Saturday, July 30, 2011

A Clerk Rips off Sloan-Kettering Cancer Institute


“A former employee of Manhattan's Memorial Sloan-Kettering Cancer Center pleaded guilty Tuesday to stealing more than $1.5 million[1] from the hospital in the form of printer toner.
Marque Gumbs, 33 years old, pleaded guilty to grand larceny and prosecutors are expected to recommend a far more lenient prison term than the up to 25 years he faced if convicted at trial.
He will be sentenced next month in state Supreme Court in Manhattan. The Wall Street Journal first detailed the allegations against Mr. Gumbs in December.
According to prosecutors, Mr. Gumbs was employed by Memorial Sloan-Kettering at its main outpatient campus on East 53rd Street as a receiving clerk who was responsible for ordering, receiving and stocking ink cartridges for the printers at the facility. In that role, he had password-protected access to a computer used to order the toner supplies from Office Depot.
Once the toner cartridges were ordered, Mr. Gumbs allegedly instructed drivers from Office Depot to call him and he would meet them in the street to accept the delivery before it reached the normal receiving area. None of the ink toner cartridges were compatible with any machines at the campus, prosecutors said.
Between September 2007 and August 2010, Mr. Gumbs ordered and diverted more than $1.5 million toner, prosecutors said. The proceeds were used to finance purchases from designer stores, travel and stays at expensive hotels and a 2011 BMW X6. He rented a $2,250 a month apartment at the Trump Plaza in New Rochelle.
His actual income from the hospital was $37,800 a year. A Sloan-Kettering spokeswoman said Mr. Gumbs had been employed there since 1999, but was fired after his arrest.
Mr. Gumbs will be sentenced on Aug. 8, when the Manhattan District Attorney's office is expected to recommend 2½ to 7½ years in prison, in addition to the forfeiture of gains from the scheme. Mr. Gumbs would have faced between 8 1/3 and 25 years in prison if he was convicted at trial.”
Controls

Sloan-Kettering is a world renowned cancer institute.  I’ve never been involved with Sloan-Kettering and I do not have any knowledge about its system of internal control within the Finance Office. However, based on my 37 years of audit experience, I suspect the Finance Office operates in a traditional manner with a number of clerks involved in the paper pushing that gets a transaction from the request of the operating units to the check to the vendor.

In the traditional finance office, purchasing involves the following documents:

  •           Purchase request
  •       Purchase order
  •         Receiving report
  •         Invoice
  •         Voucher
  •         Payment – electronic or check


Mr. Gumbs was a $37,000 a year clerk, so it is a good guess management chose to use clerks and not professionals to manage the finance office.
Clerks take the paper that is produced and move it from one stage to the next. They assure the paperwork is complete and internally consistent. They assure the process is followed.

What they don’t do is get off their duff and go to the field to see, if in fact, the items purchased were actually received and if they are of the quality that was actually ordered.

This failure to verify the substance of the underlying transaction allows frauds, such as the one committed by Mr. Gumbs, to continue for extended periods of time.

Clerks also do not spend time studying the incredible amount of data that exists over the purchasing process. If someone had been analyzing toner purchases (which we know is a real temptation to employees), they should have been able to detect the high level of purchases that would warrant further review.

Data analysis also might have detected that the toner purchased was not consistent with the type of toner needed by the printers used at Sloan-Kettering.

Many finance offices operate in an obsolete and outdated manner. They do not rely on the modern, sophisticated data analysis and data mining tools that will allow for the early detection of improper practices.


The Auditors Role

As I read audit reports of the activities over financial activities, I do not see recommendations to revamp the underlying approach of the finance office. Instead, I see traditional recommendations for strong controls, including more documentation and more segregation of duties.

What’s really needed is people with different skills who can analyze data and can go out to the operating locations to be sure the organization received what it paid for.

We don’t need people looking at paper. In fact, in a real cutting edge office, most of the transactions would be electronic. There would be minimal paper.


Conclusion

The fraud at Sloan-Kettering could have been detected sooner, and stopped, if the staff in the finance office were trained and skilled in data analysis. The more data systems that are available to finance office staff, the more they can modernize the operations of the finance office, and the more they can add real value to the financial affairs of the organization for which they work.

