Embed Size (px)
DESCRIPTION
Litigation and Audit
Citation preview
BUSINESSRISK ANDTHE AUDITPROCESS.Should the risk oflitigation, sanctionsor an impairedreputation affect theconduct of an audit?by Craig A. Brumfield, Robert K. Elliottand Peter D. Jacobson
Business risk is the probability that an auditorwill suffer a loss or injury to his professionalpractice. It differs from audit risk, which isthe probability that an auditor will issue anunqualified opinion on materially misstatedfinancial statements. For example, an auditormay be sued (business risk) whether or not theaudit and the financial statements complywith professional standards (audit risk).
Audit risk can infiuence business risk be-cause an inappropriate opinion can be a sig-nificant factor in the events that lead to loss orinjury to an auditor's professional practice.Conversely, business risk may, within limits,influence the auditor's assessment of the ac-ceptable level of audit risk.
The concept of audit risk is directly relatedto the third standard of fieldwork, which re-quires the auditor to gather evidential matter
CRAIG A. BRUMFIELD, CPA, is a senior manager at Peat,Marwick, Mitchell & Co.. New York. Mr. Brumfield is amember of the American Institute of CPAs and the FloridaInstitute of CPAs. ROBERT K. ELLIOTT, CPA, is a partnerof PMM&Co. A former chairman of the AICPA statisticalsampling subcommittee, Mr. Elliott is a member of the Insti-tute's auditing standards board and the materiality and auditrisk task force. PETER D. JACOBSON, Ph. D., is an editor inthe department of professional practice-accounting and audit-ing at PMM&Co.
sufficient to support the opinion. It followsfrom the concept of sufficiency that a mini-mum level of audit work, or evidence gather-ing, is required on every audit conducted inaccordance with generally accepted auditingstandards. Although this is obvious, it must beaccepted that the concept of a required mini-mum level of audit work is basically unde-fined and the concept of audit risk unmeasura-ble with current techniques. The auditor useshis judgment (recognizing certain specific re-quirements established by standard-settingbodies) to strike a balance between theamount of audit work necessary to satisfy thepublic, which would tend to opt for completeand accurate information (because it doesn'tperceive that it directly bears the cost), andthat which would satisfy client pressures forcost-effectiveness.
However, an auditor, knowing that addi-tional work (i.e.. more evidence gathering)will reduce the likelihood of an incorrect opin-ion, may choose to do more work than therequired minimum to lessen the possibility ofdamage to his professional practice. In otherwords, an auditor may start with the maxi-mum level of audit risk permitted underGAAS and, if he chooses, subjectively reducethat risk to a level at which he believes he hasappropriately addressed the business risk in-herent in the particular engagement. The rea-lities of our current environment are such that,for this and other reasons, auditors often domore audit work than judgment would indi-cate necessary to satisfy GAAS. The relation-ship of business risk to determining the maxi-mum level of audit risk acceptable to theauditor is the basic subject explored in thisarticle.
The Principal Elementsof Business RiskThe discussion in this article applies to thefollowing elements of business risk:D Litigation.D Sanctions imposed by public or privateregulatory bodies (e.g., the Securities and Ex-change Commission, the American Instituteof CPAs and other professional societies).D Impaired professional reputation, whichcan occur as a result of litigation, sanctions oradverse publicity.
60 Journal of Accountancy, April 1983
Each of these elements may cause injury orloss to a professional auditing practice in avariety of ways. Litigation, which can be ini-tiated either by clients or third parties, caninvolve a number of injurious costs: attor-neys' fees, out-of-pocket expenses, courtawards of damages or expensive settlementsand foregone revenues resulting from lostchargeable hours. Sanctions can curtail thepractice (e.g., a prohibition from acceptingany new SEC clients for a stated period) orincrease costs (e.g., a requirement for addi-tional peer reviews). An impaired reputationcan damage practice development efforts, re-sult in lost clients and injure recruiting effortsand the morale of firm personnel.
Relationship betweenBusiness Risk and Audit RiskEach audit should supply at least the level ofaudit assurance required by GAAS, and eachauditor's opinion^ should imply at least thislevel of assurance. The minimum level direct-ly relates to the auditor's assessment of theacceptable level of audit risk, and the intensityof the audit procedures performed is a directfunction of this assessment. The auditor'sopinion is a "standardized" statement andmust convey, each time it is issued, the mes-sage that at least the implied level of assuranceis supplied.^
If there was no such minimum, a reader ofthe opinion would find it extremely difficult tojudge the reliability of the financial state-ments. Therefore, even though the minimumlevel of assurance currently is unquantifiable,the requirement to provide it serves the inter-ests ofthe users of audit reports. The policy ofusing subjective assessments of the level ofbusiness risk to reduce the level of audit riskimplicit in GAAS is also consistent with theinterests of the users of audit reports becauseof the increased assurance provided. Con-versely, however, subjective assessments ofthe level of business risk can't be used toincrease the auditor's assessment of accept-able audit risk to a level in excess ofthe maxi-mum permitted by GAAS.
