Holding the Government Accountable
|
Investigation

How an Agency You've Never Heard of Is Leaving the Economy at Risk

(Illustration: CJ Ostrosky/POGO)

This piece is part of a series. See the full series, or skip ahead to the next part, Botched Audits: Big Four Accounting Firms Fail Many Inspections.

A federal watchdog you’ve probably never heard of is supposed to be protecting your financial security.

It’s supposed to be policing some of the biggest and most powerful firms in American business.

It’s supposed to reduce the risk that, as a result of fraud, error, or corporate incompetence, your financial future goes poof.

Indirectly, it’s supposed to help safeguard any savings you’ve stashed in the stock market, any stake you have in a pension or retirement fund, and maybe even your paycheck and employment benefits.

A federal watchdog you’ve probably never heard of is supposed to be protecting your financial security. But in key respects it’s been doing a feeble job.

It’s supposed to help avert man-made disasters like the financial crisis and mortgage-meltdown of a decade ago; the accounting scandals that destroyed a long list of corporations such as Enron and WorldCom almost two decades ago; and the savings and loan crisis that consumed mountains of taxpayer money in the 1980s and ‘90s—the kind of catastrophes that can cripple your community, crater the economy, or collapse the financial system.

But in key respects it’s been doing a feeble job.

Over its entire history of more than 16 years, when it comes to some of the biggest firms under its jurisdiction, it has taken disciplinary action over only a tiny fraction of the apparent violations its staff has identified. Meanwhile, the financial penalties it has imposed pale into insignificance compared to the fines it apparently could have imposed.

Those are the findings of an investigation by the Project On Government Oversight (POGO).

The obscure agency in question is the Public Company Accounting Oversight Board (PCAOB), also known by the nickname “Peekaboo.”

The Peekaboo doesn’t directly police Wall Street or corporate America. Rather, it polices the accounting firms that are responsible for auditing corporations.

It’s a watchdog over other watchdogs.

And when it comes to disciplining the biggest American dogs in the pack—the U.S. arms of Deloitte & Touche, Ernst & Young, KPMG, and PricewaterhouseCoopers, known as the “Big Four”—it’s proven feckless.

Data compiled by POGO tells a stark story.

But first, a bit of background explanation; call it “Auditing 101.”

After the stock market crash of 1929 helped usher in the Great Depression and showed that companies couldn’t be trusted to tell the truth about their financial performance, the government mandated that companies with publicly traded stock have themselves audited.

Today, the Big Four accounting firms audit almost half of all publicly traded companies in the United States and almost all the companies in the S&P 500 index of large corporations.

The accounting firms that audit publicly traded corporations have two key responsibilities. First, they issue reports publicly certifying the companies’ financial statements—which encompass potentially market-moving information such as profits, losses, revenue, and debts. Second, they audit and report on the soundness of companies’ internal controls such as computer systems, accounting procedures, and checks and balances meant to guard against fraud.

The Peekaboo audits the auditors.

One of its jobs is to annually scrutinize a sample of the audits performed by each of the Big Four and to issue inspection reports assessing the firms’ compliance with auditing rules or standards.

Another role is to write those rules.

A third responsibility of the Peekaboo is to enforce the rules—along with relevant laws. Under the 2002 act of Congress that created the Peekaboo, this audit cop was given the power to penalize audit firms as much as $2 million per violation for ordinary violations and as much as $15 million per violation for more serious violations—those that involve intentional or knowing conduct, including recklessness, or, in the wording of the law, “repeated instances of negligent conduct.” (Since 2002, the potential penalties have been ratcheted up by almost 40% to keep pace with inflation.)

But this is what POGO found when it studied more than 16 years of PCAOB records:

Since the audit cop opened for business in 2003, its inspection reports have cited 808 instances in which the U.S. Big Four performed audits that were so defective that the audit firms should not have vouched for a company’s financial statements, internal controls, or both.

Yet, despite those 808 alleged failures, the audit cop has brought only 18 enforcement cases against the U.S. Big Four or employees of those firms. Those cases involved a total of 21 audits.

If the 808 audits cited as fatally flawed in the inspection reports were as bad as the reports said, it appears that the audit cop could have fined the audit firms more than $1.6 billion—that’s billion, with a “b.”

Yet, since it began working the beat, the audit cop has fined the U.S. Big Four a total of just $6.5 million, POGO found. That’s million, with an “m.”

That’s less than one half of one percent of the potential fines.

POGO’s math assumes for purposes of illustration that the firms’ alleged failures qualified for fines of $2 million each but not $15 million each.

The audit cop also was given the power to fine individual auditors—up to $100,000 per violation for ordinary violations and up to $750,000 per violation for more serious violations (not counting subsequent inflation adjustments). That includes the power to fine people in audit firm management for failing to reasonably supervise employees who break the rules.

In its entire history, the audit cop has fined individuals at U.S. Big Four firms a total of $410,000, POGO found. (That includes a fine of $85,000 that was overturned by a federal court on procedural grounds.)

That cumulative total is less money than one partner at a big accounting firm can make in one year.

In some instances, regulatory filings show that Peekaboo fines against firms were less than the firms were paid for the allegedly botched audits.

"A Toothless Body of Law"

Pocket Change

In aggregate, the fines the accounting oversight board collected over the past decade and a half were figurative pocket change for the Big Four. In one year alone, fiscal year 2018, companies that were registered with the Securities and Exchange Commission disclosed paying the Big Four audit fees and associated fees totaling $13.6 billion, according to data compiled for POGO by the research firm Audit Analytics. That total does not include fees identified as going to foreign affiliates of the Big Four.

The $6.5 million in fines against the U.S. Big Four over more than 16 years is a “trivial” amount, said professor John C. Coffee Jr., director of the Center on Corporate Governance at Columbia Law School.

