Should companies use Big 4 audit firms to implement enterprise financial software?

Regulatory action is the least of the huge risks companies take when using the Big 4 to implement financial software

My old friend Vinnie Mirchandani published a two-part interview with me over at his blog, Deal Architect.  I’ve known Vinnie for many, many years, as a result of my former life as a Managing Director for KPMG Consulting and Bearing Point, leading the Industrial, Automotive and Transportation consulting practice in Latin America for the firms from 1999 to 2001. My responsibility included leading business development and project teams that implemented SAP, Oracle and related software like Ariba at some of the largest multinationals headquartered and operating in the region.

Vinnie, founder of his firm also called Deal Architect, is a former technology industry analyst (with Gartner), outsourcing executive (with PwC, now part of IBM) and entrepreneur (founder of sourcing advisory firm, Jetstream Group). He is a thought leader on trends in software, outsourcing and offshoring.

Vinnie asked me to talk about the auditor independence series I published here at The Dig, in particular what issues are raised by the SEC’s recent enforcement action against PwC for companies who might consider or are using global public accounting firms, the Big 4, as systems integrators.

We also talked about the impact of ongoing automation trends on the consulting sides of the Big 4 — Deloitte, Ernst & Young, KPMG, and PwC— compared to their efforts to further automate the delivery of audit services.

Share The Dig

Part 1 - Auditor Independence and ERP/CRM projects - a conversation with Francine McKenna

Francine, I read your story about the SEC’s recent auditor independence enforcement against PwC and thought, "What are some of the risks that companies that use accounting firms may be exposing themselves to on their consulting projects?" 

Part 2 - Accounting firms and automation of ERP practices - a conversation with Francine McKenna

The world has done over a million ERP, CRM, other enterprise software projects. With cloud implementations, it's like a second wave of projects. It still seems like there's very little automation of projects. You have many consultants who come on site, who fly a lot. It's not just the labor intensiveness, the travel expenses, the staff turnover when you have so many people, and the related quality issues haven't gone away. You'd think, as an industry, we'd be much smarter because we had such major overruns and failures around the '90s and early 2000s with ERP projects.

How automated is the audit side of the profession? Can the consulting side learn from it?

As I discussed in the interview with Vinnie and in this newsletter, the SEC’s enforcement action against PwC for violating auditor independence 19 times at 15 different client engagements tells us clearly that audit firms are still performing prohibited systems design, development and implementation services for audit clients, despite a prohibition against providing these non-audit services for auditor in the U.S. established in 2002 with the passage of the Sarbanes-Oxley law.

Several other recent cases show that the Big 4 play so many roles, even SEC lawyers can’t figure out whether what they’re doing lately violates rules enacted in 2002 that didn’t contemplate sophisticated tax avoidance consulting like PwC’s activities in LuxLeaks, strategy consulting, or governance risk and compliance services that have proliferated post-crisis.

Navistar is in the news again for alleged accounting fraud.

A whistleblower lawsuit alleges that Navistar International Corp. bilked the government out of nearly $1.3 billion by "wildly" inflating prices for military vehicles used in Afghanistan and Iraq.

The suit alleges that executives at the Lisle, Illinois-based company (NYSE: NAV), including the president and vice president, knew about the scheme, which allegedly used forged invoices, fabricated catalog prices, and other fraudulent and misleading documents to perpetuate a fraud that cost the government $1.28 billion.

The inflated costs were added to the company's production of Mine-Resistant, Ambush-Protected (“MRAP”) vehicles, which were used by the U.S. military.

The whistleblower in the suit is Duquoin Burgessis, who worked for the contract management department for Navistar Defense in Warrenville, Illinois and then in Lisle, and who filed the suit in 2013. The U.S. government intervened in the case this year.

The new stories reminded me that Navistar was paying Deloitte to be its auditor when it ran into big accounting fraud trouble back in 2005, and eventually had all four of the largest global audit firms, and some Arthur Andersen alumni, on its vendor list. 

Navistar did fire Deloitte in April 2006 and then hired KPMG as its new auditor. The company then sued Deloitte for letting it make the errors and commit the fraud it was accused of, in some instances because Deloitte helped Navistar hire many of its accounting and finance executives.

That’s a well-trod path for the Big 4, as we saw in the Mattel disclosures about its lead engagement partner Joshua Abrahams that I wrote about here at The Dig.

Navistar also hired a slew of consultants and other experts including former Arthur Andersen professionals at Huron Consulting, Callaway Partners (now owned by Huron), PricewaterhouseCoopers to provide accounting standards technical expertise, and Ernst & Young as Navistar’s internal audit co-source partner.

Coincidentally, or maybe not, Dave Marino is Navistar’s lead engagement partner out of KPMG’s Chicago office.  Marino is also the partner that KPMG whistleblower Diana Kunz consulted with when she found out about KPMG partners getting confidential information about PCAOB inspections in advance.

It was Dave Marino who threatened to report the issue to the KPMG Vice Chair of Legal and Compliance at KPMG, Sven Holmes, according to the Department of Justice sentencing memo for David Middendorf.

When all four of the Big 4 global audit firms are feeding at a company’s trough, who can shareholders trust to give them independent, objective answers?

The HP – Autonomy fraud mess is a similar example of every Big 4 firm’s hand out. I wrote in December 2012:

When HP announced its intention to acquire Autonomy, the British data analysis firm now mired in accusations of serious fraud, Deloitte probably shed some enormous tears of joy. Deloitte was more than happy, I’m sure, to rid itself of the Autonomy audit albatross. That may surprise some of you, since Deloitte UK was the long time auditor of Autonomy, and would lose that job and its nice fees, to HP’s auditor Ernst & Young.

