, the task force that was formed at the height of the earnings management enforcement activity in the early 2000s was very different. It was empowered to act. Enforcement staff were dedicated to a financial reporting task force to run with the investigations, not just incubate potential leads. Maybe that old model ought to be reconsidered.
Scheck: My prediction would be that the Commission will be reluctant to form a specialized unit for financial fraud, even though, as Pam said, it would be useful, in some respects, to have it.
MCC: What types of financial-reporting issues – earnings management, disclosure issues, high-risk companies versus companies that are gaining small advantages with minor infractions – are on the SEC’s radar screen?
Scheck: There were 134 cases filed in 2015 in the financial fraud area. About half of those were for fraud and the other half for books and records and internal controls. One way to look at it would be that not only is the SEC focused on the fraud cases but it’s looking specifically for violations of the internal controls or books and records divisions. So the SEC wants to send a message to public companies that if there’s a risk of a material misstatement or a material error that might impact the numbers and disadvantage investors, companies should enhance their internal controls and make sure that they’re doing everything they can to get the numbers right, regardless of whether there’s fraud going on.
A lot of judgment takes place on the SEC enforcement side over whether to bring an internal controls case when there’s no evidence of fraud. Technically, the SEC can bring an enforcement action if there’s a restatement or a material error, even if there isn’t fraud. It simply doesn’t have the resources or appetite to bring an enforcement action every single time there’s a restatement. There’s judgment there. It looks at what kind of message the case is going to bring, what fraud risk factors might be related to it. Sometimes the reason something’s brought as a nonfraud case versus a fraud case has to do with litigation risk on the SEC side. Rather than litigate something the Commission might think is high risk, it’s more efficient to resolve it on a nonfraud basis.
Right now there is not a pervasive accounting abuse that has been identified. Backdating stock options is an example of a particular issue that was pervasive across multiple public companies and industries under investigation. Or an issue like the China-based companies – that could be hundreds of companies.
We are seeing an uptick in the revenue-recognition cases, as Pam alluded to earlier, as the economy starts to improve. The Commission is always looking at disclosure cases. Some of the credit crisis cases are still running through the pipeline. The Commission’s enforcement is really going to try to get ahead of areas it thinks might be ripe for manipulation because of the improving economy.
MCC: Have you seen an uptick in financial fraud allegations in forensic work?
Parizek: We’ve seen a modest, but growing, rise in allegations of potential financial statement irregularities. Some are relatively small; others could be more serious. Sometimes there’s smoke but no fire; sometimes you’re dealing with a disgruntled employee whose allegations are not substantiated by the facts. With respect to the more serious allegations, it may be necessary to undertake a formal investigation.
MCC: How should companies respond to allegations of financial-reporting fraud?
Parizek: The most important thing is to respond as soon as possible to any allegation that could potentially impact the financial statements. Sometimes companies will kick the tires informally; other times there may be a special committee of the board tasked with conducting an independent investigation. It really depends on the facts and circumstances.
With respect to whistleblowers, there is always a risk that there could be a whistleblower someplace in the background. In the old days, there would be different types of investigations, depending upon whether there was a known whistleblower or a known regulatory enforcement action versus something that was initially detected by the company. With the enactment of the bounty program for whistleblowers, that’s changed a great deal. Today we see more companies conducting investigations that are more akin to an audit-committee-led investigation, even when management conducts the investigation itself. We also see companies conducting investigations and implementing remedial measures on a dual track, so by the time the investigation is completed, remedial measures are already in place. The prompt implementation of remedial measures can be very helpful when seeking resolution of a matter with the government.
MCC: Should financial fraud investigations be run by management or the audit committee?
Parizek: From a regulatory perspective, independent investigations conducted at the direction of the board by outside counsel and/or independent accountants tend to be more credible with the government. While management-led investigations may be feasible in some situations, allegations that could impact the financial statements should be investigated by independent parties under board supervision. For smaller matters, in which it may not be clear that there is an actual violation, you could potentially develop a targeted plan led by management, and sometimes we do see internal audit working with general counsel to conduct these more targeted investigations. The problem is there may be challenges to claims of privilege, where you may not have the protection that you would have in a more formal investigation under the direction of independent counsel. The other issue is that there could be individuals in management, or in the chain of command, who are potentially implicated in the scheme, which makes it more challenging to conduct a management-led investigation.
MCC: What should companies be doing to prevent, detect and deter financial statement fraud?
Parizek: Public companies spend a great deal of time performing internal audits and testing internal controls. In our experience, companies could spend more time brainstorming about fraud risk. General consideration of fraud risk is required as part of the audit process but beyond that, there should be a fraud-specific risk assessment. The risk assessment is important because it identifies areas across the entire corporate organization that may be susceptible to fraud. Specifically, there are assessments of financial-related fraud risk that also address potential management override of internal control, among other things.
Companies should also be looking across the entire compliance program, not just into policies, procedures and internal controls but also into investigation, remediation and accountability protocols to govern the conduct of an investigation, should it be necessary to conduct one. Once an investigation is underway, with so many moving parts, it’s really too late. You need to get ahead of that by having the controls in place, so you know who your first responder will be, who you have onboard, who you have on retainer, what other resources you have lined up to mobilize quickly in response to a financial statement fraud allegation.
Scheck: In some ways, it’s having a good understanding of the fraud risk factors related to different types of accounting fraud – the red flags related to, say, revenue recognition or valuation, or things like whether the company is engaging in transactions that look like it’s trying to engineer an accounting result or transactions that might lack economic substance. Do the disclosures look like the company is trying to hide results because they’re so vague and lack transparency? There are also issues with respect to materiality. If an error is quantitatively material, meaning the magnitude is large enough that anyone would say that it’s important, there aren’t too many issues there. But with qualitative materiality, whether an investor would care about certain transactions or certain disclosures is an issue that companies’ compliance programs need to address.
MCC: What advice do you have for companies if and when an investigation is necessary?
Scheck: It’s important for companies to maintain good communication with the independent auditors. Make sure that the auditors, especially if there’s a risk of a material misstatement or there’s an investigation, are aware of the situation and can shadow the investigation.
Parizek: Communication with the external auditors is critical. It’s important to have a discussion early on and get their input before the investigation is concluded. The last thing you want is for an outside party to conduct an internal investigation, not have a conversation with the external auditor, who probably has as good an insight as anyone into certain financial accounts of the company, and then have the investigator come back and say, “You need to do this over because you forgot steps A, B, and C.”
We’ve learned from conducting investigations and working with external auditors, as well as supporting our own audit teams, that when an investigation impacts our audit clients, communication among the investigation team, the audit team and the forensic team is critical. Of course, there has to be sensitivity to privilege and waiver issues, but those obstacles can be overcome with careful planning and coordination.
It is also critical to preserve electronic records and hard-copy documents wherever they may reside. Investigation protocols should include the designation of a point person to lead an internal investigation, issuance of a document preservation notice in all relevant jurisdictions, and a short list of go-to outside counsel and forensic accountants, preferably in an on-call arrangement where terms and conditions are previously agreed. Depending on the nature and scope of the investigation, it may also be prudent to form an oversight committee for management-led investigations or a special committee of the board for independent investigations. Most importantly, if the government comes knocking, be certain that management cooperates and external service providers have the credibility and expertise to conduct a thorough investigation, adequately document their procedures and report their findings in an objective fashion.
Pamela J. Parizek, CPA, Advisory partner in KPMG’s forensic practice in Washington, D.C. firstname.lastname@example.org
Howard A. Scheck, CPA, Partner in KPMG’s forensic practice in Washington, D.C. email@example.com