Case Study: Enron

Enron Corporation was a U.S.-based energy company that at one point was the seventh-largest company in the United States and the largest trader of natural gas and electricity in the country. Enron came about in the mid-1980s, focusing on the natural gas market. By the 1990s, it had pursued a diversification strategy to achieve growth. Subsequently, Enron got involved with trading and ownership in electric, coal, steel, paper, water, and broadband capacity.

Enron collapsed in 2001 and filed for bankruptcy, which at the time was the largest bankruptcy in history. The collapse was the result of a complex and methodical accounting scandal. The fallout was massive: thousands of employees were laid off and lost life savings plans that were tied to the company’s stock, and shareholders saw a loss of $11 billion. Economically, the disaster perpetuated a lack of trust in the stock market and eroded public confidence.

WorldCom would go on to surpass Enron as the largest bankruptcy. Ultimately, it was the Enron fiasco that led to the downfall of Arthur Andersen as one of the largest auditing and consulting firms.

Enron’s auditing firm, Arthur Andersen, had attested to Enron’s financial health for years, despite widespread fraud and hidden losses at Enron. In addition, the auditing and consulting firm assisted Enron in deal structuring and other consultative practices. Enron paid Arthur Andersen a combined $52 million in consulting fees in the year 2000 alone. Arthur Andersen was eventually convicted of obstruction of justice as a result of shredding paper documents and destroying electronic documents related to their client. Arthur Andersen’s involvement with Enron also led to the discovery of other audit discrepancies, including those at WorldCom.

Although the scheme was complex and occurred over a period of many years, investigators found that Enron had used several complicated and questionable accounting methods, including the following:

• Enron had reduced its tax payments and inflated its income and profits.

• Enron had increased its stock price and credit ratings.

• Enron had hidden losses in off–balance sheet subsidiaries.

• Enron employees funneled money to themselves and acquaintances.

• Enron’s financial condition was misrepresented in public reports.

The Enron board of directors was faulted on several accounts. One of these was not being involved in the examination of terms related to moving debt off the company’s balance sheets. They missed the chance to uncover fundamental flaws in the accounting practices at the company. A report written by the special committee investigating Enron described what went wrong with management: “We found a systematic and pervasive attempt by Enron’s management to misrepresent the Company’s financial condition.” Enron’s culture was one that seemed to cast aside traditional controls. In fact, the investigating committee also stated that Enron had an “across-the-board failure of controls and ethics at almost every level of the company.” The report continued, describing “a flawed idea, self-enrichment by employees, inadequately designed controls, poor implementation, inattentive oversight, simple (and not so simple) account mistakes, and overreaching in a culture that appears to have encouraged pushing the limits.”

Enron has become in many ways the premier symbol of fraud, corruption, and audit failure. The scandal also resulted in a host of new regulations and legislation being enacted, including the Sarbanes-Oxley Act. This act addresses many of the shortcomings and lessons learned from the Enron scandal.

The following are some questions for further thought and discovery:

• How do a company’s acquisitions relate to risk management and governance?

• The Enron scandal resulted in steps to improve standards, controls, and accountabilities. How much do morals contribute to such events and what can be done to address this issue?

• What financial incentives may have been in place for Enron’s consulting firm to perhaps have lax auditing standards?

• Given the large sums paid on consultancy fees, is it possible that talented auditors are focused on consulting while less-experienced employees audit?

• How might a control framework for IT that is more closely aligned with business processes have prevented this?

• How could adequate controls on IT systems and financial applications have helped?

• Do you think that controls designed to prevent or detect fraud were in place? How important is the monitoring of such controls, and how should access be controlled?

Case Study: WorldCom

Prior to filing for bankruptcy in 2002, WorldCom was the second-largest telecommunications company in the world. It handled Internet data traffic globally and accounted for more international voice traffic than any other company.

WorldCom grew quickly from its modest beginning in 1983, and achieved its tremendous growth through 65 acquisitions. In the 1990s, the company made some large acquisitions, including MCI Communications. Through this period, WorldCom spent approximately $60 billion and accumulated approximately $41 billion in debt. The MCI acquisition was the largest merger in U.S. history at the time.

