Edition 05  ·  30 Jun 2026  ·  The Pattern

Who Audits the Auditors?

An interlude. Four editions have asked how nobody saw the fraud. This one turns to the people whose job was to see it — and why, across four decades and four firms, they so often didn't.

Mahesh Ramanujam, FCA, DISA(ICAI) · R. Mahesh & Associates, Chennai · Enron → Evergrande
This Edition — A Step Back
FormatNot a single case — the pattern that runs underneath the single cases we have covered
The firmsDeloitte, EY, KPMG, PwC — the "Big Four" that audit most of the world's large listed companies
The questionWhy the statutory auditor — the control specifically built to catch this — so often does not
The India hookSatyam, and the jurisdictional tangle over who is even allowed to discipline an auditor
ScopeCommentary on matters already in the public domain; regulator findings, not the author's assertions

Why this edition breaks the pattern

For four editions this newsletter has done one thing: take a single case, open the file, and trace how a misstatement was built and why nobody stopped it. ADM and the intersegment rebates. Rajesh Exports and a journal entry that turned aged receivables into African gold mines. Each time, the same closing question — how did nobody see it?

This week, a different cut at the same question. In almost every one of these cases there was a statutory auditor in the room. A firm whose entire reason to exist is to look at the numbers and tell everyone else whether they can be trusted. So before we open the next file, it is worth asking the uncomfortable structural question: when the fraud runs for years, where is the auditor — and why is the answer so often "right there, signing"?

The profession's founding wound

There used to be five large firms, not four. Until 2002, Arthur Andersen sat among the elite. Then Enron went bankrupt, the fraud became public, and the auditor went down with its client — at the time, the biggest audit failure on record. Andersen dissolved.

What grew out of that wreck is the oversight architecture we now take for granted. The United States created a dedicated audit regulator, the PCAOB, and passed the Sarbanes-Oxley Act to tighten corporate governance and auditor independence. The whole edifice rests on a single admission the profession does not enjoy making out loud: the people who check the books need checking themselves.

The same failure, on four continents

If Enron were a one-off, we could file it as bad luck. It is not. In the two decades since, each of the four surviving firms has signed off on a company that later fell over, or been sanctioned for how it did its work.

2001 Enron · Arthur Andersen (US). The collapse that ended the Big Five and created modern audit oversight.
2009 Satyam · Pw India. Over US$1bn in fictitious assets and cash that was never there — "India's Enron." SEBI later found the auditor had ignored anomalies no reasonable professional should have missed.
2018 Carillion · KPMG (UK). The construction giant's collapse pulled in its auditor; a UK parliamentary committee called the regulator overseeing the firms "toothless."
2020 Wirecard · EY (Germany). €1.9bn that was meant to be in escrow did not exist. The auditor's partners ended up under criminal investigation.
2023 Tax-leaks affair · PwC (Australia). The firm used confidential government tax plans its own partner had helped draft to win client work; a Senate inquiry followed.
2024 Evergrande · PwC (China). A six-month suspension and a record fine; the regulator said the firm went past failure — it covered up and even condoned the fraud after auditing the developer for close to fourteen years.
Recurring Exam-cheating · KPMG (cross-border). The most awkward of all, because it strikes the one thing the profession sells: staff caught cheating on the very integrity and competency tests meant to certify them.

Different countries, different mechanisms, the same outline every time: a fraud the statutory auditor was positioned to catch, and didn't — or, in the regulators' harsher findings, chose not to.

The Indian footnote — who is even allowed to punish an auditor?

Satyam is worth pausing on, because what happened after the fraud is its own small study in policy absurdity.

SEBI banned the audit firm from auditing listed companies for two years. On appeal, the Securities Appellate Tribunal threw the ban out — ruling that SEBI had no business disciplining auditors at all, that the power belonged only to the ICAI. The Supreme Court then stayed that ruling, handing the reach back to SEBI. So while the underlying fraud sat on the record, a meaningful stretch of the enforcement era was spent litigating not the fraud, but who was allowed to hold the pen.

The fraud was settled in years. The question of who could even punish the auditor took nearly as long.

India eventually answered the structural question by creating a dedicated audit regulator — the National Financial Reporting Authority (NFRA) — in 2018. Roughly a decade after Satyam. The gap between identifying the problem and building the machinery to address it is, itself, one of the quieter red flags in this whole story.