“I think it is alarming because we have a watchdog who is not watching,” Coffee said. “We have a watchdog who looks increasingly like a lapdog. And if you do not have an adequate watchdog, then [corporate] managers who have every incentive to increase the stock price because that’s how they are compensated are going to increasingly bend, twist, and ignore the accounting rules.”

POGO’s investigation “suggests this is a toothless body of law,” Coffee said.

Nell Minow of ValueEdge Advisors, who advises investors on corporate governance and who served on a PCAOB advisory panel early in the board’s history, said, “The number one goal is not to bring enforcement actions and impose fines; the number one goal is to get better audits.” But Minow said the gap between the oversight board’s inspection findings and its enforcement record is “very disturbing.”

“The indications are that this is a very significant departure from what the board was set up to do,” Minow said.

“It’s disappointing,” said Kayla Gillan, who was one of the original PCAOB board members. “It just goes back to the fundamental question of accountability. If accounting firms know they can make significant errors and not suffer any consequences because of that, what’s the incentive to avoid the errors?”

POGO is not suggesting that every infraction merits the maximum fine. By way of analogy, in criminal law, convicted felons routinely receive less than the maximum sentence. Theoretically, the penalty is meant to fit the crime and provide an appropriate deterrent.

Historically, the PCAOB has just not used the full force of its office or had sufficient penalties to make the audit firms take notice. They just don’t fear the PCAOB.

Steven W. Thomas, a California attorney who specializes in suing accounting firms

However, the gap between the number of auditing violations identified in inspections of the top U.S. audit firms and the number of enforcement actions against them is immense. It’s so big that, even if we assumed the vast majority of those inspection findings were unfounded, the gap would still be huge.

The difference between the fines the audit cop apparently could have imposed and the fines it actually imposed is similarly vast. Even if we assumed that the appropriate fine for a big audit firm wasn’t $2 million per violation but rather something much smaller—say, an average of only $50,000—the difference between potential and actual fines would still be immense.

Steven W. Thomas, a California attorney who specializes in suing accounting firms, said, “Historically, the PCAOB has just not used the full force of its office or had sufficient penalties to make the audit firms take notice.”

“They just don’t fear the PCAOB,” he said.

Before the PCAOB was created, the job of policing auditors fell largely to the Securities and Exchange Commission (SEC). The PCAOB was conceived as a more specialized and effective audit cop than the SEC. However, the cases the board has brought against the biggest U.S. audit firms look small compared to the occasional cases concluded by the SEC, which oversees the board and exercises overlapping authority.

In a 2017 settlement with the SEC, KPMG agreed to pay more than $6.2 million for allegedly performing an inadequate audit of an energy company that overvalued oil and gas prospects in Alaska by hundreds of millions of dollars. Under the settlement, and without admitting or denying wrongdoing, KPMG paid a penalty and surrendered with interest the auditing fees it had received from the energy company.

In a 2016 settlement with the SEC, Ernst & Young agreed to pay more than $11.8 million for allegedly performing deficient audits of an oil field services company that was inflating its earnings. Ernst & Young neither admitted nor denied wrongdoing. The settlement in that one case exceeded by far the combined total of all the fines the PCAOB has imposed on the Big Four over the board’s entire history.

Priorities

James R. Doty, who served as chairman of the Public Company Accounting Oversight Board for seven years and left in January 2018, told POGO that the board’s enforcement division “has looked for egregious departures from the auditing standards.”

Enforcers select cases “that can be made convincingly, that can be sustained, and where the message will be a meaningful and useful message about prevention and deterrence,” Doty said in the interview.

The PCAOB also weighs the value of settling cases even if that means accepting less than the maximum fine, he said.

The oversight board’s funding mechanism—it is funded through levies on companies that issue securities—provides the necessary independence, he said.

“It gives the PCAOB financial freedom from the accounting profession, from the audit profession,” he said.

Doty said he didn’t want to comment “on whether the PCAOB has been sufficiently aggressive” in meting out fines.

Former PCAOB board member and general counsel Lewis H. Ferguson said he believes the board’s fines have been “quite effective.” For the big audit firms, it’s less the money than “the humiliation,” Ferguson said in an interview. Big firms have reacted to fines by trying to improve, he said.

In a written response to questions from POGO, accounting oversight board spokesperson Torrie Matous explained that the audit cop is selective about the enforcement cases it pursues.

“Not every inspection-related deficiency rises to such a level of severity that it should result in an enforcement investigation or the institution of an enforcement proceeding,” Matous wrote.

“The PCAOB has finite resources available to it,” Matous wrote. “It therefore must prioritize those resources to focus on the activities that will allow it to accomplish its mission most effectively and efficiently. With respect to enforcement, this means that the PCAOB must prioritize carefully the matters it investigates and the cases it ultimately pursues.”

As for fines, Matous alluded to language in federal law saying that, if the oversight board orders penalties that don’t fit the facts, the SEC can enhance, reduce, or cancel those sanctions.

“In determining whether to impose a civil money penalty” or any other sanction, Matous wrote, the board assesses whether the penalty is “necessary or appropriate” in furtherance of federal law or “is excessive, oppressive, inadequate, or otherwise not appropriate to the finding or the basis on which the sanction was imposed.”

In addition, the board encourages auditors “to provide extraordinary cooperation” with its investigations, she said, and it has rewarded cooperation with leniency.

“The Board has granted credit to firms and associated persons by reducing sanctions, and, in some cases, not instituting disciplinary proceedings, reflecting the degree of extraordinary cooperation in pending cases,” Matous said.

