“This industry is a joke”: The Senate Perm Subcomm on Investigations Minority Staff Report on KPMG and three failed banks
Silicon Valley Bank, Signature Bank, and First Republic Bank had more in common than their dramatic failures. They all had the same auditor: KPMG.
This week I am in Cambridge UK, co-teaching the Audit module with Professor Mike Willis for the Cambridge Judge Business School Executive Master of Accounting Programme.
In all I do, whether teaching, guest lecturing, or speaking to groups, I promise to follow a "ripped from the headlines" approach. I apply concepts and principles, and my opinions, to what's happening today to the companies and professional services firms I cover.
So, it was truly exciting to hear last week from the staff of Senator Richard Blumenthal (D-Conn.) about the Senate's Permanent Subcommittee on Investigations Minority Staff Report on KPMG's role and responsibility regarding its three audit client banks that failed in spring of 2023. I received an embargoed version of the report to review in detail. I am now providing you a final version this morning, with my comments on its findings and recommendations.
This was just in time to add it to my curriculum here in Cambridge and to give the students a little exclusive preview.
[Report cover] “This Industry Is a Joke”: How KPMG’s Unqualified Audits of Silicon Valley Bank, Signature Bank, and First Republic Bank Allowed Troubled Banks to Hide Their Failures in Plain Sight. Permanent Subcommittee on Investigations, Senator Richard Blumenthal, Minority Staff Report.
I first spoke to Sen. Blumenthal's Senior Counsel in July 2023 about KPMG and my writing on the subject of all the bank failures.
On May 4 Bloomberg reported that Senators are now asking KPMG questions.
Sens. Richard Blumenthal (D-Conn.) and Ron Johnson (R-Wis.) sent a letter to KPMG CEO Paul Knopp Wednesday asking for “all communications,” records “referring or relating to” the firm’s audits and advisory work, and a “complete list of all advisory work” between KPMG and Silicon Valley Bank, Signature Bank, and First Republic Bank.
I am not optimistic about any meaningful response.
At that time Sen. Blumenthal was still Chairman of the Permanent Subcommittee on Investigations in the Senate. The November 2024 election changed everything and now he is in the minority. And, yet, that did not stop him from taking on what has been a 28-month inquiry, based on over 400,000 pages of documents and nearly 100 hours of briefings and interviews with KPMG partners and officials, regulators and other subject matter experts.
They got workpapers! They got emails! They even got instant messages!
It reminds me of a time long ago — September 2014 — when Sen. Carl Levin called global audit firms PricewaterhouseCoopers LLP and Ernst & Young LLP in to testify about their roles in supporting tax avoidance and alleged tax evasion by multinationals like HP, Microsoft, Google, Apple, Caterpillar, and Starbucks.
Both EY and PwC embarrassed themselves with disingenuous responses to Senator Levin’s questions. There are obvious auditor independence conflicts for both firms who continue to serve dual roles as HP’s and Caterpillar’s “independent” audit firms as well as tax avoidance strategy advisors. An auditor is supposed to be independent and objective, but advisory services, and especially lobbying, compromise that independence. This is not new since Enron and the Sarbanes-Oxley law. SEC v. Arthur Young, a decision in 1984, states, “[i]f investors were to view the auditor as an advocate for the corporate client, the value of the audit function itself might well be lost.” The SEC recently sanctioned EY for being a paid lobbyist for two audit clients.
If anyone tells you that a Senator or Representative is helpless, unable to do anything, without the clout of being the majority party, they are wrong. And if anyone tells you the Big 4 global public accounting firms are untouchable, they are also very wrong. From the Report:
Sen. Blumenthal proved me wrong and, although Sen. Blumenthal's ability to hold hearings is limited, the report itself is monumental. As it plainly states, it's much more than any regulator has done on the subject of KPMG and the banks.
“KPMG ignored the warning signs that Silicon Valley Bank, Signature Bank, and First Republic Bank were unstable—justifying their patterns of risky and questionable decisions to issue clean audits in the days leading up to their failures. Our PSI report exposes KPMG’s willful blindness and stresses that significant reforms to the auditing industry are needed to promote transparency and better protect consumers.” Sen. Richard Blumenthal
I doubt Sen. Blumenthal, a Yale Law School graduate who was Editor of its Law Review, uses the term "willful blindness" simply for dramatic effect. Section 10(b) civil case law, especially post-PSLRA, finds courts defining recklessness, the kind that can translate into intent/scienter, in a continuum of risk-awareness, referring to it in various cases as inadvertence, willful blindness, conscious recklessness, deliberate recklessness, and extreme recklessness. The report is a lot of spadework that may lend support to litigation against KPMG.
