Autonomy and Deloitte: Lessons to be learned
The £15m fine imposed on Big Four firm Deloitte reflected the scale of its shortcomings as auditor for Autonomy. Julia Penny delves into the case report to highlight the underlying danger signals for other accountants
Autonomy, once a FTSE 100-listed company, has been in the press ever since Hewlett-Packard (HP) accused Autonomy founder and CEO Mike Lynch and CFO Sushovan Hussain of fraud in 2014. HP bought Autonomy for $11bn in 2011, but after writing down its investment by $8.8bn, the company alleged that $5bn of this was tied to accounting misrepresentations.
A criminal case against Hussain resulted in a five-year prison sentence in the US. Lynch is waiting on a hearing in late January to find out if he will be extradited to face similar charges, even though the UK Serious Fraud Office dropped its accounting misrepresentation case in 2015 after concluding that there was insufficient evidence. There are also outstanding civil suits relating to the alleged fraud.
The auditor’s role
The profession’s disciplinary mechanisms have not been idle, either. After an extensive investigation, the Financial Reporting Council (FRC) imposed a £15m fine on Deloitte, plus costs of £5.6m in September 2020. The audit engagement partners (two were involved over the relevant periods) were also fined and the primary auditor, Richard Knights, was banned from the profession for five years. His colleague, Nigel Mercer, was given a severe reprimand.
Earlier this month, the FRC published a report setting out its detailed findings on misconduct in the Autonomy audits for the financial years ended 31 December 2009 and 2010.
The level of detail offers a fascinating glimpse of how a reputable firm like Deloitte can go astray. But if senior auditors were lured into such misconduct at Autonomy, are there lessons other auditors could learn to avoid similar failings in the future? After trawling through the 270-page report, I picked out seven relevant lessons.
Background to the case
Deloitte and its partners faced five main allegations based on their failure to challenge Autonomy’s accounting of the “pure hardware” purchases and sales to value-added resellers (VARs), and failing to ensure the accounting treatments were consistent with the company’s accounting policies.
Both Knights and Mercer failed to correct misleading statements to the Financial Reporting Review Panel (FRRP) in 2010 and 2011 respectively; and Knights lost his objectivity during his engagement with the firm during the 2009-10 financial years.
The Autonomy audit was run out of Deloitte’s Cambridge office and was the only FTSE 100 company audit performed there. As the local engagement partner wrote to a senior member of Deloitte: “At a personal level the Autonomy relationship is critical to the financial success of the Office… We have set ourselves a target of increasing revenues to this FTSE company by >20%”
The comments immediately flag up potential threats to independence. The FRC Ethical Standard sets limits on the percentage of fees from a particular client compared to overall fees, but this might have little impact for such a large firm. Rather, following the spirit of the independence rules, if the relationship with the audited entity is critical to the office and there is a target to substantially increase fees from the audited entity, where is the engagement partner’s focus?
To focus on anything other than audit quality is likely to weaken the ability to be sceptical, to challenge management and ultimately to issue a qualified audit report if necessary.
Any audit firm could fall into this trap. Auditors are, after all, running a business. But one where their independence from the audited entity (let’s call them that rather than clients to emphasise that the true clients are the shareholders) is paramount. Of course the firm must ultimately be profitable and make decisions about getting and keeping work, but must do this in a way that maintains independence.
Lesson number 1 – Consider and guard against commercial pressures for the firm that might cause a loss of independence.
Hardware sales treatments
Autonomy was a pure software business that could generate very high increases in its bottom line if further revenue was added, because it could be delivered at little extra cost. Many of the key findings in the FRC report refer to how hardware sales were not accounted for in a way that reflected the true nature of the transactions.
The Autonomy accounts for the years in question showed gross margins in the region of 90%. In reality, the company was selling hardware, often at losses, and was using those sales figures to plug shortfalls against expected revenue estimates.
Some of the cost of purchasing such hardware was charged to sales and marketing and in some cases to R&D rather than to cost of goods sold (COGS) - an apparent departure from IFRS. Clearly the margin was unaffected by this very different category of sales, but Deloitte and its partners, while noting in 2010 that the cost allocation was inappropriate, did not consider that the 2009 financial statements, done on the same basis, might need restatement.
