On February 13, the Securities and Exchange Commission (SEC) announced that it had settled charges against Deloitte's Japanese member firm and two of its executives for repeated and numerous violations of independence involving depository accounts held at a subsidiary of the firm's audit client, a financial holding company headquartered in Tokyo, Japan. The rule in question - Rule 2-01(c)(1)(ii)(B) of Regulation S-X - prohibits covered persons and their immediate families from having a checking, savings, or similar account at a bank that exceeds the amount insured by the Federal Deposit Insurance Corporation (FDIC) or a similar insurer.
Initial violation discovered. The firm first discovered that the CEO violated this rule in 2014 when he was selected for an internal independence inspection of his compliance with the rules. The firm took no action on the CEO's reported violation, which he said was caused by a lump sum deposit of partnership compensation. He also said he would change banks. The violation was not reported to the engagement team or the client. Completion of the CEO's inspection was delayed for several months due, in part, to a shortage of staff in the Independence Office. Upon conclusion of the inspection, the Director of Independence (at that time) issued the CEO a reprimand.
Disclosures of initial violation. Later in 2014, the Independence Office communicated several violations, including the CEO's, to the audit engagement team. Names of violators were not disclosed in keeping with the Japanese firm's policy; instead, they were referred to as "covered persons". In January 2015, the firm sent a semi-annual PCAOB rule 3526 letter to the client's audit committee, which included a statement about covered persons' independence violations. The fact that one of the violators was in the firm's chain of command was not disclosed until the firm issued its second PCAOB rule 3526 semi-annual letter in July 2015.
Additional violations discovered. In 2015, the firm learned that the CEO had other personal financial independence violations and voluntarily reported these and the other known violations to the SEC. The firm also engaged a law firm to conduct an independent investigation into the CEO's violations and why they were occurring. They conducted extensive, additional testing to see if other violations existed and learned that at various times between 2012 and 2016, eighty-eight (88) Deloitte Japan covered persons (including the CEO and the Reputation and Risk Leader / Director of Independence, had personal financial relationship violations with this client. Several of the violations resulted from partnership compensation distributions. The testing also uncovered violations of the SEC's rule for outstanding credit card balances.
Quality controls over independence. Given these events, the SEC concluded that Deloitte Japan's system of quality controls concerning independence did not provide reasonable assurance that the firm and its covered persons were complying with independence requirements, which they characterized as systemic deficiencies because the firm:
- failed to take corrective action after the first violations were discovered, which caused additional violations;
- failed to adequately supervise, train and staff the Independence Office; and
- had an internal policy of not disclosing the names of persons who violated the independence rules.
Findings. The SEC concluded that Deloitte Japan's failure to meet the requirements of Rule 2-01 of Regulation S-X constituted improper professional conduct under the Exchange Act and the Commission's Rules of Practice, as did the CEO and Director of Independence by personally violating the rules and failing to correct or disclose violations in a timely manner.
In total, these violations (the cause of which the SEC attributed to the CEO and Director of Independence) impacted the client's annual reports on Form 20-F for fiscal years 2013 through 2016.
In setting the terms of the settlement offer to the firm, the SEC considered the high level of cooperation the firm provided, which helped to expedite the SEC's investigation, and remedial actions the firm had already taken by, for example:
- barring covered members from having bank accounts with audit clients or their subsidiaries
- restructuring and significantly bolstering the staffing in the Independence Office
- ending its practice of keeping the names of violators secret in communications
- adopting stronger sanctions against violators of independence rules
- enhancing independence training and communications throughout the firm
- enhancing independence compliance quality controls, including monitoring activities
The SEC sanctions against the firm and the two executives included:
- a cease and desist order (all);
- denial of the privilege of practicing before the Commission as an accountant (both executives), with reinstatement a possibility after 2 years (CEO) and 1 year (Director of Independence);
- disgorgement, prejudgment interest and a civil money penalty totaling approximately $2,000,000 (firm); and
- censure (firm).