In Brief
Financial statement fraud is often thought of as an “inside job,” something perpetrated by the management or employees of the organization being audited. Occasionally, however, fraud is perpetrated by an external party—sometimes without an organization’s knowledge—and these frauds are no less serious. The author examines some recent and historical cases of external-party financial statement fraud, identifies common threads, and provides lessons from these examples for today’s auditors and management.
***
Fraud perpetrated by external parties—outside of management or employees—remains a neglected and unmitigated risk for many organizations. One in three organizations, according to the 2018 White-Collar Crime and Fraud Risk Survey conducted by Utica College and the consulting firm Protiviti, lacked a high level of confidence concerning oversight of external parties, whose actions account for a disproportionate number of fraud-related incidents, including vendor fraud, kickbacks, and cybercrime, as well as violations of the Foreign Corrupt Practices Act (FCPA) and other anticorruption statutes (http://bit.ly/2OLvASu). One of the five most scandalous fraud cases of 2018, as reported in the Association of Certified Fraud Examiners’ (ACFE) Report to the Nations, was a $2 billion fraud at Punjab National Bank (PNB) perpetrated by an external party—a prominent customer, Nirav Modi, sometimes referred to as “jeweler to the stars” (http://bit.ly/2tMj1z1).
Since the 1960s, third or external parties have perpetrated frauds against organizations that have materially misstated their financial statements; the danger of such frauds, however, is often not adequately recognized by managements, internal auditors, or independent auditors in their risk assessments and consideration of internal controls. This article uses the term “external party” rather than “third party” because the latter is the legal term for identity theft, synthetic identity, and account takeovers in which a fraud is committed without the knowledge of the person whose identity is used. The aim of this article is to explain the nature of frauds by external parties that result in material misstatement of financial statements, review key examples of that type of fraud, and highlight lessons to be learned.
Examples of Major External-Party Fraud
An external fraud scheme is committed by an outside entity against an organization, often with the collusion of an organization’s employees. Garden-variety external fraud schemes, such as kickback schemes and other types of vendor or procurement fraud, typically do not reach a level that materially misstates an organization’s financial statements, even though the cumulative loss can be significant. There have, however, been major frauds, such as the following outstanding examples, that serve as reminders of the necessity for careful consideration of the risks of material misstatement of financial statements from this type of fraud.
The following discussion highlights the typical features of external-party frauds by identifying—
- the defrauded entity;
- the external-party perpetrator;
- any colluding employees of the defrauded entity;
- any control deficiencies and other risk factors; and
- the fraud mechanism that misstated the defrauded entity’s financial statements.
These key features (Exhibit 1) are explained in detail below.
Exhibit 1
Key Features of External-Party Fraud
Punjab National Bank (PNB).
In 2018, PNB disclosed that a prominent customer (Nirav Modi), in collusion with two junior employees at its Brady House Branch in Mumbai, perpetrated a $2 billion fraud against the bank. The Mumbai branch issued unauthorized guarantees called letters of undertaking (LOU), similar to letters of credit, to overseas branches of other Indian banks. These overseas branches made local currency advances to Modi’s designated bank accounts, ostensibly to pay suppliers of stones for his international jewelry operations.
The LOUs were sent over the Society for Worldwide International Financial Telecommunication (SWIFT) interbank messaging system. The fraud continued for seven years, but apparently escaped detection because the SWIFT activity was either never reconciled with the bank’s record of LOUs issued, or that control was overridden. Also, there were inadequate controls to prevent or detect the issuance of LOUs by bank employees without receipt of the normally required documentation, collateral, and supervisory review and approval.
Petrobras.
