Here are a couple of stories about auditors—both internal and external—and how they can impact a company’s operations in somewhat unexpected ways. Both stories involve Big 4 auditor Deloitte—currently ranked the “biggest of the Big 4” audit and professional service firms—but there are also other players, as you shall see.

First, we want to discuss the case of two Boeing whistleblowers. Unlike the typical whistleblower we discuss on our blog, their allegations had nothing to do with violations of the False Claims Act or defective pricing. Instead, these two Internal Auditors were concerned with Boeing’s “potential Sarbanes-Oxley violations”. According to this story at ComplianceWeek.com, the two Boeing employees alleged that—

[Boeing] feared its external audit firm, Deloitte & Touche, would find a material weakness in internal control over financial reporting. The two [whistleblowers] told the court that managers created a hostile work environment and pressured internal auditors to issue positive findings.

More specifically—

The [two internal] auditors said they began expressing their concerns over potential Sarbanes-Oxley violations to supervisors in February 2007, especially their discomfort with the authority given to PricewaterhouseCoopers, which was hired to support the internal audit function. Neumann and Tides believed PwC auditors were too deep in the design and audit of controls, and they believed the software system for recording audit results wasn't adequately secure.

Apparently, Boeing did not heed their concerns. Frankly, if that’s all they had, we would have turned a deaf ear as well. If Deloitte was the external auditor, then we can’t see how having PwC (or pwc as it’s now branded) involved in the company’s SOX preparations would have caused any conflicts for Boeing.

(Though we note one of the issues was that PwC was acting both as Boeing’s outsourced internal auditor and as the company’s SOX controls documenter at the same time, which might be construed as a potential conflict of interest—but we think only if PwC was going to test the SOX controls as part of its internal audit work. Otherwise, not too big of a deal in our view.)

Having failed to persuade company management to heed their concerns, the two internal auditors next turned to the public media, “which led to a news article in July [2007] asserting the company threatened employees, manipulated audit results, and was susceptible to theft and fraud.”

We Googled the three 2007 articles in the Seattle Post-Intelligencer. What’s rather unusual about the articles is that two of them consist of Boeing’s written responses to questions posed by the reporters. Here are some links in case you are interested:

1. Boeing’s responses, Round One.

2. Boeing’s responses, Round Two.

3. The newspaper discusses 5,000 Boeing documents it reviewed

In the third Seattle P-I article linked to in the above list, the newspaper reported—

Among the problems the P-I found:

• Boeing's internal audit findings were so poor -- meaning that so many computer system controls were failing or evidence was missing -- that external auditor Deloitte & Touche decided not to rely on the results for three consecutive years.

• Boeing exposed sensitive information about computer systems' holes to employees who did not need access to all of the data, according to e-mails and interviews.

• An internal complaint was filed with the company's ethics board that audit results had been manipulated. The company decided last September that the allegation was unsubstantiated.

• Some employees involved in the compliance process perceived a threatening culture. A late 2006 internal report said that employees felt they were being told that their jobs and salaries were "on the line," and they were being pressured to produce evidence for audits "ahead of events occurring normally.

The newspaper reported that—

In 2006 alone, Sarbanes-Oxley compliance cost Boeing $55 million, according to the company -- about the list price of one new 737 plane. A lot of that money has gone to the external auditor, Deloitte, and other large accounting firms that helped with its internal audit, including PricewaterhouseCoopers and Jefferson Wells.

Despite all the fees paid (or perhaps because of the fees?), the newspaper reported that Deloitte gave Boeing’s SOX controls “a clean bill of health.” In the next breath, the newspaper noted that—

When it comes to telling shareholders all that it should, Deloitte does not have a spotless record, according to government records.

 

The Public Company Accounting Oversight Board, which was created by the Sarbanes-Oxley Act, inspects audit firms by reviewing samples of their work.

 

In the three reports the board has published on Deloitte, it has questioned dozens of decisions that made audit results appear rosier. In 2006, the board criticized one Deloitte audit for certifying information technology controls that the firm had not sufficiently tested. The company being audited was not identified, and Boeing said it was not the firm.

Based on the internal details reported in the Seattle Post-Intelligencer articles, it seems self-evident that one or more Boeing employees had provided quite a bit of company documents. The two Boeing Internal Auditors (Neumann and Tides) were fired for violating the company’s communication policy.

The Ninth Circuit Court of Appeals found that, although the Sarbanes-Oxley Act does protect whistleblowers, it only protects disclosures to certain recipients—and the public news media was not one of the three recipients listed in the statute. Thus, the two Internal Auditors could not avail themselves of the SOX whistleblower protections.

Whew. Despite the newspaper’s insinuations, we cannot find any indication that Deloitte or Boeing engaged in any wrongdoing. But stay tuned for the next story, and then we’ll try to tie it all together.

The second story also involves Deloitte. In this story, defense contractor Navistar reportedly sued Deloitte on April 27, 2001, for $500 million in damages, alleging “fraud, fraudulent concealment, breach of contract and malpractice” related to audits performed between 2002 and 2005.