Peekaboo

In the early 2000s, the collapse of stock market titans Enron and WorldCom wiped out thousands of jobs and cost shareholders billions of dollars. The once soaring companies had built their success on financial illusions, and they couldn’t have done it without Arthur Andersen, the now-defunct audit firm that blessed their accounting.

The scandals spotlighted the crucial and feebly policed role of corporate auditors.

Congress and then-President George W. Bush responded by creating a new regulator to audit the auditors. Its creation was the centerpiece of the landmark Sarbanes-Oxley Act of 2002.

“There is established the Public Company Accounting Oversight Board, to oversee the audit of public companies that are subject to the securities laws, and related matters, in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports for companies the securities of which are sold to, and held by and for, public investors,” the act says.

The act spells out some basic requirements for the oversight board to fulfill when conducting an inspection of an audit firm’s work. One is to identify anything the firm has done or failed to do that may amount to a violation. Another is to “begin a formal investigation or take disciplinary action, if appropriate, with respect to any such violation.”

To carry out their mandate, the accounting oversight board’s top officials are each paid more than the president of the United States. While the president gets $400,000, the oversight board’s chairman receives a salary of $672,676, and the other four board members are each paid $546,891.

The PCAOB, a nonprofit corporation that answers to the SEC, oversees the accounting firms that audit corporations. For big publicly traded corporations, that generally means the Big Four accounting firms: Deloitte & Touche, Ernst & Young (also known as EY), KPMG, and PricewaterhouseCoopers (also known as PwC).

As of May 2019, those firms audited 99% of companies in the S&P 500 index of large corporations, according to Audit Analytics, a research firm.  As of March 2019, they audited about 47% of all publicly traded companies in the United States, Audit Analytics reported.

However, the vast majority of PCAOB enforcement actions have been against smaller accounting firms, foreign affiliates of the U.S. Big Four, or their personnel. While the board has disclosed 18 enforcement actions against the U.S. Big Four or auditors at those firms, as of August 21, 2019, it had posted a total of 302 enforcement actions, POGO found.

It has fined a foreign firm more than it has fined all of the U.S. Big Four combined. In a 2016 enforcement action, it fined a Deloitte affiliate in Brazil $8 million.

One of the PCAOB’s priorities has been to go after “serial bad actors,” particularly auditors of so-called penny stock companies, Ferguson, the former PCAOB board member, told POGO.

Penny stocks are the often thinly traded shares of small companies. They generally change hands outside of major stock markets and are exceptionally susceptible to fraud and manipulation. They may be audited by tiny firms that are the opposite of household names.

The PCAOB made an effort to remove from the market auditors of penny stock companies who posed a danger to investors, including auditors who did essentially no work on their audits and aided and abetted fraud, said Ferguson, who worked at the PCAOB from 2004 to 2018.

For regulators, pursuing cases against smaller firms can be easier than taking on big firms.

Big firms had the capacity “to throw almost infinite resources” into their defense, Ferguson said. In contrast, smaller firms were more likely to settle with the PCAOB both to put enforcement cases behind them “and because they really couldn’t bear the financial pressure of an extended investigation,” Ferguson said.

In the early, formative years of the PCAOB, some board members, including the original chairman, were philosophically opposed to aggressive enforcement, former board member Gillan told POGO.

William J. McDonough was for all practical purposes the oversight board’s first chairman. (A predecessor resigned under a cloud after less than three weeks on the job and before the PCAOB had opened for business.) McDonough believed enforcement should be used “sparingly, and almost in a way after you’ve given the firm multiple opportunities to correct errors on their own,” Gillan said. McDonough viewed it as more of a “last resort kind of thing,” Gillan said.

Gillan recalled debates at the PCAOB over what model of oversight the fledgling accounting board should follow—the enforcement-oriented “regulatory model” or the more collegial “supervisory model.” McDonough, who died in January 2018, had been a banker and Federal Reserve official before taking the helm at the PCAOB. He favored the supervisory model employed at the Fed, Gillan said.

That involved working with accounting firms on an ongoing basis to help them improve, Gillan said, instead of, in the original chairman’s characterization, “blasting an accounting firm with all barrels.”

Auditing the Auditors

Audit firms have a built-in conflict of interest: They are hired by the companies they audit.

That can give them a powerful incentive to let problems slide, and it helps explain why these watchdogs need watching.

Once an audit firm has signed off on financial statements that contain fraud or error, the incentive is compounded. If in later years the audit firm forces its client to disclose and correct the problems, the auditor may expose itself to liability for originally having missed or gone along with the bad accounting.

Time and again, financial disasters have raised the question: “Where were the auditors?”

From the savings and loan crisis to the dotcom bubble, from a long series of scandals at companies such as Cendant, Tyco, and Adelphia Communications to debacles at Fannie Mae and Freddie Mac, from Bernie Madoff’s Ponzi scheme to the financial crisis and mortgage meltdown that shook the world a decade ago to Wells Fargo’s alleged customer manipulations and beyond, auditors’ imprimatur on corporate financial reports has contributed to a false sense of security.

“Prior to the collapse or rescue of nine major financial institutions in 2007 and 2008, they each received unqualified audit reports within months of their demise from major accounting firms,” Senator Jack Reed (D-RI) said in a 2011 hearing he chaired on the financial crisis and the role of accounting in preventing future crises.

The auditors “sounded no distinctive and helpful alarms prior to the demise of these companies,” Reed added.

When Reed asked Doty, the chairman of the PCAOB at the time, to explain the absence of timely warnings, Doty said there were “a number of areas where auditors should have delved deeper.”

Doty cited “enduring and recurring problems in financial reporting and in auditing,” adding, “It is disturbing to us as the regulator of auditors, obviously, that auditors were not more self-reliant and did not feel that they could go to” corporate management and audit overseers on corporate boards “and start sounding an alarm early.”

