Preventing Financial Reporting Fraud Due to the Delayed Reporting of Adverse Events

IIA Fraud Conference – LA Chapter – April 11, 2018
Robert Conway, Professional Practice Director
(27 slides)

Session Overview
• Examples of Fraud from Delayed Reports of Adverse Events
  • Financial Reporting Fraud
  • Insider Trading
• Root Causes
• Preventive Techniques
  • Disclosure Committee Dashboard Monitoring
  • Integrate Dashboard Monitoring with Officer 302 Certifications
  • Integration with Enterprise Risk Assessment: “What Could Sink the Ship!”
• Process Enhancements / Best Practices

What Do The Following Events Have in Common?
• Cybersecurity breaches
• Product defects / recalls
• Early payment defaults on new mortgages
• Legal / regulatory matters (tax authorities, EPA, FCPA, AML, OSHA, EEOC, etc.)
• Declining software license renewal rates
Answer: Each can result in fraudulent financial reporting if it is not reported timely.

A Deeper Dive into Real Life Events
• Yahoo Security Breach
• Equifax Security Breach
• General Motors Ignition Lock Defect and Recall
• New Century Decreasing Loan Quality
These companies all had Disclosure Committees, yet all suffered losses rooted in untimely reporting of adverse events.

Yahoo Security Breach
• Breaches occurring in 2013 and 2014 were not reported until 2016.
• Initial report: 500 million user names, email addresses, birthdates, and phone numbers were accessed.
• Estimate increased to 1 billion users, then 3 billion users (after Verizon’s acquisition of Yahoo).
• The SEC opened an investigation in June 2017.
• Disclosure controls and procedures will likely come under considerable scrutiny.

Yahoo Security Breach – Internal Investigation
"It appears certain senior executives did not properly comprehend or investigate, and therefore failed to act sufficiently upon, the full extent of knowledge known internally by the Company's information security team. [...] However, the Independent Committee did not conclude that there was an intentional suppression of relevant information. Nonetheless, the Committee found that the relevant legal team had sufficient information to warrant substantial further inquiry in 2014, and they did not sufficiently pursue it."

Financial Cost of Yahoo Breach
• News of the breach surfaced during Verizon’s negotiations to buy Yahoo.
• Purchase price was adjusted downward by $350 million due to the cybersecurity breach.
• After the acquisition closed, the scope of the breach expanded from 500 million users to 3 billion users. Ouch!

The Equifax Cybersecurity Breach
• July 29, 2017 – Equifax learns of the mid-May 2017 breach (2 days after its 10-Q filing).
• Impact – 143 million people lost confidentiality of:
  • Social security numbers
  • Birthdates
  • Addresses and driver’s license numbers
• 200,000 credit card numbers were also stolen.
• September 7, 2017 – Breach is disclosed to the public.

Fallout from Equifax Breach
• $113 million in internal costs to investigate and remediate.
• $50 million cost of free credit monitoring offered.
• Numerous class action lawsuits and investigations have ensued, including alleged violations of the securities laws.
• Claims assert the failure to timely notify investors and the failure to apply suitable controls.
• Three Equifax executives also came under investigation for insider trading: $1.8 million in securities were sold prior to the announcement of the cybersecurity breach.

General Motors Ignition Switch Defect
• 2012 – GM engineers realized faulty ignition switches could cut off power (including air bag power), endangering passengers in a bad accident.
• GM concealed the defect from NHTSA and the public, taking the matter offline and outside of the recall process.
• GM Accounting was not informed of the issue until November 2013.
• Defect and recall announced in February 2014.

Fallout from GM Ignition Issue
• $2 billion in fines and settlements (and growing).
• $900 million settlement paid to the DOJ over the failure to fix the deadly ignition switch defect, which caused 120 deaths.
• January 2017 – SEC issues a cease and desist order against GM, noting that: “Deficient controls prevented the Company from assessing the potential impact on its financial statements of a defective ignition switch found in certain vehicles.”

New Century – Orange County Based Sub-Prime Lender
• 2006 – $100 million pre-tax earnings per quarter for the first 3 quarters.
  • $100 million in dividends per quarter for the first 3 quarters.
  • $66 million in common stock repurchased.
• February 2007 – Need to restate announced.
• April 2, 2007 – Declared bankruptcy and failed to survive.
The bankruptcy examiner’s report chronicles a failure of Disclosure Controls and Procedures and governance.

Basic Background Information on Mortgage Sales
New Century was obligated to buy back sold or securitized loans with interest if:
1. The borrower failed to make the first three payments (early payment default), or
2. The documentation in the loan file was found to be deficient (so-called “kickouts”).

Unreported Red Flags at New Century
It was well known inside New Century during 2006 that:
• Early payment defaults were skyrocketing by industry standards (up to 13% of loans sold or securitized).
• Kickout rates were up to 15% and growing.
Yet New Century’s last public filing (the 10-Q for the third quarter of 2006) made no mention of these trends, and reported a repurchase provision of $5 million for the nine months (comparable to the prior year). The bankruptcy examiner later determined that the repurchase reserve was understated by $190 million.

New Century Observations
• Internal audit did a good job elevating the issues. Those in governance appeared to have plenty of information.
• A sense of denial was prevalent, based on the erroneous belief that New Century’s loan quality was as good as or better than that of its peers.
• Pressure from upper management may have been a factor in the lack of attention to loan quality issues and the absence of transparency.

General Observations
• Effective Disclosure Controls and Procedures (DC&P) are essential.
• Failures of these controls to operate effectively can be disastrous.
• It is incumbent on internal audit to assure that the DC&P are well designed and operate effectively. This means going beyond the limited assurance that ICFR may provide.
• Remember, clean ICFR opinions do not directly cover DC&P.

Scope of CEO and CFO Public Company 302 Certifications
• No omissions or untrue statements of material facts causing the 10-Q / 10-K to be misleading.
• Financial statements are fairly presented.
• Acknowledge responsibility for establishing and maintaining 1) disclosure controls and procedures, and 2) internal controls over financial reporting.
• Disclosure controls are designed to ensure material information is made known to us by others within the company.

Scope of CEO and CFO Public Company 302 Certifications (cont.)
• Designed ICFR to provide reasonable assurance regarding the reliability of GAAP-compliant financial statements.
• Evaluated and reported on the effectiveness of DC&P in the 10-Q / 10-K.
• Evaluated ICFR and disclosed significant deficiencies and material weaknesses (including fraud, whether material or not) to the auditors and audit committee.

The Use of Cascading Certifications to Support CEO and CFO Section 302 Certifications
Sub-certifications are generally collected from a broad range of management across all disciplines. To be effective, sub-certifications need to be:
• Tailored to each respective area.
• Explained in layman’s terms, including their purpose.
• Clear about the relevance of operational adverse events.
• Not limited simply to matters where dollars can be quantified.

Effective Tailoring of Sub-certifications – Examples
• Sales force certifications should address the existence of side agreements with customers.
• IT certifications should address the occurrence of cybersecurity breaches.
• Product quality / warranty department certifications should address adverse events and findings.
• Marketing certifications should report trends and severity of customer complaints.

Common Sub-certification Pitfalls
• Distribution limited to control owners, with focus only on the operation of the control.
• Insufficient description of context and importance.
• Insufficient reinforcement of the importance of ethical behavior and regulatory / legal compliance.
• No reminder of the available channels for reporting concerns.
• Absence of linkage and tailoring to enterprise risk.

Linkage to the Enterprise Risk Assessment Process
• What can sink the ship?
• What are the early warning indicators?
• Are the early warning indicators routinely monitored on a centralized basis?
• Is there a dashboard?

The AICPA SOC for Cybersecurity Approach
A great prototype for capturing events and reporting to management:
• Assess the risks / identify processes and controls
• Identify cybersecurity adverse events
• Assess severity
• Report to management
• Remediation plan
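The slides above call for a centrally monitored register of adverse events (the "dashboard") whose contents feed the disclosure committee and the 302 sub-certifications. The following is an added example of what that register check can look like in code; it is not from the presentation or from CNM LLP, and the event schema, the severity ranking, the 10-day escalation SLA and the sample register rows are all constructed for illustration. Given each event's detection date, the date it reached the disclosure committee, and the date of the last periodic filing, it flags three things the slides describe narratively: events the certifying officers could not have known about when they signed, events still unescalated past the SLA, and events that were escalated but too slowly.

```python
"""Adverse-event register check for a disclosure committee dashboard (illustrative only)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed severity ranking; the committee must see everything at or above `min_severity`.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class AdverseEvent:
    """One row of the operational adverse-event register (constructed schema)."""
    event_id: str
    category: str                      # cybersecurity, product_defect, loan_quality, ...
    owner: str                         # function that signs the related sub-certification
    detected: date                     # first day someone inside the company knew
    severity: str
    escalated: Optional[date] = None   # date the event reached the disclosure committee
    disclosed: Optional[date] = None   # date it appeared in a public filing, if any


@dataclass
class Finding:
    event_id: str
    issue: str
    days_since_detection: int


def review_register(events: List[AdverseEvent], filing_date: date, as_of: date,
                    escalation_sla_days: int = 10, min_severity: str = "high") -> List[Finding]:
    """Flag events the disclosure committee should have seen but did not (or saw late).

    Checks, all computed from dates the register already holds:
      1. certification gap: known on or before `filing_date` but escalated only after
         it (or never), so the 302 certification for that filing was signed without it;
      2. escalation overdue: still not escalated `escalation_sla_days` after detection;
      3. escalation late: escalated, but later than the SLA allows.
    """
    findings: List[Finding] = []
    floor = SEVERITY_ORDER[min_severity]
    for ev in sorted(events, key=lambda e: e.detected):
        if SEVERITY_ORDER[ev.severity] < floor:
            continue                                   # below the committee's threshold
        open_days = (as_of - ev.detected).days
        if ev.detected <= filing_date and (ev.escalated is None or ev.escalated > filing_date):
            findings.append(Finding(
                ev.event_id,
                f"known {(filing_date - ev.detected).days} days before the {filing_date} filing, "
                "not escalated before certification",
                open_days))
        if ev.escalated is None:
            if open_days > escalation_sla_days:
                findings.append(Finding(
                    ev.event_id,
                    f"not escalated {open_days} days after detection (SLA {escalation_sla_days})",
                    open_days))
        else:
            lag = (ev.escalated - ev.detected).days
            if lag > escalation_sla_days:
                findings.append(Finding(
                    ev.event_id,
                    f"escalated {lag} days after detection (SLA {escalation_sla_days})",
                    open_days))
    return findings


def findings_by_owner(events: List[AdverseEvent], findings: List[Finding]) -> Dict[str, int]:
    """Count findings per sub-certifying function, i.e. whose sub-certification needs tailoring."""
    owner_of = {e.event_id: e.owner for e in events}
    counts: Dict[str, int] = {}
    for f in findings:
        counts[owner_of[f.event_id]] = counts.get(owner_of[f.event_id], 0) + 1
    return counts


# Constructed sample register: dates and severities are invented for the example.
SAMPLE_REGISTER = [
    AdverseEvent("EV-1", "cybersecurity", "IT", date(2018, 1, 10), "critical"),
    AdverseEvent("EV-2", "product_defect", "Quality", date(2018, 2, 1), "high",
                 escalated=date(2018, 2, 5)),
    AdverseEvent("EV-3", "loan_quality", "Credit", date(2017, 12, 15), "medium"),
    AdverseEvent("EV-4", "cybersecurity", "IT", date(2018, 3, 10), "high"),
    AdverseEvent("EV-5", "legal", "Legal", date(2018, 1, 20), "high",
                 escalated=date(2018, 2, 20)),
]
FILING_DATE = date(2018, 2, 28)   # assumed date of the last 10-K / 10-Q
AS_OF = date(2018, 3, 15)         # assumed dashboard run date

if __name__ == "__main__":
    results = review_register(SAMPLE_REGISTER, FILING_DATE, AS_OF)
    for f in results:
        print(f"{f.event_id}: {f.issue}")
    print("findings by sub-certifying owner:", findings_by_owner(SAMPLE_REGISTER, results))
```

On the sample data EV-1 produces two findings (known 49 days before the filing and still unescalated 64 days after detection), EV-5 one (escalated after 31 days), while EV-2 and EV-4 pass and EV-3 is below the severity threshold. The per-owner count is what the internal auditor would carry into the sub-certification review on the later slides: a function with open findings is one whose certification evidently did not surface the event.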

What Action Can Internal Audit Take Today?
Undertake a project to evaluate the effectiveness of Disclosure Controls and Procedures:
• Is the composition of the Disclosure Committee appropriate?
• Do disclosure committee processes link to the Enterprise Risk Assessment (i.e., “What can go wrong?”)?
• Are operational early warning indicators incorporated into the process?
• Is the population of sub-certifications appropriate?
• Are the sub-certifications appropriately tailored to go beyond control effectiveness?

What Action Can Internal Audit Take Today? (continued)
• Do the certifications include directions that explain the relevance and importance of the certifications?
• Do the certifications reinforce the organization’s commitment to its ethics policies and legal/regulatory compliance?
• Do the certifications provide a reminder of the channels available to employees to report matters of concern?
• Are the processes and conclusions of the Disclosure Controls and Procedures Committee documented?

Questions and Discussion

Sanjay Sheth, Partner, CNM LLP
Tel. 213.321.5314
ssheth@cnmllp.com

Robert Conway, Professional Practice Director, CNM LLP
Office 949.299.5584
rconway@cnmllp.com

Woodland Hills Office: 21051 Warner Center Lane, Suite 140, Woodland Hills, CA
Orange County Office: 6 Venture, Suite 365, Irvine, CA 92618