Auditors currently are caught in the battle over fair value accounting, which has been blamed by financial institutions for causing extreme market volatility, huge write-downs, and the credit crisis.  Moreover, the issuance of the risk assessment standards  (SAS No. 104 - SAS No. 111), the new quality control standard (SQCS No. 7), and amendments to the accounting and review services standards (SSARS No.17), sets a higher bar and requires more judgment by those who provide audit, review, and compilation services. 

Based on the past history of the AICPA Professional Liability Insurance Program, the volume of accounting malpractice claims tends to increase following the onset of an economic downturn.  Amid significant changes to accounting and auditing standards, the timing of the current recession compounds risks for firms that audit, review, or compile financial statements of distressed businesses.  Maintaining an effective system of quality control is essential to managing these risks.

Under the AICPA professional standards, firms are required to establish a system of quality control for its accounting and auditing practice.   A firm should monitor compliance by owners and employees with its quality control policy.   Exceptions to the policy should require approvals by those charged with monitoring compliance. 

Acceptance or Continuance of Clients and Engagements

The recession has increased financial distress on both large and small businesses, resulting in bankruptcies and closures.  National CPA firms have been terminating riskier large clients while competing with smaller firms for healthy mid-market clients. 

Most CPA firms have a written policy on the acceptance of new audit clients. However, SQCS No. 7 applies to both accounting and auditing practices, and requires the establishment of policies and procedures for the acceptance and continuance of both client relationships and specific engagements.

While determining the breadth of these policies and procedures is up to the discretion of firm management, it is important to note that most accounting and auditing malpractice claims do not arise from newly engaged clients, but rather from long-term clients. Effective policies should consider equally the risks associated with both acceptance and continuance of client relationships and specific engagements.

When performing due diligence on prospective clients, scrutinize their financial condition carefully.  Besides checking for threats to independence or conflicts of interest, it is important to acquire an understanding of the prospective client’s business and industry and evaluate the firm’s qualifications to provide requested services. In investigating client integrity, evaluate the principal owners, key management, related parties and those charged with governance. Evaluate their industry experience and reputation, as well as their history with other businesses and professional service providers. Consider performing civil and criminal background checks if the parties and business can not be vetted through industry and professional contacts well known to the CPA firm.

Furthermore, evaluate the financial condition and related risks of existing clients prior to agreeing to render a previously performed service or to accept an engagement to perform a new service.  Many firms wrestle between loyalties to financially-troubled clients and heightened risk exposure from continuing the professional relationship.  Claims experience indicates that long-term clients do sue their accounting firms for business reasons, regardless of long term or personal relationships. Moreover, when a client’s business fails, malpractice claims often are filed by the client’s lenders or shareholders, or in bankruptcies, by the bankruptcy trustee. Historically, approximately 30% of all audit-related claims are made by such third parties.

Clients may try to reduce costs by changing financial statement services from audit to review or compilation.  A firm should evaluate the risks associated with the expectations of and reliance by client and third parties on the firm’s work.  Conversely, clients may want to change the service from compilation or review to audit.  The firm should get an understanding of the purpose of this change and evaluate any increase in risk exposure because of the change.  In addition, independence may be threatened or impaired if financially stressed audit clients request the auditor to reduce necessary audit procedures in order to cut its fees , or have unpaid fees .  In these situations, the firm should evaluate if fees are commensurate with the risks of association with such clients and may have to consider terminating the professional relationship with these clients.

As a result of the engagement quality control review requirement under SQCS No. 7, sole practitioners are seeking other firms to conduct a second review of their audits.  Although this may be regarded as a consulting engagement by the reviewing firm, the firm should understand that there is risk associated with such engagements. SQCS No. 7 requires documentation of the engagement quality control review.     As this documentation will be contained in the working papers of the auditor, it is subject to discovery in the event of litigation against the auditor.  The reviewing firm should conduct due diligence on the sole practitioner (e.g., knowledge and experience, quality of work, reputation, etc.) and perform risk assessment on the engagement prior to acceptance of the client or engagement.

Distressed Clients

Allegations of failure to evaluate going concern  or subsequent events  are growing during the economic downturn.  Clients that are in financial distress may pressure their auditors not to include a going concern modification to the report.  These clients may also resist the auditor’s recommendation to write down asset values (e.g., accounts receivables, inventory, or leases).  Auditors need to document their evaluations of both going concern and subsequent events, and explanations for their decision to omit or include a going concern modification in the report.  The inclusion of adequate disclosures about significant contingencies in the financial statements or footnotes to same is the responsibility of client management, but is also important in minimizing the risk of malpractice claims against external auditors. 

Similarly, documentation of consideration of going concern and subsequent events should be made before the compilation or review report is issued.  If the accountant determines that management’s conclusions on these matters are unreasonable, the disclosure of the uncertainty regarding the entity’s ability to continue as a going concern is not adequate, or the subsequent event is not adequately accounted for in the financial statements or disclosed in the notes, the accountant should follow the guidance contained in SSARS in issuing their report. 

Increasingly, lenders are reluctant to waive violations of loan covenants, as was the practice prior to the economic downturn.  Consequently, a distressed client may request that the auditor delay issuing the report while the business continues to draw down the loan.  Auditors remain responsible for considering  “…events or transactions …subsequent to the balance-sheet date, but prior to the issuance of the financial statements, that have a material effect on the financial statements and therefore require adjustment or disclosure in the statements.” 

