Fraud, A Sign of the Times

The economic downturn has produced a lot of stress on companies for obvious reasons, but there is one significant risk that companies often overlook: fraud.  A recent study from the Association of Certified Fraud Examiners (ACFE) found that employee fraud has risen in the last 12 months and that financial pressures were the biggest contributing factor.  The recession has given employees as well as managers in key roles the opportunity, motivation/pressure, and rationalization to commit theft and fraud.  However, the problem isn’t just identifying fraud; it’s knowing what to do once it’s discovered.

And when fraud is discovered, oftentimes there is no one to turn to.  The FBI Financial Crimes Section at the moment has over 400 corporate fraud cases that it is working through and is pursuing only 3-6 new cases per month.  They are primarily focused on significant fraud against individuals, businesses, and industries, or organized crime activities that are international, national or regional.  State and local police departments are very busy as well.  I was recently told by a client that the police department from a large city (a population over three million) would not take her case if she couldn’t provide hard evidence worth over $40,000.  Translation: the skill set to execute the Internal Audit function just expanded to include forensic accounting, internal investigations, financial fraud investigations, SEC enforcement matters, and extensive compliance reviews.

Again, the factors that lead to fraud are opportunity, motivation/pressure, and rationalization.  The opportunity to commit fraud can consist of workers being stretched out to cover more roles, giving them more access to more areas of the company and fewer supervisors to oversee operations.  Smaller businesses are more prone to the opportunity risk as they have limited resources to provide adequate segregation of duties.  Motivation can spring from anywhere, but in times like these the pressures of the recession, a spouse’s job loss, or a reduction in pay are sufficient motivators.  People can always rationalize their wrongdoings when there is enough pressure and stress to skew their sense of logic and ethics.  Despite these factors, there are ways for any business, regardless of its size, to prevent or detect fraud and ways to appropriately recover losses.

The first, cost-effective step to help safeguard your company is to develop a good control environment.  By developing comprehensive policies and procedures, setting good examples of actions and accountability from the top down, establishing an anonymous whistleblower hotline, and maintaining a clear organizational structure, a company can reduce the threat of fraud.  The next step is to implement a system of internal controls to further limit the risk of fraud.  This usually consists of the following five areas: segregation of duties, proper authorizations, adequate documentation and records, physical controls over assets, and independent checks.  These two steps are a great start to preventing and detecting fraud and keeping your company afloat in a time of uncertainty.

In a time of recession the need to find ways to address fraud proactively and cost effectively is a key priority.

Here are some links for more information on this topic:
The Institute of Internal Auditors (IIA) Main Website
IIA Upcoming events (Fraud)
IIA Fraud resources
Association of Certified Fraud Examiners (ACFE) Main Website
ACFE Upcoming events

All-in Fees and Selling a Different ROI

I would imagine that business valuation proposals start out the same way as other service-related assignments:

     1. Define the scope;
     2. Estimate the process by which you will arrive at a conclusion;
     3. Figure out a budget of time needed to complete the work; and
     4. Determine a range of fee to bid the work.

The work is then won on reputation, brand, recommendations, fair pricing and other key qualitative and quantitative inputs that clients use in making a decision to go with one firm over the other. Sounds fair, right? Yes, if you compete in an ideal business environment where the price is not the number one “utility” that differentiates service providers. But, at the same time that business valuation evolves its status as a profession, disruptive competitors have won recent battles by focusing on a low price, high volume approach.

I have found that unless there is a strong recommendation from an auditor, board member, investor, lawyer or other advisor for getting our firm involved, the sale process will almost always default to our fee and there is always someone out there that is lower. I believe that in the world of selling, it is always easiest to defend the lowest price, especially if you argue that there is no correlation between price and quality. So selling a higher fee for a product that may be perceived by the buyer as a commodity is simply a tough sell.

As I mentioned in my last blog, in addition to selling the quality of our platform and brand, we frame our service as part of a bigger solution and focus on “all-in” fees. This focus allows us to fight a perception of fundamental valuation as a commodity and introduce the real and time related costs associated with a lack of quality. In doing so, our argument is based on a simple assumption that more often than not, you get what you pay for. This assumption may be unfair to some service providers who provide good work at lower fees, but it is based on my experiences with auditors who bring us into a situation after they have kicked out a low-cost provider’s work product for a lack of quality.

So, now back to ROI. We make a simple case for a higher ROI for our solution by first highlighting the investment in fees (tangible) and management time (intangible) instead of focusing on the return. In most cases, the return for such an engagement should always be the same: sign-off on our valuation and the assurance (or rather insurance) that our report will stand up to scrutiny of current (Board and auditors) and future (the IRS, the SEC) readers and reviewers. So if the return remains relatively constant regardless of the provider, the focus on “all-in” fees clearly drives the ROI. Any firm with a high quality product and strong audit relationships should be able to win this argument on all-in fees.

