18wjMaD

MAY 2013 

An Analysis of Alleged Auditor 

Deficiencies in SEC Fraud 

Investigations: 1998–2010 

Mark S. Beasley 

North Carolina State University 

Joseph V. Carcello 

University of Tennessee 

Dana R. Hermanson 

Kennesaw State University 

Terry L. Neal 

University of Tennessee

Preface 

This study examines alleged auditor deficiencies associated with SEC investigations of fraudulent 

financial reporting cases from 1998–2010 involving U.S. public companies. The research team 

examined fraud cases identified in the preparation of Fraudulent Financial Reporting:1998–2007, 

An Analysis of U.S. Public Companies (issued by the Committee of Sponsoring Organizations of 

the Treadway Commission (COSO), 2010), as well as additional SEC enforcement actions from 

2008–2010. This report provides insights into alleged auditor deficiencies associated with 87 

cases of alleged fraudulent financial reporting investigated by the SEC over a 13 year period. 

Research Team 

Authors 

Mark S. Beasley 

North Carolina State University 

Joseph V. Carcello 


Dana R. Hermanson 

Kennesaw State University 

Terry L. Neal 


Research Manager 

Lauren Reid 


Research Assistants 

Leah Muriel 

Jonathan Shipman 

Quinn Swanquist 


Funding for this research project was provided by the Center for Audit Quality. 

However, the views expressed in this paper and its contents are those of the authors 

alone and not those of the Center for Audit Quality.

Table of Contents 

1. Executive Summary ............................. 2 

2. Research Approach ............................ 5 

3. Results ...................................... 7 

4. Implications .................................. 21 

5. Summary .................................... 26 

6. Research Team ................................ 27 

APPENDIX ..................................... 28 

An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: 1998–2010

May 2013 

The Center for Audit Quality (CAQ) and the public company auditing profession share with academics, audit 

committees, investors, preparers and regulators the goal of robust and healthy capital markets supported by audited 

financial statements that promote investor confidence. Chief among the many threats to high quality financial reporting 

and audit quality is the risk of material financial fraud. 

In 2010 the Committee of Sponsoring Organizations of the Treadway Commission (COSO) published a report, 

Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies. This study examined U.S. Securities 

and Exchange Commission (SEC) enforcement actions, and analyzed the nature, extent and characteristics of fraudulent 

financial reporting, as well as the negative consequences for investors and management. The CAQ commissioned the 

2010 report authors, Mark Beasley, Joseph Carcello, Dana Hermanson and Terry Neal, to review the enforcement actions 

included in their 2010 study and provide a descriptive analysis of those investigations where the SEC sanctioned either the 

auditor or the audit firm. The authors expanded the study period to include enforcement actions through December 2010. 

Over this 13 year study period, from 1998–2010, there were 87 instances where the SEC leveled sanctions against the 

external auditor in connection with instances of alleged fraudulent financial reporting by publicly traded companies. 

Approximately 9,500 entities file financial statements with the SEC on an annual basis. Eleven of the 87 instances 

occurred in periods of 2003 or later, which represents years following the passage of the Sarbanes-Oxley Act (SOX) in 

July 2002. However, it should be noted that there is a time lag between when an infraction occurred and when the SEC 

releases an enforcement action, thus the number of instances is subject to change. 

SEC allegations of financial reporting fraud are rare events when considering the thousands of public companies filing 

audited financial statements each year with the SEC. However, the CAQ believes that taking a critical look at these 

situations can provide valuable lessons for the future. 

Indeed, the root cause drivers related to audit deficiencies involving fraudulent financial reporting cases citing the auditor 

that are highlighted in the study are areas where, in recent years, the profession and the CAQ have focused efforts for 

further improvements. The CAQ’s related initiatives and projects include the funding of academic research on professional 

skepticism and financial reporting fraud deterrence and detection; the 2010 publication Deterring and Detecting Financial 

Reporting Fraud — A Platform for Action; and the Anti-Fraud Collaboration — a major, ongoing combined effort launched 

in 2010 by the CAQ, Financial Executives International, The Institute of Internal Auditors and the National Association 

of Corporate Directors. Key resources recently published by the Anti-Fraud Collaboration to enhance fraud deterrence 

efforts include the Hollate Manufacturing Case Study, which examines a potential material fraud at a fictional company 

to raise awareness of environments in which financial reporting fraud might flourish; and the Skepticism Webinar Series, 

which highlights the importance of skepticism as applied by external auditors, financial executives, internal auditors and 

audit committee members. 

In summary, while there will never be a silver bullet solution to prevent fraud, we feel this research contributes to the 

knowledge base for financial reporting fraud deterrence efforts. The public company auditing profession, the CAQ and 

our member firms, together with other members of the financial reporting supply chain, will continue to advance efforts 

to mitigate the risk of fraud. 

Sincerely, 

Cynthia M. Fornelli

1. EXECUTIVE SUMMARY 

This study examines U.S. Securities and Exchange Commission (SEC) sanctions against auditors 

over the period 1998–2010 that are related to instances of alleged fraudulent financial reporting 

by U.S. publicly traded companies. During that time period, there were 87 separate instances 

where the SEC imposed such sanctions, and this report summarizes our analysis of alleged 

auditor deficiencies noted by the SEC in these 87 cases. 

In considering the results contained in this report, it is important to appreciate that SEC allegations of fraudulent 

financial reporting are rare, with 347 cases examined by the SEC from 1998–2007 out of thousands of U.S. public 

companies. 1 Despite the small number of fraud-related SEC enforcement actions, we believe that analysis of these 

87 cases involving auditor sanctions by the SEC provides important insights for auditors and others concerned with 

improving audit quality, especially in the context of detecting material financial statement misstatements due to fraud. 

Thus, we highlight key findings related to the audits underlying these 87 cases. 

The primary results of our analysis are as follows: 

• From 1998–2010, we identified 87 instances of SEC investigations of fraudulent financial reporting leading 

to sanctions against auditors. Based on companies with available information for these 87 SEC investigations, 

the associated registrant companies were primarily small (median revenues and assets under $40 million) and 

concentrated in four key industries (over 40 percent of the sample is in financial services / insurance, general 

manufacturing, telecommunications, or consumer goods manufacturing). 

• Based on available information for these 87 SEC investigations involving auditors, 58 percent of the audit 

reports issued for the last fraudulently reported financial statements included an unqualified opinion with no 

additional report modifications. The other 42 percent of the companies received unqualified audit opinions 

on the last fraudulently reported financial statements, but those reports included explanatory paragraphs that 

addressed other issues noted by the auditor, such as highlighting changes in accounting principle or going 

concern issues. 

• For purposes of our study, we categorized the Big Six/Big Four international firms and the next tier of global 

network or national firms as “national firms.” 2 Here is a summary of the 87 instances we examined: 

Total instances of SEC investigations examined in this study 87 

SEC sanctions involving audits performed by non-national firms 46 

SEC sanctions involving audits performed by national firms 35 

Bogus audits 3 where auditor did not perform procedures 6 

Of the 35 national firm cases, nine involved audits performed by Arthur Andersen. There were six instances 

where the auditor prepared the financial statements or did not perform any meaningful level of audit 

procedures. We refer to these six instances as “bogus audits.” 

1 For example, the 2006 Final Report of the Advisory Committee on Smaller Public Companies indicates that, as of 2005, there were 9,428 publicly traded companies on 

the NYSE, AMEX, NASDAQ, and OTC Bulletin Board. 

2 The reference to Big Six/Big Four reflects the fact that during the 13 year period examined there were six international firms (Arthur Andersen, Coopers & Lybrand, 

Deloitte & Touche, Ernst & Young, KPMG, and Price Waterhouse). In 1998, Coopers & Lybrand merged with Price Waterhouse to form PricewaterhouseCoopers, resulting 

in the Big Five. When Arthur Andersen went out of business in 2002, only four large firms remained. The next tier of four national firms includes Grant Thornton, LLP, BDO 

Seidman, LLP (now BDO), Crowe Chizek and Company LLC (now Crowe Horwath), and McGladrey & Pullen, LLP (now McGladrey). 

3 The term “bogus audits” refers to those cases where the auditor prepared the financial statements or did not perform any meaningful level of audit procedures. In those 

instances, there was no underlying audit performed, suggesting the audit was “bogus”. 

2 Beasley, Carcello, Hermanson, and Neal. 2013.

• In Accounting and Auditing Enforcement Releases (AAERs) involving sanctions against auditors, the SEC 

typically alleges that the auditor either (a) violated the anti-fraud statutes (e.g., by participating in the fraud) or 

(b) performed a negligent audit that allowed the fraud to occur (without the auditor actively participating in 

the fraud). Among the 81 cases examined (excluding the six bogus audits noted above), the SEC charged the 

auditor for violating the anti-fraud statutes in 24 cases. The remaining 57 cases were limited to allegations of 

deficient audits unrelated to anti-fraud statutes. 

• Among these 81 cases, the SEC issued sanctions against individual auditors in 80 cases and sanctions against 

the audit firm in 27 instances (26 cases involved sanctions against both individual auditors and the audit firm, 

with the SEC sanctioning only the audit firm in one case). 

