Last week, Reuters printed an interesting and enlightening interview with Steven Thomas, the managing partner of Thomas, Alexander & Forrester … an attorney known for suing large auditing firms for malpractice… and winning!

Recent big wins include $520 million and $130 million judgments against BDO Seidman, on behalf of Espirito Santo and Batchelor Foundation, respectively. Auditors Ernst & Young (E&Y) and KPMG have been on the losing sides of large cases, and Deloitte, E&Y, KPMG, and McGladrey & Pullen are all current defendants.

So how does Thomas (or any plaintiff’s attorney) win a case against an auditing firm when there is a sizeable fraud (such as the Koss Corp. embezzlement) or the collapse of a Ponzi scheme (such as the Bernie Madoff case)?

Thomas points out that simply because there is a fraud, a business failure, or a pyramid scheme collapse, the auditors are not necessarily at fault. I agree. The auditors may have carried out their professional responsibilities to a T, but simply not uncovered the fraud.

How does a fraud go undetected by auditors? The first thing to remember is that audits are not designed to find fraud, so they rarely do. Equally important is the fact that frauds are deliberately (and often effectively) covered up by those perpetrating them. Executives who embezzle or commit financial statement fraud, in particular, are keenly aware of exactly how the auditors do their work, and take careful steps to avoid detection.

In discussing court decisions in audit malpractice cases, Thomas seems to say that auditors are supposed to find fraud:

Now other state courts have looked at it and said in pari delicto shouldn’t apply to an auditing firm because it’s an auditing firm’s duty to detect fraud. In pari delicto says if there’s a fraud, you get off. If it’s your job to detect fraud, it shouldn’t be the fraud itself that absolves you of your responsibility.


Florida has held specifically that it’s an accounting firm’s duty to detect fraud and therefore in pari delicto, or a defensive claim of fraud against the client, would not be viable.

Technically speaking, auditors are not engaged to find fraud. They are engaged to give an opinion on the financial statements, and whether they are fairly stated. The auditors are required to perform certain procedures related to fraud, essentially assessing the risk of fraud and increasing the testing of the financial statements as there is a greater perceived risk of fraud. The auditors are not specifically engaged to (or expected to) find fraud, under the current auditing standards.

However, the auditors are still required to carry out their professional responsibilities and complete all testing properly. If they didn’t carry out these responsibilities, then we have to determine whether that failure affected their ability to find fraud. We must assess whether they would have found the fraud if they had fulfilled all their duties.

Here is an example from a case on which I was retained to examine the auditors’ working papers and files to determine whether or not they failed to fulfill their professional responsibilities…

An organization had a large theft of cash receipts from donors. The first question I asked as a forensic accountant and expert witness was, “How could the auditors have discovered the fraud?” There were several areas of the audit to investigate, and I ended up zeroing in on the testing of cash receipts. What I turned up was disastrous for the auditors.

Typically the testing of cash receipts is fairly straightforward and difficult to screw up. Not so for these auditors. In this case, there was documentation regarding the amount of cash collected. The auditors attempted to trace those cash collections to the bank statements to verify that the funds received were actually deposited.

What the auditors didn’t know was that the bookkeeper retained the records which accurately showed the amount of cash received. She stole the cash, and therefore didn’t deposit the cash to the bank. She didn’t alter or destroy any records, however. A simple comparison of the cash receipts records and the bank statements showed that there was missing cash.

The auditor saw that the cash receipts records did not match the bank statement and asked the bookkeeper why. She told him that sometimes they combined more than one day of cash receipts when making deposits, so the amounts didn’t match. He accepted this explanation and did no further testing or verification.

The auditors had a duty to verify the representation of the bookkeeper in some way, but they did nothing more. If they had examined things more closely, they would have seen the following:

Cash receipts records Day 1: $15,000

Cash receipts records Day 2: $21,000

Bank deposit that week: $9,500

You can see that the bookkeeper’s explanation can’t possibly be true. The bank deposit that week was less than any single day’s cash receipts, so it is obvious that none of the cash receipts could have been combined.
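The comparison the auditor skipped can be written as a repeatable test. This is an added example, not part of the original article or the case files: the function name and the control data are hypothetical, and only the three dollar figures come from the article. It checks the bookkeeper's claim directly by asking whether each deposit equals the sum of one or more consecutive days of recorded receipts.

```python
def check_combined_deposits(receipts, deposits):
    """Test the claim that each bank deposit combines one or more consecutive
    days of recorded cash receipts.

    receipts: [(day, amount)], deposits: [(label, amount)], both in
    chronological order, whole dollars.
    """
    exceptions = []
    nxt = 0  # index of the first receipt day not yet covered by a deposit
    for label, amount in deposits:
        total, end = 0, nxt
        # Add consecutive days until they reach or pass the deposit amount.
        while end < len(receipts) and total < amount:
            total += receipts[end][1]
            end += 1
        if total != amount:
            # The deposit cannot be formed from whole days of receipts.
            exceptions.append({
                "deposit": label,
                "deposited": amount,
                "days": [day for day, _ in receipts[nxt:end]],
                "recorded": total,
                "difference": total - amount,
            })
        nxt = end  # greedy: these days are treated as belonging to this deposit
    return {
        "exceptions": exceptions,
        "undeposited_days": [day for day, _ in receipts[nxt:]],
        "shortfall": sum(a for _, a in receipts) - sum(a for _, a in deposits),
    }


# Figures from the article.
ARTICLE_RECEIPTS = [("Day 1", 15_000), ("Day 2", 21_000)]
ARTICLE_DEPOSITS = [("Deposit that week", 9_500)]

# Constructed control case in which the "combined days" explanation holds.
CONTROL_RECEIPTS = [("Mon", 4_000), ("Tue", 2_500), ("Wed", 3_000)]
CONTROL_DEPOSITS = [("Dep A", 6_500), ("Dep B", 3_000)]

if __name__ == "__main__":
    for name, rec, dep in [("article", ARTICLE_RECEIPTS, ARTICLE_DEPOSITS),
                           ("control", CONTROL_RECEIPTS, CONTROL_DEPOSITS)]:
        print(name, check_combined_deposits(rec, dep))
```

An exception here means the explanation needs supporting evidence such as deposit slips; the matching is greedy and in order, so it flags items for follow-up and does not by itself establish theft.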

In this case, the auditors were clearly responsible for missing the fraud. Had they discovered the fraud during their first audit after the embezzlement scheme started, the organization would have lost far less to this dishonest employee.

(Note, too, that even if the auditors do everything right when they’re auditing something like cash, a fraud may still go undetected.)

Of course, determining whether auditors have any liability for a botched audit isn’t always so easy. Depending on where in the financial statements a fraud is buried, there may be many factors that come into play when assessing liability. For example, overstatement of certain assets or manipulation of reserve accounts might not be so easy to prove, since the balances of these accounts often rely on estimates, assumptions, and the judgment of management. These fall into a gray area in which it is not so simple to assign blame.

3 thoughts on “Auditor Malpractice: How to Sue an Audit Firm and Win”

  1. Gail

    Should a CPA recommend an audit in certain instances? What if the office manager is unable to reconcile the bank accounts year after year but the CPA doesn’t tell the employer? Then one day the employer discovers that the office manager has been embezzling.

  2. Tracy Coenen

    I personally would never recommend an audit because they generally do not find fraud and are not terribly useful. I only recommend an audit if a company is required to have one due to financing or regulatory requirements.

