The Plot Thickens – Price Waterhouse India Plausibly Culpable
Reports published by The Times of India and The Business Standard say that India’s Serious Fraud Investigation Office (SFIO) has found the Price Waterhouse auditors involved in the Satyam account:
“knowingly certified the inflated and forged balance sheets prepared based on forged FDRs and other data..”
The CBI chargesheet says that both the auditors after facilitating projection of falsified data made “misleading” presentations to the audit committee of Satyam about the financial health of the company.”
This finding was a surprise to Price Waterhouse, according to press reports, since firm leadership supposedly thought that the statement of the Satyam CFO, clearing the auditors of involvement, would be enough to get them out of jail. Obviously they do not watch Law and Order: Criminal Intent. When a guilty party makes a statement, it lacks credibility and often has an ulterior motive. The Price Waterhouse partners are still in jail.
As with many other examples of “alleged” negligence and complicity by auditors, such as in the recent lawsuit against KPMG in the New Century case, there are often others both in the company and in the firm who tried to tell the audit partners that there was a problem, only to be ignored. The partners in both Price Waterhouse re: Satyam and KPMG re: New Century allegedly deliberately ignored their own experts in order to please their clients and, therefore, continue to receive the millions of dollars of fees for the certification of financial statements that proved to be worthless to investors and regulators.
“…these two auditors ignored the findings of even their internal checking team. The Head of Information Systems Audit of Price Waterhouse in the course of an ‘information technology general check’ found a staggering 180 deficiencies. This was communicated to the audit team who were told that the IT systems in existence in Satyam were “not fully integrated and subject to manipulation,” the chargesheet says.Gopalakrishnan and Talluri were told that “in the light of the above deficiencies substantial and elaborate examinations of the financials should be conducted.” But the two at different points of time did not make any change in their audit plans.”
“PricewaterhouseCoopers is overhauling its operations in India two months after starting an investigation into fraud at one of its Indian clients.
The auditor, which has nine offices and thousands of clients in India, said Thursday that it would make sweeping changes to “re-emphasize quality.” They include adding a five-member advisory board in India, appointing a new head of risk management from outside India to oversee work in the country and a new auditing team in India, and changing the management in its office in Hyderabad.”
“The crisis has forced PwC to take a closer look at its global processes and procedures to make critical changes, wherever necessary. “For our clients, stakeholders, regulators and to protect our integrity, we have done an extensive review of our processes globally. We are looking at our own standards to see if there need to be some changes. We are not taking this lightly,” said DiPiazza. The changes, which are in the process of being implemented, include review of audits, training of partners, periodic rotation of partners, among other things. On the Satyam scam, DiPiazza said: “What we understand is that this was a massive fraud conducted by the (then) management, and we are as much a victim as anyone. Our partners were clearly misled.”While the firm has little control over the case, it is trying to salvage the situation by instilling confidence among its clients and demonstrating its commitment to the highest standards.”
“Accountancy firm Pricewaterhousecoopers (PwC) will bring in partners from abroad to audit Indian clients after its image was tarnished by the Satyam swindle, a report said Wednesday.
PwC said it was acting after its audit arm Pricewaterhouse signed off on Satyam Computer Services’ accounts, which were later found to have been falsified for years.
“We want to convince our stakeholders that the processes at PwC are of the highest quality,” global chief executive Samuel DiPiazza was quoted by The Economic Times as saying…
The partners who will independently audit PwC’s clients in India will be brought in from its international affiliates in a move to preserve PwC’s position in the fast-growing and competitive Indian market, the newspaper said.”
It seems that Mr. Di Piazza, the Chairman of PricewaterhouseCoopers International Limited, has quite a bit more control and influence over the Indian firm, even though,
“PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.”
All the work Di Piazza is doing to fix the problems in India actually negates their long-held contention and previously handy and convenient legal defense:The global firms don’t have control over the operations of their “member firms” worldwide.
Which is it, Mr. Di Piazza?
The lawsuits, pending now and to be filed, will most assuredly accuse the International umbrella firm of negligence in the same way that the Deloitte Parmalat suit filed by Stuart Grant, the KPMG New Century case filed by Steven Thomas, and the pending case against BDO International, also by Mr. Thomas, have done, which is to say essentially that,
“KPMGI specifically represented that it would ensure that member firms’ work, including their audits, would meet professional standards and regulatory requirements: “[KPMGI] has established policies and procedures to which member firms must adhere to help ensure that the work performed by member firm personnel meets the professional standards, regulatory requirements and the member firm’s quality requirements applicable to their respective Audit, Tax or Advisory services engagements.” Via these policies and procedures, KPMGI promised the public it would “maintain the quality and integrity of the accounting profession [that] is vital to the confidence in our global capital markets.”
