Dr Barry Jay Epstein, Accounting Expert at Epstein + Nach LLC


Gaining an understanding of an entity’s system of internal control is a critical component of conducting an audit. The American Institute of Certified Public Accountants mandates in the body of professional guidance known as Generally Accepted Auditing Standards (“GAAS”), specifically within Field Work Standard No. 2, that auditors perform this fundamental exercise at the outset of each audit. It should be noted that the professional standards do not exempt auditors who have served as members of the client’s prior years’ audit team or on similar engagements from renewing and confirming their prior evaluation of an auditee’s system of internal control. (Under provisions of the Sarbanes-Oxley Act of 2002, audit standard-setting for publicly-held companies in the U.S. is now conducted by the Public Company Accounting Oversight Board [PCAOB], but to date its rules have mostly borrowed from U.S. GAAS, although it professes an intent to promulgate a complete set of its own standards. Auditing rules in other nations either follow unique national standards or, much more frequently, the International Standards on Auditing set by the Auditing and Assurance Standards Board of the International Federation of Accountants.)

The above-stated position is justified because, unless auditors adequately perform this step, they simply will not have the requisite knowledge to properly plan the nature, timing, and extent of tests to be performed if, for example, an entity’s operations or business environment has changed. Therefore, failure by auditors to gain an understanding of an entity’s system of internal control can outright violate, or at a minimum severely jeopardize the ability of the audit engagement to be considered as conforming to, GAAS — and thus place the auditors at risk for litigation.

There are several types of legal claims an audit client may bring against its auditors when an audit is poorly performed or not conducted in conformity with GAAS. This article will focus on causes of action based on professional negligence and malpractice deriving from an auditor’s failure to properly assess a client’s system of internal control, thereby breaching Field Work Standard No. 2. To be successful in a professional negligence or malpractice action, the plaintiff must establish “1) the relevant standard of care in the circumstances; and 2) that the defendant deviated from the standard of care and that the deviation caused harm to the plaintiff.”[1]

The case of Curtis Packaging Corporation v. KPMG[2] will be utilized to illustrate the standard of care auditors are held to when performing an audit. This case will also be used to demonstrate how auditors can reduce the risk of litigation and of a judgment ordering the payment of significant consequential damages to an audit client by fully abiding by professional standards, including by completing a full assessment of each auditee’s system of internal control during the conduct of each audit.

Basic Background of Curtis Packaging Corporation v. KPMG

In this case, the plaintiff, Curtis Packaging Corporation (“Curtis”), is a manufacturer of high quality folding cartons. Curtis engaged the defendant, KPMG, LLP (“KPMG”) in the 1950s and retained KPMG as its independent external auditor until ending the relationship in 1999. In 2002, Curtis filed a complaint against KPMG in the Superior Court of Connecticut, Judicial District of Waterbury, for tort and contract damages. In its complaint, Curtis claimed that “KPMG was negligent in the performance of its professional duties owed to Curtis, and breached its contractual obligations to Curtis by failing to detect an ongoing scheme whereby Payroll Express, as Curtis’ outsourced payroll service, stole approximately $2.5 million during the 1990s from Curtis’ payroll account.”[3]

Before analyzing KPMG’s audit failures it will be beneficial to explain Curtis’ relationship with Payroll Express.

Initially, Curtis hired Payroll Express in the late 1980s to perform a few payroll-related tasks, including the preparation of its W-2 forms. In 1991, Curtis came to rely entirely on Payroll Express for its payroll function needs. Due to the nature of this arrangement, Curtis depended on Payroll Express to notify Curtis of the amount of funds that needed to be deposited in a particular bank account designated as Curtis’ payroll account in order for Curtis to satisfy its payroll and tax obligations. Curtis also trusted that, once the funds were deposited into the payroll account, Payroll Express would utilize pre-signed checks, which Curtis had given and authorized Payroll Express to use, to disburse the payroll and remit withheld taxes to federal and state authorities on behalf of Curtis. Hence, Payroll Express also maintained a check register for Curtis’ payroll account.

In August of 1998, as a result of a U.S. Internal Revenue Service (“IRS”) investigation, Curtis became aware that Payroll Express had purposefully taken advantage of its delegated authority to prepare Curtis’ tax withholding forms, IRS form 941, to steal money from Curtis’ payroll account. It was discovered that Payroll Express had been preparing “two different 941 forms, one being the correct form, which was provided to Curtis, and a second set of forms that reported a lower total wage and withholding amount, which was sent to the IRS, without a copy to Curtis.”[4] As Payroll Express had access to pre-signed checks as well as responsibility to maintain a check register, it was able to write checks directly to itself for the differences between the amounts on these two forms. In addition, Payroll Express purposefully changed the address on Curtis’ tax forms so that any IRS notice of underpayment would be sent directly to Payroll Express, and not to Curtis. In total, Payroll Express underpaid the IRS, and improperly paid itself, $2.5 million. In October of 1998, Curtis was able to negotiate a compromise on this amount, which it was liable for, with the IRS.

