Compliance into the Weeds is the only weekly podcast which takes a deep dive into a compliance related topic, literally going into the weeds to more fully explore a subject. In this episode, Matt Kelly (the coolest guy in compliance) and I take things in a different direction as we welcome Francine McKenna, reporter at MarketWatch and blogger extraordinaire at Re: The Auditors. After one full week of writing, thinking and talking about the SEC enforcement action against KPMG, we provide our initial reflections on the burgeoning scandal.
Take a listen via the link above.
The Securities and Exchange Commission settled charges with KPMG LLP on Monday June 17 for altering past audit work after receiving stolen information about inspections of the firm that would be conducted by its regulator, the Public Company Accounting Oversight Board or PCAOB.
In an even more egregious violation of public trust, the SEC’s order also finds that numerous KPMG audit professionals cheated on internal training exams by improperly sharing answers and manipulating test results. Five former KPMG officials were charged last year in the case that alleged they schemed to interfere with the PCAOB’s ability to detect audit deficiencies at KPMG. Two have pleaded guilty, two were found guilty and one is still pending trial.
The SEC’s order finds that KPMG audit professionals, including lead audit engagement partners sent exam answers related to mandatory continuing professional education, ethics and integrity, and training mandated by a prior SEC order finding audit failures to other partners, and also solicited answers from and sent answers to their subordinates to help them also attain passing scores.
It’s not clear from the order how KPMG found out about the latest scandal but the SEC’s settlement document says, “Prior to the firm’s investigation, no one reported the improper sharing of exam answers to the firm’s Ethics and Compliance Hotline.”
In addition to paying a $50 million penalty, KPMG is required to evaluate its quality controls relating to ethics and integrity, identify audit professionals that violated ethics and integrity requirements in connection with training examinations within the past three years, and comply with a cease-and-desist order. The SEC’s order requires KPMG to retain an independent consultant to review and assess the firm’s ethics and integrity controls and its investigation.
Many are asking me now, “What about KPMG?”
Why shouldn’t the SEC and/or the Department of Justice now sanction, or in some way criminally penalize, KPMG the firm for the PCAOB data theft “steal the exam” scandal?
To bring you up to date…
On March 11, 2019, David Middendorf, KPMG’s former national managing partner for audit quality and professional practice, was convicted by a federal court in Manhattan of four of five criminal charges, including conspiracy and wire fraud. Jeffrey Wada, a former employee of the Public Company Accounting Oversight Board, the post- Sarbanes-Oxley audit industry regulator was also convicted on three of four charges, including conspiracy and wire fraud.
Middendorf and four of his former KPMG colleagues—Thomas Whittle, Brian Sweet, David Britt, and Cynthia Holder—were were accused of using confidential PCAOB information about which KPMG clients’ audits the regulator would be inspecting.
On October 29 former KPMG partner Thomas Whittle,KPMG’s then-national partner-in-charge for inspections, changed his plea, to guilty from not guilty on all five counts in the case of the alleged use of stolen confidential regulator information to subvert KPMG’s regulatory inspection process. Whittle, and Sweet, cooperated with prosecutors.
The conspiracy to commit wire fraud and wire fraud charges each carry a maximum prison term of 20 years. Middendorf and Wada were each acquitted of one count of conspiracy to defraud the United States (Count One) referring to defrauding the SEC.
KPMG also used the data to its competitive advantage to win a new audit of a Spanish bank, the Department of Justice and SEC alleged in their complaints. “KPMG won BBVA audit with stolen data about rival’s inspections,” published June 21, 2018, describes how Brian Sweet, a former PCAOB executive who joined KPMG as a partner, used his contacts at the PCAOB to obtain highly confidential data about the audits of BBVA and Banco Santander, which were audited by rival firms. A local partner in Spain used the information to prepare a successful bid for KPMG Spain to take over the BBVA audit.
One good reason you won’t see anything of substance from the SEC, in particular, is that that the regulator, and its chairman Jay Clayton, have gone out of their way to say, “Move along, nothing to see here.” (Of course, the PCAOB has no moral authority to fine or sanction KPMG in this case.)
