UK audit reform proposals: Full of sound and fury but likely to amount to nothing
Let's all say again that auditors are supposed to be performing their public duty and finding fraud, shall we?
One after another the ongoing revelations of corporate fraud and bankruptcy in the UK remind us that audits — the last defense against failed financial reporting for investors and the markets — are still not preventing, detecting, or warning anyone about it.
Enron’s bankruptcy, and its auditor Arthur Andersen’s collapse, happened twenty years ago. The financial crisis rocked the foundations of global financial stability a decade ago. Reforms intended to reassure investors and markets that company accounts can be trusted have instead fallen far short. Allegations of accounting muck-ups at UK companies such as Autonomy, Carillion, Thomas Cook, and Patisserie Valerie, to name just a few, prove politicians made empty promises.
The Right Honorable Kwasi Kwarteng, MP, the UK’s new business secretary, has now introduced a jumble of reforms after the latest corporate calamities and the failure of auditors to catch them, or even convincingly own up to a public duty to do so. The Beis proposals are pitched as a UK version of the US Sarbanes-Oxley Law, passed in 2002 in response to Enron’s failure and Arthur Andersen’s collapse.
The UK may be growling up the wrong tree. SOx reforms have always delivered more bark than bite.
It would be a huge mistake for the UK to model its reforms — ones that have so much momentum and urgent need — after US auditor reform that’s failed so miserably. UK investors deserve more.
I wrote in 2012, ten years after Sarbanes-Oxley was passed, that the law and feeble enforcement of it had failed to restore investor confidence in audit firms after Arthur Andersen’s failure to mitigate fraud at Enron. Nearly twenty years on my verdict is even more harsh. The Sarbanes-Oxley law has turned out to be a negotiated mélange of rules that have been barely enforced and gradually watered-down to within an inch of their original intent, all to reduce costs for corporations and increase new share listings.
Is the latest UK reform package truly radical or just more of the same incremental reforms, full of sound and fury yet signifying no meaningful change once again?
Incremental reform is not enough, Atul Shah, an accounting and finance professor at City University of London, told me.
I am afraid it is more of the same and the reforms will be as ineffective as all the rest. That’s because the largest global audit firms have fully captured the government and regulatory apparatus via the revolving door and have a shared objective to prop up the stock market and businesses no matter the cost to workers and small investors. After the 2008 crash, hardly any auditor was fined or went to jail over their failure to warn society.
After that, it got worse. The common factor is the cultural problem, Shah told Bloomberg in an interview this past June. When he spoke to me, Shah said the cultural problem in accounting and finance is being ignored by most universities and the firms when training new professionals. He believes there are vast cracks in the curriculums that ensure that the systemic problems continue to prevail.
Prem Sikka, an Emeritus Professor of Accounting at University of Essex, agrees. Sikka, in Left Foot Forward in September of 2020, wrote, "The audits of large companies need to be performed by a statutory body.” Lord Sikka, who was nominated for a life peerage in the 2020 Political Honours and raises his voice for the Labour Party in the House of Lords, has been a years-long critic of the audit industry status quo. He wrote:
Auditing firms have a choice. They can deliver honest, robust and socially useful audits or vacate the audit market and make way for a new institutional framework.
However, Sikka told me via email that he suspects the government would not like the idea of an independent body appointing and remunerating auditors because big corporations would oppose it.
The last time the UK pressured global audit firms to reform was in 2010 when the House of Lords conducted an inquiry into the Big Four audit firms’ role in the global financial crisis. Auditors had failed in their public duty to remain independent, place public interest above commercial interests, and undertake their duties competently, objectively and prudently, Sikka wrote in a 2009 article.
UK regulators went through the motions in 2010, and their issues were even taken up in the European Union. Michel Barnier, a French politician acting as European Commissioner for Internal Market and Services under President José Manuel Barroso from 2010 to 2014, voiced overall displeasure with the audit firms and threatened new laws and regulations that would upend the industry’s structure.
“The status quo is not an option,” Barnier said in October 2010.
Michel Barnier, however, did eventually accept the status quo. Barnier recently served as the European Commission's Head of Task Force for Relations with the United Kingdom during the Brexit negotiations. He’ll retire from the European Commission this month but stayed in the game long enough to see the audit industry status quo publicly pummeled again.
