Online Exclusive

Key considerations in post-incident financial statement audits



Imagine an organization in the middle of an accounting investigation related to the recording of fictitious revenues. The organization’s external auditors have now come to perform the year-end audit and opine on the current year’s financial statements. The organization, as it should, informs the external auditors of the investigation. These auditors naturally begin to ask questions about the investigation. The auditors inform the organization that their opinion on the current financial statements will be delayed until their questions about the investigation and the circumstances leading to it are satisfactorily answered. How can the organization handle this situation without jeopardizing the investigation? Could the organization have taken any steps to prevent the delay of the opinion on the current financial statements?

Dealing with the consequences that arise from a corporate internal investigation into alleged misconduct often raises myriad issues, and fact finding is just the start. A company’s external auditors, for example, will likely want to consider how the results and implications of the investigation will affect present and past financial statements. Here we address frequent issues companies might face after an investigation related to external auditors’ opinions on those financial statements.

To fulfill their professional obligations and opine on the company’s financial statements, auditors must ask questions when they consider a company’s post-incident financial statements: Are the transactions in question accounted for correctly and disclosed properly in the current financial statements? Should previously issued financial statements be restated? Can they rely on the representations of current management? Has the company performed a root-cause analysis? What’s the company’s remediation plan, if any? Does the company have any growing concerns that stem from the possible assessment of fines, disgorgement or other penalties?

To waive or not to waive?

External auditors will add forensic procedures to their usual audit procedures to understand and test the investigation team’s work and conclusions. The auditors might also request that their forensic team shadow the forensic investigators. This can be a delicate balance because companies must consider how and to what degree to involve the auditors without waiving the legal privilege that protects against public disclosure of the investigation findings.

When time is of the essence, investigators should regularly update the auditors, solicit their concerns and areas of focus, and ensure the investigation addresses them. Companies may also consider asking for the auditors’ input on key decisions and direction. For example, auditor input on keyword search terms can help identify additional relevant terms or phrases which could result in further investigative findings. If a search isn’t broad enough, say, in a procurement fraud case, investigators might not discover that other vendors were involved in the scheme.

An organization should also work with its legal counsel to determine which information, if any, it can share with the auditors. Counsel might ultimately conclude that the company should waive the privilege in dealing with regulators and auditors, which could open the door for discovery of findings to potential future class action plaintiffs seeking redress on the grounds they were harmed by the events causing the investigation and regulators. On the other hand, complete transparency at all stages of the investigation with the audit firm could mean the audit is completed more quickly and streamline interactions with regulators. Including former external auditors who understand the concerns of the current auditors on the investigation team increases the likelihood that the investigation will be sensitive to the auditors’ needs.

Be proactive, organized and responsive

Management should seek the help of the investigative team in preparing for auditor issues by requesting they:

  • Identify the total extent of misconduct. Has the organization discovered all misconduct and identified all involved? Has it quantified the financial impact of the possibly illicit conduct and, if so, has it materially affected current or prior period financial statements?
  • Create timelines to identify the periods of misconduct. Timelines help the organization and its auditors determine the impact of the misconduct over relevant reporting periods.
  • Determine management involvement. Were any current or former members of management involved? If current management is involved, can its integrity be relied upon for representations in past, present and future financial statements? If former management was involved, consider if the organization needs to restate prior financial statements presented in current filings.
  • Quantify the range of fines, penalties and other financial consequences. Can the company estimate the amount of any potential fines or penalties? Will the possible penalties trigger the violation of any debt covenants? Will the company be required to disgorge any prior profits?
  • Review disclosures. Financial statement disclosures are critical because many interested stakeholders, including regulators and probably the securities litigation plaintiff bar, will examine them. Even if no reserves are required to be recorded for potential future fines, are disclosures required? What if the organization hasn’t completed the investigation by a financial reporting due date? The organization should work with counsel to determine the amount, nature and type of the disclosures required related to the investigation.
  • Material weaknesses in financial reporting controls. In any investigation and restatement, it’s likely that the investigation team, management and the board will conclude — and that the auditors will agree — that material weaknesses in internal controls existed. The organization should prepare to provide additional disclosures on underlying weaknesses, a remediation plan and regular status updates on the remediation steps.
  • Examine root causes. What are the root causes and the defects in controls (design and operating effectiveness) that enabled, permitted or didn’t detect the misconduct? Companies should work with the investigative team to prepare a root-cause analysis that addresses the symptoms that led to the need for an investigation, e.g., breakdowns in controls that might have led to or allowed the transaction(s) to be completed.
  • Develop and implement a remediation plan. Has the organization remediated the problems? Or has it launched a remediation plan to address the identified control failures? Closely consider remediation efforts and how those will serve to prevent the issues from recurring. Begin these efforts long before the investigation’s completion.

Working together

Appropriately providing auditors with timely and adequate information will ultimately help stem delays in issuing current period financial statements and avoid the prospect of having the auditors withdraw from the engagement. No organization wants to find replacement auditors when it’s suffering through an investigation.

If an organization has to restate prior financial statements, it’s much less expensive to retain the current auditors than to engage a new audit firm that will require a complete re-audit of all the years presented.

Any investigation into alleged misconduct can be taxing and distracting for a company; post-investigation issues are no less onerous. Making decisions without adequate consideration to the post-incident audit and financial statements will compound difficulties. Post-incident management must work with the investigation team, counsel and forensic accountants to mitigate post-investigation audit pitfalls.

Roger Siefert, CPA, ABV, CFF, is a principal with StoneTurn, a forensic accounting, corporate compliance and expert services firm. He can be reached at: rsiefert@stoneturn.com.

Jamal Ahmad, J.D., CFE, CPA, CFF, ACAMS, is a managing director with StoneTurn, a forensic accounting, corporate compliance and expert services firm. He can be reached at: jahmad@stoneturn.com.