Auditor Fraud Scandal Further Highlights Need to Properly Vet Audit Firms
Key Highlights
- Conducting due diligence on audit firms prior to engaging them remains more important than ever for all audited companies, including public companies, broker-dealers and investment advisers.
- In May, the Securities and Exchange Commission (SEC) fined and permanently suspended a Colorado audit firm for running a “sham auditing mill” that failed to meet Public Company Accounting Oversight Board (PCAOB) standards.
- The SEC also since provided guidance for existing clients of the audit firm, with a focus on selecting a replacement auditor and determining whether previous SEC filings need to be corrected.
- Additional enforcement developments are expected.
On May 3, 2024, the U.S. Securities and Exchange Commission (SEC) announced it had fined and permanently suspended a small Colorado-based auditing firm (Firm) and its owner for allegedly running a “sham auditing mill” and perpetrating “one of the largest wholesale failures by gatekeepers in our financial markets.”[1] In light of this Order, public company issuers that utilized the Firm must decide upon a replacement auditor and whether previous SEC filings need to be corrected, and others should consider conducting a basic due diligence review of their selected auditor to understand whether any similar risk exists.
According to the SEC’s Order, the Firm allegedly failed to meet Public Company Accounting Oversight Board (PCAOB)[2] standards by (i) failing to properly prepare and retain audit documentation; (ii) failing to supervise and review the audit engagement team; (iii) failing to obtain audit engagement quality reviews; and (iv) fraudulently signing off on over 1,500 financial and registration statements—in a two-year period—without properly reviewing them. The charges included “falsely representing to their clients that the Firm’s work would comply with PCAOB standards; fabricating audit documentation to make it appear that the Firm’s work did comply with PCAOB standards; and falsely stating in audit reports included in more than 500 public company SEC filings that the Firm’s audits complied with PCAOB standards.”
The SEC’s Order references that these failures caused the Firm’s clients – which are public issuers and broker-dealers – to violate their own reporting obligations when they submitted materials to the SEC that were not in accordance with PCAOB standards. Although the SEC has not brought any actions against those clients based on the failures, the SEC’s increased scrutiny of auditors and the regulatory and other risks associated with an auditor’s failures, as illustrated by the SEC’s Order against the Firm, underscores the importance of properly selecting and overseeing an external auditor.
SEC’s Increased Scrutiny of Auditors
The SEC’s action against the Firm was neither unprecedented nor unexpected. Below are several examples of the regulator’s public comments reflecting its focus on gatekeepers:
- In 2022 Gurbir Grewal, the SEC’s Director of Enforcement, explained that failures by gatekeepers, such as audit firms, harm investors and the integrity of the markets. He highlighted the SEC’s “focus on gatekeeper accountability” and discussed a $100 million penalty assessed against a large accounting firm for audit professional exam cheating. To be sure, in 2023 the SEC brought 11 such actions,[3] and the SEC’s action against the Firm was the fourth this year.
- In April 2024, Ryan Wolfe, the SEC’s Chief Enforcement Accountant, reaffirmed that gatekeeper accountability remains an enforcement priority for the SEC and that strong top-down governance, such as a well-functioning board of directors and audit committee, is essential to protecting investors.
- The focus on auditor top-down governance was echoed in a statement on May 15, 2024, by the SEC’s Chief Accountant, Paul Munter. In his statement, Munter suggests audit firms (i) incorporate professional integrity and ethics in the promotion and/or compensation process; (ii) promote candor and transparency by sharing survey results and empowering employees to anonymously report misconduct; and (iii) utilize corporate structures that comply with auditor independence requirements. In his view, these practices prioritize integrity and professionalism over profit and growth.
The SEC’s focus on audit firms all but guarantees there will be additional enforcement actions involving auditors as the SEC seeks to hold gatekeepers accountable.
SEC’s Guidance for Affected Clients
On May 3, 2024, the SEC published guidance to issuers impacted by the Order in a rare statement from the SEC’s Division of Corporate Finance. Entities that relied on the Firm or have a current engagement with it must take immediate steps to ensure compliance with SEC regulations. Affected entities must file an Item 4.01 Form 8-Kwithin four days of the auditor’s dismissal, engage a new accountant for Exchange Act filings post-May 3, 2024, and consider amending previous reports due to the SEC’s Order. Public company issuers must also amend pending Securities Act registration statements, retain a new accountant for nonpublic review registration statements, ensure prospectus accuracy for Securities Act registration statements, and follow similar guidance for Regulation A offerings previously audited by the firm. Entities that did not engage the Firm should nevertheless take this opportunity to review their auditor engagements.
On May 20, 2024, the SEC published an Exemptive Order to provide additional time to file quarterly and transition reports onForm 10-Q for clients of the Firm that previously filed Form 12b-25. According to the SEC, it “will provide affected SEC reporting companies with an additional period of time to hire a new, qualified, independent, PCAOB-registered public accountant and file with the SEC, financial information that complies with the requirements of the federal securities laws.”