What’s the real issue? Well, according to the story—

‘Deloitte lied to Navistar and, on information and belief, to Deloitte's other audit clients, as to the competency of its audit and accounting services,’ the Warrenville-based truckmaker alleged in its complaint.

Deloitte, to no one’s surprise, denied the allegations. The story reported—

Jonathan Gandal, a spokesman for Deloitte, said Navistar's claims lack merit and that the firm would vigorously defend itself.

 

‘A preliminary review shows it to be an utterly false and reckless attempt to try to shift responsibility for the wrongdoing of Navistar's own management. Several members of Navistar's past or present management team were sanctioned by the SEC for the very matters alleged in the complaint.’

The U.S. Securities and Exchange Commission last year said the truck company had resolved an agency investigation into its accounting practices under which Navistar wasn't required to admit or deny the SEC's findings.

 

‘Navistar had numerous deficiencies throughout its system of internal controls during the relevant period, including fifteen material'

weaknesses during 2005-06 that were attributable, in part, to the company's failure to dedicate sufficient resources to those controls,’ according to the SEC.

Chief Executive Officer Daniel Ustian agreed to surrender to Navistar shares worth $1.3 million, while former Chief Financial Officer Robert C. Lannert consented to repay $1.05 million, each sum reflecting monetary bonuses they'd received during the restatement period, the SEC said. Four other company executives paid civil penalties without admitting liability.

To clarify, in addition to making trucks, Navistar also makes about $2 billion per year from selling mine-resistant ambush-protected (MRAP) vehicles to the DOD. In 2008, it was ranked as the 10^th largest defense contractor in America.

But let’s get back to Navistar’s allegations of Deloitte wrongdoing. In this opinion piece over at “Fraud Files,” Tracy Coenen explores the issue. She writes—

The lawyers say Deloitte lied about its competency in performing audits, and the company ultimately restated its financial statements for 2002 through 2005.  Whose fault is it that Navistar overstated its pre-tax income by $137 [million] during those years? According to them, Deloitte.

Navistar employees buried their fraud in accounts that are easy to manipulate, and the task of hiding the fraud from the auditors isn’t too hard either. The fraud was hidden in accounts such as vendor rebates, warranty reserve, vendor buybacks, and other income. …

Navistar’s story about the fraud seems to keep changing. Early on in the case, the company denied wrongdoing and said the problem was with ‘complicated’ rules under Sarbanes-Oxley. I’m not sure how SOX is to blame for management having secret side agreements with its suppliers who received ‘rebates.’ Or improperly booking income from tooling buyback agreements, while not booking expenses related to the tooling. Or not booking adequate warranty reserves. Or failing to record certain project costs.

And now the company says Deloitte is to blame. …

In the case of Navistar, each of the fraudulent accounting schemes above are nearly impossible to detect. The company failed to book items or provide information about them to the auditors, yet they are suing the auditors for failing to find the items.

Ouch! Tracy does have a way with words, doesn’t she?

Superficially, these are two stories involving (if only tangentially) Sarbanes-Oxley, Deloitte, and internal control issues. And they both involve auditors of one sort or another. But to us, the real connection is what’s missing from each of the stories.

Where was DCAA?

Boeing is the largest aircraft maker in America and one of the perennial Top 3 defense contractors. Navistar was a Top 10 defense contractor. Each had allegations of failed internal controls. Navistar had a public restatement of its financial statements and some of its executives were fined by the SEC. To us, that sounds “high risk” and, potentially, a control environment that would make one wonder how the company could qualify as a “responsible” contractor eligible for new contract awards.

We have internal auditors involved in (unprotected) whistleblowing. We have investigative journalism. We have SEC investigations. Yet we never hear or read about DCAA uncovering these (alleged) control failures or secret supplier rebates. We never hear about DCAA auditors making Form 2000 referrals to the Department of Justice. We don’t hear about suspension or debarment proceedings. In fact, POGO’s Federal Contractor Misconduct Database has zero listings regarding any fines or penalties (or settlements) related to Navistar’s DOD contracts. Nothing. There is no report of Navistar having any problems with DOD.

Just to be sure, we did a quick review of Navistar’s 2010 Annual Report, and we did not notice any listing of pending litigation related to the U.S. Government. Nada.

(And for that matter, we are unaware that DCAA has ever alleged that Boeing has an inadequate Information Technology system because of its long-lived IT control “deficiencies”. But we also have to admit we probably wouldn’t know of any issues unless they came to light during litigation.)

We see these two stories as being illustrative of huge, neon-colored red flags that one would expect would bring DCAA down on these contractors—especially Navistar—like the proverbial ton of bricks. And perhaps, in the background, DCAA auditors are even now quietly and patiently waiting for their management to give them the approval to issue the audit reports or Forms 2000 that will address these issues. But right now it seems like the DCAA auditors, whose job it is to protect taxpayers from fraud and waste connected with DOD contracts, are missing in action.