The Madoff Case
Chapter 4 of 12 · auditor-failure

Bernard Madoff and the Solo Auditor Red Flag

How one accountant in a strip-mall office certified a fictional empire

On Ross D. Fuerman · 2009 · Journal of Forensic & Investigative Accounting, Vol. 1, No. 1, pp. 1-38 · source

Drive thirteen miles north of Manhattan, past the Hutchinson River Parkway and into the village of New City, and you reach a low brick storefront at 4520 New Hempstead Road. In 2008, the building's tenant directory was short. One of the suites, no larger than a dentist's reception area, contained the practice of Friehling & Horowitz, CPAs, P.C. — a firm consisting of one active accountant, a 78-year-old retired partner living in Florida, and a part-time secretary. From that office, David G. Friehling certified the financial statements of Bernard L. Madoff Investment Securities LLC ("BLMIS"), a global broker-dealer that purported to custody tens of billions of dollars in customer assets. It is the central scandal-within-the-scandal of the Madoff affair, and it is the empirical puzzle that Ross D. Fuerman's 2009 paper sets out to formalize.

Fuerman's contribution, published in the inaugural issue of the Journal of Forensic & Investigative Accounting, is to move the Friehling story from anecdote to dataset. Anyone who looked at the New City office could see, intuitively, that something was wrong. What Fuerman does is show that the intuition was not merely aesthetic. Drawing on 396 auditor-litigation outcomes from 1996 to 2008, he asks a deceptively simple question: are solo and very small audit firms more frequently associated with audit failure than larger firms? His answer, anchored in a logistic regression, is yes — and at a statistically meaningful level. The retention of a one-person firm to audit a multi-billion-dollar broker-dealer was not just unusual. It was, ex ante, a quantifiable red flag. Ross D. Fuerman, Bernard Madoff and the Solo Auditor Red Flag, 1 J. Forensic & Investigative Acct. 1 (2009).

The dataset and what it shows

Fuerman's sample is drawn from the Stanford Securities Class Action Clearinghouse and related litigation databases, coded by the size of the audit firm and by whether the matter resolved in a way consistent with audit failure — settlements above nominal nuisance values, restatements, or SEC enforcement. The headline finding: holding the litigation environment roughly constant, audits performed by firms outside the Big 4, the second-tier nationals, and the regional mid-tier are significantly more likely to map onto outcomes consistent with deficient work. The smallest stratum — sole practitioners and two-to-three-person firms — drives most of that effect.

This is not a novel intuition in the audit-quality literature. Linda E. DeAngelo, Auditor Size and Audit Quality, 3 J. Acct. & Econ. 183 (1981), and a long line of empirical work have argued that audit quality is a joint function of competence and independence, both of which scale (imperfectly) with firm size and brand-name capital at risk. What Fuerman adds is a Madoff-era empirical anchor for the proposition. By 2008, any institutional allocator could have run a similar back-of-the-envelope analysis and seen that the base rate of trouble for firms of Friehling's size was non-trivial.

Why Friehling & Horowitz could not have been auditing BLMIS

The mechanical impossibility is its own argument. A genuine audit of BLMIS — even confined to the broker-dealer, before reaching the investment-advisory book — would have required confirmation of securities positions with the Depository Trust Company, confirmation of cash with custodians, observation of trade tickets against counterparties, valuation of options positions, testing of the firm's purported split-strike conversion executions (buying a basket of large-cap equities, selling out-of-the-money index calls, and buying out-of-the-money index puts), and review of internal controls. One CPA, a retired colleague, and a part-time secretary cannot perform that work. They cannot even staff the engagement.

This was not a secret. Friehling told the American Institute of Certified Public Accountants ("AICPA") every year, on his peer-review enrollment forms, that his firm did not perform audits. That representation was false — and publicly checkable. Fuerman emphasizes the gap between what minimal operational due diligence would have surfaced and what feeder funds, fund-of-funds, and private banks actually did. Fuerman isolates the auditor red flag; Greg N. Gregoriou and François-Serge Lhabitant locate it within a broader due-diligence failure documented in chapter [gregoriou-lhabitant-riot-red-flags]. Friehling pleaded guilty in 2009 to securities fraud and to filing false audit reports with the SEC. United States v. Friehling, No. 09-cr-700 (S.D.N.Y. 2009).

The regulatory gap Friehling exploited

PCAOB jurisdiction and the broker-dealer carve-out

For a law-student reader, the legal architecture is worth pausing on. The Sarbanes-Oxley Act of 2002, Pub. L. No. 107-204, 116 Stat. 745, created the Public Company Accounting Oversight Board ("PCAOB") and required registration and inspection of auditors of issuers. But broker-dealer auditors — even those auditing the largest non-issuer broker-dealers — were left outside that regime. Sarbanes-Oxley § 102 reached only auditors who prepared or issued audit reports for issuers as defined in § 2(a)(7), and BLMIS was not an issuer. Their audits were governed instead by 17 C.F.R. § 240.17a-5, which until 2013 cross-referenced generally accepted auditing standards rather than PCAOB standards and which imposed no peer-review or registration requirement beyond state CPA licensure.

