The PCAOB has found that KPMG staff in Colombia, India and the UK shared answers to mandatory internal training courses. At KPMG Resource Centre Private Limited, an Indian operation which supports UK audit work, and at KPMG UK the cheating involved hundreds of staff members and took place between 2018 and 2021.
In Colombia answers to tests were shared from “at least 2016 to 2020” and the extent of the cheating is not yet clear. As a result the firm “will be required to complete a further investigation under the supervision of an independent consultant” to determine its full extent as well as “appropriate remedial action”.
The PCAOB’s actions against these KPMG entities follow on its findings against KPMG Australia for exam answer sharing last year and a 2019 SEC finding connected to exam cheating at KPMG in 2017. Staff at EY in the US and PwC in Canada have also been caught cheating in exams with EY being handed a $100m fine by the SEC earlier this year.
It seems that cheating has been endemic at the large firms for a number of years and it is not unlikely that further regulatory action will be forthcoming in this area. The fact that this behaviour continued even after regulators caught and started levying fines will be of real concern to both regulators and management.
Uncovering the underlying motivational factors behind the cheating (eg highly competitive environment, inadequate time allowed for study, or worse a cultural tolerance of cheating) seems essential in order to truly address the roots of the problem.
Quality control deficiencies at KPMG Colombia and KPMG India
Audit firms are supposed to have adequate policies, processes and systems in place to protect the integrity of audit documentation. If documents can be tampered with they can no longer be relied on by stakeholders as trustworthy, which defies the purpose of audit work. The PCAOB found problems in this area at KPMG Colombia and KPMG India.
A PCAOB inspection at KPMG Colombia in 2016 revealed that the firm did not have an effective system in place to retain documents or protect these from improper changes. And although the firm took steps to address these failings by the time of the next inspection in 2019, these were not adequate and did not fully address the problems. According to the PCAOB findings KPMG was aware of the problematic practice, but did not take adequate steps to prevent it.
In effect they knew that the audits potentially fell short of the regulators’ expectations and attempted to “improve” on these in order to cast their own work as well as the firm in a better light.
The document control and retention shortcomings enabled the firm’s staff to alter documentation. As a result, three of its staff, a partner, manager and senior, have been sanctioned for altering and backdating documents “in anticipation of a PCAOB inspection”. In effect they knew that the audits potentially fell short of the regulators’ expectations and attempted to “improve” on these in order to cast their own work as well as the firm in a better light. But the result was exactly the one they were trying to avoid, which was to draw attention to the fact that the firm still lacked adequate document safeguards.
In India the PCAOB found a similar lack of control over documentation and supervisory failures. These led to a partner and other members of the firm’s engagement team signing off “on dozens of blank work papers” before an audit had actually been documented and completed. According to the PCAOB this demonstrated that KPMG India did not establish adequate policies, procedures or safeguards that would have prevented or detected contravention of the stringent rules that apply to audit documentation.
Finally, according to the PCAOB disciplinary order issued against KPMG UK, the firm allowed a Romanian affiliate, KPMG Audit, which was not properly registered with the PCAOB, to play a substantial role in four audits it had performed for one of its public company clients.
It is easy to see how a situation such as this occurred. Things were busy at KPMG UK and the Romanian affiliate’s work was of a very high standard. It was very easy to relegate the work to them and, soon enough, KPMG Audit had “incurred 74% of the total audit hours”. Someone at KPMG UK must have realised that this was a problem because they failed to tell the client’s audit committee that KPMG Audit had done a substantial part of the audit work and in 2020 went so far as to tell the audit committee that it was KPMG Romania (registered with the PCAOB, but a holding company at the time) that “would be participating in the audit”.
In addition, according to the PCAOB, KPMG Audit, as well as other unregistered firms, was also involved in the audits of three other public company clients. But in those instances its involvement did not exceed a threshold which would have made its audit role a substantial one. So under the rules KPMG was only censured for not disclosing its involvement.
While on the surface each of these disciplinary actions zeroes in on a very specific scenario, what binds them together is that failings in policies, processes and systems are connected to and, in a high pressure environment, often prevent firms from supervising critical aspects of an operation effectively. In the case of inadequate systems in particular, their very inadequacy can directly lead to issues because problems and infractions are not flagged, monitoring is difficult and escalation lines unclear.