I have been criticized for “defending” Grant Thornton, the auditors of Koss Corp, which has suffered a fraud loss of at least $31 million at the hands of the company’s Vice President of Finance, Sue Sachdeva. In fact, my comments relating to this case are not a defense of Grant Thornton, in the least. They are meant to point the finger squarely at Koss management, which is wholly responsible for this fraud.
I’m not saying that Grant Thornton did a bang-up job when it comes to Koss. I couldn’t possibly know that without knowing exactly how the fraud was carried out (Koss still hasn’t said) and without seeing GT’s workpapers and taking a good look at what they actually did. What I am saying is that audits have so little usefulness and are so awful at detecting fraud, that it’s a given that a woman like Sue Sachdeva would easily be able to get away with a massive theft.
How often do we see an executive running off with a company’s money while auditors were hovering? We see it all the time. Enron, WorldCom, and Tyco brought fraud by management to light, and the problem still exists several years later. Legislation such as Sarbanes-Oxley hasn’t cured the problem, in fact, a recent study by the Association of Certified Fraud Examiners found that the problem is even worse than before SOX. This is a persistent problem, one that auditors clearly haven’t been able to eradicate, so to suggest that Grant Thornton should have stopped the fraud (when all the other large auditing firms have failed to find fraud at their clients too) is nonsense.
My respected colleague Francine McKenna did a great deal of research and writing about why Grant Thornton shouldn’t get a pass in the Koss case. She’s found a lot of interesting information about Koss Corp., its finance function, its auditors, and its management in general. But instead of proving why this makes Grant Thornton guilty, it only seems to prove my original theory: that management alone is to blame for this fraud.
Francine points out the following notable facts:
- NASDAQ, where Koss was listed, does not require an internal audit function in companies. Koss did not have internal auditors.
- Grant Thornton’s planning of their audit work required them to assess the company’s internal audit function, or in this case, Koss’s lack of internal auditors.
- The auditors were required to adjust their substantive testing (read: do more) based on the risk factors Koss presented per SAS 109 (AU 314), Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement.
Clearly there were issues with how Koss was managed. Francine writes:
If they had performed a proper SAS 99 review (AU 316), Consideration of Fraud in a Financial Statement Audit, it would have hit’em smack in the face like a _______ . (Fill in the blank.) Management oversight of the financial reporting process is severely limited by Mr. Koss Jr.’s lack of interest, aptitude, and appreciation for accounting and finance. Koss Jr., the CEO and son of the founder, held the titles of COO and CFO, also. Ms. Sachdeva, the Vice President of Finance and Corporate Secretary who is accused of the fraud, has been in the same job since 1992 and during one ten year period worked remotely from Houston!
How do you audit a company like Koss which apparently had little to no substantive internal controls over the financial reporting process? Well you could examine every single transaction for the year. But obviously no company is ever going to pay an auditor the type of fee it would require to do this. So the auditors instead do some “extra” testing. If the extra testing turns out okay, all is deemed happy in auditland.
Sounds laughable, doesn’t it? But that’s what auditing is, whether we like it or not. Audits test. Audits sample. They hope they catch the big stuff, but often they do not. Check out the number of articles returned by Google for a search for “auditor” and “lawsuit” for the last year.
There were obvious problems with the finance function at Koss. But at the end of the day, an audit needs to be done and someone is going to do it. No matter how awful a company’s management is, there is always an auditing firm willing to step up to the plate. Trainwreck Overstock.com is a great example of this. After numerous instances of financial reporting irregularities were pointed out by a variety of journalists and bloggers, Overstock fired Pricewaterhouse Coopers (PwC) and hired Grant Thornton. More issues, and Grant Thornton was fired less than a year later. And KPMG has stepped up to take over this financial reporting mess.
How often do auditors make “Management Recommendations” to companies? Every single year, the auditors complete their work and tell their clients where they could improve. Probably on the most frequently recommended list are better internal controls, better segregation of duties, and better ways to prevent the head of the finance function from overriding controls. And often companies ignore these recommendations, citing the fact that they haven’t had any problems (yet!) or that changes would cost too much.
I could suggest that auditors “man up” and refuse to work with clients unless they became more diligent about their internal controls, but doesn’t often happen. Some auditing firm is all too happy to accept a client recently fired by their auditors. And the auditors are reluctant to tell one another the real reasons why they quit or were fired. It’s just not good for business.
Frankly, I don’t know why any accounting firms even do audits anymore, especially of publicly traded companies. There is not enough insurance in the world to protect them from situations like this. Grant Thornton’s reputation will be tarnished in the Milwaukee business community for years to come, and there will likely be effects in other markets as well. Is it really worth it to do audits when this type of liability exists?