In 2015, Petrobras, a Brazilian government-controlled oil and gas company, disclosed a write-off of over $2.5 billion of capitalized costs representing estimated overpayments that inflated property, plant, and equipment (PP&E). External parties—large construction companies—colluded with operating division heads to rig the bidding for goods-and-services contracts in exchange for kickbacks. The construction companies used the overpayments to bribe division executives, politicians, and political parties. The external-party fraud materially misstated Petrobras’s financial statements in its annual report filed with the SEC and is believed to have continued for over eight years. A representative example of the overpayments involved Petrobras’s acquisition of a Texas oil refinery in 2005 from a Belgian oil company. Petrobras paid almost 30 times the $42.5 million the seller had paid in the same year, ultimately paying approximately $1.2 billion for the nearly century-old refinery.
Control deficiencies in Petrobras’s procurement policies and procedures included significant incompatible functions or lack of segregation of duties. The same executives had authority to both award and approve contracts, as well as to amend existing contracts without review by the legal department. Senior management also permitted bidding and contracting procedures outside those established by the procurement manual. Petrobras’s Form 20-F for fiscal year-end December 31, 2015, disclosed material weaknesses that included an inadequate tone at the top, failure to communicate ethical values, and lack of an effective whistleblower program, in addition to the specific procurement-related control deficiencies.
Colonial/TBW.
The Colonial/TBW fraud is a landmark case of external-party fraud. In 2018, a federal judge found the Colonial BancGroup, Inc. (CBG) auditor liable to the FDIC, as receiver, for professional negligence and ordered it to pay $625 million in damages. From 2002 to 2009, Lee Farkas, the chairman of Taylor Bean & Whitaker Mortgage Corporation (TBW), perpetrated a fraud against Colonial Bank, at the time one of the 25 largest banks in the United States, with assets of approximately $26 billion. Colonial was owned by CBG, a publicly traded bank holding company. The fraud occurred within the bank’s mortgage warehouse lending division (MWLD). The MWLD provided short-term, secured funding to mortgage originators, such as TBW, its largest customer. Concealment was achieved with the collusion of Catherine Kissick, who ran the MWLD, and others reporting to her.
The fraud passed through several phases. The first phase began in the first quarter of 2002, when Farkas overdrew TBW’s operating account by approximately $10 million that could not be repaid. Immediately before the daily overdraft report was generated, Kissick had funds transferred from an investor funding account into the overdrawn operating account; she then reversed the process after the report was generated, thus keeping the overdraft off the report. By late 2003, the amount of the concealed overdraft grew to $120 million, and the second phase of the fraud began.
Instead of continuing to juggle internal overdraft reports, the fraudsters began to disguise the overdrafts as an advance of funds under the COLB Facility, a mortgage loan purchase facility started by Colonial in 2002 to continue lending to mortgage originators after they reached their lending limit. Under this arrangement, Colonial received a 99% participation interest in individual mortgages originated by its customers, which was accounted for as a sale by those mortgage originators to Colonial under Statement of Financial Accounting Standards (SFAS) 140, Accounting for Transfers and Servicing of Financial Assets and Extinguishments of Liabilities, and classified as individual borrowers’ loans held for sale on CBG’s balance sheet. In a portion of these transactions with TBW, referred to by the fraudsters as “Plan B,” Colonial did not receive the normal collateral for a mortgage loan (i.e., the original promissory note and copy of the individual mortgage).
The fraudsters never created false promissory notes or mortgages that Colonial was to hold in custody pending sale to a secondary market investor, typically a government-sponsored entity (GSE) such as Fannie Mae or Freddie Mac. Colonial received only a data tape of information (e.g., names, addresses, Social Security numbers) on loans to individual borrowers for Plan B loans that TBW had already sold to others. COLB loans were supposed to have a takeout commitment from an end investor before sale to Colonial, and thus were expected to be held for relatively short periods, typically 30 days. To continue the concealment, the fraudsters periodically refreshed the Plan B loans with new data files for the growing amount of the fake asset.
In 2005, concealment of the fraud was achieved by a new tactic using another lending facility referred to as AOT, which stood for “assignment of trade.” Under the AOT facility, Colonial was ostensibly purchasing a 99% participation interest from TBW in a pool of mortgage loans in the process of being securitized as GSE-issued mortgage-backed securities (MBS) that TBW was supposed to have already sold on a to-be-issued basis to secondary market participants, primarily securities dealers.
