As Congress debates whether to exempt non-accelerated filers permanently from internal control audits—and that debate may take much longer than many expect—lawmakers might want to ponder the breathtaking fraud at Koss Corp. and its implications for external auditors’ role in preventing and detecting management deception.
Koss, a maker of stereo headphones in Milwaukee with a market capitalization of $32 million, fired its longtime vice president of finance and secretary, Sujata Sachdeva, last month after she was indicted by the Federal Bureau of Investigation on six counts of wire fraud. Sachdeva is accused of helping herself to $31 million over the course of five years to pay for clothing, furs, purses, jewelry, cars, china, furniture, home improvements, and more. American Express tipped off the FBI when it noticed corporate funds were being used to pay her personal credit card bills.
Without question, the $31 million is chump change compared to history’s larger corporate frauds—but in relative terms, the amount is huge. Allan Bachman of the Association of Certified Fraud Examiners calls it “a staggering amount for such a small organization.” The company’s internal investigation so far suggests fraud losses in several reporting periods equaled or even exceeded corporate earnings.
The plot thickens. Days after firing Sachdeva, Koss also fired its independent audit firm, Grant Thornton, and replaced it with Baker Tilly Virchow Krause, a regional firm in the Chicago area. Grant Thornton had audited Koss financial statements since fiscal year 2006 after Koss dismissed PricewaterhouseCoopers from the audit work but retained PwC for tax purposes.
Now recriminations are flying back and forth between Koss and Grant Thornton, shining a fierce spotlight on the problem of weak internal controls at small companies, and exactly who is responsible for raising what alarms about them.
As a public company with a market cap well below $75 million, Koss is a non-accelerated filer and therefore not yet subject to Section 404(b) of the Sarbanes-Oxley Act, which requires an external auditor’s review of internal controls over financial reporting. The company must perform its own review of controls and assert in its financial statements whether those controls are adequate (that is Section 404(a) of SOX), but they are not required to get an auditor’s opinion on those controls.
Grant Thornton was quick to point out that fact in a statement immediately following its dismissal, trying to distance itself from the Koss meltdown. “The fraud was apparently conducted by a long-time, trusted senior financial executive who was hired and supervised by senior management,” Grant Thornton said through a spokesman. Koss “did not engage Grant Thornton to conduct an audit or evaluation of internal controls over financial reporting. Establishing and maintaining effective internal control is management’s and the board’s responsibility.”
The audit firm is correct that Koss is ultimately responsible for policing its ranks and maintaining control over finances, says Peter Kyviakidis, managing director for consulting firm LECG. But that doesn’t mean an audit firm can ignore a client’s internal controls, even if not required by law or hired by the client to audit them.
“The second standard of fieldwork specifically requires the auditor to obtain an understanding of an entity’s internal control in a manner sufficient to plan the audit engagement,” Kyviakidis says. “This is a necessary and required part of every financial statement audit.”
Who Is Responsible for What
Kyviakidis contends that the basic principle is as old as auditing itself, although the standard, SAS 109, was updated by the American Institute of Certified Public Accountants in 2006. The Public Company Accounting Oversight Board does govern public company audits, but the earlier, similar version of the AICPA standard was embraced by the PCAOB when it adopted existing professional standards as its interim standards in 2003.
“A person interested in committing fraud can pull it off if they want to. The oversight of the external auditor is not an absolute guarantee .”
Association of Certified Fraud Examiners
After assessing and considering the control environment, auditors are then required to plan their audit with the soundness of controls in mind, Kyviakidis says. If the auditor deems that controls in a given area are inadequate, then he or she must do more substantive testing on account balances.
Jay Thibodeau, professor of accountancy at Bentley University, and Jack Paul, professor of accounting at Lehigh University, agree that an understanding of controls is fundamental to every audit engagement, whether subject to SOX requirements or not. Other professional standards also require auditors to consider the possibility of fraud and to signal management if internal controls are deemed inadequate. These requirements generally are described in the PCAOB’s AU Section 300 standards governing fieldwork.
Tracy Coenen, a forensic accountant and fraud examiner at Sequence Inc. who has been following the Koss spectacle closely, notes that Koss had no formal internal audit function, and that certainly could have been a red flag to Grant Thornton that the quality of controls would be suspect. But there’s no way to know from publicly available documentation what the auditor thought of Koss’s controls.
Coenen says the audit fees Koss paid to Grant Thornton were low enough ($151,300 in fiscal 2009 but only $71,400 in 2008) that one can’t help but wonder how much audit work actually occurred. Kyviakidis, on the other hand, says auditors have enough pressure about fees and legal liability these days that the amount paid may not reflect the amount of work that truly went into the audit.
Below is an excerpt of an FBI statement on its indictment of Former Koss Corp. Executive Sujata Sachdeva
United States Attorney James L. Santelle announced that a grand jury sitting in Milwaukee returned a six-count indictment charging Sujata Sachdeva (46) of Mequon, who is also known as Sue Sachdeva, with six counts of wire fraud. Ms. Sachdeva is the former Vice President of Finance, Secretary, and Principal Accounting Officer for Koss Corporation, a publicly traded company located in Milwaukee, Wisconsin.