The market value of WorldCom continued to grow substantially through these acquisitions, and high expectations continued to be placed on the company. This generated pressure to keep the stock price at elevated levels, which in turn allowed WorldCom to continue its acquisition spree. A proposed merger in 2000 with Sprint would have eclipsed the merger with MCI; however, the merger was disapproved and WorldCom started to unravel. In an attempt to maintain its earnings, WorldCom liberally interpreted accounting rules to make its financial statements seem profitable. The company soon moved from liberal interpretation into outright fraud by creating false entries.

A team of internal auditors became suspicious over numerous financial oddities and began investigating, but the auditors encountered problems. They tried to discuss financial irregularities with WorldCom’s external auditors, Arthur Andersen, who did not fully cooperate. Reporting to the WorldCom chief financial officer (CFO) at the time, the internal audit group raised issues with the CFO but was pressured to stop. The internal auditors persisted and eventually uncovered what would become the largest accounting fraud in U.S. history.

How could this have happened, and what were some of the events and situations that led to this mess?

• The board of directors became simply a “rubber stamp.”

• The board of directors allowed the chief executive officer (CEO) and CFO of WorldCom to have unfettered power.

• WorldCom acquired many companies without a strategy for linking them properly.

• The board of directors approved deals worth billions of dollars with little discussion.

• Little oversight of debt accumulation existed.

• Little oversight of company loans made to the CEO existed.

• The company lacked internal controls and transparency.

• External consultants failed to apply techniques consistent with their risk rating of the company.

• Internal auditing was underqualified and focused on nonauditing activities.

Consider the questions previously discussed in the Enron case. What parallels can you draw between these two disasters? How can information technology be used as a tool across all lines of business within an organization? How can IT better align with the organizational processes?

Resulting regulations have had far-reaching impacts on information technology—specifically controls and the auditing of those controls. These controls include general controls, which are embedded in IT services, as well as application controls, which are embedded in business applications. Why are these controls important? Why is the auditing of these controls important?

What If an Organization Does Not Comply with Compliance Laws?

Of course you wouldn’t break a law, right? But asking what if your organization doesn’t comply with compliance laws is a fair question. Let’s look at an example of an individual compliance issue to understand why.

It is a law to come to a complete stop at a stop sign, yet many people ignore it. This scenario is actually a form of risk management. Many people consider it an acceptable risk to approach slowly and continue on if there is no traffic, without coming to a complete stop. The threat of another car exists, yet many people feel safe enough with the slow approach and rolling stop. There is always the threat of a police officer pulling you over and issuing a ticket. Yet how often is this enforced? If it were, what is the punishment? Given the likelihood of being pulled over by law enforcement, combined with what is likely a bearable fine, many people decide the risk is low and the benefit of noncompliance outweighs the risk.

Don’t forget about the other negative effects that noncompliance can have on an organization, beyond the threat of fines and imprisonment. For example:

• Legal fees resulting from infringements contained within many regulations

• Brand damage and lost revenue as consumers abandon a business

• Negative effect upon stock price, hurting shareholder value

• Increases in the cost of capital

Organizations have spent and continue to spend large sums of money to achieve and maintain regulatory and industry compliance. This is especially true as regulations have placed greater accountability on individuals within an organization. Noncompliance can result in huge fines as well as jail time. Some regulations are subject to strict liability. Strict liability means that even where there was no intent, government agencies can levy huge fines on organizations and some individuals can spend years in prison. Even greater punishments are in store where intent can be proven!

In addition to the financial and reputational consequences of noncompliance, organizations can also experience operational consequences. This can happen, for example, in the case of compliance standards imposed by the payment card industry. Potential consequences include operational restrictions imposed by the payment card industry and even loss of card-processing privileges.

The Payment Card Industry Data Security Standard (PCI DSS) is an industry-created standard that applies to organizations that process credit cards. Companies that meet a specific threshold for large volumes of credit card transactions are required to achieve compliance. This is done via an audit by an independent Qualified Security Assessor (QSA).