An Analysis of Alleged Auditor Deficiencies in SEC - Ernst & Young

An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: 1998–2010

Mark S. BeasleyNorth Carolina State University

Joseph V. CarcelloUniversity of Tennessee

Dana R. HermansonKennesaw State University

Terry L. NealUniversity of Tennessee

M AY 2 0 1 3

Preface

This study examines alleged auditor deficiencies associated with SEC investigations of fraudulent

financial reporting cases from 1998–2010 involving U.S. public companies. The research team

examined fraud cases identified in the preparation of Fraudulent Financial Reporting:1998–2007,

An Analysis of U.S. Public Companies (issued by the Committee of Sponsoring Organizations of

the Treadway Commission (COSO), 2010), as well as additional SEC enforcement actions from

2008–2010. This report provides insights into alleged auditor deficiencies associated with 87

cases of alleged fraudulent financial reporting investigated by the SEC over a 13 year period.

Research Team

Authors

Mark S. BeasleyNorth Carolina State University

Joseph V. CarcelloUniversity of Tennessee

Dana R. HermansonKennesaw State University

Terry L. NealUniversity of Tennessee

Research Manager

Lauren ReidUniversity of Tennessee

Research Assistants

Leah MurielJonathan ShipmanQuinn SwanquistUniversity of Tennessee

Funding for this research project was provided by the Center for Audit Quality. However, the views expressed in this paper and its contents are those of the authors alone and not those of the Center for Audit Quality.

An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: 1998–2010

Table of Contents

1. Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

2. Research Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

3. Results . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

4. Implications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

5. Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

6. Research Team . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

APPENDIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

May 2013

The Center for Audit Quality (CAQ) and the public company auditing profession share with academics, audit committees, investors, preparers and regulators the goal of robust and healthy capital markets supported by audited financial statements that promote investor confidence. Chief among the many threats to high quality financial reporting and audit quality is the risk of material financial fraud.

In 2010 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a report, Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies. This study examined U.S. Securities and Exchange Commission (SEC) enforcement actions, and analyzed the nature, extent and characteristics of fraudulent financial reporting, as well as the negative consequences for investors and management. The CAQ commissioned the 2010 report authors, Mark Beasley, Joseph Carcello, Dana Hermanson and Terry Neal, to review the enforcement actions included in their 2010 study and provide a descriptive analysis of those investigations where the SEC sanctioned either the auditor or the audit firm. The authors expanded the study period to include enforcement actions through December 2010.

Over this 13 year study period, from 1998–2010, there were 87 instances where the SEC leveled sanctions against the external auditor in connection with instances of alleged fraudulent financial reporting by publicly traded companies. Approximately 9,500 entities file financial statements with the SEC on an annual basis. Eleven of the 87 instances occurred in periods of 2003 or later, which represents years following the passage of the Sarbanes-Oxley Act (SOX) in July 2002. However, it should be noted that there is a time lag between when an infraction occurred and when the SEC releases an enforcement action, thus the number of instances is subject to change.

SEC allegations of financial reporting fraud are rare events when considering the thousands of public companies filing audited financial statements each year with the SEC. However, the CAQ believes that taking a critical look at these situations can provide valuable lessons for the future.

Indeed, the root cause drivers related to audit deficiencies involving fraudulent financial reporting cases citing the auditor that are highlighted in the study are areas where, in recent years, the profession and the CAQ have focused efforts for further improvements. The CAQ’s related initiatives and projects include the funding of academic research on professional skepticism and financial reporting fraud deterrence and detection; the 2010 publication Deterring and Detecting Financial Reporting Fraud — A Platform for Action; and the Anti-Fraud Collaboration — a major, ongoing combined effort launched in 2010 by the CAQ, Financial Executives International, The Institute of Internal Auditors and the National Association of Corporate Directors. Key resources recently published by the Anti-Fraud Collaboration to enhance fraud deterrence efforts include the Hollate Manufacturing Case Study, which examines a potential material fraud at a fictional company to raise awareness of environments in which financial reporting fraud might flourish; and the Skepticism Webinar Series, which highlights the importance of skepticism as applied by external auditors, financial executives, internal auditors and audit committee members.

In summary, while there will never be a silver bullet solution to prevent fraud, we feel this research contributes to the knowledge base for financial reporting fraud deterrence efforts. The public company auditing profession, the CAQ and our member firms, together with other members of the financial reporting supply chain, will continue to advance efforts to mitigate the risk of fraud.

Sincerely,

Cynthia M. Fornelli

2 Beasley, Carcello, Hermanson, and Neal. 2013.

1. EXECUTIVE SUMMARY

This study examines U.S. Securities and Exchange Commission (SEC) sanctions against auditors

over the period 1998–2010 that are related to instances of alleged fraudulent financial reporting

by U.S. publicly traded companies. During that time period, there were 87 separate instances

where the SEC imposed such sanctions, and this report summarizes our analysis of alleged

auditor deficiencies noted by the SEC in these 87 cases.

In considering the results contained in this report, it is important to appreciate that SEC allegations of fraudulent financial reporting are rare, with 347 cases examined by the SEC from 1998–2007 out of thousands of U.S. public companies.1 Despite the small number of fraud-related SEC enforcement actions, we believe that analysis of these 87 cases involving auditor sanctions by the SEC provides important insights for auditors and others concerned with improving audit quality, especially in the context of detecting material financial statement misstatements due to fraud. Thus, we highlight key findings related to the audits underlying these 87 cases.

The primary results of our analysis are as follows:

• From1998–2010,weidentified87instancesofSECinvestigationsoffraudulentfinancialreportingleadingto sanctions against auditors. Based on companies with available information for these 87 SEC investigations, the associated registrant companies were primarily small (median revenues and assets under $40 million) and concentrated in four key industries (over 40 percent of the sample is in financial services / insurance, general manufacturing, telecommunications, or consumer goods manufacturing).

• Basedonavailableinformationforthese87SECinvestigationsinvolvingauditors,58percentoftheauditreports issued for the last fraudulently reported financial statements included an unqualified opinion with no additional report modifications. The other 42 percent of the companies received unqualified audit opinions on the last fraudulently reported financial statements, but those reports included explanatory paragraphs that addressed other issues noted by the auditor, such as highlighting changes in accounting principle or going concern issues.

• Forpurposesofourstudy,wecategorizedtheBigSix/BigFourinternationalfirmsandthenexttierofglobalnetwork or national firms as “national firms.”2 Here is a summary of the 87 instances we examined:

Total instances of SEC investigations examined in this study 87

SEC sanctions involving audits performed by non-national firms 46

SEC sanctions involving audits performed by national firms 35

Bogus audits3 where auditor did not perform procedures 6

Of the 35 national firm cases, nine involved audits performed by Arthur Andersen. There were six instances where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. We refer to these six instances as “bogus audits.”

1 For example, the 2006 Final Report of the Advisory Committee on Smaller Public Companies indicates that, as of 2005, there were 9,428 publicly traded companies on the NYSE, AMEX, NASDAQ, and OTC Bulletin Board.

2 The reference to Big Six/Big Four reflects the fact that during the 13 year period examined there were six international firms (Arthur Andersen, Coopers & Lybrand, Deloitte & Touche, Ernst & Young, KPMG, and Price Waterhouse). In 1998, Coopers & Lybrand merged with Price Waterhouse to form PricewaterhouseCoopers, resulting in the Big Five. When Arthur Andersen went out of business in 2002, only four large firms remained. The next tier of four national firms includes Grant Thornton, LLP, BDO Seidman, LLP (now BDO), Crowe Chizek and Company LLC (now Crowe Horwath), and McGladrey & Pullen, LLP (now McGladrey).

3 The term “bogus audits” refers to those cases where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. In those instances, there was no underlying audit performed, suggesting the audit was “bogus”.

An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: 1998–2010 3

• InAccountingandAuditingEnforcementReleases(AAERs)involvingsanctionsagainstauditors,theSECtypically alleges that the auditor either (a) violated the anti-fraud statutes (e.g., by participating in the fraud) or (b) performed a negligent audit that allowed the fraud to occur (without the auditor actively participating in the fraud). Among the 81 cases examined (excluding the six bogus audits noted above), the SEC charged the auditor for violating the anti-fraud statutes in 24 cases. The remaining 57 cases were limited to allegations of deficient audits unrelated to anti-fraud statutes.

• Amongthese81cases,theSECissuedsanctionsagainstindividualauditorsin80casesandsanctionsagainstthe audit firm in 27 instances (26 cases involved sanctions against both individual auditors and the audit firm, with the SEC sanctioning only the audit firm in one case).

• ThetopfiveareascitedbytheSECinthese81casesinvolvedthefollowing:

1. Failure to gather sufficient competent audit evidence (73 percent of the cases)

2. Failure to exercise due professional care (67 percent)

3. Insufficient level of professional skepticism (60 percent)

4. Failure to obtain adequate evidence related to management representations (54 percent)

5. Failure to express an appropriate audit opinion (47 percent)

• Mostofthe81casesinvolvedmultipleallegeddeficiencies.4 For example, 58 of the cases cited more than one of the top three deficiencies, and 42 cases cited the top three deficiencies.

