The PCAOB, the audit industry regulator, shamed global audit firm Deloitte recently when they exposed the private portion of the inspection report of the firm’s 2006 audits. It was the first time that had happened to one the Big Four audit firms, the largest firms that audit the vast majority of publicly listed firms in and out of the U.S..
I’m sure Deloitte, and the rest of the Big Four, thought the PCAOB would never have the nerve.
re: The Auditors has seen a confidential, internal Deloitte training document, prepared this past summer, that reveals the firm expects the worst when the inspection reports for their 2009, 2010, and 2011 audits are published by the PCAOB. The 2009 report should be out by the end of this year. The training document also shows how difficult it is for Deloitte leadership to steer the largest global firm away from the “audit failure” iceberg.
It seems audit competence and capacity to audit complex topics are in short supply at all the firms, based on PCAOB inspection results for audits conducted during the financial crisis period and the reports for 2010 audits at PwC and KPMG released recently. Deloitte has been particularly hard pressed to maintain audit quality since the firm lost several engagements that would have helped to grow specialized knowledge and retain experts. Big clients like Merrill Lynch, Bear Stearns, and Washington Mutual helped pay the bills for subject matter experts and quality control but those revenues were lost to financial crisis failures and forced combinations with better capitalized, non-audit client banks.
I think the PCAOB decided to publicly criticize Deloitte for two reasons.
- The firm has been piling on the negatives via a $1,000,000 fine/disciplinary sanction as a firm for a previous issue, two high level insider trading scandals (Flanagan and McClellan), the failures and frauds of Deloitte China clients CCME, Longtop and now Focus Media, and the specific failures of major clients during the crisis (Bear Stearns, Merrill Lynch, WaMu, Taylor Bean & Whitaker, American Home, and Royal Bank of Scotland, to name a few).
- Deloitte was resistant to the inspections, resistant to the criticisms, and unwilling to make changes based on the PCAOB’s requests. If you can’t fix something that’s one thing. If you won’t and thumb your nose at the regulator, you are getting close to Arthur Andersen-like behavior. We know how that story ended.
If they did nothing, the PCAOB risked having a new major failure of a Deloitte client expose their lack of push on the firm to even respond, let alone improve.
I wrote in American Banker about the special risks to financial services firms when the regulated, like Deloitte, resist the regulator:
The PCAOB’s decision to make the Deloitte 2006 quality control criticisms public, and the fact that the Securities and Exchange Commission allowed it to do so, tell me Deloitte is still fighting the regulators. The deadlines for Deloitte to fix or sufficiently respond to criticisms in the 2007 and 2008 inspection reports have passed. We could soon see previously nonpublic information from those reports, too.
The risk for banks in a situation like this is that an auditor that brazenly irritates its regulator may draw unwanted attention to its clients from their regulators. For example, PCAOB spokeswoman Colleen Brennan reminds me that the SEC knows the names of every company whose audit deficiencies are mentioned in a PCAOB auditor inspection report.
These risks apply to all of Deloitte’s clients and to all public companies if the rest of the firms – KPMG, PwC, and Ernst & Young – are also playing chicken with the regulator.
A little more than a month after releasing the Deloitte private report, the PCAOB released the inspection reports for audits performed by PwC and KPMG in 2009. The Financial Times’ Kara Scannell summarizes the findings:
The Public Company Accounting Oversight Board’s findings from an annual inspection revealed that years after the financial crisis both auditing firms were not adequately challenging companies’ valuations of certain assets when the market for them dried up…
The board reviewed 71 audits completed by PwC in 2010 and 52 audits done by KPMG in 2010.
The Wall Street Journal’s Michael Rapoport tells us how bad the results really were:
The government’s auditing regulator found deficiencies in 28 audits conducted by PricewaterhouseCoopers LLP and 12 audits by KPMG LLP in its annual inspections of the Big Four accounting firms.
The Public Company Accounting Oversight Board said many of the deficiencies it found in its 2010 inspection reports of the two firms, released Monday, were significant enough that it appeared the firms didn’t obtain sufficient evidence to support their audit opinions.
The regulator hasn’t yet issued its yearly reports on its inspections of the other Big Four firms, Ernst & Young LLP and Deloitte LLP.
KPMG’s response to the PCAOB was not quite as belligerent as Deloitte’s persistent irritation at having their “professional judgment second-guessed”. But, it was not exactly conciliatory.
