Guidance on auditing high-risk clients.
Although Ernst & Young ultimately decided to retain Bally as a client, it made several attempts to reduce its risk, according to the SEC Accounting and Auditing Enforcement Release (AAER-3087; www.sec.gov/divisions/enforce/friactions/friactions2009.shtml). It delivered a terms-of-engagement letter to Bally's CFO that outlined conditions for the firm to remain on the engagement. It rotated in an engagement partner with the ability to "deliver tough messages" and instructed the new engagement partner to "fix this situation to reduce the firm's risk." When the new engagement partner was not willing to sign off on the 2003 financial statements because the accounting for reactivation fees was "more aggressive than he was willing to accept," senior-level partners, including the managing partner of the office and the head of Ernst & Young's U.S. professional practice directors, met with Bally in June 2003 and insisted that Bally record the numerous accounting errors that had historically been placed by Ernst & Young on the summary of audit differences. Ultimately, Ernst & Young was successful in getting Bally to discontinue the procedures for recording reactivation revenue.
The events to follow, however, were not favorable for Ernst & Young. In the end, the SEC settled charges of accounting fraud with Bally as a result of Bally's overstatement of its 2001 stockholder's equity by $1.8 billion and understatement of net losses by $92.4 million and $90.8 million in 2002 and 2003, respectively. In December 2009, Ernst & Young agreed to pay $8.5 million to settle charges against six partners for failing to exercise appropriate professional skepticism. The SEC barred five of these partners from practicing before the SEC for periods ranging from nine months to three years and censured the sixth partner. Robert Khuzami, director of the SEC's Enforcement Division, called the settlement one of the highest paid by an auditor and said, "This case is a sharp reminder to outside auditors that they must carry out their duties with due diligence."
During that meeting in June 2003, Ernst & Young offered to permit Bally to write off the reactivation accrual over several quarters, therefore violating GAAP. Ernst & Young also agreed to provide Bally with a preferability letter stating that the proposed change was "a more preferable method of accounting" as opposed to "a correction of an error that required restatement because Bally's original accrual procedures violated GAAP." Furthermore, only several months prior to the meeting with Bally, Ernst & Young had issued an unqualified opinion for 2002, despite the reactivation revenue issue.
A key point is that, despite Ernst & Young's awareness of the high-risk nature of this engagement and, despite its attempts to minimize this risk, Ernst & Young was nevertheless sanctioned by the SEC. This is not the first time a Big Four firm designated a client as high risk, took additional measures, and later settled charges with the SEC for unprofessional conduct. Within the past five years, there have been others.
Findings of Unprofessional Conduct
In 2008, PricewaterhouseCoopers agreed to pay $2.4 million to settle charges in connection with its audit of the Warnaco Group Inc. PricewaterhouseCoopers internally assessed the risk of fraudulent financial reporting as a five out of six and identified significant risk factors. It concluded that a $145 million restatement of the prior three years' financials resulted from an overstatement of inventory caused by an antiquated and defective accounting system. PricewaterhouseCoopers identified significant errors in inventory accounts during prior audits and, accordingly, recommended that senior management take measures to correct Warnaco's standard cost system. The auditors met with senior management for two days and convinced Warnaco to restate its financials. The auditors, however, ultimately did not object when Warnaco issued a press release, as well as a note in its annual report, that misleadingly characterized the overstatement as startup-related costs that could be written off pursuant to adoption of a new accounting pronouncement.
In 2008, an Andersen partner settled SEC charges initiated in 2002 and was suspended for five years in connection with audits of HBO & Company (HBOC) and Ebix.com Inc. for failing to appropriately consider and assess the risk of material misstatement due to fraud and fraud risk factors. Andersen considered HBOC to be a high-risk client during 1997 and a maximum-risk client during 1998. Despite this assessment, the engagement partner did not design review and audit procedures commensurate with the level of risk, given the red flags that HBOC's management did not comply with GAAP. It continued to recognize revenue on contracts with contingent terms for software sales to customers in side letters. On three separate occasions, the partner met with HBOC's audit committee, but did not report concerns that the company was failing to conform with GAAP, nor did he report disagreements with management over revenue recognition or problems with internal controls.
