By now you might already know the news: KPMG, one of the largest audit firms in the world, has agreed to pay $50 million to the Securities and Exchange Commission to settle charges from two separate scandals at the firm — one related to KPMG partners offering jobs to audit industry regulators in exchange for inside information about upcoming inspections of KPMG work; the other about partners and staffers cheating on CPE training exams.
We already knew about the jobs-for-information scandal. That story exploded into public view last year, when the feds indicted three KPMG partners and three former staffers at the Public Company Accounting Oversight Board. The scam was that KPMG would hire the ex-staffers in exchange for them bringing along highly confidential details about which KPMG audits the PCAOB was planning to inspect. KPMG partners could then use the intel to clean up their work papers, making the audits look better and improving the firm’s inspection results.
OK, so that happened. Then on Monday, the SEC announced the $50 million fine against KPMG itself — and disclosed the cheating scandal as part of the litigation order. In that scandal, KPMG staffers who had passed CPE training exams shared the correct answers with colleagues so they could improve their scores. These tests, by the way, were required as part of a prior settlement KPMG had reached with the SEC about poor auditing practices.
The details in the SEC litigation order will leave ethics professionals speechless.
Lead engagement partners deliberately engaged in cheating on exams. Employees manipulated KPMG computer servers to lower the criteria for passing the tests. The three KPMG partners who received the stolen PCAOB inspection data led a working group to clean up dozens of audits, and while it’s not clear whether other partners working on that project understood the misconduct, at least one was suspicious enough to report her concerns to KPMG senior management — which, apparently, lit the fuse to the fireworks that continue to this day.
Meanwhile, ethics and compliance professionals have several questions we should all ponder this week.
FAQs on KPMG
First, how did KPMG’s senior leaders not know about the workpaper-fixing scandal? The people who led this misconduct worked in KPMG’s professional practices group in the firm’s national office. The scheme ran for nearly two years.
Also consider what the scandal actually was. KPMG hired two former PCAOB staffers, who leaked information about which audits would be examined in upcoming inspections — and then the professional practices team worked with other engagement partners to “review” their workpapers ahead of the inspections.
We don’t know the exact number of other partners and staff auditors involved in that misconduct, but the SEC order mentions seven banks that were KPMG clients whose audits were “reviewed.” In one instance, KPMG partner David Britt, one of the six people criminally charged in this mess, told a subordinate to do his own “stealth” review of a client’s workpapers.
In the second cycle of these review shenanigans, in early 2017, one of the partners who received word of these reviews finally suspected something fishy, and she reported her concerns to KPMG’s senior management. That was the tip that led to everything unraveling.
So how did these senior people at KPMG’s national office lead an effort to alter workpapers for two years, involving numerous other senior KPMG people — and word of it didn’t reach the firm’s senior leadership earlier? How did the word “stealth” not trigger concern? Why did one partner finally raise concerns, but nobody else did earlier? What does that say about KPMG’s ethical culture, or the ethical awareness of its partners?
Second, how did the cheating scandal come to light? Because from an ethical perspective, this might be the worse of the two scandals.
The cheating went on for years, and involved both audit partners and more junior staffers. People were asking for correct answers and sharing that information. They manipulated computer servers and HTML code to lower the threshold for passing the tests. That’s an extraordinary amount of conspiracy and willful misconduct.
Maybe some partners involved in altering workpapers were naive enough to believe nothing was amiss there. That excuse won’t hold with the cheating scandal. It involved more people, who had to have known they were violating the rules. So how did that misconduct finally come to light?
The SEC has been cagey on that point. The settlement order only says, “After discovering the training-related misconduct, KPMG reported the matter to Commission staff” and appointed a board committee to investigate.
Did someone under suspicion in the workpaper scandal cough up the cheating scandal to cut a deal? Did someone call KPMG’s ethics hotline to report the matter? (I assume not, because the SEC did mention a hotline call regarding the workpaper scandal, but not regarding this one.) How many people were involved in the cheating, in how many KPMG offices?
The workpaper scandal seems like it involved fewer partners, who at least tried to mask their true intent from other partners. The cheating scandal seems more widespread, and nobody could play stupid about manipulating servers or copying correct answers from others. It raises deeper alarms about KPMG’s ethical culture.
Oversight in Audit World
Third, what does this say about regulatory oversight of the audit industry overall? If misconduct like this happened at a firm in any other type of industry, that company would probably be staring at a corporate criminal indictment. Given the widespread nature of the misconduct, the seniority of people involved, and the clear intent — that would not be a far-fetched scenario.
Except, it’s a far-fetched scenario in the audit world, because a corporate criminal indictment would bar KPMG from performing audits of public companies and put the firm out of business. We would drop from the Big 4 firms to the Big 3, and that would cause huge disruptions as KPMG’s former clients try to find new audit firms that can do the work.
So nobody is going to indict KPMG, period. What does that say about our ability to police abuses at audit firms? A $50 million fine isn’t much for KPMG, which had $29 billion in revenue in 2018. Yes, an independent ethics review is part of KPMG’s settlement, and that reviewing person won’t come cheap — but so far, all I’ve seen is lots of shocked language in statements to the press, and relatively small fines. How do we punish audit firms, when the structure of the industry limits our options?