- Email: [email protected]
Reporting practices: potential lessons from Cendant Corporation
Pergamon
PII:
European Management Journal Vol. 18, No. 3, pp. 328–333, 2000 2000 Published by Elsevier Science Ltd. All rights reserved Printed in Great Britain S0263-2373(00)00014-1 0263-2373/00 $20.00
Reporting Practices: Potential Lessons from Cendant Corporation WANDA WALLACE, College of William and Mary, Virginia A case analysis of Cendant, the American business and consumer services corporation, generates guidelines for enhancing managers’ evaluation of risk. Specific hints of problem areas that can be addressed through future control design are detailed. Of particular import to managers are risk exposures associated with non-recurring ‘opportunities’ for mis-statement and the use of outsourcing within the accounting and reporting process. 2000 Published by Elsevier Science Ltd. All rights reserved
useful future ‘red flags.’ Yet, far more important, are the apparent opportunities for top management to enhance control environments in future monitoring activities as implied by the case study of Cendant.
Keywords: ‘Red Flags’, Monitoring, Control design, Risk exposure, Cendant, Benchmarking, Reporting practices
Many researchers into past reporting violations, as reflected in the Accounting and Auditing Enforcement Releases (AAERs) of the Securities and Exchange Commission, have profiled key problem areas; an example appears in Table 1 and Figure 1. The allegations associated with Cendant parallel many of these key problem areas. Specifically, Cendant is reported to have had a history of reporting problems which included: (1) regulators’ attention to a 1989 practice of spreading recruiting of new members’ costs over three years, in contrast to expensing such items; and (2) a challenge by the SEC as to the completeness of filings, leading to amendments, in 1991. Examples of various allegations can be linked to simple guidelines for management to follow in order to facilitate the detection of ‘red flags.’
Cendant, the business and consumer services corporation, in its Form 8-K, dated August 28, 1998, describes the results of an investigation by the Audit Committee as to various allegations associated with reporting practices. The media has likewise described the unfolding tale of Cendant’s activities (see, as examples, The Wall Street Journal, 1998)). While the litigation process may well take years, even at this relatively early stage of allegations, top management and directors can learn from the Cendant experience. Building on the discovery process to date, as set forth from public sources, simple guidelines emerge as
Allegations
Table 1 Cendant-based allegations
171 AAER accounting violations profile (Bremser et al., 1991)
SEC disagreed on accounting Non-GAAP errors Bogus revenue Fictitious accounts receivable Premature revenue recognition Delayed recognition of insurance claims...
Negligence, insider trading, false testimony before SEC: 31% Insufficient control: 20% Books and record problems fraught with omissions and false data: 24% Disclosure associated with management representations: 52% Disclosure of related parties: 19% Revenue recognition: 62% Liability valuation: 12% Asset valuation: 70%
328
European Management Journal Vol 18 No 3 June 2000
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
Figure 1 171 AAER Accounting Violations Profile (Bremser et al., 1991)
Simple Guidelines Seven simple guidelines might have heightened awareness of risk exposures associated with Cendant at an earlier date. The idea is to consider each guideline and then to evaluate the holistic picture of risk. Table 2 outlines the guidelines and provides a Cendant-based allegation that appears to tie to each of these steps.
The first admonition relates to the importance of applying due diligence in any participatory arrangement. The problem highlighted relates to mergers within one’s own industry. Issues of proprietary interests are frequently invoked due to the potential fall-out if a merger is not completed among competitors. However, a management team that permits less than the usual level of due diligence because of this complicating factor is accepting a heightened risk level and needs to explicitly incorporate this element
Table 2 Simple guidelines
Cendant-based allegations: examples
Apply due diligence involved in participatory arrangements
EVENT: Cendant reports merger 12/17/97 $14 billion — limited access to non-public information by HFS — CONCERN for proprietary information if merger not consummated because both competed in resort time-sharing Evaluate and minimize potential for misplaced trust in History of problems at CUC: 1989 spread recruiting of new monitoring members’ costs over 3 years vs expense; 1991 SEC challenged completeness of filings, leading to amendments Be wary when unusual commitments are made and monitor CUC International and HFS Inc. merged, yet ‘insistent upon’ new business relationships separate accounting — wanted consolidation: ‘not getting necessary cooperation or information’ 2/98 and deferred change in accounting to the 10-K of 1st quarter Monitor competitors’ knowledge and departure of key Improper use of merger reserves — delayed recognition of employees cancellations and credit-card rejections...3 months behind in bookings...industry norms...prompted 4/15/98 ‘discovery’ Consider the possibility of fictitious transactions parallel to CUC 1995: $100 million; 1996: $150 million; 1997: $250 million actual: benchmark bogus revenue; 1997 Net income decline $100–$115M expected per audit committee report Respect confidentiality of monitoring tools and include external Reversals in fourth quarter of bogus sales due to concern gauges they’d be found by auditors; replaced with reserve charges Understand management, incentive, and reporting context Managers received ⬎ base salaries, bonuses, better severance benefits, more stock options, and immediate vesting of certain options through merger; as well as a lapse of restrictions on restricted stock and accelerated lump sum payments under Senior Executive Retirement Plan
European Management Journal Vol 18 No 3 June 2000
329
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
