When Voluntary Means Mandatory and Forever: Statement on In the Matter of Ernst & Young LLP
June 28, 2022
I could have supported an enforcement action against Ernst & Young LLP (“EY”) based on the cheating by EY audit professionals on various examinations necessary to earn and maintain their Certified Public Accountant (“CPA”) licenses. Today’s settlement, however, also quietly sets the precedent that failing to correct a response to a voluntary information request received from the Securities and Exchange Commission (“SEC” or “Commission”) might be a strict liability offense punishable with outsized penalties and other costly remedial measures. Setting aside whether the remedies are commensurate to the alleged failure, the source and scope of this purported duty to correct—a duty that, if it exists, likely has profound consequences—is altogether unclear. Accordingly, I dissent.
Cheating by audit professionals on continuing education testing undermines the integrity that is core to their important role in our capital markets. Hundreds of EY personnel across multiple offices cheated over several years by, among other things, sharing answer keys and manipulating testing software. That some CPAs cheated on the ethics component of CPA examinations is particularly troubling. Moreover, despite an EY code of conduct requirement to report unethical conduct, many EY employees who knew of the cheating did not report it. Although the firm investigated reported misconduct and disciplined some cheaters, the cheating did not stop. EY also failed to have adequate policies and procedures to provide its audit staff with the ethical and technical training required and to monitor for, deter, and detect these violations. In sum, there is a solid case against EY based on the widespread cheating and failure of its quality control system, and I could have supported an enforcement action and settlement focused on that conduct.
This strong case involving plain misconduct, however, is paired with distinct allegations of wrongdoing by EY. The genesis of these distinct allegations requires some explanation. On June 17, 2019, a different large audit firm settled with the Commission based on cheating on CPA exams and improper information sharing by former PCAOB personnel. On June 19, 2019, the SEC sent and EY received a voluntary request for information about “any ethics or whistleblower complaints regarding testing associated with any EY training program or continuing professional education course.” The SEC requested that EY respond to the request by June 20, the next day. EY met this aggressive deadline, and on June 20 sent a submission to the SEC that disclosed five incidents responsive to the request.
On the same day the SEC sent its voluntary request, an EY employee reported to a manager that “a professional in the firm’s audit group had emailed the employee answers to a CPA ethics exam.” The manager, on the afternoon of June 19, relayed the report to “an EY human resources employee” who in turn, at some unspecified point in time, relayed it “to others in EY’s human resources group.” The “senior EY attorneys” who “reviewed EY’s June 20” submission responding to the SEC’s voluntary June 19 request “were apprised of the employee’s June 19” report “[n]o later than June 21.” (Emphasis added.) Given this sequence, it is unsurprising that EY’s June 20 submission did not include the June 19 report. Yet according to today’s Order, “EY’s June 20 submission was materially misleading” because it did not include the June 19 report, the omission of which “created the impression that EY did not have current issues with cheating.” The Order further faults EY for failing to correct the June 20 submission.
Yet EY did not simply sit on its hands after receiving the June 19 report; rather, it commenced an internal investigation and uncovered “significant misconduct” and “confirmed that audit professionals in multiple offices cheated on CPA ethics exams.” Nine months later, once it had completed its internal investigation and developed a plan to address the problem, EY reported the results of its investigation to its primary regulator, the Public Company Accounting Oversight Board (“PCAOB”), which in turn notified the SEC.
It is quite evident, though, that EY’s decision to undertake an internal investigation and self-report to the PCAOB without also correcting in the June 20 submission was not, in the Commission’s view, the right course of action. The Order draws a direct link between the cheating and the failure to correct the submission to the SEC: “Just as many of its audit professionals failed to report their colleagues’ cheating as required, EY withheld this misconduct from the SEC during an investigation about cheating at the firm.” The Order further states that “despite the message from EY’s U.S. Chair and Managing Partner only two days earlier about the importance of integrity and honesty, EY did not correct its submission to the SEC’s Enforcement Division.” EY’s initial failure to correct, presumably combined with its conducting of an internal investigation without providing updates to Commission staff, metastasizes into “withholding information about misconduct that EY knew SEC staff was investigating” and “continued misrepresentations to the SEC’s Division of Enforcement [that] significantly hindered the SEC’s ability to take action that would protect investors” from cheating audit professionals.
The Order concludes that the sum of EY’s conduct—the widespread cheating, policies and procedures deficiencies, and the failure to correct the June 20 submission—violated PCAOB Rule 3500T, constituted a failure to comply with AICPA Code of Professional Conduct 1.400.001, and contravened the requirements of PCAOB Quality Control Standard 20 (“QC 20”). While there is a logical connection between each of these provisions and the cheating by audit professionals and related policies and procedures deficiencies, it is not at all clear which of these provisions relate to EY’s failure to correct the June 20 submission. As the Order notes, QC 20 requires EY to “have a system of quality control for its accounting and auditing practices.” This standard seems inapposite given the lack of any apparent logical nexus between EY’s “accounting and auditing practices” and its processes for responding to voluntary requests for information from the SEC, particularly when those requests are not related to any specific audit. Similarly, PCAOB Rule 3500T applies only to conduct undertaken “[i]n connection with the preparation or issuance of any audit report.” Again, the Order does not explain how and why senior EY attorneys responding to a voluntary request for historical information unrelated to any particular audit constitutes conduct related to the preparation or issuance of an audit report. Also unexplained is how failing to correct the June 20 submission violated AICPA Code of Professional Conduct 1.400.001, which simply states that “[a] member shall not commit an act discreditable to the profession.” Indeed, other than its curt references to compliance “with ethics standards” and “maintain[ing] integrity”, the Order fails to offer any analysis of whether and how EY’s failure to correct the June 20 submission violated any of the cited provisions. One is simply left adrift in a sea of accounting standards, wondering how lawyers responding to voluntary requests for information are to navigate using the polestars of ethics and integrity.
