FTX—The Plausbility of an Unmodified Audit Opinion on an Organization That Lacks Internal Control; A Deep Dive into the Standards ()
1. Introduction
FTX Trading LTD. and related entities filed for Chapter 11 Bankruptcy on November 17th, 2022. John J. Ray III submitted the petition and pleadings. Mr. Ray was appointed CEO on November 11, 2022 after Sam Bankman-Fried, former CEO and founder, resigned amid allegations of fraud and financial misconduct.
According to court documents Mr. Ray refers to FTX and related entities as “four groups of businesses…silos”. These silos include:
1) …the “WRS Silo”, which includes the businesses known as “FTX US”, “LedgerX”, “FTX US Derivatives”, “FTX US Capital Markets”, and “Embed Clearing”, among other businesses;
2) …the “Alameda Silo”;
3) …the “Ventures Silo” a group composed of Debtor Clifton Bay Investments LLC, Debtor Clifton Bay Investments Ltd., Island Bay Ventures Inc. and Debtor FTX Ventures Ltd.; and
4) …the “Dotcom Silo”, a group composed of Debtor FTX Trading Ltd. and its Debtor and non-Debtor subsidiaries, including the exchanges doing business as “FTX.com” and similar exchanges in non-U.S. jurisdictions.
These Silos together are referred to…as the “FTX Group” (FTX Trading LTD. et al., 2022) .
The WRS Silo and the Dotcom Silo are majority owned by Mr. Bankman-Fried but have third party investors. Outside investors of the WRS Silo comprise 22.5% of the equity while the Dotcom Silo is comprised 25% by third parties. “The FTX Group received audit opinions on the consolidated financial statements for two of the Silos—the WRS Silo and the Dotcom Silo—for the period ended December 31, 2021.” (FTX Trading LTD. et al., 2022) .
According to the bankruptcy filing, the WRS Silo had total assets of $1,360,665,000. Included in this figure is $71,563,000 of Related Party Accounts Receivable and Loans Receivable (to a related party) of $250,000,000. These related party balances account for over 23% of the assets. The Dotcom Silo was in a similar position with total assets of $2,258,734,000 which included $188,155,000 of related party accounts receivable (8.3%).
Within the bankruptcy filing, Mr. Ray outlines the complete lack of internal control within the Group. “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here. From compromised systems integrity and faulty regulatory oversight abroad, to the concentration of control in the hands of a very small group of inexperienced, unsophisticated and potentially compromised individuals, this situation is unprecedented.” (FTX Trading LTD. et al., 2022) . In addition he stated, “The FTX Group did not maintain centralized control of its cash. Cash management procedural failures included the absence of an accurate list of bank accounts and account signatories… The Debtors did not have the type of disbursement controls that I believe are appropriate for a business enterprise. For example, employees of the FTX Group submitted payment requests through an on-line ‘chat’ platform where a disparate group of supervisors approved disbursements by responding with personalized emojis”. “The FTX Group’s approach to human resources combined employees of various entities and outside contractors, with unclear records and lines of responsibility. At this time, the Debtors have been unable to prepare a complete list of who worked for the FTX Group as of the Petition Date, or the terms of their employment.” (FTX Trading LTD. et al., 2022) .
The purpose of this paper is not to rehash what went wrong, how and where. That will come to light in the coming months as Mr. Ray and his team pour through the transactions to create a true financial picture of the company. Rather, this paper calls into question the ability for a public accounting firm to issue an unmodified opinion on the financial statements of FTX. I will explore the relevant auditing standards and guidance provided to auditors to determine the appropriateness of issuing an unmodified opinion.
2. Audit Opinions under Gaas
Auditors are required to follow Generally Accepted Auditing Standards (GAAS) when conducting an audit of financial statements. “An auditor is associated with financial information when the auditor has applied procedures sufficient to permit the auditor to report in accordance with GAAS.” (AU-C 200.02). GAAS requires that auditors form an opinion on whether the financial statements are presented fairly, in all material respects, in conformity with the applicable financial reporting framework (AU-C 200.04). In the United States, for most companies, the applicable financial reporting framework is Generally Accepted Accounting Principles (GAAP) (AU-C 200.14). The Financial Accounting Standards Board (FASB) establishes the accounting standards for financial reporting known as GAAP.
An auditor has several options when issuing a report on the financial statements. The accounting firm may issue an Unmodified Opinion, A Qualified Opinion, An Adverse Opinion or a Disclaimer of Opinion as detailed in the standards below.
The Unmodified Opinion—“The auditor should express an unmodified opinion when the auditor concludes that the financial statements are presented fairly, in all material respects, in accordance with the applicable financial reporting framework” (AU-C §700.A13).
