The Public Company Accounting Oversight Board imposed its largest ever penalty of $25 million against KPMG’s firm in the Netherlands, in addition to $2 million in fines against Deloitte’s firms in Indonesia and the Philippines, accusing the firms Wednesday of cheating on exams and sharing answers.

In the KPMG Netherlands case, the PCAOB posted two settled disciplinary orders sanctioning KPMG Accountants N.V. in addition to its former head of assurance, Marc Hogeboom, accusing them of violating the PCAOB rules and quality control standards pertaining to the firm’s internal training program and monitoring of its quality control system. The PCAOB said it found widespread improper answer sharing happening at the firm over a five-year period and that the firm made multiple misrepresentations to the PCAOB about its knowledge of the misconduct. The PCAOB learned of the exam cheating through a whistleblower report it received in 2022. 

“The growth and breadth of exam cheating in this case was enabled by the firm’s failure to take appropriate steps to monitor, investigate and identify potential misconduct,” said PCAOB chair Erica Williams during a press conference Wednesday. “Furthermore, during the course of our investigation, the firm submitted and failed to correct multiple inaccurate representations to the PCAOB. For example, the firm claimed to have no knowledge of answer sharing prior to the 2022 whistleblower report. Yet this could not have been true because members of the firm’s management board and supervisory board who signed off on that submission to the PCAOB have in fact cheated themselves. But it doesn’t end there. KPMG Netherlands’ CEO learned the submissions were inaccurate and failed to inform anyone until months later, when a second whistleblower came forward. Only then did the firm correct the inaccurate representations to investigators. This misconduct reveals an inappropriate tone at the top and a complete failure of firm leadership to promote an ethical culture worthy of investors’ trust.”

The sanctions imposed by the PCAOB included a $25 million civil money penalty on KPMG Netherlands — the biggest fine ever levied by the PCAOB — along with a permanent bar and $150,000 civil money penalty on Hogeboom.

KPMG Netherlands acknowledged the problems at the firm and its CEO apologized. The investigation revealed that from at least October 2017, over 500 people at the firm were involved in some form of improper conduct, including sending or receiving answers to training tests and providing or receiving assistance in taking such tests. The firm said the settlement reflects that KPMG Netherlands violated a number of PCAOB rules. 

“The conclusions are damning, and the penalty is a reflection of that,” said KPMG Netherlands CEO Stephanie Hottenhuis in a statement. “I deeply regret that this misconduct happened in our firm. Our clients and stakeholders deserve our apologies. They count on our quality and integrity as this is our role in society, with trust as our license to operate.”

The firm said that after the investigation, people, at all levels of seniority, who participated in answer sharing have been sanctioned, and some of them had to leave the firm. After the second whistleblower notification, with regard to a member of the management board, all members of the board of management and supervisory board were subject to additional personal investigations into their involvement in answer sharing. The investigation led to the departure of the former head of assurance as a partner in the firm. The chairman of the supervisory board resigned after admitting he had received assistance in completing a training test.

The PCAOB and the Dutch Authority for the Financial Markets conducted parallel investigations, and the Dutch AFM separately imposed enhanced supervision measures under Dutch law to prevent recurrence of such behavior.

KPMG Netherlands said it has now taken several targeted remedial measures and is working on further improvements in policies and procedures relating to the assessment of mandatory training and internal culture. The remediation process is under the enhanced supervision of the AFM. The supervisory board of KPMG Netherlands will also monitor this closely.

“It is a hard lesson, and we are learning from this,” said Hottenhuis. “We have reviewed our approach to mandatory testing and made meaningful changes to our learning and development programs. We also have implemented controls to monitor whether training tests are being completed appropriately and will continue to do so going forward. We will continuously improve, and we must ensure we do our training sessions appropriately, sustainably.”

