By Tom Snelling, partner at Signature Litigation and David Entwistle, a regulatory lawyer and legal risk specialist
The collapse of Wirecard has led to fresh concerns about the effectiveness of auditor regulation and how corporates and responsible individuals within them can be held accountable for making misleading financial statements. Following this latest scandal, criminal sanctions and civil litigation are anticipated while calls for more robust oversight of auditors become ever louder.
Predicting the full extent to which the Wirecard debacle will result in criminal prosecutions, and in which jurisdiction(s), is premature. It has been reported that criminal complaints have already been filed in Germany against two current and one former EY audit partners.
In a case with sufficient UK connection, senior individuals within a company embroiled in an accounting scandal may be charged with several offences. For example, the FCA recently instituted criminal proceedings against several (reportedly senior) Redcentric employees in the wake of its public censure for market abuse, following publication of misleading final year results. Alongside false accounting, false representation and false or misleading statement offences, it is interesting to note that in the mix was a charge of making “a false or misleading statement to an auditor” (an offence under s.501 of the Companies Act 2006). When facing civil action in cases of accounting irregularity, well-advised auditors will want to see such charges being brought, and no doubt will work the evidence faster than prosecutors.
Should they knowingly or recklessly cause a report “to include any matter that is [materially] misleading, false or deceptive…” (an offence under s.507 of the 2006 Act), auditors themselves risk sanction. Given the increased focus on conflicts of interest within accounting firms, and the perceived risk of soft-pedalling when audit outcomes threaten consultancy revenue, this provision will inevitably concern them. Equally concerning will be ancillary offences: a US conviction for obstruction of justice precipitated Arthur Andersen’s downfall following the Enron scandal. In the UK, inchoate crimes such as conspiracy or encouragement and assistance might come into play in the context of accounting fraud.
Criminal charges against corporates in accounting cases are rare. In part, this is due to the contentious problem of attributing mens rea to a corporate under the “identification doctrine“. However, they cannot be entirely ruled out where, for instance, a CEO and a CFO are both charged with accounting-related fraud offences based on identical evidence.
One interesting possibility would be an extension of the UK’s “Failure to Prevent” regime, as used under the Bribery Act 2010 and the Criminal Finances Act 2017. These are effectively strict liability offences designed to avoid attribution problems and are only applicable to corporates. Since their corresponding statutory defences are based on adequate systems and controls, it is possible to envisage how accounting failures could appropriately form the basis of a new corporate crime along the lines of “failure to prevent a false or misleading statement of accounts“. The potential deterrent effect of such an offence is less clear: a company which fails to prevent the facilitation of tax evasion may survive prosecution, whereas a company caught massaging a material hole in its accounts may not.
Three civil litigation factors of increasing importance to auditors are flagged by Wirecard and other recent judgments of the London High Court.
First, investor class actions have become an international (rather than US-specific) phenomenon, making global audit practices increasingly susceptible to large-scale negligence claims. The Big Four are acutely aware of how their international footprint exposes them to collective civil liability claims on new, and potentially multiple, fronts. EY is already facing a US investor class action as a co-defendant alongside Wirecard and several of its officers. The allegations centre on false and misleading statements which violate the Securities Exchange Act of 1934. An uncomfortable jury trial may beckon. In addition to the criminal complaints which have reportedly been filed (see above), EY also faces a possible investor class action in Germany. The Berlin-based lawyer behind it does not pull his punches: “It is frightening how long Wirecard was able to operate without being objected to by the auditors… It was always clear that something was wrong.”
Second, on the basis that local businesses are not subject to central supervision and control, the Big Four’s attempts to ‘air lock’ areas of their global practice will be increasingly challenged. In outlier cases, they may be found wanting – as recently experienced by EY when Kerr J agreed with a former audit partner that EY Dubai and other locally based organisations were subordinate to EY Global. Accordingly, the defendant entities at the apex of EY owed a duty to take reasonable steps to prevent the partner from suffering financial loss by reason of the defendants’ failure to perform the “assurance audit” in question in an ethical and professional manner.
