TERM PAPER:
Fraud Prevention: Are Existing Deterrents Working
Kevin B. Hoover
ACC 630 – Professor Sheila Vagle
University of Maryland University College

Introduction I recently read the following quote posted by an anonymous person on Facebook:
“I had ADHD when I was a kid too, but when I saw my father taking off his belt, I was healed”. I share that not just because it is true in my case, but because it is a fairly humorous and spot on example of a deterrent. Deterrence is a critical element of the effort to prevent a particular behavior. People have to have a reason not to act that way. When I was a kid, I didn’t know what a deterrent was, but I sure knew that the possibility of a whipping was reason enough not to lose my mind. What deters people working in the business and financial worlds from committing fraud? The Sarbanes-Oxley Act of 2002 perhaps? Fear of prosecution? One would hope so, but it is certain that the answer is more complex than that. In fact, it could be argued that the answer is nothing deters people from committing fraud because fraud is still happening. Therein, lies the aim of this paper. This paper will take a look at financial fraud and the deterrents in place since 2002, and offer the opinion that the deterrents are not working. A history of the issues as they relate to this opinion will be given. Further, recommended solutions to the perceived problems will be put forth. It is worthy of mention that deterrence and prevention are treated as synonymous from this point forward. No effort will be made to distinguish a difference between the two concepts.

Problem Statement Simply put, fraud deterrents in place are not working. I don’t believe the penalties for being found guilty of fraud are harsh enough, nor do I believe that the government has any real interest in improving deterrents to fraud.
History of the Issues Before any discussion of the history of the issues, it will serve the paper well to cover what current literature (defined for purposes of this paper as 2008-Present day) says about deterring fraud. The idea is to give an overview of the current opinions on fraud deterrence so readers can keep those opinions in mind while analyzing the “history of the issues” put forth following the overview. According to Law (2011), the American Institute of Certified Public Accountants (AICPA) has identified three criteria to deter fraud: 1. Culture of honesty and strong ethics (tone at the top); 2. Managerial responsibility; and 3. Audit Committee oversight. (p. 503)
Interestingly, there is no specific mention of internal controls. Wells (2008) says that if you were to ask a group of typical accountants what deters fraud, they would respond in unison: “Internal Control!” (p. 6). Wells says that using this logic, companies with adequate controls would not have fraud. But they do, time and again. Bryan (2012) also advocates tone at the top and a strong ethical culture to deter fraud (pp. 22-23). A concept Bryan introduces (not mentioned by the AICPA) is that of professional skepticism. Developing healthy skeptics helps build critical thinking skills which can provide benefits when developed in all groups of employees (p. 23). The idea is that employees develop the trust that it is okay for them to ask questions of other employees. Leaders must also let subordinates know it is ok to ask questions of them. Verschoor (2015) mostly echoes what Bryan stated, in that he advocates a strong commitment to ethical behavior from the top management and skepticism in the organization (p. 18). Verschoor adds that robust communication amongst participants in financial reporting is an important aspect of deterrence (p. 23). People involved in financial reporting should be able to talk throughout the process, question decisions (skepticism) and ask for clarification on any decisions they were not a part of. In summary of current literature, it is clear that a strong ethical culture or “tone from the top” and healthy skepticism up and down the organization are thought to be key tenets to prevent fraud. I couldn’t agree more such assessment. It absolutely starts at the top. There is no way to effectively control fraud in your organization if the top level managers don’t exude strong ethical behavior. I realize that the word skepticism has a certain negative connotation to it, but I also believe healthy skepticism is necessary for the organization to thrive. Sometimes it might as easy as asking a boss to explain a given decision. Whatever it is or isn’t, healthy skepticism certainly isn’t going to lead to anarchy or mutiny. Internal controls aren’t mentioned as prominently but perhaps that is because if the tenets above are followed, a strong internal control system would be implied to exist in such an organization. I will touch on some of these concepts again after I cover a “history of the issues”. The starting point for any discussion of financial fraud in the modern era has to begin with the collapse of Enron and to a lesser extent, the fraudulent activities at Adelphia, WorldCom and Tyco. In total, those cases resulted in nearly $500 billion in losses to investors (Ugrin, 2008, p.1). Enron, however, seems to be the scandal that gets singled out for being responsible for the passing of the 2002 Sarbanes-Oxley act (hereafter, SOX). SOX is where the discussion starts for me. SOX was the single most important piece of financial legislation since the Securities and Exchange Act of 1934. The Enron disaster had happened. Adelphia and WorldCom bankruptcies also happened prior to the passage of SOX, but the legislation was in its final stages before passage by the time those scandals came to fruition. I believe that is why the Enron scandal gets the credit for being the reason SOX was dreamed up in the first place. Ugrin (2008) writes that SOX was about restoring investor confidence in the U.S. Capital markets by improving corporate governance, the quality of audits, the strength of internal controls, increasing the severity of sanctions that can potentially be leveled against management for inaccurate financial reporting, and by imposing regulations requiring increased assessments of internal control by auditors (p. 2). Over the course of my educational career, I’ve written 3 papers on SOX and can attest to the fact that truly thorough analysis of SOX in its entirety is outside of the scope of this paper. I would, however, like to touch on some sections of SOX that have what I feel are the most relevance to the discussion of fraud deterrence.