Recent allegations that General Electric has cooked its books put corporate accounting in the spotlight once again. Harry Markopolos, an analyst who famously saw through Madoff’s fraud and tried to expose it, recently issued a report alleging that GE has engaged in a $38 billion accounting fraud that is “bigger than Enron and WorldCom combined.” 

GE has denounced the allegations as meritless, saying it “operates at the highest level of integrity.”

This isn’t the first time GE’s accounting has been challenged. In 2009, the SEC charged GEwith fraudulently misleading investors—for example, by reporting more than $370 million of revenue from locomotive sales that had not yet occurred. Without admitting or denying those allegations, GE agreed to pay a $50 million penalty.

KPMG, which has audited GE for more than a century, is confident that its audits “were appropriately performed in accordance with applicable professional standards,” KPMG spokesperson Robert Wade said by email.

Auditors are required to follow a body of rules. One of their basic responsibilities is to carry out audits with “due professional care.” That includes exercising “professional skepticism.” Plainly stated, they’re supposed to check information instead of taking the word of the companies they are auditing. They’re also supposed to obtain “reasonable assurance.” That means checking enough information.

Without naming the companies whose audits were involved, PCAOB inspection reports typically list and describe instances in which “the deficiencies identified in the inspection were of such significance that the inspection team determined that the Firm issued an opinion without obtaining sufficient appropriate audit evidence.”

Translation: In those cases, the PCAOB inspectors determined that the audit firm should not have certified the company’s financial statements, internal controls, or both.

POGO counted 808 instances that fit that description. In many of those cases, the inspection reports list multiple “deficiencies” or ways the auditors “failed,” meaning the number of violations detected by PCAOB inspectors and theoretically subject to fines could be much higher than 808.

The finding that an audit firm shouldn’t have put its stamp of approval on a company’s financial statements does not mean the audit firm missed any fraud or error in the company’s books. It means the audit firm did its job so poorly that it could have missed serious problems.

As the PCAOB has said, it means “the auditor issued an opinion without satisfying its fundamental obligation” and represents “a failure to accomplish the essential purpose of the audit."

PCAOB inspection reports have faulted auditors for lapses such as:

  • Failing to adequately test a company’s “allowance for loan losses”—which reflects the ability of a company that makes loans to withstand defaults.
  • Doing too little probing, and verifying too few of a company’s records or transactions, even where the auditor had spotted a risk of fraud.
  • Failing to adequately consider a company’s “ability to continue as a going concern,” which is accounting-speak for “stay in business.”

Inspection reports also include disclaimers such as the following:

“Any references in this report to violations or potential violations of law, rules, or professional standards are not a result of an adversarial adjudicative process and do not constitute conclusive findings of fact or of violations for purposes of imposing legal liability.”

In other words, inspection reports are not necessarily the last word. But inspections are one of the main sources of leads for the PCAOB investigations that can result in enforcement actions and sanctions.

Bastion of Integrity?

Unlike enforcement actions, inspection reports are technically toothless. They serve to publicize audit firms’ shortcomings. But partners and others at the big audit firm KPMG have taken them so seriously that, according to the Justice Department, they went to criminal lengths to “cheat” on inspections.

The Justice Department alleged that between 2015 and 2017 KPMG partners hired people from the PCAOB, pumped them for confidential information on which audits the PCAOB planned to inspect, and got them to extract similar information from colleagues at the PCAOB.

Though auditing is supposed to be a bastion of integrity, the case described high-level corruption at KPMG: One of the KPMG defendants, David Middendorf, was the firm’s national managing partner for audit quality and head of its national office, the Justice Department said.

Middendorf was convicted on fraud charges in March 2019, along with former PCAOB employee Jeffrey Wada.

Two of the other defendants charged in the alleged conspiracy had gone from working on the PCAOB’s inspections of KPMG to working for KPMG and helping it cheat, according to an indictment. Each of them has pleadedguilty.

In a related settlement with the Securities and Exchange Commission, KPMG recently agreed to pay a penalty of $50 million. KPMG admitted that the SEC’s charges were true. Among the charges: KPMG auditors cheated on training exams mandated by the SEC as part of the remedy in an earlier enforcement action.

Meanwhile, in January 2019, the PCAOB released its inspection report on KPMG for 2017. The inspection found that KPMG botched 26 of 52 audits inspectors examined.

Compared to its U.S. peers, KPMG had the highest percentage of botched audits in its most recent annual inspection report and the highest number of botched audits for all inspection years combined.

Yet KPMG ranked lowest in PCAOB fines. Its grand total: Zero.

"A Violation of Auditing Standards"

Damages

On a summer morning in 2009, federal agents raided offices of Colonial Bank, one of the 25 largest in the country. In a matter of days, state authorities in Alabama closed Colonial, the bank was placed in receivership with the Federal Deposit Insurance Corporation (FDIC), and the bank’s parent company, Colonial BancGroup, sought bankruptcy protection, as a federal judge later recounted.

Over the ensuing decade, while a costly financial scandal unfolded in plain view, one party was conspicuous by its invisibility: the Public Company Accounting Oversight Board.

Colonial had been devastated by a massive mortgage loan fraud. Within a year of the FBI raid, the former chairman of a mortgage company that did business with Colonial was indicted on charges of defrauding the bank. The indictment said Colonial had bought “what amounted to fictitious assets”—including loans that didn’t exist or had already been sold to others. 

In 2011, the former mortgage company chairman, Lee Bentley Farkas, was sentenced to 30 years in prison. The prosecution of Farkas was one of the most prominent to emerge from the nation’s mortgage meltdown.

Colonial’s collapse unleashed a raft of other legal proceedings, including lawsuits against the firm that had audited Colonial BancGroup, PricewaterhouseCoopers (PwC).

