Previously mentioned that AU-C 505.07 requires auditors to look at the address used on confirmations.
Here are three illustrations of how things can go sour when sending bank confirmations: PFGBest, Parmalat, and a small company in North Carolina:
PFGBest – Peregrin Financial Group
The organization’s CEO was sentenced to 50 years in prison and ordered to pay restitution of $215.5 million.
That is approximately the amount he stole from his customer money over the course of a 20 year scam.
He was brilliant, in the way that evil can sometimes be brilliant, in the steps he took to cover up the thefts.
He had the unopened monthly bank statements left on his desk so he could review them for unusual items.
Hey, that’s a great internal control! I recommend it to my clients.
Unfortunately, he created unusual items instead of looking for them. He took the statements, scanned them, altered critical information, and then printed clean, neat statements that appeared to be originals. Then gave the altered documents to the staff to reconcile the accounts.
He gained control over the P.O. box used by the bank after they stopped using it. He put that address on statements. That is of course the address used by the auditors to send the confirms. He intercepted the confirms at the box he controlled, signed them, and mailed them back.
He had a fax number set up that regulators used for confirmation work.
Above comments are summarized from my post here which was based on quotes from his suicide note.
Quite an amazing scheme. I think gaining control over a P.O. Box that had previously been controlled by the bank is the most astounding & impressive part. How do you pull that off?
And as you laugh at the auditors and regulators who he deceived for a couple of decades, answer me this: What procedures in your audit would have detected that fiasco?
Parmalat
A huge Italian food and dairy corporation had a massive scandal that unwound in 2003 & 2004. For short summary of the story, go to Wikipedia here
The part of the story relevant to this post is that one of many subsidiaries, Bonlat, had a lot of cash in a Cayman Island bank account. That’s a lot, as in €3.95 billion. As in, about US$5.25 billion. With a “b”.
My recollection of reading at the time (sorry, couldn’t find a cite after several minutes of searching) is that the auditor of the sub mailed a confirmation to the bank (name doesn’t matter) in the Cayman Islands. The fraudsters intercepted the confirm (through a dummy mailing address if memory serves correctly), signed it (obviously), and mailed it back to the auditors in Italy.
Confirm ties. Sign off the audit step. Cash area is done. On to the next area.
Only problem is that dummy account is where Parmalat was hiding much of their losses. Other big area was unrecorded loans payable.
The bank announced that the cash confirmation was a fraud. There wasn’t an account with billions of Euros just sitting around while Parmalat was borrowing huge amounts on the bond market.
So, this is another cash confirm fraud that hid a collapsed company.
Materiality
What really astounded me is the materiality.
Look at the 2004 financial statements, which contain the comparable data for 2003.
I recast the 12-31-03 balance sheet as follows, which is after the fraud was discovered and all balances corrected:
- €4,204M – total assets
- €3,632M – liabilities other than long-term debt
- €13,713M – long term debt & borrowings
- €17,345M – total liabilities
- <€13,140M> – deficit in stockholders equity
Check out these key amounts in the 2003 income statement:
- €5,742M – total revenue
- €11,397M – extraordinary loss – presumably most if not all of the fraud losses
- <€15,119M> – net loss
Assuming the only adjustment to assets was the €3.95B fake bank account, that would have put total assets at 12-31-03 at about €8.15B if the fraud hadn’t been discovered.
Here is the staggering question. In the context of an €8B balance sheet, the auditor of a subsidiary (not the auditor of the consolidated parent but a sub) mails a paper confirm for one bank account with a balance of €3.9B to an address in the Cayman Islands? That’s roughly in the ballpark of the size of consolidated revenue.
In case you didn’t see my jaw on the floor, that is a confirm equal to US$5,250,000,000 when consolidated revenue is about US$10,830,000,000.
My advice? Do a few extra steps when the idle cash at a bank is roughly equal to total revenue. Oh, that one bank account is the largest item on the consolidated balance sheet.
A mere $6 million scheme
My friend Charles Hall, who blogs at CPA-Scribo, calls our attention to another scam in North Carolina. He discusses the issue in his post, Fake Bank Confirmation Responses. The whole scam is a rounding error compared to PFGBest or Parmalat. That actually brings it down to something that could happen at a client of the CPAs reading this blog, which also makes it more frightening.
The FBI press release is here.
You will probably recognize the core of the scheme from this paragraph. From the FBI:
According to filed documents, Shepherd [the owner who agreed to plead guilty to securities fraud] was able to obtain the Independent Auditor’s Report each year by tricking the accountant who provided it. According to common practice at the time, the accountant would send a letter of inquiry to the bank the fund held its account, requesting the fund’s cash balance. On each occasion, the accountant sent the inquiry letter to the bank’s P.O. Box address provided by Shepherd and to the attention of “Charles Fisher,” who was purportedly working at the bank. In each instance, records show that the accountant would then receive a letter or fax confirmation from Charles Fisher verifying the Major Play Fund’s bank balance, as well as a copy of the bank statement confirming the cash balance of the fund. In reality, court documents indicate, Charles Fisher was a fictitious bank employee. Shepherd would forge the name Fisher on a fake bank letter and send forged bank statements with fake balances. Shepherd generated the fraudulent bank statements using a version of Adobe Acrobat that enabled him to type false numbers over true bank statements. Shepherd also controlled the P.O. Box the accountant’s letters were mailed to and controlled the fax number that supposedly belonged to Charles Fisher at the bank.
It’s the now-typical scheme of controlling a dummy account to intercept the confirmation along with altering bank statements.
It’s not just cash
These scams involved faked bank confirmations and altered statements. The same issue applies anytime you use confirmations in areas such as notes receivable, accounts receivable, grants receivable, investments, accounts payable, notes payable, sales, and donor contributions.
Thus, it makes perfectly good sense to be far more careful with confirmations. New comment in AU-C505.07 makes this a requirement. See previous post on that point.
Pingback: Journalist falling for teen claiming $72M in stock market profits is object lesson for auditors | Attestation Update - A&A for CPAs
Pingback: Fraud based on faked bank deposit at Parmalat settled by Grant Thornton for $4.4 million | Attestation Update - A&A for CPAs