Auditors or frauditors: who is liable?

As published in R3 recovery magazine, Mark Wilson, Hannah Drozdz and John Lamb explore when auditors are liable for the fraud of directors, and what office-holders can do about it.

When a company fails, people usually ask why, who or what is responsible. There have been several high-profile corporate failures (such as Carillion and Patisserie Valerie) where auditors have faced public criticism for failing to identify financial issues that could have been addressed sooner and losses minimised. With that blame comes the question of financial responsibility.

There is an expectation gap between what people think auditors do, their duties in law and the extent of their duty of care.

Many stakeholders rely on a company’s audited accounts, believing that they are a true endorsement of a company’s viability, only to be caught out when hindsight shows that the auditor’s stamp of approval was wrong and there is no right of recourse to the auditor.

In practice, the auditor’s role is neither to warrant that the accounts are free of error, nor to guarantee that there is no fraudulent activity.

This article considers the auditor’s role in the context of fraud. We look at the duties of an auditor, their responsibilities, and the standards against which they are judged. We then examine, in the context of corporate frauds, where the auditors have been negligent and/or in breach of contract, how an office-holder might bring a successful claim against the auditors for the benefit of the company’s creditors. We highlight practical obstacles likely to be encountered when bringing these claims and conclude with some thoughts for the future.

Office-holders have historically been reluctant to sue auditors. It is correct that these claims can be difficult but, with the right advice, those difficulties can be overcome for the benefit of creditors.

The duty

An auditor is not liable for ‘an indeterminate amount for an indeterminate time to an indeterminate class’ (Ultramares Corporation v. Touche (1931)). Duties to third parties, such as investors, lenders or employees, will only arise where the auditor has assumed responsibility to them by some specific act, such as making direct representations.
Contractually, an auditor’s obligations are to the company with co-extensive duties in negligence to both the company and its shareholders ‘as a body’.

Any claim would be brought by the company and, in an insolvency context, by the company acting by its agent, the administrator or liquidator.

The auditor’s role

All UK companies must undergo an audit – the process of an independent person determining, through tests and procedures, that the company’s accounts show a true and fair view – unless exempt from the requirement.

The Financial Reporting Council’s description of the auditor’s responsibilities sets out that the objective is to obtain ‘reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error’. Fraud in this context is deliberate misstatement.

The scope of the duty and standard of care is determined by compliance with the relevant accounting standards, but an illustrative quote is that an auditor is ‘a watchdog and not a bloodhound’ (Kingston Cotton Mills (1896)).
The International Standard on Auditing (UK) (ISA (UK)) 240 sets out an auditor’s responsibilities in relation to fraud. Central to it is the concept of ‘professional scepticism’. The task is one of evidence and judgement, requiring the auditor to undertake the task with a questioning mind while being alive to the potential for fraud.

Some of the examples of auditor default on cases in which we have recently advised include: accounting entries showing a $1.2bn (£882m) gold reserve note that had expired by the date of the audit and did not in any event exist (there was no gold), tens of millions of dollars of apparent credit from a Caribbean company that had no discernible assets, multiple round-sum payments to offshore entities connected to the directors, and letters of support for the purposes of going concern (ISA (UK) 570) from entities with no assets.

Bringing a claim

Increasingly, audit firms will seek to oppose requests from office-holders for audit files. The office-holders have delivery and examination powers under s234–236 of the Insolvency Act 1986. Under s234, an office-holder is entitled to delivery of property belonging to the company, which would include the audit files, save for the auditor’s working papers, which belong to the auditor. The current approach of the courts is only to exercise discretion under s234–236 to the extent the request is reasonable. This means the office-holder should forensically examine the company’s server for relevant documentation and information and begin their investigations (for example by interviewing key employees), before making what should be targeted requests for documentation and information from the company’s auditors.

Locating the auditor’s engagement letter(s) is the starting point. That will set out the contractual relationship, scope of the audit and any limitation of liability thresholds and will be relevant for ascertaining the scope of the duty that it is relevant to, among other things, causation and loss. Any limitations of liability will need to have been properly authorised in accordance with the Companies Act 2006.

Data analytics can be useful in identifying unusual transactions, key conspirators and patterns of transactions that might indicate fraud.

We generally consider all the email communication between the auditor and the company, although agreeing key word search terms with the office-holder can help identify key areas of concern. For example, in the construction industry, identifying early or optimistic recognition of income on non-performing contracts can highlight mistakes of auditors and help build a picture.

Ultimately, any particulars of claim will need to identify the auditor’s specific duties, relevant ISAs, and how those duties have been breached. Seeking an early opinion from an audit expert with experience of providing evidence in court will help to frame the claim. It also provides an opportunity for an early assessment of liability without incurring significant litigation costs although, as set out below, the main battleground will often be in relation to causation and loss.

Traps

Security for costs applications: this should be anticipated. A court might order that the company, in administration or liquidation, provide security (which could be a bond, guarantee or specific payment into court) to pay the defendant’s costs if the claim is unsuccessful.

