Professional Services Monitor: Today

Savvis, a “IT infrastructure services” provider, is being sued after issuing a clean security audit to CardSystems Solutions in 2004, three months before CardSystems was hacked and compromised.  Wired’s Threat Level blog calls this the first such suit against a security auditing firm.

When CardSystems Solutions was hacked in 2004 in one of the largest credit card data breaches at the time, it reached for its security auditor’s report.

In theory, CardSystems should have been safe. The industry’s primary security standard, known then as CISP, was touted as a sure way to protect data. And CardSystems’ auditor, Savvis Inc, had just given them a clean bill of health three months before.

Yet, despite those assurances, 263,000 card numbers were stolen from CardSystems, and nearly 40 million were compromised.

More than four years later, Savvis is being pulled into court in a novel suit that legal experts say could force increased scrutiny on largely self-regulated credit card security practices.

They say the case represents an evolution in data breach litigation and raises increasingly important questions about not only the liability of companies that handle card data but also the liability of third parties that audit and certify the trustworthiness of those companies.

The case, which appears to be among the first of its kind against a security auditing firm, highlights flaws in the standards that were established by the financial industry to protect consumer bank data. It also exposes the ineffectiveness of an auditing system that was supposed to guarantee that card processors and other businesses complied with the standards.

Credit card companies have touted the standards and the auditing process as evidence that financial transactions conducted under their purview are secure and trustworthy. Yet Heartland Payment Systems and RBS WorldPay, two processors that recently experienced large breaches, were certified compliant before they were breached. And Hannaford Bros. was certified in February 2008 while an ongoing breach of the company’s system was underway.

A Visa executive told an audience earlier this month that the companies were not compliant, though auditors certified they were. “No compromised entity has yet been found to be in compliance with [the standards] at the time of the breach,” she said.

In the CardSystems case, Merrick Bank, which is based in Utah and services 125,000 merchants, sued Savvis last year in Missouri. Merrick says Savvis was negligent in certifying that CardSystems was compliant. The case was moved to Arizona five months ago but only recently assigned a judge, allowing the suit to finally move forward.

KPMG is being sued for “no less than $1 billion in compensatory and consequential damages” by the bankruptcy trustee for New Century Financial.

The trustee overseeing the bankruptcy of subprime lender New Century Financial Corp. filed suit against its auditor, KPMG LLP, claiming that “reckless and grossly negligent audits” helped accelerate the firm’s collapse two years ago.

The lawsuits filed Wednesday said that specialists at KPMG tried to point out errors in New Century’s financial statements but were silenced by the KPMG partner in charge of the audits “to protect KPMG’s business relationship with, and fees from, New Century.”

Francine McKenna, of Re: The Auditors fame, is quoted in the story, saying that if the suit is successful, “it may embolden others to look more closely at the possibility of bringing [accounting] firms to some level of culpability for the things that happened” that led to the credit crisis.

KPMG spokesman Dan Ginsburg said, “KPMG acted in accordance with professional standards in New Century, and we will vigorously defend our audit work. Any implication that the collapse of New Century was related to accounting issues ignores the reality of the global credit crisis. This was a business failure not an accounting issue.”

New Century disclosed a total of $10.4 million in fees between fiscal 2002 and 2005.

McGladrey & Pullen has been sued by the bankruptcy trustee for Sentinel Management Group, Frederick Grede, for $550 million, according to the Wall Street Journal.  Gede accuses McGladrey of “certifying false financial statements and creating some of the accounting entries that led to Sentinel’s financial misstatements.”

Mr. Grede, whom the court appointed last year to oversee Sentinel’s bankruptcy, said the firm’s “failure to properly fulfill its responsibilities” let Sentinel executives run the company for their own benefit.”"M&P’s failure to either ensure that Sentinel’s financial statements accurately reflected the facts or refuse to certify materially misstated financial statements, as well as its failure to report these violations in its audit report and to authorities, reflects a deliberate disregard of M&P’s obligations as an auditor,” he said.

Grede has also sued three former Sentinel executives and the Bank of New York.Thus far, McGladrey has not made comment on the suit.  Considering what BDO has faced in the ES Bankest case after deciding to go to trial,  one wonders whether McGladrey will seek a settlement.

UK’s Accountancy Age analyzes BDO Seidman’s future as it appeals the verdict in the ES Bankest case, and also takes a look at the impact on BDO International and BDO Stoy Hayward, the UK member firm of BDOI.

