An Audit Quality Inspection Scandal: Ethical Lapses in a Misguided Attempt to Alleviate Regulatory Scrutiny John D. Keyser Case Western Reserve University

Jason L. Smith University of Nevada, Las Vegas

Nathaniel M. Stephens Brigham Young UniversityHawaii ABSTRACT: In 2017, KPMG discovered that several high-ranking partners in its Department of Professional Practice (DPP) had surreptitiously obtained highly confidential information on upcoming PCAOB inspections. In obtaining this information, these KPMG partners were able to anticipate and prepare for PCAOB inspections, causing the firms inspection deficiency rate to plummet and its executives to tout the success of their efforts to improve audit quality. Once the firm discovered the scandal, the individuals involved were terminated, and six of them were ultimately convicted of felonies. This case study introduces students to relevant auditing standards, audit quality concepts, and facilitates discussion of a number of ethical issues. Learning objectives for this case include obtaining an understanding of the PCAOB and its inspection program, understanding audit documentation standards, demonstrating the ability to evaluate ethical issues, applying the fraud triangle in a unique setting, and assessing responsibility for the various parties involved. Keywords: PCAOB inspections; Auditing Standard 1215; confidential information; audit quality.

I. CASE

A Rising Star at KPMG

fter graduating from his hometown University of Cincinnati in 1987, David Middendorf began his career as an auditor with Peat, Marwick, Mitchell & Co., known today as KPMG.1 He was assigned to work on the audit engagement for one of the largest retail companies in the United States, Federated Department Stores (known today as Macys), where he gained valuable experience and knowledge about the retail industry.

We appreciate helpful comments and suggestions provided by Melissa Carlisle, Chad Simon, and students and instructors who used the case in their classes. Professor Keyser is grateful for support provided by the Weatherhead School of Management at Case Western Reserve University. Professor Smith gratefully acknowledges support of an EY Faculty Fellowship at the Lee Business School at the University of Nevada, Las Vegas. Professor Stephens is grateful for the support of the Jon M. Huntsman School of Business at Utah State University and the Faculty of Business and Government at Brigham Young UniversityHawaii. All errors are our own. John D. Keyser, Case Western Reserve University, Weatherhead School of Management, Cleveland, OH, USA; Jason L. Smith, University of Nevada, Las Vegas, Lee Business School, Las Vegas, NV, USA; Nathaniel M. Stephens, Brigham Young UniversityHawaii, Faculty of Business and Government, Laie, HI, USA. Supplemental materials can be accessed by clicking the links in Appendix D. Editors note: Accepted by Elizabeth Dreike Almer. Submitted: January 2021 Accepted: September 2021 Published Online: January 2022

1 Unless otherwise cited, the details of this case are obtained from the trial transcripts (United States of America v. David Middendorf and Jeffrey Wada 2020) and the SEC Enforcement Action against KPMG (SEC 2019). 109 Middendorf moved to New York City in 1997 to complete a two-year national office rotationa rite of passage for high- performing senior managers that is designed to enhance their technical skills before an anticipated promotion to partner. After being promoted to partner during his rotation in New York, Middendorf returned to Cincinnati in 1999 to serve as lead audit engagement partner for Federated Department Stores, which had grown to become the nations largest retail company. When Congress passed the Sarbanes-Oxley Act of 2002, it included a requirement that the lead engagement partner rotate off an audit every five years (U.S. House of Representatives 2002). As a result, Middendorf was forced to step down as lead engagement partner for Federated Department Stores after the 2003 audit. In July 2004, KPMG reassigned him to Dallas to serve as the lead engagement partner for JCPenney. At the end of his five-year tenure with that engagement, Middendorf moved to Atlanta in 2009 to become the lead engagement partner for The Home Depot, Inc. (Home Depot). In addition to his responsibilities for Home Depot, Middendorf began a five-year term on the KPMG Board of Directors and was named the Business Unit Professional Practice Partner for the Mid-South, consisting of Georgia, Alabama, Tennessee, and Mississippi. As his five-year limit as engagement partner for Home Depot approached, KPMG promoted Middendorf in June 2014 to the National Managing Partner of Audit Quality and Professional Practice. By demonstrating an admirable work ethic, effective leadership, and a willingness to be a team player, Middendorf was trusted to be ultimately responsible for audit quality for all of KPMG, one of the worlds largest public accounting firms.