KPMGI’s expansive rights of control ensure “globally consistent services” and include the most fundamental right — the right to take away the “KPMG” brand and put member firms out of business. According to KPMGI’s annual report, membership with KPMG can be terminated if a firm acts “contrary to the objectives of the KPMGI cooperative” or KPMGI’s policies and regulations. KPMGI thus can fire KPMG LLP at any time.
KPMGI also promised the public “globally consistent training for all auditors within KPMG member firms” and enforced its quality requirements through “an established set of supervisory, review and consultation standards supported by leading technology.” “
It may be, and I would bet, that Mr. Di Paizza’s decision to retire six months early from the International firm Chairmanship of PWCIL is because he expects to be named individually in the suits against PWCIL, as Mr. Copeland, Former Deloitte CEO, is in the Deloitte Parmalat suits. In that case, it’s best for him to have the time and the firm’s money available, free and clear of any leadership responsibilities, to defend himself.
Photo Credits:
a message to the big 4: please, no more screw ups. i really don’t want to end up working for the government.
This comment is not at all surprising to me:
“information technology general check’ found a staggering 180 deficiencies. This was communicated to the audit team” and “the two at different points of time did not make any change in their audit plans.”
I have seen this situation many times (and would say that 180 deficiencies is not at all unusual for a large / complex IT organization) – there is a gap between IT and audit teams and audit teams fail to recognize / understand and address issues found in IT testing. This is intended to be a statement of fact and not a judgment on audit teams (I certainly don’t understand the details of mark to market accounting!) – but it is unfortunately very common…..IMHO It is a rare time when (enlightened?) audit senior managers / partners really take IT findings on board seriously for various reasons.
There are also often gaps on the client side too – meaning that the CFO may not be up to speed on their own IT issues – which then means the audit partner does not want to be the one raising IT issues to them. So the issues get classified as minor issues “to be addressed next year” or similar to sweep them under the rug……
This does not really surprise me, though it saddens me.
PwC has focused almost exclusively on U.S. audits for many years. That’s where it thought the risks were, and that’s where it thought the money was as well. (I.e., can anybody spell SOX?) It’s international partnerships have been left to twist in the wind.
When I say PwC focused on the U.S., I really mean to say that the U.S. partnership actively disincentivized its partners and staff from working with their international counterparts to share best practices and lessons learned. When I say disincentivized I really mean to say penalized. International billable hours were suspect, and international revenues were not counted toward sales metrics. The only metrics that counted at year-end were U.S. metrics, period.
Fran, I hear what you’re saying in your post above, but I believe that PwC has actively discouraged its partnership from acting as a global firm for many years. Now it is reaping the results of such a myopic management approach.
Does this wake up the industry, that moving major parts of US AUDITS offshores to India sweatshops is the DUMBEST idea in the history of the big 4?
Now Now – PwC is using India and Argentina…
“…and a new auditing team in India, and changing the management in its office in Hyderabad.” at least they are doing some good despite fooling themselves by saying they did no wrong and the partners were misled…no one else is fooled except pwc themselves..
when will they ever change the leadership at deloitte and other big 4’s…we need a fresh outlook
@Big4 IT audit, you are right. But keep this in your mind. No one at Big4 cares about IT audit. This sounds crazy, but you know what I am talking about. As an IT auditor at Deloitte, I can tell you, that this is the worst career path you could select in big4.
First, your financial auditor peers do not care about your work. By guidelines, they have to allocate certain hours to the IT work you do, but in their mind, this is the least thing they want to do. They see absolutely no value for what you are doing for them. If you have findings, they don’t understand nor they care how the findings have impacts to the overall financial statement. They just want you to get rid of them. If the findings are significant, the audit partners would find any reason to “rationalize” the findings, and make them “not a big deal” Of course, wherever there is a fee pressure from the client, the IT part is the first one to be cut.
Second, you client does not care about your work. Remember, they pay the money for the financial statement audit. The IT part, to them, is just a value added part for their money. They would be happy to hear that there are minor findings and what they can improve. But if you tell them the finding is “significant” to the financial statement, they would make sure to work with the partners to make it “not a big deal”.