SEC Chairman Jay Clayton also put out a statement on Monday, specifically addressing any concerns that KPMG audits may have to be withdrawn because of the alleged fraudulent manipulation of audit workpapers and post-audit additional work to cover up errors based on the illegal early warnings about inspections.
“Based on discussions with the SEC staff,” wrote Clayton, “I do not believe that today’s actions against these six individuals will adversely affect the ability of SEC registrants to continue to use audit reports issued by KPMG in filings with the Commission or for investors to rely upon those required reports.”
In addition, the SEC also did not want me to name the clients affected by the manipulation of workpapers based on the illegal tip-offs when I did so in June. They expressed what is now clearly shortsighted faux outrage at potential market disruption and, tut-tut, undeserved notoriety for those companies. Those issuer names and more, including more KPMG personnel and the whistleblower name, have all become public during the Middendorf/Wada trial.
It took the KPMG tax shelter scandal in 2005 to bring regulators to the uncomfortable realization there is no contingency plan. The audit firms will continue to push the envelope on legality, ethics and self-interest with impunity even with a new regulator, the PCAOB, in town. We can no longer depend on “professional” disdain for reputation risk to promote self-policing within the firms and within the accounting profession.
In fact, the moral hazard may have even gotten worse, despite new evidence of the systemic corruption of KPMG after the criminal indictment four top U.S. audit practice partners, and conviction/guilty pleas of three of them, a director, and an employee from the PCAOB, as well as termination of the top U.S. audit partner.
While the US Treasury, via the IRS, was scaring the living daylights out of KPMG over tax shelter abuses in 2005 and the Department of Justice was considering indicting the firm, KPMG was busily auditing the Department of Justice and the US Mint. In 2007 and 2008 KPMG also audited the Department of Treasury’s Financial Management Service.
KPMG is negotiating with the Department of Justice about its troubles while Department of Justice is negotiating with KPMG, their auditors, regarding their audits of DOJ financial statements… in addition to the “too few to fail” doctrine at work here, there was also an attitude on the part of KPMG of, “Hey DOJ losers, who are you to call us a mismanaged, uncontrolled mess?”
At the last moment, the Department of Justice changed their mind deciding against putting KPMG effectively “out of business” over the tax shelter fraud. Who made that decision? Deputy Attorney General James Comey and Attorney General Alberto Gonzales.
Details of the deal were announced at a Gonzales news conference on Aug. 29, 2005. The resolution, Gonzales said, “reflects the reality that the conviction of an organization can affect innocent workers and others associated with the organization, and can even have an impact on the national economy.”
Now you know where Eric Holder got the idea.
In fact, there was an explicit discussion about “debarment,” the potentially devastating consequence of anything short of full support and endorsement for KPMG by every branch of the government involved in determining whether the firm would be indicted in 2005.
Discussion Relating to Suspension/Debarment
[KPMG and its Skadden Arps attorney Robert] Bennett said that KPMG would like the Department of Justice (“DOJ”) as part of the resolution to issue a statement affirming that it would continue to use the Firm as its auditor. [David N.] Kelley responded by saying that he did not think DOJ had much of a choice but to continue with its contract with KPMG. He added that, if DOI says nothing to the contrary, then KPMG’s continued role as DOJ auditor would be a signal to the marketplace. [Joseph I.] Loonan [of KPMG LLP] said that KPMG wanted to get an agreement from General Services Administration (“GSA’ that the fact the Firm had entered into a deferred prosecution agreement would not prevent it from being deemed “presently responsible” for purposes of federal contracting.
Kelley responded that there were so many agencies that he did not think KPMG could get all of the assurances it was seeking prior to entering into an agreement. Loonan said that the key was having GSA onboard. He suggested expediting GSA’s time frame for consideration of the issue. Kelley indicated that he would ”hear it out as it unfolds.” [Judge Sven Erik Holmes, who KPMG hired to provide support in its negotiations] added, “We just want to front-run it a little bit. Kelley replied by saying that he would let us know if we could go ahead and have discussions with GSA.
