Due Professional Care in Cases of High Engagement Risk
By Elizabeth Venuti, Mark P. Holtzman, and Anthony Basile
Audit lessons from Andersen and Enron
The Enron–Andersen debacle makes for a case study on exercising due professional care on high-risk audit engagements. Auditing issues that the Enron case highlights include going-concern assessments; related-party disclosures; subsequent discovery of facts; auditor independence; audit documentation; and loss contingency disclosures. The authors examine these high-risk areas and discuss how auditors can avoid audit failures by due professional application of auditing standards.
The media scrutiny of the Enron-Andersen case has obscured relevant auditing and accounting issues. Although apparent loopholes in the application of accounting standards may have enhanced Enron’s ability to manipulate earnings, shortcomings in and the application of auditing standards may have reduced the effectiveness of Andersen’s audit.
Many of Enron’s complex, related-party transactions involved off–balance sheet financing arrangements guaranteed by Enron’s stock. Additionally, the company’s stock price depended on earnings growth and continued access to capital. Combined, these circumstances created a high-risk environment from an audit perspective.
“Going Concern” Issues
SAS 59, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern, requires the auditor to evaluate conditions or events discovered during the engagement that raise questions about the validity of the going-concern assumption. The auditor is not required to design specific audit procedures to identify such conditions and events. Instead, when evaluating the results of the overall audit, the auditor should consider whether certain conditions or events discovered during the course of the audit contradict the going-concern assumption. The projection of the going-concern concept is defined as not exceeding one year beyond the date of the audited financial statements. The current standard places the responsibility for identifying any exceptions to the going-concern assumption with the auditor.
Because a going-concern opinion may cause stockholders and creditors to lose confidence in the company and ratings agencies to downgrade the debt, leading to an inability to obtain new capital and an increase in the cost of existing capital, auditors are extremely cautious in giving such opinions. Because Enron had debt guarantees tied to its credit rating, a going-concern opinion could have sealed the company’s fate even sooner.
If Andersen had included a going-concern paragraph in its opinion on Enron’s 2000 financial statements, its fate might have been very different. Auditors, however, cannot predict the future. Failure to issue a going-concern opinion is not sufficient evidence of an audit failure, and the absence of a going-concern qualification should not be viewed as providing assurance. Post–SAS 59 research shows that 40% to 50% of failed companies do not receive going-concern qualifications in the year immediately preceding bankruptcy. Of three recent high-profile bankruptcy filings—Enron, K-Mart, and Global Crossing—none received a going-concern opinion.
The Auditing Standards Board (ASB) has revisited the going-concern issue. The original standard, SAS 34, The Auditor’s Considerations When a Question Arises About an Entity’s Continued Existence (1981), was superseded by SAS 59 in 1988. While the current audit guidance for considering the going-concern assumption is widely acknowledged to be problematic, neither the ASB nor FASB has addressed this item.
SAS 96, Auditing Documentation, would augment the documentation requirements of SAS 59 by requiring an auditor to document the conditions or events that lead it to believe there is substantial doubt about a company’s ability to continue as a going concern. The documentation must also describe the work the auditor performed to evaluate management’s plans. The auditor should document its conclusion as to whether there is substantial doubt about the company’s ability to continue as a going concern for a reasonable period of time, as well as how that conclusion will affect the financial statements, disclosures, and audit report.
In its final report, the Panel on Audit Effectiveness recommended that “the ASB provide expanded guidance and specific examples of the auditing procedures to be performed and the audit evidence to be obtained when considering management’s plans for mitigating the adverse effects of conditions and events that raised the auditor’s substantial doubt about the entity’s ability to continue as a going concern” and that audit firms provide specific guidance and practice aids for considering management’s plans. Their most controversial recommendation was that the FASB codify a definition of the going-concern concept. The panel’s opinion was that management has the responsibility to evaluate and report on the entity’s ability to remain a going concern, similar to International Accounting Standard (IAS) 1—a recommendation that shifts the focus from an auditing issue to an accounting issue, and is in direct conflict with the auditor’s present responsibilities.
