An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

Transcription

1 MAY 2013 An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: Mark S. Beasley North Carolina State University Joseph V. Carcello University of Tennessee Dana R. Hermanson Kennesaw State University Terry L. Neal University of Tennessee

2 Preface This study examines alleged auditor deficiencies associated with SEC investigations of fraudulent financial reporting cases from involving U.S. public companies. The research team examined fraud cases identified in the preparation of Fraudulent Financial Reporting: , An Analysis of U.S. Public Companies (issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), 2010), as well as additional SEC enforcement actions from This report provides insights into alleged auditor deficiencies associated with 87 cases of alleged fraudulent financial reporting investigated by the SEC over a 13 year period. Research Team Authors Mark S. Beasley North Carolina State University Joseph V. Carcello University of Tennessee Dana R. Hermanson Kennesaw State University Terry L. Neal University of Tennessee Research Manager Lauren Reid University of Tennessee Research Assistants Leah Muriel Jonathan Shipman Quinn Swanquist University of Tennessee Funding for this research project was provided by the Center for Audit Quality. However, the views expressed in this paper and its contents are those of the authors alone and not those of the Center for Audit Quality.

3 Table of Contents 1. Executive Summary Research Approach Results Implications Summary Research Team APPENDIX An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

4

5 May 2013 The Center for Audit Quality (CAQ) and the public company auditing profession share with academics, audit committees, investors, preparers and regulators the goal of robust and healthy capital markets supported by audited financial statements that promote investor confidence. Chief among the many threats to high quality financial reporting and audit quality is the risk of material financial fraud. In 2010 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a report, Fraudulent Financial Reporting: , An Analysis of U.S. Public Companies. This study examined U.S. Securities and Exchange Commission (SEC) enforcement actions, and analyzed the nature, extent and characteristics of fraudulent financial reporting, as well as the negative consequences for investors and management. The CAQ commissioned the 2010 report authors, Mark Beasley, Joseph Carcello, Dana Hermanson and Terry Neal, to review the enforcement actions included in their 2010 study and provide a descriptive analysis of those investigations where the SEC sanctioned either the auditor or the audit firm. The authors expanded the study period to include enforcement actions through December Over this 13 year study period, from , there were 87 instances where the SEC leveled sanctions against the external auditor in connection with instances of alleged fraudulent financial reporting by publicly traded companies. Approximately 9,500 entities file financial statements with the SEC on an annual basis. Eleven of the 87 instances occurred in periods of 2003 or later, which represents years following the passage of the Sarbanes-Oxley Act (SOX) in July However, it should be noted that there is a time lag between when an infraction occurred and when the SEC releases an enforcement action, thus the number of instances is subject to change. SEC allegations of financial reporting fraud are rare events when considering the thousands of public companies filing audited financial statements each year with the SEC. However, the CAQ believes that taking a critical look at these situations can provide valuable lessons for the future. Indeed, the root cause drivers related to audit deficiencies involving fraudulent financial reporting cases citing the auditor that are highlighted in the study are areas where, in recent years, the profession and the CAQ have focused efforts for further improvements. The CAQ s related initiatives and projects include the funding of academic research on professional skepticism and financial reporting fraud deterrence and detection; the 2010 publication Deterring and Detecting Financial Reporting Fraud A Platform for Action; and the Anti-Fraud Collaboration a major, ongoing combined effort launched in 2010 by the CAQ, Financial Executives International, The Institute of Internal Auditors and the National Association of Corporate Directors. Key resources recently published by the Anti-Fraud Collaboration to enhance fraud deterrence efforts include the Hollate Manufacturing Case Study, which examines a potential material fraud at a fictional company to raise awareness of environments in which financial reporting fraud might flourish; and the Skepticism Webinar Series, which highlights the importance of skepticism as applied by external auditors, financial executives, internal auditors and audit committee members. In summary, while there will never be a silver bullet solution to prevent fraud, we feel this research contributes to the knowledge base for financial reporting fraud deterrence efforts. The public company auditing profession, the CAQ and our member firms, together with other members of the financial reporting supply chain, will continue to advance efforts to mitigate the risk of fraud. Sincerely, Cynthia M. Fornelli