• The top five areas cited by the SEC in these 81 cases involved the following: 

1. Failure to gather sufficient competent audit evidence (73 percent of the cases) 

2. Failure to exercise due professional care (67 percent) 

3. Insufficient level of professional skepticism (60 percent) 

4. Failure to obtain adequate evidence related to management representations (54 percent) 

5. Failure to express an appropriate audit opinion (47 percent) 

• Most of the 81 cases involved multiple alleged deficiencies. 4 For example, 58 of the cases cited more than one 

of the top three deficiencies, and 42 cases cited the top three deficiencies. 

• The most common deficiencies were quite similar for national firms and non-national firms. The top 

four issues are consistent across these two groups (with a slightly different ranking), and 11 of the top 14 

deficiencies appear in both the national firm and non-national firm lists. 

Based on findings contained in this report, we explore implications for the audit process centered around four key 

themes. To that end, we explore challenges associated with each of the four themes found in the analysis: 

1. Failure to Exercise Due Professional Care: Some of the deficiencies cited suggest a failure on the part of the 

auditor to discharge responsibilities with competence and diligence to the best of the auditor’s ability, including 

the performance of procedures generally expected to be performed in an audit. This suggests that there may be 

opportunities for additional training and education on the fundamentals of the audit process. Also, there may 

be opportunities for additional analysis to better understand root causes that led to failures in the execution of 

those fundamentals in a particular audit engagement, so as to strengthen the competence and diligence of the 

performance of the audit. 

2. Insufficient Levels of Professional Skepticism: Similarly, some of the cases examined highlight challenges in 

maintaining appropriate levels of professional skepticism that affect the auditor’s mindset. Interestingly, the concept 

of professional skepticism has been embedded in auditing standards for decades; however, in some cases auditors 

may have struggled in maintaining an appropriate mindset throughout the various stages of the audit process. This 

challenge has implications for training and helps to motivate analyses such as the present study to understand root 

causes of failures in applying professional skepticism consistently. Additional research is needed to determine if 

these challenges may be exacerbated by differences in cultural norms that will be increasingly realized as the audit 

process continues to be affected by globalization or as new generations of audit professionals emerge who may apply 

professional skepticism differently than today’s audit professionals. 

3. Inadequate Identification and Assessment of Risks: The findings noted in this report also have implications 

regarding the risk assessment process, given that all cases examined in the study involved undetected instances of 

fraudulent financial reporting. While auditing standards have been risk-based for a number of years, more recent 

developments in the risk management arena, 5 including the emerging discipline of enterprise risk management, 

4 Throughout this report, for ease of exposition, we often use the term “deficiencies” to mean “alleged deficiencies”. 

5 In August 2010, the PCAOB issued a suite of eight auditing standards widely referred to as the “risk assessment standards” that became effective for audits of fiscal 

years beginning on or after December 15, 2010. 

An Analysis of Alleged Auditor Deficiencies in SEC Fraud Investigations: 1998–2010 3

are revealing a number of complexities associated with any risk identification and risk assessment task. Any 

improvement in risk assessment skills that can be identified will help enhance audit quality and improve the 

recognition of fraud risk. The audit profession, including undergraduate and graduate accounting programs, may 

want to leverage insights that are emerging in other risk management disciplines to better train and educate audit 

professionals in risk identification and risk assessment tasks. 

4. Failure to Respond to Identified Risks with Appropriate Audit Responses to Gather Sufficient Competent 

Audit Evidence: In some cases, the auditor failed to adjust audit procedures to gather sufficient competent 

evidence in light of risks identified and documented by the audit team. While this type of deficiency may be the 

result of the first three concerns noted above, it may also be triggered by failure to adequately link audit procedures 

to underlying risks. Because prior research has shown that this type of linkage can be a difficult task, perhaps greater 

emphasis on quality control review of these linkages may be beneficial, or new tools and techniques may be needed 

to facilitate this difficult linkage task. Training and education on the use of those tools may be warranted as well. 

The next section discusses the research approach, and Section 3 presents the results of our analysis. Section 4 develops 

the implications of the analysis, and Section 5 profiles the research team. The Appendix presents the detailed findings 

underlying the tables presented in the monograph. 


2. RESEARCH APPROACH 

The fraudulent financial reporting cases addressed in this study come from two sources. First, 

as part of our work on Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public 

Companies (issued by the Committee of Sponsoring Organizations of the Treadway Commission, 

2010, the “COSO study” by Beasley, Carcello, Hermanson, and Neal), 6 we identified 78 cases 

where SEC allegations of fraudulent financial reporting also involved sanctions against auditors. 

These 78 cases comprise 23 percent of the relevant fraud cases examined in the COSO study. 

For the present study, we eliminated three observations where the company had public debt, 

but not public equity, leaving 75 observations from the COSO study for analysis in the present 

study. Second, we analyzed SEC Accounting and Auditing Enforcement Releases (AAERs) from 

2008-2010, finding another 12 instances in which SEC allegations of fraudulent financial reporting 

also involved sanctions against auditors. Together, these 87 cases of alleged fraudulent financial 

reporting are the subject of the present study. 

In identifying the cases of alleged fraudulent financial reporting, we relied on the language and allegations in the 

AAERs and only included cases alleged by the SEC to involve violations of the SEC’s anti-fraud statutes (Rule 

10(b)-5 of the 1934 Securities Exchange Act or Section 17(a) of the 1933 Securities Act). We did not make any 

judgments about the SEC’s allegations of fraud; we simply relied on the SEC’s judgments about the presence of 

fraudulent financial reporting as documented in the AAERs. We then examined the subset of those cases where 

the SEC sanctioned the auditor in connection with the SEC’s investigation of the underlying fraudulent financial 

reporting. The 87 cases examined in this study represent those where the SEC alleged auditor deficiencies associated 

with the audits of the financial statements involving SEC allegations against the registrant company for fraudulent 

financial reporting. Thus, all 87 cases examined involve instances where the registrant company was accused of issuing 

fraudulent financial statements. 

For our study, we collected and synthesized data from the 87 cases, focusing specifically on allegations of audit 

deficiencies made by the SEC in its AAERs. We developed a detailed template to guide the collection and analysis of 

the AAER data on audit deficiencies, and we synthesized the information from the 87 cases that are the subject of this 

study. 7 

In addition, the research team gathered available data on fundamental company characteristics (financial information 

and industry) for the 87 companies. The team used the COMPUSTAT and CRSP databases, as well as company 

Form 10-Ks on the SEC’s EDGAR database, to attempt to find such information. Consistent with previous research 

studies involving examinations of instances of fraudulent financial reporting, various data points were missing for some 

companies in our sample, which may be due to the fact that a number of them represent extremely small companies 

that are not tracked by certain external databases or due to the time period involved. It is important to keep in 

mind that the sample companies allegedly engaged in fraudulent financial reporting and may not have filed certain 

documents with the SEC. As a result, we were only able to report a company’s characteristics when we could locate the 

underlying data for the company. For each table included in this report, we indicate the number of companies where 

we could locate the relevant data. 

SEC AAERs are commonly used in academic and professional research as a rich source of information about 

fraudulent financial reporting, as well as auditor deficiencies related to those cases. The use of AAERs is partly due 

6 Download the full COSO Study at www.coso.org. 

7 This template builds on and adapts a previous template used in the preparation of Fraud-Related SEC Enforcement Actions Against Auditors: 1987–1997 (AICPA, 2000, 

Beasley, Carcello, and Hermanson). 


to the lack of other publicly available fraud-related measures of accounting and auditing quality. However, there are 

three important limitations to highlight. First, analyses of AAERs typically involve significant professional judgment. 

We conferred within our team about numerous such judgments during the course of the project and attempted to 

be consistent in the judgments made. Second, the data rely on the outcome of the SEC’s enforcement process that is 

documented by the SEC staff in the AAERs. The extent of detail provided in the AAERs can vary significantly across 

SEC investigations. Thus, to the extent there are imperfections or biases in the SEC’s enforcement process, including 

how they document their findings in the AAERs, those imperfections or biases may affect the results of the study. For 

example, it is possible that the nature of negotiations between the SEC and named parties may influence the amount 

and type of information ultimately included in the AAERs, thus reducing uniformity in reporting across AAERs. 

Finally, the AAERs present allegations of auditor deficiencies, with the audit professional and/or audit firm typically 

neither admitting nor denying the allegations. As a result, our goal is to present what was summarized by the SEC in 

the AAERs to provide insights for readers to make their own conclusions about the relative performance of auditors in 

those cases examined by the SEC. 


3. RESULTS 

COMPANY CHARACTERISTICS 

Financial Characteristics of Sample Companies 

From 1998–2010, we identified 87 instances of SEC investigations of fraudulent financial reporting leading to 

sanctions against auditors. We attempted to gather financial data for the 87 sample companies, using the “last clean” 

financial statements, which we define as the last annual financial statements issued before the beginning of the fraud 

period. 

We located relevant financial statement information for 67 of our 87 companies. Table 1 presents the financial 

profile of those 67 companies, and provides the reader some perspective on the size of public companies underlying 

the analysis in this study of alleged auditor deficiencies. Given the variability in size of the companies, it is most 

meaningful to focus on median values reported in Table 1. These companies are relatively small, with median assets 

and revenues under $40 million. In addition, many of the companies are near break-even, with median net income 

of only $351,000. The large differences between the means and medians indicate the presence of a few very large 

companies in the sample. 

