Auditor Independence and ERP/CRM projects - a conversation with Francine McKenna

Francine McKenna is a prolific commentator on the accounting, audit, and corporate governance issues affecting public and pre-IPO private companies. Since 2006, McKenna has been an investigative reporter and feature writer for publications including Dow Jones MarketWatch, Forbes, American Banker, Financial Times, Chicago Booth Review, Accounting Today, and Boston Review. At MarketWatch she monitored and reported on public company accounting, fraud and financial investigations, and the often questionable financial reporting practices of pre-IPO companies. McKenna spent more than 20 years in public accounting and consulting, including for KPMG/BearingPoint in the U.S. and Latin America, and at PwC. She is also an adjunct professor of international business in the MBA program at American University’s Kogod School of Business. She speaks often at universities, conferences and other forums. You may also know her from her blog, reTheAuditors.com. She also writes an online newsletter, The Dig.

I had a chance to talk to her a bit about the history of auditor independence issues and some of the risks of using accounting firms as implementation partners on ERP and other enterprise software projects. In part 2 tomorrow we will talk about differences in automation in the audit and consulting practices of such firms.

Francine, I read your story about the SEC’s recent auditor independence enforcement against PwC and thought, "What are some of the risks that companies that use accounting firms may be exposing themselves to on their consulting projects?" Talk in terms of something around an ordinary business executive, not necessarily a CPA would be able to relate to.

The rise in ERPs and the large software vendors like SAP and Oracle mirrors the rise of the Big Four public accounting firms involvement in consulting, especially systems implementation, design and implementation consulting. When you think about when Enron happened and when Arthur Andersen collapsed, if you go back to the late nineties, you had the emergence of ERP software. They started to work with systems implementers like the Big Five auditors including Arthur Andersen and other systems integrators.

Then, unfortunately, you had Enron's bankruptcy and the collapse of Arthur Andersen. There was a push already to look at how the rest of the Big Four public accounting firms were addressing or working with issues around doing both audit and consulting, in particular systems design and implementation consulting, for the same client. The firms were already under pressure.

A lot of people think that three of the four Big Four firms sold off their consulting arms because of Enron but, actually, the pressure was on them before that. They were already being criticized for potentially compromising the integrity, objectivity of audit work because of their disproportionate focus on consulting and consulting revenues from the same clients.

When Enron occurred, there were already, I think, at least two of the four had already sold their consulting arms. EY sold to Capgemini, KPMG spun off BearingPoint, and PwC eventually sold their consulting arm to IBM. Deloitte, uniquely, never sold. It's not that they weren't planning on doing it but they actually just never got to it. I think I've written more than once that they never ended up doing it because, once the other three sold their consulting arms and Deloitte saw that even though they hadn't, no one was coming after them. There was no significant enforcement of new auditor independence rules enacted as part of the Sarbanes-Oxley Act of 2002. There were no new enforcement actions at least in terms of significant scrutiny over whether they were doing consulting, systems integration, and design implementation work in their audit clients. The actions the SEC did take related to actions prior to 2002 that were egregious violations of exiting rules.

The SEC and the new audit regulator, the PCAOB, never really aggressively implemented or enforced the new rules that were put in place to try to prevent that kind of combo audit and consulting work that was blamed for Arthur Andersen’s mistakes with Enron.

Deloitte, I think, just decided, "Hey, let's hold onto it and keep going." They ended up being able to build on that base and now pretty much dominate the consulting business in the Big Four, although PwC is a pretty close second.

When I think about the conflicts of interest inherent in being a public accounting firm, Accenture got out of that issue a long time ago. When the consulting arm of Arthur Andersen split off and became Accenture, they eliminated that worry. Accenture can do any projects for anybody they want. Certainly, Accenture can have conflicts of interest like any other professional service firm, but they eliminated the inherent conflict of interest that a public accounting firm has when you're an auditor for a large public company.  In that case you're restricted, in particular now, post the Sarbanes-Oxley Act of 2002, from doing audits and financial reporting-related systems design and implementation at an audit client. Sarbanes-Oxley is the law that came into effect in reaction to the conflicting priorities issues that people thought had occurred at Enron, WorldCom, HealthSouth, and some of the other corporate frauds that occurred during that period.

The SOX auditor independence rules prohibit an auditor from doing systems design and implementation work at an audit client. It's strictly prohibited. What's happened is that those services, that software, that activity, which are the kinds of things companies want from big consulting firms has grown, changed, and developed. Now we have lots of different modules for all of the different large ERP systems and many of them can arguably not be tied directly to financial reporting, the direct financial reporting and financial statement preparation, which is where the prohibition comes into play. In other words, the auditors are not supposed to be designing and implementing software, implementing the controls, the internal controls and the configuration, developing the training and the user instruction associated with how you use those systems if they're going to go back, turn around, and go back and supposedly independently audit the company's use of those systems.

