The Western District of North Carolina U.S. Attorney’s Office issued a press release on June 17, 2013 detailing how James Shepherd (an investment company owner) defrauded over 100 investors of approximately $6 million. How? By tricking his company’s CPA with fake bank confirmation responses.
The press release states, “Documents indicate that Shepherd built a $2 million residence in Vass, North Carolina, and used investor money to make mortgage payments on the residence.” The release goes on to say the fraud was concealed as “Shepherd sent to investors certified financial statements…accompanied by an Independent Auditor’s Report.” The fraudulent December 31, 2012 financial statement reflected a $6,041,850 cash balance, when in reality the fund had less than $100,000.
The auditor sent bank confirmations to a P.O. Box address provided by Shepherd and to the attention of a “Charles Fisher” – a fictitious bank employee also provided by Shepherd.
Who controlled the P.O. Box? Shepherd, of course.
According to the U.S. Attorney’s Office, Shepherd would receive the bank confirmations, “forge the name Fisher on a fake bank letter” and “send forged bank statements with fake balances” to the auditor. The forged bank statements were created using Adobe Acrobat.
The audit firm discovered the fraud in March 2013 when the auditors tried to confirm the bank accounts using Confirmation.com, a website designed to assist with the confirmation of accounts.
My friend James Ulvog (also a blogging CPA) recently brought to my attention the following clarified auditing section pertaining to designing confirmations.
AU-C Section 505 (External Confirmations) .A7, in addressing the design of confirmations, states:
Determining that requests are properly addressed includes verifying the accuracy of the addresses, including testing the validity of some or all of the addresses on the confirmation requests before they are sent out, regardless of the confirmation method used. When a confirmation request is sent by e-mail, the auditor’s determination that the request is being properly directed to the appropriate confirming party may include performing procedures to test the validity of some or all of the e-mail addresses supplied by management.
Auditors often confirm accounts using:
Regardless of how an account is confirmed, the auditor needs to verify the information provided by the auditee – at least for some of the confirmations.
Bottom line – Audit standards require that steps be taken to ensure that confirmations are sent to legitimate persons and addresses. (Makes sense to me.)
Confirmation.com is a good product to use to reduce risk related to faulty confirmations. If you don’t use a product like Confirmation.com, consider checking street addresses by Googling them, or call the company you are sending the confirmation to, especially for high-risk accounts.
The procedures used to verify mailing addresses, fax numbers, and email addresses should be documented in the auditor’s work papers.
Mr. Shepherd has pleaded guilty and faces a maximum of 20 years in prison and a $5 million fine.