6 1. EXECUTIVE SUMMARY This study examines U.S. Securities and Exchange Commission (SEC) sanctions against auditors over the period that are related to instances of alleged fraudulent financial reporting by U.S. publicly traded companies. During that time period, there were 87 separate instances where the SEC imposed such sanctions, and this report summarizes our analysis of alleged auditor deficiencies noted by the SEC in these 87 cases. In considering the results contained in this report, it is important to appreciate that SEC allegations of fraudulent financial reporting are rare, with 347 cases examined by the SEC from out of thousands of U.S. public companies. 1 Despite the small number of fraud-related SEC enforcement actions, we believe that analysis of these 87 cases involving auditor sanctions by the SEC provides important insights for auditors and others concerned with improving audit quality, especially in the context of detecting material financial statement misstatements due to fraud. Thus, we highlight key findings related to the audits underlying these 87 cases. The primary results of our analysis are as follows: From , we identified 87 instances of SEC investigations of fraudulent financial reporting leading to sanctions against auditors. Based on companies with available information for these 87 SEC investigations, the associated registrant companies were primarily small (median revenues and assets under $40 million) and concentrated in four key industries (over 40 percent of the sample is in financial services / insurance, general manufacturing, telecommunications, or consumer goods manufacturing). Based on available information for these 87 SEC investigations involving auditors, 58 percent of the audit reports issued for the last fraudulently reported financial statements included an unqualified opinion with no additional report modifications. The other 42 percent of the companies received unqualified audit opinions on the last fraudulently reported financial statements, but those reports included explanatory paragraphs that addressed other issues noted by the auditor, such as highlighting changes in accounting principle or going concern issues. For purposes of our study, we categorized the Big Six/Big Four international firms and the next tier of global network or national firms as national firms. 2 Here is a summary of the 87 instances we examined: Total instances of SEC investigations examined in this study 87 SEC sanctions involving audits performed by non-national firms 46 SEC sanctions involving audits performed by national firms 35 Bogus audits 3 where auditor did not perform procedures 6 Of the 35 national firm cases, nine involved audits performed by Arthur Andersen. There were six instances where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. We refer to these six instances as bogus audits. 1 For example, the 2006 Final Report of the Advisory Committee on Smaller Public Companies indicates that, as of 2005, there were 9,428 publicly traded companies on the NYSE, AMEX, NASDAQ, and OTC Bulletin Board. 2 The reference to Big Six/Big Four reflects the fact that during the 13 year period examined there were six international firms (Arthur Andersen, Coopers & Lybrand, Deloitte & Touche, Ernst & Young, KPMG, and Price Waterhouse). In 1998, Coopers & Lybrand merged with Price Waterhouse to form PricewaterhouseCoopers, resulting in the Big Five. When Arthur Andersen went out of business in 2002, only four large firms remained. The next tier of four national firms includes Grant Thornton, LLP, BDO Seidman, LLP (now BDO), Crowe Chizek and Company LLC (now Crowe Horwath), and McGladrey & Pullen, LLP (now McGladrey). 3 The term bogus audits refers to those cases where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. In those instances, there was no underlying audit performed, suggesting the audit was bogus. 2 Beasley, Carcello, Hermanson, and Neal

7 In Accounting and Auditing Enforcement Releases (AAERs) involving sanctions against auditors, the SEC typically alleges that the auditor either (a) violated the anti-fraud statutes (e.g., by participating in the fraud) or (b) performed a negligent audit that allowed the fraud to occur (without the auditor actively participating in the fraud). Among the 81 cases examined (excluding the six bogus audits noted above), the SEC charged the auditor for violating the anti-fraud statutes in 24 cases. The remaining 57 cases were limited to allegations of deficient audits unrelated to anti-fraud statutes. Among these 81 cases, the SEC issued sanctions against individual auditors in 80 cases and sanctions against the audit firm in 27 instances (26 cases involved sanctions against both individual auditors and the audit firm, with the SEC sanctioning only the audit firm in one case). The top five areas cited by the SEC in these 81 cases involved the following: 1. Failure to gather sufficient competent audit evidence (73 percent of the cases) 2. Failure to exercise due professional care (67 percent) 3. Insufficient level of professional skepticism (60 percent) 4. Failure to obtain adequate evidence related to management representations (54 percent) 5. Failure to express an appropriate audit opinion (47 percent) Most of the 81 cases involved multiple alleged deficiencies. 4 For example, 58 of the cases cited more than one of the top three deficiencies, and 42 cases cited the top three deficiencies. The most common deficiencies were quite similar for national firms and non-national firms. The top four issues are consistent across these two groups (with a slightly different ranking), and 11 of the top 14 deficiencies appear in both the national firm and non-national firm lists. Based on findings contained in this report, we explore implications for the audit process centered around four key themes. To that end, we explore challenges associated with each of the four themes found in the analysis: 1. Failure to Exercise Due Professional Care: Some of the deficiencies cited suggest a failure on the part of the auditor to discharge responsibilities with competence and diligence to the best of the auditor s ability, including the performance of procedures generally expected to be performed in an audit. This suggests that there may be opportunities for additional training and education on the fundamentals of the audit process. Also, there may be opportunities for additional analysis to better understand root causes that led to failures in the execution of those fundamentals in a particular audit engagement, so as to strengthen the competence and diligence of the performance of the audit. 2. Insufficient Levels of Professional Skepticism: Similarly, some of the cases examined highlight challenges in maintaining appropriate levels of professional skepticism that affect the auditor s mindset. Interestingly, the concept of professional skepticism has been embedded in auditing standards for decades; however, in some cases auditors may have struggled in maintaining an appropriate mindset throughout the various stages of the audit process. This challenge has implications for training and helps to motivate analyses such as the present study to understand root causes of failures in applying professional skepticism consistently. Additional research is needed to determine if these challenges may be exacerbated by differences in cultural norms that will be increasingly realized as the audit process continues to be affected by globalization or as new generations of audit professionals emerge who may apply professional skepticism differently than today s audit professionals. 3. Inadequate Identification and Assessment of Risks: The findings noted in this report also have implications regarding the risk assessment process, given that all cases examined in the study involved undetected instances of fraudulent financial reporting. While auditing standards have been risk-based for a number of years, more recent developments in the risk management arena, 5 including the emerging discipline of enterprise risk management, 4 Throughout this report, for ease of exposition, we often use the term deficiencies to mean alleged deficiencies. 5 In August 2010, the PCAOB issued a suite of eight auditing standards widely referred to as the risk assessment standards that became effective for audits of fiscal years beginning on or after December 15, An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

