The inspection information leak that led to dismissals at KPMG and the Public Company Accounting Oversight Board raises big questions about how the audit regulator is assuring fair and transparent inspection results for all Big 4 firms.
KPMG and the PCAOB were quick to condemn those involved in the transfer of confidential information that enabled some audit partners to know before routine inspections which of their audit files would be inspected. The leak is problematic because it creates a huge opportunity for a partner to take a final look at a given audit file to assure it contains all the right documentation and evidence to support the audit opinion.
It’s not at all clear, however, whether inspections were performed based on that improper advantage, or whether the PCAOB changed up its inspection plan to select other audits. And if the latter, might that have given those KPMG auditors an advantage of a different sort?
The PCAOB typically dispatches inspectors in the springtime to begin poring over audit files for the most recently completed round of audits, so inspectors should be ramping up now for their study of year-end 2016 financial statements audits. That will make up the content of firms’ 2017 inspection reports when those are published — and that typically takes a year or more.
KPMG says it learned of the breach in late February and reported it to the PCAOB and the Securities and Exchange Commission right away. The firm doesn’t say, however, when the breach occurred. And neither the PCAOB or KPMG has answered questions on how, if at all, it affected or will affect inspections.
Consider the possible scenarios. Maybe the breach happened before inspections in 2016 and the firm only recently learned about it. If so, that means the firm’s 2016 inspections, the results of which are not yet published, were tainted. Will the PCAOB go back and inspect new audits to even out the playing field with other Big 4 firms before finalizing those reports?
What if the breach occurred in 2015? Reports for that round of inspections have already been published. How would the PCAOB rectify that? Performing new inspections on old audit files is probably not all that productive or informative, unless perhaps there’s a reputation effect and a fairness factor to take into account. Is there a historic record that deserves to be set straight? Isn’t the reputation effect at least part of the reason for doing these inspections and publishing reports on them in the first place?
KPMG’s inspection results for 2015 and 2014 were the most disappointing of all the Big 4 firms. Its rate of audit failure for the 2014 inspection cycle was 54 percent, the only time inspectors have found more bad audits than good ones at a Big 4 firm. In 2015, that deficiency rate fell to 38 percent, but that still easily surpassed the other three global firms. Might those results have been even worse if not for the possibility of an information leak that enabled auditors some advance warning?
Here’s another scenario to ponder. What if the breach of inspection confidentiality were more recent? Say, before the 2017 round of inspections are set to begin?
That presents the PCAOB with a different problem. Presumably, the PCAOB could go back and select new audits for inspection, but then the question becomes whether the firm gets a softer inspection result through that approach as well.
The PCAOB has developed and honed a risk-based approach to choose for inspection those audits that are most likely to contain problems. Each of the past several years, the board has identified audits numbering in the mid-50s at all the Big 4 firms for inspection.
If KPMG had some advance notice on a handful of those 50-or-so audits that would be selected, the board could presumably knock those few out of the inspection pool and go down the list — to less risky audit files — to select new audits for inspection. Does not that simple adjustment to the audit plan now expose KPMG to less inspection risk, even if only incrementally?
Now suppose KPMG’s auditors had advance notice of more than a handful of audits that would be inspected. That pushes the inspection plan even further down the list into audits that are perhaps less likely to contain problems.
And what if KPMG had possession of the entire list of audits selected for inspection? Does that mean all 50-or-so of KPMG’s riskiest audit files should be exempt from inspection? One can’t help but wonder how audit partners at Deloitte, EY, and PwC would regard the fairness of such a fix to the KPMG information leak.
The PCAOB and KPMG both said they have taken measures internally to prevent such a misstep from occurring in the future, although neither has specified what those steps include The PCAOB has not answered questions, however, about how it will remedy the regulatory process to assure this breach of information has not or will not tainted the information provided to investors and audit committees.
That leave stakeholders who rely on those inspection reports only to wonder what value they are actually getting out of the PCAOB's inspection process.