If GAAS didn't establish a conceptualmaximum audit risk, there would be the possi-
For purposes of this article the terms opinion and report referto the standard, unqualified auditor's report,^ h e evolution of auditors' reports is discussed in Chapter 2."Evolution of Report Categories." of Auditing ResearchMonograph no. I. The Auditor's Reporting Obligation, byD. R. Carmichael (New York: AICPA. 1972).
bility of little or no assurance implicit in theauditor's opinion. An auditor who perceivedlittle or no business risk might choose to signan opinion after having done little or no auditwork. This obviously wouldn't be in the inter-ests of report users, who should always beable to assume at least a minimum level ofassurance.
Conceivably, with a maximum risk require-ment under GAAS, a firm might introduce anorderiy approach to business risk by recogniz-ing, on a uniform basis, different levels ofbusiness risk for different classes of compa-nies (e.g., smaller companies, highly regulat-ed companies and public companies) and byassessing the acceptable level of audit risk(and, therefore, the intensity of the audit pro-cedures to be performed) for those companiesbased on their relative risk classifications. Aspreviously stated, it wouldn't be proper to usesuch an approach to increase audit risk abovethe conceptual maximum because the audi-tor's opinion wouldn't consistently convey atleast a minimum level of assurance, nor couldthe implied level of assurance be evaluated bya reader.^ If, in situations in which the audit
T'he desirability of minimum levels of assurance is consistentwith a conclusion in the Commission on Auditors' Responsi-bilities. Report. Conclusions, and Recommendations (NewYork: CAR. 1978. p.xiii): "All users of audited financialstatements should be able to assume that the same standardsapply to all audits, regardless of the size of the entity auditedor the number of its shareholders." In addition, the commis-sion rejected the contention that different groups use the assur-ance provided by an independent audit in different ways.
Journal of Accountancy. April 1983 61
risk had been increased above the maximumpermitted by GAAS and users of the reportwere unaware that such a policy had beenadopted, they would be misled by the assump-tion that all similar opinions carry at least aminimum level of assurance. On the otherhand, if users knew that such a policy hadbeen adopted but not how it was being ap-plied, they would be forced to interpret thelevel of assurance implicit in the phrase in ouropinion based on their individual interpreta-tions of the business risks associated with thetypes of companies being reported on.
Business risk affects the auditor's business,not the public's interest in information usefulfor decision making. If GAAS requirementsdidn't include a maximum level of acceptableaudit risk, the social utility of the audit pro-cess would be subject to a new challenge.Critics could charge that a firm provided a lowlevel of assurance to certain investors simplybecause there was a low risk of the firm'sbeing sued. The perennial complaint thatcompanies shop around for "easy" auditorswould be bolstered by the acknowledgmentthat auditors could reduce their audit effortswithout limitation based solely on their as-sessment of business risk. Undesirable com-petition among firms might grow, based onwhose ^'clean" opinion could be obtained forthe least amount of audit work and, conse-quently, the least cost. No such problemsarise when an auditor uses assessments ofbusiness risk to increase the intensity of auditprocedures above the "GAAS minimum" be-cause a higher level of assurance than thatsuggested by GAAS is provided to report us-ers.
Classifying companies by typical levels ofbusiness risk may be extremely difficult, ifnot impossible. The factors that indicate lev-els of business risk don't always do so consis-tently. Moreover, because the factors are in-terdependent, levels of business risk alwaysdepend on individual circumstances. For ex-ample, a company that has a management ofquestionable reputation and that is located in asmall community may have significantlymore business risk than it would if it waslocated in a large city. This is because therelative importance of a given factor (here,management's reputation) varies according tothe influence of other factors (here, the loca-tion of the company). Fortunately, this diffi-culty shouldn't adversely affect the users ofaudit reports because any modifications of au-
dit procedures would be designed to reduceaudit risk. An audit performed in accordancewith GAAS would always have to provide atleast the minimum level of assurance implicitin GAAS. Although the auditor may, for rea-sons of business risk, provide a higher level ofassurance, he couldn't provide a lower levelwithout violating GAAS.