• Themostcommondeficiencieswerequitesimilarfornationalfirmsandnon-nationalfirms.Thetopfour issues are consistent across these two groups (with a slightly different ranking), and 11 of the top 14 deficiencies appear in both the national firm and non-national firm lists.

Based on findings contained in this report, we explore implications for the audit process centered around four key themes. To that end, we explore challenges associated with each of the four themes found in the analysis:

1. Failure to Exercise Due Professional Care: Some of the deficiencies cited suggest a failure on the part of the auditor to discharge responsibilities with competence and diligence to the best of the auditor’s ability, including the performance of procedures generally expected to be performed in an audit. This suggests that there may be opportunities for additional training and education on the fundamentals of the audit process. Also, there may be opportunities for additional analysis to better understand root causes that led to failures in the execution of those fundamentals in a particular audit engagement, so as to strengthen the competence and diligence of the performance of the audit.

2. Insufficient Levels of Professional Skepticism: Similarly, some of the cases examined highlight challenges in maintaining appropriate levels of professional skepticism that affect the auditor’s mindset. Interestingly, the concept of professional skepticism has been embedded in auditing standards for decades; however, in some cases auditors may have struggled in maintaining an appropriate mindset throughout the various stages of the audit process. This challenge has implications for training and helps to motivate analyses such as the present study to understand root causes of failures in applying professional skepticism consistently. Additional research is needed to determine if these challenges may be exacerbated by differences in cultural norms that will be increasingly realized as the audit process continues to be affected by globalization or as new generations of audit professionals emerge who may apply professional skepticism differently than today’s audit professionals.

3. Inadequate Identification and Assessment of Risks: The findings noted in this report also have implications regarding the risk assessment process, given that all cases examined in the study involved undetected instances of fraudulent financial reporting. While auditing standards have been risk-based for a number of years, more recent developments in the risk management arena,5 including the emerging discipline of enterprise risk management,

4 Throughout this report, for ease of exposition, we often use the term “deficiencies” to mean “alleged deficiencies”.

5 In August 2010, the PCAOB issued a suite of eight auditing standards widely referred to as the “risk assessment standards” that became effective for audits of fiscal years beginning on or after December 15, 2010.


are revealing a number of complexities associated with any risk identification and risk assessment task. Any improvement in risk assessment skills that can be identified will help enhance audit quality and improve the recognition of fraud risk. The audit profession, including undergraduate and graduate accounting programs, may want to leverage insights that are emerging in other risk management disciplines to better train and educate audit professionals in risk identification and risk assessment tasks.

4. Failure to Respond to Identified Risks with Appropriate Audit Responses to Gather Sufficient Competent Audit Evidence: In some cases, the auditor failed to adjust audit procedures to gather sufficient competent evidence in light of risks identified and documented by the audit team. While this type of deficiency may be the result of the first three concerns noted above, it may also be triggered by failure to adequately link audit procedures to underlying risks. Because prior research has shown that this type of linkage can be a difficult task, perhaps greater emphasis on quality control review of these linkages may be beneficial, or new tools and techniques may be needed to facilitate this difficult linkage task. Training and education on the use of those tools may be warranted as well.

The next section discusses the research approach, and Section 3 presents the results of our analysis. Section 4 develops the implications of the analysis, and Section 5 profiles the research team. The Appendix presents the detailed findings underlying the tables presented in the monograph.


2. RESEARCH APPROACH

The fraudulent financial reporting cases addressed in this study come from two sources. First,

as part of our work on Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public

Companies (issued by the Committee of Sponsoring Organizations of the Treadway Commission,

2010, the “COSO study” by Beasley, Carcello, Hermanson, and Neal),6 we identified 78 cases

where SEC allegations of fraudulent financial reporting also involved sanctions against auditors.

These 78 cases comprise 23 percent of the relevant fraud cases examined in the COSO study.

For the present study, we eliminated three observations where the company had public debt,

but not public equity, leaving 75 observations from the COSO study for analysis in the present

study. Second, we analyzed SEC Accounting and Auditing Enforcement Releases (AAERs) from

2008-2010, finding another 12 instances in which SEC allegations of fraudulent financial reporting

also involved sanctions against auditors. Together, these 87 cases of alleged fraudulent financial

reporting are the subject of the present study.

In identifying the cases of alleged fraudulent financial reporting, we relied on the language and allegations in the AAERsandonlyincludedcasesallegedbytheSECtoinvolveviolationsoftheSEC’santi-fraudstatutes(Rule10(b)-5 of the 1934 Securities Exchange Act or Section 17(a) of the 1933 Securities Act). We did not make any judgments about the SEC’s allegations of fraud; we simply relied on the SEC’s judgments about the presence of fraudulentfinancialreportingasdocumentedintheAAERs.Wethenexaminedthesubsetofthosecaseswherethe SEC sanctioned the auditor in connection with the SEC’s investigation of the underlying fraudulent financial reporting. The 87 cases examined in this study represent those where the SEC alleged auditor deficiencies associated with the audits of the financial statements involving SEC allegations against the registrant company for fraudulent financial reporting. Thus, all 87 cases examined involve instances where the registrant company was accused of issuing fraudulent financial statements.

For our study, we collected and synthesized data from the 87 cases, focusing specifically on allegations of audit deficienciesmadebytheSECinitsAAERs.WedevelopedadetailedtemplatetoguidethecollectionandanalysisoftheAAERdataonauditdeficiencies,andwesynthesizedtheinformationfromthe87casesthatarethesubjectofthisstudy.7

In addition, the research team gathered available data on fundamental company characteristics (financial information andindustry)forthe87companies.TheteamusedtheCOMPUSTATandCRSPdatabases,aswellascompanyForm10-KsontheSEC’sEDGARdatabase,toattempttofindsuchinformation.Consistentwithpreviousresearchstudies involving examinations of instances of fraudulent financial reporting, various data points were missing for some companies in our sample, which may be due to the fact that a number of them represent extremely small companies that are not tracked by certain external databases or due to the time period involved. It is important to keep in mind that the sample companies allegedly engaged in fraudulent financial reporting and may not have filed certain documents with the SEC. As a result, we were only able to report a company’s characteristics when we could locate the underlying data for the company. For each table included in this report, we indicate the number of companies where we could locate the relevant data.

SECAAERsarecommonlyusedinacademicandprofessionalresearchasarichsourceofinformationaboutfraudulentfinancialreporting,aswellasauditordeficienciesrelatedtothosecases.TheuseofAAERsispartlydue

6 Download the full COSO Study at www.coso.org.

7 This template builds on and adapts a previous template used in the preparation of Fraud-Related SEC Enforcement Actions Against Auditors: 1987–1997 (AICPA, 2000, Beasley, Carcello, and Hermanson).


to the lack of other publicly available fraud-related measures of accounting and auditing quality. However, there are threeimportantlimitationstohighlight.First,analysesofAAERstypicallyinvolvesignificantprofessionaljudgment.We conferred within our team about numerous such judgments during the course of the project and attempted to be consistent in the judgments made. Second, the data rely on the outcome of the SEC’s enforcement process that is documentedbytheSECstaffintheAAERs.TheextentofdetailprovidedintheAAERscanvarysignificantlyacrossSEC investigations. Thus, to the extent there are imperfections or biases in the SEC’s enforcement process, including howtheydocumenttheirfindingsintheAAERs,thoseimperfectionsorbiasesmayaffecttheresultsofthestudy.Forexample, it is possible that the nature of negotiations between the SEC and named parties may influence the amount andtypeofinformationultimatelyincludedintheAAERs,thusreducinguniformityinreportingacrossAAERs.Finally,theAAERspresentallegations of auditor deficiencies, with the audit professional and/or audit firm typically neither admitting nor denying the allegations. As a result, our goal is to present what was summarized by the SEC in theAAERstoprovideinsightsforreaderstomaketheirownconclusionsabouttherelativeperformanceofauditorsinthose cases examined by the SEC.


3. RESULTS

COMPANY CHARACTERISTICS

Financial Characteristics of Sample Companies

From 1998–2010, we identified 87 instances of SEC investigations of fraudulent financial reporting leading to sanctions against auditors. We attempted to gather financial data for the 87 sample companies, using the “last clean” financial statements, which we define as the last annual financial statements issued before the beginning of the fraud period.

We located relevant financial statement information for 67 of our 87 companies. Table 1 presents the financial profile of those 67 companies, and provides the reader some perspective on the size of public companies underlying the analysis in this study of alleged auditor deficiencies. Given the variability in size of the companies, it is most meaningful to focus on median values reported in Table 1. These companies are relatively small, with median assets and revenues under $40 million. In addition, many of the companies are near break-even, with median net income of only $351,000. The large differences between the means and medians indicate the presence of a few very large companies in the sample.

