Posted by Latha Do NADARAJAN, Year 3 undergrad at the School of Accountancy, Singapore Management University
Imagine an external auditor in this situation. In the course of a financial statement audit, unequivocal evidence of a fraud is uncovered. The auditor confronts the client with evidence; the client admits to the fraud and agrees to make the requisite adjustments in the firm’s financial statements. The auditor also notifies the client’s audit committee of the fraud. However, the committee comes to the decision that no further action is necessary.
Despite that the client attempted to commit fraud (a fact that might be relevant to investigators or regulators), the adjustments remove any material misstatements. The auditor, at this point, has no further recourse but to issue an unqualified opinion.
Has the accounting profession created a situation in which the auditors’ ethical behavior is impaired by their professional obligations? The audit profession has come under significant criticism during the past decade about the ethical conduct of auditors and their roles in abetting (or, at least, failing to prevent) a variety of financial scandals, such as Enron, Tyco and WorldCom. The heightened attention has led to the creation of the Sarbanes-Oxley Act of 2002 (SOX) and revised professional standards, such as SAS No. 99, which provide better guidance for the consideration of fraud during an audit. However, at the same time that legislators and the audit profession are attempting to guide auditors’ behavior, the profession’s standards of client confidentiality might be working to limit the ethical choices of accountants.
The restricted nature of audit opinions, together with the American Institute of Certified Public Accountants’ (AICPA) client confidentiality rule, places the auditor in the position of having to choose between earning a livelihood or making a proper ethical choice. Professional codes for U.S. accounting ethics are more restrictive than those of most professional associations, even those for which the client-practitioner privilege is well-recognized. Moreover, the concept of accountant-client privilege has never been supported by the federal courts including a number of U.S. Supreme Court decisions, which failed to find such a right. Changes in professional standards regarding confidentiality are necessary to better serve the public and the investors whose interests are unprotected by current statements of responsibility.
This is not to say that client confidentiality should be abolished. On the contrary, pledges of confidentiality are critical when gathering full disclosures of company information, which can be sensitive and/or proprietary. However, disclosure in limited circumstances, such as when a fraud is discovered, might help to prevent future harm without compromising the quality of financial audits.
CLIENT CONFIDENTIALITY AND REPORTING FRAUD: WHAT’S AN ACCOUNTANT’S RESPONSIBILITY?
Accountants have traditionally asserted the right of confidentiality, which is articulated most plainly in Rule 301 of the AICPA Code of Professional Conduct (Confidential Client Information): A member in public practice shall not disclose any confidential client information without the specific consent of the client. (AICPA, 1993, Section 301)
The same principle of confidentiality is invoked by auditors when fraud is uncovered during an audit. SAS No. 99 states that disclosure of fraud to parties other than the client and its audit committee “… would be precluded by the auditor’s ethical and legal obligations of confidentiality.” Although the protection of a client’s private disclosures is an important tenet of the profession, the assertion of a privileged accountant-client relationship is difficult to justify, particularly in the audit function. Moreover, even if we assume such a privileged relationship exists between accountants and their clients when a financial crime is uncovered, but not reported, it is difficult to justify the protection of confidentiality – either in the broader context of privileged information or, more specifically, in the context of accounting.
Privileged communication grows out of common law and the belief that certain relationships (e.g., spouses, clergy, legal counsel, and physicians) would be irreparably damaged if those seeking advice were at risk of having their confidences revealed in testimony. Similar claims are sometimes made for “accountant-client” privilege.
Normally, courts use four criteria – the so-called “Wigmore test” – to determine whether claims of privilege apply to persons in a given relation. According to J. Wigmore’s “A Treatise on the System of Evidence in Trials at Common Law, including the Statutes and Judicial Decisions of All Jurisdictions of the United States, England, and Canada,” the four criteria are: 1) the communications must originate in a confidence that they will not be disclosed 2) this element of confidentiality must be essential to the full and satisfactory maintenance of the relation between the parties 3) the relation must be one that, in the opinion of the community, ought to be sedulously fostered 4) the injury that would inure to the relation by the disclosure must be greater than the benefit thereby gained for the correct disposal of litigation. In general, the situation must address all four criteria for privilege to apply.
Using such criteria, the federal government has failed consistently to recognize any privilege between accountants and their clients. The U.S. Supreme Court has made compelling arguments against accountant-client privilege in both Couch v. United States (1973) and United States v. Arthur Young & Co. (1984), noting in the latter that an accountant’s “public watchdog” function demands that the accountant maintain total independence from the client at all times and requires complete fidelity to the public trust. Following the second criterion set forth in Wigmore’s test, there’s reason to question whether complete confidentiality is essential to the accountant-client relationship. Indeed, given the public reporting nature of public accountancy, the accountant’s primary duty is to protect the public from improper reporting rather than to protect the client from disclosure of wrongdoing.
Even assuming that accountant-client privilege has merit, it’s difficult to assert that it would preclude an auditor from reporting an instance of financial crime to proper, outside authorities.