In this third phase, in exchange for advancing funds to TBW, the sole AOT customer, Colonial was to receive a participation certificate, a list of the loans in the pool, the related mortgage collateral documents, and a trade assignment document evidencing TBW’s assignment of the trade of the to-be-issued MBS to an end investor (i.e., securities dealer) with an attached takeout commitment from that investor. Repayment of the advance to TBW was to come from the end investor, who had to agree to assignment of the obligation to deliver the securities to Colonial, along with the right to receive the proceeds. Of all the required supporting documentation, the only false document created by TBW was a trade assignment unsigned by the end investor.
The fraud was discovered in August 2009 when special agents of the FBI and Treasury Department raided Colonial and TBW’s offices as part of an investigation initiated because of concerns surrounding Colonial’s application to the Troubled Asset Relief Program (TARP).
Madoff feeder funds.
The external-party fraud that Bernard Madoff perpetrated against the feeder funds that placed substantially all of their investors’ money with him is the largest of its type. Madoff’s Ponzi scheme in effect misappropriated the assets of the feeder funds and materially misstated their financial statements. The final account statements of the feeder funds and other investors reported fictional investments of approximately $65 billion. The two largest feeder-fund groups, Fairfield Greenwich Group (FGC) and Tremont Group Holdings (TGH), had issued audited financial statements that overstated assets by over $10 billion.
This external-party fraud was facilitated by the control deficiencies that resulted from the feeder funds’ outsourcing of substantially all investment activities to Madoff, who initiated trades, making the decisions on when and what to buy and sell using his own investment strategy; executed the transactions, clearing his own trades and preparing related records; was responsible for holding securities in safe-keeping; and serviced the securities, collecting interest, dividends, and sales proceeds. Madoff provided fake confirmations of trades and monthly statements to his investors, including the feeder funds, with the computer-aided assistance of several employees of his advisory firm. These coconspirators also created fake trading terminals and Depository Trust and Clearing Corporation (DTCC) screens for the rare occasions when executives of feeder funds visited his offices. Madoff furthered the concealment by employing an auditor, Friehling & Horowitz, that lacked independence and failed to perform an audit in accordance with professional standards.
Madoff blew the whistle on himself in December 2008 when he was unable to meet withdrawal requests during the financial crisis and lawsuits were filed against the auditors of the feeder funds. Some were settled, and others dismissed, but one went to trial, resulting in a finding against the auditor. The primary deficiencies in the audit in that case likely mirrored those in all the feeder fund audits: unwarranted reliance on the confirmation process and failure to investigate Friehling & Horowitz. The Auditing Standard (AS) applicable at the time (2503.20) noted that the nature, timing, and extent of substantive procedures for investments are affected if a service organization initiates transactions as an investment advisor and also holds and services securities (this same standard was in effect during the time of the Madoff fraud for both public and private entities as AU section 332.20).
DeAngelis/American Express.
In what has come to be known as “the great salad oil swindle,” Anthony DeAngelis inflated inventory quantities to deceive a large group of financial organizations, particularly American Express’s field warehouse subsidiary, and ultimately jeopardized the functioning of the New York Stock Exchange (NYSE). DeAngelis created the Allied Crude Vegetable Oil Refining Corporation (Allied) in 1955 by leasing a huge field of petroleum storage tanks in the port section of Bayonne, N.J., cleaning the tanks to store edible oil, and storing and refining crude vegetable oil.