Table 1 – Financial Characteristics of Companies from “Last Clean” Financial Statements (n = 67 companies)

Total Assets Total Revenues Net Income (Loss)Stockholders’ Equity (Deficit)

Mean $4,598,154 $2,505,462 $139,765 $1,352,163

Median $37,906 $28,900 $351 $14,135

Minimum Value $0 $0 ($852,241) ($1,253,881)

1st Quartile $6,275 $1,030 ($673) $108

3rd Quartile $911,083 $472,778 $17,282 $278,635

Maximum Value $98,903,000 $39,090,000 $4,089,000 $55,409,000


Table 2 presents industry information for 69 of the 87 sample companies where we could locate reliable industry information, and provides the reader an overview of the types of industries included in the analysis. A broad range of industries is represented, with financial services and general manufacturing having slightly more instances than other industry sectors.

Table 2 – Industry of Sample Companies (n = 69 companies)

Industry Number Percentage

Financial service providers and insurance 8 11.6%

General manufacturing (excludes consumer goods or technology) 8 11.6%

Telecommunications 7 10.2%

Consumer goods manufacturing 6 8.7%

Retail trade 5 7.2%

Wholesale trade 5 7.2%

Mining / Oil and gas 4 5.8%

Computer software services 4 5.8%

Healthcare products and services 4 5.8%

Other service providers 4 5.8%

Technology manufacturing 4 5.8%

Transportation / Sanitary services 2 2.9%

Miscellaneous / Conglomerate / Shell companies 8 11.6%

Total 69 100.0%

Audit Reports

As part of the data collection effort, we gathered the audit reports issued on the last set of fraudulent financial statements; we were able to locate the reports for 74 companies. As shown in Table 3, the majority of the audit reports (58 percent) were standard unqualified audit reports. Forty-two percent of the audit reports included unqualified opinions, but the reports were modified from the standard report format primarily to highlight changes in accounting principle or going concern issues.


Table 3 – Audit Reports on Last Fraudulent Financial Statements (n = 74 companies)

Type of Audit Report Number Percentage

Standard unqualified opinions 43 58%

Modified reports

Change in accounting principle 10 14%

Going concern 9 12%

Note addressing unaudited schedules, statements, or paragraphs 4 5%

Other explanatory paragraphs including issues surrounding investment valuation and variation in international accounting standards from U.S. GAAP

3 4%

Note addressing restatements 2 3%

No specific information available 3 4%

Total modified reports 31 42%

Number of audit reports available for review 74 100%

Company Characteristics and Audit Reports – Comparison to 2010 COSO Study

To provide a frame of reference, we compared the companies in the present study (87 companies where the auditor was sanctioned in connection with a case of alleged fraudulent financial reporting) to the 347 fraud companies examined in Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies (COSO, 2010). The COSO study examined all cases of fraudulent financial reporting alleged by the SEC from 1998–2007, whether or not the auditor was sanctioned. The primary difference between the two studies relates to company size. In the COSO study, the companies had median assets and revenues of $93 million and $72 million, respectively, versus $38 million and $29 million, respectively, in the present study. Therefore, the SEC registrants involved in the present study (where the auditor was sanctioned) are much smaller. Although the industry groupings are somewhat different in the two studies, it appears that the present study’s sample is somewhat more concentrated in retail / wholesale and financial services / insurance and somewhat less concentrated in computer hardware / software and healthcare than the COSO study sample. Finally, audit opinions issued on the last fraudulent financial statements were more likely to be unqualified without any other report modifications in the present study (58 percent) compared to the COSO study (43 percent).


ALLEGED AUDIT DEFICIENCIES

Alleged Auditor Involvement in the Frauds

Table 4 provides an overview of the 87 cases based on the type of auditor deficiency and type of audit firm. Six of the 87 cases involve “bogus audits” where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. The other 81 cases related to actual, but allegedly deficient, audits. Of these 81 cases, 35 involved national firm auditors and 46 involved non-national firm auditors.

Table 4 – Alleged Auditor Involvement by Auditor Type (n = 87 companies)

Type of CaseNumber of Cases Naming

National Firm AuditorsNumber of Cases Naming

Non-National Firm AuditorsTotal

Bogus audit 0 6** 6

Actual audit, but audit was deficient 35* 46*** 81

Total 35 52 87

* Nine of the 35 cases were audits performed by Arthur Andersen, which ceased performing public company audits in 2002. Also, the 35 cas-es include one instance in which a national firm and a non-national firm performed a joint audit. This case was coded as a national firm case (only the national firm paid a fine to the SEC).

** In one instance, there were two non-national audit firms named because the fraudulent financial statements included multiple years that were “audited” by two different firms.

*** In four instances, there was more than one non-national firm named, generally because the fraud spanned multiple years that were audit-ed by different auditors due to auditor changes during the fraud period.


Bogus Audits

Table 5 summarizes the six cases involving “bogus audits,” where no underlying audit procedures were performed. Most of these cases resulted in fraud charges against the auditor (four cases), forced repayment of gains8 generally obtained through audit fees charged and payment of interest (four cases each), and bars from practice before the SEC (four cases). Two cases involved civil fines (totaling $255,000), and in one case the auditor was criminally prosecuted, resulting in an 18-month prison sentence.

Table 5 – Bogus Audits (n = 6 companies)

Item Result

Fraud charges against the auditor In 4 cases (violation of antifraud statutes (Rule 10(b)-5) by auditor)

Auditor disgorged gains generally related to audit fees received In 4 cases (total of $96,500)

Auditor prejudgment interest In 4 cases (total of nearly $35,000)

Barred from SEC practice In 4 cases (one permanent bar, one for 4 years, two for 3 years)

Auditor paid civil penalty In 2 cases (total of $255,000)

Criminal prosecutionIn 1 case (18-month imprisonment with 2 years of supervised release thereafter)

Alleged Audit Deficiencies in Actual Audits

The other 81 cases represent instances in which an actual audit was performed, but the SEC alleged that the audit was deficient. The following tables present the results of analyzing these 81 cases:

•Table6–OverviewofActualAuditsandSanctions(n=81)

•Table7–PrimaryDeficienciesinActualAudits(n=81)

•Table8–PrimaryDeficienciesinNationalFirmActualAudits(n=35)

•Table9–PrimaryDeficienciesinNon-NationalFirmActualAudits(n=46)

•Table10–OtherAuditorDeficienciesCitedbytheSEC(n=25)

•Appendix–DetailedListingofAllegedAuditDeficienciesbyAuditArea(n=81)

8 The SEC uses the term “disgorgement” of gains.


Table 6 presents an overview of the 81 actual audit cases. Twenty-four of the cases involved the SEC charging the auditorforviolatingtheSEC’santifraud(Rule10(b)-5)provisions.Ofthese24cases,9wereagainstnationalfirms(six of the 9 were against Arthur Andersen), and 15 were against non-national firms. The other 57 cases involved allegations of negligent audits — 26 against national firms (three of the 26 were against Arthur Andersen) and 31 against non-national firms.9

Table 6 – Overview of Actual Audits and Sanctions (n = 81 companies)

Item Result

Type of violation

24 antifraud violations (Rule 10(b)-5): 9 against national firms (6 of these were against Arthur Andersen)15 against non-national firms

57 citations for negligent audits:26 against national firms (3 of these were against Arthur Andersen)31 against non-national firms

Firm vs. individual sanctionsIn 54 cases only individual auditors were sanctionedIn 26 cases both individual auditors and the audit firm were sanctionedIn 1 case only the audit firm was sanctioned

Auditor barred from SEC practiceIn 73 cases (19 permanent bars; other bars averaged approximately 3 years, with a range of 6 months to 10 years)

Civil penaltiesIn 16 cases (total fines over $92 million, average of $5.8 million, median of $687,500, with a range of $20,000 to $50 million)

Disgorgement of gainsIn 10 cases (total disgorged gains over $10.6 million, average of $1.1 million, median of $43,598, with a range of $3,000 to $9.8 million)

Criminal prosecution In 1 case (for falsification of records)

Audit firm change in two years before fraud or during the fraud period

An audit firm change had taken place in 15 of 56 cases (27%) containing enough information to evaluate

Company was new or audit in question was initial audit

In 13 cases (16%)

Former auditor worked as the company’s CEO and CFO

In 1 case (a number of the company’s managers were former audit partners, including the CEO and CFO)

In the majority of cases (54 cases), only individual auditors were sanctioned, while both individuals and firms were sanctioned in 26 cases. Just one case involved only sanctions against an audit firm.

In terms of penalties, the most typical consequence was barring auditors from SEC practice (73 cases). Nineteen cases involved permanent bars, while the other cases, on average, involved bars of approximately three years. Civil penalties (16 cases, total fines of over $92 million) and disgorgement of gains (10 cases, total disgorgement of over $10.6 million) were much less common. One case led to criminal prosecution of the auditor for falsifying records.

