THE LEGAL ASPECTS OF AUDITING (or Your Survival Skills in Today's Litigious World)
Ralph Kolts, Audit Manager ATK Thiokol Inc. P.O. Box 707 Brigham City, UT 84302-0707
ABSTRACT The trends for corporate litigation, fines, enforcement actions, and even convictions are rising. The legal exposure for our employers, and ourselves, will continue to grow and become more complex. As auditors, we must be aware of this legal risk; as professionals, we must ensure our auditing practices avoid or reduce legal exposure. To do this, auditors must be keenly aware of the conditions that create legal exposure. We expect our audits to ensure compliance and enhance integrity; but, by conducting audits poorly or not following professional standards, we can actually create, rather than negate, legal risk.
To avoid risk, sound auditing practices must be understood and followed. These practices involve: 1) risk assessment, 2) work papers, 3) evidential matter, 4) audit findings, 5) corrective action, 6) ethical standards, 7) audit quality assurance, 8) audit management, 9) due professional care, and 10) the auditor's relationship with legal staff.
By being aware of the legal risks and following sound auditing practices, the auditor's product will stand up under the most critical scrutiny.
TRENDS IN LITIGATION We are called a litigious society. Americans, in unprecedented numbers, are elbowing up to the legal crap table and giving the dice a throw. The risk is small with potentially significant rewards. For American corporations (who are often the deep pocket target in this legal lottery) a lawsuit is costly, time consuming, and potentially devastating. Recent trends make this even more troubling. Consider that in the last two decades:
Product liability lawsuits have increased fivefold, from 2,400 to about 12,500 suits annually. Commercial litigation involving contract cases increased 232 percent. Civil judgments and settlements in cases involving fraud against the government have increased from $12 million to over $340 million annually. The average award for lawsuits against corporate officers exceeded $3 million each, while the average cost to defend against a suit was almost $600,000.
1 Tort cases involving business relations grew 128 percent. Overall, tort costs have grown four times faster than the national economy.
Many would argue these trends are causing America's competitive decline. Insurance costs are soaring and innovation is stifled due to the fear of liability. Many companies and industries have been profoundly affected. The future is still uncertain; legislative and regulatory reform is receiving serious debate. The trends in litigation are sobering and should be a cause for serious reflection by the professional auditor.
AUDITS ROLE IN THIS LITIGIOUS AGE Well-managed companies are taking proactive measures to minimize liability. They have recognized the importance of continually monitoring their practices through audit oversight. As auditors we are part of the corporate insurance policy—and I mean this in the best sense. We are in a truly unique position to contribute to our company's success while protecting management and our fellow employees.
To do this, our mission must be twofold. First, we must ensure all applicable laws and regulations are followed. As they say, the one thing better than winning a lawsuit is to have no lawsuit at all. Secondly, when confronted with a lawsuit, a strong and effective audit program can demonstrate a company's commitment to self-governance and vigilance in combating noncompliance. This can mitigate the penalties sought or imposed.
In times of litigation, the audits we have performed contain a wealth of information regarding practices and compliance (or noncompliance). This information can be highly prized. If tested in court, will our audits be evidence for the prosecution or the defense? Will the audit program be a benefit to the entity or become a liability? We must ensure our audits prevent, rather than create, additional legal liability. To do this we must be aware of some legal exposures.
AWARENESS OF LEGAL EXPOSURES WHEN AUDITING The following examples illustrate how audits can be involved in legal exposure. These are hypothetical cases, based however on real life circumstances. As you read these examples, ask yourself several rhetorical questions: What is the nature of the legal exposure? How was it created? How could it be avoided? And most importantly—could this happen to me? We will discuss some of these issues later.
Case #1 Product Liability - You are an auditor for a company that produces actuators used in aircraft. Several months ago there had been a crash involving a small commercial airliner. All of the crew and passengers were killed. The airline and the families of the passengers have brought suit against your company. It is alleged the actuators were substandard and had not
2 undergone all qualification tests before being certified for flight. All quality records, certifications, and audit records have been subpoenaed and you have been called to testify. As you review a past audit report in preparation to testify you read the following finding: "The system for maintaining serial number traceability is seriously flawed. This could result in uncertified parts being installed in a flight assembly. Several problems and inconsistencies were noted and require improvement." You are unsure if the problems you found have been corrected.