No Audit At All: Deloitte and Bear Stearns
By Francine McKenna, Jan 25, 2011, 03:33pm EST
In Ernst & Ernst v. Hochfelder, the Supreme Court held that actions under Section 10(b) of the Exchange Act and Rule 10b-5 require an allegation of "'scienter'—intent to deceive, manipulate, or defraud." The “scienter” requirement, necessary to sustain allegations against the auditors in a securities claim under Section 10(b), is notoriously difficult to meet.
If there's anything of substance in a claim against auditors the case usually settles before the facts are made public. New Century Trustee v. KPMG is an early crisis mortgage originator case, cited several times in this decision. However, those facts will never be heard in open court. In spite of - or perhaps because of - very particular examples of reckless behavior by the auditor documented by the bankruptcy examiner, the case was settled.
The Ernst & Ernst v. Hochfelder decision left open the question of "whether, in some circumstances, reckless behavior is sufficient for civil liability under § 10(b) and Rule 10b-5." However, since Ernst, most courts have concluded that recklessness can satisfy the requirement of “scienter” in a securities fraud action against an accountant.
"Recklessness" in a securities fraud action against an accountant is defined as, “highly unreasonable [conduct], involving not merely simple, or even inexcusable negligence, but an extreme departure from the standards of ordinary care, and which presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it.”
That standard requires more than a misapplication of accounting principles. Plaintiffs must prove that the accounting practices were so deficient that the audit amounted to no audit at all, or "an egregious refusal to see the obvious, or to investigate the doubtful," or that the accounting judgments which were made were such that no reasonable accountant would have made the same decisions if confronted with the same facts.
In case you have forgotten, here is a quick summary of what happened in March and April of 2023 when three banks failed in a matter of weeks:
On March 8, 2023, Silicon Valley Bank shocked the financial world with its efforts to raise emergency capital, sparking imminent concerns about its stability.1 Within forty-eight hours, panicked depositors tried to withdraw over $140 billion and the bank collapsed.2 Fear rippled across the banking industry as depositors and investors searched for signs of contagion spreading to other banks, creating a chain reaction that would lead to the failures of Signature Bank and First Republic Bank, create volatility in Treasury markets, and threaten the stability of the American economy.3 Ultimately, the federal government extended over $300 billion in loans to other banks impacted by deposit flight and spent approximately $40 billion insuring depositors at failed banks in order to restabilize the financial system.4
Collectively, the three banks that failed in early 2023 held more assets than the 25 banks that collapsed in 2008 during the mortgage crisis.5 Beyond the risk to customer deposits, the bank collapses in early 2023 wiped out $54 billion in stocks and bonds as the banks declined in value until they became worthless, with one pension fund losing nearly $700 million after First Republic Bank collapsed.6 Within days of the collapse of Silicon Valley Bank, $108 billion of deposits flowed out of smaller banks as 16 percent of Americans moved their money in anticipation of further failures.7
Silicon Valley Bank, Signature Bank, and First Republic Bank had more in common than their failures. They all had the same auditor: KPMG. By law, independent auditors have a “fundamental obligation” to protect investors by providing “informative, accurate, and independent” assessments of the information companies report to the public about their finances.8
KPMG issued an audit opinion for Silicon Valley Bank 14 days before it collapsed, Signature Bank 11 days before it collapsed, and First Republic Bank 61 days before it collapsed, representing KPMG’s assessment that the banks’ respective financial statements were fairly and accurately presented.9 Indeed, in each instance, KPMG publicly certified that the bank’s financial statements “present fairly, in all material respects, the financial position of the [bank]” and that each bank “maintained, in all material respects, effective internal control over financial reporting.”10 These audit opinions, signed by KPMG, left many depositors and investors with the impression that each bank was financially sound.11
The report is 291 pages and covers the timeline of all three banks' failures as well as background on two more related bank failures that occurred right before and right after: Silvergate Bank, which was not audited by KPMG, and Credit Suisse, which had been a KPMG audit client until just a few years prior.
The report provides an excellent primer on what auditors are supposed to do, what the Securities and Exchange Commission and the PCAOB are supposed to do to make sure auditors are doing their job, and how auditors, the SEC, and the PCAOB interact with banking regulators when the audited entity is a financial institution.
The Senate Permanent Subcommittee on Investigations Minority Staff Report identified the following key takeaways:
1. KPMG had years-long awareness of the problems at the banks that precipitated each bank’s eventual failure, but either ignored or justified these concerns, leaving the depositors and investors unaware of the banks’ deficient recordkeeping, troubled risk management, and other concerning practices. Such omissions included:
• KPMG did not acknowledge at least six factors known to the firm that could threaten Silicon Valley Bank’s survival as it finalized its audit 14 days before the collapse.
• KPMG ignored a credible whistleblower’s allegations of widespread fraud at Signature Bank before it collapsed and justified deficiencies in the bank’s recordkeeping.
• KPMG did not alert First Republic Bank’s board of directors to concerns the auditor had about the bank’s ability to survive, even as the bank published its quarterly earnings release seven days before it collapsed.
