Even after the increased regulation associated with the Sarbanes-Oxley Act (SOX) in July 2002, the audit profession continues to face questions about whether auditors are truly independent from the companies that employ them and about overall audit effectiveness. A recent report commissioned by the Center for Audit Quality (“CAQ”) specifically examines Securities and Exchange Commission (SEC) enforcement actions involving fraudulent financial reporting cases where the auditor was sanctioned. The study covers the period 1998–2010, during which time there were 87 instances of SEC sanctions of this type against external auditors involving publicly traded companies.
There is much to be learned from the study, titled “An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: 1998–2010”. The companies associated with the 87 instances concentrate in four main industries, with over 40% in financial services / insurance, general manufacturing, telecommunications, or consumer goods manufacturing. Interestingly, the companies were also generally small, with median revenues and assets under $40 million. This could suggest on its face that the problems were not derived from the market power of the subject companies (a potential concern of independence), but from the smaller auditing budget. Of the 87 instances, six were deemed “bogus audits” where there were no meaningful audit procedures performed at all.
Accounting and Auditing Enforcement Releases (AAERs) involving sanctions against auditors typically allege that the auditor either (i) violated the anti-fraud statutes themselves or (ii) performed a negligent audit that enabled the fraud. Of the 81 actual audits examined, 24 fell into the former category, with the remaining 57 involving negligent audit work. While most of the 81 cases involved multiple failures, the top five deficiencies noted were as follows:
1. Failure to gather sufficient competent audit evidence (73 percent of the cases)
2. Failure to exercise due professional care (67 percent)
3. Insufficient level of professional skepticism (60 percent)
4. Failure to obtain adequate evidence related to management representations (54 percent)
5. Failure to express an appropriate audit opinion (47 percent)
Overall, the analysis and recommendations focused on four main themes: (i) failure to exercise due professional care, (ii) insufficient professional skepticism, (iii) inadequate identification and assessment of risks, and (iv) failure to respond to identified risks with appropriate audit responses to gather sufficient competent audit evidence.
Due professional care requires that the auditor perform “responsibilities with competence and diligence to the best of the auditor’s ability, including the performance of procedures generally expected to be performed in an audit.” It imposes a responsibility upon each professional within an independent auditor’s organization to observe the standards of field work and reporting. Because this failure is one of execution, recommendations for improvement are focused on additional training and education on the fundamentals of the audit process.
In contrast, professional skepticism is a question of mindset. The Public Company Accounting Oversight Board (“PCAOB”) standards define professional skepticism as an attitude that includes a questioning mind and a critical assessment of audit evidence. Although it can clearly be stressed in training, shortfalls may also have root causes related to firm culture and to cultural and generational norms.
The risk assessment process is a key component of any audit exercise, and auditing standards have long been risk-based. However, the findings in these particular audits suggest that risk was not appropriately understood and addressed. Once again, this is an area that can be improved with training, but it should also continue to be studied. The report notes that the emerging discipline of enterprise risk management is revealing a number of complexities associated with any risk identification and risk assessment task, and that the audit profession should investigate how best to leverage insights that are emerging in other risk management disciplines.
The failure to properly respond to identified risks can sometimes be explained by some combination of the prior three failures. However, it can also be caused by failure to adequately link audit procedures to underlying risks. The report cites prior research regarding the difficulty in making this linkage and suggests that either greater emphasis on quality control review of these linkages or new tools and techniques (and associated training) may be needed.
In summary, the study attempts to identify the root-cause issues behind auditor-related deficiencies involving fraudulent financial reporting. Although there is no comprehensive solution, the recommendations support the view that a properly applied standards-based audit is an effective tool against financial statement fraud. While the study addresses 87 instances of auditor failures, it should be noted that these occurred over a 13-year period and that approximately 9,500 entities file financial statements with the SEC on an annual basis.