PCAOB Inspections and Audit Quality Concerns Following a series of high-profile accounting frauds in the late 1990s and early 2000s, Congress passed the revolutionary Sarbanes-Oxley Act (SOX) in 2002. Among other things, SOX created the Public Company Accounting Oversight Board (PCAOB) to oversee the audit of public companies ... in order to protect the interests of investors and further the public interest in the preparation of informative, accurate, and independent audit reports (U.S. House of Representatives 2002). One of the key mandates that Congress gave the PCAOB was to regularly inspect the quality of audits being performed for publicly traded companies. The PCAOB inspects KPMG and other large accounting firms each year by selecting audits from among the firms more challenging engagements.2 After firms complete their audits, the PCAOB notifies the firms which audits will be inspected. The PCAOB inspectors generally focus on higher-risk areas of an audit, looking for any evidence that the firm failed to perform necessary or required audit procedures or that it failed to obtain or evaluate sufficient appropriate evidence. Because the general results of these inspections are reported to the public, firms feel significant pressure to achieve relatively high marks for the quality of their selected audits.3 Research has documented the pressure felt by auditors, through surveys of practicing audit partners that reveal the auditors believe their exposure to litigation risk is higher due to PCAOB inspection reports (Houston and Stefaniak 2013), and from interviews of practicing audit partners that document a fear of enforcement action by the PCAOB against firms with poor inspection outcomes (Johnson, Keune, and Winchel 2019). At the time that Middendorf took over as Managing Partner of Audit Quality, KPMG was not performing well during its PCAOB inspections. For example, PCAOB inspectors had identified severe deficiencies in 48 percent (23 out of 48) of the audits they inspected in 2013 (PCAOB 2014). Inspection results were even worse in 2014, when the deficiency rate increased to 55 percent (28 of 51, PCAOB 2019). To make matters worse, KPMGs disappointing inspection results were publicly criticized in the press, including an article that contrasted the firms declining performance (i.e., 55 percent deficiency rate) against the overall improvements being made by other Big 4 audit firms (i.e., against their average deficiency rate of 39 percent) (Rapoport 2015). Because KPMG audits more large banking institutions than any other public accounting firm, it was especially concerning that many of KPMGs deficiencies related to the firms banking clients and, specifically, their estimated allowances for loan losses. Two months after the 2014 PCAOB inspection report was issued in October 2015, KPMG leadership met with all five PCAOB Board members. Members of the Board harshly criticized KPMG for its poor inspection results and its failure to swiftly remediate identified deficiencies. A few months later, in February 2016, KPMG was called to meet with leaders at the Securities and Exchange Commission (SEC) in what was referred to by some in the SEC as a come to Jesus meeting due to the serious concerns regarding the performancethe inspection, performance, and the responsiveness of the firm (United States of America v. David Middendorf and Jeffrey Wada 2020). During this meeting, the Chairwoman of the SEC and the SEC Chief Accountant criticized KPMGs inspection results, performance, and responsiveness. In order to protect KPMGs reputation and his own career, David Middendorf knew he needed to reverse the negative trend in inspection findings.

2 Firms auditing more than 100 U.S. public companies are inspected each year. Firms auditing 100 or fewer public companies are inspected at least once every three years. 3 See a detailed overview of PCAOB inspections at: https://pcaobus.org/oversight/inspections/basics-of-inspections Improving Audit Quality: Any Means to an End Following the severe criticisms of regulators that had the authority to censure or bar the firm from performing public- company audits, Middendorf implemented several strategies to reduce the deficiency rates as identified in PCAOB inspections. One of these strategies was to recruit and hire former PCAOB inspectors to work in KPMGs national office. Once hired by KPMG, these former PCAOB inspectors were assigned to consult with engagement teams and perform in-flight reviews of audit engagements. In other words, they reviewed audit workpapers while the audit was ongoing and provided suggestions to engagement teams to better comply with PCAOB standards and to increase the likelihood of successfully passing an inspection, if that engagement was ultimately selected by the PCAOB. KPMG used this strategy to hire several former PCAOB inspectors before and during Middendorfs tenure. Any employee KPMG hired who had been employed by PCAOB remained subject to compliance with the PCAOB Ethics Code, a requirement of employment with the PCAOB. Ethics Code No. 9 imposes a lifetime prohibition on disclosure of confidential PCAOB information. Ethics Code No. 9 states: Unless authorized by the Board, no Board member or staff shall disseminate or otherwise disclose any information obtained in the course and scope of his or her employment, and which has not been released, announced, or otherwise made available publicly. The provisions of this Section shall continue in effect after the termination of employment or Board membership. (PCAOB 2016)