Floyd Norris of the New York Times:
Normally these letters say something like what KPMG wrote:
“We conducted a thorough evaluation of the matters identified in the draft report and addressed the engagement-specific findings in a manner consistent with PCAOB auditing standards and KPMG policies and procedures.”
You may note that said nothing about whether the firm accepted the board’s conclusions or not. That is better than what Deloitte did a few years ago, when it essentially said the board did not know what it was talking about.
PwC, on the other hand, met the regulator more than half way according to Norris:
PwC’s letter addressed that issue, saying that while there were cases where it differed with the board’s conclusions, “they generally related to the significance of the finding in relation to the audit taken as a whole, and not to the substance of the finding.”
“Accordingly,” wrote the PWC officials, “the overall PCAOB inspection results, as well as the results of our internal inspections, were important considerations in formulating our quality improvement plan,” which it then describes.
PwC’s spokesperson sent me this additional statement:
“PwC is built on our reputation for delivering quality. We also recognize that the role we play in the capital markets requires consistent, high-quality audit performance. We therefore are focused on the increase in the number of deficiencies in our audit performance reported in the 2010 PCAOB inspection over prior years. We are working to strengthen and sharpen the firm’s audit quality, including making investments designed to improve our performance over both the short- and long-term.”
Did the quality of the auditing really deteriorate for KPMG and PwC or is the PCAOB getting tougher, and maybe better, at what they do?
We’ll have to see what the upcoming Ernst & Young and Deloitte reports show. Ernst & Young has been criticized for the Groupon multiple S-1 issue, as well as questions about accounting at future IPOs Zynga and Facebook. Now we have Olympus, too. And, of course, the jury is still out on the firm’s role in Repo 105 and Lehman Brothers.
And what about the Deloitte improvement plan for prior years? Has Deloitte accepted the PCAOB’s criticisms and moved on or are they still fighting the regulator? Is Deloitte working hard to get ahead of their 2009, 2010, and 2011 results and avoid the embarrassment or worse – sanctions – if the PCAOB has to publish another private report?
The confidential internal training report, intended to brief Subject Matter Resources (SMR), is called, “FY 2012 Engagement Quality Activities”.
The Audit Quality Activity Plan for FY2012 has been socialized with:
- – The OAQ Steering Committee
- – The Audit Quality Council
- – The RMPs
- – The NPPDs
- – The RILs
- – Leaders in the PPN
- – Extended Leadership Team
- – CFO / CEO
Yeah, that’s a lot of acronyms. And I’m not sure anymore – maybe I’ve been out of the firms too long or maybe I was never in them enough – what “socializing” a quality plan means. Suffice to say, the document, one hundred and eighty-one very dense PowerPoint pages, has tons of information for the SMRs to absorb and pass on to engagement teams like now.
But, by this summer, it was too late to make a difference in the inspection reports for the 2009 and 2010 audits.
- Response submitted on May 4
- Total of 98 comments (56 engagements inspected)
- Expect about 25 engagements to appear in Part I
- Draft report has not yet been issued
- 33 engagements selected to date
- Focus areas
– Continue to include: fair value and impairment determinations; internal controls – Also focusing more on revenue recognition
- 16 completed
– 5 with no written comments
- Total of 24 comments on 11 completed inspections
If Deloitte sent their response to the PCAOB for the 2009 audits on May 4th, why are we still waiting for the final report? Given the PCAOB’s decision to release Part 2 of the inspection report for Deloitte’s 2006 audits last month, I believe Deloitte was still treating PCAOB comments as an affront to partners’ professional judgments.
What are the root causes for so many negative PCAOB comments, according to Deloitte?
When evaluating “what didn’t work” for the various engagement activities, the consistent refrains outlined in the training document are “started too late”, “not enough time”, and “greater discipline and consistency needed”.
But there’s a bigger problem when it comes to audit failures around complex topics like goodwill, deferred tax asset impairment, fair value determination of thinly traded securities, and management estimates of loan loss reserves. There’s a huge intellectual divide between the audit teams and the subject matter specialist teams.
Professionals who are experts in tax or valuation of complex derivatives, for example, are not experts in auditing standards. The auditors, and the education they receive in universities and in the firms, focuses on the technical aspects of accounting – they know GAAP chapter and verse but not GAAS. That’s how we ended up with a defense of Repo 105 from Ernst & Young that the treatment meets the GAAP requirements with no appreciation for the more subtle GAAS disclosure expectations. Until recently, the firms didn’t think the PCAOB would push them to meet such high standards for auditing as long as the accounting was, subject to “professional judgment”, right enough.
