The Anti-Fraud Collaboration issued a new report Tuesday on the most common financial statement fraud themes noted in Securities and Exchange Commission (SEC) enforcement actions between January 2014 and June 2019. The study’s objective was to identify the areas of higher fraud risk and provide insights for those responsible for financial reporting.

The report, “Mitigating the Risk of Common Fraud Schemes: Insights from SEC Enforcement Actions,” analyzed 204 enforcement actions related to financial statement frauds, from which 140 fraud schemes were identified. Its findings and commentary on fraud deterrence and detection are particularly timely because of the increased risk of financial reporting fraud amid the coronavirus pandemic.

“There are three takeaways from the report,” said Julie Bell Lindsay, executive director at the Center for Audit Quality (CAQ). “First, the risk of financial statement fraud at public companies is real, and fraud risk has only increased due to COVID-19. Second, the strongest fraud deterrent and detection requires extreme vigilance from all participants in the financial reporting ecosystem: internal and external auditors, audit committees, public company management, and regulators. Finally, public companies can effectively fight fraud by continuously exercising professional skepticism, focusing their attention on high-risk areas across companies and company-specific risks and conducting regular quantitative and qualitative risk assessments.”

“Companies must acknowledge what they don’t know and engage advisors to counsel them in the moment to understand fraud risks and make decisions about resources. They may not be able to rely on past experiences about the kinds of fraud schemes to watch out for and how to strengthen controls.”

Brad Preber, CEO, Grant Thornton

The types of business challenges noted in the report’s enforcement cases include reduced demand; higher supplier costs; and pressures to meet forecasts and analyst expectations, all of which are present and heightened in the current environment. The SEC’s Division of Enforcement opened 150 COVID-related investigations and recommended several COVID-related fraud actions in the period from mid-March to September 2020 alone.

The report’s analysis of SEC data found the most common types of financial statement fraud were improper revenue recognition (43 percent), reserves manipulation (24 percent), inventory misstatement (11 percent), and loan impairment issues (11 percent).

Improper revenue recognition appeared as the most prevalent fraud area in almost every year of the study, resulting from timing, valuation, fictitious revenues, and use of the percentage of completion method. In the area of reserve manipulation, the report highlights how the new accounting requirements for measurement of credit losses under ASC 326 (CECL) require more judgment from senior management and encourage companies to consider additional potential fraud risks as they adopt the new accounting model.

“These two areas both require management judgments to make estimates, which makes them so susceptible to fraud,” said Grant Thornton CEO Brad Preber, co-chair of the Anti-Fraud Collaboration Steering Committee. “And they often are not based on facts that can be fully substantiated, or the facts can be manipulated to disguise judgments to look reasonable or supportable when they are not.”

False or intentionally incomplete financial statement disclosures, internal control material weaknesses, and unsupported journal entries were also observed to be significant areas for fraud.

How fraud risks pervade

External auditors play an important role in deterring and detecting fraud. The report notes they are one link in the financial reporting chain, and current business challenges and remote audits create enhanced risks for auditors.

“One thing that isn’t generally fully appreciated is that auditors are required to test management’s representations to provide reasonable assurance about whether there are material misstatements in the financial statements due to fraud or error. But the external auditor does not have an enhanced responsibility to detect fraud,” Preber said. “Fraud is intentionally designed to hide the transaction from external detection, and collusion makes it more difficult to find if management is not being truthful with the auditors.”

The report highlights the industries in which fraud was most frequently noted in enforcement actions. These include technology services companies (17 percent), finance (13 percent), energy (11 percent), and manufacturing (9 percent). There was a parallel between the most common types of fraud and these industry sectors; for example, technology services companies have complex revenue recognition issues and finance and energy firms struggle with reserve and loan impairment.

The findings were based on SEC filers of all sizes. Seventy-nine of the analyzed enforcement actions (39 percent) were against companies with market cap under $250 million, 44 (22 percent) were against small-cap companies, and 22 (11 percent) were against mid- and large-cap companies.

Public company chief financial officers (54 percent) were the most commonly charged employees, followed by chief executive officers (31 percent). Factors and root causes that can contribute to fraud include the tone set by company management, business challenges in a high-pressure environment, and inexperienced personnel.

“It’s important to have discussions about values and the need for ethical behavior in this environment,” Preber said. The report highlights the significance of tone at the top, including boards of directors and senior management. For big companies, tone in the middle also has a significant impact on fraud risk. “Middle managers are closest to financial reporting employees and must push down communication about corporate culture and values, especially in a remote environment,” Lindsay said.

Employees lacking experience and training are less able to identify and address fraud, according to the report. This can include complex accounting standards, internal controls, and awareness of fraud schemes perpetrated by others. “This is especially important for smaller companies,” Lindsay said. “If they don’t have the right people, they need to get them.”

Areas of deficiencies must also be evaluated. “Companies must acknowledge what they don’t know and engage advisors to counsel them in the moment to understand fraud risks and make decisions about resources,” Preber said. “They may not be able to rely on past experiences about the kinds of fraud schemes to watch out for and how to strengthen controls.”

According to the report, public companies can effectively fight fraud by exercising professional skepticism through independent thinking, having a questioning mindset throughout the financial reporting process, focusing attention on potential high-risk areas for the company and its industry, and conducting both quantitative and qualitative risk assessments on a regular basis. “The CAQ recommends fraud prevention should not be an afterthought in crisis planning and response—it should be the starting point,” Lindsay said. Companies are urged to remain vigilant and focused on the financial reporting fundamentals of controls and processes over recordkeeping and decision-making.

Preber recommends companies adopt a common-sense approach to risk management.

“Most businesses undertake an enterprise risk management exercise once a year, but the facts and circumstances have changed and require a more diligent and periodic review of risks with the right expertise,” he said. “Does the company have sufficient controls, policies, and procedures to mitigate fraud risk to an acceptable level? If not, they should give necessary resources to the board, internal audit, and middle management to address risks in a responsible way and not wait until after the fact.”