8 are revealing a number of complexities associated with any risk identification and risk assessment task. Any improvement in risk assessment skills that can be identified will help enhance audit quality and improve the recognition of fraud risk. The audit profession, including undergraduate and graduate accounting programs, may want to leverage insights that are emerging in other risk management disciplines to better train and educate audit professionals in risk identification and risk assessment tasks. 4. Failure to Respond to Identified Risks with Appropriate Audit Responses to Gather Sufficient Competent Audit Evidence: In some cases, the auditor failed to adjust audit procedures to gather sufficient competent evidence in light of risks identified and documented by the audit team. While this type of deficiency may be the result of the first three concerns noted above, it may also be triggered by failure to adequately link audit procedures to underlying risks. Because prior research has shown that this type of linkage can be a difficult task, perhaps greater emphasis on quality control review of these linkages may be beneficial, or new tools and techniques may be needed to facilitate this difficult linkage task. Training and education on the use of those tools may be warranted as well. The next section discusses the research approach, and Section 3 presents the results of our analysis. Section 4 develops the implications of the analysis, and Section 5 profiles the research team. The Appendix presents the detailed findings underlying the tables presented in the monograph. 4 Beasley, Carcello, Hermanson, and Neal

9 2. RESEARCH APPROACH The fraudulent financial reporting cases addressed in this study come from two sources. First, as part of our work on Fraudulent Financial Reporting: , An Analysis of U.S. Public Companies (issued by the Committee of Sponsoring Organizations of the Treadway Commission, 2010, the COSO study by Beasley, Carcello, Hermanson, and Neal), 6 we identified 78 cases where SEC allegations of fraudulent financial reporting also involved sanctions against auditors. These 78 cases comprise 23 percent of the relevant fraud cases examined in the COSO study. For the present study, we eliminated three observations where the company had public debt, but not public equity, leaving 75 observations from the COSO study for analysis in the present study. Second, we analyzed SEC Accounting and Auditing Enforcement Releases (AAERs) from , finding another 12 instances in which SEC allegations of fraudulent financial reporting also involved sanctions against auditors. Together, these 87 cases of alleged fraudulent financial reporting are the subject of the present study. In identifying the cases of alleged fraudulent financial reporting, we relied on the language and allegations in the AAERs and only included cases alleged by the SEC to involve violations of the SEC s anti-fraud statutes (Rule 10(b)-5 of the 1934 Securities Exchange Act or Section 17(a) of the 1933 Securities Act). We did not make any judgments about the SEC s allegations of fraud; we simply relied on the SEC s judgments about the presence of fraudulent financial reporting as documented in the AAERs. We then examined the subset of those cases where the SEC sanctioned the auditor in connection with the SEC s investigation of the underlying fraudulent financial reporting. The 87 cases examined in this study represent those where the SEC alleged auditor deficiencies associated with the audits of the financial statements involving SEC allegations against the registrant company for fraudulent financial reporting. Thus, all 87 cases examined involve instances where the registrant company was accused of issuing fraudulent financial statements. For our study, we collected and synthesized data from the 87 cases, focusing specifically on allegations of audit deficiencies made by the SEC in its AAERs. We developed a detailed template to guide the collection and analysis of the AAER data on audit deficiencies, and we synthesized the information from the 87 cases that are the subject of this study. 7 In addition, the research team gathered available data on fundamental company characteristics (financial information and industry) for the 87 companies. The team used the COMPUSTAT and CRSP databases, as well as company Form 10-Ks on the SEC s EDGAR database, to attempt to find such information. Consistent with previous research studies involving examinations of instances of fraudulent financial reporting, various data points were missing for some companies in our sample, which may be due to the fact that a number of them represent extremely small companies that are not tracked by certain external databases or due to the time period involved. It is important to keep in mind that the sample companies allegedly engaged in fraudulent financial reporting and may not have filed certain documents with the SEC. As a result, we were only able to report a company s characteristics when we could locate the underlying data for the company. For each table included in this report, we indicate the number of companies where we could locate the relevant data. SEC AAERs are commonly used in academic and professional research as a rich source of information about fraudulent financial reporting, as well as auditor deficiencies related to those cases. The use of AAERs is partly due 6 Download the full COSO Study at 7 This template builds on and adapts a previous template used in the preparation of Fraud-Related SEC Enforcement Actions Against Auditors: (AICPA, 2000, Beasley, Carcello, and Hermanson). An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

