KPMG agreed to pay a $50 million penalty and review its ethics and integrity controls as a settlement with the Securities and Exchange Commission (SEC) for charges that the firm altered past audit work papers after illegally obtaining information from the Public Company Accounting Oversight Board (PCAOB).
KPMG admitted that it received leaked information from former PCAOB employees who had joined or were seeking employment with KPMG. Five partners then illegally obtained a list of audit targets in an effort to review and repair any potential deficiencies before they could be found. The partners were aiming to improve over a 2013 audit where PCAOB found more than half of the inspected KPMG audits to be deficient.
KPMG also admitted to charges that some of its employees cheated on internal training exams that were required by a prior SEC order for the firm’s previous audit failures. The charges alleged that employees who passed the exam shared answers with their colleagues. Additionally, professionals at the firm hacked into the server and changed the minimum score required to pass the exam, passing even employees who had final scores of only 25 percent.
Importance of Due Diligence Investigations
This case demonstrates that even large and reputable firms sometimes have bad actors that can place the company and its clients at risk. In order to protect your firm and clients from this type of activity at third-party service providers, financial service firms should have robust initial due diligence investigations and annual due diligence reviews.
All types of financial services firms are required to perform initial and annual due diligence investigations on third-party service providers. All initial investigations should include inquiries into the firm’s background and qualifications, including the background and qualifications of firm management, current or previous litigation or compliance violations, policies and procedures, conflicts of interest, privacy and cybersecurity policies, business continuity plans, and insurance coverage. Further questions should then be customized depending on the type of services provided.
Performing Thorough and Efficient Due Diligence Investigations
To protect your firm and clients in a case like this one, asking due diligence questions about company structure, tone at the top, company culture, policies and procedures, and information security controls (both internal and external) will highlight how the service provider will respond to incidents where its employees are found to have violated regulations or laws. It is critical that service providers have plans to respond to such violations.
It is also important that your risk management team include your firm’s subject matter experts to help ensure all necessary questions are included in due diligence investigations. For example, when performing due diligence on an information technology provider, the questions should be developed, and the responses reviewed, in collaboration with your firm’s information technology officer or team.
For more information on due diligence, listen to Core Compliance’s CCO Buzz podcast episode on due diligence, in which Senior Compliance Consultant Kurt Nuñez discusses best practices in developing policies for your firm.
If your firm needs assistance developing a due diligence program that is comprehensive, effective, and efficient, Core Compliance and our team of experts may advise you on developing policies and procedures, questions to consider and documents that will be helpful in both meeting regulations and mitigating risk for your firm. Contact us today for assistance.