Chapter 7

---

Financial Reporting Fraud

Howard A. Scheck
Timothy P. Hedley

In the early 2000s, the financial reporting scandals involving companies such as Enron, WorldCom, and HealthSouth captured the news headlines. In an effort to curb similar abuses, the U.S. Sarbanes-Oxley Act was passed in 2002, which led to a wave of enforcement surrounding financial reporting fraud. Much of the action targeted such wrongdoing as improper revenue and expense recognition, earnings management, stock options backdating, and misstated loan losses. Since then, the wave of enforcement actions has receded. While there had been an uptick in SEC accounting-related enforcement actions in 2014 and 2015, the number of such cases had declined from 31 percent in 2007 to 10 percent in 2013. Practitioners attribute much of the decline to improvements in financial reporting and corporate governance spurred by Sarbanes-Oxley, which has led to fewer (and less severe) restatements.¹

Statements made since 2013 by Mary Jo White, the SEC chair, and Andrew Ceresney, the SEC’s director of enforcement, however, have indicated a desire to refocus enforcement efforts on financial reporting. In a speech in 2014, for example, Chair White said, “Good financial reporting and vigilant auditing obviously go to the heart of the integrity of our markets and strong investor protection, which is why we have again intensified our focus on this area.”² Ceresney warned about the potential loss of investor confidence, saying, “The importance of pursuing financial fraud cannot be overstated. Comprehensive, accurate and reliable financial reporting is the bedrock upon which our markets are based because false financial information saps investor confidence and erodes the integrity of the markets.”³

It is true that most public companies disseminate accurate and transparent financial statements. However, when allegations of financial reporting fraud surface, investors tend to suffer losses and other serious market repercussions may occur. Even if allegations are later found to be immaterial or unfounded, companies face significant reputational, legal, monetary, and collateral consequences. The effects include delayed SEC filings, class action lawsuits, and significant investigation costs. When restatements are required, other consequences may follow, such as changes in management, significant remediation costs, and possible civil and/or criminal actions.

Financial Statements

Understanding financial reporting fraud requires an understanding of the way financial statements are used and how they are falsified. Financial statements are intended to provide users with information about a company’s financial condition. There are four main financial statements to analyze when making judgments about a company’s current financial condition and future prospects:

• Balance Sheet—a snapshot of assets/liabilities and equity on a particular date
• Income Statement—revenues, expenses, gains, losses, and net income for a given period
• Statement of Cash Flows—a summary of inflows and outflows of cash from operating, investing, and financing activities for the period
• Statement of Changes in Equity—dividends, stock issuances, and other items causing assets and liabilities to change due to transactions with owners during the period

These financial statements are interrelated, and all are necessary to provide users with the relevant information.⁴ A complete set of financial statements also includes footnotes that disclose quantitative and qualitative information not reflected in the financial statements themselves. Misstatements occur when transactions are not accounted for in conformity with U.S. Generally Accepted Accounting Principles (GAAP), International Financial Reporting Standards (IFRS), or other relevant accounting standards.⁵ By contrast, misleading disclosures omit or misrepresent material information, typically to mask poor performance or declining trends.

Chair White has stressed the importance of financial reporting: “At its core, financial reporting, using accounting standards adopted by the FASB, is a critical component of communication between a company and its investors. Financial reporting can and should provide investors with a clear picture of a company’s financial condition to help them make an informed investment or voting decision.”⁶ These benefits are lost when public companies disseminate false financial information.

Channels of Distributing Financial Information

Public companies distribute financial information in many ways, including SEC filings, earnings press releases, calls with securities analysts, materials published on their websites, and communications by the investor relations department.⁷ The primary avenue for distributing financial statements is by means of annual and quarterly reports filed with the SEC on Forms 10-K and 10-Q.⁸ Form 10-K is an annual report containing audited full-year financial statements, and Form 10-Q is a quarterly report containing unaudited financial statements.⁹

These SEC filings also contain important disclosures that are not technically part of the financial statements, such as Management’s Discussion and Analysis of Financial Condition and Results of Operations (MD&A), which highlights significant events, trends, uncertainties, and so on. The MD&A is necessary because while financial statement footnotes provide useful information, they do not explain the business activities underlying the numbers. The MD&A helps to bridge this gap by providing insights to investors as if they were “seeing the company through the eyes of management.”¹⁰

Management Stewardship of Financial Statements

As the MD&A suggests, management is responsible for preparing financial statements. It sets accounting policies and establishes internal controls over financial reporting (ICFR) and disclosure controls and procedures (DC&P) to ensure that transactions are accounted for according to GAAP and that reliable financial statements are prepared and disseminated in SEC filings. Key management personnel include the chief financial officer (CFO) and chief accounting officer (CAO). Both of them certify the accuracy of a company’s financial statements by signing SEC filings and providing certifications in accordance with Section 302 of Sarbanes-Oxley. Management is also responsible for maintaining effective ICFR and DC&P and for reporting conclusions concerning ICFR effectiveness (and material changes thereto), pursuant to Section 404 of Sarbanes-Oxley.

Section 302 requires signing officers to certify that they reviewed the filing, that it contains no omissions or misleading or “untrue statements,” and that the financial statements and other information “fairly present” in all material respects the issuer’s financial condition, results of operations, and cash flows. They also certify that they reported any significant ICFR changes or other factors that could significantly affect ICFR subsequent to the date of their evaluation. Additionally, they certify that all significant internal control deficiencies and material weaknesses have been disclosed to the company’s audit committee and auditors. For DC&P, signing officers certify that they are responsible for establishing and maintaining controls designed to ensure that material information is made known to them and that such controls are effective.

