Report ofthe National Commission on Fraudulent Financial

Report ofthe National Commission on Fraudulent Financial Report ofthe National Commission on Fraudulent Financial Report ofthe National Commission onFraudulent Financial ReportingOctober 1987 Copyright (c) 1987 by theNational Commission on Fraudulent Financial Reporting National Commission on Fraudulent Financial ReportingCOMMISSIONERSChairmanHugh L. MarshJames C. Treadway, Jr.DirectorExecutive Vice President andInternal AuditGeneral CounselAluminum Company of AmericaPaine Webber IncorporatedThomas I.S torrsWilliam M. BattenChairman of the Board (Retired)Chairman (Retired)NCNB CorporationNew York Stock ExchangeDonald H.T rautleinWilliam S.K anagaChairman and Chief ExecutiveChairman of the Advisory BoardOfficer (Retired)Arthur Young & CompanyBethlehem Steel CorporationSTAFFExecutive StaffG. Dewey ArnoldE, xecutive DirectorJack L. Krogstad,R esearch DirectorCatherine Collins McCoyD,e puty Executive Director and General CounselProfessional and Technical StaffSenior ConsultantsJoseph 7>A. AdamsLawrence C. BestAngela L.A vantAllan WearLouis BisgayMark P. ConnellyEditorial ConsultantPaul C. CurtisCarol Olsen DayGeorge F. DalyJoseph J. DonlonAdministrative StaffMichael DoyleMichael R.F underburgAlma FaganLaura S.G reensteinCatherineF onfaraJohn F. HarrisVicki JohnstonEllen DowneyH ylasSandra RingerJoseph JanellaScott J. LudwigsenLawrence DM. orriss, Jr.Timothy G. O'ConnorGary A.R ubinShirleyS underlandiii ADVISORY BOARD MEMBERSDonald W. BakerP. Norman RoyVice President-ControllerExecutive Vice PresidentSouthwire CompanyBarry Wright Corporation(National Association of Accountants) (Financial Executives Institute)William G. Bishop, IIIRobert J. SackExecutive Vice PresidentChief AccountantCorporate Audit DepartmentDivision of EnforcementShearson Lehman Bros., Inc.Securities & ExchangeCommission(Institute of Internal Auditors)Philip B.C henok A.ClarenceS ampson, Jr.President & Chief Staff OfficerChief AccountantAmerican Institute of CertifiedSecurities & ExchangeCommissionPublic AccountantsFrank S, SatoWilliam J. Duane, Jr.Inspector GeneralGeneral AuditorVeterans AdministrationManufacturers Hanover Trust Company(Institute of Internal Auditors)Jerry D. SullivanPartnerJames J. LeisenringCoopers &L ybrandDirector of 5>Research &(Chairman, Auditing StandardsBoard)Technical ActivitiesFinancial Accounting Standards BoardDoyle Z. WilliamsDean, School of AccountingRichard M. PhillipsUniversity of Southern CaliforniaKirkpatrick &Lo ckhart(American AccountingAssociation)(American Bar Association)iv TABLE OF CONTENTSIntroduction1Summary of Recommendations11Chapter One:Overview of the Financial Reporting System and FraudulentFinancial Reporting17Chapter Two:Recommendations for the Public Company31Chapter Three:Recommendations for the Independent Public Accountant49Chapter Four:Recommendations for the SEC and Others to Improve theRegulatory and Legal Environment63Chapter Five:Recommendations for Education79Appendices87v LIST OF APPENDED MATERIAL AppendixABiographies of Commissioners and Executive Staff91BSummary of External Research Program95CSummary of Research Reports ande fBinrig Papers Prepared by Commission Staff109DPersons Consulted by the Commission121EComposite Case Studies in Fraudulent Financial Reporting,Harvard Business School125FGood Practice Guidelines for Assessing the Risk of Fraudulent Finanpcoiartli nRge153GStandards for the Professional Practice of Internal Auditing, The Institute ofInternal Auditors165HNew York Stock Exchange Listed Company Manual, Section 3, CorporateResponsibility-Audit Committee177IGood Practice Guidelines ftohre Audit Committee179JGood Practice Guidelines for Management's Report183KGood Practice Guidelines for Audit Committee Chairman's Letter187vi INTRODUCTIONThis report presents the findings, conclusions, and recommendations of the National Commission onFraudulent Financial Reporting (the Commission), From October 1985 to September 1987, theCommission studied the financial reporting system in the United States. Our mission was to identifycausal factors that can lead to fraudulent financial reporting and steps to reduce its incidence.Fraudulent financial reporting is indeed a serious problem. Infrequent though its occurrence arguablymay be, its consequences can be widespread and significant. Although fraud in any form can be difficultto deter, fraudulent financial reporting can be reduced, perhaps substantially, if each party for whom wemade recommendations takes the steps we recommend. The Commission's recommendations embracethe top management and boards of directors of all public companies, independent public accountantsand the public accounting profession, the SEC and other regulatory and law enforcement bodies, and theacademic world.6>As background to the Commission and its work, this introduction discusses the Commission's sponsors,members, and advisors, the definition of fraudulent financial reporting that the Commission used, theCommission's objectives, the scope of the study, and the research program.Following this background information is a discussion of the major conclusions that guided theCommission in developing the recommendations presented in this report.I. The CommissionSponsors, Members, and AdvisorsThe Commission was a private-sector initiative, jointly sponsored and funded by the American Institute ofCertified Public Accountants (AICPA), the American Accounting Association (AAA), the FinancialExecutives Institute (FEI), the Institute of Internal Auditors (IIA), and the National Association ofAccountants (NAA).The six-member Commission was independent of the sponsoring organizations. The chairman of theCommission was James C. Treadway, Jr., formerly a Commissioner of the Securities and ExchangeCommission (SEC), and presently Executive Vice President, General Counsel, member of the ExecutiveGroup, and a Director of Paine Webber Incorporated. William M. Batten is the immediate past Chairmanof the New York Stock Exchange and the former Chief Executive Officer (CEO) of J.C. Penney Co.William S. Kanaga is Chairman of the Advisory Board of Arthur Young & Company, and served asChairman of that firm and of the AICPA. Hugh L. Marsh is the Director-Internal Audit for ALCOA,responsible for its worldwide audit activities. He also is a past Chairman of the IIA. Thomas 1. Storrs isthe immediate past Chairman and CEO of NCNB Corporation, a bank holding company, and continues toserve as a Director of NCNB. Donald H. Trautlein recently retired as Chairman and CEO of BethlehemSteel and was formerly a partner with the accounting firm of Price Waterhouse. Appendix A includesbiographies of the Commissioners and the Executive Staff.1 An Advisory Board, representing a broad spectrum of experience and points of view, assisted theCommission.Definition of Fraudulent Financial ReportingFor purposes of this study and report, the Commission defined fraudulent financial reporting asintentional or reckless conduct, whether act or omission, that results in materially misleading financialstatements. Fraudulent financial reporting can involve many factors and take many forms. It may entailgross and deliberate distortion of corporate records, such as inventory count tags, or falsifiedtransactions, such as fictitious sales or orders. It may entail the misapplication of ac- counting principlespany employees at any level may be involved, from top to middle management to lower-levelpersonnel. If the conduct is intentional, or so reckless that it is the legal equivalent of intentional conduct,and results in fraudulent financial statements, it comes within the Commission's operating definition ofthe term fraudulent financial reporting.Fraudulent financial reporting differs from other causes of materially misleading financial statements,such as unintentional errors. The Commission also distinguished fraudulent financial reporting from othercorporate improprieties, such as employee embezzlements, violations of environmental or product safetyregulations, and tax fraud, which do not necessarily cause the financial statements to be materiallyinaccurate.ObjectivesThe Commission had three major objectives:1.Consider the extent to which acts of fraudulent financial reporting undermine the integrity of financialreporting; the forces and the opportunities, environmental, institutional, or individual, that maycontribute to these acts; the extent to which fraudulent financial reporting can be prevented ordeterred and to which it can be detected sooner after occurrence; the extent, if any, to whichincidents of this type of fraud may be the product of a decline in professionalism of corporatefinancial officers and internal auditors; and the extent, if any, to which the regulatory and lawenforcement environment unwittingly may have tolerated or contributed to the occurrence of thistype of fraud.2.Examine the role of the independent public accountant in detecting fraud, focusing particularly onwhether the detection of fraudulent financial reporting has been neglected or insufficiently focused onand whether the ability of the independent public accountant to detect such fraud can be enhanced,and consider whether changes in auditing standards or procedures -- internal and external -- wouldreduce the extent of fraudulent financial reporting.3. Identify attributes of corporate structure that may contribute to acts of fraudulent financial reportingor to the failure to detect such acts promptly.Scope: Public CompaniesThe Commission's study focused on public companies. The term public company generally includescompanies owned by public investors. Several types of companies fall within the Commission's definitionof public company: (1) public companies that report to the SEC; (2) certain publicly owned banks,savings and loan associations, and other financial institutions that are subject to the disclosure provisionsof the federal securities laws but report to one of the financial institution regulatory agencies; and (3)certain mutual thrift institutions.2 The Commission included public companies of this third type for several reasons. The same federalagencies that regulate the publicly owned financial institutions regulate these mutual thrift institutions.Their ownership by depositors resembles public ownership since these companies accept public funds ascapital and give depositors equity-like interests. A number of cases of fraudulent financial reporting haveoccurred in these institutions, with far-reaching impact.The Commission's focus should not imply that fraudulent financial reporting occurs only in publiccompanies or that only in these companies is its impact noteworthy. On the contrary, fraudulent financialreporting has occurred, often with serious consequences, in entities that are outside the express scope ofthe Commission's study and recommendations.Among the ;non-public company; entities that are at risk of fraudulent financial reporting are someentities, such as mutual insurance companies, that may in fact accept public funds as capital. Others atrisk include state-regulated banks, private defense contractors and private companies in general, as wellas various government and quasi-government entities. In the Commission's estimation, the overall thrustof the recommendations-especially the emphasis on top management's responsibility-is relevant andapplies to all these ;non-public company; entities.Applied with proper reflection, foresight, and ingenuity, many of the Commission's recommendationsshould prove practicable, cost-effective, and suitable for these other entities to implement. Accordingly,the Commission urges ;non-public company; entities to use the recommendations in forming individualor collective responses to the problem of fraudulent financial reporting.Research Program and InterviewsA thorough understanding of the environment in which fraudulent financial reporting occurs is aprerequisite to identifying appropriate responses. Too often, the subject has been considered from anarrow 2>perspective. The Commission placed a high priority on going deeper than the obvious inidentifying the many forces and opportunities that may contribute to financial reporting fraud.To this end, the Commission directed an extensive research program. Outside experts who conductedresearch projects for the Commission considered professionalism and codes of corporate conduct,corporate pressures, surprise writeoffs, internal control, internal auditing, the role of the SEC, litigationagainst public accountants, the independence of the public accountant, computer fraud, and businessand accounting education. In addition, the Commission's staff completed more than 20 research projectsand briefing papers, including analyses of SEC enforcement actions, pressures within public accountingfirms, AICPA self- regulatory programs, and the legal and regulatory environment. Significant findings ofthe research efforts are incorporated into the text of the report, and Appendices B and C summarize theresearch.To supplement this research program, the Commission reviewed previous and current related studiesand interviewed numerous experts. The related studies the Commission reviewed are listed in AppendixC. The Commission interviewed the Chairman of the SEC, the Chairman of the Federal DepositInsurance Corporation, the Comptroller of the Currency, the Comptroller General of the United States,the Chairman of the AICPA, the Chairman of the Auditing Standards Board, the Chairman of the AICPA'sSEC Practice Section's Public Oversight Board, the Chairman of the IIA, the President of the FEI, thePresident of the NAA, the President of the National Association of State Boards of Accountancy, severalmembers of the Commission's Advisory Board, and many other independent public accountants,government regulators, corporate executives, and university professors. Appendix D lists the persons theCommission consulted.3 Exposure Draft, Public Comment, and Congressional HearingsThe Commission first voted on the recommendations in October 1986. Thereafter, members of theCommission and the staff delivered several speeches airing the Commission's initial findings andconclusions to ;pre-expose; the Exposure Draft of the report and thus start the comment process inadvance of the draft's publication in late April 1987.In addition to those who conveyed their reactions, suggestions, and opinions informally during the pre-exposure period, approximately 50 interested organizations and individuals expressed their points ofview in written comments. The Commission considered all the comments-positive, negative, and neutral-in its deliberations. In a number of areas, the recommendations in the Exposure Draft bore the imprint ofthese comments.The Commission's five sponsoring organizations distributed over 