About a month ago, we chided RSM US for being fined $950,000 by the SEC for getting caught providing non-audit services to audit clients, saying that a firm like RSM should’ve known better. But PwC got busted today by the SEC for also doing non-audit work for audit clients, which pretty much reinforces how shady accounting firms really are.

P. Dubs agreed to pay the SEC more than $7.9 million to settle charges of improper professional conduct and violating auditor independence rules, which were mostly due to failures in PwC’s independence-related quality controls.

In addition, PwC partner Brandon Sprankle agreed to pay a penalty of $25,000 to settle charges that he was the ringleader of the firm’s independence violations. As part of the settlement, Sprankle, who is based in San Jose, CA, was suspended from appearing or practicing before the SEC, with a right to reapply for reinstatement after four years.

PwC and Sprankle settled without admitting or denying the findings and agreed to cease and desist from future violations, according to the SEC.

So, according to the SEC cease-and-desist order, all of these shenanigans went down from 2013 to 2016, involving 19 engagements for 15 SEC-registrant issuers. For one audit client, Issuer A, a multinational technology company with substantial operations in the U.S. and which trades on Nasdaq, PwC provided non-audit services that are not allowed, including “exercising decision-making authority in the design and implementation of software relating to the company’s financial reporting and engaging in management functions for the company during the 2014 audit and professional engagement period.”

But hold up, there’s more:

In addition, in connection with performing non-audit services for these fifteen SEC-registrant audit clients, PwC violated PCAOB Rule 3525, which requires an auditor to describe in writing to the audit committee the scope of the work, discuss with the audit committee the potential effects of the work on independence, and document the substance of the independence discussion. PwC failed to comply with the requirements of Rule 3525 and, on several engagements, PwC mischaracterized non-audit services as audit work, even though the services involved financial software systems that were planned to be implemented in a subsequent audit period and providing feedback to management on those systems—areas outside the realm of audit work. PwC’s failure to comply with Rule 3525 prevented the audit committees of numerous issuers from evaluating the potential effects of the non-audit services on auditor independence, including whether the services could cause PwC to lack independence. This resulted in PwC being engaged to provide non-audit services that were improperly characterized to the audit committees of numerous issuers as audit services.

Former SEC Chief Accountant Lynn Turner once told me that if a CFO or corporate controller, or in this case, an audit firm, doesn’t bring an important issue to the attention of the audit committee, “then there will not be a rock large enough for them to hide under.” Audit committees don’t like surprises; they expect transparency and open communication at all times. I expect there were some pissed-off audit committee members after learning what PwC had done.

For example, Issuer A needed a third party to design and implement a GRC (governance, risk, and compliance) software system, something that auditor independence rules prohibit independent auditors from doing. Issuer A let PwC know in early April 2014 that it was seeking help for an implementation project.

And here’s where the fun began:

At that time, in connection with Issuer A’s pursuing proposals for implementing a module of GRC software, the company’s then-Head of Internal Audit asked Sprankle whether PwC could provide an implementation proposal and inquired about auditor independence. Sprankle responded that “we are absolutely permitted to implement so there will be no issues . . . .” Sprankle, however, was aware that PwC’s independence policies did not allow the firm or him to implement the GRC system at Issuer A.

Not just “we are permitted” but “we are absolutely permitted.” LOL. Moving on:

In or around early May 2014, Sprankle forwarded a proposal to Issuer A for “assistance with implementing” the GRC module. The proposal contained numerous tasks that, taken as a whole, would not be consistent with independence rules and PwC’s policies, e.g., performing integration testing and working closely with Issuer A’s personnel to resolve integration problems, working with management to determine security configurations, and providing continuous hands-on training on how to use the software.

In early June, Issuer A selected PwC for the GRC project, even though the firm was auditing Issuer A’s financial statements and internal control over financial reporting for fiscal year 2014. And it just so happened that Sprankle participated in PwC’s audit of Issuer A as an IT specialist on the audit engagement team.

In drafting the engagement letter for approval by PwC’s Risk Assurance Independence group, Sprankle described the proposed non-audit services as assessing multiple areas and providing observations and recommendations, as opposed to designing and implementing the GRC project. But in reality, Issuer A was expecting PwC to design and implement the system.

The final engagement letter for the GRC project described the work as performing assessments and high-level recommendations, but that of course was all a ruse.

From August through mid-October 2014, PwC managed the project, performed substantial design work, configured the design on a non-production server, and provided oversight and direction for the implementation to a live environment, according to the SEC.

Throughout the course of the GRC engagement, Issuer A considered PwC to be the system implementer and deferred to PwC on best practices for settings that needed to be included in the system. Further, according to the senior manager for IT Internal Audit: Issuer A allowed PwC “to make those decisions for us” and, although an Issuer A employee would technically have his hands on the keyboard, a PwC employee managed the process and directed the Issuer A employee on what actions to take.

And according to the SEC, here’s how badly PwC failed in describing the non-audit services to the audit committee:

When PwC sought pre-approval from the audit committee, the only written description that PwC conveyed to the committee was the title for the project. This written description did not allow the committee to make an informed decision about the scope of the work and how the work might affect PwC’s independence, thus depriving the committee of its oversight responsibilities.

This is just one example. There is a pattern of PwC doing this multiple times, as described in the SEC order.

As part of the settlement with the SEC, PwC agreed to be censured, pay disgorgement of $3,830,213, plus prejudgment interest of $613,842 and a civil money penalty of $3.5 million. In addition, PwC agreed to perform a detailed set of undertakings requiring the firm to review its current quality controls for complying with auditor independence requirements for non-audit services and for evaluating its provision of non-audit services.