Cyber Security: A Question of Risk

Cyber security has been in the headlines recently with high profile incidences of hacking of various organisations’ IT systems and their supposedly secure data.

The ‘UK Corporate Governance Code (2016)’ discusses risk management and internal control, stating ‘The directors should confirm in the annual report that they have carried out a robust assessment of the principal risks facing the company, including those that would threaten its business model, future performance, solvency or liquidity. The directors should describe those risks and explain how they are being managed or mitigated’, para C.2.1.

The UK’s Financial Reporting Council (FRC) placed cyber security firmly on the agenda for companies’ risk management strategies when, in October 2016, they wrote to audit committee chairs and finance directors, commenting “we encourage companies to consider a broad range of factors when determining the principal risks and uncertainties facing the business, for example cyber security and climate change”.

The Federation of European Risk Management Associations (FERMA) and the European Confederation of Institutes of Internal Auditing (ECIIA) published a joint report ‘At the Junction of Corporate Governance & Cyber Security (2017)’. The report recommends that the fundamentals of a cyber risk management framework should be based on the OECD principles contained in ‘OECD Recommendation – Digital Security Risk Management for Economic and Social Prosperity (2015)’ and the ‘Three Lines of Defence’ model promoted in the joint FERMA-ECIIA publication ‘Audit and Risk Committees – News from EU Legislation and Best Practices (2014)’.

The FERMA-ECIIA (2017) report’s conclusions include:
1. Beyond IT, cyber security is also becoming a matter of corporate governance, and the right governance framework is crucial to the efficient management of cyber risks.

2. Organisations should create a “Cyber Risk Governance Group”, reporting to the Risk Committee and chaired by the Risk Manager, to determine with other functions the cyber risk exposure, expressed financially, and to establish the possible mitigation plans. The Group should cooperate with Internal Audit to avoid silos.

3. Internal Auditors review the controls implemented and give independent assurance to the Audit Committee about the cyber risk, the efficiency of the controls and the mitigation plans.

4. The Risk Committees and the Audit Committees must collaborate to present a common view to the Board about cyber risk management.

Cyber security in large FTSE companies

In February 2017, Deloitte published its ‘Cyber Reporting Survey (2017)’. It provides useful insights into the cyber reporting practices of the UK’s FTSE 100 companies. The outcomes of their review of FTSE 100 annual report disclosures include:
1. 87% of companies disclose cyber as a principal risk.

2. The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage.

3. Detailed disclosure highlights the risks to shareholders; the better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.

4. Boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk.

5. Companies should take credit for what they are doing, including describing who has executive responsibility, board-level responsibilities, the policy framework, internal controls, and disaster recovery plans.

Deloitte’s Cyber Reporting Survey also points out that the UK does not have a specific cyber security disclosure framework, but that the USA may provide helpful guidance on such disclosure, as the Securities and Exchange Commission (SEC) issued disclosure guidance as far back as 2011.

In July 2017, HM Government published its ‘FTSE 350 Cyber Governance Health Check Report 2017’. The Government has undertaken a regular survey of the UK’s top 350 companies since 2013 to understand how they are managing their cyber risks. Overall, 105 companies responded to the 2017 Health Check survey, the majority of respondents being the Chair of their company’s audit committee. Cyber risk is now seen as a top, or group-level, risk by the majority of Boards (54%) when compared with all the risks faced by their company. Only 13% of respondents now say cyber risk is viewed as a low, or operational-level, risk by their Boards. Whilst 31% of boards receive comprehensive and informative management information on cyber risks, 68% say they have not received any training to deal with a cyber incident.

Concluding thoughts

The reports discussed above indicate a common theme: that cyber security is of increasing importance, that cyber risk is recognised as a major risk facing companies, and that managing that risk is part of a robust corporate governance structure. There is still a consensus to be reached on whether the risk committee, the audit committee, or a cyber risk governance group is the most appropriate body to manage this risk, and on how they might work together to do so. However, it seems clear that in the near future more attention will have to be paid to training in cyber security issues and to the appointment of qualified individuals with relevant knowledge of this area to corporate boards and board committees.

Chris Mallin

November 2017


Where were the auditors?

– in which Bob Tricker explains why he resigned from the Institute of Chartered Accountants in England and suggests a provocative future for auditors*

In the ongoing crisis facing financial institutions around the world, plenty of questions are being asked: why did the independent directors not act, did they even understand the risks in the business models being pursued; did the regulators fail; were the credit agencies at fault; are the risks of securitisation still properly understood; did short-term performance bonuses encourage greed and excessive risk taking?

But a crucial question remains: where were the auditors? Audit reports reassured readers about these companies’ accounts even though, as we now know, the underlying strategic model was suspect and the businesses exposed to massive risk, even the possibility of trading when insolvent.

In the original 19th century model of the joint-stock company, the state permitted incorporation of limited-liability entities provided certain safeguards were met to protect society. Auditors, appointed from amongst the investors, reported to these shareholder-owners that the directors of their company had faithfully recorded the company’s financial situation.

Then the accounting profession emerged. Small firms at first but, as companies grew in scale and complexity, they grew larger. Mergers enabled them to grow further. By the end of the twentieth century the world’s major listed companies were audited by just five vast, international accounting firms.

