Essay Extract - Financial auditing and the circumstances surrounding its implementation.
Paul Polishan apparently dominated Leslie Fay’s accounting and financial reporting functions and the individuals who were his subordinates. What implications do such circumstances pose for a company’s independent auditors? How should auditors take such circumstances into consideration when planning an audit?
A company in which one person is dominating all the accounting and financial reporting would imply that the company may have weak internal controls. When one person is essentially in charge of all the transactions in two departments, it would definitely indicate a set of weak internal controls. Weak internal controls can lead to employees perpetrating fraud, as it did in the Leslie Fay case. Management of the company, not the auditors, are responsible for internal controls. Section 404 of Sarbanes-Oxley requires that all public companies issue a report on internal control containing: 1) a statement that they are responsible for establishing and maintaining the controls and 2) an assessment of the effectiveness of those controls. Recall also that the second GAAS fieldwork standard states that “The auditor must obtain a sufficient understanding of the entity and its environment, including its internal controls…” the internal control framework followed by most U.S. companies is the Committee of Sponsoring Organizations of the Treadway Commission (COSO). More specific to this case, the audit team would have to assume that these circumstances would imply a weak internal control over classes of transactions. Auditors often are more concerned with the transactions rather than the account balances because the transactions will weigh heavily into the correctness of the account balances.
The third component of internal control under COSO is control activities. There are several relevant factors under this component. For starters, there was probably not adequate separation of duties. It was said that Polishan ruled the accounting and finance departments. The person whom is responsible for putting out the financial statements and showing the public the financial position of the company should not be the one booking entries. Also, was there proper authorization of transactions and activities? Every transaction had to be run through Paul Polishan, the CFO. This sounds like adequate controls; the problem was that Polishan’s word was final on everything. No one else had any say because of Mr. Polishan’s total authority. Mr. Polishan also had near total authority on financial reporting. The real problem here is when someone has total control over both these functions, opportunities for fraud start to appear. With no one willing to question his positions, he was free to authorize transactions that made the books look better but obviously did not reflect economic actuality. Another aspect is independent checks. Basically, this is reviewing the other areas of control activities. There were likely no checks done in the case of Leslie Fay because Polishan had the final say on all transactions. Even if checks were in place, they were likely done by Polishan. The person responsible for performing the checks should be independent of the person originally responsible for performing the data. Obviously Polishan cannot be independent of himself. It was also mentioned that Mr. Polishan’s overall compensation was tied to the financial performance of the company. He had the motive, ability and means to cover up his fraudulent activity.
Another key factor leading to weak internal control was the fact that Polishan’s department was in an entirely different physical location. A lot of the major accounting and financial decisions for this company were being made at a separate building, far away from other key management personal.
Now how should auditors take into consideration these circumstances when planning the audit? The audit team will need to obtain and document their understanding of the company’s internal controls. This can be done using a narrative, flowchart, or questionnaire. A narrative seems it would be best if applied here because it will help identify the separation of duties factor. The auditors may then want to perform a walkthrough to make sure what has been written down in the narrative is actually what is preformed. In a walkthrough, the auditor selects a few documents and traces them from beginning to end. This way, the auditor can see the entire process involved in every transaction. This type of control may have helped the auditor see just how much influence Polishan had over the accounting area. It could have easily, however, been covered up. However, having the understanding that he had significant influence over finance, and that he oversaw all accounting matters should have raised a red flag. It would be very easy for someone to commit fraud in accounting knowing that they also controlled finance. It seems that the fraud perpetrated in this case would be hard for an auditor to uncover. One person had control over two key departments. He himself never “got his hands dirty”, yet, always instructed subordinates to follow his instructions.
After obtaining proper understanding of internal controls, the auditors must then assess control risk. This involves identifying audit objectives, identifying existing controls, associating controls with related audit objectives and, evaluating control deficiencies, significant deficiencies and material weaknesses. A control deficiency exists if the design or operation of controls does not allow a company to prevent or detect fraud on time. When a control is well designed yet is not carried out well, an operational deficiency exists. In this case, the controls would appear to be in place. All transactions are done at the appropriate level, and are vouched for by the CFO. However, the CFO (Polishan) was forcing incorrect and fraudulent entries. Polishan would force his subordinate Donald Kenia to make then erroneous entries. The process would appear to be appropriate, but in this case fraud was committed at top levels.
In general, the independent auditors should see this multi tiered level of control and it should raise a red flag. They should set some type of testing, such as the walkthrough or narratives to better determine if there is potential for fraud. So much being done and controlled by one man is a red flag. The fact that Leslie Fay was able to maintain high sales and profits while others in the industry struggled was another red flag. These were all key factors that point to poor internal control and potential fraud.
