This post first appeared on Risk Management Magazine.
In a perfect world, companies would always give full, truthful and accurate details to investors, regulators and other stakeholders about the state of their finances and the risks to their businesses. Unfortunately, that is simply not the case, making it critical to have an independent voice to provide assurance that a company is being run properly and flag warnings when it is in trouble.
External audit has long been a legal requirement for large organizations, particularly in developed countries. And, for the most part, the system works. As a “fresh pair of eyes,” independent auditors can either give the accounts a clean bill of health or provide “qualified statements” where the scope of investigation in some areas is limited. They can even give an “adverse opinion” if they have doubts or wish to exercise “professional skepticism” about the robustness of certain risk controls or the accuracy of particular aspects of the company’s financial or risk reporting. At worst, they can provide a “disclaimer of opinion” report indicating that they have been unable to do a thorough job because of issues like conflicts of interest or management blocking them from doing their work effectively.
Recently, however, the external audit profession has come under increased scrutiny—and mounting criticism—over perceived conflicts of interest, a lack of independence and subpar work. Complaints about the state of external audit center on the fact that there are only four key players in the market (KPMG, Deloitte, EY and PwC), which restricts choice, and an overriding suspicion that management and auditors have too friendly a relationship, making audit a “paid for” opinion rather than an independent one.
Indeed, the length of some relationships does raise questions about objectivity: Consumer goods company Procter & Gamble has used Deloitte as its auditor without interruption since 1890—some 129 years. U.S. conglomerate GE has used KPMG as its auditor since 1909 (110 years), while PwC has audited investment bank Goldman Sachs since 1926 (93 years). In an effort to address objectivity concerns, the European Union now requires mandatory audit firm rotation to try to prevent close relationships between auditor and auditee. The United States, however, only requires rotation of the lead audit partner, not the firm.
Many are also questioning audit quality and effectiveness. In recent years, “Big Four” audit firms have been sharply rebuked over accounting errors at the likes of Canadian gold-mining company Banro Corporation; now-defunct mortgage lending firm Taylor, Bean & Whitaker; failed bank Colonial BancGroup Inc.; oil services company Weatherford International; and investment bank Merrill Lynch. Last September, U.S. audit regulator Public Company Accounting Oversight Board (PCAOB) found that 16 of the 24 audits it inspected of BDO’s work in 2016 were seriously defective and should not have been approved.
The problem of audit quality has arisen in the UK as well, including in a quick succession of high-profile corporate governance disasters where lax audit work was uncovered. Notable examples include collapsed retailer BHS, failed infrastructure company Carillion, patisserie chain Patisserie Valerie, fashion retailer Ted Baker, tech distributor Tech Data and insurer Quindell. The Financial Reporting Council (FRC), the UK’s corporate governance and audit watchdog, warned last June that the country’s eight largest audit firms—and in particular the Big Four—must act swiftly to improve audit quality, especially singling out KPMG for “unacceptable deterioration” in quality. The regulator said that 50% of the audits the firm performed for FTSE companies in the past financial year required more than just limited improvements, compared to 35% the previous year.
As a result, public, corporate and regulatory trust in external audit has declined. According to a poll released at the end of January by ICSA: The Governance Institute and recruitment specialist The Core Partnership, only half of UK corporate secretaries feel that the level of service their organizations get from their external auditor has improved in the wake of such corporate governance scandals.
Respondents felt that standards have dropped and that external auditors have become lazier, prompting clients to deliver more information in a specific format so they can push it through an algorithm, rather than reconciling the data themselves. This may be partly due to the fact that Big Four firms consider external audit as a loss leader to access better-paying non-audit work. When questioned about the best way to reform the audit market, 45% of corporate secretaries called for the Big Four to split their audit and advisory businesses.
They may get what they wished for. In December, the UK’s Competition and Markets Authority proposed splitting audit firms so that they could no longer cross-sell consultancy services to clients. It also recommended beefing up regulatory oversight of auditors and opening up the market to smaller players. A consultation process is ongoing.
The Need for Increased Oversight
Given the shaken confidence in audit quality, organizations may need to reassess how much stock they can put in an auditor’s opinion, and how much additional non-audit or consultancy work they want to give the same firm if there are questions over independence and audit quality.
Experts believe that audit committees, which are responsible for auditor appointments, now need to ask more questions about the scope of audit work and their planned approach, and evaluate how well the firm is progressing. Furthermore, many believe that in-house assurance functions that liaise directly with external auditors as part of their reviews—especially risk management, internal audit and compliance—need to keep a closer eye on how auditors conduct their work. They may also need to provide better assurance to the board and senior management in case the external auditors fail to spot problem areas.
“If organizations have no guarantee that an audit actually does what it is supposed to, then it falls to risk management, compliance and internal audit to do more assurance work themselves, especially if regulators are not prepared to act and break audit firms up,” said Prem Sikka, professor of accounting and finance at the UK’s University of Sheffield. “Companies will not only need to check their own controls and risk management processes more thoroughly, but they will also need to develop ways of getting better assurance about the risks underpinning the organizations they do business with because external audit reports aren’t worth the paper they’re written on. This can be achieved through better third-party auditing, as well as more thorough credit insurance policies if companies go bust.”
Recommendations for Improvement
Audit firms themselves have put forward recommendations for audit committees to get the most out of statutory audit. For example, after the UK’s corporate governance code introduced a requirement for them to explain in the annual report how they assessed the effectiveness of the audit process, EY issued guidance about how audit committees could assess audit quality as early as 2012. Audit committees in the United States have also enhanced their proxy disclosures to provide additional information about their auditor assessment process.
