Partner Tom Snelling and David Entwistle, a regulatory lawyer and legal risk specialist, discuss renewed concerns about both auditor regulation and when corporates and responsible individuals are held to account for misleading financial statements, following the recent Wirecard scandal, in Thomson Reuters.
Tom and David’s article was published in Thomson Reuters Regulatory Intelligence, 16 July 2020, and can be found here. Tom also commented in relation to this in London Loves Business and Edward Fennell’s Legal Diary, here and here respectively. A similar version of Tom and David’s article was published in Finance Digest, 6 August 2020, and can be found here.
Wirecard’s collapse has renewed concerns both about the adequacy of auditor regulation and the means by which corporates and responsible individuals within them can be held to account for misleading financial statements. Criminal sanctions and civil litigation are expected to follow this latest scandal, as calls for muscular oversight of auditors get louder daily.
It is too early to determine the full extent to which the Wirecard debacle will result in criminal prosecutions and, if so, where. However, criminal complaints have reportedly already been filed in Germany against two current and one former EY audit partners.
In a case with sufficient UK nexus, senior individuals within a company embroiled in an accounting scandal may be charged with a number of offences. The FCA has recently instituted criminal proceedings against several (reportedly senior) Redcentric employees on the back of its public censure for market abuse, following publication of misleading final year results. Along with the predictable false accounting, false representation and false or misleading statement offences, it is interesting to see in the mix a charge of making “a false or misleading statement to an auditor“(an offence under s.501 of the Companies Act 2006). Well-advised auditors facing civil action in cases of accounting irregularity will want to see such charges being brought, and will no doubt be working the evidence faster than prosecutors.
Auditors themselves risk sanction should they knowingly or recklessly cause a report “to include any matter that is [materially] misleading, false or deceptive…” (an offence under s.507 of the 2006 Act). Given the heightened interest in conflicts of interest within accounting firms, and the perceived risk of soft-pedalling when audit outcomes threaten consultancy revenue, this provision will be of concern to such firms. Also of concern will be ancillary offences; conviction for obstruction of justice in the US brought about the downfall of Arthur Andersen in the wake of Enron. In the UK, inchoate crimes such as conspiracy, and encouragement and assistance might come into play in the context of accounting fraud.
Criminal charges against corporates themselves in accounting cases are rare beasts, partly due to the much-debated difficulty of attributing mens rea to a corporate under the “identification doctrine“. However, the possibility cannot be ruled out where, for instance, a CEO and a CFO are both charged with accounting-related fraud offences based on the same facts.
An interesting possibility would be an extension of the UK’s “Failure to Prevent” regime, as currently deployed in the Bribery Act 2010 and the Criminal Finances Act 2017. Applicable only to corporates, these are, in effect, strict liability offences designed to avoid attribution problems. With their corresponding statutory defences based on adequate systems and controls, it is possible to see how accounting failures could appropriately form the basis of a new corporate crime along the lines of “failure to prevent a false or misleading statement of accounts“. The deterrent power of such an offence is less clear: a company failing to prevent the facilitation of tax evasion may, with a fair wind, survive the scandal; a company caught massaging a material hole in its accounts may not.
Wirecard, and recent judgments of the High Court in London, flag three civil litigation factors of increasing importance to auditors.
First, investor class actions are now an international (rather than US-specific) phenomenon, increasing the susceptibility of global audit practices to large-scale negligence claims. The Big Four is acutely aware of the way in which its international footprint exposes it to collective civil liability claims on new, and sometimes multiple, fronts. EY is already facing a US investor class action as co-defendant alongside Wirecard and a number of its officers. Allegations centre around false and misleading statements violating the 1934 Securities and Exchange Act. An uncomfortable journey in the direction of a jury trial beckons. In addition to the German criminal complaints which have already been reportedly filed (noted above), EY also faces a possible investor class action in Germany. The Berlin-based lawyer behind it is not pulling his punches: “It is frightening how long Wirecard was able to operate without being objected to by the auditors… It was always clear that something was wrong.”
Second, attempts by the Big Four to ‘air lock’ parts of their global practice, arguing that local businesses are not subject to central supervision and control, will be increasingly tested and – in outlier cases – may be found wanting. EY experienced this recently when Kerr J agreed with a former audit partner that EY Dubai and other locally based organisations were subordinate to EY Global. This meant the defendant entities at the top of the EY power pyramid owed a duty to take reasonable steps to prevent the partner from suffering financial loss by reason of the defendants’ failure to perform the “assurance audit” in question in an ethical and professional manner.
