What should the auditor do first if an illegal act is discovered during the audit of a publicly company?

Securities Exchange Act: Review of Reporting Under Section 10A (03-SEP-03, GAO-03-982R). This report responds to Representative John Dingell's request that GAO update our February 4, 2000, report on reporting under Section 10A of the Securities Exchange Act of 1934. Section 10A requires reporting to the Securities and Exchange Commission (SEC) when, during the course of a financial audit, an auditor detects likely illegal acts that have a material impact on the financial statements and appropriate remedial action is not being taken by management or the board of directors. In addition to reporting on the number of Section 10A reports submitted to the SEC and the status of SEC actions pertaining to Section 10A reports, we also agreed with Rep. Dingell's office to report on the current initiatives by the accounting profession pertaining to the auditor's responsibility for detecting fraudulent financial reporting. On October 1, 2002, we briefed his office on the number of Section 10A reports submitted to the SEC since our last report. This report responds to his February 25, 2003, request that we update that work, which we have updated to reflect Section 10A reports submitted to the SEC through May 15, 2003. -------------------------Indexing Terms------------------------- REPORTNUM: GAO-03-982R ACCNO: A08299 TITLE: Securities Exchange Act: Review of Reporting Under Section 10A DATE: 09/03/2003 SUBJECT: Auditing standards Auditors Corporate audits Crimes or offenses Financial statement audits Fraud Regulatory agencies Reporting requirements ****************************************************************** ** This file contains an ASCII representation of the text of a ** ** GAO Product. ** ** ** ** No attempt has been made to display graphic images, although ** ** figure captions are reproduced. Tables are included, but ** ** may not resemble those in the printed version. ** ** ** ** Please see the PDF (Portable Document Format) file, when ** ** available, for a complete electronic file of the printed ** ** document's contents. ** ** ** ****************************************************************** GAO-03-982R United States General Accounting Office Washington, DC 20548 September 3, 2003 The Honorable John D. Dingell Ranking Minority Member Committee on Energy and Commerce House of Representatives Subject: Securities Exchange Act: Review of Reporting Under Section 10A Dear Mr. Dingell: This report responds to your request that we update our February 4, 2000, report1 on reporting under Section 10A of the Securities Exchange Act of 1934. As you know, Section 10A requires reporting to the Securities and Exchange Commission (SEC) when, during the course of a financial audit, an auditor detects likely illegal acts that have a material impact on the financial statements and appropriate remedial action is not being taken by management or the board of directors. In addition to reporting on the number of Section 10A reports submitted to the SEC and the status of SEC actions pertaining to Section 10A reports, we also agreed with your office to report on the current initiatives by the accounting profession pertaining to the auditor's responsibility for detecting fraudulent financial reporting. On October 1, 2002, we briefed your office on the number of Section 10A reports submitted to the SEC since our last report. This report responds to your February 25, 2003, request that we update that work, which we have updated to reflect Section 10A reports submitted to the SEC through May 15, 2003. Results in Brief The Section 10A reporting requirements first became effective for fiscal years beginning on or after January 1, 1996. Since our February 2000 report, the SEC has received an additional 23 10A letters, bringing the total received since the requirement was implemented through May 15, 2003, to 29. Of the 29 SEC registrants named in the reports, 10 are currently subjects of active SEC enforcement investigations, 8 have had actions brought against them by the SEC, and 11 of the Section 10A reports were closed without formal action being taken by the SEC. According to SEC officials, all Section 10A reports are investigated. In some instances, the SEC took no formal action. However, the registrants, as a result of discussions with the SEC, took remedial action that the SEC found satisfactory. Through May 15, 2003, the SEC had filed seven actions against auditors for alleged violations of Section 10A for 1 U.S. General Accounting Office, Securities Exchange Act: Review of Reporting Under Section 10A, GAO/AIMD-00-54R (Washington, D.C.: Feb. 4, 2000). GAO-03-982R Review of 10A Reporting failing to report likely illegal acts materially impacting on a company's financial statements. Six of these cases have been settled with the majority of the auditors agreeing to suspensions from practicing before the SEC for periods ranging from 1 to 10 years. The remaining case was filed in January 2003 and is currently in litigation. In 2002, the American Institute of Certified Public Accountants (AICPA) issued a new audit standard for detecting fraud, Statement on Auditing Standards (SAS) 99: Consideration of Fraud in a Financial Statement Audit. The AICPA believes SAS 99 will substantially change auditor performance, thereby improving the likelihood that auditors will detect material misstatements in financial statements due to