DeAngelis financed his activities with negotiable warehouse receipts. Allied leased a portion of the tank farm to a field warehousing subsidiary of American Express, which issued warehouse receipts for quantities of stored oil. Allied was losing money, but DeAngelis managed to stay in business for some time by inflating the quantities of oil in the tanks of the field warehouse to obtain negotiable warehouse receipts. He also persuaded brokerage firm Ira Haupt & Company to accept warehouse receipts on fake oil for original margin and margin calls on soybean futures. When DeAngelis was ultimately forced to put Allied into bankruptcy in 1963, Allied’s creditors attempted to take possession of the oil backing their warehouse receipts, but learned that a supposed 1.8 billion pounds of oil was fake. American Express, faced with sizable obligations to the holders of warehouse receipts, put the field warehousing subsidiary into bankruptcy, while Haupt’s losses on DeAngelis’s futures contracts purchased on margin put it in violation of the NYSE’s net capital requirements. Due to concern about a loss of investor confidence if Haupt’s customers were harmed, the NYSE agreed to liquidate Haupt and provide its own funds to reimburse its customers. This was extraordinary because Haupt’s losses on futures contracts were not related to trading on the NYSE or Haupt’s custodial responsibility to customers.
American Express’s subsidiary was included in its audited consolidated financial statements, but did not own the oil held in custody; thus, the oil and the related custodial responsibility did not appear in its financial statements. Nevertheless, its audited financial statements were materially misstated by the external-party fraud due to the undisclosed contingent liability.
Lessons Learned
Management and auditors can learn many lessons from the major external-party frauds recounted above, as well as the similar, more frequent frauds of lesser scale. These lessons are summarized in Exhibit 2 and explained in more detail below.
Exhibit 2
Lessons Learned
- Increase awareness of external-party fraud
- Identify and evaluate country, business, and entity risks
- Do not ignore or dismiss risks because of the prominence of the perpetrator
- Focus on the “opportunity” aspect of the fraud triangle
- Include the potential for external-party fraud in the brainstorming session
- Challenge the quality of evidence from confirmation with a potential external-party perpetrator
Increase awareness of external-party fraud.
First on the list of lessons is the need for increased awareness of this type of fraud and the dangers it presents. Management’s efforts to prevent, and auditors’ efforts to detect, fraud may be too singularly focused on fraudulent financial reporting to intentionally misstate earnings and misappropriation of assets by lower-level employees. This can result in inadequate attention to the serious risks that external parties pose for the unauthorized acquisition, use, or disposition of an organization’s assets that have a material effect on its financial statements. In all of the major cases reviewed in this article, organizations suffered significant harm, resulting in bankruptcy, major loss of assets, or reputational damage.
Identify and evaluate country, business, and entity risks.
Risk assessments by management and auditors need to include consideration of risks at every level that can foster external-party fraud. Many such risks were apparent in the major cases reviewed here. PNB’s LOU process had an obvious inherent risk of fraud that called for controls to anticipate fraud by the bank’s customers, but such controls were nonexistent. Petrobras operated in a country with a well-known history of corruption. In the Colonial/TBW matter, the greatest and most well-known risk in the mortgage warehouse lending industry was fraud by mortgage originators, including selling loans already sold to others. Farkas, Colonial’s largest mortgage-originator customer, had been terminated by Fannie Mae in circumstances that raised suspicion of fraud.
An article in Barron’s catalogued oddities about Madoff’s secretive investment advisory activities (Erin Arvedlund, “Don’t Ask, Don’t Tell,” May 7, 2001, http://bit.ly/31QzYEY), and Harry Markopolos repeatedly brought these matters to the attention of the SEC, presenting the commission with a detailed and sophisticated quantitative analysis of Madoff’s returns that pointed to a Ponzi scheme. Among the red flags concerning Madoff were impossibly consistent returns, volume trading that left no trace in stock or options markets, clearing his own trades, sending out his own paper trade confirmations, moving to investments entirely in T-bills at year-end, and using a small, unknown auditing firm. The latter was particularly significant given the exposure of the use of a fictitious auditor in the Bayou Group Ponzi scheme in 2005.
