When the history of audit reform is written, it will record that the government responded to a series of devastating corporate accounting scandals by creating a new regulator to protect investors.
It will record that, to eliminate conflicts of interest, the government prohibited audit firms from marketing an array of other services to the companies they audit.
It will record that the architects of this new system congratulated themselves and declared the problem solved.
And it will record that, decades later, it all proved to have been a dismal disappointment.
That’s what happened in the United States in the aftermath of accounting frauds and financial meltdowns at a long list of major companies—most famously, Enron and WorldCom.
It remains to be seen whether the United Kingdom repeats that history or learns from the American experience.
Based on proposals the British government has drafted, the outlook is not encouraging.
The U.K. is now at a crossroads much like the one the United States faced about 20 years ago. Reeling from corporate frauds, it is trying to overhaul its audit system.
So that U.K. policymakers might avoid some of the same pitfalls, we’d like to summarize what went wrong in the United States, where a supposedly new and improved overseer for corporate auditors proved feckless and feeble and was essentially captured by the audit industry.
Our interest is not entirely selfless. Ideally, the U.K. will adopt reforms that will not only benefit its own people but also lead to better auditing in other countries and serve as a model for the United States.
A lot is riding on the outcome. The public depends on auditors to make sure corporations don’t mislead us about their financial health and to confirm that they have sound internal controls. The public depends on regulators to make sure auditors are doing their job.
When the system fails, workers can lose jobs. Investors can lose money, including savings invested in 401(k) accounts and other individual retirement plans. Pension funds for teachers, firefighters, and other large groups can take a hit. And all manner of other people whose lives and livelihoods are connected to the affected company—in ways they may not even realize—can suffer.
At the risk of repeating ourselves, we’ll begin with some background. In our long-running coverage, we’ve said much of this before.
A History of Problems Since Enron
If you consider auditing in the United States over the past two decades to have been a sterling success, consider some highlights—or, more accurately, lowlights.
In the years since it reformed oversight of corporate auditors, the United States plunged into the financial crisis of 2008, the worst since the Great Depression. The economy tanked, and many families lost homes and jobs.
Subsequently, much of the U.S. mortgage industry proved to be operating with catastrophically shoddy controls. For example, banks were systematically foreclosing on homeowners based on invalid paperwork. In 2012, to make amends to injured borrowers, companies such as Bank of America, Citi, JP Morgan Chase, and Wells Fargo reached a $26 billion settlement with state and federal authorities.
“The settlement required the banks to accomplish a massive undertaking—changing their broken system of servicing loans into one that is functional,” a group of state attorneys general who negotiated the settlement wrote.
Those chapters in financial history revealed a combination of bad auditing, weak policing of auditing, and rules that demanded too little of auditors.
There was, for instance, the Wall Street firm Lehman Brothers, which used allegedly fraudulent transactions at the end of fiscal quarters to create the appearance that its financial condition wasn’t as precarious as it actually was. Lehman’s fall was one of the dominoes that drove the international financial system to the brink of collapse.
There was also Colonial Bank, whose parent company was bankrupted by fraud—in part because it bought loans that didn’t exist or had already been sold to others, according to a 2010 court filing. Backstopping Colonial cost a federal insurance fund $2.4 billion.
More recently, Wells Fargo, one of America’s biggest banks, was exposed as abusing its customers anew—for example, by opening hundreds of thousands of accounts and applying for tens of thousands of credit cards in the names of consumers who never asked for them (Wells Fargo later identified 3.5 million potentially unauthorized accounts), collecting unauthorized interest and fees, and damaging victims’ credit scores.
Auditor KPMG had vouched for Wells Fargo’s internal controls over financial reporting.
In a 2016 response to questions from members of the U.S. Senate, KPMG acknowledged knowing about the abuses but essentially said they didn’t affect the audit reports the accounting firm issued on the company.
KPMG said it “became aware of instances of unethical and illegal conduct by Wells Fargo employees, including incidents involving these improper sales practices,” and was “satisfied that the appropriate members of management were fully informed with respect to such conduct.”
The “improper sales practices did not involve key controls over financial reporting,” and the “effects were not financially significant,” KPMG added.
Based on Wells Fargo’s conduct, the Federal Reserve imposed restrictions on the bank’s business. The scandal hurt Wells Fargo’s stock price, taking a toll on investors. And, in February 2020, Wells Fargo agreed to pay a $3 billion fine.
