Friday, May 31, 2019

Waste Management, Inc. 1998 Fraud Scandal





Summary

Waste Management, Inc. is a wide-ranging waste company that was founded by Larry Beck in 1894. The company did not go public until 1971, but it was already generating approximately $82 million in revenue by 1972. It offered its services to millions of customers in America, Canada, and Puerto Rico. In the 1980s, Waste Management, Inc. became the largest waste management and environmental services company in the United States. Between 1992 and 1997, the company experienced multiple fraud crimes. Several executives and senior officers were involved in these crimes, including the Founder and Chief Executive Officer (Dean Buntrock), Former President (Phillip Rooney), Chief Administrative Officer (Thomas Hau), Chief Financial Officer (James Koenig), General Counsel (Herbert Getz), and the Vice President of Finance (Bruce Tobecksen).

The key fraudulent action was dodging depreciation expenses by assigning and inflating salvage values and extending the useful lives of the garbage trucks that the company possessed. The depreciation expense is required to be on the company's financial statement every year. It should state that the assets owned do not have their original value because they have been used. Another fraudulent action in the accounting books was that the officers were not recording expenses for any decreases in the landfill values, which ultimately understated the expenses tied to those decreases. The officers also refused to record the expenses necessary to write off the costs of unsuccessful landfill development projects. All of this added up to the company claiming far fewer expenses than it should have. The officers also allocated salvage values to assets that didn't have any salvage values before. Simply put, this would increase the residual value of an asset when it did not previously have any value. Waste Management, Inc. enlarged environmental reserves to dodge unneeded operating expenses, which completely removed operating costs of approximately $490 million. Another fraud activity (yes, there is more!) included the company not properly capitalizing a majority of expenses, which would defer expenses on the company's books. Waste Management, Inc. even utilized geography entries to transfer millions in cash between randomized line items on their income statement. Altogether, the falsified profits were put into false assets and retained earnings, all without an increase in liabilities on their financial statements.
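The effect of those estimate changes on reported expense can be checked mechanically from a fixed-asset register. The following is an added example, not part of the original post: the register, asset names and dollar figures are constructed, and it assumes straight-line depreciation with a revised estimate applied prospectively to the remaining book value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Estimate:
    effective: int      # first fiscal year the estimate applies to
    useful_life: int    # total years of service counted from acquisition
    salvage: float      # value assumed to remain at the end of that life

@dataclass(frozen=True)
class Asset:
    asset_id: str
    cost: float
    acquired: int
    estimates: tuple    # Estimate history, oldest first

def expense_total(asset, through_year, use_revisions=True):
    """Sum straight-line expense from acquisition through `through_year`.

    A revised estimate is applied prospectively: the remaining depreciable
    amount is spread over the remaining life (an assumption of this example).
    """
    book, total = asset.cost, 0.0
    for year in range(asset.acquired, through_year + 1):
        est = asset.estimates[0]
        if use_revisions:
            for candidate in asset.estimates:
                if candidate.effective <= year:
                    est = candidate          # latest estimate in effect
        remaining = asset.acquired + est.useful_life - year
        if remaining <= 0:
            continue                         # fully depreciated under this estimate
        expense = max(book - est.salvage, 0.0) / remaining
        book -= expense
        total += expense
    return total

def review_estimate_changes(register, through_year):
    """Flag assets whose estimates moved in the expense-reducing direction."""
    findings = []
    for asset in register:
        first, last = asset.estimates[0], asset.estimates[-1]
        reasons = []
        if last.useful_life > first.useful_life:
            reasons.append("useful life extended")
        if first.salvage == 0 and last.salvage > 0:
            reasons.append("salvage value assigned where none existed")
        elif last.salvage > first.salvage:
            reasons.append("salvage value raised")
        if reasons:
            original = expense_total(asset, through_year, use_revisions=False)
            revised = expense_total(asset, through_year)
            findings.append({"asset": asset.asset_id, "reasons": reasons,
                             "expense_avoided": round(original - revised, 2)})
    return findings

# Constructed fixed-asset register (not figures from the case).
REGISTER = [
    Asset("TRUCK-01", 150_000, 1990, (Estimate(1990, 8, 0), Estimate(1993, 12, 30_000))),
    Asset("TRUCK-02", 150_000, 1991, (Estimate(1991, 8, 0),)),
    Asset("BIN-07", 8_000, 1992, (Estimate(1992, 10, 0), Estimate(1994, 10, 2_000))),
]

if __name__ == "__main__":
    for finding in review_estimate_changes(REGISTER, 1997):
        print(finding)
```

A reviewer would run this over every estimate revision in a period and ask for the engineering or market evidence behind each flagged change.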

I believe the craziest part of this scandal is that since the company is publicly traded, they were required to audit their accounting books. They hired Arthur Andersen, an accounting firm, to perform the audit. Here is the interesting piece: James Koenig, the Chief Financial Officer of Waste Management, Inc., was trained as an auditor at Arthur Andersen. He was a partner at Andersen for thirty years, so he obviously had connections that were still in contact. Thomas Hau was the Waste Management, Inc. audit engagement partner along with being the head of the Arthur Andersen audit division for the account of Waste Management, Inc. The Vice President of Finance at Waste Management, Inc., Bruce D. Tobecksen, was the audit manager of audits being done by Arthur Andersen, including the Waste Management, Inc. audit. Initially, Arthur Andersen came in like any other auditor would; they found many errors in Waste Management, Inc.'s accounting books and provided methods that could fix them. Waste Management, Inc. was not planning on correcting their mistakes and decided to BRIBE Arthur Andersen to pretty much keep their mouth shut and let it all go. Arthur Andersen stupidly accepted this bribe and ignored the ongoing fraud to put a little money in their pocket. When everything came rolling downhill and the fraud was discovered, Arthur Andersen ended up being fined around $7 million for their part in the scandal.





How and Why Risk Management relates to the Fraud

You need to understand what risk is to be able to manage it. Risk, simply put, is the likelihood that a negative event can occur. Something as simple as walking on an icy sidewalk has risk involved since there is a chance that you can slip and fall on your butt! Once you have identified the risk, you have to determine a way to mitigate or avoid it, which is where risk management comes into the spotlight. In our example with the icy sidewalk, we can manage this risk by walking slowly and extra carefully. This will vastly reduce our chance of falling, which means we are able to get to our destination without hurting ourselves.

There are phases of risk management:

  • Everything gets inventoried
  • Locate threats on the inventory
  • Determine what threats pertain to what assets
  • Estimate impact of threats
  • Take a look at mitigation alternatives or controls
  • Analyze economics where they are applicable
    • Some of these controls may be required by law 
  • Deploy appropriate controls

You always have to begin with the assets because without knowledge of the assets involved, it is not possible to do a risk analysis effectively. The assets involved in the Waste Management, Inc. fraud were the landfills along with the garbage trucks. The officers were not updating the accounting books with the decreases in value on the landfills and were dodging the depreciation expenses on the garbage trucks. The hired auditors, Arthur Andersen, actually did their job well when they located these risks on the assets and reported them up with mitigation alternatives. They provided executive management with adjustments and methods that would work towards mitigating the risks. The fraud was identified at Waste Management, Inc. and should have been brought to a stop there, but Arthur Andersen accepted a dirty bribe to turn their back on their responsibility as an auditor.



What was the Threat?


In the Waste Management, Inc. fraud, there was a threat that is more common than most people even realize. This type of threat is called an insider threat. Anyone within the company could be a potential insider threat. It could be someone with high-level access controls on a database, an accountant performing financial reports, or even the security guard that buzzes you into the building. What makes them an insider threat is an intent to perform malicious activities within the organization.

There are three types of insider threats:
  1. Malicious insiders - Personnel who use their power or access to impose damage on the organization.
  2. Negligent insiders - Personnel who make mistakes or ignore company policies, ultimately creating risk in their organization.
  3. Infiltrators - External personnel who acquire access that they are not authorized to have.

Dean Buntrock, the founder and Chief Executive Officer, partook in a majority of the fraud, which makes him a malicious insider. The whole Waste Management, Inc. scandal was just a sad effort to meet predetermined earnings targets by increasing profits and avoiding expenses. When Dean Buntrock realized that the revenues were not matching up to what was expected, he began to pursue fraudulent means to make it look like they were. Earnings for the Chief Information Officer and stakeholders depend upon company earnings, which were not looking good in their eyes. These types of cases make you open your eyes and realize that there can be an insider threat anywhere within an organization.


What was the Vulnerability? 

A vulnerability can be simply defined as an asset (relationships, IT systems, hardware, data) that has a flaw that can potentially be exploited. There were a couple of vulnerabilities involved in the Waste Management, Inc. fraud. The first was the comfortable relationship that Waste Management, Inc. had with the Arthur Andersen firm. Arthur Andersen continually issued unqualified audit reports on the company's falsified financial statements. The next vulnerability was allowing the Chief Executive Officer and the Chief Financial Officer to manipulate financial statements with "top-level adjustments", when they simply should have been approving the statements.


The Cost

When the new CEO took over in 1997, he issued a review of the accounting practices for Waste Management, Inc. from 1992 to 1997. This review led to the restatement of the company's financial statements in February 1998. Waste Management, Inc. acknowledged that its pre-tax earnings were misstated by around $1.7 billion. At the time, this was the largest restatement in corporate history. The restatement cost does not include items like lawyer fees, fines, and most importantly the company's reputation.






(Source: https://slideplayer.com/slide/12623332/76/images/5/TIMELINE+OF+EVENTS+%28+%29+1965+Solid+Waste+Disposal+Act+WM+goes+public..jpg, accessed 5/30/2019)
(Source: https://www.sec.gov/news/headlines/wastemgmt6.htm, accessed 5/30/2019)


The Controls

It is difficult to say what standard controls could have been put in place to prevent this fraud since the fraud was an inside job at the upper executive level. I believe there should have been a policy or procedure put in place when submitting the company's financial statements when it came to depreciation expenses and accounting books to catch the mathematical errors that were input. There is also the main concern that the CEO and CFO were manipulating the financial statements last minute to hide their fraud. The segregation of duties and transaction authorization controls in place were not adequate to prevent these financial documentation alterations from being done behind closed doors. There shouldn't ever be a reason that a high-level executive would need to change financial statement data after it has gone through multiple experts before reaching their desk. Another control that should have been put in place would have been to not allow Waste Management, Inc. to have a closely involved firm audit their company. There should have been a stakeholder or member of the audit committee that saw their close relationship and requested a different firm to audit Waste Management, Inc.
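The segregation-of-duties and transaction-authorization controls discussed above can be expressed as a preventive check applied before a journal entry posts and a detective scan over entries already in the ledger. This is an added example, not part of the original post: the entry fields, role names, user names, document ids and materiality threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

EXECUTIVE_ROLES = {"CEO", "CFO"}      # assumption: roles that should only approve

@dataclass(frozen=True)
class JournalEntry:
    entry_id: str
    period_end: date
    posted_on: date
    preparer: str
    preparer_role: str
    approver: Optional[str]
    amount: float
    top_level: bool                   # booked at the consolidated level
    support_doc: Optional[str]

def preventive_check(entry):
    """Reasons an entry should be rejected before it reaches the ledger."""
    violations = []
    if entry.approver is None:
        violations.append("no approver (transaction authorization)")
    elif entry.approver == entry.preparer:
        violations.append("preparer approved own entry (segregation of duties)")
    if entry.top_level and entry.preparer_role in EXECUTIVE_ROLES:
        violations.append("executive prepared a top-level adjustment")
    if not entry.support_doc:
        violations.append("no supporting documentation")
    return violations

def detective_scan(ledger, materiality):
    """Findings per entry id, for review by someone outside the reporting line."""
    findings = {}
    for entry in ledger:
        reasons = preventive_check(entry)
        if entry.top_level and entry.posted_on > entry.period_end:
            reasons.append("top-level adjustment posted after period end")
        if entry.top_level and abs(entry.amount) >= materiality:
            reasons.append("material top-level adjustment")
        if reasons:
            findings[entry.entry_id] = reasons
    return findings

# Constructed sample ledger for fiscal year 1996 (not data from the case).
YEAR_END = date(1996, 12, 31)
SAMPLE_LEDGER = [
    JournalEntry("JE-1001", YEAR_END, date(1996, 12, 20), "acct.lee", "Accountant",
                 "ctrl.ortiz", 12_000.0, False, "DOC-881"),
    JournalEntry("JE-1002", YEAR_END, date(1997, 1, 28), "cfo.exec", "CFO",
                 "cfo.exec", -4_500_000.0, True, None),
    JournalEntry("JE-1003", YEAR_END, date(1996, 11, 30), "acct.kim", "Accountant",
                 None, 300.0, False, "DOC-902"),
]

if __name__ == "__main__":
    for entry_id, reasons in detective_scan(SAMPLE_LEDGER, 1_000_000).items():
        print(entry_id, reasons)
```

The scan only has value if its output goes to a party the preparers cannot overrule, such as the audit committee.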


Would a Risk Management Assessment have identified this?

I believe that if there was an adequate risk management assessment performed, it would have identified that many pieces of this fraud puzzle could possibly have been prevented. The risks would have been able to be identified and then the controls for them would have been put into review. They would have hopefully come out with the controls I previously mentioned, and hopefully a lot more. It's not surprising that complete risk management assessments were not done since the executives that usually partake in initiating them were involved with the scandal.

In Closing

The Waste Management, Inc. scandal should open everyone's eyes to the fact that fraudulent actions can be performed by anyone at any level of a corporation. There is mandatory training every year at companies, like 'Cyber Awareness' and 'Fraud Prevention', to teach employees how to keep an eye out for these types of things. Not every executive was involved with the Waste Management, Inc. fraud scandal, so that means that there were several executives and stakeholders that turned a blind eye to the actions that were being taken by the Chief Executive Officer, Chief Financial Officer, and the others. The same thing can be said about Arthur Andersen since their firm reported invalid auditing reports that aided Waste Management, Inc. in continuing their fraud long after it was discovered. I can only hope that this blog post has influenced you to gain more knowledge on how to identify fraud within your own organization. For more information on this, here are a couple of websites that can assist you:

https://www.forbes.com/sites/forbesleadershipforum/2012/04/18/how-to-find-and-stop-fraud-within-your-organization/#c1929585b12b

https://i-sight.com/resources/41-types-of-fraud-and-how-to-detect-and-prevent-them/





Saturday, May 18, 2019

Breaking Down the COSO Framework 
  
The History of COSO 
  
  
Throughout the middle of the 1970s, there were untrustworthy financial acts being performed that dealt with political or foreign practices. This became concerning to corporations in 1977 and a solution was sought. The U.S. Congress, along with the U.S. Securities and Exchange Commission (SEC), released the Foreign Corrupt Practices Act (FCPA). The FCPA mandated that companies deploy programs for internal control and outlawed transnational bribery.

The Treadway Commission was not alone on this journey, as it had five accounting association sponsors that were happy to assist with funding. The five associations were the American Accounting Association (AAA), Institute of Internal Auditors (IIA), Financial Executives International (FEI), Institute of Management Accountants (IMA), and the American Institute of Certified Public Accountants (AICPA). With their support, the Treadway Commission created the Committee of Sponsoring Organizations (COSO) in 1985.

COSO's original purpose was to aid the National Commission on Fraudulent Financial Reporting. They were to study and report what they discovered on corporate financial frauds and ultimately create a framework dealing with the inner workings of internal control. With the help of the Certified Public Accounting (CPA) firm Coopers & Lybrand, they were able to release Internal Control – Integrated Framework in 1992. This was of vast importance since it provided companies with a framework on how internal control should be conducted within a company.

From 2000-2002 there were mass volumes of financial scandals happening to companies. An energy company, Enron, had one of the largest accounting scandals to occur within this time frame. The U.S. Congress acted upon this threat and, to reduce the number of fraud incidents, released the Sarbanes-Oxley (SOX) Act in 2002. The SOX Act is a federal law that has public corporations in its cross-hairs. This act ensured actions would be taken by these organizations, including the CEO and CFO certifying their financial reporting along with management being responsible for assessing internal controls annually.

Internal Controls Overview 

The Committee of Sponsoring Organizations Framework is built upon internal control, which makes it such a significant concept. Internal control is best defined as a process that is "effected by plan management and other personnel, and those charged with governance, and designed to provide reasonable assurance regarding the achievement of objectives in the reliability of financial reporting." (Source: https://www.aicpa.org/content/dam/aicpa/interestareas/employeebenefitplanauditquality/resources/planadvisories/downloadabledocuments/plan-advisoryinternalcontrol-hires.pdf, accessed 5/17/2019)

To simplify that a bit, it’s a process that is aimed to accomplish four objectives: 

1. Ensure an organization’s assets are protected 
2. Make sure that accounting records and information are reliable and accurate 
3. Encourage effectiveness in the organization’s operations 
4. Measure compliance with the policies and procedures that management advises 


  
The PDC Control Model Overview 
            
I believe the preventative, detective, and corrective controls play a large part in the success of your internal control within your organization. This is a three-layer defensive structure that aims to reduce the number of undesirable events that occur. The first layer, preventative, is passive since it will be built upon preventative measures put in place by the organization. This layer will catch most of the events but not all of them, which is why it’s important that there are still two layers these events must make it through. It is important to note that this is the most cost-effective layer, compared with fixing problems after they occur with the detective and corrective layers.

The second layer is detective, which depends on your organization’s standard operating procedures to be able to detect events that are unwanted. This detection can be done in a multitude of ways which can be something like a cashier verifying a credit card with a driver’s license or an IT device like an Intrusion Detection System (IDS) looking for threats that bypass standard firewall rules (the firewalls would be the preventative layer in this example). 

The third layer is the corrective control, and it reacts to the detective layer to take corrective action on the problem. This layer and the detective layer work hand in hand on cleaning up what the preventative layer missed. As you can see from the diagram below, the errors or problems (indicated with the downward arrows) never physically reach the corrective layer. Once the detective layer detects them, the third layer will assist in attempting to resolve the issue. It's important to understand that choosing the right corrective control is always a challenging area for organizations since there isn't always a pristine fix.





    

The COSO Framework Overview   

The COSO framework was formed to support corporations to create, evaluate, and optimize their internal control.  There is a substantial importance to properly utilizing the framework since it allows the organization to ensure that the financial statements produced are held up to a certain quality. The use of this framework will also provide insight to weaknesses within an organization’s internal control processes so that reevaluation can take place. We will go over the five components that make up the COSO integrated framework for internal control. These components are control assessment, risk assessment, control activities, information and communication, and monitoring activities. I am going to make sure that I go through each of these in detail so that a comfortable understanding is established. 


  
  
1)  Control Assessment 

Upper management and the board of directors create a baseline for the control environment for how the internal control will be conducted. They will provide guidance on standards and procedures that need to be upheld within the organization. Some of these will actually pertain to core values including integrity, ethics, responsibility, and authority. Management will be expected to reinforce the standards at multiple levels of the organization's hierarchy. The board of directors will be expected to have oversight of all these processes while ensuring they retain personnel who uphold the standards.


2)  Risk Assessment 

There are risks to every organization, which can be sourced externally and even internally. Risk is basically just a measurement of the likelihood that an event with a negative effect will occur. Risk assessment is exactly what it sounds like: you assess the risk or risks of your organization. Your primary focus is to make sure that the most critical or high risks are avoided before you put all effort into mitigating a low risk. There is one thing that takes precedence over this, and that is proper prioritization. You will not be utilizing your resources properly if a risk is ranked higher or lower than it should be. Management should make it their objective to communicate how these rankings should be determined, along with determining how internal or external changes can affect internal controls.


3)  Control Activities 

This component is where action will be taking place at all levels of an organization to ensure that the procedures or policies established to properly avoid risks are carried out. There are two types of controls, which are physical or Information Technology (IT). Here is a more detailed breakdown of each control: 

Physical Control 

Transaction authorization - This guarantees that there are only valid transactions processed. 

Duty segregation - This works towards preventing one person from having too much power to commit some type of fraud by themselves. An easy to understand example of this would be having one person responsible for taking inventory at a warehouse and then another person that takes the inventory at the delivery location. If just one person was able to take inventory at both places, there is a possibility that inventory could go missing.  

Supervision - Not all organizations are able to segregate all of their duties due to their limited size, so some personnel wear multiple hats. This is where supervision comes in handy because it is a compensating control for these types of companies.  

Accounting records - These are any kind of item that provide some sort of audit trail. For example, these could be documents, journals, emails, ledgers, etc. 

Access controls - This ensures that a firm's assets are only accessed by authorized personnel. 

Verification procedures - These are checks independently done to locate errors or mistakes in the accounting system. 


IT Control 

Application controls - This makes sure that financial transactions are complete, accurate, and valid.  

General controls - These apply to all of the systems and can include many things, including least privilege access to systems or databases, application or development, network infrastructure, or a change control system. 


Both types of control are necessary to make sure this component is used correctly. 

4)  Information and Communication 

Communication is a vital piece of any organization since it allows the sharing of information. If communication is not being utilized correctly, then there will be plenty of information that is unknown to parties that could substantially benefit from it. For the basic workflow of an organization, this could also hinder operations, which can cause a multitude of problems. For example, IT Operations may be waiting for finance to sign off on an equipment refresh purchase simply because it was not properly communicated to finance that their signature would be required. This can potentially prolong a project past its due date and cost the organization valuable resources and time. Communication is also required between the internal organization and external parties to make sure workflow is not being slowed down. This is especially vital when working with third parties on items like audits, projects, deployments, and more.


5)  Monitoring Activities 

This component’s main goal is to make sure the organization is constantly evaluating how it’s using the five components of the integrated framework of internal control. These evaluations should be done by either ongoing or separate assessments, which will have a varying frequency and focus. Some things that would be checked are whether each component is being used to its full potential, or whether a component is being missed in the process entirely. Overall, this component is just ensuring that internal control and operations are being used effectively.

  
  
        (Source: http://controlsframework.com/coso_images.php, accessed 5/17/2019) 
  

The 2013 COSO Framework Overview 
  
They updated the COSO framework in 2013 and actually simplified it into 17 principles that act as a checklist to determine whether your organization is effective when it comes to financial reporting. Your organization can be viewed as not being adequate with the standard simply by missing just one of these principles. In the 2013 COSO figure 1, you can see the summarized versions of the principles. The 2013 version also has more emphasis on the role of the board of directors and management of an organization. You can see in the 2013 COSO figure 2 below where it demonstrates their summarized COSO principles and their points of focus for each principle. COSO officially deemed the 1992 framework as superseded by the 2013 version as of December 2014.  
  
  
2013 COSO Figure 1 

  

2013 COSO Figure 2 

  
  
Why do we use COSO in our company? 
  
We continue to utilize the COSO framework at our company because it provides us with multiple benefits that are too good to turn down. The first being that it optimized our internal controls to better mitigate risks and have information that is required to provide quality business decisions. The next benefit is that it vastly improves our cyber security, which has become one of the biggest threats of the 21st century. When our company has IT audits, the COSO framework ensures that we have met the requirements in this digital age to prevent cyber attacks. There are other benefits like the cost savings and positive reputation our company gains because we are dedicated to using the COSO framework as our most important tool. 
  
*** This blog has summarized information about the Committee of Sponsoring Organizations' integrated framework. If you want more information on the topic, please refer to their website at https://www.coso.org.