40,000 copies of the Exposure Draft.Requesting and welcoming public comment, the Commission received over 200 letters in reply. Theseresponses represented the views of substantially more than 200 interested parties, since many of thempresented the collective comments of members of professional and trade organizations, including theCommission's five sponsoring organizations, as well as large national accounting firms, state and federalagencies, leading financial service institutions, and Fortune 500 companies.The process of reviewing, analyzing, and considering the comment letters was indispensable to theCommission in completing and issuing the report. The overwhelming majority of responsescomplimented the Commission on its overall effort and were generous in their support of theCommission's recommendations. Those who expressed selective disagreement or raised particularconcerns with regard to one or more of the recommendations made many insightful comments andconstructive suggestions. The report includes a number of changes made to reflect the commentators'suggestions, criticisms, and other viewpoints. The comment letters, part of the permanent record of theCommission's work, are available to the public on request through the offices of the AICPA in New York.Finally, the Commission appeared twice before the House Committee on Energy and Commerce'sSubcommittee on Oversight and Investigations, as part of the Subcommittee's continuing inquiry into theadequacy of auditing, accounting, and financial reporting practices under the federal securities laws.II. Major Guiding ConclusionsThe Commission's recommendations, taken together, form a balanced response to fraudulent financialreporting. The Commission cannot overemphasize the importance of evaluating its recommendations intheir totality; no one is meant to be singled out from the rest. Indeed, the Commission withheldendorsement of any recommendation under consideration until the research and briefing papers forsubstantially all recommendations had been completed and the Commission could see the web ofrelationships among the proposed recommendations.From the outset, the Commission's goal was to develop recommendations that would be practical,reasonable in the circumstances, justified by the benefits to be achieved, and would lend themselves toimplementation without undue burden. Guiding the Commission in this task were a number ofconclusions.4 AccountabilityWhen a company raises funds from the public, that company assumes an obligation of public trust and acommensurate level of accountability to the public. If a company wishes access to the public capital andcredit markets, it must accept and fulfill certain obligations necessary to protect the public interest. Oneof the most fundamental obligations of the public company is the full and fair public disclosure ofcorporate information, including financial results.The independent public accountant who audits the financial statements of a public company also has apublic obligation. As the U.S. Supreme Court has recognized, when the independent public accountantopines on a public company's financial statements, he assumes a public responsibility that transcendsthe contractual relationship with his client, The independent public accountant's responsibility extends tothe corporation's stockholders, creditors, customers, and the rest of the investing public. The regulationsand standards for auditing public companies must be adequate to safeguard that public trust and auditorsmust adhere to those standards.The Need for ImprovementThe extensive financial reporting by public companies is the most 1>critical component of the full and fairdisclosure that ensures the effective functioning of the capital and credit markets in the United States.The financial reporting system in the United States is the best in the world, a model for other developednations. The Commission nonetheless concluded that it should examine the system objectively becauseit is so important and is such a model. Our examination caused us to conclude that steps need to betaken to improve our financial reporting system, despite its present excellence.Quantifying the ProblemThe Commission sought to quantify the problem of fraudulent financial reporting. That quantificationproved to be impossible. We found no way to gauge either the amount or the significance of undetectedfraudulent financial reporting or the number of cases detected but, for a variety of reasons, not pursuedby law enforcement officials. As a result, estimating the true extent of the problem is not simply a matterof comparing, for example, the number of fraudulent financial reporting cases brought by the Securitiesand Exchange Commission (SEC) with the total number of publicly filed financial reports.Three Relevant FactorsEven though precise quantification proved to be impossible, the Commission concluded that three otherfactors are relevant: (1) the seriousness of the consequences of fraudulent financial reporting, (2) the riskof its occurring in any given company, and (3) the realistic potential for reducing that risk.Consequences of Fraudulent Financial Reportin.g First, when fraudulent financial reporting occurs,serious consequences ensue. The damage that results is widespread, with a sometimes devastatingripple effect. Those affected may range from the immediate victims-the company's stockholders andcreditors-to the more remote-those harmed when investor confidence in the stock market is shaken.Between these two extremes, many others may be affected: employees who suffer job loss or diminishedpension fund value; depositors in financial institutions; the company's underwriters, auditors, attorneys,and insurers; and even honest competitors whose reputations suffer by association.5 Risk of Occurrence. To assess the risk that fraudulent financial reporting may occur, the Commissionanalyzed its causes. We concluded that the causal factors, the forces and opportunities that were presentin numerous SEC enforcement cases, are present to some extent in all companies. No company,regardless of size or business, is immune from the possibility that fraudulent financial reporting willoccur. That possibility is inherent in doing business.Realistic Potential for Reducing Risk .We believe a realistic potential exists for reducing the risk offraudulent financial reporting, provided the problem is considered and addressed as multidimensional.The problem's multidimensional nature becomes clear when we merely consider the many participantswho shape the financial reporting process: the company and its management, the independent publicaccountant, regulatory and law enforcement agencies, and even educators. Each one has the potential toinfluence the outcome of the financial reporting process. Thus we believe that a multidimensionalapproach that analyzes and addresses the role of each participant has the maximum potential forreducing the incidence of fraudulent financial reporting.Participants in the Financial Reporting ProcessThe responsibility for reliable financial reporting resides first and foremost at the corporate level. Topmanagement-starting with the chief executive officer-sets the tone and establishes the financial reportingenvironment. Therefore, reducing the risk of fraudulent financial reporting must start within the reportingcompany.We have identified a number of practices already in place in many companies that can help all publiccompanies meet their responsibilities and reduce the incidence of fraudulent financial reporting. One keypractice is the board of directors' establishment of an informed, vigilant and effective audit committee tooversee the company's financial reporting process. Another is establishing and maintaining an internalaudit function.Prior efforts to reduce the risk of fraudulent financial reporting have tended to focus heavily on theindependent public accountant and, as such, were inherently limited. Independent public accountantsplay a crucial, but secondary role. They are not guarantors of the accuracy or the reliability of financialstatements. Their role, however, can be enhanced, particularly with respect to detecting fraudulentfinancial reporting, and financial statement preparers and users should be made to understand theenhanced role.At the same time, however, management's primary responsibility for reliable financial reporting should beemphasized, so that public understanding of the relative and complementary obligations of corporatemanagement and independent public accountants is improved.Regulatory and law enforcement agencies provide the deterrence that is critical to reducing the incidenceof fraudulent financial reporting. The SEC, through its financial fraud enforcement program, already hassignificantly raised corporate awareness of the problem and of the potential for detection andpunishment. But improvements can and should be made, both at the state and the federal level.Although educators are not generally considered participants in the financial reporting process, they havean important role in helping to reduce the risk of fraudulent financial reporting. Education can preparebusiness and accounting students to recognize the factors that can contribute to this type of fraud andthe ethical values and good business practices necessary to guard against it.6 Improvements Needed in All AreasOur analysis of the role of each participant in the financial reporting process led us to conclude that noone answer to the problem of fraudulent financial reporting exists. Rather, improvement is needed in allareas. The Commission's recommendations can be implemented within the existing structure ofcorporate governance and regulation. As a consequence, the Commission's report presents a unified setof complementary recommendations to be carried out by a number of persons and entities. Fewer thanone-third of the recommendations require regulatory or legislative 4>action. In the Commission'sestimation, alternatives to this approach would entail more drastic measures, requiring a restructuring ofcorporate governance and greater regulatory intrusion, with no evidence that greater results wouldobtain.In referring to the recommendations in this report as a ;unified set of complementary recommendations,;the Commission emphasizes that the recommendations have been formulated to work togethersynergistically. Yet the Commission does not offer its recommendations as an ;all or nothing; propositionto be accepted or rejected as a whole. Clearly, implementing some of the recommendations would bebetter than adopting none of them. Furthermore, success in implementing these recommendations doesnot hinge on the exclusive effort of a single participant or group of participants. Rather, success dependson a significant effort by all participants doing their part to make the financial reporting process workbetter.In some cases, making the process work better requires the participants to initiate new practices; inothers, it necessitates improving the present practices. In fact, some public companies and publicaccounting firms are already doing many of the things we recommend, as a matter of good businesspractice.Legal, Financial, and Other AdvisorsThe professional and technical skills of several other groups within the business and professionalcommunity enable them to work closely with key participants in the financial reporting process. Amongthese groups are lawyers, investment bankers, financial analysts, business advisors, and those in chargeof systems for securing company assets. Whether they operate from inside or outside the publiccompany, these advisors are uniquely situated to influence the tone set by the top management ofcorporations. Through the advice and opinions they extend to top management or the board of directors,these advisors can affect the outcome of the financial reporting process.In fact, past incidents of fraudulent financial reporting have revealed many patterns of behavior throughwhich these types of advisors add to the pressures and the opportunities that may lead to this kind ofwrongdoing. Lawyers who adopt a strictly legalistic approach may counsel clients to achieve desiredends through means that are too close to the fine line between what is legal and what is not. Investmentbankers may exploit gaps or ambiguities in accounting standards to devise questionable financingtechniques and transactions. Financial analysts, through myopic notions of profitability and otherindicators of company financial health, may pressure top management to focus all their efforts onachieving short-term gains. Through such conduct, legal, financial, and other advisors become part ofthe problem of fraudulent financial reporting.Although the Commission's recommendations do not specifically target them, these critical advisorsshould recognize the extent to which they contribute to and collaborate in activity that can lead tofraudulent financial reporting. If these advisors do not embrace the spirit behind the Commission'srecommendations, they could hinder certain key participants in the financial reporting process fromsuccessfully implementing the recommendations directed to them. Accordingly, the Commission urgeslegal, financial, and other advisors to support its recommendations and to consider them in forming theirown response to the problem of fraudulent financial reporting.7 The efforts of these advisors to form a response to the problem of fraudulent financial reporting willnecessarily entail reassessing their legal and professional responsibilities and accountability, not only totheir clients, but also to the public and to the system of which they are a part. Of remarkable relevance tothis endeavor is a message that the late Supreme Court Chief Justice Harlan F. Stone delivered morethan a half-century ago to members of the legal community:Today antisocial business practices which have not yet met with our refusal to countenance them,are equally in the public thought. It is true that the parallel to the earlier era is not precise, for manyof these practices are still within the law, and to stand against them it is necessary that we do morethan defend legal rights; it is needful that we look beyond the club of the policeman as a civilizingagency to the sanctions of professional standards which condemn the doing of what the law has notyet forbiddenH. (arvard Law Revie,w Volume 48, page 13, 1934)Overall BenefitsIn developing our recommendations, we weighed the costs and other burdens they would impose againstthe benefits they would achieve. We recognize that there are limits to the ability to prevent or detectfraud, no matter how much cost is incurred. We believe our recommendations are cost-effective.Taken collectively, the recommendations can:?? Improve the financial