Could an alleged $31 million fraud at a company that reported $38 million in sales last year quash claims that internal-controls checks don’t matter?

Sarah Johnson – CFO.com | US

A finance executive’s alleged embezzlement of as much as $31 million over five years from headphone-maker Koss Corp. could serve as fodder for critics of legislation that would permanently exempt smaller publicly traded companies from fully complying with the Sarbanes-Oxley Act.

Observers of the case believe that Koss, which reported $38.3 million in sales last year, wouldn’t be starting off 2010 in reputation-repair mode if it had had better internal controls in place to notice that money was continually moving out of the company’s bank account, allegedly to pay off an executive’s personal credit-card charges. Small companies like Koss have not been required to comply with Sarbox audit requirements.

Just before Christmas, the company fired Sujata Sachdeva, its vice president of finance and secretary, after U.S. attorneys filed a criminal complaint against her, claiming she used more than $4.5 million of the company’s money to buy clothing, fur, and jewelry at various luxury stores in Milwaukee over the past two years. “It seems from everything I have heard, this vice president of finance had an awful lot of autonomy to do her own thing,” says Tracy Coenen, a fraud examiner and forensic accountant who has been following the case.

Koss has since disclosed that the monetary fallout could be worse than the amount cited in the criminal complaint. An internal investigation has uncovered additional unauthorized transactions, as far back as five years ago, whose total exceeds $31 million. As a result, Koss plans to restate its financial records for the past three fiscal years and may go back to 2005 to make corrections. In the meantime the company’s stock is in limbo, since Nasdaq halted its trading on December 21. At least one law firm has opened up an investigation for a possible shareholder lawsuit.

Moreover, the company fired its accounting firm, Grant Thornton, on New Year’s Eve. The auditor’s response has been to highlight the fact that Koss is one of the companies that are not yet subject to Sarbox’s Section 404(b), which requires an auditor sign-off of internal controls. “The company did not engage Grant Thornton to conduct an audit or evaluation of internal controls over financial reporting,” says a spokesperson for the accounting firm. “Establishing and maintaining effective internal control is management’s and the board’s responsibility.”

Koss’s management claimed the company did have effective internal controls for fiscal years ending June 30, 2009, and June 20, 2008. Still, the management report, enclosed in its most recent 10-K, acknowledged in boilerplate language that “because of the inherent limitations in all control systems, no evaluation of controls can provide absolute assurance that all control issues and instances of fraud, if any, within the company have been detected.”

The Securities and Exchange Commission has allowed non-accelerated filers — companies with market caps below $75 million — to only self-report on the effectiveness of their internal controls for the past two years. But the regulator has continually delayed the auditor-attestation portion of 404 for those filers. If there are no more delays or exemptions, companies like Koss will have to get their auditors to review their internal controls starting this summer, depending on their fiscal year-end.

However, the major regulatory-reform bill passed by the House in mid-December would permanently exempt small businesses from 404(b). Small-business proponents have pushed for the exemption, saying audits of internal controls over financial reporting are disproportionately costly and perhaps even unnecessary since, individually, small companies represent only minuscule blips of total market capitalization in the United States.

Still, it’s debatable whether small businesses will get the exemption after the Senate works on its version of the bill later this month. Investor advocates are hoping they won’t. “Investors believe that auditor’s expertise can provide management with additional perspective on the quality of its system of internal control, which can have a positive impact on the quality of a company’s financial reporting,” wrote four investor groups, including the CFA Centre for Financial Market Integrity, in a recent letter to House members. The Koss case could bolster such arguments against the exemption.

According to the complaint against Sachdeva, neither Koss’s auditors nor itsexecutives uncovered the alleged fraud. Rather, American Express alerted the company’s CEO, Michael Koss, to several large wire transfers made from a Koss Corp. bank account to Sachdeva’s personal credit card. The purchases in question included $382,400 at two jewelry stores and $1.4 million spent at one clothing boutique. Michael Koss did not respond to CFO’s request for comment.

According to the complaint, Sachdeva told FBI agents that she had authorized an assistant to make the wire transfers, which she later concealed by falsifying the balance in Koss’s bank account. The complaint does not explain how she allegedly made these changes or why they were not detected sooner. Her attorney, Martin Kohler of Kohler & Hart LLP, told CFO he was unable to comment on the case.

From an outsider’s point of view, it appears that Koss had control issues, namely in the area of segregation of duties. “If someone can have access to cash and the books, they can, on an ongoing basis, perpetuate fraud without getting caught,” says Bob Benoit, president and director of SOX Research at consultancy Lord & Benoit.

Without more detail on the alleged fraud, it’s hard to know whether an internal-control audit would have uncovered the problems. However, the knowledge of having an auditor come in for the extra review could have prevented Sachdeva from perpetuating the fraud, contends James Pratley, president of the Association of Certified Fraud Examiners, which has been actively protesting the proposed 404(b) exemption. Still, “management bears the ultimate responsibility for not noticing her lavish lifestyle and the auditors for not noticing anomalies in the company’s financial reporting,” he tells CFO.

Coenen is critical of the other executives and Koss’s board for not picking up on the alleged fraud sooner. The company could have been alerted to the problems by having a fraud hotline and giving employees (such as Sachdeva’s assistant) a way to raise suspicions, she says.

Based on his company’s outreach to potential clients, Benoit believes many small companies are not complying with 404(a), even though their managements say they have effective internal controls in their annual reports. “It appears many outside auditors are looking the other way” and not verifying that internal-control assessments are getting done, he says.

While Michael Koss certified the company’s financials and internal controls in the latest annual report under his dual titles as CEO and CFO, Sachdeva signed the 10-K as the company’s principal accounting officer. She had been working at Koss since at least 1997, when she praised the merits of telecommuting to CFO. At the time, she was managing a nine-person finance department from her home in Texas, 1,200 miles from Koss’s Milwaukee headquarters. She later moved closer to the company but was known to take work home with her. The government’s complaint says she made the questionable wire transfers from her office at Koss, where the CEO apparently found several piles of clothing with the price tags — totaling over $2,000 — still attached.