6 min read

FRC sanctions against KPMG offer clues as to its approach towards enforcement generally

Read more

By Richard Highley & Julian Bubb Humfryes


Published 30 April 2020


While the headlines are dominated by COVID-19, the world of Public Interest Entity ("PIE") audit takes a back seat.  However, the two are interlinked.  COVID-19 is wreaking havoc with the financial statements of large corporates, and high-profile corporate collapses have always been a priority for FRC investigation.  COVID-19 looks likely to claim its casualties amongst household names, with all that this entails.

The FRC's latest settlement with a Big 4 firm will be read by other audit firms' professional risk teams  with a mixture of trepidation and resignation.  "Misconduct" is no longer the benchmark for sanctions.  Sanctions now follow a "breach of relevant requirements", which in lay terms means simply where there are serious, or several, breaches of audit standards.   


Re “an Unnamed company”: The findings

The FRC has sanctioned KPMG, and one of its partners, for audit failures in connection with a single audit year.  The FRC characterised these failings as, broadly, (i) a failure to exercise sufficient professional scepticism, and (ii) a failure to obtain sufficient appropriate audit evidence. The FRC handed down headline fines of £700,000 and £45,000 against the firm and individual respectively. (Both fines were then discounted by 35% for early settlement.)

The adverse findings related to audit work on the (unnamed) audit client's method for accounting for supplier rebates.  There were two forms of rebate. One was a discount where there was promotional activity, and which required no accounting judgement.  The other form of rebate was calculated over a longer period and was based upon such measures as volume of sales. This did require accounting judgment. 

In summary, KPMG admitted failings related to what went onto – or, rather, what was missing from – the audit file. So there was insufficient evidence that the auditor had differentiated the two forms of rebate.  And although the company had correctly accounted for the rebates within cost of sales, the FY 2016 audit file contained "incorrect references" to the rebates as "income" in the revenue section of the audit file.  The FRC Decision Notice records their inclusion within revenue as "incorrect and misleading to a reader of the FY 2016 Audit File".

The finding of a lack or professional scepticism focused on one particularly large customer rebate, which the FRC thought the auditor should have looked into.

From a regulatory perspective, there are the clues which this case offers to the approach the new-look FRC is taking under the Audit Enforcement Procedure ("AEP").



1. This case would never have previously been brought

The failings, while no doubt real, were notably less significant than almost any we have ever seen in a Decision Notice. The failings concerned only one audit year.  There was no question that the company’s accounts were anything other than correct.  There is no indication that any class of vulnerable stakeholders might have suffered as a result of the failings.  The breaches of Relevant Requirements were not intentional, dishonest, deliberate or reckless.  The breaches, which mainly concerned lack of audit evidence, were not pervasive.

So, why has KPMG and one of its partners faced these fines?

2. Professional scepticism

When commenting on the Decision Notice, the FRC’s deputy Executive Counsel, Claudia Mortimore, said: “Professional scepticism remains at the core of an auditor’s duty and the FRC will take appropriate action where it has been lacking”.  This is a key issue for the FRC.


3. Fines, Track record and AQR findings

The fines were also significant ones, which seems to be for two reasons. First, KPMG has faced a succession of sizeable fines recently from its regulator. Second, the audit partner in question was senior within the audit practice and had herself received four adverse findings from the Audit Quality Review team ("AQR") - two '2bs' ('acceptable overall with improvements required') and two '3s'. The FRC has a real focus on 'tone from the top', and has in the past focused on the management of regional audit practices.

We can expect to see AQR findings as against a partner featuring more and more in future Decision Notices. Firms with previous sanctions and poor AQR findings can expect repeated investigations and sanctions.  Changing that dynamic will require changing the FRC’s view of the firm, which is easier said than done.  An audit partner with an adverse AQR finding on their record needs to take especial care.  Conversely, we suspect that a partner with an immaculate AQR record is likely to find their regulator much more forgiving of a single lapse.  The AQR, it transpires, is a process with real bite.


4.Keep an eye on the FRC’s priorities

In the Decision Notice, the FRC pointed to recent publications it had made to the industry which emphasised the importance of professional scepticism and the need for especial care and attention towards complex supplier arrangements, such as rebates. The FRC does not have unlimited resources to devote to enforcement. The FRC will focus on those failings which it has identified as ‘hot button’ issues.

It can be difficult to keep track of FRC statements, priorities and points coming out of thematic reviews.  But it is vital to do so.  Training for all audit staff on FRC statements is a necessary part of risk management.  That will not, of course, prevent historic issues. But apart from reducing the risk of investigation and sanctions going forward, it will be good evidence of remediation – a key focus of the FRC when it decides the level of fines.

And potential respondents should also take note that a lack of evidence on the audit file will continue to be a problem in an investigations context. It means that a respondent is necessarily starting off on the back foot. The respondent has the burden of proof in showing that it actually performed the relevant audit procedures (and it may well have done – good audit work is often done without being properly recorded). But even introducing evidence of what was, in effect, sound audit work means accepting a breach of standards for failure to document that audit work appropriately on the file.


5. Monitoring and remediation

The audit partner in this case did not just face the usual sanctions (fine, reprimand).  She was required to undertake remedial training.  The training was in a format to be agreed with the FRC – the FRC’s involvement did not end at the Decision Notice.  This is at the heart of the FRC’s approach in today’s audit world.  A more active pursuit of enforcement is coupled with a focus on driving up standards, rather than simply a focus on the deterrence offered by fines. 


6. Mere cooperation is not enough

These respondents cooperated with the investigation.  But under the AEP, that is now assumed as a baseline.  Only ‘exceptional’ cooperation is a mitigating factor meriting an additional discount to any fine.  That generally means conducting a thorough root cause analysis, identifying and accepting failings (i.e making admissions), and pursuing remediation.  Conversely, failing to meet the FRC’s new expected baseline of cooperation will be an aggravating factor, resulting in increased fines.

In a post-AEP, post-AQR world, the FRC can and will pursue enforcement in a much wider range of situations in order to drive up standards. The FRC will focus on auditors with poor AQR records to their name, and will deal more severely with firms that have negative findings to their name. We expect to see many more cases of this kind.