Compliance Week
By Tammy Whitehouse
Now that Sarbanes-Oxley has made big progress buttoning down internal controls over financial reporting, the next great frontier for potential abuse is emerging: nonfinancial fraud.
That’s the lesson, at least, from companies like BP and State Farm, both caught up in accusations that employees manipulated nonfinancial information in ways that seemed to achieve some immediate gain for the companies.
BP, for example, either ignored or pushed the limits on pipeline maintenance, leading to the catastrophic failure of a stretch of pipeline in Alaska that caused a 270,000-gallon spill and sent oil prices soaring earlier this year. The company is under investigation not only for neglecting its duty to maintain corrosion-free pipes, but also for potential violations of safety rules and possible manipulation of propane prices.
Meanwhile, insurance giant State Farm is faced with allegations that it pressured engineers to issue reports that would minimize the claims the company would have to pay in the wake of Hurricane Katrina. (State Farm denies any wrongdoing, and describes the allegations against it as “grossly unfair.”)
And at the same time, the Securities and Exchange Commission has apparently ended its pursuit of charges against officers of oil producer Shell, which already paid a fine in 2004 for overstating proven oil and gas reserves to help boost its valuations. The SEC declined to confirm reports from Shell attorneys that the investigation is closed.
All three situations are public-relations fiascos no company would want to endure, and could lead (and in Shell’s case, did lead) to significant regulatory headaches. They also have something else in common: They are types of fraudulent behavior that SOX doesn’t address.
“SOX is good for the internal control environment,” says Bruce Gavioli, national leader of anti-fraud programs at Deloitte Financial Advisory Services. “Now the next place for people to look is for external or collusive risks. Those may not have gotten the attention they deserved through the Sarbanes process.”
The risks are as varied and as numerous as the companies that must identify them, experts say. Anywhere an operational issue becomes financially relevant, companies must examine how their documentation could be manipulated, says Chris DeGallier, assistant director of business controls at Regence, a private health insurer that adheres to SOX voluntarily.
In a manufacturing environment, for example, paperwork can be doctored to show materials have been consumed when in fact they have not, or environmental studies can be altered to reflect a reduced liability for the company. In retail settings, companies routinely struggle with theft of merchandise throughout the supply chain.
In virtually any company, electronic payroll deposits present the risk of fictitious employees drawing paychecks, DeGallier says. “It’s a good idea once in a while to hand checks to people instead of electronically depositing them, to make sure the checks match the people,” he says.
Tom Wardell, a partner in the corporate practice at the law firm McKenna Long & Aldridge, warns that any time a company is negotiating a merger or acquisition, the risk of misbehavior exists. Although those involved in negotiations are bound to secrecy and are barred from buying or selling shares in anticipation of an announced transaction, Wardell says analyses still show an otherwise inexplicable spike in trading often precedes the revelation of a deal.
“That suggests somebody knew and others didn’t,” he says. “The opportunity still exists for someone to trade.”
Zero-based assets also present a problem area for companies, Wardell says. Anytime a company has an asset on the balance sheet with no value (often the case with retired assets), the potential for abuse exists if the equipment in question still has some residual value in its parts.
“If an asset on the balance sheet is valued for less than what its parts can be sold for, there’s a chance that someone will do just that, and it won’t be on the corporation’s behalf,” he says. “That reduces the revenue that would otherwise show up on the company’s books.”
Whither The Internal Controls?
Internal controls monitored under SOX create the right tools for control, but don’t necessarily guarantee good behavior, Wardell contends. “It really still only gives a company a framework for enforcing compliance within its culture,” he says. “If that culture’s not there, people will still find their way around the controls.”
Al Vondra, a partner with PricewaterhouseCoopers, says multinational companies often face their greatest risk as a result of overseas operations, depending on where they do business. In countries where bribery and other kinds of corruption are still the norm, U.S. companies may face an internal cultural battle over how best to do business. Vondra says enforcements arising from the Foreign Corrupt Practices Act have been on the rise in recent years as SOX enforcement has exposed overseas vulnerabilities to corrupt behavior.
Gavioli says the best defense against fraud problems is a good offense. “It all comes down to having a robust anti-fraud program and controls in place,” he says. He advocates a five-part approach that follows the five components of the internal control framework published by the Committee of Sponsoring Organizations: the control environment, risk assessment, control activities, information and communication, and monitoring.
COSO’s framework is largely in place among public companies to establish the internal control environment that facilitates SOX compliance. COSO has since published an enterprise risk management framework as well for an even wider view of control and risk.
Companies need to conduct a fraud risk assessment to identify potential fraud schemes and scenarios, not just within the finance function but throughout the organization, Gavioli says. They need to establish anti-fraud control activities with both preventive and detective controls in place to discourage and identify fraud.
Companies also need to establish a system of information sharing and communication so that people know their role in helping prevent and detect fraud, Gavioli continues. Entities need to monitor the program to assure it works properly, and they need to check the tone at the top to assure the appropriate signals are being sent from the board of directors and management.
The American Institute of Certified Public Accountants even goes a step further, to say the audit committee should have responsibility for brainstorming on how management might game the internal controls to their favor and establish similar preventive and detective controls in that arena.
It’s an area more companies need to address, Gavioli says, based on Deloitte’s findings in a recent survey. The company 
asked 1,600 listeners of a recent Webcast seminar if they have such an anti-fraud program in place, and only 49 percent indicated they do. Even further, only 39 percent said they have at least performed a fraud risk assessment.
Tracy Coenen, president of the forensic accounting firm Sequence, said it’s a stretch even to assume companies have adequately tightened internal controls themselves, let alone looked beyond internal controls for other potential risks.
“A lot of companies went through the exercise of tightening controls, but it hasn’t caused as much of a shift as many people think,” she says. “They did the paperwork and now we can see how the controls really work, but the paperwork is just a document of what we do. It’s not really forcing them to fix the problems or do anything better. I think there’s so much that can still be done in internal controls that they needn’t bother (to look for other risks.)”
Tracy’s clarification: Companies should first do more to improve their internal controls to prevent fraud. After their internal controls are better, THEN they should look toward identifying and controlling non-financial risks.
