Wednesday, June 29, 2022

Ernst & Young's $100M penalty for ethics exam cheating is largest ever

By Rodney F. Tonkovic, J.D.

Ernst & Young will pay a $100 million penalty after admitting that its employees cheated on CPA ethics exams and that it hindered the SEC's investigation of the misconduct. The firm admitted that audit professionals cheated on various courses required to maintain CPA licenses. Ernst and Young also disclosed some misconduct to the Division of Enforcement but gave the misleading impression that there were no current issues with cheating and further failed to correct the submission after recurring cheating was confirmed. In addition to the penalty, Ernst & Young agreed to review its ethics policies and to retain two independent consultants to review both those policies and the firm's disclosure failures. The Commission notes that the penalty in this matter is the largest imposed against an audit firm to date (In the Matter of Ernst & Young LLP, Release No. 34-95167, June 28, 2022).

Software flaw exploit. In 2014, an internal whistleblower reported that a software flaw allowed continuing professional education exams to be passed without the required number of correct answers. Between 2012 and 2015 over 200 audit professionals in multiple offices had exploited this flaw, which allowed a passing score with as little as one correct answer. In addition to disciplining those who engaged in the misconduct, EY added prominent warnings to the exams and reminded its personnel that cheating violated the firm's Code of Conduct.

Despite these actions, audit personnel continued to cheat. In 2016, professionals in EY's Denver office shared answer keys; the staff of this office received a warning from their managing partner. After learning of more cheating in 2017, EY issued a warning to U.S. personnel that cheating on exams could lead to disciplinary action including termination. EY continued to warn its personnel not to cheat, but did not implement additional controls to detect misconduct.

No disclosure of recurring cheating. In June 2019, the SEC announced a $50 million penalty against another audit firm, KPMG, partially in connection with cheating on internal training exams. EY's U.S. Chair and Managing Partner then sent a message to all U.S. personnel regarding that matter. Soon afterwards, the Division of Enforcement formally asked whether EY had received any ethics or whistleblower complaints regarding testing. In response, on June 20, 2019, EY submitted a description of five matters "related to cheating or other misconduct on training programs and assessments."

EY's submission, however, created a misleading impression that there were no ongoing issues with cheating, and this was not the case. The order relates that on the day before the submission, an employee reported that they had received an email from a professional in the firm's audit containing the answer key to a CPA ethics exam. By June 21, senior EY attorneys had become aware of this tip, but EY's submission to the SEC was not corrected to include it.

By late 2019, an internal investigation had uncovered significant ongoing misconduct, confirming cheating by audit professionals in multiple offices. In addition to sharing answers for CPA ethics exams, the professionals cheated on a wide range of continuing professional education courses. These individuals acknowledged that they knew their conduct violated the Code of Conduct, but asserted that they cheated because of work commitments or because they could not pass after multiple attempts. The order emphasizes that 91 audit professionals cheated after they learned of the enforcement action by KPMG. Others who knew of the cheating, but did not themselves cheat, failed to report any misconduct, stating that they either did not realize that sharing exam answers was cheating or that they did not want colleagues to get into trouble.

By this time, EY's senior management and attorneys knew that cheating was still a problem and that this had not been disclosed to the SEC. The firm instead opted to inform the PCAOB, but not until four more months had passed. The SEC did not learn about the issue until March 2020, when the PCAOB notified the Commission about EY's disclosure.

Violations. The Commission found that EY conducted a robust internal investigation and had taken remedial steps to reduce the risk of recurring misconduct. But, the order says, "EY did not self-police, self-report, remediate, or cooperate in the Commission's investigation." Instead, EY withheld information and hindered the SEC's ability to take action. The Commission found that EY violated PCAOB rule 3500T, which requires firms and personnel to maintain integrity. EY admitted the facts underlying the findings and will pay a $100 million penalty and engage in extensive undertakings, including retaining two consultants to separately review the firm's policies and procedures and its conduct regarding the disclosure failures.

"This action involves breaches of trust by gatekeepers within the gatekeeper entrusted to audit many of our Nation's public companies. It's simply outrageous that the very professionals responsible for catching cheating by clients cheated on ethics exams of all things," said Gurbir S. Grewal, Director of the SEC's Enforcement Division. "And it's equally shocking that Ernst & Young hindered our investigation of this misconduct. This action should serve as a clear message that the SEC will not tolerate integrity failures by independent auditors who choose the easier wrong over the harder right."

The release is No. 34-95167.