Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...
By Matthew P. Bosher
Matthew Bosher is a litigation partner with Hunton & Williams LLP. His practice concentrates on financial reporting and corporate governance with a particular emphasis on accounting issues and the audit process.
The audit function is changing rapidly. Audit firms are integrating data analytics, machine learning and other modern technology in audit work, changing the breadth and depth of audits and clients’ expectations. Meanwhile, regulators now envision an audit report dramatically different than the form of report that has existed for decades. This new proposed report would reveal details about many of the auditor’s processes and judgments.
The history of litigation teaches that where auditing goes, plaintiffs’ lawyers follow. As the audit function and related disclosures evolve, new litigation threats will emerge. This article addresses two of those threats.
Data analytics are everywhere. Analytics and big data inform many aspects of our everyday lives: what we buy, what news we read, and even whom we date.
Data analytics are now a big part of audit work as well. As the Executive Director of the Center for Audit Quality noted last year, “Data analytics, natural language processing, and artificial intelligence are no longer science fiction for auditors—they are being incorporated into the audit process.” ( The Audit of the Future,” Accounting Today (August 29, 2016) (quoting Cynthia M. Fornelli).)
A white paper prepared by the AICPA’s Assurance Services Executive Committee, “Reimagining Auditing in a Wired World,” provides a useful definition of audit data analytics:
There is a general consensus among standard setters and leaders of the profession that the benefits of using data analytics in audit work are significant.
Public Company Accounting Oversight Board member Steven Harris recently noted that data analytics, in many cases, enable auditors “to examine 100 percent of a client’s transactions, track and analyze trends, as well as anomalies and risks, to identify problematic areas or transactions, and benchmark a company’s financial information against others based on industry, geography, size or other factors.” ( Steven Harris, member, PCAOB, address at Conference of New York State Society of CPAs (October 25, 2016). )
The ASEC White Paper contemplates similar advantages:
And according to one firm leader, “traditional techniques can be limited by being too prescriptive and unfocused, reducing insights delivered to auditors and their clients. Modern technology-enabled data analytics can improve the risk assessment process, the depth of substantive procedures, and the focus of tests of controls.” (“The Audit of the Future,” see supra (quoting Brian Miller of BDO USA).)
Testing 100 percent of transactions, greater fraud detection, and greater efficiency all sound great, right?
The problem—and the risk for auditors everywhere—is there are still no professional standards that relate specifically to the use of data analytics in audits. That puts auditors at risk, whether they use data analytics a lot, a little, or not at all.
It is easy to see how this could play out in a lawsuit. Management engages in a fraud that goes undetected in the audit. The auditor applied conventional auditing procedures appropriate in the circumstances to afford a reasonable basis for its opinion, but those procedures did not include extensive data analytics.
In the ensuing malpractice suit, the plaintiff points to commentary that analytics have “revolutionized” fraud detection. Where these techniques are available, and other auditors are using them, the plaintiff will argue that failure to use data analytics constitutes a failure to perform sufficient procedures and a departure from professional standards.
Professional standards are evidence of the appropriate standard of care in a negligence case. New professional standards might, for example, acknowledge that data analytics may not be applicable in every audit. Where there are no clear auditing standards that relate to data analytics, the potential for second-guessing in this brave new world of technology is unlimited.
On the other hand, what about the auditor who uses data analytics extensively in an effort to improve the efficiency and effectiveness of the audit? In a Sept. 1, 2016, Request for Input relating to audit data analytics, the International Auditing and Assurance Standards Board recognized the risk to that auditor:
In a failed audit, a plaintiff will portray procedures based on data analytics as unconventional, untested, and unreliable, and the auditor may have no clear professional standards to cite for a precise standard of care.
There is also a risk that, as observers laud the usefulness of audit data analytics in fraud detection, financial statement users (and jurors) could become confused about the role of the auditor. An auditor does not, of course, ensure that financial statements are free of fraud. (AS 2401.12 (“even a properly planned and performed audit may not detect a material misstatement resulting from fraud”); Cenco, Inc. v. Seidman & Seidman , 686 F.2d 449, 454 (7th Cir. 1982) (an auditor is not a “detective hired to ferret out fraud”).) Plaintiffs’ attorneys, however, are fond of telling courts that auditors are responsible for finding the fraud. The rhetoric around the benefits of data analytics could be used to corroborate this misconception.
Data analytics are not going anywhere. To the contrary, in light of all the benefits discussed above, data analytics have (and will continue to) become an integral component of the audit process. But there will be risks to all auditors so long as there are no specific standards relating to the use of data analytics. The PCAOB has recognized that auditors are using data analytics, but there is nothing on the board’s rulemaking agenda that relates to data analytics. Some help is on the way; the AICPA intends to publish a new Audit Data Analytics Guide in the spring. The new guide, which is meant to be transitional, will replace the current AICPA Analytical Procedures Guide.