Table 1 – Financial Characteristics of Companies from “Last Clean” Financial Statements 

(n = 67 companies) 

Total Assets Total Revenues Net Income (Loss) 

Stockholders’ 

Equity (Deficit) 

Mean $4,598,154 $2,505,462 $139,765 $1,352,163 

Median $37,906 $28,900 $351 $14,135 

Minimum Value $0 $0 ($852,241) ($1,253,881) 

1st Quartile $6,275 $1,030 ($673) $108 

3rd Quartile $911,083 $472,778 $17,282 $278,635 

Maximum Value $98,903,000 $39,090,000 $4,089,000 $55,409,000 


Table 2 presents industry information for 69 of the 87 sample companies where we could locate reliable industry 

information, and provides the reader an overview of the types of industries included in the analysis. A broad range of 

industries is represented, with financial services and general manufacturing having slightly more instances than other 

industry sectors. 

Table 2 – Industry of Sample Companies 


Industry Number Percentage 

Financial service providers and insurance 8 11.6% 

General manufacturing (excludes consumer goods or technology) 8 11.6% 

Telecommunications 7 10.2% 

Consumer goods manufacturing 6 8.7% 

Retail trade 5 7.2% 

Wholesale trade 5 7.2% 

Mining / Oil and gas 4 5.8% 

Computer software services 4 5.8% 

Healthcare products and services 4 5.8% 

Other service providers 4 5.8% 

Technology manufacturing 4 5.8% 

Transportation / Sanitary services 2 2.9% 

Miscellaneous / Conglomerate / Shell companies 8 11.6% 

Total 69 100.0% 

Audit Reports 

As part of the data collection effort, we gathered the audit reports issued on the last set of fraudulent financial 

statements; we were able to locate the reports for 74 companies. As shown in Table 3, the majority of the audit reports 

(58 percent) were standard unqualified audit reports. Forty-two percent of the audit reports included unqualified 

opinions, but the reports were modified from the standard report format primarily to highlight changes in accounting 

principle or going concern issues. 


Table 3 – Audit Reports on Last Fraudulent Financial Statements 


Type of Audit Report Number Percentage 

Standard unqualified opinions 43 58% 

Modified reports 

Change in accounting principle 10 14% 

Going concern 9 12% 

Note addressing unaudited schedules, statements, or paragraphs 4 5% 

Other explanatory paragraphs including issues surrounding investment 

valuation and variation in international accounting standards from U.S. GAAP 

3 4% 

Note addressing restatements 2 3% 

No specific information available 3 4% 

Total modified reports 31 42% 

Number of audit reports available for review 74 100% 

Company Characteristics and Audit Reports – Comparison to 2010 COSO Study 

To provide a frame of reference, we compared the companies in the present study (87 companies where the auditor 

was sanctioned in connection with a case of alleged fraudulent financial reporting) to the 347 fraud companies 

examined in Fraudulent Financial Reporting: 1998–2007, An Analysis of U.S. Public Companies (COSO, 2010). The 

COSO study examined all cases of fraudulent financial reporting alleged by the SEC from 1998–2007, whether 

or not the auditor was sanctioned. The primary difference between the two studies relates to company size. In the 

COSO study, the companies had median assets and revenues of $93 million and $72 million, respectively, versus 

$38 million and $29 million, respectively, in the present study. Therefore, the SEC registrants involved in the present 

study (where the auditor was sanctioned) are much smaller. Although the industry groupings are somewhat different 

in the two studies, it appears that the present study’s sample is somewhat more concentrated in retail / wholesale and 

financial services / insurance and somewhat less concentrated in computer hardware / software and healthcare than the 

COSO study sample. Finally, audit opinions issued on the last fraudulent financial statements were more likely to be 

unqualified without any other report modifications in the present study (58 percent) compared to the COSO study 

(43 percent). 


ALLEGED AUDIT DEFICIENCIES 

Alleged Auditor Involvement in the Frauds 

Table 4 provides an overview of the 87 cases based on the type of auditor deficiency and type of audit firm. Six of the 

87 cases involve “bogus audits” where the auditor prepared the financial statements or did not perform any meaningful 

level of audit procedures. The other 81 cases related to actual, but allegedly deficient, audits. Of these 81 cases, 35 

involved national firm auditors and 46 involved non-national firm auditors. 

Table 4 – Alleged Auditor Involvement by Auditor Type 


Type of Case 

10 Beasley, Carcello, Hermanson, and Neal. 2013. 

Number of Cases Naming 

National Firm Auditors 

Number of Cases Naming 

Non-National Firm Auditors 

Bogus audit 0 6** 6 

Actual audit, but audit was deficient 35* 46*** 81 

Total 35 52 87 

* Nine of the 35 cases were audits performed by Arthur Andersen, which ceased performing public company audits in 2002. Also, the 35 cases 

include one instance in which a national firm and a non-national firm performed a joint audit. This case was coded as a national firm case 

(only the national firm paid a fine to the SEC). 

** In one instance, there were two non-national audit firms named because the fraudulent financial statements included multiple years that 

were “audited” by two different firms. 

*** In four instances, there was more than one non-national firm named, generally because the fraud spanned multiple years that were audited 

by different auditors due to auditor changes during the fraud period. 

Total

Bogus Audits 

Table 5 summarizes the six cases involving “bogus audits,” where no underlying audit procedures were performed. 

Most of these cases resulted in fraud charges against the auditor (four cases), forced repayment of gains 8 generally 

obtained through audit fees charged and payment of interest (four cases each), and bars from practice before the SEC 

(four cases). Two cases involved civil fines (totaling $255,000), and in one case the auditor was criminally prosecuted, 

resulting in an 18-month prison sentence. 

Table 5 – Bogus Audits 


Item Result 

Fraud charges against the auditor In 4 cases (violation of antifraud statutes (Rule 10(b)-5) by auditor) 

Auditor disgorged gains generally related to audit fees received In 4 cases (total of $96,500) 

Auditor prejudgment interest In 4 cases (total of nearly $35,000) 

Barred from SEC practice In 4 cases (one permanent bar, one for 4 years, two for 3 years) 

Auditor paid civil penalty In 2 cases (total of $255,000) 

Criminal prosecution 

Alleged Audit Deficiencies in Actual Audits 

In 1 case (18-month imprisonment with 2 years of supervised 

release thereafter) 

The other 81 cases represent instances in which an actual audit was performed, but the SEC alleged that the audit was 

deficient. The following tables present the results of analyzing these 81 cases: 

• Table 6 – Overview of Actual Audits and Sanctions (n = 81) 

• Table 7 – Primary Deficiencies in Actual Audits (n = 81) 

• Table 8 – Primary Deficiencies in National Firm Actual Audits (n = 35) 

• Table 9 – Primary Deficiencies in Non-National Firm Actual Audits (n = 46) 

• Table 10 – Other Auditor Deficiencies Cited by the SEC (n = 25) 

• Appendix – Detailed Listing of Alleged Audit Deficiencies by Audit Area (n = 81) 

8 The SEC uses the term “disgorgement” of gains. 


Table 6 presents an overview of the 81 actual audit cases. Twenty-four of the cases involved the SEC charging the 

auditor for violating the SEC’s antifraud (Rule 10(b)-5) provisions. Of these 24 cases, 9 were against national firms 

(six of the 9 were against Arthur Andersen), and 15 were against non-national firms. The other 57 cases involved 

allegations of negligent audits — 26 against national firms (three of the 26 were against Arthur Andersen) and 31 

against non-national firms. 9 

Table 6 – Overview of Actual Audits and Sanctions 


Item Result 

Type of violation 

Firm vs. individual sanctions 

Auditor barred from SEC practice 

Civil penalties 

Disgorgement of gains 


24 antifraud violations (Rule 10(b)-5): 

9 against national firms (6 of these were against Arthur Andersen) 

15 against non-national firms 

57 citations for negligent audits: 

26 against national firms (3 of these were against Arthur Andersen) 

31 against non-national firms 

In 54 cases only individual auditors were sanctioned 

In 26 cases both individual auditors and the audit firm were sanctioned 

In 1 case only the audit firm was sanctioned 

Criminal prosecution In 1 case (for falsification of records) 

Audit firm change in two years before fraud or 

during the fraud period 

Company was new or audit in question was 

initial audit 

Former auditor worked as the company’s CEO 

and CFO 

In 73 cases (19 permanent bars; other bars averaged approximately 3 years, with a range of 

6 months to 10 years) 

In 16 cases (total fines over $92 million, average of $5.8 million, median of $687,500, with a 

range of $20,000 to $50 million) 

In 10 cases (total disgorged gains over $10.6 million, average of $1.1 million, median of 

$43,598, with a range of $3,000 to $9.8 million) 

An audit firm change had taken place in 15 of 56 cases (27%) containing enough information 

to evaluate 

In 13 cases (16%) 

In 1 case (a number of the company’s managers were former audit partners, including the CEO 

and CFO) 

In the majority of cases (54 cases), only individual auditors were sanctioned, while both individuals and firms were 

sanctioned in 26 cases. Just one case involved only sanctions against an audit firm. 

