As Auditing Evolves, New Litigation Threats Emerge

By Matthew P. Bosher

Matthew Bosher is a litigation partner with Hunton & Williams LLP. His practice concentrates on financial reporting and corporate governance with a particular emphasis on accounting issues and the audit process.

The audit function is changing rapidly. Audit firms are integrating data analytics, machine learning and other modern technology in audit work, changing the breadth and depth of audits and clients’ expectations. Meanwhile, regulators now envision an audit report dramatically different than the form of report that has existed for decades. This new proposed report would reveal details about many of the auditor’s processes and judgments.

The history of litigation teaches that where auditing goes, plaintiffs’ lawyers follow. As the audit function and related disclosures evolve, new litigation threats will emerge. This article addresses two of those threats.

A. Malpractice Claims Second-Guessing the Use (or Non-Use) of Audit Data Analytics

Data analytics are everywhere. Analytics and big data inform many aspects of our everyday lives: what we buy, what news we read, and even whom we date.

Data analytics are now a big part of audit work as well. As the Executive Director of the Center for Audit Quality noted last year, “Data analytics, natural language processing, and artificial intelligence are no longer science fiction for auditors—they are being incorporated into the audit process.” (“The Audit of the Future,” Accounting Today (August 29, 2016) (quoting Cynthia M. Fornelli).)

A white paper prepared by the AICPA’s Assurance Services Executive Committee, “Reimagining Auditing in a Wired World,” provides a useful definition of audit data analytics:

  • Audit data analytics (ADA) is the science and art of discovering and analyzing patterns, identifying anomalies, and extracting other useful information in data underlying or related to the subject matter of an audit through analysis, modeling, and visualization for the purpose of planning or performing the audit. ADA includes methodologies for identifying and analyzing anomalous patterns and outliers in data; mapping and visualizing financial performance and other data across operating units, systems, products, or other dimensions for the purpose of focusing the audit on risks; building statistical (for example, regression) or other models that explain the data in relation to other factors and identify significant fluctuations from the model; and combining information from disparate analyses and data sources for the purpose of gaining additional insights.
(AICPA Assurance Services Executive Committee, Emerging Assurance Technologies Task Force White Paper dated August 2014, entitled “Reimagining Auditing in a Wired World.”)

There is a general consensus among standard setters and leaders of the profession that the benefits of using data analytics in audit work are significant.

Public Company Accounting Oversight Board member Steven Harris recently noted that data analytics, in many cases, enable auditors “to examine 100 percent of a client’s transactions, track and analyze trends, as well as anomalies and risks, to identify problematic areas or transactions, and benchmark a company’s financial information against others based on industry, geography, size or other factors.” (Steven Harris, member, PCAOB, address at Conference of New York State Society of CPAs (October 25, 2016).)

The ASEC White Paper contemplates similar advantages:

  • “Technology can be used to achieve the same level of assurance but more efficiently at a lower cost, or it can be used to achieve a higher level of assurance via a more effective audit at similar cost.”
  • “Traditionally, such tests [on client transactions and balances] were performed on a small sample of items. . . . With computerized data and file interrogation audit software, however, many tests can be performed on 100 percent of the population.”
  • “Audit Data Analytic techniques together with the ability to analyze and correlate vast amounts of data have revolutionized fraud detection. Patterns and connections that might never have been discovered in the past can be much more easily identified, analyzed, and visualized.”

The view from the U.K. is the same. In January, the Financial Reporting Council stated that the “[audit data analytics] we have seen in practice offer the potential to improve audit quality in a number of ways,” including:

  • “deepening the auditor’s understanding of the entity”;
  • “facilitating the focus of audit testing on the areas of highest risk through stratification of large populations”;
  • “enabling the auditor to perform tests on large or complex datasets where a manual approach would not be feasible”; and
  • “identifying instances of fraud.”
(“Audit Quality Thematic Review – The Use of Data Analytics in the Audit of Financial Statements,” Financial Reporting Council Thematic Review (January 2017).)

And according to one firm leader, “traditional techniques can be limited by being too prescriptive and unfocused, reducing insights delivered to auditors and their clients. Modern technology-enabled data analytics can improve the risk assessment process, the depth of substantive procedures, and the focus of tests of controls.” (“The Audit of the Future,” see supra (quoting Brian Miller of BDO USA).)