IAS 1, Presentation of Financial Statements, requires that management assess the entity’s ability to continue as a going concern. If the fundamental assumption of going concern is not sustainable, then management is required to disclose the events and conditions giving rise to the material uncertainties. IAS 570, Going Concern, requires the auditor to evaluate management’s assessment and the adequacy of the disclosures.
Currently, GAAP provides no guidance for evaluating the going-concern assumption. In 1998, the Financial Capability Working Group, composed of representatives of FASB, ASB, and AcSEC, was formed to evaluate whether accounting and auditing standards setters should undertake a project to address financial reporting and auditing issues on the topic of financial capability (i.e., going concern). The group concluded that further work on the project was unnecessary because the financial statement users with whom they spoke did not support it as a priority.
SFAS 45, Related-Party Disclosures, provides requirements for related-party disclosures, and SAS 45, Omnibus Statement on Auditing Standards—1983, provides guidance on procedures that the auditor should consider to identify related-party relationships and transactions and to satisfy the auditor concerning the adequacy of the required financial statement accounting and disclosure. To determine the scope of the work, the auditor should obtain an understanding of the corporate structure and the business purpose served by the various components of that structure. The auditor’s permanent file for the client should include information about prior relationships, and the current audit should expand on the information previously gathered.
A corporation’s business structure and operating style can be designed to obscure related-party transactions, and discovery of certain types of related-party transactions may be a warning sign of fraud. A client known to engage in significant related-party transactions carries elevated engagement risk. In such cases, the auditor should increase the scope of substantive tests to identify and understand the nature of related-party transactions and to ensure proper accounting and disclosure for such transactions.
To identify any undisclosed relationships, the professional standards recommend that the auditor review the nature and extent of business transacted with major customers, suppliers, borrowers, and lenders. Common boards of directors or corporate executives, the absence of competitive bidding, or transactions at nonmarket prices can indicate the existence of such relationships. Reviewing the invoices of law firms that have performed services might also reveal that the client sought legal advice on structuring certain transactions.
A large number of Enron’s transactions were with businesses controlled by Enron executives and friends. We know now that Enron’s financial statements inadequately disclosed related parties and the types of financial commitments and transactions that occurred, and the possibility exists that Enron management purposefully concealed from Andersen these relationships or their extent. The Sarbanes-Oxley Act of 2002 has several sections that deal with concealing items from the auditors, and it even requires attorneys to communicate problems in such a way that the auditors will learn about them if they rise to the audit committee.
Enron had more than 3,000 subsidiaries and affiliates, and identifying all material transactions subsidiaries and affiliates would have required an exhaustive, expensive audit. These complexities and the strong possibility that Enron often used the form of the transactions to conceal their substance posed hazards for the Andersen engagement team.
If the assertion in the Report of Investigation of the Special Investigation Committee of the Board of Directors of Enron Corporation that Andersen billed Enron $5.7 million for advice in connection with two of the largest related-party partnerships is true, Andersen’s consulting group provided advice to Enron on how to structure the partnership transactions in order to avoid consolidation, and then Andersen’s assurance group audited these same transactions to determine GAAP compliance. Whether this assertion is true may be less important than the appearance of compromised independence—that the firm may have been auditing transactions that it had itself designed.
In December 2001, the AICPA released Accounting and Auditing for Related Parties and Related Party Transactions: A Toolkit for Accountants and Auditors, which provides an overview of selected authoritative accounting and auditing literature, SEC requirements, and nonauthoritative best practice guidance concerning related parties and related-party transactions. It also includes guidance for accounting and auditing for SPEs and checklists and other tools to help auditors comply with the appropriate accounting and auditing standards. Andersen was among the firms that facilitated preparation of the toolkit by sharing with the AICPA their related-party practice guidance.
Risk and Fraud Assessment Issues
SAS 47, Audit Risk and Materiality in Conducting an Audit, directs the auditor to consider audit risk and materiality in planning the audit and designing audit procedures and in evaluating whether the financial statements are presented fairly and in conformity with GAAP. SAS 82, Consideration of Fraud in a Financial Statement Audit, specifically directs the auditor to assess the risk of material misstatement of the financial statements due to fraud and to consider this assessment when designing audit procedures to be performed. The auditor should consider fraud risk factors such as management’s characteristics and influence over the control environment, industry conditions, and operating characteristics and financial stability in making this assessment. As part of the annual audit, the audit engagement team should perform an engagement risk assessment in order to minimize the chances of associating with a client whose management lacks integrity.