In terms of penalties, the most typical consequence was barring auditors from SEC practice (73 cases). Nineteen cases 

involved permanent bars, while the other cases, on average, involved bars of approximately three years. Civil penalties 

(16 cases, total fines of over $92 million) and disgorgement of gains (10 cases, total disgorgement of over $10.6 

million) were much less common. One case led to criminal prosecution of the auditor for falsifying records. 

Finally, we gathered information on certain characteristics of the audit engagements. Of the cases with available 

information, there had been an audit firm change during the period from two years before the fraud began to the end 

of the fraud period in 27 percent of the cases. Also, in 13 cases (16 percent) the company was recently formed or the 

engagement in question was the first time the financial statements had been audited. We found only one case where the 

related AAERs indicated explicitly that former audit firm personnel were employed as the company’s CEO and CFO. 

Table 7 presents the 16 primary audit deficiencies explicitly cited by the SEC in the 81 actual audit cases. 10 We have 

captured as much information as we can from the disclosures provided by the SEC about the auditor deficiencies. In 

9 Our reference to, for example, “national firms” means that the SEC sanctioned a national firm or individual auditors in a national firm. See details in the right-hand 

column of Table 6 for information on firm-level versus individual-level sanctions. 

10 We judgmentally decided to present the top 16 deficiencies to highlight those with the greatest frequency (deficiencies cited in more than 10 of the 81 cases).

some cases, the SEC’s descriptions of the deficiencies are fairly broad and involve a number of audit processes. In other 

cases, the SEC’s description of the deficiencies is more specific. To the extent possible, we have attempted to glean as 

much as we can about deficiencies in the audit from the SEC’s disclosures in the related enforcement actions. Note, 

however, that we are limited to the extent the SEC described the audit deficiency in the AAERs. 

The three most common deficiencies described by the SEC in the related AAERs were: (a) failure to gather sufficient 

competent audit evidence (73 percent of the cases), (b) failure to exercise due professional care (67 percent), and (c) 

insufficient level of professional skepticism (60 percent). Each of these items reflects a deficiency related to the General 

Standards within the framework of the 10 Generally Accepted Auditing Standards (GAAS), which establish the basis 

for the audit process that is built on audit evidence, collected and evaluated with due care and professional skepticism. 

Many of the 81 cases cited multiple deficiencies. For example, 66 cases cited more than one of the top 10 deficiencies, 

60 cases cited more than two of the top 10, and 56 cases cited more than three of the top 10. Similarly, 58 of the cases 

cited more than one of the top three deficiencies, and 42 cases cited the top three deficiencies. 

Table 7 – Primary Deficiencies in Actual Audits 


Problem Area 

Percentage 

(Number) of Cases 

1. Failure to gather sufficient competent audit evidence 73% (59 cases) 

2. Failure to exercise due professional care 67% (54) 

3. Insufficient level of professional skepticism 60% (49) 

4. Failure to obtain adequate evidence related to management representations 54% (44) 

5. Failure to express an appropriate audit opinion 47% (38) 

6. Incorrect/inconsistent interpretation or application of requirements of GAAP 37% (30) 

7. Inadequate consideration of fraud risks 33% (27) 

8. Inadequate planning and supervision 31% (25) 

9. Failure to adequately address audit risk and materiality 21% (17) 

10. Inadequate preparation and maintenance of audit documentation 20% (16) 

11. Failure to adequately communicate with the audit committee 17% (14) 

12. Failure to recognize / ensure disclosure of key related parties 15% (12) 

12. Failure to adequately perform audit procedures in response to assessed risks 15% (12) 

12. Inappropriate confirmation procedures 15% (12) 

12. Failure to evaluate adequacy of disclosure 15% (12) 

16. Internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of 

internal control, and failure to obtain an understanding of the entity and its environment 

14% (11)* 

* The number of individual internal-control related audit deficiencies sums to 12 in the Appendix; however, one firm was cited for two of these deficiencies. Thus, in 

this Table, we report the total number of cases in which internal control-related issues were noted. 

Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, four problem areas tied for the 12th rank in the 

rank-ordered list of the top 16 deficiencies shown above. 


The first three deficiencies in Table 7 address concerns related to the three General Standards within the framework 

of 10 GAAS standards. The SEC often cited these three deficiencies to note an overarching observation about the 

auditor’s lack of professionalism and due care, without reference to violations of specific Statements on Auditing 

Standards (SASs) or related PCAOB Auditing Standards. Said differently, any lack of compliance with a specific SAS 

or PCAOB Auditing Standard would by default also trigger a violation of the General Standards within the GAAS 

framework. Thus, it is not surprising that these three deficiencies are cited most in the 81 cases examined. 

To provide some insight about the concerns noted related to these three overarching deficiencies, we have provided 

some examples of the underlying audit deficiencies noted by the SEC in the AAERs. Detailed review of the underlying 

deficiencies suggests that there appeared to be an overriding concern that the auditor’s lack of exercising due 

professional care and failure to maintain an overall level of appropriate professional skepticism resulted in the auditor 

failing to obtain sufficient competent evidence to support amounts in the financial statements. Thus, it is helpful to 

consider these three deficiencies in combination. 

Examples of Failure to Gather Sufficient Competent Audit Evidence: 11 

• Despite the fact that the audit firm had previously communicated to management and the audit committee 

concerns about management’s comprehensive analysis of its inventory balances and despite noting material 

year-end book to physical differences in inventory, the audit firm over-relied on management’s inventory 

reports when analyzing slow moving or obsolete inventory without testing the reliability of the reports. 

• The audit firm failed to support underlying estimates that were used to establish financial statement balances 

and failed to obtain additional evidence about estimates used when concerns were noted about potential bias 

in those estimates. 

• The audit firm failed to substantiate prices used in a software valuation calculation. 

• The audit firm failed to perform additional procedures when confirmations returned contained ambiguous 

information. In the same audit, the audit firm also failed to obtain supporting evidence to substantiate an 

inventory obsolescence reserve and failed to substantiate management’s calculation of revenue. Instead, the 

audit firm relied on management representations. 

Examples of a Failure to Exercise Due Professional Care: 

• Despite documenting that client accounting practices were “highly aggressive” and “unusual”, the audit firm 

failed to adjust its audit procedures in light of these noted risk concerns. 

• The audit firm failed to plan and properly supervise the audit, and the firm failed to consider the underlying 

audit risk. 

• While the firm requested the client to present documentation to support a material amount in the financial 

statements, the audit firm failed to conduct further audit procedures when management claimed the 

documentation was unavailable. 

• The audit firm failed to act with due professional care when multiple pieces of documentation suggested the 

client’s accounting records were held open beyond the fiscal year end, and the audit firm ignored the client’s 

failure to record depreciation expense. 

Examples of a Failure to Maintain a Sufficient Level of Professional Skepticism: 

• The auditor failed to assess documents he suspected might have been fabricated by the client and did not 

question the authenticity of those documents. 

• Despite being confronted with a number of factors that should have heightened the auditor’s professional 

skepticism in regards to a number of risks of material misstatement, the auditor’s procedures did not appear to 

be modified in light of these risk concerns. 

11 The language used to describe these examples is adapted from the relevant AAERs, but does not necessarily represent an exact quotation of language in the AAER. 


• The auditor failed to respond to information that suggested account valuations were overstated, and the 

auditor failed to verify certain representations made by management. 

• The audit firm failed to respond to numerous red flags and inconsistencies and ignored a number of specific 

audit program steps. 

The remaining items in Table 7 typically reflect more specific audit issues. The fourth most common deficiency was 

the failure to obtain adequate evidence related to management representations (54 percent). In such cases, the SEC 

alleged that the auditor placed too much reliance on management’s explanations or representations without adequate 

corroborating evidence. Some examples of audit failures noted by the SEC when they alleged this deficiency include 

the following: 

• Management made certain representations about discrepancies between inventory book and physical balances, 

but the auditor failed to request evidence supporting the reconciliation. 

• The auditor relied on management representations about certain key estimates and relied on oral 

representations about accruals on unbilled receivable balances. 

• Assumptions asserted by management to support top-side accounting entries were not tested by the auditor. 

The fifth most common issue was the failure to express an appropriate audit opinion (47 percent). As indicated in 

the Appendix, the majority of these cases involved the auditor issuing an unqualified opinion when the financial 

statements did not conform with GAAP and the auditor did not adhere to GAAS. This particular deficiency was often 

cited by the SEC as an overarching deficiency triggered by other underlying deficiencies in the audit. Examples of 

audit failures when the SEC alleged this deficiency in the AAER include situations where: 

• The auditor issued an unqualified opinion even though the firm had knowledge that the accounting for a 

material acquisition was not complete. 

• The auditor failed to modify the audit report even though there were material scope restrictions whereby the 

auditor failed to corroborate written representations by management and the auditor knew that a material 

portion of the receivables did not have any supporting documentation. 

The sixth issue, incorrect/inconsistent interpretation or application of the requirements of GAAP (37 percent), reflects 

technical accounting issues. As shown in the Appendix, 10 of the 30 cases involved revenues, which is consistent 

with the predominance of revenue overstatements in the population of fraud cases (Fraudulent Financial Reporting: 

1998-2007, An Analysis of U.S. Public Companies). Reserves, including warranty reserves, were involved in four cases. 