Many companies have developed a system of obtaining subcertifications (“subcerts”) from other employees involved in financial reporting. For example, controllers of subsidiaries and other members of the company’s accounting department may provide subcerts, designed to further ensure the accuracy and reliability of the information. Subcerts also provide a mechanism for communicating any potential financial reporting issues up the chain of management so they can be addressed at a senior level.

Role of Public Company Independent Auditors

Independent auditors conduct quarterly reviews of public companies and opine on year-end financial statements after annual audits. Unqualified audit reports state that financial statements present fairly, in all material respects, the financial position of the company and the results of operations and its cash flows in accordance with GAAP. For larger public companies, auditors also render a year-end opinion that the company has maintained effective internal controls over financial reporting.

Audit reports emphasize that management is responsible for the financial statements and that the auditor’s responsibility is to express an opinion on them based on the audit. Auditors do not examine all transactions and company records. Instead, they review materials on a test basis in accordance with the Public Company Accounting Oversight Board (PCAOB) auditing standards that require a reasonable assurance about whether the financial statements are free of material misstatement.

Regarding fraud, PCAOB auditing standards require auditors to perform certain procedures. These include conducting fraud brainstorming sessions that are designed to assess fraud risks and risk factors, as well as to develop audit responses to such risks. Audit responses may change the nature, timing, and extent of audit procedures and may include steps such as journal entry testing, performing surprise procedures, making targeted oral inquiries of customers or suppliers, disaggregating data to perform analytic procedures, and interviewing personnel involved in risky areas. If auditors uncover or become aware of potential accounting fraud, or other illegal acts, they must comply with Section 10A of the Securities Exchange Act requiring them to assess whether the errors are material and if so whether the audit committee has been advised and has taken appropriate remedial measures. In circumstances where the company fails to take appropriate remediation, the auditor is required to report the matter to the SEC. In 10A situations, audit firms typically monitor or “shadow” the investigative procedures done by the company and its legal and forensic advisors to determine the impact on the financial statements and the ability to accept management representations. Depending on the circumstances, restatements may occur, and the auditor, if deemed appropriate, will issue an audit report on the corrected financial statements. In some instances, the auditor may resign and be replaced by a new audit firm that will be responsible for the audit report.

Definition of Financial Reporting Fraud

Financial reporting fraud under the federal securities laws means intentionally or recklessly disseminating materially false or misleading information in financial statements or other disclosures. As both materiality and intent are required for financial reporting misstatements to be fraudulent, it is important to understand these concepts.

Materiality

Under case law, errors are generally “material” when investors would have considered the information important enough to influence their investment decisions.¹¹ Accountants generally consider an error to be material based upon the magnitude of the inaccuracy—that is, a quantitative measure of its significance. Quantitative materiality factors are assessed by calculating percentages of important GAAP and non-GAAP financial measurements, such as net income, revenue, and EBITDA (earnings before interest, taxes, depreciation, and amortization).

Auditors must also consider qualitative factors that could render small errors important to investors. Examples of qualitative factors include an error that enables a company to meet or exceed analysts’ revenue or earnings expectations, comply with debt covenant agreements, or meet regulatory requirements. Other qualitative factors include errors that have converted a loss to a profit or enabled a favorable trend to continue.¹²

SEC guidance, including Staff Accounting Bulletin 99¹³ addressing materiality, indicates that there is no rule of thumb regarding the magnitude necessary for an error to be material (or to be presumed immaterial), as both quantitative and qualitative factors must be taken into account. Case law suggests that materiality determinations will involve “delicate assessments of the inferences that a ‘reasonable shareholder’ would draw from a given set of facts.”¹⁴ Whenever errors are discovered or allegations arise, materiality will be assessed by the company, its auditors, and regulators investigating the matter, as well as class action plaintiff that have sued the company.

Fraudulent Intent

Under the federal securities laws, fraudulent intent—referred to as “scienter”—includes both intentional and reckless conduct.¹⁵ The clearest indication of intentional fraud comes from personal admissions. Admissions are sometimes made when perpetrators confess after the fact during an internal investigation interview or SEC enforcement testimony. In some cases, the intent to evade known accounting principles or disclosure requirements is reflected in contemporaneous communications (e.g., e-mails and accounting memoranda) drafted at the time when the financial statements were being prepared or underlying transactions done. At Satyam Computer Services,¹⁶ for example, the SEC alleged a fraud in 2011 in which the chairman of the India-based company admitted that he intentionally inflated revenue and profits because promoters held a small percentage of the equity and because he feared that public knowledge of the company’s poor performance would result in a takeover. The SEC’s complaint quotes the chairman as stating that “it was like riding a tiger, not knowing how to get off without being eaten.”¹⁷

Without admissions or other direct evidence showing actual intent, prosecutors may allege “recklessness,” which means that the person recklessly disregarded accounting or disclosures rules.¹⁸ Recklessness is inferred by showing that the persons acted with “conscious disregard” for the inaccuracy of the information and is established through evidence that a person was aware of red flags. This means that the person understood the proper way to account for the relevant issues, but through irresponsible actions, permitted or enabled the incorrect accounting or misleading disclosure to be disseminated.