A February 6, 2001, e-mail from Andersen partner Michael D. Jones to then–Andersen partner David B. Duncan provides insight into Andersen’s evaluation of the Enron engagement risk. During a February 5, 2001, meeting, Andersen partners discussed whether to retain Enron as a client, given the high degree of engagement risk. The partners discussed the extensive related-party transactions with an SPE run by Enron executives and audited by other firms, Enron’s aggressive transaction structuring, and whether the Andersen staff fully understood the economics and substance of the transactions. The partners concluded that they had the appropriate people and processes in place to serve Enron.
During that meeting, the partners touched on two operating characteristic risk factors specifically mentioned in SAS 82, “significant related-party transactions not in the ordinary course of business or with related entities not audited or audited by another firm,” and “significant, unusual, or highly complex transactions, especially those close to year end, that pose difficult ‘substance over form’ questions.” Because both the Report of Investigation and the Andersen memo indicate that these types of transactions occurred, Andersen had evidently concluded that the level of engagement risk was elevated but acceptable.
Whenever auditors discover suspicious acts by management, they should consider the implications on other aspects of the audit, discuss their findings with the appropriate level of management and the audit committee of the board of directors, and consider withdrawing from the engagement. Client confidentiality generally prohibits the auditor from discussing with parties outside the company. Apart from its opinion, the auditor’s only option to send a very public signal to investors comes from resigning from the engagement.
The O’Malley Report had recommended that “audit firms consider adopting sophisticated, computerized systems for identifying engagement risk that involve both quantitative and qualitative factors, including search for potentially derogatory or other information about the entity and its principal owners and officers, and integrating those systems into their audits.”
Two new auditing standards covering these topics are expected. As a result of work by the ASB Fraud Task Force, an exposure draft for a new auditing standard for detecting fraud was issued in February 2002 and adopted as SAS 99 in October 2002. SAS 99 supersedes SAS 82 with more precise guidance on auditing for material misstatements due to fraud. SAS 96, Auditing Documentation, will influence how an auditor approaches engagement risk by requiring the documentation of the nature and effect of aggregated misstatements and of their conclusion about whether those misstatements cause the financial statements to be materially misstated.
Subsequent Discovery of Facts
If the auditor discovers facts that could affect the audited financial statements after the report date, a determination whether the discovered facts are relevant to users of the audited financial statements is required. If the facts are relevant, the auditor should respond appropriately by notifying the client’s board of directors and, if necessary, communicating the problem with appropriate parties, such as the SEC. The client should issue revised financial statements, and the auditor should issue a new report as soon as practical, describing the reasons for revision. The auditor should advise the client to discuss the new disclosures or revisions with the SEC, stock exchanges, and appropriate regulatory agencies.
During the third quarter of 2001, Enron recorded a $1.1 billion charge due to an asset impairment provision, restructuring of a division, and losses associated with “certain structured financing arrangements.” In November 2001, Enron announced the restatement of its 2000 income and balance sheet. The third-quarter press release and the restatement were discussed with Andersen prior to issuing the releases. Enron and Andersen together concluded that certain SPEs lacked sufficient equity at risk to qualify for nonconsolidation. The consolidation of the SPEs and the restatement—
For SEC registrants, there are very few instances of an auditor reissuing a revised opinion on previously audited financial statements. It is difficult to determine whether Andersen should have acted or even planned to act pursuant to SAS 1; shortly after announcing the restatements, Enron terminated its relationship with Andersen.
SAS 1, Codification of Auditing Standards and Procedures, requires that the auditor be independent in both fact (objective and intellectually honest) and appearance (free from obligation to or interest in the client, its management, or its owners). Loss of the appearance of independence brings into question the integrity of the auditor’s report on the financial statements.