In December 2017, a federal judge found that PwC had violated its professional duties by performing audits negligently. 

In July 2018, for the audit firm’s share of the liability, the judge ordered PwC to pay the FDIC damages of $625.3 million. In March 2019, PwC settled with the FDIC for $335 million.

This was no victimless scandal, the judge explained.

By the time the fraud was shut down, the fraudsters had diverted over $2 billion dollars’ worth of assets from Colonial, ensnared multiple financial institutions, including government-sponsored enterprises … and cost thousands of innocent employees their livelihoods.

U.S. District Judge Barbara Jacobs Rothstein, in her December 2017 decision

“By the time the fraud was shut down, the fraudsters had diverted over $2 billion dollars’ worth of assets from Colonial, ensnared multiple financial institutions, including government-sponsored enterprises … and cost thousands of innocent employees their livelihoods,” U.S. District Judge Barbara Jacobs Rothstein said in her December 2017 decision.

By the end of 2018, Colonial Bank’s failure had cost an FDIC insurance fund $3 billion.

If the judge’s opinion is a reliable guide, this was the kind of disaster the PCAOB was created to prevent—and, if prevention failed, the kind of case Congress and President George W. Bush had given the audit cop a mandate to pursue.

“Defendant PWC acted as CBG’s [Colonial BancGroup] independent, external auditor during all of the years that Colonial was victimized by the fraud, yet PWC never discovered it,” the judge wrote.

“The Court concludes that PWC did not design its audits to detect fraud and PWC’s failure to do so constitutes a violation of the auditing standards,” the judge wrote.

In support of that conclusion, the judge cited the testimony of PwC witnesses.

One of those witnesses was James Wesley “Wes” Kelly, who testified that he worked on PwC’s audits of Colonial for about 10 years and rose to be manager and senior manager of those audits.

In a 2015 deposition, Kelly was asked: “Sir, as part of your audits of Colonial, did you try and find or detect fraud?”

Kelly answered: “We considered fraud in our risk assessment … but we did not design audit procedures to detect fraud because it’s not a requirement under the auditing standards.”

In fact, it was a requirement under the auditing standards, the judge later wrote.

Though the judge’s opinion didn’t delve into it more deeply, Kelly’s testimony included mixed messages. “Detecting a fraud is not a responsibility of an auditor,” he stressed. However, he also echoed the auditing standard the judge cited, saying PwC “planned and performed the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud.” He said that, from his standpoint, at the time PwC issued its audit—though years of audits were involved, he used the singular—PwC had obtained that reasonable assurance.

The judge concluded otherwise. 

For example, she wrote, PwC never inspected or asked to inspect a single one of the loan documents for mortgages that served as collateral for hundreds of millions of dollars of funding advanced by the bank. That was despite the fact that PwC was working in the same building where the documents were supposedly stored, the judge wrote. It was also despite the fact that the audit firm had identified as a risk the possibility that the collateral did not exist, the judge wrote.

The judge said one of the key participants in the fraud “testified that if PWC had asked to see even just ten loan files ‘[t]he jig would be up.’”

Kelly was not a defendant in the FDIC’s lawsuit against PwC; the suit named no individual auditors as defendants.

Kelly declined to comment for this story, and PwC did not respond to questions from POGO.

When Kelly gave his deposition in 2015, he testified that, at that time, he was employed as a professional accounting fellow at the SEC.

In response to a deposition question, he confirmed that he was supposed to sever all ties with PwC as a condition of his work at the SEC. After initially claiming he didn’t know who was paying his lawyers, he confirmed that PwC was paying them and said an SEC ethics officer told him it was okay, according to a transcript.

An online bio that apparently dated to his time at the SEC said his role at the agency included overseeing the PCAOB.

“He is primarily responsible for providing oversight of the Public Company Accounting Oversight Board (PCAOB) on auditing policy related matters and also participates in the development of the Commission’s rule proposals,” the profile posted by the Practising Law Institute said.

It appears that, after going from PwC to the SEC, Kelly spun back through the revolving door to PwC.

Currently, a LinkedIn profile lists a Wes Kelly at PwC in New Jersey. The profile says he spent 15 years at PwC, attaining the rank of senior manager, then two years and four months as a professional accounting fellow at the SEC, and then rejoined PwC in 2016. The profile lists him as a PwC partner, which would represent an elevation from senior manager.

What if anything did the nation’s main audit cop do about PwC’s auditing of Colonial?

Lynn Turner, who had a special vantage point, told POGO that he saw no indication that either the SEC or the PCAOB investigated PwC’s auditing of Colonial BancGroup.

Turner, a former chief accountant at the SEC and former auditor at one of the firms that merged to form PwC, helped draft the law that created the PCAOB. He also served as a paid expert witness against PwC in one of the civil suits over the Colonial audits. The suit was settled on undisclosed terms during what was meant to be a break in his time on the witness stand. In preparation for the trial, Turner reviewed related records.

Based on the evidence presented in that case and the judge’s opinion in the FDIC case, Turner said by email he believes “the PCAOB should have brought an enforcement action against the auditors.”

The SEC took no such action. SEC spokesperson John Nester declined to say whether the SEC in any way prevented the PCAOB from doing so.

There is no public record of PCAOB enforcement action against Kelly, PwC, or other PwC auditors over the Colonial BancGroup audits.

The PCAOB wouldn’t say why.

Fees Exceed Fines

The PCAOB doesn’t disclose anything about the many cases in which it refrains from taking enforcement action. However, the rare enforcement actions it has taken against the U.S. arms of the Big Four are revealing.

A case against Deloitte & Touche shows how PCAOB fines for botching audits can be smaller than the fees audit firms are paid for the allegedly defective audits.

In May 2018, the oversight board issued a disciplinary order against Deloitte over three annual audits of banking software company Jack Henry & Associates.

At the end of each of those audits, without any qualification, Deloitte had blessed Jack Henry’s financial statements and “internal control over financial reporting.” In the jargon of accounting, Deloitte had issued “unqualified opinions.”

However, there were problems with Jack Henry’s accounting: The company had claimed revenue from software contracts before it was entitled to count the revenue, the PCAOB charged.

In the planning stages of its audits, Deloitte identified risks that Jack Henry would get that accounting wrong. But Deloitte didn’t detect the problems until the PCAOB came calling, according to the disciplinary order.

Subsequently, the software company was forced to correct its financial statements for fiscal years 2012, 2013, and 2014. The corrections reduced the company’s previously reported revenues by $68.1 million and its previously reported profits by $26.3 million, the PCAOB order said.

When Jack Henry corrected its financial statements, it also acknowledged that it had suffered from a “material weakness”—meaning a significant one—in its internal controls. For its part, Deloitte revised one of its audit reports to indicate that, contrary to its original conclusion, the software company did not have effective internal controls, the disciplinary order said.

The three allegedly botched annual audits apparently represented at least three violations, which—even absent findings of recklessness, intentional or knowing conduct, or, as the law puts it, “repeated instances of negligent conduct”—could have triggered fines of $2 million each, for a total of $6 million. In addition, the allegedly failed audits of the financial statements and internal controls apparently represented separate violations. But the PCAOB’s allegations went further. The board said Deloitte failed to comply with several auditing standards.

The board settled for a fine of $500,000.

That was less than Deloitte was paid for the audits.

For the three years in question, the software company paid Deloitte auditing fees totaling $1,834,493 and audit-related fees totaling $2,042,752, according to SEC filings.

Deloitte’s alleged violations were all the more glaring because the oversight board had flagged similar deficiencies several years earlier, when it inspected Deloitte’s audit of Jack Henry’s financial statements for fiscal year 2004. Deloitte failed to appropriately address the problems identified in that earlier inspection, the PCAOB order said.

What’s more, Deloitte failed to assign an auditor to the 2012 through 2014 Jack Henry audits “who possessed sufficient industry-specific experience and knowledge” to audit the software revenue, the PCAOB said.

The PCAOB’s disciplinary action against Deloitte in the Jack Henry matter held no Deloitte employees accountable by name.

Under the settlement, Deloitte neither admitted nor denied wrongdoing.

It’s unclear why, given its allegations, the PCAOB did not accuse Deloitte of “repeated instances of negligent conduct,” which would have exposed the firm to bigger fines.

Disciplinary Disconnect

In another case against Deloitte & Touche, the accounting oversight board found that Deloitte’s “violations”—plural—met the conditions for the highest penalties: “intentional or knowing conduct, including reckless conduct … or repeated instances of negligent conduct.”

The PCAOB stated that explicitly in a 2013 disciplinary order.

For misconduct that serious, the Sarbanes-Oxley Act of 2002 empowered the PCAOB to fine audit firms as much as $15 million per violation. (Subsequent inflation adjustments have ratcheted up the maximum to $20.9 million per violation.)

Instead, the oversight board settled the 2013 case for $2 million.

Moreover, the case involved conduct that was especially egregious. The board accused Deloitte of violating a disciplinary order issued in an earlier case.

In the earlier case, in 2008, the board suspended a Deloitte accountant named Christopher E. Anderson from being “associated” with an audit firm under the board’s jurisdiction for one year.

In the 2013 case, the PCAOB accused Deloitte of violating that suspension.

During the year he was supposed to be suspended, Deloitte assigned him to a unit in its national office where he developed general auditing guidance for the firm and provided advice to specific audit teams that included how to comply with PCAOB standards, the PCAOB order said.

The PCAOB faulted Deloitte’s Leadership Oversight Committee for its handling of the matter. The PCAOB described the involvement of senior firm officials.

None of those people were named in the oversight board’s disciplinary order.

Under the settlement, Deloitte neither admitted nor denied wrongdoing.

Anderson has not responded to phone messages for this story.

In an interview with POGO, former oversight board chairman Doty said that, at the time the 2013 enforcement action was taken, it “might have been regarded as bold and forceful.”

“This is a case in which the warning to the regulated industry … is a very strong warning,” Doty said.

The message, Doty said, “would have been seen as … more important than the dollars.”

High Stakes Screw-Up

In an audit of Merrill Lynch for 2014, PricewaterhouseCoopers missed a potentially catastrophic problem, according to a PCAOB disciplinary order.

The giant brokerage firm had placed tens of billions of dollars of its customers’ assets in accounts that were subject to liens by third parties, the PCAOB order said. Liens give creditors a claim on property to enforce an obligation such as a debt. If Merrill Lynch had gone bankrupt, its customers could have lost their investments to Merrill’s creditors, a related federal action against Merrill explained.

“PwC was aware of the magnitude of customer … securities that Merrill held in accounts at third-party institutions in 2014, and was aware of the risks to Merrill’s customers if those accounts were subject to liens,” the PCAOB disciplinary order said.

The alleged screw-up was all the more egregious because the 2011 collapse of another brokerage firm, MF Global, should have alerted auditors and brokerage firms alike to the importance of keeping customers’ investments separate and secure. In the MF Global case—a major news story at the time—hundreds of millions of dollars of customers’ assets went missing and had to be tracked down. MF Global had used customers’ funds to cover its own cash shortfalls, a government investigation found.

Like Merrill, MF Global had been audited by PwC. PwC settled two lawsuits accusing it of malpractice in its auditing of MF Global. The terms of one settlement were not disclosed. In the other, although PwC denied wrongdoing, it agreed to a settlement of $65 million.