GAAS is the Relevant Standard of Care for Auditors Conducting Audit Engagements

The court in Curtis found, consistent with longstanding precedent, that the “standard of care for the accounting profession is GAAS.”[5] This meant that whether KPMG met GAAS requirements would be dispositive of both its breach of contract and negligence claims. Curtis’ expert was of the opinion that KPMG had violated a general standard, all three field work standards, and a reporting standard under GAAS. In reaching its final decision, the court appeared to place the greatest amount of weight on KPMG’s failure to gain an understanding of Curtis’ internal controls pertinent to payroll, in violation of Field Work Standard No. 2, which consequently resulted in the performance of inadequate testing.

KPMG’s duties regarding Curtis’ internal controls are set forth by the following generally accepted auditing standard:

Standards of Field Work – 2. A sufficient understanding of internal control is to be obtained to plan the audit and to determine the nature, timing, and extent of tests to be performed.

It is important to point out that KPMG was not required to rely on Curtis’ system of internal controls. However, auditing standards required KPMG to develop and document its understanding of its clients’ internal controls over the financial reporting process, both as designed and as placed in operation. To satisfy Standard of Field Work No. 2, KPMG should have obtained a sufficient understanding of each of the five components of internal control to plan its audits during the years when Payroll Express served as Curtis’ payroll administrator.

KPMG could have accomplished this by performing procedures to understand the design of policies and procedures relevant to audit planning and determining whether they have been placed in operation. Generally, the policies and procedures that are relevant to an audit pertain to the entity’s ability to record, process, summarize, and report financial data consistent with the assertions embodied in the financial statements. The auditors then assess control risk for the assertions embodied in the account balance, transaction class, and disclosure components of the financial statements. As an entity’s operations become more complex and sophisticated, auditors need to devote more attention to have an enhanced understanding of the internal control structure elements not just in audit planning, but also in designing effective substantive tests.

Examples of KPMG’s Departures from GAAS, Specifically Field Work Standard No. 2

In its opinion, the court included several examples of what it viewed to be evidence that KPMG violated GAAS, which would be deviations from Field Work Standard No. 2. Those examples include:

  1. KPMG made no reference to Payroll Express in its working papers

The court pointed out that KPMG made “no reference in the audits to the outsourcing of Curtis’ payroll system to Payroll Express beginning on April 1, 1991.”[6] The absence of meaningful documentation of awareness of the Payroll Express arrangement suggested that KPMG would not have the knowledge necessary to effectively plan or perform tests in this area. This was also significant to the court because KPMG assessed inherent risk[7] as being low for payroll and payroll tax transactions without providing any further explanation.

  2. KPMG obtained insufficient evidence to conclude that payroll presented a low level of risk

The court took note that it appeared “KPMG only evaluated Curtis’ control environment, and not its accounting system or control procedures.”[8] The court believed KPMG’s actions constituted a GAAS violation because there was no evidence that KPMG obtained evidential matter about the effectiveness of the design or operation of Curtis’ internal control structure or policies to warrant its judgment that a low level of risk existed.

  3. KPMG failed to give the payroll account, which was material to Curtis’ financial statements, proper attention

The court declared in its opinion that “KPMG had no basis for treating Curtis’ payroll account so lightly” especially given the “fact that payroll had been outsourced to an unknown (no SAS 70 audit) payroll service.”[9] In addition, “[p]ayroll was Curtis’ second largest expenditure, after purchasing, and it had a material effect on the financial statements.”[10] Based on these, and likely other observations, the court concluded that KPMG was required to rate Curtis’ payroll as having a high control risk.[11] Had KPMG evaluated payroll to have a high control risk it could have, and should have, expanded the scope of its testing.

  4. KPMG did not appreciate that Payroll Express was in a position to commit theft

The court believed if KPMG had made any sort of assessment of Curtis’ internal control structure with respect to Curtis’ payroll account, as was necessary for KPMG to properly plan and perform the audit, it would have revealed that:

“Payroll Express made the payroll tax calculation from data in its own computer, not Curtis’; Payroll Express signed checks with a facsimile signature for checks intended for payment of payroll taxes to the federal government and the States of Connecticut, New York, and New Jersey; Payroll Express delivered the checks to the recipients or the bank depository (Union Trust) for the federal government; Payroll Express delivered a check register to Curtis listing the numbers of each check and the amount of each check; Payroll Express prepared the payroll tax returns for Curtis, including form 941 with respect to the federal withholding taxes; and Payroll Express signed Curtis’ 941s with a facsimile signature and filed them with the federal government on Curtis’ behalf.”[12]

Clearly, the court thought that if KPMG had understood and properly assessed Curtis’ internal control structure, KPMG “would have recognized that Payroll Express was in a position to initiate unauthorized transactions, and there were no adequate safeguards over Payroll Express’ access to and use of the payroll account.”[13] KPMG should have been prompted by this understanding to devise a proper audit plan that included sufficient testing to determine whether this arrangement undermined assertions made in Curtis’ financial statements. KPMG, however, made no such alterations to its audit plan.