The unmodified opinion requires that the financial statements are not only fairly presented in accordance with GAAP but also that they are useful and not misleading to users of such statements. As stated in FASB Concept Statement No. 8; “the objective of financial reporting is to provide financial information about the reporting entity that is useful to existing and potential investors, lenders, and other creditors in making decisions about providing resources to the entity.” To add emphasis to this matter, AU-C §700.A13 states “a fair presentation financial reporting framework not only requires compliance with the requirements of the framework but also acknowledges explicitly or implicitly that it may be necessary for management to provide disclosures beyond those specifically required by the framework”.
The Modified Opinion—“For purposes of generally accepted auditing standards, the following terms have the meanings attributed as follows:
Modified opinion. A qualified opinion, an adverse opinion, or a disclaimer of opinion on the financial statements.
Pervasive. A term used, in the context of misstatements, to describe the effects on the financial statements of misstatements or the possible effects on the financial statements of misstatements, if any, that are undetected due to an inability to obtain sufficient appropriate audit evidence. Pervasive effects on the financial statements are those that, in the auditor’s judgment,
• are not confined to specific elements, accounts, or items of the financial statements;
• if so confined, represent or could represent a substantial proportion of the financial statements; or
• regarding disclosures, are fundamental to users’ understanding of the financial statements.” (AU-C §705.06)
“The decision regarding which type of modified opinion is appropriate depends on the following:
1) The nature of the matter giving rise to the modification, that is, whether the financial statements are materially misstated or, in the case of an inability to obtain sufficient appropriate audit evidence, may be materially misstated.
2) The auditor’s judgment about the pervasiveness of the effects or possible effects of the matter on the financial statements” (AU-C §705.02).
“The auditor should modify the opinion in the auditor’s report when
1) the auditor concludes that, based on the audit evidence obtained, the financial statements as a whole are materially misstated or;
2) the auditor is unable to obtain sufficient appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement” (AU-C §705.07).
“…If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor should determine the implications as follows:
1) If the auditor concludes that the possible effects on the financial statements of undetected misstatements, if any, could be material but not pervasive, the auditor should qualify the opinion.
2) If the auditor concludes that the possible effects on the financial statements of undetected misstatements, if any, could be both material and pervasive so that a qualification of the opinion would be inadequate to communicate the severity of the situation, the auditor should
a) disclaim an opinion on the financial statements or withdraw from the audit, when practicable.” (AU-C §705.13).
In summary, when an auditor concludes that there are both material and pervasive errors in the financial statements, an adverse opinion must be expressed. However, a disclaimer of opinion should be expressed when the auditor is unable to obtain sufficient, appropriate evidence to support neither an unqualified or an adverse opinion on the financial statements (AU-C §705.09-10).
An auditor may also choose to add an Emphasis of Matter paragraph to the opinion—“If the auditor considers it necessary to draw users’ attention to a matter appropriately presented or disclosed in the financial statements that, in the auditor’s professional judgment, is of such importance that it is fundamental to users’ understanding of the financial statements, the auditor should include an emphasis-of-matter paragraph in the auditor’s report” (AU-C §706.08).
“…the following are examples of circumstances in which the auditor may consider it necessary to include an emphasis-of-matter paragraph:
• An uncertainty relating to the future outcome of unusually important litigation or regulatory action.
• A significant subsequent event that occurs between the date of the financial statements and the date of the auditor’s report.
• A major catastrophe that has had, or continues to have, a significant effect on the entity’s financial position or results of operations.
• Significant transactions with related parties” (emphasis mine) (AU-C §706.A4).
“When the auditor includes an emphasis-of-matter paragraph in the auditor’s report, the auditor should do the following:
1) Include the paragraph within a separate section of the auditor’s report with an appropriate heading. When key audit matters are communicated in the auditor’s report, the heading should include the term Emphasis of Matter.
2) Include in the paragraph a clear reference to the matter being emphasized and to where relevant disclosures that fully describe the matter can be found in the financial statements. The paragraph should refer only to information presented or disclosed in the financial statements.
3) Indicate that the auditor’s opinion is not modified with respect to the matter emphasized.” (AU-C §706.09).