Impact on Others
Outside of reporting company issuers, others may also be impacted by the SEC’s Order against the Firm. For example, commercial loan agreements typically require a borrower to provide annual audited financial statements, as well statements of compliance of certain conditions or covenants in the loan agreement. Broker-dealers, per Exchange Act Rule 17a-5, must file with the SEC and the Securities Investor Protection Corporation annual reports that include an auditor’s public audit opinion. Registered Investment Advisers (RIAs) that have custody of client funds and those that manage private funds are both required to have annual audits conducted by a PCAOB-registered public accountant. All of these entities should review any audit reports, certificates, opinions or other materials that may have been affected by the SEC’s Order and consider whether any such reporting needs correcting.
Selecting and Overseeing Audit Firms
Going forward, clients should adequately vet their accountants and auditors by periodically searching public records for potential red flags.[4] Below are some questions to consider:
- Basic Firm Information: What is the name and address of the firm, how long have they been in business, and how long have they been registered with the PCAOB? Are onsite client visits available? Does the firm have any references from its existing clients? Has the firm been involved in previous litigation brought by a client, and if so, how was it resolved?
- Organizational Information: What is the corporate structure of the firm? Are decisions made by a board of directors, officers or a management committee? Who conducts supervision over an audit engagement, and how is that review documented?
- Ownership and Leadership: Who are the individual owners, executives or managers of the audit firm? Do publicly available records reflect any risk concerns with respect to those individuals?
- Regulatory Oversight: Does the PCAOB have any records that reflect concerns with the firm? The PCAOB oversees audits of publicly traded companies and broker-dealers. The PCAOB inspects registered accounting firms, and portions of the inspection reports are publicly available. The registration application, annual reports and any disciplinary proceeding information are also available on PCAOB’s website. PCAOB status is also relevant to investment advisers in their SEC Rule 206(4)-2 obligations.
- Business Risks: Does the audit firm maintain written policies requiring it to comply with the PCAOB requirements? How often are those policies updated? Does it maintain audit documentation as required by PCAOB standards? Does it maintain an internal Code of Ethics, a business continuity plan or controls to maintain the privacy of client information?
- Audit Firm Engagement: Is the audit firm willing to respond to a due diligence questionnaire? Does the engagement letter with the auditor contain a limitation of liability in favor of the audit firm? Alternatively, does it provide that the audit firm will defend or indemnify the client against any losses caused by the audit firm’s services?
Conclusion
Public company issuers that had their financials audited by the Firm will need to identify whether any previous SEC filings must be corrected as well as identify a replacement auditor. For others, the SEC’s Order against the Firm provides an opportunity to learn from the circumstances and take steps now – such as conducting a basic due diligence review of their current auditors and accountants – to understand whether there is any risk of noncompliance with PCAOB standards.
If you have any questions about your company’s practices and the impact of this enforcement action, please reach out to your regular Armstrong Teasdale lawyer or one of the listed authors.
[1] Press Release, SEC Charges Audit Firm BF Borgers and Its Owner with Massive Fraud Affecting More Than 1,500 SEC Filings, Securities and Exchange Commission (May 3, 2024), available at https://www.sec.gov/news/press-release/2024-51. The entire Order against BF Borgers CPA PC and its owner (the Order) may be accessed here.
[2] The Sarbanes-Oxley Act of 2002 established the PCAOB as a new independent quasi-governmental body to regulate accounting firms providing audits of public companies. The mission of the PCAOB is to “protect investors and further the public interest in the preparation of informative, accurate, and independent audit reports.”
[3] For example, in 2023, the SEC charged a different audit firm with systemic quality control failures and violations of audit standards in connection with audit work for hundreds of clients. See Securities and Exchange Act of 1934 Release No. 97773 (June 21, 2023).
[4] The Firm had a history of public disciplinary actions against it, as well as a troubled record on PCAOB inspection reports dating back to at least 2017.
- In 2018, the Colorado State Board of Accountancy (the Board) brought a disciplinary action against the Firm’s owner for engaging a certified public accountant not licensed in Colorado who signed PCAOB audit reports for a public company in 2014, 2015 and 2016 in violation of SEC rules.
- In 2024, the Board brought another disciplinary action against the Firm’s owner for, among other things, “fail[ing] to exercise due care in the performance of professional services” and “fail[ing] to meet generally accepted accounting principles or generally accepted auditing standards in the profession.”
- PCAOB inspection reports for 2017, 2021 and 2022 showed a 100% deficiency rate in the Firm audits PCAOB reviewed. The 2017 inspection report noted that “[c]ertain deficiencies identified were of such significance that it appeared to the inspection team that the Firm . . . had not obtained sufficient appropriate audit evidence to support its opinion that the financial statements were presented fairly, in all material respects, in conformity with the applicable financial reporting framework.”
- Last year, the Association of International Certified Professional Accountants terminated the Firm in its Peer Review Program because the Firm was “found to be so seriously deficient in its performance that education and remedial, corrective actions are not adequate.”
- Earlier this year, the Canadian Public Accountability Board banned the Firm from accepting new audit clients in Canada, citing 19 significant inspection findings and multiple violations of professional and Canadian Audit Standards.