Relationship between Business Riskand the Components of Audit RiskThe three components of audit risk (inherentrisk, control risk and detection risk) are ex-plicitly defined and don't include eiements ofbusiness risk. This can be seen from the basicaudit risk equation:*
AR = IR X CR X DR
WhereAR = audit risk—the probability that anauditor issues an unqualified opinion on mate-rially misstated financial statements.IR = inherent risk—the probability that, inthe absence of internal accounting controls, amaterial error will occur in the accountingprocess.CR = control risk—the probability that a ma-terial error that does occur isn't prevented ordetected on a timely basis by the system ofinternal accounting control.DR = detection risk—the probability that amaterial error that does occur, and isn't de-tected or corrected by the system of internalaccounting control, isn't detected by the auditprocedures performed.
Audit risk is fully expressed in this equa-tion. Although it is possible to subdivide thecomponents of audit risk, it isn't possible toadd to them without changing the meaning ofAR. If a separate and distinct component forbusiness risk were added to the right side ofthe equation, AR would become the productof the risk that the auditor issues an inappro-
*The concepts in the equation are discussed in Statement onAuditing Standards no. 1. Codification of Auditing Standardsand Procedures (New York: AICPA. 1972). sections320A.14-.I5 (see ahoAlCPA Professional Standards, vol. 1[Chicago: Commerce Clearing House). AU sees. 320A.!4-. 15); SAS no. 39, Audit Sampling (New York: AICPA. 1981),appendix, pp. 16-18 (see aho AICPA Professional Standards.AU sec. 350.47); and the Exposure Draft. Materiality andAudit Risk in Conducting an Audit (New York: AICPA, De-cember 6, 1982).
62 Journal of Accountancy, April 1983
priate opinion and the risk that the auditor willsuffer loss or injury to his practice. Thiswould redefine the concept of the audit pro-cess in a revolutionary way because the con-cept would be incompatible with current pro-fessional standards, which nowhere give theauditor license to diminish the intensity oftheminimum audit procedures necessary to estab-lish an opinion on the financial statementsbased on perceived low levels of businessrisk. For example, nowhere in the discussionof sufficient evidential matter does authorita-tive literature mention the possibility of limit-ing the intensity of the audit procedures thatwould otherwise be necessary in the circum-stances because of business risk consider-ations. Moreover, the purpose of an audit isstrictly circumscribed by professional stan-dards: "The objective ofthe ordinary exami-nation of financial statements by the indepen-dent auditor is the expression of an opinion onthe fairness with which they present financialposition, results of operations, and changes infinancial position in conformity with general-ly accepted accounting principles."^This ob-jective requires that at least a minimum levelof assurance be provided by the auditor'sopinion, and this precludes the use of businessrisk to reduce the intensity of the audit proce-dures necessary to provide that minimum lev-el.
Although the auditor can't change the com-ponents of audit risk, audit risk itself may beset lower (more stringently) in response tobusiness risk. In other words, the auditor maywant additional protection against the risk ofissuing an incorrect opinion because of per-ceived high levels of business risk. Settingaudit risk more stringently in this way willultimately affect detection risk. This is themost important relationship between the com-ponents of audit risk and business risk, butthere is another.
Most of the factors that indicate the level ofbusiness risk are also (to varying degrees) in-dicators of the level of inherent risk. The exis-tence of common factors for business and in-herent risk is easily explained by therelationship between the two risks: the occur-rence of material errors (more likely wheninherent risk is high) can lead to inappropriateaudit reports and {say. through litigation) to
*SAS no. 1. sec. 110.01. Sec also AICPA Professional Stan-dards. AU sec. 110.01.
loss or injury to the auditor's practice. Exhibit1. page 65. lists the most prominent businessrisk factors (most of which are also indicators,to varying degrees, of the level of inherentrisk).
When a single factor infiuences both inher-ent risk and business risk, the factor operatesindependently on each risk. The independenteffects of an individual factor on inherent risk,on the one hand, and on business risk, on theother, are demonstrated by the following ex-ample. The inherent risk resulting from acompany's weak financial position and oper-ating performance is caused by the potentialreaction of company management—i.e..management may try to hide the weakness byprejudicially misstating the financial state-ments. The business risk resulting from thesame weakness is caused by potential third-party litigation—i.e., the company's financialill health may lead to financial losses by inves-tors, who then initiate legal actions claimingthe financial statements were negligently au-dited. The effect of the factor on the behaviorof investors (business risk) is clearly indepen-dent of and separable from the effect of thefactor on the behavior of management (inher-ent risk). Each of the two behavior patternscould occur in the absence of the other eventhough triggered by the presence of a singlefactor.
