The July issue of Accounting Today makes important points about accounting risk for failure to detect and report fraud. Sarah Ference, Risk Control Director for CNA, notes that while CPA engagements are not typically designed to detect or report fraud, most clients, and perhaps most jurors, think CPAs should always be on the lookout for fraud. 25% of claims arising from audit and attest engagements allege that the CPA failed to detect and report fraud. 6% of tax service claims also allege a failure to detect and report fraud. Ms. Ference notes the importance of engagement letters to manage expectations and, where appropriate, disclaim reliance. Mission creep, of course, can render the best engagement letter ineffective. Finally, the article suggests that anything sinister or unusual observed during the engagement should be reported in writing to the client. The disconnect between client/juror expectations and an accountant’s scope of engagement will apparently always be with us. Paying attention to potential fraud and reporting it may help your accounting firm avoid becoming a data point in the claims statistics.
Today the CPA Dailey Letter (citing CBS News and the IRS) warned against phishing attacks on accounting firm computer networks resulting in stolen data and fraudulent tax returns. We helped an unfortunate client facing this problem last year. They merged in a smaller firm in the middle of busy season and didn’t get the small firm converted to the large firm’s computer system quickly enough. Imagine a hacker getting copies of all your clients’ 2016 returns and then using your clients’ data to file fraudulent 2017 returns seeking big refunds. You and your clients learn about the problem when notices start drifting in from the IRS rejecting returns that seek 7 figure refunds. Eventually you get such a notice for every one of your tax return clients. You have to call each and every one of them to tell them that fraudsters have all their personal information from the return. Fraudulent tax returns may just be the beginning of their identity theft problems. This problem could really ruin your quarter and your year. Keep your software updates current and do some simulated attacks to protect your clients and your firm.
Earlier this week the Wall Street Journal and others reported that KPMG had hired former PCAOB staffers to reveal the secret list of KPMG audits that the PCAOB would examine. The article reported that the SEC had indicted 5 former KPMG employees including 3 former partners for fraud. KPMG apparently discovered the scheme in March of 2017 and self-reported. Allegedly almost half the 2013 KPMG audits reviewed by the PCAOB in 2014 had been found deficient and the firm felt pressure to improve its audit quality. The partners charged included those formerly in charge of national audit quality and another responsible for inspections.
A few days later GE announced an SEC probe of its accounting practices along with a restatement of its 2016 and 2017 financial results. At least part of the problem arises from revenue recognition issues in its jet engine and power turbine business. Other problems stem from charges in its long term care insurance business. Together the adjustments may total over 21 Billion dollars. KPMG has served as GE’s auditor since 1909.
These articles highlight the challenges even the largest audit firms face in detecting material misstatements in a client’s financials. We face increasing complexity in public company financials and auditors are struggling to keep up with the standards in a difficult environment.
1. Cyber Insurance is cheap and important to protect against risks not covered by E&O. Work with a knowledgeable broker and insurer and buy the coverage because the risk is real and growing.
2. Make sure your engagement letter includes:
• a specific description of the work you will do;
• limitation of damages provision where not precluded by standards;
• indemnification where not prohibited by standards;
• disclaimers where appropriate ( i.e. AUP’s);
• jurisdiction, venue and choice of law provisions; and
• a provision for the client to pay for time and expense you incur for subpoena compliance.
Watch out for client changes including cyber representations and indemnifications of any kind.
3. Evaluate the risk to your firm before responding to subpoenas or document requests. Consultation with your insurer or outside counsel may be time well spent. The risk runs from minimal to existential and different risks require different responses.
4. You save money by not engaging with bad clients. Red flags include:
• financially stressed or unprofitable clients;
• clients whose work you are not really equipped to handle;
• clients whose interests conflict with other clients; and
• clients who lack management integrity.
These all should be evaluated for disengagement. Consider firing your bottom 5 or 10% and investing those resources into developing better opportunities.
5. All of us have clients who present some special risk. Do what you can to mitigate that risk with:
• thorough client acceptance procedures;
• engagement letters;
• robust conflict analysis; and
• continuous reevaluation.
Employ detailed financial management including precise billing entries, timely billing and early AR follow-up in order to spot problems quickly.
As public offerings have gotten more complex and expensive, capital has flowed to non-public securities. Consequently, the exempt securities market has expanded and increased in complexity and risk. Issued on July 27, 2017, SAS 133 is intended to provide guidance to bring auditing consistency across offerings and increase public confidence in the presentation of financial information.
Beginning with offerings made in June 2018, this new standard will apply when audited financials are used in connection with exempt securities offerings. Common exemptions involve private placements, municipal securities, not-for-profit securities, new crowd-funding and Regulation A offerings, and franchise offerings. Thus, heightened audit procedures will be the rule rather than the exception, applying in some form to both private and public capital raising efforts.
SAS 133 will apply when an auditor is “involved” in an exempt offering. Being involved has two components: (1) the auditor’s report is included or referenced in the exempt offering document and (2) the auditor performs specific activities with respect to the offering document like reading the offering materials, offering a comfort letter, or agreeing to allow the use of the report in connection with the offering. These requirements are designed to protect auditors from fallout from the use of their audits in connection with exempt offerings without their knowledge.
Among other things, SAS 133 will import the requirements AU-C Section 720 regarding “other information in documents containing audited financial statements” and AU-C Section 560, which requires auditors to consider whether events after the report would cause the auditor to revise the report.
This new auditing standard will require auditors to pay attention to two related developments. First, auditors will have to be more attuned to which transactions count as securities. For example, the SEC recently decided that offering cryptocurrency is a securities offering requiring registration or exemption. Second, auditors will have to consider how closely to hue to GAAP and the FASB’s auditing standards, which are not yet mandatory but do influence how disappointed investors seek redress for failed investments. For more information on non-GAAP accounting and the state of the industry, see our video here.
On May 31, 2017, Former SEC Chair, Mary Jo White and former SEC Director of Enforcement, Andrew Ceresney presented a retrospective on recent enforcement trends and their insights on where the SEC might be heading. Here are a few takeaways:
1. SEC enforcement actions are on the rise. From 2013 through 2016, 2,850 enforcement actions were filed. Judgments and orders over this period totaled more than $13.8 Billion. The use of big data contributed to the enforcement division’s increase in activity.
2. The number of enforcement actions involving accounting firms and auditors is also seeing an upward trend. From 2013 through 2014, the SEC brought 37 Rule 102(e) proceedings against accountants for improper professional conduct. That number rose to 76 proceedings from 2015 to 2016. The alleged improper conduct in these proceedings arose from claims of audit failure or independence violations. The SEC sees auditors as gatekeepers and partners in protecting investors and the integrity of the markets.
3. The SEC’s numbers show a steady increase in financial reporting cases since 2013. From 2013-2014, 53 financial reporting cases were filed and 128 parties were charged. From 2015-2016, those numbers increased to 114 financial reporting cases and 191 parties charged. Despite the increase in cases, the SEC hasn’t uncovered any massive fraud cases on the level of Enron and WorldCom. Ms. White and Mr. Ceresney attribute this to improved financial reporting and internal controls promoted by Sarbanes Oxley. The SEC would likely reconcile the touted effectiveness of Sarbanes Oxley with the increase in enforcement actions by arguing that regulations have deterred major crimes, allowing the Commission to focus on enforcing other violations.
4. We can expect to see some changes with the new leadership. The new chair, Jay Clayton, appears focused on capital formation. Consistent with the overall focus on reducing regulation, Chair Clayton has expressed a desire to reduce barriers to going public. This may lead to an increase in enforcement activity around initial public offerings.