On September 23, 2019, the Securities and Exchange Commission (SEC) announced it accepted an Order of Settlement offer from PricewaterhouseCoopers, LLP (PwC or the firm) related to nineteen (19) audit and review engagements performed for fifteen (15) SEC issuer audit clients between 2013 and 2016.
The SEC Settlement Order (Order) states that PwC performed prohibited nonaudit services for “Issuer A” that involved outsourced project management and other decision-making in connection with the design and implementation of a governance, risk and controls (GRC) system during the 2014 audit and professional engagement period. The SEC’s independence rules clearly prohibit independent auditors from designing and implementing systems such as GRC where the software aggregates source data or generates information significant to the clients’ financial statements or other financial systems as a whole.
In the PwC and a separate Order, PwC Partner Brandon Sprankle, was held personally responsible for causing violations of SEC and PCAOB rules with respect to Issuer A. According to the SEC, the partner:
• orchestrated and supervised the GRC engagement,
• mischaracterized the GRC and other internal control-related services in the firm’s engagement letters as audit services,
• pursued and accepted the GRC engagement despite knowing the services violated the SEC’s independence rules, and
• simultaneously served as an Information Technology specialist on Issuer A’s audit engagement team.
Also, in 2014, the PwC partner pursued and ultimately received approval for a second consulting project to upgrade Issuer A’s enterprise software and related programs (“the R12 project”). A PwC risk management group identified the proposed engagement as potentially prohibited nonaudit service (i.e., internal audit co-sourcing) and directed the partner to obtain a formal independence consultation, which the SEC says did not occur. Rather, the partner recharacterized the services as audit services in an addendum to the audit engagement letter, bypassing the firm’s internal approval process for nonaudit services. However, the services remained nonaudit services in nature and scope. late October 2014, PwC ceased working on the R12 project because of independence concerns raised by the PCAOB regarding the GRC engagement.
The firm also violated PCAOB Rule 3525, Audit Committee Pre-approval of Non-audit Services Related to Internal Control Over Financial Reporting, with respect to all fifteen (15) audit clients. That rule requires auditors to disclose the details of services related to internal controls over financial reporting (ICFR) in writing and then discuss them with the audit committee so the committee may evaluate the potential impact on the firm’s independence. The auditor is also required to document the substance of the discussion. Instead, the services PwC included in its communications with these clients’ audit committees were mischaracterized as audit services. The SEC described other instances of prohibited nonaudit services performed for other issuers in this group of clients that the firm provided as “audit services,” e.g., GRC engagement (Issuer B) and ICFR-related services involving software design and implementation (Issuers C and D).
PCAOB Interim Standards (AICPA Code)
The Order also stated that, in connection with the GRC-related work, the partner provided material, non-public information concerning Issuer A to a software company without Issuer A’s consent. That is, when pursuing the work with Issuer A, he regularly communicated, and shared strategies and information, with a third-party GRC sales representative, which violated PCAOB Rule 3500T, Interim Ethics and Independence Standards, specifically AICPA ethics standard requiring he perform professional services integrity.
Quality Control System
According to the SEC, the “breakdown” in the firm’s system of quality controls caused PwC’s failure to:
• adequately evaluate the nature and scope of proposed non-audit service engagements for permissibility,
• properly characterize work as audit or non-audit services,
• review and monitor non-audit work being performed for audit clients to confirm the services were permissible, and
• properly describe to audit committees of SEC-registrant clients the nature of the audit and non-audit services to be provided.
Ethics and Independence Violations
The SEC found that the firm and partner violated:
• SEC and PCAOB rules (as described above);
• Rule 2-02(b)(1) of Regulation S-X, by stating the firm was independent when it was not.
• Section 4C of the Exchange Act and Commission Rule of Practice 102(e)(1)(ii), by engaging in improper professional conduct.
Recognizing remedial actions already taken by the firm and its cooperation in the investigation, the SEC Order requires PwC to:
• provide all audit personnel a copy of the Order; and
• undertake actions to enhance policies and procedures related to the performance of nonaudit services in accordance with SEC and PCAOB independence rules and submit written reports as detailed in the Order to the SEC’s enforcement division regarding these actions and improvements.
The SEC sanctions on PwC and/or the partner were:
• Cease and desist from committing or causing any violations or future violations of Rule 2-02 of Regulation S-X and from committing or causing any violations or future violations of Section 13(a) of the Exchange Act (both).
• Censure (both).
• Comply with the undertakings to improve its independence policies and procedures as described in the Order (PwC).
• Deny the partner the privilege of appearing or practicing before the Commission as an accountant (as preparer or reviewer of public company’s financial statements or an independent auditor) for at least four (4) years, after which he may request reinstatement.
• Disgorgement of $3,830,213, plus prejudgment interest of $613,842, and a civil money penalty in the amount of $3,500,000 (PwC) and a $25K civil money penalty on the partner.