Year 1: 2015 In May 2015, KPMG hired a former PCAOB inspector named Brian Sweet, who had been assigned to the KPMG inspection team while at the PCAOB. Given his experience and KPMGs objective of improving its performance during annual PCAOB inspections, the firm immediately granted Sweet the rank and title of partner. Just prior to leaving to join KPMG, Sweet downloaded confidential information from the PCAOBs computer network that he thought might be beneficial to him in his career at KPMG. The confidential information he downloaded included inspection-planning information, inspection guides and manuals, lists of inspection-selection criteria, and the list of KPMG engagements selected for inspection in 2015. After he downloaded this confidential information, Sweet transferred the files to his personal computers hard drive. On his first day of employment at KPMG, Sweet went to lunch with several of the firms partners, including, among others, David Middendorf and David Britt. The partners expressed interest in Sweets experiences at the PCAOB and asked questions about his time as an inspector. At one point, Middendorf speculated that the PCAOB had selected Wells Fargo for upcoming inspections, a suspicion that Sweet confirmed. Middendorf was so happy that he slapped the table and said, I knew it! (United States of America v. David Middendorf and Jeffrey Wada 2020, 3116). The next day, Middendorf suggested that Sweet could add more value to the firm by being fully open with inspection- selection information. He also reminded Sweet that his paychecks now came from KPMG and that he needed to be completely loyal to the firm. Later that week, Tom Whittle, KPMGs National Partner-In-Charge for Quality Measurement, asked Sweet to provide the list of planned inspections for 2015. Sweet complied. After receiving Sweets email, Whittle forwarded the list to Middendorf with the message, The complete list. Obviously, very sensitive. We will not be broadcasting this (United States of America v. David Middendorf and Jeffrey Wada 2020, 3119). Separately, David Britt contacted Sweet to obtain the list of bank audits selected for inspection. Earlier in 2015, KPMG had hired Palantir, a data analytics firm, to help KPMG predict which of the firms audit engagements would most likely be selected for PCAOB inspection. Once Brian Sweet joined the firm, Middendorf and Whittle asked him to meet with Palantir and to share everything he knew about PCAOB inspection-selection criteria in order to improve the effectiveness of Palantirs prediction models. Sweet shared the confidential inspection-selection factor information he took from the PCAOB with Palantir, and he read portions of a PCAOB planning document that contained those factors to the KPMG partner in charge of leading the predictive analytics project with Palantir. One of Brian Sweets former colleagues from the PCAOB was Cynthia Holder. Before he left the PCAOB to join KPMG, Sweet discussed the possibility of Holder also coming to join the firm. In Sweets second week with KPMG, he remembered a document he had written while at the PCAOB and felt it would be useful to his new employer. Since he had not downloaded it, he requested the document from Holder. She emailed the confidential document to Sweet using her personal email account. Holder contacted Sweet on several other occasions to provide updates on inspection selections. She also consulted with him about whether to write a critical comment on a KPMG engagement that was under inspection. When Sweet advised her not to, she left the critical comment out of the inspection report. A few months later and following a personal recommendation by Brian Sweet, KPMG hired Cynthia Holder as Executive Director in its inspections group. Just as he had done when he left the PCAOB, Sweet advised Holder to download additional confidential PCAOB information prior to leaving the regulator to join KPMG. Year 2: 2016 After leaving the PCAOB in July 2015, Cynthia Holder remained in contact with her friend and former colleague at the PCAOB, Jeffrey Wada. Wada also desired a position at KPMG, but he wanted to wait for an anticipated promotion at the PCAOB before applying, believing he would receive a higher salary and a more prestigious position with KPMG if he waited until after his promotion. In an apparent attempt to ingratiate himself to KPMG, he secretly shared a partial list of the PCAOBs 2016 inspection selections with Cynthia Holder in March 2016, referring to it as his grocery list (United States of America v. David Middendorf and Jeffrey Wada 2020, 37). Holder shared Wadas grocery list with Sweet who, in turn, shared the information with Whittle, Britt, and Middendorf. Sweet told them the information came from a former colleague who was still employed by the PCAOB. Compared to the 2015 inspection information shared previously by Brian Sweet, this 2016 information came much earlier in the annual audit cycle. For many of the selected audits, the engagements were still within the 45-day documentation assembly period, which allowed the firm time to modify workpaper documentation related to the audits.4 Based on Wadas grocery list, Middendorf, Whittle, and Britt agreed to have Sweet and others conduct additional reviews of the workpapers for several of the selected engagements. Because the KPMG partners did not want to reveal that they were in possession of confidential PCAOB information, they informed firm personnel that they would be performing proactive additional reviewsreferred to in court testimony as stealth reviews (United States of America v. David Middendorf and Jeffrey Wada 2020, 933)on all 35 bank audits in KPMGs ALLL (Allowance for Loan and Lease Losses) monitoring program. In reality, they only reviewed workpapers for the banks that they knew had been selected for PCAOB inspection. As a result of these stealth reviews, additional documentation was added to the workpaper files to provide stronger support for their documented conclusions. These stealth reviews proved effectivethe PCAOB did not identify any deficiencies in the audits of the allowance for loan losses for the selected engagements.5 In addition to adding documentation to the workpaper files, the stealth reviews led to at least one instance in which the audit team identified a deficiency in the audit (i.e., insufficient sample size on third-party confirmations) and performed additional audit procedures to avoid a related comment during the upcoming PCAOB inspection. These stealth reviews were so effective that the PCAOB identified two of the selected audits as positive quality events, an accolade KPMG had never before received for an inspected bank audit. On the one hand, this was a welcome change; on the other hand, Thomas Whittle worried that results would deteriorate in subsequent years in the absence of inside, advance warning about PCAOB inspection selections.

