The Regulators Are Swinging a Big Hammer
Audit Firms Need to Be Ready

BY JAY MORONEY, CONSULTING PRINCIPAL, LEMME, A DIVISION OF EPIC

Quick Facts

As evidenced in recent publications and as reiterated at the recent ALI CLE Accountant’s Liability Conference (the “Conference”) held in Washington D.C., PCAOB and SEC regulators are intensifying their scrutiny over the auditing profession. To paraphrase one regulator at the conference, the regulators view themselves as “a hammer, looking for a nail.” You do not have to think hard about who the nail is. In PCAOB Release No. 2023-001, dated March 28, 2023, regulators have proposed revisions to the PCAOB Auditing Standards (the “Proposed Revisions”) to put teeth into this scrutiny. The tone directed to the accounting firm profession from the regulatory side has been fairly direct recently. My interpretation is the messaging from regulators to the accounting profession can be summed up as:

1. Your audit quality has slipped;
2. We are raising the bar on quality expectations;
3. We are not giving you the benefit of the doubt;
4. We have, and will continue to, increase penalties;
5. We will hold firm management responsible for lapses; and
6. If you don’t improve audit quality, the role of private firms in the financial audit process may end.

This article will look at six areas of regulatory focus and how each of them translates into risk areas for professional liability claims.

Six Areas Regulators are Focusing on in Evaluating Accounting Firm Performance

1) Tone at the Top. “Tone at the Top” was mentioned multiple times by multiple regulators at the conference. Tone at the Top was a hot topic for many firms in the aftermath of the Enron scandal and the demise of Arthur Andersen. This period saw the passage of Sarbanes Oxley and the birth of the PCAOB. With the dissolution of Arthur Andersen fresh in the minds of management and line partners, accounting firms refocused on quality control and invested in people and systems to improve quality. A large part of this emphasis was “Tone at the Top” messaging on the importance of audit quality. This ushered in a period of time where audit quality (and professional liability claims) improved. Regulators are once again signaling that, in their view, there has been a backsliding on audit quality and firms need to recalibrate their messaging throughout their organization to bring audit quality back to the forefront. Regulators are stressing the overarching principle that accounting firms are the public’s gatekeepers functioning to ensure high-quality financial reporting. This is a critical role to protect investors and the integrity of our financial system. To stay on the good side of regulators (or the best side possible), firm management needs to embrace the gatekeeper role and, most importantly, continually emphasize this internally and the resulting need for a focus on strict adherence to the firm’s quality control systems and the auditing standards. In fact, regulators seemed to suggest that they will be investigating whether there appears to be issues affecting multiple offices across a firm and/or the appearance that the firm’s culture is lending itself to, or not preventing ethical violations, warranting investigations of the firm’s National Office. Firms should anticipate that the regulators will increase their scrutiny of senior management. When management is seen as lacking in the essential “Tone at the Top,” it is likely the enforcement hammer will swing harder when something goes wrong.

2) Professional Skepticism, on Steroids. Professional skepticism has been a focus for many years. At the Conference, the regulators clearly signaled their view that the profession needs to improve and that they will be looking critically at auditors’ performance in this area. When inspections reveal deficiencies in the quality of an audit, lack of sufficient professional skepticism is often a root cause. In an article published in October of 2022, Paul Munter, the Chief Accountant of the Office of the Chief Accountant at the SEC, wrote, in reference to professional skepticism, that “trust but verify” may be an inadequate mindset for an auditor as it “may represent potential bias if it is anchored in the belief that management is honest and has integrity.”^{[ 1 ]} I think this is a bit of a twisting of Ronald Reagan’s phrase, but the point is made. As stated by one regulator at the Conference, for the capital markets to work, investors need to believe auditors are acting with the requisite professional skepticism to fulfill their role as public watchdogs. Firms must have a culture of integrity and embrace their role as gatekeepers charged with protecting the investing public. Turning to civil liability, professional skepticism (or the apparent lack thereof) is a common theme in claims made against auditors. For example, in cases involving a significant fraudulent scheme that goes undetected for several years, plaintiff attorneys often seek to present evidence to demonstrate that the auditors were not sufficiently skeptical and overly relied on management in the planning and conduct of audit procedures. And, that as a result of the auditors’ negligent performance of the audit, they failed to detect and disclose the fraud. The catch phrase for auditors should now be –“anticipate fraud, test, adapt, question, verify, review again and document.”

