AUDITOR’S LEGAL, ETHICAL & PROFESSIONAL
RESPONSIBILITIES PART 2
AUDITOR’S RESPONSIBILITY IN RELATION TO FRAUD AND FOR THE ENTITIES COMPLIANCE WITH LAWS AND REGULATIONS
An auditor’s main concern in an audit is the risk of a material misstatement in the financial statements. These material misstatements can arise from fraud or error.
An error is an unintentional misstatement in the financial statements, whether an omission of an amount or a disclosure. It can be a mistake in gathering or processing data for the accounts, an incorrect accounting estimate or a mistake in the application of accounting principles.
Fraud is an intentional act by one or more individuals among management, employees or third parties, involving the use of deception to obtain an unjust or illegal advantage.
Auditors do not make legal determination of whether fraud has actually occurred; the auditor is concerned to the extent that fraud has caused a material misstatement in the financial statements. Responsibility
ISA 240 the auditor’s responsibility to consider fraud in an audit of financial statements, states quite clearly in paragraph 240.13 that the primary responsibility for the prevention and detection of fraud rests with the management and those charged with governance of the entity. It is their responsibility to establish a control environment to assist in achieving the orderly and efficient conduct of the entity’s operations. It is up to them to put a strong emphasis on fraud prevention.
The auditor does not have a specific responsibility to prevent or detect fraud, but he must consider whether it has caused a material misstatement in the financial statements. Types of fraud
There are two types of intentional misstatement:
- Fraudulent financial reporting
- Misappropriation of assets
Fraudulent financial reporting
This may be accomplished by the following:
- Manipulation, falsification, or alteration of accounting records or supporting documentation from which the accounts are prepared
- Misrepresentation in, or intentional omission from, the accounts of events, transactions or other significant information
- Intentional misapplication of accounting principles relating to amounts, classification, manner of presentation or disclosure.
Misappropriation of assets
This involves the theft of a company’s assets. While management are in a position to be able to disguise or conceal misappropriations in ways that are difficult to detect, small and immaterial amounts misappropriated are often perpetrated by employees.
Misappropriations can be accomplished in a number of ways:
- Embezzling receipts
- Stealing physical assets or intellectual property
- Causing an entity to pay for something they never received
- Using an entity’s assets for own personal use.
The misappropriation of assets is often accompanied by false or misleading records or documents in order to conceal the fact that the assets are missing. Why is there fraud
Fraud occurs because:
- There is an incentive or pressure to commit fraud A perceived opportunity to do so
- Rationalisation of the act.
- Individuals may be living beyond their means
- Management is under pressure to reach targets
- An individual may believe internal controls can be over-ridden.
The auditor identifies the risks of fraud, relates the identified risks to what can go wrong at the assertion level and considers the likely magnitude of a potential misstatement. Finally, he should respond to those risks.
The auditor should communicate to the appropriate level of management any identified fraud.
Where the fraud involves management or key employees in internal control operations, the auditor should communicate as soon as possible any such fraud to those charged with governance.
The auditor may have a statutory duty to report fraudulent behaviour to a regulator outside the entity for example the police authorities.
Law and Regulation
Companies are statutorily bound to comply with laws and regulations. Some of the laws and regulations affecting companies are:
- Company law
- Health and safety regulations
- Employment law
- Civil law, both tort and contract
- Environmental law and regulation
The auditor should identify the laws and regulations that an entity operates within.
ISA 250 consideration of laws and regulations in an audit of financial statements establishes standards and guidance on the auditor’s responsibilities to consider laws and regulations in an audit of financial statements.
ISA 250.2 states that when designing and performing audit procedures and in evaluating and reporting the results thereof, the auditor should recognise that non-compliance by the entity with laws and regulations may materially affect the financial statements.
So the auditor’s responsibility is to plan and perform the audit to obtain reasonable assurance that the company has in fact complied with relevant laws and regulations.
An audit cannot be expected to detect non-compliance with all the laws and regulations applicable to a company. Detection, regardless of materiality, requires consideration of the implications for the integrity of management or employees and the possible effect on other aspects of the audit.
Non-compliance is a legal determination and is beyond the auditor’s professional competence and while an auditor’s experience and training may well provide a basis for recognition, ultimately, it can only be determined by a court of law.
The further removed the non-compliance is from the events and transactions normally reflected in the financial statements, the less likely the auditor is to become aware of it or recognize non-compliance.