Third, this is the worst one; your own group leaders (in my case, the ERS leaders) don’t care about your work either. Why, because IT support works never brought them the big money. Yes, those are stable revenue from audit, however, it won’t compare to other fancy consulting works they are selling. Plus, working on IT part of audit makes them to work under partners at financial audit side. They hate that so much. If there are significant findings, they would make sure to work with the client to make it “not a big deal”. I have been in Deloitte for many years; I have not seen any of our leaders ever had any conservation with us to discuss how to improve the work, our skill set etc. No one in the group cares about what we do. To the partners, the work just a stream of revenue for them, but they don’t see much of value for work and the people who work on those jobs. The IT audit works don’t sell…
Finally, the SOX 404 is killing the IT auditor’s career at Big4. For those who do IT work at big 4 for more than 10 years would agree with me here. Remember, the focus of SOX is only on financial statements. Therefore, anything other than financial statement is not relevant. To all IT auditors, remember the good old days, we could do whatever we wanted? We could do a detail DB2 security review; we could run a script on UNIX servers and tried to find out any hackers, we could be actually testing the integrity of the change management system… Not any more. Now all we do is to attest the stupid management assertions. We are like a compliance office more than an auditor. What is the value to the client? Zero, none!!!. My senior manager once told me a good story. When he was a staff, he found out that all users at the client’s system had read access to its payroll info. That was a great finding, and he was rewarded by his manager for that. Now, if we had the same finding, we would be shut down by the partner or the client immediately. Why? What does the read access to payroll file have to do with the financial statement?
Sad!!!
Here is my advice to all of you who wants to become an IT auditor: Don’t be one, at least don’t be one at big 4. There is no future for that. No one cares any more.
Francine:
I have followed this story closely and made some of the same points about PWC you have. It is inconceivable to me that PWC India was fooled. Further, there are many others in PWC India who knew what was going on at Satyam.
@ Anonymous 7.
I couldn’t agree more, and as an audit manager have experienced everything you mention first hand. Like you say, I think the main problem is that audit teams don’t understand the IT and IT teams don’t understand the audit. So it ends up being either – argue away any IT related issue, or just substantively audit everything. Both approaches being a nightmare.
In my firm, the IT work also seems to have been designed way, way back in the day, and I’m sure some of the partners still fondly remember hand written ledgers before all these newfangled computers made things difficult to see clearly (black box mentality). The classic example is approach to journal entries – which is a blank box in the standard audit programs to be filled in by audit team – everything in the accounting system is a journal entry, how the hell do we audit them!!! Or maybe I’m just displaying my ignorance :-/
@Sceptical:
Yup – displaying your ignorance I’m afraid…
You need to go back how things were viewed in the paper days, with the Books of Prime Entry. Tests of journal entries relate to those where the BPE is the “journal”. All other BPEs are initiated by source documents – purchase invoices for the PDB, sales invoice for the SDB, receipts/dockets for the CDB.
The _only_ effective way of auditing journals testing is through CAAT – if your firm is not requiring the use of a tool such as IDEA then the firm appears to be box ticking rather than actually providing assurance.
Few questions:
1.For 20 quarters the auditors did not receive direct confirmations from 5 banks-that makes it 100.Even if they received 1, the fraud would have been blown.Did they or did they not receive the confirmation
2.Did the auditors send requests for direct confirmation with amounts? If they did then the banks would be shocked out of their wits and immediately respond-would n’t they
3. There is evidence that the auditors received by e-mail a whistleblower’s allegation that the bank deposits did not exist-what did they do upon receipt of the mail addressed to Krishna Palepu forwarded to S Gopalakrishnan?
4.If the auditors are innocent and fresh as driven snow why has PwC suspended them? Is not unfair to suspend someone without proof of guilt?
5.What is happening to the Global Trust Bank enquiry where the bank collapsed and the investors lost their money-ditto for DSQ Software where the founder is cooling his heels in jail-both were audited by PwC
@ slightly less sceptical
So then I get a whole list of journals posted in the middle of the night, round sum journals etc etc that I have to substantively check?
Thanks for the free training here btw 😉
Skeptical,
If you’ve audited the balance sheet and audited the income statement, then you’ve substantively tested every journal entry for the period. Journal Entry testing, while required, is also redundant.
@ClownCollege:
How do you substantively test the income statement? Potentially possible to do it on sales if all sales are contracts, but on expenditure?!
@Sceptical:
Possibly shouldn’t have posted while pretty much asleep – sorry!
My favourite is more along the lines of check all the journals, net impact on sales is less than TE, on cash inconsequential —> No further work necessary.
@7 – Anonymous. Totally agree with your post. I suspect you and I have had that same discussion in person….maybe the internet isn’t that anonymous… 🙂
I concur with Anonymous #7.
If you are viewing the Big 4 as an option go with financial audit. If you were on a Computer Science or Applied Mathematics track and a big 4 recruiter approached you about IT audit ignore them and look into a career that can use your knowledge to the fullest extent.
IT audit is simply put where audit firms place people to die. We have managers who were canned from internal audit, and financial audit who have been with the firm for more than 10 years (Not senior manager yet, or director….hello what are you doing?). We have senior associates who were denied the manager position in these practices and have been with the firm seven years or more.
If you are looking to innovate and provide proactive solutions go somewhere else. Here you will be asked to do mindless testing, (the results of which do not matter), questioned by your own audit personnel whenever you DO find anything. And generally mocked and disregarded in general.
