= Subscriber content; or subscribe now to access all American Banker content.

Auditors Are Asleep at the Switch on Banks' Risk Controls

The Big Four auditors may not be catching errors and frauds at financial companies because they'd like to keep the business.

Those firms – Deloitte, Ernst & Young, KPMG and PricewaterhouseCoopers – are too busy trying to maintain longstanding relationships and selling consulting services to raise their hands about accounting manipulation and illegal activities.

Even a retired Ernst & Young Global Vice Chairman is worried the auditors are losing focus.

"I am personally worried about audit firms trying to get you to spend money with them on consulting," Roger Dunbar, now chairman of Silicon Valley Bank, told the audit profession regulator, the Public Company Accounting Oversight Board, at a recent forum on auditor rotation. "It's a risk."

Only two firms audit the four largest U.S. banks. The 20 banking and financial services institutions that pay the highest audit fees, according to Audit Analytics, spent nearly $1 billion with those vendors in 2011. Wells Fargo has worked with KPMG for more than eighty-one years. Citigroup and KPMG have been together since 1969.  PwC audits Bank of America and JP Morgan, as well as Goldman Sachs, MF Global, Barclays and PNC. These five engagements accounted for more than $300 million in fees in 2011 not including additional audits of non-consolidated subsidiaries and funds, which double that number.

After almost four years, investors thought we were approaching the beginning of the end of the financial crisis. Instead of a return to normal, the banks' bad decisions about mortgages are now costing shareholders billions in settlement costs and very expensive mandated regulatory reviews. At the same time, big banks are suffering from new control weaknesses— and acknowledging old ones  —  that will weigh on profit margins for years to come as litigation and compliance costs are paid and losses are recognized.

Auditors kept mum about weak or nonexistent controls over riskier activity at JPMorgan and MF Global and about regulatory compliance issues like anti-money laundering faults at HSBC and Libor manipulation at Barclays and at least 12 other banks including JPMorgan.

JPMorgan CEO Jamie Dimon admitted on May 10 that the "portfolio hedge"put on by his bank's chief investment office was "flawed, complex, poorly reviewed, poorly executed and poorly monitored."Dimon also said that controls existing in other parts of the bank were not in place in the CIO. JPMorgan announced Friday that losses on the CIO's synthetic credit portfolio as of the end of the second quarter totaled $4.4 billion. The bank also warned first-quarter results will be restated because traders "mis-marked"their positions on these trades.

Yet auditor PwC gave JP Morgan a clean opinion on its internal controls over financial reporting for 2011.

PwC also missed increased risk and deterioration controls under CEO Corzine at MF Global. In addition, MF Global's chief banker, JPMorgan, and MF Global broke rules on segregation of customer funds. (PwC client Barclays and Lehman, audited by Ernst & Young, did too.)

According to regulators, Barclays had no specific internal controls or procedures, written or otherwise, regarding how Libor submissions should be determined or monitored, and Barclays also did not require documentation of the submitters' Libor determinations. Auditor PwC also gave Barclays clean opinions on internal controls over financial reporting.

The Office of the Comptroller of the Currency said in October 2010 that KPMG client HSBC had multiple deficiencies in its anti-money laundering compliance program. HSBC said in February that several law enforcement agencies and Congress were investigating its US bank for noncompliance with U.S. anti-money laundering laws, the Bank Secrecy Act, economic sanctions and tax and securities laws. According to Morgan Stanley analysts' calculations, HSBC may also pay a potential penalty of up to $350 million related to the Libor investigation. KPMG earned $51 million for its clean opinion of the financial statement of HSBC in 2011.

Bankers seem blasé about the auditors' inability to catch high risks and weak controls. Even though long tenures and big fees may be diluting their objectivity, independence and professional skepticism, change costs too much.

Richard Levy, an executive vice president and the controller at Wells Fargo, in fact, doesn't think the concentration of service providers for financial services firms is a problem at all and doesn't want to be forced to switch auditors.

He told the PCAOB forum, "There is a practical limit to the number of viable replacement audit term candidates. Large, complex, multinational companies are realistically limited to using only one of the Big Four accounting firms. … We believe only two of the Big Four accounting firms would be viable candidates for our company and our large bank peers."

Levy's bank has used KPMG since 1931 and Levy himself is an alumnus of Coopers & Lybrand, which merged with Price Waterhouse to form PwC, so I suspect the firms he likes best are those two.  Levy did not respond to my request for comment.

Auditors and the banks they audit tell regulators that audit quality has improved since the Sarbanes-Oxley law was enacted in 2002 and that audit partners are too fearful of sanctions, litigation and damage to their own reputations to risk going easy on their clients.

Given what recent bank audits have missed or chosen to ignore, I suggest you judge for yourself whether this is really true.