Another key takeaway is that the auditing industry is "significantly underregulated and in need of reform." In addition, rather than blaming the PCAOB for not yet acting to discipline or sanction KPMG for these failures, the report authors believe the auditing industry regulator "has been undermined by the deeply entrenched auditing industry from its creation. In practice, auditors create their own standards and follow their own rules."
This conclusion is closely aligned with our working paper, "Deconstructing the PCAOB: Using Organizational Economics to Assess the State of a Regulator":
Using the principles of organizational economics, we assess the quality of the organizational architecture of the Public Companies Accounting Oversight Board (PCAOB). We use the Four Pillar Framework developed in Brickley, Smith, and Zimmerman (2000) to understand why—according to the SEC’s Chairman Gensler and other stakeholders—the PCAOB may not have entirely realized its mission of investor protection. Our analysis is enabled by the transcripts of the 2019 criminal trial U.S. v. Middendorf and Wada (i.e., PCAOB-KPMG “steal the inspection data” scandal), which for the first time exposed the inner workings of the PCAOB.
Our analysis of the transcripts is augmented by other publicly available documents. Our primary conclusion is that the functioning of the PCAOB has been significantly hampered by misalignment of its tasks (in particular in relation to the SEC), sub-optimally designed performance measurement and employee compensation, and weaknesses in the PCAOB’s organizational culture. These misalignments created an environment susceptible to PCAOB employees’ criminal misconduct which enabled the PCAOB-KPMG “steal the inspection data” scandal and other Board governance and leadership challenges.
In the conclusion to the report's Executive Summary, the Minority Staff Report authors make the first of two mentions of my writing on this subject:
KPMG billed over 40,000 hours and charged Silicon Valley Bank $10.9 million for the work of more than 250 KPMG employees as part of the bank’s 2022 audit, a 10 percent increase over 2021.454 At its conclusion, KPMG’s 2022 audit of Silicon Valley Bank resulted in an unqualified audit opinion.455 From the initial scoping of the audit to its issuance, KPMG’s audit of Silicon Valley Bank determined that “foundational weaknesses” in the bank’s risk management were inconsequential to the bank’s financial statement.456
456 Federal Reserve Bank of San Francisco, Meeting Summary, Quarterly RCM Meeting with KPMG (Apr. 19, 2022), FRB_SVB_PSI_000012 at 14; see Francine McKenna, Part 1: Where was KPMG while Silicon Valley Bank, and the rest, were teetering? THE DIG (May 13, 2023). https://thedig.substack.com/p/where-waskpmg-while-silicon-valley.
So many issues, so little interest from KPMG
The Minority Staff Report on KPMG and the banks details the key issues for each bank, many of which were reported on by others after the collapses. They include the lack of going concern warnings, downplaying significant deficiencies and material weaknesses in internal controls, and the lack of critical audit matters.
See my first report that focused on Silicon Valley Bank's failure for my views on the going concern and critical audit matters issues.
There are also allegations of KPMG neglecting to conduct an independent investigation of whistleblower allegations as they pertain to financial statement risk and reports of being too cozy with management, in particular because all three banks employed a revolving door of former KPMG auditors.
KPMG was so cozy with Silicon Valley Bank executives that when word came round that the Board had raised the possibility of considering putting the audit out for tender, in part as a result of all the regulatory concerns, the response from KPMG was one for the record books:
On January 17, 2023, approximately one month before Silicon Valley Bank issued its financial statement with KPMG’s 2022 audit opinion, the bank’s board of directors met for a closed session to discuss KPMG’s performance.774 After asking KPMG to leave the virtual meeting, the board approved KPMG as the bank’s auditor for 2023 while raising the prospect of accepting bids for a new auditor for the first time since KPMG first started auditing the bank in 1994.775
The chair of the audit committee, Mary Miller, indicated she would inform the bank’s CFO, Daniel Beck, about their decision.776 Three days later, on January 20, 2023, Ms. Miller emailed Jack Pohlman, KPMG’s lead audit partner for Silicon Valley Bank with Mr. Beck copied, informing KPMG of the board’s decision to seek bids for the audit.777 Ms. Miller stated that she did not want KPMG to be “caught off guard,” but the board had grown concerned with “the very long tenure of KPMG – over two decades – without conducting competitive review.”778 Additionally, Ms. Miller mentioned the desire to ensure Silicon Valley Bank had audit resources appropriate to the increased level of scrutiny the Federal Reserve would be placing on the bank as it grew “into a larger and more complex bank.”779
Within an hour, Mr. Pohlman emailed KPMG’s Chief Operating Officer, Laura Newinski, saying he was “completely caught off guard.”780 Mr. Pohlman wrote to Ms. Newinski that he thought the board’s move was a response to regulatory criticism from the Federal Reserve and a desire “to demonstrate strong governance and oversight.”781 Ms. Newinski, who was on a flight back from the World Economic Forum in Davos, Switzerland, responded to say the decision was “so disappointing” and that Ms. Miller “has been a hard one to understand/manage.”782 Ms. Newinski stated that she was surprised that the other audit members would go along with the plan and suggested approaching them individually.783
On January 24, 2023, Mr. Pohlman emailed Silicon Valley Bank’s CEO, Greg Becker, for his perspective on the matter.784 Mr. Becker responded that he personally saw “no issues” with KPMG as an auditor, but that the board of directors “just feels for proper governance this is the right thing to do.”785 Mr. Becker followed up on the same email thread two hours later suggesting KPMG could sponsor a women’s cycling team he was associated with.786
Figure 20: January 25, 2023 Email from Silicon Valley Bank CEO to KPMG Silicon Valley Bank Lead Audit Partner Regarding Charity Associated with Silicon Valley Bank
Source: Email from Silicon Valley Bank CEO Greg Becker to KPMG Silicon Valley Bank Lead Audit Engagement Partner Jack Pohlman (Jan. 25, 2023), KPMG-SVB-PSI-0000028784 (on file with the Subcommittee).
