The United Kingdom has seen several high-profile corporate failures and accounting mishaps in the past few years. From the insolvency of BHS in 2016 to the downfall of Carillion two years later, followed by the 2019 collapse of Thomas Cook and Patisserie Valerie and the implosion of NMC Health in 2020. Similarly, the large-scale accounting fraud at German payment services provider Wirecard remains fresh in the minds of German politicians and investors globally.
A common denominator for all these corporate calamities was the severe lack of reliability of the financial reporting – and this despite the auditors, more often than not, having signed off on the accounts without any reservation.
As a consequence, the audit profession has come under scrutiny, and there now seems to be a general consensus that reform is required. Against this backdrop, two recent developments in the UK have caught the eye.
Revision of ISA 240
The International Standard on Auditing (UK) 240 (“ISA 240”) sets out the auditor’s responsibilities relating to fraud when performing an audit of the financial statements of a company. In May 2021, the Financial Reporting Council (“FRC”) (the UK’s audit regulator) published a revised version of the ISA 240 (“Revised ISA 240”). The Revised ISA 240 is not a complete overhaul of the previously applicable standard. It mainly clarifies certain responsibilities incumbent on auditors when performing their tasks and aims at making the auditors’ obligation to detect fraud more robust.
The Revised ISA 240 now expressly provides that the auditor is obligated to “obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement due to fraud”.
While this may seem obvious, it is a welcome addition which, at least to some extent, closes the gap between the public’s expectation of the scope of the audit and the actual tasks of the auditor. In several corporate scandals revealed over the last years, when confronted with their responsibilities, the auditors responded that it was not their job to search for fraud – eloquently summarized by Sir Donald Brydon as the “concept of the auditor as watchdog rather than bloodhound”.
Under the Revised ISA 240, the auditor bears the responsibility to plan and perform the audit to obtain reasonable assurance as to the absence of fraud. Reasonable assurance is defined as “a high, but not absolute, level of assurance”. This implies that there is still latitude. Auditors are not expected to spot every fraud, provided they perform the necessary checks. Given that “reasonable” is a rather flexible notion, the question then remains: where do you draw the line?
Interestingly, the Revised ISA 240 also includes guidance on how to assess whether a misstatement is material, stating that both qualitative and quantitative considerations are involved in this assessment.
“For example, an identified fraud or suspected fraud by a key member of management may be considered material even if the potential misstatement is less than materiality determined in quantitative terms for the financial statements as a whole (e.g., where it gives rise to concerns about the integrity of management responsible for the entity's system of internal control or the controls relevant to the preparation of the financial statements).”
This is interesting in that it acknowledges that the importance or materiality of fraud within an organization should not be judged merely based on the quantum involved. Even fraud involving relatively small or insignificant amounts can be an indicator for a material weakness in oversight, deficient control systems, or a bad corporate culture, providing fertile ground for future frauds to flourish.
Proposals on corporate governance and audit reform
A few weeks before the publication of the Revised ISA 240, the UK government published a whitepaper titled “Restoring trust in audit and corporate governance” (the “Whitepaper”). The Whitepaper contains a large number of proposals to reform the audit and corporate governance regime and is largely inspired by the findings of the independent reviews by the FRC and the Competitions and Markets Authority (“CMA”).
The array of proposals includes increased liability for company directors in relation to the accuracy of the accounts, broader powers for the audit regulator to enforce against both auditors and directors, and a formal procedure for shareholders to escalate concerns to the auditors as part of the audit.
One of the objectives of the proposals is to increase competition in the UK audit market. Indeed, more than 95% of FTSE 350 companies are audited by one of the Big Four audit firms. This lack of competition is deemed detrimental to the quality of the audit. However, despite the affirmed intention to remedy the Big Four’s quasi oligopoly, the Whitepaper has not adopted the CMA’s recommendation to impose joint audits for FTSE 350 companies, wherein a Big Four firm would need to team up with a smaller outlet – a requirement which has been in place for listed companies in France since the 1960s.
The Whitepaper is currently the subject of a consultation round which ends on 8 July 2021. The implementation of proposed measures into legislation is not expected to occur before the end of 2022.
Private enforcement remains a blind spot
Despite its broad scope and wide range of proposals, the Whitepaper remains silent on one (important) topic: the auditor’s liability towards third parties, such as investors.
The audited financial statements are a useful source of information for investors when buying shares in a listed company. If the auditor issued an unqualified audit opinion, investors are entitled to rely on this opinion and may reasonably assume that the financial statements correctly reflect the company’s financial situation.
However, there have been numerous instances of large-scale accounting fraud despite the company receiving the auditor’s rubberstamp year after year. In such a situation, one cannot blame an investor for looking to the auditor to recover a part of the losses suffered.
Under English law, this has proven to be quite challenging. Unlike other countries, the UK does not have a statutory regime for auditors’ liability towards third parties. The principles which apply to auditor liability have been developed in case law developed by English courts.
In Caparo Industries v. Dickman, the House of Lords in 1990 ruled that the auditors, in principle, owe their duties to the company or its corporate bodies, not to individual shareholders or investors. Such third parties will only have a claim against the auditor if the auditor assumed personal responsibility towards these third parties (“proximity”). This is not the case for the statutory audit of annual financial statements. The purpose of the audited statements is to fulfil the auditor’s duties to the client and its corporate bodies, not to individual shareholders or (prospective) investors.
This requirement makes it very difficult to hold the auditor liable for losses suffered by investors, even in cases where the auditor’s negligence would be fairly easy to establish.
Given that the Whitepaper does not include a proposal to introduce a statutory liability regime, it appears the situation will, unfortunately, remain status quo for investors.