Distinguishing Fraud from Non-fraud

It may be difficult, in practice, for prosecutors to determine whether financial reporting decisions resulting in material errors were made in good faith, were unreasonable, or were reckless. Aggravating factors suggesting “bad faith” (rather than lack of prudence) include participation in circumventing controls, fabricating documents, or concealing information from auditors. Those accused of financial reporting fraud often put forth “defenses” that may affect the ability of prosecutors to conclude that fraud occurred (or may add significantly to their litigation risks). Typical arguments made by potential defendants include that they were unaware of material facts and/or that they relied on advice from accountants and lawyers about the relevant accounting and disclosures. They might also argue the applicable accounting standards were unclear or permitted substantial interpretative leeway.¹⁹ Additionally they may argue that the errors were quantitatively immaterial and that market reaction to a restatement was negligible.

The ultimate determination as to fraudulent intent will depend on all the facts, circumstances, and available evidence. However, fairness dictates that the unintentional accumulation of errors made while compiling financial statements²⁰ (and “good-faith” mistakes made when exercising well-documented accounting judgments), even if later found not to conform with GAAP, should be distinguished from fraud. And while there may be legal consequences for nonfraudulent accounting errors (e.g., books and records, internal controls), this is different from persons evading GAAP with fraudulent intent.

---

Common Motives for Engaging in Financial Reporting Fraud

• Masking declining trends or poor financial performance. Perpetrators disseminate misleading disclosures or “engineer” accounting results to disguise deteriorating financial health.²¹
• Meeting or exceeding Wall Street analysts’ revenue or EPS expectations—this is usually done to maintain trends and to avoid a significant decline in the share price if expectations are not met.²²
• Income “smoothing” to even out volatile or inconsistent earnings results. While certain earnings management may be legitimate (e.g., reducing costs), other conduct (e.g., arbitrary reserve releases and unreasonable assumptions) may be abusive.
• Maintaining required financial ratios or credit ratings—e.g., leverage or capital ratios—to avoid defaults, regulatory responses, or otherwise.²³
• Meeting internal financial performance measures needed for employees to earn monetary compensation (e.g., stock options or bonuses tied to net income, revenue, EBITDA).²⁴
• Self-dealing and misappropriation of funds.²⁵

---

In SEC enforcement matters, conclusions about intent are made after investigations are completed, at which time the SEC either drops its case or initiates the process for filing an enforcement action. The SEC may settle financial reporting actions on a nonfraud basis, due to a lack of scienter or other factors such as litigation risks and resource constraints. If not settled, both the SEC and defendant “roll the dice” on the level of intent that will be established in litigation.

Representative SEC Financial Reporting Enforcement Actions²⁶

Having explained what financial reporting fraud entails, it is useful to understand the wide range of schemes that public companies have used to mislead investors. There are many “recipes” that can be used to “cook the books.”

Fictitious transactions involve frauds where the financial statement amounts are simply made up. The “transactions” have no basis in reality and do not require any interpretation of accounting rules because they never occurred. Thus, fictitious revenue would not involve real transactions with real customers and fictitious assets would not be observable or legitimately confirmed. The methods for recording such amounts involve false accounting entries, fabricating documents to support the sales, and possibly orchestrating fake shipments to company-owned warehouses.²⁷

Transactions with no economic substance are done with third parties and have little or no legitimate business purpose other than to artificially engineer accounting results. Examples include “round-trip transactions,” which are simultaneous, prearranged sales transactions often of the same product in order to create a false impression of business activity.²⁸

Improper revenue recognition involves techniques to accelerate or defer revenue from legitimate business transactions into accounting periods before or after it is permitted to be recognized under accounting rules.²⁹ Accelerated revenue involves actual transactions with real customers, but the associated revenue recognition is improper because “strings attached” to the transactions make revenue recognition inappropriate. These schemes may involve customer participation through a false confirmation to the company’s independent auditors. Improperly deferred revenue involves schemes to delay recognition to future accounting periods, possibly because the deferred revenue might be needed in subsequent periods to achieve objectives.

Improper bill and hold involves recognizing revenue on sales even though the company has not shipped the goods to the customer. Bill-and-hold transactions may be legitimate, but there are numerous criteria that have to be met to ensure that such transactions comply with GAAP.³⁰

Holding the books open involves artificially extending the length of a 90-day quarter to 91 days or longer. The practice pulls revenue that should be recorded in the next quarter into the current quarter.³¹

Side agreements with customers involve undisclosed verbal or written agreements that reflect unaccounted for contingencies relating to the sale, such as rights of return or extended payment terms until the customer can resell.³²

Multiple element arrangements create opportunities for accelerating revenue when companies improperly frontload revenue from certain elements into earlier quarters.³³

Improper expense recognition involves a variety of schemes that may understate or overstate expenses and that typically involve the improper capitalization or deferral of expenses.³⁴

Improper capitalization and deferral of expenses prevents expenses from appearing in the income statement in the current period and therefore from decreasing net income during the present quarter. The costs related to the expenditures, however, must be recorded somewhere in the company’s accounts; fraudulent schemes typically involve making false entries to improperly “capitalize” costs, which means increasing an asset account instead of an expense account. This was the basis for WorldCom’s accounting fraud.³⁵ Improper deferral of expenses involves the failure to allocate legitimately recorded asset costs to “expenses” over a period of time. For example, fixed assets (such as plant, property, and equipment) and intangible assets (such as patents, trademarks, or copyrights) must be depreciated or amortized over the life of the asset. Companies may intentionally overstate the useful lives of such assets in order to stretch out the period of time over which the assets are depreciated or amortized.³⁶