3) It’s the Principles, not just a Checklist. At the conference and in Paul Munter’s article cited above, there was an emphasis on the need for auditors to make sure they understand and consider the principles behind the auditing rules and apply those principles throughout the conduct of an audit. A rote application of the rules in a checklist format is inadequate. The message was clear; to perform a quality audit, the auditor is expected to understand both the rules and the principles behind them and apply the principles when planning and conducting an audit. In professional liability claims, we often see plaintiff attorneys argue that the auditor simply applied a “checklist mentality” to just get through an audit causing the auditors to miss red flags.

4) Doggedly Chase the Red Flags. Once a red flag appears, regulators expect the auditor to investigate the red flag and perform additional procedures to either find a misstatement or to obtain further audit evidence to back up the financial statements as presented by management. Merely asking the client to confirm facts is not sufficient to obtain appropriate audit evidence that the financials are not misleading. The auditor needs to find adequate evidence to justify the accounting in order to render a clean opinion on the financial statements. Failure to follow-up on red flags will draw the attention of regulators and plaintiff attorneys alike. In professional liability claims, plaintiff attorneys will emphasize to juries that a fraud remained undetected because red flags were present, but the auditor failed to react and obtain further audit evidence. This is a common fact pattern in larger dollar civil liability claims.

5) Document Meticulously and Contemporaneously. Regulators articulated the expectation that auditors clearly document the planning and conduct of the audit and do so contemporaneously. Waiting until after the fact to document the audit workpaper file is not favored, and the failure to document those audit procedures performed is generally perceived as the auditor having not performed such procedures at all. The failure to properly document the audit procedures performed can also result in a firm receiving a negative comment on its inspection reports, or worse, a referral to the enforcement division for further investigation. It is important to note that the Proposed Revisions will tighten the time period to complete and archive the final set of audit documentation from 45 days to 14 days after the report release date. The lack of documentation is also used in civil cases as strong evidence that the auditor did not perform a critical step in the conduct of the audit.

6) Train, Supervise and Review. Regulators expressed concern that accounting firm staff are not being properly trained and supervised before and during the conduct of an audit. Understanding the principles behind the rules is not only important for the partners but also the junior members of the engagement team. Ultimately, it is the engagement partner who is responsible for the audit, and review and supervision are a critical parts of that responsibility. As stated in the Proposed Revisions, changes to AS 1201 and AS 2101 will clarify “that even when the engagement partner seeks assistance from other engagement team members, the engagement partner retains the primary responsibility for the engagement and its performance.” For this reason, partners need to prioritize staff training, ensure appropriate level staff are assigned to the engagement, and undertake a careful review with questioning, seasoned eyes on the audit evidence supporting the audit opinion.

Conclusion

While the above six areas are not exclusive (think of them as principles, not a checklist) strong attention to these areas will help a firm in future encounters with regulators. Moreover, strong focus in these six areas will also help in preventing and mitigating professional liability claims against accounting firms. Focusing resources on the Tone at the Top, training, and enhanced quality control and supervision has a cost and needs to be appropriately balanced with a risk/ reward analysis. The regulators are clearly looking to add more cost to the scales for those firms that fail to enhance these areas. Regulators in general can sometimes be overly burdensome. Nonetheless, in the case of audit quality, on balance the regulatory framework is a net benefit to all constituents. Regulators may not always be “right” or “fair,” but holding all firms to a high standard of conduct will benefit those firms that rise to the occasion and have a reputation for performing high-quality audits, improve the integrity of the financial statements, and protect the investing public. The firms that focus time and resources on quality will be winners in the long term – better clients will gravitate to you, it will help you avoid and mitigate professional liability claims, underwriters will give you better pricing, and will lead you to improved profits by avoiding bad clients, regulatory costs and lawsuits.

^{[ 1 ] On pg. 24, the Proposed Revisions document states “further, the proposed standard specifies that the auditor would exercise professional skepticism by … avoiding assumptions that management is honest or dishonest. In addition, in exercising professional skepticism, the auditor would consider the impact of management bias and the auditor’s own bias that could affect the auditor’s own judgments. For example, the tendency to seek confirming information can lead the auditor to seek audit evidence that is only consistent with management’s explanations, or to favor conclusions that are consistent with the auditor’s initial beliefs. In exercising professional skepticism, the auditor could mitigate such bias by being aware of “confirmation bias,” considering alternatives provided by others, and seeking contradictory information as evidence….”}

EPIC offers this material for general information only. EPIC does not intend this material to be, nor may any person receiving this information construe or rely on this material as, tax or legal advice. The matters addressed in this document and any related discussions or correspondence should be reviewed and discussed with legal counsel prior to acting or relying on these materials.

DOWNLOADABLE RESOURCES

LEMME Accounting Alert (PDF)