Moves underway globally to reform the audit process should reduce the likelihood of corporate collapses and internal fraud, writes Paul Kilduff
Whenever there is a sudden company collapse, a shocking fraud or a financial scandal, the details make the front pages of the newspapers and news sites, and the shareholders and the public rightly ask: ‘And where was audit?’ Work is presently underway to address this vital question.
In the US, the Public Company Accounting Oversight Board (PCAOB) oversees the audits of public companies in order to protect investors. There are quality control standards in place covering personnel, ethics, engagement performance and client acceptance, but the chair of the PCAOB accepts that these are outdated and do not adequately promote audit quality.
The PCAOB’s plan is to close the gaps by updating the rules for how firms should police their audit work. It recently issued its 2022–2026 Strategic Plan for public comment, so these planned developments will take time.
In the UK, the Financial Reporting Council (FRC) develops and maintains auditing and assurance standards. The most recent annual report from the FRC on the quality of audit in the UK found that 33 percent of all audits reviewed needed improvement. This was an unacceptably high number of audits, according to the accounting watchdog. Of the 147 audits inspected by the FRC, 41 required ‘further improvements’ and seven needed ‘significant changes’.
The Institute of Internal Auditors believes the FRC findings underline the need for urgent audit reform and robust measures designed to increase audit quality. One solution is to put the FRC audit regulator on a statutory footing with enough new legal powers to do its job effectively. Sadly, the problem of audit quality remains, and it has impacted the work of the auditor for years.
High-profile scandals
When Nick Leeson single-handedly destroyed Barings Bank, I was an internal audit manager with HSBC in London. My first reaction was one of relief that the calamitous events had not occurred at our bank. My second reaction was one of concern that the bank’s internal audit team and external auditors in Singapore had not discovered the £869 million trading loss hidden by Leeson.
Leeson outfoxed audit. When internal audit arrived from the London head office, he met them on the chaotic trading floor of SIMEX, he told them he was very busy, and he avoided the office and all meetings with the auditors. When external audit from a Big 4 firm asked him for a confirmation for a large bogus option trade, Leeson manufactured the confirmation from a page of headed bank notepaper, using scissors, glue, and a photocopier. The audit team was none the wiser as to his deceit.
Wirecard AG, a Munich-based electronic payments provider, once valued at €24 billion, went kaput in 2020. The accounts of this listed company included a bank deposit in Singapore of €1.9 billion, which simply did not exist. The Financial Times reported that, instead of obtaining confirmation of the deposit directly from the bank, the auditors relied on documents and screenshots provided by a third-party trustee and by Wirecard staff.
This audit failure happened not once, but at three successive year-ends from 2016 to 2018. I qualified as an ACA many years ago, but even then, obtaining independent confirmation of bank deposits was covered in day one of audit training.
The head of the German financial watchdog BaFin was critical of the audit work performed and said the Wirecard scandal was ‘a complete disaster’, adding: ‘It starts with looking at a complete failure of senior management and it goes on to the scores of auditors who couldn’t dig up the truth.’
In the UK, there are recent examples of previously robust companies, which had been audited by leading UK accounting firms, suddenly failing. The demise of retail chain BHS, travel agency Thomas Cook and construction giant Carillion had a major impact on the UK economy, costing the taxpayer millions. The Institute of Internal Auditors believes that stronger governance and audit can help to prevent such collapses occurring in the future, protecting jobs, pensions, investors and incomes.
Necessary reform
The necessary improvements to audit must deliver on several fronts. The audit profession must ensure that it attracts capable individuals with strong product knowledge, an inquiring mindset, and a character strong enough to deal with any management obstruction.
The improved audit approach must be documented in revised policies and procedures, which must be ingrained in audit work. Quality Assurance functions must be set up or enhanced in firms to ensure standards are met. The cost of implementing these audit reforms must be reasonable to bear, whether the auditor is in an internal audit function, a Big 4 audit firm or a small audit firm with a more limited budget.
There is an expectation that audit reform must use all available technology to improve the quality and scope of audit work. In the past, audit sampling may have been acceptable, but with advanced Computer Assisted Audit Techniques (CAATs), 100 percent auditing is the likely optimal solution.
Global audit reform must also consider the changing nature of work, and the associated risks. Few auditors thought three years ago that so many employees would now be working on a hybrid basis, relying on remote systems access for client verification, payments processing and other critical tasks.
When reform does arrive, there should be international convergence, so that the audit quality rules in the US, UK and other jurisdictions are consistent and align with international standards, thereby avoiding unnecessary differences and costly duplication that could weaken audit effectiveness.
In the meantime, accountancy bodies are providing new guidance to members.
New guidance
In the UK, the Institute of Accountants in England and Wales recently reported on the significant resources devoted to fraud-related activities within audit firms. It also acknowledged the public perception that auditors can and should be doing much more to deter and detect fraud and to prevent the unexpected failure of large companies due to fraud.
It was Lord Justice Lopes who famously summed up the auditor’s duty in the case of Kingston Cotton Mills Co., where the company directors had fraudulently overstated the value of stock, by proclaiming: ‘An auditor is not bound to be a detective. He is a watchdog, but not a bloodhound.’
Lopes opined that the auditor cannot be liable for any wrongdoings they had no reason to suspect were taking place, but that landmark legal judgement was handed down in 1896. The expectation placed on both internal and external auditors is significantly higher today.
The auditor is not specifically expected to search out any fraud or deception in their audit, but if there are warning signs that all is not well, the auditor must investigate these to reach a satisfactory conclusion regarding the audit opinion.
While writing my latest banking book, I researched the case of Joseph Jett, a former bond trader with Kidder Peabody in New York, who created $350 million of phantom trading profits on the bank’s computer systems.
The subsequent post-mortem report stated that the internal auditors learnt that Jett had booked billions of dollars of unusual transactions, but no auditor followed up on this anomaly. The auditor had to explain his work in court, as audit workpapers were produced with hand-written annotations without evidence of action. This is not a situation any auditor would wish to defend.
I also came across Sir Allen Stanford and his Stanford Financial Group, based in Antigua, which was later revealed to be a giant Ponzi scheme. His bank at the time had a value of $8 billion, but it was audited by a small Antiguan audit firm with just ten staff. This should never have been acceptable.
When corporate disaster does strike, it is easy to point the finger at the auditor, but this is often unfair. Every auditor comes to work with the intention of doing a good job. The aim of audit reform is to assist and guide the auditor in their work, rather than to make their work more onerous.
The global audit reform process is underway, and it must deliver improvements to reduce the likelihood of further high-profile corporate disasters, which damage the reputation of the auditor. In the meantime, the auditor at large would do well to maintain a healthy sense of scepticism.
Paul Kilduff B.Comm FCA is an author and banker, who has worked with HSBC, Bank of Ireland, Bank of America, Barclays and Citibank. His eighth book, Stupid Bankers: The World’s Worst Banking Disasters Revealed, is available exclusively on Amazon UK in paperback and Kindle format