Deloitte was aware of the importance of revenue and gross margin to the share price. The FRC report lists examples when scepticism was applied to the figures presented by Autonomy, but where concerns existed, such as those over hardware sales, they were not adequately followed up with robust evidence.
Where the partner or members of the team highlight issues that don’t make sense or contradictory evidence comes to light, the query must be properly resolved. Digging more deeply into the evidence may blow the audit budget or upset the audited entity, but these obstacles are well worth overcoming if the alternative is to be dragged through the mud in disciplinary proceedings and handed a big fat fine!
Deloitte failed to consider evidence that the hardware sales were being used to meet sales targets because of external pressure on Autonomy to live up to expectations. This is a classic incentive for fraud, and a classic audit risk that all auditors should guard against.
Lesson number 2 – Focus on fraud risks, such as pressure to meet targets and resolve any points that don’t make sense, even in the face of external pressures.
Software sales to resellers
There were also issues involved in accounting for software sales to resellers that aroused the regulator’s concerns over the substance of the transactions.
The question was whether software sales to resellers for specific customers should have been booked as sales in Autonomy’s accounts in the relevant periods. These doubts arose because there was little evidence of whether a sale by the VAR to the end-user would occur and, in the absence of that sale, whether the VARs could pay for the software themselves.
It appeared as if a sale to a VAR was essentially a way of accelerating revenue recognition when the “real” sales to end-users had not been finalised by the period ends.
The substance was that Autonomy had not yet made the sale to the end-user. A sale to a VAR would be valid, however, as long as there was sufficient evidence that it was a genuine sale where payment of the debt due was reasonably expected.
The tribunal noted that red flags were apparent. The debt from a sale to a VAR in Q1 of 2009 was later written off as irrecoverable when it became apparent in Q2 of 2009 that there was no contract between the VAR and the end-user, and this affected substantially the ability of the VAR to pay any debt to Autonomy.
Deloitte’s own testing approach included checking contracts and debt recoverability, which should have identified potential issues with the sales to this and other VARs.
Lesson number 3 – Make sure the substance of transactions or arrangements is shown in the accounts and the evidence supports the treatment.
Too involved with client
The FRC illustrated the lack of scepticism issue with an email Richard Knights sent to Autonomy in October 2009 setting out his thoughts on the questionable accounting for a $45.4m hardware transaction with a reseller known as “TP42”.
The memo takes the form of a draft paper for the client to complete and is quoted at length in the FRC report: “After a glass or two of red wine and a plate ful of Mrs K medieval pasta i've had a stab at writing the Autonomy paper on TP42 – This needs to come form [sic] you to us. I need it to sqaure [sic] the position on COGS allocation - i've still not seen anything from TP42.”
The email sets out the need to beef up Autonomy’s ideas on the accounting treatment and elaborate on any sales and marketing or “product development stuff” Autonomy’s sales partner might be able to provide.
“Please improve this,” Knights wrote. “Together with the TP42 email I’m hoping this will move to where it needs to be. I do need to run through this with [the above individual at Autonomy] as well tomorrow. As mentioned above this was rattled out pretty quickly and fortified with a few liveners so as a modest bookkeeper it would benefit from the cutting edge of you software gurus …..!!”
As well as the content, the style and form of the email suggest a relationship where the engagement partner is happy to write to the audited entity after having drunk enough alcohol to impair his typing ability if nothing else.
A compromised audit partner is probably not going to realise that they have lost their objectivity, so you need other team members to step up. An engagement quality control reviewer (EQCR) might be well advised to look at the tone of communications with the audited entity to understand whether there is undue “familiarity” with the management.
The further information requested from Autonomy to make sense of the intended allocation of costs was not followed up and other, contradictory evidence suggested the allocation of the hardware sales costs between COGS and sales and marketing was not appropriate.