Case in point: a low-cost provider who is NOT kicked out of a situation by an auditor will eventually get audit sign-off. However, the means to that end will involve significant (and at times uncapped) fees that the auditors incur by getting their valuation team comfortable with a low quality valuation. My last blog mentioned that these reviews more often than not take the form of “replicating and reconciling” rather than testing. Therefore, when the audit firm is not comfortable with the quality of a valuation report, the client is, in effect, paying for two valuations and the additional step of reconciliation. I have heard from clients that their review fees have been a multiple of the original valuation fee.

So battles may be won on price, but in the end, the war is won on quality and focusing in on all-in fees. The takeaways here are simple but strong:

     1. Good work at fair prices creates opportunities to do more good work;
     2. Any service that depends on the knowledge of an expert is not a commodity; and
     3. If a low price sounds too good to be true, it probably is.

How to Measure Internal Audit’s Effectiveness

Two important questions asked by management in today’s economic climate are, “How do we know if our Internal Audit (IA) department is functioning effectively?  Is it providing the most possible value?”

A good place to start is a review of the Internal Audit department infrastructure.  The infrastructure includes the department’s roles and responsibilities and its authority.  IA should be independent from management with direct access to the audit committee.  Typically, the Chief Audit Executive (CAE) reports administratively to the CFO and formally to the audit committee chairman.   The IA charter provides formal clarity regarding the department’s authority to access company records, execute the annual audit plan, and the department’s vision.  The charter should be reviewed and approved by the audit committee and the CFO at least annually.

Other key questions to evaluate IA include:

  • Are audits conducted in compliance with the International Standards for the Professional Practice of Internal Audit?
  • Does IA have a quality assurance program and are the results reported?
  • Has an external quality assessment been performed in the past five years?
  • Is there an audit client feedback process?
  • Does IA have the tools and resources it needs to complete the annual audit plan?
  • Has the IA team acquired professional designations to demonstrate competency?

If the answer is yes to all of the questions, chances are the IA department is on the path to create value.  Any “no” answers identify areas for potential improvement that could lead to positive change for both the department and the organization.

Audit Review from Both Sides

As an investment banker, I was never subject to external review of my work other than the public’s response to the value of an M&A deal or IPO pricing.  However, as a fundamental valuation expert, external review is an important and respected part of the process, specifically when an opinion of value is used for financial reporting purposes.  Over the past few weeks, I have had the unique opportunity of being on both sides of an audit review and found the experience both interesting and challenging.

The process of audit review of valuation reports is one of identifying and reconciling “red flags” in terms of both inputs and outputs.  Is a subjective input supported by quantitative analysis and management discussion?  Does the conclusion make sense relative to prior valuations, company growth, increased market concern or the decline in public markets?  The ASA’s culminating Business Valuation course (BV204) focuses on the reconciliation of methods and making sense of an answer.

In support of our audit team, I recently reviewed two reports that opined to values of common stock and found myself asking the same questions I ask during an internal review of our own valuations.  My recent experience in creating and responding to these questions left me with the following takeaways:

  1. Tone defines the question.  Reviews go much easier when the reviewer doesn’t go into a review discussion with a strong opinion of what the value “should” be.  Once that feeling of “this is what I think you should have done” comes across, I start to become defensive and the conversation starts to get terse with “yes” and “no” answers.
  2. Stay away from asking too many questions.  The most frustrating reviews for me have been when the auditors ask every question from their template without reviewing the report and answering and eliminating these questions prior to a discussion.  For me, the most frustrating response to a review question is “see page xx of the report.”  That response leads me to believe that the auditors have not read the report and just reviewed the exhibits.
  3. The wording of the questions means everything.  My worst experiences with review from the valuation expert side occurred when I felt like the word “dummy” should have been at the end of every question.  I have always used the term that valuation is a “grey science;” not black and white.  I also believe that if you put 10 valuation experts in a room with the same information, they will come up with 10 different but defendable answers.  If a question is worded in a way that makes the assumption that the conclusion or input is wrong, the eventual conversation will more often than not head south from the start.
  4. The goal on the audit side is comfort.  I believe that in order to get comfortable with a report, you need to ask quantitative AND qualitative questions.  You should ask about a cost of debt but also ask how the conversations went with management and if the expert talked to other groups within their firm or colleagues about key inputs.  I also believe that the goal on the audit side is not to run up fees, ever.  I may do some quantitative testing if my comfort level is low about a certain input but I will never default to recreating a valuation and testing for materiality or how different my valuation is from the one I am reviewing.  That process just reinforces the “dummy” experience above when I feel that the audit review team needs to recreate a valuation in order to get comfortable.
  5. Leave on good terms.  I know that I will never be on the other side of a review with an independent valuation firm that is not part of an accounting firm.  Still, a simple thank you for walking me through your report and “I appreciate your time” goes a long way in creating a strong on-going relationship.
  6.  Picking up the phone does wonders.  I find that calls, not emails, work the best in communicating with each other.  Context and tone are left for interpretation in email and phone calls break through any mysterious intent that may be hidden in emails.
  7. Preventative maintenance does wonders.  Knowing that a report will be reviewed and having a call between the two parties PRIOR to a valuation makes for a much smoother process that eventually will benefit the client in terms of speed of process and “all-in” fees for the valuation or the cost for the valuation plus the review.  Strong relationships within the industry have a way of negating all of the negative possibilities above.