What happened after the financial meltdown? Did that have any effect on the accounting firms? Was there any scrutiny after that?

Yeah, absolutely. Actually, the financial crisis was a boon for them. Let's go back a little bit. One of the big reasons why Deloitte and PwC dominate in this arena as opposed to KPMG and Ernst & Young is that BearingPoint, the KPMG consulting firm that spun off and went public, ended up going bankrupt in February 2009. PwC and Deloitte split that carcass. Deloitte bought the federal services portion, so all of the big public sector clients of KPMG consulting, which became BearingPoint, and PwC took all the commercial clients. Those two firms got a really big head start in the midst of the crisis, which was approximately right after PwC’s non-compete clause with IBM expired.

The crisis deepened. The crisis root cause analysis really didn't focus on the accounting firms.  The perception was the financial crisis was about this cataclysmic economic event that no one could control, it wasn't perceived initially as a sort of broad kind of a corporate fraud-related crisis. It wasn't the auditor's fault, in other words, at least at first.

Later, when it became apparent that there had been a lot of fraud related to subprime mortgage origination and securitization, mortgage and foreclosure processing, mortgage servicing, how people who went through or were threatened with foreclosure and were charged multiple fees, in error in many cases, then that sparked or was a catalyst for a whole new area of consulting called GRC, Governance Risk & Compliance. Many of the biggest banks and many other financial firms ended up on the wrong side of regulators in terms of how they had addressed those issues. In order to get out of civil and criminal liability for those issues, they signed settlements and consent decrees that said they were going to go back and fix those problems. They were going to calculate what the damage was to consumers and find a way to repay consumers for that damage.

This Big Four firms stepped into that arena in a huge way, in particular in a process called the foreclosure reviews that were ordered by the Fed and the Office of the Controller of the Currency. Three of the Big Four firms participated in the process in addition to Promontory, which was an independent consulting firm and now is part of IBM, and a couple of other smaller firms.

They did these humongous projects at the banks, which were essentially sort of hybrid audits. They went in looked at systems, looked at compliance with agreements and they tried to develop and extrapolate calculations of damages to consumers from having been inappropriately foreclosed on or inappropriately charged fees or other kinds of penalties related to mortgage servicing and processing.

Deloitte made out big, but PwC was the biggest winner in that arena. For everybody that PwC or Deloitte or EY didn't audit, they could do that foreclosure review. Deloitte, however, did a big project at JP Morgan that focused on mortgages at Bear Stearns and Washington Mutual that JP Morgan bought in a forced acquisition, essentially a bailout of those firms. Deloitte had been the auditor of Bear Stearns and Washington Mutual. PwC and Promontory did almost everyone else. Ernst & Young did a few small ones.

The only one who didn't really do much on that was KPMG. That created an enormous opportunity to do that kind of work in many other realms later. Any time a company is charged with some kind of a regulatory issue, whether it's anti-money laundering or something, like in the banks, related to their processing of some kind of consumer loans or something like the subprime loans, you have an opportunity for someone to be appointed as a monitor or as some kind of a consultant after the fact to help that organization correct the issues, often systems related issues.  The Big 4 consultant or monitor then also does the work to calculate the number used to repay customers for the damages that occurred from the violation.

The firms have cleaned up on GRC. And it’s a whole new area of software that Oracle and SAP have incorporated into the ERP systems that’s required by regulators.  The Big 4, especially Deloitte and PwC, now partner with Oracle and SAP to implement the software on behalf of clients.

What I'm seeing is that a lot hasn't changed since the time when I actually was last working in a Big 4 firm. The last firm I worked for was PwC in 2005 and 2006. At that point, I was part of an internal team looking at how well PwC was responding to the new rules under Sarbanes-Oxley, things like auditor independence and making sure that they were prepared to respond to inspections of audits under the new independent regulator the PCAOB, established by Sarbanes-Oxley.

There were things that I was concerned about then, things I looked at and said, "Hmm. You know, I don't think that some of the people in the firm understand that they can't do these things anymore." The ability of the large global public accounting firms to control partners, to monitor partners' activities, and to actually have good governance to make sure that there's a structure that identifies and addresses when somebody wants to go rogue or do something that is against the rules is always, always a challenge. The bigger they grow, the harder it is, especially because they're global firms.