After the financial crisis, the Financial Times and the Guardian were full of stories about the auditors and what they did, and did not do, to warn of the crisis or mitigate the impact to investors. UK politicians made much more noise over the auditors’ role than US politicians did. In November of 2010 UK audit firm leadership appeared before the House of Lords Economic Affairs Committee and admitted they did not issue “going concern” warnings for any of the large UK banks that were eventually nationalized. That’s because they were assured during private, confidential meetings in December 2008 and January 2009 with Lord Myners, and others that the government would bail out the banks if needed.
Photo taken from live testimony posted by the House of Lords, left to right: Scott Halliday (EY), Ian Powell (PwC), John Griffith-Jones (KPMG), John Connolly (Deloitte)
The Financial Reporting Council’s Sharman inquiry, prompted by the incredible revelations, let them all off the hook in June of 2012. Bank auditors are not obliged to express doubts about their client’s short-term survival if it is receiving adequate liquidity support, including from the state, and are able to meet its long-term liabilities, the FRC said.
The latest proposals
On March 18, Kwarteng and Beis published “ambitious plans to strengthen the UK’s audit and corporate governance framework and empower shareholders” that have been much discussed and long delayed, most recently by the COVID pandemic. The proposals entertain most of the recommendations of three independent reviews of the UK audit industry completed in recent years.
Sir Donald Brydon, the former chairman of the London Stock Exchange, delivered a 135-page report in December 2019 that recommended significant structural changes to how auditors work and how their firms are structured and regulated including proposing a new definition of the purpose of a company audit. He also emphasized why auditors should be expected to act as “bloodhounds” that detect corporate fraud. (The collapse of Grant Thornton-audited Patisserie Valerie in January 2019 brought a new example of an auditor insisting it was not obligated to look for fraud.)
A Competition and Markets Authority report in 2019 recommended that UK-listed companies should be required to use two firms — preferably one a non-Big 4 firm — to do a “joint audit” of accounts. The year before John Kingman produced a highly critical report focusing on the regulation of the audit industry.
Lord Sikka believes the reform white paper’s foundation, all of the recent studies, is deficient. The Kingman Review only applies to one of five audit regulators and does not explain how to avoid capture, Sikka said. The CMA report does not tackle questions like auditor liability (an important pressure point) or inviting new suppliers of audit services and the Brydon Review does not look at the actual audit process, per Sikka.
The Financial Times Editorial Board has characterized the proposals as an equivalent to the US Sarbanes-Oxley regime, albeit one the UK must introduce carefully, “without piling unfair costs and burdens on to companies struggling to recover from the pandemic.”
The Beis white paper is a 232-page set of proposals and goes out for public consultation and comment until July. Given the number of recommendations and length of the report, the Beis plan is expected to generate plenty of mail. That is only a first step and there is no guarantee any of the proposals will eventually be mandated.
Kwarteng writes in the introduction:
The Government understands the serious challenges that businesses are facing because of the pandemic and we will not add to those: reforms will be introduced over an appropriate timetable. However, I am committed to our stated aim of reforming the corporate governance and audit regime and we intend to bring forward these reforms later in the Parliament, once we have taken account of your responses.
Separating audit and consulting, in body or at least in spirit via service prohibitions, is a perennial reform recommendation whenever conflicts rear their ugly head. The UK’s Financial Reporting Council already issued a 22-point plan last July for a “ringfence” requirement — the operational separation of the audit side of the largest global firms from the rest of their business. Firms were required to outline how they would make the changes by late last year, and the plan must be implemented in full by June 30, 2024 at the latest.
When the ring fencing requirements were announced, Deloitte said it would work with the FRC to develop its plans, but was concerned about losing momentum with other reforms mentioned in the three reviews.
Deloitte UK has come around. The firm announced in September that its UK audit operations would have a standalone board beginning in 2021. Public relations firm Teneo is announced this week it would purchase the Deloitte UK restructuring arm which reportedly has 250 people including 27 partners.
PwC was less committal but agreed to “continue to engage with the watchdog on the complexity and detail of the principles.” EY said it would work with the FRC, but warned the proposals alone “would not deliver all the changes needed.” The firm said in December that its plans had been submitted to the regulator.