Several remaining cases involved areas including (two cases each): debt; restructuring charges / nonrecurring expenses; 

capitalized expenses; deferred taxes; timber / real estate; and acquisitions. 

The SEC cited inadequate consideration of fraud risks in 33 percent of the cases (the seventh most frequent issue). In 

terms of fraud risks, auditors may have ignored or not appropriately responded to perceived red flags or other client 

risks. Examples of situations where the SEC cited this deficiency include the following: 

• The only action the auditor took to assess the risk of fraud was to ask the CFO and other accounting staff at 

the issuer whether they had any knowledge of fraud. 

• The auditor failed to appropriately respond to notable fraud risks, including failure to adjust audit procedures 

when the auditor learned that a significant sale occurred in the last days of the fiscal year. 

• Procedures to assess the risk of material misstatement due to fraud were documented in the working papers 

three months after the issuance of the audit report. 


The SEC cited inadequate planning and supervision in 31 percent of the cases (the eighth most frequent issue). Four 

of the deficiencies related to planning and supervision involved a fundamental failure to write an audit program. Other 

examples of deficiencies related to this issue include the following: 

• The audit partner failed to supervise the person performing the audit, and that person was not an accountant 

and had no audit experience. 

• There was minimal partner involvement, and the audit manager who was on the west coast of the U.S. 

supervised by telephone the audit staff who were on the east coast of the U.S. A different manager was asked to 

review the audit work when that manager had never worked on the engagement and had no knowledge of the 

client’s operations or audit issues. 

• Certain workpapers prepared by senior staff, including planning areas and high risk accounts, were not 

reviewed. 

The ninth most common deficiency was the failure to adequately address audit risk and materiality. Typical deficiencies 

included: 

• The audit firm failed to implement appropriate follow-up procedures to ensure that planned audit responses 

were performed to address certain audit risk areas and that concurring and special review partners functioned 

effectively for the high risk client. 

• The auditor did not understand the client’s internal controls, did not competently identify audit risks, and 

followed a generic audit program obtained off the Internet. 

The tenth most cited deficiency related to inadequate preparation and maintenance of audit documentation. Here are 

some examples of what transpired: 

• Nearly one year after completing the audit and subsequent to the filing of a legal suit against the audit firm, 

firm personnel added additional workpapers to their audit documentation to mask deficiencies. 

• Audit documentation failed to identify what audit procedures were performed and what conclusions were 

reached, and the documentation failed to show that accounting records reconciled with the financial statements. 

As shown in the Appendix, seven of the 16 cases related to audit documentation involved intentional alteration and/or 

destruction of workpapers. 

The remaining issues in Table 7 each were cited in 17 percent or fewer of the 81 cases. These issues involved 

communication with the audit committee, related party transactions, responses to assessed risks, confirmations, 

evaluation of disclosures, and internal control-related issues. 

While the time period examined in our study ranges from 1998–2010, we found that only 11 of the cases involve 

fraudulent financial reporting in periods 2003 or later, which represents years following the passage of the Sarbanes- 

Oxley Act (SOX) in July 2002. Among the 11 cases, one audit was performed by a national firm, and 10 were 

performed by non-national firms. The median size of the issuer companies ($5.4 million in assets and $10.7 million in 

revenues) was smaller than the full sample as reported in Table 1. Only one of the 11 cases was an accelerated filer that 

required an audit of internal control over financial reporting. In that case, the auditor’s opinion on internal control 

over financial reporting was unqualified. While the post-SOX sample is quite small, we did analyze the deficiencies for 

the 11 cases. The results are very similar to those reported in Table 7. Eleven of the top 13 deficiencies associated with 

the post-SOX sample also appear in Table 7. We caution the reader to interpret these findings carefully, given the small 

sample and significant time lag in SEC enforcement. 

Tables 8 and 9 present the 14 primary deficiencies 12 in the 35 cases involving actual audits by a national audit firm 

(Table 8) and 46 cases involving actual audits by a non-national firm (Table 9). Although national and non-national 

12 We judgmentally decided to present the top 14 deficiencies in Tables 8 and 9 to highlight those with the greatest frequency (present in 15 percent or more of the 

national or non-national cases). 


firms may have very different client bases and oversight challenges, the results across the two groups of firms are very 

similar in many respects. The top four issues are consistent across the two groups (with a slightly different ranking), 

and 11 deficiencies appear in both the national firm and non-national firm lists. 

Three deficiencies appear only in the national firm list (Table 8): (a) failure to adequately perform audit procedures in 

response to assessed risks; (b) failure to evaluate adequacy of disclosure; and (c) internal control-related issues including 

over-reliance on internal controls, failure to obtain an understanding of internal control, and failure to obtain an 

understanding of the entity and its environment. 

Three deficiencies appear only in the non-national firm list (Table 9): (a) failure to recognize / ensure disclosure of 

key related parties, (b) over-reliance on / failure to obtain work of specialists, and (c) inappropriate confirmation 

procedures. With respect to specialists, eight of the nine total deficiencies in this category related to non-national audit 

firms. This may reflect the greater likelihood that national firms have the resources to involve specialists in a greater 

number of particularly technical areas. 

Table 8 – Primary Deficiencies in National Firm Actual Audits 


Problem Area 

Percentage 


1. Failure to exercise due professional care 69% (24 cases) 

2. Failure to gather sufficient competent audit evidence 66% (23) 







8. Failure to adequately perform audit procedures in response to assessed risks* 23% (8) 


8. Failure to evaluate adequacy of disclosure* 23% (8) 



14. Internal control-related issues including over-reliance on internal controls, failure to obtain an understanding of 

internal control, and failure to obtain an understanding of the entity and its environment* 

* Problem area does not appear in the Table 9 list for non-national firms. 

17% (6) 

Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, four problem areas tied for the 8th rank, and two 

tied for the 12th rank in the rank-ordered list of the top 14 deficiencies shown above. 


Table 9 – Primary Deficiencies in Non-National Firm Actual Audits 


Problem Area 


Percentage 


1. Failure to gather sufficient competent audit evidence 78% (36 cases) 

2. Failure to exercise due professional care 65% (30) 








10. Failure to recognize / ensure disclosure of key related parties* 20% (9) 

11. Over-reliance on / failure to obtain work of specialists* 17% (8) 


13. Inappropriate confirmation procedures* 15% (7) 


* Problem area does not appear in the Table 8 list for national firms. 

Note: When two or more problem areas have the same rate of occurrence, we report those as a tie. For example, two problem areas tied for the 11th rank, and two 

problem areas tied for the 13th rank in the rank-ordered list of the top 14 deficiencies shown above.

Table 10 presents a list of other deficiencies cited by the SEC in 25 of the 87 total cases. The most common were 

inadequate reviews of the interim (quarterly) financial statements (16 cases) and inadequate review of documents 

containing audited financial statements (four cases). The other items in Table 10 cover a range of issues, including 

alleged perjury and insider trading. Those additional items were noted in one case each. 

Table 10 – Other Auditor Deficiencies Cited by the SEC 


Inadequate reviews of quarterly financial statement information (16 cases)* 

Inadequate review of documents containing audited financial statements (4 cases) 

Auditor committed perjury by failing to reveal to an SEC officer that his criminal history included 

several arrests and convictions 

Auditor failed to adhere to its quality control policies 

Auditor engaged in illegal insider trading and shared proprietary acquisition plans 

Auditor caused the client to overstate its assets in offering documents 

Auditor failed to discuss percentage-of-completion estimates with project managers 

Auditor allowed the client to conceal the managerial role of a convicted felon 

* Because this deficiency relates to interim review procedures rather than audit procedures in the audit of annual 

financial statements, we excluded it from the list of the top 16 audit deficiencies reported in Table 7. 

We have also presented all the deficiencies noted by the SEC in the Appendix, categorized using the GAAS Framework 

of General, Fieldwork, and Reporting Standards. 

Comparison of Results to Beasley et al. (2000) 

In 2000, three of the authors conducted a similar analysis of a sample of SEC allegations against auditors associated 

with fraudulent financial reporting cases from 1987–1997, Fraud-Related SEC Enforcement Actions Against Auditors: 

1987–1997 (AICPA, 2000, Beasley, Carcello, and Hermanson). The previous study examined 45 actual, but allegedly 

deficient, audits. The most frequently cited of the alleged audit deficiencies in the 1987–1997 report were (p. 2): 

• Failure to gather adequate audit evidence [80% of the 45 actual audits] 

• Lack of due professional care [71%] 

• Lack of appropriate professional skepticism [60%] 

• Misinterpretation or misapplication of GAAP [49%] 

• Inadequate audit planning [44%] 

• Over-reliance on inquiry as a form of evidence [40%] 

• Failure to obtain adequate evidence in support of management estimates [36%] 

• Inadequate confirmation of accounts receivable [29%] 

• Failure to recognize or disclose key related parties [27%] 

• Over-reliance on internal controls [24%] 


• Lack of independence (generally due to the auditor performing accounting or management functions for the 

client) [22%] 

• Inadequate supervision and review [22%] 

• Inadequate or inconsistent working papers [22%] 

The top three deficiencies, related to inadequate audit evidence, lack of due professional care, and lack of appropriate 

skepticism, are identical across the two studies. These issues relate to fundamental audit deficiencies that are at the 

heart of effective fraud risk assessment and fraud detection. Many of the other most common deficiencies are cited 

in both studies. One notable shift is the increased incidence of failure to adequately communicate with the audit 

committee — 14 cases in the present study versus only two in the 1987–1997 analysis. 