The fact that several individual factors af-fect the level of both business risk and inher-ent risk has a very important consequence. Ata given level of audit risk, when the level ofinherent risk is assessed and this assessment isused in determining detection risk (and, there-fore, the nature, timing or extent of audit pro-cedures), the level of detection risk will, byvirtue of the existence of the common factors,coincidentally refiect some measure of busi-ness risk. Therefore, an auditor will do moreaudit work to support his opinion for engage-ments with more business risk because suchengagements would also have more inherentrisk.
These interrelationships don't, of course,apply to factors that indicate only the level ofbusiness risk (i.e., those that don't also indi-cate the level of inherent risk). These factorshave no place in the model of audit risk be-cause they in no way pertain to the detectionof material financial statement error. Consid-er, for example, the business risk aspects of"ownership ofthe company." (Any inherentrisk aspects, such as the increased risk that an
64 Journal of .A.ccoLintancy. .April
Exhibit 1
Business risk factors*
Factor
The economy in which the companyoperates.
The industry in which the companyoperates.
The company's management philosophywith regard to both operational andaccounting matters.
The company's control environment,including the possibility of managementoverride.
The company's previous audit history.
Rate of turnover for top management andthe board of directors.
The company's financial position andoperating performance.
The company's existing or potentiallitigation.
The business reputation of the company'smanagement and principal owners.
The relevant experience ofthe company'smanagement and principal owners.
Ownership of the company.
Client understanding ofthe auditor'sresponsibilities.*
Conflicts of interest, regulatory problemsor auditor independence problems.
The location ofthe company.
The level of business acuity orsophistication within the community inwhich the company operates.
Level of business risk
Lower
Healthy.
Established; stable;relatively uninfluenced byexternal conditions.
Conservative.
Strong administrativecontrols; control-consciousmanagement; lowpossibility of managementoverride.
Unqualified opinions forprevious audits; no priordisagreements withauditors; few adjustments.
Low.
Strong.
Insignificant.
Good.
High.
Nonpublic.
Clear.
Insignificant.
Large city.
Low.
Higher
Depressed; stagnant.
Relatively new; unstable;greatly influenced byexternal conditions.
Aggressive.
Weak administrativecontrols; management isn'tcontrol conscious; highpossibility of managementoverride.
No prior audit history;qualified or adverseopinions for previousaudits; prior disagreementswith auditors; numerousadjustments.
High.
Weak.
Significant.
Poor.
Low.
Public.
Unclear.
Significant.
Small community.
High.
•Because the terms used in this exhibit arc genera!, (he risk levels indicated may be subject to individual interpretation. Inaddition, many of the listed factors may also indicate the level of inherent or control risk-•^Misundcrstanding the auditor's responsibilities could lead a client to sue or fire ihc auditor.
Journal of Accountancy. April 1983 65
owner-manager would understate assets tominimize taxes, would have been consideredin assessing inherent risk.) The identificationof this factor is based on the proposition thatbusiness risk is generally lower tor a privatecompany than for a public company becauselitigation and adverse publicity are less likely.The public company's greater exposure to liti-gation and adverse publicity is independent ofwhether there is an error in the financial state-ments. This is because, as previously stated,litigation can occur when the audit and the
'... under no circumstances shouldan assessment of low business
risk lead an auditor to do less workthan that suggested by the
GAAS minimum."financial statements comply with professionalstandards—in other words, when the auditorhas done what is necessary to detect materialfinancial statement error and therefore to issuean appropriate opinion. Even if the auditorcould do a perfect audit, reducing audit risk tozero, business risk arising solely because theauditee is a public company wouldn't beeliminated.
Relationship of ReviewProcedures to Audit Risk
One ofthe responses to audit risk is to performreview procedures in order to reduce the riskof an incorrect opinion, i.e., to reduce auditrisk by reducing the achieved level of detec-tion risk. However, it should be recognizedthat reviews by themselves don't reduce theachieved level of detection risk. Although itmust be assumed that a review procedure thatuncovers an inadequately performed auditprocedure will lead to a follow-up procedure,it should be clear that it is the follow-up proce-dure, not the review alone, that reduces theachieved level of detection risk.
Audit procedures {as contrasted with re-view procedures) are designed to reduce de-tection risk to a predetermined level, and, as
has been pointed out. the achieved level ofdetection risk contributes to achieving a de-sired level of audit risk. Review procedures,on the other hand, are designed to ensure thatthe audit procedures achieve their intendedpurpose. Unaccompanied by follow-up, re-view procedures are, in effect, quality controlprocedures. They can identify when audit pro-cedures can't achieve their desired purpose{review of planned procedures) or haven'tachieved their desired purpose (review ofcompleted procedures), but they don't bythemselves reduce the achieved level of detec-tion risk. If an ineffectively planned or per-formed audit procedure {which could allowdetection risk to exceed the desired level) isidentified, the achieved level of detection riskisn't reduced by the identification. It can bereduced only by effectively performing an-other audit procedure or by correctly reper-forming the original audit procedure.