Topping the list was a recommendation for audit committees to understand from the beginning what the audit process would involve; what its scope would encompass; the seniority, experience and time commitment of the people who would be leading it; and how coordinated the relationship would be between the lead audit partner and local audit teams. Other key considerations included making sure that the auditors understood the business and its risks, and that they were prepared to stand up to management and challenge them.
As published in an EY newsletter, feedback from audit chairs indicated that organizations should leverage the relationship and try to learn as much as possible from the auditor’s past experiences. For example, tapping auditors for their industry-wide and/or sector-specific knowledge may pay dividends. Bonus questions could include asking auditors to provide information and advice on changes in regulation and how they might impact the company, the way it operates and the way that it reports.
Yet assessing audit quality can be difficult, they admitted. Regulatory reports can be “too black and white,” whether glowing or damning. In reality, performance might be more “nuanced”—good in some areas, but lacking in others. Audit chairs also note that data about audit firms’ levels of staff retention, recruitment, diversity, gender equality, promotion, client retention, audit and non-audit fee income—which are supposed to be indicators of the way they operate and of their values—can be “meaningless.”
Certainly, experts believe that organizations cannot be complacent about the level of assurance they are meant to get from an audit, and that they need to have assessments in place to check audit quality and examine ways to improve the relationship (without encroaching on auditor independence).
There are several ways that organizations can try to get the best value out of an audit. According to Matthew Weitz, associate managing director of business intelligence and investigations at global investigation firm Kroll, companies should first try to get more involved in forming a better relationship with their auditor. “Being open and willing to assist the auditors with information and access can ultimately benefit the organization—the more the auditor is able to see and cover, the more comfort management can have that the auditor is fully understanding the risks of the business and identifying potential problematic areas,” he said.
Companies should see an audit as an opportunity to identify areas for improvement in data flows, internal control or risk mitigation, rather than as an obligatory cost or a “box-ticking” exercise. “An audit provides a fresh perspective about how a company is run, its financial position, and how effectively management information is delivered and acted upon,” Weitz said. “Audit findings—both positive and negative—should be used to enhance business processes where possible.”
A good way to get comfortable that the audit is adding value is to get feedback from staff involved in the audit process and to encourage their engagement in the broader understanding of the audit’s purpose, Weitz said. “Did they ask a lot of questions, and were the questions the right ones? Did the auditors go to the parts of the business that are the most high-risk or are key to corporate strategy? How many people were involved and how long were they there for? Did they impress with their deep knowledge of the organization, or did they appear to not be as familiar with the business as they should be? Did they make any sensible or practical recommendations as part of their review that can be implemented quickly? Positive feedback can give management some assurance that the external audit is actually focusing on areas that are the riskiest in the organization.”
One of the key problems that often causes tension between auditor and auditee is an expectation gap between what auditors are required to do and what the public thinks they do. There are frequently misunderstandings about the external auditor’s role, who the audit is for, and what the audit’s scope is meant to achieve.
“It is not the prime objective of an audit review to focus on fraud detection—their role is to provide an opinion for external stakeholders on whether the financial statements are free from material error or misstatement,” Weitz said. “Of course, the auditor should robustly consider the firm’s control environment and exercise professional skepticism about the accounts and the state of the company’s finances, but it is not their prime job to focus on identifying fraud. That ultimate responsibility lies with the board and underlying management.”
Reassessing Audit Strategy
Some experts believe that poor audit quality is not just the auditor’s fault—boards must also get some of the blame. “Management’s drive to push for lower audit fees has simply resulted in audit firms cutting back on the work they will do, thereby affecting audit quality,” said Fiona Czerniawska, director at consultancy Source Global Research. “Some companies tend to see audit as a cost rather than a benefit and do not necessarily see quality as a differentiator for something that is mandatory. As a result, clients are pushing down audit fees, or are asking for ‘more for less,’ and in turn, auditors are taking a ‘tick-box’ approach, limiting their man-hours, using smaller teams with more junior staff, and narrowing the scope of their reviews in some areas.”
Another problem, Czerniawska said, is that “companies believe they can do a lot of the audit and assurance work themselves in-house because they have more sophisticated tools to crunch data and discover where key areas of risk are and where there may be gaps in management information.”
A broader issue, however, may be that audits are outdated and are no longer an accurate indicator of corporate performance, behavior or risk. Czerniawska believes that “the concept of an audit probably needs to change” to reflect how companies operate today and what their key assets are. “The days of just looking at companies’ performance on a balance sheet are long gone,” she said.
Indeed, research by consultancy Ocean Tomo found that the market value of S&P 500 companies deviates greatly from their book value—so much so, in fact, that physical and financial assets reflected on a company’s balance sheet comprise just 20% of the average firm’s true value. The majority is made up of intellectual property and proprietary technology.
“Financial performance is no longer the sole defining aspect of corporate success. A lot of what makes an organization tick and what makes it attractive to investors and other stakeholders is what the company represents, what it stands for, and how it operates,” Czerniawska said. “Long-term corporate strategy—rather than short-term gains—is now much more important, as are sourcing and retaining talent, supply-chain risks, cyberrisks and the impact of climate change. External audit should probably give these areas more attention instead of primarily focusing on giving an opinion on the accounts and financial controls.”
External audit is mandatory for the majority of organizations and is a key source of assurance—not only for businesses themselves, but also for their customers, suppliers, investors and regulators. As such, audit quality needs to be maintained, and given the dip in performance and increased regulatory scrutiny, it is only fitting that risk managers take a closer look at the audit process, as well as the level of assurance that is being generated internally.