Title IV of SOX is entitled Enhance Financial Disclosures and has many different sections. Section 404 is generally the one that causes most of the discussion and considerable debate in the accounting community. Section 404 gives the requirements for Management Assessment of Internal Controls as follows (US Code, 2002):
(a) RULES REQUIRED- The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)) to contain an internal control report, which shall--
(1) state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
(2) contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting.
(b) INTERNAL CONTROL EVALUATION AND REPORTING- With respect to the internal control assessment required by subsection (a), each registered public accounting firm that prepares or issues the audit report for the issuer shall attest to, and report on, the assessment made by the management of the issuer. An attestation made under this subsection shall be made in accordance with standards for attestation engagements issued or adopted by the Board. Any such attestation shall not be the subject of a separate engagement. Section 404 has caused and continues to cause debate because of the burdens it places on both management and auditors alike. Management has to issue a report on the state of their company’s internal control system, which to me has never made a great deal of sense. There is more than one way which I can see that such reports aren’t going be as accurate as SOX intends for them to be. First, I suspect many managers would have stated they had a more than adequate system even if they didn’t. Another way to skew such a report would be to self-report some minor deficiencies in the hope that nothing that was really wrong would be discovered. Look here, we did a thorough and honest job because we reported some deficiencies and are already working on fixes. I know that the auditors issuing reports on the financial statements of the company must also attest to the management report and issue a report of their own on the internal controls. I know that some people would use that as a counterpoint to the possibility management might skew their internal report. Think about that. One of the main complaints from the auditing world is the amount of extra time and cost that must be spent attesting to and reporting on the internal controls – cost that must be passed on to their client. Am I to believe that zero auditors took what management reported and just accepted it as fact? While it bothers me to have negative opinions about people in the accounting profession, I have no problem believing that this went on and continues to go on. Title IX of SOX is entitled White Collar Crime Penalty Enhancements. I, for one, would not argue in the least that penalty enhancements were needed. Section 906 of Title IX covers Corporate Responsibility for Financial Reports and generated the majority of the heartburn in the business world. Section 906 reads as follows (US Code, 2002):
(a) IN GENERAL- Chapter 63 of title 18, United States Code, is amended by inserting after section 1349, as created by this Act, the following:
Sec. 1350. Failure of corporate officers to certify financial reports
(a) CERTIFICATION OF PERIODIC FINANCIAL REPORTS- Each periodic report containing financial statements filed by an issuer with the Securities Exchange Commission pursuant to section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m(a) or 78o(d)) shall be accompanied by a written statement by the chief executive officer and chief financial officer (or equivalent thereof) of the issuer.
(b) CONTENT- The statement required under subsection (a) shall certify that the periodic report containing the financial statements fully complies with the requirements of section 13(a) or 15(d) of the Securities Exchange Act pf 1934 (15 U.S.C. 78m or 78o(d)) and that information contained in the periodic report fairly presents, in all material respects, the financial condition and results of operations of the issuer.