It is not unheard of for auditors to assist with drafting papers for audited entities that support a particular accounting treatment, but when they start to side with the audited entity and guide them on what evidence is needed, there is obvious potential for a lack of scepticism. This is a particularly easy trap to fall into where the audited entity lacks the technical understanding of the relevant accounting standards. However, it is a dangerous trap, as the auditor starts to think of themselves as supporting the “client” rather than answering to the shareholders via the audit report.
Lesson number 4 – When you start arguing the case for an audited entity, you have probably lost your objectivity or are on the way to losing it. Stop, and work out what steps to take to restore objectivity.
Deloitte believed it made appropriate professional judgements and that none of what it did in this respect amounted to misconduct. However, the FRC Executive Counsel submitted that Deloitte failed during its audit planning to consider the risk of deliberate manipulation (by asking what might go wrong) or to plan audit work to meet that risk.
The report cited Knights’ comment in a January 2010 planning meeting, “No instances noted, likely to meet/exceed analyst expectations so no pressure to take aggressive positions for the results” as evidence of his loss of objectivity.
The comment was extraordinary, given that Autonomy had only met market revenue expectations in Q3 09 by selling $36.6m of pure hardware, which it was unwilling to disclose to the market, and would have had to report a gross margin of 71% but for the allocation of $28m of the hardware costs to sales and marketing.
The tribunal found that there was no objective basis for Knights to accept the inadequate evidence supplied by Autonomy that significant amounts of the hardware costs were in fact sales and marketing costs. The report concludes: “The decision to approve the allocation bears all the hallmarks of having been made in a hurry under client pressure.”
Lesson number 5 – Don’t cave in when you run out of time. If you need more evidence, then keep asking for it; if you have conflicting evidence, resolve the conflict.
The issues in the financial statements were further compounded by misleading statements in the annual report highlighting that Autonomy had a pure software model and that increased sales and marketing spend were primarily due to increased advertising, additional headcount and an increase in sales commissions.
The auditor has a duty to report on statements within other information that are either inconsistent with the accounts or are misleading.
Lesson number 6 – Don’t forget about the importance of the “other information”. Is it misleading? Is it inconsistent? Have you been independent in considering these questions?
Autonomy’s responses to the FRRP
Deloitte and the disciplined audit partners were also found culpable of a lack of integrity in failing to correct Autonomy’s misleading statements to the FRRP. The panel had asked Autonomy for further information on the nature of its sales and Autonomy’s response was that it was a pure software company with less than 5% of its revenue coming from services.
There was no mention of the importance of hardware sales in meeting market expectations. Knights felt the statement was not misleading, but the tribunal took a different view: “But she [Executive Counsel] submits that Mr Knights’ motivation was that he knew that Autonomy did not want to disclose that it sold pure hardware; and that if he corrected what [Autonomy] had said, that would make it very difficult for Autonomy to justify not disclosing those sales in the future, upset his client and damage his good relations with it.”
Lesson number 7 – It isn’t acceptable to stay silent when you know the audited entity is, or is likely to be, misleading another party, especially a regulator.
Throughout the disciplinary process Deloitte maintained that its judgements were appropriate and that its auditors had challenged Autonomy’s treatment of amounts in the accounts. In mounting this defence, the firm did not seem to accept that mistakes had been made, which surely is an important step in guarding against similar issues in the future.
But perhaps the internal view is not the same as the stance taken in public. As part of the FRC sanctions package the firm must undertake a root cause analysis of the reasons for the misconduct and assess whether the current processes would lead to a different outcome.
If done properly, root cause analysis is a powerful tool that should be applied if your firm identifies quality failings. The IAASB recently issued a new suite of quality management standards (ISQM 1, 2 and Revised ISA 220), which should help firms to focus on where things can go wrong and how to stop it happening.
Although the standards are not mandatory until December 2022, early adoption is encouraged. Perhaps the final lesson from the Autonomy example should be to start addressing the requirements of ISQM 1 and the related standards now.
Julia Penny is the principal of JS Penny Ltd which provides technical and training consulting on anti-money laundering procedures, auditing and financial reporting. Julia is a member of ICAEW Board and Council, chair of the ICAEW Ethics Advisory Committee and past chair of the ICAEW...