KPMG has said it supports the ring fence plan as a “first step to restoring trust in companies.” Previously, in 2019, KPMG Chairman Bill Michael had warned that "an extreme form of ring-fencing would have significant unintended consequences, especially with regard to audit quality.” Next tier firm Grant Thornton followed the leaders and said the move would fail to boost competition.
KPMG UK agreed to a £400m deal with private equity firm HIG Capital for its UK restructuring unit. The firm is arguably in no position to complain about regulatory scrutiny. KPMG has been criticized recently — and been heavily fined — for the poor quality of its audits, in particular related to construction company Carillion. In 2020, the firm saw profits drop 6% before tax and partner payouts. Partner payouts were down 11% from 2019.
KPMG is also the firm where an audit practice ring fence will have the least impact on its results. KPMG’s audit practice generates a higher percentage of total revenue, nearly 29% in fiscal year 2020 than the other Big 4 firms, EY (21.2%), PwC (22.9%) and consulting behemoth Deloitte which only derives 14.8% of its revenue in the UK form audit services.
Conflicts, however, will continue to turn up. The sell-off of restructuring arms, in particular may help firms like KPMG UK avoid the conflict between its work to wind-up companies like Patisserie Valerie and its audit work but won’t prevent the kind of conflict of interest to be replaced on the job. The Patisserie Valerie auditor Grant Thornton is also KPMG’s audit firm. The forced split up of Big Four audit practices from their consulting units may provide an opening for the firms to continue expansion into legal services.
The US experience
The U.S. Securities and Exchange Commission attempted to “modernize” auditor independence rules — the ones that govern potential conflicts when an auditor performs tax and consulting services — in 2000, even before Enron filed bankruptcy. Audit firms were doing more consulting than auditing at audit clients and the concern was the work, and the fees, distracted them from their core purpose: auditing.
That time the Big 4 didn’t wait for regulators to force them to ringfence audit to protect its integrity from the influence of consulting fees. The Big 4 were so concerned about the growing regulatory and public criticism that two of the four firms sold their consulting practices in 2000 and 2001. The Sarbanes-Oxley Act was passed in July 2002 and PricewaterhouseCoopers Consulting was sold to IBM in October 2002. Deloitte Consulting never separated from Deloitte & Touche, and went on an acquisition spree.
Arthur Andersen’s perceived unhealthy emphasis on its lucrative consulting work at Enron instead of its audit was the catalyst for critics to succeed in getting nine prohibitions against consulting services to audit clients into the Sarbanes-Oxley law. The service restrictions prohibit audit firms from providing non-audit services such as internal audit outsourcing services, financial information systems design and implementation, and bookkeeping to an audit client including company affiliates.
However, between 2002 and 2012, the SEC and PCAOB made only a handful of enforcement actions against the firms for auditor independence violations and they were minor. This laissez-faire attitude encouraged the Big 4 firms to rebuild and then expand their consulting arms as soon as non-compete agreements with the original buyers of the businesses expired. The easiest prohibition to police – the one that restricts performing software design, development and implementation consulting for an audit client when it would impact the ability to audit accounting and financial reporting - is the one most recently sanctioned by the SEC, against PwC and a partner. In this case, one partner violated this prohibition in 15 clients for 19 engagements over five years, 2015-2019.
Can the UK succeed where the US has not?
Professor Shah is pessimistic and wrote in a 2019 OpEd, “We have already lived through the costly experience of the failure of “Chinese walls” in banking. Why should we still believe they can and will work here?”
Kingman’s recommendation for a new regulator called the Audit, Reporting and Governance Authority is also already in process. Following the FRC Review, the FRC, under new leadership, “has taken significant steps to strengthen its capabilities. However, legislation is needed in many areas to complete the task of remodelling the regulator and to establish the FRC’s successor body, the Audit, Reporting and Governance Authority (ARGA),” according to the Beis white paper.
So, full reform will, again, wait for Parliament.
The UK reform proposals borrow from recommendations made by the Competition and Markets Authority but go around its recommendation to mandate joint audits in the FTSE 350. From the white paper:
It is not healthy for audit quality that the UK audit market is so concentrated, with 97% of FTSE 350 audits undertaken by just four audit firms. This concentration is not helped by the fact that those firms also compete to provide a wide range of other business services to the largest companies.
