United States: The PCAOB Brings First Failure-to-supervise Case

On April 5, the Public Company Accounting Oversight Board levied a $100,000 fine against Scott Marcello, the former Vice Chair of Audit at KPMG. The penalty is noteworthy for two reasons: (1) it is the largest monetary penalty ever levied by the PCAOB in a case settled with an individual; and (2) it is the first matter in which the PCAOB has sanctioned someone for failure to reasonably supervise, despite being authorized to impose sanctions on this basis under the Sarbanes-Oxley Act of 2002 (SOX).¹

Background

The failure-to-supervise case is the most recent and probably the final enforcement action arising from the scandal involving the PCAOB and KPMG. The PCAOB inspects audits conducted by PCAOB-registered audit firms like KPMG. The inspections are meant to be conducted on a surprise basis, in the sense that the audit firms are not supposed to know which of their audits will face inspector scrutiny.

This is because if audit firms had advance knowledge of which clients' audits would be inspected, they could review the audit files and shore up any deficiencies. As the SEC previously put it, this would be tantamount to stealing the exam.

KPMG had experienced increasingly disappointing inspection results from 2010 to 2014 and sought to improve upon them. Many of the deficiencies pertained to audits of financial institutions.

Two PCAOB inspectors left the PCAOB and went to work at KPMG. The two former PCAOB inspectors downloaded confidential information while at the PCAOB regarding PCAOB plans for inspections of KPMG audits, and passed the stolen information along to KPMG. A third PCAOB inspector conveyed confidential PCAOB information while seeking employment with KPMG. This enabled KPMG to review the audit files and correct errors in an effort to avoid negative inspection findings.

The confidential information was conveyed to senior personnel in KPMG's national office. The senior officials determined to use the stolen data in an effort to improve inspection results. KPMG used the information in connection with a review of the audits of seven banking clients. Also, at least one of the KPMG higherups instructed the others not to disclose their possession of the improperly obtained inspection plans.

The misconduct occurred between 2015 and February 2017. KPMG and the PCAOB terminated the wrongdoers. Six CPAs were criminally prosecuted and sanctioned by the SEC under Rule 102(e) of the SEC's Rules of Practice, barring them from appearing or practicing as accountants before the SEC. And KPMG itself paid a $50 million civil penalty to resolve charges with the SEC.

The failure-to-supervise case

In March 2016, while he was head of KPMG's audit practice, Marcello learned of the receipt of confidential information about PCAOB inspections. As mentioned, between 2015 and 2017, KPMG personnel used the improperly obtained information to inspect audit work papers for seven banking clients, hoping to improve KPMG's inspection results with the PCAOB.

Initially, Marcello did nothing in response upon learning of these misdeeds despite being a "supervisory person" under SOX § 105(c)(6). He understood that the inspections had not yet occurred and that KPMG staff planned to use the stolen information to shore up the audit files. According to the PCAOB, he should have known that use of the information would be improper. Yet he failed to elevate the matter and failed to instruct his subordinates not to use the information.

In 2017, he was again informed of the receipt of confidential PCAOB information and again did nothing. He only reported the issue to KPMG's in-house counsel after two KPMG audit partners informed him that if he did not elevate the issue, they would do so.

Before he elevated the issue, he also learned that KPMG's Chief Auditor had reacted negatively to upon learning that KPMG had the list of inspections, as had a KPMG professional practice partner. KPMG then conducted an internal investigation and took various actions, including terminating Marcello in April 2017.

The end result was that six KPMG auditors had their careers tainted with federal wire fraud and related charges, as well as bars from appearing or practicing before the SEC. In addition to the financial sanction, Marcello was censured under SOX § 105(c) and PCAOB Rule 5300(a)(5) for his failure to supervise. But he was not prohibited from being affiliated with a PCAOB-registered firm.

The absence of a bar is perhaps the result of settlement negotiations and Marcello's apparent position that he did not know of the impropriety of having the information. As the PCAOB said, he "should have recognized" that obtaining this type of information from a PCAOB database "was inappropriate."

The takeaway

The egregiousness of the KPMG scandal was noteworthy and it is certainly possible that the PCAOB's use of the failure-to-supervise provision was primarily due to the gravity of Marcello's nondisclosure. The misconduct was obviously an embarrassment not only to KPMG, but to the PCAOB itself. That fact may help explain the supervisory failure charge.

But if this matter is any indication, the PCAOB may well intend to aggressively pursue audit-firm officers who fail to reasonably supervise audit personnel and appropriately report any violations. Whether this action proves to be unique or the start of a larger enforcement trend remains to be seen.²

Footnotes

1. See Section 105(c) of the Sarbanes-Oxley Act of 2002 (SOX).

2. The PCAOB's press release and a link to the order imposing sanctions are available here: https://bit.ly/3rCb1eF 

This article was published on Westlaw Today on April 20, 2022.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.