An Auditor's Dilemma: To Consent or Not to Consent?

Have you ever been asked by an audit client for consent to include an audit report in a public or private securities offering? Irrespective of whether the offering is subject to registration with the SEC or state securities regulators or exempt from registration requirements1, there are professional liability risks associated with granting consent.

By including the CPA firm's audit report in the offering document, third party users of the financial statements, and the audit report, may assert that a duty of due care was created to them in addition to the duty of care owed to the firm's client2. If the client subsequently defaults on its debt or its securities lose value, investors who suffer losses may bring a claim against the CPA firm, alleging their losses resulted from reliance on the financial statements and audit report in making an investment decision. In addition, an auditor that includes misstatements of fact or that fails to disclose all material facts may also be sued under the anti-fraud provisions of state or federal securities statutes3.

As a result, when being asked for consent, a number of issues must be considered before responding to such requests. 

Risk Control Considerations

If an audit report is included in an SEC filing, the company's offering document must include both the audited financial statements and the auditor's consent. The offering cannot proceed in the absence of these documents. In a private offering, however, the auditor's consent is not typically required. However, he or she may provide such consent after evaluating the risks associated with this service (see Interpretation No. 3 of AU §711, Filings Under Federal Securities Statutes, paragraph .016-.017). 

Client/Engagement Acceptance

As part of client and engagement risk assessment and acceptance procedures, ask the client whether the audit report will be used in a securities offering in the near future. If the client indicates this is a possibility, assess the risks of association with the client and engagement, including an evaluation of the firm's competence to perform an audit in connection with an offering before accepting the engagement. The client assessment should include, for example, the following questions:

  • What is the objective of raising capital? Is the entity's business plan for growth or expansion sound?
  • What is the entity's financial condition and performance trend?
  • Will the entity be able to generate expected returns to equity investors or make interest and principal payments to bondholders?
  • Is the entity able to produce reliable financial statements for outside users?
  • Does the entity have adequate internal controls?
  • Are there significant contingencies or pending litigation?
  • Is there evidence of management fraud or illegal acts in the past? Does the pressure to acquire capital heighten fraud risks?

Even for a continuing client, consider performing client screening and background check procedures as though a new client is seeking your services. If a client or former client asks for a consent to include a previously issued audit report in a securities offering, consider whether there were any problems encountered in prior audits such as disagreements with management or multiple internal control deficiencies. 

Engagement Letter Considerations

If the engagement is accepted, clearly document the anticipated use of the audit report in the engagement letter to avoid misunderstandings with the client. Restrict the use and distribution of the audit report so that it cannot be used in connection with a securities offering or SEC filing without the firm's written consent. Inform the client that the offering document and related materials must be presented for review prior to granting consent. In addition, the CPA must be given the opportunity to proofread these materials before printing and distribution4. Also communicate that work performed in connection with consent issuance will be considered a separate engagement subject to an additional fee.

Consent Procedures

Subsequent Event Procedures

For securities subject to registration with the SEC, the CPA is required under AU §711 to evaluate subsequent events from the date of the audit report up to the effective date of the registration statement5. Additionally, auditors associated with an offering document containing false or misleading information can be sued under the anti-fraud provisions in the federal or state securities statutes. To help mitigate this risk, CPAs should evaluate whether any events subsequent to the date of the audit report will require adjustment or disclosure in the financial statements6. Obtain management representations regarding subsequent event disclosures to ensure the offering document is not misleading. If consent is requested by a former client, obtain a letter of representation from the successor auditor regarding their awareness of any matters subsequent to the date of the audit report that might have a material effect on the financial statements pursuant to which the audit report was issued. Assess subsequent developments that may have a material adverse impact on the company's financial position and business viability and whether this potential effect requires disclosure to prospective investors. While the subsequent event procedures specified in AU §711 and AU §9711, Auditing Interpretations of Section 711, are related to consent procedures for filings under federal securities law, such procedures may also be applied to consents issued in connection with a private securities offering or to one exempt from federal registration. 