Tell us your opinion about the recent SEC enforcement action against PwC

I looked at the recent SEC enforcement action against PwC that covered almost a five-year period from 2013 to 2016 and it said there was one person responsible for implementing governance risk and compliance systems from Oracle in multiple audit clients. PwC, as a firm was charged with violating the auditor independence rules in 15 different clients 19 different times during that short period and seemingly attributable to one partner. The SEC said one partner was the cause of these violations.

That one partner was a hybrid IT audit partner, who participated in the audits with as a specialist, with expertise around IT general controls and other IT controls. He was also a partner who was responsible for identifying opportunities for advisory or consulting projects related to Oracle ERP products.

That sort of hybridization of partners, with a dual incentive structure, is inevitably going to lead to potential conflicts and will present a constant challenge to try to interpret the rules, and for somebody to actually be willing to say, "No, you can't do that." When you say, "No, you can't do that," you're forcing the partner to turn down revenue. I saw that that was going to be a challenge for some partners to comply back in 2006, and it seems like PwC has not implemented any better rules or governance structures in all this time. PwC had one partner running around doing this over and over and over again and obviously without any real, effective constraints.

Given that, now talk about two audiences - the clients and the software vendors. When a company is implementing packaged software, it could be ERP, CRM, whatever. They look at consulting firms and they end up hiring a Deloitte or a PwC, an accounting firm. Are they exposing themselves to some risks?

They're exposing themselves to multiple risks, and not just the risk that a regulator is going to decide to crack down on this and they're going to be left without a consultant or having to change consultants suddenly, mid-project. When the rules were implemented in 2002, we saw companies come down into two different camps, and they're kind of distinct. One is the company that loves, loves, loves their auditor, that's been with them for 99 years and has built their whole professional services relationship around that firm. Usually, it's obviously one of the Big Four and if it's one of the Big Two, PwC or Deloitte, it’s a special problem because of their ubiquity in consulting.

Companies still get full service from that firm. They look for every opportunity to use that firm whenever possible. They know that there are some things that are prohibited. But if the firm and someone else within the company, in their board of directors audit committee, can find a rationalization or can find a way to interpret the rules such that that audit firm can do the work, that company will always choose the audit firm to do the work.

On the other hand, you have companies that only tolerate low risk. They're very much oriented around following the rules and not buying anything beyond the audit. It's so obvious, it's so stark, the comparison between the two kinds of public companies.

These companies have very, very, very strict rules that the audit firm can do nothing but the plain vanilla audit. But then those companies are faced with, whenever they want to do something else, any kind of systems implementation, any kind of upgrade to an existing system, any kind of evaluation of internal controls, any kind of enhancement of any kind of operational system, they put out a tender, entertaining bids and reviewing RFP responses, doing the whole vendor demo thing, and being forced to select from another firm. Then obviously, they have to work with another large firm on something financial or accounting related, negotiate another big professional services contract and vendor relationship and manage all the complexity that entails.

They've signed up for the fact that they're going to have to manage multiple, significant professional services vendor relationships and they do that because they want to keep everything nice and clean and legal. They don't want any trouble with the SEC, and maybe they don't want to let any one vendor get too much power over them. There are advantages and disadvantages to both approaches.

In the Big 4 firms, obviously, individual partners are rewarded for getting what we used to say way back in the '90s at KPMG, “A bigger portion of the client wallet.” That's not changed. Even though it might be frowned upon for the audit partner or anybody else to get a bigger piece of the client wallet for the firm by selling more consulting or tax work, in the end, the Big 4 firms have become these very large organizations with gray lines between the various practices.

From a customer's perspective, though, there's no legal risk. The risk is what?

There is somewhat of a legal risk. For example, if the audit committee and the company executives are not aware of the auditor independence rules, do not fully evaluate those rules when contemplating opportunities for the vendor to do certain kinds of work, and they choose the auditor despite the fact that that work will violate the auditor independence rules, the SEC can sanction the company or sanction its officers or its audit committee. That happens rarely – rarely, rarely.

In the case that I wrote about with PwC, what happened was it all came down on PwC and on that partner in particular. They didn't even name the names of the companies that were subject to these 15 engagements and 19 different instances. They don't want to embarrass the companies because they want to make the assumption that it's the auditor's responsibility to fully inform the client and, in particular, as cited in the PwC case, if the auditor or the audit partner fudge the information in the scope of services, in the engagement letters in order to kind of get in under the wire or fool somebody, then the SEC really holds the auditor and the audit firm responsible.

