|EXECUTIVE SUMMARY |
| DEBATE HAS RAGED FOR YEARS i n financial and accounting circles over issues of independence, auditing and accounting standards, and corporate governance. In the event of an auditing malfeasance trial, a juror—unaware of this larger context—must arrive at a verdict based on what he or she learns about accounting standards in a relatively brief time.
PROTECTIVE FUNDAMENTALS INCLUDE performing thorough due diligence on the client before taking it on and crafting carefully worded engagement agreements.
IF A PRIVATE-COMPANY CLIENT requests a “PCAOB audit,” CPAs should ask what business aim the client is trying to achieve. Voluntary compliance with PCAOB auditing standards may not be in the client’s best interest and outcomes may differ from what the client expects.
CPAs WHO APPLY PCAOB AUDITING STANDARDS and GAAS must accept responsibility for performing the audit according to both sets of standards and be aware that the PCAOB piece is an add-on in terms of risk. Although the audit report, with its definition of which standards were followed, is the CPA’s final line of defense should he or she be sued for malpractice, an aggrieved client may claim it was unclear.
BECAUSE THE PUBLIC EXPECTS CPAs to produce a successful result—that is, to “get it right”—CPAs will find themselves more exposed to liability if they don’t. If a disappointed client or third party can demonstrate it was confused about the CPA’s services, a jury will be more likely to punish the CPA.
COMMUNICATING THE NATURE OF the audit services in a way the client will understand, and documenting those communications with the client, are essential risk management practices.
|RIC R. ROSARIO, CPA, CFE, is vice-president of risk management and SUZANNE M. HOLL, CPA, is director of loss prevention for CAMICO Mutual Insurance Co., a national provider of professional liability insurance for CPAs. Their e-mail addresses are firstname.lastname@example.org and email@example.com , respectively. |
here could be potential trouble in store for auditors whose private-company clients ask them to apply both PCAOB auditing standards and generally accepted auditing standards (GAAS). While the boundaries between the PCAOB’s auditing standards for public companies and generally accepted auditing standards for nonpublic entities are clear, nonissuers and those who govern them sometimes are confused about what the differences are and which standards apply when. The public—from which juries are drawn—may be confused, too. When you mix in hungry trial lawyers, you’ve got the makings of a “perfect storm.” This article will discuss some differences between the two sets of standards and the steps auditors should take to minimize confusion and the consequent risk of messy litigation if a private company client asks them to apply both PCAOB auditing standards and GAAS.
High-profile accounting lapses and more than 1,500 restatements from major corporations over the past four years have resulted in the most dynamic, negatively charged financial reporting environment in more than 70 years. Public perception of CPAs—specifically of their roles and duties as auditors—has been buffeted as a result. For perspective on how that could pose a danger, imagine that auditing malfeasance has been alleged against you and a jury has been selected to hear the case. Now imagine you’re an average working person who has been impaneled as a juror. How do the professional issues look from that point of view?
As a CPA, you’re aware that in financial and accounting circles debate about issues of independence, auditing and accounting standards and corporate governance has raged for years. The juror in the jurors’ box doesn’t know that, though. He or she has been inoculated by recent business scandals and those still making headlines today. Moreover, in the course of an auditing malfeasance trial, jurors—to arrive at a verdict—will be expected to acquire a working understanding of the issues and of two complex sets of accounting standards in a very short time. The average person likely will begin to weigh a decision as a choice between nuanced calculations or a more simply expressed complaint by a business owner or other plaintiff.
|Private Company Standards
As of 2003 the Auditing Standards Board (ASB) has had jurisdiction to promulgate auditing, attestation and quality control standards relating to the preparation and issuance of audit reports for private companies. Failure to follow ASB standards in auditing a private company is a violation of rule 201 and/or 202 of the AICPA’s Code of Professional Conduct.
Source: “GAAS and PCAOB Standards: Applicability and Integration,” The Practicing CPA (May04), AICPA.
BACK TO BASICS
To help avoid potential misunderstandings that might lead to litigation, private company auditors should apply these solid practice management fundamentals:
Be selective about the clients you accept. AICPA Practice Alert no. 2003-03, Acceptance and Continuance of Clients and Engagements, describes some crucial policies and procedures CPAs should follow when deciding whether to accept or continue a client relationship or to perform a specific engagement. The guidelines help a firm gauge its competency to perform an engagement, its independence and objectivity, the client’s integrity and competence, the client’s commitment to internal control and generally accepted accounting principles, and the client’s financial viability. Assess the client’s financial literacy, too.