Responsibility of Management
It is management’s responsibility to ensure that the entity’s operations are conducted in accordance with laws and regulations. The responsibility for the prevention and detection of non-compliance rests with management.
In larger companies, policies and procedures may be supplemented by an internal audit function and an audit committee possibly split between a legal department and a compliance function.
Directors of the company have responsibility to provide information required by the auditor, to which he/she has a legal right of access. Such legislation also provides that it is a criminal offence to give the auditor information or explanations which are misleading, false or deceptive.
The auditor’s consideration
The auditor cannot be held responsible for preventing non-compliance, although an annual audit may act as a deterrent.
Even though an audit is properly planned and performed in accordance with standards, there is the unavoidable risk that some material misstatements will not be detected in the financial statements.
ISA250.13 states that auditors should plan and perform the audit with an attitude of professional scepticism recognising that the audit may reveal conditions or events that would lead to questioning whether an entity is complying with laws and regulations.
The auditor would test for compliance with specific laws and regulations only if engaged to do so as otherwise outside the scope of his audit.
ISA250.18 lays out that the auditor should design procedures to help identify possible or actual instances of non-compliance with the laws and regulations, which are central to the entity’s ability to conduct its business and hence to its financial statements.
Further, the auditor should obtain sufficient, appropriate audit evidence about compliance with those laws and regulations, which the auditor recognises as having an effect on the determination of material amounts and disclosures in the financial statements.
Some of the laws and regulation include ones which prohibit a company from making distributions except out of distributable profits and laws which require the auditor to expressly report on non-compliance such as maintenance of proper books of account or disclosures of directors’ remuneration.
The auditor should obtain written representations from management that they have disclosed to the auditor all known actual or possible non-compliance with laws and regulations whose effects should be considered when preparing the financial statements. In addition, where applicable, the written representations should include the actual or contingent consequences which may arise from the non-compliance.
In the absence of audit evidence to the contrary, the auditor is entitled to assume the entity is in compliance with these laws and regulations.
The auditor’s responsibility in expressing an opinion on financial statements does not extend to determining whether the entity has complied in every respect with tax legislation. The auditor only needs sufficient audit evidence to give a reasonable assurance that the tax amounts in the financial statements are not materially misstated.
What to do when non-compliance is discovered
When the auditor becomes aware of non-compliance, the auditor should obtain an understanding of the nature of the act and the circumstances in which it has occurred, and sufficient other information to evaluate the possible effect on the financial statements.
The auditor must consider:
- The potential financial consequences such as fines, penalties and/or litigation.
- Whether the potential financial consequences require disclosure.
- Whether these consequences are so serious they call into question the truth and fairness of the accounts.
Reporting of non-compliance
As soon as possible, the auditor should communicate with management, or obtain audit evidence that management are appropriately informed, regarding non-compliance that comes to the auditor’s attention. If in the auditor’s judgment, the non-compliance is intentional and/or material, the auditor should communicate without delay.
If the auditor suspects senior management, then he should communicate to the next higher level, such as the audit committee. Failing that, he should seek legal advice.
In the case of money laundering it may be appropriate to report the matter directly to the appropriate authority.
Audit report implications
- If the auditor concludes that the non-compliance has a material effect on the accounts and has not been properly reflected, he should express a qualified or adverse opinion.
- If the auditor has not been able to obtain sufficient evidence to evaluate whether a material non-compliance has occurred, he should qualify his report or issue a disclaimer of opinion on the basis of a scope limitation.
Third part reporting
Although the auditor has a duty of confidentiality, where non-compliance gives rise to a statutory duty to report, the auditor should do so without undue delay.
AUDITOR’S RESPONSIBILITIES DEFINED BY CASE LAW ARISING FROM NEGLIENCE AND RELATED EXPOSURE AND
Auditors may have professional liability under statute law and in the tort of negligence. Statute law
There are occasions when auditors have professional liability under statute law:
- In insolvency legislation, the auditor could be found to be an officer of the company and thus could be charged with a criminal offence in connection with the winding up of the company.
- An auditor could be found to be guilty of insider dealing, which is a criminal offence.
- Auditors could be found guilty of a criminal offence in respect of money laundering issues as to their failure to report any known suspicions to the proper authority.
- Failure to report issues that are required under company law such as those mentioned on the audit report.