10 to the lack of other publicly available fraud-related measures of accounting and auditing quality. However, there are three important limitations to highlight. First, analyses of AAERs typically involve significant professional judgment. We conferred within our team about numerous such judgments during the course of the project and attempted to be consistent in the judgments made. Second, the data rely on the outcome of the SEC s enforcement process that is documented by the SEC staff in the AAERs. The extent of detail provided in the AAERs can vary significantly across SEC investigations. Thus, to the extent there are imperfections or biases in the SEC s enforcement process, including how they document their findings in the AAERs, those imperfections or biases may affect the results of the study. For example, it is possible that the nature of negotiations between the SEC and named parties may influence the amount and type of information ultimately included in the AAERs, thus reducing uniformity in reporting across AAERs. Finally, the AAERs present allegations of auditor deficiencies, with the audit professional and/or audit firm typically neither admitting nor denying the allegations. As a result, our goal is to present what was summarized by the SEC in the AAERs to provide insights for readers to make their own conclusions about the relative performance of auditors in those cases examined by the SEC. 6 Beasley, Carcello, Hermanson, and Neal

11 3. RESULTS COMPANY CHARACTERISTICS Financial Characteristics of Sample Companies From , we identified 87 instances of SEC investigations of fraudulent financial reporting leading to sanctions against auditors. We attempted to gather financial data for the 87 sample companies, using the last clean financial statements, which we define as the last annual financial statements issued before the beginning of the fraud period. We located relevant financial statement information for 67 of our 87 companies. Table 1 presents the financial profile of those 67 companies, and provides the reader some perspective on the size of public companies underlying the analysis in this study of alleged auditor deficiencies. Given the variability in size of the companies, it is most meaningful to focus on median values reported in Table 1. These companies are relatively small, with median assets and revenues under $40 million. In addition, many of the companies are near break-even, with median net income of only $351,000. The large differences between the means and medians indicate the presence of a few very large companies in the sample. Table 1 Financial Characteristics of Companies from Last Clean Financial Statements (n = 67 companies) Total Assets Total Revenues Net Income (Loss) Stockholders Equity (Deficit) Mean $4,598,154 $2,505,462 $139,765 $1,352,163 Median $37,906 $28,900 $351 $14,135 Minimum Value $0 $0 ($852,241) ($1,253,881) 1st Quartile $6,275 $1,030 ($673) $108 3rd Quartile $911,083 $472,778 $17,282 $278,635 Maximum Value $98,903,000 $39,090,000 $4,089,000 $55,409,000 An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

12 Table 2 presents industry information for 69 of the 87 sample companies where we could locate reliable industry information, and provides the reader an overview of the types of industries included in the analysis. A broad range of industries is represented, with financial services and general manufacturing having slightly more instances than other industry sectors. Table 2 Industry of Sample Companies (n = 69 companies) Industry Number Percentage Financial service providers and insurance % General manufacturing (excludes consumer goods or technology) % Telecommunications % Consumer goods manufacturing 6 8.7% Retail trade 5 7.2% Wholesale trade 5 7.2% Mining / Oil and gas 4 5.8% Computer software services 4 5.8% Healthcare products and services 4 5.8% Other service providers 4 5.8% Technology manufacturing 4 5.8% Transportation / Sanitary services 2 2.9% Miscellaneous / Conglomerate / Shell companies % Total % Audit Reports As part of the data collection effort, we gathered the audit reports issued on the last set of fraudulent financial statements; we were able to locate the reports for 74 companies. As shown in Table 3, the majority of the audit reports (58 percent) were standard unqualified audit reports. Forty-two percent of the audit reports included unqualified opinions, but the reports were modified from the standard report format primarily to highlight changes in accounting principle or going concern issues. 8 Beasley, Carcello, Hermanson, and Neal

13 Table 3 Audit Reports on Last Fraudulent Financial Statements (n = 74 companies) Type of Audit Report Number Percentage Standard unqualified opinions 43 58% Modified reports Change in accounting principle 10 14% Going concern 9 12% Note addressing unaudited schedules, statements, or paragraphs 4 5% Other explanatory paragraphs including issues surrounding investment valuation and variation in international accounting standards from U.S. GAAP 3 4% Note addressing restatements 2 3% No specific information available 3 4% Total modified reports 31 42% Number of audit reports available for review % Company Characteristics and Audit Reports Comparison to 2010 COSO Study To provide a frame of reference, we compared the companies in the present study (87 companies where the auditor was sanctioned in connection with a case of alleged fraudulent financial reporting) to the 347 fraud companies examined in Fraudulent Financial Reporting: , An Analysis of U.S. Public Companies (COSO, 2010). The COSO study examined all cases of fraudulent financial reporting alleged by the SEC from , whether or not the auditor was sanctioned. The primary difference between the two studies relates to company size. In the COSO study, the companies had median assets and revenues of $93 million and $72 million, respectively, versus $38 million and $29 million, respectively, in the present study. Therefore, the SEC registrants involved in the present study (where the auditor was sanctioned) are much smaller. Although the industry groupings are somewhat different in the two studies, it appears that the present study s sample is somewhat more concentrated in retail / wholesale and financial services / insurance and somewhat less concentrated in computer hardware / software and healthcare than the COSO study sample. Finally, audit opinions issued on the last fraudulent financial statements were more likely to be unqualified without any other report modifications in the present study (58 percent) compared to the COSO study (43 percent). An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

