Anatomy of a failure: Credit Suisse, PwC, and KPMG, too
When Switzerland's Credit Suisse went down in flames over the weekend of March 18-19, 2023, few were thinking about its auditors. Except me.
Axios' Felix Salmon wrote on Monday morning March 20 that Credit Suisse had failed, "or at least it would have, were it not too big to fail. Instead, Switzerland's banking regulators cobbled together an emergency solution that leaves nobody happy — but at least prevents a catastrophe for the global financial system."
Switzerland's other big bank, UBS, was forced to buy Credit Suisse for negative $14 billion. Credit Suisse shareholders will get $3.2 billion but Swiss regulators wiped out $17.2 billion of the bank's liabilities, leaving the CoCo bondholders with nothing. (They are fighting back!)
When the deal goes through PwC will lose a big audit client, one it just recently gained, since that is how it works in most acquisitions — the victor's auditor inherits the client.
The Credit Suisse audit mandate was first given to KPMG in 1989. Although Credit Suisse, since it is headquartered in Switzerland, is not subject to mandatory external audit firm rotation requirements, its Audit Committee decided in 2018 to pursue an audit rotation. EU rules do require some rotation and Credit Suisse’s has significant subsidiaries in Germany and the Netherlands. Following the evaluation and selection process in 2018, Credit Suisse announced PricewaterhouseCoopers AG (PwC) would be Credit Suisse’s new statutory auditor to succeed KPMG AG (KPMG) at the Annual General Meeting on April 30, 2020. The appointment was effective for the fiscal year ending December 31, 2020.
Lead audit partners are subject to periodic rotation requirements everywhere, including the U.S. even prior to Sarbanes-Oxley. KPMG's Nicholas Edmonds had been the Credit Suisse Group Engagement Partner since 2016 and Credit Suisse disclosed that Anthony Anzevino, a US partner based in Switzerland, had been the Global Lead Partner since 2012. Anzevino of KPMG returned to the U.S. in 2020 to become a member of the KPMG global leadership team. PwC's Matthew Falconer took over as Lead Engagement Partner in 2020 and is still engaged in that role, according to the PCAOB's Form AP records.
It was an interesting time for a very large KPMG bank audit client to be considering dropping the firm. As we discussed in Part 1 and 2 of my analysis of KPMG's role in the failures of three more banks in the US during this same month of March, KPMG was weathering a serious scandal with criminal indictment implications in the U.S..
[n]early a year after KPMG disclosed the partners' regulatory data theft and their separation from the firm, SEC Chairman Jay Clayton reiterated KPMG's [January 2017] contention that the issues did not impact any of the firm’s audit opinions or any client’s financial statements.
On January 22, 2018, in Clayton's statement corresponding to the announcement of the SEC and DOJ charges against the KPMG and PCAOB individuals, Clayton advised KPMG clients, investors, and the markets that he did not believe the charges against the six individuals would “adversely affect the ability of SEC registrants to continue to use audit reports issued by KPMG in filings with the Commission or for investors to rely upon those required reports.”
Clayton also reassured investors and the markets that he did not expect the indictments to cause interruptions in the “orderly flow of financial information to investors and the U.S. capital markets, including the filing of audited financial statements with the Commission”.
Former SEC Chairman Clayton was explicitly asking KPMG's audit clients not to flee the firm and for investors in those companies, in many cases systemically important banks, to remain calm and not put pressure on the banks to drop KPMG.
Few clients abandoned KPMG, and the ones that did such as Credit Suisse and another long and strong KPMG audit client Deutsche Bank in Germany had the EU auditor rotation rules to blame. GE, another company that ditched KPMG after more than 110 years of paying billions in fees, had its own serious troubles and a long record of investors asking for KPMG to also be held accountable way before the PCAOB data theft scandal became public.
I guess reputation risk is not what it used to be...
PwC took over the Credit Suisse audit for fiscal year 2020 and almost immediately had to clean up some trash. In its December 31, 2021, 20-F (the foreign filer equivalent of a 10-K) filed with the SEC on March 10, 2022 — only the second year PwC was on the job — Credit Suisse disclosed:
In connection with ongoing internal control processes, the Group identified accounting issues.
The bank characterized the corrections for these issues as a "revision" not a "restatement" since they "were not material individually or in aggregate to the prior period financial statements.
