What we have done once, we are likely to do again; that is, acts tend to recur. Acts repeated form habits; and habits crystallize into character, which is the cause of subsequent acts.
- Aaron Schuyler, Systems of Ethics, Jenning & Pye, 1902, p. 11
Management's integrity is a key element in the efficacy of an audit conducted in accordance with generally accepted auditing standards (GAAS) as practiced in the United States. When management's integrity is in question, the underpinning of a GAAS audit may be destroyed. This can occur because a GAAS audit does not contemplate an examination of the accounting for every economic event affecting the enterprise. Instead, the performance of a GAAS audit involves the use of verification and evaluation techniques and other procedures that focus on a limited number of transactions, as well as financial ratios and analytics, rather than doing the more extensive verification generally associated with a fraud or internal audit. Moreover, an enterprise's financial statements are management's representations, and the embodied assertions that are tested in a GAAS audit are management's assertions. Management's integrity is the critical element in determining if an independent auditor can rely on the many oral and written representations made by management during the auditing process. An independent auditor must decide whether to accept or reject management's explanation of nonroutine transactions - matters requiring the application of judgment and, in some instances, representations concerning future actions. These situations often represent the greatest risk areas in an audit.
Accordingly, an independent auditor's assessment of management's integrity becomes one of the most important exercises of judgment that one must make in the performance of a GAAS audit. As stated in Montgomery's Auditing: "The assertions of management that are embodied in a set of financial statements are the subject matter of an audit of those statements" (O'Reilly et al., Wiley, 2001). Failing to make a critical assessment of management's integrity - or worse, proceeding with an audit in the face of evidence calling management's integrity into serious question without performing sufficient additional audit procedures - can result in a consequent impairment of the audit's effectiveness, putting the independent auditor at the risk of ethical sanction and legal liability.
Moreover, GAAS states that management integrity concerns can, in certain instances, cause the independent auditor to reach the conclusion that the risk of management misrepresentation in the financial statements is so great that a GAAS audit cannot be performed and that the independent auditor may need to withdraw from the engagement.
What Is Management Integrity?
Management integrity is the essential concern articulated in the professional standards and the internal control and risk guidance from the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO defines integrity as: 'The quality or state of being of sound moral principle; uprightness, honesty and sincerity; the desire to do the right thing, to profess and live up to a set of values and expectations." Another similar definition is found in Management Ethics: Integrìty at Work, by Joseph A. Petrick and John F. Quinn (Sage Publications, 1997): "Management integrity is the individual process of repeated alignment of moral awareness, judgment, character, and conduct that demonstrates balanced judgment and promotes sustained moral development at all levels of managerial practice."
Who Is Management?
The FASB Accounting Standards Codification, in its master glossary, defines "management" as including those individuals who are responsible for setting the objectives and policy for an enterprise and having the authority to make the decisions necessary to achieve those objectives. Management would include the principal owners, the board of directors, the chief executive and operating officers, officers in charge of principal business functions, and any other person who performs similar policy-making functions. Management is not limited in the standards and literature to only those officers having responsibility for financial accounting and reporting. Many of an enterprise's senior management - and its board of directors - can affect the recording of transactions and their summarization, characterization, display, and disclosure in the enterprise's financial statements. The senior officers and board are primarily responsible for setting the "tone at the top" - the ethical culture of the organization.
Quality Control Standards and Risk
The AICPA' s Statements on Quality Control Standards (SQCS) state that continuing consideration of the integrity of a client's management is an important element in client acceptance and continuance.
The SQCSs require that policies and procedures must be in place to decide whether to accept or continue a client relationship. The established policies and procedures should provide CPAs with reasonable assurance that their association with an enterprise whose management lacks integrity is minimized. This acceptance/retention process does not imply that a CPA affirms the integrity or reliability of a client's management, nor does it suggest that CPAs have a duty to any other person or entity regarding the acceptance, rejection, or retention of their clients.
This guidance concerning management integrity is consistent with CPAs' various codes of conduct, which articulate broad ethical considerations for both a CPA' s exercise of professional judgment and the enhancement of the reputation of the profession. They are the same except for the designated party - CPA versus client management. Nonetheless, the failure of any entity due to a breakdown in management's integrity and ethics - that is, fraud - will lead to scrutiny of an auditor's judgment and assessment of management's integrity. Any determination that an independent auditor's assessment procedures were substandard, or worse, that the independent auditor proceeded with the audit without sufficient safeguards in the face of evidence of management's lack of integrity, may carry with it both legal liability and professional sanction.
Virtually all of the codes governing CPAs' conduct, whether promulgated by licensing authorities or self-regulatory agencies, deem the failure to conduct an audit in accordance with applicable standards as constituting "unprofessional conduct." Furthermore, a more robust sharing of information among these agencies and authorities has been implemented over the past decade. Thus, a determination by any such agency or authority that an auditor failed to adequately assess management's integrity is much more likely to result in severe professional sanctions against an auditor than ever before. These sanctions range from public admonishment to fines to suspension or even revocation of one's professional license.
