At a recent webinar hosted by the South African Institute of Chartered Accountants, as part of a series on leadership in a time of crisis, the outgoing CEO of the Independent Regulatory Board for Auditors (IRBA), Bernard Agulhas, explored the reasons for recent auditing failures, and how IRBA could go about restoring trust in the profession. Acumen spoke to Agulhas as well as several other experts to explore the reasons for the auditing failures and how the industry might regain the trust of the public, as well as what lessons we might deduce that would apply to the broader challenge of a society in which public trust in institutions, including the government, could hardly be lower.
Auditing’s crisis stems from a number of high-profile corporate scandals, of which Steinhoff is the most significant. The key issue is why the external auditors allowed corporate malfeasance to continue unchecked: were they colluding, or were they incompetent? In such cases, one must also remember, perception is as important as fact.
Auditing as a profession has lost a lot of standing, and thus is much less trusted by society at large and, one might venture to suggest, within the business community. Agulhas has several observations to make about the reasons for this apparent “failure to launch” on the part of audit teams in such cases. The first is that auditors exist within a financial reporting chain and that what seem to be audit failures are actually failures of the whole chain.
“Many participants in the financial value chain do not understand what their responsibilities are,” he says.
A particular concern is the role of the audit committee, a preponderance of whose members are typically independent, non-executive directors (NEDs). He worries that NEDs have insufficient access to the detail they need to ask questions that are sufficiently penetrating even though, he adds, they are employed to do just that and need to take steps to obtain the detail they need. They cannot rely on internal or external auditors only.
“One can’t outsource oversight. That’s a key principle,” he says.
GIBS Professor Emeritus John Ford, himself a CA(SA), has a research interest in governance. He says that part of the problem could be traced to the greater number of non-executives and independents on boards – a development which, he believes, gives too much power to the executives. “One can be critical of boards, but if there are so many independent non-executives, how can they really hold the executives properly to account? They just don’t have the deep understanding of the business,” he argues. “One can’t blame them – it’s hard for part-timers to know enough.”
Of course, the reason boards have increased the proportion of non-executives and reduced the number of executives was to enable them to hold management accountable. The implication here, then, is that the pendulum has swung too far in the opposite direction, with the unintended consequence of effectively making it easier for unscrupulous executives to pull the wool over the eyes of board members.
This theme of expertise is one that Ford also stresses. In his view, there is something of a skills/experience vacuum in the auditing profession. One issue is the shortage of CAs, which has been evident from the 2000s. This has meant that graduates only stay in auditing long enough to complete their articles before they move on to higher-paying parts of the profession, typically within corporate finance departments or management consulting. “Auditors are only there for two minutes,” he jokes. “There’s no longer a bench in the audit side of the industry, and a corresponding loss of institutional memory.”
The extraordinary case of EY and its client Wirecard suggests that there must be some truth in the view that auditing, even at the highest level, lacks skills. EY audited Wirecard for 10 years before eventually identifying that £1.9 billion shown on its balance sheet did not in fact exist. The Financial Times attributes this to the omission of “routine audit procedure that could have uncovered the fraud”. This apparent failure in the basics of auditing supports the view that role-players in the finance value chain do not necessarily understand their roles.
EY’s chairman sent out a letter to clients as part of a process to repair its reputation, and it will be interesting to observe what else it does and how successfully.
The numbers don’t lie…
A related issue, Ford says, is an overly technocratic approach. He says modern auditors tend to be numbers-focused, and too reliant on technology. The modern version of an audit is for a group of generally young auditors to spend several weeks in a conference room glued to their laptops. “But we shouldn’t be auditing the numbers; we should be auditing the client!” he argues. “If you have no idea what the warehouse or the factory looks like, then you have lost the ability to be truly sceptical. The less you understand the business, the more you rely on the numbers.”
And numbers, despite the cliché, are all too easy to manipulate.
For that reason, he (somewhat controversially) believes that separating the consulting and auditing arms of the big accounting firms was ultimately a mistake because it robs auditing of access to people who truly understand business. Agulhas, for one, disagrees with this stance, arguing that this separation preserves independence and prevents conflicts of interest.
Then there’s the inherent conflict in the business model: the organisation being audited that pays the auditor’s bill. This creates tremendous role confusion because it’s completely natural for auditors to see the company as the client, particularly the CFO because he or she is the one who pays the bill. One can plausibly argue that this sets the system up to fail because, in the real world, how likely is an audit firm to jeopardise a lucrative contract by asking the penetrating questions it ought?
Agulhas says that this “payor model” is indeed a global problem and one for which the profession has so far failed to find a solution. One obvious option would be to have a regulatory body like IRBA acting as an intermediary, with companies paying the regulator to be audited, with the regulator appointing and paying the auditors. This would position auditors as professionals with a duty towards the public and not their “client” but, he says, “The risk is that the regulator’s own independence is compromised.”
