KPMG to Pay $50 Million for Using Stolen Data, Exam Cheating

SEC calls breadth and seriousness of the misconduct ‘astonishing.’

KPMG has agreed to pay a $50 million penalty to the Securities and Exchange Commission (SEC), which has charged the firm with altering past audit work after receiving stolen information about inspections that would be conducted by the Public Company Accounting Oversight Board (PCAOB). The SEC also alleged that KPMG audit professionals cheated on internal training exams by improperly sharing answers and manipulating test results. 

According to the SEC’s order, in an effort to improve the results of the annual inspections of KPMG audits, senior members of KPMG’s Audit Quality and Professional Practice group (AQPP), which oversees the firm’s system of quality control, improperly obtained and used confidential information belonging to the PCAOB.

The information obtained included lists of the specific audit engagements the PCAOB planned to inspect, the criteria the PCAOB used to select engagements for inspection, and the focus areas of the inspections. The SEC said KPMG sought the information because it had experienced a high rate of audit deficiency findings in prior PCAOB inspections and had made improving its inspection results a priority.

“The breadth and seriousness of the misconduct at issue here is, frankly, astonishing,” said Steven Peikin, co-director of the SEC’s Enforcement Division. “This settlement reflects the need to severely punish this sort of wrongdoing while putting in place measures designed to prevent its recurrence.”

In addition to using ill-gotten PCAOB data, the SEC charged KPMG audit professionals with helping their colleagues cheat on training exams. Many KPMG audit professionals are required by state accountancy boards to complete a minimum number of continuing professional education courses, which is typically 120 hours every three years. And KPMG requires its audit professionals to complete additional training in excess of state requirements.

As part of a 2017 settlement of SEC charges that KPMG failed to properly audit the financial statements of an oil and gas client, the regulator ordered KPMG audit professionals to complete a minimum of 12 hours of training in specific audit areas. To help its auditors satisfy these requirements, KPMG administers its own online training programs that also qualify for continuing professional education credit. KPMG requires its auditors to pass an examination at the conclusion of each online training program.

“On numerous occasions, KPMG audit professionals who had passed training exams sent their answers to colleagues to help them pass those exams,” said the SEC in its order. “They sent colleagues images of their answers primarily by email or printed their answers and gave them to their colleagues.”

The SEC said this was committed by audit professionals at all levels of seniority, including lead audit engagement partners who were responsible for compliance with PCAOB standards. Some lead audit engagement partners not only sent exam answers to other partners, but also solicited answers from and sent answers to their subordinates.

Additionally, the SEC charged that certain KPMG audit professionals manipulated an internal server hosting training exams to lower the score required for passing. By changing a number embedded in a hyperlink, they manually selected the minimum passing scores required for exams. On some occasions, audit professionals “earned” passing scores despite only correctly answering less than 25% of the questions.

“High-quality financial statements prepared and reviewed in accordance with applicable accounting principles and professional standards are the bedrock of our capital markets,” said SEC Chairman Jay Clayton in a statement. “KPMG’s ethical failures are simply unacceptable. The resolution the Enforcement Division has reached holds KPMG accountable for its past failures and provides for continuing, heightened oversight to protect our markets and our investors.”

On top of the $50 million penalty, KPMG is required to evaluate its quality controls relating to ethics and integrity, identify audit professionals that violated ethics and integrity requirements in connection with training examinations within the past three years, and comply with a cease-and-desist order. The SEC’s order also requires KPMG to retain an independent consultant to review and assess the firm’s ethics and integrity controls.

KPMG has admitted the facts in the SEC’s order, and has also acknowledged that its conduct violated PCAOB rules.

Related Stories:
SEC Charges Student with Running Ponzi Scheme Out of Frat House
Chinese Bank to Pay over $42 Million for Improper ADR Handling

Tags: , ,