However, in essence the auditors’ duty has not changed since the founding years. It is still to report that the information given by the directors to the shareholders reasonably reflects the truth. But the relationship of the auditors to the companies they audit has changed. As scale and complexity increased, the role of the auditors properly became more professional. Inevitably, their relationships with the directors of their client companies grew closer. Although in many jurisdictions the shareholders still voted on a resolution to appoint the auditors, it was the board of directors who really made the decisions. And although nominally the auditors reported to the shareholders of the company, their detailed reports went to the directors.

Inevitably, a close relationship developed between the auditors and the staff of their client, particularly in the finance department. Issues that arose during the audit – questions about asset valuations, capital or revenue decisions, risk assessment or management control, for example – were resolved without the board even being aware of them. So audit committees were introduced, first in the US and then, following the Cadbury Report, in the UK. Sub-committees of the main board, these audit committees relied on independent outside directors to provide a bridge between company and auditor, avoiding too close a relationship between executive directors and audit staff, and ensuring that the directors were fully aware of audit issues.

Following the Enron debacle, the listing rules of most stock exchanges demanded audit committees composed entirely of independent directors, the rotation of audit managing partners, the prohibition of consultancy work for their audit clients, and a cooling-off period before audit staff could join the finance department of a client. The rotation of audit firms, though called for by some, was not demanded.

But I believe the issues go deeper. The real question is whether audit and accountancy is a profession or a business. Do the auditors offer a service to management or are they part of society’s regulatory function?

In the 1950s I was articled to a professional audit practice, which provided service for a fee. The number of partners was small. The phrase corporate governance had yet to be coined. In those days the accounting profession consisted mainly of relatively small firms. Of course, our partners were keen to be successful. In their community they were respected and well to do; but they were not rich. Neither would they compromise their principles. They would not sign an audit report, stating that the client’s accounts showed a true and fair view, unless the partner was personally convinced that they did. Better to lose a client than your integrity. This was a profession, after all. The audit process demanded absolute objectivity of thought and independence from the client.

How different at the beginning of the 21st century. The five major accounting firms had become vast, international and concentrated. They are major businesses, offering products and solutions, with market share and profit performance as watchwords. Partners were judged by fee generation and growth. Then in 2002 one of the five, Arthur Andersen, collapsed, brought down by the Enron catastrophe in the United States. Then there were four.

Partners’ expectations have been influenced by the remuneration levels of their ‘fat cat’ clients. But auditing is not astro-physics. True, the work demands detailed, intense and up-to-date work, but it is not actually difficult. Admittedly, too, these days the risks of litigation and forced resignation are higher. But the real challenge lies in determining standards and living up to them, as it always did.

When I began my accounting career in England, the Institute of Chartered Accountants was at the head of a self-regulating profession. Today, as the Arthur Andersen saga has shown, the marketplace, not the profession, regulates. Indeed, I believe that auditing has ceased to be a profession: it has become a business. So after nearly fifty years as a Chartered Accountant, including service as a member of its governing Council, I decided that the profession I had joined no longer existed and resigned my Fellowship.

Of course the business world has changed. Nostalgia has no place in strategic thinking. There is no going back to the profession of half a century ago. But I suspect that, unless auditing rediscovers what it means to be a profession and returns to its roots, state regulation of the audit process will have to be imposed to protect creditors, investors and the wider community.

Serious questions have to be asked about the auditors’ position. Who are their real clients: the directors or the shareholders? The de jure response that the client is the company and that somehow this means the body of shareholders will no longer wash. The de facto reality is that the client is the board, backed up by the board’s audit sub-committee. Is this satisfactory under current circumstances? What are the alternatives?

Consider some options:
1. Open the audit market, with the second-tier firms playing an increasing role in the audit of major listed companies. There has been slight movement in opening the market for audit. But financial markets like the assurance they think they get from an audit opinion signed by one of the big four firms. Predictably, the partners of the firms in this global oligopoly do not favour this solution.

2. Increase regulation, introducing further rules to regulate auditors’ activities. This has been the approach adopted in many countries, with the Sarbanes-Oxley Act (SOX) in the US, and tighter regulations and stock exchanges’ listing rules elsewhere. But SOX has proved far more demanding, expensive, and bureaucratic than expected; and less effective, as we see from its failure to identify the exposure underlying the financial institutions that have collapsed.

3. Face reality: require auditors to be appointed by and report to the state. It is the state that permits companies to incorporate, and the state that is responsible for protecting the interests of investors, creditors and other stakeholders. That is why we have regulators. A start could be made by introducing this requirement in those companies that have just been massively funded by the state. Surely, the auditors of companies that have been bailed out should not report solely to the directors. He who pays the piper…

The regulatory organisational structures already exist to manage such a relationship. The regulators, working with the shareholders in general meeting, would appoint, re-appoint, or if necessary replace the auditors, agree their fees and receive their reports. The company would, as now, bear the costs.

In this way cosy relationships between directors and auditors would be avoided. If they reported to the regulator rather than the directors, the auditors would have to develop a new mindset. Moreover, shareholders would now have a direct line to their auditors and the board’s audit committee.

Eventually, such an arrangement could be applied to all listed companies. Shareholders would benefit. Investors would know that their auditors worked for them, just as in the 19th century model.

Bob Tricker
* This is a personal view and the ideas are not necessarily shared by my fellow blogger Professor Chris Mallin nor the Oxford University Press.