Get SF Weekly Newsletters
Pin It

Sleeping With the Auditor 

Why San Francisco and its outside accountants are a little too close for comfort -- and how it could threaten the city's financial integrity

Wednesday, Jun 26 2002
With the shocking financial collapse of energy giant Enron Corp. last year, the world learned a dramatic lesson in the importance of an independent auditor. The scandal became a nightmare for the accounting industry, which prides itself on its integrity, when it came to light that Enron's auditor, Arthur Andersen, had publicly diagnosed the energy company as healthy -- even as it privately fretted about damning evidence to the contrary. Andersen, it turned out, had a vested interest in attesting to Enron's health because it was being paid tens of millions of dollars a year in consulting fees by the terminally ill corporation.

The fallout has spread to other companies as well, where supposedly independent auditors have also jumped into the consulting sack with their corporate clients. But even as these conflicts of interest are being exposed in private industry, another aspect of the problem has largely escaped scrutiny: the accounting profession's relationship to its government clients.

In San Francisco, for example, KPMG LLP, a "Big Four" accounting company, has been auditing the city's books for more than 20 years -- at the same time it was pulling down millions of dollars in consulting fees. This conflict of interest, which occurred with the complicity of the city's controller, ignored the basic principles that define auditor independence. For example:

- As a consultant, KPMG sold millions of dollars in accounting software to San Francisco's controller, the official who keeps the city's books. This software, which is riddled with serious glitches, generates the financial statements that KPMG audits.

- KPMG's $140- to $350-an-hour consultants have become semipermanent fixtures at City Hall, where they supervise city employees and participate in policy-making decisions, contrary to the standards of independence.

- KPMG auditors oversaw the creation of financial data in the Assessor's Office that was later audited for accuracy by other KPMG employees.

- The city hired KPMG to investigate a department that has authority over the firm's contracts.

While there is no evidence that San Francisco's books, or KPMG's audits, are inaccurate, the company's dual roles as auditor/consultant and auditor/vendor do call into question its independence -- its ability to remain unbiased and objective, in appearance and in fact, while examining the city's financial statements for truth and accuracy. Last year, the audit company separated its consulting division from the firm, but the process is not complete.

The issues are about far more than appearances and principles. Conflicts of interest between an auditor's watchdog role and its "nonaudit" consulting jobs can undermine the credibility of San Francisco's financial statements, experts say. It could mean that an auditor's "expert" advice may be tainted by self-interest; bookkeeping mistakes, software errors, and accounting frauds could be covered up; wasteful spending could be hidden; and auditors could become responsive to political pressures. Ultimately, bond investors could lose faith in the integrity of the city's financial statements, making it prohibitive for San Francisco to borrow money and pay its bills.

To ensure that the city's books are accurate, and to guard against fraud, San Francisco hires an accounting firm each year to conduct an audit. Auditors spot-check a tiny percentage of the city's financial records for errors or cheating. They peer into the fiscal affairs of big-spending departments, such as the airport or the Public Utilities Commission. Mostly, though, they rely on the client to present them with accurate ledgers that fairly represent the financial position of the city, which they test for compliance with the rules of accounting. It takes about six months to complete the audit, called a Comprehensive Annual Financial Report. KPMG has served as San Francisco's auditor since before 1980.

KPMG reports to the city's controller, Edward M. Harrington, a former KPMG employee, who was appointed by then-Mayor Art Agnos in 1991. Mayor Willie Brown reappointed Harrington last year. As the city's chief accounting officer and internal auditor, Harrington approves more than $5 billion in payments a year, writes the checks, balances the checkbook, and, from time to time, investigates whistle-blower allegations of fraud inside city agencies.

More than any other individual, Harrington is responsible for ensuring that the billions of dollars that flow through the city's treasury do not get diverted, lost, or stolen. As the chief accountant, he is charged with consolidating the financial ledgers of 54 city departments and hiring an auditor to review the data independently, i.e., free from any and all political or economic pressures.

Controller Harrington asked for detailed questions in writing, and then declined to answer them or to comment for this story.

In addition to auditing the books, KPMG provides an array of consulting services to San Francisco -- from selling software to city managers to helping them prepare for the annual audit. In fact, consulting is far more lucrative for KPMG than its auditing services. From 1996 to 2000, the city paid the company $4.5 million for audits and $10.3 million for consulting.

"Audit fees are a loss leader for value added in consulting and software contracts," says Bart Hildreth, a technical adviser to the Governmental Accounting Standards Board, which establishes financial accounting and reporting standards for state and local governments.

