
Will KPMG pay for Rolls-Royce’s corruption?

Tom Fox | May 7, 2017

The fallout from the global bribery and corruption resolution involving Rolls-Royce, led by the U.K. Serious Fraud Office, continues, now in an unexpected manner. Reports indicated that the U.K. Financial Reporting Council (FRC) is now investigating KPMG, the worldwide auditing entity, over its audits of Rolls-Royce from 2010-2013. With its $892 million settlement with the United Kingdom, the United States, and Brazil, the Rolls-Royce matter is the third largest bribery and corruption resolution of all time. Of course, this continues a series of negative publicity for KPMG, which was the auditor for Wells Fargo and which was castigated by Senator Elizabeth Warren for failing to spot the fraud at that organization.

What is the role of external auditors in Foreign Corrupt Practices Act, U.K. Bribery Act, or similar anti-corruption compliance? How far should auditors go in their efforts to uncover bad behavior? Most generally, it is to obtain reasonable assurance that a company’s accounts are free of material misstatement. However, when the fraud is on the massive scale of a Rolls-Royce, Odebrecht, or other large corporate scandal, one does wonder about the role of an external auditor. For its part, KPMG said it “was confident in the quality of all the audit work we completed for Rolls-Royce.”

One obvious response is that external auditors are only charged with seeking out “material” issues. Often the evidence of bribery and corruption is buried in marketing expenses, charitable donations, or other deceptions. Since the amounts are not considered material, they are not tested by external auditors. Under the FCPA, there is no materiality standard, so the failures of KPMG are likely to be endemic to external auditors, as they are simply not looking at a granular enough level.

One answer is more robust internal controls, which would act as a trip wire for the detection prong of a compliance program. Another mechanism is to more fully operationalize compliance into the fabric of an organization. A third response could be the technological solution of data analytics going forward. While these alternative approaches may help companies, they may be of little comfort to KPMG going forward.