Charges of fraud and conspiracy around audit regulation have not only rocked the audit profession. They’ve also shaken trust in the integrity of the regulatory process, leaving audit committees with an even bigger job to vet audit firms.

The U.S. Department of Justice is pursuing criminal charges against five former audit leaders at KPMG, two of whom worked previously for the Public Company Accounting Oversight Board, plus one former inspections staff member at the PCAOB. The Securities and Exchange Commission is pursuing civil charges as well. Five of the six individuals are contesting the allegations, while one has settled and is cooperating with authorities.

According to federal authorities, KPMG leaders David Middendorf and Thomas Whittle began recruiting Brian Sweet in 2014 to join the firm and help KPMG improve its dismal performance record in PCAOB inspections. Sweet was a staff inspector at the PCAOB assigned to inspect KPMG’s work. Middendorf was KPMG’s national managing partner for audit quality and professional practice, and Whittle was national partner-in-charge for inspections.

KPMG’s inspection results were among the worst recorded for Big 4 firms during that time frame. KPMG’s report in 2012 showed deficiencies in 34 percent of audits selected for inspection. In 2013, that jumped to 46 percent, and in 2014 it exceeded 50 percent. Audit firms were, and still are, under significant pressure from regulators to identify the causes of audit deficiencies and address them.

Based on the PCAOB’s publishing of “part 2” inspection findings, where the board can expose quality control criticisms if firms have not addressed them in timely fashion, it would appear the board was not impressed with KPMG’s remediation efforts after inspections in 2011 and 2012. In 2014, the PCAOB re-published KPMG’s reports for both of those years to call out concerns about auditors’ failures to sufficiently evaluate evidence that would seem to contradict management assertions.

KPMG attached a letter, signed by Chairman and CEO James Veihmeyer and Audit Vice Chair James Liddy, to those re-published inspection reports to explain its commitment to audit quality. “KPMG has established a culture that is built on an absolute commitment to performing consistently high-quality audits and meeting our responsibilities to investors and other participants in the capital markets system,” they wrote.

Sweet accepted a position at KPMG and began work there in May 2015. Federal authorities say that before he left the PCAOB, Sweet downloaded documents to a personal device and took some hard copy documents that he thought would be helpful to him in his new role. Those documents reportedly included internal PCAOB manuals and guidance, comment forms issued in connection with inspections on which Sweet had worked, a planning spreadsheet—and the Holy Grail: a list of KPMG audits that would be inspected by the PCAOB in 2015.

In his first few days on the job, Sweet had lunch with Middendorf, David Britt (who led the firm’s banking group), and others, the Justice Department says. There, Sweet apparently faced questions about which of KPMG’s audits would be selected for inspection. He “implicitly acknowledged” that the audit of an identified issuer would be inspected but did not respond to further questions,” the indictment says.

In separate conversations within days, audit leaders began pressuring Sweet for information, authorities say. Middendorf allegedly told Sweet “to remember where Sweet’s paycheck came from and to be loyal to KPMG.” After asking Sweet for the list of engagements to be inspected, Whittle told Sweet that he “was most valuable to KPMG at that moment and would soon be less valuable,” the indictment says.

Soon after, Sweet showed Whittle the list, then e-mailed it to him, according to the Justice Department. The timing was too late, after audit work papers were already closed to further documentation, to enable partners to review their work; but it gave them time to prepare for inspections in other ways, the DoJ says.

“What happened at KPMG could be but one part of a much larger problem. I think that’s what people at public companies need to be concerned about.”
Lynn Turner, Former Chief Accountant, SEC

The indictment says Sweet kept in touch with his former colleagues at the PCAOB and received indicators about regulatory inspection plans that he passed along to his new colleagues at KPMG. Meanwhile, KPMG had also retained the services of a data analysis firm, unnamed by authorities, to help predict which engagements would be selected for inspection. Middendorf reportedly directed Sweet to work with the firm and share whatever information he had.

In July 2015, KPMG also hired Cynthia Holder away from the PCAOB, where she also worked as an inspection staffer assigned to KPMG. Authorities say Sweet had advocated for Holder’s hire, sharing with Whittle that Holder had been the source for additional confidential information that he had earlier provided. Holder also copied confidential information to a personal device before departing her PCAOB position, the indictment says.

