In case you missed it! Here’s the replay and transcript of my remarks.
Here’s a link to the video, including Q&A.
Here’s a transcript of my extended remarks.
We are here to talk about the role of the external auditor and why investors should care about their work and work product. It’s important because the old Big 4 firms just ain’t what they used to be.
In my opinion, the largest global firms — Deloitte, EY, KPMG, and PwC— and the largest next tier firms such as Grant Thornton, BDO, and RSM, are less focused on performing their public duty of auditing and more interested in playing all sides of client opportunities to optimize their payday.
That includes employing slick language about “trust” to suggest their interest in quote-unquote “auditing” ESG disclosures, non-GAAP numbers, cybersecurity, or even stablecoin reserves is about enhancing statutory financial audits.
It is not. It’s a play to sell more consulting services.
Audit firms claim they can wall off conflicts when providing tax, consulting and other advisory services — whether to audit clients or non-audit clients. But they are pulling your leg. Instead, the consulting push repeatedly compromises the independence and integrity of their audits, destroys professional skepticism, and poisons the professionalism of their entire firms.
In a speech in 2014, PCAOB Board Member Steve Harris explained that as a result of SOx auditor independence rules, approximately 24% of the market on average [in 2014], is out of bounds for any given firm’s consulting and advisory practices. Unbridled growth of consulting revenue inside what is supposed to be primarily an audit firm with a public duty can lead to audit firm instability. That’s what caused the split-up at Arthur Andersen even before Enron hit it like a ton of bricks. Harris said, “as the advisory practice grows, this prohibition may grow from a nuisance to a business obstacle.”
It’s not much of an obstacle though because the SEC and PCAOB, in the US, and the FRC in the UK are playing whack-a-mole when they try at all to rein in the violations.
Contrary to popular misconceptions about the Sarbanes-Oxley Act of 2002, the law does not forbid an audit firm from providing non-audit services to its U.S. listed audit clients.
Some potential services that create independence conflicts such as strategy consulting and what is now called “governance, risk & compliance” were not even addressed in 2002. Strategy was thought to be the domain of McKinsey and Bain and Booz. But all the firms do strategy now. PwC bought Booz and renamed it Strategy& in 2014, the same year of Steve Harris’ speech. Seems he did not deter anyone.
For some services like tax, the law is quite vague, leaving plenty of room to rationalize. Therefore, audit firms rarely ask for permission, and instead typically ask for forgiveness when occasionally called out. In the U.S. lobbying efforts to relax auditor independence rules, especially for services provided to pre-IPO companies, were highly successful during the Trump-era SEC, leading to almost unlimited latitude to do everything even as an auditor.
GRC came into its own after the financial crisis, when there was a boom in non-prosecution and delayed prosecution agreements against the banks. The Big 4 stepped in to fill the need for audit-like services for compliance remediation and monitoring.
You would have been right most of the time if you guessed, during and immediately after the financial crisis, that if a Big 4 audit firm was not auditing a particular bank it was likely consulting to it. But in many cases auditors never stopped doing work for bank clients that went way beyond the work required to give an opinion on the financial statements. Banks spend more on non-audit services with their auditors than any other industry.
I am going to talk about three recent cases of accounting and securities fraud — Theranos, Autonomy-HP, and Carillion — because they involve at least three and even all four of the largest global audit firms providing several different services in addition to audit.
(Another example with global reach I don’t have time to get into, the Malaysian sovereign wealth fund case 1MDB, also implicates all four Big 4 audit firms. If you want to learn more, the book Billion Dollar Whale has lots about the accounting and audit issues, which is unusual for business books these days.)
When you’re pre-IPO for 15 years and don’t have an approved, commercial product, you’re in the business of raising money from investors.
What is the auditors’ duty in this case?
To protect investors, and the public markets from the company!
I wrote in March of 2018 that ultra-wealthy investors in private company Theranos had abandoned basic due diligence and never requested audited financial statements before handing over hundreds of millions. If the investors who gave Elizabeth Holmes money 2008 had asked for audited financial statements — and we confirmed during Holmes’ recent trial that they had not — those investors would have been disappointed. There were reportedly, none to be had except in its earliest years. EY did give opinions on Theranos’ 2006, 2007 and 2008 financial statements. But then, for some reason, Holmes dumped EY and hired KPMG.
And we also found out during Holmes’ trial that KPMG planned to audit Theranos’ 2009 and 2010 financials and produce one report to cover the two years. However, KPMG disagreed with Holmes about the valuation of stock options and believed Theranos was understating its stock option compensation expense. So KPMG changed its mind about being an auditor and, instead, hung around until 2015 to help lend “credibility” to financial information that was provided to Theranos investors.
