When CPAs Lose Their Moral Compass: Lessons From KPMG’s US Scandal

Fourteen years after Singapore established the Accounting and Corporate Regulatory Authority in 2004, Hong Kong is finally ready to set up its own independent audit watchdog. The city has just tabled a bill to empower the Financial Reporting Council, created in 2006, to evaluate the audit work done on listed companies and discipline the accounting firms concerned, if warranted.

The wrongdoing at the PCAOB and KPMG is a cautionary tale that holds lessons for regulators and accounting firms, and provides due-diligence tips to CFOs and other finance professionals

The Singapore overseer and its Hong Kong would-be counterpart (and other audit regulators in Asia), the region’s accounting firms and the companies they audit, all can learn lessons from the recent experience of America’s Public Company Accounting Oversight Board (PCAOB). Established in 2002, the older regulator has figured in a scandal involving wrongdoing by former employees – and other high-ranking CPAs in KPMG.

Can it happen in Asia? It’s not inconceivable. When regulators start to really crack the whip and are given the means to make it hurt – Hong Kong’s FRC will have the power to levy fines of up to HK$10 million (US$1.3 million) – the temptation to game things also intensifies. The wrongdoing at the PCAOB and KPMG is a cautionary tale that holds lessons for regulators and accounting firms, and provides due-diligence tips to CFOs and other finance professionals.

A Regulator Crosses Over

The Department of Professional Practice group in KPMG LLP, the US member firm of KPMG International, was under pressure. In 2014, the PCAOB issued a report that found the regulator considered 23 of 50 audits undertaken by KPMG were deficient. That represented a 46% deficiency rate in 2013, compared with just 34% the previous year and worse than the performance of two other Big Four firms. Something needed to be done.

The key course of action the KPMG member firm hit upon was to hire Brian Sweet, now 40, who was an Associate Director at PCAOB responsible for KPMG inspections. The recruitment is a “top priority,” KPMG’s Vice Chair of Audit made clear, according to an administrative proceeding order against Sweet by the US Securities and Exchange Commission (among other actions, the SEC stripped from the CPA the privilege of appearing or practicing before the commission).

It is not illegal to recruit from the regulator ranks. Sweet was to be responsible for conducting internal inspection of KPMG audits, drawing on his knowledge and experience to make sure they comply with PCAOB regulations. But he was also put to work to help an outside consultant model which KPMG audit engagements are likely to be inspected by the PCAOB. Sweet was told to provide the consultants with information about the regulator’s selection process, which could possibly mean sharing confidential data with them.

And indeed, according to the commission, Sweet copied various confidential inspection-related materials from the PCAOB database to his personal hard drive, took hard copy documents and retained other documents he had previously brought home. “These documents included PCAOB inspection planning information, inspection guides and manuals, and drafts of confidential inspection comment forms,” the SEC said.

Inside KPMG

Sweet joined KPMG in May 2015. On his first day, he had lunch with David Middendorf, National Managing Partner for Audit Quality and Professional Practice, David Britt, Banking and Capital Markets Group Co-Leader, and others in KPMG. Middendorf asked Sweet whether PCAOB planned to inspect a specific KPMG banking client in 2015. “Without answering directly, Sweet indicated the PCAOB planned to do so,” according to the SEC.

Several days later, Thomas Whittle, National Partner-in-Charge for Inspections, asked Sweet to provide him a list of the PCAOB’s planned inspections for 2015. Sweet showed him a planning document that identified 46 KPMG audits that the PCAOB intended to inspect that year, including the confidential areas of focus for the inspections. The next day, Whittle emailed Sweet asking him to have an assistant “scan and send me the banking selection list,” referring to KPMG’s bank-holding-company audit clients.

The SEC personnel expressed concerns about the firm’s audit quality and questioned whether KPMG was addressing the issues

“Sweet complied by sending Whittle the complete list of planned inspections and asked Whittle to exercise discretion given the nature of the information,” according to the SEC. Whittle forwarded the list to Middendorf, writing in the email: “The complete list. Obviously very sensitive. We will not be broadcasting this.” Sweet also identified for Britt, the banking co-leader, a number of KPMG banking clients the PCAOB planned to inspect.

“Sweet shared the information he had taken from the PCAOB with his new colleagues to benefit himself and the firm,” said the SEC. “He believed, based on comments Middendorf and Whittle made to him, that his position as a partner at KPMG was not secure. Sweet believed it would help him in his position at KPMG if he were perceived as a team player working to help the firm.”

The Rot Spreads

After KPMG offered to make Sweet a partner, Whittle asked him for a list of PCAOB employees that the accounting firm should consider hiring. Sweet had a discussion with his friend Cynthia Holder, an inspections leader at PCAOB who also worked on KPMG audit engagements, about working in KPMG. On his first day at KPMG, Sweet informed Holder he would be meeting with Whittle to push for her hiring, and later promised to hand-carry her resume to Whittle.

A day after that communication, Sweet asked Holder to send him a confidential document containing Sweet’s comments about KPMG’s audits while he was with the PCAOB. She not only did as Sweet asked; Holder also sent him additional confidential information related to a planned inspection of a KPMG client. Holder, 51, became executive director in KPMG’s Department of Professional Practice in August 2015.

In March 2016, she got to know the names of 12 KPMG clients that the PCAOB planned to inspect from PCAOB inspections leader Jeffrey Wada, who was disgruntled about being passed over for a promotion and decided to also seek employment with KPMG. Wada had previously performed work on KPMG inspections, but had been reassigned to another audit firm. He accessed the KPMG-related internal database and called Holder to read her the names.  

