|EXECUTIVE SUMMARY |
| CPAs CAN USE DATA ON AUDIT MALPRACTICE claims filed with CNA, which underwrites 22,000 CPA firms in the AICPA professional liability insurance program, to help them avoid high-cost claims when they audit nonpublic entities such as private companies, governments or NPOs.
MOST NONPUBLIC AUDIT CLAIMS ARISE FROM technical standards violations, failure to detect defalcations and failure to include appropriate disclosures on the face of the financial statements or in the footnotes. For example, of the 63% of nonpublic audit claims that arose from technical standards violations, almost half involved improper inventory valuation and more than one-third involved accounts-receivable errors.
MANY CLAIMS INVOLVED CPA FIRMS WITH NO PRIOR audit experience in the client’s industry. The financial services industry is particularly hazardous for auditors lacking relevant experience—57% of audit claims involved banks and lending institutions, 34% involved insurance company audits and 9% concerned audits of securities dealers.
A CLIENT’S BANKRUPTCY AND LIQUIDATION are significant factors in audit claims. Three things can increase damage exposure: Shareholders and lenders will seek to recover their losses, the decisions of bankruptcy court judges can adversely affect the pursuit of claims against auditors and bankruptcies often increase the duration and cost of malpractice litigation.
CPA FIRMS CAN MANAGE RISK IN PERFORMING AUDITS by applying client acceptance and continuance procedures, maintaining training, supervision and professional skepticism, complying with technical and ethical standards and declining engagements they are not qualified to perform.
|SHERRY ANDERSON, CPCU, is vice-president and chief operations officer, global specialty lines claims for CNA in Chicago. Her e-mail address is Sherry.Anderson@cna.com . JOSEPH WOLFE is director of risk management, accountants professional liability group at CNA in Chicago. His e-mail address is Joseph.email@example.com .
This article should not be construed as legal advice or a legal opinion on any factual situation. As legal advice must be tailored to the specific circumstance of each case, the general information provided herein is not intended to substitute for the advice of professional counsel.
espite the high-profile lawsuits filed against auditors for revenue manipulation by company management, data on audit malpractice claims for the 22,000 CPA firms insured with Continental Casualty Co. (CNA), underwriters of the AICPA professional liability insurance program, show only 5% of all audit claims involved this type of financial statement fraud. An examination of CNA’s overall audit claims data provides CPAs with some insight into what prompts most audit claims and what steps accounting firms can take to protect themselves against liability.
|While tax practice generated almost 60% of AICPA program claims, audit claims—which occurred far less frequently—tended to be “severe” (high cost). And, although claims from public company audits generally were costly, they made up only 2% of all program claims; those from audits of nonpublic entities accounted for 14%. This article focuses on audit claims involving nonpublic entities.
|Claims Data |
Audit services generate approximately 16% of the billings of CPA firms insured in the AICPA program and 16% of all program claims.
Source: CNA Insurance Co., Chicago.
As shown in exhibit 1 nonpublic audit claims arose primarily from technical standards violations, failure to detect defalcations or failure to include appropriate disclosures on the face of the financial statements or in the footnotes.
Inventory errors. Of the 63% of audit claims from technical standards violations, almost half involved improper inventory valuation. This figure was much higher for manufacturing industries. Professional judgment is a significant factor in valuing inventory and other assets. Practitioners who lack experience with a client’s specific industry are more likely to make mistakes valuing partially completed products and projects, raw materials and intangible assets such as goodwill or technology in the research and development stage. Errors valuing obsolete inventory also are common. Many times the auditor relies too much on management representations and fails to verify their reasonableness.
Example. A CPA firm issued unqualified audit reports for three years to a client whose asset-based lending agreement was secured by unsold and presold inventory. Comments in the workpapers indicated the auditor had ongoing concerns about inventory obsolescence and late booking of returns. At the end of the third year, the client’s lender initiated foreclosure proceedings to liquidate the business’s assets when it no longer could service its debt.
|Exhibit 1: Nonpublic Audit Claims by Cause of Loss |
Source: CNA, Chicago.