Managers within an organization should not jump to the whims of an auditor unless the recommendation is truly cutting edge and adds real value to the process. 

Too often, auditors recommend strong controls, but they are the wrong controls.


[1] Other papers reported the total cost of the fraud at $3.8 million. $1.2 million was for the period October 2009 to August 2010.

Saturday, July 23, 2011

COSO's Internal Control - Integrated Framework Update Project

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has decided to update its original report Internal Control - Integrated Framework. This important document has guided government agencies and public companies since it was issued in 1992. While not required by Sarbanes Oxley, it is an appropriate framework to evaluate internal controls in publicly listed companies.
The federal government requires all agencies to use the framework as it is embodied in the US Comptroller General’s guidance on internal controls for federal agencies.
Finally, many states, such as New York, have laws requiring internal control systems for state agencies and the guidance provided mirrors the COSO concepts. There are other internal control frameworks around the world that are worth examining, including:
In 2004, COSO issued another document called Enterprise Risk Management — Integrated Framework. This report though fogged up the concepts, so most people reading it, give up. I can’t find many people who have read, and are implementing, the concepts. That’s too bad.
Plans for the New Document
COSO says it plans to “Mak[e] more crisp and concise those areas of lengthy discussion in the original Framework that have become institutional knowledge.” If they do so, they should be congratulated. They have to keep it simple if they want it to be accepted and implemented. Here’s what else they may do:
  • Reflect the increased use of IT in business operations (e.g., ERP systems, other automation tools, internet);
  • Expand the financial reporting objective to include consideration of management reporting and external reporting more broadly (not intended to affect the scope of Sarbanes-Oxley compliance which remains focused on internal controls over financial reporting), (e.g., enabling reporting on sustainability and various third party standards);
  • Provide more detail around key governance principles (e.g., responsibilities of the audit committee, compensation committees, and alignment of incentives);
  • Explain the linkages between Internal Control and Enterprise Risk Management frameworks to enable more effective and integrated application in practice;
  •  Expand the discussion on risk assessment
  • Reflect changes in business models (e.g., increased use of outsource providers, increased rationalization of supply chain and infrastructure management)
  • Consider the nature and broader impact of fraud in the business environment (e.g., inappropriate use of assets, intentional misrepresentation) and
  • Incorporate core aspects of the 2006 Internal Control over Financial Reporting Guidance for Smaller Public Companies and the 2009 Guidance on Monitoring Internal Control Systems.

COSO supposedly has a survey for your input that remains open through September 1, 2011, but if you try to use the web site, the link is broken. But, you could write to this e-mail address and maybe someone will respond: icif@us.pwc.com – I haven’t tried it, so I don’t promise you will get through.  You could also contact Scott McCallum at  scott.mccallum@theiia.org to express your views on the internal control framework.
I did respond to the survey when it first came out. I think it is a good document that is relatively easy to understand. Mucking it up isn’t going to help.
The projected publication date of the updated Framework is mid-2012 and COSO expects the five components of the framework will remain relatively unchanged.  

Saturday, July 16, 2011

Chinese Audits – More Scrutiny on the Way For Auditors

As a follow-up to my blog last week on Sino-Forest Corp. I read where Thomson Reuters reported,

“U.S. regulators, reeling from a series of scandals over U.S.-listed Chinese companies, will head to Beijing to discuss launching audit inspections while regulators in Canada announced a probe of foreign issuers.

“U.S. audit watchdog PCAOB and the SEC confirmed they would send a delegation to talk to authorities in Beijing about the oversight of China-based auditors. Neither said when the meetings would take place, but Bloomberg News reported from Beijing they would take place on July 11 and 12.

“Meanwhile, the Ontario Securities Commission on Tuesday said it would review companies listed on Canadian exchanges with significant business operations in emerging markets. It said it would focus on the roles played by auditors and underwriters and would take enforcement actions as needed.

“Concern about Chinese companies has risen in the United States and Canada where stocks have been de-listed, trading has stopped, share prices have collapsed, auditors have resigned and regulatory probes have been launched.”


