10 Feb

Failing to Find Fraud When Auditing Cash

UPDATE: In March 2011, CFO Jacky Lam of China Media Express and the auditors (Deloitte) resigned. Deloitte said they could no longer rely on the representations of management, and they suggested an investigation was in order. Ping Luo, the analyst from Global Hunter who gave CCME rave reviews resigned. Maurice Greenberg’s Starr Investments sued CCME for fraudulently inducing it to invest $13.5 million. The stock was delisted from the NASDAQ in May 2011.

Deloitte raised the following issues: questionable authenticity of bank statements, supicioius bank confirmation procedures, existence of advertisers/customers, undisclosed bank accounts and bank loans, financial filings with the State Administration of Industry and Commerce differing from information provided to auditors, questionable authenticity of tax filing documents, cash payments to employees, and double counting of buses.

Earlier this week, I posted an article about China MediaExpress Holdings (CCME) and the allegations of fraud that were leveled recently against the company. I took a look at some of the commentary out there, asked questions and made comments, and ultimately decided that I am concerned about the potential that the company is a fraud.

Supporters of CCME have questioned the reliability and authenticity of the fraud allegations, and have provided evidence of their own about why the critics of CCME should not be trusted. I haven’t looked at all of those counter arguments, but I have looked at some of them, and some appear credible. I do not discount the due diligence that has been done by a number of investors. I am sure that they found plenty of evidence to suggest that the company is completely legitimate and their numbers are reported accurately.

However, I still believe that something is wrong at the company.

Here’s why: Even if most of the fraud allegations are either improper or incorrect, I believe that at least some of them are likely to be true. Even if one or two or three of the fraud allegations are true, the company has a serious problem. In my experience, lying and fraud do not occur in a vacuum. When small lies or frauds are found, very often they are the tip of the iceberg and more dishonesty exists.

All this aside, I have been asked to explain how CCME’s reported cash balance of $170 million as of September 30, 2010 could be fraudulent. As I have explained in articles here, here, and elsewhere, financial statement audits are not designed to detect fraud, and most often the do not detect fraud. It is dangerous to assume that because financial statements have been audited, the numbers do not contain fraud.

Auditors specifically disclaim responsibility for finding fraud over and over. Although the auditing standards in the United States require auditors to consider the possibility of fraud and to follow up on red flags of fraud that they might see, they are not required to find fraud. Fraud is difficult to find because, unlike simple errors in the accounting records and financial statements, instances of fraud are willfully and systematically covered up by those committing the fraud.

Further, it is unlikely that auditors will find fraud in a company because management is usually intimately aware of exactly how an audit is performed and what procedures the auditors will do. Management knows where they will look, and therefore can be very careful to hide the fraud where the auditors will not look.

Third Party Verification

Certain types of transactions or verifications are harder to manipulate than others. When audit evidence is coming from unrelated third parties, there is often a greater level of comfort that this evidence is authentic.

However, many times the auditors don’t truly know if the third parties are unrelated or if those third parties have a secret relationship with the company that will give them a motive and opportunity to lie. In the case of auditing the cash balance, an audit confirmation from a bank is typically considered a very reliable document, as is an original bank statement.

Auditing Cash

It is important to note that in this article, I am only referring to the process of auditing cash. Companies can engage accountants and auditors to do all sorts of procedures on their books, if they so choose. However, here, we are talking about a type of service that is clearly defined between the auditors and the company. Everyone knows exactly what the company is getting when they engage a firm to do an audit. So the comments here are limited to an independent financial statement audit.

How could the CCME reported cash balance of $170 million be fraudulent?  First, it is important to understand that the cash balance of $170 million at September 20, 2010 is unaudited. That means that the auditors have not applied full audit procedures to the number. The most recent audited cash balance for China Media Express is $57 million as of December 31, 2009.  This is the figure that Deloitte Touche Tohmatsu has allegedly audited. But let’s set aside the exact dollar figure and talk about exactly why and how an auditor goes about auditing a cash balance.

Under Generally Accepted Auditing Standards (GAAS) in the United States, the auditors are testing the existence of cash. They are not specifically testing how the cash got into the bank account. Other account balances are tested in various ways throughout the audit, and those procedures are deemed to verify how the cash got into the bank account.

A typical audit work program for the cash accounts will have

Procedures Performed

The two main procedures that are done to verify the cash balance are:

  1. Examine the bank statement that includes the last day of the financial statement period
  2. Receive a confirmation directly from the bank of the bank balance on the last day of the financial statement period

As part of the examination of #1 and #2 above, the auditors will:

  1. Examine #1 and #2 above in conjunction with the general ledger balance and a client-prepared bank reconciliation which will reconcile uncleared checks and deposits (which are recorded on the books, but not yet through the bank account) to the bank.
  2. Clerical accuracy of the reconciliation should be checked.
  3. A bank statement for the period after the close of the balance sheet date should be examined to verify that reconciling items (uncleared checks and deposits) did clear shortly after year-end.