After recovering about half of the outstanding debt in liquidation, the lender sued the directors, the officers and the CPA firm. The lender alleged the second-year financial statements were materially misstated, causing it to further extend the line of credit despite the fact the client was in violation of the loan covenants. An expert the insurance company retained on the auditor’s behalf concluded inventory was overstated in all three years and returns were, in fact, improperly booked. The client’s inventory control system did not track unit costs or date of purchase, and the auditor failed to disclose this internal control weakness in either management letters or the audit reports. The parties settled the claim before trial for approximately 10% of the damages
Accounts-receivable errors. Inadequate testing and verification of accounts receivable were also common problems. Of the 63% of nonpublic entity audit claims that arose from technical standards violations, more than one-third involved accounts-receivable errors. Too often the auditors accepted management representations about the collectibility of a particular receivable or class of receivables without adequately examining past collection experience or the reasonableness of management representations in light of market and industry conditions. Expert review often revealed bad debt reserves were inadequate and the company failed to write off a significant portion of accounts receivable in prior periods. This failure resulted in material errors in past and current financial statements.
In some instances clever CFOs outsmarted experienced auditors with schemes intended to inflate the value of accounts receivable. The schemes sometimes involved third parties who intercepted and forged confirmations to help friends and family members in the client company. This sort of conspiracy is difficult for auditors to uncover.
While under the professional standards an audit normally is not designed to detect illegal acts (AU section 317.08 of AICPA Professional Standards ), trial jurors typically believe an auditor is a “watchdog” for public interests. The burden thus falls on defense counsel to establish that the auditor could not have discovered the illegal act during the audit fieldwork. CPAs can protect themselves by maintaining appropriate professional skepticism, carefully controlling the confirmation process and continually assessing management’s ethics to minimize the risk of such claims.
Example. A CPA firm audited the annual financial statements of a wholesale distributor. The business was sold. During the audit fieldwork the following year, the successor auditor discovered evidence the distributor’s CFO had orchestrated an embezzlement scheme. (The new auditor compared the confirmations side by side and immediately identified the similarity in signatures.) Drawing on his prior experience as an auditor, the CFO had created fictitious vendor accounts to cover up the theft. The vendor addresses were post-office boxes an accomplice rented. When the auditors sent out accounts-receivable confirmations, the confirmations verified the fictitious receivables, which often were returned by fax. The buyer, saying it had relied on financial statements that were materially misstated—causing it to overpay for the business—sued the CPA firm. The case was settled before trial.
To make sure they don’t find themselves in the same situation, CPAs should be on the lookout for confirmations that are faxed or have similar signatures and/or for a pattern of post-office-box addresses for accounts receivable. All are red flags of possible fraud.
Failure to detect defalcations. Of all nonpublic audit claims, 20% alleged failure to detect a defalcation. Most arose from audits of not-for-profit organizations and closely held and government entities. Despite the fact the auditors’ duty is limited to “a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud” (AU section 110.02 of AICPA Professional Standards ), the public at large—as well as clients—expect auditors to detect embezzlements.
Businesses with a high volume of cash receipts or those with poor internal controls are particularly susceptible to embezzlement schemes. They typically involve long-term employees stealing inventory or cash in increasing amounts over a long period of time. The client often seeks recovery from the auditor once it discovers its bonding coverage is inadequate to meet the loss and that pursuing the embezzler through the courts is time-consuming, burdensome and may result in only a partial recovery.
Most audit claims involving failure to detect a defalcation arise out of similar circumstances. A trusted and longtime employee in an accounting or financial management position commits theft over three to six years, in increasing amounts, typically leading to discovery of the scheme. Losses range from $100,000 to several million dollars. In approximately 35% of these cases, the amounts stolen are material to the company’s financial statement in one or more years.
Example. A CPA firm audited a manufacturer’s annual financial statements. During the fieldwork for one audit, the CEO informed the auditors the company had discovered the CFO had been embezzling funds over a number of years. The client sued the CPA firm for failing to detect the embezzlement.
The CFO committed the theft by diverting mail containing customer payments and debiting an inventory account to cover the theft. The company did not maintain a perpetual inventory and the discrepancy went unnoticed for years because production costs fell within an expected range. While the CPA firm could not have detected the theft during the audit, the absence of effective inventory and cost accounting controls constituted a reportable condition. A key issue in the subsequent lawsuit was whether the firm had adequately reported these problems and made recommendations to management about instituting appropriate controls.
Despite management’s failure to institute controls even though there was an obvious need for them in a manufacturing environment, the auditor did not document this need in a management letter to the client. Defense counsel advised the case would not be defensible at trial and recommended it be settled.
