Recent findings raise fresh questions over auditors and fraud

A stunning legal upset against PwC on December 28, 2017, provides a rare glimpse into the kinds of audit failures that regulators have been harping on for years, although its ultimate weight on the burden of auditors to find fraud is not yet clear.

PwC lost a critical legal argument in its defense against liability in the massive fraud and failure at Colonial Bancgroup in 2009 at the peak of the financial crisis. While the firm is expected to appeal—and some legal analysts believe they will win—the case rips the bandage from the long-festering wound over what duty auditors have to find fraud.

Given the age of the case and the changes the auditing profession has seen since, it also raises questions about whether investors are any better protected from such frauds today than they were a decade or two ago.

The details of the case emerge in a bench finding in a U.S. District Court in Alabama, where the Federal Deposit Insurance Corp and trustees for the bankrupt Colonial Bancgroup are holding PwC’s feet to the fire for not exposing a fraud that spanned from 2002 to 2009. The chief perpetrators, including employees of Colonial Bank and its customer Taylor, Bean & Whitaker Mortgage Corp., are already in jail.

The FDIC and Colonial trustees are suing PwC in hopes of recouping some or all of the $2.3 billion lost to an accounting scheme in which overdrawn account balances at TBW were propped up by falsified mortgages. The scheme began, as many frauds do, as a stop-gap measure to address a cash flow problem. It grew more complex over time as the magnitude of the problem only grew, leading up to the financial crisis and the collapse of mortgage-backed securities and institutions all over capital markets.

The plaintiffs fault PwC for failing to perform sufficient audit procedures to uncover the fraud. PwC says it wouldn’t have found the fraud even if it had performed a flawless audit because Colonial and TBW agents interfered with the audit.

The legal arguments, of course, are far more complex, but the case raises once again the question of exactly what an auditor is expected to achieve in performing a standard financial statement audit. Is an audit intended to find fraud?

The answer is no, and yes.

No, the purpose of a financial statement audit is not to find fraud. That’s the intent of a fraud audit, or an investigation, which is far more comprehensive, time-consuming, and costly than a routine audit. “If you want a fraud audit, it can be done, but it involves a lot more procedures, and it costs a lot more money,” says Nancy Reimer, a shareholder at law firm LeClairRyan, who often handles auditor liability cases.

“I don’t think anyone expects the auditor to provide a guarantee.”
Doug Carmichael, Professor, Baruch College

Audits provide reasonable assurance, not absolute assurance, that financial statements are free of material misstatement, whether due to error or fraud. In fact, language to that effect will soon begin appearing in audit reports under a new auditing standard that takes effect this year.

“I don’t think anyone expects the auditor to provide a guarantee,” says Doug Carmichael, a professor at Baruch College and a former chief auditor for the Public Company Accounting Oversight Board.

But yes, auditors have some responsibility with respect to fraud. Auditing standards contain plenty of directives to auditors to plan and perform audits with fraud risks in mind.

Statement on Auditing Standards No. 99 was the relevant standard, before the PCAOB formed under Sarbanes-Oxley and eventually codified SAS 99 into the present-day AU Section 316. Auditors are supposed to identify fraud risks as part of any routine financial statement audit and respond to those risks by planning and performing auditing procedures that are responsive to those risks.

“Auditors do have to be concerned about the risk of a material fraud and whether it would materially misstate financial statements,” says Carmichael. “The standards spell out very clearly that when it comes to fraud that would materially misstate the financial statements, the auditor has to obtain a high level of assurance that that hasn’t happened.”

Here’s where audit performance has been lacking the past several years, based on findings in PCAOB inspection reports, especially dating back to the period when the Colonial Bank fraud was hatched. It was 2002 when employees of Colonial and TBW initially came up with the creative accounting workarounds that were, under the most charitable logic, perhaps intended to help a good customer stay afloat during a rough patch.

The PCAOB has been hounding auditors since about 2010 to do a better job of identifying risks of misstatement, including fraud risks, and then plan and perform audit procedures that are responsive to those risks. In inspection reports, written guidance, public statements, and speeches, board members have many times criticized auditors for too quickly accepting management representations and estimates without applying some of their own independent skepticism. They also criticize audit firms for not adequately staffing audits or supervising the work of junior staff audit members.

Auditor Objectivity and Skepticism—What’s Next?