If an audit procedure is properly per-formed, a review that identifies proper perfor-mance has absolutely no impact on theachieved level of detection risk. This is be-cause the impact of an audit procedure on theachieved level of detection risk is independentof any review. If performed correctly, the au-dit procedure would accomplish its purposewhether reviewed or not. If. on the otherhand, an audit procedure is performed incor-rectly (e.g.. several sample items were treatedas correct when they were actually incorrect),the desired level of detection risk isn'tachieved. The review procedures may identi-fy the incorrectly performed audit procedureand lead to a remedy. This remedy—^reperfor-mance of the audit procedure—can reduce de-tection risk to its originally desired level.
The distinctions between audit proceduresand review procedures become clearer whenviewed in light of the nature of audit evidenceand documentation. Audit procedures provideevidence weighing for or against the validityof financial statement assertions; they are di-rected toward uncovering financial statementerror. Review procedures, on the other hand,provide evidence weighing for or against theadequacy of the audit procedures performed;they are directed toward uncovering auditorerror. Review memorandums and initials onlead schedules, detailed working papers andother memorandums document the perfor-mance of the review, its results and the re-viewer's conclusions, but they don't in them-
66 Journal of Accountancy. April 1983
selves indicate whether financial statement as-sertions are worthy of an unqualified opinion.
Addressing Business RiskThe major conclusion from the preceding ar-guments is that a perceived high level of busi-ness risk may be recognized as a factor thatcould lead an auditor to do more audit workthan would normally appear necessary to sat-isfy GAAS, but under no circumstancesshould an assessment of low business risk leadan auditor to do less work than that suggestedby the GAAS minimum. In addition, there areseveral other courses of action a firm mightconsider to address business risk. Obviously,the perceived level of business risk shouldinfluence a firm's evaluation of prospectiveclients. A firm might also consider relativeassessments of business risk in evaluating li-ability insurance coverage and determiningbilling rates.
As stated earlier, a workable model of busi-ness risk applicable to all circumstances en-countered by a firm would be extremely diffi-cult to develop because the factors whichinfluence the level of business risk interactand function uniquely in particular circum-stances. However, it might be possible to edu-cate a firm's personnel regarding the conceptof business risk and how to use the factors thatindicate relative levels of business risk so thatthey could evaluate the level associated with apotential client. Notwithstanding other con-siderations, prospective clients with per-ceived low levels of business risk could beaccepted and audited at the GAAS minimum.
Prospective clients with perceived high levelsof business risk could be either refused oraccepted. If they are accepted, the amount ofaudit work performed could be increased torespond to the high level of business risk.Once the level of business risk is assessed astoo high, the auditor could resign from theengagement.
If a firm performed some sort of businessrisk assessment for each client (or category ofclients), such assessments might be used toevaluate the business risk for a firm's practiceas a whole. The firmwide assessment could befactored into the determination of appropriateliability insurance coverage.
Billing rates for clients could be adjustedbased on the assessed level of business risk(i.e., higher rates for clients with greater busi-ness risk). Because adjusting the rate structurein this manner could affect a firm's competi-tive position, the trade-off between the poten-tial gain from adjusting rates and the potentialloss from a diminished competitive positionwould have to be considered.
In conclusion, it should be understood thatvarying the intensity of audit procedures with-in the bounds of the GAAS minimum as aresponse to business risk is permissible andmay be desirable. However, using businessrisk considerations to rationalize less auditwork than would otherwise be appropriate un-der GAAS would violate professional stan-dards with ultimate damaging consequencesto both the firm and the profession. •
Auditing's role in society
I predict [schools] will move to a beginning auditing course that is moregeneral. It will stress the fundamentals, independent of any special em-phasis on financial or nonfinancial applications. It will be scheduledsufficiently late in a student's career to take advantage of an expandedbackground in liberal arts and sciences. I would expect that the introduc-tion to the course would spell out the essence of auditing and its role andperformance in society, ail in a general setting. The importance of ac-countability would also be stressed. The necessary preconditions to per-forming an audit would be discussed.
From "Educating the Next Generationof Auditors"
by Frederick L. NeumannPrice Waterhouse Professor of Auditing
University of Illinois at Urbana-ChampaignPrice Waterhouse Review. 1982. no. 2
68 Journal of Accountancy. April
