SEC Fines KPMG $50 Million for Unlawful Use of PCAOB Data and Cheating on Training Exams

[31819]

June 21, 2019 TO: ICI Members
ICI Global Members
Internal Audit Committee
International Internal Audit Advisory Committee SUBJECTS: Audit and Attest RE: SEC Fines KPMG $50 Million for Unlawful Use of PCAOB Data and Cheating on Training Exams

 

The United States Securities and Exchange Commission (SEC) recently published an order imposing administrative sanctions on KPMG, LLP based on findings that, from 2015-2017, the firm violated its fundamental duty as an auditor to act with integrity.[1]  This finding was based on two separate courses of misconduct by KPMG, one of which involved the use of confidential information unlawfully obtained from the Public Company Accounting Oversight Board (PCAOB); the other of which involved cheating on required audit training.  The facts underlying each of these violations are briefly summarized below. 

Related Criminal Proceedings

In addition to the SEC’s action against KPMG, six individuals who were involved in KPMG’s unlawful conduct were criminally indicated for committing wire fraud and engaging in a conspiracy in violation of federal law.  Of these six, three have pled guilty, two were convicted, and one is awaiting trial.  While the SEC had also pursued administrative sanctions against each of these individuals,[2] the SEC’s action was stayed when the multi-count indictment against them was returned by a grand jury in the Southern District of New York in January 2018.  The stay was based on the fact that the criminal case and the SEC’s administrative proceeding implicated the same individuals, share common allegations and questions of law and fact, and many of the same witnesses, documents, and other evidence would be germane to both proceedings.[3]  As a result, continuation and disposition of the SEC’s administrative action would substantially prejudice and hinder the criminal prosecution because it would provide the Respondents in the SEC’s proceeding (i.e., the defendants in the criminal action) a preview of certain witnesses’ testimony to which they would not otherwise be entitled to in the criminal proceeding and it would result in the creation of multiple statements from the same witnesses.[4] 

KPMG’s Misconduct Involving the Unlawful Use of PCAOB Information

According to the Order, the PCAOB was created as part of the Sarbanes-Oxley Act of 2002 to oversee audits of public companies that are subject to the federal securities laws.  The purpose of the PCAOB is to protect the interests of investors and ensure the preparation of informative, accurate, and independent audit reports.  The PCAOB fulfills its mission by inspecting audits of public companies conducted by registered public accounting firms.  These inspections enable the PCAOB to assess the audit firms’ compliance with the law and professional standards governing the accounting profession.  According to the Order, the PCAOB “typically selects the audit engagements it will inspect based on confidential internal analyses and thereafter notifies firms of which audits it will inspect.”[5]  To ensure the integrity of its inspection process, the PCAOB closely guards the confidentiality of both its inspection targets and the manner in which they are selected.

In 2014, prior to the facts underlying the SEC’s Order, the PCAOB had issued a report based on its 2013 review of 50 KPMG audits.  This report found that 23 of the firm’s 50 audits reviewed – or 46% – had deficiencies.  This was 12% higher than KPMG’s deficiency rate for the prior year.  According to the Order, David Mittendorf (Mittendorf), who then oversaw KPMG’s National Office’s audit quality and professional practice work, understood that the SEC’s Office of the Chief Accountant had been highly critical of KPMG’s worsening inspection results.  In an effort to improve these results, KPMG hired Brian Sweet (Sweet), who, prior to his hiring, was a PCAOB employee.

Sweet had been employed by the PCAOB starting in 2009.  His area of expertise was inspecting banking issuers.[6]  While he was at the PCAOB, he was on the team assigned to inspecting KPMG and their audits. Although KPMG began recruiting Sweet in 2014, he did not join the firm until 2015.  He remained with KPMG until 2017.  During his time with the firm, he focused on KPMG’s banking clients and he reported to Thomas Whittle (Whittle).  Whittle, in turn, reported to Mittendorf.  Prior to leaving the PCAOB, Sweet copied confidential information onto a personal hard drive that he took with him when he left the PCAOB.  When he joined KPMG, Sweet transferred all the information from the hard drive on his personal computer to his computer at KPMG.  In addition to this information, he also removed from the PCAOB documents containing confidential PCAOB information such as: inspection planning information; inspection guides and manuals; and drafts of confidential inspection comment forms.  These documents also included a confidential list of KPMG audit engagements that the PCAOB intended to inspect in 2015, the focus areas for such inspections, and a list of all the quantitative and qualitative criteria the PCAOB used to decide which KPMG audit engagements to inspect. 