As one more example of the need for auditors to step up their efforts to find fraud, The Securities Exchange Commission announced that it has obtained a court order freezing the assets of China Voice Holding Corp., which trades in over-the-counter markets and has claimed to have a portfolio of telecommunications products and services in both the U.S. and China. The SEC alleges that China Voice's co-founder and his two associates are operating an $8.6 million Ponzi scheme and misusing its proceeds, in part, to help fund the company's operations.


The SEC alleges that David Ronald Allen, who also was China voice's chief financial officer, and his associates Alex Dowlatshahi and Christopher Mills promised investors in a series of offerings of limited partnerships that they would earn returns of at least 25 percent on their investments. Investors were falsely told that their money would be loaned to companies with a demonstrated track record and large profit margins. Instead, Allen and his cohorts used investor funds to pay back investors in earlier partnerships and funneled investor money to China Voice and a complicated web of other companies that Allen controls. Allen and his associates also siphoned investor money to enrich themselves and family members.


In light of this enforcement action, I wondered what the auditor had said?

In our opinion, the consolidated financial statements referred to above present fairly, in all material respects, the financial position of China Voice Holding Corp. and subsidiaries as of June 30, 2009 and 2008 and the results of its operations and its cash flows for the years ended June 30, 2009 and 2008, in conformity with accounting principles generally accepted in the United States of America.

The accompanying consolidated financial statements have been prepared assuming that the Company will continue as a going concern. As discussed in Note 2 to the consolidated financial statements, the Company has incurred net losses of approximately $6,370,697 and $5,277,203 for the years ended June 30, 2009 and 2008, respectively.  Additionally, during the years ended June 30, 2009 and 2008, the Company has used cash flow in operations of approximately $2,519,395 and $4,170,590 in 2009 and 2008, respectively.  Accumulated deficit amounted to $29,576,504 and $22,483,047 as of June 30, 2009 and 2008, respectively. These factors raise substantial doubt about its ability to continue as a going concern. Management’s plans concerning these matters are also described in Note 2. The accompanying consolidated financial statements do not include any adjustments that might result from the outcome of this uncertainty.

/S/JIMMY C.H. CHEUNG & CO
Certified Public Accountants

Hong Kong

Date:  October 27, 2009


Audit fees for the years ended June 30, 2008 and 2009, and review of financial statements for the initial Form 10Q for the period ended December 31, 2008 and the Form 10Q for the Quarter Ended March 31, 2009 totaled $376,970.


The following year the Company has not been able to produce an audit because of material uncertainties regarding its viability and asset valuations.


Audit fees for the years ended June 30, 2009 and 2010, and review of quarterly financial statements totaled $353,431.


Good for the auditor to have the courage to not issue an opinion! Unfortunately, the auditors were again not able to find the fraud that existed and it took the efforts of an outside regulator to uncover the potential fraud.


But wasn’t there at least one red flag that the auditor should have spotted and pursued? When the CFO promises investors in a series of offerings of limited partnerships that they would earn returns of at least 25 percent on their investments – shouldn’t all sorts of bells gone off for the auditors?


I learned that simple concept when I was in college and I brought an investment opportunity I was considering to my friend, a former vice-president of Merrill Lynch. He said the rate of return was too good to be true and to steer clear of this fraudulent transaction. Shortly thereafter, he was proven right!


Auditors have to listen and to increase their level of professional skepticism if they have any hope of finding the fraud that may exist in the companies they audit.

Saturday, July 9, 2011

Sino-Forest Corporation – The Auditor’s Opinion – Is It Enough?

Sino-Forest is a commercial forest plantation operator in China. Its principal businesses include owning and managing plantation forests, the sale of standing timber and wood logs and manufacturing engineered-wood products. The majority of the tree plantations and operations are located in southern and eastern China, primarily in inland regions suitable for large-scale replanting.

