As you well know, the quality of work performed by Big 4 auditors has been called into question aloud on a regular basis since the fall of 2008. Oh sure, you might say that ever since there was a Final 4 (circa 2002) there have been haters, but since we all came to the brink nearly four years ago, the complaints seem to have gotten louder and increasingly justified.
There probably isn't a better example of deteriorating audit quality than that of Deloitte. This has been illustrated by the firm's own internal findings, the release of Part II of its 2008 PCAOB inspection report (the first ever for a Big 4 firm), and an extraordinary number of deficiencies in the 2010 inspection report. And it doesn't end there! A couple of weeks ago, we were tipped off about an AICPA peer review report for Deloitte that had been prepared by Ernst & Young. Here's what we were told at the time:
Deloitte's peer review has been completed by E&Y and sent to the AICPA. Deloitte is the first Big 4 Firm to have a non-clean report in the history of the Big 4. E&Y had one deficiency that will be noted in the peer review report, which covers private company audits from 2008 through 2010. Probably becomes public next week.
The timing was a little bit off (we received the tip in late June; the report came out last week and can be viewed below) and the period covered is only "for the year ended March 31, 2011) but everything else seems is correct including the bolded portion (our emphasis) above.
But before we get to the report, we'll cover a little bit about the AICPA's peer review process. Here are some details from the "Summary of the Nature, Objectives, Scope, Limitations of, and Procedures Performed in System and Engagement Reviews and Quality Control Reviews" from the AICPA:
- Firms enrolled in the AICPA peer review program are required to have a review once every three years "of their accounting and auditing practice related to non-Security and Exchange Commission (SEC) issuers covering a one-year period."
- There are two types of peer review: System Review and Engagement Reviews. Per the AICPA's summary, "System Reviews focus on a firm’s system of quality control, while Engagement Reviews focus on work performed on particular selected engagements."
- The peer review process is designed "to monitor a CPA firm’s accounting and auditing practice" and its purpose is "to promote quality in the accounting and auditing services provided by the AICPA members and their CPA firms."
Check out the summary if you want more details on each type of review.
We also spoke with James Brackens, the AICPA's VP of Ethics & Practice Quality, about a few more details including the performance of the firms that participate in the peer review process. There are three different findings in the AICPA's peer review process: Pass; Pass with Deficiency; Fail. Mr. Brackens provided us with the averages from 2008 to 2010:
- Pass - 90%
- Pass with Deficiency - 8%
- Fail - 2%
Mr. Brackens also confirmed that Deloitte's finding of "Pass with Deficiency" was the first by a Big 4 firm. If you're interested in perusing past peer review reports, you can search by firm here.
As for the details of E&Y's letter, let's start with the deficiency:
Deficiency - Effective for the year covered by this report, the firm adopted new policies and procedures for performing audits accompanied by interpretive guidance, practice aids and specified training. The new audit policies and procedures were designed to be "principles based" to emphasize the use of professional judgment as compared to the prior more prescriptive policies and procedures. The firm experienced some implentation challenges and we noted that the specificity of certain audit policies and procedures adopted and related training was not sufficient to ensure consistent performance and documentation of all necessary procedures on its non-SEC issuer audit engagements. As a result we noted the firm did not consistently demonstrate that sufficient procedures were performed and/or documented in certain substantive areas. For certain audit engagements, the firm subsequently supplemented its procedures and/or prepared additional documentation to support its opinions. In one instance, the related financial statements were restated.
This deficiency resulted in a recommendation from E&Y and this final sentence: "Deloitte & Touche LLP has received a peer review rating of pass with deficiency." To put this in further perspective, since the report is "for the year ended March 31, 2011" the timing correlates with Deloitte's subpar performance in the PCAOB's report. However, it is not known whether the deficiency noted by E&Y was also applicable to the SEC issuer audit engagements, and thus, the PCAOB inspections.
Deloitte responded to the findings in its own letter (also below) and it's mostly canned. Here's the second paragraph:
We continually update our risk-based audit methodology, policies, guidance and tools in order to address matters identified through monitoring activities. We have provided enhanced tools related to auditing management's estimates and to the performance of many types of audit procedures for use on all engagements. For example, we have provided more comprehensive libraries of examples, of the risks of material misstatement at the assertion level and substantive procedures to be performed in response to risks of material misstatement for relevant assertions and account balances, including income taxes. Management's estimates have been included in our training sessions for all levels and these topics will be included in 2012 training efforts. For example, our recent training sessions included specific focus on enhancing procedures for auditing data and assumptions used in the evaluation of management's estimates.
Doesn't exactly give you the warm-fuzzies, does it?
It will be interesting to see what the findings of other firms will be, especially those that had PCAOB reviews that were of the same caliber of Deloitte (ahem, McGladrey). We'll be watching.