In 2005, Deloitte agreed to pay $25 million to settle charges in connection with its audit of Adelphia Communications Corp. and agreed to implement a number of procedures for public companies in its risk management program to more adequately address these risks. For years, the auditors designated Adelphia as the highest level of risk based on numerous pervasive risk factors, as well as specific risks associated with particular account balances. The auditors on the engagement even communicated these risks with the national office and had a special review partner review the risk assessment. In the end, Adelphia perpetrated a massive fraud involving senior management and the transfer of billions of dollars of liabilities to off-balance sheet affiliates, among other fraudulent practices. The SEC concluded that, for the 2000 audit, "notwithstanding that Deloitte had identified nine specific audit risks, Deloitte failed to do any meaningful assessment of whether those risks had been appropriately addressed."
Risk Assessment Standards
The overall risk of an auditor's association with a particular client is called engagement risk. It consists of a client's business risk (profitability and survivability), audit risk (failing to appropriately modify the opinion on financial statements that are materially misstated), and an auditor's business risk (potential litigation from audit failures). According to a survey of audit managers and partners, a client's management integrity is the most important component of engagement risk, followed by the effect of the auditor's reputation and solvency, the client's reputation, the client's solvency, and elements of fraud, among others (J. Ethridge, F. Stephen, T. Marsh, B. Revelt, "Engagement Risk: Perceptions and Strategies from Audit Partners," Journal of Business & Economic Research, April 2007, pp. 25-32).
The Public Company Accounting Oversight Board (PCAOB), AICPA, and International Auditing and Assurance Standards Board (IAASB) have all been focusing on audit risk in recent years. The Exhibit summarizes the status of the applicable standards for each of the standards-setting authorities.
EXHIBIT: Status of Applicable Standards on Audit Risk from Standards-Setting Bodies

| PCAOB | AICPA | IAASB |
|---|---|---|
| Approved August 2010. Effective date: periods beginning on or after December 15, 2010 | Approved January 2010. Effective date: periods beginning on or after December 15, 2012 | Effective date: periods beginning on or after December 15, 2009 |
| AS 8, Audit Risk | Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement - Redrafted (To supersede SAS 109) | ISA 315, Identifying and Assessing the Risk of Misstatement through Understanding the Entity and its Environment |
| AS 9, Audit Planning; AS 10, Supervision of the Audit Engagement | Planning an Audit (To supersede SAS 108) | ISA 300, Planning an Audit of Financial Statements |
| AS 11, Consideration of Materiality in Planning and Performing an Audit | Materiality in Planning and Performing an Audit (To supersede SAS 107) | ISA 320, Materiality in Planning and Performing the Audit |
| AS 12, Identifying and Assessing Risks of Material Misstatement | | |
| AS 13, The Auditor's Responses to the Risks of Material Misstatement | Performing Audit Procedures in Response to Assessed Risk and Evaluating the Audit Evidence Obtained - Redrafted (To supersede SAS 110) | ISA 330, The Auditor's Responses to Assessed Risk |
| AS 14, Evaluating Audit Results | Evaluation of Misstatements Identified During the Audit (To supersede SAS 107) | ISA 450, Evaluation of Misstatements Identified During the Audit |
| AS 15, Audit Evidence | Audit Evidence - Redrafted (To supersede SAS 106) | ISA 500, Audit Evidence |

Note: The PCAOB standards will supersede six interim auditing standards: AU section 311, Planning and Supervision; AU section 312, Audit Risk and Materiality in Conducting an Audit; AU section 313, Substantive Tests Prior to the Balance Sheet Date; AU section 319, Consideration of Internal Control in a Financial Statement Audit; AU section 326, Evidential Matter; and AU section 431, Adequacy of Disclosure in Financial Statements.
In August 2010, the PCAOB approved eight auditing standards related to an auditor's assessment of and response to risk. The PCAOB revised the standards originally proposed in 2008 in response to numerous suggestions made during the comment period. Daniel L. Goelzer, acting chairman of the PCAOB, pointed out three areas that are particularly significant. According to Goelzer, the standards more fully align with Auditing Standard (AS) 5, An Audit of Internal Control Over Financial Reporting That Is Integrated with an Audit of Financial Statements. In addition, these standards more explicitly emphasize the need to evaluate financial statement disclosures as part of assessing the risk of material misstatement. They also contain additional requirements related to the auditor's responsibility to consider the possibility of fraud. These include increased emphasis on consideration of potential management bias and risks.
