Entries in Audit (4)

Saturday, May 26, 2012

The Elusive Audit Cure

As someone who is following the current travails of JP Morgan Chase and thinking about the audit challenges, I’ve been looking at ideas for improving an auditor’s ability to detect defects in internal controls.  This is an area getting much thoughtful attention, but it’s also a tough nut to crack.

A piece written in March of this year by Keith L. Johnson suggests that auditors should try to take a more diagnostic approach to their tasks.  He suggests that current audit procedures focused on financial and operational metrics are doomed to miss things because they don’t consider how organizations and humans actually behave.  He recommends a medical exam paradigm that would think of the current audit testing as similar to lab test results.  Then he would add the financial equivalent of behavioral and genetic risk factors.  He also wants some forward-looking evaluations of ongoing health and sustainability. 

Frankly it sounds more like what a stock analyst is tasked with doing than what an auditor does.  I don’t think the track record of stock analysts is such that anyone thinks they would increase the reliability of audits.  What audits already have in common with medicine is a requirement that you design testing so that it can be replicated.  The outcomes of sampling and testing can be manipulated either on purpose or in error.  However, with proper documentation, one can determine where the potential for bias and error was introduced.  That seems an area where the model already works.

Audit reports are based on a sum of the investigatory results, which are then used to form an opinion. Simply adding more opinions to the mix isn’t going to help build clarity.  Auditors are tasked with using professional judgment, which could be another way of articulating some of the considerations raised by this “medical model”.   

Joshua Ronen proposes the use of an insurance product associated with the financial statements.  His theory is to provide a market-based incentive to get at the truth of the matter.  As a former employee of a bond insurance company, I’m concerned that execution of this approach would also be very difficult to do effectively.

One of my favorite nuggets of time management is that you need to prioritize between what is urgent and important.  Unfortunately, finding a more consistently effective method for auditing financial statements appears to meet both criteria. So I’ll keep reading…. 

Saturday, May 19, 2012

There's a Whale in the Fish Tank!

While no one can put a number to the JP Morgan trading problem yet, in the vocabulary of auditors, the results likely will be material.  Using the word material in this context means that it would influence the decisions of folks relying on the financial statements.   Coming in the midst of efforts to improve both regulatory and financial controls for banks, it points out how much work remains to be done on the topic of appropriate risk management and reporting.

 It strains credibility that the bank’s CEO started to realize they had a problem when he read about the “London Whale” on the front page of the Wall Street Journal.  The trade was executed as part of what was supposed to be the bank’s risk management strategy.  If there’s a whale in your fish tank it shouldn’t take a third party to make you notice. 

While JP Morgan messed up in many ways here, you have to give them credit for keeping the conversation focused on how risky and complex the trade was.  No one can dispute that the speed and complexity of global financial transactions make them difficult to manage.  However, this focus misses the point that the bank is supposed to have internal control infrastructure that doesn’t allow them to get into a place where they make trades that have indeterminate impact.  

Anyone who has worked in a big organization knows that risk culture doesn’t change quickly in either direction.  There must be senior people at the bank today who didn’t have to read the Wall Street Journal to find out there was a problem.  Apparently the Treasurer’s position at the bank wasn’t filled during the time much of the controversial trading was going on.  However, before he left the bank, the person in the role apparently was concerned.  This is someone who was reporting to the bank’s CFO.  GMI, an independent corporate ratings agency, gave JP Morgan Chase an “F” for corporate governance policies in advance of the loss being made public.  This grade is typically given to less than 5% of the companies they rate.  GMI also ranked JP Morgan’s financial statements lower than 92% of comparable firms in terms of accounting and governance risk.

Groupon’s auditors found the company had a material weakness in its internal controls.  The tools are available today to highlight when controls don’t appear to be in good condition.  An error of the scale that occurred at JP Morgan Chase should not happen in an effective internal control environment.  It is hard to believe the deterioration of these controls happened suddenly since the last audit report.

