Please ensure Javascript is enabled for purposes of website accessibility
January 31, 2023

Accounting News Roundup: Big 4 Fines, SEC Hack, EY and Equifax | 10.03.17

ernst young equifax

Fines & Punishment

Paying financial penalties is a cost of doing business for Big 4 firms. That cost of doing business has been more expensive of late, most notably the U.K.’s Financial Reporting Council fines of PwC this year and the PCAOB’s $8 million fine of Deloitte Brazil from late last year. Still, some people wonder why the levies are so small:

Erik Gordon, assistant professor at the University of Michigan’s Ross School of Business, said: “It is surprising [accountancy firms] are not more severely penalised than they currently are. The damage to investors, including retirees, [of misconduct] is far larger than the fines imposed.

Some people will tell you that the damage to the audit firm’s reputation is what’s really significant in these situations. And sure, the firms suffer some embarrassment, but the audit market is so concentrated that even if companies wanted to switch auditors, conflicts of interest make it difficult or impossible to do so. Firms get away relatively unscathed.

So what to do? Larger fines of course: “Fines that would be large enough to eliminate partner bonuses for five years would be more effective,” Prof Gordon told the FT. And bans, either of the firms from accepting new clients or partners from serving public companies seem to be a couple of popular ideas. Whatever the punishment is, it has to be more severe than the value of lucrative client relationships. Until that happens, the incentives will always lead a firm back to doing what its client wants.


Here’s a small development to last month’s news that the SEC had joined the “we were hacked some time ago and we thought everyone should know about it” club:

Hackers who broke into a U.S. regulatory database that stores market-moving corporate information also accessed personal details about two people, including their names, dates of birth and Social Security numbers.

The Securities and Exchange Commission revealed the theft of personal information stemming from a 2016 breach of its Edgar system in a statement released Monday. The SEC’s analysis of the breach is playing out in real time as the regulator scrambles to understand the scope of damage from the incident.

Following the typical playbook for these situations, the SEC has offered to pay for identity theft protection and credit monitoring service for anyone affected.

EY and Equifax

Elsewhere in hacks, Francine McKenna writes at MarketWatch about EY’s role in the Equifax debacle:

EY was already aware that the SEC had scrutinized Equifax for inadequate disclosures of its cyberrisk and poor overall disclosure controls. That’s based on correspondence reviewed by MarketWatch between the SEC and the Equifax CEO and CFO dating from 2011 to 2014.

In January of 2014, the SEC asked Equifax’s CEO about inadequate disclosures regarding a material weakness in internal controls over financial reporting in 2013. In its response Equifax provided the SEC with a detailed timeline of its evaluation of the control weaknesses—and concluded that its interim quarter disclosure controls were also ineffective.

(EY audit partner for Equifax, Joseph King, was copied on the response to the SEC from the company’s controller, along with the rest of the company’s top executives.)

In September of 2012, Equifax was asked to add more information in future filings about cyberattacks, security breaches or other similar events it had experienced in the past, in order to “provide the proper context” for the disclosure.

Even if they’ve largely escaped scrutiny for now, it’s hard to imagine a scenario where EY is excluded from this mess completely. One expert quoted says that despite the large audit firms’ belief that “cybersecurity risks is outside the scope of a financial statement and ICFR audit” that won’t protect them because the general IT controls “are not typically managed or controlled separately” from the access and patch controls that led to the breach.

Previously, on Going Concern…

In Open Items, someone wants to know if other people hate both audit and tax.

In other news:

Get the Accounting News Roundup in your inbox every weekday by signing up here.

See something we missed? Have a correction, comment, or complaint? Email us at [email protected].

Latest Accounting Jobs--Apply Now:

Have something to add to this story? Give us a shout by email, Twitter, or text/call the tipline at 202-505-8885. As always, all tips are anonymous.

Comments are closed.

Related articles

a dog wearing VR

Monday Morning Accounting News Brief: Deloitte on Microtransactions; More EY Split Roadblocks; Have You Become Irritable? | 11.28.22

Happy Monday! Here’s some stuff that’s going on. Several US audit firms told the Financial Times that they had elevated some or all of their crypto-related clients to the status of “high risk”, triggering a more thorough audit that will take longer and lead to higher bills; some clients could ultimately be dropped altogether. KPMG […]

woman working on a laptop with a dog beside her

Monday Morning Accounting News Brief: The Leadership Void; KPMG Gets Fined (Again); PwC Ups Leave | 10.3.22

Deloitte launches Global Sustainability & Climate learning program that aims to enhance skills and capabilities of Deloitte people to help address a global societal challenge. Dubai’s financial regulator has provisionally fined KPMG and one of its former partners $2 million over the firm’s auditing of Abraaj, the emerging markets private equity group that collapsed in […]