14 ALLEGED AUDIT DEFICIENCIES Alleged Auditor Involvement in the Frauds Table 4 provides an overview of the 87 cases based on the type of auditor deficiency and type of audit firm. Six of the 87 cases involve bogus audits where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. The other 81 cases related to actual, but allegedly deficient, audits. Of these 81 cases, 35 involved national firm auditors and 46 involved non-national firm auditors. Table 4 Alleged Auditor Involvement by Auditor Type (n = 87 companies) Type of Case Number of Cases Naming National Firm Auditors Number of Cases Naming Non-National Firm Auditors Total Bogus audit 0 6** 6 Actual audit, but audit was deficient 35* 46*** 81 Total * Nine of the 35 cases were audits performed by Arthur Andersen, which ceased performing public company audits in Also, the 35 cases include one instance in which a national firm and a non-national firm performed a joint audit. This case was coded as a national firm case (only the national firm paid a fine to the SEC). ** In one instance, there were two non-national audit firms named because the fraudulent financial statements included multiple years that were audited by two different firms. *** In four instances, there was more than one non-national firm named, generally because the fraud spanned multiple years that were audited by different auditors due to auditor changes during the fraud period. 10 Beasley, Carcello, Hermanson, and Neal

15 Bogus Audits Table 5 summarizes the six cases involving bogus audits, where no underlying audit procedures were performed. Most of these cases resulted in fraud charges against the auditor (four cases), forced repayment of gains 8 generally obtained through audit fees charged and payment of interest (four cases each), and bars from practice before the SEC (four cases). Two cases involved civil fines (totaling $255,000), and in one case the auditor was criminally prosecuted, resulting in an 18-month prison sentence. Table 5 Bogus Audits (n = 6 companies) Item Fraud charges against the auditor Result In 4 cases (violation of antifraud statutes (Rule 10(b)-5) by auditor) Auditor disgorged gains generally related to audit fees received In 4 cases (total of $96,500) Auditor prejudgment interest In 4 cases (total of nearly $35,000) Barred from SEC practice In 4 cases (one permanent bar, one for 4 years, two for 3 years) Auditor paid civil penalty In 2 cases (total of $255,000) Criminal prosecution In 1 case (18-month imprisonment with 2 years of supervised release thereafter) Alleged Audit Deficiencies in Actual Audits The other 81 cases represent instances in which an actual audit was performed, but the SEC alleged that the audit was deficient. The following tables present the results of analyzing these 81 cases: Table 6 Overview of Actual Audits and Sanctions (n = 81) Table 7 Primary Deficiencies in Actual Audits (n = 81) Table 8 Primary Deficiencies in National Firm Actual Audits (n = 35) Table 9 Primary Deficiencies in Non-National Firm Actual Audits (n = 46) Table 10 Other Auditor Deficiencies Cited by the SEC (n = 25) Appendix Detailed Listing of Alleged Audit Deficiencies by Audit Area (n = 81) 8 The SEC uses the term disgorgement of gains. An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

16 Table 6 presents an overview of the 81 actual audit cases. Twenty-four of the cases involved the SEC charging the auditor for violating the SEC s antifraud (Rule 10(b)-5) provisions. Of these 24 cases, 9 were against national firms (six of the 9 were against Arthur Andersen), and 15 were against non-national firms. The other 57 cases involved allegations of negligent audits 26 against national firms (three of the 26 were against Arthur Andersen) and 31 against non-national firms. 9 Table 6 Overview of Actual Audits and Sanctions (n = 81 companies) Item Type of violation Firm vs. individual sanctions Auditor barred from SEC practice Civil penalties Disgorgement of gains Criminal prosecution Audit firm change in two years before fraud or during the fraud period Company was new or audit in question was initial audit Former auditor worked as the company s CEO and CFO Result 24 antifraud violations (Rule 10(b)-5): 9 against national firms (6 of these were against Arthur Andersen) 15 against non-national firms 57 citations for negligent audits: 26 against national firms (3 of these were against Arthur Andersen) 31 against non-national firms In 54 cases only individual auditors were sanctioned In 26 cases both individual auditors and the audit firm were sanctioned In 1 case only the audit firm was sanctioned In 73 cases (19 permanent bars; other bars averaged approximately 3 years, with a range of 6 months to 10 years) In 16 cases (total fines over $92 million, average of $5.8 million, median of $687,500, with a range of $20,000 to $50 million) In 10 cases (total disgorged gains over $10.6 million, average of $1.1 million, median of $43,598, with a range of $3,000 to $9.8 million) In 1 case (for falsification of records) An audit firm change had taken place in 15 of 56 cases (27%) containing enough information to evaluate In 13 cases (16%) In 1 case (a number of the company s managers were former audit partners, including the CEO and CFO) In the majority of cases (54 cases), only individual auditors were sanctioned, while both individuals and firms were sanctioned in 26 cases. Just one case involved only sanctions against an audit firm. In terms of penalties, the most typical consequence was barring auditors from SEC practice (73 cases). Nineteen cases involved permanent bars, while the other cases, on average, involved bars of approximately three years. Civil penalties (16 cases, total fines of over $92 million) and disgorgement of gains (10 cases, total disgorgement of over $10.6 million) were much less common. One case led to criminal prosecution of the auditor for falsifying records. Finally, we gathered information on certain characteristics of the audit engagements. Of the cases with available information, there had been an audit firm change during the period from two years before the fraud began to the end of the fraud period in 27 percent of the cases. Also, in 13 cases (16 percent) the company was recently formed or the engagement in question was the first time the financial statements had been audited. We found only one case where the related AAERs indicated explicitly that former audit firm personnel were employed as the company s CEO and CFO. Table 7 presents the 16 primary audit deficiencies explicitly cited by the SEC in the 81 actual audit cases. 10 We have captured as much information as we can from the disclosures provided by the SEC about the auditor deficiencies. In 9 Our reference to, for example, national firms means that the SEC sanctioned a national firm or individual auditors in a national firm. See details in the right-hand column of Table 6 for information on firm-level versus individual-level sanctions. 10 We judgmentally decided to present the top 16 deficiencies to highlight those with the greatest frequency (deficiencies cited in more than 10 of the 81 cases). 12 Beasley, Carcello, Hermanson, and Neal