when evaluating the attractiveness of a potential acquisition or investment. The second guideline relates to trustworthiness. Ask the question of whether there are adverse signals pertaining to the integrity of reporting practices and the reputation of a proposed acquiree among regulators. CUC had a history of problems which were accessible in the public domain, had the acquirer explored this risk indicator. The third guideline specifies the need to accord attention to any unusual commitments extracted during negotiations. Interestingly enough, at the merger phase, insistence on separate accounting groups appears to have facilitated a longer time period in which various alleged mis-statements were perpetrated. The familiar concept of synergy and economies of scale create an expectation that administrators and staff will be blended and often downsized as a result of a merger. The prohibition of such a natural step should trigger alarms as to the ‘why’ of the commitment extracted and the potential nefarious dimensions of the negotiated practice that might result. The fourth guideline recognizes the power of analytics in monitoring. Specifically, if industry statistics suggest that a certain rate of rejection for credit cards should be expected and a potential candidate for investment is well under that rate, the question has to be posed of whether the difference is a substantive high-performance indicator or in fact a red flag to mis-reporting. Similarly, if a mass exodus is witnessed of key mid-level and top-level managers, the question of why should be raised, alongside some debriefing steps with the departing employees. The ethics literature describes a common tendency for those facing problem settings to implement a socalled ‘exit strategy’ whereby they fail to report their concerns and simply find a new job. Often these individuals would like to be offered a forum that is legally palatable to share their concerns or suspicions. If a prospective investor or acquirer can obtain legal rights to interview former employees, with safe harbor protection of those individuals, there may be associated discovery of risks that raise acute issues going forward for the control environment and the investment prospects. The fifth guideline again invokes analytics, only this time from a time-series perspective within the company, rather than relative to the industry benchmarks available. Large fluctuations in reported numbers and discrepancies in expected versus actual outcomes are telltale signs of risks. The sixth guideline recognizes the role of external auditors, the transparency of tools they apply, and the need for gauges that detect differences in first three quarter and fourth quarter recording practices. It appears from the public record to date that those 330
involved in the alleged activities suspected they would be detected in the fourth quarter if the bogus sales from earlier periods were not replaced with some other recording device. Indeed, they purportedly replaced bogus sales with reserve charges to avoid detection. One recent proposal by the Big Five CPA firms is that they will require quarterly reviews as a facet of new attest engagements, apparently as a risk control factor. Managers of existing audit clients may want to consider the wisdom of such a continuous audit context as one tool for averting the fourth quarter transformation practice that appears to have occurred with Cendant. Moreover, the external auditors would seem well advised to focus on reversals among quarters, particularly as they relate to revenue recognition. In addition, the transparency of audit tools should be decreased as a mechanism to deter intentional practices by auditees to gear mis-statements to areas deemed not as auditable. In other words, special attention to reserve charges is suggested as necessary and would likely be more effective if associated audit steps are not transparent to the auditees. The seventh guideline relates to the context in which an investment is being made. If an acquiree has compensation arrangements that are tied to accounting numbers or stock prices, then the possible incentive effects on reporting need to be evaluated as a dimension of risk. Elements of ‘golden parachutes’ for departing employees may also be a risk indicator, since short-term emphasis can particularly plague exiting management’s decision-making.
10 Hints That Something is Awry While the seven guidelines help in identifying red flags, among the lessons from Cendant are a set of circumstances that cannot only hint to problem areas but can be reflected in future control design. In other words, by understanding such hints, and according attention in monitoring and control practices, top management can reduce the risk level for the operating environment.
Information Made Available to the Board In the allegations surrounding Cendant, evidence exists that the information provided to the Board of Directors may have had ‘holes.’ This same problem has been cited in past media events, such as those surrounding reporting practices of Woolworth and other entities. Too often when annual data are shared with directors, they do not receive budgeted comparatives, and as a result, they cannot easily reconcile actual to planned results. Yet, analytical procedures of demonstrated use in various settings include comparisons of budgets to actual and exploration of trends. The lesson for the control environment is that European Management Journal Vol 18 No 3 June 2000
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
a sort of template for reporting to boards and audit committees should likely be adopted, without permitting any managers to stray from a core set of necessary information. Such an approach ensures oversight by the corporate governance arrangements in place by permitting complementary disclosures across time but no substitution for the core information set routinely provided as to budgets, actual performance, and trends.
Soft Close An explanation reportedly offered by Cendant to its auditors for various discrepancies detected was that a soft close had been performed earlier, since the entity was ‘in a hurry’ to use interim numbers but had no time for a hard close. In a sense, the notion is that ‘I didn’t have time to do it right, so excuse the discrepancy.’ The problem with such a notion is that it becomes a ‘barn door’ through which large misstatements can pass, excused, at interim dates, and thereby facilitate the creation of potentially material mis-statements — be they errors or intentional defalcations. The lesson for the control environment is that ‘soft close’ practices should largely be abolished. If a company wants to defer certain practices to year-end, these should be codified and checked as to materiality to decision-making. In this technological age, few if any justifications exist for other than proper closing practices at interim dates. The elimination of the excuse of ‘soft close’ can be expected to enhance the overall quality of reporting practices for an entity.