CPAs can protect themselves from claims alleging failure to detect defalcations by explaining to clients the scope of audit services and taking care to point out an audit is limited in scope and designed only to detect material misstatements. Even an appropriately designed and executed audit plan often will not result in the auditor’s detecting fraud involving collusion by client management. An audit under GAAS is not a forensic audit. Taking a few minutes to explain this to clients, especially to the board of directors, can help CPAs avoid expectation gap problems later. Providing a client with written materials explaining what an audit entails can serve as valuable evidence the firm appropriately informed the client on this issue.
Inadequate financial statement disclosures. Another problem area is failure to include appropriate disclosures on the face of the financial statements or in the footnotes. Some 13% of nonpublic audit claims alleged this was the principal error leading to a loss. In most circumstances the dispute concerned classification and disclosure of the nature of a security the client held, such as derivatives or loans to related parties. An auditor has explicit duties in auditing investments (AU section 332 of AICPA Professional Standards ). It’s difficult to defend claims where the adequacy of disclosures about client investments is in question, especially when the investments are material to the financial statements.
Example. A CPA firm audited the annual financial statements of a government entity. The client had made substantial investments in derivatives, which eventually led to significant portfolio losses. The client sued the audit firm, alleging it had failed to sufficiently describe the nature of the investments in the footnotes. The suit also argued the firm knew of the risks associated with these investments and that the client was relying on the income stream to fund ongoing operations. Despite this, the firm failed to alert the entity’s governing board of the risks.
The investigation indicated the footnotes did not sufficiently describe the securities. The client’s governing board had directed the auditor to work though the entity’s financial manager and in-house counsel, both of whom lacked expertise on derivatives. Although the auditor identified the risks of derivatives to these parties, this information did not reach the governing board.
This case highlights the need for CPAs to communicate their concerns to both client management and any governing board and to investigate the background, experience and qualifications of any party whose expertise the auditor relies on during an audit. CPAs also should advise clients to require all professional advisers to provide proof they maintain professional liability insurance commensurate with the damage exposure associated with the advice they provide.
Engagement letters. In contrast to other areas of practice, CPAs issued engagement letters in approximately 85% of all audit engagements resulting in claims. Where the CPA had no engagement letter, the client typically was a closely held business, an employee benefit plan or an NPO. Engagement letters can serve as critical evidence in disputes about the scope of services or the date services began. For instance audit claims by lenders sometimes allege the bank would not have extended the client a line of credit if the auditors had issued their report in a timely manner. The CPA firm can use the engagement letter to establish when audit work began and to create a timeline showing it did render services in a timely manner and that the lender did not rely on the audit reports in making its credit decisions. It’s essential for CPA firms to obtain signed engagement letters annually before performing audit services to help defend itself in disputes about the mutual responsibilities and limitations of an audit engagement. Even for the 85% of audit claims that had engagement letters, one-third were not signed.
Manufacturers, retailers, pension plans and financial services firms typically need audits to obtain financing or to comply with government regulations. However, industry statistics the Department of Labor compiled for 1990 through 1999 revealed some interesting correlations: Manufacturing represented only 5.4% of all businesses; yet 25% of nonpublic audit claims arose from this sector. Financial services represented 8.5% of all businesses but 12% of nonpublic audit claims. Audit claims in these two industries indicated CPAs can minimize overall claim risk with heightened client acceptance and retention procedures along with careful quality control (especially second partner reviews).
|Exhibit 2: Nonpublic Audit Claims by Client Industry |
Source: CNA, Chicago.
As shown in exhibit 2 certain industries generate a higher incidence of audit claims than others, due in part to volatility within the industry as well as to the fact claims often are made against CPA firms that lack expertise in the client’s industry. Careful client screening can identify the specialized expertise the firm will need to perform an audit and companies in financial distress or with a history of frequent management changes and other potential problems. Discussions with the predecessor auditor, as required under AU section 315 of AICPA Professional Standards, can help identify many of these concerns. Companies in financial distress ultimately may become good, long-term clients, but CPA firms should exercise extra caution when undertaking these engagements.
Manufacturing. In audit claims of manufacturers, 60% concerned overvaluation of assets in the financial statements, 17% a failure to detect defalcations, 17% inadequate disclosures and 6% withdrawing from the engagement without issuing a report.
Example. A CPA firm audited the financial statements of a manufacturer that relocated to a municipality which provided low-interest loans to finance the move. Within a year the company went bankrupt, liquidating its remaining inventory to pay creditors for less than 25% of the value reflected in the financial statements.