17 some cases, the SEC s descriptions of the deficiencies are fairly broad and involve a number of audit processes. In other cases, the SEC s description of the deficiencies is more specific. To the extent possible, we have attempted to glean as much as we can about deficiencies in the audit from the SEC s disclosures in the related enforcement actions. Note, however, that we are limited to the extent the SEC described the audit deficiency in the AAERs. The three most common deficiencies described by the SEC in the related AAERs were: (a) failure to gather sufficient competent audit evidence (73 percent of the cases), (b) failure to exercise due professional care (67 percent), and (c) insufficient level of professional skepticism (60 percent). Each of these items reflects a deficiency related to the General Standards within the framework of the 10 Generally Accepted Auditing Standards (GAAS), which establish the basis for the audit process that is built on audit evidence, collected and evaluated with due care and professional skepticism. Many of the 81 cases cited multiple deficiencies. For example, 66 cases cited more than one of the top 10 deficiencies, 60 cases cited more than two of the top 10, and 56 cases cited more than three of the top 10. Similarly, 58 of the cases cited more than one of the top three deficiencies, and 42 cases cited the top three deficiencies. Table 7 Primary Deficiencies in Actual Audits (n = 81 companies) Problem Area Percentage (Number) of Cases 1. Failure to gather sufficient competent audit evidence 73% (59 cases) 2. Failure to exercise due professional care 67% (54) 3. Insufficient level of professional skepticism 60% (49) 4. Failure to obtain adequate evidence related to management representations 54% (44) 5. Failure to express an appropriate audit opinion 47% (38) 6. Incorrect/inconsistent interpretation or application of requirements of GAAP 37% (30) 7. Inadequate consideration of fraud risks 33% (27) 8. Inadequate planning and supervision 31% (25) 9. Failure to adequately address audit risk and materiality 21% (17) 10. Inadequate preparation and maintenance of audit documentation 20% (16) 11. Failure to adequately communicate with the audit committee 17% (14) 12. Failure to recognize / ensure disclosure of key related parties 15% (12) 12. Failure to adequately perform audit procedures in response to assessed risks 15% (12) 12. Inappropriate confirmation procedures 15% (12) 12. Failure to evaluate adequacy of disclosure 15% (12) 16. Internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an understanding of the entity and its environment 14% (11)* * The number of individual internal-control related audit deficiencies sums to 12 in the Appendix; however, one firm was cited for two of these deficiencies. Thus, in this Table, we report the total number of cases in which internal control-related issues were noted. Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, four problem areas tied for the 12th rank in the rank-ordered list of the top 16 deficiencies shown above. An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