If all of that doesn’t amount to a failure on the part of KPMG, it’s an indictment of the regulatory system that makes KPMG’s defense possible.
Then there’s General Electric, another KPMG client, which in the not-too-distant past was one of America’s most respected companies. The company, also known as GE, can trace its history to inventor Thomas Edison.
In 2009, the U.S. Securities and Exchange Commission (SEC) charged GE with accounting fraud. The SEC said GE misled investors—for example, by booking more than $370 million of revenue from “sales of locomotives that had not yet occurred.” GE agreed to pay a $50 million penalty.
You might assume GE learned a lesson. If it did, it seems to have learned an unintended one.
In December 2020, GE settled charges that it again misled investors about its finances. By the SEC’s math, in 2017 and 2018, when some of the problems came to light, GE’s stock fell by almost 75%. Within the company, one of the financial reporting practices at issue was described as a “drug” because the company had to keep using it to sustain the effect, the SEC said. The SEC also said GE had inadequate internal accounting controls. The company agreed to pay a $200 million penalty.
In both cases, GE neither admitted nor denied wrongdoing.
We know of no enforcement action against KPMG in connection with the problems at GE or Wells Fargo. In case we missed something, we asked KPMG, the SEC, and the Public Company Accounting Oversight Board (PCAOB) if there has been any. As if to demonstrate its approach to public accountability, KPMG declined to comment. The SEC and the PCAOB didn’t answer.
It’s possible that there have been improvements in U.S. auditing over the years. It’s possible that, out of the public eye, auditors have stood up to their clients and prevented problems. It’s also possible that problems have gone undisclosed.
One thing that’s clear is that, year after year, regulatory inspections of big audit firms have found that large percentages of the audits examined were defective—so flawed or inadequate that the audit firm had no basis to vouch for a company’s internal controls or financial statements.
Many concerned observers are sounding an alarm. In a June 2021 letter to the chairman of the Securities and Exchange Commission, dozens of critics—including professors, former regulators, and investor advocates—called for bold action to fix a failing system.
Institutional failures “are recreating the conditions that led to the massive wave of accounting scandals that rocked the markets two decades ago,” they wrote.
As the British government lays out proposed reforms, it seems to be placing a lot of stock in a couple of strategies that are likely to fall short.
Separating Auditing from Consulting
First, the U.K. government is trying to separate auditing from other services. In other words, it’s trying to make sure auditors are focused on auditing.
To an extent, the U.S. has been there and done that. As reforms go, it’s overrated. In the U.K., it appears to be raising false hopes.
Before and after Enron imploded, the United States confronted the same issue. As this reporter wrote in the Washington Post in 2001:
Major accounting firms often make more money from selling clients advice than they do from auditing their books. The accounting firms help businesses pick computer systems, lobby for tax breaks, even evaluate takeover targets. Auditors have been graded and rewarded based on how much other business they win from their audit clients.
To be sure, it doesn’t help the public if auditors are using their privileged role to shake down their clients for consulting contracts, or if audits become a means for auditors to get their foot in the door and sell other services. The roles of salesman and watchdog are incompatible.
It’s also problematic if auditors are so involved in a client’s business that they end up auditing their own work, such as schemes to avoid taxes.
But separating the auditors from the consultants is only an incremental improvement. Far from making accounting firms independent from the companies they audit, it would leave them entirely dependent on their audit clients for their audit revenue.
The Sarbanes-Oxley Act of 2002, Washington’s watershed reform legislation, greatly limited the range of services auditors can perform for the publicly traded corporations they audit.
Sign up to stay informed!
Find out how you can get involved and stay up to date with our work.
The U.K. could and should draw even tighter limits than the United States on non-audit services. It should resist any pressure to condone inappropriate services on the grounds that they are “audit-related.”
But it should have no illusion that doing any of that will solve the problem.
Second, with the overwhelming majority of large public companies audited by one of four big accounting firms—Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers (PwC)—the British government seems intently focused on creating more competition.
More competition could help. It’s hard to hold audit firms accountable when they are too big to fail and, in a manner of speaking, too few to jail. The concentration of power gives them a measure of impunity. What’s more, corporations inclined to switch audit firms can face even fewer alternatives if they have business relationships with other members of the Big Four; those could present disqualifying conflicts of interest.