Tort of negligence
Negligence is based on common/customary law. It seeks to provide compensation to loss suffered by one due to another’s wrongful neglect.
To succeed, an injured party must prove:
- A duty of care existed
- The duty of care was breached
- The actual breach caused the loss.
Who would take an action against an Auditor
If an auditor gave an incorrect audit opinion the following parties might take an action:
- The company
- The shareholders
- The bank
- Other lenders
- Other interested third parties
The key difference between all the above mentioned parties is the nature and duty of care owed to them by the auditor. Audit client
An auditor owes a duty of care to the company as it is the audit client. The company has a contract with the audit firm. Therefore, the duty of care is automatic under law.
The company is all the shareholders acting as a body; it cannot be represented by one shareholder alone.
The standard of work of the auditor is generally defined by legislation. A number of judgements exist which have gauged the level of care as specific legislation does not exist which states clearly how an auditor should discharge his duty of care. For Example: Re Kingston cotton mills 1896 Court of Appeal, England
“.it is the duty of the auditor to bring to bear on the work he has performed that skill, care and caution which a reasonably competent, careful and cautious auditor would use. What is reasonable skill, care and caution, must depend on the particular circumstances of the case.” For Example: Re Thomas Gerrard & son Ltd 1967 Chancery Division, England
“…the real ground on which re Kingston cotton mills….is, I think, capable of being distinguished is that the standards of reasonable care and skill are, upon the expert evidence, more exacting today than those which prevailed in 1896.”
For Example: Re Fomento(sterling area) Ltd v Selsdon fountain pen co ltd 1958
“…they must come to it with an inquiring mind, not suspicious of dishonesty…..but suspecting that someone may have made a mistake somewhere and that a check must be made to ensure that there has been none.”
Auditors have to be careful in forming an opinion and they must give consideration to all relevant matters.
If an opinion reached by an auditor is one that no reasonably competent auditor would be likely to reach, then the auditor would possibly be held for negligence. Third parties
The auditor can only owe a duty of care to parties other than the audit client, if one can be established.
Third parties will include any individual shareholders, potential investors and the bank. In these cases, there is no contract with the audit firm. Therefore, there is no implied duty of care.
Case law seems to suggest that the courts have been reluctant to attribute a duty of care for third parties to the auditor.
Caparo industries plc v Dickman and others 1990 England House of Lords – Tort
Caparo relied on a set of accounts to purchase shares in a company. Subsequently, they alleged that the accounts were misleading. They argued the auditors owed a duty of care.
The House of Lords found that there was no duty of care. The audit complied with the company’s legislation and there was no mention in that legislation to suggest that auditors should protect the interests of investors.
James McNaughton paper group ltd v Hicks Anderson 1990
The position held that a restrictive approach was now adopted to any extension of the scope of the duty of care beyond the person directly intended by the auditor. In addition, all circumstances should now be taken into account in deciding on a duty of care.
However, in 1995, a high court judge made an award against BDO as their joint audit of a company in which ADT were investing was held to be a contractual relationship with ADT.
Problems however still arise after this case law. The reality is that third parties do rely on audited accounts. The perception is, if you are required to file your accounts with the Office of the Registrar General, then this information must be credible and independent.
It seems unfair that auditors should bear full responsibility for something for which they do not have the primary responsibility.
In recent times, directors of companies are required by company law not to make misleading statements to auditors.
Banks and other major lenders appear to have a more special relationship than other third parties.
Loan facilities will often contain clauses requiring audited accounts and up to date financial information on a regular basis. This may be seen to document a relationship with the auditor that establishes a duty of care.
For Example: Royal bank of Scotland v Bannerman, Johnstone Maclay and other 2002
The bank provided an overdraft facility to the company, who it is claimed misstated its position due to a fraud. It was argued that the auditors neglected to find the fraud.
The judge found that the auditors had a duty of care. They knew that the bank need audited accounts as part of the overdraft arrangement and could have issued a disclaimer to the bank. But they didn’t and this was an important factor in deciding that they did owe a duty of care.
One way of dealing with litigation is to try and avoid it.
- Have clear client acceptance procedures, screen new clients, use an engagement letter.
- Perform all audit work in accordance with standards and best practice.
- Have sensible and effective quality control procedures in place.
- Issue appropriate disclaimers. Auditors may attempt to limit their liability by issuing disclaimers, although this may not always be effective in law.
