THE LEGAL ASPECTS OF AUDITING
(or Your Survival Skills in Today's Litigious World)
Ralph Kolts, Audit Manager
ATK Thiokol Inc.
P.O. Box 707
Brigham City, UT 84302-0707
ABSTRACT
The trends for corporate litigation, fines, enforcement actions, and even convictions are
rising. The legal exposure for our employers, and ourselves, will continue to grow and
become more complex. As auditors, we must be aware of this legal risk; as
professionals, we must ensure our auditing practices avoid or reduce legal exposure. To
do this, auditors must be keenly aware of the conditions that create legal exposure. We
expect our audits to ensure compliance and enhance integrity; but, by conducting audits
poorly or not following professional standards, we can actually create, rather than negate,
legal risk.
To avoid risk, sound auditing practices must be understood and followed.
These
practices involve: 1) risk assessment, 2) work papers, 3) evidential matter, 4) audit
findings, 5) corrective action, 6) ethical standards, 7) audit quality assurance, 8) audit
management, 9) due professional care, and 10) the auditor's relationship with legal staff.
By being aware of the legal risks and following sound auditing practices, the auditor's
product will stand up under the most critical scrutiny.
TRENDS IN LITIGATION
We are called a litigious society. Americans, in unprecedented numbers, are elbowing up
to the legal crap table and giving the dice a throw. The risk is small with potentially
significant rewards. For American corporations (who are often the deep pocket target in
this legal lottery) a lawsuit is costly, time consuming, and potentially devastating. Recent
trends make this even more troubling. Consider that in the last two decades:




Product liability lawsuits have increased fivefold, from 2,400 to about 12,500 suits
annually.
Commercial litigation involving contract cases increased 232 percent.
Civil judgments and settlements in cases involving fraud against the government
have increased from $12 million to over $340 million annually.
The average award for lawsuits against corporate officers exceeded $3 million
1

each, while the average cost to defend against a suit was almost $600,000.
Tort cases involving business relations grew 128 percent. Overall, tort costs have
grown four times faster than the national economy.
Many would argue these trends are causing America's competitive decline. Insurance
costs are soaring and innovation is stifled due to the fear of liability. Many companies and
industries have been profoundly affected. The future is still uncertain; legislative and
regulatory reform is receiving serious debate. The trends in litigation are sobering and
should be a cause for serious reflection by the professional auditor.
AUDITS ROLE IN THIS LITIGIOUS AGE
Well-managed companies are taking proactive measures to minimize liability. They have
recognized the importance of continually monitoring their practices through audit
oversight. As auditors we are part of the corporate insurance policy—and I mean this in
the best sense. We are in a truly unique position to contribute to our company's success
while protecting management and our fellow employees.
To do this, our mission must be twofold. First, we must ensure all applicable laws and
regulations are followed. As they say, the one thing better than winning a lawsuit is to
have no lawsuit at all. Secondly, when confronted with a lawsuit, a strong and effective
audit program can demonstrate a company's commitment to self-governance and
vigilance in combating noncompliance. This can mitigate the penalties sought or
imposed.
In times of litigation, the audits we have performed contain a wealth of information
regarding practices and compliance (or noncompliance). This information can be highly
prized. If tested in court, will our audits be evidence for the prosecution or the defense?
Will the audit program be a benefit to the entity or become a liability? We must ensure
our audits prevent, rather than create, additional legal liability. To do this we must be
aware of some legal exposures.
AWARENESS OF LEGAL EXPOSURES WHEN AUDITING
The following examples illustrate how audits can be involved in legal exposure. These
are hypothetical cases, based however on real life circumstances. As you read these
examples, ask yourself several rhetorical questions: What is the nature of the legal
exposure? How was it created? How could it be avoided? And most importantly—could
this happen to me? We will discuss some of these issues later.
Case #1 Product Liability - You are an auditor for a company that produces
actuators used in aircraft. Several months ago there had been a crash
2
involving a small commercial airliner. All of the crew and passengers were
killed. The airline and the families of the passengers have brought suit against
your company. It is alleged the actuators were substandard and had not
undergone all qualification tests before being certified for flight. All quality
records, certifications, and audit records have been subpoenaed and you have
been called to testify. As you review a past audit report in preparation to testify
you read the following finding: "The system for maintaining serial number
traceability is seriously flawed. This could result in uncertified parts being
installed in a flight assembly. Several problems and inconsistencies were
noted and require improvement." You are unsure if the problems you found
have been corrected.
