The WorldCom Fraud Under A COSO Magnifier

By Hans-Ulrich Westhausen


A close look at what went wrong at WorldCom gives CFEs a good understanding of how COSO concepts work. The COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework has been recognized since the early 1990s as the No. 1 internal control framework for any for-profit or nonprofit organization in any geographical area or culture in the world.

The framework is explicitly recommended by international standard-setting governmental, private, and professional organizations worldwide. (See sidebar below.) Furthermore, COSO can be used not only for the setup and development of an internal control system but also for the analysis and understanding of control system failures in historical fraud cases. In this column, I’ll demonstrate the effectiveness of the five COSO control components in the framework to highlight former WorldCom’s major control weaknesses, which led to the spectacular $11 billion fraud.


According to, the basic COSO concept covers three areas:

1. Organizational core objectives comprising effectiveness and efficiency of operations, reliability of financial reporting and compliance

2. Organizational processes, business units and activities, to which the core objectives have to be applied

3. Five COSO control components: control environment, risk assessment, control activities, information and communication, and monitoring


The five COSO control components are the core criteria for assessing the potential effectiveness of any internal control system and its vulnerability to fraud. But they also can take a backward look at a fraud case to analyze how it happened. And using the lessons learned, we can use them to avoid and/or detect unexpected misconduct, potential mismanagement or even fraud in the future.

WorldCom Fraud in Brief 

Before I apply COSO to WorldCom, here are some general facts about the company that ACFE Regent Cynthia Cooper, CFE, CISA, former WorldCom vice president of internal audit, wrote in her book, “Extraordinary Circumstances – The Journey of a Corporate Whistleblower.” (John Wiley and Sons, 2008; available in the ACFE Bookstore)

WorldCom caused one of the largest fraud and bankruptcy scandals in American and global corporate history. In total, more than $11 billion worth of fraudulent accounting entries and misstatements were detected, which represented 28.9 percent of total annual revenue in 2002. This fraud ratio was significantly higher than the 1.1 percent ratio of the blockbuster fraud at Enron.

All WorldCom fraudsters were sentenced. Former CEO Bernie Ebbers received 25 years in prison – a virtual life sentence because he was in his mid-60s at the time. The CFO got a five-year prison sentence and his chief controller one year and one day. In addition, the corrupt senior accountants were jailed or faced long-term probation.

Fraudulent accounting at WorldCom was a collusive action among top management and a few accountants, in conjunction with weak controls. According to the ACFE’s “2008 Report to the Nation,” the collusion “resulted in a median loss over four times higher than the amount lost in schemes committed by a single perpetrator.”

The scheme lowered line costs (the company’s largest single expense) by capitalizing them as “prepaid capacity” and reversing allowances without sufficient justification. The corporate motive for this fraud was to meet Wall Street’s expectations for growth and also to hide real, deteriorating operating results, which were caused by the bursting dot-com and telecom bubbles. But there were individual drivers also: personal financial enrichment through misappropriation of corporate assets (especially cash) and a mix of other personal targets such as the improvement of social and business status (for example, CEO, CFO), the advancement of a professional career (for example, CFO, chief controller), and job security among several senior accountants.

According to the 2007 Oversight Systems Report on Corporate Fraud, these motives parallel statistical data about why people say they commit fraud:

  • Pressure to do whatever it takes to meet goals (81 percent)
  • Personal gain (72 percent)
  • “I won’t get caught” (41 percent)
  • “I don’t consider it as fraudulent” (40 percent)
  • The belief that regulations can easily be bypassed (21 percent)

Additionally, people tend to overestimate their capabilities, with a tendency toward megalomania, as they become more and more successful and admired by the public, as in Ebbers’ case. His financial escapades, both business and personal, were legendary.

To find the major weaknesses at WorldCom, I screened the internal control system by applying the five COSO control components and mapping them – that is, plotting the weaknesses against the corresponding fraud exposures. See the “Control Environment,” “Risk Assessment,” “Control Activities,” and “Monitoring” charts to view my findings. 


Would the same fraud scandal have happened if Cooper had been allowed to implement COSO-based audit principles right after her start at WorldCom? If she had been granted 150 instead of only 35 internal auditors? If internal auditors at WorldCom had had access to all information they needed and not only 50 percent of the accounting system? The fraud scheme would probably have been carried out differently but carried out nevertheless. The pressure to do something was enormous and no one was there to say “no” or to reveal the truth, except Cooper and the internal auditors.

Following WorldCom’s experience, we have to accept that:

  • Any control can give only reasonable, but never absolute, assurance to reach a tracked business target.
  • Fraud is overwhelmingly detected through tip-offs or by accident instead of systematic development of internal control activities or subsequent internal auditing.
  • When fraud is conducted by collusive action of top management and their accountants, as was the case at WorldCom, almost any control can be overridden.

But apart from these discouraging facts, COSO, as the world’s No. 1 concept for internal controls, is still a reliable basis for the development and the analysis of internal control systems with special focus on risks, weaknesses, and potential vulnerabilities to fraud.

Within this context, COSO also offers great support for anti-fraud management. The ACFE, American Institute of Certified Public Accountants, and Institute of Internal Auditors jointly published “Managing the Business Risk of Fraud: A Practical Guide,” which reflects on the control concept called COSO.

Hans-Ulrich Westhausen, CFE, CIA, CISA, CCSA, is head of group auditing for Garant Schuh & Mode AG in Duesseldorf, Germany. 

COSO Formed to Sponsor Initiative that Studied Causal Factors in Fraudulent Financial Reporting 

COSO was formed in 1985 to sponsor the National Commission on Fraudulent Financial Reporting, an independent private-sector initiative that studied the causal factors that can lead to fraudulent financial reporting. It also developed recommendations for public companies and their independent auditors, for the U.S. Securities and Exchange Commission (SEC) and other regulators, and for educational institutions.

The National Commission was sponsored jointly by five major professional associations headquartered in the United States: the American Accounting Association (AAA), the American Institute of Certified Public Accountants (AICPA), Financial Executives International (FEI), The Institute of Internal Auditors (IIA), and the National Association of Accountants (now the Institute of Management Accountants [IMA]). Wholly independent of each of the sponsoring organizations, the commission contained representatives from industry, public accounting, investment firms, and the New York Stock Exchange.

The original chairman of the National Commission was James C. Treadway Jr., executive vice president and general counsel of Paine Webber Inc. and a former commissioner of the SEC, hence the popular name “Treadway Commission.” Currently, the COSO Chairman is David L. Landsittel, CPA.