Finally, we gathered information on certain characteristics of the audit engagements. Of the cases with available information, there had been an audit firm change during the period from two years before the fraud began to the end of the fraud period in 27 percent of the cases. Also, in 13 cases (16 percent) the company was recently formed or the engagement in question was the first time the financial statements had been audited. We found only one case where the relatedAAERsindicatedexplicitlythatformerauditfirmpersonnelwereemployedasthecompany’sCEOandCFO.

Table 7 presents the 16 primary audit deficiencies explicitly cited by the SEC in the 81 actual audit cases.10 We have captured as much information as we can from the disclosures provided by the SEC about the auditor deficiencies. In

9 Our reference to, for example, “national firms” means that the SEC sanctioned a national firm or individual auditors in a national firm. See details in the right-hand column of Table 6 for information on firm-level versus individual-level sanctions.

10 We judgmentally decided to present the top 16 deficiencies to highlight those with the greatest frequency (deficiencies cited in more than 10 of the 81 cases).


some cases, the SEC’s descriptions of the deficiencies are fairly broad and involve a number of audit processes. In other cases, the SEC’s description of the deficiencies is more specific. To the extent possible, we have attempted to glean as much as we can about deficiencies in the audit from the SEC’s disclosures in the related enforcement actions. Note, however,thatwearelimitedtotheextenttheSECdescribedtheauditdeficiencyintheAAERs.

ThethreemostcommondeficienciesdescribedbytheSECintherelatedAAERswere:(a)failuretogathersufficientcompetent audit evidence (73 percent of the cases), (b) failure to exercise due professional care (67 percent), and (c) insufficient level of professional skepticism (60 percent). Each of these items reflects a deficiency related to the General Standards within the framework of the 10 Generally Accepted Auditing Standards (GAAS), which establish the basis for the audit process that is built on audit evidence, collected and evaluated with due care and professional skepticism.

Many of the 81 cases cited multiple deficiencies. For example, 66 cases cited more than one of the top 10 deficiencies, 60 cases cited more than two of the top 10, and 56 cases cited more than three of the top 10. Similarly, 58 of the cases cited more than one of the top three deficiencies, and 42 cases cited the top three deficiencies.

Table 7 – Primary Deficiencies in Actual Audits (n = 81 companies)

Problem AreaPercentage

(Number) of Cases

1. Failure to gather sufficient competent audit evidence 73% (59 cases)

2. Failure to exercise due professional care 67% (54)

3. Insufficient level of professional skepticism 60% (49)

4. Failure to obtain adequate evidence related to management representations 54% (44)

5. Failure to express an appropriate audit opinion 47% (38)

6. Incorrect/inconsistent interpretation or application of requirements of GAAP 37% (30)

7. Inadequate consideration of fraud risks 33% (27)

8. Inadequate planning and supervision 31% (25)

9. Failure to adequately address audit risk and materiality 21% (17)

10. Inadequate preparation and maintenance of audit documentation 20% (16)

11. Failure to adequately communicate with the audit committee 17% (14)

12. Failure to recognize / ensure disclosure of key related parties 15% (12)

12. Failure to adequately perform audit procedures in response to assessed risks 15% (12)

12. Inappropriate confirmation procedures 15% (12)

12. Failure to evaluate adequacy of disclosure 15% (12)

16. Internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an understanding of the entity and its environment

14% (11)*

* The number of individual internal-control related audit deficiencies sums to 12 in the Appendix; however, one firm was cited for two of these deficiencies. Thus, in this Table, we report the total number of cases in which internal control-related issues were noted.

Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, four problem areas tied for the 12th rank in the rank-ordered list of the top 16 deficiencies shown above.


The first three deficiencies in Table 7 address concerns related to the three General Standards within the framework of 10 GAAS standards. The SEC often cited these three deficiencies to note an overarching observation about the auditor’s lack of professionalism and due care, without reference to violations of specific Statements on Auditing Standards (SASs) or related PCAOB Auditing Standards. Said differently, any lack of compliance with a specific SAS or PCAOB Auditing Standard would by default also trigger a violation of the General Standards within the GAAS framework. Thus, it is not surprising that these three deficiencies are cited most in the 81 cases examined.

To provide some insight about the concerns noted related to these three overarching deficiencies, we have provided someexamplesoftheunderlyingauditdeficienciesnotedbytheSECintheAAERs.Detailedreviewoftheunderlyingdeficiencies suggests that there appeared to be an overriding concern that the auditor’s lack of exercising due professional care and failure to maintain an overall level of appropriate professional skepticism resulted in the auditor failing to obtain sufficient competent evidence to support amounts in the financial statements. Thus, it is helpful to consider these three deficiencies in combination.

Examples of Failure to Gather Sufficient Competent Audit Evidence:11

• Despitethefactthattheauditfirmhadpreviouslycommunicatedtomanagementandtheauditcommitteeconcerns about management’s comprehensive analysis of its inventory balances and despite noting material year-end book to physical differences in inventory, the audit firm over-relied on management’s inventory reports when analyzing slow moving or obsolete inventory without testing the reliability of the reports.

• Theauditfirmfailedtosupportunderlyingestimatesthatwereusedtoestablishfinancialstatementbalancesand failed to obtain additional evidence about estimates used when concerns were noted about potential bias in those estimates.

• Theauditfirmfailedtosubstantiatepricesusedinasoftwarevaluationcalculation.

• Theauditfirmfailedtoperformadditionalprocedureswhenconfirmationsreturnedcontainedambiguousinformation. In the same audit, the audit firm also failed to obtain supporting evidence to substantiate an inventory obsolescence reserve and failed to substantiate management’s calculation of revenue. Instead, the audit firm relied on management representations.

Examples of a Failure to Exercise Due Professional Care:

• Despitedocumentingthatclientaccountingpracticeswere“highlyaggressive”and“unusual”,theauditfirmfailed to adjust its audit procedures in light of these noted risk concerns.

• Theauditfirmfailedtoplanandproperlysupervisetheaudit,andthefirmfailedtoconsidertheunderlyingaudit risk.

• Whilethefirmrequestedtheclienttopresentdocumentationtosupportamaterialamountinthefinancialstatements, the audit firm failed to conduct further audit procedures when management claimed the documentation was unavailable.

• Theauditfirmfailedtoactwithdueprofessionalcarewhenmultiplepiecesofdocumentationsuggestedtheclient’s accounting records were held open beyond the fiscal year end, and the audit firm ignored the client’s failure to record depreciation expense.

ExamplesofaFailuretoMaintainaSufficientLevelofProfessionalSkepticism:

• Theauditorfailedtoassessdocumentshesuspectedmighthavebeenfabricatedbytheclientanddidnotquestion the authenticity of those documents.

• Despitebeingconfrontedwithanumberoffactorsthatshouldhaveheightenedtheauditor’sprofessionalskepticism in regards to a number of risks of material misstatement, the auditor’s procedures did not appear to be modified in light of these risk concerns.

11 The language used to describe these examples is adapted from the relevant AAERs, but does not necessarily represent an exact quotation of language in the AAER.


• Theauditorfailedtorespondtoinformationthatsuggestedaccountvaluationswereoverstated,andtheauditor failed to verify certain representations made by management.

• Theauditfirmfailedtorespondtonumerousredflagsandinconsistenciesandignoredanumberofspecificaudit program steps.

The remaining items in Table 7 typically reflect more specific audit issues. The fourth most common deficiency was the failure to obtain adequate evidence related to management representations (54 percent). In such cases, the SEC alleged that the auditor placed too much reliance on management’s explanations or representations without adequate corroborating evidence. Some examples of audit failures noted by the SEC when they alleged this deficiency include the following:

• Managementmadecertainrepresentationsaboutdiscrepanciesbetweeninventorybookandphysicalbalances,but the auditor failed to request evidence supporting the reconciliation.

• Theauditorreliedonmanagementrepresentationsaboutcertainkeyestimatesandreliedonoralrepresentations about accruals on unbilled receivable balances.

• Assumptionsassertedbymanagementtosupporttop-sideaccountingentrieswerenottestedbytheauditor.

The fifth most common issue was the failure to express an appropriate audit opinion (47 percent). As indicated in the Appendix, the majority of these cases involved the auditor issuing an unqualified opinion when the financial statements did not conform with GAAP and the auditor did not adhere to GAAS. This particular deficiency was often cited by the SEC as an overarching deficiency triggered by other underlying deficiencies in the audit. Examples of auditfailureswhentheSECallegedthisdeficiencyintheAAERincludesituationswhere:

• Theauditorissuedanunqualifiedopinioneventhoughthefirmhadknowledgethattheaccountingforamaterial acquisition was not complete.

• Theauditorfailedtomodifytheauditreporteventhoughtherewerematerialscoperestrictionswherebytheauditor failed to corroborate written representations by management and the auditor knew that a material portion of the receivables did not have any supporting documentation.