What were the issues? First, there's a description of the issues identified from the 2020 period, PwC's first as auditor:
The Group identified accounting issues with respect to the netting treatment relating to the presentation of a limited population of certain securities lending and borrowing activities. As a result, balance sheet and cash flow positions for both assets and liabilities relating to these activities were understated. For the year ended December 31, 2020, “Central bank funds sold, securities purchased under resale agreements and securities borrowing transactions”, “Total assets”, “Central bank funds purchased, securities sold under repurchase agreements and securities lending transactions” as well as “Total liabilities” in the consolidated balances sheets were revised by CHF 13,143 million.
For the year ended December 31, 2020, “(Increase)/decrease in central bank funds sold, securities purchased under resale agreements and securities borrowing transactions” and “Net cash provided by/(used in) investing activities” were revised by a credit of CHF 70 million in the consolidated statements of cash flows and “Increase/(decrease) in central bank funds purchased, securities sold under repurchase agreements and securities lending transactions” and “Net cash provided by/(used in) financing activities” were revised by a debit of CHF 70 million. Due to the increase in total assets the Group’s leverage exposure increased by the same amount and reduced the related leverage ratios by 10 basis points.
Then, Credit Suisse identifies issues for 2019, the final year of KPMG's tenure as auditor:
Separately, in the consolidated statements of cash flows share-based compensation expenses, net were previously included in net cash provided by/(used in) financing activities, but are now separately included in net cash provided by/(used in) operating activities. The Group also expanded the elimination of non-cash exchange rate movements related to certain operating, investing and financing activities.
In addition, the presentation of certain cash flow hedges were reclassified. In aggregate for these matters for the year ended December 31, 2020, “Net cash provided by/(used in) operating activities” were revised by a debit of CHF 483 million, “Net cash provided by/(used in) investing activities” were revised by a credit of CHF 2,294 million and “Net cash provided by/(used in) financing activities were revised by a debit of CHF 1,811 million.
In aggregate for these matters for the year ended December 31, 2019, “Net cash provided by/(used in) operating activities” were revised by a debit of CHF 1,086 million, “Net cash provided by/(used in) investing activities” were revised by a credit of CHF 1,033 million and “Net cash provided by/(used in) financing activities were revised by a credit of CHF 53 million.
So, despite the fact that Credit Suisse, in consultation with its current auditor PwC, disclosed a revision to prior period financial statements for two years, because the bank and its auditor did not characterize these fixes as material, PwC did not cite any material weaknesses in internal controls over financial reporting.
PwC did not believe that any serious holes in controls had led to these misstatements. But as they say in baseball, the game's not over until the last out, and not everyone with an opinion on the issue had stepped up to the plate and took their swings, yet.
A year later, on March 9, 2023, Margot Patrick and Jean Eaglesham at the WSJ reported:
Credit Suisse Group AG delayed its annual report to address a late-night request from the U.S. Securities and Exchange Commission for more information on how the bank recorded its cash flows in the past.
The Swiss banking giant said the SEC called late Wednesday for more information on its consolidated cash flow statements from 2019 and 2020, which the bank later revised.
Credit Suisse in its 2021 annual report said its internal controls led it to make several revisions to the cash flow statements. The SEC’s request focuses on the bank’s “technical assessment” of those previously disclosed revisions.
In July of 2022, the SEC began a comment letter correspondence with the bank's CFO regarding what looked like a routine review of Credit Suisse's Form 20-F for year ended December 31, 2021 and asked about the prior period "revision" of its Statement of Cash Flows, and a few other things.
Notes to the consolidated financial statements
Note 1 - Summary of significant accounting policies
Revisions of prior period financial statements, page 292
3.We note your disclosures that you identified “accounting issues” pertaining to: (i) netting treatment in the presentation of a limited population of certain securities lending and borrowing activities; and (ii) reclassification and other changes to the consolidated statements of cash flows in the years ended December 31, 2020 and 2019. Please provide us with a full and detailed description of the errors, including, but not limited to, who identified them, when, and how, and whether they were the result of control deficiencies. In addition, provide us with your assessment of materiality supporting your conclusion that they are immaterial both individually and in the aggregate.
