Collusion takes place when management, employees, or third parties work together to conceal fraud, thereby defeating the internal controls and rendering them ineffective. Analysis of SEC Accounting and Auditing Enforcement Releases (AAER) has shown that 89% of fraudulent financial reporting involves the CEO, CFO, or both (COSO, “Fraudulent Financial Reporting: 1998–2007; An Analysis of U.S. Public Companies,” 2010). Because top executives do not manage the accounting records, these types of fraud require collusion with others in the organization. Independent auditors must enhance their application of risk assessment procedures to become more effective in detecting such collusion.

When documenting internal control over financial reporting (ICFR), auditors must obtain an understanding of all five components of internal control identified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO, “Improving Organizational Performance and Governance: How the COSO Frameworks Can Help,” 2014). More specifically, PCAOB Auditing Standard (AS) 12, Identifying and Assessing Risks of Material Misstatement, as well as AU section 316 (adopted by the PCAOB in April 2003) and AU-C section 240, stress that an auditor must understand the entity and its environment.

All too often, auditors use a standardized questionnaire or checklist to document ICFR. The questionnaire or checklist may remain unchanged year after year, becoming less and less effective with each audit. Auditors also document ICFR using a flowchart; however, this usually consists only of steps to be followed in a procedure. Statement on Auditing Standards (SAS) 99, Consideration of Fraud in a Financial Statement Audit, states that an auditor should evaluate “other information,” but what additional sources can an auditor use to obtain it? Network analysis is one diagnostic and investigative tool that can enhance an auditor’s understanding of an organization’s environment, and especially possible ties that could indicate collusive fraud.

SAS 99 and Collusion

The AICPA issued SAS 99 in October 2002 to provide additional guidance on the evaluation of fraud risk. SAS 99 integrated fraud risk factors with the fraud triangle theory, thus incorporating psychology and sociology into the auditing literature. Despite this guidance, collusive fraud continues to occur.

SAS 99 describes how collusion might occur, but does not specifically offer guidance on evaluating the risk of collusion. It states that when fraud perpetrators attempt to conceal fraud from auditors, certain conditions may be present. Auditor judgement is still required for this evaluation, as additional risk factors with varying significance may exist, and merely reviewing the list of fraud risk factors may not raise any red flags. In addition, SAS 99 suggests that the presence of one risk factor might not be a positive indicator of fraud and recommends that fraud risk factors be evaluated as a whole when performing the fraud risk assessment.

This creates the need for continuous collusive fraud risk assessment (S. E. Silver, A. S. Fleming, and R. A. Riley Jr., “Preventing and Detecting Collusive Management Fraud,” The CPA Journal, October 2008, pp. 46–48). In developing a viable framework for such assessment, the profession should look to the field of criminology for additional diagnostic and investigative tools. By using network analysis in the search for fraud risk factors, auditors can evaluate the risk of collusion more effectively while still maintaining a cost-effective, focused, and flexible audit strategy.

Network Analysis and Corporate Fraud

The fraud triangle theory adopted in SAS 99 provides an adequate framework for explaining occupational frauds, such as embezzlement. The theory has been criticized, however, as ineffective in explaining group fraud (R. Tillman, “Reputations and Corporate Malfeasance: Collusive Networks in Financial Statement Fraud,” Crime, Law, & Social Change, April 2009, vol. 51, nos. 3–4, pp. 365–382). Tillman reported that financial statement fraud often involved collusion between top executives and others. Although financial statement fraud is the least common type of fraud, the losses resulting from such collusion greatly surpass those of other types.

Michael Levi believes that since financial statement fraud is by nature conspiratorial, auditors should evaluate the risk of fraud by examining the networks of communication—that is, both social and professional ties (“Organized Frauds and Organizing Frauds: Unpacking Research on Networks and Organization,” Criminology & Criminal Justice, November 2008, vol. 8, no. 4, pp. 389–419). Criminologists have for several years used network analysis for just this purpose.

Network analysis provides a visual model for analyzing and evaluating employee and organizational relationships. While flowcharts document procedures, network analysis takes this to another level, documenting and identifying relationships between people and organizations. This has been depicted in popular media with the “evidence wall,” such as when a police detective maps out clues and suspects and links them with an array of crisscrossing strings. Just as network analysis aids criminal investigators, it can also be valuable to an auditor, giving a broader perspective of the total organizational environment.

Individual characteristics interact through relationships to create a culture. Network theory follows criminologist Edwin Sutherland’s differential association theory, whereby criminal behavior is learned from others. In 1998, D. J. Brass, K. D. Butterfield, and B. C. Skaggs used network analysis to determine that ethical and unethical behavior permeate corporate culture (“Relationships and Unethical Behavior: A Social Network Perspective,” Academy of Management Review, January 1998, vol. 23, no. 1, pp. 14–31). They reported that using a network perspective to examine relationships could identify two important factors in an organizational environment: influence and management attitude. This is consistent with other explanations of fraud, such as the fraud diamond (David T. Wolfe and Dana R. Hermanson, “The Fraud Diamond: Considering the Four Elements of Fraud,” The CPA Journal, December 2004, pp. 38–42), where influence plays a significant role. Analysis of a company’s relational and communication structure can provide auditors with an understanding of who has control over procedures, as well as those who are influential in the network. Because network analysis is primarily visual, fraud risk factors might appear more prominent and relevant to the particular situation. This makes identifying occurrences of fraud and communicating findings to the audit team more efficient.

Applying Network Analysis

Developing background information is a crucial step for auditors, and inquiries to management and personnel must be thorough. It is important to question both financial and nonfinancial managers, as this might reveal inconsistencies in applying accounting principles. Auditors should also search for known and suspected relationships with other executives, both internally and externally. Brass et al. (1998) found that individuals linked by strong ties, as well as those in top management positions, will have similar attitudes, thus constituting the “tone at the top.” After completing the inquiries, auditors can glean other information from accounting transactions and documents, revealing relationships with significant customers, relevant communications and emails, and the minutes of board meetings. An auditor can then begin to evaluate the communication environment.

In network analysis, auditors can evaluate communications among individuals, organizations, or accounting transactions. This evaluation can utilize several perspectives: known or suspected ties, the strength of the ties, or even the direction of the ties. Brass et al. (1998) found that the type of relationship also contributed to unethical behavior, describing these relationship types according to strength, status, direction, frequency, and business/personal.

After an auditor evaluates the communications, the next step is to translate known ties and suspected ties into an association matrix. A simple table of rows and columns, the matrix lists all participants along the left-hand side and across the top. Each identified relationship is represented by a mark in the square where the participants intersect.

Next, an auditor uses the association matrix along with investigative accounting tools to construct the network diagram. Exhibit 1 shows several examples of network analysis programs available for this purpose. In the network diagram, each individual, organization, or process is represented as a node; lines connecting the nodes depict the relationships. Auditors can then analyze all the relationships at once and answer several questions:

  • Who is communicating with whom?
  • Who is central to the network?
  • Who is most active?
  • Which types of relationship exist?
  • What is the direction of communication within each relationship?
  • Is any relationship confrontational?


Exhibit 1: Network Analysis Programs

RFFlow; UCINET; Analyst's Notebook

Using this information, auditors can examine the reasons for any abnormal relationships and follow up with further inquiries: for example, does the CEO issue directives, or does he accept input from other managers? Clandestine relationships might also become more apparent. Finally, an auditor can compare the network evaluation with other fraud risk factors and evaluate their overall significance.

Case Studies: How Network Analysis Could Have Caught Fraudsters in the Act

Several notorious cases of fraud can be analyzed using network analysis and examination of fraud risk factors. Such analysis could have alerted auditors to the fraud while it was being committed. These cases demonstrate the danger of improper relationships within and between organizations, as well as within processes.

Relationships within an organization—WorldCom.

Before its collapse in 2002, WorldCom was the second largest long-distance telecommunications provider in the United States and was growing rapidly through aggressive acquisitions. During this time, management employed questionable accounting practices that resembled a classic Ponzi scheme (D. Moberg and E. Romar, “WorldCom Case Study,” Santa Clara University, 2003). As WorldCom grew, management wrote down assets acquired by the company; this one-time charge would lower earnings for the current quarter, while subsequent quarterly earnings would appear to increase. At the same time, management would increase goodwill by the same amount in order to maintain asset valuation. When the U.S. government stopped WorldCom from acquiring Sprint in 2000, the Ponzi scheme fell apart, and management dealt with the ensuing financial problems by employing still more improper accounting practices. Management’s most blatant move was capitalizing expenses that should have been recorded as operating expenses.

Exhibit 2 shows a network analysis of employees and associates of WorldCom. WorldCom personnel who knew about the accounting fraud included the CEO, CFO, and the controller. In addition, the CFO and wireless business manager were involved in a dispute over recording an allowance for uncollectible customer accounts. Finally, an analyst for Salomon Smith Barney, the underwriter of WorldCom’s bond issue, gave the CEO and CFO preferred access to “hot” IPOs, from which they profited enormously. The relationship between this analyst and the WorldCom CEO was not covert, as the analyst often touted their association.


Exhibit 2: Relationships Within WorldCom and Fraud

In addition, several significant fraud risk factors were apparent at WorldCom: a domineering CEO, a code of conduct deemed unimportant, the involvement of nonfinancial management in accounting transactions, a loan to the CEO at less than market rate, significant management estimates, and unusually rapid growth. Combining these fraud risk factors with a thorough relationship analysis could have given auditors fruitful insight into the potential for malfeasance within the company.

Relationships within a process—mortgage origination fraud.

The subprime mortgage origination process was rife with toxic relationships. The process involved many participants, including mortgage brokers, appraisers, banks, sellers, and buyers. In one fraud scheme, a buyer would purchase multiple properties from the seller at an inflated price. As an independent operator, a mortgage broker could direct the flow of each of the buyer’s several mortgage applications to different banks (T. Nguyen and H. Pontell, “Mortgage Origination Fraud and the Global Economic Crisis,” Criminology and Public Policy, August 2010, vol. 9, no. 3, pp. 591–612). In addition, the broker and the seller would use one appraiser for all of the properties, who would “rubber-stamp” the selling price of the property. Buyers, left none the wiser, took on more debt than they could handle, and eventually banks foreclosed on such properties.

The analysis in Exhibit 3 reveals several abnormal ties and red flags. First, sellers had ties to appraisers, while buyers did not, the exact opposite of how legitimate sales should operate. Also, buyers could only contact the banks through the mortgage broker. Finally, the network diagram reveals the mortgage broker’s central role in carrying out the scheme, tied to every other actor like a spider in the center of a web.
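The association matrix and the "who is central, who is most active" questions from the procedure above, applied to the ties this case describes. This is an added example, not part of the original article; the actor list, the two banks, the buyer-seller tie, and the function names are assumptions made for illustration.

```python
from collections import deque

# Constructed from the case text; the buyer-seller tie (the purchase) is assumed.
ACTORS = ["Broker", "Seller", "Buyer", "Appraiser", "Bank A", "Bank B"]
TIES = [("Broker", a) for a in ACTORS[1:]] + [("Seller", "Appraiser"), ("Seller", "Buyer")]

def association_matrix(actors, ties):
    """Square 0/1 matrix with a mark where two tied participants intersect."""
    idx = {a: i for i, a in enumerate(actors)}
    m = [[0] * len(actors) for _ in actors]
    for a, b in ties:
        m[idx[a]][idx[b]] = m[idx[b]][idx[a]] = 1
    return m

def degree(actors, m):  # ties per actor: who is most active
    return {a: sum(row) for a, row in zip(actors, m)}

def betweenness(actors, m):
    """Brandes' algorithm: how many shortest paths between others run through each actor."""
    n, score = len(actors), [0.0] * len(actors)
    for s in range(n):
        dist, paths, preds = [-1] * n, [0] * n, [[] for _ in range(n)]
        dist[s], paths[s] = 0, 1
        order, queue = [], deque([s])
        while queue:  # breadth-first search counting shortest paths from s
            v = queue.popleft()
            order.append(v)
            for w in (w for w in range(n) if m[v][w]):
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    paths[w] += paths[v]
                    preds[w].append(v)
        dep = [0.0] * n
        for w in reversed(order):  # push path shares back toward s
            for v in preds[w]:
                dep[v] += paths[v] / paths[w] * (1 + dep[w])
            if w != s:
                score[w] += dep[w]
    return {a: score[i] / 2 for i, a in enumerate(actors)}  # undirected ties: halve

def gatekeepers(actors, m, src, dst):
    """Actors whose removal leaves src with no path to dst."""
    i, j, found = actors.index(src), actors.index(dst), []
    for c in (c for c in range(len(actors)) if c not in (i, j)):
        seen, stack = {i, c}, [i]  # c is pre-marked as visited, i.e. removed
        while stack:
            new = [w for w, tie in enumerate(m[stack.pop()]) if tie and w not in seen]
            seen.update(new)
            stack.extend(new)
        if j not in seen:
            found.append(actors[c])
    return found
```

On this constructed network the broker has five ties and a betweenness of 7.5, against 0.5 for the seller and 0 for every other actor, and `gatekeepers(ACTORS, m, "Buyer", "Bank A")` returns only the broker.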


Exhibit 3: Relationships Within the Mortgage Origination Process and Fraud

Relationships across organizations—NutraCea.

The revenue fraud schemes that occurred at NutraCea, a manufacturer of health food products, make a strong argument for network analysis. According to the SEC, NutraCea executives engaged in a false sales scheme and a bill-and-hold scheme (SEC Litigation Release 21819, “Securities and Exchange Commission v. NutraCea, et al.,” 2011). The participants at NutraCea included the CEO (who was determined to meet sales goals at all costs), the CFO, the controller, the director of financial services, a senior vice president, and a former COO.

When revenue at NutraCea fell short of expectations in 2007, the CEO devised a scheme to record $2.6 million in false sales by conspiring with a customer to create a false sale. The deal was financed through a $1 million loan from the former COO to Bi-Coastal Pharmaceutical Corporation, which then used the loan as a deposit for the purchase. The CEO even convinced Bi-Coastal’s president to falsify its financial statements to conceal the fraud. In the second scheme, the CEO instructed the senior vice president to obtain documentation from another customer, ITV Global Inc., verifying that they would complete a sale by the end of 2007. The controller and the director of financial services participated in both schemes by inappropriately recording revenues; the CFO falsified revenues, lied to the auditors, and certified false and misleading financial statements to the SEC.

The network analysis in Exhibit 4 reveals a suspected tie between the CEO and Bi-Coastal. As Brass et al.’s model predicted, linkage by weak ties contributed to collusion. Because of previous disputes with its auditors over revenue recognition, NutraCea’s large sale to Bi-Coastal should have been a red flag. Confrontational discussions regarding revenue recognition between NutraCea’s president and the auditors should have raised suspicion about the company’s revenue transactions for the year. Also, the auditors should have further investigated the CEO’s aggressive efforts to meet sales goals, as they had previously refused to comply with his attempts to improperly record revenue in the first quarter of 2007. Several other fraud risk factors were present: an unethical tone at the top, employees’ fear of being terminated, and nonfinancial management’s involvement with recording accounting transactions. Comparing these factors with the results of network analysis could have given the auditors early warning of fraud.


Exhibit 4: NutraCea’s Internal/External Relationships and Fraud

Digging Deeper

Understanding internal controls and evaluating fraud risk, including that of collusion, are crucial parts of risk assessment. Incorporating network analysis into examination of ICFR enables auditors to identify potentially abnormal or inappropriate relationships; auditors can then integrate this information with other evidence provided by more common audit procedures. Digging a little deeper can yield valuable insights. The organizational perspective provided by network analysis can improve fraud risk assessment, especially where collusion among members of senior management, employees, or third parties is concerned. After all, as the saying goes, forewarned is forearmed.

Cynthia Waddell, PhD, CPA is an adjunct professor at Ivy Tech Community College, Indianapolis, Ind., a visiting professor at DeVry University’s Keller Graduate School of Management, Oak Brook, Ill., and a professor at Kaplan University, Fort Lauderdale, Fla.