Case #2 Contractual Issues - While performing a supplier audit, you observe
that a test console is calibrated once every six months. You are concerned
that the console may experience drift between calibrations and would prefer a
method that accomplished calibration more frequently. You believe this could
result in nonconforming items being accepted or conforming items being
rejected. You decide to note this as an audit finding. During the closing
conference, you direct the supplier to recalibrate the console after fifty test
cycles, rather than every six months. Subsequently, the supplier bills your
company for $220,000 as reimbursement for the additional calibration costs
that have been incurred. The supplier's legal counsel states the auditor has
changed the terms of the contract.
Case #3 Conflict of Interest - Your Company will be awarding a substantial
contract. Two potential suppliers are being considered. These suppliers are
equal as far as price and delivery; contract award will be based on quality.
You will audit each supplier and recommend which supplier is superior. The
weekend before submitting your recommendation, you are observed attending
a Chief's football game with the QA Manager for one of the competing firms.
After the game, you are both observed in the parking lot where the QA
Manager gives you a brown envelope that you place in your inside coat
pocket. A procurement officer from your company observed the entire
incident. He has alleged that you accepted a kickback from the supplier in
return for favorable treatment.
Case #4 Third Party Audits - You own a consulting firm that specializes in
performing various audits. One of your best clients has asked you to perform
a two-day, due diligence audit of a small manufacturing facility they plan to
acquire. You will be expected to alert the client to any concerns that could
have an impact on the acquisition. The audit will be performed for your
standard fee of $2000 per day plus expenses. You suggest to the client that
for an additional fee you could also take soil samples to determine if any
environmental liabilities exist that may require remediation. The client insists
this additional cost will not be required. Several years after the acquisition is
3
completed, you are served with a lawsuit from your client's investors and
creditors. The suit alleges you were negligent in not detecting environmental
shortcomings that have threatened the solvency of the client firm. The suit
seeks to recover $66 million, a portion of the environmental damages. You
carry liability insurance, but this suit exceeds the amount of your coverage by
$65 million.
These cases illustrate litigations that are happening every day. No industry is safe.
Some legal considerations are painfully obvious, but others can be much more subtle. In
real life, the legal exposures can come from untold directions. Law libraries are filled with
cases that would stagger our senses, and there are many more volumes yet to be written.
We cannot predict all possible legal exposure, but two things can be guaranteed: 1) our
audit reports and records can be subpoenaed, and 2) we may be compelled to testify.
These cases are meant to heighten your awareness. Next we must ask—what can we do
to help ensure our audits withstand legal review?
TEN AUDITING TIPS TO MINIMIZE LEGAL EXPOSURE
The following tips will help strengthen the audit program. If diligently followed, they can
provide the auditor a suit of armor for protection from legal pummeling.
Tip #1 Audit Planning Based on Risk Assessment — Our first defense is to have a
carefully planned audit program prepared using risk assessment. Performing audit risk
assessment assures that we spent our time auditing the most critical areas, areas that
have the most potential for something to go wrong. Just like it is impossible to read all the
books in a library, we cannot audit all possible areas. So we must be selective, reading
only those books of interest and auditing only those areas that pose abnormal risk.
There are two aspects of risk assessment. First, risk assessment should be used when
selecting the audit subjects, such as when we create an annual audit plan or schedule.
Secondly, when we begin an audit we must decide what verifications, tests, samples, or
elements will be examined to form an audit opinion. There are no cookbooks for doing
this. You must consider the legal (and business) risks that are unique for your company.
In the first case example, the company produced critical flight components. Components
that, if they fail, could have serious consequences. Given the brief facts of the case we
could surmise that functional testing, reliability, redundancy, and certifications are highrisk areas. Has the audit function assessed these critical elements?
Tip #2 Work Papers Prepared to Support Third Party Review — In Case #1 we can see
that audit documentation and work papers can be subpoenaed. These documents are
powerful evidence. Accordingly, we must use the utmost diligence when assembling
4
audit work papers with the expectation they will be subject to legally compelled access.
The overriding legal consideration is to ensure audit records provide sufficient
documentation to allow a third party to interpret the results properly and concur with the
conclusions. A simple checklist with columns checked "yes" or "no" is not sufficient.
Instead, adequate evidential matter must support the indications of compliance,
noncompliance, recommendations, and conclusions of our audit.