Francine McKenna writes the blog re: The Auditors, about the Big Four accounting firms. She worked in consulting, professional services, accounting and financial management for more than 25 years.


(9) Comments



Comments (9)
@larry buhl

My editor suggested I at least give the rationale for audit failure and the Libor mess. This is an abbreviated version of a response to a similar comment on my site,

Barclays broke the law in several ways and that's why they are paying a fine of several hundred million dollars. In breaking the law the firm and its traders caused transactions, assets and liabilities to be recorded with false and manipulated values.

The auditor has an obligation under PCAOB audit standards to assess the risk of material misstatement, fraud or illegal acts and adjust its audit program to increase the likelihood that such issues will be detected. If the auditor identifies or becomes aware of fraud or illegal acts then they have an obligation under the Securities and Exchange Act of 1934 Section 10A to report those acts to management and the audit committee and if they are not addressed in good faith to the SEC.

The fact that Barclays had no policies, procedures and controls over its Libor submission process increased risk that there would be a material misstatement of values of transactions or fraud. Certainly the possibility for the firm to break the law by manipulating the submissions was heightened.

Materiality of a potential misstatement is judged not only in quantitative terms but in qualitative terms.

The SEC says:

"Under the governing principles, an assessment of materiality requires that one views the facts in the context of the "surrounding circumstances," as the accounting literature puts it, or the "total mix" of information, in the words of the Supreme Court. In the context of a misstatement of a financial statement item, while the "total mix" includes the size in numerical or percentage terms of the misstatement, it also includes the factual context in which the user of financial statements would view the financial statement item. The shorthand in the accounting and auditing literature for this analysis is that financial management and the auditor must consider both "quantitative" and "qualitative" factors in assessing an item's materiality. Court decisions, Commission rules and enforcement actions, and accounting and auditing literature6 have all considered "qualitative" factors in various contexts."

The external auditors have a role in identifying and testing internal controls over financial reporting and raising concerns when it is clear there was no control and that the lack of controls was being exploited to manipulate valuations for transactions, assets, or liabilities that are summarized on the balance sheet or income statement or to act in an illegal way.

Which laws were broken? From the CFTC order:

"Together, Sections 6(c), 6(d), and 9(a)(2) of the Commodities Exchange Act prohibit acts of attempted manipulation. Section9(a)(2)oftheActmakesitunlawfulfor"[a]nypersontomanipulateor attempt to manipulate the price of any commodity in interstate commerce, or for future delivery on or subject to the rules o f any registered entity . . . . " 7 U.S.C. S l3(a)(2) (2006). Section 6(c) of the Act authorizes the Commission to serve a complaint and provide for the imposition of, among other things, civil monetary penalties and cease and desist orders ifthe Commission "has reason to believe that any person ... has manipulated 01′ attempted to manipulate the market price of any commodity, in interstate commerce, 01′ for future delivery on 01′ subject to the rules of any registered entity, ... or otherwise is violating or has violated any of the provisions of [the] Act ... ." 7 U.S.C. S 9 (2006). Section 6(d) ofthe Act is substantially identical to section 6(c). See 7 U.S.C. S l3b (2006)."
Posted by Francine McKenna | Tuesday, July 17 2012 at 10:52PM ET
@larry buhl

This is an opinion column so you can safely assume that anything not stated as fact or attributed to someone else is my opinion. There is too much here in your comment that implies you haven't read this column thoroughly and with an open heart and mind nor have you read anything else I've written. So I would suggest you do both. It would take 50 thousand words to repeat what I have written elsewhere about why JPM, Libor, and HSBC, for example, are also audit failures. I"ve written it here and at Forbes and on my own site. In general, when even a retired EY Vice Chairman says that the auditors are quickly rebuilding their consulting firms and aggressively selling those services to audit clients and that this is a risk, I think you should pause and consider it may be more than even just my opinion that we have a problem again.
Posted by Francine McKenna | Tuesday, July 17 2012 at 3:35PM ET

Deloitte is not mentioned much here because they lost some big bank clients during the crisis - Washington Mutual, Bear Stearns, Merrill Lynch. They are also famous for their failure to warn the UK taxpayer about RBS. Deloitte still audits MS, which has been struggling, and several hedge funds as well as the big asset manager BlackRock. Deloitte is also now doing consulting for everyone they don't audit. Ive written here about their work for JP Morgan Chase on the foreclosure reviews quite a bit since I think that its a serious independence breach. Most of what Deloitte os reviewing there relates to their prior clients WaMu and Bear Stearns.

Deloitte also has the dubious honor of being h only Big Four firms to have the private portion of a PVCOAB inspection report made public by the regulator. That report, which deals with quality and risk amazement issues going back to 2006, was made public because Deloitte refused to acknowledge or remediate the issues to PCAOB satisfaction and instead fought the PCOAB's authority.
Posted by Francine McKenna | Tuesday, July 17 2012 at 3:29PM ET
you state "Those firms - Deloitte, Ernst & Young, KPMG and PricewaterhouseCoopers - are too busy trying to maintain longstanding relationships and selling consulting services to raise their hands about accounting manipulation and illegal activities."

