Failure to Design Audit to Detect Fraud Can Lead to Liability

by Jonathan S. Ziss, JD | Mar 16, 2021
Pennsylvania CPA Journal
Insightful lessons can be learned by reviewing professional liability issues. With this in mind, Arthur J. Gallagher & Co. provides this column for your review. For more information about liability issues, contact Irene Walton at

On Dec. 28, 2017, a federal court in Alabama ruled in favor of the Federal Deposit Insurance Corporation (FDIC) in a case against PwC arising from a bank failure after a massive fraud was discovered between a bank and one of its customers. This was the second case against PwC related to the failure of Colonial Bank.

The judge presiding over this bench trial had much to say about the auditor’s duty to detect fraud and how that duty was breached. Likewise, the judge was unflinching in her criticism of the fraudsters, finding that their scheme intentionally misled auditors.

PwC acted as Colonial Bank Group’s independent external auditor from 2002 to 2005, and in 2008. The fraud was exposed in mid-2009. PwC was engaged to provide an integrated audit of Colonial Bank Group’s financial statement and its internal controls over financial reporting. The engagement letters required PwC to perform its audit work under established auditing standards in accordance with Public Company Accounting Oversight Board (PCAOB) standards. As is familiar to any auditor, PwC was required to plan and perform its audits to obtain reasonable assurance about whether the financial statements were free of material misstatement, and about whether effective internal control over financial reporting was maintained in all material respects. The engagement letters also noted that because “of the inherent limitations of internal control over financial reporting, including the possibility of management override of controls, misstatements due to error or fraud may occur and not be detected.” Thus, PwC was required to design its audits “to obtain reasonable, but not absolute, assurance of detecting errors or fraud that would have a material effect on the financial statements as well as other illegal acts having a direct and material effect on the financial statement amounts, and of identifying material weaknesses in internal control over financial reporting.”

The engagement letters further provided that Colonial Bank Group was responsible for “informing [PwC] about all known or suspected fraud affecting the entity involving (a) management, (b) employees who have significant roles in internal control over financial reporting, and (c) others where the fraud could have a material effect on the financial statements.”

While the scope of the audit engagements can be thought of as ordinary, the underlying fraud was truly extraordinary.

The fraud occurred in Colonial Bank’s Mortgage Warehouse Lending Division (MWLD), and was orchestrated by the chair of Taylor, Bean & Whitaker Mortgage Corp. (TBW) along with a senior vice president at Colonial and several other Colonial employees. The fraud was exposed through a dramatic FBI raid in August 2009 – after the fraudsters had diverted more than $2 billion in assets over seven years.

In 2002, TBW began overdrawing its operating account with Colonial. To conceal the overdrafts, employees in the MWLD began sweeping money from TBW’s investor funding account to TBW’s operating account, using a credit facility known as the AOT facility. The funds were then swept back into the investor funding account after the overdraft report was generated. TBW’s overdraft, known as “the hole” by the fraudsters, had grown to about $120 million by 2003, at which point it was moved to another credit facility (the COLB facility) within the MWLD, necessitating a new fraud tactic: TBW “sold” Colonial participation interests in mortgages that had already been sold to other investors.

The FDIC alleged that PwC breached its professional duties with respect to its audit of both the AOT and COLB facilities.

Concerning the COLB facility, the FDIC alleged that PwC failed to inspect the physical documents that were supposed to evidence the COLB transactions, and failed to gain alternative reliable evidence of the COLB asset. As it happened, PwC did not inspect or request any TBW COLB loan documents, “despite identifying in its workpapers that a potential risk of fraud in the MWLD was that the loan documents Colonial relied on as collateral did not exist,” and despite noting at the time that the “specter of fraud” was creeping in as the mortgage market weakened. PwC had reviewed the MWLD’s pipeline reports, tested the COLB controls, and obtained confirmation of the COLB assets – from the lead fraudster. The court found this perplexing, given that PwC had identified fraud by a loan originator client as MWLD’s biggest risk.

Concerning the AOT facility, the court found that PwC failed to gain an adequate understanding of this $600 million asset; did not test for the physical existence of the AOT asset; and failed to obtain other competent evidence of the AOT asset’s existence.

At trial, a witness for PwC, an audit partner, testified that failure to design audit procedures to detect fraud would be a violation of PCAOB standards. But at a trial of a prior suit brought by the receiver of TBW against PwC, this same witness had testified that PwC “audits are not designed to detect fraud.”

Having previously testified that they had no duty to detect fraud and did not design audits to detect fraud, the court in the Colonial Bank Group trial concluded, consistent with the auditor’s prior testimony, that PwC did not design its audits to detect fraud, thereby violating the auditing standards. PwC challenged the interpretation of the prior testimony, contending that the court misunderstood the witnesses, who “simply meant that PwC was not a guarantor against the possibility of material fraud.”

During the trial PwC had effectively deployed an armada of affirmative defenses. In the end, though, it was just one critical legal ruling that was PwC’s undoing. This should be of considerable interest to any auditor, whether or not he or she is handling SEC clients.
First, the breach of contract claims were defeated by the bank’s own breach of its contractual duties. That is to say, it didn’t keep up its end of the deal.

Second, the court found that Colonial’s employees had intentionally interfered with the audits by recycling or “refreshing” mortgage data and by creating wire transfers to make it appear to the auditors that TBW collateral mortgages had been paid off.

Third, PwC argued that the intentional wrongful acts of Colonial Bank should preclude it from compensation in accordance with the defense of in pari delicto, which stops a wrongdoer from seeking legal redress for its own misdeeds.

Having successfully pressed these defenses, why was PwC found liable for damages?
The answer ties back to an earlier legal ruling by the trial judge, holding that the wrongdoing of the bank’s employees could be imputed to the bank, but that under Alabama law it remained an open question as to whether the same misconduct should also be imputed to the receiver. “Courts in other jurisdictions,” the judge wrote, “have not been universal in refusing to impute a failed institution’s misconduct and/or negligence to the receiver.”

Assuming that this case is tried to a ruling on damages, PwC is almost certain to appeal the imputation ruling.

The lesson to be learned here is that while every audit is a world unto itself, the professional standards remain constant. The auditor must gain an understanding of the client’s business, and due skepticism must never be abandoned – not in year one nor in year 10. Furthermore, whether auditors are responsible to plan and perform audits so as to provide reasonable assurance, or are responsible to actually detect fraud, is mostly a question for the courtroom, not the conference room. If auditors fail to detect fraud, no matter how their engagement letters read, judges and juries will struggle mightily to understand how that happened.

Yes, there are legal defenses that pin blame on the fraudsters in a way that insulates the auditor. But these defenses are not always successful, even in jurisdictions where they are welcome – and they are not welcome in every jurisdiction.

Jonathan S. Ziss, JD, is a partner with Goldberg Segalla LLP in Philadelphia. He can be reached at
Thousands of CPE Courses  

With the highest quality CPE and thousands of options for online, self-study, and in-person learning, PICPA's CPE meets all of your professional education needs.

Search Courses
Read It Your Way

digital edition

Read the latest edition of the Pennsylvania CPA Journal via the web or digital edition. 

Read Now
Member Benefit

The Pennsylvania CPA Journal is a PICPA member benefit. Receive quarterly editions of the Journal delivered to your doorstep.