Non-GAAP Reports While generally accepted accounting principles (GAAP) may have their problems, they do provide a set of guidelines which can be understood and evaluated as to comparability, consistency, and fineness of measurement. Yet, in the Cendant case as well as other matters, allegations include the sharing of socalled non-GAAP cash budgets with certain individuals and reports marked ‘For Your Eyes Only’. This set of circumstances at Cendant has two dimensions potentially: (1) by providing non-GAAP reports, steps can be taken to camouflage the substance of economic transactions and (2) by restricting access to certain non-GAAP reports, one may prepare a parallel set of books that facilitates a monitoring of the consequences of certain false reporting practices. The first problem permeates any management report that chooses to adopt a reporting base that is not generally understood. The second problem highlights a fact that when mis-reporting arises, one expects that those involved need to monitor the consequences in order to both know the scope of the mis-reporting and to avoid detection. The very presence of a potential ‘backup’ system for a defalcation raises questions of how these reports can either be precluded, increasEuropean Management Journal Vol 18 No 3 June 2000
ing the risk to any mis-statement, or if prepared, can be detected. The first control environment implication of these practices is that any report prepared on other than a GAAP basis might be required to include a reconciliation to GAAP and clearly state what aspects of GAAP are being ignored. This would tend to communicate more consistently and help to avoid effective camouflaging of the substance of reporting. The second control environment implication is that restricted report access be a dimension of a reporting framework that is itself monitored. In other words, if read-only access is not granted, there should be some monitoring as to why that is the case, and if there is no reason for such secrecy, the sunshine may well deter the creation of such a back-up or, alternatively, disclose its presence, and permit detection.
Appearance of Propriety The allegations surrounding Cendant describe an initial effort by those asked to distort underlying records to record adjustments as round numbers. Apparently, a supervisor pointed out the impossibility of such an outcome and required that pennies be displayed within such records. The idea behind the supervisor’s alleged action was that the appearance of propriety needed to be created in the records. Assuming not all supervisors might have taken the step described, one control implication is that monitoring practices look for the mere appearance of impropriety. Apparently, at least for some period of time, the rounded numbers were in the records. However, more importantly, a tool is available to check whether the appearance of propriety that might be manufactured comports with usual naturaloccurring outcomes. Specifically, digital analysis, based on Benford’s Law permits a comparison of digits in the records to the expected occurrence of digits as a tell-tale sign of potential defalcations (an EXCEL-based approach is described by Banks, 1999).
The Importance of Formulas That Create Reports A particularly interesting aspect of the Cendant case that has been described within the 8-K filing is the practice of one individual who was asked to alter the books: that individual maintained a sort of ‘audit trail’ as to which entries were bogus and which were real. The way this was reportedly accomplished was by simply writing in the cell of the spreadsheet the formula of the real number plus the bogus number. Indeed, the existence of this spreadsheet made it easy to estimate the scope of the defalcation upon discovery. The control environment implication is similar to the long-recognized fact by those involved in monitoring that one cannot treat technology as a ‘black box’ and focus merely on input and output. The process by which the output is created is of sub331
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
stantial relevance. Had a control practice involved random sampling of spreadsheets leading to reports on which managers are relying, the unusual presence of an unexpected formula might have triggered the necessary inquiry to uncover the problems at Cendant at an earlier date. While easy to call up a worksheet and examine the cells or to print a version of the worksheet in formula form, the problem is the apparent absence of such a control step in the company’s own monitoring.
Disaggregation Should be Expected and Monitored The media has long reported on defalcations or abuses of control systems via disaggregation. For example, if a snow removal contract with a related party exceeds the level requiring City Council approval, multiple contracts that individually fall below that level have been created as a means of circumventing the prescribed approval process. Similarly, when problems arise in casinos, often they appear among smaller transactions, since the large items are understood by defrauders to undergo more intensive scrutiny. In the Cendant matter, descriptions of events include initial large amounts to be improperly recorded which were disaggregated into far smaller amounts as multiple entries. A common practice of scanning might not easily discern the similarities among disaggregated entries. The control implication is that those monitoring should link similar types of entries, re-aggregate, and consider their combined reasonableness. Expect that those involved in mis-statement will spread the problem across entries and that the effect may need to be ‘built back up’ into an aggregate effect, in order to be properly assessed as to their import.
