PCAOB Disclosure Of Deloitte Private Report: A Regulatory Inflection Point?

My American Banker column on Tuesday focused on the risks to banks, their audit committees, and shareholders of an auditor who blows off its regulator. Deloitte’s ongoing conflict with the PCAOB poses the risk of undue scrutiny by other regulators and unwanted publicity to all its clients.

I’m surprised there hasn’t been more speculation about who the issuers are in all of Deloitte’s inspections reports. Wouldn’t it be nice if all the issuers in all the inspection reports were disclosed?

Every once and a while someone accuses me of being harder on one firm than another. Typically he/she thinks I’m being too hard on PwC, since I worked there last.  Someone even swore I must have worked for RSM McGladrey given the one or two times I wrote critically about that firm. And there’s a host of folks that think I alternately hate KPMG or Ernst & Young more than the rest.

Deloitte has a special place in my heart. Their office here in Chicago is a really big one. The firm bought my beloved BearingPoint Public Services practice when my employer from my Latin America days went bankrupt. And Deloitte generated probably the most active commenter forums on my blog during their recurring layoffs between 2007-2009.

Right now Deloitte may look like the worst of the Big Four but only because Deloitte is the most publicly incorrigible. That could change at any time. It would be easy to make a case that any of the four largest global firms was on the brink of being put out of their misery, not by an SEC or DOJ charge, but by a preponderance of private legal actions that have become a time and money sinkhole. Deloitte is the current example of a firm – like Ernst & Young is because of Lehman – that’s preoccupied with litigation. They’ve taken their eye off the audit quality ball.

Enron was the catalyst for the U.S. Department of Justice to criminally indict global audit firm Arthur Andersen causing its collapse. But it wasn’t Enron alone that forced DOJ to act. Arthur Andersen made a number of promises to regulators to improve and never sin again that were, over and over, not kept.

In October of 2008, the SEC and FINRA – not Deloitte – caught a Deloitte Vice Chairman trading on insider information in several Fortune 500 clients, including audit clients. Each of those Deloitte audit clients – Berkshire Hathaway among them – was forced to conduct an internal investigation to confirm Deloitte’s independence before Deloitte could continue as the auditor.

The same specific audit engagement criticisms as 2006 show up in subsequent inspection reports for Deloitte’s 2007 and 2008 audits.

• In 2007, application of generally accepted accounting principles and generally accepted auditing standards pertaining to hedge accounting for interest rate swaps, including the failure to identify two related departures from generally accepted accounting principles
• In 2007 and 2008, application of generally accepted accounting principles and generally accepted auditing standards pertaining to the accounting for deferred tax assets, including in one case a failure to identify a departure from generally accepted accounting principles
• In 2008, failure to identify a material weakness in an issuer’s internal controls over its allowance for doubtful accounts

The Deloitte U.S. CEO admitted in its “2010 Advancing Quality Through Transparency Inaugural Report”, that the PCAOB again privately criticized similar quality control issues during inspections of 2007 and 2008 audits. In addition, internal Deloitte reports described more than 475 reprimands to staff and partners in 2009 for infractions such as not following policies regarding auditor independence.

In December of 2010 another Deloitte partner was accused of insider trading.

Many of the audit risk issues described in earlier Deloitte inspection reports show up again in a summary prepared by the PCAOB of its inspectors’ observations during the financial crisis. (The PCAOB says the inspection report for Deloitte’s 2009 audits should be issued by the end of 2011.)

In April of 2011, Navistar – a client for almost 100 years until it fired Deloitte in 2005 – sued Deloitte for fraud, fraudulent concealment, negligent misrepresentations, and professional malpractice amongst other claims. The suit, for 2002-2005 audits, is pending and its merits have not yet been judged. But it raises some interesting issues about the use of the PCAOB’s inspection reports in private litigation, including the non-public portion once it is disclosed.

According to Navistar, the PCAOB selected the company as one of the Deloitte audits to review in 2003 and found several deficiencies. Deloitte audit partners for a Navistar subsidiary,  Christopher Anderson and  Thomas Linden, were sanctioned by the PCAOB. Navistar’s lawsuit claims that Deloitte had a duty to disclose to their audit committee the full scope of what the company says were the PCAOB’s concerns about the auditor’s quality controls. The lawsuit refers to the private portion of Deloitte’s inspection report for 2004 audits.

Why does it take so long for the PCAOB to publish the inspection reports and the public portion of the private report after the firm’s time to respond is up? It’s been five years since the 2006 audits, three years since the inspection report was published, two years since the twelve-month window for Deloitte to make corrections closed.

SEC Rule 104(h)(1), adopted quietly with no comment or press release in the fall of 2010, builds in an additional delay before publishing potentially controversial reports. Although the rule keeps the SEC process private, and the PCAOB is not allowed to discuss whether any particular audit firm appealed to the SEC over its report, the delay allows time for an audit firm to seek SEC redress.

Sources close to the issue tell me Deloitte definitely appealed the PCAOB’s threat to go public.

Keep in mind that while Deloitte bickers with the PCAOB, the audit firm charges hundreds of millions to produce auditor opinions for banks and systemically important companies that were bailed out, forcibly acquired on the brink of failure, or effectively nationalized.

Deloitte was the auditor for Bear Stearns, Merrill Lynch, Washington Mutual, Taylor Bean & Whitaker, American Home, and Beazer. None of these, except Beazer, is still standing. Deloitte has been sued for its audits of all of them.

Deloitte is still the auditor for Fannie Mae, GM and GMAC, and Morgan Stanley. All of these companies received bailouts.

Deloitte also audits the entire Federal Reserve system, and Berkshire Hathaway and BlackRock – two of the major players that supported the recovery of financial system during and after the crisis.

Jim Doty, Chairman of the PCAOB since January, said in a recent speech that the Board was disappointed in the audit firms’ approach to disclosing the results of PCAOB inspection reports to clients. “We hear that auditors are often less than forthcoming with audit committees that try to elicit information about inspection results…”

Here’s a short excerpt from my column on Tuesday at American Banker, “Bankers, Beware An Auditor That Blows Off Its Regulator”.

The PCAOB’s decision to make the 2006 quality control criticisms public, and the fact that the Securities and Exchange Commission allowed it to do so, tell me Deloitte is still fighting the regulators. The deadlines for Deloitte to fix or sufficiently respond to criticisms in the 2007 and 2008 inspection reports have passed. We could soon see previously nonpublic information from those reports, too.

The risk for banks in a situation like this is that an auditor that brazenly irritates its regulator may draw unwanted attention to its clients from their regulators. For example, PCAOB spokeswoman Colleen Brennan reminds me that the SEC knows the names of every company whose audit deficiencies are mentioned in a PCAOB auditor inspection report.

Please read the rest at American Banker.