Failing to accrue or underaccruing occurs when certain expenses that need to be recorded are not done so properly. Schemes may include putting invoices for expenditures “in the drawer” and simply not recording them at all (or deferring recordation to a later quarter). Other situations may involve manipulating accounting interpretations relating to accruals for contingencies. These require accrual when it is probable that a liability has been incurred and the amount can be reasonably estimated, such as liabilities for litigation damages or environmental remediation. Other examples involve understating bad debt expenses in connection with notes receivable from borrowers or accounts receivable from customers when collectability is not assured. This overstates the asset and understates expenses.³⁷

Improper earnings management refers to creating reserves or “rainy day” accruals that are excess liabilities booked when times are good and then “released” into earnings later when times are bad. It involves both the overstatement and understatement of expenses in different accounting periods to smooth income. This violates accounting principles when the buildup and releases have no basis other than to meet targets.³⁸

Overstating assets involves schemes to overvalue assets, which also results in understatements of expenses. For example, overstating accounts receivable understates bad debt expense; overstating inventory understates the cost of goods sold.³⁹ Overstated valuations can also inflate values of marketable securities owned, or they can support a company’s decision not to take certain impairment charges.

Understating liabilities involves improperly keeping liabilities off the balance sheet.⁴⁰

Misappropriations involves assets stolen from the company via a variety of methods. Schemes may include fake vendors, loans, and business expenses. When they involve self-dealing by a high-ranking executive, the amounts may become qualitatively material.⁴¹

Improper disclosure arises when there are false or misleading disclosures in the financial statement footnotes or MD&A. Disclosure violations could occur when the accounting has technically complied with GAAP, but the disclosures failed to fairly present the financial condition of the company.⁴² Examples of issues with footnotes include failing to adequately disclose information about business segments or related-party transactions.⁴³

Misleading MD&A disclosures⁴⁴ involve a failure to disclose known demands, commitments, events, or uncertainties.

Investigations of Financial Reporting Matters

The SEC is the primary government regulator that investigates and prosecutes financial reporting fraud. The U.S. Department of Justice (DOJ) also investigates allegations of fraudulent financial reporting, but it tends to do so only in the most egregious cases involving willful violations, obstruction, self-dealing, and embezzlement.⁴⁵ When matters involve interpretations of accounting or auditing standards, which may be highly judgmental, or when violations involve deficient books and records and internal controls (putting Foreign Corrupt Practices [FCPA] cases aside), the DOJ is less likely to investigate or take the lead. If the criminal authorities are involved in accounting cases, the SEC often conducts its own parallel investigation and may provide technical accounting and auditing expertise to the criminal investigation team.

The Division of Enforcement (Enforcement), the largest of the SEC’s divisions, has about 1,200 professionals, including approximately 100 accountants whose main role is to investigate financial reporting matters. The accountants work with Enforcement’s attorneys in conducting all fact-finding aspects of the investigation and also provide technical expertise on the application of GAAP and PCAOB auditing standards.⁴⁶ The Division’s chief accountant oversees accounting investigations and provides advice on strategies and technical matters and views on the charging and settlement recommendations.

Most financial reporting investigations are carried out by teams of two or three lawyers and accountants, excluding supervisory and technical support personnel from other SEC divisions.⁴⁷ These investigations may take several years to complete due to the complexities of the accounting, disclosure, and legal issues involved. Many persons from the public company’s accounting and finance departments may need to be interviewed, from lower-level accountants all the way up to the controller, the CFO, and the chief executive officer (CEO), and may include persons at subsidiaries and offices overseas. Additionally, transaction and business personnel may be interviewed as well as representatives from counterparties.

Accounting Enforcement Metrics

Figure 7.1 shows the number of Issuer Reporting and Disclosure enforcement actions filed each fiscal year from 2002 to 2015 and the percentage of total SEC enforcement actions each fiscal year. As Figure 7.1 reflects, between 2002 and 2015, the SEC filed as many as 205 Issuer Reporting and Disclosure actions (in 2007) and as few as 68 of such actions (in 2013), with an average of 136 Issuer Reporting and Disclosure actions a year.⁴⁸ The number of Issuer Reporting and Disclosure actions had declined steadily from just over 31 percent of total actions in 2007 to 10% of total actions in 2013. In 2014 and 2015 the downtrend reversed with 96 actions (12.7%) filed in 2014 and 135 actions (16.7%) filed in 2015.

