The settlement with CPA Ontario is the latest in a series of settlements by the firm in connection with the practice of backdating. Deloitte has already entered into settlement agreements with both the CPAB and the PCAOB in 2021.
After criticism of audit practice by the PCAOB, which had found that documents were often created shortly before or even during an inspection and then backdated, Deloitte’s National Office in Canada signalled a “zero tolerance policy” for this type of behavior.
The firm went further to ensure compliance by its staff and amended its audit software system to tie the selection of audit sign-off dates to the user’s computer clock. In effect an auditor would no longer be able to choose the date of their sign-off on the system because that date would be tied to the computer’s own clock.
Fundamental flaw in the system
Unfortunately there was a fundamental flaw in this set-up because a user could bypass this system restriction by manually changing the date and time on their individual computer clock.
The National Office was aware of this problem, but chose not to “expressly address this issue in its communications” or explicitly state that manipulating the sign-off dates using this back door was prohibited. It was felt that sending such a message “could instead ‘socialize’ inappropriate conduct” – in other words more of the firm’s staff would become aware of the backdoor as a result of the message being circulated and so be more likely to engage in inappropriate conduct.
Two practice alerts sent to audit staff were deemed to be sufficient communication in connection with this issue and no additional training to address the audit quality and ethical risks stemming from backdating was offered by the firm.
Flaw exploited by audit staff
Naturally, this obvious route to bypassing the system was identified by some and at least 35 audit staff members engaged in backdating or instructed others to backdate their work – 930 working papers in 39 audit engagements were affected.
Two firm partners learned of the practice in early 2017 and signalled to the teams that it was unacceptable, but failed to appraise other partners or firm leadership of the potential problem. It was only in February 2018 that the issue was brought to the attention of senior members of the firm after an audit partner raised the issue of backdating at one of the firm’s offices in another province.
The firm took immediate action by removing the option of staff amending their ability to change the date settings on their computer in March 2018. An internal investigation followed and was completed in Spring 2019 and the firm reported itself to CPA Ontario, its regulator.
Firm’s investigation criticised
The regulator, in the settlement order, is critical of the firm and its investigation of the matter. It points to a number of issues including the lack of written reporting and therefore possible thoroughness in the investigation, which itself was restricted in scope by technological limitations and the resulting absence of data.
The regulator also noted that the firm accepted at face value the assertions of staff who engaged in the practice that they “had no intent to deceive”. Not all partners whose audits were affected by the practice of backdating by staff were involved in or informed of the investigation. The regulator felt that the firm “should have employed a higher level of scepticism in the circumstances”.
Throughout the process the firm approached backdating as a matter of professional standards and audit quality rather than ethics. The regulator is as scathing as it can be on this point:
|“Deloitte’s focus on Backdating as an issue of audit quality and not professional ethics in the manner described herein and not undertaking a more nuanced analysis of the participants’ motivation for engaging in such conduct detracted from the findings and conclusions made in the Deloitte Investigation in respect of the implications of Backdating on audit quality.“
Despite these findings, which cast some serious doubt on the quality of the internal investigation, the firm was given credit for its cooperation, self-reporting as well as undertaking remedial action after uncovering the problems.
If a non-compliant practice has been identified and systems and processes are being amended in order to prevent this, leaving an easy method for circumventing the new controls is imprudent and is unlikely to lead to a good outcome.
Unfortunately, the increasing complexity of systems means that this type of backdoor is more common than many suspect – particularly in an instance where multiple complex systems interact in a sophisticated tech stack. One way of addressing this organizational ‘knowledge gap’ is to offer an internal bounty to staff members operating such systems on a daily basis and who can help identify and report a flaw(s).
Clear, consistent communication and regular employee training can both be very useful lines of defence – especially if they are coupled with staff having a good understanding of the key rules that they are subject to and are required to comply with.
An internal investigation that includes comprehensive and well-organized documentation and reporting is far more likely to satisfy the regulator and result in cooperation credit. The regulator in this case seems to us to be letting Deloitte off the hook a little bit in terms of the lack of reporting connected to this reasonably complex investigation saying that “[a]ll reporting was done orally which is consistent with some investigation practices”.
Finally, internal investigations can often be undermined by the completely understandable need to try to limit the damage and protect the firm and its reputation. The unfortunate consequence of this is that it can lead to problems with the regulator with whom the information will eventually end up with. It may also cause issues further down the line because employees, observing the ‘circling of the wagons’ and a comparative lack of consequences for wrong-doers, may be more likely to break the rules themselves.