In the legal context, these "audit failures" often manifest themselves in the auditors being named as defendants in civil fraud litigation, which entails myriad other issues. Civil allegations typically involve claims that the auditors aided and abetted management's fraud, or were actively involved in the fraud by recklessly ignoring management's misbehavior. These allegations of active involvement, if proven, take the auditors' potential liability out from under the coverage of professional liability insurance, which universally excludes coverage for "intentional misconduct." Moreover, while a common defense to such claims relies on the in pan delicto doctrine (i.e., management's misbehavior is imputed to the entity and thus precludes the entity's pursuit of claims against its auditors and other professional advisors), there are a number of states where jurisprudence severely limits the availability of this defense.
The in pari delicto defense only applies in cases where the audited entity, or its successor representatives (such as a bankruptcy trustee), asserts claims against the auditors. It does not apply in cases where the plaintiffs are third-party users of the audited financial statements alleging that they were directly deceived by the auditors' reports. In those cases, however, the burden of proof is heightened, and plaintiffs must prove, by clear and convincing evidence, that they were deceived by the auditors' actual or reckless misrepresentations, and that they "justifiably" relied on those misrepresentations. The "justifiable reliance" element of the claim brings into question the credibility of the financial statement user, thus opening a similar inquiry as to the plaintiff's own behavior.
Continual Evaluation of Management Integrity
As the auditor performs planned audit procedures, the audit evidence obtained may cause the auditor to modify the nature, timing, or extent of other planned audit procedures. Information may come to the auditor's attention that differs significantly from the information on which the risk assessments were based. (AICPA Technical Practice Aid, Practice Alert 03-3, Acceptance and Continuance of Clients and Engagements, December 2003, pars. 33-42)
While client acceptance procedures address the need to perform background investigations of management before agreeing to perform an audit, auditing is an integrated, continuous, iterative process, and the assessment of management's integrity, likewise, is an ongoing process throughout an audit. The professional literature requires that, as evidence is accumulated during the performance of an audit, an independent auditor should continuously reassess initial and previous judgmental evaluations, including that of management's integrity, and confirm or reject prior conclusions and, if necessary, redesign the audit procedures in light of the findings. Thus, the failure to do so may constitute a departure from the standard of due care.
Conduct of Management and Corporate Culture
If an independent auditor determines that she cannot rely on management's representations because she believes that there is a serious and endemic lack of management integrity, then the auditor cannot properly perform a GAAS audit. An auditor must remain critical of management's involvement and behavior throughout the audit process and must be prepared to challenge management if she senses that management is less than forthright.
Management, in all the various disciplines of the business, set the ethical tone throughout their organization. The integrity of the enterprise's owners is also part of the evaluation because, as members of management, they have the same ability to influence the culture and operations of the enterprise.
SAS 99, Consideration of Fraud in a Financial Statement Audit, echoes the other standards emphasizing that ethical corporate behavior begins with the tone at the top and the values established by senior management. COSO also found that "integrity must be accompanied by ethical values, and must start with the chief executive and senior management and permeate the organization." GAAS requires that an independent auditor consider the environment in assessing internal controls and the risk of fraud and misconduct.
As previously stated, the professional standards and literature focus on the integrity of an enterprise's senior management, not only on its financial management. Senior management is responsible for establishing the tone of ethical behavior within the entity, in both actions and words. Because senior management is in a unique position to override internal controls and manipulate transactions, professional standards dictate that an auditor should be alert to indications that management lacks integrity. The lack of integrity transcends the actions relating to financial issues and includes every area of a manager's character.
The control environment is the foundation of an internal control system. Established by management, it sets the fundamental ethical tone of an entity and influences the behavior of the personnel within the entity. COSO defines internal control as a process affected by people. The competence, attitudes, behavior, and actions of people determine the success or failure of the internal control process. It is the responsibility of management to exert a positive influence on the mindset of people through its philosophy and operating style - the demonstration of moral and ethical values. COSO' s Report of the National Commission on Fraudulent Financial Reporting, issued in October 1987, states: "The tone set by top management - the corporate environment or culture within which financial reporting occurs - is the most important factor contributing to the integrity of the financial reporting process."
What are the indications of a lack of management integrity? While the SQCSs discuss the importance of management integrity in the acceptance and continuance process, little is said about what actions, past and present, of the members of management need to be evaluated in the process of assessing management's behavior in order to determine if management lacks integrity. The standards simply say that management integrity should be considered in the acceptance process and continually reassessed throughout the audit. The factors that the standards say should be evaluated include the nature and business practices of the enterprise and the attitude of its principal owners, key management, and those charged with coiporate governance toward matters such as aggressive interpretation of accounting standards and internal control over financial reporting. This certainly is too basic an evaluation to form the foundation for assessing a prospective client's management's integrity.
