It only took five years, but Scott Marcello finally received some sort of punishment for what happened in KPMG’s audit practice several years ago as partners were working with PCAOB insiders to illegally receive advanced notice of the PCAOB’s inspection plans for KPMG audits. Marcello, KPMG’s former vice chair of audit, was fined $100,000 today by the PCAOB under a new disciplinary category—“supervisory failures”—regarding KPMG getting and using confidential PCAOB inspection information. The $100,000 fine is the largest monetary penalty ever imposed by the PCAOB on an individual in a settled case.
“This ‘first of its kind’ disciplinary action demonstrates that the PCAOB is committed to sanctioning top-level personnel at the largest firms when they fail to take sufficient supervisory steps aimed at preventing violations by their subordinates,” PCAOB Chair Erica Williams said in a statement. “Following the Department of Justice’s and the Securities and Exchange Commission’s actions against the perpetrators of the scheme, the board believes it is important to hold Mr. Marcello accountable as their supervisor for contributing to a culture that led to this serious misconduct.”
Why Marcello was not named in the criminal indictment or never faced any discipline from the SEC or federal authorities, unlike five of his co-workers at KPMG, is one of the main unanswered questions in the KPMG/PCAOB scandal. After all, as the PCAOB noted today in its order, Marcello failed in his duty to supervise senior members of KPMG’s audit practice who unlawfully obtained and used that confidential PCAOB information. The PCAOB said:
Under Marcello’s supervision, several of his subordinates, including his direct report, KPMG’s National Managing Partner for the Professional Practice Group [that would be David Middendorf], obtained confidential lists of the audits that the PCAOB would select for review during its 2016 and 2017 inspections of KPMG. Marcello’s subordinates used the 2016 confidential information to enhance the audit documentation for the engagements on those lists in an attempt to improve KPMG’s inspection results. The conduct of Marcello’s subordinates violated PCAOB rules and securities laws related to the preparation and issuance of audit reports and the obligations and liabilities of accountants, including Commission rules.
For those of you who aren’t familiar with the scandal, the PCAOB does a nice job summarizing it in its order. And as you read through it, it really makes you scratch your head why Marcello wasn’t among those indicted. First, the PCAOB sets the stage for the fraud, and it all started because of how badly KPMG was sucking at auditing:
Between 2010 and 2014, the rate of deficiencies that the Board identified in the KPMG audits that it reviewed increased each year. More specifically, the percentage of inspected audits in which the Board found that KPMG had failed to obtain sufficient evidence to support its audit opinions (or had failed to fulfill the objectives of its role when it was assigned work by another auditor) steadily increased, from 22 percent in the 2010 inspection to 54 percent in the 2014 inspection.
Many of the deficiencies the Board identified during its inspections concerned KPMG’s audits of banks and, in particular, the KPMG engagement teams’ evaluation of allowances, i.e., reserves, that KPMG’s banking clients had recorded for potential losses in their loan portfolios.
In light of this inspection history, KPMG determined to take various steps to attempt to improve its results in future PCAOB inspections. One of those steps was to recruit to the Firm personnel from DRI [PCAOB Division of Registration and Inspections], including individuals who had participated in inspections of KPMG and had identified deficiencies in certain of the Firm’s audit work. In May 2015, KPMG hired Brian Sweet as a partner. Immediately prior to joining KPMG, Sweet worked in DRI. While at the PCAOB, Sweet, who had experience auditing and inspecting the audits of banks, was part of the team that inspected KPMG.
Marcello, who was deputy leader of KPMG’s Financial Services practice, was appointed vice chair of audit in July 2015, two months after Sweet joined KPMG from the PCAOB. In his new role, Marcello supervised KPMG’s audit practice, which included the Department of Professional Practice (DPP), headed by Middendorf. DPP included an inspections group responsible for overseeing KPMG’s participation in PCAOB inspections. Thomas Whittle, who reported to Middendorf, headed this inspections group. David Britt, another partner in KPMG’s DPP and the co-leader of the firm’s Banking and Capital Markets group, reported to KPMG’s chief auditor, who, in turn, reported to Middendorf.
Sweet also became part of DPP’s inspections group, and he recruited Cynthia Holder, a former colleague from the PCAOB, to join him at KPMG. And so the malfeasance begins:
Between 2015 and February 2017 (both before and after Marcello became Vice Chair of Audit), Middendorf, Whittle, Britt, Sweet, and Holder obtained and used confidential PCAOB inspection information to improve KPMG’s inspection results, including for banking clients. The scheme included using an employee at the PCAOB to provide confidential lists of PCAOB inspection selections and inspection focus areas so that KPMG could target resources to those audits in advance of PCAOB inspections.
In March 2016, Holder obtained from a PCAOB inspector, Jeffrey Wada, a list of several KPMG issuer clients, mostly banks, whose audits the PCAOB intended to review as part of its 2016 inspection of the Firm. Holder shared the 2016 Inspection List with Sweet, who, in turn, informed Middendorf, Whittle, and Britt of it.
Upon receiving that confidential information, Middendorf, Whittle, and Britt instructed Sweet and others to perform examinations of the audit work papers for seven banking clients on the 2016 Inspections List outside of KPMG’s normal processes. The reviews consisted of partners outside of the engagement teams re-reviewing the audit work papers of the seven banking clients after KPMG’s audit reports had been issued for those clients, but before the respective documentation completion dates for the audits. The re-reviews uncovered problems with audit documentation as well as concerns about substantive audit issues, which Middendorf, Whittle, and the others attempted to have addressed in hopes of improving KPMG’s inspection results.