Ensure your response addresses qualitative and quantitative factors and provides an objective assessment of materiality from the perspective of a reasonable investor, including your consideration of guidance in ASC 250, SAB 99, and management’s assessment of the design and effectiveness of ICFR.
Credit Suisse responded to the SEC on August 22, 2022 — citing a side conversation to ask for an extension to file its response between SEC Staff and Sebastian Sperber of Cleary Gottlieb Steen & Hamilton LLP, its counsel, on August 17, 2022 — and in its response appeals to its higher authority, auditor PwC:
The impacts of the three cash flow matters described above are unique to the cash flow statement and do not affect other statements or notes. The adjustments revise line items of comparative periods but do not change either the direction of the cash flows or their proportional relationship to each other (see Exhibit A). Consequently the impact to the Group and the 2021 Form 20-F as a whole is immaterial.
We considered the following qualitative factors in our evaluation of the misstatements...While the quantitative factors exceed 5% of the impacted line items, based on the qualitative factors, we do not consider the change to the comparative periods for this disclosure to be material to the users of the financial statements. This conclusion was discussed with our external auditors, PwC.
But the SEC was not satisfied with that answer, PwC or no PwC. The SEC wrote back to Credit Suisse on October 20, 2022:
We note your SAB 99 materiality analysis and the quantitative data provided in Exhibit A as part of your response to comment 3. We also note that you acknowledge in your response that the statement of cash flows errors exceed 5% of the impacted line items, but based on qualitative factors, you do not consider the changes to the comparative periods to be material to users of the financial statements.
Please address the items below.
•Your materiality analysis briefly addresses the qualitative factors enumerated in SAB 99, but SAB 99 also states “this is not an exhaustive list of the circumstances that may affect the materiality of a quantitatively small misstatement.” Tell us whether you considered other qualitative factors in concluding that the errors were not material, including any quantitative or qualitative metrics or disclosures related to liquidity and cash flows.
•Your materiality analysis quantifies the impact of the statement of cash flow errors on the years ended December 31, 2020 and 2019. Please tell us how far you believe the errors go back and whether you quantified the impact on periods prior to December 31, 2019.
Additionally, please clarify whether you evaluated the impact of the errors on your quarterly consolidated statements of cash flows filed on Forms 6-K, and, if so, provide the results of that analysis.
•Your response addresses the quantitative impact of the errors on an aggregate basis but does not address the quantitative impact on an individual basis. Provide us with an analysis that quantifies the individual impact for all of the cash flow error adjustments described in your response for all applicable periods.
Credit Suisse continued to debate the SEC, posting a response on November 18, 2022. The SEC says not quite and, as a result of Credit Suisse's intransigence, now gets to the meat of its concerns: Why didn't management and PwC cite any internal control deficiencies, material weaknesses in ICFR, back in the 2021 20-F as a result of these issues?
We note your response to prior comment 2 discusses how you evaluated the severity of each of the identified control deficiencies. It appears your analysis primarily focused on the actual size of the errors identified rather than the potential magnitude. For each control deficiency identified, please respond to the following:
•Describe the factors that affected the magnitude of the misstatement that might result from the deficiency, including (i) the total monetary amount of transactions exposed to the deficiency and (ii) the volume of activity in the account balance or class of transactions exposed to the deficiency in the current period or that is expected in a future period.
•Quantify the magnitude of the potential misstatement for each of the identified control deficiencies.
•Explain whether the qualitative factors also included considerations of other impacts, such as regulatory requirements and other ratios.
4. We note your response to prior comment 2, which states that, as it related to the mapping deficiency, the likelihood of the potential misstatement was remote and the magnitude of the potential misstatement was not material. In addition, the response states that, for the nonfunctional currency gains and loss deficiency, the likelihood of potential misstatement was reasonably possible, but the magnitude of the potential misstatement was not material. Please explain in more detail how you performed the severity analysis for each of the control deficiencies related to the errors. As part of your response, please address the following:
•Explain in more detail how you supported the conclusions outlined above related to the likelihood of potential misstatements and the potential magnitude for each deficiency.
•Since the control deficiencies remained un-remediated for multiple years, tell us how this was considered in the evaluation of the severity of the control deficiencies.