It’s Not My Job The Cendant matter involves an apparent disconnect between decentralized units and the corporate office. The decentralized units appear at times to have adopted the position that ‘it’s not my job’ and merely accepted various mandates from corporate office. Yet, an embedded personal responsibility culture is essential for an effective control environment. As an example, if a decentralized unit is told to book an entry which disagrees with what that manager knows to actually apply to his or her unit, then that manager needs to resist merely following instructions. To establish accountability, a control structure can be created, whereby challenges posed by decentralized managers to corporate instructions are forwarded to an independent intermediary for oversight and follow-through, on behalf of the corporate governance structure. Hotlines for ethical dilemmas have grown in acceptance, but with increased mergers and growth to international operations, companies may need to consider a hotline for the decentral332
ization phenomenon. Accountability has to be established throughout the organization, in order that the decentralized manager will not feel he or she is vindicated simply because corporate instructions were issued.
Form Vs Substance Closely linked to the decentralization phenomenon is the role of substance versus form. The Cendant case reportedly led to some of the decentralized operating managers asking for support and documentation for the journal entries they were instructed to book. While this is a step in the right direction, the problem is that these individuals appear to have accepted the ‘form’ of documentation, even though that support appears to have lacked ‘substance.’ Specifically, postfacto reading of the documentation suggests nonsensical reasoning which, on its face, would not be expected to constitute effective support of the requested entry. The control implication is that substance has to be demanded, not merely form, when pursuing documentation of entries onto the books. In other words, just a signature won’t do! The evaluation of the reasoning and documentation is a professional’s duty. The demand for substantial support for implementing instructions from corporate is a control practice that could easily be linked to the sort of hotline structure detailed for decentralized operations.
Use of Temporary Employees Outsourcing has received a great deal of attention in the professional literature and media in recent times. It is well recognized as a practice that requires careful contracting, monitoring, and control. However, the Cendant account contains a slightly new wrinkle. Specifically, it appears that temporary employees were used for recording practices instead of knowledgeable employees, in part to preclude the individual from being able to draw upon experience to assess the reasonableness of the context in which an entry was being recorded, and in part to preclude the need for collusion. In other words, had a permanent employee with experience been asked to make certain entries, one might expect those entries to be questioned and possibly reported. However, by displacing such a knowledge base with a temporary employee who lacked context, such a challenge was essentially avoided. It is extremely risky to circumvent the knowledge and experience of professionals employed over the longer term with an entity, capable of evaluating reasonableness, within the accounting and reporting process. The control environment implication is that outsourcing should not be an alternative for positions in a company that involve judgment and require context for proper evaluation. A critical check-and-balance presumed within an accounting framework is lost if outsourcing European Management Journal Vol 18 No 3 June 2000
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
is used, particularly in the critical closing process for a public company.
scriptions and prospective tools are best assessed through application, facilitating future research into their performance in fraud prevention, deterrence, and detection.
Non-recurring ‘Opportunities’ Perhaps the most apparent pattern among some of the recently publicized debacles, including the Cendant allegations, is the presence of a key event that serves as a non-recurring ‘opportunity’ for mis-statement. For Cendant, the event was a merger which had associated reserves of material proportions, accessible for camouflage of alleged mis-reporting. In other cases, the non-recurring event is often restructuring, downsizing, or physical moves. Such key events definitionally are expected to involve material expenditures and often have no internal benchmark against which to calibrate the reasonableness of numbers being recorded. The implication is that by definition a non-recurring event is high risk. Extra monitoring steps have to be taken to explore the exact nature of the charges recorded and to strive to access external benchmarks as to others’ experiences with similar events.
Synopsis: Learning from the Past Research of an inductive nature has led the way to numerous enhancements of understanding and application across the fields of science and the social sciences. Efforts to assemble past experiences, so that we can learn from our past and not repeat lessons that were painful in yesteryear is a premise upon which much prescriptive literature is based. This case-based analysis of both red flags and hints regarding risk exposures, combined with active steps that can be taken to address such risks is intended as a prescription based on alleged past events at Cendant. The wisdom and effectiveness of these pre-
European Management Journal Vol 18 No 3 June 2000
References Banks, D.G. (1999) Benford’s law made easy. The White Paper 13(5), 19–21. Bremser, W.G., Licata, M.P. and Rollins, T.P. (1991) SEC enforcement activities: a survey and critical perspective. Critical Perspectives on Accounting 2(2), 185–199. The Wall Street Journal (1998) 7/17/98, pp. B1, B5; 8/13/98, pp. A1–A8; 9/2/98, p. A4; 9/10/98, p. B16; 8/28/98, pp. A3, A5.
WANDA A. WALLACE, College of William and Mary, School of Business Administration, Williamsburg, Virginia 23185, USA. E-mail: [email protected] Wanda A. Wallace is the John N. Dalton Professor of Business Administration at the College of William and Mary in Williamsburg, Virginia. Dr Wallace, the author of Handbook of Internal Accounting Controls (Prentice-Hall) and Performance Measurement and Risk Monitoring (WGL/RIA) has an ongoing interest in forensic auditing and implications for entities’ control environment and monitoring practices. Dr Wallace has authored over 170 articles in journals such as Harvard Business Review, Scandinavian Journal of Management, Financial Executive, and The European Management Journal.