Testing 100 percent of transactions, greater fraud detection, and greater efficiency all sound great, right?

The problem—and the risk for auditors everywhere—is there are still no professional standards that relate specifically to the use of data analytics in audits. That puts auditors at risk, whether they use data analytics a lot, a little, or not at all.

It is easy to see how this could play out in a lawsuit. Management engages in a fraud that goes undetected in the audit. The auditor applied conventional auditing procedures appropriate in the circumstances to afford a reasonable basis for its opinion, but those procedures did not include extensive data analytics.

In the ensuing malpractice suit, the plaintiff points to commentary that analytics have “revolutionized” fraud detection. Where these techniques are available, and other auditors are using them, the plaintiff will argue that failure to use data analytics constitutes a failure to perform sufficient procedures and a departure from professional standards.

Professional standards are evidence of the appropriate standard of care in a negligence case. New professional standards might, for example, acknowledge that data analytics may not be applicable in every audit. Where there are no clear auditing standards that relate to data analytics, the potential for second-guessing in this brave new world of technology is unlimited.

On the other hand, what about the auditor who uses data analytics extensively in an effort to improve the efficiency and effectiveness of the audit? In a Sept. 1, 2016, Request for Input relating to audit data analytics, the International Auditing and Assurance Standards Board recognized the risk to that auditor:

  • There is a risk associated with the use of new and innovative techniques for which there is not a strong framework within the standards. Challenges result for audit oversight authorities when performing audit inspections. Auditors are faced with the increased risk of getting second guessed on inspection and not having a clear basis in the auditing standards to substantiate the judgments made and procedures performed.
(“Exploring the Growing Use of Technology in the Audit, with a Focus on Data Analytics,” IAASB Request for Input (Sept. 1, 2016).)

In a failed audit, a plaintiff will portray procedures based on data analytics as unconventional, untested, and unreliable, and the auditor may have no clear professional standards to cite for a precise standard of care.

There is also a risk that, as observers laud the usefulness of audit data analytics in fraud detection, financial statement users (and jurors) could become confused about the role of the auditor. An auditor does not, of course, ensure that financial statements are free of fraud. (AS 2401.12 (“even a properly planned and performed audit may not detect a material misstatement resulting from fraud”); Cenco, Inc. v. Seidman & Seidman, 686 F.2d 449, 454 (7th Cir. 1982) (an auditor is not a “detective hired to ferret out fraud”).) Plaintiffs’ attorneys, however, are fond of telling courts that auditors are responsible for finding the fraud. The rhetoric around the benefits of data analytics could be used to corroborate this misconception.

Data analytics are not going anywhere. To the contrary, in light of all the benefits discussed above, data analytics have become (and will continue to be) an integral component of the audit process. But there will be risks to all auditors so long as there are no specific standards relating to the use of data analytics. The PCAOB has recognized that auditors are using data analytics, but there is nothing on the board’s rulemaking agenda that relates to data analytics. Some help is on the way; the AICPA intends to publish a new Audit Data Analytics Guide in the spring. The new guide, which is meant to be transitional, will replace the current AICPA Analytical Procedures Guide.

In the meantime, audit firms can:

  •  invest in technology and in staff that understands the technology, especially its limitations;
  •  educate inspection teams to be sure they are up to speed on the firm’s use of and any reliance on data analytics;
  •  when using data analytics, make sure the documentation of those procedures is susceptible to review and otherwise adequate under existing audit standards relating to documentation;
  •  engage with standard setters to assist in the formulation of appropriate standards relating to the use of analytics in audits; and
  •  remember there is no substitute for professional judgment and skepticism.

B. Federal Securities Claims Based on the New Audit Report

Auditors have enjoyed a period of relative quiet on the private securities class action front. After dozens of federal securities class actions were filed against Big Four firms every year from 2002 to 2009, fewer than 10 such cases have been filed against Big Four firms in the last three years combined.