“Holder provided this information to Sweet, who then immediately relayed the list to Whittle, Middendorf, and Britt, informing them that it had come from a former colleague at the PCAOB,” said the SEC. The information came at an opportune time. In February, Middendorf and others in KPMG’s leadership team met with the SEC’s Office of the Chief Accountant. The SEC personnel expressed concerns about the firm’s audit quality and questioned whether KPMG was addressing the issues.

The information from Wada also arrived at a time when KPMG could still access and change audit workpapers related to the 12 engagements. Though the firm had already issued the audit reports, it was still within the 45-day period beyond which the audit workpapers would be locked from editing. Middendorf, Whittle and Britt agreed among themselves to have Sweet and others conduct additional examination of the audit workpapers of seven banks on the list Wada provided.

One engagement partner suspected that KPMG may have received confidential PCAOB information. The firm began an investigation after the Office of General Counsel learned of her concerns

The Plot Unravels

Why just seven? These banking clients were part of KPMG’s ALLL monitoring program, which was created in 2015 in response to the numerous deficiencies the PCAOB had identified in the area of allowances for loan and lease losses (hence the acronym ALLL). “The success of the ALLL monitoring program was especially important to KPMG because the firm had promoted it as proof of the seriousness with which it was working to improve its audit quality,” says the SEC.

Over the next few weeks, Sweet, Holder, and various partners and managing directors in the Department of Professional Practice reviewed the audit workpapers of the seven banks. Edits and changes were proposed to the engagement teams that conducted the audit, which had the prerogative to decide whether and which amendments to incorporate in the final workpapers.

The engagement teams and others in KPMG appeared to be unaware that something was amiss. According to the SEC, “Middendorf and Whittle instructed that no one in the briefing should disclose that they had obtained confidential PCAOB information.” Britt told the engagement partners that the department was performing work on all 35 banking engagements in the ALLL monitoring program as part of the “wrap up and reporting of the results.”

Meanwhile, Wada was still steaming over being passed over for promotion at the PCAOB. In early January last year, he provided Holder with a preliminary list of the regulator’s inspection targets for 2017. Sweet, Whittle and Britt discussed the information. After the meeting, Sweet contacted the engagement partners of two of the audits to warn them about the potential inspection.

On January 10, Wada sent Holder his resume. In February, he sent her two text messages: “Okay, I have the grocery list” and “All the things you need for the year.” The next day, Wada called Holder and read off 47 ticker symbols that Holder understood to be the final list of 2017 inspections. Wada also provided PCAOB’s list of KPMG engagement partners with “poor performance evaluations.”

Then the first crack appeared. Sweet informed the engagement partners about the impending inspections and one of them suspected that KPMG may have received confidential PCAOB information. The firm began an investigation after the Office of General Counsel learned of her concerns. The panicked conspirators agreed to tell the probers that Holder had received a list of ticker symbols by mail with no return address or other identifying information.

Lessons Learned

It was a laughable ruse. All five KPMG employees were fired in April last year. Wada also left the PCAOB. They were all arrested this month (except for Sweet, who has turned state witness) and charged by the US Department of Justice in a Manhattan court with conspiring to defraud securities regulators and for misuse of confidential auditing information. 

“KPMG has zero tolerance for such unethical behavior,” said Lynne Doughtie, the Chairman and CEO of the US member firm. “KPMG is committed to the highest standards of professionalism, integrity and quality, and we are dedicated to the capital markets we serve. We are taking additional steps to ensure that such a situation should not happen again.”

It would be easy to exhort the PCAOB and KPMG to be more careful about recruiting finance professionals, implying that the six CPAs are inherently bad people whose evil character was not detected by HR. That’s a stretch

What are the lessons learned? One is that moral compasses, even of CPAs, can go haywire in proximity to the magnet of higher pay and the prestige of working in a Big Four accounting firm. This is a truism that should not be lost on Hong Kong’s FRC as it prepares to transform itself into an organization that is closer to the PCAOB in powers and functions, if not in approach.

The FRC’s headcount currently stands at 22 and its budget in 2016 was HK$29.4 million (US$3.8 million). The PCAOB has a headcount of 876 and a budget of around US$258 million. Under the bill being considered by Hong Kong’s legislature, the FRC’s budget will rise to HK$90 million (US$11.5 million). The question to ask is whether that extra funding is enough to recruit more people and set their compensation levels at par or higher than those paid by the audit firms they investigate.

Should revolving-door recruitment be disallowed? That’s not a practical option, however attractive, given the limited supply of qualified finance professionals across Asia. And arguably, having ex-regulators on staff should help accounting firms improve the quality of their audits – provided that is the reason for recruiting them. Unfortunately, in KPMG’s case, that does not appear to be the real motive.

It would be easy to pontificate and exhort the PCAOB and KPMG to be more careful about recruiting finance professionals, implying that the six CPAs are inherently bad people whose evil character was not detected by HR. That’s a stretch. It is more likely that they are flawed people, as we all are, who cracked under tremendous pressure to perform (the KPMG actors) or when tempted with career-making opportunities (the PCAOB regulators).

It is unclear what “additional steps” KPMG is taking, but it is to be hoped they include closer monitoring of what is being done to correct audit deficiencies, clear communications that shortcuts will not be tolerated, and recognition on the part of top leaders that the task cannot be accomplished overnight. For their part, regulators should strengthen talent retention and information controls, knowing that their people are attractive targets for those they oversee.

One comforting thought is that one CPA in KPMG had the wits to suspect that something was wrong and the courage to air her suspicions in the proper forum. This engagement leader could easily have turned a blind eye to potential wrongdoing (after all, she was not directly involved) and used the information for her own and KPMG’s advantage.

That she chose the more difficult road shows that not every CPA’s moral compass could be easily turned askew.

About the Author

Cesar Bacani is Editor-in-Chief of CFO Innovation.