The field warehousing industry also has inherent risks because the warehouseman is accountable for the inventory in storage for which warehouse receipts are issued, but typically performs accountability tests using personnel leased from the owner of the storage location, who receives the warehouse receipts. DeAngelis had been charged with cheating the federal government, and thus could not obtain a bank loan, but was able to persuade customers and suppliers to advance funds based on negotiable warehouse receipts that they in turn pledged as collateral for bank loans. The DeAngelis personnel leased by American Express falsified inventory in storage by methods that have since become legendary in the annals of inventory frauds (see Exhibit 3).
Exhibit 3
Inventory Falsifications to Overstate Quantities in DeAngelis Salad Oil Fraud
- Slender metal cylinders installed below a tank’s access hatch while the rest of the tank was filled with water.
- DeAngelis employees on loan to American Express Field Warehouse subsidiary called out the wrong distance of the tape dropped into a tank to measure the quantity of oil, or otherwise manipulated the length of the tape.
- Salt water was pumped into tanks so oil floated on top.
- Tanks were connected by a network of pipes that permitted pumping oil among tanks during the count.
- Numbers on the sides of tanks were changed to include some tanks not subleased to American Express.
Ignore the prominence of the potential perpetrator.
A critical lesson for management and auditors is not to dismiss risks of fraud by external parties because of their prominence or stature. Modi, Farkas, and Madoff all lived lavish lifestyles and appeared successful; Madoff was even chairman of Nasdaq in the early 1990s. The size and length of the frauds they perpetrated are a helpful reminder not to be deterred in responding to risks by the image of financial and business success. These frauds highlight the fallacy of assuming that fraud risk factors are in any way mitigated by the potential perpetrator’s stature or reputation.
Recognize the limitations of the fraud triangle.
While the term itself is not used, the “fraud triangle’s” three elements—incentive/pressure, opportunity, and rationalization—have been enshrined in auditing standards (AS 2110.52, .65 and .66; AS 2401.02, .07, and .85; AU-C 240.15, .24, and A.30). The foundation for these three conditions, identified by the auditing standards as “generally present” when fraud occurs, is research conducted 60 years ago by Donald Cressey, a sociologist and criminologist. Cressey interviewed imprisoned embezzlers to develop his theory on why people embezzle; his work was extended by Steve Albrecht and others who attached the label “fraud triangle” and revised the description of the three conditions to fit additional types of financial fraud.
The fraud triangle has been challenged as dated, incomplete, and composed of elements that, other than opportunity, are largely unobservable before a fraud occurs. The methodological flaw is that the individuals studied had already engaged in fraudulent behavior; thus, the research results cannot prove that all people experiencing the three conditions will commit fraud, and there are frequent false positives.
Auditing standards, in fact, include sometimes-overlooked admonitions that recognize these limitations. The standards note that the auditor cannot assume that all three conditions are required, that the inability to observe one or two of the conditions in the fraud triangle does not mean there is no risk of material misstatement due to fraud, and that observing that an individual has the required attitude to rationalize committing fraud is difficult at best (AS 2110.66 and AU-C 240.30). In other words, circumstances that indicate an opportunity to commit fraud, with no significant observable information on the incentive or attitude conditions of the fraud triangle, are enough to trigger an audit response.
Focus on the opportunities for fraud created by control deficiencies.
The major external-party frauds described above highlight the importance of focusing on the one element of the fraud triangle that falls squarely within the expertise of accountants and auditors—the opportunities created by control deficiencies. In each case, there were material weaknesses in controls, but the opportunity for external-party fraud did not receive sufficient attention.
PNB’s LOU process was ripe for fraud because SWIFT and the internal authorization and recording system for LOUs were separate and not reconciled, and basic controls such as separation of functions and mandatory vacations were not enforced. Petrobras also had a lack of separation of the functions of awarding and approving contracts and amending contracts, as well as failure to enforce procurement policies and procedures on bidding and contracting.
Colonial’s controls over mortgage warehouse loans were geared to the traditional warehouse line-of-credit loans to mortgage originators, such as TBW. These controls were not tailored to the more complex features of COLB, and especially not to the AOT transactions executed exclusively with TBW. Controls designed to establish the accountability for individual loans did not function for the mortgage loan pools, which in fact had no underlying mortgages backing them.
