Audit Malpractice Defense: Four Key Issues

When a major fraud is discovered in a company, one of the key targets of litigation is usually the independent auditors. Two well-publicized cases in which management or shareholders suing the auditors after fraud was uncovered involve Koss Corp. (auditors Grant Thornton) and Navistar International Corp. (Deloitte & Touche).

Plaintiffs look to the auditors for potential recovery since the auditors typically have deep pockets and large insurance policies. Auditors (and their attorneys) need to know how to defend themselves in these suits.  Naturally, the auditors recognize that audits are supposed to provide reasonable assurance that the financial statements are fairly stated.

The auditors do not provide absolute assurance on the financial statements. And they certainly do not guarantee that they will detect fraud in the financial statements. Audits are not designed to detect fraud, but we don’t want to hang our hat solely on that distinction, because you can never be sure how a jury will see that issue.

Company management is responsible for preventing and detecting fraud within the company, and the auditors remind everyone of that throughout the audit process. However, this is another issue that you don’t want to count on singularly, since you don’t know how a jury will react to it.

Below are four of the key considerations that may help successfully defend a lawsuit alleging auditor malpractice.

1. Was the audit done in accordance with professional standards?

Generally Accepted Auditing Standards (GAAS) and Statements on Auditing Standards (SAS) are the most extensive rules, but other professional standards may apply as well.

When auditing a small company, or one with very straightforward financial statements, this question may be easily answered. It is not so easily answered when operations are complex, the valuation of assets and liabilities involves the judgment of management, or the company just has unusual situations that don’t fit neatly into the auditing box.

Specifically, you must address SAS 99, Auditors Responsibility for Fraud Detection. This standard outlines the process auditors must go through as they consider the possibility that fraud could occur within the company. Was the issue of fraud appropriately considered, and were audit procedures designed accordingly? Did the audit team thoughtfully consider the issue of fraud and thoroughly examine any possible issues before deciding on a scope of work as it relates to fraud.

The rest of the auditing standards must be considered in defending the case of audit malpractice, but SAS 99 should be the starting point in assessing whether anything went wrong in the audit.

Do the working papers show that the auditors completed all the procedures suggested by the audit program?

Auditors do have some latitude in designing audit procedures, based on their evaluation of the risks facing the company and the results of testing. This is an area in which the auditors are likely to get tripped up in a lawsuit, however.

It is important to determine whether any problems discovered during audit testing were dealt with appropriately. For example, if the auditors’ testing revealed that documentation did not support numbers in a certain area of the financial statements (or documentation was not available), then the auditors must follow this with additional analysis and/or procedures.

This article demonstrates a case in which I was retained as an expert witness.  The auditors made major mistakes in a key area of the audit. Had they followed up on an explanation that didn’t coincide with the documentation in their hands, they would have immediately uncovered a fraud.

Did staff, managers, and partners sign off on the work programs appropriately?

We want to ensure that in addition to performing all the appropriate audit procedures, the auditors also documented this work (and relevant issues to consider) in the work programs. Do the work programs reflect the work actually done? Was a box checked or a space signed only if the work was actually done? This can be a tedious thing to analyze, as the expert must go through all of the work programs in conjunction with the workpapers, and make sure that the representations in the work programs match the documented work.

Did the participants in the fraud take careful steps to ensure the auditors would not discover it?

The work of a fraudster is not limited to just committing a fraud (stealing money or manipulating the financial statements for some direct or indirect benefit). The fraud also involves the cover-up. When the fraudsters take careful steps to ensure their schemes are not detected by the auditors, this may help the auditors win the malpractice case. When there is someone (or a group of employees) actively taking steps to ensure the auditors will not discover the fraud, the auditors may have a very strong defense in a malpractice lawsuit.

Tracy Coenen, CPA, CFF has been retained both by plaintiffs and defendants in auditor malpractice cases, and has provided testimony in such cases in both state and federal courts. Attorneys representing auditing firms or victims of fraud can contact Tracy for a confidential evaluation of issues related to auditor malpractice by calling her at 312.498.3661 or emailing her at [email protected].


  1. Tracy,

    As usual, an excellent summary. As audit reports make clear, you are absolutely correct when you say “The auditors do not provide absolute assurance on the financial statements.”

    To clarify one point, the statement, “Audits are not designed to detect fraud,” is not correct, at least with respect to frauds which cause the financial statements under audit to become materially misstated. By definition, this includes financial statement fraud.

    From SAS No. 47, Audit Risk and Materiality in Conducting an Audit (see AU §312, Audit Risk and Materiality in Conducting an Audit,” at .03.):

    “The auditor’s responsibility is to plan and perform the audit to obtain reasonable assurance that material misstatements, whether caused by errors or fraud, are detected.”

    SAS No. 1, Codification of Auditing Standards and Procedures has nearly identical language (see AU §110, Responsibilities and Functions of the Independent Auditor, at .02):

    “The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.” [footnote omitted]

    SAS No. 99, Consideration of Fraud in a Financial Statement Audit, (See AU §312, Audit Risk and Materiality in Conducting an Audit, at .05.) says:

    “For those illegal acts that are defined in that Statement [SAS No. 1] as having a direct and material effect on the determination of financial statement amounts, the auditor’s responsibility to detect misstatements resulting from such illegal acts is the same as that for errors, or fraud.” [reference omitted]

    The unqualified statement, “Audits are not designed to detect fraud,” appears to be untrue where financial statements are materially misstated due to fraud.

    Keith Mautner

  2. Tracy Coenen

    Audits are designed to detect material misstatements, but they are not designed specifically to detect fraud. The proof of that lies in the fact that audits almost never detect fraud. On this point, we shall politely disagree with one another, I think. Thanks for commenting, Keith.

Leave a Reply