•Given that a restatement of previously issued financial statements for a correction of an error is an indicator of a material weakness, explain how you considered the restatement of previously issued financial statements to reflect the correction of these errors, as described in Note 1 of your 2021 Form 20-F, in your evaluation of whether the control deficiencies represented a material weakness.
•Provide management’s aggregation analysis of all control deficiencies identified for the period.
Let's step back for a minute to appreciate how long this conversation went on before the SEC was forced to make a midnight phone call to Credit Suisse to stop the presses and force a delay in the 2022 20-F filing.
On Feb 13, Credit Suisse is still sending letters disagreeing with the SEC and citing COSO. Again, there was a side conversation between SEC Staff and Credit Suisse counsel to ask for an extension to respond.
On March 10, the SEC says we are still not there yet, even after three days of discussion — on March 8, 9, and 10 — with Credit Suisse. The SEC is now saying that a material weakness may still exist as of the end of 2021 and 2022!
We have reviewed the response you provided on February 13, 2023 in response to our comment letter dated January 17, 2023. We also have considered the discussions on March 8-10, 2023 with the Company and would like to better understand how you concluded that a broader monitoring entity-level control material weakness did not exist as of December 31, 2022 and 2021. For the un-remediated control deficiencies, the following items remain unclear as to how you arrived at the conclusions in your analysis...
Which brings us back to the WSJ story published on March 9, referencing a "late night request" from the SEC that delayed the 20-F filing. The comment letter on March 10, is clear that the situation was still not resolved.
Credit Suisse, and PwC, finally capitulated and the 20-F was filed on March 14 with the material weakness in internal control over financial reporting related to the prior restatements. PwC was then forced to provide an adverse opinion on the bank's ICFR.
The SEC filed a short closing letter to its correspondence on the same day.
Four days later Credit Suisse was forcibly acquired by UBS.
Given the involvement of not one but two auditors in this fiasco, you might ask what the PCAOB was doing all this time. To go down this path we have to make the assumption that PCAOB inspections measure and promote audit quality.
What does research say, in particular about foreign filers? Let's look at Lamoreaux (2016):
Does PCAOB inspection access improve audit quality? An examination of foreign firms listed in the United States
I find that auditors subject to PCAOB inspection access provide higher quality audits as measured by more going concern opinions, more reported material weaknesses, and less earnings management, relative to auditors not subject to PCAOB inspection access. There is no observable difference between the two sets of auditors prior to the PCAOB inspection regime. The positive effect of PCAOB inspection access on audit quality is observed in jurisdictions with, and without, a local audit regulator. Overall, the results are consistent with PCAOB inspection access being positively associated with audit quality.
As discussed earlier, by 2014 and 2015 the PCAOB was pushing KPMG very hard to improve its bank audits. In 2010, PCAOB had conducted an inspection of KPMG U.S. for its 2009 fiscal year audits, audits conducted in the midst of the financial crisis. Of course there were a lot of auditing deficiencies cited related to the biggest issues in banks and financial services firms — of which KPMG audited many.
In seven audits, due to deficiencies in testing the fair value measurements of, and the disclosures related to, financial instruments without readily determinable fair values ("hard-to-value financial instruments"), including private debt securities, collateralized mortgage obligations, and other mortgage-backed securities, the Firm failed to obtain sufficient appropriate audit evidence to support its audit opinions.
In 2011, the PCAOB conducted an inspection of KPMG U.S. for audits it performed in 2010. KPMG continued to receive deficiencies from the PCAOB for bank and financial services related issues regarding available for sale securities, auditing fair value measurements and disclosures, loans receivable and allowance for loan losses or ALL.
The PCAOB then published Part 2, overall firm quality control comments, for the 2010 and 2011 inspection years because KPMG had failed to address them within the time limit for keeping them secret. The PCAOB made this foundational issue from both reports public in October 2014:
Failure to Evaluate Contrary Evidence
In prior inspection reports, the Board expressed concerns regarding the application of various aspects of professional skepticism by the Firm's personnel. The nature of the deficiencies in a broad range of audit areas led the Board to believe that the Firm's personnel did not consistently exercise appropriate professional skepticism. In response to discussions between Division of Registration and Inspections leadership and Firm leaders in 2008, the Firm committed to make significant improvements in its system of quality control.
