RSM US’s $950,000 Fine Is a Reminder That Performing Non-Audit Services for Audit Clients Can Get You Into Trouble

You’d think a firm like RSM US would know this by now, but guess not.

The Securities and Exchange Commission today charged public accounting firm RSM US LLP with violations of the agency’s auditor independence rules in connection with more than 100 audit reports involving at least 15 audit clients.

Yes, auditor independence is a joke. So is deciding a tied FIFA World Cup championship match with penalty kicks. But neither of those rules are going away anytime soon.

So until auditor independence rules are changed, audit firms aren’t allowed at any point during the engagement to have an employment relationship with an audit client, and it can’t provide certain non-audit services to an audit client, like payroll processing, financial information system design or implementation, and broker-dealer, investment adviser or investment banking services.

Because RSM US got into some sticky situations with audit clients, Adams & Co. settled with the SEC today for $950,000 without having to admit or deny the allegations.

The SEC alleges that RSM US repeatedly represented that it was “independent” in audit reports issued on the clients’ financial statements, when according to securities regulations, the firm really wasn’t.

[T]he SEC found that from 2014 to 2015, RSM US or its associated entities, including other member firms of the RSM International network, provided non-audit services to, and had an employment relationship with, affiliates of RSM US audit clients, which violated the SEC’s auditor independence rules. The prohibited non-audit services included corporate secretarial services, payment facilitation, payroll outsourcing, loaned staff, financial information system design or implementation, bookkeeping, internal audit outsourcing, and investment adviser services.

The audit clients included funds of eight registered investment advisers seeking to comply with the SEC’s Custody Rule, the employee benefit plans of three public companies that filed reports with the SEC on Form 11-K, two broker-dealers, and two public companies.

RSM US has this thing called Client Central, a database the firm has used since 2011 to keep information on all things client, like all work billed to clients, both audit and non-audit, across all RSM US offices. RSM US engagement teams are required to search Client Central as part of client acceptance and continuance procedures, according to the SEC.

And prior to 2017, all RSM US audit engagement teams were required to complete a computer-based questionnaire called the McGladrey Risk Assessment Model (MRAM) to assess potential engagement risks related to auditor independence. BUT! Prior to 2014, the MRAM didn’t prompt audit engagement teams to perform searches in Client Central to identify affiliate relationships.

OK, now that we’ve got all that out of the way, let’s see what kinds of trouble RSM US (then known as McGladrey) got itself into, despite having these independence controls in place:

For example, for fiscal years 2012 through 2014, RSM US was engaged to audit the financial statements of two private funds of Registered Investment Adviser A to satisfy the requirements of the Custody Rule. In late 2012, RSM US consulting personnel were engaged to provide prohibited financial software consulting services to one portfolio company of the funds; in 2013, to an additional portfolio company; and, in 2014, to a third portfolio company. These services were provided during 2013 and 2014. … [P]rior to the requirement to complete the MRAM, the consulting teams were not required to search for audit services provided to affiliates of their clients. In 2014, the prohibited services were unrecognized because consulting personnel improperly entered their clients’ names into Client Central and did not tag their clients as related to Registered Investment Adviser A. Additionally, two of the consulting teams failed to complete MRAMs, and the consulting team that did complete the MRAM inaccurately responded that its client was not majority owned by Registered Investment Adviser A. By failing to identify the prohibited non-audit services, RSM US issued audit reports for fiscal year end 2013 while not independent. RSM US identified the issue in early 2015 and did not issue audit reports for fiscal year end 2014.

In addition, the SEC said a tax partner from an RSM International member firm in Australia served on a voluntary basis as a non-discretionary member on the board of an affiliate of a RSM US issuer audit client, thus breaking auditor independence rules regarding employment relationships.

These independence violations remained undetected until 2016, the SEC stated.

As part of the settlement, RSM US was ordered to cease and desist from future violations, and the firm agreed to engage an independent consultant to evaluate its current quality controls for complying with auditor independence requirements for non-audit services.