What happens then? You have to look at the company, you have to look at its audit committee, and you have to look at sort of the company executive who is the purchasing executive or the one that's responsible for hiring, evaluating the vendor, and say, "How could they not know? They know what they want to have done and they are allowing for a contract or scope of services to not accurately state the work that's going to be done." What's going to happen then if there's a dispute?

In order to get in under the wire and be able to use the auditor as a vendor, the SEC enforcement action against PwC implied that there were executives at some of these companies that knew very well that they were fudging the information in the contracts, scope of services, and invoicing. That presents a very significant risk to the company if they do that and then there's a dispute.

Certainly, if the SEC wanted to come back to the company or come back to the audit committee, they could if they thought that there was some kind of collusion in order to create an opportunity, let's say, for a particular official to get some kind of kickback or if there was some other kind of illegality involved. You could have a situation where an official of a company or of a board of directors allowed for this kind of a situation to occur in return for some kind of an illegal payment.

How about software vendors? Do they have any liability given these situations? You look at Salesforce or Infor or whoever has these as partners. Do they have any risks?

As you know, most often when these types of big projects occur, the Big Four firm, the consulting firm, whether it's Accenture or whether it's one of the public accounting firms, they take the lead as the prime contractor. They might have subcontractors and the software vendor is the subcontractor. To that extent, they may be sort of "see no evil; hear no evil" in that situation. It may be that, as a subcontractor, they're doing their part and they're not responsible for the other piece.

What was stated in this SEC enforcement action against PwC is that there was an ongoing relationship between this PwC partner and the Oracle rep. There was probably an ongoing multiple engagement relationship and the vendor provides all kinds of other monetary and nonmonetary benefits to PwC as a strategic partner, an implementation partner, and also to this specific partner potentially on a personal and a professional level. In the end, the SEC said the partner actually provided nonpublic material, nonpublic information to the software vendor about at least one client.

That's public knowledge?

Yes, that's in the SEC enforcement action. I'm assuming that if this partner felt compelled to provide nonpublic material, nonpublic financial information to the software vendor, it was probably so that that software vendor could evaluate pricing or creditworthiness of particular clients. That to me is not very kosher.

What other risks does a software vendor have when they evaluate an accounting firm as a partner?

Well, certainly, if the accounting firm is fudging the information in the scope of services or in the contract in order to get it under the auditor independence wire and they're a subcontractor, if for some reason someone in the company or someone at a regulator determines that that's not allowed, prohibited, and tells them they have to stop the project, well, the software vendor is going to have a break in the project. They're going to have a delay. They might have the contract canceled and have to start all over again with a different integrator or, potentially, have some kind of a breach of contract with regard to the software licensing because the whole contract is canceled if the system integrator has breached some kind of terms.

That's hypothetical, right?

Right.

You don't know of any that have gone to that extent.

Well, in the case of one of the clients cited in the SEC enforcement action, PwC bid on two different projects at one client. I identified that client as Logitech. In that case, PwC had to resign as the auditor because of these independence issues.

Now, in some sense, that might actually be a blessing in disguise because, once you resign as auditor, then you're free to do the consulting work. But the question is, did that cause a stoppage of the project or were the projects delayed because these issues are being fleshed through and potentially there's a lot of back and forth and issues around whether or not the contract is going to go forward or whether or not the contract is going to be completed.

What else should buyers of consulting projects, implementation projects be aware of when they look at accounting firms?

Well, I think the biggest lesson from the PwC enforcement action was that audit committees either are still not aware of these prohibitions against the auditors doing certain kinds of work or they're willfully kind of trying to deflect the understanding or appreciation for those rules to other people. In other words, executives and board members, including audit committee members, claim plausible deniability or delegate the responsibility for evaluating auditor independence.  Sometimes they delegate it to the auditor itself.

When you ask the audit firm itself to evaluate whether it's independent in providing services, you're basically giving the fox access to the henhouse. The vendor is not the one who is supposed to be evaluating whether or not providing those services presents an auditor independence risk to the company.

I would say the biggest lesson was that audit committees, in particular, and executives who are hiring the firms for these types of projects really need to get better acquainted and take more seriously these prohibitions. They are on the books. Whether or not the SEC or the audit regulator, the PCAOB enforce them at any point in time doesn't mean that they can't come back later and doesn't mean that a sudden spike in enforcement action or scrutiny is not going to disrupt the project for the company as a whole and cause a lot of money and a lot of delays on perhaps a mission-critical project.

I'm sure some people will say, “She is a little too alarmist.” I think it's healthy – it's important to look at a segment of the market from different eyes.

Tomorrow, we will talk about how the audit and consulting arms of the accounting firms have evolved differently when it comes to automation.