During Sweet’s first week at KPMG, Sweet attended a welcome lunch with Middendorf and David Britt (Britt) among others.  During this lunch, Middendorf asked Sweet (1) whether a particular banking issuer, that was a KPMG client, would be the subject of a PCAOB inspection and (2) which KPMG audits would be subject to inspection that year by the PCAOB.  Sweet, without answering directly, indicated that the PCAOB planned to inspect the banking issuer but he did not, at that time, share information regarding the audits the PCAOB planned to inspect that year.  The day after this luncheon, Middendorf told Sweet that he needed (1) “to share insight and add value and be fully open when it came to that type of information;” (2) “remember where [his] paycheck came from;” and (3) “be completely loyal to KPMG and KPMG only.”[7]

A couple of days following the welcome lunch with Middendorf, Sweet attended another welcome lunch.  Returning from this lunch, Whittle, out of earshot of others, asked Sweet for the list of engagements the PCAOB planned to inspect in 2015.  According to the Order, Mittendorf had directed Whittle to ask Sweet for this information.  In response to the request, Sweet provided Whittle the information “and asked Whittle to exercise discretion given the nature of the information.”[8]  Whittle, in turn, provided this information to Mittendorf writing “the complete list.  Obviously very sensitive.  We will not be broadcasting this.”[9]  Whittle next instructed Sweet to speak to certain of KPMG’s engagement partners that were responsible for audits that were on the PCAOB’s 2015 list.  Sweet was asked to explain to these partners the reasons for the selection of these audits so the partners could better respond to any PCAOB’s questions about the audits and mitigate any PCAOB concerns. 

In April 2015, KPMG engaged an outside consultant to help it predict which audit engagements the PCAOB would inspect in 2016.  Middendorf and Whittle directed Sweet to share with the outside consultant everything he knew about how the PCAOB selects audits to inspect.  Sweet complied with this request and also spoke directly with the consultant to provide more details about the PCAOB’s processes.

Sweet also provided confidential PCAOB information to a KPMG audit partner who was preparing a client pitch for a Spanish bank’s audit business.  Securing this business was a high priority for KPMG.  The confidential information Sweet shared included confidential PCAOB comment forms related to the audit of the bank by a KPMG competitor.  This information discussed specific ways in which the bank’s auditors had failed to adequately test certain valuations relating to loan and lease losses. 

Sweet also asked one of his former colleagues at the PCAOB, Cynthia Holder, to send him confidential PCAOB information after he joined KPMG.  This information was to assist KPMG in putting together a presentation it would be making to the PCAOB on the root causes of its audit deficiencies.  Holder provided Sweet this information and also informed him that the PCAOB had decided to cancel its inspection of a particular KPMG audit client in 2015.  At the time Sweet requested this information, he was encouraging KPMG to hire Holder and he was keeping her apprised of his efforts on her behalf.  In July 2015, Holder was offered a job by KPMG, which she accepted.