Tip #3 Conclusions Supported by Evidential Matter — Evidential matter is that information
gathered by observation, document review, or interview upon which the audit opinions are
based. Evidential matter must be reliable meaning it is reasonably free from error or bias
and faithfully represents the facts. Evidential matter must also be relevant. That is,
directly connected with and supportive of the audit objective or opinion. Work papers
should not include copies of every document that may have been examined—only the
relevant items. When it is not practical to include copies, we should provide sufficient
notation to allow traceability to the item observed, document reviewed or person
interviewed. A complete explanation should be recorded if an audit element is not
applicable or not performed. Evidential matter is required not only for items of
noncompliance, but for evidence of compliance as well.
Tip #4 Carefully Written Audit Findings — We should ensure free and open discussion
when communicating audit findings with auditees. However, when findings are recorded
(or communicated to anyone outside the immediate organization), the words must be
carefully selected. The overriding legal consideration is to ensure audit findings describe
the facts with accuracy and clarity. The operative words being—facts and accuracy.
Certain words, by their very nature, can never meet this test of factual accuracy and
should not be used. This includes extreme or inflammatory words such as: alarming,
negligent, appalling, incompetent, careless, intentional, criminal, serious, significant, or
willful. Also, avoid absolutes or vague generalities such as: always, never, few, some,
many, several, or sometimes. Audit findings should not overstate or misstate the facts.
Nor should they rely on hearsay or conjecture. Let us look back to the finding described
in Case #1 to see how well that finding met these guidelines:
"The system for maintaining serial number traceability is seriously flawed
(seriously flawed, hmm, that seems inflammatory). This could result in
uncertified parts being installed in a flight assembly (it could result, it doesn't
say it did result, seems like conjecture rather than fact). Several problems
and inconsistencies were noted and require improvement (just what does
that mean? Seems awfully vague. I think I'd love to be the prosecuting
attorney with this one.)."
5
Let's rewrite that finding based on what the auditor actually observed:
"The armature and weld filler serial numbers were not evident for unit #23 (it
may be just that simple to report the facts accurately)."
Tip #5 Closed-loop Corrective Action — If a defect or deficiency is identified during an
audit, it needs to be corrected or adequately addressed. If not, the legal stakes go up
since this can be viewed as willful intent or negligence. Company management knew the
problem existed, but willfully neglected to make corrections. This becomes criminal rather
than civil action. Our audits must have a strong and effective corrective action cycle.
Corrective action must be closed-looped, meaning after the corrections have been
implemented, verification is performed. Verification of closure must ensure that
corrections have been carried out and that those corrections have been effective in fixing
the condition originally noted. Our hapless auditor in Case #1 is not sure if the problems
had been corrected. This could make his testimony difficult.
Tip #6 Ethical Standards Governing Auditor Conduct — As professional auditors, and
especially certified auditors, we are governed by ethical standards. Many of you will be
familiar with the Code of Ethics for Members of the American Society for Quality Control.
We should take these standards seriously. Think back if you will to Case #3 that involved
an apparent conflict of interest. If you remember the auditor was observed placing an
envelope in his coat pocket. The appearance was that a payoff was being accepted. But
the incident may have been harmless; the two were old friends and the envelope
contained family photos. The auditor was still in error by not disclosing this relationship;
this created the appearance of wrongdoing and violated ethical standards. The
professional auditor is guided by honesty, objectivity, diligence, impartiality, loyalty, and
independence—never knowingly being a party to any illegal or improper activity. Such
professional standards are the foundation upon which the reliability, trust, and confidence
in our work is built. And sturdy it must be, particularly in times of doubt that can be
caused by litigation.
Tip #7 Quality Assurance Principles Applied to Audits — As we perform audits, we expect
certain controls to exist that will provide assurance of quality. We may look for the
existence of procedures governing the function, personnel who are qualified and trained
for the function, resources that support quality objectives, internal controls or inspections
should be evident, and quality measurements in place. We should expect nothing less
for the audit function. The application of basic quality controls (procedures, trained
personnel, controls, and measurements) should apply to audits. If you performed a
critical audit of yourself, would you pass or fail? Audit quality assurance ensures high
standards are met and the work product is credible. Do not wait for a lawsuit to assure
6
yourself of such credibility.
Tip #8 Audit Management — The overall audit function should be carefully managed.
The leadership of the function should be mindful that they set the moral and professional
climate. Audit leadership should ensure that audits are properly planned, conducted, and
reported. The audit should have certain checkpoints at critical phases to ensure
standards are being met. This also provides an opportunity to assess any legal
considerations. Leadership is also responsible to ensure each auditor is properly trained
in auditing, communication and interpersonal skills, and appropriate technical subjects.
