Compliance Week
By Tammy Whitehouse

The Securities and Exchange Commission is sending another warning about fraud prevention by pursuing top executives at a small company for failing to stop a massive fraud, although legal experts are divided on whether it sends the right message.

Koss Corp., which produces consumer electronics, and its president and CEO, Michael Koss, recently settled an enforcement action with the SEC for an embezzlement and accounting fraud of more than $30 million. Koss, however, was not the perpetrator; former finance vice president Sujata Sachdeva and her senior accountant, Julie Mulvaney, carried out the scheme.

Michael Koss, who remains president and CEO, agreed to pay back bonuses totaling more than $450,000 in cash and 160,000 options. The company faced no monetary penalty. Sachdeva is already serving 11 years in prison for helping herself to more than $30 million from corporate accounts beginning in 2005 to support her lavish personal spending.

The SEC charged that the company and its CEO didn’t maintain a system of internal controls that would have reasonably assured accurate and reliable financial reporting. The scope of the embezzlement scheme was significant compared to the company’s sales and retained earnings, according to the SEC. In 2009—the first of two fiscal years and three subsequent quarters that Koss restated as a result of the fraud—Sachdeva skimmed $8.5 million in corporate funds on sales of $41.7 million and retained earnings of $17.1 million. Sachdeva and Mulvaney hid their embezzlement through an accounting fraud.

As an example, the SEC said Koss policy required Michael Koss to approve invoices of $5,000 or more for payments, but required no such approval for wire transfers or cashier’s checks. That allowed Sachdeva, with Mulvaney’s help, to use wire transfers of about $16.3 million and cashier’s checks of some $15.5 million to pay Sachdeva’s personal creditors and credit card bills, the SEC said. To cover their tracks, Sachdeva and Mulvaney made post-closing changes to the books, relying on an antiquated, 30-year-old computer system that could not lock out the accounting systems at the end of the month, the enforcement order says. (Koss Corp. and Michael Koss did not respond to requests for comment.)

The SEC’s clawback of Michael Koss’s bonus sends a message to all smaller reporting companies that are not required under Sarbanes-Oxley to have their internal control assessment audited, says Cynthia Krus, a partner and co-leader of the corporate practice group at law firm Sutherland Asbill & Brennan. “It’s a shot across the bow,” she says. “The SEC wants to make sure companies understand that regardless of whether you are getting your auditors to sign off on controls, you need to be taking it seriously.”

After long delays and an eventual exemption under the Dodd-Frank Act, companies the size of Koss have never been required to have their internal control environment scrutinized by external auditors under Sarbanes-Oxley Section 404(b). The Koss fraud could serve as a great example of why Section 404(b) should be applied to all public companies, says Jacqueline Wolff, a partner with law firm Manatt, Phelps & Phillips. “Some of this might have been glaring if they had done a full 404(b) audit,” she says.

Koss’s audit firm, Grant Thornton, was dismissed from a class-action suit related to the fraud, but still faces litigation from Koss directly. The SEC declined to say whether it is pursuing any action against the audit firm, and the Public Company Accounting Oversight Board is forbidden under Sarbanes-Oxley to disclose investigations until cases are settled or appeals are exhausted.

Keith Bishop, a partner in the corporate and securities practice at law firm Allen Matkins, is disturbed by the SEC’s pursuit of the company and its CEO. “It smacks of punishing the victim and second guessing,” he says. “I have a concern that the SEC is using this as a message case without really recognizing that no matter how well you have designed internal controls, they only provide reasonable not absolute assurance that there won’t be fraud.”

In Bishop’s view, the SEC singles out Michael Koss and criticizes him for not inspecting the general ledger trial balance, not investigating unusual or frequent journal entries, and not looking behind certifications that were provided to him. “In any environment, the person who signs the certification and the SEC reports is going to have to rely on other people,” he says. “You can’t expect them to double check everything.”

Others, however, say the SEC should have gone harder on Koss. “The penalty was so insignificant,” say Tracy Coenen, a forensic accountant and founder of forensics firm Sequence. “There was absolutely no internal control in place. (Michael) Koss was signing off of the financial statements without doing any due diligence on any company records. While he may not have directly perpetrated the fraud, his inaction allowed it to go on for so long.” She expected more criminal liability for a failure to carry out basic duties to the company, she says.

Focus on Fraud

Marty Rosenbaum, a partner with law firm Maslon Edelman Borman & Brand, says companies should see the Koss case as a reminder of why internal controls are important. “Everyone has focused for the last eight or nine years on internal controls as a technical exercise under Sarbanes-Oxley,” he says. “But the other aspect of internal control—and it’s been around longer but is easy to lose sight off—is preventing fraud. It’s hard at smaller companies, but it’s important to second guess whether the system in place can prevent fraud. This employee made it look easy.”

Coenen points out that Koss more closely resembles a family-owned business than a public company, with the majority of its shares held by family members or insiders. It helps explain why the company had a small finance and accounting staff, with very few people holding key roles in managing books and records. She worries the SEC enforcement action doesn’t come down hard enough, giving companies some cause to weigh the costs and benefits of internal controls. “It almost feels like a roll-the-dice situation,” she says. “If that’s the only penalty, maybe I don’t have to go through the cost and trouble of shoring up controls.”

The most important lesson, says Allan Bachman, education manager at the Association of Certified Fraud Examiners, is that every executive needs to keep a healthy skepticism. “This is a big lesson in oversight and trust,” he says. “Both were violated significantly here. The numbers are astounding for a company this size. Don’t assume you’re not susceptible.”