Recent civil and criminal fraud charges against partners at KPMG and staffers at the PCAOB, arising out of “their participation in a scheme to misappropriate and use confidential information relating to the PCAOB’s planned inspections of KPMG,” have led some managements and audit committee members to consider whether there is more they should be doing to ensure that their outside audit firms are not plagued by similar concerns. This article from Compliance Week sifts through a speech by Helen Munter, PCAOB director of inspections and registration, to assemble a series of questions that, in light of these recent charges, may be appropriate for audit committee members to pose to their outside audit firms.

You might recall that the charges by the SEC and the U.S. attorney’s office filed this past January alleged that former PCAOB staffers leaked to several KPMG partners the plans for PCAOB inspections of KPMG—“literally stealing the exam.” More specifically, while preparing to leave the PCAOB to join KPMG, an accountant downloaded confidential inspection-related materials that he thought would help him succeed at KPMG to reduce its audit deficiencies. After he left, he was aided in gaining access to confidential PCAOB materials by two other PCAOB staffers, who also later joined or sought employment at KPMG. Several high-level former KPMG partners were alleged to have encouraged the misconduct: according to the federal indictment, a former KPMG partner told one of the former PCAOB staffers who had joined KPMG to remember where his “paycheck came from and be loyal to KPMG.” The leaked information enabled KPMG “to analyze and revise audit workpapers in an effort to avoid negative findings by the PCAOB.” Apparently, they reviewed the workpapers for at least seven entities they were told the PCAOB would inspect. In a statement, SEC Chair Jay Clayton characterized the conduct as “disturbing,” but concluded that these actions would not “adversely affect the ability of SEC registrants to continue to use audit reports issued by KPMG in filings with the Commission or for investors to rely upon those required reports. I do not expect that these actions will adversely affect the orderly flow of financial information to investors and the U.S. capital markets, including the filing of audited financial statements with the Commission.” 

But is it possible that these types of issues are prevalent at other audit firms? According to former SEC Chief Accountant Lynn Turner, cited in the article, that’s a fair question: “‘What happened at KPMG could be but one part of a much larger problem….I think that’s what people at public companies need to be concerned about.’”

Inquiry regarding the outside auditor’s quality control and inspection results would appear to fall squarely within the ambit of the audit committee’s oversight responsibility. As presented by Compliance Week, the following questions from Munter’s speech (delivered to audit firms at an AICPA conference) may be useful for audit committees to consider asking of their audit firms as part of that inquiry (and more):

  • “Does your firm have in place a system of quality control that provides it with reasonable assurance that its personnel comply with applicable professional standards and the firm’s own standards of quality?
  • How do you know audits are being performed in a quality manner on a consistent basis? What are the controls you rely on? How quickly would someone coming to your organization understand those controls and be able to become part of that system? Does staff at all levels understand those controls?
  • Does your firm approach PCAOB inspection results by remediating individual problems or by addressing systemic issues identified through either internal or external reviews?
  • Does your firm exhibit a tone at the top that emphasizes the importance of the role of the audit to the financial markets—an attitude of serving the investor? Are you cultivating a culture where due care, including professional skepticism, is rewarded throughout the firm as part of a firm strategy?
  • Do you hold audit leaders, not just the lead engagement partner, accountable for audit quality? Engagement quality reviewers? Managing partners? Partners assisting in multi-location audits? Do you incorporate audit quality goals and metrics into partner performance evaluations?
  • Does the firm have policies in place to assure that they are assigning personnel with the technical expertise to successfully complete audits, providing necessary training, and advancing personnel with the appropriate qualifications?
  • How do you manage an engagement team’s workload to assure sufficient time is allocated to perform the audit? How do you assure your engagement quality reviews are allocated sufficient time and comply with standards?
  • What are your policies and procedures with respect to consultations with the national office? Are your audit teams encouraged to pursue consultations in complex or subjective areas? Are there barriers that prevent teams from seeking consultations?
  • How do you monitor the firm’s system of quality control? How do you identify and assess root causes of audit deficiencies where they are identified, either through internal or external reviews?
  • How do you assure compliance with auditor independence requirements?
  • How are you remediating deficiencies in the key areas commonly called out in inspections, including assessing and responding to risks of material misstatement, auditing internal control over financial reporting, and auditing accounting estimates, including fair value measurements?”

Turner suggests adding one more question to conclude the inquiry, a “final catch-all question: ‘Is there anything going on that you’re aware of that would cause an investor concern?’”