| Preventing Confirmation Fraud Brian Fox, CPA, CFE, Capital Confirmation Inc. |
|
Until recently, few people focused on confirmations. Confirmations, now a hot topic, once was considered a simple, relatively low-risk procedure requiring little effort and even less thought. This oversight has been identified by fraudsters, posing a tremendous challenge for CPAs, and providing opportunities for a unique set of fraud schemes that need to be understood by all who participate in the process. At over $5 billion, the Parmalat fraud is now the largest cash and investment confirmation fraud ever recorded; however, this is not the first time that this type of fraud scheme has been used to falsify financial reports. The infamous ZZZZ Best Carpet Cleaning Company paid a friend $10,000 to use his address for audit confirmations. Just last year, the Director of Apparel Sales for Adidas America pled guilty to committing confirmation fraud. Motivated by future sales to Just for Feet, he confirmed to Just for Feet’s auditors that Adidas owed $2.2 million, when in reality Adidas owed approximately $40,000. Below, I will describe how my experience as an auditor has led me to develop a process aimed at preventing confirmation fraud. During my first year as an auditor for a Big 5 firm, I was content to copy, mail, fax, carry supplies, and perform the typical duties of a first-year staff auditor. As a second-year staff auditor, I sought more responsibility and I was anxious to learn. In fact, I relished knowing that the interns and first-year auditors would be assigned the audit engagement’s most mundane and menial audit tasks, one of the worst being confirmations. I was disappointed when both the intern and first-year auditors on my largest client were reassigned because our office was short-staffed and needed those resources elsewhere. Consequently, I had to perform confirmations—again. As a second-year staff auditor, I began the three-week process of performing confirmations for my largest client; however, I also wanted to understand the purpose of my task. I took solace in our firm’s advances in technology—that year Business 2.0 had named us the accounting profession’s leader in technology adoption, estimating that we had a two-year lead over our closest competitor. We were very proud of our achievement and I was sure that, with the recent adoption of our electronic audit workpapers and the rapid rise of the Internet, it was only a matter of time before we would perform confirmations electronically. However, that year we still completed them manually. So, as I recreated my confirmation log from the prior year, handed my client a stack of paper forms to fill out as they had done in every year prior, folded paper, stuffed envelopes, and dropped the letters in the mailbox, I began to question what I was doing. The year before, I was taught that strict procedures must be adhered to when performing confirmations: I could not let the client mail them for me—I had to physically put the letters in a U.S. mailbox myself; the client could not receive the responses, our office must receive them; when I needed to fax a request to get a quick response, if I was at the client site I had to stand over the fax machine and actually watch the form come through the machine for fear that client personnel might intercept the fax and alter the response. Why did we go to all these lengths to protect the integrity of the confirmation process when the client was the one who provided us the mailing address and contact name and we never attempted to validate that information? A client could have given us a relative’s address and we never would have known. False information could have been sent back and we were placing full reliance on the information—we should not have. Later, as a consultant for another Big 5 firm, I was asked to act as the audit senior on a number of audit engagements because of my background in auditing. The firm had just rolled out its electronic audit workpapers and, as before, I considered the same issues in the confirmation process and again thought some auditor surely will put a stop to this opportunity for fraud. However, it was not until I attended business school at Vanderbilt that I decided to try to solve the problem myself. With the help of my classmates and professors, I researched the market and developed the business plan. For my internship between my first and second years, instead of the traditional internship, I asked my family and friends for start-up capital and launched Capital Confirmation Inc. to control confirmation fraud. With those resources, we built the first prototype and beta-tested the service in the market with the assistance of some very forward-thinking bankers and accounting professionals who understood our goal. What has emerged from those first trials is a secure, third-party confirmation service that integrates with a firm’s electronic workpapers where all participants to the confirmation are independently authenticated, and the average turnaround time is 24 hours instead of four weeks. Through our research, we found that our service also provides a benefit for the respondents. Respondents tell us that, with the paper-based confirmation process, it is impractical for them to validate the signatures on confirmation requests, just as it is impractical for banks to validate the signature on the thousands of personal checks they encounter every day. Having a trusted source pre-authenticate the CPAs that request confirmations reduces the opportunity for sensitive client information to be inadvertently given to someone posing as a CPA and sending in a false confirmation request. ABOUT THE AUTHOR Prior to Capital Confirmation Brian worked for Ernst & Young LLP and PriceWaterhouseCoopers LLP. He received an M.B.A. from Vanderbilt’s Owen Graduate School of Management and a B.B.A. in Accounting from SMU’s Cox School of Business. Brian is a member of the AICPA and The Tennessee Society of CPAs where he sits on the Accounting and Auditing Symposium Committee for the Society. He writes and reviews fraud articles and is often a guest lecturer at Vanderbilt. His email address is: brianfox@cashconfirm.com. Brian Fox |