Do thorough due diligence on all prospective clients. Perform a background check on the client’s key decision makers in all significant engagements. This is especially important when the company is considering a public stock offering, is seeking to acquire another company, may itself become an acquisition target or is anticipating involvement in other significant transactions.
Craft carefully worded engagement agreements before taking on a client. After discussing all the details of the potential engagement with the client, put your understanding in writing before you start.
APPLYING BOTH STANDARDS UPS THE RISK
Pay attention to liability-control strategies as you deal with audit clients and with third-party users of your firm’s other attest work products.
Probe the client to learn who the work product end users will be. If a private-company client says it wants you to use “some” PCAOB auditing and related professional practice standards instead of GAAS or in addition to them, you need to know what the client is trying to achieve. Ask who, besides your client, will use the work product: Will it be banks or other financial institutions, creditors, investors, supply chain vendors or governments? Each type of end user has a specific need. Note that third-party end users also may be confused about the new regulations. It’s as easy for them to conclude a PCAOB audit is in some way superior to a GAAS audit as it is for people who are not well-versed in financial reporting. Be cautious and focus on making an appropriate match between your firm, the client and the end user of your attest work.
If a privately held client requests an audit pursuant to PCAOB audit standards, be alert to the issues involved if you comply. For example, a private company considering going public doesn’t need a PCAOB-type internal control audit, but it might believe that one would enhance its perceived value—or it may want to see how such an audit would affect its operations. Another example might be a public company considering acquiring a private company; both parties may want to see how the target company measures up to PCAOB audit standards. Clients making such requests may not be financially sophisticated or aware of the ramifications of using different audit standards—one reason why they rely on a CPA firm.
Some clients may say they are interested in “some PCAOB procedures” but not in having the audit performed in accordance with “all” PCAOB standards because of the expense and effort required. Even third parties such as banks and creditors may think certain practices that mirror PCAOB audit procedures are appropriate, such as having the client CEO and CFO certify internal control or other Sarbanes-Oxley-related procedures. You need to discover why the client is making the request. If the client’s basic goal is rational but the method it suggests is unnecessary, then inform the client what is and isn’t appropriate.
Educate the client. Private-company requests for PCAOB audits give you an opportunity to educate clients about GAAS and PCAOB standards and the requirements of each. Inform the client that private companies are not required to use PCAOB standards and that GAAS are still the norm. Clarify the audit options available for privately held companies. Explain the differences between an audit conducted in accordance with “the auditing standards of the Public Company Accounting Oversight Board” (PCAOB auditing standards) vs. an audit conducted in accordance with GAAS.
Audit reports representing that the audit was conducted in accordance with PCAOB audit standards and GAAS, but which are later found not to be in compliance with all applicable PCAOB auditing standards, may be deemed substandard by the AICPA peer review program, depending on the severity of the deficiencies. If a private company decides it wants its auditor to follow and report using PCAOB auditing standards, the auditor must follow both GAAS and all PCAOB auditing standards (see “ A Standard by Any Other Name ”).
Inform the client that voluntary compliance with some variation of PCAOB standards in an audit is not necessarily in its best interest. Let the client know that the expense and effort of complying may well outweigh the potential benefits it is seeking, and the outcomes may differ from what the client expects. For example, a private company may find implementing the new reporting requirements under section 404 of the Sarbanes-Oxley Act imposes a significant burden that diminishes the entity’s viability or attractiveness.
To make sure a private-company client has a well-grounded understanding of all of the issues involved and is able to make informed decisions, you may have to “push back.” If a lender or creditor has requested an audit in compliance with PCAOB auditing standards, communicate to the client—and the lender, if the client authorizes you to—that, although you would like to comply with the request, your services are limited to an audit according to GAAS (or other standards) if that’s what you think is appropriate. (For more information, go to http://www.pcaobus.org/Standards/Staff_Questions_and_Answers/index.aspx .)
Audit and attest standards team
This AICPA Web site, www.aicpa.org/members/div/auditstd/index.htm , provides members, free of charge, content such as the following:
Authoritative standards for auditors of nonissuers, www.aicpa.org/members/div/auditstd/Auth_Lit_for_Nonissuers.htm .
Recently issued audit and attestation interpretations, www.aicpa.org/members/div/auditstd/announce/index.htm .
Auditing Interpretation no. 18, “Reference to PCAOB Standards in an Audit Report of a Non-Issuer,” of SAS no. 58, www.aicpa.org/members/div/auditstd/announce/index.htm .
Auditing Standards Board exposure drafts, including recently issued proposed statements on defining professional requirements in statements on auditing standards (SASs) and in statements on standards for attestation engagements (SSAEs), as well as a proposed SAS on audit documentation, www.aicpa.org/members/div/auditstd/2005_02_28_prof_req.asp .