Figure 7.1. SEC Accounting Enforcement Actions

Source: Author; compiled using data available from the Select SEC and Market Data available at http://www.sec.gov/about/secreports.shtml

These statistics might suggest that Sarbanes-Oxley has led to fewer violations, due to improvements in internal/disclosure controls, better corporate governance, and audit quality. The possibility of criminal prosecution may also have changed the cost/benefit calculus for those preparing financial statements and certifying SEC filings. Despite the improvements since the enactment of Sarbanes-Oxley, it is possible that some financial reporting fraud remains undetected. Michael Maloney, the Enforcement chief accountant, said in January 2015 that financial fraud now “in many cases, is harder to detect than those earlier scandals, but we do get there.”⁴⁹ For his part, the director of Enforcement said in a speech in September 2013 that “I find it hard to believe that we have so radically reduced the instances of accounting fraud simply due to reforms such as governance changes and certifications and other Sarbanes-Oxley innovations. The incentives are still there to manipulate financial statements and the methods for doing so are still available.”⁵⁰

Initiation of Cases

Financial reporting investigations are initiated when information comes to the attention of the SEC about potential accounting improprieties. The reasons vary, but include when the company files a restatement or self-reports an issue to the authorities. The SEC may receive tips by whistleblowers, or information may appear in the news media. Enforcement may also receive referrals from the Division of Corporation Finance, which reviews the financial statements and disclosures of public companies. The Division may also conduct risk-based investigations to identify potential wrongdoing before it is reported to the SEC. Enforcement will consider a number of factors when deciding whether to proceed with a full investigation of a financial reporting matter. These include:

• Size of the issuer and market capitalization
• Nature of the accounting issues—such as fictitious transactions, accelerated revenue, application of GAAP, and accounting estimates
• Materiality—including both quantitative and qualitative factors
• Seriousness of the allegations—high-ranking officers or directors implicated, multiple schemes or accounting periods, prior violations, failures to remediate
• Availability of evidence—the likelihood that the allegations can be proven; for example, whether there is a credible whistleblower who can corroborate the allegations or whether evidence can be obtained from overseas

Restatements arise when a company determines that a material error existed in previously issued financial statements upon which third parties are relying. This could come about because a company identifies material errors in the course of preparing its financial statements, assessing internal controls, or conducting an internal audit. The independent auditors may identify an error during their interim or year-end procedures, or an internal whistleblower might raise allegations that are investigated and found to be credible.

Depending on the materiality and timing of the errors, companies may need to amend previous SEC filings and file a Form 8-K, notifying the public not to rely on its previously reported financial statements. In some cases, a company may correct its financial statements by revising the numbers in new SEC filings. The SEC has raised concerns about so-called “revision restatements,” and companies run the risk of receiving an enforcement inquiry as to the reason for the revision.

Self-reporting occurs when a company reports a potential violation to the authorities. The SEC encourages companies to self-report potential financial reporting violations early on in the process of evaluating whether a restatement is necessary. Companies typically hire attorneys and forensic accountants to investigate allegations that could lead to a restatement. When a restatement is likely and/or when a whistleblower may be present, companies may opt to self-report in order to demonstrate good faith and seek to avoid prosecution or reduce the charges based upon their cooperation with regulators. Companies and their attorneys often struggle to determine whether to self-report in situations where it is unclear whether errors exist at all or are likely to be immaterial.

Whistleblowers make complaints directly to the SEC or to a company’s internal hotline and sometimes to both. The SEC’s website provides a mechanism for sending in tips, complaints, and referrals. If certain criteria are met, a whistleblower may receive between 10 and 30 percent of monies recovered by the SEC. According to the SEC’s 2015 whistleblower report, it received nearly 4,000 whistleblower tips of which 17.5% related to Corporate Disclosures and Financials.⁵¹

Tips related to financial reporting are evaluated by Enforcement’s Office of Market Intelligence (OMI), which rejects many due to the lack of specificity, evidence, or credibility. Tips that appear to have a high probability of material errors are sent to an investigation team right away. Complaints that are less clear-cut may be referred to Enforcement’s chief accountant and/or the Fraud and Audit Task Force for “incubation.” Incubation can take various forms, such as gathering additional data from the company, counterparties, auditors, or whistleblowers to determine whether a full investigation is warranted.

News organizations and other public sources of information sometimes trigger an SEC investigation. For example, a newspaper may publish an article about an abrupt departure of a CFO or controller, prompting questions about foul play. SEC investigators almost always read and assess articles about suspected financial reporting fraud. Occasionally, academic studies may raise questions about financial statements. Enforcement personnel may also read reports by financial analysts, short sellers, or others who allude to potential accounting improprieties.⁵²

The SEC’s Division of Corporation Finance refers matters to Enforcement if, after commenting on SEC filings, its concerns are not adequately addressed by an issuer, or when an issuer appears to be obstructing it.

Proactive measures are used by Enforcement to identify financial reporting areas to investigate. These measures include risk-based inquiries and data analytics.⁵³ Risk-based inquiries (RBIs) are initiated when Enforcement has concerns that there may be financial statement errors regarding a certain issue, but few or no restatements have occurred. An RBI is used to search for evidence of financial reporting fraud. The SEC conducts RBIs sparingly, due to the resources required and the sensitivities of subjecting a public company to an enforcement inquiry without specific evidence of a material misstatement.

An example of a risk-based inquiry involved a China-based reverse merger of companies in 2010. A risk-based inquiry was initiated by the Enforcement Accounting Group in light of a number of indicators suggesting that certain China-based companies might have financial reporting issues.⁵⁴ Due to the potential risk for investors, Enforcement took the initiative to obtain information from the accounting firms that audited certain China-based companies and later from certain companies directly.⁵⁵ Upon pressing the auditors and companies, the SEC began receiving notifications through 8-K forms and 10A letters indicating that previously issued financial statements could no longer be relied upon.