fraud by placing an increased focus on exercising professional skepticism throughout the audit. The new standard calls for auditors in planning and performing the audit to identify and consider risks of material misstatement due to fraud through brainstorming among audit team members, inquiring of management, performing analytical procedures, considering inappropriate reporting of revenue and management override of internal controls, evaluating internal controls that address the identified risks of fraud, and assessing throughout the audit and at the completion of the audit the risk of fraud based on the results of auditing procedures. The new standard also requires auditors to communicate about fraud to management, the audit committee, and others, and to document the auditors' consideration of fraud. SAS 99 has been adopted on an interim basis by the Public Company Accounting Oversight Board (PCAOB) for audits of public companies registered with the PCAOB. However, upon completion of its review of SAS 99, the PCAOB may modify, repeal, replace or adopt permanently the standard for audits of registered public companies. The Sarbanes-Oxley Act of 2002 also contains a number of provisions aimed at improving the quality of audits of public companies including more audit committee involvement with the auditor, a requirement for auditors to attest to management's assessment of internal controls over financial reporting, a requirement for audit partner rotation, prohibition of certain nonaudit services to audit clients, prohibition of providing audit services to a company that employs as a top official a previous member of the audit engagement team, and greater penalties for failure to report fraud. We believe these new provisions should enhance the auditor's ability to comply with the requirements of the auditing standard for detecting and reporting fraud. We requested comments on a draft of this document from the SEC and the AICPA. The SEC and the AICPA provided us with some technical suggestions which we incorporated as appropriate. Background The Private Securities Litigation Reform Act of 1995 (Public Law 104- 67) added Section 10A to the Securities Exchange Act of 1934 (15 U. S. C. 78j- 1). The requirements of Section 10A first became effective for fiscal years beginning on or after January 1, 1996.2 Section 10A requires a company's board of directors or its auditor to notify the SEC about possible illegal acts under certain conditions. Specifically, if the auditor detects or otherwise becomes aware that an illegal act has or may have occurred, the auditor is to inform the 2 For registrants not required to file quarterly financial data with the SEC, the requirements apply to annual reports for any fiscal year beginning on or after January 1, 1997. appropriate level of management as soon as possible and ensure that the board of directors or the audit committee is adequately informed. Section 10A also requires that auditors report conclusions directly to the board of directors or audit committee if they conclude the following: (1) the likely illegal act has a material effect on the financial statements, (2) senior management has not taken proper and timely remedial action, and (3) failure to take remedial action is reasonably expected to result in a departure from a standard audit report or the auditor's resignation.3 A board of directors or audit committee that receives such a report shall inform the SEC within 1 business day of receiving the report and send the auditor a copy of the notice provided to the SEC. If the auditor does not receive a copy of the notice within the required 1 business day, the auditor is to furnish a copy of the report to the SEC not later than 1 business day following the failure to receive a copy of the notice. Rule 240. 10A-1 states that reports under Section 10A shall be submitted to the SEC's Office of the Chief Accountant.4 The report must be in writing and identify the registrant and the auditor and the date that the registrant received the Section 10A report from the auditor. In addition, the report must include either a copy of the auditor's report or a summary of the report including a description of the act that the auditor has identified as a likely illegal act and the possible effect of that act on the financial statements. The rule is based on the premise that the reports under Section 10A are to assist the SEC in performing its enforcement responsibilities and therefore, the reports are nonpublic. After receiving and logging the Section 10A reports, the Office of the Chief Accountant forwards the reports to the Division of Enforcement, which conducts investigations into possible violations of federal securities laws and prosecutes the SEC's cases. The reports are also forwarded to other divisions within the SEC, including the Division of Corporation Finance, which reviews the financial statements and other financial reports filed by SEC registrant companies. The Office of the Chief Accountant and the Division of Enforcement monitor the progress on any investigation initiated or facilitated by a Section 10A report. In addition, the Division of Enforcement is developing a computer tracking system for referrals of Section 10A reports, as well as complaints concerning possible financial reporting violations. The SEC has current, ongoing monitoring efforts to identify potential Section 10A reporting situations where a report has not been submitted. The Office of the Chief Accountant monitors letters received from the AICPA's SEC Practice Section (SECPS)5 member auditors when the client-auditor relationship is terminated6 and other correspondence, as described later in this section, to identify potential Section 10A reporting situations. In 3 If the auditor resigns, the requirements of Section 10A are still applicable. 