reporting environment in the public company in several important respects andthus help to reduce the incidence of fraudulent financial reporting?? Improve auditing standards, the standard-setting process, and the system for ensuring audit quality,to detect fraudulent financial reporting earlier and perhaps thus deter it?? Enhance the regulatory and law enforcement environment to strengthen deterrence?? Enhance the education of future participants in the financial reporting process.Inherent Limitations and Need for Continued EffortsOur recommendations are by no means the final answers, Fraud is as complex as human nature, and associety changes, the financial reporting system will change. As fraudulent financial reporting likewiseevolves, so must counter responses. The Commission urges all participants in the financial reportingsystem to implement these recommendations as the next step in the continuing process of responding tofraudulent financial reporting. Implementing our recommendations will require additional guidance in theform of rulemaking by regulators and through authoritative pronouncements by other interested andknowledgeable parties.Yet, implementing all 49 of the Commission's recommendations would still not guarantee that fraudulentfinancial reporting will disappear. Similarly, failure to implement some or all of the recommendationsshould not automatically establish liability if fraudulent financial reporting occurs. Those who allege thatfraud has occurred must still offer affirmative proof of any actual wrongdoing.A further word of caution also is in order. While increased awareness of fraudulent financial reportingwithin the business and professional community and among the investing public generally is important, itis equally important that public expectations not be raised unduly because even full implementation ofthe Commission's recommendations will not completely eradicate fraudulent financial reporting.Fraudulent8 financial reporting must not be assumed merely because a business fails. The public must recognize andunderstand the clear line that distinguishes the failure of top management to manage well from theintentional or reckless conduct that amounts to fraud. We hope that our report will serve as a frameworkfor action now and as a springboard for future efforts to reduce fraudulent financial reporting.9 10 SUMMARY OF RECOMMENDATIONSThis summary is a synopsis of the organization and content of the Commission's recommendations,which appear in Chapters Two through Five of the report. The Commission urges readers to consider therecommendations along with the accompanying text, which explains, adds guidance, and in certaincases makes ancillary recommendations.I. Recommendations for the Public Company (Chapter Two)Prevention and earlier detection of fraudulent financial reporting must start with the entity that preparesfinancial reports. Thus the first focus of the Commission's recommendations is the public company.These recommendations, taken together, will improve a company's overall financial reporting processand increase the likelihood of preventing fraudulent financial reporting and detecting it earlier when itoccurs. For some companies, implementing these recommendations will require little or even no changefrom current practices; for other companies, it will mean adding or improving a recommended practice.Whether it means adding or improving a practice, the benefits justify the costs. The Commission'srecommendations for the public company deal with (1) the tone set by top management, (2) the internalaccounting and audit functions, (3) the audit committee, (4) management and audit committee reports,(5) the practice of seeking secondopinions from independent public accountants, and (6) quarterly reporting.The Tone at the TopThe first three recommendations focus on an element within the company of overriding importance inpreventing fraudulent financial reporting: the tone set by top management that influences the corporateenvironment within which financial reporting occurs. To set the right tone, top management must identifyand assess the factors that could lead to fraudulent financial reporting; all public companies shouldmaintain internal controls that provide reasonable assurance that fraudulent financial reporting will beprevented or subject to early detection-this is a broader concept than internal accounting controls-and allpublic companies should develop and enforce effective, written codes of corporate conduct. As a part ofits ongoing assessment of the effectiveness of internal controls, a company's audit committee shouldannually review the program that management establishes to monitor compliance with the code. TheCommission also recommends that its sponsoring organizations cooperate in developing additional,integrated guidance on internal controls.Internal Accounting and Audit FunctionsThe Commission's recommendations turn next to the ability of the participants in the financial reportingprocess within the company to prevent or detect fraudulent financial reporting. The internal accountingfunction must be designed to fulfill the financial reporting responsibilities the corporation has undertakenas a public company. Moreover, all public companies must have an effective and objective internal auditfunction. The internal auditor's qualifications, staff, status within the company, reporting lines, andrelationship with the audit committee of the board of directors must be adequate to ensure the internalaudit function's effectiveness and objectivity. The internal auditor should consider his audit findings in the11 context of the company's financial statements and should, to the extent appropriate, coordinate hisactivities with the activities of the independent public accountant.The Audit CommitteeThe audit committee of the board of directors plays a role critical to the integrity of the company'sfinancial reporting. The Commission recommends that all public companies be required to have auditcommittees composed entirely of independent directors. To be effective, audit committees shouldexercise vigilant and informed oversight of the financial reporting process, including the company'sinternal controls. The board of directors should set forth the committee's duties and responsibilities in awritten charter. Among other things, the audit committee should review management's evaluation of theindependence of the public accountant and management's plans for engaging the company'sindependent public accountant to perform management advisory services. The Commission highlightsadditional important audit committee duties and responsibilities in the course of discussing otherrecommendations affecting public companies.Management and Audit Committee ReportsUsers of financial statements should be better informed about the roles management and the auditcommittee play in the company's financial reporting process. The Commission recommends amanagement report that acknowledges that the financial statements are the company's and that topmanagement takes responsibility for the company's financial reporting process. The report should includemanagement's opinion on the effectiveness of the company's internal controls. The Commission alsorecommends a letter from the chairman of the audit committee that describes the committee's activities,Both of these communications should appear in the annual report to stockholders.Seeking a Second Opinion and Quarterly ReportingFinally, the Commission's recommendations for the public company focus on two opportunities tostrengthen the integrity of the financial reporting process. Management should advise the auditcommittee when it seeks a second opinion on a significant accounting issue, explaining why theparticular accounting treatment was chosen. The Commission also recommends additional publicdisclosure in the event of a change in independent public accountants. Furthermore, the Commissionrecommends audit committee oversight of the quarterly reporting process.II.Recommendations for the Independent Public Accountant(Chapter Three )The independent public accountant's role, while secondary to that of management and the board ofdirectors, is crucial in detecting and deterring fraudulent financial reporting. To ensure and improve theeffectiveness of the independent public accountant, the Commission recommends changes in auditingstandards, in procedures that enhance audit quality, in the independent public accountant'scommunications about his role, and in the process of setting auditing standards. On February 14, 1987,the Auditing Standards Board (ASB) exposed for comment a series of proposed auditing standards thataddress many issues the Commission considered. The Commission commends the ASB for its efforts inthese exposure drafts, some of which are responsive to Commission concerns.12 Responsibility for Detection and Improved Detection CapabilitiesGenerally Accepted Auditing Standards (GAAS) should be changed to recognize better the independentpublic accountant's responsibility for detecting fraudulent financial reporting. The standards shouldrestate this responsibility to require the independent public accountant to take affirmative steps to assessthe potential for fraudulent financial reporting and design tests to provide reasonable assurance ofdetection. Among the affirmative steps recommended is assessment of the company's overall controlenvironment along with improved guidance for identifying risks and designing audit tests. In addition, theindependent public accountant should be required to make greater use of analytical review procedures,to identify areas with a high risk of fraudulent financial reporting. The independent public accountant alsoshould be required to review quarterly financial data before its release, to improve the likelihood of timelydetection of fraudulent financial reporting.Audit QualityImproved audit quality increases the likelihood of detecting fraudulent financial reporting. In this regard,the Commission makes three recommendations. The first two are designed to improve two aspects ofthe profession's existing quality assurance program. Peer review should be strengthened by addingreviews, in each office reviewed, of all first-year audits performed for public company clients that werenew to the firm. Concurring, or second partner, review should be enhanced by adding more explicitguidance as to timing and qualifications. In the third recommendation, the Commission encouragesgreater sensitivity on the part of public accounting firms to pressures within the accounting firm that mayadversely impact audit qualitymunications by the Independent Public AccountantIndependent public accountants need to communicate better to those who rely on their work. Theauditor's standard report can and should convey a clearer sense of the independent public accountant'srole, which does not include guaranteeing the accuracy of the company's financial statements. Thestandard audit report should explain that an audit is designed to provide reasonable, but not absolute,assurance that the financial statements are free of material misstatements arising as a result of fraud orerror. It also should describe the extent to which the independent public accountant has reviewed andevaluated the system of internal accounting control. These two steps will promote a better appreciationof an audit and its purpose and limitations and underscore management's primary responsibility forfinancial reporting.Change in the Process of Setting Auditing StandardsFinally, the Commission recommends that the process of setting auditing standards be improved byreorganizing the AICPA's Auditing Standards Board (ASB). The Commission believes that the setting ofauditing standards should involve knowledgeable persons whose primary concern is with the use ofauditing products as well as practicing independent public accountants, Such individuals would haveparticular sensitivity to the operating implications of auditing standards and to emerging policy issuesconcerning these standards. The recommendation contemplates a smaller ASB, composed of equalnumbers of practitioners and qualified persons not presently engaged in public accounting and led by twofull-time officers, that would look beyond the technical aspects of auditing and set an agenda reflecting abroad range of needs, serving public and private interests, The agenda would be implemented byauditing standards of continuing high technical quality, and the ASB would adopt these standards on thebasis of their technical quality and their addressing these public and private needs.13 III.Recommendations 9>fo rthe SEC and Others to Improve theRegulatory and Legal Environment (Chapter Four )Strong and effective deterrence is essential in reducing the incidence of fraudulent financial reporting.While acknowledging the SEC's significant efforts and achievements in deterring such fraud, theCommission concludes that the public- and private-sector bodies whose activities shape the regulatoryand law enforcement environment can and should provide stronger deterrence. The Commission'srecommendations for increased deterrence involve new SEC sanctions, greater criminal prosecution,improved regulation of the public accounting profession, adequate SEC resources, improved federalregulation of financial institutions, and improved oversight by state boards of accountancy. In addition,the Commission makes two final recommendations in connection with the perceived insurance andliability crises.New SEC Sanctions and Greater Criminal ProsecutionThe range of sanctions available to be imposed on those who violate the law through fraudulent financialreporting should be expanded. Congress should give the SEC additional enforcement tools so that it canimpose fines, bring cease and desist proceedings, and bar or suspend individual perpetrators fromserving as corporate officers or directors, while preserving the full range of due process protectionstraditionally accorded to targets of enforcement activities. Moreover, with SEC support and assistance,criminal prosecution for fraudulent financial reporting should be made a higher priority.Improved Regulation of the Public Accounting ProfessionAnother regulatory function, the regulation of the public accounting profession, seeks to reduce theincidence of fraudulent financial reporting through ensuring audit quality and thereby enhancing earlydetection and prevention of such fraud. The Commission studied the existing regulation and oversight,which includes the profession's quality assurance program, and concluded that additional 'regulation-particularly a statutory self-regulatory organization-is not necessary, provided two key elements areadded to the present system. The first element is mandatory membership: all public accounting firms thataudit public companies must belong to a professional organization that has peer review and independentoversight functions and is approved by the SEC. The SEC should provide the second element:enforcement actions to impose meaningful sanctions when a firm fails to remedy deficiencies cited by aquality assurance program approved by the SEC.Adequate SEC ResourcesThe Commission directs many recommendations to the SEC, the agency with primary responsibility toadminister the federal securities laws. In that regard, the SEC must have adequate resources to performits existing functions, as well as additional functions, that help prevent, detect, and deter fraudulentfinancial reporting.Improved Federal Regulation of Financial InstitutionsFederal regulatory agencies, other than the SEC, have responsibility for financial reporting by certainpublic companies that are banks and savings and loans. The Commission recommends that these otheragencies adopt measures patterned on the Commission's recommendations for the SEC. To enhanceefforts to detect fraudulent financial reporting within financial institutions, the Commission also14 recommends that these federal agencies and the public accounting profession provide for the regulatoryexaminer and the independent public accountant to have access to each other's information aboutexamined financial institutions.Improved Oversight by State Boards of AccountancyState boards of accountancy can and should play an enhanced role in their oversight of the independentpublic accountant. The Commission recommends that these boards implement positive enforcementprograms to review on a periodic basis the quality of services rendered by the independent publicaccountants they license.Insurance and Liability CrisesFinally, the Commission's study of fraudulent financial reporting unavoidably has led to certain topicsbeyond its charge or ability to address. The perceived liability and insurance crises and the tort reformmovement have causes and implications far beyond the financial reporting system. They are trulynational issues, touching every profession and business, affecting financial reporting as well. Thosecharged with responding to the various tort reform initiatives should consider the implications for long-term audit quality and the independent public accountant's detection of fraudulent financial reporting.Moreover, the SEC should reconsider its long-standing position, insofar as it applies to independentdirectors, that corporate indemnification of officers and directors for securities law liabilities is againstpublic policy and therefore unenforceable.IV.Recommendations for Education (Chapter Five)Education can influence present or future participants in the financial reporting system by providingknowledge, skills, and ethical values that potentially may help prevent, detect, and deter fraudulentfinancial reporting. To encourage educational initiatives toward this end, the Commission recommendschanges in the business and accounting curricula as well as in professional certification examinationsand continuing professional education.Business and Accounting CurriculaThe complexity and serious nature of fraudulent financial reporting led the Commission to conclude thatany initiatives encouraged by its recommendations should permeate the undergraduate and graduatebusiness and accounting curricula. The Commission first recommends that business and accountingstudents gain knowledge and understanding of the factors that cause fraudulent financial reporting and ofthe strategies that can lead to a reduction in its incidence. To enable students to deal with risks of suchfraud in the future at public companies, the Commission recommends that business and accountingcurricula convey a deeper understanding of the function and the importance of internal controls and theoverall control environment within which financial reporting takes place. Students should realize thatpractices aimed at reducing fraudulent financial reporting are not simply defensive measures, but alsomake good business sense.In addition, part of the knowledge students acquire about the financial reporting system should be anunderstanding of the complex regulatory and law enforcement framework that government and private-sector bodies provide to safeguard that system and to protect the public interest. As future participants inthat system, students should gain a sense of what will be expected of them legally and professionallywhen they are accountable to the public interest.15 The Commission recommends that the business and accounting curricula also fosteor ptmhee ndte voeflskills that can help prevent, detect, and deter such fraud. Analytical reasoning, problem solving, and theexercise of sound judgment are some of the skills that will enable students to grapple successfully in thefuture with warning signs or novel situations they will encounter in the financial reporting process.Furthermore, the ethical dimension of financial reporting should receive more emphasis in the businessand accounting curricula. The curricula should integrate the development of ethical values with theacquisition of knowledge and skills. Unfortunately, the lack of challenging case studies based on actualincidents of fraudulent financial reporting is a current obstacle to reform. The Commission thereforerecommends that business schools give their faculty a variety of incentives and opportunities to developpersonal competence and suitable classroom materials for teaching about fraudulent financial reporting.Business school faculty reward systems should acknowledge and reward faculty who develop suchcompetence and materials.Professional Certification Examinations and Continuing Professional EducationThe Commission makes two additional recommendations relating to education. Both professionalcertification examinations and continuing professional education should emphasize the knowledge, skills,and ethical values that further the understanding of fraudulent financial reporting and promote areduction in the incidence of such fraud.Five-Year Accounting Programs and Corportae InitiativesThe makes no recommendation with regard to th-dei smcuscshed Commission proposal to expand theundergraduate accounting curriculum from 4 to 5 years. Rather, the Commission offers a number ofobservations based on its research and deliberations. Similarly, the Commliisnseiosn s omute of thenumerous opportunities for public companies to educate their direcatogresm, menatn, and employeesabout the problem of fraudulent financial reporting.16 Chapter OneOVERVIEW OF THE FINANCIALREPORTING SYSTEM ANDFRAUDULENT FINANCIAL REPORTINGI. Background to the ReportBefore developing recommendations responsive to fraudulent financial reporting, the Commissionsought to understand how and why it occurs. The financial reporting system is so complex, however, thatthe Commission began by examining the many components and functions of the system itself. Havinggained an understanding and appreciation of the complex system in which this type of fraud takes place,the Commission then could examine instances where the system broke down.Similarly, this chapter provides background information to facilitate an understanding of therecommendations that appear in Chapters Two through Five. The chapter briefly explains the financialreporting system and illustrates its components and functions, then summarizes the Commission'sanalysis of fraudulent financial reporting's causes, perpetrators and means.Finally, the chapter takes a mor-ed einpth look at the extent and effect of fraudulent financiianlg r,eportits evolutionary nature, and the need fo-re cffoescttive responses. These are among the fundamentalconclusions that guided the Commission in developing its recommendations.II. Financial Reporting System for Public CompaniesThe financial reporting system for public companies has many components, broadly organized into threemajor groups:?? Companies?? Independent public accountants?? Oversight bodies.The following exhibits illustrate the functional relationships among these components.Exhibit 1-1,page 18, illustrates the relationships of the three major groups in the financial reportingsystem to one another and to those who use publicly reported financial information.The company and its management are the key players in the financial reporting system; they bear theprimary responsibility for the preparation and c-ofn theen t financial statements. Financial statementsare management's representation as to the company's financial position and results of operations.Several oversight bodies that establish financial reporting standards and monitor compliance With thosestandards influence the reporting function. The company engagpesn dienndte public accountants torender an opinion as to whether the financial reports fairly present the company's financial position andresults of operations in conformity with established standards.17 EXHIBIT 1-1FINANCIAL REPORTING SYSTEMPUBLIC COMPANYOVERSIGHT OF FINANCIAL REPORTING?? SECURITIES AND EXCHANGECOMMISSION?? FINANCIAL INSTITUTIONINDEPENDENTREGULATORY AGENCIESPUBLIC?? FINANCIAL ACCOUNTINGACCOUNTANTSTANDARDS BOARD?? STATE AUTHORITIES?? NATIONAL ASSOCIATION OFSECURITIES DEALERS ANDSTOCK EXCHANGES?? ACCOUNTING PROFESSION?? COURTSFINANCIALREPORTSUSERS OFFINANCIAL REPORTS18 EXHIBIT 1-2THE PUBLIC COMPANYINTERNAL CONTROL ENVIRONMENT – “CORPORATE CULTURE”AUDIT COMMITTEEOF THEBOARD OF DIRECTORSBOARD OF DIRECTORSCHIEF EXECUTIVE OFFICER?? INTERNAL?? CHIEF FINANCIAL OFFICER?? LEGALAUDIT?? CONTROLLERDEPARTMENTFUNCTION?? ACCOUNTING DEPARTMENT- INTERNAL ACCOUTINGCONTROLS- ACCOUNTING SYSTEMFINANCIALREPORTS19 Exhibit 1-2, page 19, expands on Exhibi-t 1I , illustrating the components within the company that playroles in preparing financial statements.The company's accounting department actually prepares the financial statements. The chain ofcommand supervising this function typically proceeds from the controller through ntahnec icahlief fiofficer (CFO) to the chief executive officer (CEO). The legal department, or office of the general counsel,typically plays a key role in reviewing disclosure documents for compliance with applicable laws andregulations. The legal department also assists management in establishing and maintaining internalcontrols to prevent and detect noncompliance with other laws and regulations. The internal auditfunction, if present, performs an appraisal function within the company to examine, analyze, and makerecommendations on matters affecting the company's intetrrnoalsl . cTohne board of directors has aresponsibility to the company's shareholders to oversee management's performance. The board ofdirectors generally delegates its responsibility to oversee the company's financial reporting process to anaudit committee. All these participants and the functions they perform are part of the company's internalcontrol environment for the financial reporting system.Exhibit 1-3, page 21, illustrates the numerous organizations and agencies whose oversight, throughstandard-setting and compliance activities, affects the company's preparation of financial statements.The SEC is the federal agency primarily responsible for administering the federal securities laws, and itestablishes disclosure requirements for public companies. The SEC traditionalelyg ahtaesd d meluch ofits responsibility for setting standards for financial reporting to the private sector, retaining a role largelyof oversight. Accordingly, in preparing its financial statements, the public company looks to accountingprinciples set by the Financial Accounting Standards Board (FASB) as well as to SEC rules andpronouncements. If a federal banking or financial institution regulatory agency administers a publiccompany's disclosure obligation under the securities laws, tphaen yc omlooks to that agency'spronouncements rather than to those of the SEC. In addition, the stock exchanges and the NationalAssociation of Securities Dealers (NASD) set certain disclosure and other standards as requirements forlisting securities for trading. State securities or othmeri scsoiomns may impose regulations on financialreporting at certain times, such as in initial public offerings, or on companies in certain industries, suchas insurance. With the exception of the FASB, each of these parties participates to varying degrees withthe company's independent public accountant in overseeing the company's compliance with establishedstandards. In addition, the courts participate when the adequacy of a company's financial reporting is thesubject of a judicial proceeding.20 EXHIBIT 1-3OVERSIGHT OF FINANCIAL REPORTING BY PUBLIC COMPANIESSTANDARD SETTINGCOMPLIANCESECSEC?? SETS DISLCOSURE RULES?? REVIEWS FILINGS ANDAND STANDARDSINTERPRETS STANDARDS(REGULATIONS S-K, -X)?? ENFORCES COMPLIANCE?? OVERSEES PRIVATE SECTORSTANDARD S SETTINGPROCESSFINANCIAL INSTITUTIONREGULATORY AGENCIES?? REVIEW FILINGS ANDFASBINTERPRET STANDARDS?? ENFORCE COMPLIANCE?? ESTABLISHES GENERALLYACCEPTED ACCOUNTINGNASD AND STOCK EXCHANGESPRINCIPLES (GAAP) FOR ALLREPORTING ENTITIES?? REVIEW AND ENFORCECOMPLIANCE WITHSTANDARDS, RULES, ANDREGULATIONSFINANCIAL INSTITUTIONREGULATORY AGENCIESFed FHLBBSTATE GOVERNMENTOCC FSLICSECURITIES COMMISSIONS,FDICLEGISLATURES, ETC?? ESTABLISH SPECIFIC?? REVIEW AND ENFORCEREPORTING ANDCOMPLIANCE WITHDISCLOSURE REQUIRE-ESTABLISHEDMENTS FOR FINANCIALREQUIREMENTSINSTITUTIONSCOURTSNASD AND STOCK EXCHANGES?? ADJUDICATE?? ESTABLISH STANDARDS,GOVERNMENT ANDRULES AND REGULATIONSPRIVATE ACTIONS FORFOR DEALERS, MEMBERS,NONCOMPLIANCEAND MEMBER FIRMS?? INTERPERET LAWS ANDRULESSTATE GOVERNMENTSECURITIES COMMISSIONS,LEGISLATURES, ETCINDEPENDENT PUBLICACCOUNTANTS?? INTERPRET/SET STATELAWS, RULES, AND?? AUDIT AND ISSUEREGULATIONS ADDRESSINGREPORTS ON FINANCIALDISCLOSURE AT STATESTATEMENTS’LEVELCONFORMITY WITHREPORTING STANDARDSPUBLIC 2C1OMPANY EXHIBIT 1-4OVERSIGHT OF INDEPENDENT PUBLIC ACCOUNTANTSSTANDARD SETTINGCOMPLIANCEAICPA – AUDITING STANDARDS BOARDSEC(ASB)?? INDIRECTLY OVERSEES ASB?? ESTABLISHES GENERALLYTHROUGH REGULAR LIASONACCEPTED AUDITING STANDARDS?? EXERCISES AUTHORITY TO ISSUE ITS(GAAS) FOR ALL AUDITORSOWN REGULATIONS?? INDEPENDENTLY EVALUATES THEPEER REVIEW PROCESSAICPA DIVISION FOR CPA?? INDIRECTLY OVERSEESFIRMS – SECPSACCOUNTING PRONOUNCEMENTS,INFORMAL MEETINGS WITH FASB?? ESTABLISHES DISCLOSURE RULES?? ADMINISTERS THE PROFESSION’SQUALITY ASSURANCE PROGRAM,AGAINST WHICH THE AUDITORSTHE FOUNDATION OF WHICH ISMEASURE THE CORPORATION’STHE PEER REVIEW PROGRAMFINANCIAL REPORTS FORCOMPLIANCE?? MEMBERSHIP IS VOLUNTARYSPECIAL INVESTIGATIONS COMMITTEE(SIC)PUBLIC OVERSIGHT BOARD?? REVIEWS ALLEGATIONS OF AUDITFAILURE AND CONSIDERS THE?? MONITORS AND EVALUATES THENEED FOR CORRECTIVE ACTIONACTIVITIES OF THE SEC