No Good Deed Goes Unpunished? Recent Evidence on the Effects of Identifying and Investigating Fraud Risks on Auditors' Litigation Exposure Free

In this article, I summarize a recent study titled “Can Identifying and Investigating Fraud Risks Increase Auditors' Liability” (hereafter, “the study” or “my study”) (Reffett 2010). Specifically, I discuss the study's motivation, method, primary results, and implications. I then consider several important questions the study raises regarding the effects of the current legal system on the audit process. I begin the article by discussing why, from my perspective, it was important to examine whether identifying and investigating fraud risks could, in certain situations, increase auditors' exposure to litigation.

Following the major audit failures of the early 2000s, the Auditing Standards Board of the AICPA enacted Statement on Auditing Standard (SAS) No. 99, Consideration of Fraud in a Financial Statement Audit (AICPA 2002). SAS No. 99 instructs auditors, among other requirements, to conduct fraud brainstorming sessions in which audit team members (staff through partner) identify general and specific fraud risks that are potentially present within their client's organization. After identifying potential fraud risks, auditors then assess the severity of each identified risk and modify the nature, timing, and extent of their planned audit procedures according to the significance of the identified risks. While regulators believe these procedures will help auditors detect fraud, several publications either imply or directly assert that identifying and investigating fraud risks could also increase auditors' exposure to litigation, particularly in the event of an undetected fraud.

First, a SAS No. 99 practice aide advises auditors to avoid documenting the specific fraud risks they identify during the required fraud brainstorming sessions because doing so may provide unnecessary litigation exposure to the firm (AICPA 2004).¹ Second, a forensic accounting guide, created by a partner in a Big 4 forensic accounting practice, warns that enhancing audit procedures to meet the public's heightened expectations of auditors to detect fraud may further raise expectations and the accompanying risk of litigation (Golden et al. 2006). Finally, John Coffee (Columbia Law School professor and noted securities law scholar) claims that a common auditor defense in cases of undetected fraud is ignorance, such that auditors have an incentive not to inquire too closely—lest one acquire information to put one on notice (Coffee 2004; Reffett 2010).

While these publications are troubling, none provides empirical evidence to support the stated concerns over the legal hazards of identifying and investigating fraud risks. As such, the motivation for my study was to provide empirical evidence to indicate whether identifying and investigating fraud risks can, in certain situations, increase auditors' exposure to litigation. More specifically, my study examined whether evaluators (e.g., jurors) in auditor negligence lawsuits stemming from undetected fraud are more likely to find auditors negligent and/or award larger damages to plaintiffs when the auditors identified the perpetrated fraud as a fraud risk and performed audit procedures to investigate for the fraud (but failed to detect the fraud), relative to when the auditors neither identified the perpetrated fraud as a fraud risk nor investigated for the fraud (and did not detect the fraud). My study also examined several factors that affect evaluators' liability assessments in cases of undetected fraud.

To examine these questions, I conducted an experiment that asks participants (229 non-business school undergraduate students) to serve in the role of jurors in an auditor negligence lawsuit stemming from undetected fraud. Prior to beginning the experiment, participants were randomly assigned to an experimental condition (see next paragraph for description of experimental conditions) and given the first of three experimental packets to read and complete.² The first experimental packet provides background information on the nature and purpose of financial statements and the external audit process, the details of an audit of a fictional mining company, the details of a financial statement fraud the auditors failed to detect, and the transcript from a subsequent auditor negligence lawsuit. The undetected financial statement fraud pertains to the mining company's intentional understatement of its environmental restoration liability. The company perpetrated the fraud, in part, by misrepresenting to the auditors the cost it expected to incur to reclaim one of its inactive mines.

The content of the first experimental packet varied according to participants' assigned experimental condition. The packet given to participants assigned to the first experimental condition indicates that the auditors in the case did not identify the perpetrated fraud as a fraud risk and did not perform audit procedures to investigate for the fraud (no investigation condition). The packet for the second condition indicates the auditors identified the perpetrated fraud as a fraud risk during a SAS No. 99 fraud brainstorming session and investigated for the fraud exclusively by making inquiries of the company's president (low investigation condition). The packet for the third condition indicates that the auditors identified the perpetrated fraud as a fraud risk, made inquiries of the company's president, and hired a geology firm to test soil from a sample of the company's quarries for hazardous materials that could increase the client's restoration liability (high investigation condition).³ After reading the case, participants decided whether the auditors they read about were negligent and, if so, the amount of damages they should pay to the plaintiff.

