SEC Imposes Largest-Ever Audit-Firm Penalty in Exam-Cheating Case

Imposes Unique Compliance Consultant to Investigate Firm’s Response to SEC Inquiry

July 6, 2022

On June 28, 2022, the SEC announced a $100 million settlement with Ernst & Young (“EY”) in which the audit firm admitted that numerous audit professionals cheated on required professional tests. 

EY also admitted that after it responded to an SEC Enforcement Division inquiry by suggesting that EY did not have ongoing problems with cheating, it did not correct this response when it shortly afterward received a tip and launched an investigation that found extensive cheating.  The penalty is the largest-ever by the SEC in an audit-firm case, and the SEC also took the unusual step of imposing two independent compliance consultants on EY, one of whom will pursue a novel, privileged investigation of the response to the SEC’s inquiry by EY’s senior lawyers and management, with an eye toward recommending personnel action to EY, including termination.  The case has important ramifications not just for audit firms, but for any entity responding to an SEC inquiry.

The SEC’s Allegations

Certified public accountants are required to pass a series of tests to obtain their CPA license, and are required to pass periodic continuing professional education tests thereafter, many of which can be administered internally by their employers.  A critical period in the EY case began on June 17, 2019, when the SEC announced a settlement with a different audit firm, based on conduct that included admitted cheating on professional exams.[1]  Two days later, EY’s U.S. Managing Partner sent a message to U.S. personnel notifying them of the case involving the other audit firm and stressing that sharing exam answers was “highly unethical” and “will not be tolerated.”  On the same day, June 19, 2019, the SEC’s Enforcement Division sent EY a “formal request asking whether EY had received any ethics or whistleblower complaints regarding” professional testing.  As requested by the SEC, EY responded promptly the next day with a written narrative describing prior incidents involving exam cheating or similar misconduct, potentially creating the impression that cheating incidents were in the past and had been appropriately addressed.  While the SEC’s settlement with EY is vague on this front, it appears that, based on EY’s response, the Enforcement Division did not investigate further. According to the admitted allegations, at the same time these events were unfolding, an EY employee reported to a manager on June 19, 2019 that a member of the audit group had emailed the employee answers to a CPA ethics exam.  By the end of the day, the human resources group had been notified, and by no later than June 21, “[v]arious senior EY attorneys,” who had also reviewed the Enforcement Division’s request and EY’s response, were made aware of the employee’s June 19 tip.  As EY admitted, while the tip caused the firm to begin an extensive investigation, EY did not “correct” its submission to the SEC to draw attention to it. According to the SEC, by the fall of 2019, EY’s “robust” investigation found that at least 91 audit professionals in multiple offices had improperly shared and used answer keys to cheat on ethics and other exams after the firm’s U.S. Managing Partner’s June 2019 warning not to do so, in addition to hundreds of professionals who had cheated before that time.  EY admitted that in October 2019, top EY leadership decided to broaden the investigation and inform EY’s primary regulator, the Public Company Accounting Oversight Board, or PCAOB, but only after “the extent of the misconduct within the Firm was clearer and EY had a credible plan in place to address the problem.”  EY notified the PCAOB four months later, and the PCAOB later notified the SEC.  The SEC went on to allege—but EY did not admit—that EY’s June 20, 2019 submission to the SEC was misleading, and that by “withholding information about misconduct that EY knew SEC staff was investigating,” EY had “hindered” the SEC’s ability to enforce the securities laws.

