moneydrainI’ve been talking here, at DailyFinance.com, and to the media about the massive fraud at Koss Corp. and how I think it may have been committed and covered up. The time has come to get more specific about how I think it happened, and why I think the auditors did not find it.

Disclaimer: I have no inside knowledge of the situation at Koss. I have never worked for or with them, and I have never worked for or with Grant Thornton, the auditors. I haven’t seen anything other than what’s been released publicly by the press. I am merely speculating.

The contention has been made that the auditors should have found this fraud, as they are required to consider fraud in planning and performing their audits. Further, the fraud is at an estimated $31 million (my guess is it will end around $50 million), which is clearly material to Koss.  “Material” generally means it’s big enough to matter to the overall financial picture of the company. With annual sales hovering around $40 million a year at Koss Corp., $31 million (or more) stolen over a 5+ year period is certainly material.

So how did the auditors miss it? That’s easy. Three simple steps by Koss VP of Finance Sue Sachdeva could prevent the auditors from encountering evidence pointing them to the fraud.

Again, it’s important to point out that I have no idea whether the auditors failed in their role. I have no idea whether things were uncovered in their audits that should have been investigated further, and which would have exposed the fraud if they had been investigated.

For purposes of this discussion, I’m asking you to assume the auditors did the right thing. Assume they properly planned and carried out their audits, even in light of the poor internal controls it appears Koss had. Pretend the auditors were diligent and thorough. How, then, might Sachdeva commit her fraud so that no one would discover it?

All it takes are three steps to make this fraud nearly undetectable in a company in which the other members of the executive team aren’t paying attention. (And don’t worry, dear readers, that I may be giving away any secrets to committing fraud and covering it up. Any serious fraudster already knows these three things.)

  1. Keep the fraud off the balance sheet.
  2. Keep all transactions below the scope of testing by the auditors.
  3. Don’t commit fraud during the last month of the fiscal year and the first month of the following fiscal year.

Can it really be this simple? Yes, and here’s how.

Keep the fraud off the balance sheet: The substantive testing of the auditors focuses very heavily on the balance sheet. Probably 80% or more of the auditors’ work is spent testing balances on the balance sheet. The focus on the income statement is minimal because the theory goes that if the balance sheet is right, the bottom line profit is also right and a lot of testing does not need to be done on the profit and loss statement.

How could Sachdeva keep the fraud off the balance sheet? We’ve been told she used company funds to pay her own massive credit card bills. The accounting entry would credit the bank account (so that the account will always be balanced to the bank statement and not draw attention) and debit an expense account. Normally, paying a bill would require using accounts payable, a balance sheet account. But by skipping that step and going right to the income statement, this generally keeps the fraud off the balance sheet.  (Except of course for the use of the bank account, which I’ll address in point #3.)

Where on the income statement do you hide the theft? Ideally you would split it up between a number of line items. Cost of Goods Sold is probably one of the best areas to dump the theft because it’s likely one of the largest line items, and everyone agrees that material costs can vary in manufacturing. It’s easy to explain away an increase in COGS. Payroll will be a larger item too, so some of the fraud might be dumped there. Generally, you should consider using 5 or 10 of the biggest line items which won’t draw scrutiny if they increase.

Here is how Koss has said Sachdeva’s fraud was broken out between fiscal years, based on information available last week:

2005 – $2,195,477
2006 – $2,227,669
2007 – $3,160,310
2008 – $5,040,968
2009 – $8,485,937
2010 – $10,243,310 (two quarters)

With the company selling about $40 million of products per year, you can see how easy it would have been to conceal $2 million or $3 million on the income statement. As long as that amount is broken up across several line items, it likely won’t be noticed.

The dollar figures in the last three years were obviously much larger and probably a bit more difficult to conceal.  But remember…. By 2007, $3 million in theft was concealed in the income statement. That means in 2008, only $2 million of the total $5 million stolen needs to be hidden. The first $3 million in theft would already be in line with the prior year’s expenses and wouldn’t draw scrutiny.

The same thing goes for 2009. Presumably $5 million in theft was already concealed in 2008 and integrated into the income statement. Only $3 million extra (of the $8 million total theft) needs to be concealed in 2009.

Keep all transactions below the scope of testing by the auditors: Most of the audit work involves testing transactions. They can’t possibly look at all the transactions for the year, so they examine transactions on a test basis. If the testing turns out right (the numbers were recorded correctly, they add up the way they should, and the accounting rules were followed when recording the transactions), then the untested items are also deemed to be correctly recorded.

The auditors rely heavily on their “scope.” They’ll determine a number which guides the transactions they’ll test. Let’s pretend that $50,000 is the scope on an audit. When testing transactions, the auditors are generally going to look at transactions $50,000 and above. Any transactions of an amount lower than this are almost certainly not going to be tested.

It’s simple math that guides the scope of the testing. By testing the larger dollar amounts, the auditors get greater “coverage” in their audit. They can say they tested ___% of the dollars on the balance sheet. The higher the percentage of dollars tested, the more thorough the audit work looks. So by testing larger dollar items, the auditors get better coverage.

A CFO or VP of Finance (and many others in the accounting department) are well aware of the scope of the auditors. The auditors are not supposed to tell the client what the scope is, but it’s pretty easy to figure out when every request for documentation is above a particular dollar figure.

Suppose the scope at Koss was $50,000 (again, this is a completely made up number). Sachdeva would have to keep her transactions well below that figure to almost guarantee herself that the auditors would not look at those transactions. So she either needs to do wire transfers to her bank account of less than $50,000 at a time, or if she does wire transfers at or above $50,000, the transfers need to be recorded on the books in pieces smaller than $50,000. Obviously, the lower she keeps the recorded transactions, the less of a chance of detection by the auditors. (And it’s also advisable to record these transactions as odd dollars and cents – – such as $27,352.23 – – rather than large round numbers like $30,000 which are more likely to draw the attention of the auditors.)