KPMG Netherlands also plans to encourage its employees to speak up about improper behavior. “This is a significant failure in our duty to serve the public interest,” said Hottenhuis. “Trust is essential in our business, and we must learn from this and make a change in our culture and behavior. Additional programs on ethical decision making are being rolled out for all teams. This is a critical topic that will remain on the agenda of all leaders and for everyone at our firm.”

The PCAOB said that from 2017 until 2022, hundreds of professionals at KPMG Netherlands engaged in improper answer sharing — either by providing access to test questions or answers, or by receiving such access without reporting it — in connection with tests for mandatory firm training courses. The courses related to different topics, including U.S. auditing standards, professional ethics and independence. The improper answer sharing reached as far as partners and senior firm leaders, including Hogeboom (who at the time was the firm’s head of assurance and a member of the firm’s management board). The growth of this widespread answer sharing was exacerbated by the firm’s failure to take appropriate steps to monitor, investigate and identify the potential misconduct. For example, starting in June 2020, the firm was aware that answer sharing had occurred at a KPMG service delivery center serving KPMG Netherlands and KPMG LLP in the United Kingdom, and the sharing had extended to the U.K. firm’s personnel. Nevertheless, KPMG Netherlands took virtually no steps to investigate potential answer sharing among its employees until a whistleblower reported the misconduct in July 2022.

Without admitting or denying the findings, the firm and Hogeboom agreed to the PCAOB’s respective orders against them. KPMG Netherlands was censured and agreed to pay a $25 million civil money penalty. The firm also agreed to review and improve its quality control policies and procedures to provide reasonable assurance that its personnel act with integrity in connection with internal training, and to report its compliance to the PCAOB. Hogeboom was censured, permanently barred from being an associated person of a registered public accounting firm, and agreed to pay a $150,000 civil money penalty.

Attorneys for Hogenboom and KPMG Netherlands did not immediately respond to requests for comment.

Deloitte Indonesia and Philippines

In the cases involving Deloitte’s member firms in Indonesia and the Philippines, the investigations also uncovered problems with exam cheating and answer sharing on training tests and coverups at high levels of the firms.

The PCAOB announced three settled disciplinary orders sanctioning Imelda & Raken (Deloitte Indonesia), Navarro Amper & Co. (Deloitte Philippines), and the Philippines firm’s former national professional practice director, Wilfredo Baltazar, for violating PCAOB rules and quality control standards relating to the firms’ internal training programs and monitoring of their systems of quality control that led to pervasive cheating.

From 2017 to 2019, the PCAOB said Deloitte Philippines’s audit partners and other personnel engaged in widespread answer sharing — either by providing answers or using answers — or received answers without reporting such sharing in connection with tests for mandatory firm training courses. On at least six occasions, Baltazar, who was the partner who was supposed to be responsible for e-learning compliance, shared answers to training assessments with other audit partners at the firm. (He has since left the firm.) Attorneys for Baltazar and the firms did not immediately respond to requests for comment.

From 2021 to 2023, over 200 professionals at Deloitte Indonesia engaged in answer sharing. The firm’s failure to detect and deter improper answer sharing by its personnel happened despite numerous warnings from Deloitte Global and regional leadership that answer sharing was impermissible.

Without admitting or denying the findings, Deloitte Indonesia, Deloitte Philippines and Baltazar agreed to the PCAOB’s respective orders against them. Deloitte Indonesia and Deloitte Philippines were censured, and each agreed to pay a $1 million penalty. The firms also agreed to review and improve their quality control policies and procedures to provide reasonable assurance that their personnel act with integrity in connection with internal training, and to report their compliance to the PCAOB.

Baltazar was censured, barred from being an associated person of a registered public accounting firm with a right to apply to terminate his bar after three years, and agreed to pay a $10,000 civil money penalty that reflects his financial resources. The PCAOB said it would have imposed a civil money penalty of $50,000 if it hadn’t considered his financial resources.