Then the information train shifted to Jeffrey Wada, another PCAOB staffer who wanted to jump ship and join KPMG, especially when he learned he’d been passed over for a promotion, the Justice Department says. By early 2016, KPMG audit leadership was getting heat from the Securities and Exchange Commission over audit quality concerns, especially with respect to the firm’s work on allowances for loan and lease losses.

When Sweet obtained the list of engagements the PCAOB planned to inspect in 2016, that reportedly set in motion the effort to shore up audits that would face inspection. Middendorf reportedly instructed the group to prioritize audits that were subject to KPMG’s internal monitoring programs to protect those initiatives. “While any failed inspection of a particular audit would be bad, a failed inspection for an audit subject to a monitoring program would demonstrate that the monitoring programs were not working and would represent a systemic failure,” the DoJ said.

In 2016, the opportunity to re-review completed audits was more extensive because audit files were still open to a “documentation period,” under auditing standards. That gave the group time to check over audits that would be inspected to ensure they were up to the scrutiny, the indictment says.

The re-review process identified problems, the DoJ said. The indictment describes an internal control opinion that needed to be withdrawn because the engagement team failed to secure information on the controls of a third-party vendor, an audit performed at least in part based on information from the wrong year and revisions to an audit file that were not properly documented as occurring after the opinion was issued.

Ultimately, the DoJ determined, “in both 2016 and 2017, the accounting firm acted in order to avoid negative inspection results and to give the appearance to the SEC, the PCAOB, and the general public that the accounting firm had performed well in these inspections while concealing that they had obtained confidential PCAOB information regarding which audits would be inspected.”

Questions for audit committees to ask their auditors

In her remarks to audit firms, Helen Munter, director of inspections and registration at the Public Company Accounting Oversight Board, posed a number of questions to audit firms to consider how equipped they are to take audit quality improvements to the next level. Those same questions might prove useful for audit committees to explore with their external audit firms.
Does your firm have in place a system of quality control that provides it with reasonable assurance that its personnel comply with applicable professional standards and the firm's own standards of quality?
How do you know audits are being performed in a quality manner on a consistent basis? What are the controls you rely on? How quickly would someone coming to your organization understand those controls and be able to become part of that system? Does staff at all levels understand those controls?
Does your firm approach PCAOB inspection results by remediating individual problems or by addressing systemic issues identified through either internal or external reviews?
Does your firm exhibit a tone at the top that emphasizes the importance of the role of the audit to the financial markets—an attitude of serving the investor? Are you cultivating a culture where due care, including professional skepticism, is rewarded throughout the firm as part of a firm strategy?
Do you hold audit leaders, not just the lead engagement partner, accountable for audit quality? Engagement quality reviewers? Managing partners? Partners assisting in multi-location audits? Do you incorporate audit quality goals and metrics into partner performance evaluations?
Does the firm have policies in place to assure that they are assigning personnel with the technical expertise to successfully complete audits, providing necessary training, and advancing personnel with the appropriate qualifications?
How do you manage an engagement team’s workload to assure sufficient time is allocated to perform the audit? How do you assure your engagement quality reviews are allocated sufficient time and comply with standards?
What are your policies and procedures with respect to consultations with the national office? Are your audit teams encouraged to pursue consultations in complex or subjective areas? Are there barriers that prevent teams from seeking consultations?
How do you monitor the firm’s system of quality control? How do you identify and assess root causes of audit deficiencies where they are identified, either through internal or external reviews?
How do you assure compliance with auditor independence requirements?
How are you remediating deficiencies in the key areas commonly called out in inspections, including assessing and responding to risks of material misstatement, auditing internal control over financial reporting, and auditing accounting estimates, including fair value measurements?
Source: Helen Munter speech, AICPA Conference

Both the criminal indictments and the civil charges indicate interactions with unnamed partners and an outside consultant, who in some cases were aware of the origin of the inspection information. It was one such unnamed partner, in fact, who became suspicious about what was happening and reported concerns to the firm’s general counsel.