Firms in the UK are desperately keen on boasting about their US counterparts – until they hit trouble, that is.

KPMG’s tax issues in the US were one thing. BDO’s problems with its US firm BDO Seidman look equally troubling.

The article notes that BDO Seidman’s appeal is pending and that the firm has a strong track record of defending itself against lawsuits. “Admirably, perhaps, it does not just pay out.” Furthermore, BDOI has defeated an effort to make it jointly liable in the suit, and BDO Stoy Hayward remains “relaxed” regarding the claim. However, should something happen to BDO Seidman, that attitude would change.

The alternative could be extremely worrying for BDO Stoy Hayward in the UK, which relies on Seidman for its exposure to the US. Its clients with US operations need Seidman’s assistance there, and it will get referrals from there too.

Jeremy Newman, managing partner of BDO Stoy Hayward, BDO International’s member firm in the UK, regularly posts to his blog. Last night, he made a brief comment on BDO Seidman’s verdict in the ES Bankest lawsuit.

It is not for me to comment on the US judicial process save to note that it is very different to that in the UK. BDO Seidman are confident that the jury’s findings will be overturned on appeal. Indeed they have been successful in a number of other claims which went against them at initial trial but were ultimately reversed. Large claims against major accounting firms are an unfortunate feature of professional life in the USA.

As with ourselves, BDO Seidman has enjoyed strong growth in recent years which reflects the strength of that firm. It remains capable of handling work for any of our clients operating in the USA and is a key part of the BDO International global network.

The comment is decidedly at arms-length, but it is an acknowledgment from BDO leadership, even if it is from the UK firm.

Mr. Newman also references a statement issued by BDO Seidman, but there is still nothing to be found at bdo.com.

The jury reached a decision regarding punitive damages yesterday in the BDO/ES Bankest trial.

A jury on Tuesday ordered accounting firm BDO Seidman to pay more than $351 million in punitive damages in a negligence case, bringing BDO’s potential liability in the case to about $521 million.

The jury had found BDO negligent for failing to find massive fraud in its audits of a financial services company backed by a Portuguese bank. The amount will be added to the same jury’s award of $170 million in compensation to the bank, Banco Espirito Santo.

In court filings, BDO Seidman had warned that a loss of $170 million could trigger massive layoffs and cause the company to lose its standing as the fifth-largest accounting firm. The jury was barred from issuing damages that could destroy a company.

In testimony Tuesday, BDO Seidman attorney Adam Cole asked the company’s chief executive, Jack Weisbaum, whether the firm’s financial operations would stay the same if it had to pay punitive damages.

“Probably not,” Weisbaum said. “It would be very difficult. We certainly wouldn’t look the way we do now.”

This Washington Post article has more interesting details about BDO and the case.

• BDO’s net worth for fiscal 2006 was $171 million
• BDO’s fiscal 2006 revenue was $589 million

Last night, the jury in BDO/ES Bankest suit ruled that BDO must pay $170 million in damages for “gross negligence.”

The award raises a question mark over the financial future of BDO, which last year argued in court papers that such a decision could undermine its standing as a national accounting firm and lead to the layoff of thousands of employees. BDO is one of the second-tier of national accounting firms.

A spokesman for BDO said last night that the firm “intends to ask the trial court to set [the award] aside and, failing that, to appeal.” He added that, “the firm has a track record for successfully appealing these jury verdicts.”

But the worst may be yet to come. The jury will now decide whether and how much in punitive damages to assess against BDO. Under Florida law punitive damages can be triple the amount that investors initially claimed, or $170 million.

This case has been notable for a couple reasons. First, in January, the Wall Street Journal noted that BDO was one of few major firms that was willing to take major cases to trial. Then, in June, the jury in the case ruled that the firm was negligent, and BDO stated that the $170 million negligence liability would jeopardize its future as a national firm.

While the firm will appeal and no huge penalty check has yet been written, the firm has been at least partly hit with the legal penalty that BDO’s legal statements say puts the firm’s future at risk. And yet, BDO has still not made a public statement about the matter. As of this morning, firm’s website still has no information about the suit.