It isn't bad luck. It's the structure.

The pattern repeats across too many jurisdictions to blame on a handful of bad partners. Three structural problems turn up nearly every time. The first is the one most worth drawing out, because it is invisible in any single audit file.

1 · Audit and consulting under one roof

The firms long ago moved into advisory and tax work, which pays far more than the audit itself. When the same firm earns large advisory fees from a client, the audit relationship stops being the prize and becomes the thing that protects the prize. A whistleblower at one firm alleged exactly this dynamic — audits softened to keep management comfortable and the broader engagement intact.

How Independence Erodes Under One Roof
Step 1
Firm is appointed as statutory auditor — a modest fee
Step 2
Same firm sells the client advisory & tax work — the larger fee
Step 3
Losing the client now means losing both income streams
Step 4
Challenging management hard becomes a cost to the firm

2 · Selling the schemes they later vouch for

The firms do not only miss problems; in the tax arena they build and market the structures. Document leaks such as LuxLeaks tied every major firm to avoidance engineering at industrial scale. It is difficult to audit a client's tax position with full independence when your own firm sold them that position.

3 · The regulators are often old colleagues

The people who police the firms are frequently former insiders. Former partners have sat on — and chaired — the very committees meant to review audit quality. There are few genuinely neutral voices in the room, which is part of why reform proposals debated for two decades have moved so little.

~50% Audits with significant deficiencies at the worst-performing firm in recent PCAOB inspections · regulators reported a range from roughly a fifth to as high as a half

The defense, and its limit

The firms have a real argument, and it deserves stating plainly. An audit is verification of what management represents, not a forensic fraud investigation. A determined conspiracy among the people running a company can defeat even competent procedures. Anyone who has done the work knows this is true — the auditor is not a detective, and the engagement is not designed as one.

But the defense thins quickly. When cash that should be in the account is simply not there, when regulators describe the red flags as too obvious to miss, and when the deficiency rate on inspected files climbs toward half, "we could not have known" stops sounding like an explanation and starts sounding like a position.

None of this is a morality tale. It is an incentive structure doing what incentive structures do.

The firm earning the advisory fee is the firm signing the audit. The regulator across the table was often a partner last year. Until that changes, the honest way to read an audit opinion is the way this newsletter reads every set of accounts: as a useful signal, not a guarantee.

What to Watch For

Next: Edition 06 returns to the file — one case, opened line by line. Same series. Same question. How did nobody see it? Only this time, we already know where to look first: at the signature on the audit report.

Sources

US Public Company Accounting Oversight Board (PCAOB) — annual inspection reports on Big Four audit deficiency rates  ·  China Securities Regulatory Commission (CSRC) ruling on PwC Zhong Tian re: Evergrande / Hengda Real Estate (Sep. 2024)  ·  German prosecutors and contemporaneous reporting on EY and the Wirecard collapse (2020 onward)  ·  UK Financial Reporting Council (FRC) fines re: Carillion, BHS and Babcock; UK House of Commons committee findings  ·  Australian Senate inquiry into the PwC tax-leaks matter and Deloitte Australia  ·  SEBI order; Securities Appellate Tribunal and Supreme Court of India rulings in the Price Waterhouse / Satyam matter; SEC and PCAOB settlements; establishment of the NFRA (2018)  ·  US SEC and PCAOB sanctions on KPMG concerning exam-cheating and related conduct  ·  LuxLeaks disclosures (ICIJ).

This newsletter is published for general information and educational purposes only. It is commentary on matters already in the public domain, drawn from official regulatory filings, court records, and press releases. Several matters referenced involve allegations or findings that have been settled without admission, are under appeal, or remain under investigation; references to any firm or individual reflect what regulators or courts have stated and are not assertions of guilt or wrongdoing by the author. Where firms settled, they did so without admitting or denying the findings. This content does not constitute professional, legal, tax, accounting, audit, or investment advice and creates no client or advisory relationship. Views expressed are the author's own.  ·  Red Flags & Footnotes is written by Mahesh Ramanujam, FCA, DISA(ICAI), ICAI Member No. 206817, proprietor of R. Mahesh & Associates, Chartered Accountants, Egmore, Chennai – 600 008. © 2026 R. Mahesh & Associates. All rights reserved.

Found this useful?

Subscribe on LinkedIn — new edition every Monday.

Subscribe on LinkedIn