According to the promotional materials Mr. Becker sent to KPMG, becoming a title sponsor would cost between $3 to $4 million for a two-year commitment.787 Later that afternoon, Ms. Newinski responded to say that KPMG “would very much like to open the door to a conversation between our two teams,” and copied a KPMG marketing representative.788 Mr. Pohlman told the Subcommittee that the bank collapsed before the conversation about sponsoring the cycling team reached a conclusion.789
The Subcommittee Report authors write that in many cases, when confronted with issues and concerns and asked about the judgments involved in their decisions, "they relied on a technical view of auditing standards that abdicated them of responsibility for considering the bank’s overall risk profile."464
From the Minority Staff Report:
KPMG’s lead audit partner for Silicon Valley Bank told the Subcommittee that assessing a client’s “risky or even reckless business strategy” was not KPMG’s responsibility, a sentiment with which each of the other lead audit partners told the Subcommittee they agreed.18 The Subcommittee’s review shows how that mindset persisted, even as KPMG encountered credible evidence of mounting risks in the final weeks before these banks collapsed.
Internal Audit: An Entity Level Control
I want to focus on one discussion that I am very glad appears in the report. It concerns the failure of KPMG to address an ineffective internal audit function at Silicon Valley Bank. The weak Silicon Valley Bank internal audit function was not covered by mainstream media — but was highlighted in my May 2023 reports here at The Dig.
What's special about auditing banks — where KPMG is the dominant firm in the US — and how would KPMG know about what the Fed and California regulators were concerned about, for example with regard to weaknesses in Silicon Valley Bank's internal audit function?
How would KPMG have known what the Fed and California DFPI were telling SVB about weaknesses in its risk management and internal audit functions, among many other operational and management weaknesses?
I explained that for Forbes on March 13, 2013, almost ten years to the day before this current crisis, after the JPM "Whale" trades debacle.
Between July and December 2012, the OCC issued six Supervisory Letters covering the problems detected as a result of the "Whale" trade losses. The Supervisory Letters include 20 Matters Requiring Attention (MRAs) which the bank must address with corrective action.
The Federal Deposit Insurance Act Section 36(h) requires each bank and savings institution to provide its independent auditor with copies of the institution's most recent call report and examination report. Banks “must also provide the auditors with any MOU or other written agreement between the institution and any federal (or state) banking agency, and any report of any action initiated or taken by any federal (or state) banking agency.”
PwC should have received all OCC reports on the bank and been fully aware of all of the OCC’s concerns about JPMorgan, not just related to the “Whale” trades, and especially during 2012.
We'll talk more about this example, and one other that involves KPMG, that point directly to what can happen at a systemically important bank if internal audit is ineffective and if executives are not paying attention, in particular to internal audit.
Later in that piece I get into detail about KPMG's obligations under the standards with regard to internal audit. I wrote:
2. Internal Audit
AS 2201 describes the internal audit function as an entity-level control, critical to a properly functioning control environment and tone at the top. MRIA # 3, Internal Audit, came out of the joint examination concluded on April 8, 2022. The DFPI and the FRBSF jointly communicated this finding and the ones regarding the bank's overall governance and risk management function to SVB via a supervisory letter on May 31, 2022, well before KPMG had completed its audit for 2022 and signed its opinion on February 24, 2023.
The assessment showed that SVB’s governance and risk management practices were below supervisory expectations. As such, the supervisory letter outlined MRIAs, Matters Requiring Immediate Attention.
SVB’s internal audit was not effective at holding senior management accountable or providing sufficient information for the SVB’s Audit Committee to fulfill its oversight responsibilities. In addition, SVB failed to subject known areas of weakness to the audit.