4 The Chief Accountant is the principal advisor within the SEC on accounting and auditing matters arising from the administration of federal securities laws. 5 The SECPS is a self-regulatory group whose objective is to improve the practice of certified public accounting firms. The AICPA bylaws require that all members that engage in the practice of public accounting with a firm auditing one or more SEC clients are required to join the SECPS. 6 When a SECPS member firm has been the auditor for an SEC registrant and has resigned, has declined to stand for reelection, or has been dismissed, SECPS requirements state that the firm shall report in writing the fact that the client auditor relationship has ceased directly to the client with a simultaneous copy to the Office of the Chief Accountant of the SEC within 5 business days. addition, officials from the Division of Corporation Finance explained that they look for potential enforcement cases, including potential Section 10A reporting cases, when reviewing information reported to the SEC on Form 8-K, Item 4, "Changes In Registrant's Certifying Accountants." An SEC registrant must submit a Form 8-K within 5 business days of the date that its auditor resigns, declines to stand for reelection, or is dismissed. Item 304 of Regulation S-K, which is incorporated into the Form 8-K, Item 4, requires registrants to state, among other things, whether there were any disagreements between the auditor and the registrant on any matter of accounting principles or practices, auditing scope or procedures, or financial statement disclosures in connection with the audits of the financial statements for the 2 most recent fiscal years, and any subsequent interim period. Item 4 also requires disclosure of any instance within the applicable time period where the former auditor advised the registrant that (1) the internal controls necessary for developing reliable financial statements did not exist, (2) information had come to the auditor's attention that led him to no longer rely on management's representations, (3) there was a need to expand significantly the scope of the audit and the scope had not been expanded, and (4) information had come to the auditor's attention affecting the reliability of past audit reports or financial statements, or the financial statements issued or to be issued covering the periods subsequent to the date of the last audit report, and the issue had not been resolved to the auditor's satisfaction. According to the SEC, it received approximately 2,800 Forms 8K with Item 4 disclosures during fiscal year 2002.7 The Division of Corporation Finance reviews all Item 4 Forms 8-K and requests additional information from the registrant as needed to clarify matters reported. When the Division of Corporation Finance identifies significant potential violations of SEC laws and regulations, the matters are considered for forwarding to the Division of Enforcement for further investigation. The Division of Enforcement advised us that it processed approximately 600 enforcement cases during its last fiscal year, of which approximately 23 percent involved accounting and/or auditing issues. In addition to referrals from the Division of Corporation Finance, the Division of Enforcement becomes aware of potential enforcement cases through various means, including news articles, letters, and referrals from other agencies such as the Department of Justice or the stock exchanges. When investigating cases, the Division of Enforcement considers violations of any federal securities laws and regulations, including Section 10A reporting requirements. Objectives, Scope, and Methodology Our objectives were to determine (1) the number of Section 10A submissions through May 15, 2003 and the status of the SEC actions on those reports, and (2) the current initiatives being taken by the accounting profession pertaining to the auditor's responsibility for detecting fraudulent financial reporting. To meet the above objectives, we interviewed officials from the SEC's Office of the Chief Accountant, Division of Enforcement, and Division of Corporation Finance. We requested information from the SEC regarding the 7 According to SEC officials, approximately half of the item 4 disclosures were submitted because a change of auditor was necessary when Arthur Andersen, LLP ceased practicing before the SEC in August 2002. number of Section 10A reports submitted through May 15, 2003, and the status of any related enforcement issues associated with all Section 10A cases. In addition, we made inquiries of the AICPA about the accounting profession's actions to address recommendations concerning fraud related to the studies identified in our February 4, 2000, report. We requested oral comments on a draft of this report from the AICPA's Director of Professional Standards and Services - Washington D.C. and from the principal representatives we met with at the SEC. The Chief Counsel in the SEC's Office of the Chief Accountant provided us with oral comments that also incorporated the views of the Division of Enforcement and Division of Corporation Finance. Their