Friehling lived in that gap. He was a licensed New York CPA; he held himself out as not performing audits to escape AICPA peer review; and no federal body had statutory authority to walk into his office and look at his workpapers. The Commission's own examiners, when they touched the BLMIS engagement, did not interrogate that posture — a failure documented at length in chapter [sec-oig-509-madoff-investigation].

The independence question

Beyond size, Fuerman gestures at the deeper problem of economic dependence. A solo auditor whose largest client is also his only meaningful source of revenue cannot, as a matter of incentive structure, exercise the professional skepticism that AU § 230 requires. The Investment Advisers Act § 206 antifraud regime, 15 U.S.C. § 80b-6, presupposes that audited financials of an advised fund convey real information; when the auditor is captured, § 206's prophylactic structure collapses at its base. The custody rule, 17 C.F.R. § 275.206(4)-2, presupposes the same.

The post-Madoff regulatory response

Fuerman's principal policy recommendations were substantially adopted. The Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 982, 124 Stat. 1376, 1929 (2010), amended Sarbanes-Oxley § 110 to bring broker-dealer auditors within PCAOB jurisdiction. The PCAOB then promulgated Rule 4020T, establishing an interim inspection program for registered firms auditing broker-dealers, and issued its first progress report in 2011. PCAOB, Report on the Progress of the Interim Inspection Program Related to Audits of Brokers and Dealers, PCAOB Release No. 2011-006 (Aug. 18, 2011). The Board found audit deficiencies in a majority of the broker-dealer engagements it first reviewed — an empirical vindication of Fuerman's prior. In 2013, the Commission overhauled Rule 17a-5 itself, replacing the GAAS cross-reference with PCAOB standards and requiring that broker-dealer audits be performed under the Board's authority. Broker-Dealer Reports, Exchange Act Release No. 70073, 78 Fed. Reg. 51,910 (Aug. 21, 2013).

Doctrinal takeaway

For the law-student reader, Fuerman's paper illuminates three distinct gatekeeping mechanisms that Friehling defeated, each with its own doctrinal home. First, AICPA peer review, the profession's self-regulatory backbone, contained an opt-out for firms that performed no audits — an opt-out Friehling triggered fraudulently and which the AICPA had no mechanism to verify. Second, state-level CPA licensing, the only mandatory regulatory touch on Friehling's practice, polices entry and discipline but not the substantive quality of audit work product. Third, SEC Rule 17a-5 obligated BLMIS to file audited financials but, until 2013, neither prescribed who could audit nor subjected those auditors to inspection. The Madoff fraud sat at the intersection of three regimes, each assuming another was doing the work. Dodd-Frank § 982 and Rule 4020T close the federal-inspection gap; the doctrinal puzzle of who polices the auditor's auditor, particularly for funds and feeders relying on third-party CPAs, remains live.

Further Reading

  • Ross D. Fuerman, Bernard Madoff and the Solo Auditor Red Flag, 1 J. Forensic & Investigative Acct. 1 (2009).
  • Linda E. DeAngelo, Auditor Size and Audit Quality, 3 J. Acct. & Econ. 183 (1981).
  • Dodd-Frank Wall Street Reform and Consumer Protection Act, Pub. L. No. 111-203, § 982, 124 Stat. 1376, 1929 (2010) (amending Sarbanes-Oxley § 110 to extend PCAOB oversight to broker-dealer auditors).
  • Public Company Accounting Oversight Board, Report on the Progress of the Interim Inspection Program Related to Audits of Brokers and Dealers, PCAOB Release No. 2011-006 (Aug. 18, 2011).
  • United States v. Friehling, No. 09-cr-700 (S.D.N.Y. 2009) (criminal information against David G. Friehling, CPA).

Glossary

  • AICPA Peer Review. A program in which one CPA firm periodically reviews another's audit and attest work for compliance with professional standards. Until Dodd-Frank, firms that claimed to perform no audits — as Friehling falsely did — could opt out, and the AICPA had no independent mechanism to verify the representation.
  • PCAOB. The Public Company Accounting Oversight Board, created by Sarbanes-Oxley (2002) to register, inspect, and discipline auditors of public companies. Dodd-Frank § 982 amended Sarbanes-Oxley § 110 to extend its jurisdiction to auditors of SEC-registered broker-dealers in 2010; PCAOB Rule 4020T established the interim inspection program.
  • SEC Rule 17a-5. 17 C.F.R. § 240.17a-5, governing reports filed by broker-dealers, including annual audited financial statements. Before its 2013 amendments, it cross-referenced generally accepted auditing standards rather than PCAOB standards and imposed no auditor-registration requirement.
  • Split-Strike Conversion. The options-collar strategy Madoff claimed to execute: long a basket of large-cap equities, short out-of-the-money index calls, long out-of-the-money index puts. The strategy was a fiction; no trades actually occurred. An audit competent enough to confirm options positions would have detected this.
  • Operational Due Diligence (ODD). The branch of investment due diligence concerned with a manager's non-investment infrastructure — auditor, administrator, custodian, valuation policies, controls. Verifying the manager's auditor is a minimal ODD step that BLMIS's feeders skipped.
  • Audit Failure. In the empirical literature, an audit that fails to detect or report a material misstatement, typically proxied by restatement, SEC enforcement, or a substantial litigation settlement against the auditor.