PRACTICEBY INDIVIDUAL FIRMSECTIONAICPA – PROFESSIONALETHICS PROGRAMSTATE BOARDS OF ACCOUNTANCY?? DEVELOPS STANDARDS ANDPROMOTES COMPLIANCE?? ENFORCE COMPLIANCE WITH??LICENSING REGULATIONS AND PRESENTS VIOLATIONS TO TRIALBOARDQUALITY ASSURANCE PROGRAMSSTATE BOARD OF ACCOUNTANCY?? ADMINISTER THE UNIFORM CPACOURTSEXAM???? ADJUDICATE GOVERNMENT AND LICENCE INDIVIDUAL CPAs?? ADMINISTER OWN QUALITYPRIVATE ACTIONS FORASSURANCE PROGRAMS (CERTAINNONCOMPLIANCE WITH GAASSTATE BOARDS)?? IN THE PROCESS, INFLUENCEPERFORMANCE STANDARDSTHROUGH INTERPRETATIONS ANDQUALITY ASSURANCE PROGRAMS OFJUDGEMENT AWARDSINDIVIDUAL CPA FIRMS?? ADMINISTER OWN QUALITYASSURANCE/ PEER REVIEWPROGRAMSINDEPENDENT PUBLIC ACCOUNTANTS22 Exhibit 1-4, page 22, illustrates the various private and government organizations that overseeindependent public accountants.The organizations and the agencies that set standards for independent public accountants include theAlCPA's Auditing Standards Board (ASB) and SEC Practice Section (SECPS) of its Division for CPAFirms, state boards of accountancy, and quality assurance programs of individual public accountingfirms. The SEC, the Public Oversight Board (POB), state boards, and the courts monitor the complianceof the independent public accountants with established standards.III.Breakdowns in the Financial Reporting System: Causes,Perpetrators, and MeansThe financial reporting system functions remarkably well. Public companies generally live up to thepublic trust by disclosing timely, complete, and relevant financial information. In addition, organizationscharged with overseeing the process of setting standards by and large dor aabnl e adjomb iofappropriately balancing the public interest and the burdens regulation imposes on business. Complianceand enforcement efforts are serious and generally effective.Yet exceptions occur, and the system occasionally breaks down. The Commission studied thosebreakdowns to determine, if possible, how and why they happened.Causes of Fraudulent Financial ReportingThe Commission reviewed both alleged and proven instances of fraudulent financial reporting, including119 enforcement actions against public companies or associated individuals and 42 cases againstindependent public accountants or their firms brought by the SEC from 1981 to 1986. A number of theSEC cases are reflected in 2 composite case studies prepared by researchers at the Harvard BusinessSchool, included in Appendix E.The Commission's studies revealed that fraudulent financial reporting usually occurs as the result ofcertain environmental, institutional, or individual forces and opportunities. These forces and opportunitiesadd pressures and incentives that encourage individuals and companies to engage in fraudulent financialreporting and are present to some degree in all companies. If the right, combustible mixture of forcesand opportunities is present, fraudulent financial reporting may occur.A frequent incentive for fraudulent financial reporting that improves the company's financial appearanceis the desire to obtain a higher price from a stock or debt offering or to meet the expectations ofinvestors. Another incentive may be the desire to postpone dealing with financial difficulties and thusavoid, for example, violating a restrictive debt covenant. Other times the incentive is personal gain:additional compensation, promotion, or escape from penalty for poor performance.Situational pressures on the company or an individual manager also may lead to fraudulent financialreporting. Examples of these situational pressures include:?? Sudden decreases in revenue or market share. A single company or an entire industry canexperience these decreases.23 ?? Unrealistic budget pressures, particularly for- tsehrmor tresults. These pressures may occur whenheadquarters arbitrarily determines profit objectives and budgets without taking actual conditions intoaccount.?? Financial pressure resulting from bonus plans that depend o-tne rsmho ertconomic perfomrance.This pressure is particularly acute when the bonus is a significant component of the individual's totalcompensation.Opportunities for fraudulent financial reporting are present when the fraud is easier to commit and whendetection is less likely. Frequently these opportunities arise from:?? The absence of a board of directors or audit committee that vigilantly oversees the financialreporting process.?? Weak or nonexistent internal accounting controls. This situation can occur, for example, when acompany's revenue system is overloaded from a rapid expansion of sales, an acquisition of a newdivision, or the entry into a new, unfamiliar line of business.?? Unusual or complex transactions. Examples include the consolidation of two companies, thedivestiture or closing of a specific operation, and agreements to buy or sell government securitiesunder a repurchase agreement.?? Accounting estimates requiring significant subjective judgment by company management. Examplesinclude reserves for loan losses and the yearly provision for warranty expense.?? Ineffective internal audit staffs. This situation may result from inadequate staff size and severelylimited audit scope.A weak corporate ethical climate exacerbates these situations. Opportunities for fraucdiuallent finanreporting also increase dramatically when the accounting principles for transactions are nonexistent,evolving, or subject to varying interpretations.Perpetrators and the Means They UseIndividuals with many different roles within a com- psaanlye s- representatives, operating amgaenrs,accountants, and executive- sh a-ve perpetrated fraudulent financial reporting. In a large majority of thecases the Commission studied, however, the company's top management, such as the CEO, thepresident, and the CFO, were the perpetrators. In some cases, the company made deliberatemisrepresentations to the independent public accountant, sometimes through falsified documents andrecords.Furthermore, the Commission's studies revealed that, while the perpetrators of fraudulent financialreporting use many different means, the effect of their actions is almost always to inflate or ”smooth;earnings or to overstate the company's assets. In addition, fraudulent financial reporting usually does notbegin with an overt intentional act to distort the financial statements. In many cases, fraudulent financialreporting is the culmination of a series of acts designed to respond to operational difficulties. Initially, theactivities may not be fraudulent, but in time they may become increasingly questionable. When the toneset by top management permits or encourages such activities, eventually the result may be fraudulentfinancial reporting.This scenario illustrates how fraudulent financial reporting can occur: The CEO, under pressure tocontinue increasing sales, has the shipping department work longer hours in the days prior to the end ofthe quarter. As the pressure mounts, he compounds the situation by delaying the recognition of salesreturns, instructing sales representatives to ;make the sales stick.; Finally, he commits a fraudulent act,by recognizing revenue from inventory shipped to a customer without authorization or from inventoryshipped24 to a public warehouse. He might also overstate sales by recognizing revenue from purported sales thatwere not consummated owing to materiallyi sufniesda tconditions; recognizing revenue from purportedfourth-quarter sales even though the msheipnts did not occur until after -yeenadr; and improperly treatingshipments consigned to salesmen as sales.Methods used to defer curr-epnetriod expenses or to overstate assets are equally diverse. They includeissuing falsified purchase orders to vendors, who then submit false invoices tlheantt lyfr aduedcureasethe cost of routine parts and increase the cost of capitalized equipment, failing to write off assets that hadbeen scrapped or could not be located, improperly changing the lives of the company's depreciableassets, failing to create an adequate reserve for known losses on obsolete inventory or delinquent loans,and recording nonexistent assets by falsifying inventory count tags.Independent Public AccountantsAlmost all the SEC's fraudulent financial reporting cases against independent public accountants allegeda failure to conduct the audit in accordance with Generally Accepted Auditing Standards (GAAS). Themost common alleged deviation from GAAS is the lack of sufficient competent evidential matter.Examples of this deficiency include failing to confirm account balangcleecst,i nnge to observeinventories, and placing undue reliance on uncorroborated managemreesnetn traetipons instead ofobtaining outside verification from third parties.In many cases, although indications of possible improprieties, or ;red flags,; existedde,n itn pduebpleicnaccountants failed to recognize or pursue them with skepticism. The SEC believed that, if theindependent public accountants had investigated these red flags, the fraudulent activity would have hada greater likelihood of being uncovered. Weak internal controls were the most commonly ignored redflag. In a number of cases, the independent public accountant knew or should have known that thecompany's internal controls were weak, but did nothing to investigate their potential impact.Although national public accounting firms audit 84 percent of public companies, 75 percent of the SECactions against independent public accountants and firms involved nonnational firms or solepractitioners. The alleged deficiencies in quality control included failure to train and supervise the auditstaffs adequately and failure to tailor audit programs to particular specialized industries. Thesedeficiencies correlate to the fact that a relatively high percentage of the SEC's cases against smaller,regional or local accounting firms and sole practitioners involved allegations doaf rsdu abusdtaitn work.IV.Extent and Effect of BreakdownsThe Commission also considered the extent to which breakdowns occur in the financial reporting systemand the effect such breakdowns have on affected parties. Both these inquiries, together with theCommission's analysis of the SEC cases, were critical to determining that the problem of fraudulentfinancial reporting should be addressed and to formulating recommendations to combat the problem.Indeterminate Number of IncidentsThe incidence of fraudulent financial reporting cannot be quantified with any degree of precision. Noanalysis yields a satisfactory result. The number of SEC proceedings against reporting companies from25 1981 to 1986 compared to the number of financial reports filed with the SEC during the same period, forexample, gives an incidence of considerably less than I percent. But this figure takes no account ofinstances the SEC did not detect, or of known or suspected instances of fraudulent financial reportingthat the SEC did not pursue because of the lack of sufficient evidence or resources. Moreover, itexcludes financial reporting by financial institutions that report to regulators other than the SEC.The Commission's reluctance to rely on the small number of SEC cases to quantify the extent offraudulent financial reporting was influenced by the views of others. The Chairman of the FDIC, forexample, contends that management fraud contributed -tthoi rdo noef bank failures. Similarly, aCommission study of bankruptcies found that 20 percent of the bankruptcies studied involved litigationagainst the independent public accountant. Half of this 20 percent (10 percent of the total bankruptciesstudied) also involved fraudulent financial reporting. All these findings indicate that any numericalestimate of the incidence of fraudulent financial reporting would be unsound.Furthermore, the Commission has concluded that such an estimate is unnecessary for its purpose.Others have found the same to be true when considering other types of securities fraud. The magnitudeof insider trading, for example, is equally difficult to quantify. SEC Chairman John Shad testified beforeCongress to that effect in June 1986 and roughly estimated that fraudulent securities activities, of whichinsider trading is only one type, amount to a fraction of I percent of the $50 billion in U.S. corporate andgovernment securities traded daily. At the same time, however, because insider trading has such adetrimental effect on public confidence in the fairness of the capital markets, Chairman Shad and theSEC recommended passage of the Insider Trading Sanctions Act of 1984 to increase deterrence of thistype of fraud, and they have pursued a well publicized enforcement program against insider trading.Although by available measures fraudulent financial reporting occurs infrequently, just as in the case ofinsider trading, when it does occur, its detrimental effects are serious and wide ranging.Victims of Fraudulent Financial ReportingPublic investors in the company's equity or debt securities are, of course, victims of fraudulent financialreporting. But they are not the only ones who suffer immediate and direct harm. The victims also includeothers who rely on the company's reported financial information:?? Banks and other financial institutions that lend funds to the company?? Depositors and shareholders of such institutions whose assets and investments, respectively, arejeopardized?? Suppliers who extend credit?? Customers who look to the company to perform on its contracts?? Merger partners who may enter into agreements based on inflated values?? Underwriters who distribute securities?? Financial analysts who give investment advice about the issuer and its securities?? The company's independent public accountants, who may find themselves named defendants or thesubject of an investigation?? Attorneys for the issuer, and perhaps for the underwriters?? Insurance companies that write directors' and officers' liability insurance and then experience largeclaims.26 Some of these victims, particularly independent public accountants, underwriters, and attorneys, not onlymay suffer losses themselves and damage to their reputations, but also may be named as defendants inprivate litigation because they represent ;deep pockets. ; When shareholders and others seek to recovertheir losses, the company, whose top management actually perpetrates the fraudulent financial reporting,is often insolvent, leading the victims to look to the accountants, underwriters, and attorneys fordamages.When the wrongdoing comes to light, people within the company who reported fraudulent financialinformation are injured as well. These employees and other insiders include:?? The company's management and directors, who may suffer loss of money as well as of reputationand standing?? Holders of large blocks of company stock, such as estates or family trusts, the value of whoseholdings may