Typical Charges, But Unique Remedies

The SEC found that EY’s conduct: (1) violated a PCAOB rule requiring EY and its personnel to comply with ethics standards and “maintain integrity” in professional services; (2) was “discreditable to the profession” in violation of professional standards; and (3) showed a failure to establish a “system of quality control” in violation of a PCAOB rule.  Just as the other audit firm did in its 2019 settlement, EY acknowledged the first violation but not the others. More unusual was the relief ordered by the SEC.  EY was ordered to pay a $100 million penalty, twice what the other audit firm paid, and EY agreed to the imposition of two independent compliance consultants, an unusual step in SEC enforcement cases.  First, EY agreed to hire an independent consultant to review its ethics policies and procedures and issue recommendations for remedial action.  Second, EY agreed to retain an independent consultant to conduct an unusual privileged investigation of EY attorneys and executive management for the failure to correct EY’s SEC response.  In this novel arrangement, the consultant will have an attorney-client relationship with EY, allowing the consultant to gather evidence that would otherwise be privileged.  This signals that the SEC may have tried to investigate EY’s SEC response, but ran into roadblocks created by privilege assertions that will not be available as to the consultant.  Notably, the consultant is expected to make recommendations to an EY Special Committee, and will have the last say on what remedial measures are required, up to and including termination.


  • This case sends a clear message about the Enforcement Division’s focus on the role of “gatekeepers,” and is the second time in a month that the agency has imposed independent consultants with sweeping mandates on an audit firm.[2]
  • Perhaps more notable is that the SEC purported to equate the conduct of EY’s lawyers and executives in responding to the SEC inquiry to the cheating committed by its audit professionals, with Enforcement Director Gurbir Grewal calling it “equally shocking” that EY “hindered our investigation of this misconduct.” The SEC’s order focuses more on EY’s response to the SEC inquiry than on the actual cheating, and claims that EY’s failure to correct its submission and self-report sooner demonstrated a failure to maintain integrity under professional rules—a novel claim since the response seems to have been managed mostly by lawyers, not auditors.  As Commissioner Hester S. Peirce noted in a statement dissenting from the settlement, the settlement could be read as setting the precedent that the recipient of a voluntary information request from the SEC has an ongoing duty to correct their response, a duty that “likely has profound consequences.”  Commissioner Peirce warned that “the source and scope of this purported duty to correct …is altogether unclear.”[3]
  • Entities that receive SEC inquiries should take great care in crafting their responses and should evaluate whether subsequent events warrant updating or correcting a response—even where the request is presented in a manner that is less formal than a subpoena, as was the case here. The case also is a reminder that entities must assess whether a decision not to self-report, under the circumstances, could be viewed by the SEC as “hindering” their efforts.
  • As Commissioner Peirce noted, the $100 million penalty is “puzzling” when compared to the other audit firm’s $50 million settlement, which involved not only cheating but a scheme to steal and use PCAOB audit inspection plans, leading to multiple criminal convictions of former audit partners.[4] The EY case underscores that prior precedents may provide an imprecise indicator of the penalties the current Commission will seek.
  • Commissioner Peirce found it “particularly troubling” that the independent consultant has “an implicit directive to find attorneys and compliance personnel to blame.” It remains to be seen whether this action will have a chilling effect on entities’ willingness to respond to voluntary requests for information in SEC cases.[5]


[1] KPMG Paying $50 Million Penalty for Illicit Use of PCAOB Data and Cheating on Training Exams

[2] SEC Imposes Penalties and Sweeping Independent Consultant on CohnReznick for Alleged Audit Failures in Case Underscoring SEC’s Focus on “Gatekeepers”

[3] When Voluntary Means Mandatory and Forever: Statement on In the Matter of Ernst & Young LLP

[4] In addition, in 2021 and 2022, the foreign affiliates of two large audit firms settled cases involving alleged exam and training misconduct with the PCAOB and paid fines of under $1 million.  See Order Instituting Disciplinary Proceedings, Making Findings, and Imposing Sanctions; Order Instituting Disciplinary Proceedings, Making Findings and Imposing Sanctions.

[5] It also remains to be seen whether this case marks a departure from the SEC’s historical practice of exercising caution in seeking sanctions against lawyers for their conduct in representing clients in SEC investigations or enforcement actions. See Remarks before the Spring Meeting of the Association of General Counsel.