There just is no basis--legal, factual or historical--for making that comment as cause and effect. So say it's your speculation vs treating it as fact.They do want to retain clients and they do want to sell services; neither are inappropriate. They are also known historically as an honorable profession understanding their role and responsibilities. In CPA history, maybe that applied to Enron, where partners allegedly intentionally overlooked matters, but you are hard pressed to state that otherwise for major large fee SEC registrants. You can have your opinion, but...

Post SOX, the auditors are accountable to the Board via its Audit Committee. Management doesn't dictate or control the relationship where the AC is strong vibrant and capable. Strengthen Audit Commitees maybe, but rotation is an answer looking for a problem that doesn't exist.

And re the allegations that auditors kept mum, what do the auditors have to do with LIBOR deception? That wouldn't be in their scope in reporting on fair presentation of historical financial statements or financial reporting controls. You as a professional should know better about what the auditors are responsible for, rather than being inflammatory. Lehman followed disclosure and accounting then mandated. JPM screwed up their hedge; not a financial reporting control but an operating one--the accounting wasn't incorrect. The auditors are not reporting on operating risk; that's for management and the Board.
Posted by larry buhl | Tuesday, July 17 2012 at 1:15PM ET
Hi Francine, Notably missing from the picture is Deloitte. What's your take on Deloitte's auditing services? Regrettably I don't know enough about their risk management client history, but certainly they too fall under this category of auditing firms?
Posted by pkshah | Tuesday, July 17 2012 at 11:48AM ET

I agree with you 100% on all aspects of your comment. I have written about the auditors appearance before Parliament's Economic Affairs Committee. I, too, have a hard time understanding how the auditors have avoided so far a call to answer the same questions here before the US before Congress.
Posted by Francine McKenna | Monday, July 16 2012 at 2:46PM ET

I found it pretty surprising Levy would say something like that in public and then not be asked which banks he was referring to. I have sent him a copy of the column. Perhaps he will respond now.
Posted by Francine McKenna | Monday, July 16 2012 at 2:41PM ET
Is it fair to ask any of the large firms:

"If your firm is so large, complex and opaque that only two auditing firms are capable of auditing you, should you consider breaking yourself up to be smaller, less complex, and less opaque so the socialization of your risk reduces rather than increases systemic risk?"

The Big Four have not been trotted before Congress, as they have in London to Her Majesty's Economic Affairs Committee (and elsewhere -, and it is curious why this hasn't happened. There is likely as much at stake on this issue as the Ratings Agency issue that we have all come to know over the course of the last 5-years. Given the repeated failures of external audits, internal audits, risk management, regulators, rating agencies and the investment community as whole at "breaking" the black box of these large financial conglomerates, it is past time to reassess the broader reform strategy in general. Given the amount of money spent trying to manage these complex entities, shouldn't it be asked if it isn't cheaper, more efficient, and better capital allocation to reduce size and/or complexity such that the funds spent to seek to comply, and fail, are reapplied to more productive uses? What, in the end, is the real benefit of having firms so large that they are de facto "wards of the state" in times of crisis? This is "sovereign" procyclicality that is every bit as harmful as financial procyclicality within capital and liquidity rules.

Is it perhaps time to start asking better and different questions, rather than repeating the same dogma that got us into this mess in the first place?
Posted by Stentor | Monday, July 16 2012 at 2:39PM ET
"We believe only two of the Big Four accounting firms would be viable candidates for our company and our large bank peers."

Levy's bank has used KPMG since 1931 and Levy himself is an alumnus of Coopers & Lybrand, which merged with Price Waterhouse to form PwC, so I suspect the firms he likes best are those two. Levy did not respond to my request for comment."

I'm not so sure. I agree that KPMG and PwC have significant banking client bases and are fully capable to audit Wells Fargo, but EY may be a better fit considering the overall makeup of its (smaller) banking client base.

EY audits US Bancorp, State Street, Regions Financial, Capital One, TD, Citizens Republic, SunTrust, Zions, and Keycorp. All of these banks have more business lines, operations, and geographical mix similar to Wells Fargo than, say, Goldman Sachs or Barclays. They are significantly more concentrated on the US market, they have much smaller investment banking operations, and they are much more leveraged to benefit from US mortgage activity and domestic lending. They are "less risky" than most of the bulge-bracket firms. JP Morgan, Goldman, Morgan, Barclays, Citi, Deutsche, HSBC, and Credit Suisse have significantly different operating models than Wells Fargo.
Posted by crazyworld | Monday, July 16 2012 at 12:37PM ET
Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.