Theo Vermaak, director of accounting and auditing at PKF LLP in New York (and chairman of the PKF international professional standards committee), has pointed out the benefit in having a suite of standards to pull everything together. Nevertheless, a common criticism voiced by several, including Jeanette Franzel, the Government Accountability Office's (GAO) managing director, is that there is a duplication of effort between the PCAOB and other established independent auditing standards-setting organizations, such as the AICPA and the IAASB.
Prior to the PCAOB's efforts, the AICPA's Auditing Standards Board redrafted Statements on Auditing Standards (SAS) related to risk assessment in an effort to more clearly identify objectives, definitions, requirements, and applications. The original standards (SASs 104-111) had been issued in 2006 and were, collectively, referred to as the Risk Assessment Standards. The IAASB also issued clarified standards related to risk assessment to enhance the clarity of its international standards. There are many common threads throughout for all three standards-setting bodies.
An auditor should perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and relevant assertion levels. The PCAOB, AICPA, and IAASB all define significant risk as "an identified and assessed risk of material misstatement that, in the auditor's judgment, requires special audit consideration." In exercising judgment about which risks are significant risks, the auditor should consider at least--
* whether the risk relates to fraud;
* whether the risk is related to recent significant economic, accounting, or other developments and, therefore, requires specific attention;
* the complexity of transactions;
* whether the risk involves significant transactions with related parties;
* the degree of subjectivity in the measurement of financial information related to the risk, especially those measurements involving a wide range of measurement uncertainty; and
* whether the risk involves significant transactions that are outside the normal course of business for the entity or that otherwise appear to be unusual.
An auditor's overall response to the assessed risks of material misstatement at the financial statement level includes--
* emphasizing to the audit team the need to maintain professional skepticism;
* assigning more experienced staff or those with specialized skills, or using specialists;
* providing more supervision;
* incorporating additional elements of unpredictability in the selection of further audit procedures to be performed;
* making general changes to the nature, timing, or extent of audit procedures (for example, performing substantive procedures at period-end instead of at an interim date or modifying the nature of audit procedures to obtain more persuasive audit evidence).
In addition to the above, the knowledge, skill, and ability of engagement team members with significant engagement responsibilities should be commensurate with the assessed risks of material misstatement. An auditor should also evaluate whether the company's selection and application of significant accounting principles, particularly those related to subjective measurements and complex transactions, are indicative of bias that could lead to material misstatement of the financial statements.
Risk Assessment Programs and Procedures
Partners and managers in small to midsize CPA firms indicate that the assignment of more experienced audit staff and increased substantive testing of account balances are the most predominant strategies used to mitigate risk, according to survey results from Ethridge et al. A change in the predictability of procedures is another common strategy. Auditors did not believe this strategy to be nearly as effective, however. Specialists are not often used (e.g., only 36% of respondents reported using a specialist). But when auditors have used specialists, they have been fairly effective.
Several large firms now have risk management programs in place and use formalized techniques to assess risk. Deloitte & Touche, for instance, implemented its Risk Management Program in 2005, after the Adelphia case. Deloitte Radar (DDAR) is a software tool that uses publicly available data and proprietary quantitative techniques to provide an indication of each public client's susceptibility to business failure and financial statement fraud. Deloitte & Touche uses this information to plan risk-based audit procedures and determine whether clients should be included in its risk management program. Engagements deemed "much greater than normal risk" are included, while engagements deemed "greater than normal risk" are considered for inclusion.
In addition to the engagement partner, a special review partner and a specialist in fraud-related risk are assigned to all risk management program engagements. The engagement team identifies, and the risk management department reviews, the steps to mitigate the risk factors. Clients who successfully mitigate these risk factors move out of the program. Since Deloitte & Touche's risk management program began in its current form in 2005, approximately 47% of the clients in the program have exited the program and approximately 43% are no longer audited by the firm, according to Deloitte's "Advancing Quality Through Transparency" report dated January 2010. According to Deloitte, its clients "have a significant impact on our reputation as a public company auditing firm. As a result, risk management procedures are essential in assessing and considering the companies and individuals who are or may become our clients, defining the engagement terms that are appropriate for the specified services, and identifying and addressing engagement-related risks."