The indictment alleges that Sachdeva used her position at Koss to fraudulently obtain more than $31 million from Koss, which she used to purchase personal items and pay for personal expenses. According to the indictment, Sachdeva authorized numerous wire transfers of funds from bank accounts maintained by Koss to pay for her American Express credit card bills. In addition, Sachdeva used money from Koss’s bank accounts to fund numerous cashier’s checks, which she also used to pay her personal expenses. Sachdeva used the money she fraudulently obtained from Koss to purchase personal items including women’s clothing, furs, purses, shoes, jewelry, automobiles, china, statues, and other household furnishings. Sachdeva also used the money to pay for hotels, airline tickets, and other travel expenses for herself and others, to pay for renovations and improvements to her home, and to compensate individuals providing personal services to her and her family.
According to the indictment, Sachdeva sought to conceal her fraud by directing other Koss employees to make numerous fraudulent entries in Koss’s books and records to make it appear that Sachdeva’s fraudulent transfers were legitimate business transactions. Sachdeva directed Koss employees to conceal her fraudulent transfers as well as the fraudulent entries in Koss’s books and records from Koss’s management and auditors.
Each of the charges against Sachdeva is based on a specific wire transfer of funds from Koss’s bank account to American Express to pay for Sachdeva’s credit card bills.
The indictment also seeks the forfeiture of property alleged to have been purchased with the proceeds of Sachdeva’s fraud should she be convicted in this matter. Among this property is her residence located in Mequon, Wisconsin, a 2007 Mercedes Benz, and clothing, jewelry, art objects, and household items seized from Sachdeva’s home and two storage units she maintained in Milwaukee. In addition, the indictment seeks the forfeiture of various items of clothing, jewelry, art objects, and other items currently in the possession of five merchants in the Milwaukee area, as well as a hand-carved door and a vacation ownership interest in a resort property.
According to United States Attorney James L. Santelle “this case is one of the largest embezzlement cases ever brought in this district, and demonstrates the ongoing commitment of this office and the FBI to investigate and prosecute white collar offenses.”
Each count of the indictment carries a maximum possible penalty of up to 20 years in prison and a fine of up to $250,000. Sachdeva, therefore, faces a total maximum penalty of up to 120 years in prison and fines of up to $1.5 million, plus forfeiture of the items identified in the indictment and restitution.
This matter was investigated by the Federal Bureau of Investigation and has been assigned to Assistant United States Attorneys Matthew L. Jacobs and Scott J. Campbell for prosecution.
An indictment is only a charge and is not evidence of guilt. A defendant is presumed innocent and is entitled to a fair trial at which the government must prove guilt beyond a reasonable doubt.
The Federal Bureau of Investigation (Jan. 20, 2010).
“Oftentimes with smaller entities, if the audit requires more time than you thought it might have taken, sometimes you don’t get to recover that because the clients are not willing to pay you for over-runs,” he says.
It’s also not clear whether a full audit of internal control as required by Section 404(b) would have caught the alleged Koss fraud anyway, says Bachman of the ACFE. But at the least, “It would have been harder for [the fraud] to go on,” he says.
But even with a Section 404(b) audit, testing takes place only on samples and not every transaction, he says. That leaves the possibility that fraud might still go on undetected. “A person interested in committing fraud can pull it off if they want to,” he says. “The oversight of the external auditor is not an absolute guarantee.”
Jim DeLoach, managing director at Protiviti, agrees that auditors are required to consider the possibility of fraud as they plan their audits, but that doesn’t imply a guarantee that a fraud will always be uncovered. “Audit procedures have their limitations when there’s massive collusion and deception,” he says.
DeLoach also struggles with the question of whether Section 404(b) audits in general make it more likely that a fraud will be detected or prevented. “In theory, I’d like to say yes, but I really have no empirical base to draw on,” he admits. “It’s an important question because frankly if the answer was no, then you kind of wonder what are we doing this for?”
That’s the question being asked on Capitol Hill these days—with members of Congress reaching no clear consensus so far. As part of financial regulatory reform, some members of Congress called for a permanent exemption for smaller companies. The House did pass a measure that called for further study of the cost and benefit of Section 404(b). The Senate Banking Committee originally planned to tackle regulatory overhaul last fall, but the bill proposed by Sen. Christopher Dodd fell flat, and the arrival of newly elected Sen. Scott Brown, R-Mass., doesn’t make consensus any easier to achieve.
Meanwhile, the Securities and Exchange Commission is sticking with its plans to require Section 404(b) compliance for non-accelerated filers starting with annual reports for fiscal years that end on or after June 15, 2010. If Congress does not act by then, small filers may well have an answer to Section 404(b)’s usefulness whether they like it or not.