drop dramatically?? Employee stockholders, who may have purchased the issuer's securities directly or throughemployee benefit plans?? Employees, frequently at middle and lower levels, who become scapegoats for ;toeing the companyline;?? Honest employees and managers, whose careers may suffer from guilt by association.Even if fraudulent financial reporting does not actually come to light, or even take place, the companywith weak internal controls and other deficiencies does its employees a disservice by exposing themunduly to temptation.Fraudulent financial reporting also has a more remote, potentially more damaging impact: loss of publicconfidence. Widespread media attention to even a single instance of fraudulent financial reporting canshake public confidence in the integrity of financial reporting by a whole industry or, worse, by all publiccompanies. Public confidence in the fairness of financial reporting is critical to the effective functioningof the securities markets. The U.S. securities markets rely on full and ' fair disclosure, and financialinformation is an essential element of this disclosure. Also, loss of public confidence can increase thecosts of capital for companies that have not been involved in fraudulent financial reporting. Consumersultimately may bear these increased costs.V.Evolutionary Nature of Fraudulent Financial ReportingThe forces and opportunities that can lead to fraudulent financial reporting evolve as society changes, asdo the methods by which fraudulent financial reporting occurs. The Commission's recommendationstherefore cannot stand for all time as the most appropriate responses to the problem. Continued studiesof fraudulent financial reporting and its prevention and detection will be necessary.Two examples of societal changes that can affect fraudulent financial reporting are the Tax Reform Actof 1986 and developments in computers and information systems.Tax Reform Act of 1986The corporate alternative minimum tax provision of the Tax Reform Act of 1986 introduces newpressures that illustrate the evolutionary nature of fraudulent financial reporting. In the past, companiescould report earnings to the SEC and their shareholders that did not necessarily relate to earningsreported for tax27 purposes. The new tax law requires corporations to compute a minimum tax liability based on theirfinancial statement income. This change may affect financial reporting to shareholders by introducing taxissues into the setting of Generally Acceptecdou Ancting Principles (GAAP) and by givinorgp ocrationstax incentives to consider in connection with their publicly reported earningsputers, Information Systems, and Audit TrailsThe increasing power and sophistication of computers and co-bmapseudte rinformation systems maycontribute even more to the changing nature of fraudulent financial reporting. The last decade has seenthe decentralization and the proliferation of computers and information systems into almost every part ofthe company. This development has enabled management to make decisions more quickly and on thebasis of more timely and accurate information. Yet by doing what the-yp ladcoi nbge svtast quantities ofdata within easy rea-chomputers multiply the potential for misusing or manipulating information,increasing the risk of fraudulent financial reporting.On the other hand, advances in computers and information systems can improve the means ofpreventing and detecting fraudulent financial reporting. Auditors can use the computer's speed andpower to test more transactions or calculations than otherwise possible. Management and internalauditors can identify unauthorized access attempts, unusual transactions, or deviations from normalprocessing more easily.Using computer technology effectively to prevent, detect, and deter fraudulent financial reporting is achallenge that requires foresight, judgment, and cooperation among computer specialists, management,and internal auditors. For example, companies now can monitor financiatilo ntrsa ncsoanctinuously byusing auditing software modules embedded in the system. Whenm aant ioinnf osrystem is developed,the company should build in an audit trail. To ensure that controls are in place and to integrate fraudprevention and detection methods in the system itself, internal auditors should be involved when acompany develops computerized accounting applications.Developments in computers and information systems have a fundamental and pervasive impact on allthe participants in the financial reporting process. The Commission's conclusion that all participants inthe financial reporting process need to understand co-mbapsuetde rinformation systems is fundamentalto many of the recommendations in this report. Management needs to understand current computertechnology to be able, for example, to make informed decisions about the required level of security.Internal auditors and independent public accountants need this knowledge to be able to review andevaluate the adequacy of internal controls for computerized accounting systems. Also, with a knowledgeof information systems, they will be better equipped to audit using the computer rather than relying onuser departments' manual controls and direct tests of ending balances. The audit committee needssufficient understanding of computers and information systems to exercise its oversight responsibilities.VI.Need for Cost-Effective ResponsesThe need for co-setffective responses has been paramount in the Commission's deliberations.Accordingly, the Commission has limited its responses to recommendations that are reasonable in thecircumstances and that companies can implement realistically, with costs and burdens justified by the28 benefits to be achieved. This approach is particularly important because, although the known number offraudulent financial reporting cases is small, the number of companies that these recommendations mayaffect is large.At the same time, the Commission agrees with a position the SEC noted in-b tehnee cfiot satnalysis of arecent rulemaking action:It is fundamental to the capital formation process that investors who fund new enterprises betreated fairly and be given reasonable information concerning the businesses in which theyinvest. Moreover, requiring small businesses to live with appropriate regulations as a quid proquo for access to public markets will doubtless have the salutary side effect of accustoming theirmanagers to an ordered approach to the conduct of their businesses, thus facilitating their futureaccess to the capital markets. (From comment letter of American Bar Association, quoted inSEC Release No. 34- 23789, November 10, 1986.)The Commission recognizes that the -cboesntefit issue will be of concern to some people. The cost ofimplementing the Commission's recommendations will vary greatly because of tfheere wncidees dthifatexist in public company sizes as well as in current policies and practices. Many public companies andpublic accounting firms will incur little or no additional cost because they already have most of therecommendations in place as a matter of good business practice. Companies and firms that need toimprove present practices to accomplish things the Commission recommends may incur some slightadditional cost.On the other hand, companies and firms that do not have a substantial number of thed areticoonmsmenin place will face considerable s-hteormt implementation costs. The Commission's studies indicate thatfor smaller, newly public companies and smaller public accounting firms, these costs may be especiallysignificant. Yet, these entities may have a disproportionately greater risk of fraudulent financial reportingand thus may reap proportionately greater benefits. For these smaller entities and larger ones as well,the long-term benefits of implementihneg Ctommission's set of recommendations include enhancedcorporate control and ethical business conduct.Costs must be viewed in two ways. The cost of implementation can be quantified. Thet hoeth ceors ctost of failing to implement these recommend-aisti oimnspossible to quantify, yet it may be far larger andmore important. This cost is the potential loss of confidence of investors and the public in corporatemanagement and in the financial reporting system. Our capital markets and our private enterprisesystem cannot bear the loss of the public's trust and confidence in the integrity of the financial reportingsystem.The Spirit of the RecommendationsThe Commission urges all participants in the financial reporting process to implement both the substanceand the spirit of its recommendations. The Commission nonetheless recognizes that the resources toimplement its recommendations in smaller public companies and smaller public accounting firms maynot always be available. In rare situations where implementation of the substance of a recommendationis not possible the Commission urges companies and firms to introduce procedures that respond to itsspirit.The next four chapters present the Commission's recommendations for the participants in the financialreporting proce-stshe public company, the independent public accountant, and the SEC and otherregulatory and legal bod-iaess well as for educators of present and future participants.29 30 Chapter TwoRECOMMENDATIONS FOR THEPUBLIC COMPANYI.The Responsibility of the Public Company for Financial ReportingThe federal securities laws require public companies to disclose complete and accurate financialinformation regularly. The law imposes this obligation when a company begins the process of becominga public company, and the obligation continues in effect as long as the company maintains public status.Implicit in this obligation is the requirement that the company's financial statements be complete and notmisleading in any material respect.Congress itself identified financial statements as an essential component of the disclosure system onwhich the U.S. securities markets are based. So important is financial statement disclosure, in fact, thatCongress in enacting the Foreign Corrupt Practices Act (FCPA) in 1977 imposed direct regulationdesigned to ensure that public companies can meet their financial disclosure obligations. This addedstatutory obligation requires public companies to keep books and records that reflect their transactionsand assets accurately and fairly and to maintain a system of internal accounting control that enablesthem to prepare financial statements in conformity with Generally Accepted Accounting Principles(GAAP).The public company has the initial and the final responsibility for its financial statements. Within thecompany lies the greatest potential for reducing fraudulent financial reporting. Thus the Commission firstlooked to the public company when developing its recommendations, beginning by exploring the forcesand opportunities that can lead to fraudulent financial reporting.The Commission found that no company, regardless of size or line of business, is immune from thepossibility that fraudulent financial reporting will occur; that possibility is inherent in doing business. Theforces and opportunities that appeared in numerous SEC enforcement cases are present to some extentin all companies. The Commission also found that companies have a number of practices already inplace to help them deal with these forces and opportunities. All companies would benefit from adoptingsimilar practices to reduce the incidence of fraudulent financial reporting.Addressing the Problem at Two LevelsThe Commission's recommendations will reduce the incidence of fraudulent financial reporting byaddressing the problem at two levels. Top management should:Level 1. Establish the appropriate tone, the overall control environment in which fciniaalnreporting occursLevel 2. Maximize the effectiveness of the functions within the company that are critical tothe integrity of financial reporting: the accounting function, the internal auditfunction, and the audit committee of the board of directors.The first three recommendations in this chapter are aimed at the first level, the tone set by topmanagement. All the recommendations that follow depend on these recommendations. Topmanagement31 first must establish the proper environment, one in which fraudulent financial reporting is less likely tooccur and, if it does occur, Js more likely to be detected.The section of the chapter that addresses the tone at the top suggests a framework for improving thecorporate environment or culture. The framework includes three steps: identifydienrgs tand iunng thefactors that can lead to fraudulent financial reporting, assessing the risk of this type of fraud, anddesigning and implementing internal controls. The Commission then recommends that every publiccompany develop and enforce a written code of corporate conduct as a tangible embodiment of the toneat the top.The chapter next turns to the second level, maximizing the effectiveness of the functions within thecompany that are critical to the integrity of financial reporting. The Commission first addresses two keyfunctions within the comp-athney accounting function and the internal audit function. Next, theCommission's recommendations concern the role of another critical component in the financial reportingprocess: the audit committee of the board of directors. This section discusses ways the audit committeecan be more effective in preventing and detecting fraudulent financial reporting.The chapter then concentrates on the need for top management and the audit committee tocommunicate their respective responsibilities to financial statement users. The Commission presentsrecommendations for a management report and an audit committee chairman's letter, both as part of theannual report to stockholders. The chapter then looks at two specific areas for improvement: seeking asecond opinion from another public accounting firm, and the role of the audit committee in quarterlyreporting. The focus of the final section of the chapter is the Commission's recommendation for itssponsoring organizations to cooperate in developdinitgoi naadl, integrated guidance on internal controls.The Commission has distinguished fraudulent financial reporting from other corporate illegal acts thatcan cause a company's financial statements to be misleading. The Commission's primary objective wasto identify causal factors that can lead to fraudulent financial reporting and to develop recommendationsto reduce its incidence. While other kinds of corporate illegality, such as noncompliance with variouslaws and regulations, may have a material effect on financmiale nstsa,t ethe misleading financialstatements are a -bpyroduct or a result, rather than the objective, of the illegal acts. The Commissionnonetheless believes that implementation of the recdoamtimonesn this