Auditors Are Asleep at the Switch on Banks' Risk Controls

Register now

The Big Four auditors may not be catching errors and frauds at financial companies because they'd like to keep the business.

Those firms – Deloitte, Ernst & Young, KPMG and PricewaterhouseCoopers – are too busy trying to maintain longstanding relationships and selling consulting services to raise their hands about accounting manipulation and illegal activities.

Even a retired Ernst & Young Global Vice Chairman is worried the auditors are losing focus.

"I am personally worried about audit firms trying to get you to spend money with them on consulting," Roger Dunbar, now chairman of Silicon Valley Bank, told the audit profession regulator, the Public Company Accounting Oversight Board, at a recent forum on auditor rotation. "It's a risk."

Only two firms audit the four largest U.S. banks. The 20 banking and financial services institutions that pay the highest audit fees, according to Audit Analytics, spent nearly $1 billion with those vendors in 2011. Wells Fargo has worked with KPMG for more than eighty-one years. Citigroup and KPMG have been together since 1969.  PwC audits Bank of America and JP Morgan, as well as Goldman Sachs, MF Global, Barclays and PNC. These five engagements accounted for more than $300 million in fees in 2011 not including additional audits of non-consolidated subsidiaries and funds, which double that number.

After almost four years, investors thought we were approaching the beginning of the end of the financial crisis. Instead of a return to normal, the banks' bad decisions about mortgages are now costing shareholders billions in settlement costs and very expensive mandated regulatory reviews. At the same time, big banks are suffering from new control weaknesses— and acknowledging old ones  —  that will weigh on profit margins for years to come as litigation and compliance costs are paid and losses are recognized.

Auditors kept mum about weak or nonexistent controls over riskier activity at JPMorgan and MF Global and about regulatory compliance issues like anti-money laundering faults at HSBC and Libor manipulation at Barclays and at least 12 other banks including JPMorgan.

JPMorgan CEO Jamie Dimon admitted on May 10 that the "portfolio hedge"put on by his bank's chief investment office was "flawed, complex, poorly reviewed, poorly executed and poorly monitored."Dimon also said that controls existing in other parts of the bank were not in place in the CIO. JPMorgan announced Friday that losses on the CIO's synthetic credit portfolio as of the end of the second quarter totaled $4.4 billion. The bank also warned first-quarter results will be restated because traders "mis-marked"their positions on these trades.

Yet auditor PwC gave JP Morgan a clean opinion on its internal controls over financial reporting for 2011.

PwC also missed increased risk and deterioration controls under CEO Corzine at MF Global. In addition, MF Global's chief banker, JPMorgan, and MF Global broke rules on segregation of customer funds. (PwC client Barclays and Lehman, audited by Ernst & Young, did too.)

According to regulators, Barclays had no specific internal controls or procedures, written or otherwise, regarding how Libor submissions should be determined or monitored, and Barclays also did not require documentation of the submitters' Libor determinations. Auditor PwC also gave Barclays clean opinions on internal controls over financial reporting.

The Office of the Comptroller of the Currency said in October 2010 that KPMG client HSBC had multiple deficiencies in its anti-money laundering compliance program. HSBC said in February that several law enforcement agencies and Congress were investigating its US bank for noncompliance with U.S. anti-money laundering laws, the Bank Secrecy Act, economic sanctions and tax and securities laws. According to Morgan Stanley analysts' calculations, HSBC may also pay a potential penalty of up to $350 million related to the Libor investigation. KPMG earned $51 million for its clean opinion of the financial statement of HSBC in 2011.

Bankers seem blasé about the auditors' inability to catch high risks and weak controls. Even though long tenures and big fees may be diluting their objectivity, independence and professional skepticism, change costs too much.

Richard Levy, an executive vice president and the controller at Wells Fargo, in fact, doesn't think the concentration of service providers for financial services firms is a problem at all and doesn't want to be forced to switch auditors.

He told the PCAOB forum, "There is a practical limit to the number of viable replacement audit term candidates. Large, complex, multinational companies are realistically limited to using only one of the Big Four accounting firms. … We believe only two of the Big Four accounting firms would be viable candidates for our company and our large bank peers."

Levy's bank has used KPMG since 1931 and Levy himself is an alumnus of Coopers & Lybrand, which merged with Price Waterhouse to form PwC, so I suspect the firms he likes best are those two.  Levy did not respond to my request for comment.

Auditors and the banks they audit tell regulators that audit quality has improved since the Sarbanes-Oxley law was enacted in 2002 and that audit partners are too fearful of sanctions, litigation and damage to their own reputations to risk going easy on their clients.

Given what recent bank audits have missed or chosen to ignore, I suggest you judge for yourself whether this is really true.

Francine McKenna writes the blog re: The Auditors, about the Big Four accounting firms. She worked in consulting, professional services, accounting and financial management for more than 25 years.

For reprint and licensing requests for this article, click here.