Bradley J. Schwieger
Saint Cloud State University
"WorldCom Internal Probe Uncovers Massive Fraud" ($3.8 billion in expenses improperly booked as capital expenditures.)
Identifying business risk should be a component of every audit. It can help identify situations that indicate a high potential for corporate financial reporting fraud. We firmly believe that taking this approach would have caught the WorldCom fraud.
We argue that the risk-based approach to auditing can be effective in detecting corporate fraud on the scale of WorldCom, as proper risk assessments would have taken into account CEOs with fraudulent intent. The problem with the audits of companies such as WorldCom is that the risk-based approach to auditing is not being appropriately integrated into the total audit process. As we look at the recent hearings before Congress that focus on corporate fraud, it appears that there are two failings in practice with regard to risk:
If the external auditors of Worldcom had used the approach emphasized in our book, they would have done the following:
We believe that following a risk-based approach such as the one we outline in our book would have detected WorldCom's misclassifications.
Improper Revenue Recognition: A Major Financial Reporting Fraud Risk Area
Revenue recognition is an area of extremely high risk, as identified by the SEC and the accounting profession. A study was conducted by the Committee of Sponsoring Organizations of the Treadway Commission of 200 instances of fraudulent financial reporting occurring between 1987 and 1997. In over half of these instances, revenues were overstated by recording revenues prematurely or fictitiously. This practice appears to be continuing, as indicated in the following recent headlines and information from The Wall Street Journal:
"Justice Department Launches Criminal Investigation of Qwest"
The use of "swap" transactions - selling long-term capacity on its fiber network to another carrier, buying the same amount of fiber on another carrier's network and then booking the contract as revenue--boosted Qwest's revenue by more than $1 billion in 2001.
"Merck Recorded $12.4 Billion In Revenue It Never Collected"
Revenue included co-payments collected by pharmacies from patients, even though Merck's Medco unit doesn't receive those funds.
Accounting policies treated cost overruns on construction jobs as revenue, regardless of whether its customers agreed to pay part of the over-budget costs.
"Lawsuit Provides Fresh Details of Rite Aid's Accounting Woes"
Rather than booking $82.4 million in one-time gains from the sale of 189 stores, Rite Aid put that amount into an internal reserve account and used it to absorb future operating expenses and inflated reported operating income.
"Bristol-Myers Faces SEC Probe Into 'Channel-Stuffing' in 2001"Client revenue recognition policies should be given particularly close attention. Chapter 9 in our book outlines the steps that should be taken related to revenue transactions, including the following:
The SEC is investigating whether the New York drug maker improperly inflated revenues in 2001 by as much as $1 billion. Revenue may have been inflated by offering drug wholesalers special incentives to pack their warehouses with extra inventory, a form of "channel stuffing."
Indications of possible revenue misstatements should lead to extensive substantive testing of the related account balances - Sales, Sales Returns and Allowances, and Accounts Receivable.
Risk-Based Approach: Back to the Basics
It is important to reemphasize that the risk-based approach to auditing does not mean that auditors don't do traditional audit work. It does mean that they think about what they are seeing and then adjust the audit procedures to make sure they are covering areas that are most susceptible to misstatement (both error and fraud) in more detail.
Consulting and audit services are often performed by the same firm. From this larger perspective comes a larger problem with the external audit teams involved in the recent large fraudulent transactions. It is not that they used (or didn't use) the risk-based approach to auditing, but that they did not audit. They believed management did not and would not lie. Or they spent time trying to find ways to satisfy management to keep the account and the related non-audit services. As one internal auditor put it, "It is hard to put your foot down when you are on your knees."
In the end, we argue that our risk-based approach to auditing leads the audit firms back to the basics of effective audits.
Larry E. Rittenberg, Ph.D., CPA, CIA, is the Ernst & Young Professor of Accounting & Information Systems at the University of Wisconsin-Madison, where he teaches courses in auditing and computer and operational auditing.
Bradley J. Schwieger, DBA, CPA, is the G.R. Herberger Distinguished Professor of Business and Accounting at St. Cloud State University.
1Larry E. Rittenberg and Bradley J. Schwieger, Auditing: Concepts for a Changing Environment, Fourth Edition (South-Western, 2003).
2005 South-Western. All Rights Reserved.