Annual Accounting and Auditing Update Workshop (2005 edition), self-study text (# 736181JA); DVD (# 187189JA); VHS (# 187089JA).
Auditing Update: A Review of Recent Activities, self-study text (# 732771JA).
AICPA Codification of Statements on Auditing Standards (# 057194JA).
AICPA Professional Standards, paperback (# 005104JA); CD-ROM (# DPS-XXJA); online (# WPS-XXJA); looseleaf (# PS-XXJA). This publication provides all professional standards in one codified source, including GAAS and PCAOB standards.
PCAOB Standards and Related Rules (including SEC-approved releases and PCAOB Q&A guidance), paperback (# 057195JA). This compilation has a detailed reference table and narrative explaining the applicability of the PCAOB standards—and the differences between PCAOB standards and GAAS.
Practice Alert no. 2003-03, Acceptance and Continuance of Clients and Engagements, www.aicpa.org/download/secps/pralert_03_03.pdf .
For more information about these resources or to order, go to www.cpa2biz.com or call the AICPA at 888-777-7077.
PCAOB auditing and related attestation, quality control, ethics and independence standards and rules are available free of charge at www.pcaobus.org/standards/index.asp .
Always document discussions with the client. If a client makes an informed decision to request an audit that adheres to GAAS and the auditing standards of the PCAOB, be clear in the engagement letter and the audit report that the client requested an audit performed “in accordance with generally accepted auditing standards as established by the AICPA Auditing Standards Board and in accordance with the auditing standards of the Public Company Accounting Oversight Board (United States),” as recommended by Interpretation no. 18, “Reference to PCAOB Standards in an Audit Report of a Nonissuer,” to SAS no. 58. In the engagement letter, list the client’s reasons for using both sets of standards.
If a client who normally has a GAAS audit decides to request additional audit procedures that could be construed as PCAOB procedures, state clearly in the engagement letter that the audit should not be construed as following PCAOB audit standards and that the use of the procedures should not be construed as an upgrading of the level of service.
Be careful if you apply both standards. If you apply both PCAOB auditing standards and GAAS, know that you must accept responsibility for performing the audit according to the two sets of standards, which adds risk to the engagement.
Educate everyone in the firm—especially younger staff members—about all auditing standards. Institute a formal training program that covers compliance issues with the specific auditing and related professional practice standards, including (audit and other) PCAOB standards. Remember to cover the new rules and the need for staff to be careful in their conversations with clients. Teach them to document all conversations and to recognize when they are being asked to do something outside the scope of an engagement.
Ensure partners and staff are equally well-informed. Partners of your firm need to be well-versed in all standards to advise a client about what is most appropriate.
Communicate early and often with clients. An auditor’s primary defense consists of frequent, documented communication with the client, coupled with a signed engagement letter that addresses and describes in limiting language the standards applied in the audit. Cultivate frequent communication about the facets of the engagement with clients. Document all conversations with them. Send follow-up e-mails that restate the conversations. Include safe-harbor language (provisions that demonstrate good faith and reduce liability). In conversations with clients, describe in detail what each set of standards requires, what each is intended to do and what each will not do. Clearly communicate that auditing the financial statements of private companies in accordance with PCAOB standards does not mean the engagement will be subject to the inspection or disciplinary processes of the PCAOB.
Know that your audit report’s statement of the methods and standards used won’t absolutely prevent litigation. All final reports and letters that accompany an audit refer to the methods and standards used to perform the engagement. Many CPAs mistakenly think such acknowledgement is specific enough to protect them from malpractice litigation. It is not; unfortunately people often hear—or infer—what they want to.
Although an audit report, with its definition of which standards were followed, is your final line of defense should you be sued for malpractice, an aggrieved client may claim it is unclear. Audit report users may believe that an audit performed in accordance with PCAOB auditing standards complies with the entire PCAOB system of regulation, including all internal control checks and other procedures such as inspection by the PCAOB. However, the PCAOB enforces compliance for auditors of public companies only, not private companies. The engagement will be subject to the AICPA peer review program, which, if you are selected, will review the engagement for compliance with PCAOB auditing standards as well as GAAS (see “ Work-Product Documentation ,” and “ Peer Review Is Stronger and Better Now, ” JofA , Apr.05, page 44).
An auditor does not need to be registered with the PCAOB to apply PCAOB auditing standards to private companies. However, the primary qualification for any auditor is competence, and clients, third-party users and the public expect auditors to produce successful results—that is, “to get it right.” In the event of an unsuccessful result, the auditor who has used PCAOB auditing standards but is not registered with the PCAOB may be at risk.
