Fraud in company financial statements is a problem that affects users in most countries today, and some believe that this problem is only getting worse. While independent auditors render opinions that give investors confidence in the accuracy of a company’s reported financial performance, when fraud is uncovered, resulting litigation often focuses on the independent auditors’ conduct – in particular, on what the independent auditors reviewed and how they reached their conclusions. This article lays out five important “bright line” principles about generally accepted auditing standards (GAAS) that will assist lawyers who either defend or prosecute claims against accounting professionals.
Independent auditors play a vital role in our capital markets system. A third party opinion on the representations made in a company’s financial statements serves as assurance of accuracy and transparency, and builds investor confidence. However, when investors learn of securities fraud or other financial statement misrepresentations, ensuing litigation often focuses highly critical attention on the quality and sufficiency of the information auditors obtained, and how they processed that information in reaching audit conclusions.
Demonstrating audit failure often depends heavily upon the documentation of the planning and conduct of the examination. On the other hand, in both civil malpractice and white collar criminal defense cases, the accused’s legal team may find in the audit working papers the basis for a defense, founded on the auditors having “done the right things,” even if fraud or misconduct occurred and was not uncovered.
Before advocating for either plaintiffs or defendants regarding allegations of audit malpractice, securities fraud or other misconduct, attorneys should clearly understand five important facts about generally accepted auditing standards (GAAS).1
- It is not the auditors’ responsibility to identify all fraudulent activity in the organization.
Fraud, sadly enough, is a commonplace occurrence. In fact, Andrew Fastow, former CFO of bankrupt energy-trading firm Enron, recently told Accounting Today that the problem of fraud is ten times worse now than it was when his company collapsed.2 Auditing standards, however, have never and do not now place primary obligations for detection of fraud on the independent accountants.Professional standards do require auditors to opine on their client’s compliance with generally accepted accounting principles (GAAP). In order to do so, auditors are required to plan and perform their audits to obtain reasonable assurance that financial statements are free from material misstatements, whether due to error or fraud. Thus, fraud that is material to the financial statements should be uncovered during the performance of typical audit procedures, but an audit does not and cannot provide absolute assurance that this will happen.
- Management is responsible for the financial statements.
Auditors are engaged to give their opinion on financial statements.3 They are not the authors of the financial statements, nor can they be. In fact, auditors are strictly prohibited from performing certain tasks, such as certain bookkeeping services. They are also barred from making management decisions that would impair their independence and preclude their ability to give unbiased opinions on the financial statements.Oftentimes, auditors accused of professional malpractice stemming from fraudulent financial reporting by a client will cite, as their first line of defense, the observation that management is fully responsible for the financial statements. Although no respected auditing expert would disagree with this statement, per se, it remains the auditors’ duty to conduct effective audits that bring fraud and misconduct to light.
On the other hand, it is also true that management often relies heavily on the knowledge and experience of their auditors to help resolve technical accounting issues, and this can create at least the appearance of excessive involvement by auditors in managerial decision-making. When this occurs, good auditors will carefully document the fact that the ultimate decisions on the financial statements were made by management, and they may incorporate this assertion into the management representations that must be memorialized before the audit report is delivered, documenting that the auditors’ role was limited to technical research done to provide management with the information needed to select from among multiple available reporting options.
Management alone must make the financial reporting policy decisions, and qualified auditors will carefully document this in their working papers.
- Uncorroborated management assertions are not audit evidence.
Management is required to submit an afore-noted “management representation letter” to the auditors, which generally contains assertions regarding the company’s accurate, complete disclosure of information to the auditors, as well as various declarations regarding contingent obligations, related party transactions, and other matters affecting the company’s financial statements. While these representations are made during, and are material to, the conduct of the audit, they cannot substitute for the appropriate application of audit procedures. Indeed, the mandatory application of “professional skepticism” is quite akin to President Reagan’s admonition to “trust but verify” – but, in contravention of this mandate, some accountants do rely too heavily on management’s assertions.4
For example, in its report on the 2007 inspection of a Big Four firm, the Public Company Accounting Oversight Board (PCAOB, which oversees auditors of U.S.-listed publicly held companies) decried “a firm culture that allows, or tolerates, audit approaches that do not consistently emphasize the need for an appropriate level of critical analysis and collection of objective evidence, and that rely largely on management representations.”5
Commonly, in the event of litigation against accountants, defense attorneys will attempt to cite the management representation letter as evidence that the auditors were in fact the victims of management deception, as demonstrated by untruths in the representation letters, and thus are not guilty of malfeasance. However, the correct application of the audit standards would have precluded reliance solely on these representations, and therefore the assertions made in the client representation letter will be of limited value as part of a defense strategy.
