Small Filers Struggle With Internal Controls Over Fraud


Compliance WeekMelissa Klein Aguilar

A large school of thought has developed to support the argument that non-accelerated filers should be exempt from compliance with Section 404(b) of Sarbanes-Oxley, which requires external auditors to review and attest to the strength of a company’s internal controls.

But as much as non-accelerated filers denounce the burden of Section 404(b) compliance, they’re still confronted with one stubborn counter-argument: fraud happens.

The $31 million fraud uncovered this winter at Milwaukee-based Koss Corp.—small in dollar numbers, but huge relative to Koss’s $32 million market capitalization—is a powerful reminder that fraud can menace investors in small public companies just as much as it does to investors in large ones. Congress is still debating whether to exempt small filers from Section 404(b) compliance permanently; the latest deadline has small filers starting compliance for fiscal years ending on or after June 15, but regardless of that debate, experts say small filers still have ample reason to examine their internal controls—and easy ways to improve them without breaking the bank.

Numerous studies indicate that small companies are particularly vulnerable to fraud. The Association of Certified Fraud Examiners’ “Report to the Nation” on occupational fraud estimates that U.S. organizations lose 7 percent of their annual revenues to fraud. Those with fewer than 100 employees suffered the highest median loss, $200,000.

Even without Section 404(b) compliance forcing a stern look at internal controls over financial reporting, “There are plenty of things Koss’s management could have done to look at its internal controls and procedures,” says Tracy Coenen, a forensic accountant and fraud examiner at Sequence Inc. “No one was stopping them. It’s clear that its executives were asleep at the wheel.”

Coenen says the types of fraud that might affect small companies do slightly differ from those at large companies. Still, overall fraud risks are largely the same between the two, she says. “The major difference is that smaller companies have less wherewithal to absorb a fraud.”

One of the most common frauds at smaller companies is simple asset misappropriation—that is, theft, usually of company money. Especially in today’s poor economy, “scams that put cash in people’s pockets, such as direct embezzlements or kickback schemes, are typically the biggest category of fraud,” says Jonathan Turner, managing director at investigative consulting firm Wilson & Turner.

Smaller companies are also more likely to have fewer controls in place to prevent fraud. A recent study of 24 U.S. non-accelerated filers (roughly 0.5 percent of the 5,000 non-accelerated filers out there) by consulting firm Lord & Benoit found that all of them had at least two means of embezzling funds without being detected except by chance, including check signing, wire transfers, cash receipts, and fictitious employees. In all, the study, “Frauds in U.S. Non-Accelerated Filers,” found a whopping 1,338 control deficiencies even in that small sample—an average of 56 per company.

Bob Benoit, president of the firm, says the top fraud risk among the group was a single person’s power to both sign checks and enter accounting transactions—for example, a bookkeeper who has the freedom to write checks to himself and cover it up in the bank reconciliation. At large filers those two tasks would be split between two employees, but small companies say they lack enough personnel for such segregation of duties. Poor segregation of duties also created a similar risk for electronic fund transfers, Benoit says.

Coenen, for one, doesn’t buy the argument that small companies can’t sufficiently segregate accounting duties. “If you have three people—an owner, a bookkeeper and an outside accountant—you can segregate duties and it won’t cost any money,” she says.

Surprise reviews of records and documentation are another effective control that won’t cost much money, Coenen says. Ideally they should be done several times a year by an outside auditor, but even spot-checks by management can work, she says; just making employees aware that someone might inspect their work helps.

A third option is job rotation, which works well as a check in accounting departments with at least five employees. Each employee in the group is cross-trained to do some tasks done by another, with group members periodically swapping duties.

Benoit and others admit that control recommendations for smaller companies require “creativity.” The Committee of Sponsoring Organizations (COSO) acknowledged as much in 2006, when it published an internal control framework specifically for small companies. “Suggestions need to be right-sized and relevant to the size of the accounting department and the industry,” he says. “A top-down approach is absolutely essential to architecting an effective control structure in a smaller public company.”

Experts also warn that applying Section 404(b) to smaller companies—assuming Congress does let that happen, which is not at all clear—won’t be a panacea to prevent fraud anyway.

“There is simply no way to eliminate fraud,” Turner says. “Well-designed systems will minimize its impact and identify a scheme faster, but no combination can stop it.”

While a legislative mandate such as Section 404(b) does provide a push for some companies to pay more heed to internal control than they otherwise might, Coenen says diligent companies will take steps to strengthen their controls regardless of any rule obligating them to do so. Conversely, when an executive is intent to commit fraud, “SOX means nothing. They’ll find a way around it,” she says. “Ethical behavior and a corporate culture of integrity have to be demanded by shareholders and other stakeholders. Regulation won’t fix that.”

Coenen says the downside is that SOX may have lulled investors into a false sense of security that fraud isn’t a concern because the law will protect them.

Turner says SOX is helpful in requiring executives to reassess their fraud risks regularly, since smaller organizations and the risks they face can change rapidly. At the same time, however, a small company’s need to be dynamic and responsive to fast-changing market conditions also increases the risk that its employees will view compliance as a go-through-the-motions exercise, he warns.

“At smaller companies with limited time and resources and tons of things on their plate, the odds go up that it becomes a checklist instead of a useful tool for critical examination,” he says.

Leave a Reply