comments are discussed at the end of this report. We conducted our work from February 2003 through May 2003 in accordance with generally accepted government auditing standards. Section 10A Reports Received by the SEC Section 10A reporting requirements first became effective for fiscal years beginning on or after January 1, 1996.8 In our February 2000 report, we stated that six Section 10A reports had been submitted through December 14, 1999. Records from the SEC's Office of the Chief Accountant show that during the period December 15, 1999, through May 15, 2003, an additional 23 Section 10A reports were submitted. Therefore, since the inception of the 10A reporting requirement through May 15, 2003, a total of 29 Section 10A reports have been submitted to the SEC. The reports cover a variety of potential illegal acts, including improper revenue recognition, unusual capital transactions relating to stock warrants, inadequate financial statement disclosures, and failure to disclose expenses relating to stock options. Although the AICPA has not specifically studied Section 10A reporting, representatives from the AICPA continue to attribute the low level of 10A reporting to the reasons they cited as stated in our previous report, the most likely being that in most cases, management or the board of directors, often with the participation of internal or external counsel, take timely and appropriate action to address a situation involving an illegal act when it is brought to their attention. According to SEC officials, all Section 10A reports are investigated. Of the 29 SEC registrants named in the reports, 10 are currently subjects of active SEC enforcement investigations, 8 have had actions brought against them by the SEC, and 11 were closed without formal action being taken by the SEC. Injunctive actions and administrative proceedings were filed in 8 cases alleging violations such as (1) failure to disclose transactions in public statements to shareholders and the SEC, (2) inclusion of fraudulently-valued assets on financial statements filed with the SEC, (3) underreporting the value of inventory resulting in an understatement of expenses and liabilities and an overstatement of income, and (4) improper revenue recognition and understatement of expenses. A violation reported under Section 10A may be closed without formal action being taken by the SEC for such reasons as the registrant is no longer publicly traded, has a very small dollar amount of assets, or is no longer doing business. In certain instances, after discussions with the SEC, the registrants took remedial action, which the SEC found satisfactory, such as obtaining a review of the registrant's quarterly financial statements filed with the SEC. 8 See footnote 2. On October 31, 2000, the SEC filed its first actions against auditors for violating Section 10A reporting requirements, which call for auditors to report to the SEC when, during the course of a financial audit, they detect likely illegal acts that have a material impact on the financial statements and appropriate remedial action is not being taken by management or the board of directors. As previously stated, through May 15, 2003, the SEC had filed seven actions against auditors for alleged violations of Section 10A for failing to report likely illegal acts materially impacting on a company's financial statements. These actions were both civil actions in federal court seeking, among other remedies, injunctive relief, and SEC administrative proceedings against auditors seeking cease and desist orders and auditor suspensions from practicing before the SEC. In addition to the auditor's failure to submit a 10A notification, in some cases injunctive actions and administrative proceedings were filed against auditors for other alleged violations such as engaging in fraud by falsely representing to the public that the financial reporting was in accordance with generally accepted accounting principles or failure to comply with generally accepted auditing standards. Six of these cases have been settled with five of the auditors agreeing to suspensions from practicing before the SEC for periods ranging from 1 to 10 years. In the sixth case, monetary penalties were assessed against the auditors. The remaining case, which was filed in January 2003, is still in litigation. Current Initiatives by the Accounting Profession Related to Detection of Fraudulent Financial Reporting In October 2002, the AICPA issued a new auditing standard for detecting fraud, Statement on Auditing Standards (SAS) 99: Consideration of Fraud in a Financial Statement Audit,9 which became effective for audits of financial statements for periods beginning on or after December 15, 2002. While the new fraud auditing standard does not change the auditor's responsibility to detect fraud, it does provide more guidance to the auditor on how to respond to risks of material frauds and more specific fraud detection procedures. The changes to the auditor's consideration of fraud were largely in response to AICPA-sponsored academic research projects which studied the effectiveness of SAS 82 and recommendations concerning fraud from the Panel on Audit Effectiveness.10 The AICPA believes that the new standard will substantially change auditor performance, thereby improving the likelihood that auditors will detect material misstatements in financial statements due to fraud by placing an increased focus on exercising professional skepticism throughout the audit. The new standard also stresses that auditors must ask the right questions and question the answers, and obtain audit evidence that supports the answers. 