Case #2 Contractual Issues - While performing a supplier audit, you observe that a test console is calibrated once every six months. You are concerned that the console may experience drift between calibrations and would prefer a method that accomplished calibration more frequently. You believe this could result in nonconforming items being accepted or conforming items being rejected. You decide to note this as an audit finding. During the closing conference, you direct the supplier to recalibrate the console after fifty test cycles, rather than every six months. Subsequently, the supplier bills your company for $220,000 as reimbursement for the additional calibration costs that have been incurred. The supplier's legal counsel states the auditor has changed the terms of the contract.
Case #3 Conflict of Interest - Your Company will be awarding a substantial contract. Two potential suppliers are being considered. These suppliers are equal as far as price and delivery; contract award will be based on quality. You will audit each supplier and recommend which supplier is superior. The weekend before submitting your recommendation, you are observed attending a Chief's football game with the QA Manager for one of the competing firms. After the game, you are both observed in the parking lot where the QA Manager gives you a brown envelope that you place in your inside coat pocket. A procurement officer from your company observed the entire incident. He has alleged that you accepted a kickback from the supplier in return for favorable treatment.
Case #4 Third Party Audits - You own a consulting firm that specializes in performing various audits. One of your best clients has asked you to perform a two-day, due diligence audit of a small manufacturing facility they plan to acquire. You will be expected to alert the client to any concerns that could have an impact on the acquisition. The audit will be performed for your standard fee of $2000 per day plus expenses. You suggest to the client that for an additional fee you could also take soil samples to determine if any environmental liabilities exist that may require remediation. The client insists this additional cost will not be required. Several years after the acquisition is completed, you are served with a lawsuit from your client's investors and creditors. The suit alleges you were negligent in not detecting environmental shortcomings that have threatened the solvency of the client firm. The suit
3 seeks to recover $66 million, a portion of the environmental damages. You carry liability insurance, but this suit exceeds the amount of your coverage by $65 million.
These cases illustrate litigations that are happening every day. No industry is safe. Some legal considerations are painfully obvious, but others can be much more subtle. In real life, the legal exposures can come from untold directions. Law libraries are filled with cases that would stagger our senses, and there are many more volumes yet to be written. We cannot predict all possible legal exposure, but two things can be guaranteed: 1) our audit reports and records can be subpoenaed, and 2) we may be compelled to testify.
These cases are meant to heighten your awareness. Next we must ask—what can we do to help ensure our audits withstand legal review?
TEN AUDITING TIPS TO MINIMIZE LEGAL EXPOSURE The following tips will help strengthen the audit program. If diligently followed, they can provide the auditor a suit of armor for protection from legal pummeling.
Tip #1 Audit Planning Based on Risk Assessment — Our first defense is to have a carefully planned audit program prepared using risk assessment. Performing audit risk assessment assures that we spent our time auditing the most critical areas, areas that have the most potential for something to go wrong. Just like it is impossible to read all the books in a library, we cannot audit all possible areas. So we must be selective, reading only those books of interest and auditing only those areas that pose abnormal risk.
There are two aspects of risk assessment. First, risk assessment should be used when selecting the audit subjects, such as when we create an annual audit plan or schedule. Secondly, when we begin an audit we must decide what verifications, tests, samples, or elements will be examined to form an audit opinion. There are no cookbooks for doing this. You must consider the legal (and business) risks that are unique for your company. In the first case example, the company produced critical flight components. Components that, if they fail, could have serious consequences. Given the brief facts of the case we could surmise that functional testing, reliability, redundancy, and certifications are high-risk areas. Has the audit function assessed these critical elements?
Tip #2 Work Papers Prepared to Support Third Party Review — In Case #1 we can see that audit documentation and work papers can be subpoenaed. These documents are powerful evidence. Accordingly, we must use the utmost diligence when assembling audit work papers with the expectation they will be subject to legally compelled access. The overriding legal consideration is to ensure audit records provide sufficient documentation to allow a third party to interpret the results properly and concur with the conclusions. A
4 simple checklist with columns checked "yes" or "no" is not sufficient. Instead, adequate evidential matter must support the indications of compliance, noncompliance, recommendations, and conclusions of our audit.