  5. KPMG did not recognize substantial evidence of theft in the materials it examined

The court deemed “KPMG’s failure to detect Payroll Express’ scheme of thievery [was] attributable to KPMG’s decision to forego performance of significant substantive testing of the Curtis payroll cycle.”[14] The court indeed describes what substantive testing KPMG did perform on Curtis’ payroll cycle to be nominal and consisting merely of “confirming the cash balance in the payroll account; comparing the current year’s payroll and payroll tax expense to the prior year’s expenses; performing daily bank reconciliations for April of each audit year; and calculating Curtis’ year-end accruals for accord payroll and unaccrued payroll tax.”[15]

Beyond the quantity of testing, the court was also quite dismayed regarding the quality of KPMG’s testing. KPMG apparently did not recognize, and certainly did not act on, substantial evidence of theft in the materials it did examine. The court made specific reference to the fact that:

“Checks that cleared the payroll account did not appear on Curtis’ check registry (the checks to Payroll Express), while checks appearing on Curtis’ check register did not clear the bank. In the month of March 1996 alone, four checks written to Payroll Express cleared the bank, none of which appeared on Curtis’ check register. …Twelve checks appearing on Curtis’ check register in March 1996 never cleared the bank (the checks reportedly written to Union Trust and the States of Connecticut and New York).”[16]

KPMG’s Deviations from GAAS and Particularly Field Work Standard No. 2 Harmed Curtis

Ultimately, the court decided that, “KPMG did not understand Curtis’ internal control structure as it related to the payroll account, and thus, was not able to identify potential misstatements, evaluate risk, and design substantive testing.”[17] These failures, which highlight deviations from requirements of Field Work Standard No. 2 and other audit guidance, amounted to inexcusable GAAS violations. As a result, the court agreed with Curtis that KPMG had, in addition to breaching its contract with Curtis, committed professional negligence/malpractice that caused harm to Curtis.

Holding that Curtis prevailed on its claims, the court entered judgment for Curtis and awarded damages in the amount of $487,525.62. This award did not include punitive or interest damages. However, it does represent the cost Curtis proved it incurred to hire consultants to investigate the theft, to repay the IRS, to pay the legal fees for one of the law firms it engaged, and to deal with the press and adverse publicity of the theft.

Concluding Thoughts

Curtis Packaging Corporation v. KPMG exemplifies how vital adhering to GAAS, and in particular to the requirements of Field Work Standard No. 2, is to the proper performance of an audit. It also demonstrates the litigation risks that can befall a public accounting firm, and the types of accountants’ negligence/malpractice claims an auditee may assert, when an audit team omits, or perfunctorily performs, obtaining an understanding of its client’s system of internal control. Although the overall damages Curtis was awarded in this case pale in comparison to other recent awards arising from audit failures, it is a prototypical example of how such liability may arise, and of its consequences. Audits that fail to conform to GAAS, or are poorly conducted, have the potential to cause clients significant harm and result in auditees being compensated for damages that arise from the audit failure, and the corollary legal, consulting, and public relations costs that may be incurred in dealing with the faulty audit. In order to avert such costs, auditors should heed, just as auditees should confirm that their audits are being conducted in full compliance with, GAAS.

[1] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 4 (2002), citing Pisel v. Stamford Hospital, 180 Conn. 314, 334-42, 430 A.2d 1 (1980).

[2] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663 (2002).

[3] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 1 (2002).

[4] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 3 (2002).

[5] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 5 (2002), citing Vosgerichian v. Commodore Int’l, 862 F. Supp. 1371, 1373 (E.D.Pa. 1994), and FDIC v. Schoenberger, 781 F. Supp. 1155, 1157 (E.D.La. 1992).

[6] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 9 (2002).

[7] AU § 312 defines inherent risk as the susceptibility of an assertion to a material misstatement, assuming there are no related internal controls.

[8] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 10 (2002).

[9] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 13-14 (2002). Absent a “SAS 70 letter” from another audit firm, expressing the opinion that controls at the servicer were operating effectively, there would be no basis for such reliance.

[10] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 14 (2002).

[11] AU § 312 defines control risk as “the risk that a material misstatement that could occur in an assertion will not be prevented or detected on a timely basis by the entity’s internal control.”

[12] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 11-12 (2002).

[13] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 12 (2002).

[14] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 13 (2002).

[15] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 12 (2002).

[16] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 13 (2002).

[17] Curtis Packaging Corporation v. KPMG, 2002 Conn. Super. Lexis 2663, 14 (2002).