333
PII:
European Management Journal Vol. 18, No. 3, pp. 328–333, 2000 2000 Published by Elsevier Science Ltd. All rights reserved Printed in Great Britain S0263-2373(00)00014-1 0263-2373/00 $20.00
Reporting Practices: Potential Lessons from Cendant Corporation WANDA WALLACE, College of William and Mary, Virginia A case analysis of Cendant, the American business and consumer services corporation, generates guidelines for enhancing managers’ evaluation of risk. Specific hints of problem areas that can be addressed through future control design are detailed. Of particular import to managers are risk exposures associated with non-recurring ‘opportunities’ for mis-statement and the use of outsourcing within the accounting and reporting process. 2000 Published by Elsevier Science Ltd. All rights reserved
useful future ‘red flags.’ Yet, far more important, are the apparent opportunities for top management to enhance control environments in future monitoring activities as implied by the case study of Cendant.
Keywords: ‘Red Flags’, Monitoring, Control design, Risk exposure, Cendant, Benchmarking, Reporting practices
Many researchers into past reporting violations, as reflected in the Accounting and Auditing Enforcement Releases (AAERs) of the Securities and Exchange Commission, have profiled key problem areas; an example appears in Table 1 and Figure 1. The allegations associated with Cendant parallel many of these key problem areas. Specifically, Cendant is reported to have had a history of reporting problems which included: (1) regulators’ attention to a 1989 practice of spreading recruiting of new members’ costs over three years, in contrast to expensing such items; and (2) a challenge by the SEC as to the completeness of filings, leading to amendments, in 1991. Examples of various allegations can be linked to simple guidelines for management to follow in order to facilitate the detection of ‘red flags.’
Cendant, the business and consumer services corporation, in its Form 8-K, dated August 28, 1998, describes the results of an investigation by the Audit Committee as to various allegations associated with reporting practices. The media has likewise described the unfolding tale of Cendant’s activities (see, as examples, The Wall Street Journal, 1998)). While the litigation process may well take years, even at this relatively early stage of allegations, top management and directors can learn from the Cendant experience. Building on the discovery process to date, as set forth from public sources, simple guidelines emerge as
Allegations
Table 1 Cendant-based allegations
171 AAER accounting violations profile (Bremser et al., 1991)
SEC disagreed on accounting Non-GAAP errors Bogus revenue Fictitious accounts receivable Premature revenue recognition Delayed recognition of insurance claims...
Negligence, insider trading, false testimony before SEC: 31% Insufficient control: 20% Books and record problems fraught with omissions and false data: 24% Disclosure associated with management representations: 52% Disclosure of related parties: 19% Revenue recognition: 62% Liability valuation: 12% Asset valuation: 70%
328
European Management Journal Vol 18 No 3 June 2000
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
Figure 1 171 AAER Accounting Violations Profile (Bremser et al., 1991)
Simple Guidelines Seven simple guidelines might have heightened awareness of risk exposures associated with Cendant at an earlier date. The idea is to consider each guideline and then to evaluate the holistic picture of risk. Table 2 outlines the guidelines and provides a Cendant-based allegation that appears to tie to each of these steps.
The first admonition relates to the importance of applying due diligence in any participatory arrangement. The problem highlighted relates to mergers within one’s own industry. Issues of proprietary interests are frequently invoked due to the potential fall-out if a merger is not completed among competitors. However, a management team that permits less than the usual level of due diligence because of this complicating factor is accepting a heightened risk level and needs to explicitly incorporate this element
Table 2 Simple guidelines
Cendant-based allegations: examples
Apply due diligence involved in participatory arrangements
EVENT: Cendant reports merger 12/17/97 $14 billion — limited access to non-public information by HFS — CONCERN for proprietary information if merger not consummated because both competed in resort time-sharing Evaluate and minimize potential for misplaced trust in History of problems at CUC: 1989 spread recruiting of new monitoring members’ costs over 3 years vs expense; 1991 SEC challenged completeness of filings, leading to amendments Be wary when unusual commitments are made and monitor CUC International and HFS Inc. merged, yet ‘insistent upon’ new business relationships separate accounting — wanted consolidation: ‘not getting necessary cooperation or information’ 2/98 and deferred change in accounting to the 10-K of 1st quarter Monitor competitors’ knowledge and departure of key Improper use of merger reserves — delayed recognition of employees cancellations and credit-card rejections...3 months behind in bookings...industry norms...prompted 4/15/98 ‘discovery’ Consider the possibility of fictitious transactions parallel to CUC 1995: $100 million; 1996: $150 million; 1997: $250 million actual: benchmark bogus revenue; 1997 Net income decline $100–$115M expected per audit committee report Respect confidentiality of monitoring tools and include external Reversals in fourth quarter of bogus sales due to concern gauges they’d be found by auditors; replaced with reserve charges Understand management, incentive, and reporting context Managers received ⬎ base salaries, bonuses, better severance benefits, more stock options, and immediate vesting of certain options through merger; as well as a lapse of restrictions on restricted stock and accelerated lump sum payments under Senior Executive Retirement Plan
European Management Journal Vol 18 No 3 June 2000
329
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