KPMG, as auditor of the Department of Justice and the US Treasury, was concerned about debarment, a ban from working for the government. The ‘no debarment” deal was cut because, as [David] Kelley said, DOJ had no choice. KPMG was not debarred and continued unabated with all Fed government contracts. Later, after the crisis, KPMG would continue as auditor of Citigroup even after US owned almost all of the bank and could have forced a change.
This decision cemented the US government and general global regulatory posture of “too few to fail” with regard to the largest audit firms.
KPMG also remained auditor of Citi, the combined Wells Fargo and Wachovia where it had audited both banks, and Deutsche Bank, to name just the most notorious financial crisis bailout recipients who went on to more ignominy. Certainly the same “debarment” discussion takes place anytime one of the Big 4 audit firms skates close to the line, potentially subject to strong sanctions by the SEC or PCAOB, or maybe even civil damages a federal agency can control.
The “too few to fail” premise is the primary reason penalties are tough but not nearly anything close to anything that would stop the Big 4 train.
So what else hasn’t changed? (Even former Judge Sven Holmes is still around, playing a central role in the latest crisis.)
KPMG remains auditor of the Department of Justice. KPMG recently told the DOJ, the same DOJ that is prosecuting its partners, that it the agency has a significant deficiency related to inadequate financial statement preparation and review controls.
To facilitate its accounting of the Department’s daily activities, during fiscal year (FY) 2018 the DOJ continued the multi-year implementation of its new Unified Financial Management System (UFMS). Due to competing priorities faced by DOJ personnel in supporting the conversion of nine component organizations within the Offices, Boards, and Divisions (OBDs) reporting component to UFMS and planning for the conversion of the remaining five OBD component organizations in FYs 2019 and 2020, we noted that the emphasis placed on the Department’s financial statement preparation and review processes had not achieved the full level of rigor that is necessary to prepare timely and accurate financial statements in accordance with generally accepted accounting principles, and OMB Circular No. A-136, Financial Reporting Requirements. During our FY 2018 audit, the Department detected or we brought to the attention of the Department the following errors, for which the underlying causes were similar and pervasive.
Arguably KPMG would be forced to resign the Department of Justice audit—due to the sudden adversarial relationship with an audit client—the minute the agency filed any kind of charges against the firm, even if it did not result in a complaint, let alone an indictment.
(BTW, Deloitte did pay a hefty negotiated fine for DOJ allegations of False Claims Act violations related to Taylor Bean & Whitaker, despite no complaint filed, let alone an indictment. It’s the only regulatory action against either PwC or Deloitte or any of their partners for the TBW/Colonial Bank joint fraud. At $149.5 million it’s one of the largest audit related fines or settlements or damages awards ever against an audit firm and it got little to no media coverage.)
- a significant deficiency in internal control over cash management information systems and a significant deficiency in internal control over Federal debt information systems at the Bureau of the Fiscal Service, collectively representing a significant deficiency for Treasury as a whole;
- a significant deficiency in internal control over unpaid tax assessments and a significant deficiency in internal control over financial reporting systems at the Internal Revenue Service, collectively representing a significant deficiency for Treasury as a whole;
- two Anti-deficiency Act violations where the Treasury Departmental Offices expended amounts that were in excess of the available fund balance in fiscal year 2015;
- and noncompliance with requirements of FFMIA related to Federal financial management systems requirements.
KPMG replaced Deloitte as auditor of the Federal Reserve beginning in 2015. There are no publicly available records on the change but a source told me that Deloitte’s contract was for a 5-year term for the financial statement audits for calendar years 2007 through 2011, throughout the financial crisis, with five 1-year optional extensions. The Board exercised three 1-year optional extensions, then rebid the contract in 2014 awarding it to KPMG.
Does that look like a U.S. Federal Government that is willing to live without KPMG?