Sweet and Holder were not the only PCAOB employees who shared confidential PCAOB information with KPMG.  In early March 2016, a friend of Holders, Jeffrey Wada (Wada), who was working for the PCAOB, became disgruntled when he did not get a promotion.  Later that month, he called Holder to provide her confidential information regarding thirteen KPMG clients the PCAOB planned to inspect.  Holder provided this information to Sweet, who in turn provided it to Middendorf, Whittle, and Britt and let them know that it came from a current employee of the PCAOB.  The Order notes that this confidential information was provided to KMPG “at a critical time.”[10]  This is because Middendorf and other members of KPMG’s leadership team had recently met with staff from the SEC’s Office of the Chief Accountant.  During the meeting, the staff had “expressed significant concerns about [KPMG’s] audit quality and questioned whether KMPG was adequately addressing these issues.”[11] 

The information Wada provided enabled KPMG to review and revise workpapers from recent audits prior to the PCAOB inspecting them.  Middendorf, Whittle, and Britt agreed to have Sweet and others conduct an additional review of the workpapers from the audits on the list provided by Wada “to determine whether anything could be done to minimize the risk of receiving inspection comments from the PCAOB.  Middendorf and Whittle instructed that no one in the briefing should disclose that they had obtained confidential PCAOB information.”[12]  Britt falsely told others at KPMG that they were performing this work in the ordinary course of business.  Reviews by Sweet, Holder, and other KMPG partners or managing directors of the banks on the list provided by Wada resulted in them suggesting to the engagement teams various edits and proposed revisions.  These efforts resulted in KPMG receiving positive comments from the PCAOB following its inspection.  According to the Order, “the level of improvement in the inspection results led Whittle to be concerned that if KPMG could not obtain confidential PCAOB information from the next inspection cycle, there could be a return of audit deficiencies that would be difficult to explain.”[13]

In January 2017, Wada provided Holder a preliminary list of PCAOB inspection targets for 2017.  This information was provided to Sweet, Whittle, Britt, and Middendorf.  Sweet contacted the engagement partners for two audits on this list to warn them of the potential inspections.  In February 2017, Wada provided Holder information regarding the final list of inspection targets for 2017, the areas that these inspections would focus on, and the PCAOB’s list of KPMG engagement partners with poor performance evaluations.  This information, too, was provided to Sweet, Middendorf, Whittle, and Britt.  The Order notes that, “unlike the prior lists of PCAOB inspection targets, the audits on the February 2017 list were ongoing, thus providing substantially greater ability to improve the audit workpapers.”[14]  Whittle instructed Sweet to warn certain engagement partners about the impending inspections, but to be circumspect in his communications.  It was at this point that one of the engagement partners he contacted suspected that the firm had received confidential PCAOB information and reported her concerns to her supervisor, who reported them to KPMG’s Office of the General Counsel (OGC).  In response, KPMG began an investigation and reported the matter to the PCAOB.[15] 

KPMG’s Conduct Involving Cheating on Required Exams

As accountants licensed by state accountancy boards, audit professionals are required to complete a number of continuing professional education (CPE) courses periodically – typically 120 hours every three years.  In addition to these state requirements, KPMG imposed additional CPE requirements on its audit professionals.  Interestingly, these additional requirements were imposed, in part, to settle an SEC enforcement action in 2017.  In settling that action, KPMG agreed, among other things, to ensure that for a 15-month period beginning May 1, 2017, all audit personnel would be provided an additional 12 hours of training comprised of 4 hours of training in each of the following areas: valuation, specialist training, and fraud training.[16] 

KPMG administers its own set of online training programs that qualify for CPE or training credit.  At the completion of these training programs, KPMG requires its audit professionals to pass an examination and professionals are given three chances to pass.  If the professional is unable to pass after two attempts, the Performance Leader is notified.  After three failed attempts, the professional is required to retake the training, prohibited from conducting audit work until they pass the exam, and their compensation may be reduced.

Unrelated to its unlawful use of confidential PCAOB information, the Order also finds that KPMG’s audit professionals improperly shared answers to the training exams they were required to pass to satisfy their CPE and training requirements.  “This conduct was committed by audit professional at all levels of seniority, including lead audit engagement partners who were responsible for compliance with PCAOB standards in auditing their clients’ financial information.”[17]  Upon learning of this cheating, KPMG leadership alerted the SEC staff and began an internal investigation.  The Order notes that “prior to the firm’s investigation, no one reported the improper sharing of exam answers to the firm’s Ethics and Compliance Hotline.”[18]