when evaluating the attractiveness of a potential acquisition or investment. The second guideline relates to trustworthiness. Ask the question of whether there are adverse signals pertaining to the integrity of reporting practices and the reputation of a proposed acquiree among regulators. CUC had a history of problems which were accessible in the public domain, had the acquirer explored this risk indicator. The third guideline specifies the need to accord attention to any unusual commitments extracted during negotiations. Interestingly enough, at the merger phase, insistence on separate accounting groups appears to have facilitated a longer time period in which various alleged mis-statements were perpetrated. The familiar concept of synergy and economies of scale create an expectation that administrators and staff will be blended and often downsized as a result of a merger. The prohibition of such a natural step should trigger alarms as to the ‘why’ of the commitment extracted and the potential nefarious dimensions of the negotiated practice that might result. The fourth guideline recognizes the power of analytics in monitoring. Specifically, if industry statistics suggest that a certain rate of rejection for credit cards should be expected and a potential candidate for investment is well under that rate, the question has to be posed of whether the difference is a substantive high-performance indicator or in fact a red flag to mis-reporting. Similarly, if a mass exodus is witnessed of key mid-level and top-level managers, the question of why should be raised, alongside some debriefing steps with the departing employees. The ethics literature describes a common tendency for those facing problem settings to implement a socalled ‘exit strategy’ whereby they fail to report their concerns and simply find a new job. Often these individuals would like to be offered a forum that is legally palatable to share their concerns or suspicions. If a prospective investor or acquirer can obtain legal rights to interview former employees, with safe harbor protection of those individuals, there may be associated discovery of risks that raise acute issues going forward for the control environment and the investment prospects. The fifth guideline again invokes analytics, only this time from a time-series perspective within the company, rather than relative to the industry benchmarks available. Large fluctuations in reported numbers and discrepancies in expected versus actual outcomes are telltale signs of risks. The sixth guideline recognizes the role of external auditors, the transparency of tools they apply, and the need for gauges that detect differences in first three quarter and fourth quarter recording practices. It appears from the public record to date that those 330
involved in the alleged activities suspected they would be detected in the fourth quarter if the bogus sales from earlier periods were not replaced with some other recording device. Indeed, they purportedly replaced bogus sales with reserve charges to avoid detection. One recent proposal by the Big Five CPA firms is that they will require quarterly reviews as a facet of new attest engagements, apparently as a risk control factor. Managers of existing audit clients may want to consider the wisdom of such a continuous audit context as one tool for averting the fourth quarter transformation practice that appears to have occurred with Cendant. Moreover, the external auditors would seem well advised to focus on reversals among quarters, particularly as they relate to revenue recognition. In addition, the transparency of audit tools should be decreased as a mechanism to deter intentional practices by auditees to gear mis-statements to areas deemed not as auditable. In other words, special attention to reserve charges is suggested as necessary and would likely be more effective if associated audit steps are not transparent to the auditees. The seventh guideline relates to the context in which an investment is being made. If an acquiree has compensation arrangements that are tied to accounting numbers or stock prices, then the possible incentive effects on reporting need to be evaluated as a dimension of risk. Elements of ‘golden parachutes’ for departing employees may also be a risk indicator, since short-term emphasis can particularly plague exiting management’s decision-making.
10 Hints That Something is Awry While the seven guidelines help in identifying red flags, among the lessons from Cendant are a set of circumstances that cannot only hint to problem areas but can be reflected in future control design. In other words, by understanding such hints, and according attention in monitoring and control practices, top management can reduce the risk level for the operating environment.
Information Made Available to the Board In the allegations surrounding Cendant, evidence exists that the information provided to the Board of Directors may have had ‘holes.’ This same problem has been cited in past media events, such as those surrounding reporting practices of Woolworth and other entities. Too often when annual data are shared with directors, they do not receive budgeted comparatives, and as a result, they cannot easily reconcile actual to planned results. Yet, analytical procedures of demonstrated use in various settings include comparisons of budgets to actual and exploration of trends. The lesson for the control environment is that European Management Journal Vol 18 No 3 June 2000
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
a sort of template for reporting to boards and audit committees should likely be adopted, without permitting any managers to stray from a core set of necessary information. Such an approach ensures oversight by the corporate governance arrangements in place by permitting complementary disclosures across time but no substitution for the core information set routinely provided as to budgets, actual performance, and trends.
Soft Close An explanation reportedly offered by Cendant to its auditors for various discrepancies detected was that a soft close had been performed earlier, since the entity was ‘in a hurry’ to use interim numbers but had no time for a hard close. In a sense, the notion is that ‘I didn’t have time to do it right, so excuse the discrepancy.’ The problem with such a notion is that it becomes a ‘barn door’ through which large misstatements can pass, excused, at interim dates, and thereby facilitate the creation of potentially material mis-statements — be they errors or intentional defalcations. The lesson for the control environment is that ‘soft close’ practices should largely be abolished. If a company wants to defer certain practices to year-end, these should be codified and checked as to materiality to decision-making. In this technological age, few if any justifications exist for other than proper closing practices at interim dates. The elimination of the excuse of ‘soft close’ can be expected to enhance the overall quality of reporting practices for an entity.
