In his keynote address to Securities Enforcement Forum West 2020, SEC Enforcement Co-Director Steven Peikin discussed some of the efforts of the Division of Enforcement to detect misconduct arising out of the COVID-19 pandemic and related market disruption, including the formation of a steering committee to proactively identify and monitor areas of potential misconduct. Of particular interest here are the focus on insider trading and financial and disclosure-related fraud.
Are we just reading the wrong newspapers and reports or does it seem that auditors—although they spend hours and hours performing audits—rarely identify instances of fraud? Most companies rely on their auditors to uncover irregularities and breathe a sigh of relief when the audit comes up “clean.” Is that reliance misplaced? Probably so, according to this article from CFO.com. “Audits almost never find fraud,” the author writes; the data shows that “external audits find it 4% of the time, and internal 15%.” Instead, the author suggests, to detect fraud, management should look in a different direction.
It’s not just Dodd-Frank that has been roundly disparaged in some quarters, SOX 404(b)—the requirement to have an auditor attestation and report on management’s assessment of internal control over financial reporting—has also recently been much maligned. For example, at a recent House subcommittee hearing devoted to the reasons for the decline in the number of IPOs and public companies, a majority of the subcommittee members attributed the decline largely to regulatory overload, with a number of the witnesses training their sights directly on SOX 404(b). (See the SideBar below.) And then there are the legislative efforts to limit the application of SOX 404(b), such as the provision in the Financial Choice Act to allow certain time-lapsed EGCs another five-year exemption from the audit-attestation requirement. (See this PubCo post.) Whether you view these efforts as heavy-handed or not enough of a good thing, the notion that internal controls might diminish fraud risk remains controversial: some maintain that they are a strong deterrent, while others challenge that contention in light of management’s ability to override controls. A recent study by academics in Texas analyzed whether the strength of internal control significantly affects fraud risk. The result: the study found “a strong association between material weaknesses and future fraud revelation,” leading to the authors’ conclusion that “control opinions that do cite material weaknesses provide a meaningful signal of increased fraud risk.”