Additionally, to the extent that issuance of the auditor’s report is delayed and equity and debt holders ultimately experience losses resulting from business failure, they may attempt to sue the auditors, alleging that their recovery from the business liquidation would have been more if the business had closed sooner — particularly if the same or similar issues affecting going concern existed in prior period audited financial statements. Delaying issuance of the report for reasons other than awaiting information needed to complete field work creates elevated risk to auditors, and pressure by clients to delay issuance to avoid disclosure of loan covenant violations and the like should be resisted.  

Distressed clients may also pressure their auditors to attend loan negotiation meetings before the auditor’s report is issued.  Participating in loan discussions with lenders can place accountants in privity of contract with the lender, exposing the firm to claims alleging that their credit decision was based on representations made by the accountant at the meeting. 

Increase in Risks of Fraud and Thefts

Thefts, Ponzi schemes, and other types of fraud are often discovered during recessions due to lack of new investors and insufficient cash flow.  Clients and third parties who are unable to recover their losses from the culprits may sue their accountants or auditors, alleging failure to discover the fraud or theft.  The firm should:

 

• conduct mandatory annual fraud training, reminding all professionals of the need to maintain professional skepticism;
• perform required risk assessments, including consideration of fraud ;
• document testing and procedures carefully;
• require timely reporting of any fraud or theft suspicions to the person-in-charge of engagement;
• adequately document all communications regarding possible evidence of fraud or theft with those charged with governance;  
• ensure adequate partner supervision of the auditing team from planning to completion; and 
•  conduct thorough engagement quality control review.

These are examples of some critical accounting and auditing quality controls, but are not all inclusive.  Firms should be committed to regular monitoring of quality control compliance.  For example, if a checklist is used to document procedures performed during the audit, each item should be carefully considered before checking the box.  If an item on the checklist is not applicable or if there is a reason the procedure was not performed, an effective quality control procedure will require an explanation or reference in the working papers. Failure to include such documentation in the working papers will complicate the defense of the work performed in the event of a claim. 

In addition, from a risk control perspective, concerns that come to the attention of the auditor during field work should be reported immediately to all members of the audit committee, board of directors or those charged in governance, not just to a member of management or the chairman of the board of directors. This discussion should be documented in writing. This includes, for example, discovery of improper accounting practices, internal control deficiencies, and evidence of possible theft or fraud. 

Belatedly, some auditors discover that a fraud has been perpetuated by management by overriding internal controls, and certain board members blindly support management despite the information provided by the auditor.  Ensuring that all board members receive the same information at the same time significantly mitigates risks to the auditor, as the board members have a fiduciary duty to act on the information provided.

Risk Control

A strong commitment to quality control is both required to comply with SQCS No. 7 and to mitigate the risk of both errors and malpractice claims. Quality control principals should monitor compliance with the firm’s quality control system including, for example, training, documentation, and acceptance and continuance of clients and engagements.  The partner-in-charge of each engagement should participate in and monitor the engagement from planning to completion, including supervision. Ultimately, firm management is responsible for the firm’s system of quality control, which should set the “tone at the top”, focusing primarily on quality and secondarily on efficiency.

August 2009

CNA, Accountants Professional Liability, CNA, 333 South Wabash Ave., 39 South, Chicago, IL 60604

Resources:

• AICPA Establishing and Maintaining a System of Quality Control for a CPA Firm's Accounting and Auditing Practice
• AICPA Audit and Accounting Manual
• PPC’s Guide to Quality Control
• AICPA Small Business Audits: Best Practices Including Risk Assessment and Internal Control
• Audit Quality in Employee Benefit Plan Audits

This information is produced and presented by CNA, which is solely responsible for its content.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA. CNA recommends consultation with competent legal counsel and/or other professional advisors before applying this material in any particular factual situations.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such Web sites.

To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental.  In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy.  Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured.  All CNA products and services may not be available in all states and may be subject to change without notice.

IRS Circular 230 Notice: The discussion of U.S. federal tax law and references to any resources in this material are not intended to: (a) be used or relied upon by any taxpayer for the purpose of avoiding any federal tax penalties; (b) promote, market or recommend any products and/or services except to the extent expressly stated otherwise; or (c) be considered except in consultation with a qualified independent tax advisor who can address a taxpayer’s particular circumstances.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

CNA is a registered trade mark of CNA Financial Corporation. Copyright © 2009 CNA.  All rights reserved.

1.   AU Section 161.  Refer to the article, Risk Alert: Risk Assessment Auditing Standards available at   http://www.cpai.com/members/members/access.jsp
2.   AICPA QC §10.03
3.   AICPA QC §10.100
4.   Conceptual Framework for AICPA Independence Standards, ET §100.01.17
5.   AICPA Ethics Rulings on Independence, Integrity, and Objectivity, ET §191.089
6.   QC 10.99, Documentation of the Engagement Quality Control Review
7.   AU Section 341 requires evaluation of the entity’s going concern for a reasonable time, not to exceed one year beyond the date of the financial statements being audited.
8.   AU Section 560 requires evaluation of events existed at balance sheet date or after the balance sheet date but before the auditor’s report is issued that have material impact on the financial statements and require adjustment or disclosure in the statements.
9.    SSARS No. 1
10.   AU Section 560, Subsequent Events
11.   AU Section 316 (SAS 99)