AS 2605 describes how the external auditor should assess the company's internal audit function to assess the company's control environment and to determine to what extent it can rely on the internal audit function's work and reports to management and the Audit Committee in its own work, if possible.
AS 2605: Obtaining an Understanding of the Internal Audit Function
.04 An important responsibility of the internal audit function is to monitor the performance of an entity's controls. When obtaining an understanding of internal control,3 the auditor should obtain an understanding of the internal audit function sufficient to identify those internal audit activities that are relevant to planning the audit. The extent of the procedures necessary to obtain this understanding will vary, depending on the nature of those activities.
.05 The auditor ordinarily should make inquiries of appropriate management and internal audit personnel about the internal auditors'—
a. Organizational status within the entity.
b. Application of professional standards (see paragraph .11).
c. Audit plan, including the nature, timing, and extent of audit work.
d. Access to records and whether there are limitations on the scope of their activities.
In addition, the auditor might inquire about the internal audit function's charter, mission statement, or similar directive from management or the board of directors. This inquiry will normally provide information about the goals and objectives established for the internal audit function.
In addition, the auditor must frankly assess the competence and objectivity of the internal auditors.
Competence of the Internal Auditors
.09 When assessing the internal auditors' competence, the auditor should obtain or update information from prior years about such factors as—
• Educational level and professional experience of internal auditors.
• Professional certification and continuing education.
• Audit policies, programs, and procedures.
• Practices regarding assignment of internal auditors.
• Supervision and review of internal auditors' activities.
• Quality of working-paper documentation, reports, and recommendations.
• Evaluation of internal auditors' performance.
Objectivity of the Internal Auditors
.10 When assessing the internal auditors' objectivity, the auditor should obtain or update information from prior years about such factors as—
• The organizational status of the internal auditor responsible for the internal audit function, including—
    ◦ Whether the internal auditor reports to an officer of sufficient status to ensure broad audit coverage and adequate consideration of, and action on, the findings and recommendations of the internal auditors.
    ◦ Whether the internal auditor has direct access and reports regularly to the board of directors, the audit committee, or the owner-manager.
    ◦ Whether the board of directors, the audit committee, or the owner-manager oversees employment decisions related to the internal auditor.
• Policies to maintain internal auditors' objectivity about the areas audited, including—
    ◦ Policies prohibiting internal auditors from auditing areas where relatives are employed in important or audit-sensitive positions.
    ◦ Policies prohibiting internal auditors from auditing areas where they were recently assigned or are scheduled to be assigned on completion of responsibilities in the internal audit function.
Assessing Competence and Objectivity
.11 In assessing competence and objectivity, the auditor usually considers information obtained from previous experience with the internal audit function, from discussions with management personnel, and from a recent external quality review, if performed, of the internal audit function's activities. The auditor may also use professional internal auditing standards4 as criteria in making the assessment. The auditor also considers the need to test the effectiveness of the factors described in paragraphs .09 and .10. The extent of such testing will vary in light of the intended effect of the internal auditors' work on the audit. If the auditor determines that the internal auditors are sufficiently competent and objective, the auditor should then consider how the internal auditors' work may affect the audit.
I took a look at the SVB CAE on LinkedIn, John Peters, and noticed he had a long tenure with SVB. There are remarks on Glassdoor about how SVB's internal audit is one department at the bank to avoid. In particular, the critique is that there is no career path. That perception can become a reality when one guy holds the top job for nearly 17 years.
The Committee's report also notes that John Peters, the Silicon Valley Bank Chief Auditor, "worked as an auditor at KPMG for more than nine years prior to working for Silicon Valley Bank, where he oversaw the bank’s internal audit department."
