• Accounting News Roundup: Big 4 Fines, SEC Hack, EY and Equifax | 10.03.17

    By | October 3, 2017

    Fines & Punishment

    Paying financial penalties is a cost of doing business for Big 4 firms. That cost of doing business has been more expensive of late, most notably the U.K.’s Financial Reporting Council fines of PwC this year and the PCAOB’s $8 million fine of Deloitte Brazil from late last year. Still, some people wonder why the levies are so small:

    Erik Gordon, assistant professor at the University of Michigan’s Ross School of Business, said: “It is surprising [accountancy firms] are not more severely penalised than they currently are. The damage to investors, including retirees, [of misconduct] is far larger than the fines imposed.

    Some people will tell you that the damage to the audit firm’s reputation is what’s really significant in these situations. And sure, the firms suffer some embarrassment, but the audit market is so concentrated that even if companies wanted to switch auditors, conflicts of interest make it difficult or impossible to do so. Firms get away relatively unscathed.

    So what to do? Larger fines of course: “Fines that would be large enough to eliminate partner bonuses for five years would be more effective,” Prof Gordon told the FT. And bans, either of the firms from accepting new clients or partners from serving public companies seem to be a couple of popular ideas. Whatever the punishment is, it has to be more severe than the value of lucrative client relationships. Until that happens, the incentives will always lead a firm back to doing what its client wants.

    Hacks

    Here’s a small development to last month’s news that the SEC had joined the “we were hacked some time ago and we thought everyone should know about it” club:

    Hackers who broke into a U.S. regulatory database that stores market-moving corporate information also accessed personal details about two people, including their names, dates of birth and Social Security numbers.

    The Securities and Exchange Commission revealed the theft of personal information stemming from a 2016 breach of its Edgar system in a statement released Monday. The SEC’s analysis of the breach is playing out in real time as the regulator scrambles to understand the scope of damage from the incident.

    Following the typical playbook for these situations, the SEC has offered to pay for identity theft protection and credit monitoring service for anyone affected.

    EY and Equifax

    Elsewhere in hacks, Francine McKenna writes at MarketWatch about EY’s role in the Equifax debacle:

    EY was already aware that the SEC had scrutinized Equifax for inadequate disclosures of its cyberrisk and poor overall disclosure controls. That’s based on correspondence reviewed by MarketWatch between the SEC and the Equifax CEO and CFO dating from 2011 to 2014.

    In January of 2014, the SEC asked Equifax’s CEO about inadequate disclosures regarding a material weakness in internal controls over financial reporting in 2013. In its response Equifax provided the SEC with a detailed timeline of its evaluation of the control weaknesses—and concluded that its interim quarter disclosure controls were also ineffective.

    (EY audit partner for Equifax, Joseph King, was copied on the response to the SEC from the company’s controller, along with the rest of the company’s top executives.)

    In September of 2012, Equifax was asked to add more information in future filings about cyberattacks, security breaches or other similar events it had experienced in the past, in order to “provide the proper context” for the disclosure.

    Even if they’ve largely escaped scrutiny for now, it’s hard to imagine a scenario where EY is excluded from this mess completely. One expert quoted says that despite the large audit firms’ belief that “cybersecurity risks is outside the scope of a financial statement and ICFR audit” that won’t protect them because the general IT controls “are not typically managed or controlled separately” from the access and patch controls that led to the breach.

    Previously, on Going Concern…

    In Open Items, someone wants to know if other people hate both audit and tax.

    In other news:

    Get the Accounting News Roundup in your inbox every weekday by signing up here.

    See something we missed? Have a correction, comment, or complaint? Email us at [email protected].

    • Big4Veteran

      “Some people will tell you that the damage to the audit firm’s reputation is what’s really significant in these situations.”

      Bullshit. If one of the firms is a screw up and the other three were consistently boy scouts, then I could believe that the damage to the screw up firm’s reputation might have a significant impact on their business. But the reality is that all four firms regularly screw up. None of their reputations take too big a hit because the other three firms have similar screw ups. This is a case where the constant screw ups by all the firms actually helps all the firms.

      ““Fines that would be large enough to eliminate partner bonuses for five years would be more effective,” Prof Gordon told the FT.”

      Yeah, ok. When the firms are looking for costs to cut, I don’t think partner bonuses and comp are ever near the top of the list.

      The fact is that the four remaining firms are each too big to fail. If you take out one more firm, there will not be enough firms to service large corporations due to independence issues. Having four firms is barely enough firms as it is.

    • Point and Clique

      “The damage to investors, including retirees, [of misconduct] is far larger than the fines imposed.”

      Yes, let’s ignore Goldman Sachs and the litany of other arbitrageurs and hedge funds out there that have left wastelands in their wake, swallowing up all gains and leaving a pittance of a return for institutional investors and pensioners. The whole system is rigged against “retirees” and the public at large. Accounting scandals are scapegoats for wealth capture.