Deloitte fined for turning back the audit clocks

In a statement, CPA Ontario said that between November 2016 and May 2018, a number of Deloitte auditors in Ontario changed the date and time settings on their computer clocks to manually override controls in Deloitte's audit software and backdate audit working paper sign-offs. 

According to the regulator, at least 35 auditors backdated more than 930 audit working papers on at least 39 audit engagements between the two dates, breaching two codes which specifically apply to the conduct of firms.

According to CPA Ontario, the matter first came to light in February 2018, when a whistleblower at the firm raised concerns with senior management about the practice, and Deloitte began an internal investigation. The Big Four firm then self-reported the backdating to the watchdog in September 2019, with a settlement reached last week.

As a result, Deloitte will pay a fine of $900,000 and costs of $695,000 to CPA Ontario for the investigation and prosecution of the case.

The regulator stated that Deloitte failed to have the necessary policies and procedures in place, and failed to take appropriate action to address potential issues of audit quality once it became aware that its practitioners had engaged in backdating audit working papers. During its own investigation, the firm also failed to adequately consider and address the risk of ethical issues arising from deliberate backdating.

"Backdating obscures when and what work was performed and reviewed," said Janet Gillies, executive vice president of regulatory and standards at CPA Ontario. “It creates questions about the accuracy or timeliness of audit documentation and the quality of the audit.”

Lack of communication

A decision document about the case outlines that during the backdating period, Deloitte was using Engagement Management System (EMS) as its audit software system. Prior to 7 November 2016, EMS permitted a user to manually select a sign-off date for an audit working paper. 

In October 2016 following a separate incident where archived audit documentation had been improperly altered, Deloitte issued an audit practice alert to all audit staff indicating that the ability to choose a sign-off date in EMS would be removed in November 2016. After the change, the date a sign-off was physically entered into EMS would be limited, by default, to the date of the user’s computer clock.

Despite identifying that the new restrictions could potentially be bypassed by a user changing their computer clock, Deloitte’s national office decided not to expressly address this in its communications. This was based on the concern that any such message could ‘socialise’ inappropriate conduct if it were made known that clock adjusting to backdate sign-off dates remained possible.

However, according to the document, certain Deloitte audit practitioners identified the opportunity to bypass the new limits and began adjusting the clock on their computers to backdate the sign-off dates of audit working papers while performing assurance engagements for private and public entities.

In February 2018, a firm audit partner raised a concern with senior firm personnel about the practice. The firm took action in early March 2018 by removing the ability to change the date settings on staff computers and issuing an audit practice-wide communication reminding all auditors of the accepted procedures around sign-off. In spite of this, at least one audit partner continued to backdate sign-offs until May 2018.

Investigations and penalties

Deloitte initiated a firm-wide investigation into the backdating in March 2018, ending in the Spring of 2019. The internal investigation concluded that although the auditors’ conduct was contrary to firm guidance and warranted discipline, the backdating was not done with malicious or fraudulent intent but rather to more accurately reflect the date the work was actually performed. 

It also found that the backdating by its auditors was not unethical and those involved were attempting to document when work was actually done and therefore “tried to do the right thing but in the wrong way” – although a range of disciplinary actions were taken against the individuals.

In September 2019, Deloitte reported the backdating practice to CPA Ontario, which began its own investigation, resulting in the penalties outlined above.

While the regulator acknowledged Deloitte’s cooperation in the investigation, the fact that it had self-reported the issue and had undertaken steps to ensure it could not happen again, it also criticised the firm’s investigation.

The regulator cited a lack of documentary evidence, the fact that engagement partners and audit leadership were not informed of the investigation, and that the issue was not specifically identified as an ethics-related matter, and the ethics review team were not involved.

In a statement given to the Toronto Star, a spokesperson from Deloitte wrote: “Deloitte Canada serves its clients with integrity. We work ethically, stand by our credibility, and have worked hard to earn and maintain the trust of clients, regulators, and the public.”

No surprise

“It’s a reflection of the state of the market more than anything,” commented John Toon, technology lead at Beever and Struthers. “Audit teams at many firms operate in a highly pressurised environment where staff are actively encouraged to move from one engagement to another and sign them off as quickly as possible.

“It should be no surprise that these sorts of practices have occurred as many will see it as a relatively low-risk activity. This also reflects badly on the state of the audit software market that the sign-offs could be backdated in this way – a situation that still persists in some cases.”

9 November 2023: This article was amended to add a quote