The third factor – and the only one of the three in favour of defendant auditors – is that the difficulties (and cost) of evidencing auditor negligence claims are nearly as notorious as the mountaineer’s knee in SAAMCO. In an amuse bouche to what is likely to be a full course auditor negligence battle, Carillion’s liquidator has failed to obtain pre-action disclosure from KPMG, the former auditors. This engaged the thorny issue of auditor working papers. Carillion argued that KPMG’s working papers were core documents in any future case. Jacobs J accepted this but nevertheless denied pre-action disclosure. It was not warranted to enable Carillion to reach a fully informed or concluded view of the extent to which KPMG had been negligent. Mindful of the bouts yet to come, the judge also wished to “put an end to expensive and undesirable “shadow boxing”“.
Whilst policing corporate behaviour depends on a combination of criminal law and (where applicable) regulation (e.g. the Senior Managers and Certification Regime for FCA-regulated firms), the framework for auditor oversight is less settled.
In many jurisdictions, auditors are self-regulated. In the UK, the Financial Reporting Council (FRC) is “independent“, but lacks a statutory footing and is funded by the audit profession. In Germany, the audit profession self-regulates through the Financial Reporting Enforcement Panel. In both jurisdictions, there are plans to tighten-up auditor oversight. Plans to replace the UK’s FRC with a truly independent, statute-based Audit, Reporting and Governance Authority (ARGA) are well publicised. They were devised in the wake of official investigations into the HBOS, BHS and Carillion scandals, in the context of which the FRC was described variously as “feeble“, “timid” and “chronically passive“. However, the FRC remains in place over a year after this announcement. In Germany, the financial regulator, BaFin, almost summarily assumed the power to investigate companies’ financial reporting from the Financial Reporting Enforcement Panel in the wake of Wirecard. In the recent words of the German deputy finance minister, “self-regulation by the auditors doesn’t work properly“.
The steps taken in the US in 2002, in the wake of the Enron and WorldCom crises, offer an instructive comparison. The inadequacy of the then-current self-regulation arrangements for auditors led to the creation of an independent audit watchdog, the Public Company Accounting Oversight Board, backed by the Sarbanes-Oxley Act.
That the US took this action almost two decades ago has not gone unnoticed in the UK as yet another scandal emerges. There are, however, signs of life. The 2019 Brydon Report into the audit profession, commissioned by the UK Government, recommended raising standards to require auditors to “endeavour to detect material fraud in all reasonable ways“, despite the prior refrain, such as in the wake of the Patisserie Valerie collapse, that an audit is “not designed to look for fraud“. A recent flurry of activity shows renewed focus on auditor oversight.
Last week’s findings of “serious and serial audit failings” by Deloitte, which is facing a record fine of up to £15m (plus costs of £5.6m) for its audits of Autonomy, and being ordered to produce this November a “root cause” analysis of its misconduct, capped a dramatic few days for accountancy firms. At the same time, the FRC fined and reprimanded Grant Thornton for breaching “firm-wide” audit ethical and control standards and published a 22-point plan for operational separation in accounting firms (aimed at the Big Four – who were reportedly then dragged into an emergency FRC ‘virtual summit’).
The UK may increase the liability of corporates and key executives, including with a corporate “failure to prevent” offence. Effective ring-fencing of audit work from consultancy practices should finally become a reality. Ultimately, though, the independent assurance provided by auditors is the principal protection for investors and the economy as a whole against fraud and negligence in preparing company accounts. Litigation against auditors is a recourse after the event, not a control. Better auditor oversight and enhanced standards remains key. Despite recent FRC teeth-baring, this necessitates the introduction of ARGA. Paradoxically, doing so requires legislative attention from a UK Government understandably distracted by the Covid-19 crisis, when that crisis could itself exacerbate audit risks, reinforcing the need for ARGA. However ‘Wirecard-gate’ unfolds, change seems inevitable.
– – – – – –
 Amjad Rihan v Ernst & Young Global Limited & Others  EWHC 901 (QB).
 South Australia Asset Management Corporation v York Montague Limited  AC 191.
 Deloitte has sought to reduce the fine, including on the basis that the fine should be calculated only by reference to Deloitte’s audit (rather than wider) revenues.
3 August 2021
3 August 2021