Each auditor should have an ongoing professional development plan. Further, good
project management techniques should be used for each audit. This includes clearly
defined audit objectives, purpose, and scope; detailed project schedules; and periodic
status reports to monitor progress. Proper management of the audit function ensures
objectives are satisfied and emerging problems, legal or otherwise, are addressed.
Tip #9 Exercising Due Professional Care — An auditor's job is to collect and assimilate
information and draw conclusions regarding the adequacy of the subject being evaluated.
I have heard auditors described as "professional skeptics"; my preference is to be
described as "naturally curious, level-headed, and clear-thinking." However you look at it,
this position of trust demands the auditor use due professional care while conducting
audits. Due professional care encompasses all the skill, knowledge, judgment, prudence,
and competence the auditor brings to each task. It implies reasonable care that is
appropriate to the complexities of the audit being performed; it does not mean the auditor
is infallible. Such care distinguishes the professional from the amateur and becomes our
stamp of pride. This is certainly important when faced with legal questions.
Tip #10 The Auditor's Relationship With Legal Staff — Auditors epitomize the generalist,
which is both a strength and a weakness. A smart auditor must know when they are
stepping beyond their area of responsibility or knowledge and when to call in the experts.
I think this is where the auditor in Case #2 errored. Supplier audits are more complex
because they involve a contractual relationship (and therefore contract law). This auditor
did not realize the contractual implications and failed to involve the contract experts. The
auditor in the final case involving third party audits could no doubt use some legal advice
also. This legal advice could have assisted in clearly defining the scope of the
engagement and taking contractual steps to limit the extent of liability.
If we want our audit program to mitigate legal risk, we must cultivate a strong working
relationship with our company's legal counsel. Company attorneys should be involved in
developing the overall audit strategy and long-range audit planning. During an audit, we
should consult with counsel whenever we have questions or touch upon legally sensitive
7
areas. It may be appropriate to have a legal review of final audit reports to ensure the
language is appropriate. Legal Counsel should be aware of audit results, by providing
audit reports or a year-end compilation. If appropriate, sensitive audits may be performed
under attorney - client privilege so the work product can be protected from access.
CONCLUSION
The preceding ten tips are not profound. These are just good, sound auditing practices
and they make good business sense. There are no magical formulas for avoiding legal
exposure. By being aware and following good audit practices we can protect ourselves,
our company, and minimize, as best we can, legal exposure.
In closing, I would like to leave you with a caution. Do not let litigation paranoia govern
your decision making—but maintain a healthy awareness of the risks. I have seen bad
decisions made and opportunities lost due to litigation fear, and this is sad. We do not
conduct audits for the singular purpose of avoiding lawsuits. Your company must decide
its strategic purpose for doing audits based on business needs. Let me urge you to stay
focused on that purpose. By doing so, and following professional standards, you will also
support a strong legal position for your company.
BIBLIOGRAPHY
Galanter, Marc and Charles R. Epp, "A Beginner's Guide to the Litigation Maze,"
Business Economics, Vol 27, No. 4, pp. 33-38, October 1992.
Harrison, Lee, Environmental, Health, and Safety Auditing Handbook, McGraw-Hill Inc.,
New York, 1995.
Helms, Marilyn M. and Betty A. Hutchins, "Poor Quality Products: Is Their Production
Ethical?" Management Decision, Vol 30, No. 5, p. 35, 1992.
Massin, Scott S. and Norman M. Brothers, "Surviving the Litigious '90s: What Corporate
Officers and Directors Can Do to Minimize the Risks of Lawsuits,"
Advanced Management Journal, Vol. 59, No. 4, p.27, Autumn 1994.
Markiewicz, Dan, "Audit Findings: Handle with Care," Industrial Safety & Hygiene News,
April 1995.
Root, Steven J., Internal Auditing Manual, Warren, Gorham, and Lamont, Boston, 1995,
p. D1-3.
Sawyer, Lawrence B., Sawyer's Internal Auditing, The Institute of Internal Auditors,
Altamonte Springs, FL, 1988, p. 56.
8
Stewart, Larry S., Prepared Testimony on S. 565, "The Product Liability Fairness Act of
1995" Before the Subcommittee on Consumer Affairs, Foreign Commerce,
and Tourism of the Committee on Commerce, Washington, D.C., April 3,
1995.
9