Sunday, March 25, 2012

Social Fraud

Thought I’d take a break from tax topics to talk about a growing area of employee fraud: social media-related fraud.  A new survey by Robert Half shows that internal auditors at large companies list this subject as their top concern.  Worse yet, this topic gets priority based on a combination of high inherent risk for fraud and an acknowledgement that companies aren’t paying attention to how and when social media is actually being utilized.

Not only are companies not aware of what is going on, the Robert Half report goes on to say that a set of best practices for monitoring social media use by employees doesn’t appear to exist.  Conversely, statistics indicate that best practices for circumventing company security to use social media are commonplace – a 2010 Trend Micro survey shows one in ten employees say they do this regularly.  In the same survey, half of the users said they disclosed confidential company information through a social media outlet.  The survey also showed unauthorized use of social media growing.  Interestingly, when Trend Micro talked about the impact of this with large companies, what they found was an increased incidence of fraud related to security breakdowns that weren’t intentional on the part of the original offender.  Apparently criminals target social media interactions associated with corporate computers to gain access to data that allows them to commit crimes against the organization.

This isn’t just a big business problem.  Small companies should confront this aggressively as soon as possible.  As with every other type of fraud prevention, you start with defining what the problem looks like for your company.  The next step is to engage your staff by making the risks clear to them.  A GlobeScan survey done last year showed 87% of employees thought they should be allowed to use social media at work.  Explaining why it’s a fraud-related problem is a good starting point for limiting use.  You’ll also want to engage the people responsible for your tech security to get protection.  Presumably this will create a toolkit for working with employees to discuss acceptable and nonacceptable use of cloud and social media applications.

Gartner consulting says by 2014 one in five people will use social media to the full exclusion of e-mail for communications.  That means you can’t eliminate the problem; you can just manage the risk.  Starting sooner is your best bet for financial fraud prevention.

Sunday, November 13, 2011

Give or Take $600MM

I spent most of last week in audit training classes.  It’s no secret that the nuts and bolts of audit work are not exciting.  Unfortunately, the relevance of the task at hand was in the news.  I agree with Lynn Turner, former head accountant at the SEC, on the missing money at MF Global.

 "It's like it just vanished into thin air and the fact that people today can't tell us where the $600 million went is not a good sign. The fact that they were held in custodial accounts that someone should have been on top of only further complicates the issue and makes it even more concerning."

Whether it was for meeting margin calls or going to a personal account in the Cayman Islands is still TBD, but that’s where the boring work that I was studying is really important.  It may not be material for a new TV series (CPA: Miami ??), but trained forensic accountants are the best chance for finding the needle in the haystack.

It’s important to note here that in a forensic engagement, where the task is finding the missing $600 million, the work is structured to find the needle.  However, in an audit, that level of detail work would cost too much money.  So the guys at PwC were just looking for potential misstatements that are material.  In accounting, something is material if it would cause a user of the financial statements to make a different decision about the company. 

In this case, MF Global had structured the sovereign debt deal so they could, in compliance with accounting rules, move the debt off their balance sheet.  Would investors have made a different decision if the debt were sitting in the liabilities section of the financial statements?  We’ll never know that, but FINRA regulators did find the accompanying disclosure of “off balance sheet arrangements and risk” inadequate. (My word, not theirs – I didn’t read the FINRA notice.) So with full disclosure it could have been just “caveat emptor” to investors.  You have to wonder about the judgment call to do a deal of that size and expect no one would care about the detail of a massive increase in leverage. 

Of course, the guiding light of that judgment was Jon Corzine.  One thing that’s always discussed in audit classes is how the person who is least likely to commit fraud is the one the auditors should be most worried about.  While Corzine doesn’t have the kind of financial motivation that, say, a bookkeeper has, clearly he sanctioned decisions that can only be described as rationalizing illegal behavior.  The fraud triangle is motivation, rationalization and opportunity.  Corzine had all three.  Who knows, this could be material for the first episode of CPA & Order….