The 9th International Anti-Corruption Conference
COSO STUDY ON FRAUD IN FINANCIAL REPORTING
Carlo di Florio
I have been asked to address the topic of fraud in financial reporting
generally and what is known as the COSO Report in particular. During
the course of the discussion, we'll explore the U.S. experience in
dealing with this issue through the perspective of the private-sector
Commission - COSO - established to study fraud in financial reporting
and make recommendations. At the end of the day, the aim is to discuss
an overall framework for "good" corporate governance and internal
control and highlight examples of how this is being implemented in the
U.S. The intent is to place the discussion in the context of a larger
international dialogue on private sector financial accountability and
I. Overview of COSO
- At its core, corruption involves fraudulent financial reporting.
Whether through slush funds, shell companies or kickback schemes, the
bribe payment is generally disguised and fraudulently reported.
- Experience shows that these violations of law, regulations and
policies are generally the result of deficiencies in corporate
governance and internal controls.
- It was in the 1940s that a discussion of internal control
methodologies first appeared in U.S. audit literature and practice.
But it was the period from 1972-76 which brought the issue to centre
stage. That period saw the Watergate scandal unfold in the United States,
and subsequent investigation revealed that companies were engaged in
questionable political campaign finance practices and clear foreign
corrupt practices. The ensuing scrutiny by the SEC and Congress
contributed greatly to the enactment of campaign finance laws and the
1977 FCPA, which criminalised transnational bribery and required
companies to implement internal control programs.
- Indeed, in the several years immediately following, the SEC and the
American Institute of Certified Public Accountants introduced
proposals that management be required to report on the condition of
internal control in publicly held companies. Between 1978 and 1985,
the AICPA issued a number of Statements on Auditing Standards which
related to internal controls.
- The period of regulatory and standard proliferation, however, is replete with
headlines about frauds and corruption in major corporations,
"surprise" losses, business failures, and lawsuits from the investing
public against boards of directors and senior management.
- In response, a private-sector initiative, called the National
Commission on Fraudulent Financial Reporting (commonly known as the
Treadway Commission) was formed in October 1985. It had as its major
objective to identify the causal factors of fraudulent financial
reporting and to make recommendations to reduce its incidence. The
Commission was jointly sponsored and funded by 5 main professional
accounting associations and institutes: the American Institute of
Certified Public Accountants (AICPA), the American Accounting Association
(AAA), the Financial Executives Institute (FEI), The Institute of
Internal Auditors (IIA) and the Institute of Management Accountants.
- The Commission issued its initial report in 1987, and among other
initiatives, recommended that the organisations sponsoring the
Commission work together to develop integrated guidance on internal
- Consequently, the Committee of Sponsoring Organisations (COSO) was
formed and it commissioned Coopers & Lybrand to study the issues and
author the report.
- It is worth noting that a number of separate and unrelated events
underscored the importance of the need for such an integrated
framework. In 1991, Congress passed a law requiring management of
large financial institutions under FDIC oversight to issue annual
reports on the effectiveness of their internal control systems. That
same year, the U.S. Sentencing Commission adopted guidelines for use
in assessing penalties for businesses found guilty of so-called "white
collar crimes." The Guidelines permit significant reduction in
penalties for entities which have in place an effective system for
detecting and preventing violations of laws, such as the FCPA.
II. COSO - Internal Controls
- The COSO study took more than three years and involved extensive
research and discussion with corporate leaders, legislators and
regulators, auditors, academics, outside directors, lawyers and
consultants. Despite differences of orientation and agenda, opposing
interests came together to solve a common problem.
- The result was the COSO Report entitled "Internal Control -
Integrated Framework." The COSO Report does two important things: 1)
it presents a common definition of internal control, and 2) it
provides a framework against which entities can assess and improve
their internal control systems. Related to corruption in particular,
the COSO standard has become one of the principal benchmarks which
U.S. companies use in evaluating their compliance with the U.S. FCPA.
- Internal Control Integrated Framework - COSO broadly defines
internal control as a process, effected by an entity's board of
directors, management or other personnel, designed to provide
reasonable assurance regarding: 1) the efficiency of operations; 2)
the reliability of financial reporting; and 3) compliance with
applicable laws and regulations.
