Weekend Reading: The Problem with Auditing Audit Culture Problems

By: Stephen J. Scott, Founder & CEO of Starling

This piece first appeared in Starling Insights' newsletter on August 25, 2024. If you are interested in receiving our thrice-weekly newsletter, among many other benefits, please consider signing up as a Member of Starling Insights.

Last weekend, I groused about the deluge of dross that typifies discussion of ‘culture problems’ and I argued that a serious topic needs serious discussion among serious people. I’d intended to be more cheerful this weekend. Alas, and with apologies in advance, another (very) long grumble is warranted this weekend.

Let’s start with the banking sector to see what lessons it may impart to those in audit sector oversight…

Non-financial risks are prudential risks

The Australian Prudential Regulation Authority (APRA) has lost patience with the leadership of ANZ, one of the ‘big four’ Aussie banks, after a persistent failure to improve its non-financial risk governance practices.

“APRA has held longstanding concerns with ANZ’s non-financial risk management and imposed a $500 million operational risk capital add-on to the bank in 2019 to reflect deficiencies in its risk governance,” the regulator explained. “This capital add-on has remained in place as the bank implemented a remediation program,” APRA reminded the bank’s stakeholders. “Despite this program being in place for several years,” however, “APRA has yet to observe significant improvements in ANZ’s non-financial risk management.”

APRA Chair John Lonsdale was pointed in observing that the bank is financially sound, with adequate capital and liquidity. But, along with some other thoughtful bank regulators, like Canada’s Peter Routledge, Lonsdale argues that capital cushions are not enough to maintain an institution’s soundness. Here’s Routledge:

We have learned over the past several years that our traditional definition of the word “prudential” was incomplete. We thought that solvency was king, but that mindset has proven to be overly simplistic because we underappreciated the fact that non-financial risks can produce financial risks, often suddenly and abruptly… Therefore, non-financial risks are, in fact, prudential risks and [the Office of the Superintendent of Financial Institutions Canada] must supervise and regulate them in a manner equivalent to its supervision and regulation of financial risks.
As a creditor or lender of a financial institution, ask yourself this: can I truly find comfort in my financial institution’s capital or liquidity ratios if I have concerns about its cyber risk management, third-party risk management, the integrity of its leaders, the security of its physical and information assets, its fidelity in adhering to the laws in the jurisdictions in which it operates, the culture of the organization, and the strength of governance provided by its board of directors?
Financial history is littered by companies that failed on these dimensions even though their financial indicators did not signal the severity of their problems, near to or until the last day of their existence. If you are not persuaded by this argument, please solicit the points of view of those institutions’ former creditors … or … their former shareholders. [mic drop]

APRA’s leadership clearly shares the Canadian regulator's view. Unhappy with non-financial risk management among the country’s major banks, APRA imposed risk capital add-ons of AUD $500m on three of them in 2019. (The fourth had already been saddled with an operational risk capital add-on of AUD $1bn.) “Australia’s major banks are well-capitalised and financially sound but improvements in the management of non-financial risks are needed,” then-APRA Chair Wayne Byres explained at the time.

“This will require a real focus on the root causes of the issues that have been identified, including complexity, unclear accountabilities, weak incentives and cultures that have been too accepting of long-standing gaps,” Byres warned then. Lonsdale is continuing in this direction today, observing last week that ANZ is the only bank not to have seen the 2019 capital add-ons lifted after successfully ameliorating the concerns Byres called out.

“While the bank has implemented actions to improve its risk governance and culture over the past five years,” Lonsdale explained, continued challenges “suggest there continues to be material gaps that need to be closed as a priority.” APRA has therefore imposed a further AUD $250m operational risk capital add-on at ANZ, and Lonsdale warned that further actions would follow should ANZ fail to demonstrate the alacrity APRA expects.

European regulators and international standard setters have joined the Canadians and Australians in making the argument that non-financial risks warrant prudential oversight, and that culture is both a key contributor to persistent failures in non-financial risk governance and key to the successful remediation of such failures:

“In recent years there has been increasing recognition that governance and culture relating to financial risks cannot be separated from governance and culture of firms’ activities considered more broadly,” Dutch central bank president and Chairman of the Financial Stability Board Klaas Knot observed in our 2022 Compendium. “Governance and culture are also crucial in managing operational risks.”
“The events in the first half of 2023 are dramatic examples of the consequences of lax governance and poor risk cultures,” argued the FSB’s then head of regulatory and supervisory policies, Eva H.G. Hüpkes, in our 2023 report. “Supervisory approaches that focus primarily on compliance and do not give proper weight to culture and governance cannot keep pace with changes in finance,” she warned.
“Culture and governance should be more and more the key focus of our debates,” argues former ECB Supervisory Board Chair Andrea Enria in our 2024 report, “and the challenge is to design effective supervision to address shortcomings in these areas…”

In the US, the NY Fed has championed the argument that culture matters for over a decade. After the failure of SVB last year, the Vice Chair for Supervision at the Federal Reserve Board, Michael Barr, pointed to challenges in the supervisory culture at the Fed itself as contributing to the oversight failure seen at SVB. Barr promised to explore the issue, but if he’s done so, the silence subsequently emanating from the Fed has been deafening.

