The Securities and Exchange Commission has slapped audit firm PwC with a $7.9 million penalty for violating audit firm independence rules — including PwC implementing a GRC software system for one of its audit clients.
An audit firm can’t do that, since those GRC software systems ultimately help employees assess the effectiveness of internal controls over financial reporting (ICFR). Because the audit firm then audits those same controls, it ends up testing the effectiveness of an ICFR system the firm itself designed. That’s a big conflict in the world of public accounting.
We don’t know the name of the company involved; the SEC settlement order only refers to Issuer A, a technology company that trades on the Nasdaq exchange. It seems that PwC had done audit work with Issuer A for several years.
The other character in this tale is Brandon Sprankle, 42, a partner in PwC’s San Jose offices. Sprankle was on the audit engagement team for Issuer A in 2014, when the company told Sprankle that it needed help with two projects: design and implementation of an Oracle GRC software system; and an upgrade of the company’s existing business software systems.
As detailed in the SEC settlement orders, the head of internal audit for Issuer A told Sprankle in April 2014 that the company wanted to upgrade its systems, and asked whether PwC could help. The internal audit person even asked Sprankle whether those projects would risk audit independence violations. Sprankle replied that “we are absolutely permitted to implement so there will be no issues.”
Alas, per Rule 2-01(c) of Regulation S-X, audit firms are not permitted to design or implement IT systems that are a significant part of an audit client’s financial reporting systems, or to handle any internal audit duties related to ICFR. (Doing such work for non-audit clients is fine.)
Sprankle tried to land the project anyway. He fudged a description of the work in a letter to PwC’s risk independence group, which reviews engagements for potential conflicts. When Issuer A’s head of internal audit saw that letter, he even complained to Sprankle that it didn’t reflect the full scope of work. Sprankle then called the internal audit chief, “who understood from speaking with Sprankle that PwC would substantially design and implement the GRC module, and would perform project management functions.”
The rest of the SEC settlement orders don’t portray Sprankle in any better light. Email communications between his team and Issuer A clearly show that everyone understood this was a design-and-build project, rather than PwC offering some high-level advice and observations.
As to the second software project, upgrading Issuer A’s ERP software system, Sprankle outlined an engagement where his team would provide 1,000 man-hours for the upgrade, which Issuer A’s audit committee approved. PwC’s internal risk review team, however, said a project with so many hours could be construed as Issuer A co-sourcing its internal audit function to PwC — which, again, is something audit firms are not supposed to do for audit clients.
The PwC risk review committee told Sprankle either to drop the project or seek a formal independence consultation. Instead, Sprankle changed the description of the services from a consulting project to audit procedures. That sleight of hand would then let Sprankle evade the need for a formal independence review. As the SEC said:
“Issuer A’s audit committee did not authorize the project as part of any audit. As a result of Sprankle’s mischaracterizing the project as audit services and not informing the audit committee of this change, the audit committee was deprived of the opportunity to perform its responsibilities, including having an understanding of the services that were proposed and the purpose of that work…”
End result: Sprankle received a personal civil penalty of $25,000 from the SEC, and is suspended from practicing before the SEC for at least four years. PwC agreed to pay disgorgement of $3,830,213, plus prejudgment interest of $613,842 and a civil money penalty of $3.5 million, and to be censured.
GRC Lessons to Learn
What’s interesting here for compliance and internal audit professionals is the nuance of exactly what help audit firms can provide to clients when you’re wrangling with internal controls.
For non-audit clients, the answer is easy: audit firms can provide a wide range of services. They can design and implement GRC systems for you; they can manage your internal audit function on some outsourced basis. There’s no conflict of interest, so they can do lots of things.
When the audit firm does perform your financial statement audit, however, those services are much more constrained. The firm can provide some counsel, but not much — and it certainly can’t design and build any systems of internal control for you, since that would be a conflict of interest. Audit firms cannot perform any “management function,” and deciding on a system of internal control is one of those things. That’s what management and the board of directors are supposed to do.
The key issue for regulators is that investors receive an objective, independent analysis of a company’s financial statements from the company’s audit firm. Hence the strict rules on what additional services an audit firm can provide to audit clients: there can be no conflict in fact or in appearance.
Issuer A’s head of internal audit seemed to know that, since he or she raised the issue with Sprankle at least twice. It’s unlikely that Issuer A itself will face regulatory consequences, although I’m sure the company’s legal team was still supremely annoyed that it got sucked into an enforcement action thanks to Sprankle’s duplicity.
All that said, it’s perfectly normal to seek consultants’ advice about internal control systems. That work is hard, and audit firms are indeed a great resource for such advice. Moreover, when you consider the SEC’s string of recent enforcement actions over the internal controls provisions of the FCPA — really, nobody should be ignoring this stuff.
Just choose your advisers wisely, and do your homework about exactly how much help they can provide.