In addition to sharing exam answers, the Order finds that certain audit professionals also manually changed the scores required to pass certain exams.  As explained in the Order: 

For a period of time up to November 2015, certain audit professionals, including one partner, altered the URLs for their exams to lower the scores required to pass.  Twenty-eight of these auditors did so on four or more occasions.  Certain audit professionals lowered the required score to the point of passing exams while answering less than 25 percent of the questions correctly.[19]

The SEC’s Findings

Based on the above conduct relating to the confidential use of PCAOB information and testing improprieties, the SEC found that KPMG willfully violated PCAOB Rule 3500T, which requires auditors to comply with ethics standards, including those requiring them to maintain integrity as described in the AICPA Code of Professional Conduct when performing any professional service in connection with the preparation or issuance of any audit report.  The SEC also found that KPMG engaged in conduct that provides a basis for the SEC to impose remedies against the firm pursuant to Section 4C(a)(2) of the Exchange Act and SEC Rule of Practice 102(e)(1)(ii).  These provisions authorize the SEC to sanction persons who commit any act discreditable to the audit profession.

The Sanctions Imposed

The SEC censured KMPG, ordered it to cease and desist from committing any additional violations of PCAOB Rule 3500T, and ordered it to pay a $50 million fine within 10 days of the Order.  It additionally required KPMG to comply with an extensive list of undertakings that, among other things, requires the firm to:[20]

• Conduct a detailed review of the sufficiency and adequacy of its quality controls relating to ethics and integrity;  

• Provide the SEC a detailed written report of its review;

• Have a KMPG Special Committee, comprised of independent members of KPMG’s board and non-audit partners, identify and detail the extent to which audit professionals violated ethics and integrity standards over the past three years in connection with the CPE exams;

• Provide KPMG’s Board of Directors and Chief Executive Officer (CEO) a detailed report of the findings of the Special Committee and remedial steps the Committee recommends be taken;

• Retain, at KPMG’s expense, an Independent Consultant to perform an in-depth review of KPMG’s operations relating to ethics and integrity;

• Provide the SEC the written report prepared by the Independent Consultant;

• Adopt as soon as practicable all the Independent Consultant’s recommendations;

• Ensure that all audit professionals complete a minimum of 12 hours of ethics and integrity training each year with at least 3 hours of such training occurring every 3 months;

• Subsequent to the SEC receiving a copy of the Independent Consultant’s report, KPMG’s CEO must certify to the Commission that KMPG has adopted and implemented (or has plans to implement) all recommendations of the Independent Consultant and that the Independent Consultant agrees with KPMG’s implementation of its recommendations;

• Refrain from invoking the attorney-client privilege in connection with any of the Independent Consultant’s activities or information provided to it;

• Inform its audit professionals of the terms of the Order within 10 business days of its entry;

• Within 15 months of the Order, have its CEO certify in writing compliance with all provisions in the undertakings, supplemented by documentary evidence of such compliance; and

• For calendar years 2020 and 2021, KPMG’s CEO must certify the adequacy of KPMG’s policies and procedures relating to ethics and integrity.  Such certification must be compliant with conditions imposed in the undertaking portion of the Order. 

In imposing these sanctions, the Order acknowledges the remedial efforts of KPMG.  These efforts included reporting the above discussed matters to the Commission and/or to the PCAOB; initiating an investigation of the testing matter; cooperating with the Commission staff; and undertaking various remedial measures such as retaining an advisory firm to conduct an independent cultural assessment and retaining a learning and development consultant to conduct a current assessment.

 

Tamara K. Salmon
Associate General Counsel

 

endnotes

[1]  See In the Matter of: KPMG, Respondent (the “Order”), which is available at: https://www.sec.gov/litigation/admin/2019/34-86118.pdf.  The SEC’s press release announcing settlement of this proceeding is available at: https://www.sec.gov/news/press-release/2019-95.

[2]  See https://www.sec.gov/litigation/admin/2018/34-82556.pdf for the SEC’s Order Instituting Public Administrative Proceedings against such persons. 