“Today’s orders demonstrate that an inadequate tone at the top, particularly with regard to issues of integrity and personnel management, can permeate all levels of a firm,” said Robert Rice, director of the PCAOB’s Division of Enforcement and Investigations, in a statement.

Since 2021, the PCAOB has sanctioned nine registered firms for quality control deficiencies related to the inappropriate sharing of answers on internal training exams.

“I want to be very clear: The PCAOB will not tolerate exam cheating, nor any other unethical behavior period,” said Williams. “Impaired ethics erode trust and threaten the investor confidence our system relies on. The PCAOB will take action to hold firms accountable when they fail to enforce culture, honesty and integrity.” 

Accounting Today asked Williams during the press conference whether the new standards proposed Tuesday for firm reporting and engagement metrics would have ferreted out such conduct.

“The goal of those proposals is to provide consistent information about audit firms in their audit engagements to help bolster confidence in our markets and strengthen oversight and empower investors and audit committees as they make informed decisions in order to help drive product quality forward,” Williams responded. “As I noted yesterday, I look forward to reviewing all the input we receive and encourage anyone who’s interested to submit a comment.”

Record levels of enforcement activity

The PCAOB has been cracking down on firms and auditors alike, according to a report released Wednesday by Cornerstone Research. 

The report found the PCAOB publicly disclosed 46 total enforcement actions, 37 of which related to the performance of an audit (auditing actions), an increase of more than 28% from 2022. Twenty-nine of the 37 auditing actions were concluded in the second half of 2023, matching the total number of auditing actions for 2022. Monetary penalties totaled $19.7 million, nearly doubling the previous record of approximately $10.5 million in 2022.

“There was a notable shift in the types of respondents in 2023 auditing actions,” said Jean-Philippe Poissant, who co-authored the  report and is co-head of Cornerstone Research’s accounting practice, in a statement. “In the past, two-thirds of respondents were individuals. Yet in 2023, two-thirds of respondents were firms. This shift was the result of a substantial jump in the number of auditing actions that only involved firms.”

The great majority — 79% — of the auditing actions in 2023 included alleged violations of auditing standards. Some 60% of those actions included additional allegations related to ethics and independence standards, quality control standards or both. For the first time, the PCAOB included allegations related to critical audit matters, or CAMs, in enforcement actions, with three actions including such allegations.

Of the $19.7 million in total monetary penalties in 2023, $18.8 million were imposed on firms, nearly twice the $9.5 million imposed on firms in 2022. Some 15% of the firm respondents were required to obtain an independent consultant.

Many of the penalties involve firms outside the U.S., as in the cases today involving Big Four affiliates in the Netherlands, Indonesia and the Philippines.

“More than two-thirds of the PCAOB’s record-setting monetary penalties were imposed on non-U.S. respondents in 2023, even though non-U.S. respondents accounted for less than half of the auditing actions during the year,” said Russell Molter, a principal at Cornerstone Research and report co-author, in a statement. 

The number of respondents in auditing actions totaled 53, a 23% increase over 2022, according to the report. The PCAOB settled four actions involving three China-based firms after securing access to inspect and investigate Chinese firms in 2022.

For the second year in a row, there were no enforcement actions related to a company’s disclosure of a material weakness in internal control. In contrast, SEC enforcement actions that referred to an announced restatement and/or material weakness in internal control reached their highest levels in recent years.

Violations of quality control standards were alleged in more than half of the actions involving firm respondents. Nearly 80% of the total monetary penalties in 2023 were assessed on just six defendants. The proportion of individual respondents who were barred increased from 64% in 2022 to 85% in 2023.

Enforcement activity appears to be on course for another record-setting year in 2024.

“This board set a goal to strengthen PCAOB enforcement, and we are doing just that,” said Williams during Wednesday’s press conference. “As of today, the PCAOB has imposed $34 million in penalties this year alone, and it’s only April. We set a record in 2022. We broke that record in 2023, and we are breaking it again today.”