That makes two global audit firms hired to provide audit services to Theranos that gave no warning to investors or regulators of the lengths Holmes was going to grow Theranos and misrepresent its success to investors and the media.
Finally, a third firm, PwC, had no interest in providing audit services but was very interested in lucrative advisory work for the law firm defending Theranos against regulatory investigations from September 2016 to the spring of 2019. Theranos had no permanent CFO or external auditor but PwC was comfortable putting up to 40 PwC employees on site to spend more than 10,000 hours to collect text and email messages between Holmes and “Sunny” Balwani, the Theranos COO and Holmes’s former boyfriend. PwC was also paid to wind down the company’s operations starting in late 2018.
There was a really great article by the Economist’s Lane Green nearly 10 years ago called Shape shifters.
Green noted the phenomenal growth of Deloitte’s consulting and financial advisory business that year and wondered if Deloitte was “shape-shifting” into a firm with a business model that’s inconsistent with its government-sponsored mandates all over the world to do audits, mandates that create a virtual cash machine for auditors because they limit competition in exchange for focus and devotion to delivering public company audits that protect investors and markets.
Green asked Deloitte global CEO Barry Salzberg, “Do people perceive Deloitte as a consulting firm with an audit business rather than the other way round?”
Salzberg told Green: “We’re not going to take our eye off our professional responsibility with respect to either.”
Hardware firm HP announced it had acquired enterprise software firm Autonomy on October 3, 2011. HP had hired KPMG as a consultant to review Deloitte’s audits of Autonomy’s as part of its acquisition due diligence effort.
EY, HP’s external auditor, signed off on its audit opinion of HP’s full year results as of October 31, 2011 a couple of months later, on December 14.
But by early 2012 a whistleblower, a former Autonomy executive, had warned HP of the possibility it had overpaid for a fraud. HP began an investigation of the allegations in April 2012 and chose another Big 4 firm, PwC, as its independent forensic consultant to investigate the whistleblower’s claims.
HP had put PwC in a difficult spot. PwC Global Chairman Dennis Nally had told the Financial Times just the year before, in June 2011, that he did not believe it was the auditors’ job to find fraud. How could PwC say that Deloitte, or KPMG, should have caught the Autonomy fraud if that’s what it found?
If I took a poll of the average investor or public company executive and asked them which Big 4 firm audited the major banks or firms accused of securities fraud in recent years — GE, Colonial Bank, Tesla, Parmalat, Satyam, Lehman Brothers, JP Morgan — I doubt they could give me the name. It’s just a big blur for most when it comes to the auditor.
That’s why a reputational hit to one member of the oligopoly of global audit firms is a reputational hit to the whole lot of them. If PwC found professional malpractice by Deloitte or KPMG, all the largest audit firms would suffer the impact of a negative view of audit and auditors, in general, and suffer from the precedent of any fines, sanctions, or legal settlements against Deloitte or KPMG.
HP’s disclosure of the investigation and a multi-billion dollar material overstatement of goodwill and intangible assets came more than a year after its acquisition of Autonomy.
On November 20, 2012, HP said it was taking a non-cash impairment charge of $8.8 billion related to Autonomy in the fourth quarter of its 2012 fiscal year.
Should EY, HP’s auditor, have more closely scrutinized the values assigned to the assets and liabilities purchased from Autonomy that HP put on its 2011 books or on any of the 2012 quarterly statements? EY is required to review HP’s quarterly financial statements and provide a type of negative assurance that, based on their review, they are not aware of any material modifications that should be made to the statements for them to be in conformity with GAAP.
In September 2020 the UK regulator, the FRC, ordered Deloitte UK to pay a record fine for its Autonomy audit of £15 million plus the investigation legal costs of £5.6m.
The Deloitte Autonomy lead partner was banned from the accounting profession for five years and fined £500,000. Another Deloitte partner was fined £250,000 and “severely reprimanded”. They both had already “early retired” from the firm. Those fines are quite a bit larger than the ones the SEC imposed in 2019 on PwC — $8 million — and on its partner — $25 thousand— for auditor independence issues in 15 clients.
I reported at the time that Deloitte US and other Deloitte member firms played all possible angles with Autonomy – as its auditor in the UK and San Jose, CA, as a customer, as a vendor, and as an alliance partner for Autonomy software implementations. HP’s auditor Ernst & Young had also been a customer of Autonomy.
Sources had told me of at least two large client engagements where Autonomy and Deloitte Consulting worked together at the same time Deloitte UK was auditing the company. Deloitte was a “Platinum” strategic alliance technology implementation partner for HP, too.
Autonomy was a British company that listed on Nasdaq in 2000 but apparently followed the more lax British honor code, versus the Sarbanes-Oxley rules, when choosing which services besides the audit to buy from auditor Deloitte UK and Deloitte US.
The UK media didn’t miss a beat in reporting on Enron-style conflicts when the fraud allegations surfaced in 2012. Deloitte had been selling Autonomy nearly as much in consulting services such as tax compliance and due diligence for acquisitions — £4.44 million in non-audit fees over the prior four years — as they were charging for the audits — £5.422 million. The implication is that Deloitte’s independence may have been compromised.
In September of 2012, EY went to Washington DC to explain how it helped its audit client HP develop and implement a strategy to move profits offshore to avoid U.S. taxes. That Congressional testimony was given smack in the middle of HP’s Autonomy investigation, while EY likely knew PwC would find a significant overstatement of the Autonomy acquisition goodwill and that the writedown would have to be announced in less than two months. The EY tax partner for audit client HP testified in defense of HP’s tax avoidance strategy and then charged HP $2 million dollars for the trip, according to HP’s 2013 proxy.
Despite numerous reports of HP and whistleblowers reporting the findings of fraud and lack of action by auditors and advisors to the SEC, neither the SEC nor the PCAOB ever insisted on a restatement by HP and never charged Deloitte or individual partners at Deloitte US, EY, or KPMG with anything.
Finally, we have UK company Carillion, a multinational construction and facilities management services company that in January 2018 became the was the largest ever liquidation in the UK. Carillion continues to be a painful portion of the KPMG UK’s “partner matters” litigation portfolio.
On February 3, 2022, the Financial Times reported that KPMG UK had been sued for £1.3 billion by the liquidators. PwC UK was appointed by the UK High Court as Special Managers for the Official Receiver of Carillion.
Deloitte and KPMG were ruled out of the liquidation role because they were already Carillion’s internal and external auditors, respectively. EY had advised Carillion on restructuring options before its collapse.
Responses to questions posed to the firms about their Carillion work from two parliamentary Committees revealed they collected nearly £72m for work linked to Carillion in the 10 years leading up to its collapse.
Expressions like “feasting on what was soon to become a carcass” were used by MPs to describe a picture of the Big 4 thriving while exploiting its vulnerabilities as Carillion began to rot.
However, PwC had conflicts at the time of its appointment in 2018, according to the FT. Carillion’s pension trustees had engaged PwC in 2017 to advise as financial difficulties increased. The contract was ongoing since PwC would be one of Carillion’s creditors that PwC, as an agent for the receiver, is supposed to treat impartially. The Insolvency Committee claims that PwC put up “ethical walls” to prevent conflicts between all of its activities for Carillion and its creditors.
The liquidators, with PwC’s help, are now suing KPMG UK saying the firm auditor missed “red flags” that Carillion’s accounts were misstated because it was apparently insolvent for more than two years before it collapsed. Carillion had liabilities of £7 billion and just £29 million in cash when it went into liquidation.
The FT quoted one MP saying he would not hire KPMG to audit “the contents of my fridge” and posited that it was KPMG’s Carillion failure that prompted the UK’s latest round of calls for substantial reforms to UK audit and corporate governance rules.
KPMG has been investigated by the UK FRC, which is comparable to an SEC/PCAOB combined in terms of its authority over the audit firms. KPMG has voluntarily ceased bidding for UK government contracts after scandals.
Now the FRC says KPMG auditors misled regulators during inspections of their work on the Carillion audit and it threatens to “further damage the reputation of KPMG,” as if it could get any worse. Another scandal related to KPMG’s restructuring advisory activities for bedmaker Silentnight resulted in a £13 million fine in August 2021. KPMG has since sold the restructuring unit.
One good thing is KPMG’s UK chief executive Jon Holt acknowledged that it was “clear . . . misconduct has occurred [by KPMG regarding the Carillion inspections] and that our regulator was misled”.
However, Holt and his Big 4 UK colleagues are crying in their tea towels about their damaged reputations all the way to the bank.
KPMG’s UK partners took home an average of $934k last year in a booming deals market. It was the biggest payday for KPMG partners since 2014. And it is even better at the other UK Big 4 firms Deloitte partners received an average of $1.2 million last year plus an extra $267k from the sale of its restructuring division. EY and PwC partners took home a record average of $1.02 and $1.2 million, respectively.
© Francine McKenna, The Digging Company LLC, 2022