[3]  See https://www.sec.gov/litigation/apdocuments/3-18346-event-4.pdf.

[4]  The documents relating to the criminal action against the persons implicated in the SEC’s action against KPMG include the following:

• The criminal indictment against the five defendants (i.e., Cynthia Holder, Jeffrey Wada, David Middendorf, Thomas Whittle, and David Britt):  http://online.wsj.com/public/resources/documents/middendorfetal.pdf;

• Documents relating to the stay of the SEC’s administrative proceeding during the pendency of the criminal proceeding: https://www.sec.gov/litigation/apdocuments/ap-3-18346.xml;

• The Department of Justice’s announcement of a guilty plea by Defendants Holder in the criminal case: https://www.justice.gov/usao-sdny/pr/former-pcaob-inspections-leader-and-kpmg-executive-director-pleads-guilty-scheme-steal;

• The Department of Justice’s announcement of Defendants Middendorf and Wada being convicted of four counts and three counts, respectively, of wire fraud and conspiracy in March 2019: https://www.justice.gov/usao-sdny/pr/former-kpmg-executive-and-former-pcaob-employee-convicted-wire-fraud-scheme-steal-and;

• In October 2018, defendant Thomas Whittle pled guilty to five conspiracy and wire fraud charges.  He is expected to be sentenced to a lengthy prison term in September 2019: https://economia.icaew.com/news/october-2018/third-kpmg-us-partner-pleads-guilty-to-fraud;

• A March 2019 article noting that Defendant Britt’s trial is scheduled for September 2019: https://www.secactions.com/kpmg-partner-pcaob-official-guilty-stealing-board-inspection-schedules/; and

• A February 2019 article naming the KPMG auditor who reported the unlawful conduct to KPMG when she found out about it: https://goingconcern.com/ex-kpmg-partners-fraud-trial-what-david-middendorf-allegedly-said-once-the-scheme-started-to-unravel/.              

[5]  Order at ¶ 17. 

[6]  Some of the information included in this summary can be found in the criminal indictment of the individuals involved in KPMG’s unlawful conduct.  See fn. 4, above, for a link to the indictment.

[7]  Order at ¶ 23.

[8]  Order at ¶ 25.

[9]  Id.

[10] Order at ¶ 39. 

[11]  Order at ¶ 39.

[12]  Order at ¶ 41.

[13]  Order at ¶ 44.

[14]  Order at ¶ 48.

[15]  According to Paragraph 85 of the indictment, at this point, Holder informed Sweet that she planned to tell the OGC that she had received the confidential information anonymously in the mail.  She asked Sweet to tell the same lie to the OGC and she counseled him on how he should respond to the OGC’s inquiries.   The indictment goes into additional details about how Holder and Sweet continued to mislead the OGC and destroy evidence related to their unlawful acts.

[16]  These sanctions were imposed after KMPG and one of its managing partners was found to have issued an audit opinion in 2011 in which they failed to exercise the requisite degree of due professional care and skepticism.  The audit was of an energy company that, in 2010, acquired certain oil and gas interests for $4.5 million and then reported those assets on its 2010 financial statements as worth $480 million.  Notwithstanding this, KPMG issued an audit report containing an unqualified opinion on the firm’s financial statements.  In addition to being required to satisfy additional training requirements, the firm was fined $1 million and the managing partner was fined $25,000 and denied the privilege of appearing or practicing before the SEC as an accountant.  The firm also agreed to certain undertakings.  See KMPG LLP and John Riordan, CPA, SEC Release No. 34-81396 (Aug. 15, 2017), which is available at: https://www.sec.gov/litigation/admin/2017/34-81396.pdf

[17]  Order at ¶ 53.

[18]  Order at ¶ 54. 

[19]  Order at ¶ 58.

[20] Some of these undertakings mirror those imposed on the firm in 2017 when it was found to have failed to exercise the requisite degree of due professional care and skepticism in connection with its audit of an energy firm.  See fn. 16, above.