It’s true a better understanding of ITGC’s would help the sudit teams, and a better understanding of the AUDIT would help IT auditors. But you’ll often find audits are either planned to:
1. Be mostly substantive thus ITGC’s do not matter much at all.
OR
2. Be control reliant and thus have a clean ITGC bill. Try posting items to the SAD in this case and see watch the fireworks….
@16:
Very true. It’s a pity that the IT skills of most auditors are so shocking.
16 – That’s really bad. I’m on the financial audit side, but it’s no secret that IT audits can easily catch an unbelievable number of breakdowns in internal control, which highly influences the degree and extent of financial audit testing.
@18 “It’s no secret” ? I would hope it would be more than that to anybody who’s read ISA330.
Please be “Skeptical” not “Sceptical”
Oh sorry, guess “Sceptical” is British
16 – Anybody who think that logic and methodology has a place in Audit does not work long enough in Audit. Most of the procedures that are performed during the audit are aimed at preventing liabilities to the audit firm, not at providing assurance to the user of the annual report (or may I dream for a moment…insight in the company). I have never seen any Quality System in the Big4 that is aimed at creating a better / more efficient or effective audit. Why not? Because a Quality System (the records) could pose a risk concerning the liability of the firm during an investigation. There is no incentive to work smarter, better or communicate more in audit teams, eventually the “product” that you deliver is a signature, so why would you improve the process to come to that signature, you can better improve the procedures to shield you from liabilities. Who will think about the risks at a firm? A senior manager with 8 years experience will facilitate the discussions about risk of 6 persons staff, who have an average age of 25, and have never worked outside audit. Please.
Some companies are too big to fail, some companies are too big to audit. Some audit firms are too big to see their mistakes.
I agree that there is a big disconnect between fin. audit and IT audit. As there is a big disconnect between risks and audit, methodology and practice, etc. The Partner model fails, It is all about making money, nobody cares.
– Cynic
@ anonymous 21 – No, its the English language.
Wow — IT audit getting a bad rap… well, I concur. I have rarely had a good experience with them.
If you have computer or applied math background though — consider Forensic. In our practice we have much more robust technical skills.
On this one I can agree… IT audit seems to be made up of people who could not cut it anywhere else. They have minimal at best computer skills and over the years have messed up my projects more often than not. I have found one one (out of say 50-100) IT audit professionals who even had a clue. I do not recommend anyone join that practice if they have any skills. But for the applied math/comp sci geeks out there — consider Forensic.
@25 – I think that is a over-generalization and offensive to the many skilled IT auditors working at the big 4. Having said that, I agree that often the IT audit standards are not what they should be. There are many reasons for it, but I believe the main thing is that the big 4 are not teaching people to be true auditors any more. They are taught to be form fillers, completing checklists and not finding issues. What’s the reward for finding a big issue at a SOX client? Hundreds of extra hours, painful meetings / calls, documentation and eventually the partner rationalizing why it’s not an issue. Why do you think the skilled IT folks don’t last in the big 4? They never use their IT skills….
You can put a good part of the blame of this on SOX which removed many key parts of the audit process for more junior staff. The days of an inquisitive auditor digging in areas that they feel are risky / of interest are dwindling. Everything is defined, planned, sanitized so much that in many cases the clients know or can guess what they are going to be asked in advance. How can you really be auditing someone if they are able to prepare all the information you need in advance of your first meeting? Post #7 captured this well too.
The scary part is that many of these folks who joined the audit world post SOX are now making it to manager etc and IMHO there are some serious skills gaps with the skills / training that they have and are providing. I have seen staff who have worked for a couple of years join a non-SOX engagement and not understand why their client didn’t have their controls documented. They were lost and didn’t know what to audit…..
@27-I agree I over generalized. But it is my experience that they (as a group and not as individuals – and all I know is my firm and region) are flat out incompetent. I have had a major issue with them this week that. I provided the query to extract data and they not only didn’t use it, but pulled incorrect data more than once. As a result my team had to pull multiple all nighters, debug the IT audit team’s code, and work all weekend. This is far from the first time this has happened. They do not check their work as a general rule. Maybe they do SOX audits well — although your comments imply to me that there are problems with the methodology not necessarily the talent pool. But they are not good at doing simple data pulls.
@28: Fair enough. In many cases the issues I have seen come down to lack of knowledge or incorrect assumptions on both sides. Sometimes the IT auditors don’t know enough about what audit teams want done and may not have the financial audit experience to ask the right questions. A financial auditor finds it second nature to tie balances and prove reports – an IT auditor probably doesn’t. On the other hand, I have seen many IT audit / data analysis procedures dismissed as simple by audit teams who don’t understand the complexities behind it. The real answer is for both sides to learn more about the other and their needs / requirements. Then the world will be a better place…. 🙂
PS – (the comment re simple procedures wasn’t directed at you – nothing personal)