The bankruptcy trustee sued the CPA firm, alleging the statements materially overstated the inventory due to the auditor’s failure to consider obsolescence and the inventory’s physical condition. The investigation revealed the firm had not done adequate testing to determine inventory value and did not verify the cost of component parts included in work-in-process calculations. These problems led to a settlement before trial.
Financial services. The financial services industry is particularly hazardous for auditors lacking relevant experience. Fully 57% of audit claims in this area involved banks and lending institutions, 34% arose from insurance company audits and 9% from audits of securities dealers.
Bank failures are rare today. As a result of the savings and loan crisis in the 1980s, federal and state regulators closely monitor the fiscal management of national banks and other large lending institutions. The shareholders of small community banks and credit unions, however, increasingly look to external auditors to alert them to fiscal mismanagement and fraud. Some 33% of financial institution audit claims alleged inadequate reporting or disclosures, 33% errors in reviewing loan files or testing loans, 20% material misstatements in financial statements and 14% failure to detect defalcations.
Unlike larger insurance companies, which are subject to federal regulatory oversight, smaller insurers (unless they are part of a public company) are subject only to state regulation—and the laws vary from state to state. Due in part to this disparity in state regulations, smaller insurers are more likely to fail due to mismanagement, resulting in “high-severity” claims against the external auditors. Of the insurance company audit claims, 42% alleged the financial statements were materially misstated or management fraud went undetected. (Insurance regulators—state guaranty funds or insurance-department-appointed receivers—brought all these cases and made seven-figure damage claims.) In other cases some 33% alleged failure to detect a defalcation and 25% said claim reserves were misstated.
Common themes in these claims included allegations the insurance company had set aside inadequate reserves by improperly classifying claims or making inaccurate actuarial estimates. (To do business in a state, insurance carriers must comply with its regulations on minimum capital requirements). When regulators liquidate an insurance company, they typically seek recovery from the company’s directors and officers, the actuarial firm and the external auditors. Small insurance companies frequently maintain little or no directors-and-officers insurance coverage, and most directors and officers have limited assets worthy of pursuit. The actuaries often are uninsured, leaving the external auditors the deep-pocket target.
For this reason, only CPA firms with extensive training in auditing insurance companies should accept such engagements. A firm should heighten client acceptance, retention and quality control procedures in comparison with those it applies to other industries and conduct thorough background checks of an insurance company’s principals and other consultants such as actuarial firms. When in doubt, pass on the audit. It may not be worth the risk.
NPOs. Claims for these entities tend to be less severe than those involving other industries because the entities being audited themselves are smaller. With poorly organized accounting records and weak to nonexistent internal controls, these clients sometimes rely on their auditor to make sure accounting records are accurate.
When planning and performing the audit, therefore, CPAs need to evaluate the state of client records and the skill level of the employees who provide the entity’s bookkeeping services. Because NPOs frequently have deadlines for submitting audit reports to obtain grants and other funding, CPAs need to do this evaluation well in advance of the date they expect to begin fieldwork. In some cases the client may not have staff members qualified to do basic bookkeeping functions and may need to hire another CPA firm to perform this service to preserve the auditor’s independence. Auditors should identify weaknesses in internal controls and make recommendations for correcting them in management letters supplied to both management and the board of directors.
Example. A CPA firm audited a charity’s annual financial statements. The firm enjoyed the public relations benefit of serving a prominent local charity despite the fact the engagement was not profitable. Like many small charities, the client had weak internal controls. The auditor alerted the board of directors that controls for handling cash and vendor payments were weak and recommended it institute a second signature procedure for large vendor payments. The client did follow this recommendation; however, it also received substantial noncash contributions.
The firm issued unqualified opinions each year. Shortly after it issued one audit report, the charity’s local director resigned and moved out of the region. The client’s parent organization informed the CPA firm the director had embezzled substantial funds by selling contributed goods. The charity sued, alleging that inventory was materially misstated and that had the firm planned the audit correctly it would have discovered the ongoing misappropriation of assets. This case was tried by a jury, which was sympathetic to the client’s situation and awarded substantial damages. A key issue concerned the auditor’s compliance with SAS no. 82, Consideration of Fraud in a Financial Statement Audit.
A client’s bankruptcy and liquidation can result in high audit claims. Of the claims CPAs reported from 1995 to 2000, 28% involved clients in bankruptcy. Three factors increase CPAs’ potential damage exposure.
Shareholders and lenders seek to recover their losses. An independent auditor is a convenient target when losses on equity and debt investments are not fully recoverable in liquidation.