Reading Other Information included in Offering Document
In accordance with AU §550, Other Information in Documents Containing Audited Financial Statements, carefully read the offering document to identify material inconsistencies with the audited financial statements and material misstatements of fact within the other information. Consult with a securities attorney if there are questions regarding the disclosures required to comply with securities law. If the document contains material misstatements in the financial statements, material inconsistencies, or material misrepresentation or omission of facts, or if the document fails to comply with the requirements of securities law or regulations, report the matter to client management and those charged with governance. These parties should be further advised to discuss the matter with their legal counsel. If the matter cannot be resolved, consent should not be granted. 

Consent Letter Issuance
If a consent is issued, consider having a securities attorney draft or review the consent letter. If applicable law and professional standards do not require the performance of subsequent events procedures for the audit report to be included in the offering document, responsibility for consideration of subsequent events should be disclaimed in the consent letter. In addition, if the offering document contains forward-looking statements or a partial or full set of prospective financial information on which the CPA has not been engaged to report, the consent should state that the CPA has not compiled, reviewed, or audited the prospective financial information and conclude by stating it does not express any opinion or any form of assurance with respect to the information 7.

Requests for Comfort Letters
In addition to being asked to consent to include a previously issued audit report in a public securities filing with the SEC, accountants may be asked to provide a comfort letter to the securities underwriters or other parties with a due diligence obligation under federal securities law. While not mandated by the Securities Act of 1933, comfort letters are requested by underwriters or other parties with a due diligence defense. A comprehensive discussion of comfort letters is beyond the scope of this article. However, accountants should carefully consider the requirements of AU §634, Letters for Underwriters and Certain Other Requesting Parties, of the Public Company Accounting Oversight Board (PCAOB) professional standards and examine their qualifications to perform required agreed-upon procedures, as well as the risks associated with the engagement prior to agreeing to issue a comfort letter. Comfort letters may only be issued by external auditors registered with the PCAOB. Consultation with an attorney experienced in federal securities law is recommended prior to undertaking such an engagement.

Additional Considerations for Consent to Include Audit Report in an SEC filing
Private company clients may be merged with or acquired by public companies or companies that will go public upon completion of the merger or acquisition. This may require the client's audited financial statements to be included in a related SEC filing. If the firm "played a substantial role in the preparation or furnishing of an audit report" of an issuer8 or a non-issuer subsidiary, division, branch, office or other component of an issuer, the audit must be performed in accordance with the standards of the PCAOB, the CPA firm must be registered with the PCAOB, and the auditor's report must refer to the PCAOB standards. If the firm meets the "substantial role" definitionand the audit of the private company client was not performed in accordance with PCAOB standards, consent to reissue the audit report for the purpose of SEC filing should not be granted. Moreover, the audit report should not be included in the SEC filing. An issuer cannot include a previously issued audit report without the auditor's consent, and will be required to engage a firm qualified to perform a PCAOB audit of those financial statements. 

The evaluation of whether a firm played a substantial role in the audit can be complex. PCAOB Rule 2100 states that, by itself, the issuance of a consent to include a prior period audit report issued by a public accounting firm which does not currently have and does not expect to have an engagement with an issuer to prepare or issue an audit report (or to play a substantial role in the preparation or furnishing of an audit report) does not require a public accounting firm to register with the PCAOB. Due to this complexity, consultation with a securities attorney is recommended to help assess whether the audit firm of a non-issuer meets the 'substantial role' requirements. 

Whether or not to consent is not a straightforward decision. To give consent is not as simple as "doing a client a favor." Most audits of private companies are not performed with the expectation that the audit report will be included in securities offering materials and are typically not priced to reflect the enhanced vulnerability to securities-related claims that would not otherwise exist. The reality is that when a client's business fails, investors will seek deep pockets to recoup their losses. Beyond the entity's directors and officers, the deepest pocket is often the entity's external auditors. When a current or former client requests consent, carefully weigh the client's needs against the associated professional liability risks. Do not feel pressured to give consent. Consult with a securities attorney and your professional liability insurance provider to understand the potential impact of association with securities offerings prior to agreeing to consent. 