Because an auditing firm's chief asset is it reputation, it is vital that the public perceive that it is free of bias and conflicts of interest. Therefore, auditors are bound to avoid even the appearance of a conflict of interest -- whether or not a conflict exists in fact.

The appearance of independence is key, stresses Brett Trueman, professor of accounting at the Haas School of Business at UC Berkeley. "No one can get inside the mind of an auditor, so we must rely upon the outward signs of independence. Even separating auditing from consulting may not go far enough in terms of perception. The danger is that the public will not believe the audited financial statements, and [investors] will stay away from [a government's] bonds."

To preserve the public's confidence, government regulators and the accounting industry evolved two overarching principles during years of acrimonious debate:

- Audit organizations should not provide nonaudit services that involve performing management functions or making management decisions.

- Audit organizations should not audit their own work or provide nonaudit services in situations where the nonaudit services are significant or material to the subject matter of the audit.

A year before the Enron-Andersen scandal hit the front pages, the Securities and Exchange Commission clarified the overarching principles. The agency ruled that, "The greatest assurance of auditor independence would come from prohibiting auditors from providing nonaudit services to clients." Responding to pressure from the accounting industry, several federal agencies that oversee accountants stopped short of making a blanket prohibition against nonaudit consulting, instead publishing a list of don'ts for audit organizations:

- Do not maintain, prepare, or construct financial records.

- Do not provide internal audit services.

- Do not design, install, or operate the client's information technology system (auditors are limited to providing routine advice only).

- Do not prepare annual budgets or strategic plans or participate in management and policy decisions.

- "Avoid situations that could lead reasonable [people] ... to conclude that the auditor is not able to maintain independence in conducting audits. Remember: The independence standard is principles-based and should be applied using a substance over form approach" (emphasis in original).

"The overarching principles were always there," says Relmond Van Daniker, executive director of the National Association of State Auditors, Controllers, and Treasurers. "The problem started in the 1990s. If an auditor came in and said, 'Look at this!' a chief financial officer might think, 'Who better to fix the problem than people who reported it?' Auditing became commoditized; consulting was a way to expand the business. The auditors argued that since different divisions did the work, there was a wall between auditors and consultants. But it was not independent in appearance; maybe in fact, but perception becomes reality."

In looking over several years' worth of internal documents between KPMG and the city's controller, it is clear that KPMG has violated virtually every one of the feds' don'ts for independent auditors.

As the issue of auditor independence was becoming increasingly controversial, KPMG LLP created a separate U.S. corporation, called KPMG Consulting Inc., to contain the bulk of its American consulting business and to shield itself from charges of nonindependence. "As a result, we will no longer have to comply with the rules and regulations governing the independence of auditors from their clients," KPMG Consulting told the SEC.

That would be true if KPMG Consulting were totally separated from KPMG International, the Swiss-based association of which KPMG LLP is the dominant member. Reports on file with the Securities and Exchange Commission show, however, that several of KPMG LLP's associate firms own shares in KPMG Consulting.

A spokesman for KPMG LLP said the company will not discuss its partners' holdings, but SEC records show that, when the companies separated, individual partners were allowed to put KPMG Consulting equities into blind trusts "in order to comply with the Auditor Independence Rules."

"You're not supposed to own a spinoff," says Van Daniker. "If they do [have stock], they've got to get rid of it."

A spokesperson for KPMG Consulting says that the firm's parent company no longer "has an investment stake in us."

The two organizations may be divorced in name, but they are still a couple. They cohabit in an office headquarters complex in McLean, Va. Last year, the two companies shared $234 million worth of space and "basic administrative, clerical and processing services ... accounting and payroll support, technology support, human resources, employee benefits, marketing and office support," according to KPMG Consulting's annual report.

Nor has KPMG LLP stopped consulting; the two companies have a "noncompetition" agreement, which states that they will meet to divvy up possible consulting contracts. Both KPMG-monikered firms have arrangements with major corporations, including Qwest, Cisco, Oracle, and Microsoft, that are worth hundreds of millions of dollars and are based on the KPMG group's ability to "resell" software to its clients.

The Governmental Accounting Standards Board's Hildreth says, "The spinoff could alleviate the appearance of nonindependence to the extent that they are legally separate." He says he is aware that KPMG LLP maintained an ownership stake in KPMG Consulting. "That's why I said 'legally separate,'" he explains. "And legal separation helps, but does not prevent all unethical behavior."

Sharon Russell, who is an executive with the state of Alabama's Department of Examiners of Public Accounts, as well as an adviser to the Governmental Accounting Standards Board, was blunt: "If to most people it looks like they are not divested, then they are not a separate spinoff."

