Last month we looked at the benefits and related costs of Sarbanes-Oxley, with a skeptical eye on whether section 404 really makes sense. While I believe the column to be thoughtful and insightful, at least one reader feels that I just don’t get it.

He writes: “I agreed totally with your statement when you concluded that independent and qualified audit committees, codes of conduct and whistleblower channels ‘are the most significant results of Sarbanes.’ However, [you] might have [said] they [are] the only significant results. Let's remember who actually perpetrated [the] heinous acts of fraud and deception. It was [not] the A/P clerk or the cash management specialist. It was the C-level executives . . . [and] very little of what was implemented as a result of Section 404 will prevent Ken Lay or Andrew Fastow from colluding to commit fraud.” (For the record, Mr. Lay has pleaded not guilty to the charges against him.)

With these comments and others having expressed similar notions (see for example Compliance Week’s July 20, 2004 article on the subject), it’s worth looking at what internal control is and what it can do. By the way, throughout this column we’re talking about internal control over financial reporting based on COSO’s Internal Control—Integrated Framework.

Frankly, getting to the bottom of this issue centers to a significant extent on terminology. When I speak at conferences typically I’ll listen to other presenters, and while I often find them interesting and insightful, I cringe at incorrect usage of key terms and misperceptions on the topic of internal control. Some may believe the importance of using the right words in communicating is overstated, but we’ve seen too often that using key terms of art incorrectly results in miscommunication, talking at cross-purposes, and resulting actions that are inefficient at best and ineffective at worst. And in this highly litigious society, miscommunication can have even more serious effects on all participants.

Common “Misspeaks”

If you’ve attended any of my presentations, you may have heard me say, “I never make a mistake, but I may sometimes misspeak.” Well, here are some of the most common misspeaks on internal control:

The control environment. So often we hear even knowledgeable people speak of the “control environment” when they actually mean the entirety of internal control. The control environment is only one of the five components of internal control. The whole enchilada is simply internal control, or a company’s internal control system. Is this important? You bet it is, especially when actions taken as a result focus on only one part of a company’s internal control instead of the entire system.

Internal controls. Another misuse occurs when the term “internal controls” is used to mean what actually is only one component of internal control, namely the control activities component. In fact, controls exist throughout all of the five components.

Monitoring. This term has specific meaning, identifying one of the five components of internal control, but frequently is used to mean certain control activities. While there is some overlap between the two components—control activities and monitoring—too often the term “monitoring” is used in a way that’s either confusing or wrong.

We could go on with other communication problems, but let’s get to the more significant stuff: what internal control can really do to prevent the kinds of major frauds that have occurred in the not-too-distant past, and indeed have been occurring for many decades and longer.

What Really Matters

The premise put forth above is that qualified audit committees, codes of conduct and whistleblower channels are relevant to protect against fraudulent financial reporting, but internal control isn’t -- on the basis that top management is above the fray, and can pretty much do what it wants to present desired reported results.

Let’s take a closer look at what really matters:

The audit committee. A well-qualified, capable, serious and diligent audit committee undoubtedly is among the most important elements of preventing fraudulent financial reporting—or, for that matter, erroneous reports. Audit committees have become emboldened and empowered, and are feeling the heat of the spotlight thanks to recent debacles, Sarbanes-Oxley, tighter stock exchange listing standards, and the like. While the audit committee continues to be an oversight body and doesn’t conduct audits itself, by executing its responsibilities effectively it serves as a vital line of defense.

Code of conduct. Whether restricted to those in the financial-reporting process as required by law, or (as many companies have done) expanding the code to cover all company personnel, the code is a cornerstone in preventing fraudulent reporting. Many organizations have also concluded that a code by itself won’t do the job; it must be complemented by the right messages and actions from all levels of management, effective training, and two-way communication to determine the extent to which the code is understood and embraced throughout the organization.

Whistleblower channel. With this long-standing best practice now mandated, a mechanism exists by which employees who know of fraudulent reporting can blow the whistle. This, too, justifiably is seen as important to preventing bad reporting, especially of the type where senior officials mask reality by overriding established controls, concocting transactions, or manipulating reports at the highest levels.

So, yes, those who forcefully argue that these things really prevent bad reporting are absolutely right. The list, however, is not complete. Other critical factors aid in preventing fraudulent reporting, including the following:

Integrity and ethical values. Obviously, managers and all personnel with high levels of integrity and sound ethical values form a basis for “doing the right thing” in all respects, including financial reporting. As elements of the right kind of corporate culture, these attributes drive behavior at all levels. While “legislated” integrity and ethics have often been called impossible to achieve, they nonetheless are key drivers of reliable reporting.

Incentives and temptations. Avoiding the wrong kind of incentives and unhealthy temptations also helps prevent improper financial reporting. Appropriate motivations for achievement are part of sound business practices, but pressure to meet unrealistic performance targets, extreme rewards based on reported financial results, and poor or non-existent segregation of duties all contribute to an unhealthy environment.

Management’s philosophy and operating style. Management's attitude toward financial reporting, conservative or aggressive selection from available alternative accounting principles, conscientious development of accounting estimates, and attitudes toward data processing and accounting functions and personnel all help determine the reliability of financial reporting.

Internal audit. A well-qualified and effective internal audit function can both be a deterrent to fraudulent financial reporting and detect it when it does occur. Certainly those corporate whistleblowers who graced the cover of Time several years ago are good examples of how important internal audit can be.

External audit. Audits of financial statements and internal control can detect, and have detected, fraudulent financial reporting, and also serve as a deterrent to prevent improprieties by those concerned about discovery.

This list is not complete, as other factors also serve as preventive measures—but let’s get to the main point.

Guess What!

As an astute reader informed on the subject of internal control, you may know what’s coming next: The point is that all of these factors, including an effective audit committee, code of conduct and whistleblower channel, are actually part of a company’s system of internal control (except for external audits, which we’ll come back to in a moment). So, while some individuals decry the lack of internal control’s relevance and depict it as meaningless low-level activity, the reality is that internal control has many components and elements that work together. The fact is, when effective, internal control does a great deal to prevent fraudulent financial reporting.

The external audit, while it can deter or detect fraudulent financial reporting, is not part of a company’s internal control system. But certainly it continues to be an important element in the overarching system to ensure that reliable information is provided to investors in the capital markets. Additionally, while the audit itself is not part of the internal control system, how a company’s management uses information provided by the external auditor is indeed a part of internal control.

Internal control is about much more than preventing fraudulent financial reporting, as outlined in last month’s column. Indeed, the benefits are significant—as are the costs of assessment, and I do believe the assessment process can be improved. But when looking at what prevents fraud in reporting, internal control is high on the list.

One final thought. It’s always dangerous for any speaker or writer to harp on precision in use of words, as I’ve done here. So, my request is that if anyone goes back through my speeches or writings and finds misuse of words, please be sure to remember that it’s not a mistake, but simply a possibility that I misspoke!