FTX – another warning shot for crypto audits?

The aftermath of the collapse of crypto-exchange FTX has seen its auditors facing claims by at least one customer in the US, with more legal action expected to follow. As one US expert put it, "You can’t get blood from a turnip, but you can get money out of an audit firm."

This in turn has led to a number of firms reassessing the risks of auditing businesses in the crypto-sector.

The Institute of Chartered Accountants in England and Wales (ICAEW) has published an insight on auditing cryptocurrency, which stresses the difficulties associated with these audits and the lack of official guidance. It specifically refers to the privacy and secrecy inherent in the sector, and states that the volatility of cryptocurrencies and potential for fraud results in a high risk of material misstatement in the accounts.

Expectation gap on auditor's role

However, even outside of the world of crypto, it is often difficult for auditors to bridge the expectation gap between the auditor's actual role under International Standard on Auditing (ISA) 240 (The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements) and what the public expects of auditors.

Auditors will now be familiar with the changes to ISA 240 brought in in May 2021 (and updated in May 2022), but the auditor's fundamental concern in relation to fraud remains fraud or suspected fraud that causes a material misstatement in the financial statements (our emphasis). 

ISA 240 confirms that: 

• the primary responsibility for the prevention and detection of fraud rests with those charged with governance and management;
• although the auditor may suspect or, in rare cases, identify the occurrence of fraud, the auditor does not make legal determinations of whether fraud has actually occurred; and 
• the inherent limitations of an audit mean that there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed in accordance with the ISAs (UK).

The expectation gap is particularly apparent where an auditor fails to detect fraud because, with the benefit of hindsight, and long after the audit has completed, creditors can (and often do) allege that the fraud should have been obvious at the time of the audit – even if it was not in fact obvious at the time and was not even detected by innocent members of management.

The Osborne Clarke team saw this in a recent case, in which it acted for an audit firm defending an audit negligence claim brought by the administrators of an insolvent offshore investment fund. The fund had been defrauded by the group's founder, who had used a complex group structure with offshore subsidiaries to conceal the removal of funds. One important issue in play was the expectation gap between what the administrators (and the fund's investors) perceived the role and obligations of the auditor to be and what is actually required of an auditor under the audit standards. 

The approach of regulators does not always help this expectation gap. While accepting the changes to ISA 240 did not alter the scope of audits in respect to fraud, the Financial Reporting Council (FRC), in particular, seems to be pushing risk to audit teams in circumstances where the wrongdoing lies with the management team that has concealed the fraud. 

Osborne Clarke comment

These issues are particularly relevant when considering audits in high-risk, technically complex sectors such as crypto, where the risk of fraud is high. Given the trends in audit claims more generally, it would be surprising if firms did not see more noise from the crypto sector over the next few years.

If you are interested in discussing these issues further, please get in touch with your usual Osborne Clarke contact, or one of our experts listed below