Financial statements are the end result of an accountant’s work
and are the responsibility of management. Proper internal controls
help the accountant determine that the financial statements fairly
present the financial position and performance of a company.
Financial statement fraud occurs when the
financial statements are used to conceal the actual financial
condition of a company or to hide specific transactions that may be
illegal. Financial statement fraud may take on many different
methods, but it is generally called cooking the
books. This issue may occur for many purposes.
A common reason to cook the books is to create a false set of a
company’s books used to convince investors or lenders to provide
money to the company. Investors and lenders rely on a properly
prepared set of financial statements in making their decision to
provide the company with money. Another reason to misstate a set of
financial statements is to hide corporate looting such as excessive
retirement perks of top executives, unpaid loans to top executives,
improper stock options, and any other wrongful financial action.
Yet another reason to misreport a company’s financial data is to
drive the stock price higher. Internal controls assist the
accountant in locating and identifying when management of a company
wants to mislead the inventors or lenders.
The financial accountant or members of management who set out to
cook the books are intentionally attempting to deceive the user of
the financial statements. The actions of upper management are being
concealed, and in most cases, the entire financial position of the
company is being purposely misreported. Regardless of the reason
for misstating the true condition of a company’s financial
position, doing so misleads any person using the financial
statements of a company to evaluate the company and its
operations.
How Companies Cook the Books to Misrepresent Their Financial
Condition
One of the most common ways companies cook the books is by
manipulating revenue accounts or accounts receivables. Proper
revenue recognition involves accounting for
revenue when the company has met its obligation on a contract.
Financial statement fraud involves early revenue recognition, or
recognizing revue that does not exist, and receivable accountings,
used in tandem with false revenue reporting.
HealthSouth used a combination of
false revenue accounts and misstated accounts receivable in a
direct manipulation of the revenue accounts to commit a
multibillion-dollar fraud between 1996 and 2002. Several chief
financial officers and other company officials went to prison as a
result.9
CONCEPTS IN PRACTICE
Internal Controls at HealthSouth
The fraud at HealthSouth was
possible because some of the internal controls were ignored. The
company failed to maintain standard segregation of duties and
allowed management override of internal controls. The fraud
required the collusion of the entire accounting department,
concealing hundreds of thousands of fraudulent transactions through
the use of falsified documents and fraudulent accounting schemes
that included revenue recognition irregularities (such as
recognizing accounts receivables to be recorded as revenue before
collection), misclassification of expenses and asset acquisitions,
and fraudulent merger and acquisition accounting. The result was
billions of dollars of fraud. Simply implementing and following
proper internal control procedures would have stopped this massive
fraud.10
Many companies may go to great lengths to perpetuate financial
statement fraud. Besides the direct manipulation of revenue
accounts, there are many other ways fraudulent companies manipulate
their financial statements. Companies with large inventory balances
can misrepresent their inventory account balances and use this
misrepresentation to overstate the amount of their assets to get
larger loans or use the increased balance to entice investors
through claims of exaggerated revenues. The inventory accounts can
also be used to overstate income. Such inventory manipulations can
include the following:
- Channel stuffing: encouraging customers to buy products under
favorable terms. These terms include allowing the customer to
return or even not pick up goods sold, without a corresponding
reserve to account for the returns.
- Sham sales: sales that have not occurred and for which there
are no customers.
- Bill-and-hold sales: recognition of income before the title
transfers to the buyer, and holding the inventory in the seller’s
warehouse.
- Improper cutoff: recording sales of inventory in the wrong
period and before the inventory is sold; this is a type of early
revenue recognition.
- Round-tripping: selling items with the promise to buy the items
back, usually on credit, so there is no economic benefit.
These are just a few examples of the way an organization might
manipulate inventory or sales to create false revenue.
One of the most famous financial statement frauds involved
Enron, as discussed previously.
Enron started as an interstate
pipeline company, but then branched out into many different
ventures. In addition to the internal control deficiencies
discussed earlier, the financial statement fraud started when the
company began to attempt to hide its losses.
The fraudulent financial reporting schemes included building
assets and immediately taking as income any projected profits on
construction and hiding the losses from operating assets in an
off-the-balance sheet transaction called special purpose
entities, which are separate, often complicated legal
entities that are often used to absorb risk for a corporation.
Enron moved assets that were
losing money off of its books and onto the books of the Special
Purpose Entity. This way, Enron
could hide its bad business decisions and continue to report a
profit, even though its assets were losing money.
Enron’s financial statement fraud
created false revenues with the misstatement of assets and
liability balances. This was further supported by inadequate
balance sheet footnotes and the related disclosures. For example,
required disclosures were ramped up as a result of these special
purpose entities.
Sarbanes-Oxley Act Compliance Today
The Enron scandal and related
financial statement frauds led to investors requiring that public
companies maintain better internal controls and develop stronger
governance systems, while auditors perform a better job at auditing
public companies. These requirements, in turn, led to the
regulations developed under SOX that were intended to protect the
investing public.
Since SOX was first passed, it has adapted to changing
technology and now requires public companies to protect their
accounting and financial data from hackers and other outside or
internal forces through stronger internal controls designed to
protect the data. The Journal of
Accountancy supported these new requirements and reported that
the results of SOX have been positive for both companies and
investors.
As discussed in the Journal of
Accountancy article,11
there are three conditions that are increasingly affecting
compliance with SOX requirements:
- PCAOB requirements. The PCAOB has increased
the requirements for inspection reports, with a greater emphasis on
deficiency evaluation.
- Revenue recognition. The Financial Accounting
Standards Board has introduced a new standard for revenue
recognition. This requirement has led to the need for companies to
update control documentation.
- Cybersecurity. Cybersecurity
is the practice of protecting software, hardware, and data from
digital attacks. As would be expected in today’s environment, the
number of recent cybersecurity disclosures has significantly
grown.
Under current guidelines, instead of the SOX requiring
compliance with just the financial component of reporting and
internal control, the guidelines now allow application to
information technology (IT) activities as well. A major change
under the SOX guidelines involves the method of storage of a
company’s electronic records. While the act did not specifically
require a particular storage method, it did provide guidance on
which records were to be stored and for how long they should be
stored.
The SOX now requires that all business records, electronic
records, and electronic messages must be stored for at least five
years. The penalties for noncompliance include either imprisonment
or fines, or a combination of the two options.