To achieve these objectives, effective internal control consists of
establishing five interrelated components: the control environment,
risk assessment, control activities, information and communication,
and monitoring. Let's take a brief look at each of these:
- The "control environment" is what sets the tone of an organisation
and provides discipline and structure. It includes the integrity and
competence of the entity's people; management's philosophy and
operating style; and the way management and the board assign authority
- "Risk assessment" is the identification and analysis of risks to
determine how they should be effectively managed. Once risks have been
identified, sourced and measured, steps must be taken to avoid,
transfer, or otherwise reduce the risks to acceptable levels. As an
example, to evaluate the risk of bribery and corruption in the
procurement process, one might analyse how engineering may create
specifications that favour specific vendors, how purchasing may
unfairly award contracts, and how accounting may record kickbacks.
- The "control activities" are the policies and procedures that help
ensure that management's directives are carried out. These include
such practices as authorisation, reconciliation and segregation of
duties. Such activities would permeate the entire organisation, at all
levels and in all functions. Of course they must be customised to
reflect the entity's specific control environment, objectives, and
tolerance for risks.
- "Information and communication systems" produce operational,
financial and compliance related reports, and they also notify
personnel of their role in the internal control system. These systems
must provide a means for moving important information to the very top
of the organisation and for receiving inputs from external parties. As
an example, consider information about corrupt practices coming from a
whistleblower - e.g., a marketing clerk within the organisation - or a
whistleblower - e.g., a vendor - outside the organisation. In short,
internal and external information must be identified, captured, and
communicated in a form and time frame that enables people to carry out
- Finally, "monitoring" is a process that assesses the quality of the
system's performance over time. When deficiencies are discovered, they
must be reported and appropriate remedial action taken.
All five components must be present and functioning effectively to
conclude that internal control over operations is effective.
In the interest of time, I would now like to move on and touch on
COSO's most recent study on fraudulent financial reporting.
III. COSO - Landmark Study on Fraud in Financial Reporting
- This landmark study was released in March of this year. It was based
on analysing a decade of SEC enforcement cases and it presents a
profile of the frauds committed, the companies and individuals
involved, and the consequences of the frauds. The report is
particularly useful to anyone involved in corporate governance. More
information about the study can be found on the website
www.aicpa.org of the American Institute of Certified Public
- METHODOLOGY: The study analysed 200 randomly selected cases of
alleged financial fraud investigated by the SEC, about 2/3 of the 300
SEC probes into fraud between 1987 and 1997.
IV. Summary of COSO Study on Fraud in Financial Reporting -PRINCIPLE
- The study found that typical financial reporting fraud schemes
involved the overstatement of revenues and assets:
- In more than half the cases, revenues were recorded prematurely or fictitiously
- About half of the fraud involved overstating assets by understating
allowances for receivables, overstating the value of tangible assets,
and/or recording non-existent assets
- In the past decade, most fraud in financial reporting among public
companies was committed by smaller corporations, with well below $100
million in assets.
- Top senior executives were frequently involved. In 83% of the cases,
the CEO, the CFO or both were named as being associated with the
financial statement fraud.
- The boards of directors of these companies were dominated by
insiders and directors with significant equity ownership and little
apparent experience serving on the boards of other companies.
- Most audit committees met only about once a year or the company had
no audit committee at all.
- Audit firms of all sizes were associated with companies committing
financial statement fraud.
- Cumulative amounts of frauds were relatively large in light of the
relatively small sizes of the companies involved. The average
misstatement or misappropriation of assets was $25 million.
- Some companies committing fraud were experiencing net losses or were
in close to break even positions in periods before the fraud.
Pressures of financial strain or distress may have provided incentives
for fraud for some of the companies.
- This report provides investors, financial professionals and
regulators with valuable information regarding where they might direct
their focus. For example, a regulatory focus on companies with market
capitalisation over $200 million may inadvertently fail to target
those companies most frequently engaged in fraud. The audit committee
and board practices of smaller companies may warrant particular
V. Conclusion and Lessons Learned
The increased private sector financial accountability and transparency
initiatives described present substantial benefits to the evolution of
sound corporate governance.
- The most obvious benefit of COSO was to provide managers with a
comprehensive and integrated approach to assessing and controlling
business risks in an era where the pace of change - commercial,
political, social and regulatory - is ever increasing.
- COSO has also greatly expanded the concept of internal control, and
by providing a "common language" has facilitated multi-disciplinary
dialogues on this important topic.
- As COSO has caused thousands of U.S. companies to rethink their
approach to managing and controlling risks, new basic principles of
management are emerging, setting off a paradigm shift in how corporate
governance is effected.
- As we will hear, other countries have undertaken their own
initiatives in establishing national standards for corporate
governance and internal control. To the extent these systems improve
transparency, integrity and governance, they are indeed to be
developed and embraced.