In 2010, [in certain audits with identified deficiencies, the inspection team identified instances], one of which is included in Part I.A, where the Firm appears to have overemphasized evidence that supported the issuer's conclusion, without evaluating contrary evidence that seemed to be readily available to engagement team personnel at the time of the audit.
KPMG's letter responses to the PCAOB were polite, but behind the scenes its top audit and National Office leaders responded to the PCAOB's criticisms, first, by appealing to the SEC.
In 2015 and 2016, as KPMG managed its growing disputes with the PCAOB regarding its audit quality issues, the SEC willingly met with KPMG leadership separately, without PCAOB officials present (U.S. v. Middendorf and Wada, 2019). SEC Deputy Chief Accountant at the time Wes Bricker — now audit top dog in the U.S. for PwC — testified at the Middendorf/Wada trial in 2019 that the goal of the meetings was “to better understand whether there was a problem with SEC rules as a possible explanation, whether there was a problem with the KPMG audit methodology as a second type of explanation, or whether there was some problem with the [PCAOB] inspection process as a possible third explanation” (U.S. v. Middendorf and Wada, 2019, p. 177, emphasis added).
Th conclusion of the meetings, according to Middendorf's testimony, was that there was no problem with SEC rules or the KPMG audit methodology and that the SEC supported KPMG's resistance to the PCAOB. So, KPMG did not prioritize improving its audit methodology and training, or tightening the discipline for partners who fell short. In fact, KPMG replaced its incentive program that punished audit partners for poor PCAOB inspections with one that rewarded them for clean inspections.
In 2015 KPMG hired Brian Sweet and others from the PCAOB's inspection staff. Sweet proceeded to illegally obtain the list of audits that were on the PCAOB's lists to be inspected in advance of official notification to the firm for each of the following three years: 2015 for 2014 audits, 2016 for 2015 audits and 2017 for 2016 audits.
Guess which banks were on those lists? I wrote about them for MarketWatch in June 2018:
Court filings made June 8 by lawyers for two of the KPMG partner defendants spells out the audit clients caught up in the scandal. They’re mostly financial companies: Citigroup , Credit Suisse , Deutsche Bank , Banc of California, BBVA, Chemical Financial Corp. , Ambac , Phoenix Life, and NewStar Financial as well as C&J Energy Services.
So, we know Credit Suisse was originally on the list of banks to be inspected by the PCAOB in 2016. But was it inspected?
The answer is available to anyone who undertakes a detailed analysis of the Middendorf/Wada trial docket and transcripts. There are several places where it is discussed. The Credit Suisse audit is led and signed by the Swiss firm with additional participation of member firms in Singapore and the U.K. as well as Sao Paulo, Brazil in 2017 and prior, according to the PCAOB's Form AP records.
Here's one of the prosecutors asking Brian Sweet to explain why the U.S. was worried about a Swiss firm audit.
Prosecutor Kramer: What is a component audit in the U.S.? What does that mean?
Sweet: It really just means a subsidiary audit. So, for like Credit Suisse, which is a big bank headquartered in Switzerland, KPMG Switzerland issues the audit opinion for the financial statements for Credit Suisse as a whole in Switzerland. But, as part of that, because Credit Suisse is such a big international bank, audit teams around the world including the United States -- KPMG U.S. -- have to do work for the component or the subsidiary portion of Credit Suisse that exists in the U.S.
And here's Ms. Kramer asking Brian Sweet about how KPMG planned to address the possibility Credit Suisse would be inspected in 2016:
Prosecutor Kramer: What did John Amraen e-mail you on March 9, 2016?
Sweet: He emailed me kind of a summary of the selections that Palantir, this third-party data analytics firm had made, compared to the predictions that I had made.
Prosecutor Kramer: And let's look at your response. What did you say to John Amraen in your response in the first two sentences, or three sentences?
Sweet: I wrote: John, this is excellent. Thank you. One final edit, if possible. Would you consider adding Wells Fargo and the Credit Suisse U.S. and Deutsche Bank U.S. and components? I communicated those to Dave/Tom separately as I expected them to also get picked, and so they were also added to the monitoring program as a result.
Prosecutor Kramer: What led you to have the understanding that Credit Suisse U.S. and Deutsche Bank U.S. would be selected for inspection?
Sweet: Cindy Holder had found out from Jeff Wada at the end of 2015 that the PCAOB was planning to do big banking inspections in both Switzerland and Germany in 2016.