(c) CRIMINAL PENALTIES- Whoever--
(1) certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $1,000,000 or imprisoned not more than 10 years, or both; or
(2) willfully certifies any statement as set forth in subsections (a) and (b) of this section knowing that the periodic report accompanying the statement does not comport with all the requirements set forth in this section shall be fined not more than $5,000,000, or imprisoned not more than 20 years, or both.'. I agree with the spirit of this section which I paraphrase as: CEOs are on the hook now for the validity and integrity of the financial reports and will be penalized for certifying “misleading, dishonest…etc.” whether they unknowingly or willfully did so. Absolutely, the CEOs should always have been on the hook for the validity of financial reports. My problem with how Section 906 is worded is when it says fined not more than $1,000,000 and/or imprisoned for a maximum of 10 years and so on. How many of the CEOs are worried about a 1-5 million dollar fine? How many of them have been getting both a fine and a prison sentence? How many of them believe that anybody convicted is ever going to get close to the maximum sentence? A good percentage of them don’t because fraud is still happening. I’ll address that later in the recommended solutions of the paper. I could certainly share many more sections of SOX and hammer away at what, if anything, I feel is wrong with them. However, I suspect that will be a bit tedious for readers. I’ve made it clear I don’t like the parts of SOX that are intended to be deterrents to fraud. I certainly don’t believe that all of SOX was bad. I think in some way, shape, or form that SOX was necessary. I believe in the parts of it that make CEOs accountable and I believe in the parts of it that make auditors more accountable. If those two groups of people had the market cornered on integrity, SOX would never have been necessary. The question as time has gone forward Post-SOX is has SOX done what the Government intended it to do? Fraud has been eliminated or at least reduced to minimal levels, hasn’t it? We haven’t had any financial issues, major frauds, or meltdowns since SOX was issued have we? I ask those questions knowing full well readers know they are being asked tongue-in-cheek. I don’t even think a SOX that I supported 100% would have eliminated fraud. However, I’ve got to believe that SOX was intended to avoid the financial meltdown in 2008. There was a confluence of financial disasters that came together in 2008 to create a crisis the likes of which we hadn’t seen in this country since the Great Depression. Big banks and investment brokerage houses failed. The reasons those events happened and perhaps whose fault they were is best left for a dissertation. The point in bringing it up here is to mention the Dodd-Frank Act. The Dodd-Frank Act, or the Wall Street Reform and Consumer Protection Act as it is also referred declared in its text that it would end “too big to fail” and “promote financial stability” (Hensarling, 2015, Jul 20). Those banks and institutions that were thought to be too big to fail have not in fact disappeared. Big banks are bigger and smaller banks seem to be disappearing. Hensarling (2015, Jul 20) states that government figures confirm we are losing community banks in the US at a rate of one per day. Dodd and Frank and their political party would have us believe that the entire 2008 financial meltdown was due to deregulation of the financial industry. Naturally then, the answer is regulation. This leads me to my final point/discussion with relation to the history of the issues. I stated earlier that I don’t think the government, especially the current administration doesn’t have any interest in the deterrence of fraud in the financial sector. I will go so far as to say that I think it suits people like Barney Frank, Chris Dodd and Barack Obama better if fraud continues. Every single time a big company has failed since 2008, they’ve been bailed out our basically taken over (General Motors for example). That seems to be the goal. Take something over, regulate the hell out of it and run it into the ground. They don’t like capitalism and our free-market system. They aren’t going to offer any deterrence of anything except for people to actually disagree with them. Better not be in the Tea Party or the IRS will tear you to shreds. Don’t disagree with Obama, or you’re racist. That diatribe aside, I’d like to point out a couple things about the current administration that are more relevant to the issue of deterrence. One of the key things mentioned earlier that most folks agree sets an organization up to succeed and avoid fraud is the idea that strong ethical behavior starts at the top and permeates throughout an organization. I agree, but such a statement doesn’t bode very well for the current executive or legislative branches of our government. The current Senate Majority leader is lying to people from his party to get them to vote his way. The POTUS has been lying for 6 years now. He ramrodded an act through to being a law that is laughingly is called the Affordable Care Act, yet doesn’t do one single thing to positively affect the price of healthcare. The Department of Veteran Affairs is a joke. Their leadership did unspeakable damage to our veterans, but look at the leadership at the top of the government. What sort of ethical culture did the VA leadership have to live up to? The point of this portion of the talk for me is this: Who the heck is the current administration to tell any group of people, be they CEOs, CPAs or MDs and JDs how to run their businesses? Why would we want a group of people who can’t produce a budget (I’ve given up hoping for a balanced budget) as is required by law, to regulate our businesses? Obama can’t seem to do anything but continue to increase the national debt to historic levels. I want his and everyone other government finger out of the business of regulating our CEOs and CPAs.
