The saying in Washington is that it’s not the crime that ruins you; it’s the coverup. Ernst & Young is learning this week how true that is, with the Securities and Exchange Commission’s $100 million fine against the firm for cheating on CPA exams and then failing to be forthcoming about the breadth of that misconduct.
By now you might have heard the basic story, which the SEC announced on Tuesday. Dozens of E&Y staffers had cheated on the ethics portion of CPA exams over the course of years, typically by sharing answer keys; and hundreds more staffers knew about the cheating but never reported the misconduct to senior firm management.
If all that sounds familiar, that’s because fellow Big 4 audit firm KPMG admitted to its own cheating scandal in 2019. That incident led the SEC to ask other audit firms whether they were aware of any similar misconduct in their own firms, which brings us to the real scandal here.
E&Y told the SEC no, it wasn’t aware of any ongoing issues about employee cheating. Except, E&Y management had just received internal reports of ongoing cheating — and then the firm never corrected its previous declaration to the SEC, even as managers quickly determined that the employee cheating scandal was significant, and investigated the misconduct for another nine months.
That decision not to be more forthcoming is the part that drove the SEC bananas. It’s also the part most relevant to compliance professionals, since it drives at the ethical and legal duties of the people who serve as gatekeepers for their corporations.
Which would be you.
Duties of a Gatekeeper
The SEC clearly believes that gatekeepers — lawyers, auditors, compliance officers, and other professionals whose job is to help clients or employers behave ethically — have a higher duty to speak up about misconduct when it happens. In a prepared statement, SEC enforcement chief Gurbir Grewal was emphatic that the commission will take a hard line against gatekeepers shirking their duties:
This action involves breaches of trust by gatekeepers within the gatekeeper entrusted to audit many of our nation’s public companies. It’s simply outrageous that the very professionals responsible for catching cheating by clients cheated on ethics exams of all things. It’s equally shocking that Ernst & Young hindered our investigation of this misconduct. This action should serve as a clear message that the SEC will not tolerate integrity failures by independent auditors who choose the easier wrong over the harder right.
Moreover, as part of its settlement, E&Y also agreed to hire an independent consultant to review its disclosure failures. Specifically, that consultant will review “whether any member of EY’s executive team, general counsel’s office, compliance staff, or other EY employees contributed to the firm’s failure to correct its misleading submission.”
The word “contributed” is doing a lot of work in that last sentence. To contribute to a disclosure failure, does a compliance professional expressly need to say, “Let’s not disclose this since nobody asked about it”? Or does the mere act of not saying, “We should disclose this” qualify as contributing to the failure?
The SEC believes it’s the latter. Go back to what Grewal said: “Ernst & Young hindered our investigation of this misconduct.” To be precise, E&Y only hindered the SEC’s investigation by not correcting a previous statement that was later proven to be wrong. The firm let the SEC labor under false impressions.
For gatekeepers such as lawyers and compliance officers, even that passive form of hindering an investigation is enough to trigger the SEC’s wrath.
Or, to put matters more simply: when an organization discovers that it submitted an incorrect statement to the SEC, it has a duty to correct that mistake promptly — and gatekeepers should know that, Grewal says, because advocating for integrity and high ethical behavior is part of their job.
How Does This Work in Practice?
In a moral sense, I agree with Grewal’s position that gatekeepers have a higher duty to behave with ethics and integrity. That means when you see a mistake and have the power to fix that mistake, you should fix it — even when the law might not necessarily compel you to do so.
For example, Republican commissioner Hester Peirce dissented from the E&Y penalty specifically because the SEC’s inquiry about cheating was only a voluntary request for information. E&Y provided an incorrect answer, and that was unfortunate, Peirce said, but the firm had no legal obligation to correct the matter. “Treating the failure to take the prudent and cautious path as though it is a strict liability violation of some affirmative legal obligation is not supported by the law,” she wrote.
That argument rings hollow. Indeed, more than anything, it sounds like another of the tired arguments that compliance functions should be subordinate to legal functions. Ethical duties are about more than what’s legally required. If gatekeepers such as compliance officers are stewards of the organization’s integrity, then they have a duty that goes beyond Peirce’s narrow view. Moreover, if they don’t affirmatively embrace that duty — by, say, allowing an erroneous voluntary statement to the SEC go uncorrected — that’s a failure of integrity. It’s a failure.
Still, we shouldn’t let Grewal completely off the hook. He might be right in a moral and ethical sense, but in the practical world of real corporations, real misconduct, and real people, compliance officers (and other gatekeepers) are still in a precarious position here.
Far too often, ethics and compliance officers are trying to do the right thing. They see how the organization should act with integrity and want to take that action; but they simply get threatened, shouted down, or otherwise cowed into silence by general counsels, CEOs, and other senior executives who don’t want to do the right thing. They want to keep quiet and hope regulators never discover the misconduct.
So what do gatekeepers do then?
It’s easy for regulators to say that compliance officers could always contact regulators directly; in practice such a move is rife with career risk. Will the SEC penalize gatekeepers who don’t speak up because other gatekeepers told them to shut up? Will the SEC bring enforcement against general counsels who give advice that was legally permissible but ethically sketchy? (See Peirce, Hester; statement above.)
Within the confines of E&Y and its preposterous behavior, the SEC’s enforcement action and Grewal’s exhortations about gatekeepers is justified. Widen the lens to other gatekeepers overall, however, and we quickly get into tricky situations. I hope Grewal understands that.