Last week, payments firm Wirecard admitted that €1.9bn of its cash probably never existed — and then it collapsed. It turns out that the German group’s auditors had failed for at least three years to request crucial account information from a Singapore bank where Wirecard said it had up to €1bn. Instead, EY relied on documents and screenshots provided by a third-party trustee and Wirecard itself.
To some, the story sounded remarkably familiar. In 2003, questions were swirling about Parmalat, a big Italian food group. Back then, Bank of America said that a document purporting to show that one of Parmalat’s offshore affiliates held €3.9bn in its account had been forged. Days later, Parmalat went into administration. Deloitte, the group’s main auditor from 1999 until its collapse, later agreed to pay $149m to the company and $8.5m to investors.
But that was not the only time a big auditor had displayed a remarkable lack of curiosity about how and where big companies keep their money. In 2010, JPMorgan Chase admitted to mixing up to $23bn in client money with its own funds in an unsegregated account for seven years. Auditor PwC, which had repeatedly certified that the bank was properly handling client money, was later fined £1.4m, a record for a UK accountancy firm at the time.
Meanwhile, the UK branch of the fourth member of the Big Four, KPMG, has been mired in scandal over its work for failed construction group Carillion. It was sanctioned in 2018 by the UK’s accounting watchdog for an “unacceptable deterioration” in audit quality.
It is easy to blame the auditors after the fact. In Wirecard’s case, EY says “third parties, with a deliberate aim to deceive, provided EY with false documentation in connection with its 2019 Wirecard audit . . . Professional standards recognise that even the most robust and extended audit procedures may not uncover a collusive fraud”.
But short sellers had been raising questions about the company for years and James Freis, Wirecard’s new chief executive, is said to have told board members that basic checks should have been enough to undercover the scandal.
The profession does have a built-in problem. The vast majority of transactions are legitimate, and most managers are basically honest. Usually, executives and investors want audits done quickly and cheaply, with minimum fuss, so that the company can release its results and move on.
“The Big Four consider it a successful audit if they can run some checks and sign off. They want to find no problems, argues Richard Brooks, author of Bean Counters. “They refer to their audit practices as ‘assurance’ — that’s what they want to provide.”
The structure of the audit business exacerbates this problem. Firms are hired and paid by the companies they audit — rather than by investors or regulators who might prefer a more sceptical approach. For the Big Four, audit is also just one arm of a larger business that provides lucrative consulting and tax services to the same companies that are potential audit clients.
There have been several efforts since the early 2000s to reduce these conflicts of interest. The UK and US have tried limiting the other work that can be done for audit clients. The Financial Reporting Council, the UK watchdog, has also asked the Big Four to voluntarily ringfence the costs and profits of their audit work from the rest of the business. But that plan, and the legislation that would give a new audit regulator the power to force a break up, have been put on hold during the coronavirus pandemic.
The Wirecard scandal suggests that the problems go well beyond the Anglo-American sphere. And splitting audit from consulting will not fundamentally change the incentives that prompt auditors to cut costs and corners, and accept management’s word.
“If you are going to audit a brewery, you don’t just count the barrels of beer. You should wiggle them to see if they are full,” says Sharon Bowles, former chair of the European Parliament’s economic and monetary affairs committee. “But no one thinks they will be the unlucky one and get caught out.”
I am tired of reading these stories. It is time to rethink the whole model. We already know that when bank regulators become captured, the public pays the price. Auditors are never going to willingly bite the hands that feed them.