Further investigations by Enforcement’s Cross-border Working Group resulted in the SEC filing fraud cases against more than 65 foreign (primarily China-based) public companies and their executives, and the deregistration of more than 50 entities.⁵⁶ Many of the companies recorded fictitious sales and lied about their cash and accounts receivable. Other cases involved misappropriations via undisclosed related-party transactions.

Data Analytics

The SEC is using data analytics to identify insider trading, market manipulation, and other irregularities. For financial reporting abuses, the Division of Economic Risk and Analysis (DERA) has publicly discussed its Accounting Quality Model (AQM), a computer program that analyzes large amounts of companies’ financial data looking for outliers. As initially designed, the model was geared toward identifying discretionary accounting accruals to improperly manipulate financial results. The model looked at various fraud risk indicators and fraud inducers while layering on traditional analysis of financial ratios to identify potential anomalies.

DERA has also stated that it is developing text analytic tools to identify potential deception in SEC filings or other public information. These new methods appear so far to need further enhancements to minimize false positives and differentiate fraudulent accounting/disclosure from outlying results arising from poor business performance. SEC officials indicated that since AQM was announced in 2012, it has been extensively revised.⁵⁷ They say the model was “always envisioned as a tool to identify companies we might focus on,” rather than a form of automated enforcement. David Woodcock, the former head of the SEC’s Financial Reporting and Audit Task Force, said that while “these kinds of tools are only going to get better,” human judgment is ultimately needed to bring actual cases.⁵⁸

Given the difficulty in identifying financial reporting fraud from the outside, Enforcement is likely to continue to rely on restatements, self-reporting, and whistleblowers as primary sources for initiating accounting investigations. Restatements are the most logical source because the company has already admitted that the accounting was incorrect. The Division will likely scrutinize more restatements in order to try to increase the number of accounting-related enforcement actions.⁵⁹

Fraud and Audit Task Force

In mid-2013, SEC Enforcement created a Fraud and Audit Task Force to enhance the Division’s proactive capabilities relating to financial reporting fraud. With the deployment of additional staff to focus on identifying such conduct and the ability to “incubate” specific situations until they are ripe for full investigation, the Task Force has enhanced efforts that the Division’s accountants and lawyers have traditionally undertaken (e.g., risk-based inquiries, assessing restatements, class action complaints, news, and so on). The Task Force has focused on whether “revision” restatements (those without amending previous SEC filings) were appropriate, identifying and monitoring emerging issues, and continuing to work with other SEC offices to develop data analytics tools designed to detect red flags of potential reporting fraud.

Conducting the Investigation

Once an investigation team decides to commence a full financial reporting investigation, there are generally five primary objectives:

• Determine the extent of any misstatements or misrepresentations
• Figure out who was responsible
• Assess their intent⁶⁰
• Determine whether violations occurred, and if so, which ones
• Evaluate what remedies should be sought

The approach to reaching these objectives is to focus on understanding the relevant business transactions and how the company accounted for and disclosed them. It also aims to evaluate any deviations from GAAP or SEC reporting requirements and assess the nature and effectiveness of relevant internal controls over financial reporting and disclosure controls.

Evidence

Investigators obtain evidence by gathering information from the company, its independent auditors, counterparties, and others. This includes transaction documentation, accounting records and memoranda, correspondence (including e-mail and other electronic media), and audit working papers. Testimony will normally include interviewing under oath transaction personnel and financial reporting personnel to understand the nature of the transactions and the basis for the accounting positions taken. The objective is to develop a chronology of who knew what and when about each relevant accounting issue.

The investigators try to piece together possible gaps in knowledge, the level of GAAP research and analysis, and any input that came from the controller, CFO, and others signing or certifying the SEC filings. Other issues include whether employees circumvented or overrode internal controls over financial reporting or disclosure controls, or fabricated documents. They may have changed assumptions without adequate support or lied to others within the company or to independent auditors.

Wells and Settlement Process

Once the evidence is gathered and analyzed, Enforcement will make preliminary conclusions regarding securities laws violations, including whether material financial reporting errors occurred. Enforcement staff will also determine the intent, and may issue a “Wells Notice” to the company and any individual potential defendants/respondents about its intended recommendations. In response, counsel for such persons and entities typically will make a Wells submission to the SEC, explaining why the charges should be dropped or reduced. Enforcement will often grant meetings attended by Enforcement and persons from other divisions.

Sometimes this process occurs before an official Wells notice is issued, whereby the company or individuals may submit white papers supporting their positions. They may also have meetings with the SEC to discuss the issues or a potential settlement. Whether an official Wells notice is issued or not, a large proportion of companies and individuals resolve the issue through settlement, but some matters are litigated in federal district court or before an SEC administrative law judge.⁶¹ In recent years, the number of settlements with only nonfraud charges has increased, as has the number of defendants choosing to litigate.

Prevention, Detection, and Response

Misstatements may arise in companies with the best controls and where boards, management, and employees are generally acting in good faith due to honest mistakes. Alternatively, they may be the result of rogue employees or senior management circumventing or overriding controls. Whatever the case, the best way to avoid or mitigate a potential financial reporting fraud is to develop an effective system of financial control.

Preventative Controls

Tone from the Top. Although audit committees are not immune from ethical lapses themselves, they may be in the best position to set the proper tone to help prevent financial reporting frauds. They can affect and assess the tone across an organization, monitor the activities of high-ranking officers, and interact with independent auditors. They can have robust discussions about critical accounting policies, judgments, estimates, disclosures (including non-GAAP information), internal controls, key transactions, and areas of SEC focus. And they can investigate allegations if they arise.