3. Internal Control
The Committee of Sponsoring Organizations of the Treadway Commission (COSO) has gained broad acceptance of its framework for “designing, implementing and conducting internal control and assessing the effectiveness of internal control” (Committee of Sponsoring Organizations, 2013) . Independent auditors should use the framework to assess the entity’s system of internal control (Committee of Sponsoring Organizations, 2013) . According to COSO, “Internal Control is a process, effected by an entity’s board of directors, management, and other personnel, designed to provide reasonable assurance regarding the achievement of objectives relating to operations, reporting, and compliance”. There are 5 components of the framework; Control Environment, Risk Assessment, Control Activities, Information and Communication and Monitoring Activities. The first principle in the Control Environment is especially applicable to FTX, “the organization demonstrates a commitment to integrity and ethical values”. The Integrated Framework expands on this principle by drawing a direct line between the integrity of management and internal control within the company. “The most effective way of transmitting a message of ethical behavior throughout the organization is by example. People imitate their leaders. Employees are likely to develop the same attitudes about what’s right and wrong—and about internal control—as those shown by top management. Knowledge that the CEO has ‘done the right thing’ ethically when faced with a tough business decision sends a strong message to all levels of the organization.” (Internal Control—Integrated Framework, 1992) . Related party receivables accounted for over 8% of one silo’s assets and over 20% in the other silo. Using the COSO guidelines, an auditor should infer that the plethora of related party transactions would, at a minimum, call into question management’s commitment to integrity and ethical values.
The Monitoring Component is comprised of 2 principles.
“The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning” and
“The organization evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate.” (Committee of Sponsoring Organizations, 2013) . Based upon Mr. Ray’s synopsis of the Group, those managing the group did not have a commitment to internal control.
When obtaining evidence for purposes of issuing an opinion, Generally Accepted Auditing Standards (GAAS) require that “the auditor must obtain a sufficient understanding of the entity and its environment, including its internal control, to assess the risk of material misstatement of the financial statements whether due to error or fraud, and to design the nature, timing, and extent of further audit procedures” (AU-C §150.02). This is expanded upon by COSO under the Risk Assessment and Control Activities components, which require management assess risk and develop actions that help mitigate the risks identified. Auditors can choose to rely on the internal controls that are in place within an entity or they can choose not to rely on the internal controls and then test the transactions and source documents (AU-C 330-04). However, an auditor may find it impossible to test transactions and source documents in a business that relies heavily on IT, such as in the FTX Group (AU-C §330.A25). In July, 2020, COSO issued “Blockchain and Internal Control, The COSO Perspective” (Burns et al., 2020) . Within this document, COSO encourages external auditors to “work within the firm and with third-party audit tool developers to develop necessary tools (e.g., to understand the internal controls and audit blockchain transactions)”.
The Public Company Accounting Oversight Board (PCAOB) sets forth additional regulations for auditors of companies that are publicly held. The auditor should have had heightened awareness about the standards issued by the PCAOB amid the debate about the regulation, (or rather lack of regulation and oversight) of the crypto industry. Ultimately, there will be one of two bodies that regulate this industry, either the SEC or the Commodity Futures Trading Commission. The PCAOB has issued AS 2110.07 which states “the auditor should obtain an understanding of the company and its environment (“understanding of the company”) to understand the events, conditions, and company activities that might reasonably be expected to have a significant effect on the risks of material misstatement. Obtaining an understanding of the company includes understanding:
1) Relevant industry, regulatory, and other external factors;
2) The nature of the company;
3) The company’s selection and application of accounting principles, including related disclosures;
4) The company’s objectives and strategies and those related business risks that might reasonably be expected to result in risks of material misstatement; and
5) The company’s measurement and analysis of its financial performance.”
In addition, “To assist in obtaining information for identifying and assessing risks of material misstatement of the financial statements associated with a company’s financial relationships and transactions with its executive officers (e.g., executive compensation, including perquisites, and any other arrangements), the auditor should perform procedures to obtain an understanding of the company’s financial relationships and transactions with its executive officers. The procedures should be designed to identify risks of material misstatement and should include, but not be limited to (1) reading the employment and compensation contracts between the company and its executive officers and (2) reading the proxy statements and other relevant company filings with the Securities and Exchange Commission and other regulatory agencies that relate to the company’s financial relationships and transactions with its executive officers” (AS 2110.10).
GAAS defines 2 types of deficiencies in internal control over financial reporting.
“A deficiency in design exists when 1) a control necessary to meet the control objective is missing, or 2) an existing control is not properly designed so that, even if the control operates as designed, the control objective would not be met.
A deficiency in operation exists when a properly designed control does not operate as designed or when the person performing the control does not possess the necessary authority or competence to perform the control effectively.” (AU-C 265.07).
In addition, GAAS defines a material weakness and significant deficiency in internal control. A material weakness is a “a deficiency, or a combination of deficiencies, in internal control over financial reporting, such that there is a reasonable possibility that a material misstatement of the entity’s financial statements will not be prevented, or detected and corrected, on a timely basis. A reasonable possibility exists when the likelihood of an event occurring is either reasonably possible or probable as defined as follows:
Reasonably possible. The chance of the future event or events occurring is more than remote but less than likely.