Recommended Solutions I started this paper with a story about a child who was deterred from losing his mind by his father’s willingness to take his belt off and “educate” the child. I’m not a fan of hitting children with a belt, but no one can deny that it is an indisputably great deterrent to unwanted behavior. Obviously, financial fraud is also unwanted behavior. Too many people count on the financial reports and financial dealings of an organization to have integrity and above all, accuracy. I’m not going to suggest we start having a sergeant at arms around multi-billion dollar organization to threaten possible fraudsters with a whooping. However, speaking more figuratively, the fear of the consequences of fraud has to greatly and completely outweigh the perceived benefits of committing fraud. That being the case, my first recommended solution has to do with the penalties mentioned in Section 906 of SOX. As was discussed, the fine and/or possible prison sentence for CEOs and CFOs varies between 1-5 million dollars and 10-20 year maximum sentences. The variance is based on the level of involvement in misstating the financial reports (i.e. whether they willfully and knowingly signed bad reports). I’m sure anybody that has never lost money due to a fraud probably thinks those sentences are on the edge of harsh. I’m here to say they aren’t harsh enough. To begin, I’ll say they are two sides as implied by Section 906: unknowingly and knowingly signing bad reports. If a CFO and/or CEO “unknowingly’ signs bad reports, I’d assess a fine in the amount of half their yearly salary at a minimum. In addition, if either one benefitted from signing the bad reports (stock price shot up and they made millions), they must forfeit any financial advantage gained therein. I struggle with the prison sentence for an executive that got duped into signing reports. But, if there are situations that call for it, I’d say they ought to publish a minimum sentence. In other words, no matter how many sweet nothings the lawyer mumbles to the judge, a guilty finding is a minimum 3-5 year sentence. Somehow, these executives have to be motivated to act with the utmost integrity. These recommendations are harsh, but good deterrents need to be. If a CFO and/or CEO are found to have willingly and knowingly signed bad reports, I believe the fine should triple. Further, no more maximum sentence that never gets handed out. 10 year minimum sentence up to a 30 year maximum. As I said, the way you deter them is by ensuring the deterrent exceeds the benefit of committing the fraud. A 10 year minimum sentence is going to deter a lot more fraudsters than an allegedly tough maximum sentence that is never given out in the first place. As was discussed, much of the deterrent literature out there states that organization have to have a strong ethical culture that starts at the top and permeates the entire organization. I agree wholeheartedly, but the problem I see with this is the business world doesn’t seem to have gotten any better at hiring high-ethics, high-integrity executives. Graduates from a particular Ivy League school seem to get hired regardless of ethics/integrity. I don’t have an ironclad way to ensure only the most ethical people become leaders, but I do have a suggestion. There needs to be a think-tank developed and perhaps it could be funded with the money paid in fines. This think-tank needs to develop a test that all accept as a measure of the integrity and ethics of executives. I remember back in the service, there were different security clearance levels. To get a Top Secret Clearance, you had to pass an investigation based on a security questionnaire you completed. The questionnaire was extensive and the investigation into you was exhaustive. One negative answer from a reference anywhere along the way and no Top Secret Clearance for you. While I don’t think this integrity/ethics “test” needs to be quite that extensive, I think it would shine a bright light on any organization who insisted on hiring an executive who didn’t do so well on the test. What other professional doesn’t have to pass some kind of test to be certified in their field? CPAs, CFAs, JDs, PhDs, MDs….all have additional schooling and some sort of exam. I think the CEOs and CFOs should have one too and it should be centered on ethics and integrity. I think all the continuing education that goes with the professionals I listed should be created & mandatory for CEOs and CFOs; yearly ethics training and the like. I think a version of the training, tailored toward managers and employees not at the executive level in the organization should be given to the employees yearly as well. I’m