On March 11, 2011, Ernst & Young issued an Independent Auditors’ Report on Sino-Forest Corporation. The auditors said, “In our opinion, the consolidated financial statements present fairly, in all material respects, the financial position of Sino-Forest corporation as at December 31, 2010 and 2009 and the results of its operations and cash flows for the years then ended in accordance with Canadian generally accepted accounting principles.”[1]

This report is the same one issued for thousands of other companies and really doesn’t tell the reader much. But, wouldn’t an interested reader want to know just what the Canadian auditors at Ernst did to check the inventory in China. What records did it inspect? How many tree plantations did the auditors visit? Who did the work – were they qualified to do it? Was it people from Ernst’s Toronto office, which signed the report, or people from a Chinese affiliate? How many auditors did the work and how quickly was it done (was it cursory or extensive)? How did they verify ownership of the underlying assets of the company?

Three months later on June 2, 2011, Muddy Waters Research issued a report that said, “As Bernard Madoff reminds us, when an established institution commits fraud, the fraud can become stratospheric in size. Sino-Forest Corp. (“TRE”) is such an established institutional fraud, becoming massive due to its early start, luck, and deft navigation. At nearly seven billion dollars in enterprise value, it will now end.” 

Now that’s an opening in a report I’m sure most readers would want to pursue reading!

The result of that report was a dramatic drop in Sino-Forest’s stock price:

Now, Muddy Waters Research is in the business of short selling stock. Depending on the size of its investment, Muddy Waters made a lot of money! But they backed up their assertion that Sino-Forest was a fraudulent company with a significant amount of information. They said:

·         The foundation of TRE’s fraud is its convoluted structure whereby it runs most of its revenues through “authorized intermediaries” (“AI”). AIs supposedly process TRE’s tax payments, which ensures that TRE leaves its auditors far less of a paper trail.
·         On the other side of its books, TRE massively exaggerates its assets. We present smoking gun evidence that TRE overstated its Yunnan timber investments by approximately $900 million.
·         TRE relies on Jakko Pöyry to produce reports that give it legitimacy.[2] TRE provides fraudulent data to Pöyry, which produces reports that do nothing to ensure that TRE is legitimate.
·         TRE’s capital raising is a multi-billion dollar ponzi scheme, and accompanied by substantial theft.

I also reviewed Jakko Pöyry’s report and was surprised at the significant disclaimers, including: “Pöyry makes no representation or warranty, expressed or implied, as to the accuracy or completeness of the information provided in this report or any other representation or warranty whatsoever concerning this report. This report is partly based on information that is not within Pöyry’s control. Statements in this report involving estimates are subject to change and actual amounts may differ materially from those described in this report depending on a variety of factors.”

Do we know if, in fact, Ernst relied, in part, on this work in making its audit opinion? Did Ernst do its own assessment of the value of the timber reported on Sino-Forests balance sheet? The reader wouldn’t know by reading the audit report.

In most government audit reports, the auditor’s report includes a description of the audit objectives, and the scope and methodology used for addressing the audit objectives. This information gives the reader an understanding of the purpose of the audit, the nature and extent of the audit work performed, the context and perspective regarding what is reported, and any significant limitations in audit objectives, scope, or methodology.

Maybe the public auditors could take a lesson from their government counterparts and provide us with more comprehensive information supporting the audit opinions that are offered today.

The Canadian Globe and Mail followed up on the Muddy Water report and said: “During two weeks of on-the-ground reporting that included interviews with Chinese government officials, forestry experts, local business operators and brokers, The Globe and Mail uncovered a number of glaring inconsistencies that raise doubts about the company’s public statements regarding the value of the assets that lie at the centre of the company’s core business of buying and selling Chinese timber rights.”

If Ernst & Young did not properly establish the value of the assets owned by Sino-Forest they failed in their audit responsibilities. If they accepted an assignment in Canada that required extensive work in China, but didn’t assign staff to do the verification work required, shame on them.

If we had a more comprehensive audit report that explained the work done, we might be better able to make more informed decisions about the validity of the auditors' work.

If it turns out that Sino-Forest is committing fraud, I feel sorry for the investors and creditors who depended on the auditors’ report.



[1] Sino-Forest is listed on the Toronto stock exchange as TRE.
[2] This report is on the valuation of China Planted Forest Crops for Sino-Forest.

New Medicaid Inspector General in New York State

The NY Post today is reporting that Jim Cox has been appointed the new Medicaid Inspector General.