18 The first three deficiencies in Table 7 address concerns related to the three General Standards within the framework of 10 GAAS standards. The SEC often cited these three deficiencies to note an overarching observation about the auditor s lack of professionalism and due care, without reference to violations of specific Statements on Auditing Standards (SASs) or related PCAOB Auditing Standards. Said differently, any lack of compliance with a specific SAS or PCAOB Auditing Standard would by default also trigger a violation of the General Standards within the GAAS framework. Thus, it is not surprising that these three deficiencies are cited most in the 81 cases examined. To provide some insight about the concerns noted related to these three overarching deficiencies, we have provided some examples of the underlying audit deficiencies noted by the SEC in the AAERs. Detailed review of the underlying deficiencies suggests that there appeared to be an overriding concern that the auditor s lack of exercising due professional care and failure to maintain an overall level of appropriate professional skepticism resulted in the auditor failing to obtain sufficient competent evidence to support amounts in the financial statements. Thus, it is helpful to consider these three deficiencies in combination. Examples of Failure to Gather Sufficient Competent Audit Evidence: 11 Despite the fact that the audit firm had previously communicated to management and the audit committee concerns about management s comprehensive analysis of its inventory balances and despite noting material year-end book to physical differences in inventory, the audit firm over-relied on management s inventory reports when analyzing slow moving or obsolete inventory without testing the reliability of the reports. The audit firm failed to support underlying estimates that were used to establish financial statement balances and failed to obtain additional evidence about estimates used when concerns were noted about potential bias in those estimates. The audit firm failed to substantiate prices used in a software valuation calculation. The audit firm failed to perform additional procedures when confirmations returned contained ambiguous information. In the same audit, the audit firm also failed to obtain supporting evidence to substantiate an inventory obsolescence reserve and failed to substantiate management s calculation of revenue. Instead, the audit firm relied on management representations. Examples of a Failure to Exercise Due Professional Care: Despite documenting that client accounting practices were highly aggressive and unusual, the audit firm failed to adjust its audit procedures in light of these noted risk concerns. The audit firm failed to plan and properly supervise the audit, and the firm failed to consider the underlying audit risk. While the firm requested the client to present documentation to support a material amount in the financial statements, the audit firm failed to conduct further audit procedures when management claimed the documentation was unavailable. The audit firm failed to act with due professional care when multiple pieces of documentation suggested the client s accounting records were held open beyond the fiscal year end, and the audit firm ignored the client s failure to record depreciation expense. Examples of a Failure to Maintain a Sufficient Level of Professional Skepticism: The auditor failed to assess documents he suspected might have been fabricated by the client and did not question the authenticity of those documents. Despite being confronted with a number of factors that should have heightened the auditor s professional skepticism in regards to a number of risks of material misstatement, the auditor s procedures did not appear to be modified in light of these risk concerns. 11 The language used to describe these examples is adapted from the relevant AAERs, but does not necessarily represent an exact quotation of language in the AAER. 14 Beasley, Carcello, Hermanson, and Neal

19 The auditor failed to respond to information that suggested account valuations were overstated, and the auditor failed to verify certain representations made by management. The audit firm failed to respond to numerous red flags and inconsistencies and ignored a number of specific audit program steps. The remaining items in Table 7 typically reflect more specific audit issues. The fourth most common deficiency was the failure to obtain adequate evidence related to management representations (54 percent). In such cases, the SEC alleged that the auditor placed too much reliance on management s explanations or representations without adequate corroborating evidence. Some examples of audit failures noted by the SEC when they alleged this deficiency include the following: Management made certain representations about discrepancies between inventory book and physical balances, but the auditor failed to request evidence supporting the reconciliation. The auditor relied on management representations about certain key estimates and relied on oral representations about accruals on unbilled receivable balances. Assumptions asserted by management to support top-side accounting entries were not tested by the auditor. The fifth most common issue was the failure to express an appropriate audit opinion (47 percent). As indicated in the Appendix, the majority of these cases involved the auditor issuing an unqualified opinion when the financial statements did not conform with GAAP and the auditor did not adhere to GAAS. This particular deficiency was often cited by the SEC as an overarching deficiency triggered by other underlying deficiencies in the audit. Examples of audit failures when the SEC alleged this deficiency in the AAER include situations where: The auditor issued an unqualified opinion even though the firm had knowledge that the accounting for a material acquisition was not complete. The auditor failed to modify the audit report even though there were material scope restrictions whereby the auditor failed to corroborate written representations by management and the auditor knew that a material portion of the receivables did not have any supporting documentation. The sixth issue, incorrect/inconsistent interpretation or application of the requirements of GAAP (37 percent), reflects technical accounting issues. As shown in the Appendix, 10 of the 30 cases involved revenues, which is consistent with the predominance of revenue overstatements in the population of fraud cases (Fraudulent Financial Reporting: , An Analysis of U.S. Public Companies). Reserves, including warranty reserves, were involved in four cases. Several remaining cases involved areas including (two cases each): debt; restructuring charges / nonrecurring expenses; capitalized expenses; deferred taxes; timber / real estate; and acquisitions. The SEC cited inadequate consideration of fraud risks in 33 percent of the cases (the seventh most frequent issue). In terms of fraud risks, auditors may have ignored or not appropriately responded to perceived red flags or other client risks. Examples of situations where the SEC cited this deficiency include the following: The only action the auditor took to assess the risk of fraud was to ask the CFO and other accounting staff at the issuer whether they had any knowledge of fraud. The auditor failed to appropriately respond to notable fraud risks, including failure to adjust audit procedures when the auditor learned that a significant sale occurred in the last days of the fiscal year. Procedures to assess the risk of material misstatement due to fraud were documented in the working papers three months after the issuance of the audit report. An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations:

