Friday, May 27, 2011

CityTime Payroll Scandal

CityTime is an automated payroll system for New York City employees. It’s been more than 11 years in the making, has cost over $722 million (originally estimated to cost $63 million in 1998) and six consultants have swindled more than $80 million from it according to a New York Times article.[1]

Incredibly, Karen Shaffer, an assistant commissioner of the Department for the Aging, acknowledged in a signed statement to the city's Conflicts of Interest Board that between March 2009 and August 2010 she was paid for 290 hours of work that she did not perform. 

She said she did so by manually entering false information into the CityTime automated payroll system.[2]


Finally, Officials at the contractor, Science Applications International Corp., said they will reimburse the city the $2.47 million that project manager Gerard Denault unfairly billed when he worked on the massive project to switch city employees to the system.


In a letter to the executive director of the city's Financial Information Services Agency - which now oversees CityTime - SAIC's senior vice president said it was impossible to determine how many hours Denault should have been paid for.[3]

Wrong Focus


CityTime was pushed by one powerful administration insider: the budget director, Mark Page. According to the New York Times, “Mr. Page, 62, a numbers cruncher … had become frustrated and distrustful of city workers… They described Mr. Page as “…a veteran bureaucrat and descendant of the financier J. P. Morgan -- …appointed in 2002. A dour man respected for his mastery of numbers, Mr. Page had long been frustrated by myriad union timekeeping rules.”


So we have a dour, frustrated, city bureaucrat who thinks strong controls are necessary to properly control the time keeping practices of city employees. Unfortunately, these strong controls are the wrong controls.


How many times have you observed an employee coming to work on time and leaving on time, but doing nothing during the day? Absolutely nothing!


In Albany New York, several auditors in my office observed a State employee sitting on top of a parking garage getting a tan every day. He would clock in, and then proceed to his supposedly hidden location. This went on for weeks. It took us a little time to identify the person, but our major question was – where was the supervisor?


Isn’t it more important for employees to be productive than to be clock watchers? Shouldn’t supervisors monitor productivity more than time? Personally, I value productivity over time rules.


People don’t like to be controlled. The more you control them, the more they rebel and figure out how to beat the system. Years ago, a major New York State agency required its employees to punch a time clock. One smart employee realized that Macy’s had the same time clock for its employees. So this enterprising State employee and a few of his colleagues would simply take the afternoon off and punch out at Macy’s!


Another important concept to keep in mind - most employees want to do the right thing. There are a relatively small group of liars, cheaters and people who steal. Unfortunately, management in many organizations create an environment that fosters the mistrust and distrust the dour Mr. Page was concerned about.


The CityTime system is approaching 3/4 of a billion dollars. It’s predicated on a concept that is doomed to failure as Assistant Commissioner Karen Shaffer already showed.


If managers would move to managing based on values instead of rules – the workplace would be better for it.


[1] Chen, David W., Serge F. Kovaleski, and John Eligon. "Behind troubled city payroll project, lax oversight and one powerful insider. " The New York Times (March 28, 2011)
[2] Chen, David W. "Assistant Commissioner Who Faked Time Sheets Is Demoted. " The New York Times (May 26, 2011)
[3] "CITYTIME BOSS' OWN CHEAT SHEET. " New York Post (New York, NY).  (May 26, 2011)

Tuesday, May 24, 2011

The Paradox of Control

One of the failures of the auditing profession is its inability many times to not assess properly the internal control system within an organization being audited. 

Much of the focus is on control activities. Unfortunately, auditors and regulators often place too much emphasis on the wrong control components under the misguided premise that control activities (i.e., policies and procedures) are the most critical elements of an organization's success. This misplaced focus can cause managers to respond with strong — but wrong — preventive controls over day-to-day activities, which ultimately frustrates efforts to correct an organization's real problems. It's important for students of the auditing profession to identify and implement the right controls to prevent the past practices, which have harmed major organizations involved in fraud and scandals over the years, from reoccurring.

Control activities are much more objective to assess than control environment issues. It is easy to read existing policies and procedures and to spot situations where duties should be segregated. It also is easy to review documents to determine whether policies and procedures were followed (e.g., Was an approval obtained when needed? Were bids sought when required?). However, it is much more difficult to assess management's philosophy and operating style. It is also difficult to review and estimate the integrity, ethical values, and competence of employees.

It's important to be clear on this issue because control activities — and the corresponding policies and procedures — are essential components of a good control system. Unfortunately, the focus on control activities is often for the wrong reason. Auditors routinely recommend that management segregate duties with the explanation that it is necessary to provide a check and balance on employees' duties, but the message this sends to employees is that they are not trusted.

Conversely, when an organization segregates duties, shouldn't it be to help assure efficiencies in the process and allow employees to monitor their own work as a team, correcting any errors before the transactions are complete? Employees can accept this reason much more easily than a message that says, "We don't trust you." You also accomplish several objectives, increase efficiency of operations, monitor operations, and help prevent improper activities, all while creating the right control environment.

TOO LITTLE FOCUS ON THE CONTROL ENVIRONMENT

NASA (a government agency) and WorldCom (a private sector agency) are examples of the many organizations that have confronted disasters and scandals throughout the years. By examining NASA's Columbia disaster and the WorldCom scandal, it's easy to see the drastic effect a lack of focus on the control environment can have on an organization.

Seven astronauts died when NASA's space shuttle Columbia disintegrated on its descent to Earth in February 2003. In assessing the cause of the accident, the Columbia Accident Investigation Board concluded: "Cultural traits and organizational practices detrimental to safety were allowed to develop, including:
  • Reliance on past success as a substitute for sound engineering practices, such as testing, to understand why systems were not performing in accordance with requirements.
  • Organizational barriers that prevented effective communication of critical safety information and stifled professional differences of opinion.
  • Lack of integrated management across program elements.
  • The evolution of an informal chain of command and decision-making processes that operated outside the organization's rules."

