Accounting firm RSM US probably thought it had good controls for detecting if it was unknowingly providing prohibited services to an audit client or an affiliate of an audit client.
After all, it had a domestic U.S. database (“Client Central”) that auditors and consultants could search to find all work billed to clients. The firm also had a global relationship tracker database of work performed by member firms internationally. Finally, audit engagement teams were required to complete a questionnaire called the McGladrey Risk Assessment Model to determine engagement risks related to auditor independence.
All that, however, didn’t prevent RSM US from violating the Securities and Exchange Commission’s auditor independence rules, for which the firm was charged on Tuesday. The SEC said RSM violated the rules in connection with more than 100 audit reports involving at least 15 audit clients during 2014 and 2015.
According to the SEC’s order, RSM US repeatedly represented that it was “independent” in audit reports issued on the clients’ financial statements, which were included or incorporated by reference in public filings with the SEC or provided to investors.
However, RSM US or associated entities, including other member firms of the RSM International network, provided non-audit services to, and had an employment relationship with, some affiliates of RSM US audit clients. The prohibited non-audit services included corporate secretarial services, payment facilitation, payroll outsourcing, loaned staff, financial information system design or implementation, bookkeeping, internal audit outsourcing, and investment adviser services, the SEC said.
In one instance, RSM provided financial software consulting services to three portfolio companies of two private funds of a registered investment adviser that it was auditing. It also served as U.S. auditor of a company that had an Australia subsidiary for which an RSM International tax partner was serving as a non-discretionary board member.
RSM US — which audited 62 of the Russell 3000 companies in fiscal 2018, according to a recent Audit Analytics report —consented to the SEC’s order without admitting or denying the findings and agreed to pay a $950,000 penalty and be censured.
“The SEC’s auditor independence rules specifically prohibit audit firms from providing certain non-audit services,” said Carolyn M. Welshhans, associate director of the SEC’s division of enforcement. “Audit firms must put in place procedures, training, and systems that provide a reasonable assurance of independence, and they must monitor for independence on an ongoing basis.”
The SEC said that RSM’s procedures and training during the relevant period were insufficient to provide a reasonable assurance of independence and to adequately monitor for independence on an ongoing basis.
For example, when using the Client Central database, engagement teams did not always uniformly enter client names or properly complete entries such that affiliates were identified in the system, the SEC said. Some audit and consulting engagement teams also failed to search Client Central adequately or to understand the search results generated. “Consequently, certain non-audit services provided by RSM US to affiliates of audit clients were undetected for one or more years,” according to the SEC.
RSM agreed to engage an independent consultant to evaluate its current quality controls for complying with auditor independence requirements for non-audit services. It also implemented several remedial measures, including increasing training on SEC independence rules, disciplining employees who failed to proactively identify independence violations, and establishing a “conflicts-check” team “to centralize the process of and aid in identifying professional services that RSM US and RSM International member firms provide to RSM US clients and their affiliates.
In addition to violating federal securities laws, the SEC found that RSM US engaged in improper professional conduct within the meaning of Rule 102(e) of the SEC’s Rules of Practice.