In a speech earlier this month, however, Fed Governor Miki Bowman signaled that the topic has not been (perhaps conveniently) forgotten by everyone at the Board.

“We must not lose sight of the lesson that cultural problems at both banks and regulators can compound cyclical downturns in the banking environment and pose more serious risks to the banking system,” Bowman cautioned, in a welcome display of leadership that we might have expected from Barr.

The lesson that audit sector overseers can draw from their banking sector peers is simply this: culture matters.

This is true for many reasons, we’d argue. But there is an emerging consensus among banking sector supervisors that, at a minimum, an organization’s culture matters because it either limits or enables management’s ability to identify and mitigate non-financial risks, and this matters, in turn, because non-financial risks represent systemic concerns that warrant proactive prudential oversight.

Which brings us to the unfinished business at hand: how do we achieve prudential oversight of culture in a manner that allows us to draw defensible and actionable conclusions as regards the concrete remedial measures that may be necessary, practical, achievable, and auditable…?

And the very well-established short answer to that entirely sensible question is, “who the hell knows?”

Same time next week?

Saying that the culture of an organization is important for its healthy functioning is a bit like saying love is important in a marriage. Sure, but if I presented my wife with a well-intentioned metric that suggested we’d achieved a sub-optimal love-score, and helpfully proposed a 10-step remedial program she might care to follow, I’m not certain that the ensuing conversation would prove as productive as I might wish.

But surely the value in marriage counseling lies precisely in having a well-trained, independent, 3rd party pose awkward questions, while challenging responses that sound insincere, rehearsed, evasive, or unduly self-sure. We may assume that it is this sort of dynamic introspection that APRA hopes to provoke among ANZ’s leaders with its accumulating operational risk capital off-sets. Notably, APRA has also demanded that ANZ hire an external advisor to help it explore the causes of its continuing misconduct challenges.

But where to find such expertise? Couples who’ve tried will attest that many marriage counselors are, in a word, crap. How to know if the one you’re considering is any good, will ‘get’ the history and dynamics of your marriage, or will successfully navigate the challenges in your potentially conflicting communication styles, etc.? Is there such a thing as a successful ‘end-state’ and, if so, how does a couple — or counselor — determine that it has been sustainably achieved? The process is necessarily one of trial and error.

Imagine, now, that some ‘oversight body’ — your mother-in-law, perhaps — is standing by, ready to hit you with capital charges each time trial produces error? Those who object to regulatory insistence that culture can be made subject to supervisory scrutiny raise precisely these kinds of complaints. The process is invasive, fraught with biased and competing views of what ‘good’ looks like, and thus leaves you feeling set up to fail. Moreover, it’s none of your god-damned business — it’s between me and my board.

And it is into this quagmire that audit sector regulators now tread.

Auditing audit culture

The metaphor, of course, is flawed: public companies are not private affairs, so it is entirely appropriate that public interests are asserted and safeguarded, and that includes public interest in how the culture of a publicly listed entity impacts its performance, and how that performance impacts the public.

Regulators and supervisors exist to serve these public interests, so it is entirely appropriate that they hold a firm’s leadership to account when it harms those interests, threatens to do so, and particularly when it appears likely to do so again. And this is why the repeated problems at ANZ have left APRA so animated.

It is also why audit sector regulators have stepped up efforts to grapple with audit firm culture amidst declining audit quality, spectacular corporate collapses that have damaged investors, and a series of misconduct scandals that includes audit firm partners caught cheating on ethics exams, of all things. Like the banking sector, many have concluded that the audit sector is suffering from ‘culture problems,’ and regulators have decided that remedial measures are necessary.

In the UK, the newly installed Labour government has pledged to champion corporate governance and audit reform. Earlier this month, the UK Financial Conduct Authority (FCA) fined PwC £15 million for failing to report concerns about potential fraudulent activity at collapsed audit client, London Capital & Finance, marking the first time the regulator has taken such an action against an audit firm. While PwC’s failure was “not reckless or deliberate,” the FCA found, it wished to remind that audit firms are relied upon to play a “central role” in keeping markets clean, and their failure to do so will thus have consequences.

To further illustrate the point, the FCA also recently censured Baker Tilly, alleging it failed to meet the required standards for preparing client asset reports. “In a first of its kind, this censure underscores the important role that auditors play in providing accurate reports on whether firms are complying with our rules,” said Therese Chambers, Joint Executive Director of Enforcement and Market Oversight at the FCA. The UK’s Financial Reporting Council has made audit culture a priority.