In the actual SEC cases discussed above, auditors did identify significant risks during the audits. Deloitte even had both a concurring partner and a special review partner assigned to the Adelphia audit. Similarly, Ernst & Young did involve high-level audit partners to deal with the risks identified during the Bally audit. Both Deloitte & Touche and Ernst & Young also consulted with their national offices on these issues.
The SEC concluded that Deloitte & Touche performed only a cursory review of the audit plan and did not appropriately follow up on the identified risks. The SEC concluded similarly for the Andersen partner on the HBOC audit. Both of these audits predate the risk assessment standards. On the other hand, both Ernst & Young and PricewaterhouseCoopers did follow up on the identified risks. In both cases, the downfall came late in the process.
Engagement Quality Reviews
The engagement quality reviewer, also known as the concurring reviewer, plays a critical role throughout the engagement, especially at the very end. Mark W. Olson, former PCAOB chair, stated in a 2008 speech to the Association of Audit Committee Members: "A well-performed concurring partner review can provide sound support to audit quality" (pcaobus.org/News/Speech/Pages/05212008_OlsonAssociationofAuditCommitteeMembers.asp). In the case of Ernst & Young and the Bally audit, two of the six partners charged by the SEC were concurring review partners and were barred from practice for two and three years.
The PCAOB issued AS 7, Engagement Quality Review, for audits on or after December 15, 2009. (This effective date was only two days prior to Ernst & Young's settlement with the SEC for its role in the Bally audit.) Under AS 7, the role of the engagement quality reviewer is to "perform an evaluation of the significant judgments made by the engagement team." The standard addresses both the qualifications of the engagement quality reviewer and the actual review process.
With regard to the engagement quality review process, the engagement quality reviewer should--
* Evaluate the significant judgments that relate to engagement planning, including--
    * The consideration of the firm's recent engagement experience with the company and risks identified in connection with the firm's client acceptance and retention process,
    * The consideration of the company's business, recent significant activities, and related financial reporting issues and risks, and
    * The judgments made about materiality and the effect of those judgments on the engagement strategy.
* Evaluate the engagement team's assessment of, and audit responses to--
    * Significant risks identified by the engagement team, including fraud risks, and
    * Other significant risks identified by the engagement quality reviewer through performance of the procedures required by this standard.
* Evaluate the significant judgments made about (1) the materiality and disposition of corrected and uncorrected identified misstatements and (2) the severity and disposition of identified control deficiencies.
* Review the engagement team's evaluation of the firm's independence in relation to the engagement.
* Review the engagement completion document and confirm with the engagement partner that there are no significant unresolved matters.
* Review the financial statements, management's report on internal control, and the related engagement report.
* Read other information in documents containing the financial statements to be filed with the Securities and Exchange Commission ("SEC") and evaluate whether the engagement team has taken appropriate action with respect to any material inconsistencies with the financial statements or material misstatements of fact of which the engagement quality reviewer is aware.
* Based on the procedures required by this standard, evaluate whether appropriate consultations have taken place on difficult or contentious matters. Review the documentation, including conclusions, of such consultations.
* Based on the procedures required by this standard, evaluate whether appropriate matters have been communicated, or identified for communication, to the audit committee, management, and other parties, such as regulatory bodies. (AS 7, pcaobus.org/Standards/Auditing/Pages/Auditing_Standard_7.aspx)
The engagement quality review process was a critical turning point for Ernst & Young in the Bally audit, as there were "judgments related to financial reporting issues and risks," "unresolved matters," and "consultations on difficult or contentious matters." The importance of the concurring review partner was addressed by the SEC several years earlier with regard to the Adelphia audit. The SEC described the role of the special review partner as overseeing the planning and design of audit procedures for audit risks identified during planning. These procedures should be specifically tailored to specific risks identified. This partner should provide additional consultation to discuss specific risk areas and plans to respond to them, consult with the engagement team and partners, review audit work-papers relating to risk areas, and review the financial statements and audit report, with an emphasis on identification of specific risk areas and report disclosures. The special review partner should review this documentation and indicate the specific and pervasive audit risks identified during planning or the engagement, the procedures to address each risk, and an explanation of why procedures adequately address each risk. The special review partner should also review significant issues to determine whether there is a need to consult with the national office.
