My column at American Banker last week focused on the latest PCAOB inspection report for KPMG.
I’ve written quite a bit since 2007 on the subject of repurchase risk reserves, legal contingencies, and the use of loan loss reserves by banks to manage earnings.
In its most recent report on KPMG, issued last month, the PCAOB inspection team found twelve deficiencies that were serious enough to be considered audit failures. That’s out of 52 audits KPMG conducted in 2010, the same percentage of deficiencies, 23%, as in 2009. The names of the companies whose audits were faulty are not named, per the Sarbanes-Oxley statute. KPMG audits Citigroup and Wells Fargo, as well as several other large banks such as Deutsche Bank, HSBC, Trustmark and PacWest.
This latest inspection report also included more than one significant deficiency for audit failures related to IT general controls testing. It’s about time. Ten years after SOx was passed and we are finally getting around to looking again at whether companies have sufficient controls over their informant technology, the backbone of any medium to large size public company and quite a few new issues. There have been some pretty big technology intensive companies IPOing lately. Here’s an example of what’s wrong with ITGC testing and documentation at KPMG. (These are three different companies out of the twelve of 52 where deficiencies were found.):
- The Firm failed to sufficiently test ITGCs and, as a consequence of this failure, the Firm’s reliance on certain system-generated reports, automated application controls, and information technology (“IT”) dependent manual controls was excessive.
- As a consequence of the Firm’s failure to sufficiently test the controls described above, the Firm’s reliance on certain system-generated reports, automated application controls, and IT-dependent manual controls was excessive.
- Due to the deficiencies described below, the Firm’s conclusion that it could rely on ITGCs was not supported. As a result, the Firm’s testing of certain automated application controls, IT-dependent manual controls, and system-generated reports, on which it relied for its control testing, was insufficient.
An “audit failure”, as defined by the PCAOB, is the failure of the auditor to fulfill its fundamental responsibility – to obtain reasonable assurance about whether the financial statements are free of material misstatement. The audit firms don’t like that definition. In fact, they and many of my commenters say that there’s no audit failure unless a company is forced to restate. But, given the decrease in restatements in the past few years, I think that’s bunk. There are huge disincentives for the company to restate and so it happens less and less on purpose.
The more aggressive clawback provisions mandated under Dodd-Frank require all executive officers, not just the CFO and CEO, to return performance-based compensation for the prior three years, regardless of fault or misconduct, if it was paid based on an error that was corrected by a restatement. External auditors, however, may allow clients to report more material corrections as current year adjustments rather than restatements to help minimize the threat of clawbacks. Service providers such as outside counsel and external auditors often make the final call on a restatement, but some won’t bite the hand that feeds them by forcing the issue if it can be avoided.
Executives use a “revision” restatement or characterize a misstatement as a current period “correction” to mitigate the impact of the Sarbanes-Oxley Section 409 real-time disclosure requirement. Downplaying the misstatement also supports an argument to the SEC and the company’s board that the flub was a one-time, isolated, honest error even when a restatement is filed. Executives often aren’t forced to return incentive compensation for “honest mistakes” even when paid based on proven erroneous results.
Auditors, in addition to having to perhaps be sued almost immediately by class action plaintiffs after an announcement of a restatement, take an even bigger hit from the clients if they missed the error or fraud in the first place – they might get fired. Certainly they get an “F’ instead of a “D” grade from the PCAOB if the material error or misstatement that prompts the restatement was missed by the auditors because they didn’t follow the auditing standards.
So, given the amount of influence auditors have over the decision to restate or not, I don’t think it’s valid to say a serious deficiency in an auditor’s performance is not an audit failure if there’s no restatement.
The PCAOB adamantly agrees with me.
When it comes to the banks and ALL and repurchase risk reserves, I have suspected shenanigans for a while.
In this year’s inspection report, however, the focus was on the risk that KPMG auditors weren’t sufficiently scrutinizing loan loss reserves and repurchase reserves or pushing back on executives using them to manage earnings. I’ve been saying for a long time that auditors are not forcing full disclosure of banks’ potential losses and repurchase demands, as well as the related legal contingencies. Inspectors found loan loss reserves at one bank that were seven times more than a previous period with nothing but management’s word to back them up. At another bank, loans had been reclassified to fool the models that calculate reserves. Inspectors cited more than one case where banks booked unallocated reserves with little or no explanation demanded by auditors.
I’ve written about KPMG client Citigroup’s use of loan loss reserves as a “cookie jar” to manipulate earnings each quarter. Although Citigroup claims it uses complex models to estimate additions to and releases from loan loss reserves, in reality all loan loss reserves are held in an unallocated top-level account and are available for losses in any category, anywhere across the globe. It’s a number that can be manipulated to plug a hole in earnings in any period…We’ve got three more “Big Four” inspections reports to come – Ernst & Young, Deloitte and PwC. Don’t be surprised if you see the same focus on loan loss and repurchase reserves and the same kinds of auditor deficiencies. If only we knew which big banks’ financial statements were being fudged.
Read the rest at American Banker.
John Carney of CNBC’s wrote about how I was early and strong on the repurchase or “putback” risk issue.
But it was the unexpected endorsement of my most recent column on Forbes.com, “Bank of America Buys Time Via Buffett Effect,” that I wanted you to see today. I have never “pitched” John. I have never asked him to notice my work and he doesn’t have to ask me to notice his. He’s just the kind of guy who does things like this without being asked, cajoled, bribed, or for any other reason than that he is watching the news closely and, every once and a while, sees my take on it as worthy of notice.
If you read one thing about Bank of America today, I hope it will be Francine McKenna’s fine column in Forbes.
She notes that the Bank of America bulls, including the estimable John Hempton of Australia’s Bronte Capital, seem to be counting on is: 1) that the government will backstop any bank as big as Bank of America and 2) that accountants will never make Bank of America deliver seriously bad news about the value of its assets or the likely costs of its legal liabilities…
If you’d like to read more about banks’ reluctance to book reserves for litigation contingencies, including lawsuits over repurchase or “putback” risk, this post sums up all my writing on that subject until recently.