The reform proposals greater regulatory powers and duties intended to increase choice and competition in the FTSE 350 audit market, initially through a managed shared audit regime, not joint audits, and, later if needed, a managed market share cap.
The operational separation between the audit and non-audit arms of certain firms is intended to lead to separate governance, financial statements prepared on an arm’s length basis, and regulatory oversight of audit partner remuneration and audit practice governance.
Jane Fuller, a fellow of CFA Society of the UK and co-director of the Centre for the Study of Financial Innovation advocates separating audit from consultancy but admits implementing the ring-fence will be challenging. Fuller wrote in her CFSI blog in October:
The devil in the implementation detail lies in the second objective: ‘Improve audit market resilience by ensuring that no material, structural cross-subsidy persists between the audit practice and the rest of the firm. The seriousness of this issue has led a few of my contacts (outside the audit profession) to question whether the ‘standalone’ audit practices will be viable.
Legislation would also provide statutory powers for the regulator to “proactively monitor the resilience of the audit market and audit firms, including powers to require audit firms to address any viability concerns that are identified.” This is a big missing piece of US audit firm regulate on since the SEC primarily regulates audits and auditors as their activities impact public company issuers. The Public Company Accounting Oversight Board monitors the process of auditing and the firms and professionals’ adherence to auditing standards.
No one publicly acknowledges a legal obligation to monitor the financial viability of audit firms, despite widely expressed fears of catastrophic private litigation against one of the remaining Big 4 firms and a generally accepted aversion by regulations to put another firm pout of business through regulatory fines or sanctions, resulting in an implied “too few to fail” policy when faced with necessary enforcement actions against any of the Big 4.
The US government hasn’t officially scrutinized the level of concentration in the market for public company audits since 2008. The US General Accounting Office admitted “there was no general consensus for various proposals put forth for addressing concentration.”
In their 2015 paper, “Competition in the Audit Market: Policy Implications,” Joseph Gerakos of Dartmouth’s Tuck School of Business and Chad Syverson of the University of Chicago Booth School of Business explored the possibility of further audit concentration as a result of the unexpected exit of a Big Four audit firm. This impact could be mitigated by new entry into the public company audit market by next tier firms like Grant Thornton.
Spreading the work of auditing listed companies around outside the Big 4 would potentially keep fee increases in check and, maybe, also prevent the Big 4 from operating with impunity. However, next tier audit firms have not been able to successfully dilute Big 4 market power in the developed economies. When Arthur Andersen collapsed completely, for example, Grant Thornton, RSM, and BDO did not step-up to fill the void anywhere.
In 2018 Grant Thornton UK announced that it would no longer even pitch for audit work with FTSE 350 clients. Perhaps that’s for the best given Grant Thornton’s failed audit of Patisserie Valerie and payment of a £3 million fine for “misconduct” relating to its audits of Nichols and the University of Salford.
In its November 2020 report, the UK FRC said that introduction of mandatory audit tendering and rotation in 2016 had not made much of an impact on industry concentration.
The Big Four firms continue to dominate the FTSE 350 audit market, particularly for the largest companies by market capitalisation. The failure of any one of these firms would threaten the stability of the overall audit market.
Data from Big 4 global and UK annual reports as of 2020, PCAOB filings and Audit Analytics data.
UK firm revenues represent between 6-9% of global firm revenues but that understates the importance of the UK to each firm’s global network as a key spoke in its global seamless service delivery model for multinationals, wherever they are listed.
The UK member firm in each of the Big 4 global networks signs the audit opinion for a handful of key multinationals, some resident in the UK or other parts of Europe, that are listed on the New York Stock Exchange or Nasdaq. For example, Deloitte UK signs the opinion for Glaxo Smith Kline PLC and BP PLC. KPMG UK signs the audit opinion for BT Group, BHP Group, and Barclays and PwC audits Rio Tinto, Pearson PLC, and Santander. EY UK signs for Royal Dutch Shell and the Royal Bank of Scotland.
PwC’s rank as the largest UK firm by total revenues and audit services revenue is likely directly related to its significant activity as a participating audit firm in 81 US listed companies. That highlights how critical the UK Big 4 firms are as member firms of their respective global networks who audit the UK operations for US and other European exchange-listed clients.