In the end, reviews benefit everyone involved and they don’t need to be painful.  But when they get painful, it can be the worst part of the day.  I try to keep an open mind to review and find that this “high road” works the best for everyone involved.

Internal Auditors Keeping Pace with Global Needs of Clients

With the constant expansion of technology and outsourcing of resources, more and more businesses are establishing an international presence. Even if your organization does not have a physical presence outside of the United States, it is not uncommon to have key affiliates located outside of the nation’s borders. Furthermore, it is hard to avoid noticing the large number of resources that are manufactured outside of the country.

With locations in 165 different countries and territories, The Institute of Internal Auditors (IIA) is keeping pace with the growing international needs of businesses. In fact, this past May the IIA held an international conference in South Africa, which brought together over 2000 members from all over the world.

Of course, such a large international presence requires that key standards are established in order to maintain comparability and understanding among internal audit professionals from all areas of the world. Fortunately, the IIA has done just that. The International Professional Practices Framework (IPPF) established by the IIA broadcasts a conceptual framework to all IIA members around the world. With the assistance of the IIA, the internal audit profession has clearly responded to the growing global needs of its clients.

An Ounce of Prevention….

To continue with my last post about cost-effective solutions, I want to address a tool that’s used by many of my clients: Microsoft Access. Rather than purchasing an additional application, this souped-up version of Excel can be a cost-effective, flexible solution to prepare accruals, manage inventory, or store sensitive employee information. Nobody ever thinks about internal controls when the application is small or can easily be recreated, but the potential for something to go wrong is significant and only increases with the importance of its use. By the time you need controls it’s usually too late. The saying, “an ounce of prevention is worth a pound of cure” has never been truer. Consider these points when using Access.

  1. Backup. Are backup and recovery controls in place and if so, are they performed often enough? One common backup method is to store the application on a shared drive that is currently being backed up by IT departments.
  2. Database Controls. There are two types: user access controls and development tools controls. User access controls prevent unauthorized access to data tables and queries and are established by simply using passwords to access the data. Development tools controls restrict or remove access from any unauthorized user to change the design view of the application.
  3. Input controls. These protect the integrity of data and ensure accuracy. There are two basic types of input controls: preventive and detective. For preventive controls, one can create data validation at the input level. Detective controls may include the creation of batches or automated checks against validation criteria.
  4. Processing controls. To avoid any errors and ensure the accuracy, completeness and consistency of the data processed, users need to manually implement processing controls. Unfortunately, Access doesn’t have any such tool to help.
  5. Output controls. These controls restrict access to the completed product. By assigning user-level permissions individually, only authorized users have access to view and use the information.

Most of the ideas outlined above are straightforward. If implemented, the controls can increase the likelihood that something bad won’t happen to a key process.

The Importance of Networking

As the recession progresses, leveraging your professional network is key to achieving success. Here are a few ideas to help.

LinkedIn’s discussion groups that include Internal Audit Professionals, Risk Management Executives & Professionals, The Institute of Internal Auditors, DataShaping Advanced Analytics and industry specific groups, such as Retail Management, for example, are new resources. The upside is connecting with a broad range of professionals and gaining access to a lot of information. The downside is sometimes the information’s quality is lacking (i.e. job requests) or the amount of information is too much to digest. Facebook and Twitter have joined the fray, but in my humble opinion, are less professional and sometimes don’t yield results from the time spent socializing.

Many auditors are aware of the two main Internal Audit professional organizations, the Institute of Internal Auditors (IIA), and the Information Systems Audit and Control Association (ISACA). However, there are some added resources like the IIA’s Member Exchange, industry discussion groups, and research products that are free and expand your reach to the 150,000 IIA members.