Ernst & Young did involve a number of partners in the Bally audit. There has been some concern by members of the profession that, in this case, the sanctions imposed by the SEC may provide incentives for firms to make unfavorable changes to risk management processes. Given the wide reach of the SEC's sanctions--a total of six Ernst & Young partners involved with the client to different degrees--there is a concern that auditors not primarily involved with the audit engagement would be less motivated to play a role in the audit. "Firms may become more risk-averse and involve less people in the process," stated Vermaak. This, obviously, would be a negative outcome for the profession and would contradict the intent of the risk assessment standards.
The PCAOB's Role
There are currently more than 1,800 audit firms registered with the PCAOB. More than 800 of these firms are currently subject to inspection by the PCAOB. The inspection team uses a two-tier risk analysis to inspect CPA firms. First, it selects a sample of audit engagements for review based on an assessment of the audit risk posed by the engagement. Then, the PCAOB inspectors focus their reviews on portions of the selected audits most likely to pose the most challenging issues (e.g., the level of audit, accounting, or SEC compliance risk). The PCAOB inspectors review the audit methodology. As part of their review of audit planning, they look at risk assessment.
Over the past several years, the PCAOB inspection program has evolved to more closely examine the relationship between audit quality and a firm's approach to managing its own quality controls and risk. Olson stated in his 2008 speech: "When current market conditions began to emerge, the PCAOB initiated dialogue with auditors about potential audit risks associated with changing market conditions. The PCAOB has continued its dialogue with auditors as the risks have deepened and spread to a number of instruments."
Small to Midsize Firms
Although the SEC enforcement actions discussed above involve only large CPA firms, the concept of engagement risk is applicable to smaller firms as well. As an increasing number of larger clients move from Big Four to second-tier audit firms, auditors are increasingly exposed to more business risk and, as a result, litigation (Chris Hogan and Roger Martin, "Risk Shifts in the Market for Audits: An Examination of Changes in Risk for 'Second Tier' Audit Firms," Auditing: A Journal of Practice and Theory, November 2009, pp. 93-118). The changes in portfolios of audit clients have stemmed from recent events, such as Andersen's demise and the Sarbanes-Oxley Act of 2002. Small and midsize CPA firms are critical in this market, as these firms audit almost 80% of the more than 3,600 companies with revenues of less than $100 million, according to Olson.
Ethridge et al. raise a concern that small and medium-size CPA firms have not substantially changed their views about the importance of engagement risk in recent years. According to their survey, completed by a national sample of audit partners and managers in primarily small and medium-size firms with few or no SEC clients, 83% of respondents believe their views regarding the importance of engagement risk have changed, but only to a moderate degree. Only 64% of audit firms report classifying clients by risk categories (e.g., low to moderate to high). Of the firms that do classify clients by risk, the firms rate only approximately 58% of their clients as low. Vermaak points out that while smaller firms may have less formalized processes to address risk, these firms nevertheless have procedures in place to address risk. Robert Manzella, audit partner at Pustorino, Puglisi & Co., LLP, suggests that the expanding role of the quality control reviewer in smaller firms is one example of this increased focus on risk.
Auditing in Risky Times
In the past, the Big Four proceeded cautiously in audits of identified high-risk clients, but the audit could still result in unprofessional conduct charges leveled by the SEC. In response, standards setters have recently focused on the risk assessment area by issuing, and now redrafting, several new auditing standards. In addition, accounting firms are fine-tuning their risk management programs and procedures. The auditing profession has also addressed this area through PCAOB AS 7, which focuses audit engagement personnel on the clients' risks.
"In these increasingly risky times, managing risk has never been more difficult--or more important," stated Rick Funston and Bob Dalton in the Deloitte & Touche newsletter "Good Risk. Bad Risk" (2009). While this quote is directed at clients, it applies equally to audit firms. The accounting profession has gone to great lengths to hone the guidance available to auditors. Consider it a work in progress, as the profession continues to learn by experience.
Jill M. D'Aquila, PhD, CPA, is an associate professor of accounting, Kim Capriotti, PhD, is an associate professor of finance and accounting, Robert Boylan, PhD, CPA, is the chair of the department of accounting and finance, and Ruth O'Keefe, JD, MBA, CPA, is a professor of accounting and business law, all in the Davis College of Business at Jacksonville University, Jacksonville, Fla.
|Author:||D'Aquila, Jill M.; Capriotti, Kim; Boylan, Robert; O'Keefe, Ruth|
|Publication:||The CPA Journal|
|Date:||Oct 1, 2010|