Patisserie Valerie: a case for internal audit

BDO looks at the Patisserie Valerie fraud and the perils of neglecting independent assurance

In October 2018, the AIM market was shaken by the news that shares in Patisserie Holdings Plc had been suspended following the revelation of a black hole in the finances of the business of around £40m. In a statement to the market the Board confirmed that “there is a material shortfall between the reported financial status and the current financial status of the business. Without an immediate injection of capital, the directors are of the view that that is no scope for the business to continue trading in its current form.”

PwC was appointed by the Board to undertake a forensic investigation. Following the initial investigation, the Board confirmed that “historical statements on the cash position of the company were misstated and subject to fraudulent activity and accounting irregularities”.
Then, hours later, the Board made the fresh announcement that it had just become aware of the winding-up petition by HMRC for £1.14m against Stonebeach Limited, a key trading subsidiary of the business.

From winning IPO of the year in 2015, a business valued at around £450m one day before the shares were suspended was now unable to confirm whether it could meet its liabilities.
Despite considerable efforts to save the business – including the injection of £20 million by the founder and a further £15m raised from institutional investors – Patisserie Holdings Plc went into administration in January 2019 and the business was sold the following month.
Details of the nature of the fraud have begun to emerge as the initial findings of the PwC investigation have been leaked to the media. It is alleged that the accounting records contain thousands of fraudulent entries going back several years, including fabricated invoices, double-counting of voucher sales and manipulation of cheque payments between accounts to inflate working capital at year end.

Board resolutions and directors’ signatures had also been allegedly forged to provide the authority necessary to open ‘secret’ bank accounts and overdrafts that had not been included in the accounting records.

The fraud therefore appears to have involved a comprehensive manipulation of the financial records of the business. The volume of fraudulent transactions and the extent of the deception required the collusion of several individuals with access to the accounting systems. The Finance Director of the business was arrested within days of the fraud coming to light. The Serious Fraud Office has opened an investigation into his conduct and recent media reports suggest that a further five members of staff are also being investigated.

Why was the fraud not detected?
It seems remarkable that a fraud of this scale could have been committed in an AIM listed company required to report regularly to the market – a company that had adopted many of the recommended features of effective financial governance including financial reporting to the Board, an Audit Committee and an annual external audit.

The Board and management must take much of the responsibility, and those innocent directors and managers who have been caught up in this are probably asking themselves why they didn’t challenge the financial reporting with more rigour, or act upon any suspicions that they may have had. More importantly, the financial governance framework established and relied upon by the Board appears to have failed in a number of key respects.

Much of the focus has been upon the role of the external auditors, given that the accounts for the business had been consistently signed off with unqualified audit opinions. This has been the subject of numerous articles in the media and follows on from recent highly publicized business failures including BHS, Carillion and Conviviality.

The Financial Reporting Council is currently investigating the audits of Patisserie Holdings Plc undertaken for the past three years. There will be considerable interest in their findings once these are published.

The Audit Committee has also rightly come under the spotlight, with questions raised as to how it met its primary responsibility for monitoring the quality of internal controls and ensuring that the financial performance of the group was properly measured and reported on.

Internal controls do not appear to have been challenged sufficiently and whistle-blowing procedures – another area of Audit Committee responsibility – also appear to have been entirely ineffective.

The Committee comprised three individuals who certainly had the skills to challenge and question the controls over the business effectively. One was a qualified accountant and two had considerable industry expertise, including the Executive Chairman and founder of the business. Two of the Committee members were non-executive directors (NEDs).

However, with hindsight it appears that the Committee took more comfort than was appropriate from the work of the external auditors in respect of the financial controls of the business. It also accepted representations from management without seeking independent assurance. The Committee had not established an internal audit function to provide this assurance.

Had corporate governance best practice been followed in full and an Audit Committee comprising three fully independent NEDs been appointed, a more robust challenge of controls may have taken place.

Internal audit and identifying fraud
An internal audit function may well have been able to identify that fraudulent activity was taking place. The existence of such a function within the business may also have acted as a deterrent. However, the fraud appears to have been well concealed with extensive collusion.

The internal audit function would have needed to be well-supported by the Audit Committee and the Board, independent and properly resourced in order to overcome the likely challenges and efforts made by the finance team to prevent or restrict its access to the financial systems and controls.

Without the full backing of the Audit Committee it may well have been successfully diverted away from reviewing financial controls at all or its scope of work restricted to only those areas that the fraudsters wished it to see.

Internal audits and best practice
In the US, it is requirement of NYSE listing rules for all listed companies to establish an internal audit function. Although it is recommended under the UK Corporate Governance Code and the Quoted Companies Alliance Code, the establishment of an internal audit function is not mandatory.

Instead, Audit Committees are only required to explain in the company’s annual report why an internal audit function has not been established and to describe the other sources of internal controls assurance obtained. As a result, there is a danger that many Audit Committees – like the Committee at Patisserie Holdings Plc – may rely too much on management representations about the operation of controls instead of gaining independent assurance over those representations.

As Patisserie Holdings Plc has demonstrated, for a business with a market capitalisation of £450m, operating a cash based business across 180 stores, reliance on management assurance alone is not sufficient and left the business and its shareholders seriously exposed. NEDs and Audit Committee members elsewhere should now be reconsidering the arrangements in place at the companies where they have responsibility to make sure that they are receiving all the assurances that they require to fulfil their duty to monitor the quality of internal controls.

Where an internal audit function is in place, Heads of Internal Audit should be reviewing their plans to make sure that the risk of fraud has been considered sufficiently.

• Thanks to BDO for this article