KPMG fined $25m over exam cheating at audit firm’s Dutch arm

The PCAOB has issued the largest civil money penalty in its history.

In the largest fine it has ever imposed, the US audit regulator – the Public Company Accounting Oversight Board (PCAOB) – has fined the Dutch arm of Big Four firm KPMG and its former head of assurance for widespread answer-sharing when taking mandatory internal training exams.

The PCAOB announced the civil penalty yesterday, citing violations of accounting and quality control rules related to widespread cheating on exams, specifically rules and standards relating to the firm’s internal training program and the monitoring of its system of quality control.

The regulator also singled out Marc Hogeboom, the former head of assurance and member of the management board, stating that he directly and substantially contributed to the violations, and assessing a $150,000 penalty and a permanent bar from the industry.

A pair of Deloitte affiliate firms in Indonesia and the Philippines agreed to separate $1m penalties for similar allegations – PCAOB violations stemming from instances of staff sharing answers on internal training exams, the PCAOB said.

The partner in charge of digital learning at Deloitte Philippines was accused of sharing answers with audit partners at the firm and agreed to a $10,000 individual penalty and a three-year bar, the regulator said.

PCAOB rules on quality control

PCAOB rules require that a registered public accounting firm comply with the Board’s quality control standards, which provide that a registered firm “shall have a system of quality control for its accounting and auditing practice”.

As part of a firm’s system of quality control, “policies and procedures should be established to provide the firm with reasonable assurance that … personnel participate in general and industry-specific continuing professional education and other professional development activities that enable them to fulfill responsibilities assigned, and satisfy applicable continuing professional education requirements of … regulatory agencies.”

Widespread cheating, leadership failure

The PCAOB says the exam cheating at KPMG went on for five years, from 2017 to 2022, and involved hundreds of professionals, reaching as far as partners and senior firm leaders, including Hogeboom.

The breadth of exam cheating in this case was enabled by the firm’s failure to take appropriate steps to monitor, investigate, and identify the potential misconduct, the PCAOB said, and during the agency’s investigation the firm submitted – and failed to correct – multiple, inaccurate representations to the PCAOB.

Citing one example, the PCAOB said KPMG claimed to have no knowledge of answer-sharing prior to a 2022 whistleblower report. Yet, this could not have been true because members of the firm’s Management Board and Supervisory Board who signed off on that submission to the PCAOB had, in fact, cheated themselves.

“But it doesn’t end there,” said PCAOB Chair Erica Williams in a statement about the landmark fine. “KPMG Netherlands’ CEO learned the submissions were inaccurate and failed to inform anyone until months later, when a second whistleblower came forward. Only then did the firm correct the inaccurate representations to investigators.”

At Deloitte Philippines, as described in the PCAOB’s orders, audit partners and other personnel engaged in widespread answer sharing from 2017 to 2019 – either by providing answers or using answers – or received answers without reporting such sharing in connection with tests for mandatory firm training courses.

Wilfredo Baltazar, the former National Professional Practice Director at that location, who was responsible for e-learning compliance, directly and substantially contributed to Deloitte Philippines’s violations by (on at least six occasions) sharing answers to training assessments with other audit partners at the firm.

“Today’s orders demonstrate that an inadequate tone at the top, particularly with regard to issues of integrity and personnel management, can permeate all levels of a firm,” said Robert E Rice, Director of the PCAOB’s Division of Enforcement and Investigations.

An invigorated PCAOB

Since 2021, the PCAOB has sanctioned nine registered firms for exam cheating. And as of yesterday, the PCAOB has imposed $34m in penalties in 2024 alone, Williams pointed out. “We set a record in 2022. We broke that record in 2023. And we are breaking it again today,” she said, noting that impaired ethics “erode trust and threaten the investor confidence our system relies on”.

In December 2022, the PCAOB announced its findings that KPMG staff in Colombia, India and the UK shared answers to mandatory internal training courses. At KPMG Resource Centre Private Limited, an Indian operation which supports UK audit work, and at KPMG UK, the cheating involved hundreds of staff members and took place between 2018 and 2021.

The PCAOB’s actions against those KPMG entities in 2022 followed its actions against KPMG Australia for exam answer sharing in 2021 – and a 2019 SEC finding that was related to exam cheating at KPMG in 2017.

Staff at Ernst & Young in the US were also caught cheating in exams, with EY being handed a $100m fine by the SEC in 2022.

Another Big Four audit firm was fined this past December: PwC affiliates in Hong Kong and China and another Chinese audit firm settled disciplinary orders for violations of federal securities laws and PCAOB rules and standards. They were the first enforcement settlements with mainland Chinese and Hong Kong firms since the PCAOB secured access to inspect and investigate firms headquartered in China and Hong Kong in 2022.

GRIP Comment

The fact that this behavior continues, even after regulators have caught and started levying steeper fines, holding individuals personally responsible, should be of real concern to leadership teams at audit firms.

It could easily make anyone wonder what else the firm cuts corners on, how seriously its personnel value education and training, and how committed its leaders are to ethical standards of business conduct in general.

Paul Munter, Acting Chief Accountant at the SEC, has emphasized the incredibly important role that gatekeepers such as auditors play in the viability and trustworthiness of the US financial system.

“Any perceived erosion of auditor independence or the profession’s ethics or integrity breaks down the critical gatekeeper role of public accountants and can, over time, lead to diminished investor confidence,” he said.

US regulators have brought enforcement actions against gatekeepers who engage in wrongdoing themselves or attempt to cover up wrongdoing, participate in conduct that crosses a clear line, or fail meaningfully to implement compliance programs, policies and procedures for which the gatekeeper had direct responsibility. 

And they have stressed how accountants, auditors, underwriters and lawyers share responsibility for protecting investors and play critical roles in the capital markets as the first lines of defense against misconduct.

A company’s reputation rests on the integrity of its people and their actions and inactions. Something like cheating on exams, which we don’t stand for at the grade-school level, erodes the bedrock of integrity a business tries to build through the years with the public, can lower employee morale, and can distract the business from its central mission.

Which is why prompt, harsh disciplinary measures should be considered in these circumstances, regardless of the level of seniority of the individuals involved. It sends a message to the workforce and the public that no general statement from an executive could (although these disciplinary measures and the firm’s remediation of deficient policies and procedures should be in some executive-level statement).

Promotions, raises, bonuses and the like must be based on more than knowledge and skill; they are necessary ingredients for a successful auditor to possess, but not sufficient to be the kind of financial professional who would never think of cheating on e-learning. These firms need to make being a person of high character an integral feature of performance reviews.

And then there is additional surveillance and control that could enhance a business’s educational initiatives – and of course technology can help. Most types of employee monitoring software in the market now make it possible to see everything inputted into an employer-provided computer or mobile phone in real-time – from keystrokes, browsing activity, emails, chat apps… 

If some people are more likely to engage in dishonesty when they’re under stress and pressure, which has been documented, maybe those stressors (long hours, not enough support) need to be addressed too. More dialogue about that, and why e-learning courses could be tipping already too-high stress levels and burnout, should be encouraged, but not in a way that downplays the significance of education and professional development.

Finally, use enforcement actions (directed toward you or another entity) as an opportunity to send out a message about the attention your business is paying to this issue specifically. More generally, on the subject of workplace integrity, it should also be emphasized that adherence to ethical standards is a performance metric (hopefully it is) and that internal reporting channels can help limit any misconduct before it leads to a first-ever-sized fine.