More than eight years after MF Global sought bankruptcy protection, the PCAOB’s public case file includes no enforcement action against PwC related to that brokerage firm.

For PwC’s allegedly botched 2014 audit of Merrill Lynch, the accounting oversight board and PwC settled on a fine of $1 million. PwC neither admitted nor denied the board’s charges. The disciplinary action named no individual PwC auditors.  

Big Four

For this story, POGO asked the U.S. arms of each of the Big Four for an interview. None granted one. POGO also sent written questions.

Deloitte provided a two-sentence statement. “Deloitte is proud of the high quality audits we perform in service to the capital markets, and we continuously look for ways to improve and enhance the quality and value of our work,” Deloitte spokesperson Jonathan Gandal wrote. “Our continued positive trajectory of regulatory inspection results reflects the large investments we are making to leverage innovative technologies and enhance the skillsets of our talent to prepare them for a digitally driven future,” he added.

“We are not commenting for this story,” PwC spokesperson Mao-Lin Shen said by email.

“Regarding your note … we respectfully decline to participate,” wrote Robert Wade, executive director of audit communications at KPMG.

Ernst & Young provided no answers.

During the PCAOB inspection process, the oversight board gives firms a chance to comment in writing on drafts of the inspection reports, and it includes the firms’ response letters in the final reports. At times, firms have written that they disagreed with PCAOB findings.

For example, in a March 2009 letter, Deloitte said “reasonable and highly competent professionals may differ as to the sufficiency of auditing procedures performed and evidence obtained.” The firm said that, in a number of instances cited by the PCAOB, Deloitte believed its audit team “made and documented well reasoned and supported judgments.”

“In our view, such reasonable judgments should be respected and not second-guessed,” Deloitte added.

"Deprived of Critical Information"

Secrecy

The PCAOB was meant to subject auditors to stronger oversight. However, in at least some ways, it appears to have made enforcement weaker.

The board can be a black hole in which evidence of auditing malpractice disappears—if not forever then for a long time.

Before the PCAOB was created, the accounting industry largely policed itself and, at the national level, was overseen by the SEC.

That turned out badly.

A long series of corporate accounting frauds took a toll on investors. Auditors in those cases were exposed as having been at best ineffectual and at worst complicit. Then, as now, they were hired and paid by the companies they were responsible for auditing. That arrangement has given them strong incentives to ingratiate themselves with their clients.

For decades, the big accounting firms resisted stricter supervision. But when the Enron and WorldCom scandals unfolded in rapid succession, Congress and President George W. Bush produced the PCAOB.

Yet the PCAOB has been largely hobbled by compromises struck during the drafting of the Sarbanes-Oxley Act.

As a matter of law, while the PCAOB is litigating charges against auditors, investors are left in the dark. Unless the accused consents, the charges and the ensuing PCAOB proceedings are not publicly disclosed.

In contrast, when the SEC files charges in an enforcement action, the charges are made public. That puts investors on notice. Similarly, in the criminal justice system, indictments are a matter of public record before defendants go on trial, and the trials themselves unfold in open court. That’s despite the fact that the accused are presumed innocent until proven guilty. Transparency is supposed to promote fairness and accountability—for prosecutors, defendants, and the system.

The secrecy at the PCAOB protects the careers and reputations of accountants who may be wrongly accused and who will ultimately be exonerated. It can allow them to continue conducting business as usual while cases against them are pending. It can also leave investors at risk—and unaware of ongoing dangers.

Years ago, the oversight board asked Congress to amend the law to make its disciplinary proceedings public. Legislation to achieve that, including a bill that Senators Jack Reed (D-RI) and Chuck Grassley (R-IA) have introduced in each congressional session since 2011, has gone nowhere.

“Litigation postpones—often for several years—the day on which the public learns that the Board has charged the auditor or firm,” Daniel Goelzer, who was acting chairman of the PCAOB, said at a 2010 board meeting.

That delay “is very much … in the interest of the accounting firms,” attorney Russell Duncan, a former PCAOB enforcement official who now defends accounting firms, said in an interview with POGO.

In a 2010 speech, Claudius B. Modesti, who was then the PCAOB’s director of enforcement, said the secrecy is harmful.

The secrecy gives auditors an incentive to drag out disciplinary proceedings, and that consumes resources that could be used to investigate other cases, Modesti said.

“Contesting the allegations rather than seeking a settlement allows respondents to continue with their public company audit practice without any disclosure to clients or investors of the Board's charges for as long as the litigation is ongoing,” he said.

“This nonpublic nature of Board disciplinary proceedings has serious adverse consequences for the investing public, audit committees [of corporate boards of directors], the auditing profession, the Board, and other interested parties, such as Congress,” Modesti said.

Modesti cited another downside:

The public “is deprived of critical information necessary to evaluate the Board's enforcement program,” he said.

Modesti, who headed the PCAOB enforcement division for 14 years and left last year amid a wave of executive departures under a newly appointed board, declined to be interviewed for this story and did not respond to written questions.

“I am not in a position to help you with this article,” Modesti said by email.

Modesti’s current position is partner at the corporate law firm Akin Gump, where he defends auditors.

“The one and only PCAOB enforcement director to enter private practice, Claudius Modesti counsels and defends accounting firms, regulated entities, corporations and individuals in regulatory investigations and enforcement proceedings involving the PCAOB and the SEC, in addition to advising on other federal or state criminal investigations,” the law firm’s website says.

Behind the Curtain

POGO wondered if the PCAOB’s veil of secrecy was hiding an abundance of ongoing enforcement actions, enough to close the gap between the many auditing failures identified in inspection reports and the few cited in enforcement actions that have been made public.

