Who’s afraid of the Public Company Accounting Oversight Board? Banks and other financial institutions should be, even though the PCAOB regulates their auditors and not them.
Unlike banks, which have had federal and state regulators looking over their shoulders for more than a century, the Big Four accounting firms are still not used to having a truly disinterested party auditing their audits. Before the Sarbanes-Oxley Act, the audit industry was largely self-regulated through peer reviews coordinated by the AICPA, a trade group.
So ever since Congress created the PCAOB in the aftermath of the Enron and Arthur Andersen scandal, there’s been an underlying tension between audit partners and staff, on one side, and the regulator’s inspection teams, on the other.
This tension surfaced like a bloated dead fish last week, when the PCAOB published a private portion of the inspection report of Deloitte’s 2006 audits.
Deloitte has been playing an unprecedented game of chicken with its regulator. Until a few years ago, the largest audit firms typically responded to the annual PCAOB inspection reports, and the young agency’s “nitpicking,” with at most a polite “Thanks, but we disagree.” In the inspection report for its 2005 audits, issued in June 2007, Deloitte had simply disagreed with two findings and suggested some comments not be included in the final report.
In December of 2007, shortly after the fieldwork for the review of 2006 audits wrapped up, the PCAOB fined Deloitte $1 million for violation of PCAOB rules and auditing standards when reviewing the financials of Ligand Pharmaceuticals. The regulator also sanctioned the partner on the audit. The firm was ordered to improve its quality control policies and procedures.
In spite of this sanction, the only one of its kind directed by the PCAOB at a Big Four auditing firm, Deloitte began to dispute the board’s inspection criticisms and protest the regulator’s “second-guessing.”
When presented with a draft of the PCAOB’s report on the firm’s 2006 audits, Deloitte bristled. “We believe that reasonable judgments should not be second-guessed and therefore disagree with a number of comments,” the firm told the regulator in April 2008.
The same specific criticisms of Deloitte’s conduct and judgments in 2006 show up in subsequent inspection reports for its 2007 and 2008 audits: misapplication of generally accepted accounting principles and auditing standards; failures to identify departures from GAAP and a material weakness in an issuer’s internal controls.
Yet when responding to the PCAOB’s 2007 inspection report in March 2009 – little more than a month before the deadline to correct the 2006 audit deficiencies – Deloitte again refused to accept the regulator’s criticisms. This time the media caught wind of the disagreement.
Deloitte not only repeated the “second-guessing” accusation, the firm even admonished the regulator for making some of the criticisms public. “We believe such observations should not be included in the final report,” Deloitte wrote.
The firm’s chief executive for the U.S. admitted in its 2010 report “Advancing Quality Through Transparency” that the PCAOB had again privately criticized similar quality-control shortcomings during inspections of 2007 and 2008 audits. In addition, internal Deloitte reports described more than 475 reprimands to staff and partners in 2009 for infractions such as not following policies on auditor independence.
The PCAOB’s decision to make the 2006 quality control criticisms public, and the fact that the Securities and Exchange Commission allowed it to do so, tell me Deloitte is still fighting the regulators. The deadlines for Deloitte to fix or sufficiently respond to criticisms in the 2007 and 2008 inspection reports have passed. We could soon see previously nonpublic information from those reports, too.
The risk for banks in a situation like this is that an auditor that brazenly irritates its regulator may draw unwanted attention to its clients from their regulators. For example, PCAOB spokeswoman Colleen Brennan reminds me that the SEC knows the names of every company whose audit deficiencies are mentioned in a PCAOB auditor inspection report.
“Bankers would be naive to think regulators, investors, and potential plaintiffs aren’t taking advantage of this new source of available information about public companies,” Prof. Scott Showalter of North Carolina State University, a retired partner at KPMG, told me.
A Deloitte spokesman would not discuss the situation last week and directed me to a canned statement in which CEO Joe Echevarria acknowledges there’s “always” room for improvement and says the firm has been investing in improving its practices.
Make sure your audit firm is focusing on quality control and regulatory compliance. Bank executives, their audit committees and their shareholders are at risk of additional scrutiny and unwelcome publicity under the best-case scenario – and audit failures under the worst case – if their auditor wages a protracted fight with its regulator.
Francine McKenna writes the blog re: The Auditors, about the Big Four accounting firms. She worked in consulting, professional services, accounting and financial management for more than 25 years.