KPMG, however, believes the two companies are independent. "There are no conflicts of interest," a spokesperson for KPMG Consulting says.

This corporate name game is relevant to San Franciscans because it raises these questions: Would the city's auditor blow the whistle on, or make recommendations that would negatively affect, its spinoff's consulting business? Would it make recommendations based on benefiting its own business partners?

Nowhere is the line between auditing and consulting blurrier than in KPMG's managing of the city's accounting software, called FAMIS.

For many years, KPMG has used its auditing relationship with the San Francisco Controller's Office as leverage to obtain consulting and software sales contracts. "KPMG's knowledge of the city's internal structure and operations is virtually unmatched," the firm wrote to Harrington in a job proposal, "as well as our longstanding financial statement audit relationship."

After winning an open competition in 1994, KPMG LLP signed a software consulting contract that was "not to exceed" $455,000. That contract, which KPMG LLP "assigned" to KPMG Consulting when the companies were split last year, has grown to nearly $12 million. Most of the money has gone to buying and maintaining KPMG's proprietary FAMIS software.

KPMG's selling of the software to the city it audits was by itself a violation of basic accounting tenets, say several experts. The rules of the American Institute of Certified Public Accountants, which KPMG promises to abide by in its city contracts, say, in no uncertain terms: "If the audit organization has been responsible for designing, developing, and/or installing the entity's accounting system, or is operating the system and then performed a financial statement audit of the entity, the audit organization would clearly be in violation of the two overarching principles of the independence standard."

Van Daniker, of the National Association of State Auditors, Controllers, and Treasurers, states point-blank that audit firms should not sell software to their clients. "Whether it is an independent action in fact or not -- it looks bad," he asserts.

Gregory Newington, the chief of enforcement for the California Board of Accountancy, which licenses certified public accountants, says it is more than a conflict of independence: It could be against the law.

"There is a law in California that expressly forbids audit firms from recommending products, such as Hewlett-Packard or Oracle, to their audit clients when they receive financial remuneration from the sale."

Ethics aside, KPMG's outdated software is apparently also riddled with problems. For many years, KPMG auditors and consultants have been finding terrible flaws in FAMIS and then recommending that the controller buy "upgrades" from KPMG. For instance, FAMIS has trouble "effectively" accounting in the general ledger for capital expenses, especially federal grants, according to KPMG's reports to the controller. Last year, the auditor found that, for some departments, "The existing general ledger payment data are based on contracted amounts and may not match actual expenditures," which means, rather shockingly, that the city may not be accurately accounting for projects that go over budget -- as many contracts do, including KPMG's. Harrington's response has been to pump more money into FAMIS, instead of looking for a superior system.

In April 2000, a KPMG LLP partner, Marc S. Diamond, drafted a report asserting that the city's financial information often had to be transferred from one database to another by hand. He questioned whether FAMIS "is capable of capturing financial data that is of a sufficiently high degree of resolution to support an effective capital management reporting capability."

Diamond revealed that, throughout the city, finance officers had set up "shadow systems," essentially second sets of books, in an attempt to keep track of transactions that FAMIS missed. The shadow systems, Diamond wrote, "can result in degradation of the integrity of the financial and management reporting process ... as transaction data travels in a circuitous route throughout the various systems employed by ... the city." Diamond asked for $480,000 to keep working on the problem.

Diamond's report seemed to infuriate a manager in the Controller's Office, Harold Guetersloh, who, in an amazingly frank e-mail to KPMG LLP, asked for "evidence that FAMIS can't be trusted or assure me that you will remove that statement from your report. It is possible that whoever you talked to had productive [work] to do so they decided to set up a competing set of books." Guetersloh, who recently retired, blamed humans for FAMIS's shortcomings.

"I can give you hundreds of examples where PUC, DPW, and DPT engineers charge jobs which have been completed for months," Guetersloh wrote. "Project Managers never catch these errors. It is left to the accountants to clean the messes up. I do, however, realize that online updating of salaries is sexy and highly desirable to the engineers."

The computer system's troubles left plenty of room for financial shenanigans. Last year, KPMG Consulting's Dwayne McKinley sent a long list of FAMIS glitches to the Controller's Office. He said FAMIS has difficulty correlating revenue and expense data; the system is clogged with duplicate data; it is unable to process some contract payments and cost overruns; some information must be transferred by hand within the system's databases, instead of by automated processes; and FAMIS cannot track cash payments by contract number or vendor name. In other words, city officials cannot use the general ledger software to determine how much money has been paid out over any period of time for a particular contract, or to a particular person, company, or nonprofit organization.

(McKinley did not propose a solution; he did recommend that the controller pump up his firm's consulting budget.)

Accounting expert Hildreth says FAMIS was a state-of-the-art system in the mid-1980s, but that it is missing modern "bells and whistles." Other experts say that any decent accounting software should automatically track payments by vendor name and contract number.

"I am surprised that San Francisco has that old system," says Steve Balsam, one of the federal government's leading experts in computer accounting systems. He says FAMIS is a "legacy system"; he compares it to an old car, which will run past its prime if it is well maintained, even though it might not drive very efficiently.

Balsam tests accounting software for the Joint Financial Management Improvement Program, which is chaired by the secretary of the treasury and the comptroller general of the United States. In 1998, KPMG stopped submitting FAMIS to Balsam's agency for testing because, he says, it had become outmoded. Consequently, FAMIS is no longer approved by the federal government for use by federal agencies.

Rowan Miranda, director of research and consulting for the Government Finance Officers Association, says that FAMIS, which runs on mainframe computers, is not Internet friendly, although it can be "buttressed" with more advanced software. He also points out that Santa Clara County is scrapping FAMIS for a more modern system. (Santa Clara decided to junk FAMIS on the recommendation of KPMG Consulting, according to the county's controller-treasurer, Dave Elledge. San Francisco has yet to receive the same advice.)

In July 2001, long after FAMIS was buttressed with millions of dollars' worth of more modern software, including Oracle and Microsoft products, KPMG Consulting's Jerry Palombi wrote that FAMIS still generates "incorrect reports," and that there are "problems with the payroll system" due to the existence of "out of date information in FAMIS."

"It is not readily clear that ... a solution can be designed, but [a] 'long-term' approach is probably worth pursuing," Palombi concluded as he submitted his monthly bill.

KPMG has also chosen to overlook another overarching principle of accounting: that auditors should not be involved in making management decisions, creating budgets, and setting policies for their clients. KPMG partners chair two committees composed of high-ranking city officials charged with monitoring San Francisco's financial accounting system and making information technology policy.

Controller Harrington says there are no minutes of these committees' meetings, only agendas; nor does he have any correspondence or written records of conversations with anyone from KPMG LLP or KPMG Consulting from 1998 to the present. The record shows, however, that the controller personally approved most of KPMG LLP's and KPMG Consulting's contracts. He appears to have otherwise insulated himself from KPMG by requiring Evangeline Bruce, the director of his Accounting Operations and Systems Division, to sign off on KPMG LLP's and KPMG Consulting's contract amendments, invoices, expense reports, and, curiously, their draft reports.

"I would also like to receive copies of your draft reports before actual circulation," Bruce told KPMG. "Our interest is to ensure that no recommendations are made that conflict with any of the city's strategic directions or policies."

KPMG LLP partner Denise Price agreed to abide by this apparent restriction on her firm's ability to independently critique the city. She was hardly out of the loop, though. She often traded e-mail messages with Bruce in a joint effort to find extra money in the controller's budget to pay for KPMG's chronic cost overruns. In 2000, Bruce started paying for consulting work with money budgeted for auditing work. Then she tapped into hundreds of thousands of dollars in city money appropriated by the Board of Supervisors to pay city employees. By this point in the long relationship, the audit firm and the Controller's Office had, in many ways, merged into a single entity.

A Controller's Office organization chart, dated January 1999, details the job responsibilities of a dozen controller employees, including Bruce, and the half-dozen KPMG consultants who worked side by side with them keeping the financial accounting system up and running. The chart shows them all reporting to two KPMG LLP partners, Bill Blaustein and Price. In other words, the city official who approved payments to KPMG, Bruce, also reported to KPMG's partners. It is not just the auditor's independence from the city that is called into question by this long-term, multimillion-dollar relationship -- it is the city's ability to act independently from its auditor that is also at risk.

The city maintains a large Department of Telecommunications and Information Service that is staffed with 150 computer technicians and programmers who are, according to the agency's deputy director, available to work for the controller. City regulations prohibit San Francisco from hiring consultants to do jobs that city employees can do, unless the Civil Service Commission approves an exception. To obtain the exception, a KPMG LLP partner wrote the formal document used by the controller to justify hiring full-time KPMG workers at double the cost of city computer programmers. KPMG time sheets show that the firm charged the city for the time it spent filling out forms for the controller and lobbying him for jobs and more money.

Another overarching principle of accounting forbids auditors to audit their own work. Yet over time KPMG became so deeply enmeshed in daily operations at the San Francisco Assessor's Office that this common-sense rule seems to have fallen by the wayside.

