Moral Hypocrisy: The KPMG / PCAOB Scandal

Auditors aren't that great at detecting fraud and sometimes claim their audits aren't designed to detect it. It looks like they may not be that great at committing it, either (though not for lack of effort).

PWC Held Responsible for Not Detecting Fraud

The Wall Street Journal published an article explaining that PricewaterhouseCoopers (PWC) was held responsible for failing to detect fraud in their independent audits of Colonial Bank. Colonial Bank collapsed in 2009 and, according to the Tampa Bay Times, was the sixth largest bank failure in history. The articles estimate that PWC may be responsible for damages totaling hundreds of millions of dollars.

This is an interesting case because the audit firm has had some individuals claim, in court, that auditors are not responsible to detect fraud. The court rejected this claim and said auditors who don't design audits to detect fraud are not following their own auditing standards. Here are some details from the FDIC order related to the case:

“While there are numerous auditing standards that are implicated in this case,...the overarching standard that governed the PWC audits is that: “[t]he auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatements, whether caused by error or fraud.” AU § 110.02; AU § 316. PCAOB Auditing Standard No. 2 states that “[a]lthough not absolute assurance, reasonable assurance is nevertheless a high level of assurance.” Id. at ¶ 17. To that end, a PCAOB 2007 release clarified that “[t]he auditor should, therefore, assess risks and apply procedures directed specifically to the detection of a material, fraudulent misstatement of the financial statements." (emphasis added). The Engagement Letters between PWC and CBG acknowledged this responsibility by stating that PWC would “design [the] audits to obtain reasonable, but not absolute, assurance of detecting errors or fraud.” See, e.g., A4 at 3. Indeed, Mr. Westbrook, one of the PWC audit partners, testified at trial that PWC had a duty to design audit procedures to detect fraud. Tr. 817:25-818:7 (Westbrook). He further testified that if PWC failed to design its audit procedures to detect fraud, it would be a violation of PCAOB standards. Tr. 822: 19-22 (Westbrook). 

However, PWC voiced a very different tune just a few years ago with respect to another lawsuit that stemmed from this fraud. TBW’s bankruptcy trustee also filed suit against PWC, alleging that PWC breached its duties when it failed to detect the fraud. That lawsuit proceeded to trial in August 2016 before it settled mid-trial. As part of that lawsuit, many of the same PWC engagement partners, audit managers, and audit staff who are involved in this case gave deposition testimony under oath in the TBW trustee’s case. During that testimony, these individuals repeatedly admitted that PWC did not design its audits to detect fraud. For instance, Mr. Westbrook testified that PWC “audits are not designed to detect fraud.” Tr. 358:6-7 (Westbrook) (quoting Westbrook TBW Dep. at 23:7-12). Likewise, Mr. Jackson, the PWC engagement partner, testified that “I would point out that our audit procedures were not designed to detect fraud.” Tr. 1027:1-10 (TBW Dep. at 31:17-20). Similarly, Wes Kelly, PWC’s audit manager for the 2003-2005 and 2008 CBG audits, testified that PWC “did not design audit procedures to detect fraud.” W. Kelly TBW Dep. 45:608 (Ex. P3120). Finally, Mr. Rivers, a PWC audit associate assigned to the CBG audit, testified that PWC had no obligation to look for fraud. Rivers TBW Dep. at 66:17-23. 

At trial, PWC attempted to explain away this testimony by arguing that these individuals simply meant that PWC was not a guarantor against the possibility of material fraud because the auditing standards recognize that “even a properly planned and performed audit may not detect a material misstatement resulting from fraud.” Ex. A400 at 7-8 (AU § 316.12); Tr. 821:25-822:24 (Westbrook stating that in order to provide a guarantee against fraud, auditors would “need a lot more tools like lie detector tests and subpoena power and guns and badges and all those kinds of things.”). This Court does not find this explanation credible, nor is it consistent with the previous testimony from the TBW trustee’s lawsuit. This Court heard Mr. Westbrook and Mr. Rivers testify for hours and is convinced that these gentlemen are more than capable of saying what they mean. If they had intended to say that PWC audits were not a guarantee against the possibility of material fraud, they would have testified accordingly. However, that was not their testimony. Instead, they clearly stated that PWC had no duty to detect fraud and did not design its audits to detect fraud. The Court concludes that PWC did not design its audits to detect fraud and PWC’s failure to do so constitutes a violation of the auditing standards. 

What I find interesting is that practicing auditors admitted that they don’t design their audits to detect fraud even though auditing standards clearly say that auditors are responsible to provide reasonable assurance that there are no material misstatements due to (error or) fraud. Over the past decade, including as recently as 2016, I’ve asked several audiences of auditors to answer the following true-false question: “Auditors have the responsibility to provide reasonable assurance that there are no material misstatements due to fraud.” These auditors range from staff to partners and, on average, about 50% incorrectly answer false. This is pretty disheartening to me...

Unfortunately, my experience suggests that most auditors don’t put in a lot of effort to detect material fraud. Fraud may be discussed briefly in the required brainstorming session but then quickly forgotten as the audit team gets focused on ticking and tying and trying to get some sleep during busy season. 