After these procedures are done, the auditor should consider whether there are any fraud risks with the client that indicate additional work should be done.

The auditors typically will not look at other bank statements from throughout the year unless there is an occasional issue that requires it. They also will not look at all of the ins and outs on the bank statements throughout the year, or even on the last bank statement of the year. Some will say it’s advisable to look at the ins and outs of the bank account, but it simply doesn’t happen that way during an audit.

In a local case of fraud at Koss Corp., the VP of Finance Sue Sachdeva stole $34 million from the company. It has been said that one of the ways she avoided detection by the auditors was through not stealing from the company in the last month of the fiscal year. Koss was audited by a very reputable firm, yet a large fraud went on for years without detection. The facts in the Koss case are different from the allegations against CCME, nonetheless the case provides a good example of how reputable auditors can be fooled.

When you consider how little work is done on the cash account – – basically only verifying the balance as of the balance sheet date – – it is easy to see how fraud could occur and not be found. The auditors are not verifying the source of the funds, only the existence of them.

Creating a Fraudulent Cash Balance

One way to create a fraudulent cash balance is to deposit funds belonging to someone other than the company in month 11 of the year (so that an unusually large deposit isn’t showing on the statement for month 12, which the auditors will most likely see), and leave the money in the account through the end of the year (and, if you want to be safe, into the first month of the next fiscal year). There is legitimate cash in the bank account at the end of the year, the bank will confirm it, and no one will be the wiser.

If someone wants to be more clever and lower the risk of detection, smaller amounts could be deposited to the bank throughout the year to mimic collections from customers.

Of course, there are other numbers on the financial statements that will have to be manipulated to cover up whatever fraud scheme you’re perpetrating. However, the question I have been asked in this case is whether Deloitte could audit cash at CCME and fail to find fraud in the bank balance. The answer is yes, and it would not be all that difficult.

Additional Procedures?

It has been said that since CCME has so few customers, it would be easy to interface with these customers and verify how much business is really being done with them and how much they have paid China MediaExpress.  I suppose that could happen, but it is not what happens in an audit. Typically the only customer contact by the auditors is during the confirmation of accounts receivable. Some customers may be contacted, and may be asked to verify the amount they owe the company as of the balance sheet date. The auditors will not ask teh customers to verify all the business done throughout the year.

What about the fact that CCME is so small, therefore the auditors could do extra procedures to verify things? Again this is possible, but it is not going to happen. Auditors have work programs outlining the procedures that should be performed, and they don’t just arbitrarily decide to do more work. An audit is a very well-defined set of procedures and verifications, and there is no incentive for Deloitte to do more.

Further, there is a bit of a catch 22 when it comes to fraud. If auditors suspect fraud, they are required to look further to determine if fraud exists. But if they do not suspect fraud… if everything looks rosy… then they won’t be looking further to find fraud. The company just has to make sure that there aren’t any blatant red flags, and then the auditors will likely not look deeper to find evidence of fraud.

Remember too that if CCME has much lower revenue than they claim, and their operations are much smaller than many expect, then there is plenty of time for management to fabricate documentation. If they don’t have real customers, then their time can be spent manufacturing customers and documentation. I am not saying that this happened at China MediaExpress, because I don’t know that this is the case, but I am suggesting that it is possible.

In conclusion, the premise that the numbers are authentic because China Media Express was audited by a Big 4 firm is misguided. The audit can be one piece of evidence in favor of management, but it is not absolute by any means. The are many, many undetected frauds in companies with reputable audit firms. Audits have never been designed to find fraud, and management actively works to cover up instances of fraud. Therefore, the vast majority of audits do not find fraud.

Lack of a fraud finding by independent auditors is not assurance that a company is free from fraud, and auditors even explicitly say this in their audit documentation and communications with the client.

Note to Conspiracy Theorists: I am writing about China MediaExpress only because a story about the company caught my eye, and it seemed like an interesting topic to write about. I am not involved in any sort of conspiracy to harm the company.