But that’s how the auditors missed, or justified looking the other way, as so many banks failed or had to be bailed out during the crisis. This attitude is evident when you read in the training document how many of Deloitte’s policies and methodologies have to be revised to now absolutely require certain tests and additional steps. The steps weren’t performed unless the firm considered them explicitly required. Unfortunately, there’s still a difference of opinion between Deloitte and the PCAOB about what the PCAOB auditing standards explicitly require.
Here’s one example from the Deloitte training document:
Auditing Standard No. 12 – Identifying and Assessing Risks of Material Misstatement
Understanding the company and its environment
Change to our Methodology: We shall consider reading public information about the company (e.g., analyst reports), observing or reading transcripts of earnings calls, obtaining an understanding of compensation arrangements with senior management, and obtaining information about trading activity in the company’s securities. (AS 12.11)
Key Takeaway: This is a more specific requirement for audits performed in accordance with the standards of the PCAOB. Previously, while we may have been considering these items in our audits, their consideration was not explicitly required by our policies or by professional standards.
How does Deloitte intend to meet this higher standard in a quick and dirty, cost effective way?
Run a report using “OneSource” that includes a company summary, corporate overview, strategic initiatives, strengths & weaknesses, competitors report, significant developments), News, Articles and Financial Statements.
Zippity doo da. You now know everything you need to know about the company.
It doesn’t help that the audit firms business model accepts high turnover of staff during the first 5 years. It’s a model that auditors got away with when issues were not as complex as they are now, especially within financial services firms.
For example, how can a senior, someone with 2-4 years experience, test a complex structured derivative for potential fraud (i.e. think of the Abacus deal) which is, in reality, an embedded derivative with multiple tranches and economic and risk characteristics that may not be aligned with the host, sitting off balance sheet, after having been passed thru an SPV sponsored by a “too big to fail” bank?
The manager, senior manager, and partner typically have no idea what the subject matter expert, a member of Deloitte’s Financial Instrument Valuation Risk Analytic team, is talking about when he says the client’s models and assumptions are insufficient, outdated, or flawed. The audit team probably doesn’t even know what a synthetic CDO is.
The most egregious recent example of a subject matter being ignored – it happened in Enron, too – is the case of KPMG’s expert on mortgage securitizations and repurchase risk being told, “We’re done here” when he warned at New Century Financial that the client’s models had obsolete assumptions. That ugly episode only came to light because of the New Century bankruptcy and a robust bankruptcy examiner’s report.
In the recently disclosed Part 2 of the 2006 Deloitte inspection report, the PCAOB told the firm that partners were ignoring experts, too.
The inspection team identified six engagements where there were deficiencies in the procedures relating to the use of the work of specialists. These deficiencies included five engagements where there was no evidence in the audit documentation, and no persuasive other evidence, that the Firm had tested certain data or assumptions that the issuer had provided to the specialist (beyond, in one instance, inquiry of management).
In the sixth engagement, as part of their tests of the issuer’s annual goodwill impairment test, the Firm’s internal valuation specialists performed various sensitivity analyses to resolve concerns the specialists had raised regarding the issuer’s method for evaluating goodwill. For some of the issuer’s reporting units, the sensitivity analyses indicated the fair value of the unit might be considerably lower, or considerably higher, than the unit’s carrying value. The Firm failed to perform further, more precise sensitivity analyses, or other procedures, to determine whether the goodwill associated with these units was impaired.
Deloitte did not use its specialized SEC reporting and GAAP/IFRS consultation group well either.
The inspection team identified complex fact patterns in significant accounting and auditing areas, which were associated with deficiencies noted in seven engagements,35/ including five engagements36/ discussed in Part I.A, where the engagement teams did not consult with the Firm’s National Accounting Research or Quality Assurance departments. In addition, * * * * engagement teams consulted in three instances at below “Level A,” and neither the engagement team nor the National Accounting Research personnel raised the issue to a higher level as allowed by the policies.
Is Deloitte truly committed to a sea change in tone as well as technique? Seems to me the firm puts an enormous burden on the “soldiers” on the front lines and not enough on the “generals”, the partners who sign the opinions.
I’m not convinced they’re committed. Based on this document, and insider reports, I believe the the firm is still resistant. The firm’s big hope is probably that the spotlight moves away from Deloitte when something happens at another firm. Perhaps it will be a new development in the New York Attorney General’s case against Ernst & Young for Lehman.
But I do think the PCAOB is getting bolder and won’t be letting up on the audit firms. The recent inspection reports on PwC and KPMG 2009 audits are proof of this.