However, we learned that only a small number of PCAOB enforcement cases that had advanced to formal charges were pending and under wraps. As of August 9, 2019, there were four undisclosed, ongoing cases in which the PCAOB had charged auditors with violations, Matous, the oversight board spokesperson, told POGO by email. The undisclosed cases involved charges against three firms and five individuals, Matous said.

The board would not say how many of those cases if any involve the Big Four.

Regardless, the numbers Matous provided indicate that the gap between the number of failed audits identified in inspection reports and the number cited in publicly disclosed enforcement cases against the U.S. Big Four cannot be explained away by enforcement cases pending but undisclosed.

The SEC also has the power to take enforcement action against auditors.

In most enforcement matters against auditors, the SEC would let the PCAOB pursue the case, former PCAOB board member Lewis Ferguson told POGO. However, in very important cases—for example, ones involving major frauds—the SEC would often insist on taking the lead, he said.

POGO tried to determine whether the SEC has filled the gap between PCAOB inspection findings and PCAOB enforcement actions. We reviewed SEC disclosures known as “Accounting and Auditing Enforcement Releases”issued between May 24, 2005—the date the PCAOB issued its first enforcement action—and August 25, 2019. POGO found SEC enforcement actions against the U.S. Big Four firms or their accountants involving 35 allegedly failed audits—far too few to close the gap. The SEC website cautions that the compilation of disclosures is not necessarily a complete list of actions related to financial reporting.

POGO also wondered if the SEC has been thwarting PCAOB enforcement efforts.

The SEC has the power to veto PCAOB disciplinary orders, either on its own initiative or based on an appeal.

How often has that happened? “Almost never,” Ferguson told POGO. Ferguson said he could not recall such an instance.

Since that interview, the SEC has overturned a PCAOB enforcement action—a 2016 disciplinary order that a former KPMG partner had appealed. Unlike the PCAOB, the SEC has posted its decision online—along with other records of the appeal.

Also, last year, the SEC vacated a PCAOB disciplinary order at the behest of a federal appeals court.

According to information POGO obtained through the Freedom of Information Act, as of August 1, 2019, those were the only two cases in which the SEC had reversed a PCAOB enforcement action as a result of an appeal.

Plateau

Doty, the former PCAOB chairman, told POGO that, as he sees it, the most important force for improving audits has been sunlight—“shining a light on practices that need to be improved.”

But the PCAOB inspection reports also suffer from a lack of transparency. As dictated by the Sarbanes-Oxley Act, an entire category of inspection findings—problems involving firms’ quality control systems—must go undisclosed if the audit firm corrects them within a year. The sections of the inspection reports dealing with those have usually been withheld from the public.

In practice, the oversight board has kept uncorrected quality control problems under wraps for much longer than one year. For example, early in 2019, the PCAOB disclosed parts of its inspection reports on KPMG going back to 2015 and 2016.

The PCAOB takes the secrecy even farther. In the public portions of its inspection reports, where it describes botched audits, the board does not name the corporations whose audits were botched. It identifies them as “Issuer A,” “Issuer B,” and so on (referring to the fact that they issue securities).

That means the board refrains from warning investors which companies were audited inadequately.

The board has argued that the law prohibits it from naming the affected corporations.

Kayla Gillan, one of the first board members, told POGO that was a matter of interpretation on which the original board was divided. Gillan said she favored disclosure. The SEC, which held sway, opposed naming the affected companies and worried that naming them would hurt their stock prices, Gillan said.

“I personally thought [that] was a frivolous argument,” Gillan said.

The Sarbanes-Oxley Act says inspection reports shall be “made available in appropriate detail to the public”—subject to a section of the law discussing confidentiality “and to the protection of such confidential and proprietary information as the Board may determine to be appropriate, or as may be required by law.”

Former board member Ferguson said the law “is ambiguous.”

“I think there was a sense that the issuers themselves”—the audited companies—“would have gone berserk” if their names were disclosed, Ferguson said.

The names of the companies aren’t the only identities left out of the inspection reports. Also omitted: the names of the individual auditors responsible for the alleged auditing failures.

What the inspection reports do show is that, year after year, as the inspectors tell it, the Big Four firms in the United States have issued audit reports that they had no business issuing, and they have continued to make the same types of mistakes that they have long been making.

That’s despite whatever deterrence the oversight board’s inspections and disciplinary sanctions deliver.

Since the beginning of the Trump administration, the SEC has appointed an all-new five-member board to govern the PCAOB. In public statements, board members have said the biggest accounting firms’ performance on inspections has plateaued—with deficiencies “at an unacceptably high rate,” as board member Kathleen M. Hamm put it.

“For example, over the last several years, we have seen roughly the same percentage of audit deficiencies year over year during our inspections of the largest audit firms,” Hamm said in a November 2018 speech.

“While the picture is not yet complete, for five of the six largest global network firms with publicly reported inspection results, the deficiency rates over the past three years have ranged from 20 percent to 74 percent,” she said.

In response, the oversight board is changing its approach to inspections. Officials have said publicly that the board will focus more on quality control systems—which apparently means more emphasis will be placed on parts of inspection reports that may never see the light of day.

“Although many details remain to be finalized, we plan to move away from simply reporting the ‘failures’ we observe in individual audit engagements, to reporting more about the nature and severity of our inspections findings,” board chairman William D. Duhnke said in an October 2018 speech.

The board will also do more to publicize the positive, Duhnke added.

“To effectively prevent audit deficiencies, we need to spend as much time discussing audit ‘successes’ and what leads to them, as we do reporting about audit ‘failures’ and the deficiencies that cause them,” he said.



Former POGO Investigative Intern Kai Bernier-Chen contributed to this investigation.