To the victor’s auditor go the audit spoils.

I reported at Forbes that KPMG performed the due diligence for the deal on behalf of HP and PwC was hired by HP later to investigate the fraud and required goodwill write down.

It may be difficult for PwC to find fault with Deloitte's work, though. In addition to potentially sharing in any reputational risk to the industry if professional malpractice is alleged and indirectly feeling the impact of any eventual Deloitte financial settlement  - the Big Four are jointly self-insured via an offshore captive insurance structure - PwC Global Chairman Nally does not believe it is the auditors' job to find fraud.

Just this past October, the Financial Times reported that U.K. regulators found that Deloitte partners, as Autonomy’s auditors, had been way too cozy with the company:

The Financial Reporting Council said Richard Knights, the former Deloitte partner in charge of auditing Autonomy, “consciously lost his objectivity” during a five-year relationship with the FTSE 100 company, and was “reckless” and “seriously misleading” in reports to regulators. The FRC’s comments came on the first day of an eight-week tribunal on Thursday in which it is bringing disciplinary proceedings against Deloitte, Mr Knights and ex-partner Nigel Mercer over alleged misconduct in their audits of Autonomy between 2009 and 2011.

Mr Knights retired from Deloitte last year, while Mr Mercer left the firm in 2016.

Also in the U.K. there’s another great example of the Big 4 global auditor firms being everywhere in the Carillion case:

The parliamentary inquiry into Carillion’s demise said KPMG was “complicit” in the outsourcer’s aggressive accounting policies as it failed to challenge the company’s management and missed warning signs in its financial statements in relation to contract revenue and goodwill.  The MPs’ inquiry also ordered rival Big Four firms EY, PwC and Deloitte to provide details on services provided to the Carillion over the past decade.

In particular, some question conflicts for PwC, which will act as the insolvency manager.

PwC is the “special manager” appointed to the windup process by the Insolvency Service, causing anger among politicians, given its former role also as an adviser to Carillion. Schools, hospitals, local authorities and special purpose vehicles delivering private finance initiative contracts are now locked in a dispute over a 20 per cent premium they are being charged by the Insolvency Service to handle the cost of the liquidation, according to a National Audit Office report released today. They are also disputing outstanding invoices from Carillion.

Frank Field, chair of the work and pensions committee, said: “As special managers, with a contract to print money awarded without any competition, PwC will draw £50m for six months’ work.” Mr Field said he had written to PwC requesting further information over how “PwC’s conflicts of interest arising from their long history of work on Carillion are being managed”.

It gets worse.  The Big 4 in the U.K. are accused of colluding to avoid having to appear before Parliament on the anniversary of the Carillion’s failure that occurred January 15 of 2018.

News of another alleged accounting scandal reaches City Insider. It’s not connected to a botched audit, or an incident of sexual harassment. This time the Big Four stand accused of heinous collusion. When Rachel Reeves, who chairs the Business, Energy and Industrial Strategy select committee, summoned the heads of the firms before MPs, the preferred date for the hearing was January 15.

The accountants are canny folk, though, and rumbled the idea: that day is the first anniversary of the collapse of outsourcing group Carillion, a low point for the lambasted auditor KPMG, and would have given parliamentarians a great opportunity to maximise the media impact of the inquisition. Among themselves, one senior accountant told City Insider, several Big Four executives resolved to be “busy” on that date, plumping instead for January 30 for the expected “drive-by shooting.”

And then, again, there’s PwC and its design, development and implementation of Disney’s SAP financial reporting system while also acting as Disney’s auditor.

I reported in August 2019 at MarketWatch.com:

Sandra Kuba, formerly a senior financial analyst in Disney’s revenue-operations department who worked for the company for 18 years, alleges that employees working in the parks-and-resorts business segment systematically overstated revenue by billions of dollars by exploiting weaknesses in the company’s accounting software.

What started as an accumulation of errors and unintentional misstatements became intentional inflation of revenue in Disney’s Parks and Resorts business segment, according to Kuba, as she told me while I was reporting the August 2019 story for MarketWatch.com. Kuba has alleged in two whistleblower complaints filed with the U.S. Securities and Exchange Commission that Disney personnel began exploiting weaknesses in a new accounting system beginning in 2003.

My sources say the SEC and others are actively investigating Kuba’s tips and additional information they have received.

I see over and over that the Big 4 global accounting firms apparently continue to violate auditor independence rules, including designing, developing and implementing software that impacts financial reporting and affects the auditor’s ability to independently and objectively come back and audit the company’s financial information produced by those systems.

Violations of auditor independence rules by the Big 4 are ongoing and the regulators do little to enforce existing laws, many of which go back to before Sarbanes-Oxley.

As Barbara Roper said in Part 4 of my auditor independence series:

Enforcement of all auditor independence rules, including SOx rules, has been inconsistent and weak since 2002. Why? Regulators say they can’t run the risk of putting another big firm like Arthur Andersen out of business.  But by being unwilling to hold the firms fully accountable for repeatedly defying the law and compromising the integrity of audits, regulators like Jay Clayton, send the message the Big 4 firms can operate with impunity. They are truly too few to call to account.

(Disclosure:  I worked as a consultant to Navistar’s Internal Audit Department in 2007 and early 2008 supporting their Sarbanes-Oxley effort.  My former client sued the company in a Sarbanes-Oxley whistleblower suit.)

Please sign up for stories available only to paid subscribers. Tomorrow I’ll write more on how PwC professionals designed, developed and implemented Disney’s SAP financial reporting software while acting as the company’s auditor and, later, after PwC’s consultancy was sold to IBM.