The Minority Staff report summarizes the Silicon Valley Bank internal audit issue like this:
Silicon Valley Bank
• Awareness of Internal Audit Weakness: The Federal Reserve alerted KPMG to “foundational weaknesses” in Silicon Valley Bank’s internal audit department in April 2022.19 However, KPMG was already aware the department was struggling to produce sufficient, timely information.20 In fact, when the Federal Reserve again raised concerns about the bank’s internal audit department in January 2023, KPMG told the regulator it had not relied on information the department produced in over three years.21
During the meeting at which KPMG presented the 2022 audit plan to Silicon Valley Bank’s Board of Directors, KPMG identified and communicated several potential risks, including risks of error and fraud in how the bank accounted for potential losses on loans and credit in the coming year.219 The presentation did not reference any issues with the bank’s risk management or internal audit department, factors the Federal Reserve flagged to KPMG throughout the audit.220
KPMG and the Federal Reserve met for a quarterly check-in regarding Silicon Valley Bank in April 2022.237 At that time, the Federal Reserve flagged that it was nearing the end of its review of the bank’s risk management, which included a specific assessment of the bank’s risk and internal audit departments, and noted that examiners had “significant concerns” about the bank’s risk management practices relative to the Federal Reserve’s expectations for a large financial institution, as the bank had experienced expansive growth since 2020.238
According to meeting minutes from the Federal Reserve, KPMG asked whether the “level of oversight and findings is typical of a transitioning firm,” to which the regulator replied, “to a degree but the level of concern is above average and shows foundational weaknesses.”239
Generally, internal auditors are responsible for “providing analyses, evaluations, assurances, recommendations, and other information to the entity’s management and board.”240 PCAOB standards direct auditors to obtain an understanding of the internal audit function, and, if its work is relevant to the financial statement audit, assess the “competence and objectivity” of the internal audit function.241 If the independent auditor “concludes that the internal auditors’ activities are not relevant to the financial statement audit, the auditor does not have to give further consideration to the internal audit function.”242
In May 2022, following the examination, the Federal Reserve escalated its concerns about the bank’s risk management and issued a Matter Requiring Immediate Attention to Silicon Valley Bank based on problems with the bank’s internal audit department.243 A Matter Requiring Immediate Attention directs a bank to focus on and remediate “important or lingering weaknesses,” that could impact the bank’s safety and soundness or otherwise face an enforcement action.244
The Federal Reserve’s May 2022 Matter Requiring Immediate Attention stated:
Internal audit effectiveness—The internal audit (IA) department’s methodology and programs do not sufficiently challenge management, provide the audit committee with sufficient and timely reporting, or ensure the timely analysis of critical risk-management functions and the overall risk management program. The deficiencies in IA’s processes and reporting negatively affected its ability to provide timely, independent assurance that the firm’s risk management, governance, and internal controls were operating effectively.245
KPMG analyzed the May 2022 Matter Requiring Immediate Attention and its impact on the audit and drafted a memo that detailed its conclusions on August 1, 2022.246 KPMG’s memo concluded “[t]here is a lack of a formal framework for the Board [of Directors] to evaluate risk events,” such as “fraud events, wire issues, longstanding regulatory or audit findings, or failed project implementations, etc.”247
Nevertheless, after completing its review, KPMG determined the problems with the bank’s internal audit department, as identified by the Federal Reserve, had no impact on KPMG’s planned audit approach, as “there is no [internal audit] work used for audit evidence supporting KPMG conclusions.”248 In an interview with the Subcommittee, Mr. Pohlman acknowledged that the bank’s internal audit department had “a lot of work to be done,” but denied that the issues identified by the Federal Reserve (i.e., timely information and analysis) could have impacted the “quality or accuracy of information KPMG might receive during the course of its work.”249 KPMG told the Subcommittee it did not rely on Silicon Valley Bank’s internal audit function during the engagement because it “did not focus on internal controls over financial reporting,”250
In January 2023, the Federal Reserve again raised Silicon Valley Bank’s internal audit department (referred to as “internal audit”) with KPMG at a quarterly meeting, expressing concerns about the “audit execution” considering that “KPMG has some reliance on internal audit.”251 The regulator asked again “whether KPMG has any concerns on relying on internal audit’s work.”252 According to the meeting minutes, Mr. Pohlman replied that KPMG had not relied on anything from Silicon Valley Bank’s internal audit department in three to four years, and instead depended on other departments for needed information.253 Mr. Pohlman told the Subcommittee he knew that KPMG had stopped relying on Silicon Valley Bank’s internal audit department before he began working on the Silicon Valley Bank engagement, however he never inquired why.254
Mr. Pohlman told the Subcommittee that practices vary from one engagement to another, and while many audit teams rely on a company’s internal audit department for needed information, it was not unusual for audit teams to rely on other departments at their client for information.255
Both in KPMG’s workpapers and in the Subcommittee’s discussions with KPMG auditors, KPMG reiterated its position that the bank’s issues with governance and controls had no direct effect on internal controls over financial reporting or the bank’s financial statements.256 Going a step further, KPMG documented that the risk department did not pertain to the audit because the Federal Reserve’s “findings in the report do not relate to the sufficiency of internal audit’s plan or their effectiveness at performing their work.”257
In interviews with the Subcommittee, two of the four auditors for Silicon Valley Bank, including the lead audit partner, maintained that they did not rely on information from the bank’s internal audit department to obtain information for KPMG’s independent audit, while a senior audit manager told the Subcommittee that there was “certain test work” for which the engagement team relied on internal audit.258 Further, Mr. Pohlman told the Subcommittee that while the audit team did not depend on information from the internal audit department to complete their audit, they nevertheless reviewed documents produced by the department to determine whether they related to the audit.259