Non-GAAP Reports While generally accepted accounting principles (GAAP) may have their problems, they do provide a set of guidelines which can be understood and evaluated as to comparability, consistency, and fineness of measurement. Yet, in the Cendant case as well as other matters, allegations include the sharing of socalled non-GAAP cash budgets with certain individuals and reports marked ‘For Your Eyes Only’. This set of circumstances at Cendant has two dimensions potentially: (1) by providing non-GAAP reports, steps can be taken to camouflage the substance of economic transactions and (2) by restricting access to certain non-GAAP reports, one may prepare a parallel set of books that facilitates a monitoring of the consequences of certain false reporting practices. The first problem permeates any management report that chooses to adopt a reporting base that is not generally understood. The second problem highlights a fact that when mis-reporting arises, one expects that those involved need to monitor the consequences in order to both know the scope of the mis-reporting and to avoid detection. The very presence of a potential ‘backup’ system for a defalcation raises questions of how these reports can either be precluded, increasEuropean Management Journal Vol 18 No 3 June 2000
ing the risk to any mis-statement, or if prepared, can be detected. The first control environment implication of these practices is that any report prepared on other than a GAAP basis might be required to include a reconciliation to GAAP and clearly state what aspects of GAAP are being ignored. This would tend to communicate more consistently and help to avoid effective camouflaging of the substance of reporting. The second control environment implication is that restricted report access be a dimension of a reporting framework that is itself monitored. In other words, if read-only access is not granted, there should be some monitoring as to why that is the case, and if there is no reason for such secrecy, the sunshine may well deter the creation of such a back-up or, alternatively, disclose its presence, and permit detection.
Appearance of Propriety The allegations surrounding Cendant describe an initial effort by those asked to distort underlying records to record adjustments as round numbers. Apparently, a supervisor pointed out the impossibility of such an outcome and required that pennies be displayed within such records. The idea behind the supervisor’s alleged action was that the appearance of propriety needed to be created in the records. Assuming not all supervisors might have taken the step described, one control implication is that monitoring practices look for the mere appearance of impropriety. Apparently, at least for some period of time, the rounded numbers were in the records. However, more importantly, a tool is available to check whether the appearance of propriety that might be manufactured comports with usual naturaloccurring outcomes. Specifically, digital analysis, based on Benford’s Law permits a comparison of digits in the records to the expected occurrence of digits as a tell-tale sign of potential defalcations (an EXCEL-based approach is described by Banks, 1999).
The Importance of Formulas That Create Reports A particularly interesting aspect of the Cendant case that has been described within the 8-K filing is the practice of one individual who was asked to alter the books: that individual maintained a sort of ‘audit trail’ as to which entries were bogus and which were real. The way this was reportedly accomplished was by simply writing in the cell of the spreadsheet the formula of the real number plus the bogus number. Indeed, the existence of this spreadsheet made it easy to estimate the scope of the defalcation upon discovery. The control environment implication is similar to the long-recognized fact by those involved in monitoring that one cannot treat technology as a ‘black box’ and focus merely on input and output. The process by which the output is created is of sub331
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
stantial relevance. Had a control practice involved random sampling of spreadsheets leading to reports on which managers are relying, the unusual presence of an unexpected formula might have triggered the necessary inquiry to uncover the problems at Cendant at an earlier date. While easy to call up a worksheet and examine the cells or to print a version of the worksheet in formula form, the problem is the apparent absence of such a control step in the company’s own monitoring.
Disaggregation Should be Expected and Monitored The media has long reported on defalcations or abuses of control systems via disaggregation. For example, if a snow removal contract with a related party exceeds the level requiring City Council approval, multiple contracts that individually fall below that level have been created as a means of circumventing the prescribed approval process. Similarly, when problems arise in casinos, often they appear among smaller transactions, since the large items are understood by defrauders to undergo more intensive scrutiny. In the Cendant matter, descriptions of events include initial large amounts to be improperly recorded which were disaggregated into far smaller amounts as multiple entries. A common practice of scanning might not easily discern the similarities among disaggregated entries. The control implication is that those monitoring should link similar types of entries, re-aggregate, and consider their combined reasonableness. Expect that those involved in mis-statement will spread the problem across entries and that the effect may need to be ‘built back up’ into an aggregate effect, in order to be properly assessed as to their import.