There are many things that auditors could do but, unfortunately, it's rare to find an auditor who is thinking beyond what they did last year. If I were king for a day, I would require auditors to do interviews with lower level people in an organization with the goal of discovering aggressive accounting or business practices. Combining interviews with strategic reasoning would potentially help auditors provide the reasonable assurance they are responsible for. For example, if strategic reasoning leads the auditors to believe revenue recognition and shipping cutoff is ripe for financial reporting fraud, auditors trained in interviewing could meet with shipping / warehouse personnel about the end of the year. Well designed questions could reveal information that could help identify control weaknesses and potential fraud. 

In any case, this case and other experiences with auditors reminds me of the 1980s when auditors put it in their engagement letters that they weren’t responsible for providing assurance for fraud. Back then, and now, the courts don’t appear to share that view. In the end, both the auditing profession and audit users end up suffering when auditors are weak in fulfilling this responsibility.

Whose Job is it Anyway? Are Auditors Expected to Detect Fraud?

A recent article in The Wall Street Journal details what could be one of the only legal cases from the great recession to actually go to trial. Taylor Bean & Whitaker Mortgage Corp. is suing PriceWaterhouseCoopers LLP (PWC) for $5.5 billion dollars claiming that PWC was negligent in auditing one of their clients. While PWC didn’t audit Taylor Bean, they did audit a bank with which Taylor Bean did frequent business--Colonial Bank (Colonial). Taylor Bean overdrew its accounts with Colonial for several years to cover cash shortfalls, then sold fake pools of mortgages to Colonial in order to cover up the fraud. Taylor Bean claims PWC was negligent in auditing Colonial, and that the collapse of Colonial led to them losing billions of dollars. The real question is how liable should auditors be for detecting fraud?

Advances in Technology for Auditing Firms: KPMG to Announce Deal with IBM Watson

A recent article in The Wall Street Journal discussed the technological improvements among auditing firms (KPMG in particular). KPMG is expected to announce an alliance with IBM to use their artificial-intelligence technology, IBM Watson, which will allow KPMG to audit all of the data for their clients rather than only samples of the data. The technology is not meant to replace human auditors, but will help them know where abnormalities may exist in the client’s books.

A Fraudster's Paradise

Sam Antar writes about society's vulnerability to fraud. Here are a few points that stood out to me.

On stiff punishments serving as a deterrent to fraud:

...white-collar criminals don't listen to the rhetoric of prosecutors. No white-collar criminal discovers ethical behavior and stops doing crime because another criminal ends up in prison. While white-collar criminals take precautions against failure, they do not plan on ever ending up in prison.

Sam implies that the expected punishment for fraudsters is no punishment. This suggests a need for stronger prevention and detection mechanisms. How about auditors?

Traditional financial statement audits of public and private companies are not designed to find fraud. What accounting firms call an “audit” of financial reports is really a compliance review designed to find unintentional material errors in financial reports by examining a limited sample of transactions.

In discussions I've had with auditors, I get the sense that most would like to do more to focus on fraud, but they feel like such a focus would be too expensive and would essentially price them out of the market. While I'm not completely satisfied with that explanation (e.g., firms could, at low cost, use computerized forensic tools to search for red flags), it suggests a need for either regulatory changes that require auditors to focus more on fraud or increased demand by investors for audits that specifically focus more on fraud. The latter is unlikely to occur as long as most investors continue to believe that audits are focused primarily on fraud.

In fairness to auditors, Sam's point about deficiencies identified via PCAOB inspections omits the fact that the PCAOB does not inspect audits randomly, but instead focuses primarily on the audits it believes have the highest risk of deficiencies. This means that even though 49% of E&Y's inspected audits had deficiencies, we would expect the actual rate at which deficiencies occur to be substantially lower. Even that lower overall deficiency rate may not be that informative about how effectively auditors conduct their audits. Still, that's primarily a distraction from Sam's main point, which is that audits primarily focus on unintentional errors rather than focusing on fraud.

If audits aren't particularly effective in preventing/detecting fraud, what about government agencies?

As a nation, we devote far more resources fighting blue-collar crime or street crime, than we do battling white-collar crime. For example, the NYC Police Department employs approximately 34,000 cops in uniform battling street crime. However, the FBI employs approximately 13,600 special agents, the IRS Criminal Investigative Division employs approximately 2,600 special agents, the SEC employs approximately 3,958 people, and the US Postal Inspectors Office employs approximately 1,500 postal inspectors. The NYC Police Department has more man power directly battling street crime than those four federal law enforcement agencies combined have fighting nationwide white-collar crime.

While it would be nice to have some estimates of the economic cost of white-collar vs. blue-collar crime, Sam's point still serves as a good illustration of the relative lack of funding oriented toward white-collar crime. Right now, the government seems to have outsourced most of the prevention and detection work to the private sector (e.g., auditors). Until standards or market forces change so that those parties increase their focus on fraud, we appear to be living in a fraudster's paradise.

More on the Cheating Scandals in Public Schools

Imagine if the response to Enron and WorldCom was to say that business leaders are set up to commit fraud because the market is too interested in accounting information so we should have businesses report less economic data about their performance. According to an article in The New Republic, that is essentially the reaction by some in education to the recently reported cheating scandals in Atlanta and elsewhere. Here are a few quotes: