Canada: Deloitte Auditors Got Caught Changing Their Computer Clocks to Backdate Workpapers
November 1, 2023
This is not the kind of behavior we expect from our friends in the north!
CPA Ontario announced yesterday Deloitte will be paying $1.59 million ($1.15 million USD) in fines and costs for breaches of the CPA Ontario Code of Professional Conduct (Rule 501 and 502). 501 covers a firm’s maintenance of policies and procedures for compliance with professional standards and 502 a firm’s maintenance of policies and procedures: competence and conduct of firm members.
The press release says:
A number of Deloitte auditors in Ontario changed the date and time settings on their computer clocks to manually override controls in Deloitte’s audit software and backdate audit working paper signoffs between November 2016 and May 2018. During this period over 930 audit working papers were backdated in at least 39 audit engagements.
The settlement agreement gives a bit more info:
Certain Deloitte audit practitioners identified the opportunity to bypass the new limits imposed by the November 7, 2016 EMS update and began adjusting the clock on their computers to Backdate the sign-off dates of audit working papers.
A number of students, staff, managers, engagement partners, and engagement quality control review partners in the audit practice changed their computer clocks to Backdate sign-offs in the course of performing assurance engagements for private and public entities. This conduct continued until March 2018.
During this period at least 35 Deloitte CPA Ontario members engaged in Backdating, and in some cases instructed others to do so, in over 930 audit working papers in 39 audit engagements.
Sign-off dates were changed from after the date of the audit report to a date prior to the audit report, or before the date of the audit report to an earlier date, or after the audit report date to another date after the audit report date.
According to the settlement agreement, it was the firm themselves that tipped off CPA Ontario that a number of its partners and professional staff had changed the sign-off dates in numerous audit working papers. The investigation began in September 2019 and concluded with the settlement reached in September. Prior to 2016, Deloitte Canada’s engagement management system allowed users to manually select a sign-off date for an audit working paper.
The settlement gives us the backstory on the change, explained below.
In response to findings by the Public Company Accounting Oversight Board of an incident where archived audit documentation had been improperly altered outside of Canada, DTTL required all its global members, including Deloitte, to conduct a mandatory conference call focused on audit quality and integrity with all audit partners before the end of October 2016.
Prior to debuting the new procedure that would default sign-offs to the date on a user’s computer, Deloitte National Office held a call with partners informing them off the change.
Leading with the script National Office was given by DTTL, the National Office first set out the regulatory context of the call, referencing:
(a) the emphasis placed by the PCAOB on integrity, and PCAOB’s recent public statements about how integrity was “as important, if not more important, than audit quality issues;”
(b) many discipline orders issued by PCAOB to date involving a failure to cooperate included the improper alteration of documents;
(c) that PCAOB inspectors uncovered evidence of the creation of documents shortly before or during a PCAOB inspection which were then backdated and provided without disclosing when they were created, resulting in firm sanctions for improperly deleting, adding, or altering documentation in connection with an inspection.
The National Office then expressed Deloitte’s zero tolerance policy for the type of behavior found by PCAOB, focused on recently introduced DTTL quality processes for archiving and forensics, and informed call participants that:
“Going forward we are enhancing EMS such that the undocumented alteration of a previously archived engagement file will be identified as part of a process prior to the provision of a file for inspection.
Effective immediately, ‘back-dating’ of working papers is not allowed. DTTL is mandating that this function be discontinued at each DTTL member firm, so that it will no longer be available.”
The National Office script did not make it clear that backdating of all sign-off dates, and not just those that might be under scrutiny during a regulatory inspection, was not permitted and was conduct which violated professional standards and the Code. This omission led, at a minimum, to confusion, with some call participants understanding that the prohibited “back-dating” referred specifically to archived working papers, rather than the broader focus of the pending Engagement Management System change to disable the selection of working paper sign-off dates.
On October 26, 2016, Deloitte issued an audit practice alert to all audit staff, indicating, among other things, that the ability to choose a sign-off date in EMS was being removed.
The EMS update was released on November 7, 2016, disabling a user’s ability to use the software to both choose the date of their sign-off and the ability to sign-off on someone else’s behalf.
On November 7, 2016, a second audit alert email was issued indicating that the EMS changes would be pushed to users’ laptops that day to disable the “edit signoff date” and “sign-off on behalf” features.
Certain personnel in the Firm’s National Office were aware of a risk that the new software restrictions could potentially be bypassed by individuals manually changing the date and/or time on a user’s computer clock . They took steps to determine if it was possible to detect or prevent any effort to avoid the new EMS functionality, and they concluded that there was no solution available. LOL.
Having identified that the new EMS restrictions could potentially be bypassed by a user changing their computer clock, the National Office considered whether to expressly address this issue in its communications, and to be explicit that doing so was prohibited. Instead, the National Office decided not to communicate this message on the basis that such communication could instead “socialize” inappropriate conduct if it were made known that Clock Adjusting in order to Backdate sign-off dates remained possible.
No messages were conveyed by the National Office between November 2016 to February 2018 to communicate that: it was inappropriate for auditors to bypass the function of the audit software by changing the computer clock; highlighting why the EMS sign-off date edit function had been disabled; or that Backdating was unacceptable and contrary to the Code.
Deloitte incorrectly assumed that the two practice alerts sent October 26 and November 7, 2016, about the changes to EMS were sufficient communication to the audit practice, and that no additional communication was required about the changes to the ADG in November 2016.
In early 2017, two Ontario audit partners learned that audit practitioners were engaging in the practice of Backdating. Both partners communicated to members of their respective audit teams that the practice was not acceptable. Neither partner took steps to address the issue with other partners or with Firm leadership. Moreover, a number of audit partners took part in the practice themselves. LOL again.
So here we are. Per the settlement, Deloitte will pay a fine of $900,000 ($649k USD) and costs of $695,000 to CPA Ontario for its troubles.