Year 3: 2017 In early January 2017, Jeffrey Wada provided a new preliminary list of planned inspection selections to Cynthia Holder. Once Holder shared it with him, Brian Sweet used this list to alert the lead engagement partners for the audits that he predicted were likely to be selected for PCAOB inspection. Although he did not disclose that his predictions were actually based on inside information that came directly from the PCAOB, he did mention that he had been talking with a former colleague at the PCAOB. A few weeks later, Wada provided the final list of inspection selections to Cynthia Holder. In addition to the list of firms to be inspected, he even provided the specific focus areas for each selected engagement. Wada also provided a list of KPMG partners whom the PCAOB viewed as poor performers. Holder passed this information to Sweet, who reached out and scheduled a conference call with Middendorf and Whittle later that week. As he left a dinner appointment a few days later, Middendorf hopped into a cab and joined the scheduled conference call with Whittle and Sweet. Sweet recited the list as Middendorf took notes on his cell phone. He told Sweet, Hey Brian, this is information thats too good not to use (United States of America v. David Middendorf and Jeffrey Wada 2020, 1068). When he got home, Middendorf verified that all of the companies on the list were actually KPMG audit clients. The next morning, Middendorf reached out to tell his bossScott Marcello, Vice Chair of Audit for KPMGthat he had the list of audit engagements that the PCAOB was going to select for inspection, and most of those engagements were still active and open.

