Accounting News Roundup: Big 4 Fines, SEC Hack, EY and Equifax | 10.03.17

By | October 3, 2017

Fines & Punishment

Paying financial penalties is a cost of doing business for Big 4 firms. That cost of doing business has been more expensive of late, most notably the U.K.’s Financial Reporting Council fines of PwC this year and the PCAOB’s $8 million fine of Deloitte Brazil from late last year. Still, some people wonder why the levies are so small:

Erik Gordon, assistant professor at the University of Michigan’s Ross School of Business, said: “It is surprising [accountancy firms] are not more severely penalised than they currently are. The damage to investors, including retirees, [of misconduct] is far larger than the fines imposed.

Some people will tell you that the damage to the audit firm’s reputation is what’s really significant in these situations. And sure, the firms suffer some embarrassment, but the audit market is so concentrated that even if companies wanted to switch auditors, conflicts of interest make it difficult or impossible to do so. Firms get away relatively unscathed.

So what to do? Larger fines of course: “Fines that would be large enough to eliminate partner bonuses for five years would be more effective,” Prof Gordon told the FT. And bans, either of the firms from accepting new clients or partners from serving public companies seem to be a couple of popular ideas. Whatever the punishment is, it has to be more severe than the value of lucrative client relationships. Until that happens, the incentives will always lead a firm back to doing what its client wants.

Hacks

Here’s a small development to last month’s news that the SEC had joined the “we were hacked some time ago and we thought everyone should know about it” club:

Hackers who broke into a U.S. regulatory database that stores market-moving corporate information also accessed personal details about two people, including their names, dates of birth and Social Security numbers.

The Securities and Exchange Commission revealed the theft of personal information stemming from a 2016 breach of its Edgar system in a statement released Monday. The SEC’s analysis of the breach is playing out in real time as the regulator scrambles to understand the scope of damage from the incident.

Following the typical playbook for these situations, the SEC has offered to pay for identity theft protection and credit monitoring service for anyone affected.

EY and Equifax

Elsewhere in hacks, Francine McKenna writes at MarketWatch about EY’s role in the Equifax debacle:

EY was already aware that the SEC had scrutinized Equifax for inadequate disclosures of its cyberrisk and poor overall disclosure controls. That’s based on correspondence reviewed by MarketWatch between the SEC and the Equifax CEO and CFO dating from 2011 to 2014.

In January of 2014, the SEC asked Equifax’s CEO about inadequate disclosures regarding a material weakness in internal controls over financial reporting in 2013. In its response Equifax provided the SEC with a detailed timeline of its evaluation of the control weaknesses—and concluded that its interim quarter disclosure controls were also ineffective.

(EY audit partner for Equifax, Joseph King, was copied on the response to the SEC from the company’s controller, along with the rest of the company’s top executives.)

In September of 2012, Equifax was asked to add more information in future filings about cyberattacks, security breaches or other similar events it had experienced in the past, in order to “provide the proper context” for the disclosure.

Even if they’ve largely escaped scrutiny for now, it’s hard to imagine a scenario where EY is excluded from this mess completely. One expert quoted says that despite the large audit firms’ belief that “cybersecurity risks is outside the scope of a financial statement and ICFR audit” that won’t protect them because the general IT controls “are not typically managed or controlled separately” from the access and patch controls that led to the breach.

Previously, on Going Concern…

In Open Items, someone wants to know if other people hate both audit and tax.

In other news:

Get the Accounting News Roundup in your inbox every weekday by signing up here.

See something we missed? Have a correction, comment, or complaint? Email us at [email protected].