4. IMPLICATIONS 

The analysis of deficiencies noted by the SEC provides insights that can help contribute to 

continued improvements in the audit process. The types of deficiencies in Tables 7–10 appear to 

center collectively around four overarching themes of root-cause drivers: 

1. Failure to Exercise Due Professional Care 

2. Insufficient Levels of Professional Skepticism 

3. Inadequate Identification and Assessment of Risks 

4. Failure to Respond to Identified Risks with Appropriate Audit Responses to 

Gather Sufficient Competent Evidence 

In considering the results contained in this report, it is important to appreciate that SEC allegations of fraudulent 

financial reporting are rare, with 347 cases examined by the SEC from 1998–2007 out of thousands of U.S. public 

companies. Despite the small number of fraud-related SEC enforcement actions, we believe implications from the 

analysis of these 87 cases provide important insights for auditors and others concerned with improving audit quality, 

especially in the context of detecting material financial statement misstatements due to fraud. 

This section briefly explores implications suggested by these overarching themes that are core to the audit process. 

Failure to Exercise Due Professional Care 

In some of the cases reviewed, the SEC’s alleged audit deficiency involved auditors who failed to perform procedures 

generally accepted as appropriate and expected in most audits. In many of those instances, the deficiency did not 

appear to involve overly complex audit decisions as to what GAAS might require in the circumstances. Rather, the 

deficiency was sometimes linked to a failure to perform procedures generally understood to be core to any audit. In 

essence, the auditor failed to do what a prudent auditor should know is expected in an audit. For example, auditors 

were cited for audit deficiencies because they failed to obtain evidence about estimates used to value an account, 

failed to obtain documentation supporting reconciliations, did not supervise the engagement team or did so remotely, 

accepted documentation that they knew was unreliable, failed to confirm receivables, etc. 

Failures such as these may be due to a lack of understanding of the underlying requirements contained in GAAS, 

which can be addressed through education, training, hiring, and performance evaluation assessments. However, it is 

possible that such deficiencies were triggered by an execution failure whereby the auditor may have had knowledge 

of what is expected to be done in the audit, but failed to ensure that the required procedures were carried out in 

an effective manner. The latter challenge may be the result of several root causes, such as time pressure concerns in 

completing the audit, multi-tasking across a number of audit engagements, or inadequate quality control review 

procedures at the engagement level. 

To address the concern related to a failure to exercise due professional care, audit firms and the profession may 

benefit from conducting deep-dive analyses of instances detected within the firms’ own quality control reviews or 

peer reviews where generally understood audit procedures are not being performed to determine the root-cause issue 

leading to a failure to perform required procedures. Such an analysis may identify areas where education and training 

are warranted, or it may identify areas where firm culture or personnel-related issues are causing members of the 

engagement team to not perform procedures generally understood as core to any audit engagement. In the spirit of 

continual efforts to improve audit quality, firms may benefit from surveys of current employees and exit interviews of 

former employees who may shed insight into issues affecting the exercise of due professional care. Addressing concerns 

related to exercising due professional care helps to strengthen one of the front-line defenses against audit failure. 


Insufficient Levels of Professional Skepticism 

Another front-line defense against issues that might lead to audit failure is an appropriate level of professional 

skepticism. A lack of an appropriate questioning mindset and a failure to critically evaluate audit evidence create 

opportunities for a number of audit deficiencies to be present across all aspects of an audit. While the SEC tends to 

include this general deficiency in most of its sanctions against auditors, it is helpful to consider concerns noted by the 

SEC about the lack of sufficient professional skepticism to see if there are additional insights that might contribute to 

the profession’s continual efforts to improve auditor skepticism. 

The critical nature of professional skepticism is a core theme in the Center for Audit Quality’s Deterring and Detecting 

Financial Reporting Fraud: A Platform for Action (October 2010). In that report, the CAQ noted that skepticism is 

…an essential element of the professional objectivity required of all participants in the financial reporting supply 

chain. Skepticism throughout the supply chain increases not only the likelihood that fraud will be detected, 

but also the perception that fraud will be detected, which reduces the risk that fraud will be attempted…For 

both internal and external auditors, skepticism is an integral part of the conduct of their professional duties, 

including the consideration of the risk of management override of internal controls. (p. vii) 

Within that CAQ report, Chapter 3, “Skepticism: An Enemy of Fraud,” provides a rich discussion of the critical role 

of exercising appropriate professional skepticism and highlights the realities of how biases impact all individuals as they 

make judgments and decisions. The chapter highlights the natural tendency that all players in the financial reporting 

process, including auditors, tend to believe that the organizations they serve and leaders with whom they are aligned 

have integrity. That belief predisposes auditors and boards of directors to trust other players in the financial reporting 

process. Such bias towards trust may lead to a lack of asking probing questions and a failure to critically assess audit 

evidence. 

To help address this tendency, auditing standards, including the standards related to auditor consideration of fraud in 

the financial statement audit, emphasize the importance of all members of the engagement team recognizing the reality 

that the risk of fraud is present in every audit. That is, no audit is devoid of the risk that certain incentives/pressures, 

opportunities, or inappropriate attitudes or rationalizations may exist that affect the likelihood of fraud being present. 

Additionally, those standards also recognize that the risk of management override of internal control is also present 

in all audits. Despite this explicit recognition in auditing standards, the SEC concluded that in many cases examined 

in this study the auditor apparently struggled to recognize the risk of fraud throughout the performance of the entire 

audit engagement. 

Academic research on the topic of professional skepticism suggests that there are six characteristics of skepticism: 13 

1. Questioning mindset – A disposition to inquiry, with some sense of doubt. 

2. Suspension of judgment – Withholding judgment until appropriate evidence is obtained. 

3. Search for knowledge – A desire to investigate beyond the obvious, with a desire to corroborate. 

4. Interpersonal understanding – Recognition that people’s motivations and perceptions can lead them to 

provide biased or misleading information. 

5. Autonomy – The self-direction, moral independence, and conviction to decide for oneself, rather than 

accepting the claims of others. 

6. Self-Esteem – The self-confidence to resist persuasion and to challenge assumptions or conclusions. 

The challenging issue for auditors and the audit profession as a whole is that the concept of professional skepticism has 

been a fundamental aspect of auditing standards for decades. Therefore, the question becomes, “Despite recognition 

13 See “Development of a Scale to Measure Professional Skepticism,” by R. Kathy Hurtt, Auditing: A Journal of Practice & Theory, May 2010. 


that professional skepticism has been fundamental to the audit process for decades, what leads to problems in 

exercising sufficient levels of professional skepticism on a day-to-day basis during an audit?” 

It is unclear what issues exist that lead to missteps in an auditor’s ability to apply a sufficient level of professional 

skepticism in the audit. Perhaps in some cases it is a lack of awareness of our human tendencies to place too much 

trust in others when we have seen no evidence to the contrary. If it is a lack of awareness of our human judgment 

and decision-making capabilities, then additional training and education about the realities of how biases affect our 

judgments and decision-making tasks may prove beneficial. Reminders about the characteristics of skepticism noted 

above may be a start. 

The PCAOB Staff Audit Practice Alert No. 10, Maintaining and Applying Professional Skepticism in Audits, also 

provides guidance to assist auditors in applying professional skepticism in their audits. That Alert provides examples 

of instances where the auditor did not appropriately apply professional skepticism, and it alerts auditors to common 

impediments to sufficient skepticism. The Alert also highlights the importance of the audit firm’s system of quality 

control and supervision in promoting professional skepticism. 14 

The COSO thought paper, Enhancing Board Oversight: Avoiding Judgment Traps and Biases, 15 may be another useful 

reference tool. The guidance in that paper provides a helpful reminder to all participants in the financial reporting 

process, including auditors and boards of directors, of concerns about their own biases that they should monitor as 

they make key judgments and decisions. 

Unfortunately, training will not solve all the limitations in the ability to exercise appropriate levels of professional 

skepticism. Most likely, many of the audit deficiencies documented in this study involve individual auditors who 

understood intellectually the importance of exercising appropriate professional skepticism, but for some reason failed 

to execute on that while performing the audit. Auditors may benefit from reminders of the importance of exercising 

appropriate levels of professional skepticism, and those reminders may need to be made multiple times in multiple 

ways during an engagement. Assessments and accountabilities of how individual members are aligning with skepticism 

characteristics may need to be explicitly measured at multiple stages during an audit engagement. Quality review 

assessments may need to be enhanced to explicitly assess evidence of appropriate levels of professional skepticism in the 

conduct of individual audit engagements. Training, reminders, and assessments of the presence of these pitfalls during 

an audit engagement may provide some initial first steps in enhancing capabilities of maintaining appropriate levels of 

professional skepticism. 