The problem with blaming the auditors in this case is that if we do so, then we should blame the auditors in nearly every other corporate fraud. Why? Find me a company that does not let the CFO hold the keys to the kingdom? Find me a company in which the CFO or VP of Finance isn’t able to override almost all of the controls.
Instead, we still play this game of pretend. We wish that auditors could be good at finding fraud and that they would really provide value to a business. Neither is true, and what is required is either an acceptance of this truth or a fundamental change in thinking regarding audits. Let’s accept audits for what they are, or completely change the process if we want audits to do something useful, such as find fraud.
The bottom line here is that the management of Koss Corp., and specifically wonder boy Michael Koss, is solely to blame for the $31 million fraud committed by VP of Finance Sue Sachdeva. No one was stopping Koss from asking the auditors to do more work or from hiring other professionals that could help improve internal controls and find fraud. The auditors are going to get sued, and they’ll have a hard time walking away without any liability. That’s just the way the game goes. Fraud is found, auditor has professional liability insurance, auditor gets sued, insurance company pays out at least something.
So make no mistake, I’m not absolving Grant Thornton of guilt in this situation. There is a chance that they have some liability. But the blame needs to be focused on management at Koss Corp. Audits aren’t going to start finding fraud on a wide scale any time soon. But management can do something about fraud if they choose to. Koss did not, and now they are paying the price. They put themselves into this situation, and they are to blame.
Tracy,
We are totally in synch here now. I started out writing about Grant Thornton, and to a lesser extent PwC, as auditor and former auditor. But after reading about Koss Jr. I came to the same conclusion as you do now and to the conclusions we share – Audits are worthless and self-serving corporate executives have a vested interest in keeping them irrelevant.
An audit firm with a spine could have nipped this in the bud, I’m sure. It’s obvious to me what was gong on, even all the way from Chicago. But especially in closely held smaller public companies, there’s an stubbornness and arrogance that masquerades as small business boosterism and entrepreneurial spirit. It’s just greed on a local scale.
Preliminary Analytics | 01.18.10…
• Defending Koss And Their Auditors: Just Loopy Distorted Feedback – Francine’s take on the Koss fraud. [Re: The Auditors] • Koss Corp. Fraud: Defending Grant Thornton? No. &ndsah; Tracey Coenen says Koss’ incestuous management deserv…
Tracy – I was among those who were criticizing you for seeming to defend GT in your initial blogging on the KOSS fraud. However, based on your extended discussion of the fraud issues in this commentary, that criticism should be partially withdrawn and narrowed. I agree with you completely that the full responsibility for the existence of the fraud lies with KOSS management. The lapses in management judgment and the total disregard for the concept of “trust, but verify” are almost unbelievable. Nothing that GT did or did not do reduces management’s responsibility for enabling an environment that allows this magnitude of fraud.
My point on your comments appearing to defend GT is that the firm’s responsibility potentially relates to failing to identify the effect of the fraud on the financial reports and financial condition of KOSS. Auditing standards specifically require auditors to assess the potential for financial reporting fraud and adjust the scope of the audit procedures accordingly. As you point out, it isn’t unusual for audit firms to pay little more than lip service to those standards, but they still have the responsibility to comply. Those standards cover financial reporting audits and apply whether or not the company is subject to SOX. Even though retained and paid by KOSS management, GT’s responsibility on that matter is to all shareholders, not just to the KOSS family. Based on the numbers that have been reported so far, the average monthly fraud over the 5 year period was $500k and in the last full year $670k +/-. For a company as small as KOSS, it is difficult to believe that an audit scope definition would have determined that these amounts were too immaterial to be included in detailed testing, especially when the payments were to a vendor who was clearly not a raw materials or contract manufacturing supplier. Considering the numbers reported on the KOSS fraud, in some years the amounts were in the range of 20% +/- or more of reported Cost of Sales or 50% +/- of SG&A Expense. I don’t know any reasonably skeptical auditors who would pass such amounts as being normal trends or no big deal based primarily on verbal assurance from Koss or Sachdeva. However, in the end the courts will be the ones to decide the degree of responsibility and audit failure, if any, attributable to GT.
BTW – Your comment that the ACFE report found that the fraud problem was worse than before SOX implementation may present a flawed interpretation of the report’s conclusions. In fact, the same statement, virtually word for word, appeared on several strongly anti-SOX blogs shortly after the ACFE report was released. After several of those statements appeared in blogs, I remember that the ACFE released a clarification generally refuting the interpretation that the fraud problem was worse after SOX.