Aside from the lack of clarity regarding the particular law EY violated by failing to correct the June 20 submission, I have a number of concerns that prevent me from supporting today’s settlement. First, I am concerned that the duty to correct that the Order implicitly imposes on EY lacks sound legal grounding and is ill-defined in scope. I am aware of no legal basis for the proposition that by responding to a voluntary request for information, a firm takes on itself a duty to correct its response based on later-learned information. The Order faults EY for “withholding information about misconduct that EY knew SEC staff was investigating,” but the applicable standard cannot be that a firm must disclose information related to misconduct the SEC is investigating, otherwise a firm would be required to report information whenever it knew of an investigation. Granted, EY knew of the investigation here because it received a voluntary request for information, but are voluntary inquiries from the staff now sources of mandatory, continuing reporting obligations on par with those imposed by the Federal Rules of Civil Procedure? Notably absent from today’s Order is any explanation of when, why, and for how long after responding to a voluntary, backward-looking request for information a firm must continue reporting to the SEC’s Division of Enforcement.
Ought EY to have disclosed the one incident that awkwardly appeared on the firm’s radar nearly simultaneous to its report to the SEC? Given the benefit of hindsight that I have, I would have preferred that EY do so. And, as a prudential matter, cautious legal counsel might say yes; however, what I might prefer and what one might do as a matter of prudence should not be confused with what one must do as a consequence of a legal obligation. Treating the failure to take the prudent and cautious path as though it is a strict liability violation of some affirmative legal obligation is not supported by the law. If we do intend responses to voluntary information requests to carry with them an ongoing obligation to correct and supplement the information provided, let us spell it out.
Second, the assertion that the June 20 submission was materially misleading is woefully misguided and patently unfair. The Order contends that the June 20 submission was “materially misleading” because it did not include a tip that came in the same day EY received the voluntary request for information, and thereby gave the staff the misimpression that EY “did not have any current issues with cheating.” But expecting tips to instantaneously traverse the distance from tipper to the firm’s headquarters in a single day is objectively unreasonable. A system designed to take tips in and process them in an orderly, but not instantaneous, manner is reasonable. Here, the tip made it to headquarters within two days. Not bad. That a tip received in one corner of a large firm was not included in a submission hurriedly put together in response to a request with an SEC-imposed 24-hour deadline does not make the resulting submission materially misleading. To the extent the Order means to assert that the June 20 submission became materially misleading as a consequence of EY’s failure to correct it (and thereby dispel the staff’s misimpression), it seems questionable for two reasons: (1) it assumes that EY was under some duty to correct, an assumption that is problematic for the reasons already discussed; and (2) it effectively requires EY to predict what impression the staff would take away from the June 20 submission.
Third, this settlement’s remedies also set a troubling precedent. To conduct an “Independent Review of EY’s Disclosure Failures,” the Order mandates that EY “designate a three-person committee of EY senior personnel” to retain an independent consultant (the “Remedial IC”). The Remedial IC, who will have full access to EY’s privileged information, will “conduct a review . . . of EY’s conduct relating to the Commission staff’s June 2019 Information Request, including whether any member of EY’s executive team, General Counsel’s Office, compliance staff, or other EY employees contributed to the firm’s failure to correct its misleading submission.” The Remedial IC’s report shall “mak[e] recommendations, as the Remedial IC deems appropriate, as to employment actions or other remedial steps.” While the three-person committee can object to the recommendations, ultimately, the Remedial IC has the final say. The upshot of this requirement is that the Remedial IC is vested with non-appealable authority to discipline or fire any EY personnel involved with responding the SEC’s June 19 request. This implicit directive to find attorneys and compliance personnel to blame for not complying with a non-existent obligation to correct the June 20 submission is particularly troubling.
Lastly, a penalty of $100 million is puzzling given that the prior audit cheating case, which also involved “altering past audit work after receiving stolen information about inspections of the firm that would be conducted by the” PCAOB, only generated a $50 million penalty. Each matter is, of course, unique, but comparisons are inevitable.
The unduly punitive terms of this settlement and its focus on imperfect compliance with a voluntary staff request for information with a one-day-turnaround detract from the central issue—pervasive cheating by audit firm employees. I am sorry that I could not support this settlement.
 In the Matter of KPMG, Rel. No. 34-86118 (June 17, 2019), available at https://www.sec.gov/litigation/admin/2019/34-86118.pdf.
 The AICPA Code of Professional Conduct Rule, which provides the substantive requirements one must meet under Rule 3500T(a), states that “[i]n the performance of any professional service, a member shall maintain objectivity and integrity, shall be free of conflicts of interest, and shall not knowingly misrepresent facts or subordinate his or her judgment to others.” Even if one were to conclude that EY “knowingly” misrepresented facts in the June 20 submission—a finding the Order does not make—Rule 3500T’s plain language defines the relevant “professional service[s]” as those performed “in connection with the preparation or issuance of any audit report.”
 See Fed. R. Civ. P. 26(e)(1) (“A party who has made a disclosure under Rule 26(a)—or who has responded to an interrogatory, request for production, or request for admission—must supplement or correct its disclosure or response: (A) in a timely manner if the party learns that in some material respect the disclosure or response is incomplete or incorrect, and if the additional or corrective information has not otherwise been made known to the other parties during the discovery process or in writing . . .”).
 KPMG Paying $50 Million Penalty for Illicit use of PCAOB Data and Cheating on Training Exams, (June 17, 2019), available at https://www.sec.gov/news/press-release/2019-95.