Local IIA and ISACA chapters host monthly events attended by all department levels, including Chief Audit Executives. In addition to receiving cheap CPEs (typical cost is less than $35 for two CPEs), exchanging business cards can help you find the answer to your CFO’s most popular question, “what are other people doing?”

It’s ironic that the most valuable resources like being able to discuss an idea, locate an example or share an experience are also the cheapest.

Resources:
SF IIA Chapter: http://www.theiia.org/chapters/index.cfm/home.page/cid/9
SJ IIA Chapter: http://www.theiia.org/chapters/index.cfm?cid=79
East Bay IIA Chapter: http://www.theiia.org/chapters/index.cfm?cid=216
SF ISACA: http://www.sfisaca.org/
LinkedIn (PAIN): http://www.linkedin.com/groupInvitation?gid=44252&sharedKey=7B41D7082F9A
CISA on Facebook : http://www.facebook.com/group.php?gid=2248350440
Auditnet: http://twitter.com/auditnet

Taking Advantage of ARRA

Does your organization plan to receive money as a result of the American Recovery and Reinvestment Act of 2009 (ARRA)? Regardless of whether the money is in the form of a contract or grant, there are compliance concerns and, of course, you need to first get the money before you can spend it. Unfortunately, with the almost $800 billion coming down the pike through the different government agencies (e.g. states, localities, Department of Transportation, etc.) there is no one single application and compliance standard. Although the Office of Management and Budget (OMB) has provided guidance, it’s up to the agencies to create the compliance mechanisms and frameworks. There is still a lot of uncertainty and not everyone is on the same path.

In fact, some organizations have already bowed out because the application process is too cumbersome and confusing. For example, creating new reports to comply with requested information takes time and energy on top of just continuing to do all the normal work. Addressing compliance requirements by the most efficient means possible is paramount to unlocking the door to potential ARRA dollars.

Organizations should remember that although the ARRA money is already flowing, the bulk of it won’t hit until the next two years and it will continue to flow until 2016. There is still plenty of time to create effective and efficient processes and controls. After all, ARRA was passed to create jobs and get the U.S. back on track; we’re supposed to use it!

Resources:

http://www.recovery.gov/
http://www.recovery.ca.gov/
http://www.usmayors.org/recovery

When Auditors are Audited: The U.S. Supreme Court to Review SOX

Recently the U.S. Supreme Court agreed to hear a case to consider the constitutionality of the selection process for the Public Company Accounting Oversight Board (PCAOB), a key component of the 2002 SOX act. The heart of the case is to determine whether Congress overstepped its authority and violated the separation of powers when it assigned the SEC the responsibility to appoint PCAOB board members. Critics argue that only the President can appoint PCAOB board members.

Compounding the drama around the case is the recent resignation of the PCAOB Chairman, Mark Olson. According to reports, Olson is stepping down for personal reasons, but the timing is interesting. He was appointed to the position in July 2006.

The case’s outcome is uncertain, but even more nebulous is the effect the ruling may have on the overall SOX law itself. Many public companies see SOX as another burden of public filing with little or no benefit to shareholders.

A decision is not expected until July 2010 with oral arguments to be held this fall.

SOX for Non Accelerated Filers

No more extensions for non-accelerated filers.
It doesn’t look like the SEC will be offering any more extensions for the small public companies to comply with SOX. Beginning December 15, 2009 auditors are required to opine on Sarbanes-Oxley compliance for all non-accelerated companies. This is a challenging process for many enterprises and can be especially daunting for smaller businesses.

Without a good roadmap outlining the necessary steps, businesses may find themselves with more headaches than are truly necessary. A few thoughts:

  1. Risk assessment and scoping – focus on high-risk areas where a material error could occur. Many companies can eliminate small secondary locations and routine business processes from their SOX compliance effort.
  2. Documentation of controls – be sure to align controls with financial reporting risks. A single, strong analytic control can mitigate several risks and reduce the sheer number of controls requiring documentation.
  3. Test of effectiveness of the control structure – simplify the testing process using one set of sample documents to test several controls.
  4. Evaluation and reporting – remember to evaluate deficiencies individually and in the aggregate. Any significant deficiencies must be reported to the audit committee, and material weaknesses will be reported to the SEC.

Here are a few resources that will help you, including brownbag lunch or breakfast roundtable sessions we’re offering to teach best practices and provide materials. It’s free.

Register: Send requests to SOXInfo@frankrimerman.com or call 650-845-8187

SEC Guidance: http://www.sec.gov/rules/interp/2007/33-8810.pdf