The sixth issue, incorrect/inconsistent interpretation or application of the requirements of GAAP (37 percent), reflects technical accounting issues. As shown in the Appendix, 10 of the 30 cases involved revenues, which is consistent with the predominance of revenue overstatements in the population of fraud cases (Fraudulent Financial Reporting: 1998-2007, An Analysis of U.S. Public Companies).Reserves,includingwarrantyreserves,wereinvolvedinfourcases.Several remaining cases involved areas including (two cases each): debt; restructuring charges / nonrecurring expenses; capitalized expenses; deferred taxes; timber / real estate; and acquisitions.

The SEC cited inadequate consideration of fraud risks in 33 percent of the cases (the seventh most frequent issue). In terms of fraud risks, auditors may have ignored or not appropriately responded to perceived red flags or other client risks. Examples of situations where the SEC cited this deficiency include the following:

• TheonlyactiontheauditortooktoassesstheriskoffraudwastoasktheCFOandotheraccountingstaffatthe issuer whether they had any knowledge of fraud.

• Theauditorfailedtoappropriatelyrespondtonotablefraudrisks,includingfailuretoadjustauditprocedureswhen the auditor learned that a significant sale occurred in the last days of the fiscal year.

• Procedurestoassesstheriskofmaterialmisstatementduetofraudweredocumentedintheworkingpapersthree months after the issuance of the audit report.


The SEC cited inadequate planning and supervision in 31 percent of the cases (the eighth most frequent issue). Four of the deficiencies related to planning and supervision involved a fundamental failure to write an audit program. Other examples of deficiencies related to this issue include the following:

• Theauditpartnerfailedtosupervisethepersonperformingtheaudit,andthatpersonwasnotanaccountantand had no audit experience.

• Therewasminimalpartnerinvolvement,andtheauditmanagerwhowasonthewestcoastoftheU.S.supervised by telephone the audit staff who were on the east coast of the U.S. A different manager was asked to review the audit work when that manager had never worked on the engagement and had no knowledge of the client’s operations or audit issues.

• Certainworkpaperspreparedbyseniorstaff,includingplanningareasandhighriskaccounts,werenotreviewed.

The ninth most common deficiency was the failure to adequately address audit risk and materiality. Typical deficiencies included:

• Theauditfirmfailedtoimplementappropriatefollow-upprocedurestoensurethatplannedauditresponseswere performed to address certain audit risk areas and that concurring and special review partners functioned effectively for the high risk client.

• Theauditordidnotunderstandtheclient’sinternalcontrols,didnotcompetentlyidentifyauditrisks,andfollowed a generic audit program obtained off the Internet.

The tenth most cited deficiency related to inadequate preparation and maintenance of audit documentation. Here are some examples of what transpired:

• Nearlyoneyearaftercompletingtheauditandsubsequenttothefilingofalegalsuitagainsttheauditfirm,firm personnel added additional workpapers to their audit documentation to mask deficiencies.

• Auditdocumentationfailedtoidentifywhatauditprocedureswereperformedandwhatconclusionswerereached, and the documentation failed to show that accounting records reconciled with the financial statements.

As shown in the Appendix, seven of the 16 cases related to audit documentation involved intentional alteration and/or destruction of workpapers.

The remaining issues in Table 7 each were cited in 17 percent or fewer of the 81 cases. These issues involved communication with the audit committee, related party transactions, responses to assessed risks, confirmations, evaluation of disclosures, and internal control-related issues.

While the time period examined in our study ranges from 1998–2010, we found that only 11 of the cases involve fraudulent financial reporting in periods 2003 or later, which represents years following the passage of the Sarbanes-Oxley Act (SOX) in July 2002. Among the 11 cases, one audit was performed by a national firm, and 10 were performed by non-national firms. The median size of the issuer companies ($5.4 million in assets and $10.7 million in revenues) was smaller than the full sample as reported in Table 1. Only one of the 11 cases was an accelerated filer that required an audit of internal control over financial reporting. In that case, the auditor’s opinion on internal control over financial reporting was unqualified. While the post-SOX sample is quite small, we did analyze the deficiencies for the 11 cases. The results are very similar to those reported in Table 7. Eleven of the top 13 deficiencies associated with the post-SOX sample also appear in Table 7. We caution the reader to interpret these findings carefully, given the small sample and significant time lag in SEC enforcement.

Tables 8 and 9 present the 14 primary deficiencies12 in the 35 cases involving actual audits by a national audit firm (Table 8) and 46 cases involving actual audits by a non-national firm (Table 9). Although national and non-national

12 We judgmentally decided to present the top 14 deficiencies in Tables 8 and 9 to highlight those with the greatest frequency (present in 15 percent or more of the national or non-national cases).


firms may have very different client bases and oversight challenges, the results across the two groups of firms are very similar in many respects. The top four issues are consistent across the two groups (with a slightly different ranking), and 11 deficiencies appear in both the national firm and non-national firm lists.

Three deficiencies appear only in the national firm list (Table 8): (a) failure to adequately perform audit procedures in response to assessed risks; (b) failure to evaluate adequacy of disclosure; and (c) internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an understanding of the entity and its environment.

Three deficiencies appear only in the non-national firm list (Table 9): (a) failure to recognize / ensure disclosure of key related parties, (b) over-reliance on / failure to obtain work of specialists, and (c) inappropriate confirmation procedures. With respect to specialists, eight of the nine total deficiencies in this category related to non-national audit firms. This may reflect the greater likelihood that national firms have the resources to involve specialists in a greater number of particularly technical areas.

Table 8 – Primary Deficiencies in National Firm Actual Audits (n = 35 companies)


(Number) of Cases

1. Failure to exercise due professional care 69% (24 cases)

2. Failure to gather sufficient competent audit evidence 66% (23)







8. Failure to adequately perform audit procedures in response to assessed risks* 23% (8)


8. Failure to evaluate adequacy of disclosure* 23% (8)



14. Internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an understanding of the entity and its environment*

17% (6)

* Problem area does not appear in the Table 9 list for non-national firms.

Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, four problem areas tied for the 8th rank, and two tied for the 12th rank in the rank-ordered list of the top 14 deficiencies shown above.


Table 9 – Primary Deficiencies in Non-National Firm Actual Audits (n = 46 companies)


(Number) of Cases

1. Failure to gather sufficient competent audit evidence 78% (36 cases)

2. Failure to exercise due professional care 65% (30)








10. Failure to recognize / ensure disclosure of key related parties* 20% (9)

11. Over-reliance on / failure to obtain work of specialists* 17% (8)


13. Inappropriate confirmation procedures* 15% (7)


* Problem area does not appear in the Table 8 list for national firms.

Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, two problem areas tied for the 11th rank, and two problem areas tied for the 13th rank in the rank-ordered list of the top 14 deficiencies shown above.


Table 10 presents a list of other deficiencies cited by the SEC in 25 of the 87 total cases. The most common were inadequate reviews of the interim (quarterly) financial statements (16 cases) and inadequate review of documents containing audited financial statements (four cases). The other items in Table 10 cover a range of issues, including alleged perjury and insider trading. Those additional items were noted in one case each.

Table 10 – Other Auditor Deficiencies Cited by the SEC (n = 25 companies)

Inadequate reviews of quarterly financial statement information (16 cases)*

Inadequate review of documents containing audited financial statements (4 cases)

Auditor committed perjury by failing to reveal to an SEC officer that his criminal history included several arrests and convictions

Auditor failed to adhere to its quality control policies

Auditor engaged in illegal insider trading and shared proprietary acquisition plans

Auditor caused the client to overstate its assets in offering documents

Auditor failed to discuss percentage-of-completion estimates with project managers

Auditor allowed the client to conceal the managerial role of a convicted felon

* Because this deficiency relates to interim review procedures rather than audit procedures in the audit of annual financial statements, we excluded it from the list of the top 16 audit deficiencies reported in Table 7.

We have also presented all the deficiencies noted by the SEC in the Appendix, categorized using the GAAS Framework ofGeneral,Fieldwork,andReportingStandards.

Comparison of Results to Beasley et al. (2000)

In 2000, three of the authors conducted a similar analysis of a sample of SEC allegations against auditors associated with fraudulent financial reporting cases from 1987–1997, Fraud-Related SEC Enforcement Actions Against Auditors: 1987–1997 (AICPA, 2000, Beasley, Carcello, and Hermanson). The previous study examined 45 actual, but allegedly deficient, audits. The most frequently cited of the alleged audit deficiencies in the 1987–1997 report were (p. 2):

• Failuretogatheradequateauditevidence[80%ofthe45actualaudits]

• Lackofdueprofessionalcare[71%]

• Lackofappropriateprofessionalskepticism[60%]

• MisinterpretationormisapplicationofGAAP[49%]

• Inadequateauditplanning[44%]

• Over-relianceoninquiryasaformofevidence[40%]

• Failuretoobtainadequateevidenceinsupportofmanagementestimates[36%]

• Inadequateconfirmationofaccountsreceivable[29%]

• Failuretorecognizeordisclosekeyrelatedparties[27%]

• Over-relianceoninternalcontrols[24%]


• Lackofindependence(generallyduetotheauditorperformingaccountingormanagementfunctionsfortheclient)[22%]

• Inadequatesupervisionandreview[22%]

• Inadequateorinconsistentworkingpapers[22%]

The top three deficiencies, related to inadequate audit evidence, lack of due professional care, and lack of appropriate skepticism, are identical across the two studies. These issues relate to fundamental audit deficiencies that are at the heart of effective fraud risk assessment and fraud detection. Many of the other most common deficiencies are cited in both studies. One notable shift is the increased incidence of failure to adequately communicate with the audit committee — 14 cases in the present study versus only two in the 1987–1997 analysis.