- PRE-APPOINTMENT PROCEDURES Advertising
ISA 200 sets out the ethical principles governing the auditor’s professional responsibilities. One of them is professional behaviour. A member is expected to comply with relevant laws and regulations and should avoid any action that discredits the profession.
Now, auditors are like anyone else in business and in business it is necessary to advertise. But this advertising should be aimed at informing the public in an objective manner and should be in good taste.
The code of ethics goes on to say that in promoting themselves and their work, members should be honest and truthful and should not make any exaggerated claims for the services they are able to offer, the qualifications they possess or the experience they have gained. In addition, they should not make any disparaging references or unsubstantiated comparisons to the work of others.
If reference is made in promotional material to fees, the basis on which the fees are calculated should be stated. The greatest care should be taken to ensure that any reference does not mislead as to the precise range of services and time commitment that the reference is intended to cover. The danger of giving a misleading impression is great when there are constraints in respect of space limits for advertisements. It is for this reason that it is generally inappropriate to advertise fees. It is probably better to advertise free consultations to discuss fee issues. Use of logos
Persons can only use the designated letters of a profession after their name such as in advertisements when they are members of the said profession. A firm should hold a practicing/auditing certificate to describe themselves as registered auditors.
Client companies can change auditors. In this regard a firm may be approached to submit a tender for an audit. When approached to tender, an audit firm must consider whether they want to do the work and they must have regard for the ethical considerations, such as independence and professional competence. In addition, they need to consider fees and other practical issues.
A member may quote whatever fee is deemed to be appropriate. The fact that one may quote a lower fee than another auditor is not in itself unethical. However, it does raise the risk of a threat to the principles of professional competence and due care in that the fee quoted may be so low as to make it appear to be difficult to perform the audit to the expected standards.
Therefore, it is wise to set out the basis of the calculation of the fee. The following factors should be considered when setting out a fee:
- What does the job involve. Is it audit and/or tax or is there some other complicated work involved.
- Which staff will need to be involved, numbers and quality. How long will they be required. Is the nature of the business complex.
- What charge out rates are to be applied.
The practice of undercutting fees has been called lowballing and can be seen in action generally where large audits are concerned. We have seen that having a lower fee may seem to have a negative impact on an auditor’s perceived independence but there are other factors to be considered:
- Auditors operate in a market like any other business where supply and demand very often dictate the price.
Fees may be lower due to reasons such as better internal audit functions and simplified group structures within client companies.
- Auditing firms have increased productivity, whether through the use of more sophisticated IT or experience gained through understanding the clients business.
It is important that the auditor also considers a number of other issues:
- Can the audit assignment be fitted in to the audit firms current work plan?
- Is suitable audit staff available?
- Will any specialist skills be required?
- What are the future plans for the company?
- Is there any training required for current staff and what will be the cost of that training?
- What work does the client actually want – Audit and/or tax?
- Is this the first time the company has been audited?
- Whether the client is seeking to change its auditors and if so what is the reason behind it?
Submitting an audit proposal
There is no set format. In fact, the client may dictate the format whether it be a written submission or a presentation to the board of directors.
Whatever the form of the tender submission, the following matters should be included in the proposal:
- The audit fee and the basis for its calculation
- An assessment of the needs of the client
- How the firm means to meet the needs of the client
- Any assumptions made to support the proposal
- The audit approach to be adopted by the firm
- A brief outline of the firm as seen by the proposer
- Details and background of the key audit staff on the proposed engagement.
Evaluating the tender
Different clients will have different ways of evaluating a tender. Some of the more general points are listed below. It is important to bear these in mind when preparing a proposal:
- Fee. This can be the most vital point. Some clients go straight to this figure and don’t even bother with the rest of the document.
Professionalism. Auditors are expected to be professional. Remember, first impressions count and the audit team and the tender documents are often the first factors.
- Proposed audit approach. Clients are always looking for the least amount of disruption to their already busy schedules, so the shortest number of days on-site may be the key to winning a tender.
- Personal service. Fostering relationships is vital. Client should always feel he is getting value for money.
You have submitted a tender. You have been successful and the client has offered you the audit. Before you accept and commence the audit you should carry out a number of procedures in order to comply with the provisions in ISQC 1 quality control (section 26 to 28).
Before accepting the assignment
- Make sure there are no ethical issues which would prevent you from accepting this assignment.