9 This new SAS supersedes the AICPA's earlier fraud standard issued in 1997, SAS 82, which carried the same title. 10 In 1998, the Public Oversight Board (POB) appointed a Panel on Audit Effectiveness to examine the current audit model, including the way independent audits are performed regarding the auditor's consideration of fraud. The Panel's report, Report and Recommendations, issued August 31, 2000, contains recommendations addressed to the AICPA's Auditing Standards Board concerning fraud. The POB was an independent private sector body that provided oversight of the self-regulatory programs of the AICPA's SECPS. The POB was terminated on May 1, 2002. See U.S. General Accounting Office, The Accounting Profession: Status of Panel on Audit Effectiveness Recommendations to Enhance the Self-Regulatory System, GAO-02-411 (Washington, D.C.: May 17, 2002). Moreover, auditors who identify fraud risks must know how to change audit procedures to handle the situation. Key provisions of the new standard include the following. o As part of planning the audit, brainstorming among audit engagement personnel, including the person responsible for the audit, regarding the risks of material misstatement due to fraud. Audit team members are required to consider how and where the entity's financial statements might be susceptible to material misstatement due to fraud and reinforce the importance of adopting an appropriate mindset of professional skepticism. o Obtain the information needed to identify risks of material misstatement due to fraud through such activities as (1) inquiring of management and others within the entity about the risks of fraud, (2) considering the results of the analytical procedures performed in planning the audit, (3) considering fraud risk factors, and (4) considering certain other information. o Require specific consideration of the risks of fraud due to inappropriate reporting of revenue and management override of internal controls. o Use information gathered to identify risks that may result in a material misstatement due to fraud. o Assess the identified risks after taking into account an evaluation of the entity's programs and controls that address the identified risks of material misstatement due to fraud. o Respond to the results of the assessment of the risks of material misstatement due to fraud by applying professional skepticism when gathering and evaluating audit evidence. The auditor's response to the risks identified relates to the performance of the audit by considering (1) the overall effect on how the audit is conducted, that is, a response involving more general considerations apart from the specific procedures otherwise planned, (2) identified risks that involve the nature, timing, and extent of the auditing procedures to be performed and (3) the performance of certain procedures to further address the risk of material misstatement due to fraud involving management override of controls, such as examining journal entries and other adjustments for evidence of possible material misstatement due to fraud, reviewing accounting estimates for biases that could result in material misstatement due to fraud, and evaluating the business rationale for significant unusual transactions. o Assess the risks of material misstatement due to fraud throughout the audit, evaluating at the completion of the audit whether the accumulated results of auditing procedures (audit evidence) and other observations affect the assessment and the need to perform additional or different audit procedures, and considering whether identified misstatements may be indicative of fraud and, if so, evaluating their implications. o Communicate about fraud to management, the audit committee, and others. o Document the auditor's consideration of fraud. The new Public Company Accounting Oversight Board (PCAOB)11 has adopted on an interim basis, auditing standards issued by the AICPA's Auditing Standards Board (ASB), as they existed on April 16, 2003, for use by public accounting firms registered with the PCAOB in the preparation and issuance of audit reports of public companies. Upon completion of its review of the standards, including SAS 99, the PCAOB may modify, repeal, replace or adopt permanently the existing standards for audits of registered public companies. Therefore, the PCAOB may determine that additional requirements and guidance are needed for auditors to be more effective in detecting and reporting fraud. The Sarbanes-Oxley Act of 2002 (the Act) also contains a number of provisions aimed at improving the quality of audits of public companies. We believe these provisions should enhance the effectiveness of the audit function, including the auditor's ability to comply with the requirements of the auditing standard for detecting and reporting fraud. For example, the Act o requires auditors to report to and be overseen by a public company's audit committee,12 not management; o requires auditors to report to the audit committee information such as critical accounting policies and practices to be used, alternative treatments of financial information within generally accepted accounting principles that have been discussed with management, ramifications on the use of alternative treatment and the auditors' preferred treatment, and other