Case 4-9 PwC Mischaracterizes Nonaudit Services

PwC violated SEC rule 2-02(b) of Regulation S-X and PCAOB Rule 3525 by engaging in improper professional conduct in violation of the independence rules on audit clients. This case is unique because the firm had mischaracterized certain nonaudit services as part of the audit engagement to skirt its ethical responsibilities under SEC and PCAOB rules.

In 2014, PwC performed nonaudit services for an audit client concerning Governance Risk and Compliance (GRC) software. According to AAER No. 4084, GRC systems are used by companies to coordinate and monitor controls over financial reporting, including employee access to critical financial functions. The client intended to use the GRC software to generate information as part of the companys control environment and to provide data to assist personnel in forming conclusions regarding the effectiveness of internal controls related to financial information systems. At the time, the GRC system was being implemented, it was intended to be subject to the internal control over financial reporting audit procedures.

As stated in AAER No. 4084, the SEC rules prohibit independent auditors from designing and implementing systems such as GRC where the software aggregates source data or generates information significant to the clients financial statements or other financial systems as a whole. Designing, implementing, or operating systems affecting the financial statements can result in the accountant auditing his or her own work or attesting to the effectiveness of internal control systems designed or implemented by that accountant. The independence rules also prohibit an independent auditor from performing management functions.

Communications between PwC and its audit client show that the clients head of internal audit was concerned whether the firm could provide an implementation proposal and inquired about auditor independence. Brandon Sprankle, who was the partner responsible for supervising the performance of prohibited nonaudit services, violated SEC Rule 2-02 when he responded that we are absolutely permitted to implement so there will be no issues. . ., even though he was aware that the firms independence policies did not allow it or him to implement the GRC system.

Communications with the client show the disconnect between the clients expectations and how PwC was describing its information systems services ostensibly to skirt the requirement not to perform certain nonaudit services for audit clients. An e-mail from the then head of internal audit of the client, who objected to the description of services contained in the draft engagement letter, informed PwC that the proposed work was an implementation project thats been outsourced to the firm.

The final engagement letter described the work on the GRC project as performing assessments and high-level recommendations even though an internal PwC communication had characterized the engagement as a design and implementation project. Exhibit 1 summarizes key communications over time.

EXHIBIT 1

Timeline of PwCs Design and Implementation of the Financial-Related Information System. In seeking internal authorization to perform the nonaudit GRC work, Brandon Sprankle drafted an engagement letter for approval by PwCs Risk Assurance Independence (RAI) group, an independencereviewer within his business unit. In the draft engagement letter, Sprankle described the proposed services as assessing multiple areas, and providing observations and recommendations, as opposed to designing and implementing the GRC project. This description was inconsistent with Issuer As expectation that PwC would conduct a design and implementation project as previously communicated to Sprankle.

Internal Auditors Objections

In early June 2014, Issuer A again puts Sprankle on notice that it expected PwC to design and implement a GRC solution for Issuer A and to manage the project. After Sprankle sent the draft engagement letter, Issuer As then-Head of Internal Audit objected to the description of the services contained in the draft engagement letter. In the e-mail, he informed Sprankle that the proposed work was an implementation project thats been outsourced to PwC. Sprankle thereafter met with the then-Head of Internal Audit, who understood from speaking with Sprankle that PwC would substantially design and implement the GRC module and would perform project management functions. At the time, PwC was continuing its audit of Issuer A for fiscal year 2014 and, due to Issuer As prior accounting errors, performing additional audit work for fiscal years 2011 and 2012. The Head of Internal Audit was concerned that PwC would be performing internal audit-type services.

The final engagement letter for the GRC project described the work as performing assessments and high-level recommendations. However, as internal PwC communications reflect, certain PwC employees characterized the engagement as a design and implementation project. For example, in a July 2014 e-mail, a PwC manager communicated his view to Sprankle that the project involved the implementation of a financial-related information system.

In August 2014, PwC began the GRC work. To start the work, another PwC manager, who Sprankle supervised, instructed a PwC associate to prepare a design document: I need you to immediately begin working on creating a design document for how [the GRC module] will be built for the [GRC] rules we already know about. Below are the SOD [Segregation of Duties, an internal control concept allocating duties among employees] rules we know we need to build . . . .

Management of the Project

From August through mid-October 2014, PwC employees under Sprankles supervision managed the project, performed substantial design work, configured the design on a nonproduction server, and provided oversight and direction for the implementation to a live environment. According to its senior manager for IT Internal Audit: Issuer A had little involvement in the assessment and design phase of the project; further, Issuer A lacked the technical expertise to configure the system; and, although Issuer A ultimately had to approve the work, Sprankle and PwC employees under his supervision exercised decision-making authority in designing and configuring the GRC module.

As the project progressed in September 2014, the PwC manager e-mailed the senior manager for IT Internal Audit at Issuer A, who had oversight of the project, and copied Sprankle, about problems with the GRC server and application that needed to be addressed before PwC could perform development work: We identified some critical issues that need to be resolved before we can get in there and do the development.

Throughout the course of the GRC engagement, Issuer A considered PwC to be the system implementer and deferred to PwC on best practices for settings that needed to be included in the system. Further, according to the senior manager for IT Internal Audit, Issuer A allowed PwC to make those decisions for us and, although an Issuer A employee would technically have his hands on the keyboard, a PwC employee, under Sprankles supervision, managed the process and directed the Issuer A employee on what actions to take.

SEC/PCAOB Rule Violations

The firm agreed to pay over $7.9 million to settle charges with the SEC that it performed prohibited nonaudit services during an audit engagement including exercising decision-making authority in the design and implementation of software relating to an audit clients financial reporting and engaging in management functions.

The firm violated PCAOB Rule 3525 by failing to describe in writing to the audit committee the scope of work, discuss the potential effects of work on independence, and document the substance of the independence discussion. These actions deprived the issuers audit committee of information necessary to assess PwCs independence. The violations occurred due to breakdowns in PwCs independence-related quality controls, which resulted in the firms failure to carefully review and monitor whether nonaudit services for audit clients were permissible and approved by clients audit committee.

This case illustrates a concern that in some cases audit firms are misrepresenting nonaudit services as part of the audit services to get around the rules that prohibit certain nonaudit services for audit clients. Purposely doing so misleads the users of financial statements about the independence of the client.

Please read case 4-9 above, answer the questions below (at least 250 words), and create one multiple choice question based on the case with four answer choices. Include the correct answer.

1. Identify any threats to independence that existed in this case. Explain how and why PwC ignored those threats to independence.
2. How would you characterize this case from the perspective of corporate governance at PwC and implementation of its own quality controls?
3. What ethical norms did PwC partner Brandon Sprankle violate?