As a result of the fraud and failure of German payments processor Wirecard, this has meant investors and regulators, as well as plaintiffs’ attorneys, are keenly interested in what role EY UK and EY US played in the EY Germany audit of Wirecard. Wirecard had a subsidiary in England and one in Dublin, Ireland. Its 2019 annual report said that the subsidiary in England was audited by an EY network firm and its Dublin sub by a third-party firm.
The FCA forced Wirecard’s U.K. subsidiary, Wirecard Card Solutions, to halt operations when its parent company filed for insolvency in Germany in June 2020. The Newcastle-based fintech Railsbank agreed to buy the U.K. subsidiary of Wirecard. Wirecard’s North America unit, which it bought from Citigroup in 2016, was sold by the bankruptcy administrator to a company backed by buyout specialist Centerbridge Partners LP.
The failure to detect fraud
The Beis proposal also, in line with the Brydon Review’s recommendation, proposes to legislate to require directors of public companies, or what are called “Public Interest Entities” in the UK, to report on the steps they have taken to prevent and detect material fraud.
The Brydon Review also identified “both confusion and a gap between the reality and the expectations of performance of auditors [regarding detecting material fraud].” To dispel such confusion, it recommended that the regulator amend the auditing standard on fraud “to make clear that it is the obligation of an auditor to endeavour to detect material fraud in all reasonable ways.”
The proposal says the UK intends “to legislate to require auditors of Public Interest Entities, as part of their statutory audit, to report on the work they performed to conclude whether the proposed directors’ statement regarding actions taken to prevent and detect material fraud is factually accurate.”
It’s one of the biggest myths that the global audit industry perpetuates: The audit is not designed to detect fraud.
Auditors used to acknowledge their responsibility to detect fraud. In March 2007, PwC’s former US Chairman Dennis Nally was interviewed by the WSJ:
WSJ: Is it an auditor’s job to try and find fraud?
Nally: Absolutely. We have a responsibility to perform procedures that are detecting fraud just like we have responsibilities to perform procedures to detect errors in financial statements.
WSJ: You seem pretty certain, but the firms as a whole often eschew some responsibility for finding fraud, especially in court.
Nally: The audit profession has always had a responsibility for the detection of fraud. The debate has always gone toward how far do you carry that, what type of procedures do you have to develop and in what environment. The classic issue becomes the cost benefit of all of that and this is why I think there is this expectation gap.
By 2011, Nally had changed his tune. Helen Thomas of the Financial Times asked PwC Global Chairman Nally, “What about fraud or disingenuous bookkeeping? Surely auditors should rightly find themselves in the line of fire when a case slips through on their watch?”
The FT’s Thomas writes that Nally “crossed his arms across his monogrammed shirt, for the first time looking a touch defensive.”
There are professional standards out there [and] an audit is not designed under those standards to detect fraud,” [Nally] says, pointing out that detecting fraudulent behaviour rests on other indications including a company’s governance, management tone and control systems. The reasons it has been done that way is because, while we always hear and read about the high-profile fraud, the number of those situations that you actually encounter in practice is very de minimis.
You’re not designing an audit for ‘the exception’ because, quite frankly, the cost itself would be prohibitive to all of the capital markets and . . . who wants to pay for that if the benefit isn’t there?”
What happened to change his mind? Satyam happened.
Nally, and his boss, former PwC Global Chairman Sam DiPiazza, were caught flat-footed on the Satyam fraud in India in December 2008. DiPiazza told the Times of India:
What we understand is that this was a massive fraud conducted by the (then) management, and we are as much a victim as anyone. Our partners were clearly misled.
Faced with allegations that PwC India partners were in on the Satyam fraud, now Global Chairman Nally gave a rambling, incoherent interview to Business Today in India in July 2009 – more than six months after the fraud was uncovered by the Satyam CEO not PwC — and reversed his WSJ comments from 2007:
Many times there is an expectation from the investor community that the auditor is in fact fully responsible for the detection of fraud. Now that is not our job, today.
Judge Barbara Jacobs Rothstein of the United States District Court for the Middle District of Alabama, in her decision in the case Federal Deposit Insurance Corporation v. PricewaterhouseCoopers LLP et al, No. 2:2012cv00957, found on December 28, 2017 that PwC had breached its professional duty to exercise reasonable care in performing its audits by failing to plan and perform its audits to detect fraud and failing to obtain sufficient audit evidence that would have led to discovery of the Colonial Bank-TBW fraud.