material written communications between the auditor and management; o requires auditors to attest to, and report on, the required assessment made by management on the company's internal controls over financial reporting; o requires the lead audit partner and the audit review partner to rotate every 5 years; o prohibits an accounting firm from providing audit services to a public company if one of that company's top officials was employed by the firm and worked on the company's audit during the previous year; o prohibits the auditor of the public company's financial statements from also providing certain nonaudit services; o requires the public company's audit committee to pre-approve all audit, attest, and review services and nonaudit services that are not prohibited by the Act; o creates greater penalties for those who destroy records, commit securities fraud and fail to report fraud; and 11 The PCAOB was established pursuant to the Sarbanes-Oxley Act of 2002 (Act) to oversee the audits of public companies that are subject to the U.S. Federal securities laws. As provided for by the Act, the PCAOB will set professional standards (including auditing, attestation, quality control, ethics, and independence standards) to be used by public accounting firms registered with the PCAOB in the preparation and issuance of audit reports of public companies. 12 An audit committee means a committee or equivalent body established by and amongst the public company's board of directors. If no such committee exists, then the entire board of directors shall be the audit committee. o extends the statute of limitations for the discovery of fraud to the earlier of 2 years from the date of discovery of the facts constituting the violation or 5 years after the violation. Agency Comments We received oral comments on a draft of this report from the AICPA's Director of Professional Standards and Services - Washington D.C. and from the Chief Counsel in the SEC's Office of the Chief Accountant who provided us with oral comments that also incorporated the views of the Division of Enforcement and Division of Corporation Finance. The SEC and the AICPA provided us with some technical suggestions which we incorporated in the report as appropriate. We plan no further distribution of this report until 30 days after the date of this report. At that time, we will send copies of this report to the Honorable William H. Donaldson, Chairman of the SEC, and Mr. William F. Ezzell, Chairman of the AICPA. The report will also be available at no charge on GAO's home page at http://www.gao.gov. If you have any questions, please call me at (202) 512-9406 or Julia Duquette at (202) 512- 5131. Sincerely yours, Jeanette M. Franzel Director Financial Management and Assurance (194220) This is a work of the U.S. government and is not subject to copyright protection in the United States. It may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately. The General Accounting Office, the audit, evaluation and investigative arm of GAO's Mission Congress, exists to support Congress in meeting its constitutional responsibilities and to help improve the performance and accountability of the federal government for the American people. GAO examines the use of public funds; evaluates federal programs and policies; and provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions. GAO's commitment to good government is reflected in its core values of accountability, integrity, and reliability. The fastest and easiest way to obtain copies of GAO documents at no cost is through the Internet. GAO's Web site (www.gao.gov) contains abstracts and full- Obtaining Copies of GAO Reports and Testimony text files of current reports and testimony and an expanding archive of older products. The Web site features a search engine to help you locate documents using key words and phrases. You can print these documents in their entirety, including charts and other graphics. Each day, GAO issues a list of newly released reports, testimony, and correspondence. GAO posts this list, known as "Today's Reports," on its Web site daily. The list contains links to the full-text document files. To have GAO e-mail this list to you every afternoon, go to www.gao.gov and select "Subscribe to e-mail alerts" under the "Order GAO Products" heading. Order by Mail or Phone The first copy of each printed report is free. Additional copies are $2 each. A check or money order should be made out to the Superintendent of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or more copies mailed to a single address are discounted 25 percent. Orders should be sent to: U.S. General Accounting Office 441 G Street NW, Room LM Washington, D.C. 20548 To order by Phone: Voice: (202) 512-6000 TDD: (202) 512-2537 Fax: (202) 512-6061 To Report Fraud, Contact: Web site: www.gao.gov/fraudnet/fraudnet.htm Waste, and Abuse in E-mail: [email protected] Federal Programs Automated answering system: (800) 424-5454 or (202) 512-7470 Public Affairs Jeff Nelligan, Managing Director, [email protected] (202) 512-4800 U.S. General Accounting Office, 441 G Street NW, Room 7149 Washington, D.C. 20548 *** End of document. ***

What is the auditor supposed to do first if he believes that an illegal act occurred?

What is the auditor's responsibility to detect illegal acts?

When an auditor becomes aware of a possible illegal act the auditor should?

What action should an auditor take if evidence of an illegal act by a client is uncovered?