SEC and PCAOB regulations impose stringent requirements to ensure that auditors of SEC registrants are independent of their audit clients. In addition to prohibiting a wide range of financial relationships and non-audit services, SEC regulations require firms to have a “quality control system in place that provides reasonable assurance ... that the accounting firm and its employees do not lack independence....” Similarly, PCAOB rules provide that a registered accounting firm "shall have a system of quality control for its accounting and auditing practice,” including “[p]olicies and procedures ... to provide the firm with reasonable assurance that personnel maintain independence (in fact and in appearance) in all required circumstances....” These requirements apply to all firms, wherever located, that audit SEC registrants.
Historically, SEC and PCAOB enforcement activity relating to independence standards has focused on discrete instances of independence violations relating to prohibited financial relationships or the provision of prohibited non-audit services to audit clients. Several recent enforcement actions by both regulators, however, appear to signal an increased focus on the second prong of independence by imposing sanctions on firms for failure to maintain adequate internal quality controls to ensure independence from audit clients. These enforcement actions also suggest a new focus on non-U.S. affiliates of major international accounting firm networks and their systems of quality control over independence.
PCAOB enforcement orders highlight independence control deficiencies, including at non-U.S. audit firms
On August 1, 2019, the PCAOB announced a $100,000 civil monetary penalty as well as prospective compliance obligations against the Mexican member firm of a major international accounting network. The PCAOB’s disciplinary order not only identified specific instances of independence violations (relating to prohibited financial relationships with an unnamed bank client) but also sanctioned the firm for “fail[ure] to comply with PCAOB quality control standards” by failing to “suitably design, effectively apply, and appropriately monitor quality control policies and procedures to provide reasonable assurance” with respect to independence. The PCAOB noted that the firm had failed to detect three prohibited financial relationships between the firm’s partners and the audit client at the time of the initial engagement. Moreover, even after the firm had detected and remediated those relationships, it failed to discover that three other partners had prohibited financial relationships with the audit client for more than two years, calling into question the effective monitoring and application of the firm’s quality controls.
Similarly, on September 10, 2019, the PCAOB imposed sanctions on two prominent U.S. firms. In each case, the PCAOB not only cited specific conduct that was inconsistent with independence (hosting forums at which the firms allegedly promoted their audit clients to investors) but also sanctioned the firms for failing to “implement, effectively apply, and appropriately monitor quality control policies and procedures sufficient to provide reasonable assurance concerning the Firm's independence.” With respect to the quality control breach, the PCAOB order specifically noted that senior partners of the firms were aware of the prohibited conduct but failed to prevent it. In an unusual step, one of the PCAOB orders also imposed personal sanctions on the accounting firm’s partner in charge of independence for his role in the firm’s failure to maintain independence and adequate quality controls.
Recent SEC enforcement actions also reflect a focus on independence control systems and non-U.S. member firms of international networks
On February 13, 2019, the SEC entered into a cease-and-desist order with the Japanese member firm of a major international accounting network, as well as the member firm’s CEO and the firm’s head of independence, pursuant to which the firm paid a $2 million penalty and the individuals agreed to be suspended from practicing before the SEC. Notably, in addition to individual instances of prohibited financial relationships with the banking subsidiary of an audit client, the SEC alleged that the firm failed to maintain the required quality controls over independence, citing “systemic deficiencies” in the international member firm’s independence control system; inadequate staffing, training and supervision of the firm’s Office of Independence; and a policy of not disclosing the identities of independence violators, either internally or to audit clients, which allegedly impeded the ability to identify and correct violations.
Most recently, on September 23, 2019, the SEC entered into a cease-and-desist order with a major U.S. accounting firm, including a $3.5 million civil monetary penalty and $3.8 million disgorgement, in which the SEC alleged repeated violations of independence rules relating to prohibited services, circumvention of rules requiring Audit Committee approval of non-audit services, and failure to maintain adequate quality controls over independence as required by Rule 2-01 of Rule S-X. The SEC’s order identified four “breakdowns” in the firm’s quality control system that contributed to the underlying independence violations, including failure to properly evaluate the permissibility of non-audit services, particularly those presenting a high risk of independence violations; failure to review proposed audit services to ensure they did not include impermissible services; failure to monitor audit engagement teams to ensure they were not providing prohibited non-audit services to audit clients; and failure to ensure that proposed non-audit services were disclosed to clients’ Audit Committees.
Clients — including non-U.S. firms who audit SEC registrants — should ensure that their quality controls over independence are thoroughly documented, monitored and implemented
The recent SEC and PCAOB enforcement actions above highlight both agencies’ increased focus on systemic independence control issues, their willingness to impose sanctions on individuals charged with oversight of independence quality controls, and their increased scrutiny of non-U.S. firms that audit SEC registrants. These enforcement actions demonstrate that merely creating a system of quality control over independence can be insufficient — for example, if the firm fails to sufficiently monitor its system for potential violations and take firm, proactive measures to remediate known violations, to sufficiently identify potential violations, and to impose consequences for violations in appropriate cases. This is particularly important in the case of non-U.S. firms subject to SEC and PCAOB independence rules, which are facing increasing regulatory scrutiny of their independence controls. In short, the SEC and the PCAOB are looking beyond the independence quality control systems that exist on paper and scrutinizing all firms’ commitment to implementing those controls in practice. While all of these cases turn on their own facts and circumstances, increased vigilance in this area is prudent for affected audit firms.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.