EXECUTIVE SUMMARY |
|
MARK S. BEASLEY, CPA, PhD, is associate professor of accounting at North Carolina State University in Raleigh. His e-mail address is . JOSEPH V. CARCELLO, CPA, PhD, is Stokely Scholar and associate professor of accounting at the University of Tennessee in Knoxville. His e-mail address is . DANA R. HERMANSON, CPA, PhD, is director of research—Corporate Governance Center and associate professor of accounting at Kennesaw State University in Atlanta. His e-mail address is . |
Monitoring SEC Activity
To gain additional insights into possible audit deficiencies, CPAs can track key SEC enforcement actions at www.sec.gov/enforce.htm .
Our analysis is based on a report we completed in 2000 for the AICPA ASB titled Fraud-Related SEC Enforcement Actions Against Auditors: 1987–1997. Our research initially involved 56 cases. However, 11 of those 56 cases involved a bogus audit or auditor where either the audit never took place or a non-CPA posed as an auditor and issued a phony opinion. In the remaining 45 cases the SEC alleged deficiencies in performing one or more “attempted” audit engagements. These cases form the basis for our analysis.
All of the cases involved public companies, most of which engaged in fraudulent financial reporting (or “cooking the books”). Only a few engaged in misappropriation of assets or defalcation (stealing). While the audit deficiencies described here may help CPAs detect or prevent either type of fraud, with private companies—where stealing is the more pervasive risk—auditors face an entirely different set of considerations.
Top Audit Deficiencies in SEC Enforcement Actions: 1987–1997
Problem area | Percentage (Number) of cases |
1. Gathering sufficient audit evidence. | 80% (36 cases) |
2. Exercising due professional care. | 71% (32) |
3. Demonstrating appropriate level of professional skepticism. | 60% (27) |
4. Interpreting or applying requirements of GAAP. | 49% (22) |
5. Designing audit programs and planning engagement (inherent risk issues, nonroutine transactions). | 44% (20) |
6. Using inquiry as form of evidence (relying too much on this method). | 40% (18) |
7. Obtaining adequate evidence related to the evaluation of significant management estimates (failing to gather sufficient evidence). | 36% (16) |
8. Confirming accounts receivable. | 29% (13) |
9. Recognizing/disclosing key related parties. | 27% (12) |
10. Relying on internal controls (rely too much/failing to react to known control weaknesses). | 24% (11) |
COMMON AUDIT PROBLEMS
The exhibit above highlights the top 10 audit deficiencies the SEC claimed. The most common problem—alleged in 80% of the cases—was the auditor’s failure to gather sufficient evidence. In some instances, this failure was pervasive throughout the engagement; in other instances the allegations were more specific. For example, many of the cases involved inadequate evidence in the areas of
Some cases involved the auditor’s failure to examine relevant supporting documents (for example, examining a draft, instead of a final, sales contract) or failure to perform steps listed in the audit program. Overall, this failure contributed to management’s success in overstating assets, the most common fraud technique.
Due professional care. The SEC claimed that auditors failed to exercise due professional care in 71% of the enforcement cases and to maintain an attitude of professional skepticism in 60% of the cases. In general, this failure on the auditors’ part can be found throughout the sanctioned audit engagements.
Applying GAAP. In almost half of the cases, the SEC said the auditors failed to apply or incorrectly applied GAAP pronouncements. Many of the GAAP violations related to unusual assets with unique accounting valuation issues (often described in the lower levels of the GAAP hierarchy).
Audit program design. Planning the audit engagement is crucial to its success. Deficiencies in audit planning were cited in 44% of the cases. Specifically, the auditor failed to
Audit evidence. Another common deficiency the SEC alleged, present in 40% of cases, involved overreliance on inquiry as a form of audit evidence. The agency cited auditors for failing to corroborate management’s explanations or to challenge explanations that were inconsistent or refuted by other evidence the auditor had already gathered.
Failure to obtain adequate evidence relating to the evaluation of significant management estimates was present in 36% of the cases. The SEC claimed auditors failed to gather corroborating evidence and to challenge management’s assumptions and methods underlying the development of those estimates.
Accounts receivable. The SEC cited numerous deficiencies in confirming accounts receivable (present in 29% of the cases). These deficiencies included
Related parties. Another common problem (in 27% of cases) was the auditor’s failure to recognize or disclose transactions with related parties. The auditor was either unaware of the related party or appeared to cooperate in the client’s decision to conceal a transaction with this party. Such transactions often resulted in inflated asset values.
Internal controls. In 24% of the cases, the SEC alleged the auditors overrelied on internal controls. It said that they typically had failed to expand testing in light of identified weaknesses in the client’s internal controls. In other cases, the auditors seemed to implicitly assume the presence of a baseline level of internal controls, even though the auditor documented that the client essentially had no controls in place.
