A $50 million fine against KPMG LLP for its use of stolen regulatory information to cheat on audit inspections wasn’t a surprise: The Wall Street Journal warned last week that the Securities and Exchange Commission was ready to impose such a move, and the scandal had been known about for more than a year.
The record fine was a solid jab but no knockout punch. But then came a left hook out of nowhere.
The SEC revealed Monday a much larger scandal than was previously known: KPMG auditors, including some senior partners in charge of public company audits, cheated on internal tests related to mandatory ethics, integrity and compliance training, sharing answers with other partners and staff to help them also attain passing scores. In addition, for a period of time up to November 2015, some audit professionals, including one partner, manipulated the system for their exams to lower the scores required to pass.
Twenty-eight of these auditors did so on four or more occasions. Certain audit professionals lowered the required score to the point of passing exams while answering less than 25% of the questions correctly, the SEC says.
“The new test-cheating scandal suddenly seems more alarming than the ongoing PCAOB ‘steal the exam’ scandal because the unethical behavior went on longer and is potentially more widespread,” Matt Kelly, editor of the Radical Compliance newsletter and a longtime observer of corporate governance and compliance issues, told MarketWatch.
“There’s plenty of evidence of chronic, widespread and intentional illegal behavior by senior partners including some leading public company audits for the firm,” Kelly said. “And yet, prosecutors can’t really impose criminal charges against the firm.”
Five former KPMG officials – including its former national managing partner for audit quality and professional practice – and one former PCAOB official were charged last year in a case that alleged they schemed to interfere with the PCAOB’s ability to detect audit deficiencies at KPMG. The SEC said the senior KPMG partners sought and obtained confidential PCAOB lists of inspection targets and then led a program to review and revise certain audit work papers after the audit reports had been issued in order to reduce the likelihood of deficiencies being found during inspections.
Three have pleaded guilty, two were found guilty and one is still pending trial.
The SEC’s order says KPMG must “cease and desist” violating the securities laws and is required to evaluate its quality controls relating to ethics and integrity and identify audit professionals that violated ethics and integrity requirements in connection with training examinations within the past three years. KPMG must also hire an independent consultant to review and assess the firm’s ethics and integrity controls and its investigation of the cheating scandal.
KPMG admitted the SEC’s allegations. Calls to KPMG for comment were not returned.
Largest SEC fine is small compared with other punishments
This latest fine ties the largest ever imposed by the SEC on an audit firm, but is dwarfed by other recent fines and settlements absorbed by audit firms with no hiccup.
In 2003, KPMG and five of its partners – including the head of the firm’s department of professional practice – paid a $22 million fine in connection with the 1997-2000 audits of Xerox Corp. . That same month, the SEC announced that Deloitte & Touche LLP would pay $50 million – the largest fine the SEC had ever obtained from an audit firm at that time – to settle charges stemming from its year 2000 audit of Adelphia Communications Corp.
The Justice Department fined Deloitte $149.5 million in early 2018 for allegations of False Claims Act violations related to its audit of bankrupt mortgage issuer Taylor Bean & Whitaker, despite no criminal complaint filed. It’s one of the largest audit-related fines, settlements or damages awards ever against an audit firm but got very little media coverage.
In March, the Federal Deposit Insurance Corporation agreed to a $335 million settlement with PricewaterhouseCoopers LLP for professional negligence claims it brought related to the audits of Colonial Bank which failed in 2009. The settlement came after a federal judge held PwC liable for professional negligence for its audit of Colonial Bank after a bench trial and on July 2, 2018, awarded damages of $625 million to the FDIC for its losses. PwC had said it planned to appeal the verdict.
See also: The auditor of Citi, Credit Suisse and Deutsche Bank was tipped off before regulatory inspection
Jim Peterson, a former attorney for defunct global audit firm Arthur Andersen in Europe and author of “Count Down: The Past, Present and Uncertain Future of the Big Four Accounting Firms,” told MarketWatch: “It’s overdue to get the discussion of financial fragility of the global audit firms on the table. There’s no point in talking about a larger penalty. If you made it $1 billion likely KPMG could not raise the money from its own network or outside sources. Between the two violations, and at the scale of $50 million, it seems we are in ‘too vital to kill’ territory.”
The test cheating related to a variety of subjects relevant to the professionals’ audit practices, including additional training required by a 2017 SEC enforcement action that charged KPMG with engaging in improper professional conduct in the audit of the financial statements of an oil and gas client that caused reporting violations. As part of the settlement, the SEC ordered KPMG to ensure its audit staff complete specific training programs in various technical accounting areas and to cough up the audit fees it earned plus interest of $5.1 million.
Will the penalty even matter?
MarketWatch asked SEC officials on a media call if there were any more details on investigations of the impact of both scandals on the audits of public companies. An SEC official would not provide any details about ongoing investigations but instead directed those on the call to SEC chairman Jay Clayton’s statements to the public when the “steal the exam” scandal broke in January 2018.
“Based on discussions with the SEC staff,” Clayton wrote at the time, “I do not believe that today’s actions against these six individuals will adversely affect the ability of SEC registrants to continue to use audit reports issued by KPMG in filings with the Commission or for investors to rely upon those required reports.”
Read: KPMG indictment suggests many who weren’t charged knew regulator data was stolen
“The more details that emerge, the more difficult it is to keep believing Jay Clayton’s early statements that investors have nothing to worry about,” said Kelly. “The SEC has provided no details about its investigation of actual impact on issuers, so it strains credulity to think that this egregious behavior wouldn’t affect audit quality somehow.”
“The conduct outlined in the order is so egregious, detailing a culture which is completely unmoored from any ethical foundation, that any company using KPMG as an auditor must ask some very serious questions about not only the quality of the services they have received but also the very foundation of those services,” Tom Fox, an attorney and independent consultant who assists companies with anticorruption and antibribery compliance, wrote on his blog.
“If these partners and staff are willing to lie, cheat and steal to defy the PCAOB and the SEC, what must they be willing to do to please clients and generate more profits?” Fox told MarketWatch in an interview.
Read also: KPMG won BBVA audit with stolen data about rival’s inspections
For more: KPMG turned to Palantir to help predict which audits would be inspected
In the 2017 case, KPMG also violated Sections 4C and 21C of the federal securities laws, which means they did not possess “the requisite qualifications to represent others,” and were “lacking in character or integrity, or to have engaged in unethical or improper professional conduct” and “willfully violated, or willfully aided and abetted the violation of, any provision of the securities laws or the rules and regulations.”
However, in 2014 the SEC had also ordered KPMG to “cease-and-desist” violating the same securities laws it said it violated in 2017 and that the firm violated again in Monday’s order, Sections 4C and 21C of the Securities Exchange Act of 1934.
In the 2014 case, the firm also violated Rule 102(e), which requires auditor independence. For that it was fined $8.2 million, and also ordered, as in 2017 and in Monday’s order, to hire an independent consultant and conduct a review of its weaknesses, including developing new policies and procedures and training to address staff knowledge deficiencies.
KPMG also received an SEC censure each time.
Peterson told MarketWatch that we’ve perhaps run out of effective penalties for the global audit firms.
“If you can’t take penalty steps that include a criminal indictment or a financial penalty that is truly a deterrent, you have consider imposing a forced change in firm leadership. Can the SEC force out an audit firm CEO? Would they?” asked Peterson.