The fourth criterion in Wigmore’s test notes that there are balancing interests in society between confidentiality and societal harm. Thus, the law recognizes cases in which the damage to members of society outweighs client confidentiality. Physicians and other health-care workers, for example, are required to report cases of suspected child abuse. Similarly, mental health professionals have an obligation to report client information to law enforcement personnel if they have reason to believe the client will engage in actions that could result in injury – either to the client or others.
This isn’t to suggest that fraud is as heinous a crime to society as child abuse or murder. However, the willful misstatement of public financial statements is probably the most serious breach of trust within the context of the accounting practice. Given the seriousness of the crime in this context and the “ultimate allegiance” to investors and creditors asserted by the court, accountants would be hard-pressed to demonstrate that greater damage results from breaching client confidentiality than from reporting a suspected fraud to outside parties.
THE CASE AGAINST CHANGING CONFIDENTIALITY STANDARDS
It’s common, however, to hear strong protests from practitioners against changing client confidentiality standards, even in cases of client fraud. Proponents of complete confidentiality normally assert one or more of the following arguments:
1. Breaching client confidentiality in matters of fraud will undermine the willingness of clients to cooperate.
2. Faced with the possibility of exposure, clients will engage in yet more devious methods to hide the fraud, which the auditors will be unable to find.
3. The damage to firms that are suspected of fraud, but later found not to be responsible, will be significant and unwarranted either as a result of the accusation.
The seriousness of financial crimes and confidentiality breaches requires us to consider these objections in some detail.
Loss of client cooperation
There’s no question that an audit requires the examination of large amounts of material that the client provides willingly. Lacking subpoena power, there’s no other way an auditor could obtain this material. However, to suggest that clients would fail to cooperate if confidentiality wasn’t required ignores the reality of the audit process. Publicly traded companies by law must be audited and CPAs are the only professional group allowed by law to conduct audits. Companies have no option but to comply with auditors’ requests; otherwise, no opinion would be issued. Moreover, because most clients are honest and auditors will still be strongly constrained concerning the information they can release, the majority of audits should be unaffected.
This professional monopoly protects the accounting profession and obligates it to consider the well-being of society while exercising its duties. Indeed, the granting of a professional monopoly is a recognition of the profession’s expertise in a given arena, but in return society expects a pledge of ethical behavior.
More devious audit schemes
This argument that changing confidentiality standards will result in frauds that are more difficult to detect seems to be based on two principles. The first is that firms that are engaged in fraud aren’t making their best efforts to avoid detection. The second is that if firms are forced to become better at fraud, auditors will be unable to detect it. These assertions are difficult to justify logically and ethically.
First, if firms are engaged in fraud, it behooves them to be as secretive and competent as possible. The consequences of fraud extend beyond adverse audit opinions to job loss, fines and jail time. And the means of discovery can include employee whistle-blowers, audits and irate creditors.
Second, allowing clients to commit illegal acts without consequences, simply because those acts were easy to detect and correct, is ethically bankrupt. We might actually encourage clients to attempt fraud if the potential gains are high and there aren’t adverse consequences if the attempts are discovered.
Finally, this mindset says little about the audit profession’s competence (particularly in light of SAS No. 99 and other standards) if practitioners doubt their ability to uncover fraud. Some highly complex and collusive frauds might go undetected, but auditors are granted their monopoly based on their superior expertise in these matters. If auditors are truly unable to deal with the schemes of dishonest clients (which seems unlikely), then the profession needs to reexamine why it has been granted the exclusive right to conduct audits, or indeed what the value of an independent audit is.
Damage to clients suspected of fraud
There’s no question that damages resulting from a reported financial crime are significant, and these reports shouldn’t be made frivolously. Specific guidelines for auditors reporting financial crime are beyond the scope of this article. However, there’s ample evidence that such guidelines can be created. Numerous professions (e.g., medicine, law, and clergy) with significantly more stringent confidentiality mandates have developed workable criteria for reporting crimes uncovered in the line of service.
These specific objections notwithstanding, many auditing professionals cite the passage of SOX as a remedy for reporting financial misconduct discovered during audits. Although SOX deals with a variety of ethical issues, such as auditor independence and the composition of audit committees, its ability to deal with conflict between client confidentiality and an auditor’s ethical decisions is problematic.
WILL SOX FILL THE GAP?
In July 2002, SOX was signed into legislation. The act addresses matters of auditor independence and oversight and makes changes in reporting responsibilities for management, auditors, and the audit committee. SOX is notable (among numerous provisions) for mandating both the creation of competent audit committees and disclosing fraud to those committees. While we can assume that this will deal effectively with some (or even most) financial misconduct, there are still two obvious gaps in the process: 1) The auditor never makes his or her determination of suspected fraud available to anyone outside the audit committee. Deficiencies in internal control will no doubt be noted in the auditor’s report, but the disclosure is indirect and passive. The initiative to follow up and investigate further is left to the consumers of the opinion. 2) The audit committee isn’t required to pursue the fraud charges with regulatory or law enforcement organizations. We might expect such a course of action from an independent party; however, this is open to question, given the small percentage of corporate crime that’s actually reported.
