How the Risk-Based Approach to Auditing Should Have Detected
WorldCom and Other Recent Frauds

Larry E. Rittenberg
University of Wisconsin, Madison

Bradley J. Schwieger
Saint Cloud State University

"WorldCom Internal Probe Uncovers Massive Fraud" ($3.8 billion in expenses improperly booked as capital expenditures.)

Identifying business risk should be a component of every audit. It can help identify situations that indicate a high potential for corporate financial reporting fraud. We firmly believe that taking this approach would have caught the WorldCom fraud.

We argue that the risk-based approach to auditing can be effective in detecting corporate fraud on the scale of WorldCom, as proper risk assessments would have taken into account CEOs with fraudulent intent. The problem with the audits of companies such as WorldCom is that the risk-based approach to auditing is not being appropriately integrated into the total audit process. As we look at the recent hearings before Congress that focus on corporate fraud, it appears that there are two failings in practice with regard to risk:

  1. Auditors are failing to fully evaluate controls, especially the "tone at the top" component of the internal control framework. (You will see this material emphasized in Chapter 5, on internal control, of our book.1)
  2. Practice fails to understand that risk analysis is not designed to "avoid" work, but instead is designed to point the auditors to areas that need more work.

If the external auditors of WorldCom had used the approach emphasized in our book, they would have done the following:

  • They would have evaluated control risk as high. Many factors lead to high control risk, including (a) rapid expansion, (b) high financial leverage, (c) high dependency on stock compensation, (d) a huge amount of loans made to the CEO, (e) financial difficulties in the industry, and (f) falling stock prices.

  • They would have been aware of ways that income can be manipulated when control risk is high. These ways include improper revenue recognition, overvalued inventory and other assets, and misclassification of expenses as assets.

  • They would have evaluated whether the controls are working effectively (again, see Chapter 5). At a minimum, there should have been some testing of classification controls done by taking a small sample of capitalized items, or even a subjective sample of unusual items. Given the magnitude ($3.8 billion) of the WorldCom fraud, even a small sample would have highlighted the problem.

  • They would have performed analytical procedures that would have shown high variances in expenses, assets, and cash flow. The analytical procedures should have signaled the need for more audit testing.

We believe that following a risk-based approach such as the one we outline in our book would have detected WorldCom's misclassifications.

Improper Revenue Recognition: A Major Financial Reporting Fraud Risk Area
Revenue recognition is an area of extremely high risk, as identified by the SEC and the accounting profession. A study was conducted by the Committee of Sponsoring Organizations of the Treadway Commission of 200 instances of fraudulent financial reporting occurring between 1987 and 1997. In over half of these instances, revenues were overstated by recording revenues prematurely or fictitiously. This practice appears to be continuing, as indicated in the following recent headlines and information from The Wall Street Journal:

"Justice Department Launches Criminal Investigation of Qwest"
The use of "swap" transactions - selling long-term capacity on its fiber network to another carrier, buying the same amount of fiber on another carrier's network and then booking the contract as revenue - boosted Qwest's revenue by more than $1 billion in 2001.

"Merck Recorded $12.4 Billion In Revenue It Never Collected"
Revenue included co-payments collected by pharmacies from patients, even though Merck's Medco unit doesn't receive those funds.

Accounting policies treated cost overruns on construction jobs as revenue, regardless of whether its customers agreed to pay part of the over-budget costs.

"Lawsuit Provides Fresh Details of Rite Aid's Accounting Woes"
Rather than booking $82.4 million in one-time gains from the sale of 189 stores, Rite Aid put that amount into an internal reserve account and used it to absorb future operating expenses and inflated reported operating income.

"Bristol-Myers Faces SEC Probe Into 'Channel-Stuffing' in 2001"
The SEC is investigating whether the New York drug maker improperly inflated revenues in 2001 by as much as $1 billion. Revenue may have been inflated by offering drug wholesalers special incentives to pack their warehouses with extra inventory, a form of "channel stuffing."

Client revenue recognition policies should be given particularly close attention. Chapter 9 in our book outlines the steps that should be taken related to revenue transactions, including the following:

  1. Analyze business risk for potential motivations to misstate sales (inherent risk) and determine the most likely methods that sales might be misstated.
  2. Understand the controls over revenue recognition and test them to determine if they are operating effectively. Be alert to the potential of management override of those controls.
  3. Perform analytical procedures to help identify unusual changes in revenue, particularly at the micro level - by product line by month - as compared to prior periods and years.

Indications of possible revenue misstatements should lead to extensive substantive testing of the related account balances - Sales, Sales Returns and Allowances, and Accounts Receivable.
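
The analytical procedure in step 3 (revenue by product line by month, compared to the prior year), sketched as an added example that is not from the authors or their book. The ledger rows are constructed, and the 15% tolerance and the function names are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

def build_sample():
    """Constructed ledger: (product_line, year, month, revenue in $ thousands)."""
    rows = []
    for line, base in (("voice", 1000), ("data", 600)):
        for year, growth in ((2000, 1.00), (2001, 1.05)):
            for month in range(1, 13):
                rows.append((line, year, month, round(base * growth)))
    # Constructed anomaly: a year-end revenue spike in a single product line.
    return [(l, y, m, r * 2 if (l, y, m) == ("data", 2001, 12) else r)
            for l, y, m, r in rows]

def flag_unusual_revenue(rows, current_year, tolerance=0.15):
    """Flag months whose year-over-year change departs from the product
    line's typical (median) change by more than `tolerance`.

    Returns a list of (product_line, month, change, typical_change).
    The tolerance is an assumed threshold, not an auditing standard.
    """
    revenue = {(l, y, m): r for l, y, m, r in rows}
    changes = defaultdict(dict)
    for (line, year, month), amount in revenue.items():
        prior = revenue.get((line, year - 1, month))
        if year == current_year and prior:
            changes[line][month] = amount / prior - 1
    flags = []
    for line, by_month in sorted(changes.items()):
        typical = median(by_month.values())  # robust to a single outlier
        for month, change in sorted(by_month.items()):
            if abs(change - typical) > tolerance:
                flags.append((line, month, round(change, 2), round(typical, 2)))
    return flags

if __name__ == "__main__":
    for line, month, change, typical in flag_unusual_revenue(build_sample(), 2001):
        print(f"{line} month {month}: {change:+.0%} vs typical {typical:+.0%}"
              " -> extend substantive testing")
```

A company-wide annual comparison would dilute the December spike across 24 line-months; the per-line, per-month view isolates it.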

Risk-Based Approach: Back to the Basics
It is important to reemphasize that the risk-based approach to auditing does not mean that auditors don't do traditional audit work. It does mean that they think about what they are seeing and then adjust the audit procedures to make sure they are covering areas that are most susceptible to misstatement (both error and fraud) in more detail.

Consulting and audit services are often performed by the same firm. From this larger perspective comes a larger problem with the external audit teams involved in the recent large fraudulent transactions. It is not that they used (or didn't use) the risk-based approach to auditing, but that they did not audit. They believed management did not and would not lie. Or they spent time trying to find ways to satisfy management to keep the account and the related non-audit services. As one internal auditor put it, "It is hard to put your foot down when you are on your knees."

In the end, we argue that our risk-based approach to auditing leads the audit firms back to the basics of effective audits.

Larry E. Rittenberg, Ph.D., CPA, CIA, is the Ernst & Young Professor of Accounting & Information Systems at the University of Wisconsin-Madison, where he teaches courses in auditing and computer and operational auditing.

Bradley J. Schwieger, DBA, CPA, is the G.R. Herberger Distinguished Professor of Business and Accounting at St. Cloud State University.

1 Larry E. Rittenberg and Bradley J. Schwieger, Auditing: Concepts for a Changing Environment, Fourth Edition (South-Western, 2003).

Copyright © 2005 South-Western. All Rights Reserved.