- While a formal audit program and appropriate planning are required by professional standards, rigid adherence to a standard audit program and failure to consider needed modifications to it do not meet professional expectations.
The auditors’ task is not limited to execution of the audit plan, which often begins with an “off the shelf” set of procedures dictated by firm policy. Auditors are also required to assess various elements of risk, including inherent risk, control risk, and detection risk. The audit team must furthermore engage in meaningful brainstorming of fraud risk factors before they can begin their examination, which then must be tailored in clear response to these assessments. Perhaps most importantly, auditors are required to be “appropriately skeptical,” according to Margaret McGuire, a member of the SEC Financial Reporting and Audit Task Force, “…particularly in areas that involve management judgment in the preparation of financial statements and disclosures.”6
In the planning and performance of an audit, the auditor must maintain an attitude that includes a questioning mind and a critical assessment of audit evidence. This transcends mere reliance on pre-conceived audit checklists, no matter how well designed, and demands a mind-set that surpasses, but is informed by, mere technical accounting competence.
- The timing and sequence of audit procedures may reveal whether the work was properly planned and executed.
According to professional standards, the auditors’ working papers should provide a complete narrative of how they reached their opinion,7 such that an accountant with similar experience but no previous connection to the engagement can understand the auditors’ procedures, judgments, and conclusions. Individual audit working papers should be signed and dated by both preparer and reviewer, as the implied time line of the audit engagement may prove crucial in auditor litigation.If, for example, substantive procedures were performed after the audit report date, or in such proximity as to have precluded careful evaluation and audit procedure modifications before finalizing an opinion, it may be argued that this work was only performed to “paper the files” and was not timely performed in support of the audit opinion.
While erroneous or even fraudulent financial reporting can occur and escape detection even with a well-conducted audit, a failure to comply with professional standards will typically make auditors vulnerable to assertions of malpractice. Since auditing standards are largely behavioral in nature – in contrast with, say, accounting standards, which essentially consist of technical instructions – there will be more room for interpretation regarding the compliance by the auditors with the relevant standard of care in conducting audits. The matters enumerated above are among the few “bright line” principles in the realm of audit conduct, and should accordingly be given serious consideration.
In any litigation dealing with allegations of auditors’ malpractice, ultimately it will be the preponderance of the evidence regarding the auditors’ good faith, informed and competent execution of audit planning procedures and the conduct of testing and evaluation of evidence that will drive the final verdict. An understanding of auditing standards is thus needed both by those seeking to defend or to pursue claims against accounting professionals.
- AICPA Professional Standards, AU Section 150: Generally Accepted Auditing Standards http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00150.pdf.
- Cohn, Michael. “Former Enron CFO Andrew Fastow Confronts the Fraud Examiners,” Accounting Today. June 27, 2013. Web.
- AICPA Professional Standards, AU Section 110: Responsibilities and Functions of the Independent Auditor http://pcaobus.org/Standards/Auditing/Pages/AU110.aspx.
- AICPA Professional Standards, AU Section 333, Management Representations, AU §333.03 http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00333.pdf.
- Public Accounting Oversight Board, Report on 2007 Inspection of Deloitte & Touche LLP, May 19, 2008, at p. 17 http://pcaobus.org/Inspections/Reports/Documents/2008_Deloitte.pdf.
- Gaetano, Chris. “David Woodcock and Margaret McGuire, SEC Financial Reporting and Audit Task Force,” Trusted Professional. August 8, 2013. Web.
- AICPA Professional Standards, AU Section 339, Audit Documentation, AU §339.05 http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00339.pdf.