I've known Jim Cox for a long time and I'm confident Jim has the skills and ability to properly carry out the functions of the Medicaid Inspector General's Office. I'm also sure if Jim is asked to compromise his integrity he will resign before doing so. I had concerns about why the prior Medicaid Inspector General was fired (http://davehancox.blogspo​t.com/2011/06/ny-medicaid-​fraud-inspector-general.ht​ml), but Jim Cox's appointment is a very positive development. I look forward to his service to the State of New York.


Governor Cuomo made a good appointment in Jim. Congratulations!

Monday, July 4, 2011

Auditors Need to Listen

Here is an article I wrote in 2003. It seems to me it is still applicable today.

The Wall Street Journal has been reporting on the fraud at HealthSouth. What occurred at HealthSouth is instructive to auditors because it shows how senior management can have a pervasive influence over transactions, how easy it is to alter invoices with the technology available to us and how difficult it is for staff to be heard when they have concerns within an organization.

The Securities and Exchange Commission has charged, "Since 1999, HealthSouth Corp. ("HRC"), one of the nation's largest healthcare providers, has overstated its earnings by at least $1.4 billion. This massive overstatement occurred because HRC's founder, Chief Executive Officer and Chairman of the Board, Richard M. Scrushy ("Scrushy"), insisted that HRC meet or exceed earnings expectations established by Wall Street analysts. When HRC's earnings fell short of such estimates, Scrushy directed HRC's accounting personnel to "fix it" by artificially inflating the company's earnings to match Wall Street expectations. To balance HRC's books, the false increases in earnings were matched by false increases in HRC's assets. By the third quarter of 2002, HRC's assets were overstated by at least $800 million, or approximately 10 percent of total assets. HRC's most recent reports filed with the Commission continue to reflect the fraudulent numbers."

As reported in the Wall Street Journal, Mr. Michael Vines, a bookkeeper in HealthSouth's accounting department, tried to alert outside auditors and others to the questionable practices in his accounting department, but his concerns fell on deaf ears.

According to the Wall Street Journal, "…Mr. Vines identified about $1 million in entries he believed were fraudulent. Mr. Vines told his immediate superior, Cathy C. Edwards, a vice president in the accounting department, that he wouldn't make such entries unless she first initialed them. "I wanted her signature on it," Mr. Vines testified.

"Ms. Edwards, according to Mr. Vines's testimony, signed off on the entries, and he logged them. Mr. Vines also testified that he saw Ms. Edwards falsifying an invoice, which according to his testimony was a way to cover up the larger fraud involving the accounts. In December 2001, Mr. Vines said on the stand, Ernst was conducting a routine review of how HealthSouth depreciated its assets. As part of the review, Ernst asked about an asset on the company's balance sheet.

"The problem: There was no invoice showing that the asset, for a facility in Kansas, had been purchased. (The court papers don't specify what the asset actually was.) So, Mr. Vines testified, Ms. Edwards ordered Mr. Vines to pull an invoice for a different purchase, for a facility in Braintree, Mass., that roughly matched the asset's price. She then scanned the invoice into her computer and altered the shipping cost and other information to make it fit the asset that Ernst was asking about, according to Mr. Vines's testimony."

Our ability to rely on the traditional documentation supporting transactions is diminishing in today's environment. Our ability to detect fraudulent documentation is limited. Instead, there are two primary forms of evidence that auditors need to focus on: analytical evidence and physical observation of the actual items purchased.

We are developing our analytical skills with our data analysis software. Now we need to put more emphasis on getting out from behind our desk and visiting agencies to examine what we are paying for. And this can be a challenge because we may not always know what we are looking at. Most of us would be hard pressed to assure that a network computer has all of the features the agency requested when it was purchased - but I'm sure there are technical staff available who can assist in making that determination. Trying to verify that consumable products were actually used by the agency is also a challenge. Here we need to rely on some analytical review to give us a clue as to reasonable usage and interviews with staff to assure they can vouch for the items used.

We can go on with all of the challenges to verifying the existence of a purchase, but these are the real issues we need to confront as we seek to meet our audit responsibilities and the expectations others have in relying on our work.