In June, BDO Seidman was found negilent in a fraud case involving a defunct Florida factoring company, ES Bankest. After a Wall Street Journal article mentioned BDO’s track record of taking cases to trial, versus the Big Four practice of settling, we have been following the case. The penalty in the case is still yet to be decided, and BDO has said in court filings that the maximum penalty of more than $500 million would jeapordize the firm’s future.
A brief survey of news this afternoon shows that the penalty has not yet been decided. What was interesting is that BDO’s website has no current information on the case, despite being revised no longer ago than July 24.
No one likes to repeat negative news on oneself. However, in this case, others are telling BDO’s bad news without the firm giving its own view of the situation.
At least two objections come to mind, arguing for BDO not making its own public statements. First, the public has no interest in another accounting firm spinning bad news. Second, it’s bad practice to comment on a case still in litigation.
While both objections have some validity, management’s responsiblity to the firm’s partners and employees outweight these and other concerns. If the firm is, as it has itself said, in the fight for its very existence, the firm must not let the message be told exclusively by others. Regarding any legal concerns, a simple recitation of the current and settled facts of the case would seem to be beyond all but the most hypersensitive of legal objections. The firm could issue a press release consisting of nothing more than the standing of the case at the time, and what appeal or remedy the firm intends to make. After satisifying the legal concerns, it is the management’s responsibility to in some way “spin” the story. It is the firm’s duty to protect itself competently. And a competent defense can abosolutely be made while holding to the highest ethical standards.

CFO.Com reports (via Jack Ciesielski’s AAO Weblog) that New Century Financial creditors are seeking documents from KPMG relating to the firm’s work for New Century.

While New Century Financial Corp. seeks to retain control of its Chapter 11 process in U.S. Bankruptcy Court, its unsecured creditors want to use the court to probe the relationship of former auditor KPMG to the collapsed subprime mortgage lender.

In a filing with the court in Wilmington, Del., the official committee representing New Century’s creditors sought the ability to force KPMG to produce documents related to its work for the company, according to the Associated Press.

The unsecured creditors want to examine documents related to KPMG’s audits, reviews of the company’s interim financial statements, audits and assessments of internal controls over financial reports, and other professional services provided to New Century, AP said…

While KPMG is still ostensibly New Century’s auditor, in that the company has not yet changed to another firm, the article notes that KPMG’s last opinion was on New Century’s fiscal 2005 annual report.

PricewaterhouseCoopers today paid $225 million to settle audit malpractice claims in conjunction with Tyco International. The firm said it settled due to the cost of defense and the size of the class action suit, despite saying that it was prepared to defend itself against the claims.

The settlement applies to claims from both Tyco investors, who had filed a class-action lawsuit against the accounting firm in federal court in New Hampshire, and the company itself. The agreement was disclosed Friday in a legal filing by PwC, Tyco and the class-action investors.
Tyco’s involvement in the PwC deal followed on its agreement in May to settle for $2.975 billion claims brought against it by the same class-action plaintiffs — removing a cloud of liability that shadowed the conglomerate as it split into three publicly traded companies. As part of that agreement, Tyco allowed investors to pursue its claims against PwC, while the company would pursue claims on behalf of shareholders against former executives including L. Dennis Kozlowski.

The WSJ article also included some interesting metrics on the size of the settlement relative to the case and PwC.

The PwC settlement ranks among the top 10 legal payouts made by accounting firms related to work on behalf of one company. Ernst & Young LLP’s $335 million settlement in 1999 related to work for Cendant Corp. remains the biggest-ever payout by an auditor.
As a percentage of the overall settlement reached by the company and other parties — a key metric considered by accounting firms — the PwC deal represented a payout on its end of about 7% of the total. That is generally in line with payouts by accounting firms, which tend to range from 5% to 15% of total payouts.

Tyco had reached its own agreement with plaintiff’s in May, paying out $3 billion to settle suits, ahead of its June split into three separate public companies. The terms of Tyco’s settlement turned Tyco’s claims against PwC over to the plaintiff shareholders.

PricewaterhouseCoopers didn’t settle. As part of the agreement, Tyco assigned to the shareholder plaintiffs the right to pursue the company’s claims against Pricewaterhouse for accounting malpractice and to keep any damages. Jay Eisenhofer of Grant & Eisenhofer, one of the lead-counsel firms in the case, said, “Pricewaterhouse is liable potentially for billions of dollars” for not spotting and stopping fraud while auditing Tyco’s books.