Despite KPMG’s position that it did not rely on information from the internal audit department, documents reviewed by the Subcommittee show that the firm reviewed 170 reports from the bank’s internal audit department between March 2022 and February 2023 that identified risks ranging from missing policies for identifying and reporting fraud at the bank to risk models that lacked key information and did not comply with standard documentation requirements.260
KPMG’s workpaper on the matter concluded that all 170 reports it received from the bank’s internal audit department did “not have direct effect on” the bank’s internal controls over financial reporting or its financial statement and therefore the “engagement team [did not] alter [its] existing audit approach.”261
According to Mr. Pohlman, just as KPMG was aware of concerns with the bank’s internal audit department, the firm was similarly aware of issues with the bank’s risk division, which had also been criticized by the Federal Reserve.262 In April 2022, the bank’s Chief Risk Officer left her position and was not replaced until January 2023.263
Mr. Pohlman told the Subcommittee that he understood the Chief Risk Officer left her position due to regulatory criticism of the bank’s risk function.264 Concerns about the bank’s risk division were presented at meetings of the bank’s board of directors, for which KPMG was either present or reviewed meeting minutes afterwards.265 For instance, in September 2022, according to board meeting minutes reviewed by KPMG, the bank’s efforts to improve its risk division were “off track and behind schedule.”266 In the same meeting, a bank executive reported to the bank’s board of directors that approximately 40 percent of the division’s controls were failing testing, a fact which Mr. Pohlman confirmed KPMG was aware of.267
In its May 2022 supervisory letter, the Federal Reserve said: “The deficiencies in [internal audit’s] processes and reporting negatively affected [the bank’s] ability to provide timely, independent assurance that the firm’s risk management, governance, and internal controls were operating effectively.”377
The regulatory scrutiny of the bank’s governance continued, and, on August 17, 2022, the Federal Reserve sent a follow-up supervisory letter stating its intent to escalate to an enforcement action.378 KPMG confirmed to the Federal Reserve during a quarterly meeting on January 17, 2023, that it had received the supervisory letters the regulator had sent to the bank.379
Ultimately, the bank failed before the regulator initiated an enforcement action.380 However, the looming enforcement action had the potential to stress the bank at a particularly vulnerable time.381 Beyond monetary penalties, enforcement actions often force banks to change their business models and carry serious reputational risks.382 Despite frequent interactions with the Federal Reserve in which KPMG received updates about the regulator’s ongoing inquiries into the bank’s risk and internal audit functions, including a pending enforcement action, KPMG did not identify “Regulatory inquiries or investigations into the entity’s operations or financial reporting.”383 Mr. Pohlman told the Subcommittee that “in the context [of the question], the response is correct.”384
Auditor Independence
The issue of auditor independence, meaning KPMG's independence from all three banks, was covered fairly well by major media at the time. Several outlets noted the long tenure of KPMG at each bank and the revolving door between the firm and the banks.
One item I do not recall is a mention that someone went from one of the banks back to KPMG!
Relationships between former auditors who leave to work for banks they once audited can also threaten auditor independence.731 While auditing regulations cover some aspects of these types of conflicts, such as imposing “cooling off” periods or restricting certain types of financial or romantic relationships between auditors and their clients, they do not exhaustively consider the cumulative effect that the revolving door between auditing firms and their clients can have on the independence of audits.732 Research indicates that auditors tend to prefer hiring individuals who previously worked at their firm, even if they did not know each other prior to the audit engagement.733 One analysis of hiring practices found that clients are 30 percent more likely to hire executives who had previously worked for their current auditor.734 This overlap can cause auditors to be more deferential to alumni of their firm.735
A 2018 study found that 76 percent of auditors were more willing to adopt a client’s position on a conjectural accounting matter if the client’s CFO was an alumnus of their firm, as opposed to only 39 percent who were willing to accept the position if they had no indication of the CFO’s prior work history.736
In examining the relationship between KPMG and its client banks, the Subcommittee observed at least ten instances during KPMG’s 2022 audits of Silicon Valley Bank, Signature Bank, and First Republic Bank in which KPMG engaged with individuals at the banks who had previously worked for KPMG, and one instance where a KPMG auditor for the First Republic Bank audit had previously worked for the bank, as follows...
I'll let you read the report for the details, if interested.
The Report concludes with some hard statements about the state of the auditing profession and the business of the audit firms:
The Subcommittee’s review demonstrates how common practices in the auditing industry can erode public trust in the financial reporting of publicly traded companies. Indeed, PSI’s review of KPMG’s 2022 audits of Silicon Valley Bank, Signature Bank, and First Republic Bank showed that the auditing firm was aware of risks and mismanagement that contributed to the public loss of faith in these institutions so abruptly in early 2023.812 However, KPMG determined that the problems it discovered were not related to each bank’s financial reporting.813 Each of the lead audit partners told the Subcommittee that auditors are not obligated to opine on poor risk mismanagement and excessive financial risk, but only to make sure any such risk is reflected in the company’s financial statement.814 KPMG seemed to interpret PCAOB guidance in such a way as to absolve KPMG of responsibility for incorporating the inherent risk within a client’s business into the scope of an audit, much less disclosing it.