The decisions of bankruptcy court judges can adversely affect claims against auditors. These judges, who generally have little professional malpractice experience, are primarily concerned with collecting as much money as possible to pay off the bankrupt company’s debts. While auditors rarely will come under the bankruptcy court’s jurisdiction, decisions to delay the resolution of bankruptcy claims can accelerate malpractice claims against them. Creditors in bankruptcy and bankruptcy trustees pursue all viable sources of recovery and often view a civil claim against an insured third-party professional service provider (the CPA firm) as the only reliable source of recovery when there are no significant assets to be liquidated.
Bankruptcies often increase the duration and cost of malpractice litigation. The plaintiff’s attorney generally cannot accurately determine malpractice damages while bankruptcy recoveries are still pending. Because the amount of future recoveries from debtors is unknown, the auditor and its insurance company typically incur significant expert witness fees defending bankruptcy claims due to the complexity of separating damages resulting from audit failure from damages caused by mismanagement.
Third parties—including lenders and shareholders—made approximately 30% of all claims arising from nonpublic audits. While tort reform has resulted in fewer frivolous third-party suits, in most jurisdictions private company lenders and shareholders can claim to be “in privity” with external auditors because, at the time of the engagement, the CPA firm knew them to be expected users of the audit report.
Typical problems with third-party claims include these:
Substantial time has elapsed between the alleged error or omission and the claim, clouding the memories of those involved and complicating the review of relevant documents.
Diverse parties that are unfamiliar with each other become the primary litigation targets. This diversity can polarize liability and settlement positions and create barriers to discussions that might facilitate rapid analysis and resolution.
Lawsuits are almost always filed in such matters, and plaintiffs tend to be suspicious of early resolution options such as mediation or other alternate dispute-resolution processes.
For CPA firms, managing risk in performing audits still comes back to the basics: Apply client acceptance and continuance procedures; maintain training, supervision and professional skepticism; comply with all technical and ethical standards; and decline engagements they are not qualified to perform. CPA firms that follow these basic tenets and learn from the lessons outlined in the box below can minimize the risk of disruptive and expensive audit malpractice claims.
|Lessons to Learn |
Insurance data can provide CPAs with insights about the types of problems that lead to audit claims and the industries that experience a higher incidence of claims. Some general themes are evident in the data:
Lack of experience and training. Many claims involve CPA firms with no prior audit experience in the client’s industry. The firm uses inappropriate audit programs, fails to plan the audit properly and relies heavily on management representations about industry ratios, seasonality, inventory costs and categorization of certain items such as long-term assets, leasehold interests and customer lists. Despite a lack of industry experience, the firm ignores research and training needs.
Complacency based on long-term client relationships. Principals in charge of audit engagements become complacent about identifying and reporting internal control problems. In many cases the auditor has addressed reportable conditions in management letters but the client takes no action. The CPA firm fails to consider this when it plans and performs subsequent audits. In other cases, the auditor simply does not maintain professional skepticism and accepts management explanations about inventory discrepancies, end-of-period adjustments or collateral securing related-party loans—“red flags” of embezzlement or fraud.
Failure to supervise. Managers who lack relevant experience plan audits, and junior staff members perform the fieldwork. The principal in charge of the engagement doesn’t supervise either the planning or performance of the engagement and reviews the work only after the audit report is already complete.
Lack of concurring partner review. While professional standards don’t require concurring partner reviews in non-SEC engagements, having another partner objectively evaluate the work can identify items requiring follow-up. Too often, a single firm partner manages both the client relationship and the engagement, and other partners perform no concurring reviews and know little about the client.
Failure to report certain audit matters to the appropriate management level. While most private companies, NPOs and government entities don’t maintain audit committees, generally boards of directors or other governing bodies do exist. In many claims the auditor hasn’t communicated to the board its findings about fraud, internal controls, disagreements with management about applying accounting principles and other significant matters. Telling management isn’t enough; in cases involving fraud and embezzlement, management frequently participates. AU sections 316 and 325 of AICPA Professional Standards address an auditor’s responsibility to communicate with the client about fraud, illegal acts and internal control problems, and provide guidance on those with whom the auditor should speak. AU section 380 discusses the auditor’s required communication with audit committees, but speaking about such matters with both management and the board—if no audit committee exists—can help prevent audit claims. A central element in claims involving reportable conditions is clients or shareholders (who often are board members) who allege they could have taken action to address the problem and prevent subsequent damage had they been informed in time.