Internal audit, legal, and compliance personnel are also instrumental in deterring financial reporting fraud and in potentially discovering issues through their daily activities, examinations, or reviews. Due to their potential culpability for false Sarbanes-Oxley Section 302 certifications, certifying officers may be more inclined to create a positive culture to protect themselves from liability. It is clearly important for public companies to hire competent financial reporting personnel to handle the complexities of SEC financial reporting requirements and to provide sufficient resources for preparing accurate and reliable quarterly and annual financial statements and SEC periodic reports.

Risk Assessment. In preparing to participate in a fraud risk assessment, it is useful to peruse relevant internal and external information about the company’s business and operations to identify issues. For example, have there been any published reports that have alleged accounting or disclosure issues relating to the company? Have any officers, directors, or employees sold large amounts of stock or unexpectedly left the company?

Risk assessment should consider any fraud risk factors that are present (such as incentives, pressures, and rationalizations) and how improper revenue recognition (or other schemes) may come about, how they may be attempted, and what controls might be easiest to evade. Incentives that may increase the risk of fraud include bonuses and performance-based compensation for meeting financial targets. Pressures may include the desire to meet analyst expectations, maintain earnings trends or debt covenant ratios, or raise capital. Rationalizations may involve minimizing qualitative materiality factors or concluding that the independent auditors do not need to know about certain facts and circumstances.

Risk areas for the particular industry sectors should also be taken into consideration. For example, risk areas for financial institutions include loan loss reserves and the valuation of securities; for manufacturers, inventory and cost of goods sold; for large government contractors, the percentage of completion estimates.⁶² Additionally, certain behavioral risk factors should be considered that may signal that something is amiss with a particular employee, such as an overly lavish lifestyle or a reluctance to take vacations.

Participants in assessing fraud risks should include every person within a company that is responsible for, or interested in, financial reporting accuracy, including accounting, compliance, internal audit, legal, and members of the board of directors. Leading the effort should be the controller or CFO and members of the financial reporting process who can best understand the risks of financial reporting misstatements. A fraud risk assessment is done at least annually in connection with a public company’s evaluation and report on the effectiveness of their ICFR with their filing of the SEC Form 10-K as required by Section 404 of Sarbanes-Oxley. Companies should consider whether facts and circumstances exist to conduct such risk assessments on a quarterly basis in connection with the filing of the SEC Form 10-Q. Most important, company personnel should be aware of the specific types of financial reporting schemes that can be used to commit fraud within their organizations and understand the red flags associated with them.

Detective Controls

Detecting fraud could come about in a variety of ways including internal whistleblowers that may have observed improper conduct, internal audit examinations, independent auditors’ testing, or anomalies that arise from well-designed ICFR or DC&P. Federal securities laws require public companies to maintain accurate books and records and have internal controls designed to enable companies to disseminate accurate financial statements. But Section 404 of Sarbanes-Oxley (Regulation 308) does not require a specific framework to be used, only that it be disclosed. Many public companies use the Internal Control—Integrated Framework, issued by the Committee of Sponsoring Organizations (COSO) of the Treadway Commission.⁶³

The COSO framework has five components and 17 principles to ensure accurate and reliable financial reporting, with principle 8 focusing on the fraud risk assessment as an aid in detecting fraud. Whether COSO or otherwise, assessing fraud risks is an important way to prevent fraud, and public companies must tailor their approach and design programs and controls that are calibrated to the organization and the level of risk.

Ongoing Activities and Monitoring. When management cannot provide adequate explanations or cannot otherwise address the audit committee’s concerns, then further follow-up may be needed. Audit committees should be particularly sensitive to cases where management is:

• Ignoring a lack of manpower in the financial reporting department
• Pressuring internal audit to change the scope of an examination
• Failing to give key financial reporting matters robust consideration
• Reluctant to implement recommendations by independent auditors
• Reluctant to investigate irregularities
• Downplaying materiality factors relating to accounting errors
• Reluctant to delay an SEC filing while there is an investigation taking place

Responsive Controls

Initial Assessment and Investigation Approach. When allegations of fraudulent financial reporting arise, companies must be in a position to demonstrate to independent auditors and potentially to regulators that they handled the issues appropriately. This involves making an initial assessment of the issues to determine the best way to investigate the matter and reach conclusions. Depending on the circumstances, it may be appropriate for a company’s internal legal department, along with assistance from internal audit (or uninvolved financial reporting personnel) to investigate. In other instances it is better for the audit committee to hire independent counsel and forensic accountants to conduct an investigation, which is the method preferred by regulators. In some instances the independent auditors may insist that an independent investigation be conducted.

If the company learns of the issue from an SEC Enforcement request letter or an internal whistleblower or others allege material errors by high-ranking company officials, it may be best for the audit committee to hire independent counsel. If the allegations involve lower-level employees and seemingly immaterial errors, then the internal Office of General Counsel (OGC) approach may suffice. Some companies take a middle-ground approach whereby the company, rather than the audit committee, hires outside counsel to conduct an investigation and also potentially serve as defense counsel if the regulators become involved. Ultimately, the participants in the investigation, including who will direct the investigation, will depend on the facts and circumstances.