KPMG’s position was that a poorly managed, risk-prone bank can nevertheless earn an unqualified audit opinion wherein an auditor opines on the integrity of its financial reporting.
The Report also reminds us that another KPMG banking client, Wells Fargo, was also in quite a bit of trouble recently. KPMG took no responsibility for warning investors and customers about those issues either:
This approach to the role of an auditor echoes the arguments that KPMG made in the course of its audits of Wells Fargo during the years when that bank faced scandal for generating fake accounts.815 KPMG later publicly acknowledged that it was aware of evidence of fake accounts in the course of auditing Wells Fargo, but did not disclose that evidence in its audit opinions at the time.816 Going back to 2005, six out of ten KPMG auditors interviewed by the Subcommittee had previously worked as a member of the audit team for Wells Fargo.817
Footnote 816 here is a citation to work I produced with my friend and former colleague Andrea Riquier, at MarketWatch:
816 See Francine McKenna & Andrea Riquier, Where was KPMG, Wells Fargo’s auditor, while the funny business was going on?, MARKETWATCH (Aug. 21, 2017), https://www.marketwatch.com/story/where-waswells-fargos-auditor-kpmg-while-the-funny-business-was-going-on-2017-08-17. On July 25, 2025, KPMG told the Subcommittee: “The letter speaks for itself but leaves no doubt about one thing: the engagement teams on the Wells Fargo audits satisfied their professional obligations by performing the required audit procedures which included:
[1] KPMG analyzed the potential impact on the financial statements of setting up unauthorized accounts, whether caused by an improper sales practice or otherwise. [2] KPMG concluded that the potential impact of any such errors would likely be insignificant. [3] KPMG received additional support for this conclusion when an outside consultant calculated the potential financial impact of the improper sales practices. That consultant concluded the fees associated with unauthorized accounts were less than $5 million, and that amount had accumulated over a five-year period. KPMG’s audit team, however, did not limit their consideration to the numbers. [4] KPMG also looked at who was involved in the improper sales practices. None worked in financial reporting or had the ability to influence the financial reporting process.” Letter from Couns. for KPMG to the Hon. Richard Blumenthal, Chairman, Permanent Subcomm. on Investigations, Appendix A, 73 (July 25, 2025) (on file with the Subcommittee).
Recommendations
The Report includes five recommendations. I will list them here but will address them, and some other details in the report, in a later newsletter once I return home.
I. Congress Should Reform How the Auditing Industry is Regulated
II. Congress Should Require Increased Competition for Audit Firm Engagements
III. Congress Should Clarify that It is Entitled to Receive Inspection Information
IV. Congress Should Require Enforcement Actions in the Auditing Industry Be Made Public
V. Congress Should Create an Office of the Whistleblower to Provide Actionable Information Regarding Auditors
Given the recent criticisms of the PCAOB and the efforts by the current administration, and others, to defang or even completely dismantle it, I will leave you with this final thought from the conclusion of the report.
While the leadership and staff of the PCAOB has strained to direct the industry toward greater standards of investor protection, the agency is limited by the tools it has been provided. Given this historical context, critics argue that auditors act with “impunity” because the PCAOB is, by design, unable to more forcefully.
I reached out to KPMG's spokesman and to its attorney for this matter, Alicia O’Brien from King and Spalding, for a response to the Report. KPMG commented that the Report’s authors themselves say this on Page 6 of the report:
“No regulatory assessment suggested that KPMG played a role in the failures of the banks, and the Subcommittee does not take a position regarding whether KPMG’s audits of Silicon Valley Bank, Signature Bank, and First Republic Bank did or did not violate auditing standards, as currently exist.”
KPMG spokesman Russ Grote also provided this statement.
Statement
“The Minority staff report is a misguided and erroneous opinion that stands as an outlier from the multiple investigations that have been conducted on these banks, none of which point to an auditor role in the failures.
The report repeatedly calls for auditors to go beyond current PCAOB standards in a way that misrepresents the auditor role and threatens financial stability.
We audit to the standards, because that’s our role in the financial system and it’s the role we are trained and resourced to do effectively. Going beyond the auditing standards and our expertise undermines the role of regulators, management, and boards in mitigating enterprise risk.
The Minority staff report also contains errors and draws wrong conclusions, often by omitting critical context.
Importantly, however, after two years, this Minority staff report expressly does not question the accuracy of KPMG audit opinions and concedes that ‘no regulatory assessment suggested that KPMG played a role in the failures of the banks’ or violated auditing standards.
KPMG stands by our audit opinions, and we are proud of our audit quality track record.
We maintain the lowest rate of material restatement in the Big 4 since 2021.”
© Francine McKenna, The Digging Company LLC, 2025