In Australia, after a series of audit sector misconduct scandals, and amidst declining audit quality, the Australian Securities & Investments Commission (ASIC) announced plans to ramp up investigations of auditor independence earlier this year and, earlier this month, the Accounting Professional & Ethical Standards Board called for regulatory oversight of the consulting arms of the Big Four. “Auditors should deliver professional, high-quality audits,” ASIC has emphasized, “through a strong internal culture focused on quality audits and professional scepticism.” It will test for this.

And in the US, the Big Four accounting firms recently admitted to hundreds of violations of rules aimed at preserving their independence. In its 2023 audit inspections, the Public Company Accounting Oversight Board (PCAOB) found that, in 46% of the audit work it sampled, audit firms had failed to provide sufficient evidence to support the final audit opinions issued. Last week, the U.S. Securities and Exchange Commission signed off on new rules aimed at increasing personal liability where auditor negligence seems apparent.

In an effort to drive improvements in audit quality, PCAOB Chair Erica Williams has insisted that the agency will take more aggressive enforcement actions and will be examining how audit firm culture has contributed to past lapses. “We have a team in our division of registration and inspections that is looking at the culture of firms: the tone at the top that comes from leadership and how that might impact audit quality,” Williams said. “They’re running procedures and gathering information from the firms which we are interested in seeing. It’s a new initiative, so we don’t know what the conclusions are going to be yet.”

“Culture is a nebulous topic encompassing broad formal policies and procedures,” PCAOB Board Member George Botic offered in a late 2023 speech. “But like any organization, audit firm culture is also informed by so-called ‘unwritten rules.’ Without maintaining a keen unrelenting focus on the importance of audit quality,” Botic rightly added, “a firm’s culture may not embody what the organization wants to project nor what investors expect.” Indeed. But what to do about that?

I still haven’t found what I’m looking for

A 2019 survey of the relevant academic literature, “The Effect of Audit Culture on Audit Quality,” finds existing studies fail to provide “a comprehensive understanding of: (1) How audit culture affects audit quality and (2) What an audit culture that is effective in supporting high audit quality looks like and how it can be shaped.”

A 2020 paper, “Audit Firm Culture: Recent Developments and Trends in the Literature,” underwhelmingly concludes that, “the culture of an audit firm is most oriented toward quality if leadership emphasizes professionalism over commercialism, promotes ethical judgments, and facilitates learning through systems, integration of specialists, and interpersonal interactions among auditors.”

That’s not much to go by. After years of “mis-steps and scandals,” audit firms are rethinking how culture contributes to their internal risk governance, the quality of their work, and the impact this has on partner pockets. But — just as we’ve seen in banking — neither audit sector regulators nor those they oversee have established just how audit firm culture is best to be audited.

There is irony in this, given that PwC employs a number of “culture specialists” who presume to “support businesses in their culture evolution efforts,” while Deloitte provides counsel on “Cultural Risk and Your Organization's Reputation,” even as EY offers clients the use of its “Culture Fitness Diagnostic Tool,” and KPMG stands ready to advise clients in its “Culture and Conduct Assurance Framework.” On recent evidence, these firms appear not to value the counsel of their own culture specialists. Why should we?

Unsure what else to do, audit sector overseers are ramping up fines for errant auditors and accounting firms, hoping this will successfully prompt change. Alas, research from the banking sector suggests that monetary fines lack compelling moral force and are largely seen as an irritating but ultimately affordable ‘cost of doing business.’ Studies are few and findings are mixed, but research in the audit sector similarly suggests that punitive fines may not drive improved audit quality.

Experience from the banking sector suggests that punitive regulatory fines for failures in non-financial risk governance, to include outright fraud, are effectively ‘priced in’ to business models. After Goldman Sachs entered an unprecedented guilty plea in the 1MDB bribery scandal and agreed to punitive fines of some $5bn, Fitch Ratings reported no immediate expected ratings impact. “Fitch considers the financial impact of this settlement manageable within the context of the firm's earnings power and current rating level.”

Audit sector overseers, and audit firm leaders, have an opportunity to learn from the experience of their banking sector peers. Banking sector regulators appear to hope that the threat of punitive action, like increased operational risk capital add-ons, will provoke culture change in the industry and improved non-financial risk governance. They are repeatedly disappointed. Following that example seems unwise.

Since the Financial Crisis, estimates suggest that banks have absorbed over $800bn in punitive fines, in the global aggregate, while spending a similar cumulative amount on their non-financial risk governance infrastructures with questionable return-on-investment. Following that example seems similarly unwise.

I’ll be back next weekend with more.