20 The SEC cited inadequate planning and supervision in 31 percent of the cases (the eighth most frequent issue). Four of the deficiencies related to planning and supervision involved a fundamental failure to write an audit program. Other examples of deficiencies related to this issue include the following: The audit partner failed to supervise the person performing the audit, and that person was not an accountant and had no audit experience. There was minimal partner involvement, and the audit manager who was on the west coast of the U.S. supervised by telephone the audit staff who were on the east coast of the U.S. A different manager was asked to review the audit work when that manager had never worked on the engagement and had no knowledge of the client s operations or audit issues. Certain workpapers prepared by senior staff, including planning areas and high risk accounts, were not reviewed. The ninth most common deficiency was the failure to adequately address audit risk and materiality. Typical deficiencies included: The audit firm failed to implement appropriate follow-up procedures to ensure that planned audit responses were performed to address certain audit risk areas and that concurring and special review partners functioned effectively for the high risk client. The auditor did not understand the client s internal controls, did not competently identify audit risks, and followed a generic audit program obtained off the Internet. The tenth most cited deficiency related to inadequate preparation and maintenance of audit documentation. Here are some examples of what transpired: Nearly one year after completing the audit and subsequent to the filing of a legal suit against the audit firm, firm personnel added additional workpapers to their audit documentation to mask deficiencies. Audit documentation failed to identify what audit procedures were performed and what conclusions were reached, and the documentation failed to show that accounting records reconciled with the financial statements. As shown in the Appendix, seven of the 16 cases related to audit documentation involved intentional alteration and/or destruction of workpapers. The remaining issues in Table 7 each were cited in 17 percent or fewer of the 81 cases. These issues involved communication with the audit committee, related party transactions, responses to assessed risks, confirmations, evaluation of disclosures, and internal control-related issues. While the time period examined in our study ranges from , we found that only 11 of the cases involve fraudulent financial reporting in periods 2003 or later, which represents years following the passage of the Sarbanes- Oxley Act (SOX) in July Among the 11 cases, one audit was performed by a national firm, and 10 were performed by non-national firms. The median size of the issuer companies ($5.4 million in assets and $10.7 million in revenues) was smaller than the full sample as reported in Table 1. Only one of the 11 cases was an accelerated filer that required an audit of internal control over financial reporting. In that case, the auditor s opinion on internal control over financial reporting was unqualified. While the post-sox sample is quite small, we did analyze the deficiencies for the 11 cases. The results are very similar to those reported in Table 7. Eleven of the top 13 deficiencies associated with the post-sox sample also appear in Table 7. We caution the reader to interpret these findings carefully, given the small sample and significant time lag in SEC enforcement. Tables 8 and 9 present the 14 primary deficiencies 12 in the 35 cases involving actual audits by a national audit firm (Table 8) and 46 cases involving actual audits by a non-national firm (Table 9). Although national and non-national 12 We judgmentally decided to present the top 14 deficiencies in Tables 8 and 9 to highlight those with the greatest frequency (present in 15 percent or more of the national or non-national cases). 16 Beasley, Carcello, Hermanson, and Neal

21 firms may have very different client bases and oversight challenges, the results across the two groups of firms are very similar in many respects. The top four issues are consistent across the two groups (with a slightly different ranking), and 11 deficiencies appear in both the national firm and non-national firm lists. Three deficiencies appear only in the national firm list (Table 8): (a) failure to adequately perform audit procedures in response to assessed risks; (b) failure to evaluate adequacy of disclosure; and (c) internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an understanding of the entity and its environment. Three deficiencies appear only in the non-national firm list (Table 9): (a) failure to recognize / ensure disclosure of key related parties, (b) over-reliance on / failure to obtain work of specialists, and (c) inappropriate confirmation procedures. With respect to specialists, eight of the nine total deficiencies in this category related to non-national audit firms. This may reflect the greater likelihood that national firms have the resources to involve specialists in a greater number of particularly technical areas. Table 8 Primary Deficiencies in National Firm Actual Audits (n = 35 companies) Problem Area Percentage (Number) of Cases 1. Failure to exercise due professional care 69% (24 cases) 2. Failure to gather sufficient competent audit evidence 66% (23) 3. Insufficient level of professional skepticism 60% (21) 4. Failure to obtain adequate evidence related to management representations 51% (18) 5. Incorrect/inconsistent interpretation or application of requirements of GAAP 49% (17) 6. Failure to express an appropriate audit opinion 43% (15) 7. Inadequate consideration of fraud risks 34% (12) 8. Inadequate planning and supervision 23% (8) 8. Failure to adequately perform audit procedures in response to assessed risks* 23% (8) 8. Inadequate preparation and maintenance of audit documentation 23% (8) 8. Failure to evaluate adequacy of disclosure* 23% (8) 12. Failure to adequately communicate with the audit committee 20% (7) 12. Failure to adequately address audit risk and materiality 20% (7) 14. Internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an understanding of the entity and its environment* 17% (6) * Problem area does not appear in the Table 9 list for non-national firms. Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, four problem areas tied for the 8th rank, and two tied for the 12th rank in the rank-ordered list of the top 14 deficiencies shown above. An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: