After new allegations at KPMG of cheating on internal training tests, audit committees now have another area of questioning for their external auditors.

How do you know your auditors know what they are doing? What internal controls do you have in place to assure auditors are complying with testing requirements? How do you know they aren’t cheating?

It’s an odd kind of turnabout, really, as audit firms have chased management on internal control details to demonstrate to regulators they are complying with standards around internal control auditing. Now, audit committees must turn the internal control questions back to auditors regarding their own adherence to standards—whether controls are in place, whether they are well-designed, and whether they are operating effectively.

The Securities and Exchange Commission extracted what is believed to be its largest-ever monetary penalty against an audit firm when KPMG agreed to a $50 million settlement and admitted to facts in the SEC’s order describing extensive activity at all seniority levels on two separate fronts to circumvent regulatory scrutiny. The firm not only admitted to facts surrounding the 2018 revelation of internal use of information stolen from the Public Company Accounting Oversight Board, but also to newly revealed details of extensive cheating on professional training exams.

If that weren’t alarming enough, the SEC said some of the testing circumvented by KPMG auditors relates to additional training required by the SEC as part of an enforcement order that KPMG settled in 2017 over audit failures for a client in the oil and gas business.

That’s a significant escalation of the allegations, says Herb Chain, an accounting professor at St. John’s University, who teaches ethics. “Cheating is not appropriate, but that’s one thing,” he says. “When you have an agreement with the SEC to respond to an issue, that elevates it to a much more serious thing.”

The firm acknowledged it violated PCAOB standards that require it to maintain integrity and agreed to comply with detailed remedial actions, including the retention of an independent consultant to review and assess the firm’s ethics and integrity controls. The firm is also required to continue an investigation into test cheating and take appropriate employment action, the SEC said.

KPMG responded to the enforcement order with a statement indicating the firm learned “important lessons” from the experiences. In an annual voluntary report, the firm says it has taken a number of actions in recent years to address culture, including appointing new leadership, implementing a new code of conduct, and adding independent directors to its board.

“We are a stronger firm as a result of the actions we are taking to strengthen our culture, our governance, and our compliance program,” a spokesman said. “As we move forward, we are committed to delivering the highest quality and fulfilling our important role in the capital markets.”

The SEC’s co-director of enforcement, Steven Peikin, described the misconduct in the enforcement order as “astonishing,” especially for a Big Four firm that is meant to provide trust and confidence in capital markets. The SEC says its investigation is continuing.

“It’s just appalling,” says Doug Carmichael, a former chief auditor at the PCAOB and now a professor at Baruch College. “The ethical culture there must be just nonexistent.”

On the inspections front, the SEC order details what has been public knowledge since early 2018—that five former members of audit leadership at KPMG improperly obtained and used, beginning in 2015, confidential information from the PCAOB to doctor audit files ahead of inspections. The firm had hired an independent consultant to help predict which of its audits would be selected for inspection as part of an effort to improve its performance in inspections. The plan extended to illegally obtaining and using confidential information from the PCAOB.

The SEC says audit leaders involved in the plan included David Middendorf, KPMG’s former national managing partner in charge of audit quality, who is appealing a criminal conviction on charges of fraud and conspiracy. Five others, including a now former PCAOB inspections leader, have pled guilty or are still facing criminal charges. The SEC has also charged the same group of individuals, but those actions will follow the completion of criminal proceedings, said Peikin.

As the SEC announced its $50 million settlement over the illicit use of PCAOB inspection information, it revealed another culture bombshell. Auditors at all levels, including lead engagement partners, had either shared answers or manipulated results to get by internal testing of their knowledge of accounting principles and other regulatory requirements. KPMG discovered the activity and reported it to the SEC.

The SEC says KPMG partners sent answers by e-mail, by text, and by hard copy to colleagues. Partners shared answers with other partners, and they solicited answers from and shared answers with subordinates, the SEC says.

In another scheme, someone altered the hyperlink that led to an exam to change the score required to pass the test, the SEC says. As many as 28 auditors used that link four or more times, according to the SEC. The link provided a passing grade for scores as low as 25 percent. Peikin said the number of auditors involved in test cheating is not yet known as the investigation continues.

The cheating allegations following the revelation of circumventing inspections suggest a serious culture problem, says Chain, who adds he would not be surprised to see fraud allegations spill out of the continuing investigation.

It’s not clear whether the SEC or any other body could or would pursue additional disciplinary actions against individuals. Although the SEC has settled with the firm, Peikin declined to comment on whether the SEC might bring any kind of charges against individuals. The PCAOB is prohibited from discussing investigations or pending enforcement actions as a result of the privacy afforded to auditors under Sarbanes-Oxley.

The National Association of State Boards of Accountancy did not respond to a request for comment, and the American Institute of Certified Public Accountants and the Center for Audit Quality declined to discuss the case.

Nancy Reimer, a partner at law firm Freeman Mathis & Gary, said she would expect state accountancy boards to conduct their own investigations, and they could consider suspending or revoking licenses—depending on the seriousness of allegations. “It’s a clear ethics violation,” she said.

Carmichael says the SEC could still bar individual auditors even after reaching a settlement with the firm. “A referral to the Department of Justice for any really egregious, intentional, fraudulent conduct is also possible,” he says.

The issue could also lead to a new area of inquiry in PCAOB inspections, says Audrey Gramling, accounting professor at Oklahoma State University. The PCAOB has already said it plans to look more closely at firms’ systems of quality control in upcoming inspections. “Will they do a deeper dive with respect to that in one firm?” she asks.

Gramling says audit committee members should plan to question their auditors about the issue. “If I were an audit committee chair or member, I’d want to know who is on my engagement,” she says. “The exam scandal went to all levels of the firm. What have my auditors actually completed in terms of their continuing education requirements? From a competence and integrity perspective, I would not want those people on my audit.”