In early February 2017, Holder again received from Wada a confidential list, this time the entire list, of the KPMG audits that the PCAOB intended to review as part of its 2017 inspection of the Firm (the “2017 Inspections List”). Holder shared the 2017 Inspections List with Sweet, who promptly informed Middendorf, Whittle, and Britt of it.
Both times (2016 and 2017) Holder received the inspection lists from Wada, who also hoped at the time to be a KPMGer one day, Middendorf told Marcello about it. And both times Marcello turned a blind eye to what was going on, and what was about to happen, until people he confided with told him what they were doing was crazy and wrong:
In March 2016, Marcello learned from Middendorf that KPMG had obtained advance information about certain PCAOB inspection selections of KPMG audits. Specifically, Marcello understood that KPMG had obtained information about PCAOB inspection selections or potential selections through Sweet’s contacts at the PCAOB, which Marcello should have recognized was inappropriate. At the time, Marcello also understood that for all of the selections, which included the Firm’s audits of several banks, the documentation completion date for the final assembly of work papers had not passed. Marcello further understood that KPMG personnel intended to review the work papers for those audits and could enhance the documentation in an effort to improve inspection results.
Despite knowing that Middendorf and others had received advance notice of certain inspection selections and intended to review and could enhance work papers for those audits, Marcello failed to take appropriate action in response. Marcello did not report or escalate the matter, or instruct Middendorf and other subordinates to refrain from using the PCAOB’s confidential information. In failing to take action in response to learning about the receipt and intended use of confidential information in 2016, Marcello missed an opportunity to change the tone at the top of the Firm, which could have helped prevent further violations.
On February 7, 2017, Middendorf reported to Marcello that Sweet had obtained a list of 2017 PCAOB inspection selections. Marcello understood that the list had come from someone inside the PCAOB. Marcello, however, again failed to respond appropriately, including by failing to promptly report the receipt of that highly confidential information to anyone at KPMG or the PCAOB. Instead, over the course of a week, he and Middendorf had several conversations about the list and what to do with the information, though they agreed that no one should use the information while they decided what to do with it.
Marcello ultimately reported the receipt of the confidential information, but only after he learned of others’ negative reaction to KPMG having the information. First, Marcello learned from Middendorf that KPMG’s Chief Auditor had a very negative reaction to learning that Sweet had obtained the confidential inspection information. Second, Marcello also learned from Middendorf that a professional practice partner likewise had a very negative reaction to learning that KPMG had obtained confidential PCAOB inspection information. Finally, two partners who had learned of the issue from the professional practice partner informed Marcello of additional details concerning the situation and that they were troubled by KPMG having the list and would report the issue themselves if Marcello did not. After that meeting Marcello escalated the issue, reporting it to KPMG’s in-house counsel on February 14, 2017, a week after learning of KPMG’s receipt of the confidential 2017 Inspections List.
At that point, the whole scheme began to crumble. Before the confidential information from the 2017 inspections list could be used, one of the engagement partners, Diana Kunz, who had been informed by Sweet that the PCAOB was planning to review her audit, recognized that KPMG shouldn’t be in possession of this information. Kunz then contacted a supervisor, who told somebody else, and ultimately, KPMG’s Office of General Counsel was informed and began an internal investigation.
Marcello, Middendorf, Sweet, Holder, Whittle, and Britt were all fired from KPMG on April 11, 2017. Then on Jan. 22, 2017, everyone except Marcello, who we have nicknamed “the KPMG 5,” were indicted for their roles in the scandal. Wada, the leaker from the PCAOB, also was indicted.
Holder pleaded guilty to one count of conspiracy to defraud the United States, one count of conspiracy to commit wire fraud, and two counts of wire fraud on Oct. 16, 2018. She was sentenced to eight months in federal prison on Aug. 9, 2019 .Holder reported to jail on Oct. 15, 2019, and served her sentence at a minimum security federal prison camp for women in Bryan, TX. She was released from custody on June 13, 2020.
Middendorf was sentenced on Sept. 11, 2019, to one year and one day in federal prison, exactly six months after he was convicted by a jury on three counts of wire fraud and one count of conspiracy to commit wire fraud. Middendorf is currently appealing his conviction.
Whittle pleaded guilty to wire fraud and conspiracy charges on Oct. 29, 2018. He was sentenced in December 2020 to two years of supervised release.
Britt pleaded guilty to one count of conspiracy to commit wire fraud on Oct. 3, 2019. He was sentenced in October 2020 to six months of home confinement which was completed on June 6, 2021.
Sweet was sentenced on Nov. 20, 2020, to time served, three years of probation, and had to pay “significant” restitution of an unknown amount. He pleaded guilty in 2018 to conspiracy and wire fraud charges as part of a plea deal with the government.
Wada was given a nine-month jail sentence in October 2019 after he was found guilty by a jury in March 2019 of one count of conspiracy to commit wire fraud and two counts of wire fraud. He also appealed his conviction.
In June 2019, KPMG paid a $50 million penalty to the SEC for illegally using the PCAOB inspections information, as well as for auditors cheating on training exams, which was a whole separate mess. KPMG also had to pay a $1.3 million fine to the California Board of Accountancy for both of those transgressions.
So as you can see, Erica Williams has done more in her three months as PCAOB chair than William Duhnke did in three and a half years in that role.