After completing the first packet, participants received a second packet, which asked a series of follow-up questions intended to examine the factors that affected their liability assessments. After completing the second packet, participants received a third experimental packet to complete. The third packet asked participants to read several different scenarios describing how other auditors, under identical circumstance as the auditor described in the first packet, could have performed the audit differently but still failed to detect the fraud. After reading each scenario, participants provided liability assessments for the auditors described in each scenario.

The setting provided in the third packet is unrealistic in the sense that it is unlikely that real-world jurors would be able to compare alternative actions of multiple auditors under identical circumstances.⁴ Thus, results from the first packet provide a better indication than results from the third packet as to the effect of investigating fraud risks on real-world jurors' verdicts in cases of undetected fraud. Results from the third packet, however, are useful in that they indicate whether participants' responses in the first packet are intentional (Kahneman and Tversky 1996). That is, examining evaluators' relative liability assessments from a setting where evaluators directly compare auditors who investigated for the fraud versus other auditors who, under identical circumstances, did not investigate for the fraud, will indicate whether evaluators consciously believe that auditors who investigate for (but fail to detect) fraud are more negligent than auditors who do not investigate for (and do not detect) fraud, all else equal.

Results from the first packet indicate that when auditors are sued for failing to detect fraud, evaluators provide more severe assessments of auditor liability when the auditors investigated for the fraud, relative to when the auditors did not (see Figure 1). Specifically, when evaluating auditors individually, participants were more likely to find the auditors negligent in the high investigation condition (72.4 percent) than in the no investigation condition (39.5 percent). In addition, the average monetary damages awarded to the plaintiff were greater in the high investigation condition ($3.56 million) than in the no investigation condition ($1.94 million). Participants were also more likely to find the auditors negligent in the low investigation condition (70.1 percent) than in the no investigation condition (39.5 percent). Similarly, monetary damages awarded to the plaintiff were greater in the low investigation condition ($3.82 million) than in the no investigation condition ($1.94 million) (See Table 1). Therefore, the study's results consistently indicate that in cases of undetected fraud, evaluators' assessments of auditor liability are more severe when the auditors performed audit procedures to investigate for the fraud, relative to when the auditors did not investigate for the fraud.⁵

Supplemental analysis indicates that one reason for the results described above is that it is easier for evaluators in cases of undetected fraud to imagine counterfactual thoughts of what the auditors could have done differently to detect the fraud when the auditors investigated for the fraud, relative to when the auditors did not investigate for the fraud. That is, when the auditors performed procedures to investigate for, but failed to detect, a fraud, evaluators can easily imagine specific adjustments to the auditors' procedures (e.g., increasing sample sizes) that would have allowed the auditors to detect the fraud. Imagining such adjustments to the auditors' procedures, however, is more difficult when the auditors did not investigate for the fraud. This is important because evaluator awareness of specific actions that, if implemented, would have allowed the auditors to detect the fraud increases evaluators' belief that the fraud should have been detected (McMullen et al. 1995; Roese 1997), which increases the severity of their assessments of auditor liability (Kadous 2000; Reffett 2010).

Finally, results from the less realistic third packet indicate that evaluators in cases of undetected fraud do not intentionally punish auditors for having performed more extensive fraud detection procedures. Specifically, when evaluators simultaneously compare and evaluate multiple auditors who, under identical circumstances, either investigated for the fraud or did not investigate for the fraud, evaluators are less likely to find the auditors negligent, and award smaller damages to the plaintiff when the auditors investigated for the fraud (see Table 2). Thus, results from the third packet indicate that, contrary to the judgments made when evaluating auditors individually, evaluators in cases of undetected fraud do not consciously believe that auditors who investigated for the fraud are more culpable than auditors who did not, and, in fact, believe the opposite.