chapter presents will providebenefits to public companies beyond the increased prevention of fraudulent financial reporting, as it hasdefined that term. The appropriate tone set by top management should enhance a company'scompliance with laws and regulations as well as reduce the incidence of fraudulent financial reporting.Similarly, a properly designed system of internal control to reduce the incidence of fraudulent financialreporting will inherently increase the prevention and detection of noncompliance with laws andregulations.II.Tone at the TopThe tone set by top managem-tehnet corporate environment or culture within which financial reportingoccurs-is the most important factor contributing to the integrity of the fipnoarnticniagl prreocess.Notwithstanding an impressive set of written rules and procedures, if the tone set by management is lax,fraudulent financial reporting is more likely to occur.The measures a company can take to establish the right tone at the top include a wide range of options.But, to be effective, each option must include certain steps. The Commission suggests the following32 framework to help public companies incorporate these steps into their efforts to prevent and detectfraudulent financial reporting.FrameworkThe Commission's recommended framework includes three steps:Step 1.Identify and understand the factors that can lead to fraudulent financial reinpgo,rtincluding factors unique to the companyStep 2.Assess the risk of fraudulent financial reporting that these factors create winiththe companyStep 3.Design and implement internal controls that will provide reasonable assurancethat fraudulent financial reporting will be prevented or detected.Steps 1 and 2.Identifying, Understanding, and Assessing the Risk of Fraudulent FinainaclReportingRecommendation: For the top management of a public company to discharge its obligationto oversee the financial reporting process, it must identify, understand, and assess thefactors that may cause the company's financial statements to be fraudulently misstated.The process of identifying, understanding, and assessing the factors that may create a risk of fraudulentfinancial reporting in a company is vital. This assessment enables a company to design and implementinternal controls to minimize the risks it identifies.The process of assessing the risk of fraudulent financial reporting requires judgment and insight. Ratherthan entailing a separate effort or project, this process entails bringing to regumlaer nmt aancatigveitiesa heightened awareness of and sensitivity to the potential for fraudulent financial reporting. Accordingly,it is not intended that this process involve costly documentation, such as that which many companieshave undertaken in response to the FCPA. Top management's judgment dictates the extent and thenature of the assessment appropriate to the particuplaarn cyo.mIndividuals at all levels of the company, including operating management, attorneys, financial managers,and internal auditors, participate in the assessment, -bleuvte tl ocporporate manamgent, such as theCEO and the CFO, must supervise the process. In addition, the audit committee of the board of directorsshould review periodically the company's risk assessment process and management's responses tosignificant identified risks.The Good Practice Guidelines for Assessing the Risk of Fraudulent Financial Reporting, presented inAppendix F, illustrate some of the factors that can influence fraudulent financial reporting and can serveas a frame of reference for understanding and assessing the risk of fraudulent financial reporting.Step 3.Designing and Implementing Internal ControlsRecommendation: Public companies should maintain internal controls that providereasonable assurance that fraudulent financial reporting will be prevented or subject to earlydetection.The role of internal control in preventing and detecting fraud, well recognized in practice for many years,was recognized in federal legislation in 1977. The FCPA requires each SEC registrant to devise andmaintain a system of internal accounting control sufficient to provide reasonable assurance that (1)33 transactions are authorized by management, (2) transactions are recorded as necessary to permitpreparation of the financial statements and to maintain accountability for assets, (3) access to assets ispermitted only with management's authorization, and (4) existing assets are compared with recordedaccountability, and appropriate action is taken with respect to any differences.Internal accounting controls are generally interpreted to include the company's accounting system andspecific control procedures. The accounting system consists of the methods and the records that thecompany uses to identify, assemble, classify, and record its transactions. The company's specific controlprocedures are its individual policies for processing transactions such as clerical checks, documentcomparisons, reconciliations, and independent assets counts. Internailn agc counntrtols are directedprimarily at systematically recorded transactions th-alte vloewl ermployees generally perform.Fraudulent financial reporting continues to occur despite the FCPA's statutory requirement thatcompanies maintain adequate internal accounting controls. A Commission study of 119 fraudulentfinancial reporting actions brought by the SEC from 1981 to 1986 found that management in thosecompanies repeatedly had been able to override systems of internal accounting control. Other instancesof fraudulent financial reporting involved transactions under management's direct control and not part ofthe system of internal accounting controls, such as those requiring significant estimates and judgments,Therefore, internal controls broader than the internal accounting controls contemplated under the FCPAare necessary to reduce the incidence of fraudulent financial reporting.The broad term internal control is often used to describe both controls over operational tasks like productquality assurance, production, and plant maintenance and controls over the financial reporting process.Although operational or administrative controls are an essential element of managing a company'saffairs, some do not affect financial reporting directly and therefore are beyond the scope of this report.Controls that affect financial reporting directly include more than internal accounting controls. They alsoinclude elements not generally considered part of internal accounting controls, such as the internal auditfunction and the audit committee of the board of directors. These control elements and all othercomponents of the overall corporate control environment, together with the internal accounting controls,comprise the internal controls that can prevent and detect fraudulent financial reporting.The corporate control environment is the atmosphere in which the internal accounting controls areapplied and the financial statements are prepared. A company's control environment includesmanagement philosophy and operating style, organizational structure, methods of communicating andenforcing the assignment of authority and responsibility, and personnel management methods. Thecontrol environment has a pervasive impact on the entire process by which a company's financial reportsare prepared.Well-run public companies have effective systems of internal control not just because internal control isthe first line of defense against fraud, but because a strong system of internal control makes goodbusiness sense and is co-estffective.Each company must design its internal controls according to its own unique circumstances, weighing thebenefits of each control in relation to its cost. Every public company, however, should have a writtencode of corporate conduct as a prerequisite to an effective system of internal control, and to establish theappropriate tone at the top and throughout the company.34 Code of Corporate ConductRecommendation: Public companies should develop and enforce written codes of cor-porate conduct. Codes of conduct should foster a strong ethical climate and openchannels of communication to help protect against fraudulent financial reporting. As apart of its ongoing oversight of the effectiveness of internal controls, a company's auditcommittee should review annually the program that management establishes to monitorcompliance with the code.A strong corporate ethical climate at all levels is vital to -tbhei nwge ollf the corporation, all itsconstituencies, and the public at large. Such a climate contributes importantly to the effectiveness ofcompany policies and control systems and helps influence behavior that is not subject to even the mostelaborate system of controls. Consequently, a strong corporate ethical climatseiz inegmphaaccountability helps to protect a company against fraudulent financial reporting.A written code of corporate conduct strengthens the corporate ethical climate by signaling to allemployees standards for conducting the company's affai-rdse. fWineldl ethical standards and guidelinesfor acceptable behavior promote ethical de-cmisaiokning at all levels of the organization and helpresolve ethical dilemmas that arise.To succeed, a code of corporate conduct must have the full support of management and the board ofdirectors. The most influential factors in determining the code's effectiveness are the attitude and thebehavior of the top officers and directors, who set the example for the entire company. The CEO, inparticular, has a special role; his attitude, behavior, and expectations of others strongly influence theactions of other upp-leervel managers.The development of a corporate code is not an overnight task. A company must invest the necessarytime, energy, and resources to ensure that the code is tailored to its circumstances. Since thosecircumstances will evolve to meet changing demands, the company must update the code periodically.Finally, the full support of management and the board is needed to ensure that the code receiveswidespread understanding and support. Employees representing all levels of the corporation should beencouraged to participate in the code's development and evolution in an appropriate fashion. Suchcollaboration can minimize cases of noncompliance due to lack of understanding and can promoteacceptance and adherence. In addition, the code and any amendments must be publicized throughoutthe corporation.A code of corporate conduct also can help establish an environment where open communication isexpected, accepted, and protected. Management needs a free flow of information to assist it in directingthe company's operations, especially in a large, decentralized business. This need is critical in assessingthe risk of fraudulent financial reporting. An atmosphere of open caotmiomn uanlliows an employee,when confronted with suspected fraud, to bring the problem to the attention of those high enough in thecorporation to solve it without fear of reprisal.The code also must provide an accessible internal complaint and appeal mechanism. aTnhisism mechshould be designed to facilitate internal disclosures, particularly those involving allegations of fraudulentfinancial reporting or other misconduct. The mechanism could take a variety of forms, such as the use ofan ombudsman.Such internal procedures offer a number of advantages. They allow management to correct inadvertentmistakes and mistakes that may result from bad judgment or failure to recognize a problem. They also35 encourage employees to act in good faith and tend to ensure the validity of any complaint. In addition,effective internal action may make external disclosures to government authorities or other third partiesunnecessary.The code of corporate conduct should protect employees who use these internal procedures againstreprisal. Failure to adopt guarantees against reprisal as well as to provide an effective internal complaintprocedure could undermine the vitality of codes of conduct, and encourage a call for anti-retaliatorylegislation, for which there is ample precedent at the state and the federal level.The Commission has observed a great deal of diversity in written codes of corporate conduct. Some aregeneral, others specific in their content and direction. Corporate management should develop a code thatfits the particular circumstances of their business. Nearly all codes of conduct, however, should include aconflic-tof-interest policy, to prevent actual or apparent improprietiesn eicnt iocno nwith businesstransactions; a corporate policy of compliance with domestic and foreign laws affecting its business,including those laws relating to financial disclosures; and a policy of confidentiality relating to thecompany's proprietary information.Yet another element is indispensable to the success of a code of conduct: adequate monitoring andenforcement mechanisms. Management is responsible for determining how best to establish adequatemonitoring and enforcement mechanisms and for implementing these mechanisms. This responsibility istypically carried out through the legal department, internal audit department, or a separate ombudsmanfunction. The board of directors should be responsible through its audit committee for reviewing theprogram that management establishes to monitor compliance with the code of conduct. Employees at alllevels should understand that violation of the law or compromise of the company's code of conduct canresult in serious disciplinary actions (including dismissal and criminal or civil proceedings whereappropriate) and that no employee is exempt from the code.Written codes of corporate conduct have further advantages. Such codes foster a strong ethical climate,helping to create a work environment that appeals to company personnel at all levels. With an effectivecode, a company's employees may be more highly motivated, and the company may be able to attractand retain better employees. In an era when loyalty between organizations and their customers seemsless enduring, a company's concern for a strong ethical climate also may generate a positive imageoutside the organization, which can lead to increased business opportunities.III. Two Key Functions: Accounting and Internal AuditAs the company acts to set an environment that is a strong deterrent to fraudulent financial reporting, italso must address fraudulent financial reporting at a second level by maximizing the effectiveness of twocritical functions within the company: the accounting function and the internal audit function.A.Accounting Function and Chief Accounting OfficerRecommendation: Public companies should maintain accounting functions that are de-signed to meet their financial reporting obligations.A public company's accounting function is an important control in preventing and detecting fraudulentfinancial