The report does not indicate a failure of SOX-related controls to reduce fraud. Page 22 of the report shows that publicly traded companies obtained the greatest benefit in detecting frauds as a result of tips and internal controls, both of which are SOX-related items. Page 38 of the report states that “Publicly traded organizations with SOX-related controls in place incurred median losses 70% to 96% lower than the corporations that had not yet implemented these controls.” On subsequent pages, the report shows that other types of organizations not subject to SOX regulation experienced similar reductions in median fraud losses if SOX-type controls were implemented. However, page 41 of the report did show that median losses from Financial Statement Fraud (i.e., manipulation of the financial statements results such as Worldcom & Healthsouth, rather than other frauds, such as the KOSS theft) were higher post-SOX and took longer to discover, even though the frequency chart on page 11 shows a 0.3% reduction in the frequency of financial statement frauds between the 2006 and 2008 reports. One logical explanation for this is the role management plays in creation and presentation of financial statements and the influence management can have in negotiations with auditors in setting the scope of audit procedures. Additionally, there are still many companies in which senior management considers their activities off-limits for internal audits and assessments of controls.
Overall, it seems a better interpretation of the ACFE report, as it relates to SOX and frauds, is that SOX controls increase the frequency of detection and reduce the magnitude of the frauds, except in areas such as Financial Reporting, where senior management has significant potential to affect outcomes.
As a side note, page 22 of the ACFE report showed that internal audits (my specialty), including fraud examinations (your specialty), were the 2nd most significant method of fraud detection in government organizations, 3rd for public companies, and 4th for Not for Profits and private companies. Not a very good result for our respective professional disciplines.
[…] So how did the auditors miss it? That’s easy. Three simple steps by Koss VP of Finance Sue Sachdeva would prevent the auditors from encountering evidence pointing them to the fraud. […]
[…] that brings us back to the issue of the auditors again. How did they miss a fraud of this size? I’ve come up with at least one scenario under which it could have easily gotten past them. If […]
[…] to sustain the Big 4’s untenable, unsustainable, obsolete business model that produces a, purported by some, worthless product. The Big 4 are bringing their best and brightest minds, from all over the world, […]
[…] also wants us to believe it had good controls in place while this fraud occurred over almost 6 years: The Company maintains a system of disclosure controls and procedures that were […]
Absolute power corrupts absolutely. Any internal control responsibility vests with the Management. The Auditors are responsible for NOT bringing forth the laxity in Internal Controls, particularly with payments of high amounts exceeding $100K. It is NOT uncommon for companies to insist on dual signatures, and counter balance on payments. Any reconciliation with Bank Statement would indicate such very high payments on a single signature is not accpetable, and the Auditors must have brought the fact that prima facie a case exists for a potential fraud with single signature rule beyond a certain amount. That is what the Audit Committee of the Board is for. If every Auditor start using softwares like IDEA for evaluating the data before completing the audit, they would have found such variations and Benford’s Law application to the data would have brought in these anomalies. Grand Thornton and PWC cannot walk away scot free as testing of Internal Controls and expressing an opinion good or bad, is the responsibility of the Auditors.. SOX was very clear about that. Thanks to Enron, we know the faults of Management Override and the risk that every company is placing themselves in the Fraud Triangle by not having adequate internal controls. Why is it that Auditing firms have not learnt their lesson after seeing Arthurn Andersen go down. How come Companies have not learnt after seeing the likes of MCI Worldcom?
Everywhere in the world, and I have travelled extensively, the Auditor will NOT sign the financial statements unless the same is signed by the Chairman of the Board, CFO (Director Finance) & the Managing Director. We are very late in USA to bring forth these rules, and now at this stage, if the board does not want to take responsibility for what they are doing, they should not be in the board.
Everyone should follow History. History is the best teacher of what not to do. In a business everyone has ideas of how to do things. Very few think of how not to do business, which, when it comes to internal control takes an over ride over how to do business.
In one of the issues of CFO magazine I read how Auditors can be distracted easily by the employees by doing small talk or taking them out for lunch and in a survey conducted, the Auditors themselves acknowledged it. Are we missing something here? Are the accountants as a body losing Independence? If the body loses independence, what really is left out?
[…] Remember that an audit is a limited examination of a company’s books and records to determine if the financial statements comply with the accounting rules. Francine McKenna gives a good summary of the auditors and the audit. An audit is not an examination of every transaction throughout the year, and even if it was, there is still no guarantee that they’d find a fraud scheme. Errors are often found during audits because they are naturally occurring and unconcealed. Fraud (sometimes called “irregularities” to pretty it up a little) is intentionally concealed from the auditors, so it is difficult (if not impossible) to find during a routine financial statement audit. […]