In the absence of regulations prohibiting them from providing auditing and consulting services to the same client and in the interest of preventing competitors from performing nonaudit services for their audit clients, auditing firms have provided both services in order to maintain a competitive market position. Revenues from assurance services shrunk during the 1990s to represent less than 50% of global revenues for four of the Big Five (data was not available for Ernst & Young).
In 1997, a joint initiative of the SEC and the AICPA formed the Independence Standards Board (ISB), whose purpose was to research, develop, and maintain independence standards applicable to all SEC registrants and to raise the level of public debate and analysis of auditor independence. After the SEC incorporated most of the ISB’s standards in its new independence rules in 2000, the ISB disbanded when the SEC acted without accepting its conceptual framework. The new SEC independence rules required disclosure of audit and nonaudit fees in the proxy statements of all public companies, and placed new limits on the types of nonaudit services that audit firms could provide.
After the events of the last 15 months, many have revisited their positions on the legislation of auditor independence. In January 2002, the U.S. General Accounting Office (GAO) released its final standards on auditor independence. These standards apply to audits of government entities as well as to not-for-profit and for-profit entities that receive federal assistance or participate in federal programs.
The GAO rules essentially preclude audit firms from providing any nonaudit services that involve performing management functions or making management decisions, and from auditing their own work or providing nonaudit services in situations where the nonaudit services are significant or material to the subject matter of the audits. The Sarbanes-Oxley Act prohibits the provision to audit clients of nine nonaudit services, which the SEC originally proposed but did not adopt as part of its final rule on auditor independence.
Individuals and organizations on one side of the debate before now find themselves crossing over. In late January 2002, PricewaterhouseCoopers announced plans to separate its consulting business from the rest of the firm’s operations. Deloitte Touche Tohmatsu announced similar plans in February. In 2000, KPMG spun off its consulting practice; Ernst & Young sold its management consulting practice to Cap Gemini; and Andersen severed all remaining ties with Accenture (formerly Andersen Consulting).
Pressure to change is also mounting from corporate America. Both Apple and Disney announced they would no longer purchase consulting services from their accounting firms, and other companies are considering shareholder proposals to limit the role of the independent auditors.
SAS 41, Working Papers, states that the auditor should prepare and maintain working papers to support the audit conclusions and that the form and content of the working papers should be designed for the specific engagement. The auditor should adopt reasonable procedures for the safe custody of the working papers, and retain the working papers for a sufficient period to meet the needs of the practice and to satisfy any specific legal requirements. Generally, the working papers should be maintained for as long as a potential legal liability exists. Neither securities regulations nor professional auditing standards provide time-specific recommendations or requirements for document retention.
SAS 96, Audit Documentation, provides an updated framework for practitioners performing audits of financial statements. The substantive improvements from SAS 41 are in the guidance provided for documenting specific audit tasks, such as preparation of a written audit program. As with SAS 41, the auditor is expected to exercise professional judgment in determining the nature and extent of audit documentation needed to comply with professional standards, and to adopt reasonable procedures to prevent unauthorized access to the audit documentation.
Working-paper retention policies vary from firm to firm and are not prescribed by the profession. In January 2002, Andersen publicly announced that it had destroyed documents, including electronic files, related to the Enron engagement. Andersen responded to the surge of criticism by making its document retention policy publicly available. Andersen has testified in Congressional hearings that the destroyed materials were nonessential documents and e-mails and that the destruction was in accordance with the firm’s document retention policy. In conformity with both SAS 41 and the proposed standard, the firm’s document retention policy required that all documentation needed to support audit conclusions should be retained for a minimum of six years.
Destruction of nonessential papers related to an audit is typically not a violation of the professional standards. Auditors frequently accumulate materials, including drafts of audit-related documents, to-do lists, and informal notes on the client, whose destruction is routine. The concern over Andersen’s document destruction, however, relates to possible obstruction of justice, not failure to maintain proper audit files. Given the pending Congressional and SEC investigations, destroying documents, electronic or otherwise, is generally prohibited and, at the very least, ill-advised. All documentation, electronic or otherwise, should be retained if there is a Congressional, SEC, or criminal investigation.
