Compliance Week – Tammy Whitehouse
As Congress debates whether to exempt non-accelerated filers permanently from internal control audits—and that debate may take much longer than many expect—lawmakers might want to ponder the breathtaking fraud at Koss Corp. and its implications for external auditors’ role in preventing and detecting management deception.
Koss, a maker of stereo headphones in Milwaukee with a market capitalization of $32 million, fired its longtime vice president of finance and secretary, Sujata Sachdeva, last month after she was indicted by the Federal Bureau of Investigation on six counts of wire fraud. Sachdeva is accused of helping herself to $31 million over the course of five years to pay for clothing, furs, purses, jewelry, cars, china, furniture, home improvements, and more. American Express tipped off the FBI when it noticed corporate funds were being used to pay her personal credit card bills.
Without question, the $31 million is chump change compared to history’s larger corporate frauds—but in relative terms, the amount is huge. Allan Bachman of the Association of Certified Fraud Examiners calls it “a staggering amount for such a small organization.” The company’s internal investigation so far suggests fraud losses in several reporting periods equaled or even exceeded corporate earnings.
The plot thickens. Days after firing Sachdeva, Koss also fired its independent audit firm, Grant Thornton, and replaced it with Baker Tilly Virchow Krause, a regional firm in the Chicago area. Grant Thornton had audited Koss financial statements since fiscal year 2006 after Koss dismissed PricewaterhouseCoopers from the audit work but retained PwC for tax purposes.
Now recriminations are flying back and forth between Koss and Grant Thornton, shining a fierce spotlight on the problem of weak internal controls at small companies, and exactly who is responsible for raising what alarms about them.
As a public company with a market cap well below $75 million, Koss is a non-accelerated filer and therefore not yet subject to Section 404(b) of the Sarbanes-Oxley Act, which requires an external auditor’s review of internal controls over financial reporting. The company must perform its own review of controls and assert in its financial statements whether those controls are adequate (that is Section 404(a) of SOX), but it is not required to get an auditor’s opinion on those controls.
Grant Thornton was quick to point out that fact in a statement immediately following its dismissal, trying to distance itself from the Koss meltdown. “The fraud was apparently conducted by a long-time, trusted senior financial executive who was hired and supervised by senior management,” Grant Thornton said through a spokesman. Koss “did not engage Grant Thornton to conduct an audit or evaluation of internal controls over financial reporting. Establishing and maintaining effective internal control is management’s and the board’s responsibility.”
The audit firm is correct that Koss is ultimately responsible for policing its ranks and maintaining control over finances, says Peter Kyviakidis, managing director for consulting firm LECG. But that doesn’t mean an audit firm can ignore a client’s internal controls, even if not required by law or hired by the client to audit them.
“The second standard of fieldwork specifically requires the auditor to obtain an understanding of an entity’s internal control in a manner sufficient to plan the audit engagement,” Kyviakidis says. “This is a necessary and required part of every financial statement audit.”
Who Is Responsible for What
Kyviakidis contends that the basic principle is as old as auditing itself, although the standard, SAS 109, was updated by the American Institute of Certified Public Accountants in 2006. The Public Company Accounting Oversight Board does govern public company audits, but the earlier, similar version of the AICPA standard was embraced by the PCAOB when it adopted existing professional standards as its interim standards in 2003.
After assessing and considering the control environment, auditors are then required to plan their audit with the soundness of controls in mind, Kyviakidis says. If the auditor deems that controls in a given area are inadequate, then he or she must do more substantive testing on account balances.
Jay Thibodeau, professor of accountancy at Bentley University, and Jack Paul, professor of accounting at Lehigh University, agree that an understanding of controls is fundamental to every audit engagement, whether subject to SOX requirements or not. Other professional standards also require auditors to consider the possibility of fraud and to signal management if internal controls are deemed inadequate. These requirements generally are described in the PCAOB’s AU Section 300 standards governing fieldwork.
Tracy Coenen, a forensic accountant and fraud examiner at Sequence Inc. who has been following the Koss spectacle closely, notes that Koss had no formal internal audit function, and that certainly could have been a red flag to Grant Thornton that the quality of controls would be suspect. But there’s no way to know from publicly available documentation what the auditor thought of Koss’s controls.
Coenen says the audit fees Koss paid to Grant Thornton were low enough ($151,300 in fiscal 2009 but only $71,400 in 2008) that one can’t help but wonder how much audit work actually occurred. Kyviakidis, on the other hand, says auditors have enough pressure about fees and legal liability these days that the amount paid may not reflect the amount of work that truly went into the audit.
“Oftentimes with smaller entities, if the audit requires more time than you thought it might have taken, sometimes you don’t get to recover that because the clients are not willing to pay you for over-runs,” he says.
It’s also not clear whether a full audit of internal control as required by Section 404(b) would have caught the alleged Koss fraud anyway, says Bachman of the ACFE. But at the least, “It would have been harder for [the fraud] to go on,” he says.
But even with a Section 404(b) audit, testing takes place only on samples and not every transaction, he says. That leaves the possibility that fraud might still go on undetected. “A person interested in committing fraud can pull it off if they want to,” he says. “The oversight of the external auditor is not an absolute guarantee.”
Jim DeLoach, managing director at Protiviti, agrees that auditors are required to consider the possibility of fraud as they plan their audits, but that doesn’t imply a guarantee that a fraud will always be uncovered. “Audit procedures have their limitations when there’s massive collusion and deception,” he says.
DeLoach also struggles with the question of whether Section 404(b) audits in general make it more likely that a fraud will be detected or prevented. “In theory, I’d like to say yes, but I really have no empirical base to draw on,” he admits. “It’s an important question because frankly if the answer was no, then you kind of wonder what are we doing this for?”
That’s the question being asked on Capitol Hill these days—with members of Congress reaching no clear consensus so far. As part of financial regulatory reform, some members of Congress called for a permanent exemption for smaller companies. The House did pass a measure that called for further study of the cost and benefit of Section 404(b). The Senate Banking Committee originally planned to tackle regulatory overhaul last fall, but the bill proposed by Sen. Christopher Dodd fell flat, and the arrival of newly elected Sen. Scott Brown, R-Mass., doesn’t make consensus any easier to achieve.
Meanwhile, the Securities and Exchange Commission is sticking with its plans to require Section 404(b) compliance for non-accelerated filers starting with annual reports for fiscal years that end on or after June 15, 2010. If Congress does not act by then, small filers may well have an answer to Section 404(b)’s usefulness whether they like it or not.