reporting. The accounting function must be designed to allow the company and its officers tofulfill their statutory financial disclosure obligations.36 As a member of top management, the chief accounting officer helps set the tone of the organization'sethical conduct and thus is part of the control environment. Moreover, the chief accounting officer isdirectly responsible for the financial statements, and can and should take authoritative action to correctthem if necessary. He generally has the primary responsibility for designing, implementing, andmonitoring the company's financial reporting system and internal accounting controls. The controller mayserve as the chief accounting officer, or the chief financial officer also may perform the functions of achief accounting officer.The chief accounting officer's actions especially influence employees who perform the accountingfunction. By establishing high standards for the company's financial disclosures, thcoeu cnhtinegf acofficer guides others in the company toward legitimate financial reporting.Moreover, the chief accounting officer is in a unique position. In numerous cases, other members of topmanagement, such as the chief executive officer, pressure the chief accounting officer into fraudulentlymanipulating the financial statements. An effective chief accounting officer is familiar with the company'sfinancial position and operations and thus frequently is able to identify unusual situations caused byfraudulent financial reporting perpetrated at the divisional level.The chief accounting officer has an obligation to the organization he serves, to the public, and to himselfto maintain the highest standards of ethical conduct. He therefore must be prepared to take actionnecessary to prevent fraudulent financial reporting. His efforts may entail bringing matters to theattention of the CEO, the CFO, the chief internal auditor, the audit committee, or the entire board ofdirectors.The Financial Executives Institute (FEI) and the National Association of Accountants (NAA) play activeroles in enhancing the financial reporting process by sponsoring research, tecfhensisciaoln aplroguidance, and continuing professional education and by participating in the shaping of standards. Bothorganizations also have promulgated codes of conduct that strongly encourage reliable financialreporting. Public companies should encourage their accounting employees to support theseorganizations and adhere to their codes of conduct.B.Internal Audit Function and Chief Internal AuditorRecommendation: Public companies should maintain an effective internal audit functionstaffed with an adequate number of qualified personnel appropriate to the size and thenature of the company.Properly organized and effectively operated, internal auditing gives management and the auditcommittee a way to monitor the reliability and the integrity of financial and operating information. Theinternal audit function thus is an important element in preventing and detecting fraudulent financialreporting.Support of Top ManagementTo be effective, internal auditors must have the acknowledged support of top management and the boardof directors through its audit committee. The company should set forth in writing the scope ofresponsibilities for the internal audit function. The scope of responsibilities as well as any change in roleor function should be the subject of review by the audit committee. The optimal size of the internal auditfunction and the composition of its staff depend on the company's size and nature and the scope ofresponsibilities assigned to the function.37 The education, experience, and professionalism of the internal auditors help determitnivee tnhes esffecof the internal audit function. The company should encourage the development of its internal auditors byproviding continuing professional education programs and offering attractive career paths.The Commission recognizes that some smaller companies could experience a significant hardship ifcompelled to employ persons to serve exclusively as internal auditors. Thus, the Commission's use ofthe term internal auditor includes, where appropriate, persons who do not fculunscitvioenly eixn thatcapacity.IIA StandardsThe professionalism of internal auditors has been enhanced in recent years by the efforts of the Instituteof Internal Auditors (IIA), the professional organization for internal auditors. Standards of the IIA offerexcellent guidance for effective internal auditing and reflect some of the most advanced thinking onfraud prevention and detection. The Commission encourages pupbalinc iecos mwho have not done so toconsider adopting the IIA standards. These standards appear in Appendix G.The IIA's standards call for a quality assurance program to evaluate the operations of the internal auditfunction. The standards provide guidelines that describe, as suitable means of meeting the qualityassurance standard, a program that includes the following elements: supervision, internal reviews, andexternal reviews. The Commission endorses these concepts as ways to enhance the effectiveness of theinternal audit function. Confidentiality and other issues associatetde rwniathl rexviews are important inmanagement's decisions as to who should conduct such reviews, how they should be conducted, andwith what frequency they should be conducted.Objectivity of the Internal Audit FunctionRecommendation: Public companies should ensure that their internal audit functions areobjective.The effectiveness of a company's internal audit function depends a great deal on the objectivity of thechief internal auditor and his staff. Public companies should ensure that their internal auditors are free toperform their functions in an objective manner, without interference and able to report findings to theappropriate parties for corrective action. Three principal factors contribute to independence andobjectivity: the organizational positioning of the function, the corporate stature of the chief internalauditor, and the reporting relationship of the chief internal auditor to the audit committee.For day-to-day operational purposes, the chief internal auditor should report administratively to a seniorofficer who is not directly responsible for preparing the company's financial statements. The Commissionencourages an administrative reporting relationship in which the chief internal auditor reports directly tothe CEO, but acknowledges that this organizational structure may be impractical in some corporations.At a minimum, however, the chief internal auditor should have direct and unrestricted access to the CEOand the Commission encourages the CEO to conduct regularly scheduled meetings with the chiefinternal auditor, no less frequently than every quarter.The chief internal auditor should be an experienced executive, preferably with a background in auditingor a related field, and he should have the necessary business acumen to work effectively with fellowsenior officers. The chief internal auditor should occupy a position of high stature within the organization.38 In addition, the chief internal auditor should have direct and unrestricted access to the audit committeeand he should meet privately with the committee on a regular basis. He also should attend all auditcommittee meetings, reporting to the committee at regular intervals on the activities of the internal auditfunction.The internal audit function can be an important resource for the audit -cao mvamluitatbeele i-nhousesource of information and staff. The importance of the internal audit function to the audit committeeleads the Commission to believe that the audit committee should review thmee natp paonidn tthedismissal of the chief internal auditor.Impact of Nonfinancial Audit FindingsRecommendation: Internal auditors should consider the implications of their nonfinancialaudit findings for the company's financial statements.Internal auditors also provide services to the organization broader than those relating to financialauditing. Operational auditing, acquisition reviews, and special investigations are a few examples. Theseservices benefit the company substantially and give the internal a-duedpitohr kinowledge of manydifferent aspects of the company's operations. This unique perspective enables internal auditors to behighly effective in detecting fraudulent financial reporting, particularly if internal auditors systematicallyconsider the results and potential impact of the nonfinancial audits on the financial statements.Involvement at the Corporate LevelRecommendation: Management and the audit committee should ensure that the internalauditors' involvement in the audit of the entire financial reporting process is appropriateand properly coordinated with the independent public accountant.With their knowledge of the organization and its controls, internal auditors have considerable potential forpreventing and detecting fraudulent financial reporting. But the full potential often is not realized, in partbecause the role the internal auditors have in the audit of financial statements at the consolidated level isoften limited.A Commissio-nsponsored study found that internal auditors often concentrate on the review of controls atthe division, subsidiary, or other business component level, rather than at the corporate level.Independent public accountants, on the other hand, generally are responsible for the audit examinationat the corporate level. Appropriate involvement by the internal auditorsp oarta tthee lecoverl, effectivelycoordinated to avoid duplication of the independent public accountants' efforts, can help prevent anddetect fraudulent financial reporting.IV .Audit Committee of the Board of DirectorsThe audit committee of a company's board of directors can play an important role in preventing anddetecting fraudulent financial reporting. The Commission highlights important aspects of the auditcommittee's oversight function throughout this chapter in the course of its discussions of otherrecommendations. In addition, the Commission offers six specific recommendations.39 Mandatory Independent Audit CommitteeRecommendation: The board of directors of all public companies should be required bySEC rule to establish audit committees composed solely of independent directors.Primary responsibility for the company's financial reporting lies with top management, overseen by theboard of directors. To help boards of directors carry out this oversight responsibility, the Commissionrecommends that all public companies establish audit committees consisting of independent directors.Establishment of such committees, of course, does not relieve the other directors of their responsibilitywith respect to the financial reporting process.Most of the Commission's research studies emphasized the potentially positive influence of an effectiveaudit committee. One study found that, for example, while 85 percent of all public companies have auditcommittees, a significantly smaller percentage (69 percent) of the public companies involved in thefraudulent financial reporting cases brought by the SEC from 1981 to 1986 had audit committees. [Infact, the 69 percent figure is high because, in 39 of 119 cases studied, the presence of an auditcommittee was unlikely but these cases were excluded because that fact could not be verified fromavailable public sources. None of the 39 companies was listed on the NYSE (which requires auditcommittees) or filed proxy material with the SEC and many were involved in an initial public offering.]To implement the Commission's recommendation that all public companies have independent auditcommittees, an SEC rule is necessary. The SEC has long recognized the importance of independentaudit committees to the integrity of financial reporting. But the SEC has deferred to the policies andpractices of the New York Stock Exchange (NYSE) and othe-Rr eSgeulflatory Organizations (SROs).While all the SROs have considered the issue, only the NYSE requires that all its listed companies haveaudit committees composed solely of independent directors. The National Association of SecuritiesDealers (NASD) has recently required that all national market system companies establish and maintainaudit committees that have a majority of independent directors. The Commission commends the SEC fornot wishing to impose any unnecessary direct government regulation, but experience with independentaudit committee requirements desmtraotnes that it is now time for direct action by the SEC.The ultimate determination as to the SEC's authority to require independent audit committees underexisting statutes is beyond the charge of this Commission. If the SEC lacks the requisite rulemakingauthority, it should seek the legislation necessary to implement this recommendation. At the same time,the Commission notes that several potential sources of authority lie within the Securities Act of 1933 andthe Securities Exchange Act of 1934. In particular, the SEC might predicate its rule on provisions ofthose Acts which (1) impose requirements for financimal aitniofonr certeifdi by ;independent; publicaccountants, (2) grant the SEC the express power to define terms used in the Acts, including;accounting; terms, (3) require public companies to devise and maintain systems of internal accountingcontrols, and (4) grant the SEC broad ruleinmga akuthority to adopt rules and regulations necessary andappropriate to effectuate the purposes of the statutes.With respect to the SEC's broad rulemaking authority, the Commission's study of fraudulent financialreporting cases may provide a factual predicate that a rule mandating audit committees is necessary andappropriate to implement the disclosure provisions of the federal securities laws. In this regard, theCommission believes that the audit committee's role is important to the financial reporting process. Theaudit committee's assessment of the independence of the public accountant and its review of theadequacy of, and compliance with, internal accounting controls contribute significantly, as does its role inthe company's overall control environment.40 Mandating audit committees is necessary but does not go far enough. The audit committee must becomposed of independent directors to provide truly effective oversight of the company's financialreporting process. In considering ;independence,; the Commission noted that the NYSE audit committeepolicy defines an independent director, for the purpose of audit committee membership, as independentof management and free from any relationship that, in the opinion of the board of directors, wouldinterfere with the exercise of independent judgment as a committee member. Directors who are affiliatesof the company or officers or employees of the company or its subsidiaries are not ;indep