Macy’s on Monday reported that it needed to delay its earnings announcement, itself a stunning move that public companies try to never make, because a lone employee manipulated the retailer’s accounting systems for three years, hiding as much as $154 million.
Macy’s announced, “a single employee with responsibility for small package delivery expense accounting intentionally made erroneous accounting accrual entries to hide approximately $132 to $154 million of cumulative delivery expenses from the fourth quarter of 2021 through fiscal quarter ended November 2, 2024.” Macy’s clarified to CIO that it meant to say “$132 million to $154 million.”
The Macy’s statement continued, “there is no indication that the erroneous accounting accrual entries had any impact on the company’s cash management activities or vendor payments. The individual who engaged in this conduct is no longer employed by the company. The investigation has not identified involvement by any other employee.”
Macy’s said little else to clarify what happened and how it happened, but accounting specialists said that its brief statement offered many clues as to what likely happened. For example, the statement did not include the typically obligatory sentence that law enforcement had been notified. That might suggest that no criminal intent was discovered.
Although that might seem at odds with the company’s use of the term “hidden,” one likely scenario is that the employee could have been using creative accounting to make the numbers look better, without realizing that such actions were not permitted by the Securities and Exchange Commission (SEC).
Macy’s declined a CIO request for an interview.
JR Kunkle, an auditor and GRC specialist who runs his own consulting firm, Kunkle Consulting, said that there is a reason why auditors hate it when companies log financials as accrual, as Macy’s said it did, rather than cash.
“Accruals is one of the ‘favorite’ areas (for auditors) because businesses will play around with it. You can move money up and down as the quarter goes,” Kunkle said. “What reasoning did you use to come up with this number? It’s a hard area to audit.”
More to the point for CIOs, it’s also a very difficult area for enterprise software to track, and to know when money movement is permitted under standard accounting rules and when it is not.
Kunkle and several accounting experts said the likely motivation of this employee was to make the company’s financials look better, probably to earn a better bonus for their division.
For a retailer as large as the $24 billion Macy’s, accounting mechanisms are especially complex.
“It’s likely that someone was meant to have accrued this, but they were looking for ways to reallocate it so that they didn’t have to show those numbers,” said Stefan van Duyvendijk, an industry principal with accounting software vendor FloQast. “You would be surprised how long vendor payments can be delayed. They can say that they are prepaying the vendor so the numbers don’t hit the quarter and nothing hits the P&L [profit and loss statement]. You can also allocate expenses to different businesses, divisions.”
As for the defenses of Macy’s and other enterprises, he said these accounting tactics are often not discovered. “ERPs are really not designed to detect this. What technology finds difficult is nuance,” and accounting tactics are full of nuance. “[Macy’s auditor] KPMG didn’t identify it, either,” van Duyvendijk said.
“ERPs and most reporting software are not designed to catch erroneous accounting, let alone intentionally fraudulent accounting,” van Duyvendijk said. Although “they do have some key controls in place, they are limited, which is why account teams focus so much time on the month-end close process to identify and correct those mistakes.”
Another accounting specialist, Emburse CFO Adriana Carpenter, had some specific guesses as to what happened.
“What has been disclosed is that cash flows are not impacted, just the P&L. This leads me to hypothesize that the accountant changed the coding of these delivery transactions to charge the payments to a balance sheet account versus a P&L account. As a result, while the payments were appropriately recorded as cash outflows payments, the expense was never reported,” Carpenter said. “This coding could have happened at the time the transaction occurred, meaning it was tied to the transaction itself, or it could have been initially recorded to the P&L and a second journal entry was then posted to reverse the charge and move it to the balance sheet.”
Carpenter suggested that enterprises could prevent this with some procedural changes. Accounting could require that purchases have to be approved and an account code assigned “before the spend or transaction occurs. In this scenario, when the transaction actually happens, it has already been pre-assigned to be recorded as a P&L expense. That would prevent someone coming in and putting in another account coding, such as to a balance sheet account.”
Frank Dickson, the group VP of security and trust at IDC, was one of the few who thought that the employee’s actions likely went beyond aggressive accounting and were criminal. And he speculated that the lack of a reference to law enforcement was merely to allow Macy’s to control the situation a little bit longer.
Macy’s “now has control of this. If they report it as a criminal act, the company loses control,” Dickson said. “If someone intentionally changes their accounting principles to get a better bonus, that’s criminal.”
The Macy’s situation also illustrates the problem of insider activity. “When you have a malicious insider, they know the systems better than the company knows its systems,” Dickson said.
For example, he said, every company is going to watch for financial deviations of varying amounts. If an insider knows the exact thresholds, they could consistently operate right below that level. “In a company that size, what will go unnoticed? They do this in the rounding errors, in the edges. What are the limits? Where can I hide things?”
From the IT perspective, much of this problem is not necessarily in the weakness of various accounting systems, but in cracks that form between those systems.
“The problem is at the intersection of two systems: ERP and financial accounting. What can CIOs do to prevent this problem? Double down on your governance risk and compliance practices,” Dickson said. “Break down the walls between groups, such as ERP and accounting systems and cybersecurity. There are going to be gaps between those silos. What happens in those gaps is complexity. That’s where noise becomes signal.”
Another analyst, Moor Insights & Strategy VP Robert Kramer, echoed that “ERP systems will not have the ability to catch things like this. The only way you can really fix it is to strengthen your internal controls with things such as multi-employee workflows.”
Macy’s “could have had an overreliance on manual components. And they might have a very complex delivery expense system,” Kramer said.
Read More from This Article: Macy’s 4 million ‘hidden’ accounting mess shows the limits of today’s audit, GRC, and accounting systems
Source: News