4 For more information on the audit documentation process, see the PCAOBs (2004) Auditing Standard 1215 at https://pcaobus.org/oversight/standards/ auditing-standards/details/AS1215 5 Following the public revelation of the scandal, the PCAOB selected ten new audit engagements to replace those originally inspected with KPMGs prior knowledge. Out of the ten new engagements, the PCAOB inspection team identified severe deficiencies related to ALLL in eight (80 percent) of those engagements. The Scheme Unravels After receiving the official inspection selection list from Cynthia Holder on February 3rd, Brian Sweet began contacting some of the engagement partners for selected engagements. One of those engagement partners became suspicious that Sweet had inappropriately obtained confidential information. She contacted the leadership in her office and eventually alerted the West Region Practice Partner, who called David Middendorf to inform him of the suspicion that Brian Sweet had inappropriately obtained confidential PCAOB information. Middendorf acknowledged that he was aware of the issue and that he had told [his] boss, Scott Marcello, and we were working on it (United States of America v. David Middendorf and Jeffrey Wada 2020, 2691). The West Region Practice Partner called Middendorf to follow up on Friday, February 10.6 She was disappointed that Middendorf had not yet alerted the PCAOB about the information breach. Over the weekend, Middendorf and Marcello discussed the issue. When they spoke again on Monday, February 13, Marcello told Middendorf they needed to contact KPMGs Chief Legal Officer. When they met with the Chief Legal Officer on Tuesday, February 14, they told him about the unauthorized 2017 information that Brian Sweet had obtained.

Aftermath and Fallout On April 11, 2017, KPMG announced it had terminated six individuals in its Audit Practice who had violated the firms Code of Conduct (KPMG 2017). Although they were not named in the press release, the individuals terminated that day were Scott Marcello, David Middendorf, David Britt, Tom Whittle, Brian Sweet, and Cynthia Holder. In a related press release, KPMG CEO Lynn Doughtie said: KPMG has zero-tolerance for such unethical behavior. Quality and integrity are the cornerstones of all we do, and that includes operating with the utmost respect for the regulatory process. KPMG is committed to the highest standards of professionalism, integrity and quality, and we are dedicated to the capital markets we serve. We are taking additional steps to ensure that such a situation should not happen again. (KPMG 2017) KPMG later paid a civil monetary penalty of $50 million to settle an SEC Enforcement Action related to this and another case involving continuing professional education (SEC 2019). What had been a remarkable and highly successful career came to a sudden and jarring halt for David Middendorf. Following several months of investigation, he was arrested at 5:45 in the morning on Monday, January 22, 2018. Middendorf was later led to court in leg shackles (Eaglesham 2019) wherefollowing a four-week trial with Brian Sweet and Thomas Whittle serving as key witnesses for the prosecutionhe was convicted in March 2019 of wire fraud and conspiracy to commit wire fraud. Middendorf was sentenced in September 2019 to one year and one day in prison followed by three years of probation. His firing, arrest, conviction, and sentencing serve as a sobering final chapter and a cautionary tale of how a professionals career and reputationbuilt over decades of hard workcan be jeopardized and destroyed when integrity and moral principles are set aside for personal or professional gain. David Britt, Tom Whittle, Cynthia Holder, and Jeffrey Wada were each also arrested. Jeffrey Wada was also found guilty and in October 2019 was sentenced to nine months in prison and three years of probation (Berman 2019a). Cynthia Holder pled guilty in October 2018 and was later sentenced, in August 2019, to eight months in federal prison followed by two years of probation (Berman 2019b, 2018). She was released from prison in June 2020. David Britt pled guilty and was sentenced in October 2020 to home confinement for six months to be followed by deportation to his native country, Australia (Berman 2019c; Bramwell 2020). Thomas Whittle pled guilty, and was sentenced in December 2020 to two years of probation (Bramwell 2020). Brian Sweet, the former PCAOB inspector who brought confidential information when he left PCAOB to join KPMG, pled guilty in January 2018 and later served as a key witness in trials of Middendorf and Wada. In November 2020, Brian Sweet was sentenced to three years of probation and restitution (Bramwell 2020).

II. CASE REQUIREMENTS

1. Title I of the Sarbanes-Oxley Act created the Public Company Accounting Oversight Board. a. According to Title I, what are the four primary responsibilities of the PCAOB? b. In your opinion, which of these responsibilities is most important? Why?