But competition alone is no answer.
At the height of the U.S. savings and loan crisis of the 1980s and 1990s, when the S&L industry required a massive taxpayer bailout and auditors failed to protect the public from rampant fraud or warn of looming insolvencies, the Big Four were still the Big Eight. Several of them paid a combined total of more than $1 billion to settle government claims that they shared liability for the debacle.
An article in the Atlantic during that era included a warning about competition among auditors:
There’s an old joke in the accounting profession about a businessman who wanted to hire an auditor. He set up interviews with representatives of several leading CPA firms. “How much is two plus two?” the businessman asked each applicant. The first three applicants gave the correct answer and were promptly dismissed. The fourth applicant, who got the engagement, pondered the question and then replied, “How much do you want it to be?”
More important than the number of competitors are the terms on which they are competing.
Are they engaged in a race to the bottom, or a race to the top?
Are they vying to protect the public, or to accommodate their clients?
What are their incentives?
The Fundamental Problem
That brings us to the heart of the matter.
Though these firms are called independent auditors, that’s a lie.
Audit firms are hired, fired, and paid by the companies they audit. In the United States, the arrangement makes them beholden to their clients, and it gives them an overriding financial incentive to ingratiate themselves to their clients. It makes it hard for well-intentioned auditors to do an honest job.
As far as we can tell, the U.K. government’s proposal would not alter this fundamental fact. The government has said it is open to revisiting the issue in the future.
The U.K. seems to be counting on corporate directors to act as independent overseers of the outside auditors. It’s hoping to make directors more effective and accountable. That would be great if it works. From our vantage point, it would be a welcome surprise.
In the United States, audit committees of corporate boards choose and oversee outside audit firms. But, as a practical matter, corporate boards have relied heavily on corporate management. They are often aligned closely with management, and so are their incentives—such as boosting the share price. That means they may not provide the kind of checks and balances the public needs.
For a measure of their independence, take a look at the executive compensation packages they approve.
To avoid misleading the public or contributing to a false sense of confidence, the government should stop calling the auditors “independent.”
As we said in a December open letter to the incoming Biden administration, “unless and until the government eliminates the conflict of interest inherent in having companies hire their own auditors, any reforms will be fighting the tide. Sooner or later, the levees will fail.”
Rotating Audit Firms
The U.K. government seems to be taking a pass on one of the more promising ways to create a significant counter-incentive: requiring more frequent rotation of audit firms.
As we said in our open letter to Biden’s transition team, once an audit firm puts its stamp of approval on financial statements that contain fraud or error, “it has a perverse incentive not to force a correction. Disclosing the fraud or error could expose the audit firm to liability. However, a new audit firm could have the opposite incentive. Unless it forces a reckoning, it, too, could own the problem.”
Here, the U.K. is already ahead of the United States. It forces companies to replace audit firms at 20-year intervals if not sooner.
When GE’s audit committee decided last year to replace KPMG as the company’s auditor, KPMG and its predecessor firms had been auditing GE for more than a century.
The U.S. Audit Regulator
Short of eliminating perverse incentives, creating a strong regulator is a worthy goal.
On that front, the premiere U.S. audit regulator is a model—of what not to do.
Even as the U.K. follows in American footsteps by setting out to strengthen oversight of auditors, the U.S. government is confronting the shortcomings of its post-Enron reforms.
A new chairman of the Securities and Exchange Commission, appointed by President Joe Biden, is sweeping out the leadership of the Public Company Accounting Oversight Board, a subordinate agency responsible for overseeing corporate auditors. In a recent statement, SEC Chairman Gary Gensler—who was present at the creation of the PCAOB—acknowledged a gap between what was expected of the audit overseer and what it has delivered.
The U.S. audit overseer “has an opportunity to live up to Congress’s vision,” Gensler said in a June 4 statement.
Gensler said he was trying to “set it on a path to better protect investors by ensuring that public company audits are informative, accurate, and independent.”
He was referring to the vision Congress articulated in 2002, when it established the audit overseer, and the path on which Congress supposedly set the agency way back then.
Thus far, Gensler is talking about personnel changes rather than any major restructuring of the U.S. audit regulator.
