Are you in compliance?

Don't miss out! Sign up today for our weekly newsletters and stay abreast of important GRC-related information and news.

Get updates on Compliance Week offerings, including new features, databases, research, and other resources, along with announcements of upcoming Webcasts, conferences, seminars, CPE/CLE opportunities and more.

Published every Thursday, Compliance Week Europe offers a condensed summary of risk, audit, and compliance news either originating in Europe, or of special interest to European compliance professionals. This newsletter will follow developments by the European Commission, as well as those of national governments across the region, or any U.S.-based news that might have consequence across the Atlantic. Frequency: weekly; Thursday a.m.

A fresh edition of Compliance Week delivered via e-mail and online every Tuesday morning, relentlessly focused on the disclosure, reporting and compliance requirements of our 25,000+ paying subscribers.

Published every Friday, Compliance Weekend was launched at the behest of subscribers, and offers a quick Plain English review of the week's key developments. We hope you enjoy this supplement to Compliance Week's Tuesday edition.

SEC Pursues Small Company Over Lax Internal Controls

Tammy Whitehouse | November 22, 2011

The Securities and Exchange Commission is sending another warning about fraud prevention by pursuing top executives at a small company for failing to stop a massive fraud, although legal experts are divided on whether it sends the right message.

Koss Corp., which produces consumer electronics, and its president and CEO, Michael Koss, recently settled an enforcement action with the SEC for an embezzlement and accounting fraud of more than $30 million. Koss, however, was not the perpetrator; former finance vice president Sujata Sachdeva and her senior accountant, Julie Mulvaney, carried out the scheme.

Michael Koss, who remains president and CEO, agreed to pay back bonuses totaling more than $450,000 in cash and 160,000 options. The company faced no monetary penalty. Sachdeva is already serving 11 years in prison for helping herself to more than $30 million from corporate accounts beginning in 2005 to support her lavish personal spending.

The SEC charged that the company and its CEO didn't maintain a system of internal controls that would have reasonably assured accurate and reliable financial reporting. The scope of the embezzlement scheme was significant compared to the company's sales and retained earnings, according to the SEC. In 2009—the first of two fiscal years and three subsequent quarters that Koss restated as a result of the fraud—Sachdeva skimmed $8.5 million in corporate funds on sales of $41.7 million and retained earnings of $17.1 million. Sachdeva and Mulvaney hid their embezzlement through an accounting fraud.

As an example, the SEC said Koss policy required Michael Koss to approve invoices of $5,000 or more for payments, but required no such approval for wire transfers or cashier's checks. That allowed Sachdeva, with Mulvaney's help, to use wire transfers of about $16.3 million and cashier's checks of some $15.5 million to pay Sachdeva's personal creditors and credit card bills, the SEC said. To cover their tracks, Sachdeva and Mulvaney made post-closing changes to the books, relying on an antiquated, 30-year-old computer system that could not lock out the accounting systems at the end of the month, the enforcement order says. (Koss Corp. and Michael Koss did not respond to requests for comment.)

The SEC's clawback of Michael Koss's bonus sends a message to all smaller reporting companies that are not required under Sarbanes-Oxley to have their internal control assessment audited, says Cynthia Krus, a partner and co-leader of the corporate practice group at law firm Sutherland Asbill & Brennan. “It's a shot across the bow,” she says. “The SEC wants to make sure companies understand that regardless of whether you are getting your auditors to sign off on controls, you need to be taking it seriously.”

“It's a shot across the bow. The SEC wants to make sure companies understand that regardless of whether you are getting your auditors to sign off on controls, you need to be taking it seriously.”

—Cynthia Krus,
Sutherland Asbill & Brennan

After long delays and an eventual exemption under the Dodd-Frank Act, companies the size of Koss have never been required to have their internal control environment scrutinized by external auditors under Sarbanes-Oxley Section 404(b). The Koss fraud could serve as a great example of why Section 404(b) should be applied to all public companies, says Jacqueline Wolff, a partner with law firm Manatt, Phelps & Phillips. “Some of this might have been glaring if they had done a full 404(b) audit,” she says.

Koss's audit firm, Grant Thornton, was dismissed from a class-action suit related to the fraud, but still faces litigation from Koss directly. The SEC declined to say whether it is pursuing any action against the audit firm, and the Public Company Accounting Oversight Board is forbidden under Sarbanes-Oxley to disclose investigations until cases are settled or appeals are exhausted.

Keith Bishop, a partner in the corporate and securities practice at law firm Allen Matkins, is disturbed by the SEC's pursuit of the company and its CEO. “It smacks of punishing the victim and second guessing,” he says. “I have a concern that the SEC is using this as a message case without really recognizing that no matter how well you have designed internal controls, they only provide reasonable not absolute assurance that there won't be fraud.”