In examining the issue of professional skepticism in auditing, it is important to highlight the ultimate objective of audits—to provide an independent and objective assessment of financial reporting for the benefit of investors and the public interest.
The PCAOB professional standards make clear that objectivity and professional skepticism must be manifest in the capabilities of audit firms and staff, the judgment they apply in selecting the appropriate audit procedures and conclusions, and the conduct of the audit work.
Our inspection results all too often show that substantial progress is needed in order to more consistently achieve the appropriate application of professional skepticism throughout the audit process and across audits.
Additional efforts are needed to better understand how the framework of professional skepticism applies across varying audit situations. This may enable practitioners to find ways to monitor the application of professional skepticism and recognize and respond to its threats throughout the audit process. Finally, we need to develop a high level of awareness and attention to these issues at all levels in the profession.
The good news is that regulators, academics, and audit firms are increasingly focusing their attention on advancing the understanding and application of professional skepticism. In particular, we are seeing some exciting academic interest in this issue, and collaboration among the academic community and the profession in working to advance theory, training, and practice in this critical area.
The American Accounting Association has shown tremendous leadership over the years in promoting excellence in accounting education, research and practice, which is vital to a strong profession. I applaud the efforts of the academic community in its thought leadership and proactive work with a wide range of stakeholders — including regulators, investors, audit committees and practitioners—on the issues of professional skepticism, with a view toward improving audit quality and investor protection.
Source: Jeanette M. Franzel, PCAOB member

While PCAOB inspection reports and staff audit alerts provide only high-level descriptions of such concerns, the December judicial ruling in the FDIC’s case against PwC provides more explicit detail around what such failures can look like. The ruling says PwC failed to ask for loan documentation that could have exposed the fraud, failed to exercise any skepticism over what it saw and learned during the audit that should have raised some suspicion, and failed to staff the audit with adequate experience.

The ruling says PwC did not design its audit to detect fraud as required under standards, did not obtain sufficient evidence of key transactions used to conceal the fraud, did not inspect underlying loan documents, and did not even confirm the existence of key assets.

The court even called out as “truly astonishing” that PwC assigned a college intern to evaluate the “complex, $589 million asset” at the center of the fraud by 2005. The intern cut and pasted a description of the asset from 2004 work papers to address it in 2005 work papers. The intern’s supervisor said understanding the transactions was “above his paygrade,” the court said.

One of the key actors in the fraud scheme testified in the case that if PwC had asked to see even just 10 loan files, “the jig would be up,” according to the ruling.

PwC has not agreed to discuss the case publicly except to provide a public statement, which does not address the court’s findings with respect to the nature of the audit failures. In its statement, the firm said it looks forward to the next phase of the case, where the FDIC will have to show damages in order for it to collect any kind of award from PwC in the final outcome.

The judicial ruling says PwC defended its audit failures only by describing them as, essentially, irrelevant to the outcome of the case. The ruling says PwC contended to the court: “even if it had attempted to inspect the underlying loan documents, it would not have uncovered the fraud because the fraudsters would simply have created fake documents.”

Does that excuse auditors from even trying? “If these lawyers are arguing their clients cannot be expected to find numbers off by billions of dollars, what are these audits really worth to investors?” asks Lynn Turner, former chief accountant at the Securities and Exchange Commission. “Very little.”

Deliberately concealed fraud is understandably difficult to detect, says Tom Ray, a lecturer at Baruch College who also is a former chief auditor at the PCAOB, but auditing standards are written with that accepted fact in mind. The standards give auditors detailed guidance on assessing the risk of fraud materially misstating financial statements and responding to those risks, he says.

So, is there any legal basis for holding auditors accountable for fraud-related damages when they fail to following accepted standards to search for it? That’s what remains to be determined.

The court made an unusual ruling that allowed the FDIC’s case to go forward with a claim for damages against auditors. Few auditor liability claims ever reach that stage, as most cases are settled privately with little or no public fanfare.

In the Colonial Bank case, however, the court found that the doctrine of in pari delicto does not apply to the FDIC. That is a legal precedent that says a plaintiff who has participated in a wrongdoing may not recover damages resulting from the wrongdoing. The court ruled the doctrine applies to Colonial Bank and its trustees, but not to the FDIC, which stepped in when the bank failed to insure its losses and make account holders whole.

Normally, audit firms successfully argue the doctrine protects them from liability when a company wants to claim damages against the auditor for failing to detect fraud. In this particular case, the judge found the doctrine does not apply to the FDIC in its role as insurer, freeing the FDIC to proceed with damage claims.

The court also found PwC negligent in its performance of the audit, which clears the way for the FDIC to recover damages. In order to do so, the FDIC will have to show that PwC breached a duty to the bank and that the audit firm’s negligence caused the FDIC’s damages. That’s the next phase of the case.

The ruling in this case effectively changes the duty of auditors, says Dell. It suggests auditors can be held responsible for the wrongdoing of the employees of their clients, he says. “Audit firms are in effect becoming insurers of the conduct of their employees,” he says. “The cost of auditing would have to go up enormously.”

While the outcome of the case remains to be seen, it’s fair for audit committees and investors who rely on auditors to wonder if the magnitude of the audit failures described in the Colonial Bank case could happen today. The PCAOB through inspections has been pushing audit firms for years to shore up their audit procedures in all the key areas of failure described in the ruling against PwC, and the firms say they’ve taken considerable measures to address those concerns.

“A lot has changed,” said Reimer. “There are still lessons to be learned here about conducting an audit. As an auditor, you have to follow the program. I don’t care what year it was or what the standards were, you have to follow the standards.”