The reasons for the slowdown include clarification and general acceptance of two legal principles. First, for purposes of disclosure claims under Section 10(b) of the Securities Exchange Act and SEC Rule 10b-5, an auditor is responsible only for the statements in the audit report. (See, e.g., Janus Capital Group, Inc. v. First Derivative Traders, 131 S. Ct. 2296, 2301 (2011) (liability limited to the “maker of a statement” – that is, “the person or entity with ultimate authority over the statement, including its content and whether and how to communicate it”); Special Situations Fund III QP, L.P. v. Deloitte Touche Tohmatsu CPA, Ltd., 33 F. Supp. 3d 401, 429 (S.D.N.Y. 2014) (“the Court finds that [auditor’s] audit opinions are the only potential basis for its liability under Section 10(b) and Rule 10b-5 because they are the only statements over which [auditor] had ultimate authority.”).) Second, audit reports are statements of opinion, not statements of fact. (See, e.g., Querub v. Moore Stephens Hong Kong, 649 Fed. Appx. 55, 58 (2d Cir. May 20, 2016) (“Audit reports, labeled ‘opinions’ and involving considerable subjective judgment, are statements of opinion”); Buttonwood Tree Value Partners, LP v. Sweeney, 910 F. Supp. 2d 1199, 1208 (C.D. Cal. 2012) (“Plaintiffs must plead subjective falsity because an auditor’s GAAS and GAAP assertions are statements of professional judgment and opinion, not verifiable fact.”).) It is much more difficult to state a claim under the federal securities laws based on an opinion.

The threat to this relative peace comes from the PCAOB’s May 11, 2016 re-proposal to make sweeping changes to the auditor reporting model. (PCAOB Release No. 2016-003, which followed a Concept Release in June 2011 and the first proposal in August 2013.)

The heart of the proposed new standard is a requirement that the audit report include a discussion of “critical audit matters,” or “CAMs.” A CAM is a matter arising from the audit that (i) was communicated, or required to be communicated, to the audit committee, (ii) relates to accounts or disclosures that are material to the financial statements, and (iii) involved especially challenging, subjective, or complex auditor judgment. Under the proposal, the audit report would identify the CAM and describe (i) the principal considerations that led the auditor to determine that a particular matter is a CAM, (ii) how it was addressed in the audit, and (iii) the relevant financial statement accounts and disclosures. If there are no CAMs, the auditor would be required to state that determination in the auditor’s report.

According to PCAOB Chairman James Doty, the goal of the proposal is to “make the auditor’s report more useful and informative to investors and other financial statement users,” and the new report would provide investors “a better understanding of the judgments that go into an opinion.” (James R. Doty, Chairman, PCAOB, “The Role of the Bar and the Audit in Shareholder-Director Relationships,” Address at the 19th Annual Vanderbilt Law School Law & Business Conference (Oct. 7, 2016).) It appears the proposal is meant to strengthen the link between the report and the idea advanced by Doty that “Auditors were intended to be the eyes through which both directors and investors look for the truth.” (Id.)

More auditor disclosure in the audit report means greater risk of lawsuits under the federal securities laws. As succinctly stated by the Center for Audit Quality in its August 15, 2016 letter commenting on the proposal, “an auditor can be liable under the federal securities law for the statements it makes in the auditor’s report, and enhanced auditor reporting inevitably increase the risk of litigation over liability.”

Under the proposed regime, an investor who loses money on a stock will claim that he relied on the auditor’s statements about CAMs in the audit report. The plaintiff-investor will claim that the auditor (i) made a material misstatement about its evaluation of a CAM, or (ii) omitted material information by not including a CAM in the audit report.

Beyond the fact that auditors will be required to say more in the audit report, plaintiffs will argue that the new disclosures—identification of a CAM, description of the principal considerations that led the auditor to determine that the matter is a CAM, and how the auditor addressed the CAM—are by their nature statements of fact, not opinions. That would, in effect, lower the bar to stating a disclosure claim against the auditor.

These concerns have been raised with the PCAOB, but it appears likely that some form of the CAM proposal will be adopted. While the proposal has been under discussion for more than five years, the PCAOB has recently suggested that a final standard and adopting release will be circulated this quarter. Audit firms should begin to prepare for the new audit report and, in particular, consider how CAM-related disclosures will be formulated.

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.