Auditing has been a profession often viewed as boring, tedious, and only being done by the IRS if you have not been paying tax. More recently, audit has had an exciting news cycle as Big Four auditing firms: Price Waterhouse Cooper (PWC), Deloitte, Ernst & Young (EY), and KPMG, has come under fire once again for their roles in the collapse of companies after issuing unqualified opinions for the financial reports right before their collapse. Coincidentally enough, this round of recent bank failures – Silicon Valley Bank, First Republic Bank, and Signature Bank – were all audited by KPMG, and the media is quick to point out that the auditors are in need of reform as these company failures – not just KPMG or in the banking industry as the other Auditors have also been caught in collapses and other scandals. For example, PWC’s Australian Tax Advisory was caught giving tax advice relating to an upcoming regulation change to their clients before it was made public, but that one is not Audit’s fault as these Big Four firms operate in three big categories – Audit, Tax, and Advisory – so it’s Tax’ fault for this one. Now, before we go to more finger pointing it would be wise to do the boring part first and confirm two things: what are the Auditor’s responsibilities, and should they be held liable if the auditors give a failed company an unqualified audit opinion right before their collapse.
An audit (as performed by either internal (we’ll go more into this later) or external audit (e.g., KPMG, PWC, EY, Deloitte, etc.) functions) is defined as providing an independent and objective assessment of an organization’s financial statement for both a specific point in time (meaning the reporting date) and a specific duration in time (meaning the reporting year leading up to the reporting date). It is an auditor’s responsibility to report on whether the information presented in publicly submitted financial reports are true and represents a fair view of the organization’s financial position, cash flows, and performance. In the case of the US, auditors assess the banks using generally accepted accounting principles (GAAP) and is regulated by a slew of government and non-government bodies: some acronyms are familiar like the Fed and SEC but there are a host of other acronyms involved you may not be familiar with such as PCAOB, FASB, AICPA, and OCC. All audit opinions must be written with these regulators’ rules in mind.
That seems to be a whole lot of regulatory stakeholders for the auditors to just straight up take the blame by issuing an unqualified audit opinion to three banks, one of which the Fed has issued their findings on. The Fed has released its report on Silicon Valley Bank’s (SVB) collapse last 28 April 2023 and summarized the Bank’s cause of failure to be the fault of the following SVB’s board of directors and management failed to manage their risks (shocking) and the Supervisor’s (in this case the Fed) inability to adapt to SVB’s growth in the 2010s and to enforce/follow up on mitigating steps for SVB’s identified vulnerabilities. No mention of external audit results in the Fed’s report at all as the unqualified audit opinion issued by KPMG at the time before SVB’s collapse represented opinions on outdated regulatory policies and processes. This is to be expected, as it isn’t the Fed’s responsibility to point fingers at the auditors but to see how the supervisory landscape can change to prevent such events from happening again. Which is odd, since the Fed’s report on SVB mentions audit findings related to risk management that should have been flagged by external audit since SVB’s internal audit function pointed out that running the Bank without a Chief Risk Officer for parts of 2022 was a clear violation of enhanced prudential standards (EPS) which SVB falls under as it passed USD 50 Billion in assets during their stellar growth in most of 2010s.
These are all issues that should have come to light as KPMG audited SVB throughout the fiscal year of 2022, but as KPMG’s audit complied with the current standards set forth by the relevant supervisors, they were allowed to issue an unqualified audit opinion which implies that the information on SVB’s financial statements were true and accurate. Which they were, just that they were true and accurate only to a certain degree and as at the latest reporting date SVB was fine until a Bank Run was triggered and an investigation to SVBs failure made it clear – they were grossly mismanaged, and no fancy DCF files or audit work plans would’ve saved SVB from a Social Media post that sparked their demise. Does that put the
Auditors off the hook though? Yes, it does. Since the auditors will maintain that they provided their unqualified auditor’s opinion within the rules and standards set by US regulators and are therefore not liable. That doesn’t mean they shouldn’t be considered as not accountable though, as the Fed has admitted responsibility and has laid out plans to mitigate/contain the risks of SVB’s collapse and the rest of the regulators (PCAOB, SEC, AICPA, YMCA, etc.) come up with their own plans for reform, the auditors will now revise their audit plan on how to provide an opinion that follows those new set of rules until another failure occurs, then it will be time for an even newer audit plan.