At the last minute, Credit Suisse was dropped from the inspection roster for Deutsche Bank instead, accordng to trial testimony.
While KPMG leadership still believed Credit Suisse would be inspected in 2016 based on the intel Brian Sweet was getting from PCAOB professionals still at the regulator, there was significant discussion about the need to review earlier PCAOB criticisms of its audit of Credit Suisse. (There are a total of 31 mentions of Credit Suisse in the complete transcripts.)
Prosecutor Kramer: Who is John Klinge or what role did he have at the time?
Sweet: John Klinge was a very senior banking partner.
Prosecutor Kramer: And what role did Robert Finn have at the time?
Sweet: Rob Finn was also a very senior banking partner that was
working in the national office.
Prosecutor Kramer: What is the subject line of this calendar invitation?
Sweet: Discuss Credit Suisse PCAOB comments 12/31/12 audit year.
Prosecutor Kramer: What did you understand the PCAOB comments -- withdrawn. Where did you understand the PCAOB comments from the 12/31/12 audit year to have come from?
Sweet: These were the comments that KPMG had received from the PCAOB back in its prior inspection back in 2013.
Prosecutor Kramer: When was this meeting scheduled to take place?
Sweet: January 13, 2016.
Prosecutor Kramer: Did you have an understanding of what was to be discussed at the meeting?
Sweet: Yes.
Prosecutor Kramer: What was that understanding?
Sweet: That the purpose of the meeting was to work through the past comments that the audit engagement team had KPMG had received from the PCAOB back in the last inspection, back in 2013, and that the purpose was to discuss those issues to make sure that the national office was ensuring that that engagement team was not making the same mistakes in 2016. So, that it was going to do, that it was going to have done enough audit work team was not making the same mistakes in 2016. So, that it was going to do, that it was going to have done enough audit work to address these issues so that when the PCAOB came back or if they came back, they wouldn't get repeat comment forms again.
Prosecutor Kramer: What was your understanding about whether the Credit Suisse U.S. audit was complete as of January 2016 for 2015?
Sweet: I knew that it was not a complete audit yet so the audit was still live.
Prosecutor Kramer: And with a live audit, can an engagement team perform new procedures without any special documentation or did they have to document new procedures?
Sweet: New work can be done without any sort of special documentation.
Prosecutor Kramer: As of January 2016, had the PCAOB notified KPMG that it planned to inspect Credit Suisse?
Sweet: No.
I would suspect that the U.S. firm work on the Credit Suisse engagement had not been inspected by the PCAOB since the 2012 audit and that it was not inspected for the 2015 audit year in 2016, either. However, KPMG put a lot of time into performing "stealth reviews" of Credit Suisse and the banks to make sure that if they came up, they would be clean.
So, let's circle back now to the issues that Credit Suisse, and PwC, had to finally acknowledge as material weaknesses related to the 2020 and 2019 audit years. Did the PCAOB identify any deficiencies in inspections of 2008-2020 audit years that would have pointed to why KPMG missed these issues?
In the inspection report that was issued in 2016 for the 2014 audit year, the PCAOB identified three cash flow related deficiencies. One was related to an issue with auditing the Statement of Cash Flows, just like Credit Suisse, but the issuer is not identified as a financial services industry firm. Another combines available-for-sale securities issues and cash flow issues and is identified as a financial services industry client.
Did KPMG perform deficient audits of Credit Suisse's Statement of Cash Flows in 2019 and perhaps prior years, too? KPMG clearly missed holes in Credit Suisse controls, and then PwC allowed them to continue, through 2020 and, if the SEC is correct, through 2021 and 2022, leading to restatements. Those restatements should have been characterized as material and led to a material weakness in internal controls over financial reporting at the time, according to the SEC.
Sadly, the situation was not acknowledged by anyone soon enough to prevent a filing delay at the critical period when a bunch of banks were failing in the U.S. and, then, four days before Credit Suisse collapsed, too. Who is at fault for Credit Suisse's failure?
There's plenty of blame to go around. But, you must admit, KPMG has been doing deficient bank and financial services audits all over the world for a long time. More than one "watchdog" has not been barking.
© Francine McKenna, The Digging Company LLC, 2023