The third factor is the only one in favour of defendant auditors: the difficulties (and cost) of evidencing auditor negligence claims are almost as infamous as the mountaineer’s knee in SAAMCO. An opening skirmish in what is likely to become a full on auditor negligence battle, Carillion’s liquidator failed to obtain pre-action disclosure from KPMG, their former auditors. This raised the thorny issue of auditor working papers, which Carillion argued were core documents in any future case. Although Jacobs J accepted this, he nevertheless denied pre-action disclosure concluding that it was not warranted to enable Carillion to reach a concluded view of the extent to which KPMG had been negligent. Mindful of the rounds ahead, the judge also wished to “put an end to expensive and undesirable “shadow boxing”“.
The policing of corporate behaviour operates through a combination of criminal law and, where applicable, regulation (e.g. the Senior Managers and Certification Regime for FCA-regulated firms). But the framework for auditor oversight is less well-defined.
Many jurisdictions allow auditors to self-regulate. This applies in Germany through the Financial Reporting Enforcement Panel. Although the UK’s Financial Reporting Council (FRC) may be “independent“, it has no statutory footing and is funded by the audit profession. Plans exist in both jurisdictions to tighten-up auditor oversight. The proposed replacement of the UK’s FRC with a genuinely independent, statute-based Audit, Reporting and Governance Authority (ARGA) has been well publicised. This followed official investigations into the HBOS, BHS and Carillion scandals, during which the FRC was described as “feeble“, “timid” and “chronically passive“. Nevertheless, the FRC is still in operation more than a year later. In the wake of Wirecard, the German financial regulator, BaFin, quickly assumed the power to investigate companies’ financial reporting from the Financial Reporting Enforcement Panel. As the German deputy finance minister recently put it, “self-regulation by the auditors doesn’t work properly“.
Steps taken by the US in 2002, following the Enron and WorldCom crises, provide another useful comparison. The inadequacy of auditors’ self-regulation led to the creation of an independent audit watchdog, the Public Company Accounting Oversight Board, supplemented by the Sarbanes-Oxley Act.
As yet another scandal emerges, the US response of almost twenty years ago has become the renewed focus of attention in London. Commissioned by the UK Government, the 2019 Brydon Report into the audit profession recommended raising standards to require auditors to “endeavour to detect material fraud in all reasonable ways“. This is contrary to the previous refrain, such as in the wake of Patisserie Valerie’s collapse, that an audit is “not designed to look for fraud“. EY has put this issue at the heart of its Wirecard defence by asserting that “even the most robust audit procedures may not uncover this kind of collusive fraud”.
A recent flurry of activity shows that auditor oversight is now taking centre stage. Recent findings of “serious and serial audit failings” by Deloitte, which faces a record fine of up to £15m (plus costs of £5.6m) for its audits of Autonomy and has been ordered to produce a “root cause” analysis of its misconduct, characterise the unfolding drama for accountancy firms. Simultaneously, the FRC fined Grant Thornton, reprimanding them for breaching “firm-wide” audit ethical and control standards. Furthermore, the FRC has published a 22-point plan for operational separation in accounting firms (primarily aimed at the Big Four, who were reportedly dragged into an emergency FRC ‘virtual summit’).
Most recently, the FRC’s sanction imposed on BDO (albeit for a more technical and specific standards breach than those discussed above) maintains the ongoing momentum in the auditor oversight space. This will be accelerated by a notably candid FRC Annual Enforcement Review on 31 July 2020 that reports concerns over a “tickbox” culture to audit testing and “auditor/ management relationships that are too close to enable auditors to exercise sufficient professional scepticism“.
UK regulators and legislators may decide to increase the liability of corporates and key executives, including a corporate “failure to prevent” offence. Meanwhile, audit and consultancy work could finally be ring-fenced from each other. Ultimately, however, independent assurance provided by auditors is the principal protection for investors and the wider economy against fraud and negligence in preparing company accounts. Litigation against auditors is a recourse after the event, not a preventative control. Better oversight and enhanced standards therefore remain key. Despite the FRC upping the ante recently, this necessitates the creation of ARGA to replace the FRC, as recommended by Brydon. Paradoxically, to do this requires legislative attention from a UK government that remains distracted by the Covid-19 crisis, which could itself exacerbate audit risks, thereby reinforcing the need for ARGA. Whatever happens in ‘Wirecard-gate’, change seems inevitable.
 Amjad Rihan v Ernst & Young Global Limited & Others  EWHC 901 (QB).
 South Australia Asset Management Corporation v York Montague Limited  AC 191.
 Deloitte has sought to reduce the fine, including on the basis that the fine should be calculated only by reference to Deloitte’s audit (rather than wider) revenues.