But the problems run deeper. They were baked in.
Amid the wreckage of Enron, the chairman of a key Senate committee set out to create a new regulator for corporate auditors. However, the audit industry and its political allies resisted. To advance the Sarbanes-Oxley legislation that now bears his name, the late Senator Paul Sarbanes, a Maryland Democrat, made compromises that largely defeated his purpose. In some ways, they made matters worse.
Before Sarbanes-Oxley, audit firms inspected each other through so-called “peer reviews.” The peer reviews looked like exercises in “mutual back-scratching.” After Enron disclosed that it had overstated years of earnings, its outside auditor, the now-defunct Arthur Andersen firm, passed a peer review by Deloitte.
(Against that backdrop, it’s worrisome that the U.K. government has even been considering
a role for peer reviews.)
How an Agency You've Never Heard of Is Leaving the Economy at Risk
The Public Company Accounting Oversight Board, which was created in the aftermath of the Enron and WorldCom scandals to police audit firms and to protect everyone who has a stake in the stock market, has proven a feckless enforcer of its own rules.Read More
The Sarbanes-Oxley Act tasked the new U.S. regulator with inspecting audits. But the law all but ensured that many of the problems PCAOB inspections found would never be disclosed to the public. Meanwhile, when disclosing inspection findings, the PCAOB has withheld from the public the names of the companies whose audits were found to have been defective.
The PCAOB was empowered to write new auditing rules. Previously, the industry had written its own rules, and the rules were written in ways that made it difficult to hold auditors accountable. But, after all these years, many of the old rules remain in place.
The PCAOB was tasked with enforcing audit rules. But, as a matter of law, its enforcement cases play out in secret. Instead of exposing alleged wrongdoing, it often serves to hide it.
When the PCAOB files contested charges against auditors and holds hearings that are the functional equivalent of trials, the public is none the wiser. The existence of an enforcement case remains confidential unless and until, having run its course at the PCAOB, it results in a disciplinary order.
That makes PCAOB enforcement less transparent than enforcement actions by other U.S. regulators, not to mention civil or criminal court proceedings.
The PCAOB was given the power to fine audit firms and individual auditors for violating audit rules. But the enforcement actions the PCAOB has disclosed against Big Four auditors are rare, and the fines assessed are generally small. As we wrote in a 2019 report on the agency:
Since the audit cop opened for business in 2003, its inspection reports have cited 808 instances in which the U.S. Big Four performed audits that were so defective that the audit firms should not have vouched for a company’s financial statements, internal controls, or both.
Yet, despite those 808 alleged failures, the audit cop has brought only 18 enforcement cases against the U.S. Big Four or employees of those firms. Those cases involved a total of 21 audits.
If the 808 audits cited as fatally flawed in the inspection reports were as bad as the reports said, it appears that the audit cop could have fined the audit firms more than $1.6 billion—that’s billion, with a “b.”
Yet, since it began working the beat, the audit cop has fined the U.S. Big Four a total of just $6.5 million, POGO found. That’s million, with an “m.”
That’s less than one half of one percent of the potential fines.
The same pattern applies to enforcement actions against individual accountants:
In its entire history, the audit cop has fined individuals at U.S. Big Four firms a total of $410,000, POGO found. (That includes a fine of $85,000 that was overturned by a federal court on procedural grounds.)
That cumulative total is less money than one partner at a big accounting firm can make in one year.
To put the fines in further perspective:
In one year alone, fiscal year 2018, companies that were registered with the Securities and Exchange Commission disclosed paying the Big Four audit fees and associated fees totaling $13.6 billion, according to data compiled for POGO by the research firm Audit Analytics. That total does not include fees identified as going to foreign affiliates of the Big Four.
The U.S. audit regulator has become largely a creature of the industry it oversees. Two of the five seats on its governing board are reserved for accountants. One current board member is a veteran of Deloitte. Another, the acting chairperson, previously worked for Deloitte and Arthur Andersen.
Nothing prevents other board seats from being occupied by people close to industry—for instance, a lawyer who had represented audit firms or a former Ernst & Young partner who was a consultant rather than an accountant.
