HBOS, KPMG and Their Problematic Whistleblower

My guest posting on February 19, 2009 doesn’t seem to be archived over at The Financial Times FT Alphaville site so I’m reprinting it here.

KPMG, external auditors for HBOS, are front and center in the controversy over written testimony from Paul Moore, HBOS’ former head of regulatory risk and a former KPMG partner. Mr. Moore told the Treasury Committee of Parliament that Sir James Crosby, HBOS former chief executive, fired him after he warned the HBOS board in 2004 about its potentially dangerous “sales culture”. Sir James resigned from the UK’s Financial Services Authority last week over the allegations.

KPMG “independently” investigated Moore’s firing at the request of the Board after Moore blew the whistle. As HBOS’ external auditor, they had a fiduciary duty to shareholders, but KPMG is having a hard time convincing anyone of their independence for this assignment. They had a long and very lucrative relationship with HBOS management. Since 2001, HBOS has spent more than £90m with KPMG, including significant fees for work done in its bid for Abbey National in 2004.

External auditors in the United States are severely restricted by the Sarbanes-Oxley Act of 2002 from providing most non-audit services for their audit clients. Arthur Andersen, Enron’s external auditor, had earned significantly more fees for its consulting work than for its external audit of Enron. Many blame Enron for the Sarbanes-Oxley Act and its most restrictive provisions for audit firms. But auditor independence has been a sore subject for years, due to the significant growth during the 1990’s of the consulting revenue for the largest global audit firms.

In the UK, such statutory restrictions from performing consulting work for audit clients do not exist.  Dennis Howlett, author of the blog AccManPro.com, suggests, “UK based audit professionals have always balanced the forms of service that lead to independence conflicts. There is a long tradition of intellectual separation between fiduciary responsibility and consulting engagement.”

Unfortunately, the appearance of independence conflicts for PricewaterhouseCoopers in the Bank of Ireland case – they audit the bank and, at the same time, accepted an engagement from the Irish Financial Regulator to assess the quality of the banks’ loans books in preparation for a nationalization – show that trusting audit firms to avoid conflicts in the face of gargantuan fees is naïve at best.

Global multinationals are recklessly disregarding warnings of internal auditors and risk managers more frequently. They also often ask their own external auditors to investigate serious allegations against management. Internal auditors and risk managers were ignored to the detriment of shareholders in two recent high-profile cases: AIG and Société Générale. KPMG has been an “independent investigator “ for its own audit client in the recent past, in the Siemens case.  None of these stories ended well.

According to testimony given to the US Congress, when an internal auditor questioned the head of AIG’s credit default swap insurance business in London about why he was being excluded from valuation meetings, Mr. Cassano allegedly told the internal auditor:

“…you would pollute the process.”

Chief Internal Audit Executives and Chief Risk Officers may dream of being independent-minded, objective, strong, do-or-die guys but they rarely end up, like Mr. Moore at HBOS, as either heroes or scapegoats.  They are prevented from acting ethically by Audit Committees that are not truly independent of management and by basic survival instincts and self-interest. Usually they just go along and get along.

According to annual reports, Société Générale has elaborate risk management, internal audit, and compliance functions. The 2006 Annual Report, published the year before the January 2008 Jérôme Kerviel “rogue trader” scandal, devotes quite a few pages to the subject of controls. The 2006 report on internal controls prepared and signed by the dual auditors under French law gave Société Générale a clean opinion. No exceptions were cited.

So what happened?

I think we can safely say that the façade of a strong risk management, compliance, and internal audit infrastructure at Société Générale was…

How shall we say?

Une illusion.

Un faux visage.

KPMG, who was Siemens auditor until late last year, found itself a few years ago in the middle of a very sensitive internal investigation for its client. KPMG is now accused of having been part of the problem rather than part of the solution.

US authorities fined Siemens a record $800m on December 15, 2008 to settle a long-running bribery and corruption scandal. This fine and others brought the total cost to Siemens so far to €2.5bn, including €850m in lawyers’ and accountants’ fees. It was the biggest corporate scandal ever in post-war Germany.

When the investigation of the Siemens bribery scandal first began in December of 2006, Siemens Audit Committee hired the law firm Debevoise to conduct an independent and comprehensive investigation of the compliance and control system of Siemens. KPMG was instructed to support them in their efforts.

Later that month, Debevoise hired Deloitte to help with the investigation. In May 2007, Debevoise leaked to the media that KPMG may have had a role in the fraud. In September 2007, Debevoise formally announced that KPMG was officially part of their bribery investigation. Nonetheless, KPMG issued a qualified opinion on Siemens internal controls in November 2007 as part of the annual report to the SEC. Siemens finally replaced KPMG as their auditors with EY in November 16, 2008.

Given the likelihood of accusations and lawsuits against auditors when a scandal erupts, it seems ridiculous to me, whether prohibited by law or not, for an Audit Committee to allow their external auditor anywhere near a high profile internal investigation.  When the auditors are later drawn into the scandal, their “independent” investigative work may be suspect, as has been suggested in the Siemens case. In addition, disclosure of results of investigations to auditors may breach attorney-client privilege and make confidential information vulnerable to legal discovery by a third-party in a lawsuit.