Audits are now more likely to uncover fraud, but unless such information is made available to investors and regulators, accounting will face continued criticism that it favors clients to the detriment of the investing public. Moreover, the nature of the accountant-client relationships and the grievous harm that results to investors when financial misconduct is allowed to occur make it difficult to support the profession’s claim of confidentiality in the face of fraud.
At the very least, the accounting profession needs to reexamine the balance between client confidentiality and public trust. We can be sure that in the absence of serious self-examination and industry regulation, legislators are willing to act. The result, such as SOX, is likely to be more onerous and less informed than what the accounting profession would choose for itself.
Can auditors be trusted to detect fraud?
AS LONG as there is money to be made, dishonest businessmen have tried every conceivable means to manipulate financial statements to give a false impression of their company’s health.
There are many ways to deceive investors, the end-consumer of financial statements. They range from relatively mild “window- dressing” techniques to mask falling revenues or excessive expenses, to outright fraud by faking receipts and documents.
Every year, a listed company’s financials are subject to review by an external auditor. This is to give the investing public additional assurance that a company’s financial statements are reliable.
An audit is a costly and time-consuming process. Audit fees can run from the tens of thousands of dollars for a small private company to the hundreds of thousands for a larger listed company, to millions of dollars for the bigger listed firms reporting billions of dollars in revenue.
Auditors, for example, might have to spend time interviewing management, visiting company store outlets, counting inventory, and checking bank statements to verify claims.
In practice, however, it is impossible to check every statement, receipt, voucher or bill. And auditors don’t do that; they go through a sample of source documents, rather than every one.
Also, if auditors are given well-forged documents to pore through, as they have in past scandals, nothing may smell fishy.
If you have friends who are auditors, they might tell you that their work is an art as well as a science. Passing an opinion on a company’s statements requires judgment on whether the statements are compatible with accounting frameworks.
If there are improperly presented numbers, one also has to decide whether the misstatement is material or not, in the context of the company’s earnings, debt situation or cash flows.
Sometimes, misstatements deemed too small to matter might even be offset against each other such that no change needs to be made to a company’s financial statements.
The profession is also susceptible to conflicts of interest. Sure, auditors have reputations to keep and are not likely to shy away from pointing out fraudulent practices just for the sake of some fees.
But auditors are also incentivised to want continued business from a client year after year. Over time, they also become closer to management.
Any issues with financial statements could be worked out behind the scenes. Auditors might not want to object to every questionable practice, especially if it is minor.
At the extreme, auditors might freely allow aggressive accounting techniques.
A famous case in history involves energy giant Enron, which perpetuated accounting fraud and went bankrupt in 2001. Its auditor, Arthur Andersen, was caught up in the scandal and convicted of criminal charges.
Even though the conviction was later overturned, most of its customers had left the audit giant by then. The damage to its brand name proved too much for the firm to recover from.
Regulators have tried ways to increase auditor independence. One of the most contentious is the institution of mandatory audit rotation.
Supporters of the rule argue that it will allow a fresh set of eyes to spot issues, and avoid the risk of an incumbent audit firm losing objectivity by being too close to the audited company.
The knowledge that a new audit firm will take over the audit will cause the incumbent firm to be more careful with its work to avoid being embarrassed, goes the argument.
A few months ago, the European Parliament voted in favour of rules to force European-listed companies to appoint new auditors every 10 years. However, a similar effort in the US failed to gain traction.
Over here, the Monetary Authority of Singapore (MAS) put out rules in 2002 to require local banks to change auditors every five years. But they suspended those rules in 2008 amid the global financial crisis to avoid market disruption.
Some audit firms are against being compulsorily rotated. An Ernst & Young report in 2013 argued that audit firms can best perform when they have a long-term working relationship with the company.
They can better understand their clients’ business, which can be in a specialised industry. Changing auditors for companies with complex global operations can be costly and inefficient if the existing audit firm has already established a network.
By staying on for longer, auditors can gain their clients’ respect and trust to better resolve issues with management, Ernst & Young argued.
It is also important to note that, contrary to popular perception, auditors stress that their job is not to detect fraud.
As they remind investors in every report, their responsibility is to express an opinion on whether financial statements are free from material misstatement.
It is the management’s responsibility to prepare financial statements to give a true and fair view in accordance with laws and regulations.
Auditors also point out that it is the management’s responsibility to have a system of internal controls to protect assets against unauthorised use.
Auditors are, however, required to obtain an understanding of a company’s internal controls relevant to their audit of the company, when identifying and assessing the risks of material misstatement.
Unstated, perhaps, is the age-old dictum of caveat emptor: Let the buyer beware.
Ultimately, the onus is on investors to read through the disclosures given by a company in its financial statements and annual reports, and to make their own judgement on whether the company can be trusted.
As The Economist magazine put it in a December 2013 article: “Auditors have a conflict of interest at the heart of their business – they are paid by the companies they are supposed to assess objectively. Unless that changes, there will be no substitute for investors doing their own due diligence.”
Falling profits, pressure to meet investor expectations, lucrative management stock options, combined with a complicated business model, are just some of the conditions under which fraud could occur.
Let the investor beware.