My friend Francine McKenna wrote an article for Forbes recently, in which she had a lot more to say than I did about the FDIC's recent lawsuit against PricewaterhouseCoopers and Crowe Horwath based upon those firms' alleged malpractice as, respectively, outside and internal auditors of the failed Colonial Bank. Francine, a former big-firm audit professional-turned-critic, is not a fan of large audit firms.
Francine thinks that the FDIC's allegations against Crowe are "unusual."
PwC’s work papers give the FDIC a peek into PwC’s opinion of the quality of Crowe’s work. Regardless of what PwC thought, it seems the FDIC believes PwC did not do enough to compensate for any failings or verify the assertions about internal controls Crowe made on behalf of Colonial management.
Crowe is being held to the AICPA’s standards for consulting which, while stringent as an accountant’s code of ethics and interesting as a consulting standards framework, do not carry the force of law that the Sarbanes-Oxley Act and the PCAOB auditing standards do. You typically see the AICPA consulting standards cited when an audit firm performs technology consulting engagements that blow-up.
The FDIC says Crowe should have followed the professional standards promulgated by the Institute of Internal Auditors, an international professional organization for internal auditors. Would an internal audit function staffed by Colonial employees instead of an outside vendor have been sued under the same circumstances? Why isn’t the FDIC also naming the Internal Audit Liaison Manager who Crowe, as a vendor, reported to? Employees, though, are usually protected from litigation at least up to some level of negligence.
The FDIC, however, is asserting gross negligence by Crowe. There clearly was concealment and collusion to perpetrate a fraud within the bank and from outside forces. According to a source who is an expert in internal audit services to public companies, internal controls are not very effective when executives collude and conceal information. This limitation is mentioned in the COSO internal control model and also, according to my source, should mitigate the liability of a consultant that wasn’t part of the scheme.
Francine also finds it strange that none of the audit partners involved in the alleged malpractice have been named in the FDIC's complaint.
It’s a wonder to me, though, that in three cases against PwC that allege professional malpractice and breach of duties, the partners responsible for the engagements at Colonial Bank and MF Global are not named nor is anyone willing to give them up. Two prominent plaintiffs lawyers, who try cases against the audit firms often, told me that this is highly unusual. The audit firms may not want to publicize the names of the partners involved in failures and professional malpractice but the plaintiffs almost always name them in the lawsuits and should have no interest in protecting them.
These two partners are still out there auditing. That doesn’t bode well for investors.
That might be a tad harsh. On the other hand, being a tad harsh is something to which I can relate. I trust Francine will stay on the case and eventually discover why the FDIC chose to pursue "unusual" claims against an outsourced internal audit firm while simultaneously taking of the "unusual" step of failing to name individual audit partners in the complaint. I can speculate as to Why the FDIC might wish to protect individual audit partners, but I'll take the highly "unusual" step of restraining myself.
Finally, Francine makes a point that I made about this lawsuit: the FDIC is angling for a settlement, and wants to survive the in pari delicto defense the defendants will raise for a sufficient amount of time to extract it. As Ms. McKenna so bluntly puts it, "...there will be settlements. Auditors never go to trial."