sure lots of organizations do that already, but I’d want it to be mandatory for all. Managers and employees should have a thorough understanding of the ethics lessons taught to CEOs and CFOs. Given that I’ve suggested some pretty steep penalties toward the CEOs and CFOs, it seems only fair I address fraud at the manager & employee level. I think penalties should be appropriately harsh for the particular circumstance. I’m more interested in the managers and employees knowing and understanding what penalties can and will be for fraudulent and unethical behavior. Further, I think they should be 100% in the know as to the idea that fraud and unethical behavior will be investigated and dealt with. They need to understand, for example, that all materials bought for a project will be accounted for and they need to know what will happen if any material “walks away”. Knowledge that those kinds of situations are be looked at, investigated and dealt with is a deterrent of its own. Perhaps the strongest deterrent I can suggest is a 100% anonymous (until testimony at trial becomes necessary) and bulletproof whistleblower program has to exist at every organization. Even if everything I’ve suggested above fails to sway a possible fraudster from becoming an actual fraudster, the idea that anyone who suspects the fraud might have taken place could turn them in, suffer no retaliation and no one might ever know who they are would seem to be insurmountable. Speaking for myself, it would tear me up inside to know that somebody could turn me in so easily. The problem in a lot of companies is the lack of any sort of whistleblower program. I will admit that affording all whistleblowers the protection I suggest might lead many folks to “cry wolf” as it were. I think the bulletproof whistleblower programs will have provisions for this. For instance, if a “wolf crier” is doing so to get somebody in trouble for some twisted reason and reports fraud they know not to exist, then the “wolf crier” must suffer penalties. You want the employees to know that they have 100% protection, but such protection extends to the falsely and maliciously accused as well.
Conclusion
My paper posits the question, are existing deterrents to financial fraud working? The answer is a resounding no. It is indisputable that fraud is still happening so ergo it should be indisputable that deterrents aren’t working. I kept charts and graphs and such out of my discussion, but I believe that one only needs to review the yearly Association of Certified Fraud Examiners Report to the Nation to understand how prevalent fraud continues to be. Has financial reporting improved since SOX? Most likely, yes, but that was not the question sought to be answered herein. I don’t dispute that SOX has done some good. I merely strongly suggest that penalties can be tweaked to the point where they are a much more daunting deterrent. I suggested that a think tank be formed and tests be developed to measure CEO/CFO ethics and integrity and perhaps those that don’t pass don’t get entrusted with such responsibility. Finally I suggested an emboldened whistleblower program that offers 100 percent protection and falsely accused the same level protection. The bottom line for me is that the current deterrents are not working.

References
Bryan, C. S. (2012). The role of leadership FRAUD IN DETERRENCE. Financial Executive, 28(2), 20-23. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com/docview/926822467?accountid=14580
Hensarling, J. (2015, Jul 20). After five years, dodd-frank is a failure. Wall Street Journal Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com/docview/1697173680?accountid=14580
Law, P. (2011). Corporate governance and no fraud occurrence in Organizations. Managerial Auditing Journal, 26(6), 501-518. doi:http://dx.doi.org/10.1108/02686901111142558
Ugrin, J. C. (2008). Exploring the sarbanes-oxley act and intentions to commit financial statement fraud: A general deterrence perspective (Order No. 3311024). Available from ABI/INFORM Complete. (89230363). Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com/docview/89230363?accountid=14580
United States Code (2002). Sarbanes-Oxley Act of 2002, PL 107-204, 116 Stat 745 Codified in Sections 11, 15, 18, 28, and 29 USC .
Verschoor, Curtis C,C.M.A., C.P.A. (2015). THREE PILLARS OF FRAUD DETERRENCE AND DETECTION. Strategic Finance, 96(10), 17-18. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com/docview/1672624807?accountid=14580
Wells, J. T. (2008). The real secret to fraud deterrence. The CPA Journal, 78(6), 6. Retrieved from http://ezproxy.umuc.edu/login?url=http://search.proquest.com/docview/212265747?accountid=14580