In December 2007, I was appointed as the Inpsector General of the Securities and Exchange Commission and served in that capacity until January 2012. An IG is an internal watchdog for a governmental body with its primary purpose being to identity and reduce waste, fraud, and abuse in the agency. IGs supervise both internal audit and investigative units.

During my tenure as IG of the SEC, I oversaw audits and investigations of many high-profile matters, including: the SEC’s oversight of Bear Stearns analyzing what led to its collapse in March of 2008; the SEC’s failure to uncover the $50 billion Ponzi scheme perpetrated by Bernie Madoff; the SEC’s failure to uncover the $7 billion fraud perpetrated by Allen Stanford; an SEC settlement of an enforcement action against Bank of America that was rejected by the federal court; and the alleged SEC coordination with Congress and the White House concerning the timing of the bringing of an enforcement action against Goldman Sachs to ensure passage of Dodd-Frank in April 2010. 

H. David Kotz will be speaking on this topic at the SuperStrategies 2016 Conference taking place in Las Vegas from Sept. 27 to 29. Click here for more information or to register to attend.

These investigations and audits led to different findings and conclusions as in several cases I was critical of SEC’s failures (such as the failure to identify red flags concerning the Bear Stearns collapse and the Madoff and Stanford frauds), and in others I found the allegations against the SEC to be unsubstantiated, such as the alleged SEC coordination with the White House.    

Lessons Learned from These Investigations

After these many investigations and audits, I concluded that there were four factors that led to the SEC failing to perform adequately in its own investigations and examinations of registered entities.  These lessons learned can be helpful for internal auditors as well. 

Lack of aggressive oversight
In the Bear Stearns scenario, the SEC had the information and ability to pressure Bear Stearns but simply did not exert sufficient influence. This also came up in the Madoff case, as the SEC examiners and investigators never believed that Madoff could be operating a Ponzi scheme despite the evidence they had in front of them. Similarly, in Stanford, several senior-level SEC officials did not prioritize bringing an Enforcement action even though many at the SEC believed he was perpetrating a fraud.

Lack of skills and competence
In the Madoff case, the SEC examiners and investigators simply failed to conduct competent exams and investigations of Madoff and his companies. One or two calls or communications with the right outside entity by the SEC would have uncovered the scheme immediately. The Bear Stearns investigations also revealed glaring failures to follow up and in Stanford, merely initiating an Enforcement investigation sooner could have uncovered the fraud before any U.S. investors lost money.  

Lack of accountability
No SEC employees were fired over the lapses in the Madoff and Stanford cases. 

Greater-than-achievable mandates
The response to the SEC’s failure to uncover these large frauds was to give it more responsibility through the Dodd-Frank Act. There were also situations in which the SEC was given additional responsibilities without the funding and resources to perform them adequately. 

How Auditors Can Prevent Fraud

Companies, and particularly auditors, can learn from the SEC’s mistakes as follows:

  • Establish and maintain strong internal controls that are continuously strengthened. An aggressive culture of compliance can be accomplished by senior management’s control environment (tone at the top) and buy-in from the top executive. A code of conduct must be in place and must be adhered to strictly.
  • Ensure adequate segregation of duties involving custody, authorization, and control of source documents and records.  The lack of proper segregation of duty policies is most often the root cause of fraud events in companies without strong internal controls in this area.
  • Ensure competence through training, communication, and education on values. Companies must ensure that employees are properly trained and educated.
  • Hold employees accountable and reinforce proper behavior. Companies must hold their employees accountable for complying with the code of conduct.
  • Learn how to identify and spot red flags of potential fraud.  The following are common fraud indicators:
  • Secretive behavior, Refusal to answer questions, Working constantly, Spending lavishly, Overriding controls, and Unusual transactions.

Internal auditors also have many responsibilities with respect to potential fraud including: Being attuned to potential red flags; Professional skepticism; Evaluating if controls are in place and working to detect fraud; Document and report possible fraud incidents; Conducting preliminary investigations.

Heeding the lessons learned above and ensuring that fraud indicators are identified and tracked quickly can help internal auditors to fulfill their responsibilities to assist in the detection and prevention of fraud. 

The opinions expressed here are those of the author and do not represent the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates. The information provided by this article should not be construed as financial or legal advice. The reader should consult with his or her own advisers.