11 thoughts on “Failing to Find Fraud When Auditing Cash

  1. Tracy,
    Thank you for this detailed writeup. It is quite germane to the CCME fraud accusations, as it addresses one of the core issues under consideration.
    In the end, the only protection an investor seems to have is to understand the details of the business intimately, run the projected numbers themselves, visit the company in person, and see whether everything makes sense and the numbers add up. DD, as they call it… And even then, fraud is possible (because people can just steal from the company while the auditors aren’t looking).
    In CCME’s case, people have run the numbers, but of course there is debate about whether they add up. I tend to listen to rational arguments, so I still agree with the longs here.
    Based on this article, it sounds to me like all investing is basically gambling…seems like this sort of fraud could be perpetrated by ANY company. As I understand you to say, there are no controls or checks done at all at any company in any audit process which would actually check financial statements for deliberate, calculated, sophisticated fraud.
    This surprises me (what is the purpose of an auditor, then? Are they a glorified accountant?). But that is your whole point.
    One question I have is: Now that the fraud allegations have been made, and specific claims have been made, can we trust subsequent audits by Deloitte if they are clean? Meaning, if this next annual audit comes clean, can we be assured that Deloitte DID take many extra steps to actually follow the money trail? At that point, can we view this as a verified business, with relatively little risk?

  2. Tracy, thank you very much for this interesting article about auditing. I agree very much with Alan, that if auditors do not routinely look at the issues you mentioned, in order to try to detect fraud, then what tools can investors trust? Is there some specific check that you would advise individual small investors to perform in order to look for red flags?

    In other words, what shall we be looking at now, while we wait for next CCME annual report? All this buzz around it is 95% emotional and does not help anybody to take a rational decision.

    And I also share the same question as Alan: after all these allegations, will Deloitte take extra steps to address the issues recently raised as red flags, in the case of CCME?

    Last but not least, as you said, you got a lot of emotional responses to your articles from investors, but there are a lot of readers out here that want to hear different and contrarian views. It’s just that we don’t necessarily post comments all the time just to say thank you. But we actually need more people to tell us and argue for opposite views than ours, in order to understand better the businesses we are investing in. So, thank you and please keep posting and do not bother about emotional posting.

  3. Yes, investing is a lot like gambling because you just don’t know if management is honest or not. If management is honest, the audit process works because it focuses on checking the math and the application of the accounting rules. Very often the auditors will find unintentional errors when checking for these things, so there is value to what they do when management is honest. When management is dishonest, however, the auditors are usually of little use. Their procedures just aren’t designed to catch fraud, and management knows it.

    I do not think it is wise to trust that Deloitte is going to do more work. Here’s a great example of why: Overstock.com. For the last few years, there have been accounting fraud allegations against them on a variety of different items. But the main thrust was that management was manipulating the books. Two different sets of auditors kept signing off on clean audit opinions, year after year. Last year Overstock.com was forced to announce accounting problems that went back several years, and make adjustments in current and prior periods. These were large, reputable auditing firms that couldn’t catch fraud when people were practically telling them exactly where to find it. (And they were right!)

    One way to find fraud is to retain forensic accountants to do alternative procedures on the books and records that are directed at finding fraud. Short of that, all you can do is use your common sense. In this case, there are so many allegations that hold up and management has been unwilling to prove otherwise. Sure, some of the original allegations seem to be untrue, but many of them see true. I would stay far away from this stock. It is too risky for me.

  4. Tracy,

    “so many allegations hold up”

    Which allegations hold up?

    “too risky for me”

    Nothing ventured, nothing gained.
    Corollary: Nothing ventured, nothing lost.

    Definitely very risky….

  5. Tracy,
    Well, I guess this has now become old news. But I am still curious about the statement in your comment:
    “In this case, there are so many allegations that hold up….”

    CCME still may turn out to be a fraud. But in my analysis, I have yet to see any of the allegations hold up…is there a particular allegation that you’ve seen which has been proven to hold water?
    In any case, we’ll see how it turns out mid-March….I am approaching the date with appropriate caution and protection against catastrophic losses, though I am still long the stock.

    I guess I’m hoping that the backhanded complement the bashers make about CCME being the “most profitable company in the world” (in percentage terms by various metrics) turn out to be true….

    Thanks for your past analysis on this subject.

  6. Pingback: Sequence Inc. Fraud Files Blog

  7. Pingback: Sequence Inc. Fraud Files Blog

  8. Tracy, i came across your article about fraud and auditing and it was very helpful. I’m thinking about investing in small companies so I’m trying to do my own research to reduce the risk. It sounds like forensic due diligence would be the best choice. However, I have been told that financial due diligence is often performed. What is the difference between forensic dd and financial dd? Can you tell me the procedures performed during financial dd? Your explanation of auditing procedures was easy to understand. Thank you.

  9. Thank you for replying so quickly! I’ve read that financial dd is not an audit but it has to do with ratios and forecasting. If it’s not an audit, how is it helpful to investors? How can they check for accuracy?

Leave a Reply