The assessor's job is to determine the value of all taxable property in the city. This task was complicated under the stewardship of Doris Ward after she spent $5 million acquiring a computer system that "lacks demonstrable financial controls and adequate audit trails," according to an insurance company report. In November 1999, KPMG LLP came to her rescue and began "assisting in producing the annual tax roll," according to the auditor's contract. The auditors apparently "directed" the entry of $17 million worth of backlogged assessments into the assessor's database. By January 2000, KPMG LLP employees, working full-time in the Assessor's Office, had billed a quarter-million dollars to "assist" the assessor in doing her job.

When KPMG's supervision of an effort to keep the city's property tax revenue flowing was described to government accounting expert Sharon Russell, she practically recoiled over the telephone. "There is an express prohibition against auditors posting any transactions," she said. "They are not allowed to supervise public employees. And working inside city government full time is prohibited as well."

Despite the independence rules, KPMG LLP subsequently contracted with Ward and the controller to "reengineer" the operations of the Assessor's Office -- for half a million dollars. "Since some past [audit] recommendations have been made but not implemented, KPMG will assume an active role," the contract stated. KPMG Consulting, which took over the contract, eventually recommended that the assessor "improve" the computer system. But the city failed to set aside the cash to pay for the report. A furious KPMG Consulting wrote to the controller last August demanding that he find $406,000 to pay the balance of the firm's bill.

In another appearance of conflict of interest, KPMG agreed to investigate a city commission charged with approving the company's contracts with San Francisco.

In early 2000, Mayor Brown appointed a blue-ribbon panel to look at the Human Rights Commission, in the wake of an FBI raid on the office. The feds were searching for evidence of wrongdoing by the agency, which wields tremendous authority over who is allowed to have a contract with the city. The panel hired KPMG LLP to provide "third-party independence and objectivity" to the panel's probe of HRC contract monitoring practices. KPMG was hardly an independent third party, though. The HRC regularly required KPMG to share its profits with specific minority-owned accounting firms as a condition of keeping its long-term audit contract.

KPMG Consulting issued the final report on the HRC, concluding that the commission's authority over city contracting should be transferred to the "independent" Controller's Office, because the commission habitually violated public contracting laws and was, also, subject to "political influence." (The recommendation was ignored by the mayor and the Board of Supervisors.) The report did not come cheap. It went a quarter-million dollars over budget, costing the city $525,241.

There are many other instances of KPMG and the city controller simply ignoring the essential principles of auditor independence.

- In 1999, Harrington directed KPMG, his "external" auditor, to work with his internal auditors to study "risky" software systems used by the city -- despite the fact that a U.S. General Accounting Office rule states, "External audit organizations would violate the overarching principles if they provide internal audit services because such services are considered a management function."

- In 2000, KPMG LLP was paid a quarter-million dollars for consulting with Muni, including doing accounting work and selling software services, at the same time it was paid $195,000 to audit the department's accounting system.

- Two years ago, the auditors contracted to supervise the cleanup of an accounting disaster at the Health Services System, which runs the city's health plan, after the department's finance staff was summarily fired. Then KPMG audited its own work.

This is not to say that KPMG did not do a good job in these situations; it is to say that it does not make sense to pay the company for auditing its own work -- nor the work of KPMG Consulting, to which the auditors have financial ties.

Although the integrity of the city's accounting system is clearly imperiled by issues of nonindependence, there do not appear to be any plans afloat at City Hall to hire a new auditor, or a new software consulting firm.

So for now the questions of accounting independence will linger, and the city will continue to run up against situations like this: When SF Weekly asked the controller how much money KPMG LLP and KPMG Consulting were paid from 1996 to the present, the answer ($19 million) was three weeks in coming. The reason for the delay, according to the controller's spokesperson, was that the information had to be extracted manually from a variety of databases and correlated into a spreadsheet by hand. In other words, the city's FAMIS accounting system, designed, built, and audited by KPMG, is incapable of answering how much money the city has paid to its own accountants.

About The Author

Peter Byrne


Subscribe to this thread:

Add a comment

Popular Stories

  1. Most Popular Stories
  2. Stories You Missed


  • clipping at Brava Theater Sept. 11
    Sub Pop recording artists 'clipping.' brought their brand of noise-driven experimental hip hop to the closing night of 2016's San Francisco Electronic Music Fest this past Sunday. The packed Brava Theater hosted an initially seated crowd that ended the night jumping and dancing against the front of the stage. The trio performed a set focused on their recently released Sci-Fi Horror concept album, 'Splendor & Misery', then delved into their dancier and more aggressive back catalogue, and recent single 'Wriggle'. Opening performances included local experimental electronic duo 'Tujurikkuja' and computer music artist 'Madalyn Merkey.'"