Tip #3 Conclusions Supported by Evidential Matter — Evidential matter is that information gathered by observation, document review, or interview upon which the audit opinions are based. Evidential matter must be reliable meaning it is reasonably free from error or bias and faithfully represents the facts. Evidential matter must also be relevant. That is, directly connected with and supportive of the audit objective or opinion. Work papers should not include copies of every document that may have been examined—only the relevant items. When it is not practical to include copies, we should provide sufficient notation to allow traceability to the item observed, document reviewed or person interviewed. A complete explanation should be recorded if an audit element is not applicable or not performed. Evidential matter is required not only for items of noncompliance, but for evidence of compliance as well.
Tip #4 Carefully Written Audit Findings — We should ensure free and open discussion when communicating audit findings with auditees. However, when findings are recorded (or communicated to anyone outside the immediate organization), the words must be carefully selected. The overriding legal consideration is to ensure audit findings describe the facts with accuracy and clarity. The operative words being—facts and accuracy. Certain words, by their very nature, can never meet this test of factual accuracy and should not be used. This includes extreme or inflammatory words such as: alarming, negligent, appalling, incompetent, careless, intentional, criminal, serious, significant, or willful. Also, avoid absolutes or vague generalities such as: always, never, few, some, many, several, or sometimes. Audit findings should not overstate or misstate the facts. Nor should they rely on hearsay or conjecture. Let us look back to the finding described in Case #1 to see how well that finding met these guidelines:
"The system for maintaining serial number traceability is seriously flawed (seriously flawed, hmm, that seems inflammatory). This could result in uncertified parts being installed in a flight assembly (it could result, it doesn't say it did result, seems like conjecture rather than fact). Several problems and inconsistencies were noted and require improvement (just what does that mean? Seems awfully vague. I think I'd love to be the prosecuting attorney with this one.)."
Let's rewrite that finding based on what the auditor actually observed:
"The armature and weld filler serial numbers were not evident for unit #23 (it
5 may be just that simple to report the facts accurately)."
Tip #5 Closed-loop Corrective Action — If a defect or deficiency is identified during an audit, it needs to be corrected or adequately addressed. If not, the legal stakes go up since this can be viewed as willful intent or negligence. Company management knew the problem existed, but willfully neglected to make corrections. This becomes criminal rather than civil action. Our audits must have a strong and effective corrective action cycle. Corrective action must be closed-looped, meaning after the corrections have been implemented, verification is performed. Verification of closure must ensure that corrections have been carried out and that those corrections have been effective in fixing the condition originally noted. Our hapless auditor in Case #1 is not sure if the problems had been corrected. This could make his testimony difficult.
Tip #6 Ethical Standards Governing Auditor Conduct — As professional auditors, and especially certified auditors, we are governed by ethical standards. Many of you will be familiar with the Code of Ethics for Members of the American Society for Quality Control. We should take these standards seriously. Think back if you will to Case #3 that involved an apparent conflict of interest. If you remember the auditor was observed placing an envelope in his coat pocket. The appearance was that a payoff was being accepted. But the incident may have been harmless; the two were old friends and the envelope contained family photos. The auditor was still in error by not disclosing this relationship; this created the appearance of wrongdoing and violated ethical standards. The professional auditor is guided by honesty, objectivity, diligence, impartiality, loyalty, and independence—never knowingly being a party to any illegal or improper activity. Such professional standards are the foundation upon which the reliability, trust, and confidence in our work is built. And sturdy it must be, particularly in times of doubt that can be caused by litigation.
Tip #7 Quality Assurance Principles Applied to Audits — As we perform audits, we expect certain controls to exist that will provide assurance of quality. We may look for the existence of procedures governing the function, personnel who are qualified and trained for the function, resources that support quality objectives, internal controls or inspections should be evident, and quality measurements in place. We should expect nothing less for the audit function. The application of basic quality controls (procedures, trained personnel, controls, and measurements) should apply to audits. If you performed a critical audit of yourself, would you pass or fail? Audit quality assurance ensures high standards are met and the work product is credible. Do not wait for a lawsuit to assure yourself of such credibility.