After an internal investigation, the firm took action in early 2017 to dismiss six people—the five who have been charged and the vice chair of audit services, Scott Marcello. KPMG also reported the matter to the SEC, and the PCAOB revealed it had dismissed one person.

KPMG said in a statement it has cooperated with the government investigation. “KPMG took swift and decisive action, including the engagement of outside legal counsel to conduct a detailed investigation and the separation of involved individuals from the firm,” the statement said. The firm also says it has taken “remedial actions” to guard against any such conduct in the future.

As one of his earliest public duties in his new role as chairman of the PCAOB, William Duhnke also issued a statement to say the PCAOB had cooperated with, and appreciated, the government’s actions to address the integrity of the PCAOB’s oversight process. “Immediately upon learning of the alleged misconduct last year, the PCAOB board and staff reviewed and reinforced the PCAOB’s safeguards against the improper disclosure of confidential information,” he said. With the installment of all new PCAOB members in 2018, the new board will review the organization’s protocols for information technology, security controls, compliance, and ethics to assess their effectiveness, he said.

A PCAOB spokesman said the board also has revised its policies with respect to employment changes for its personnel. The PCAOB’s ethics code had included a cooling-off period for staff and board members on practicing before the PCAOB. “After this incident, we imposed a new one-year bar on senior inspections staff seeking employment with the firm that they inspect,” the spokesman said. “In addition, we’ve implemented new controls related to departing employees.”

Despite whatever measures KPMG and the PCAOB may have taken, questions remain about the magnitude of the alleged operation to use illegally obtained information to subvert the inspection process. Who else at KPMG knew of the operation, and why aren’t they facing charges? What has the PCAOB or the SEC done to remediate inspection findings that were compromised by the incident? Is anything similar happening at other firms?

Lynn Turner, former chief accountant at the SEC, believes such questions are fair. “What happened at KPMG could be but one part of a much larger problem,” says Lynn Turner, former chief accountant at the SEC. “I think that’s what people at public companies need to be concerned about.”

Richard Chambers, chairman and CEO of the Institute of Internal Auditors, says the nature of the charges is disheartening to those in the profession. “You want to think of the profession, particularly accounting and auditing, as immune to those kinds of things, but that’s probably impractical,” he says.

The situation is especially disturbing because it cuts to the core of the regulatory process, says Chambers. “It’s presumed that inspections will be carried out free of any kind of impairment or interference, so these allegations would undermine that confidence to a certain extent,” he says.

Chambers said he would assume the PCAOB and/or the SEC will have re-checked audits that might have been affected by any illicit use of confidential information.

SEC Chairman Jay Clayton said in a statement that he does not believe the situation “will adversely affect the ability of SEC registrants to continue to use audit reports issued by KPMG in filings with the Commission or for investors to rely upon those required reports.”

Clayton doesn’t say—and the SEC won’t comment on—whether the SEC or PCAOB have done anything to remediate KPMG’s 2016 inspection. The PCAOB also has declined to comment on that question. The PCAOB and SEC have said the alleged operation was discovered before 2017 inspections were performed, giving the board time to re-plan its inspections accordingly.

KPMG’s 2015 report was published in early December 2016, showing the firm had indeed improved from the year before, reducing a 54-percent deficiency rate in 2014 to a 38-percent rate in 2015. It was not exactly cause for celebration, however, as inspectors still found problems in more than one-third of the audits it checked.

Results for the firm’s 2016 inspection have not yet been published. The PCAOB has been slow to publish results on any of the major firms, holding reports until late into 2017 before the earliest ones emerged. The board so far has published results for Deloitte, EY, and PwC, but not KPMG.

That puts the onus on audit committees to question their external auditors on inspection outcomes and quality control measures. “The audit committee has a very explicit responsibility to oversee the work of the external auditor,” says Chambers. “One of the questions I’d always expect an audit committee to be asking is: What kind of controls does the firm have with regard to quality assurance?”

In addition to the usual questions audit committees should ask of their external auditors, Turner suggests winding down the inquiry with one, final catch-all question: “Is there anything going on that you’re aware of that would cause an investor concern?”