Then there’s the PCAOB staff. As we wrote in a 2020 report:
Based on an analysis of profiles from the professional networking site LinkedIn, as of November 2019, it appeared that more than 40% of PCAOB employees had worked for the so-called Big Four audit firms—Deloitte & Touche, Ernst & Young (EY), KPMG, and PricewaterhouseCoopers (PwC). …
At the same time, LinkedIn profiles showed more than 160 people working for the Big Four who had previously worked for the PCAOB. Scores have gone back and forth. …
Ties like those may help explain why a supposedly strong and independent regulator has a history of bending to industry.
The U.K. should do what it can to limit any revolving door between the audit regulator and the audit firms—especially at the top of the regulatory agency, where independence, intentions, and judgment are more important than any technical background.
In the United States, the revolving door didn’t just subvert the audit regulator. It corrupted the agency.
KPMG hired PCAOB employees and used them to gain inside information about the agency’s inspection plans. The accounting firm then exploited that information to cheat on inspections. Criminal prosecutions led to convictions and guilty pleas.
In a separate settlement with the Securities and Exchange Commission, KPMG admitted wrongdoing and agreed to pay a $50 million penalty.
One participant in the scheme was former PCAOB employee Jeffrey Wada, who aspired to leap from the audit regulator to the audit firm. In 2017, when he was still at the PCAOB, he explained his goal in a late-night email to a colleague who had already made such a move.
“I am now trying to sell myself to KPMG,” Wada wrote.
Another key player was former PCAOB employee Brian Sweet, who more than doubled his pay when he went from inspecting KPMG to working for KPMG. By his own testimony, as the investigation was closing in on him, Sweet destroyed evidence in a backyard barbecue.
Establishing an audit regulator that is truly independent from the industry it oversees will be difficult. Both will draw from the same population of specialized professionals. Financially, industry will have the power to seduce and co-opt.
For those reasons and more, anything short of realigning auditing’s fundamental incentives is likely to disappoint.
Meet the New Boss
The U.S. experiment with audit reform poses a quandary: Is it better to make audit regulators politically accountable—or to protect them from politics?
Both approaches have downsides. The PCAOB may have the worst of both worlds. It has neither direct accountability to the public nor protection from political agendas that conflict with its mission.
Framers of the PCAOB set out to insulate it from politics. They didn’t trust the government agency primarily responsible for overseeing the financial disclosures of public companies—the Securities and Exchange Commission—to reform auditing. At the time, the SEC was headed by a former adviser to and defender of audit firms.
The Sarbanes-Oxley Act fashioned the PCAOB as a nonprofit corporation. Though the PCAOB does the job of a government agency, it is less transparent and less accountable than government agencies. It is not subject to the Freedom of Information Act, and as a result it can withhold from the public and the media types of records that government agencies would have to disclose.
The PCAOB’s framers also made it subordinate to the SEC, and the U.S. Supreme Court later made it more subservient to the SEC by knocking out as unconstitutional a provision that limited the SEC’s ability to remove members of the PCAOB’s governing board.
As a result, the Trump administration had ample power to replace the PCAOB’s leadership and put its distinct mark on the audit regulator. Now, the Biden administration is doing the same.
The U.K. government has said it plans to make its audit regulator subject to its national Freedom of Information Act. That’s a step in the right direction.
The U.K. government also has said it plans to make its audit regulator a “company limited by guarantee”—something akin to a U.S. nonprofit corporation. As an echo of the PCAOB, that’s cause for concern.
More troubling still: Though the U.K. government has said it is creating a new audit regulator—to be called the Audit, Reporting and Governance Authority (ARGA)—the text of its proposal suggests it is merely giving its current audit regulator, the Financial Reporting Council (FRC), an overhaul.
“The government intends to bring forward legislation to rename the existing corporate entity, impose requirements as to its governance, and make provision as to the regulator’s powers and duties,” the proposal says.
“The government considers that this approach enables ARGA to be established while minimizing the transitional costs which would be involved in setting up a new statutory corporation,” the proposal says.
With its parallels to the U.S. approach and its perpetuation of a discredited regulator, the U.K. plan brings to mind the often-quoted words of the British band The Who: “Meet the new boss, same as the old boss.”
Let’s hope “we don’t get fooled again.”
Disclosure: In October 2020, POGO received support from the Luminate Foundation in the amount of $75,000 for 18 months to build on its past investigative reporting by analyzing and proposing solutions to problems in the U.S. auditing system.