Tip #8 Audit Management — The overall audit function should be carefully managed. The
6 leadership of the function should be mindful that they set the moral and professional climate. Audit leadership should ensure that audits are properly planned, conducted, and reported. The audit should have certain checkpoints at critical phases to ensure standards are being met. This also provides an opportunity to assess any legal considerations. Leadership is also responsible to ensure each auditor is properly trained in auditing, communication and interpersonal skills, and appropriate technical subjects. Each auditor should have an ongoing professional development plan. Further, good project management techniques should be used for each audit. This includes clearly defined audit objectives, purpose, and scope; detailed project schedules; and periodic status reports to monitor progress. Proper management of the audit function ensures objectives are satisfied and emerging problems, legal or otherwise, are addressed.
Tip #9 Exercising Due Professional Care — An auditor's job is to collect and assimilate information and draw conclusions regarding the adequacy of the subject being evaluated. I have heard auditors described as "professional skeptics"; my preference is to be described as "naturally curious, level-headed, and clear-thinking." However you look at it, this position of trust demands the auditor use due professional care while conducting audits. Due professional care encompasses all the skill, knowledge, judgment, prudence, and competence the auditor brings to each task. It implies reasonable care that is appropriate to the complexities of the audit being performed; it does not mean the auditor is infallible. Such care distinguishes the professional from the amateur and becomes our stamp of pride. This is certainly important when faced with legal questions.
Tip #10 The Auditor's Relationship With Legal Staff — Auditors epitomize the generalist, which is both a strength and a weakness. A smart auditor must know when they are stepping beyond their area of responsibility or knowledge and when to call in the experts. I think this is where the auditor in Case #2 errored. Supplier audits are more complex because they involve a contractual relationship (and therefore contract law). This auditor did not realize the contractual implications and failed to involve the contract experts. The auditor in the final case involving third party audits could no doubt use some legal advice also. This legal advice could have assisted in clearly defining the scope of the engagement and taking contractual steps to limit the extent of liability.
If we want our audit program to mitigate legal risk, we must cultivate a strong working relationship with our company's legal counsel. Company attorneys should be involved in developing the overall audit strategy and long-range audit planning. During an audit, we should consult with counsel whenever we have questions or touch upon legally sensitive areas. It may be appropriate to have a legal review of final audit reports to ensure the language is appropriate. Legal Counsel should be aware of audit results, by providing audit reports or a year-end compilation. If appropriate, sensitive audits may be performed
7 under attorney - client privilege so the work product can be protected from access.
CONCLUSION The preceding ten tips are not profound. These are just good, sound auditing practices and they make good business sense. There are no magical formulas for avoiding legal exposure. By being aware and following good audit practices we can protect ourselves, our company, and minimize, as best we can, legal exposure.
In closing, I would like to leave you with a caution. Do not let litigation paranoia govern your decision making—but maintain a healthy awareness of the risks. I have seen bad decisions made and opportunities lost due to litigation fear, and this is sad. We do not conduct audits for the singular purpose of avoiding lawsuits. Your company must decide its strategic purpose for doing audits based on business needs. Let me urge you to stay focused on that purpose. By doing so, and following professional standards, you will also support a strong legal position for your company.
BIBLIOGRAPHY Galanter, Marc and Charles R. Epp, "A Beginner's Guide to the Litigation Maze," Business Economics, Vol 27, No. 4, pp. 33-38, October 1992.
Harrison, Lee, Environmental, Health, and Safety Auditing Handbook, McGraw-Hill Inc., New York, 1995.
Helms, Marilyn M. and Betty A. Hutchins, "Poor Quality Products: Is Their Production Ethical?" Management Decision, Vol 30, No. 5, p. 35, 1992.
Massin, Scott S. and Norman M. Brothers, "Surviving the Litigious '90s: What Corporate Officers and Directors Can Do to Minimize the Risks of Lawsuits," Advanced Management Journal, Vol. 59, No. 4, p.27, Autumn 1994.
Markiewicz, Dan, "Audit Findings: Handle with Care," Industrial Safety & Hygiene News, April 1995.
Root, Steven J., Internal Auditing Manual, Warren, Gorham, and Lamont, Boston, 1995, p. D1-3.
Sawyer, Lawrence B., Sawyer's Internal Auditing, The Institute of Internal Auditors, Altamonte Springs, FL, 1988, p. 56.
Stewart, Larry S., Prepared Testimony on S. 565, "The Product Liability Fairness Act of 1995" Before the Subcommittee on Consumer Affairs, Foreign Commerce, and Tourism of the Committee on Commerce, Washington, D.C., April 3,
8 1995.
9