This analysis focused on the real cause of the Columbia failure — issues that are not typical of the areas on which auditors focus when conducting internal control reviews in an organization. The Columbia Accident Investigation Board concluded that regarding the space shuttle disaster, the control environment at NASA was flawed.

At WorldCom, the accounting problems that occurred resulted in the largest bankruptcy proceeding in United States history. In any large organization, senior management must work through others to get things done. In WorldCom's case, senior management had to work with the accountants in the accounting department to make the fictitious entries that would result in the appearance of improved financial performance. Toward that end, accounting records were adjusted by making general journal entries that moved line cost expenses to capital accounts. If an item is to be capitalized, it has to have a useful life beyond a year, the organization must have ownership, and someone should be able to verify its existence. The accountants knew line costs at WorldCom did not have a useful life beyond a year because they really represented lease costs for lines owned by other telecommunication companies. These were simply day-to-day operating expenses.

Several accountants expressed concern to their boss about this transfer, and WorldCom even had an internal accounting policy that prohibited it. The accountants in the accounting department at WorldCom were not the only ones who knew something was wrong. After the general journal was adjusted, it became necessary for the Property Accounting and Capital Reporting Group to adjust its records to reflect the increase in capital assets. Many people in this group knew there was no supporting documentation for these entries and expressed concern but did not go outside their group with questions.

Although the nature of NASA's Columbia disaster and the WorldCom scandal were quite different, the root cause of each — the control environment — was remarkably similar. These events weren't entirely caused by the lack of policies, procedures, or segregation of duties. The failures resulted from a flawed control environment where management chose a certain course of action, including overriding otherwise effective policies and procedures.

Monday, May 23, 2011

Going from the Big 8 to the Big 0??

The auditing profession has confronted significant changes over the last several decades. The major CPA firms, considered capable of auditing the world’s largest publicly traded companies, have undergone consolidation or liquidation (Arthur Andersen). Major corporate scandals have rocked the financial markets.

Is this a sustainable activity – paying for audits that do not uncover the major frauds that are occurring? Why do the major auditing firms fail to find the frauds even though the auditing standards require the auditing firms to actively search for fraud? What would happen if the model for auditing required the insurance companies to hire the auditors before insurance for company, officer and director liability could be issued?

The issue of independence is so fundamental to an effective auditing system that brings accountability to stakeholders (creditors, shareholders, future shareholders, taxpayers, the public).

Unfortunately, independence is sacrificed far too often in the auditing profession.

Big 8 (until 1987)
1.     Arthur Andersen
4.     Ernst & Whinney (until 1979 Ernst & Ernst in the US and Whinney Murray in the UK)
5.     Deloitte Haskins & Sells (until 1978 Haskins & Sells in the US and Deloitte & Co. in the UK)
6.     Peat Marwick Mitchell (later Peat Marwick, then KPMG)
7.     Price Waterhouse
8.     Touche Ross

Big 6 (1989–1998)
1.     Arthur Andersen
3.     Ernst & Young (1989 - Ernst & Whinney merged with Arthur Young)
4.     Deloitte & Touche (1989 - Deloitte, Haskins & Sells merged with Touche Ross )
5.     KPMG
6.     Price Waterhouse

Big 5 (1998–2001)
  1. Arthur Andersen
2.     Ernst & Young 
3.     Deloitte & Touche 
4.     KPMG
5.     PricewaterhouseCoopers (July 1998 when Price Waterhouse merged with Coopers & Lybrand)

Big 4 (2002–)
1.     Ernst & Young 
2.     Deloitte & Touche 
3.     KPMG
4.     PricewaterhouseCoopers
(Enron  was audited by Arthur Andersen, which eventually was indicted for obstruction of justice for shredding documents related to its audit. The resulting conviction, since overturned, resulted in the demise of Arthur Andersen. )
**********************************
But, let’s look at the major accounting scandals over the last several decades. Everyone, except Paramalt and Bernard Madoff were audited by the one of the Big 4-8 firms.
Company
Year
Audit Firm
Country
Notes
1996
United States
1997
United States
1998
United States
1999
United States
Financial mistatements
2000
United States
2000
United States
2000
Belgium
Fictitious transactions in Korea and improper accounting methodologies elsewhere
2000
United States
Falsifying financial results
2001
Australia
2001
United States
2002
United States
2002
United States
Inflated sales
2002
United States
Inflated revenues
2002
United States
Round trip trades
2002
United tates
Round trip trades
2002
United States
Round trip trades
2002
United States
Round trip trades
2002
Bermuda
Network capacity swaps to inflate revenues
2002
United States
Improper booking of cost overruns
2002
United States
2002
United States
Misleading accounting practices
2002
United States
Conflict of interest
2002
United States
Overstated assets, understated liabilities
2002
United States
Overstated sales
2002
United States
Round trip trades
2002
Bermuda
Improper accounting, Dennis Kozlowski
2002
United States
Overstated cash flows, Bernard Ebbers
2003
Netherlands
Inflating promotional allowances
2003
Italy
Falsified accounting documents, Calisto Tanzi
2003
United States
2003
Distributed ill advised corporate bonuses to top 43 managers
2004
United States
Accounting of structured financial deals
2008
Massive Ponzi scheme.[39]
2008
Ireland
2009
India
Falsified accounts
2010
United States
Failure to disclose Repo 105 transactions to investors