While a good claim should not be stifled by lack of funding, in practice it is best to avoid this as an issue by securing appropriate after-the-event insurance (ATE) with any avoidance provisions removed. This means that an insurer will still pay out adverse costs liability even if there had been, for example, a non-disclosure to the insurer by the office-holder. So-called ‘anti-avoidance provisions’ in an ATE policy can negate the need for an additional bond.

Causation and loss

Demonstrating that the auditor fell short of what is expected might be relatively straightforward and even admitted, but pushback should be anticipated on whether it was the auditor’s failures that caused the company’s losses. Normally the defence lawyers will say that the more proximate cause of the loss was the directors’ and not the auditor’s negligence, relying on Galoo Ltd v. Bright Grahame Murray (1994).

It was generally thought that the company’s trading losses incurred after the negligent audit could not be claimed from the auditors, but recent case law, such as Assetco plc v. Grant Thornton UK LLP (2020) and Manchester Building Society v. Grant Thornton UK LLP (2021) has favoured the claimant on this point.

Contributory negligence

A common defence is that the damages that the auditor is liable to pay should be reduced on the basis that the loss suffered by the claimant (and claimed from the auditor) is partly (or wholly) the result of the claimant’s own fault. The defendant has to demonstrate that the claimant has carried out ‘an act or omission... of the kind that was blameworthy, in the sense that it involved a failure to take reasonable care for its own interests and was a contributory cause of... loss’ (MAN v. Freightliner Ltd (2005)). A company is legally responsible for the acts of its directors and employees, even if the acts are fraudulent, where those acts were carried out in the course of their office or employment.

However, an auditor is engaged to protect against the ‘very thing’ (the fraud) that the company is itself primarily responsible for. Recent cases demonstrate that the courts will investigate whether the responsibility for the loss suffered ought to be shared with a company because of management failures and/or dishonesty, reducing the damages that the court awards. Each case will turn on the facts and the seriousness of the auditor’s failings will be relevant but expect a deduction from the damages of 25% to 75% in the event of default.

The counterfactual

This is a hypothetical process of constructing a persuasive narrative as to what would have happened if the breach had not occurred, and a competent audit had taken place. It might be the set of circumstances that did occur (albeit too late in the day to stem the loss caused by the auditor’s breach) or may require careful thought as to the logical and arguable ‘would-have’ position. By way of example, had the breach not occurred, could an investigation have been instigated and a restructuring plan put in place so that a better and less costly outcome could have been achieved?

Limitation of liability

The Companies Act 2006 introduced liability limitation agreements where the amount of a liability owed to a company by its auditor may be limited by agreement. These must satisfy certain requirements, including being authorised by the members. They will only be effective where the limit on liability is no less than an amount that is fair and rea-sonable in the circumstances. Limitation clauses are normally drafted as a multiple of fees with an overall cap. There are no reported cases on limitation of liability agreements, and it will be interesting to see how the courts consider these, bearing in mind that losses can be very significant indeed and generally have no correlation to audit fees.

Reliance, attribution, and illegality: The House of Lords in Stone & Rolls v. Moore Stephens (2009) struck out a company’s claims in negligence against its auditors on the basis that the claims arose out of the company’s sole shareholder/director’s fraudulent conduct, which was attributed to the company and the company could not rely upon its own wrongdoing to bring a claim. That decision has been criticised in Bilta v. Nazir (2015) and it is not believed to be authoritative except on its own facts.

In Singularis Holdings (in liquidation) v. Daiwa Capital (2019), Lady Hale agreed with the view that there is ‘no principle of law that in any proceedings where the company is suing a third party for breach of duty owed to it by that third party, the fraudulent conduct of a director is to be attributed to the company if it is a one-man company’. These comments are not legally binding, and Stone & Rolls remains good law in the context of one-man companies, at least until the issue returns to the Supreme Court.

One approach is to see the issue in terms of reliance. Was there anyone innocent at the company who would have done something differently had they known the accounts were incorrect? Arguably an auditor should not be held liable when the entire shareholder and management body knows that the accounts are wrong because they have been fraudulent. The reality is that the auditors have caused no loss. The dissenting judgment in Stone & Rolls stated that discovering fraud was a critical aspect of an auditor’s responsibility and that there may be a duty of auditors to the creditors of the company when insolvent.

Three further thoughts

• There is likely to be a significant increase in the number of auditor liability claims brought by office-holders. The availability of litigation funding, appropriate ATE insurance and the fact that auditors are generally adequately insured make them an attractive target when there has been a fraud and the directors have disappeared or sheltered their assets. The primary period of limitation for an audit claim is six years from the breach, generally being the date at which the auditor signed the audit opinion. We believe there are likely to be a large number of cases in existing liquidations which ought to be investigated.
• The view that auditors should owe a duty of care to creditors when a company is insolvent appears sensible to us. It would mean that complicity by shareholders would not prevent a claim being brought by office-holders.
• In terms of auditor protection, liability limitation agreements are still not widely used, because of the shareholder approval requirement. Increasingly, auditors are requiring management and shareholders to validate information provided to the auditors. However, this will still not protect an auditor who has not exercised professional scepticism in undertaking its role in relation to the ‘very thing’ it was instructed to identify.