SFAS 5, Accounting for Contingencies, defines a contingency “as an existing condition, situation, or set of circumstances involving uncertainty as to possible gain (gain contingency) or loss (loss contingency) to an enterprise that will ultimately be resolved when one or more future events occur or fail to occur.” Companies are required to accrue an estimated loss from a loss contingency if information available prior to the issuance of the financial statements indicates that it is probable that a liability has been incurred as of the date of the financial statements and the amount of the loss may be reasonably estimated. If the loss is either probable or estimable, but not both, the company should disclose, in the notes to financial statements, the nature of the contingency and an estimate of the possible loss or range of loss (or a statement that an estimate cannot be made).
SAS 12, Inquiry of a Client’s Lawyer Concerning Litigation, Claims, and Assessments, directs the auditor to obtain evidential matter concerning the existence of a condition, situation, or circumstances indicating an uncertainty as to the possible loss to an entity arising from litigation, claims, and assessments. While management should be the primary source of this information, audit procedures should also include examining all documents in the client’s possession concerning such matters. While the auditing standard principally focuses on inquiries of the client’s lawyers concerning litigation, claims, and assessments, the spirit is to ensure that all potential claims against the client’s assets are reported to shareholders, either through recognition, if appropriate, or through adequate disclosure.
Public Oversight and Industry Self-Regulation
The Public Oversight Board (POB) was responsible for overseeing and reporting on the self-regulatory programs of the AICPA SEC Practice Section (SECPS). The SECPS administers the peer-review process and conducts quality-control inquiries in cases of alleged audit failure. In a public statement on the regulation of the accounting profession on January 17, 2002, then–SEC Chairman Harvey Pitt proposed a broad and rough outline to change the self-regulatory process of the accounting profession. The POB viewed this as a no-confidence vote and decided to disband, paving the way for the SEC to implement the proposed changes. The new oversight body, the Public Company Accounting Oversight Board (PCAOB), was appointed in October, in a storm of controversy that included the resignations of Pitt and SEC Chief Accountant Robert Herdman as well as the board’s first chair, William Webster.
Due Professional Care and Auditors’ Legal Liability
Auditors face potential liability under common law for breach of contract to the client’s board of directors for failing to perform their audit as per contract; to third parties, such as creditors and employees; and for ordinary negligence, gross negligence, or fraud. Ordinary negligence is a lack of “reasonable” care. Gross negligence is lack of even “minimal” care, and fraud is a “misrepresentation” of a material fact known by the auditor to be false. The auditor’s degree of liability is based on what was known, as well as what should have been known. In breach of contract suits, the auditor’s most effective defense is to provide evidence that the audit was performed in conformity with generally accepted auditing standards. The audit documentation is critical to a successful defense.
Under the Securities Exchange Acts of 1933 and 1934, an auditor has an obligation to exercise due care and caution in performance of the audit and to conduct the audit without fraud or carelessness. The 1933 Act grants unnamed third parties rights against auditors for ordinary negligence, gross negligence, and fraud. The 1934 Act allows criminal indictments to be brought against auditors for the existence of materially false or misleading statements by anyone who relied on those statements and suffered damages as a consequence. The auditor’s standard line of defense in these cases is the due diligence defense, in which the auditor must show that it performed a reasonable investigation, had a reasonable basis to believe that the statements certified were true, and followed generally accepted auditing standards when performing the audit.
In 1995, Congress passed the Private Securities Litigation Reform Act, which established the concept of proportionate liability and placed a cap on the damages that an investor may claim. In addition, it imposed a greater level of responsibility on the auditor to report the existence of illegal acts to the client’s board of directors and, ultimately, to the SEC.
On February 11, 2002, Charles Niemeier, chief accountant in the SEC enforcement division, announced that the SEC would consider a company to be in violation of securities laws if the financial statements failed to accurately reflect the company’s underlying economic condition, even though they complied with GAAP.
Auditors are instructed to exercise professional skepticism, yet growing public sentiment demands that auditors should be fraud detectives. Reasonable assurance is no longer adequate; Congress and the public demand a greater level of assurance than that offered by the current audit model. Changing the audit model alone, however, will not be sufficient to satisfy these demands and expectations without significant changes in the powers accorded to auditors and in the legal environment in which auditors practice.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.