CNA logo

Updated January 2013

Accountants Professional Liability Risk Control, CNA, 333 South Wabash Ave. 36S, Chicago, IL 60604


How Helpful Was This Article?


Related Content

Related Products

This information is produced and presented by CNA, which is solely responsible for its content.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the authors' knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA Web sites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

To the extent this article contains any examples, please note that they are for illustrative purposes only and any similarity to actual individuals, entities, places or situations is unintentional and purely coincidental. In addition, any examples are not intended to establish any standards of care, to serve as legal advice appropriate for any particular factual situations, or to provide an acknowledgement that any given factual situation is covered under any CNA insurance policy. Please remember that only the relevant insurance policy can provide the actual terms, coverages, amounts, conditions and exclusions for an insured. All CNA products and services may not be available in all states and may be subject to change without notice.

IRS Circular 230 Notice: The discussion of U.S. federal tax law and references to any resources in this material are not intended to: (a) be used or relied upon by any taxpayer for the purpose of avoiding any federal tax penalties; (b) promote, market or recommend any products and/or services except to the extent expressly stated otherwise; or (c) be considered except in consultation with a qualified independent tax advisor who can address a taxpayer's particular circumstances.

Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

CNA is a registered trademark of CNA Financial Corporation. Copyright © 2013 CNA. All rights reserved.

1Refer to Q&A: Small Business and SEC for types of offerings that are exempt from SEC registration. See The most common exemptions from the registration requirements include private offerings to a limited number of persons or institutions (the JOBS Act recently increased this number to 2,000 accredited investors or 400 unaccredited investors); initial public offerings of limited size (the JOBS Act recently increased this amount to $50 million); intrastate offerings; and securities of municipal, state, and federal governments. Refer to state securities commission website for state specific securities registration, notification, and exemption requirements (see for website links).

2 Note: Whether the auditor owes a duty to a non-client third party is typically decided by state statutes and case law decisions. Case law or legislation that renders CPAs liable for negligence to large numbers of third persons has dramatically increased the number of suits and the potential liability of CPAs.

3 Rule 10b-5 of the Securities Exchange Act of 1934 requires disclosure of all material facts and prohibits the omission of facts necessary to make statements not misleading, making it unlawful to employ any device, scheme or artifice to defraud another person in a securities transaction. In addition to federal securities statutes, each state has its own securities laws and rules, referred to as "Blue Sky" laws, which contain similar anti-fraud provisions to provide private action for investors who have been injured by securities fraud.

4 See AU §550, Other Information in Documents Containing Audited Financial Statements, regarding the auditor's responsibility in relation to other information in documents containing audited financial statements and the auditor's report thereon. 

5 Refer to AU §711, Filings Under Federal Securities Statutes, and AU §9711, Auditing Interpretation of Section 711, for subsequent event procedures related to the 1933 Act Filings.

6 Refer to AU §560, Subsequent Events and AU §561, Subsequent Discovery of Facts Existing at the Date of the Auditor's Report, for procedures to be followed by the auditor upon discovery of facts subsequent to the date of the audit report that may have affected the financial statements on which the auditor previously reported.

6 Refer to Prospective Financial Information – AICPA Auditing and Accounting Guide, for the appropriate disclaimer language. The Safe Harbor for forward-looking statements provided by the Private Securities Litigation Reform Act of 1995 does not apply in many situations such as initial public offerings. Therefore, appropriate language should be included in the consent to notify users that the firm is not associated with the forward-looking statements or prospective financial information.

7 PCAOB Rule 1001(i)(iii) defines the term "issuer" to include any public company, regardless of the jurisdiction of its organization or operation, that is required to file reports with the SEC or that has filed a registration statement for a public offering of securities.

8 The requirements of "substantial role" are described in PCAOB Rule 1001 (p)(i).