4. IMPLICATIONS

The analysis of deficiencies noted by the SEC provides insights that can help contribute to

continued improvements in the audit process. The types of deficiencies in Tables 7–10 appear to

center collectively around four overarching themes of root-cause drivers:

1. Failure to Exercise Due Professional Care

2. Insufficient Levels of Professional Skepticism

3. Inadequate Identification and Assessment of Risks

4. Failure to Respond to Identified Risks with Appropriate Audit Responses to

Gather Sufficient Competent Evidence

In considering the results contained in this report, it is important to appreciate that SEC allegations of fraudulent financial reporting are rare, with 347 cases examined by the SEC from 1998–2007 out of thousands of U.S. public companies. Despite the small number of fraud-related SEC enforcement actions, we believe implications from the analysis of these 87 cases provide important insights for auditors and others concerned with improving audit quality, especially in the context of detecting material financial statement misstatements due to fraud.

This section briefly explores implications suggested by these overarching themes that are core to the audit process.

Failure to Exercise Due Professional Care

In some of the cases reviewed, the SEC’s alleged audit deficiency involved auditors who failed to perform procedures generally accepted as appropriate and expected in most audits. In many of those instances, the deficiency did not appeartoinvolveoverlycomplexauditdecisionsastowhatGAASmightrequireinthecircumstances.Rather,thedeficiency was sometimes linked to a failure to perform procedures generally understood to be core to any audit. In essence, the auditor failed to do what a prudent auditor should know is expected in an audit. For example, auditors were cited for audit deficiencies because they failed to obtain evidence about estimates used to value an account, failed to obtain documentation supporting reconciliations, did not supervise the engagement team or did so remotely, accepted documentation that they knew was unreliable, failed to confirm receivables, etc.

Failures such as these may be due to a lack of understanding of the underlying requirements contained in GAAS, which can be addressed through education, training, hiring, and performance evaluation assessments. However, it is possible that such deficiencies were triggered by an execution failure whereby the auditor may have had knowledge of what is expected to be done in the audit, but failed to ensure that the required procedures were carried out in an effective manner. The latter challenge may be the result of several root causes, such as time pressure concerns in completing the audit, multi-tasking across a number of audit engagements, or inadequate quality control review procedures at the engagement level.

To address the concern related to a failure to exercise due professional care, audit firms and the profession may benefit from conducting deep-dive analyses of instances detected within the firms’ own quality control reviews or peer reviews where generally understood audit procedures are not being performed to determine the root-cause issue leading to a failure to perform required procedures. Such an analysis may identify areas where education and training are warranted, or it may identify areas where firm culture or personnel-related issues are causing members of the engagement team to not perform procedures generally understood as core to any audit engagement. In the spirit of continual efforts to improve audit quality, firms may benefit from surveys of current employees and exit interviews of former employees who may shed insight into issues affecting the exercise of due professional care. Addressing concerns related to exercising due professional care helps to strengthen one of the front-line defenses against audit failure.


Insufficient Levels of Professional Skepticism

Another front-line defense against issues that might lead to audit failure is an appropriate level of professional skepticism. A lack of an appropriate questioning mindset and a failure to critically evaluate audit evidence create opportunities for a number of audit deficiencies to be present across all aspects of an audit. While the SEC tends to include this general deficiency in most of its sanctions against auditors, it is helpful to consider concerns noted by the SEC about the lack of sufficient professional skepticism to see if there are additional insights that might contribute to the profession’s continual efforts to improve auditor skepticism.

The critical nature of professional skepticism is a core theme in the Center for Audit Quality’s Deterring and Detecting Financial Reporting Fraud: A Platform for Action (October 2010). In that report, the CAQ noted that skepticism is

…an essential element of the professional objectivity required of all participants in the financial reporting supply chain. Skepticism throughout the supply chain increases not only the likelihood that fraud will be detected, but also the perception that fraud will be detected, which reduces the risk that fraud will be attempted…For both internal and external auditors, skepticism is an integral part of the conduct of their professional duties, including the consideration of the risk of management override of internal controls. (p. vii)

Within that CAQ report, Chapter 3, “Skepticism: An Enemy of Fraud,” provides a rich discussion of the critical role of exercising appropriate professional skepticism and highlights the realities of how biases impact all individuals as they make judgments and decisions. The chapter highlights the natural tendency that all players in the financial reporting process, including auditors, tend to believe that the organizations they serve and leaders with whom they are aligned have integrity. That belief predisposes auditors and boards of directors to trust other players in the financial reporting process. Such bias towards trust may lead to a lack of asking probing questions and a failure to critically assess audit evidence.

To help address this tendency, auditing standards, including the standards related to auditor consideration of fraud in the financial statement audit, emphasize the importance of all members of the engagement team recognizing the reality that the risk of fraud is present in every audit. That is, no audit is devoid of the risk that certain incentives/pressures, opportunities, or inappropriate attitudes or rationalizations may exist that affect the likelihood of fraud being present. Additionally, those standards also recognize that the risk of management override of internal control is also present in all audits. Despite this explicit recognition in auditing standards, the SEC concluded that in many cases examined in this study the auditor apparently struggled to recognize the risk of fraud throughout the performance of the entire audit engagement.

Academic research on the topic of professional skepticism suggests that there are six characteristics of skepticism:13

1. Questioning mindset – A disposition to inquiry, with some sense of doubt.

2. Suspension of judgment – Withholding judgment until appropriate evidence is obtained.

3. Search for knowledge – A desire to investigate beyond the obvious, with a desire to corroborate.

4. Interpersonal understanding–Recognitionthatpeople’smotivationsandperceptionscanleadthemtoprovide biased or misleading information.

5. Autonomy – The self-direction, moral independence, and conviction to decide for oneself, rather than accepting the claims of others.

6. Self-Esteem – The self-confidence to resist persuasion and to challenge assumptions or conclusions.

The challenging issue for auditors and the audit profession as a whole is that the concept of professional skepticism has been a fundamental aspect of auditing standards for decades. Therefore, the question becomes, “Despite recognition

13 See “Development of a Scale to Measure Professional Skepticism,” by R. Kathy Hurtt, Auditing: A Journal of Practice & Theory, May 2010.


that professional skepticism has been fundamental to the audit process for decades, what leads to problems in exercising sufficient levels of professional skepticism on a day-to-day basis during an audit?”

It is unclear what issues exist that lead to missteps in an auditor’s ability to apply a sufficient level of professional skepticism in the audit. Perhaps in some cases it is a lack of awareness of our human tendencies to place too much trust in others when we have seen no evidence to the contrary. If it is a lack of awareness of our human judgment and decision-making capabilities, then additional training and education about the realities of how biases affect our judgmentsanddecision-makingtasksmayprovebeneficial.Remindersaboutthecharacteristicsofskepticismnotedabove may be a start.

The PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, also provides guidance to assist auditors in applying professional skepticism in their audits. That Alert provides examples of instances where the auditor did not appropriately apply professional skepticism, and it alerts auditors to common impediments to sufficient skepticism. The Alert also highlights the importance of the audit firm’s system of quality control and supervision in promoting professional skepticism.14

The COSO thought paper, Enhancing Board Oversight: Avoiding Judgment Traps and Biases,15 may be another useful reference tool. The guidance in that paper provides a helpful reminder to all participants in the financial reporting process, including auditors and boards of directors, of concerns about their own biases that they should monitor as they make key judgments and decisions.

Unfortunately, training will not solve all the limitations in the ability to exercise appropriate levels of professional skepticism. Most likely, many of the audit deficiencies documented in this study involve individual auditors who understood intellectually the importance of exercising appropriate professional skepticism, but for some reason failed to execute on that while performing the audit. Auditors may benefit from reminders of the importance of exercising appropriate levels of professional skepticism, and those reminders may need to be made multiple times in multiple ways during an engagement. Assessments and accountabilities of how individual members are aligning with skepticism characteristics may need to be explicitly measured at multiple stages during an audit engagement. Quality review assessments may need to be enhanced to explicitly assess evidence of appropriate levels of professional skepticism in the conduct of individual audit engagements. Training, reminders, and assessments of the presence of these pitfalls during an audit engagement may provide some initial first steps in enhancing capabilities of maintaining appropriate levels of professional skepticism.