AUDITOR SOLUTIONS
Based on the deficiencies the SEC found, there are a number of areas that warrant specific attention from CPA firms that do audits and from individual auditors themselves.
Audit issues. The three most common deficiencies all reflect engagement management problems affecting many areas of the audit: a failure to gather sufficient, competent evidence, lack of due care and lack of professional skepticism. In many cases, the best remedy for such problems is for auditors to develop a properly designed and executed quality control system. Such a system creates a culture that encourages all members of the audit team to maintain a baseline acceptable level of performance, regardless of perceived day-to-day engagement and firm pressures.
CPA firms should evaluate their own quality control systems to ensure policies and procedures emphasize the importance of proper audit planning, supervision and review, including timely involvement by engagement and concurring partners. Additionally, firms should reexamine existing quality control procedures to make sure they are detailed enough to assure firm leaders that audit teams are examining appropriate documentation (final documentation, not drafts) and that teams complete all audit program steps. Those procedures should emphasize that auditors should corroborate management representations with additional evidence and not overuse management inquiry as a form of audit evidence.
The firm’s “tone at the top.” Another means of reducing office-wide audit problems is to address the attitudes at the firm’s highest levels. Here are some values a CPA firm’s managing partners should clearly communicate to their employees. Firms should
Performance measurement and compensation. Audit firms can benefit from closely examining their performance measurement and compensation systems. In many of the fraud cases, it appeared auditors simply chose not to pursue identified audit issues, perhaps fearing the time spent investigating those issues would hinder career advancement or result in penalties during salary and bonus reviews because they ran overtime budgets or missed client-imposed deadlines.
A clear message should be part of all personnel decisions (hiring, retention and promotion) that the firm values high quality audit services and that all other considerations—including time budgets, firm administration, development of nonaudit services and other practice development issues—are secondary. Firms also need to carefully evaluate whether fee and deadline pressures will have an impact on the audit team’s ability to deliver a high quality audit.
GAAP violations. CPA firms that perform audits can take a number of steps to reduce the incidence of GAAP violations among audit personnel, including
Audit planning. Auditors can best remedy audit planning deficiencies by promoting more extensive and timely involvement by partners—both engagement and concurring—and managers in planning the engagement. Such involvement increases the likelihood the auditor will correctly assess risks (both inherent and control) and modify the firm’s audit approach (nature, extent and timing of tests) as appropriate. Involving the audit team partner and manager during the planning phase will help ensure that audit plans emphasize careful scrutiny of nonroutine transactions, particularly those recorded near yearend—when management sometimes records inappropriate transactions.
Management estimates. At a minimum, auditors need to carefully review the underlying data, assumptions and methods a company’s management used to develop financial statement estimates. An adequate review hinges on auditors with an appropriate level of both general and industry-specific expertise being involved. In cases of particularly complex or unusual estimates, specialists may be needed.
Confirming accounts receivable. CPA firms need to ensure their audit teams are effectively handling the confirmation process. Firms should remind team members to
Related-party transactions. To increase the likelihood of detecting related-party transactions, the auditor should:
Once the auditor uncovers a related-party transaction, he or she has two additional responsibilities: 1) closely examine the transaction to make sure that it occurred and is correctly valued and 2) ensure the GAAP requirements (see FASB Statement no. 57, Related Party Disclosures ) are satisfied.
Reliance on internal controls. In the SEC cases, auditors sometimes relied too much on internal controls by either failing to expand testing after discovering internal control weaknesses or assuming a baseline level of internal control existed even in the absence of any controls testing. This finding has implications for firm policy and quality control procedures, which should explicitly note the prohibition in professional standards against placing any reliance on controls unless they have been adequately tested. In addition, firms should more closely link internal control evaluations to substantive audit testing (the nature, timing and extent of such tests).
BETTER AUDITS, LESS FRAUD
As financial and economic pressures tighten for corporate executives, it is more important than ever for auditors to develop sound fraud-detection audit techniques. The audit deficiencies alleged by the SEC between 1987 and 1997 are, in our view, issues the profession and individual firms can effectively address. The recommendations included in this article may help firms reduce the chance of undetected material financial statement fraud as they strive to continually improve fraud risk assessment tools. The audit deficiencies the SEC identified also have important implications for standard setters as they seek to strengthen professional standards related to the auditor’s fraud detection responsibilities.
Those interested in learning more about the study underlying this article should contact the AICPA at 1-888-777-7077 to obtain a copy of the research monograph titled Fraud-Related SEC Enforcement Actions Against Auditors: 1987–1997 (product number 990040JA).