Prior to discussing implications, it is important to clarify that my study does not in any way indicate that auditors should avoid identifying and investigating fraud risks. Specifically, the expected litigation cost of an audit is a function of at least two factors: (1) the probability of a lawsuit and (2) the expected payout given a lawsuit. My study examines the latter but not the former, and is, therefore, silent as to the overall effect of investigating fraud risks on auditors' total expected litigation costs.

Having provided the above disclaimer, I will now discuss implications of my study. First, demonstrating that evaluators, when evaluating auditors individually, are more likely to find against the auditors in cases of undetected fraud when the auditors investigated for the fraud, validates prior concerns that expanding fraud detection procedures can create legal hazards for auditors. What is disconcerting about this finding is that, from an auditor's perspective, there does not appear to be any clear solution to this problem. In particular, it is unclear whether limiting documentation of specific fraud risks considered during the audit (as the SAS No. 99 practice aide advises) will decrease or increase litigation exposure, as a lack of documentation will not necessarily prevent jurors from learning of specific fraud risks considered during the audit. This is because either audit team members or the client's employees could divulge such information during sworn deposition or testimony. In this event, an auditor's failure to document specific fraud risks considered during the audit could give the appearance of auditor dishonesty and result in more severe judgments against the auditor. In addition, failure to document specific fraud risks considered by the auditors could adversely affect audit quality by decreasing the consideration those risks receive throughout the audit. Thus, intentionally not documenting specific fraud risks is, in my opinion, certainly a sub-optimal, and more likely a harmful, strategy for limiting litigation exposure.

The only other readily apparent strategy (beyond detecting all perpetrated frauds) to limit litigation exposure stemming from fraud detection procedures would be for auditors simply to limit the extent to which they investigate specific fraud risks. However, this is not a viable strategy as failing to investigate specific fraud risks likely will impair auditors' ability to detect fraud and, therefore, increase the probability of negligence lawsuits. Thus, regarding fraud detection procedures, auditors might find themselves in “Catch-22” type situations where, under various conditions, either expanding or not expanding fraud detection procedures can increase their litigation exposure.

This raises several important questions about the effects of the legal system on the audit process. One of the primary purposes of holding auditors accountable to the courts is to provide incentives for auditors to take actions to improve the quality of their audits. My study, along with several other publications (e.g., AICPA 2004; Golden et al. 2006; Coffee 2004), suggests that with respect to fraud detection procedures, the courts (which rely on lay evaluators) might not only fail to reward, but might “punish” certain actions that increase audit quality (e.g., investigating specific fraud risks). Thus, it is possible that the current system of auditor liability creates incentives for auditors to avoid taking certain actions that likely improve audit quality. In this sense, the legal system could have deleterious effects on certain aspects of the audit process.⁶ Thus, in my opinion, proposals to reform the current legal system (e.g., proposals to employ independent audit experts as evaluators [see Palmrose 2006]) warrant further research and consideration.

The second important implication relates to results from the less realistic third packet, which indicate that evaluators in cases of undetected fraud consciously believe that auditors who investigated for the fraud are less culpable than auditors who did not. This is important because it could assist auditors who investigated for, but failed to detect, fraud and are subsequently sued for negligence. Specifically, knowing that evaluators in cases of undetected fraud consciously believe that auditors should be rewarded for having investigated for the fraud, but do not do so (and actually do the opposite) when evaluating auditors individually, could help auditor defense attorneys shape their arguments. For example, defense attorneys in cases of undetected fraud might consider making jurors aware of their tendency to unintentionally punish auditors for having investigated for the fraud. Additional research, however, is needed to test the efficacy of this defense tactic.

In closing, my study provides an interesting set of results that indicates evaluators (e.g., jurors) in cases of undetected fraud unintentionally provide harsher assessments of auditor liability when the auditors investigated for the perpetrated fraud. It is important to note, however, that my study, as is the case with all experimental research, is subject to limitations. First, my study was conducted in a setting that differs from a real-world courtroom setting. Thus, it is not certain that the results observed in my experimental setting would also be observed in a real-world trial. Second, my study only considered one type of fraud. It is possible that when auditors fail to detect other types of fraud, particularly relatively common frauds, evaluators would be more likely to find the auditors negligent if the auditors did not investigate for the fraud.