Auditor liability and malpractice, stemming from allegations of failure to appropriately respond to clients’ risk of material misstatements due to fraud, is an area ripe for litigation, specifically when fraud and material misstatements are subsequently revealed to have affected the financial statements. Although a “clean” audit report is not an absolute guarantee of accuracy, auditors are required to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether due to error or fraud. Litigators defending auditors or representing clients claiming to have been harmed by auditors’ failing to meet these requirements need to understand – or better yet, have an expert on hand who understands – auditing standards pertaining to these obligations.
In the U.S., for example, the Sarbanes-Oxley Act of 2002 created the PCAOB to oversee the accounting profession in its role as auditors of publicly-held companies. PCAOB’s duties include regular inspections of CPA firm performance. Its publicly distributed reports provide myriad findings of audit deficiencies that deserve to be kept on the radars of both litigators and counsel to firms that are being audited. The PCAOB’s February 2013 report, on the results of its 2007-2010 inspections of 578 domestic firms that audit 100 or fewer public companies, describes the inspection findings, and some significant audit deficiencies, from the 1,801 individual audits that were inspected, which constituted a sample of all audits conducted by these firms during that period.
According to this report, the rate of significant audit performance deficiencies decreased from the preceding inspection period, which of course is a positive development. However, of concern to the PCAOB, as it also should be to auditors, is the persistence of certain pervasive deficiencies in audits performed by these firms. These deficiencies most notably represent instances in which the inspection staff found that the auditors issued their opinion that the financial statements were presented fairly in all material respects in conformity with U.S. generally accepted accounting principles (“GAAP”), when in fact, the auditors had not fulfilled their fundamental responsibility to obtain evidence sufficient to provide reasonable support for such opinions. Obtaining “sufficient appropriate” audit evidence is one of the ten generally accepted auditing standards, as also is the requirement to gain an understanding of the client’s control environment, in particular to assess the risk that the financial statements could be affected by material fraud. Based on the authors’ experiences, the same pattern of problems would likely affect financial reporting under any other major accounting regime, such as IFRS.
Auditors are required to evaluate whether the information obtained during their risk assessment procedures indicates that fraud risk factors are present. As part of those risk assessment procedures, the auditors should obtain an understanding of the company and its environment in order to understand the events, conditions (including economic and other externally-imposed conditions), and company activities (such as entering emerging markets) and pressures (such as a perceived need to “meet” Wall Street earnings forecasts), that might reasonably be expected to have a significant effect on the risks of material misstatement.
In addition, when the auditors have determined that a significant risk, including fraud risk, exists, they should evaluate the design of the company’s controls that are intended to address fraud risks and other significant risks, and then determine whether those controls have been implemented. The standard specifically directs that the auditors should presume that there is a fraud risk involving improper revenue recognition, and therefore in every engagement they should evaluate which types of revenue, revenue transactions, or assertions may give rise to such risks.
The auditors’ responses to risks of material misstatement due to fraud should influence the conduct of the audit in three ways. First, there should be a response involving general considerations on how the overall audit is conducted. Second, auditors’ response to identified risks should involve considering the nature, timing, and the possibly increased extent of the auditing procedures to be performed. And third, auditors should perform certain procedures to further address the risk of material misstatement due to fraud involving management override of controls, given the varied and unpredictable ways in which such overrides could occur.
Auditors have, unfortunately, been frequently found to treat risk assessment as a part of preliminary audit planning, which, once completed, is never revisited during the course of the ensuing examination. This is incorrect: planning must continue throughout the audit, since new information coming to the auditors’ attention, at any point in the engagement, has to be considered for possible impact on planned audit procedures. The auditor’s assessment of the risks of material misstatement due to fraud should be ongoing throughout the audit and is not a “one time” procedure to be employed, checked off a list, and forgotten.
The PCAOB’s findings demonstrate that some of the basic precepts of auditing still need to be reinforced for the profession. In a worst-case scenario, this reinforcement takes place, if at all, only during auditor liability litigation.