Hindsight analyses of instances where a lack of professional skepticism is detected in the normal audit review process, 

including peer reviews, inspections, and actual cases of audit failure, might begin to identify patterns of behaviors 

where professional skepticism is lacking. Once those patterns are identified, then audit firms and the profession as a 

whole will be in a better position to respond to root-cause drivers of inappropriate levels of professional skepticism. 

Better insight as to root-cause drivers may create opportunities for audit firms to embed periodic checks of professional 

skepticism within the scope of an audit to proactively identify situations where skepticism is lacking so that it can be 

corrected in real time. 

The profession may also need to explore how differences in cultures across geographic regions of the world and 

generational differences impact how skepticism is developed and applied in an audit. For example, appreciation for 

the importance of professional skepticism may differ for individuals residing in different countries, and we may find 

that future generations of audit professionals develop and exercise professional skepticism differently than today’s audit 

professionals. Research is warranted to better understand these and other potential factors affecting the exercise of 

professional skepticism. 

14 See PCAOB Staff Audit Practice Alert No. 10, “Maintaining and Applying Professional Skepticism in Audits” (December 4, 2012), www.pcaob.org. 

15 Download this thought paper at www.coso.org. 


The CAQ’s Deterring and Detecting Financial Reporting Fraud: A Platform for Action (October 2010) (p. 25) includes a 

number of suggestions related to professional skepticism for auditors that warrant further review. Here is an overview 

of several considerations noted in that report for external auditors: 

1. Based on the fraud risk assessment developed in planning the audit, proactively suggest questions that the 

board and audit committee may want to ask management. 

2. Regularly evaluate the audit firm’s internal communications and training programs to confirm that they 

adequately address the exercise of professional skepticism and the assessment of fraud risk. 

3. Reinforce the importance of interviewing and inquiry skills in the audit process, including consideration of 

non-verbal communications. 

4. Emphasize the value of corroboration as a means of obtaining sufficient audit evidence, and provide 

guidance on mechanisms and methodologies such as company communications for obtaining corroborative 

information. 

5. Consider including in the brainstorming sessions individuals outside of the engagement team with industry 

expertise and those who have experience with situations involving financial reporting fraud. 

6. Consider face-to-face meetings to obtain information, in order to encourage open discussion and assess nonverbal 

communications. 

7. Encourage the academic community to strengthen the auditing curriculum’s focus on professional skepticism 

and techniques for fraud detection. 

That report also contains several suggestions for audit committees and internal auditors in regards to fraud risk 

assessments. While those suggestions are tailored to audit committees and internal auditors, they can easily be adapted 

for consideration by external auditors to help strengthen their application of professional skepticism. 

Inadequate Identification and Assessment of Risks 

The failure to exercise due professional care and the failure to maintain sufficient levels of professional skepticism 

are natural precursors to an inadequate identification and assessment of risks of material misstatement in the audit, 

including the risk of fraud. In some of the cases examined in this study, the audit firm failed to conduct required audit 

risk assessment procedures, such as procedures to perform fraud risk assessments. In other cases, the auditor failed to 

respond to risk conditions previously identified by the auditor. The situations examined in this study illustrate how the 

lack of due professional care and insufficient levels of professional skepticism can lead to inadequate risk assessments or 

responses to noted risks. So, addressing those root-cause drivers will have a direct impact on an auditor’s identification 

and assessment of risks. 

However, there are likely other causes that help to explain why deficiencies are noted in the auditor’s risk assessment 

process. While auditing standards have been risk-based for a number of years, some may oversimplify the risk 

assessment process. That is, the extent of training on the fundamentals of risk management and risk assessment may be 

lacking in helping auditors to understand factors that affect the quality of any risk assessment task. 

More recently there has been an increased emphasis on the importance of enterprise risk management (ERM) as 

an emerging business paradigm important to overall corporate governance. As that business paradigm continues to 

develop, executives are realizing that more education and training related to risk identification and risk assessment 

tasks are needed. And, as thought papers about assessing enterprise-level risks have emerged, complexities surrounding 

the ability to properly identify and assess risks across complex enterprises are now being recognized. For example, the 

Harvard Business Review article, “The Big Idea: Before You Make that Big Decision…,” highlights how a number of 

pitfalls, such as groupthink, saliency bias, confirmation bias, and the halo effect, among others, can impact the quality 

of our decisions, including decisions related to risk identification and assessment. 16 An article in The Conference Board 

16 See “The Big Idea: Before You Make that Big Decision…,” by Daniel Kahneman, Dan Lovallo, and Olivier Sibony, Harvard Business Review, June 2011. 


Review, “The Dark Side of Optimism,” illustrates how optimism, which is widely seen as a virtue of American culture 

that stresses looking at the bright side of an issue and de-emphasizing the problematic, is impacting our ability to 

make realistic, objective assessments. 17 Furthermore, COSO’s thought paper, Risk Assessment in Practice, outlines best 

practices related to risk assessment tasks, including the importance of considering a number of dimensions in addition 

to traditional considerations of a risk’s probability and impact. 18 

Collectively, these and other thought papers suggest that the risk identification and risk assessment process is more 

complex than it may seem and therefore subject to a number of pitfalls. 

The profession may benefit from taking a closer look at the process of identifying and assessing risks to see what more 

we can learn about the complexities associated with any risk assessment task. In some circumstances, auditors may be 

ill-equipped to adequately assess risks from a probability perspective — that is, some auditors may be overly optimistic 

about the likelihood that a client is not engaging in fraud, and auditors’ lack of experience in seeing actual cases of 

fraud may cause us to underestimate the likelihood that material misstatements may be present. Most undergraduate 

or graduate accounting programs contain minimal coverage of risk management concepts, and firm-level training 

programs often presume auditors understand what is meant by “assess the risk of material misstatement.” More 

sophisticated training on fundamental risk management principles may be warranted to help auditors avoid common 

pitfalls already understood by risk management professionals. 

Failure to Respond to Identified Risks with Appropriate Audit Responses to 

Gather Sufficient Competent Evidence 

The ability to design and perform audit procedures to gather evidence to address risks of material misstatement due 

to fraud is contingent on the combined execution of exercising due professional care, maintaining a sufficient level of 

professional skepticism, and identifying and assessing risks. That is, due professional care, professional skepticism, and 

risk assessment are necessary conditions for designing and performing appropriate audit risk responses. Until those 

challenges are addressed, auditors are subject to limitations in their abilities to appropriately design and perform audit 

procedures to address risks of material misstatement. 

In some of the cases examined in this study, the auditor failed to perform audit procedures generally expected to be 

performed in any audit, such as sending confirmations of receivables, obtaining evidence to support estimates, or 

corroborating management’s oral representations. In other cases, the auditor failed to adjust audit procedures in light 

of documented risk conditions and merely conducted procedures in a generic audit program or similar to procedures 

performed in prior years. These examples suggest there may be difficulties associated with a lack of exercising due 

professional care or maintaining sufficient levels of professional skepticism. 

Other instances highlight challenges of linking risks and responses. In some situations, the underlying audit deficiency 

suggested a failure in adequately linking documented risks to audit procedures being performed and a failure in 

considering the appropriateness of the audit response to the risk noted, which is a finding that has been observed in 

other research. In the spirit of continual quality improvement, perhaps greater emphasis on the importance of linking 

audit procedures to underlying risks and heightened review of those linkages may help auditors to identify areas 

where the response is not commensurate with the risks identified. Tools and techniques that help auditors make these 

linkages may need to be developed, and, if they already exist, perhaps additional training as to the purpose and benefits 

of those tools may be warranted. 

17 See “The Dark Side of Optimism,” by Susan Webber, The Conference Board Review, January/February 2008. 

18 Download this paper from the COSO website (www.coso.org). 


Other Implications 

As summarized in Tables 7–10, there are deficiencies noted that lead to other implications about areas for 

improvement related to the audit process that should be considered. In the prior pages of this report, we have 

addressed these four overarching themes given that improvement in each of these aspects has the potential for 

engagement-wide impact on other more specific deficiencies noted in this study. However, further analysis of some of 

these more specific audit deficiencies may identify opportunities for improvements in our understanding of potential 

factors that impact audit quality. 

5. SUMMARY 

Financial reporting fraud is a serious concern for all capital market participants, and its deterrence and detection 

are important responsibilities of all participants in the corporate governance process. While the driver of financial 

reporting fraud is the perpetrator who conceals fraudulent actions, auditing standards do place a responsibility on 

auditors to plan and perform the audit to obtain reasonable assurance about whether the financial statements are 

free of material misstatement, whether caused by error or fraud. Given that responsibility, it is important that the 

profession invests in the consideration and analysis of prior instances of alleged audit failures, such as the present study, 

to identify opportunities to learn from these mistakes and to strengthen the entire audit process. We hope the analysis 

summarized in this report provides a springboard for opportunities to enhance understanding of the audit process and 

strengthen the execution of procedures performed to lower the incidence of undetected fraudulent financial reporting. 