The following excerpt from the Securities and Exchange Commission lists the regulators' complaints against Koss:

The Securities and Exchange Commission on Oct. 24, 2011, filed a complaint against, and proposed settlement with, Koss Corporation, located in Milwaukee, Wisconsin, and Michael J. Koss, its CEO and former CFO, based on Koss Corporation's preparation of materially inaccurate financial statements, book and records, and lack of adequate internal controls from fiscal years 2005 through 2009. During this period, Sujata Sachdeva, Koss's former principal accounting officer, secretary, and vice president of finance, and Julie Mulvaney, Koss's former senior accountant, engaged in a wide-ranging accounting fraud to cover up Sachdeva's embezzlement of over $30 million from Koss. The Commission's Complaint alleges that:

  • The yearly amounts stolen were significant relative to Koss's sales and shareholders' equity. For example, during fiscal year 2009, Sachdeva stole approximately $8.5 million, while Koss reported total sales of approximately $41.7 million and retained earnings of approximately $17.1 million at year-end.
  • Sachdeva and Mulvaney were able to hide the substantial embezzlements in Koss's financial records in part because Koss and Michael J. Koss did not adequately maintain internal controls to reasonably assure the accuracy and reliability of financial reporting.
  • While Koss's internal controls policy required Michael J. Koss to approve invoices of $5,000 or more for payment, its controls did not prevent Sachdeva and Mulvaney from processing large wire transfers and cashier's checks outside of the accounts payable system to pay for Sachdeva's personal purchases without seeking or obtaining Michael J. Koss's approval.
  • As a result, Sachdeva, with Mulvaney's assistance, was able both to initiate and authorize wire transfers of Koss's funds to her personal creditors totaling approximately $16.3 million, and to order cashier's checks payable to credit card companies and her designated payees totaling approximately $15.5 million.
  • Koss's computerized accounting systems were almost 30 years old and access to the accounting systems could not be locked at the end of the month and there was no audit trail. Sachdeva and Mulvaney were thus able to make undetected post-closing changes to the books and bypass an internal control requiring Michael J. Koss to authorize those changes.
  • Many account reconciliations were either not prepared or were not maintained as part of Koss's accounting records. To the extent that reconciliations were conducted, they were improperly performed by the same persons who initiated or recorded the transactions (i.e. Sachdeva or Mulvaney), enabling those persons to make modifications to the reconciliations to cover up fraudulent entries.
  • While Sachedeva provided Michael J. Koss with reporting certifications for his review, he did not conduct an adequate review of Koss's accounting in connection with these certifications.
  • Based on the fraudulent accounting books and records prepared by Sachdeva and Mulvaney, Koss prepared, and Michael J. Koss certified, materially inaccurate audited financial statements and materially inaccurate current, quarterly and annual reports.

Source: Securities and Exchange Commission.

In Bishop's view, the SEC singles out Michael Koss and criticizes him for not inspecting the general ledger trial balance, not investigating unusual or frequent journal entries, and not looking behind certifications that were provided to him. “In any environment, the person who signs the certification and the SEC reports is going to have to rely on other people,” he says. “You can't expect them to double check everything.”

Others, however, say the SEC should have gone harder on Koss. “The penalty was so insignificant,” say Tracy Coenen, a forensic accountant and founder of forensics firm Sequence. “There was absolutely no internal control in place. (Michael) Koss was signing off of the financial statements without doing any due diligence on any company records. While he may not have directly perpetrated the fraud, his inaction allowed it to go on for so long.” She expected more criminal liability for a failure to carry out basic duties to the company, she says.

Focus on Fraud

Marty Rosenbaum, a partner with law firm Maslon Edelman Borman & Brand, says companies should see the Koss case as a reminder of why internal controls are important. “Everyone has focused for the last eight or nine years on internal controls as a technical exercise under Sarbanes-Oxley,” he says. “But the other aspect of internal control—and it's been around longer but is easy to lose sight off—is preventing fraud. It's hard at smaller companies, but it's important to second guess whether the system in place can prevent fraud. This employee made it look easy.”

Coenen points out that Koss more closely resembles a family-owned business than a public company, with the majority of its shares held by family members or insiders. It helps explain why the company had a small finance and accounting staff, with very few people holding key roles in managing books and records. She worries the SEC enforcement action doesn't come down hard enough, giving companies some cause to weigh the costs and benefits of internal controls. “It almost feels like a roll-the-dice situation,” she says. “If that's the only penalty, maybe I don't have to go through the cost and trouble of shoring up controls.”

The most important lesson, says Allan Bachman, education manager at the Association of Certified Fraud Examiners, is that every executive needs to keep a healthy skepticism. “This is a big lesson in oversight and trust,” he says. “Both were violated significantly here. The numbers are astounding for a company this size. Don't assume you're not susceptible.”