This is where it makes sense to split up the transactions between several expense accounts. Again, focus on the expense accounts for which an increase could be easily explained and unlikely to be examined further.

Don’t commit fraud during the last month of the fiscal year and the first month of the following fiscal year: I keep getting asked why the auditors didn’t see these apparently large transfers to American Express on the bank statements. The answer is simple: They most likely weren’t looking at all of the bank statements, which is common in an audit. When auditing a bank balance on the balance sheet, the auditor is trying to determine whether the ending balance on the financial statement is correct. The ins and outs throughout the year don’t matter because of other testing done during the audit (or so the theory goes). The test is whether or not the ending balance is fairly stated, so that auditors are only going to look at the last bank statement of the year.

They will also look at the first bank statement of the next year, as they will do some work related to checks written and deposits made at the very end of the year, but which didn’t clear the bank until the next month. There are some other tests in various parts of the audit that may require the auditors to look at that first bank statement of the year.

So the trick is to keep the theft off the last bank statement of the year, and the first bank statement of the next year.

A disclaimer again: I do not have any information about how Sachdeva committed her fraud or covered it up. I’m speculating liberally here, and offering my theory as to how it could have been concealed from the auditors.

12 Comments

  1. Francine McKenna 01/20/2010 at 11:45 am - Reply

    Interesting ideas and spot in in a typical situation. But this situation is hardly typical. I have some completely different ideas about how this was done.

    But I’m not giving them away. 🙂

  2. Tracy Coenen 01/20/2010 at 12:30 pm - Reply

    There are other ways, of course, but the problem with them is that they get too messy. And the mess accumulates each year the fraud continues, so it’s hard to see how it could go undetected fro 5 or 6 years with another method.

  3. Going Concern 01/20/2010 at 3:45 pm - Reply

    Fooling Auditors Is So Easy, a Caveman Could Do It…

    In the spirit of O.J. Simpson, Tracy Coenen explains today, that if Sue Sachdeva stole $31 million and spent most of it on some high-end threads and then sold the crap she didn’t want, it would’ve been a snap. We’re……

  4. […] fraud seemed to be going along fine until Sachdeva got too greedy. The amount of theft gradually increased each year, which probably made it easier to hide. Then in late 2009 (which is fiscal 2010 for Koss) she got greedy and stole much more in a six month […]

  5. Steven Sharp 01/29/2010 at 7:53 am - Reply

    I like your posts Tracey. I’m from the UK (and an auditor), but everything you’ve said above rings perfectly true with how I would commit fraud (If I wanted to) and avoid UK auditing procedures finding out.

    Auditors are only concerned with the balance sheet, but then, it’s all we’ve got to go on. We couldn’t audit the transactions in the year. It would take three months to audit the company otherwise. Hence, hide things in the ten months of the year us auditors barely glance at.

  6. Jonathan Mitchell 01/29/2010 at 10:09 am - Reply

    After reading the article highlighting Foresnsic Accounting in the Journal Sentinel last week, I ordered your first book “Essentials of Corporate Fraud.” I found it interesting how the book focused on the exact type of fraud which occured at Koss.

    The segregation of duties over the credit cards at Koss appears to be appalling based on the information that has been released. In my opinion, the person reconciling the credit card statements should not have a credit card of their own if at all possible. If this is not feasible, you need to have compensating controls. Either there needs to be a low limit on that particular card, with the limit being controlled by another person, or those reconciliations need to be reviewed by a superior on a regular basis. You would still have the ability for collusion between 2 or more staff members, but you would certainly reduce the opportunity for this type of fraud.

    I would be interested to know how Grant Thornton evaluated those internal controls in relation to the credit card statements, perhaps there were additional controls in place that were being circumvented while the fraud was taking place.

    This should be another reminder to companies that the external auditors are not hired to seek and discover fraud being committed. As you discuss in your book, fraud analysis needs to be a focused, ongoing, internal effort in order to be the most successful at preventing and detecting fraud.

  7. […] Even if Grant Thornton had been required to take a harder look at the internal controls at Koss, I doubt that the fraud committed by Sachdeva would have been discovered sooner. Maybe it would have. But that’s not a foregone conclusion. Sachdeva likely knew exactly what the auditors were looking for each year, and hid her fraud accordi…. […]

  8. […] Tilly to sign off on a filing that included the above language about the controls in place while Sachdeva was committing her fraud. Are we really expected to believe that the controls in place were good? Can Baker Tilly possibly […]

  9. […] sentencing memorandum in the criminal case against Sujata Sachdeva (the woman who stole more than $34 million from her employer, Koss Corp.) was released.  It had a number of items of interest. Prior to sentencing, the prosecution and the […]

  10. […] a local case of fraud at Koss Corp., the VP of Finance Sue Sachdeva stole $34 million from the company. It has been said that one of […]

  11. […] There are several theories about how Sachdeva hid her $31 million theft for more than five years. In my opinion, the most likely scenario was that she expensed the theft, most likely using cost of goods sold accounts because those would be some of the largest accounts and a variance in them is easily explained. This is also attractive because it does not create a need for additional accounting entries after the theft was booked. It’s not messy and it has a pretty good chance of going unnoticed by the auditors if it is done right. […]

  12. […] Companies (and government agencies) rely on whistleblowers to help uncover these kinds of fraud. Without someone on the inside, it is difficult to find the wrongdoing, especially since fraudsters are often so adept at covering their tracks. […]

Leave a Reply to Tracy CoenenCancel reply