6. RESEARCH TEAM 

Authors 

Mark S. Beasley is the Deloitte Professor of Enterprise Risk Management and Professor of Accounting at North Carolina State 

University. He is the Director of NC State’s Enterprise Risk Management (ERM) Initiative, which provides thought leadership 

about ERM practices and their integration with strategy and corporate governance. Mark recently completed over seven years of 

service on the board for the Committee of Sponsoring Organizations of the Treadway Commission (COSO). Mark has previously 

served as President of the American Accounting Association’s Auditing Section and on several national task forces and working 

groups, including the Auditing Standards Board SAS No. 99 Fraud Task Force. His research has appeared in such journals as The 

Accounting Review, Journal of Accounting Research, Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, and 

Accounting Horizons. He is a frequent speaker at national and international conferences on ERM, internal controls, and corporate 

governance, including audit committee practices. mark_beasley@ncsu.edu 

Joseph V. Carcello is the Ernst & Young and Business Alumni Professor and co-founder and Director of Research at the 

University of Tennessee’s Corporate Governance Center. He has published in such journals as The Accounting Review, Journal 

of Accounting Research, Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, and Accounting Horizons. 

Joe is a member of the Public Company Accounting Oversight Board’s (PCAOB’s) Investor Advisory Group, and previously 

served six years on the Standing Advisory Group. He testified before the U.S. Treasury Department Advisory Committee on the 

Auditing Profession, and before a Congressional oversight committee related to accounting and auditing regulation. Joe served on 

COSO’s Small Business Control Guidance Advisory Group Task Force; as Vice President – Finance of the American Accounting 

Association; and as President of the Auditing Section of the AAA. He has served as an expert witness in cases involving fraudulent 

financial reporting for the U.S. Securities and Exchange Commission, and as an expert in evaluating corporate governance reforms 

instituted as part of legal settlements of shareholder claims in federal and state courts. Joe has served as a consultant on corporate 

governance, controls, and fraud to public companies and audit committees, including the audit committee of a Fortune 50 

company. jcarcell@utk.edu 

Dana R. Hermanson is Dinos Eminent Scholar Chair of Private Enterprise, Professor of Accounting, and Director of Research 

in the Corporate Governance Center at Kennesaw State University. Among the most prolific researchers in accounting, he has 

published in such journals as Contemporary Accounting Research, Auditing: A Journal of Practice & Theory, Journal of Accounting 

and Public Policy, Journal of Accounting Literature, Accounting Horizons, Behavioral Research in Accounting, Journal of Information 

Systems, and Issues in Accounting Education. Dana has served as co-editor of Accounting Horizons and was founding co-editor of 

Current Issues in Auditing. He and his co-authors received the 2008 Deloitte/AAA Wildman Medal, which recognizes research 

judged “to have made or be likely to make the most significant contribution to the advancement of the public practice of 

accountancy.” In 2010, Dana was cited by Directorship magazine as one of the “People to Watch” in corporate governance, and his 

work has appeared in such outlets as The Wall Street Journal and BusinessWeek. dhermans@kennesaw.edu 

Terry L. Neal is the Dennis Hendrix Professor of Accounting in the Department of Accounting and Information Management at 

the University of Tennessee and a Research Fellow at the University of Tennessee’s Corporate Governance Center. He also serves 

as the director of the Ph.D. program in Accounting. Terry’s research has been published in The Accounting Review, Contemporary 

Accounting Research, Auditing: A Journal of Practice & Theory, Journal of Accounting and Public Policy, Accounting Horizons, The 

International Journal of Accounting, and Corporate Governance: an international review. He currently serves or has served on the 

editorial boards of The Accounting Review, Auditing: A Journal of Practice & Theory, Accounting Horizons, and Current Issues in 

Auditing. Terry also has served as an ad-hoc reviewer for several other journals including Contemporary Accounting Research, Journal 

of Accounting and Public Policy, Journal of Accounting Literature, and Issues in Accounting Education. tneal3@utk.edu 

Research Manager 

Lauren Reid is a third year doctoral student at the University of Tennessee with research and teaching interests in auditing and 

financial accounting. She obtained a Bachelor’s degree and a Master’s degree in Accountancy from Wake Forest University. After 

acquiring professional experience in the audit practice at Ernst & Young, Lauren taught introductory and intermediate financial 

accounting courses at Wake Forest University prior to entering the Ph.D. program. She is a licensed CPA in the state of North 

Carolina. lcarse@utk.edu 


APPENDIX 

Detailed Listing of Alleged Audit Deficiencies by Audit Area 

(n = 81 Total, 35 National, 46 Non-National) 

Audit Area 

Panel A: 

Engagement Acceptance 


Number of Cases With Problems 

[Total / National Firms / Non-National Firms] 

a. Failure to conduct adequate predecessor / successor communications 4 Total / 0 National / 4 Non-National 

b. Inadequate assessment / consideration of management’s integrity 3 / 3 / 0 

Panel B: 

General GAAS Standards 

a. Inadequate training and proficiency to conduct engagement 7 / 1 / 6 

b. Lack of independence from client 8 / 3 / 5 

• 3 involved auditor performing accounting or 

management functions for client 

• 2 involved employment discussions with the client 

• 1 involved loan from the client’s CFO 

• 1 involved threat of litigation if auditor withdrew 

from the audit 

• 1 involved ownership of client stock 

c. Failure to exercise due professional care 54 / 24 / 30 

d. Insufficient level of professional skepticism 49 / 21 / 28 

e. Former audit employee serves in client management role (CEO/CFO) 1 / 1 / 0 

Panel C: 

Audit Planning – Fieldwork GAAS Standard 

a. Inadequate planning and supervision 25 / 8 / 17 

• 4 involved failure to write an audit program 

b. Failure to adequately address audit risk and materiality 17 / 7 / 10 

c. Inadequate consideration of fraud risks 27 / 12 / 15 

d. Failure to address illegal acts by clients 9 / 3 / 6 

e. Failure to recognize / ensure disclosure of key related parties 12 / 3 / 9 

f. Failure to appropriately design audit programs 3 / 0 / 3 

g. Inadequate performance of analytical procedures 1 / 0 / 1 

h. Inadequate review of engagement 9 / 3 / 6

Detailed Listing of Alleged Audit Deficiencies by Audit Area continued 

Audit Area 

Panel D: 

Understanding Internal Controls – Fieldwork GAAS Standard* 

a. Failure to obtain an understanding of the entity and its environment (including 

assessing the risk of material misstatement) 



2 / 0 / 2 

b. Failure to obtain adequate understanding of internal control 5 / 2 / 3 

c. Over-reliance on internal controls (over-relying / failing to react to known 

control weaknesses) 

3 / 2 / 1 

d. Failure to consider particular risks related to the control environment 1 / 1 / 0 

e. Failure to communicate internal control related matters identified in an audit 1 / 1 / 0 

Panel E: 

Sufficient Competent Evidence – Fieldwork GAAS Standard 

a. Failure to adequately perform audit procedures in response to assessed risks 12 / 8 / 4 

b. Failure to gather sufficient competent audit evidence 59 / 23 / 36 

c. Poor performance of substantive analytical procedures 4 / 1 / 3 

d. Inappropriate confirmation procedures 12 / 5 / 7 

• 5 involved failure to confirm 

• 5 involved failure to perform alternate procedures 

• 2 involved lax procedures leading to client falsifying 

confirmations 

e. Inadequate observation of inventories 4 / 0 / 4 

f. Failure to adequately audit derivative instruments, hedging activities, and 

investments in securities 

1 / 0 / 1 

g. Failure to obtain adequate evidence related to management representations 44 / 18 / 26 

h. Over-reliance on / failure to obtain work of specialists 9 / 1 / 8 

i. Inadequately considering responses from client’s legal counsel / attorney letters 2 / 1 / 1 

j. Inadequate preparation and maintenance of audit documentation 16 / 8 / 8 

• 7 involved intentional alteration and/or destruction 

of workpapers 

k. Failure to appropriately audit accounting estimates 4 / 3 / 1 

l. Incorrect sampling techniques (failing to project results to population) 1 / 1 / 0 


Detailed Listing of Alleged Audit Deficiencies by Audit Area continued 

Audit Area 

Panel F: 

Reporting GAAS Standards 

a. Inadequate evaluation of entity’s going concern status 1 / 0 / 1 

b. Failure to adequately communicate with the audit committee 14 / 7 / 7 




c. Incorrect/inconsistent interpretation or application of requirements of GAAP 30 / 17 / 13 

• 10 cases involved revenues, and 4 involved 

reserves (including warranties) 

d. Failure to express an appropriate audit opinion 38 / 15 / 23 

• Majority of the cases involved the auditor issuing 

an unqualified opinion on financial statements 

that did not conform with GAAP and for which the 

auditor did not adhere to GAAS 

e. Failure to evaluate adequacy of disclosure 12 / 8 / 4 

f. Failure to appropriately reference the work performed by other auditors 2 / 0 / 2 

g. Inappropriate consideration of material subsequent events 1 / 1 / 0 

h. Failure to report changes in accounting principle 2 / 1 / 1 

i. Inadequate evaluation of impact of uncertainties 1 / 0 / 1 

j. Failure to evaluate known audit differences / improperly concluding that 

“passed” audit adjustments were immaterial 

Note: Audit areas are listed only if there were alleged problems in those areas. 

5 / 5 / 0 

* The number of individual internal control-related audit deficiencies sums to 12 in the Appendix; however, one firm was cited for two of these deficiencies. 

Thus, in Table 7, the total number of cases in which internal control-related deficiencies are present is 11.

18wjMaD

Create successful ePaper yourself

Delete template?

Save as template?