Throughout GAAS, there are references to management's integrity and findings made during the audit, such as in the analysis of the possibility of fraud and the determination of materiality from the perspective of quality versus quantity; that is, even a small amount, if it reflects poorly on management integrity, may be material. Nowhere is a listing given of more than two or three of the indicators of management' s lack of integrity. For that matter, there is no definition of management integrity in the standards themselves.
Other parts of the professional literature and examples from auditing programs give some guidance in this area. Among the factors mentioned - and others observed by the authors - to consider when assessing management's integrity are the following:
During the acceptance and continuance process
* The reputation of the principal owners, directors, and top management;
* Regulatory investigations involving the enterprise, past and present;
* Allegations of fraud contained in prior or current litigation against the enterprise;
* Using litigation more to apply pressure than to redress a perceived wrong;
* Prior criminal charges, convictions, or pleas;
* Prior SEC action against the individual owners, directors, or members of top management;
* Failure to pay personal taxes, resulting in civil actions by the IRS against the individual; and
* Low moral character.
During the auditing process
* Aggressive application of accounting principles without proper support that, in the vast majority of instances, results in increased revenue or decreased expenses, always resulting in increased net income;
* Implication in fraudulent activity, whether material to the financial statements or not;
* Willingness to accept poor internal control over financial reporting;
* Failure to correct significant weaknesses in internal control over the financial reporting process not supported by a costbenefit analysis;
* Representations that are refuted by corroborating evidence;
* Failing to cooperate with the requirements of the audit process;
* Frequent errors in schedules prepared to assist the auditor that tend to support a favorable application of GAAP, or management's judgment in an estimate; and
* Conflicting answers to inquiries that are "reconciled" by additional "clarification."
It is important to recognize that some of these indicators may be present but may not be the determining factors in the judgment of management's overall character. In addition, the level of management involved is considered when making any judgment on management's integrity. Senior management's reaction to any integrity weakness uncovered in lower levels of management is considered in reaching a conclusion. Moreover, additional or more intense audit procedures may isolate any offending management involvement with the audited assertions, allowing the auditor to render an opinion.
The evidence reflecting on management's integrity needs to be properly assessed. Each situation is different, and individual instances are not necessarily conclusive in an overall determination. Many adverse findings can be muted by applying more or different auditing procedures. Nevertheless, if an assessment results in a determination that management's lack of integrity is so compelling or pervasive that additional auditing procedures will not compensate for it, an independent auditor would have to conclude that he cannot continue with the audit and must resign from the engagement.
Withdrawal from an Engagement
According to professional standards - including those for professional ethics, quality control, and auditing - an independent auditor is justified in withdrawing from a GAAS audit engagement when it is concluded that a GAAS audit cannot be performed in conformity with the required professional standards and guidelines. When, in an auditor's judgment, she cannot rely on management's representations after considering alternative procedures to resolve the issue, there is an obligation to terminate the audit and any other services being performed for the client. The client's behavior in these instances has interfered with the independent auditor's ability to conduct an attestation engagement to the extent that the independent auditor is unable to render an opinion.
This obligation to withdraw exists regardless of when in the audit process an independent auditor, in his professional judgment, determines that he cannot continue to be associated with the enterprise. The more prevalent withdrawal situations occur when the independent auditor cannot rely on management because of issues relating to its integrity, or when there are threats of litigation against the auditor by the client. Whenever an independent auditor concludes that he needs to withdraw from an engagement, the independent auditor should consult with legal counsel before taking any action.
GAAS requires an auditor to evaluate management's integrity before, during, and after conducting an audit. Whenever an auditor determines that management's integrity is of such a nature that she cannot rely on management's representations and is no longer in a position to render an opinion on the enterprise's financial statements or other data, she should, after consultation with legal counsel, withdraw from the engagement and give serious consideration to withdrawing any prior reports that had been issued. Management integrity is central to a GAAS audit because the financial statements are, in total, management's, and all of the amounts displayed on the face of the financial statements and the disclosures in the statements and notes rely, in great part, on management's determinations. An engagement letter or a course of conduct may create a contract. Consequently, an auditor should consult an attorney before any action is taken, and the reason for the withdrawal should be properly documented in the workpapers and files.
It is the responsibility of management to exert a positive influence on the mindset of people through its philosophy and operating style- the demonstration of moral and ethical values.
Vincent J. Love, CPAJCFF, CFE, is managing director at the Finance Scholars Group, New York, N. Y, and a member of The CPA Journal Editorial Board. Thomas R. Manisero, JD, is a partner at Wilson Elser Moskowitz Edelman & Dicker LLP, White Plains, N. Y., specializing in professional malpractice defense.