- Make sure that you are professionally qualified to carry out the work requested and that your firm has the resources available in terms of staff, expertise and time.
- Check out references for the directors of the client firm especially if they are unknown to the audit firm.
- Consult previous auditors as a matter of professional courtesy and establish from them whether there is anything that you ought to know about this vacancy.
After accepting the assignment
- Make sure the resignation of the previous auditors has been properly carried out and that the new appointment is valid. A board resolution of the company is required.
- Submit a letter of engagement to the directors of the client company and ensure it is signed before any audit work is carried out.
ISQC 1 states that a firm should establish policies and procedures for the acceptance and continuance of client relationships and specific engagements, designed to provide it with reasonable assurance that it will only undertake or continue relationships and engagements where it:
- Has considered the integrity of the client and does not have any information that would lead it to conclude that the client lacks integrity,
Is competent to perform the engagement and has the capabilities, time and resources to do so and
- Can comply with the ethical requirements.
The firm should obtain such information as it considers necessary in the circumstances before accepting an engagement with a new client, when deciding whether to continue an existing engagement, and when considering acceptance of a new engagement with an existing client.
Where issues have been identified and the firm decides to accept or continue the relationship or a specific engagement, it should document how the issues were resolved. Integrity of client
Matters to be considered:
- Identity and business reputation of owners, key management and those charged with governance.
- Nature of the clients operations and its business practices.
- Attitude of the owners, key management and those charged with governance towards matters such as aggressive interpretation of accounting standards and the internal control environment.
- Client’s attitude to fees.
- Indications of inappropriate limitation in the scope of work.
- Indications that client may be involved in money laundering or other criminal activities.
- Reasons given for non-reappointment of previous auditors.
Information can be gathered through communications with previous auditors or other professionals who may have provided services and through other third parties such as bankers, legal counsel and industry peers.
Competence of the firm
Matters to be considered:
- Has the firm got sufficient knowledge of the relevant industry and the relevant regulatory environment?
- Are there sufficient personnel within the firm having the necessary capabilities and competence and are experts/specialists available when needed?
- Are competent individuals available to perform quality control reviews?
- Will the firm be able to complete the engagement within the reporting deadline?
- Where a potential conflict of interest is identified, the firm should consider whether it is appropriate to accept the engagement.
- Need to consider any significant matters that may have arisen during the current or previous engagements of whatever description.
Agreeing the terms
Once an engagement has been accepted it is important to agree the terms. It is essential that both parties fully understand what the agreed services are. Any misunderstanding could lead to a breakdown in the relationship and could result in legal action, loss of business and reputation
ISA 210 terms of audit engagements establishes standards and provides guidance on:
- Agreeing the terms of an engagement with the client and
- The auditor’s response to a request by a client to change those terms to one that provides a lower level of assurance.
It states that the auditor and the client should agree on the terms of the engagement. The agreed terms would need to be recorded in an audit engagement letter or other suitable form of contract. The terms should be recorded in writing.
The objective and scope of an audit and the auditor’s obligations may be established by law, but the auditor may still find that an audit engagement letter will be informative for their clients.
The main points to be clarified in the letter of engagement would include:
- Confirmation of the auditor’s acceptance of the appointment.
- The auditor is responsible for reporting on the accounts to the shareholders
- The directors of the company have a statutory duty to maintain the books of the company and are responsible for the preparation of the financial statements.
- The directors are responsible for the prevention and detection of fraud.
- The fact that because of the test nature and other inherent limitations of an audit, there is the unavoidable risk that some material misstatements may remain undiscovered.
- The scope of the audit including reference to appropriate legislation and standards.
- There should be unrestricted access to whatever books and records the auditor needs in the performance of his duties.
Other points to be included:
- Arrangements regarding the planning and performance of the audit.
- The expectation of receiving from management written confirmation regarding representations made in connection with the audit.
- Request for the client to confirm in writing the terms of the letter.
- The fee to be charged and the credit terms.
- The form of any reports or other communication of results of the engagement.
- On recurring audits, the auditor should consider whether circumstances require the terms of the engagement to be revised and whether there is a need to remind the client of the existing terms of the engagement.
- An auditor who, before the completion of the engagement, is requested to change the engagement to one which provides a lower level of assurance, should consider the appropriateness of doing so. Where the terms are changed, both parties should agree on the new terms. Note, the auditor should not agree to a change of engagement where there is no reasonable justification for doing so.