Collect additional fees to offset added risk. If you perform the audit according to both PCAOB standards and GAAS, don’t be timid about collecting appropriate fees for the additional work and risk.
Get ready before the next round of upheaval. Just as all the confusion surrounding auditing standards is hitting CPAs, another wave soon will hit the profession from a similar problem: the possible emergence of differing standards related to generally accepted accounting principles (GAAP) in public entities vs. privately owned companies (sometimes referred to as “baby GAAP”). Many of the issues that have emerged in auditing also will surface in the looming debate on GAAP.
PERCEPTION IS YOUR REALITY
As if all this isn’t enough to contend with, there is a higher standard being applied to the evaluation of CPAs’ work: public review through juries and the courts. Not long ago, a national survey asked potential jurors about their perceptions of the accounting profession and the responsibilities of CPAs. The results showed the public holds accountants to standards much higher than it did before the recent financial reporting scandals. For instance, the percentage of the public expecting accountants to uncover fraud in a review engagement has gone up to 70% from about 40%. Such expectations can have major implications for an auditor facing litigation.
Public expectations and perceptions constitute what are called jury or claims standards, which every CPA should consider in his or her daily work. Because the public expects CPAs to produce a successful result, CPAs will find themselves more exposed to liability in the event they do not get it right. If a disappointed client or third party can demonstrate it was confused about the CPA’s services, a jury will be more likely to punish the CPA. Communicating the nature of the audit services in a way the client will understand—and documenting those communications with the client—are therefore essential risk management practices.
|CASE STUDY |
A Standard by Any Other Name
P ost-Sarbanes-Oxley, users as well as auditors are grappling with standards confusion. The issue: Do private company financial statement users understand the difference between what is required when auditing public companies vs. private companies? At Gifford, Hillegass & Ingwersen, LLP (GHI), most of our clients want to know, in simple terms, what affects them and what doesn’t. We take every opportunity to discuss the significant changes in the audit and accounting environment with our clients, but other financial statement users also would benefit from some explanation.
Auditing Standards Board Interpretation no. 17 (AU section 9508 of AICPA Professional Standards ) clarifies the applicability of GAAS and provides optional language to include in a privately held company audit report where an opinion on the effectiveness of the company’s internal control over financial reporting isn’t required. A CPA should consider modifying the standard report’s second paragraph by adding the optional language:
“We conducted our audit in accordance with auditing standards generally accepted in the United States of America. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements. An audit includes considerations of internal controls over financial reporting as a basis for designing audit procedures that are appropriate in circumstances, but not for purposes of expressing an opinion on the effectiveness of the Company’s internal control over financial reporting. An audit also includes…”
Special audit report language is needed when a nonissuer requests a PCAOB audit. Under PCAOB standards an audit of an issuer’s internal controls over financial reporting is inherent, so if a nonissuer engages a CPA to conduct a PCAOB audit and the client’s internal controls are not audited, it’s necessary to disclose that in the audit report. Instances in which a nonissuer might request an audit in accordance with both PCAOB auditing standards and GAAS are when
A private company is being acquired by a public company.
A private company is preparing to go public.
AICPA Auditing Standards Board Interpretation no. 18, paragraph 92 (AU section 9508), issued in June 2004, illustrates the appropriate wording: “Following is an example of additional language that may be included in the auditor’s report to indicate that an audit was conducted in accordance with both generally accepted auditing standards and the PCAOB’s auditing standards, and to clarify that the purpose and extent of the auditor’s testing of internal control over financial reporting was to determine the auditor’s procedures and was not sufficient to express an opinion on the effectiveness of internal control.”
For a PCAOB report on a nonissuer, here is language to show that an internal control audit was not required for a nonissuer and to clarify the level of internal control work that was done:
[ After same first paragraph as the standard report. ]
“We conducted our audit in accordance with generally accepted auditing standards as established by the Auditing Standards Board (United States) and in accordance with the auditing standards of the Public Company Accounting Oversight Board (United States). Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. The Company is not required to have, nor were we engaged to perform, an audit of its internal control over financial reporting.
“Our audit included consideration of internal control over financial reporting as a basis for designing audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the Company’s internal control over financial reporting. Accordingly we express no such opinion. An audit also includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements, assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audit provides a reasonable basis for our opinion.” We conclude with the standard report opinion paragraph.
Audit report language is not a panacea for user confusion. However, it does alert the user that there is a difference and it can open the door for the CPA to provide additional explanation. Our profession is known for its ability to organize, analyze and disseminate data. The profession must be proactive in applying this ability to the changing audit standards environment.
—Cindy Ethridge, CPA
Gifford, Hillegass & Ingwersen, LLP, Atlanta