Document Preservation

Regardless of the investigation approach, companies must take immediate steps to preserve the relevant evidence, including computer files, e-mail, and other electronic media. This normally involves a preservation request or document hold to be disseminated internally and using company personnel or outside forensic experts to capture the relevant data. Government investigators will want to understand the company’s document preservation policies prior to the allegations and how they were followed once an allegation surfaced. Internal or external counsel should be involved in this process to ensure compliance with company policies and potentially respond to government document requests.

Work Plan and Investigation Activities

Investigators must develop a work plan designed to determine whether there were financial statement errors, the materiality of such errors, who was responsible, and why the errors occurred. This will entail determining which accounting records, memoranda, and spreadsheets need to be reviewed and where the information is located. Investigators must also determine which transactions and accounting personnel need to be interviewed to understand why the transactions occurred and the accounting and disclosures related to them. IT professionals and forensic experts will likely need to search company records, e-mail, and other media for relevant information, using search terms and other techniques (e.g., predictive coding).

During investigations, assessments must be made as to whether accounting complied with GAAP, whether amounts of money or information was material, and what SEC filings are involved. It is useful to understand what interactions the company and the auditors had about the specific issues under investigation before and after allegations arose. It is also useful to keep the auditors apprised of developments, and the auditors may “shadow” the work of the company or audit committee.

Decision Points

Depending on when the investigation is initiated and how long it is expected to take, the company may need to decide about disclosing the matter to the public. It may also need to consider whether it will be able to meet the upcoming SEC filing deadline for the next quarterly or annual report and whether it is necessary to file a Form 8-K regarding nonreliance on previously issued financial statements.

As a result, during the investigation process, companies will also need to assess whether to self-report to the SEC or other regulators. If illegal conduct is suspected, some companies inform the SEC very early on, while others wait until its internal investigation is more developed or a restatement is imminent. Others may not self-report at all if errors are found to be immaterial and controls are remediated. Some companies submit amended SEC filings and others file revision restatements in the hope that the SEC does not contact them. When companies do self-report early on, they may have a better chance of receiving cooperation credit from regulators.

The decision whether to self-report depends on many factors, including whether a whistleblower may have contacted the SEC, and it should be made in consultation with legal counsel. At the end of the investigation, companies must determine how to correct errors found, including whether a restatement is required and whether previous SEC filings need to be amended.⁶⁴

Investigation Pitfalls and How to Avoid Them

Among the pitfalls to avoid when conducting internal investigations related to financial reporting are the following:

• Failure to preserve and/or review relevant electronic information (e.g., e-mail)
• Delay in deciding whether to bring in independent counsel
• Delay in hiring forensic accounting assistance
• Failure to keep the independent auditor abreast of the investigation status
• Unrealistic expectations concerning whether the investigation can be completed without delaying an SEC filing or earnings release
• Failure to remove implicated personnel from the financial reporting process through firings, suspensions, or administrative leave
• Failure to communicate with SEC Enforcement personnel

Many of these pitfalls can be avoided by having frequent and frank communications among all those involved in the financial reporting investigation, including the audit committee, management, internal counsel, external counsel, independent auditors, forensic accountants, and lawyers tasked to defend or investigate the matter. Hiring competent forensic technology experts and forensic accountants that have experience conducting accounting investigations is important, as the investigation will go more smoothly when data is captured and preserved correctly. Forensic accountants can help to assess the technical accounting issues, review accounting documents, interview financial reporting personnel, analyze potential accounting errors, and facilitate discussion with the independent auditors and regulators.

The company will not be well served if the investigation has started, only to find that the scope did not meet the expectations of the independent auditors or regulators, potentially requiring additional documents to be analyzed, witnesses interviewed, or additional custodian e-mails captured and searched. Auditors will ultimately need to know that the persons conducting the investigation were competent, the scope of the investigation was adequate, all accounting issues were addressed, all errors were corrected, and all appropriate remedies were taken.

Regulators will have similar concerns but will also focus on determining which persons were responsible and whether they intentionally or recklessly evaded accounting requirements so that charging decisions can be made. Companies and counsel must be in a position to explain to auditors and regulators that the scope of their investigation was reasonable, that all material errors have been identified and corrected, that internal controls have been (or will be) remediated, that all culpable employees have been fired or adequately disciplined, and that relevant disclosures have been made. They will also need to explain how such material errors could have arisen, having previously opined that the company had effective internal controls.

Conclusion

Given the fact the SEC has renewed its focus on financial reporting fraud, there are a number of possible ways in which it may step up its enforcement actions in the future. These may include risk-based inquiries of companies and a focus on gatekeepers who have a responsibility for the integrity of the financial reporting system.⁶⁵ Enforcement has also expressed concern about an increase in the number of revision restatements, possibly to avoid Sarbanes-Oxley Section 304 clawbacks,⁶⁶ and in 2013 it began making inquiries about these.

Financial institutions may remain under close scrutiny regarding valuation issues and their level of impairment charges during and after the financial crisis. Another area of risk may include situations where a public company may be able to exert pressure on counterparties in order to achieve a desired accounting result. The SEC will continue to investigate “fair presentation” issues, even when it may not be able to prove that GAAP has been violated. As a result, it would be wise for companies to consider what investors would consider important to the total mix of information when crafting disclosures. The SEC may also target deficiencies in internal controls that may not have actually caused a material error and restatement to occur.