Probable. The future event or events are likely to occur.
Significant deficiency. A deficiency, or a combination of deficiencies, in internal control over financial reporting that is less severe than a material weakness yet important enough to merit attention by those charged with governance”. (AU-C 265.07).
GAAS is clear that any significant deficiency or material weakness in internal control deficiencies that are discovered during the audit must be communicated with management. “The auditor should communicate in writing to those charged with governance on a timely basis significant deficiencies and material weaknesses identified during the audit, including those that were remediated during the audit.” (AU-C 265.11). “The auditor also should communicate to management at an appropriate level of responsibility, on a timely basis.
1) In writing, significant deficiencies and material weaknesses that the auditor has communicated or intends to communicate to those charged with governance, unless it would be inappropriate to communicate directly to management in the circumstances.
2) In writing or orally, other deficiencies in internal control identified during the audit that have not been communicated to management by other parties and that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention. If other deficiencies in internal control are communicated orally, the auditor should document the communication” (AU-C 265.12).
4. Related Parties
In addition to the lack of internal control, related party transactions are material and pervasive through the financial statements, as evidenced by the financial statements in the bankruptcy filing. The Financial Accounting Standards Board (FASB) has issued standards regarding related party transactions and the appropriate accounting and disclosure of such transactions. “Financial statements shall include disclosures of material related party transactions, other than compensation arrangements, expense allowances, and other similar items in the ordinary course of business. However, disclosure of transactions that are eliminated in the preparation of consolidated or combined financial statements is not required in those statements. The disclosures shall include:
1) The nature of the relationship(s) involved
2) A description of the transactions, including transactions to which no amounts or nominal amounts were ascribed, for each of the periods for which income statements are presented, and such other information deemed necessary to an understanding of the effects of the transactions on the financial statements.
3) The dollar amounts of transactions for each of the periods for which income statements are presented and the effects of any change in the method of establishing the terms from that used in the preceding period.
4) Amounts due from or to related parties as of the date of each balance sheet presented and, if not otherwise apparent, the terms and manner of settlement.” (850-10-50-1).
“Notes or accounts receivable from officers, employees, or affiliated entities must be shown separately and not included under a general heading such as notes receivable or accounts receivable.” (ASC 850-10-50-2).
“Transactions involving related parties cannot be presumed to be carried out on an arm’s-length basis, as the requisite conditions of competitive, free-market dealings may not exist. Representations about transactions with related parties, if made, shall not imply that the related party transactions were consummated on terms equivalent to those that prevail in arm’s-length transactions unless such representations can be substantiated.” (ASC 850-10-50-5). In situations like this, related party transactions are so pervasive that the financial statements may not present economic reality. As stated earlier, FASB Concept Statement No. 8; “The objective of financial reporting is to provide financial information about the reporting entity that is useful to existing and potential investors, lenders, and other creditors in making decisions about providing resources to the entity.”
Furthermore, “If the reporting entity and one or more other entities are under common ownership or management control and the existence of that control could result in operating results or financial position of the reporting entity significantly different from those that would have been obtained if the entities were autonomous, the nature of the control relationship shall be disclosed even though there are no transactions between the entities.” (ASC 850-10-50-6).
5. Conclusion
When considering which opinion to issue on the financial statements of FTX, it is clear that a modified opinion is required. These related party transactions coupled with the lack of internal control would leave the auditor unable to obtain sufficient appropriate evidence to conclude that the financial statements, as a whole, are free from material misstatement. When related party transactions and the lack of disclosures related to related party transactions are so pervasive, the financial statements do not reflect economic reality. With the lack of audit evidence available, it is also inappropriate to issue an adverse opinion stating the financial statements have material and pervasive errors. Rather, the auditor should disclaim an opinion on the financial statements of FTX. In addition to disclaiming an opinion on the financials, an Emphasis of Matter paragraph would likely be appropriate. This paragraph should highlight the material and pervasive related party transactions. This paragraph would give the readers of the financial statements an understanding that the related party transactions are so pervasive that the financial statements may not reflect economic substance. In the bankruptcy filing, Mr. Ray echoes my conclusion, “I have substantial concerns as to the information presented in these audited financial statements, especially with respect to the Dotcom Silo. As a practical matter, I do not believe it appropriate for stakeholders or the Court to rely on the audited financial statements as a reliable indication of the financial circumstances of these Silos” (FTX Trading LTD. et al., 2022) .