It’s Not My Job The Cendant matter involves an apparent disconnect between decentralized units and the corporate office. The decentralized units appear at times to have adopted the position that ‘it’s not my job’ and merely accepted various mandates from corporate office. Yet, an embedded personal responsibility culture is essential for an effective control environment. As an example, if a decentralized unit is told to book an entry which disagrees with what that manager knows to actually apply to his or her unit, then that manager needs to resist merely following instructions. To establish accountability, a control structure can be created, whereby challenges posed by decentralized managers to corporate instructions are forwarded to an independent intermediary for oversight and follow-through, on behalf of the corporate governance structure. Hotlines for ethical dilemmas have grown in acceptance, but with increased mergers and growth to international operations, companies may need to consider a hotline for the decentral332
ization phenomenon. Accountability has to be established throughout the organization, in order that the decentralized manager will not feel he or she is vindicated simply because corporate instructions were issued.
Form Vs Substance Closely linked to the decentralization phenomenon is the role of substance versus form. The Cendant case reportedly led to some of the decentralized operating managers asking for support and documentation for the journal entries they were instructed to book. While this is a step in the right direction, the problem is that these individuals appear to have accepted the ‘form’ of documentation, even though that support appears to have lacked ‘substance.’ Specifically, postfacto reading of the documentation suggests nonsensical reasoning which, on its face, would not be expected to constitute effective support of the requested entry. The control implication is that substance has to be demanded, not merely form, when pursuing documentation of entries onto the books. In other words, just a signature won’t do! The evaluation of the reasoning and documentation is a professional’s duty. The demand for substantial support for implementing instructions from corporate is a control practice that could easily be linked to the sort of hotline structure detailed for decentralized operations.
Use of Temporary Employees Outsourcing has received a great deal of attention in the professional literature and media in recent times. It is well recognized as a practice that requires careful contracting, monitoring, and control. However, the Cendant account contains a slightly new wrinkle. Specifically, it appears that temporary employees were used for recording practices instead of knowledgeable employees, in part to preclude the individual from being able to draw upon experience to assess the reasonableness of the context in which an entry was being recorded, and in part to preclude the need for collusion. In other words, had a permanent employee with experience been asked to make certain entries, one might expect those entries to be questioned and possibly reported. However, by displacing such a knowledge base with a temporary employee who lacked context, such a challenge was essentially avoided. It is extremely risky to circumvent the knowledge and experience of professionals employed over the longer term with an entity, capable of evaluating reasonableness, within the accounting and reporting process. The control environment implication is that outsourcing should not be an alternative for positions in a company that involve judgment and require context for proper evaluation. A critical check-and-balance presumed within an accounting framework is lost if outsourcing European Management Journal Vol 18 No 3 June 2000
REPORTING PRACTICES: POTENTIAL LESSONS FROM CENDANT CORPORATION
is used, particularly in the critical closing process for a public company.
scriptions and prospective tools are best assessed through application, facilitating future research into their performance in fraud prevention, deterrence, and detection.
Non-recurring ‘Opportunities’ Perhaps the most apparent pattern among some of the recently publicized debacles, including the Cendant allegations, is the presence of a key event that serves as a non-recurring ‘opportunity’ for mis-statement. For Cendant, the event was a merger which had associated reserves of material proportions, accessible for camouflage of alleged mis-reporting. In other cases, the non-recurring event is often restructuring, downsizing, or physical moves. Such key events definitionally are expected to involve material expenditures and often have no internal benchmark against which to calibrate the reasonableness of numbers being recorded. The implication is that by definition a non-recurring event is high risk. Extra monitoring steps have to be taken to explore the exact nature of the charges recorded and to strive to access external benchmarks as to others’ experiences with similar events.
Synopsis: Learning from the Past Research of an inductive nature has led the way to numerous enhancements of understanding and application across the fields of science and the social sciences. Efforts to assemble past experiences, so that we can learn from our past and not repeat lessons that were painful in yesteryear is a premise upon which much prescriptive literature is based. This case-based analysis of both red flags and hints regarding risk exposures, combined with active steps that can be taken to address such risks is intended as a prescription based on alleged past events at Cendant. The wisdom and effectiveness of these pre-
European Management Journal Vol 18 No 3 June 2000
References Banks, D.G. (1999) Benford’s law made easy. The White Paper 13(5), 19–21. Bremser, W.G., Licata, M.P. and Rollins, T.P. (1991) SEC enforcement activities: a survey and critical perspective. Critical Perspectives on Accounting 2(2), 185–199. The Wall Street Journal (1998) 7/17/98, pp. B1, B5; 8/13/98, pp. A1–A8; 9/2/98, p. A4; 9/10/98, p. B16; 8/28/98, pp. A3, A5.
WANDA A. WALLACE, College of William and Mary, School of Business Administration, Williamsburg, Virginia 23185, USA. E-mail: [email protected] Wanda A. Wallace is the John N. Dalton Professor of Business Administration at the College of William and Mary in Williamsburg, Virginia. Dr Wallace, the author of Handbook of Internal Accounting Controls (Prentice-Hall) and Performance Measurement and Risk Monitoring (WGL/RIA) has an ongoing interest in forensic auditing and implications for entities’ control environment and monitoring practices. Dr Wallace has authored over 170 articles in journals such as Harvard Business Review, Scandinavian Journal of Management, Financial Executive, and The European Management Journal.
333