6 Laurie Mullen was the West Region Practice Partner who called David Middendorf and urged him to take appropriate action. Following these events, Mullen remained with KPMG as a partner until she retired in October 2020, concluding a successful career that began with the firm in 1983. 2. Refer to the PCAOBs auditing standards and identify the one(s) outlining audit documentation requirements. Cite the standard(s) as you respond to the following questions: a. What is the report release date? b. What is meant by the term documentation completion date? c. Explain the difference between the report release date and the documentation completion date. d. How long do auditors have, after the report release date, to assemble a complete and final set of audit documentation (i.e., the documentation assembly period)? e. If circumstances require auditors to modify audit documentation after the report release date, name the actions that are permitted and what additional requirements exist during the following periods: (1) Following the report release date, but prior to the documentation completion date (i.e., during the documentation assembly period). (2) After the documentation completion date.

3. Go to the PCAOB website to access relevant information to complete the following requirements: a. Based on the website, which firms are subject to PCAOB inspection? b. How does the PCAOB determine the frequency of inspections for a particular firm? c. Read a recent inspection report. According to the inspection report, what is the PCAOBs approach to inspections of registered accounting firms? (List the titles of the parts of the report.)

4. How important is it for PCAOB inspections to be announced only after the end of the documentation assembly period? Why?

5. Read Section 1.700.001 of the AICPA Code of Professional Conduct relating to confidentiality of information. a. What responsibility do CPAs have with regard to confidential information? b. How do those rules apply in this case?

6. Read Section 0.300.040, paragraphs .01.05, of the AICPA Code of Professional Conduct relating to integrity. a. According to the Code of Professional Conduct, why should CPAs perform all professional responsibilities with the highest sense of integrity? b. According to paragraph .04 of this Section, what two questions should individuals ask themselves when facing situationslike those in this casefor which specific rules, standards, or guidance may not provide clear direction on how to act?

7. In your opinion, what was the responsibility of KPMG executives Dave Middendorf, Thomas Whittle, and David Britt when ... a. Brian Sweet disclosed confidential inspection information to them during his first week of employment with the firm? b. they became aware, during the following year, that Brian Sweet was obtaining confidential information from existing PCAOB employees? (Note: To assist you in responding to relevant case requirements, Appendix A contains biographical sketches of each individual whose role is discussed in detail in the case).

8. Under Section 206 of the Sarbanes-Oxley Act, when an auditor resigns from the firm to accept a financial reporting position at an audit client, a one-year cooling off period is required to maintain the firms independence. In your opinion, should PCAOB inspectors be allowed to join a registered public accounting firm immediately upon resigning from the PCAOB? Should there be a cooling off period? Why or why not?

9. Evaluate the relative responsibility of each of the following parties in the audit quality inspection scandal by assigning a percentage to each individual. The percentages should sum to 100%. (Note: To assist you in responding to relevant case requirements, Appendix A contains biographical sketches of each individual whose role is discussed in detail in the case.) a. David Middendorf b. Brian Sweet c. David Britt d. Thomas Whittle e. Cynthia Holder f. Jeffrey Wada g. Scott Marcello

10. What were the consequences to each of the parties mentioned above for their roles in the scandal? In your opinion, were these consequences appropriate? Why or why not?

11. Refer to PCAOB quality control standards (https://pcaobus.org/Standards/QC/) in answering the following questions. a. What are the five elements of a firms quality control policies and procedures? b. Identify deficiencies in KPMGs quality control policies and procedures at the time of the audit quality inspection scandal. c. How would you describe the tone at the top at KPMG at the time of the audit quality inspection scandal?

12. Cresseys (1953) fraud triangle theory suggests three conditions that are present when an individual or group of individuals engage in fraudulent activities. These three conditions are: pressures, opportunities, and rationalization. Consider each of the aspects of the fraud triangle in answering the following questions. (Note: To assist you in responding to relevant case requirements, Appendix A contains biographical sketches of each individual whose role is discussed in detail in the case.) a. Provide examples of specific pressures that likely contributed to the various characters behavior described in the case. (Use the list of characters in (9) above in your answer.) b. What opportunities to commit this type of fraud were apparent in the case? c. How might each party have rationalized or justified his or her actions?