The feeder funds’ own internal controls related to the trades in derivatives and securities executed by Madoff were virtually nonexistent. Madoff functioned as a service organization, initiated trades as an investment advisor, and held and serviced the securities. All of the information available to management of the feeder funds, as well as their auditors, was based on information from Madoff. The managers of the feeder funds and their auditors had to rely on controls on Madoff’s premises, such as separation of the department providing advisory services from the department holding and servicing securities and an independent reconciliation of the information in each department, but the only evidence was Madoff’s own representations.
Field warehousing requires control procedures beyond routine controls over receiving, storing, and delivering goods common to terminal warehousing applied at both the field location and warehouseman’s central office. The internal controls were deficient at both points, particularly in the examination of the DeAngelis warehouse operations by the central office. The publicity surrounding the DeAngelis fraud caused the AICPA to undertake a study of controls and safeguards and audit procedures applicable to the warehousing industry. The resulting special report, Public Warehouses—Controls and Auditing Procedures for Goods Held, was issued as Statement on Auditing Procedure (SAP) 37 in 1966. The primary focus of SAP 37 was on recommendations for the auditor of the warehouseman, especially operators of a field warehouse. Auditors records relating to the warehouseman’s accountability for all goods in custody and outstanding warehouse receipts, and to observe physical counts of goods in custody and reconcile test counts with records of accountability. Physical observation was necessary even though the assets and related custodial responsibility did not appear in the field warehouseman’s financial statements.
Brainstorm fraud potential and challenge quality of evidence from confirmations.
Prior lessons are applicable to both management and auditors, but there are some with special significance for auditors. Auditing standards require a discussion among key members of the engagement team that encompasses brainstorming about how and where the financial statements may be susceptible to material misstatement due to fraud, how assets could be misappropriated, and known external and internal factors that affect the entity and that may provide the opportunity for fraud to be perpetrated (AS 2110.52 and AU-C 240.15). This required discussion should include an identification of circumstances in which there is heightened susceptibility to misappropriation of assets by an external party. All of the prior lessons learned are relevant.
Another lesson for auditors is to challenge whether confirmation provides a sufficient quality of evidence under the circumstances. Auditing standards provide direction on evaluating the relative reliability of audit evidence. Some auditors maintain that confirmation is the most reliable form of audit evidence because the evidence should come directly to the auditor from an independent source, but careful consideration of auditing standards and the facts of the DeAngelis, Madoff, and Colonial/TBW frauds indicate to the contrary. Auditing standards indicate that the reliability of audit evidence depends upon the nature and source of the evidence and the circumstances under which it is obtained, and note that evidence from an independent source is more reliable than that obtained only from internal sources (AS 1105.08, AU-C 500.A32). The standards also, however, require that an auditor exercise heightened professional skepticism about a confirmation respondent’s objectivity or freedom from bias, for example when the respondent is the custodian of a material amount of the audited entity’s assets (AS 2310.27).
Another important indicator of the reliability of audit evidence identified by auditing standards is that evidence obtained directly by the auditor is more reliable than evidence obtained indirectly (AS 2310.27). The auditor’s physical examination of inventory, securities, or mortgage collateral generally can provide more reliable evidence of existence than confirmation. Confirming the existence of assets with a DeAngelis, Madoff, or Farkas is not the same as confirming the entities’ own record of cash with a well-known custodian financial institution.
Vigilance Is the Watchword
The risk of external-party frauds is a reminder of the need in audit planning to apply professional skepticism and evaluate the quality of evidence provided by planned procedures. In this regard, challenging the use of the confirmation procedure for existence of assets is particularly important. SAP 37 anticipated this issue by noting that confirmation with the warehouseman may require “supplementation” by observation of the physical inventory. Management and auditors need to focus increased attention on controls and audit procedures aimed at detecting errors and fraud by an external party.