In the meantime, audit firms can:
Auditors have enjoyed a period of relative quiet on the private securities class action front. After seeing dozens of federal securities class actions filed against Big Four firms every year from 2002 to 2009, fewer than 10 such cases have been filed against Big Four firms in the last three years combined.
The reasons for the slowdown include clarification and general acceptance of two legal principles. First, for purposes of disclosure claims under Section 10(b) of the Securities Exchange Act and SEC Rule 10b-5, an auditor is responsible only for the statements in the audit report. ( See, e.g., Janus Capital Group, Inc. v. First Derivative Traders, 131 S. Ct. 2296, 2301 (2011) (liability limited to the “maker of a statement” – that is, “the person or entity with ultimate authority over the statement, including its content and whether and how to communicate it”); Special Situations Fund III QP, L.P. v. Deloitte Touche Tohmatsu CPA, Ltd., 33 F. Supp. 3d 401, 429 (S.D.N.Y. 2014) (“the Court finds that [auditor’s] audit opinions are the only potential basis for its liability under Section 10(b) and Rule 10b-5 because they are the only statements over which [auditor] had ultimate authority.”).) Second, audit reports are statements of opinion, not statements of fact. ( See, e.g., Querub v. Moore Stephens Hong Kong, 649 Fed. Appx. 55, 58 (2d Cir. May 20, 2016) (“Audit reports, labeled ‘opinions’ and involving considerable subjective judgment, are statements of opinion”); Buttonwood Tree Value Partners, LP v. Sweeney, 910 F. Supp. 2d 1199, 1208 (C.D. Cal. 2012) (“Plaintiffs must plead subjective falsity because an auditor’s GAAS and GAAP assertions are statements of professional judgment and opinion, not verifiable fact.”).) It is much more difficult to state a claim under the federal securities laws based on an opinion.
The threat to this relative peace comes from the PCAOB’s May 11, 2016 re-proposal to make sweeping changes to the auditor reporting model. ( PCAOB Release No. 2016-003, which followed a Concept Release in June 2011 and the first proposal in August 2013.)
The heart of the proposed new standard is a requirement that the audit report include a discussion of “critical audit matters,” or “CAMs.” A CAM is a matter arising from the audit that (i) was communicated, or required to be communicated, to the audit committee, (ii) relates to accounts or disclosures that are material to the financial statements, and (iii) involved especially challenging, subjective, or complex auditor judgment. Under the proposal, the audit report would identify the CAM and describe (i) the principal considerations that led the auditor to determine that a particular matter is a CAM, (ii) how it was addressed in the audit, and (iii) the relevant financial statement accounts and disclosures. If there are no CAMs, the auditor would be required to state that determination in the auditor’s report.
According to PCAOB Chairman James Doty, the goal of the proposal is to “make the auditor’s report more useful and informative to investors and other financial statement users,” and the new report would provide investors “a better understanding of the judgments that go into an opinion.” ( James R. Doty, Chairman, PCAOB, “The Role of the Bar and the Audit in Shareholder-Director Relationships,” Address at the 19th Annual Vanderbilt Law School Law & Business Conference (Oct. 7, 2016). ) It appears the proposal is meant to strengthen the link between the report and the idea advanced by Doty that “Auditors were intended to be the eyes through which both directors and investors look for the truth.” ( Id.)
More auditor disclosure in the audit report means greater risk of lawsuits under the federal securities laws. As succinctly stated by the Center for Audit Quality in its August 15, 2016 letter commenting on the proposal, “an auditor can be liable under the federal securities law for the statements it makes in the auditor’s report, and enhanced auditor reporting inevitably increase the risk of litigation over liability.”
Under the proposed regime, an investor who loses money on a stock will claim that he relied on the auditor’s statements about CAMs in the audit report. The plaintiff-investor will claim that the auditor (i) made a material misstatement about its evaluation of a CAM, or (ii) omitted material information by not including a CAM in the audit report.
In addition to requiring auditors to say more in the audit report, plaintiffs will argue that the nature of the new disclosures—identification of a CAM, description of the principal considerations that led the auditor to determine that the matter is a CAM, and how the auditor addressed the CAM—are statements of fact, not opinions. That would, in effect, lower the bar to stating a disclosure claim against the auditor.
These concerns have been raised with the PCAOB, but it appears likely that some form of the CAM proposal will be adopted. While the proposal has been under discussion for more than five years, the PCAOB has recently suggested that a final standard and adopting release will be circulated this quarter. Audit firms should begin to prepare for the new audit report and, in particular, consider how CAM-related disclosures will be formulated.
Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)