Hindsight analyses of instances where a lack of professional skepticism is detected in the normal audit review process, including peer reviews, inspections, and actual cases of audit failure, might begin to identify patterns of behaviors where professional skepticism is lacking. Once those patterns are identified, then audit firms and the profession as a whole will be in a better position to respond to root-cause drivers of inappropriate levels of professional skepticism. Better insight as to root-cause drivers may create opportunities for audit firms to embed periodic checks of professional skepticism within the scope of an audit to proactively identify situations where skepticism is lacking so that it can be corrected in real time.

The profession may also need to explore how differences in cultures across geographic regions of the world and generational differences impact how skepticism is developed and applied in an audit. For example, appreciation for the importance of professional skepticism may differ for individuals residing in different countries, and we may find that future generations of audit professionals develop and exercise professional skepticism differently than today’s audit professionals.Researchiswarrantedtobetterunderstandtheseandotherpotentialfactorsaffectingtheexerciseofprofessional skepticism.

14 See PCAOB Staff Audit Practice Alert No. 10, “Maintaining and Applying Professional Skepticism in Audits” (December 4, 2012), www.pcaob.org.

15 Download this thought paper at www.coso.org.


The CAQ’s Deterring and Detecting Financial Reporting Fraud: A Platform for Action (October 2010) (p. 25) includes a number of suggestions related to professional skepticism for auditors that warrant further review. Here is an overview of several considerations noted in that report for external auditors:

1. Based on the fraud risk assessment developed in planning the audit, proactively suggest questions that the board and audit committee may want to ask management.

2.Regularlyevaluatetheauditfirm’sinternalcommunicationsandtrainingprogramstoconfirmthattheyadequately address the exercise of professional skepticism and the assessment of fraud risk.

3.Reinforcetheimportanceofinterviewingandinquiryskillsintheauditprocess,includingconsiderationofnon-verbal communications.

4. Emphasize the value of corroboration as a means of obtaining sufficient audit evidence, and provide guidance on mechanisms and methodologies such as company communications for obtaining corroborative information.

5. Consider including in the brainstorming sessions individuals outside of the engagement team with industry expertise and those who have experience with situations involving financial reporting fraud.

6. Consider face-to-face meetings to obtain information, in order to encourage open discussion and assess non-verbal communications.

7. Encourage the academic community to strengthen the auditing curriculum’s focus on professional skepticism and techniques for fraud detection.

That report also contains several suggestions for audit committees and internal auditors in regards to fraud risk assessments. While those suggestions are tailored to audit committees and internal auditors, they can easily be adapted for consideration by external auditors to help strengthen their application of professional skepticism.

Inadequate Identification and Assessment of Risks

The failure to exercise due professional care and the failure to maintain sufficient levels of professional skepticism are natural precursors to an inadequate identification and assessment of risks of material misstatement in the audit, including the risk of fraud. In some of the cases examined in this study, the audit firm failed to conduct required audit risk assessment procedures, such as procedures to perform fraud risk assessments. In other cases, the auditor failed to respond to risk conditions previously identified by the auditor. The situations examined in this study illustrate how the lack of due professional care and insufficient levels of professional skepticism can lead to inadequate risk assessments or responses to noted risks. So, addressing those root-cause drivers will have a direct impact on an auditor’s identification and assessment of risks.

However, there are likely other causes that help to explain why deficiencies are noted in the auditor’s risk assessment process. While auditing standards have been risk-based for a number of years, some may oversimplify the risk assessment process. That is, the extent of training on the fundamentals of risk management and risk assessment may be lacking in helping auditors to understand factors that affect the quality of any risk assessment task.

Morerecentlytherehasbeenanincreasedemphasisontheimportanceofenterpriseriskmanagement(ERM)asan emerging business paradigm important to overall corporate governance. As that business paradigm continues to develop, executives are realizing that more education and training related to risk identification and risk assessment tasks are needed. And, as thought papers about assessing enterprise-level risks have emerged, complexities surrounding the ability to properly identify and assess risks across complex enterprises are now being recognized. For example, the Harvard Business Review article, “The Big Idea: Before You Make that Big Decision…,” highlights how a number of pitfalls, such as groupthink, saliency bias, confirmation bias, and the halo effect, among others, can impact the quality of our decisions, including decisions related to risk identification and assessment.16 An article in The Conference Board

16 See “The Big Idea: Before You Make that Big Decision…,” by Daniel Kahneman, Dan Lovallo, and Olivier Sibony, Harvard Business Review, June 2011.


Review, “The Dark Side of Optimism,” illustrates how optimism, which is widely seen as a virtue of American culture that stresses looking at the bright side of an issue and de-emphasizing the problematic, is impacting our ability to make realistic, objective assessments.17 Furthermore, COSO’s thought paper, Risk Assessment in Practice, outlines best practices related to risk assessment tasks, including the importance of considering a number of dimensions in addition to traditional considerations of a risk’s probability and impact.18

Collectively, these and other thought papers suggest that the risk identification and risk assessment process is more complex than it may seem and therefore subject to a number of pitfalls.

The profession may benefit from taking a closer look at the process of identifying and assessing risks to see what more we can learn about the complexities associated with any risk assessment task. In some circumstances, auditors may be ill-equipped to adequately assess risks from a probability perspective — that is, some auditors may be overly optimistic about the likelihood that a client is not engaging in fraud, and auditors’ lack of experience in seeing actual cases of fraud may cause us to underestimate the likelihood that material misstatements may be present. Most undergraduate or graduate accounting programs contain minimal coverage of risk management concepts, and firm-level training programs often presume auditors understand what is meant by “assess the risk of material misstatement.” More sophisticated training on fundamental risk management principles may be warranted to help auditors avoid common pitfalls already understood by risk management professionals.

Failure to Respond to Identified Risks with Appropriate Audit Responses to Gather Sufficient Competent Evidence

The ability to design and perform audit procedures to gather evidence to address risks of material misstatement due to fraud is contingent on the combined execution of exercising due professional care, maintaining a sufficient level of professional skepticism, and identifying and assessing risks. That is, due professional care, professional skepticism, and risk assessment are necessary conditions for designing and performing appropriate audit risk responses. Until those challenges are addressed, auditors are subject to limitations in their abilities to appropriately design and perform audit procedures to address risks of material misstatement.

In some of the cases examined in this study, the auditor failed to perform audit procedures generally expected to be performed in any audit, such as sending confirmations of receivables, obtaining evidence to support estimates, or corroborating management’s oral representations. In other cases, the auditor failed to adjust audit procedures in light of documented risk conditions and merely conducted procedures in a generic audit program or similar to procedures performed in prior years. These examples suggest there may be difficulties associated with a lack of exercising due professional care or maintaining sufficient levels of professional skepticism.

Other instances highlight challenges of linking risks and responses. In some situations, the underlying audit deficiency suggested a failure in adequately linking documented risks to audit procedures being performed and a failure in considering the appropriateness of the audit response to the risk noted, which is a finding that has been observed in other research. In the spirit of continual quality improvement, perhaps greater emphasis on the importance of linking audit procedures to underlying risks and heightened review of those linkages may help auditors to identify areas where the response is not commensurate with the risks identified. Tools and techniques that help auditors make these linkages may need to be developed, and, if they already exist, perhaps additional training as to the purpose and benefits of those tools may be warranted.

17 See “The Dark Side of Optimism,” by Susan Webber, The Conference Board Review, January/February 2008.

18 Download this paper from the COSO website (www.coso.org).


Other Implications

As summarized in Tables 7–10, there are deficiencies noted that lead to other implications about areas for improvement related to the audit process that should be considered. In the prior pages of this report, we have addressed these four overarching themes given that improvement in each of these aspects has the potential for engagement-wide impact on other more specific deficiencies noted in this study. However, further analysis of some of these more specific audit deficiencies may identify opportunities for improvements in our understanding of potential factors that impact audit quality.

5. SUMMARY

Financial reporting fraud is a serious concern for all capital market participants, and its deterrence and detection are important responsibilities of all participants in the corporate governance process. While the driver of financial reporting fraud is the perpetrator who conceals fraudulent actions, auditing standards do place a responsibility on auditors to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Given that responsibility, it is important that the profession invests in the consideration and analysis of prior instances of alleged audit failures, such as the present study, to identify opportunities to learn from these mistakes and to strengthen the entire audit process. We hope the analysis summarized in this report provides a springboard for opportunities to enhance understanding of the audit process and strengthen the execution of procedures performed to lower the incidence of undetected fraudulent financial reporting.


6. RESEARCH TEAM

Authors

Mark S. BeasleyistheDeloitteProfessorofEnterpriseRiskManagementandProfessorofAccountingatNorthCarolinaStateUniversity.HeistheDirectorofNCState’sEnterpriseRiskManagement(ERM)Initiative,whichprovidesthoughtleadershipaboutERMpracticesandtheirintegrationwithstrategyandcorporategovernance.Markrecentlycompletedoversevenyearsofservice on the board for the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Mark has previously served as President of the American Accounting Association’s Auditing Section and on several national task forces and working groups, including the Auditing Standards Board SAS No. 99 Fraud Task Force. His research has appeared in such journals as The Accounting Review, Journal of Accounting Research, Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, and Accounting Horizons.HeisafrequentspeakeratnationalandinternationalconferencesonERM,internalcontrols,andcorporategovernance, including audit committee practices. [email protected]

Joseph V. Carcello istheErnst&YoungandBusinessAlumniProfessorandco-founderandDirectorofResearchattheUniversity of Tennessee’s Corporate Governance Center. He has published in such journals as The Accounting Review, Journal of Accounting Research, Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, and Accounting Horizons. Joe is a member of the Public Company Accounting Oversight Board’s (PCAOB’s) Investor Advisory Group, and previously served six years on the Standing Advisory Group. He testified before the U.S. Treasury Department Advisory Committee on the Auditing Profession, and before a Congressional oversight committee related to accounting and auditing regulation. Joe served on COSO’s Small Business Control Guidance Advisory Group Task Force; as Vice President – Finance of the American Accounting Association; and as President of the Auditing Section of the AAA. He has served as an expert witness in cases involving fraudulent financial reporting for the U.S. Securities and Exchange Commission, and as an expert in evaluating corporate governance reforms instituted as part of legal settlements of shareholder claims in federal and state courts. Joe has served as a consultant on corporate governance, controls, and fraud to public companies and audit committees, including the audit committee of a Fortune 50 company. [email protected]

Dana R. HermansonisDinosEminentScholarChairofPrivateEnterprise,ProfessorofAccounting,andDirectorofResearchin the Corporate Governance Center at Kennesaw State University. Among the most prolific researchers in accounting, he has published in such journals as Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, Journal of Accounting and Public Policy, Journal of Accounting Literature, Accounting Horizons, Behavioral Research in Accounting, Journal of Information Systems, and Issues in Accounting Education. Dana has served as co-editor of Accounting Horizons and was founding co-editor of Current Issues in Auditing. He and his co-authors received the 2008 Deloitte/AAA Wildman Medal, which recognizes research judged “to have made or be likely to make the most significant contribution to the advancement of the public practice of accountancy.” In 2010, Dana was cited by Directorship magazine as one of the “People to Watch” in corporate governance, and his work has appeared in such outlets as The Wall Street Journal and BusinessWeek. [email protected]

Terry L. Neal is the Dennis Hendrix Professor of Accounting in the Department of Accounting and Information Management at theUniversityofTennesseeandaResearchFellowattheUniversityofTennessee’sCorporateGovernanceCenter.Healsoservesas the director of the Ph.D. program in Accounting. Terry’s research has been published in The Accounting Review, Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, Journal of Accounting and Public Policy, Accounting Horizons, The International Journal of Accounting, and Corporate Governance: an international review. He currently serves or has served on the editorial boards of The Accounting Review, Auditing: A Journal of Practice & Theory, Accounting Horizons, and Current Issues in Auditing. Terry also has served as an ad-hoc reviewer for several other journals including Contemporary Accounting Research, Journal of Accounting and Public Policy, Journal of Accounting Literature, and Issues in Accounting Education. [email protected]

Research Manager

Lauren Reid is a third year doctoral student at the University of Tennessee with research and teaching interests in auditing and financial accounting. She obtained a Bachelor’s degree and a Master’s degree in Accountancy from Wake Forest University. After acquiringprofessionalexperienceintheauditpracticeatErnst&Young,Laurentaughtintroductoryandintermediatefinancialaccounting courses at Wake Forest University prior to entering the Ph.D. program. She is a licensed CPA in the state of North Carolina. [email protected]


APPENDIX

Detailed Listing of Alleged Audit Deficiencies by Audit Area (n = 81 Total, 35 National, 46 Non-National)

Audit AreaNumber of Cases With Problems [Total / National Firms / Non-National Firms]

Panel A:Engagement Acceptancea. Failure to conduct adequate predecessor / successor communications 4 Total / 0 National / 4 Non-National

b. Inadequate assessment / consideration of management’s integrity 3 / 3 / 0

Panel B:General GAAS Standards a. Inadequate training and proficiency to conduct engagement 7 / 1 / 6

b. Lack of independence from client 8 / 3 / 5• 3involvedauditorperformingaccountingor

management functions for client • 2involvedemploymentdiscussionswiththeclient• 1involvedloanfromtheclient’sCFO• 1involvedthreatoflitigationifauditorwithdrew

from the audit• 1involvedownershipofclientstock

c. Failure to exercise due professional care 54 / 24 / 30

d. Insufficient level of professional skepticism 49 / 21 / 28

e. Former audit employee serves in client management role (CEO/CFO) 1 / 1 / 0

Panel C:Audit Planning – Fieldwork GAAS Standarda. Inadequate planning and supervision 25 / 8 / 17

• 4involvedfailuretowriteanauditprogram

b. Failure to adequately address audit risk and materiality 17 / 7 / 10

c. Inadequate consideration of fraud risks 27 / 12 / 15

d. Failure to address illegal acts by clients 9 / 3 / 6

e. Failure to recognize / ensure disclosure of key related parties 12 / 3 / 9

f. Failure to appropriately design audit programs 3 / 0 / 3

g. Inadequate performance of analytical procedures 1 / 0 / 1

h. Inadequate review of engagement 9 / 3 / 6



Panel D:Understanding Internal Controls – Fieldwork GAAS Standard*a. Failure to obtain an understanding of the entity and its environment (including

assessing the risk of material misstatement)2 / 0 / 2

b. Failure to obtain adequate understanding of internal control 5 / 2 / 3

c. Over-reliance on internal controls (over-relying / failing to react to known control weaknesses)

3 / 2 / 1

d. Failure to consider particular risks related to the control environment 1 / 1 / 0

e. Failure to communicate internal control related matters identified in an audit 1 / 1 / 0

Panel E:Sufficient Competent Evidence – Fieldwork GAAS Standarda. Failure to adequately perform audit procedures in response to assessed risks 12 / 8 / 4

b. Failure to gather sufficient competent audit evidence 59 / 23 / 36

c. Poor performance of substantive analytical procedures 4 / 1 / 3

d. Inappropriate confirmation procedures 12 / 5 / 7• 5involvedfailuretoconfirm• 5involvedfailuretoperformalternateprocedures• 2involvedlaxproceduresleadingtoclientfalsifying

confirmations

e. Inadequate observation of inventories 4 / 0 / 4

f. Failure to adequately audit derivative instruments, hedging activities, and investments in securities

1 / 0 / 1

g. Failure to obtain adequate evidence related to management representations 44 / 18 / 26

h. Over-reliance on / failure to obtain work of specialists 9 / 1 / 8

i. Inadequately considering responses from client’s legal counsel / attorney letters 2 / 1 / 1

j. Inadequate preparation and maintenance of audit documentation 16 / 8 / 8• 7involvedintentionalalterationand/ordestruction

of workpapers

k. Failure to appropriately audit accounting estimates 4 / 3 / 1

l. Incorrect sampling techniques (failing to project results to population) 1 / 1 / 0

Detailed Listing of Alleged Audit Deficiencies by Audit Area continued



Panel F:Reporting GAAS Standardsa. Inadequate evaluation of entity’s going concern status 1 / 0 / 1

b. Failure to adequately communicate with the audit committee 14 / 7 / 7

c. Incorrect/inconsistent interpretation or application of requirements of GAAP 30 / 17 / 13• 10casesinvolvedrevenues,and4involved

reserves (including warranties)

d. Failure to express an appropriate audit opinion 38 / 15 / 23• Majorityofthecasesinvolvedtheauditorissuing

an unqualified opinion on financial statements that did not conform with GAAP and for which the auditor did not adhere to GAAS

e. Failure to evaluate adequacy of disclosure 12 / 8 / 4

f. Failure to appropriately reference the work performed by other auditors 2 / 0 / 2

g. Inappropriate consideration of material subsequent events 1 / 1 / 0

h. Failure to report changes in accounting principle 2 / 1 / 1

i. Inadequate evaluation of impact of uncertainties 1 / 0 / 1

j. Failure to evaluate known audit differences / improperly concluding that “passed” audit adjustments were immaterial

5 / 5 / 0

Note: Audit areas are listed only if there were alleged problems in those areas.

* The number of individual internal control-related audit deficiencies sums to 12 in the Appendix; however, one firm was cited for two of these deficiencies. Thus, in Table 7, the total number of cases in which internal control-related deficiencies are present is 11.

Detailed Listing of Alleged Audit Deficiencies by Audit Area continued

Documents

An Analysis of Alleged Auditor Deficiencies in SEC - Ernst & Young