On July 2, 2018, Judge Rothstein wrote that the FDIC was "entitled to recover all reasonably foreseeable losses Colonial incurred from its ongoing fraudulent relationship with TBW," and “[t]here can be no real dispute (indeed PwC does not raise one) that it was foreseeable that because PwC failed to detect the fraud, Colonial would continue to fund TBW-originated mortgages, both legitimate and fake.”
Judge Rothstein ordered PwC, the former auditor for now-defunct Colonial Bank, to pay the Federal Deposit Insurance Corp. $625 million in damages arising out of PwC's failure to detect the "massive fraud" perpetrated by employees of Colonial Bank and Taylor, Bean & Whitaker Mortgage Corporation from 2002-2009, which ultimately led to Colonial Bank's failure.”
It was the largest ever damages award for auditor liability. The two sides eventually settled for $335 million.
Judge Rothstein’s decision in FDIC v. PwC, should be the last word on whether the auditor has an obligation under law to design the audit to detect fraud and illegal acts at their audit clients.
In November 2013 the PCAOB published a very useful, and at the time very brave Appendix to a discussion document distributed at a PCAOB Standing Advisory Group meeting. The agenda item for the meeting was, “Consideration of Outreach and Research Regarding the Auditor’s Approach to Detecting Fraud”.
The appendix provides a detailed overview of auditors’ obligations under existing PCAOB standards to design and perform the audit to detect fraud. The document covers the entire audit lifecycle from engagement acceptance and continuance to reasons to resign an audit.
The Beis director proposals
The Financial Times Editorial Board believes the real “steps forward” in the BEIS proposals are not the audit firm reforms but changes to corporate governance rules.
At the least, directors would be required to sign off personally on the effectiveness of companies’ internal controls and risk management. That stops short of the US approach, where top executives must certify the accuracy of accounts. But making directors sign off on management, compliance and internal audit controls is a significant step — especially backed by the threat of fines, suspensions, or clawing back bonuses if sizeable errors or fraud are later found. It could also potentially make it easier to bring legal charges against them.
Strictly speaking, making directors sign off on internal controls would be quite a few steps above and beyond the US Sarbanes-Oxley requirement for the CEO and CFO to sign off on internal controls and disclosure controls. The FT’s mandarins, however, do not approve of the most severe controls proposed for company directors.
More stringent options proposed in the paper would require auditors to report on their views of how effective internal controls are, or — closest to the US system — give a formal opinion on directors’ assessment of controls. Jumping straight to the strictest option risks imposing unreasonable costs on post-Covid business.
Fuller told me in an interview she is hopeful that the proposed reforms to hold company directors personally responsible will act as a check and balance on executives and auditors.
That’s where the US SOx experience may be instructive.
The Sarbanes-Oxley Act of 2002 mandates that audit committees would be directly responsible for the oversight of the engagement of the company's independent auditor. SOX Section 302 requires that the principal executive and financial officers of a company, typically the CEO and CFO, personally attest that financial information is accurate and reliable. Besides lawsuits and negative publicity, a CEO or CFO who does not comply or submits an inaccurate certification is subject to a fine up to $1 million and/or ten years in prison, even if done mistakenly. Intentional certification of a false report risks even more severe criminal penalties.
However, there have been very few enforcement actions for violation these SOX provisions and none for some of the highest profile potential cases from the financial crisis. Other than the high-profile prosecution of Health South’s Richard Scrushy for Section 906 violations — he was eventually acquitted — the US Department of Justice did not pursue a single prosecution under these statutes as a result of the financial crisis.
The BEIS proposals have been greatly delayed, including for another month after the FT reported they were imminent. Perhaps the Big 4 audit firms and business weighed in, again, to create more ambiguity and wiggle room for Parliament later.
Media reporting of “pressure on the Big 4 firms” to renounce the commercialism of the status quo and redirect their hearts and minds to serving the public as professionals has often been just be a clever public relations strategy orchestrated by the firms themselves. It allows government and legislators to entertain the mistaken impression they’re actually “regulating.” Auditors then fend off the worst proposals with the same old arguments, for a while longer, under the guise of compromise.
© Francine McKenna, The Digging Company LLC, 2020