Following on from his point about the lack of role clarity across the financial reporting chain, Agulhas says that a fragmented regulatory regime is a critical issue – all members of the chain need to be regulated, he says, not just auditors. This integrated regulatory approach exists in the United Kingdom, for example.
IRBA has made a proposal to the Minister of Finance along these lines.
However, the point needs to be made that regulation is only ever likely to be part of the answer. Agulhas agrees that in an ideal world one wants to achieve “right-touch regulation” but that in reality there is a swing between over-regulation and under-regulation. In the end, regulation should be less about punishing malefactors and more about driving the right kind of behaviour, but given the situation, we are in currently, perhaps we need more regulation, he suggests.
Quis custodiet?
The question of behaviour is perhaps one of the most important when it comes to looking at what is going wrong in auditing, in business generally and, of course, in government. A big component here, in Agulhas’s words, is the way in which leadership has failed organisations. Ethics professionals all agree that the actions of leaders have an enormous impact on the way the rest of the organisation behaves – the “tone at the top” or, less respectfully, “a fish rots from the head”.
As CEO of the Institute of Directors in South Africa (IoDSA), Parmi Natesan gives a lot of thought to these matters. For her, trust is lost when institutions and their leaders do not do what they promised, what their stakeholders need or expect or “the right thing”. In other words, trust is broken when actions do not match words or expectations, and it’s true that virtually all organisations officially commit themselves to serving the greater good.
It’s therefore clear that ethics lies at the heart of the breakdown of trust, and its repair. “If a partner is ethical, independent and sceptical, then the juniors will follow suit,” Agulhas observes wryly. The opposite is presumably also true. In the end, when people are ethical, they can be trusted to do the right thing. This is important because, as we all know, regulation alone cannot do the job. To the unethical, regulation is simply a compliance exercise and, as Ford notes, “If you know what the controls are, it is easy to bypass them.”
Rabbi Gideon Pogrund, founding director of the GIBS Ethics and Governance Think Tank, adds, “There’s no substitute for instilling a value system, a moral education to frame the role whose primary purpose is not to chase after high fees but to serve the public interest and to act as the guardian of corporate governance.”
The ethical person, it is often observed, does what is right even when nobody is looking.
The big question, clearly, is how to help ethics take root. Agulhas references the work of psychologist Harry Helson, which suggests that behaviour is a function of the organism and its environment. By changing the environment and the way the organism operates, one can change behaviour. It’s a more sophisticated version of “monkey see, monkey do”.
This dynamic of behaviour and environment mutually reinforcing each other for good or ill seems to apply not only to organisations but also to more complex organisms like countries. South Africa, to its shame, could be said to offer a textbook illustration of the way in which every level of society takes its cue from the top: when the top is materialistic, opportunistic and predatory, then the same types of behaviour are widely adopted. In one sense, this is a matter of survival – if the state is corrupt and inimical, then to survive within its ambit one has to follow suit.
For example, one often hears government spokespeople or apologists making the point that corruption requires two parties and that the private sector is as much to blame as the state. That’s true as far as it goes, but it’s also true that the company wanting to do business with the state will have to adapt (at the minimum) to its corrupt practices.
And so on, down to the ordinary citizen in the street.
Ethical failures are complex, Pogrund observes, and apportioning blame is not as easy as it seems. “While auditors bear the brunt of the blame, we sometimes don’t focus enough on the failure of shareholders and directors to apply their minds and ask the right questions – for example, allowing themselves to get bamboozled by charismatic or bullying CEOs,” he says.
One could thus argue that the more corrupt a society or an organisation is, the less able an ethical individual is to maintain his or her probity. When there is too great a chasm between private and public behaviours and conviction, the organisation loses the individual or the individual capitulates and adopts the corrupt practices around him or her, bowing to “the way of the world”.
Something like this seems to be going on now as the citizenry finds ways to bypass what are widely perceived to be ill-advised or frankly hostile regulations.
An even more depressing conclusion is that it seems as though there is limited scope for change to be driven from the bottom up. This, one might argue, is the ultimate justification for democracy, which gives the electorate the opportunity to remove a power structure in whom it has lost trust without the collateral damage and unpredictability of a revolution.
A primer for rebuilding trust
How can an organisation (political, business or otherwise) go about rebuilding trust with its stakeholders? The following pointers emerge:
- Understand the value chain. Bernard Agulhas’ point that all players in the financial reporting chain do not necessarily understand their role in sufficient detail is probably applicable across the board. The point is that, in order to do what needs to be done, one must first understand one’s role thoroughly, and how it fits into the whole.
- Ventilate conflicts of interest. Once the value chain is understood, it becomes easier to identify potential conflicts. In auditing, as noted above, there is a basic problem in that auditors are paid by the very organisation they are auditing, as profound a conflict as one might imagine. But this dynamic plays out across society: a director may ultimately be expected to call out the very organisation that pays his or her fees, a government minister might find his or her party or personal loyalties in conflict with his or her duty to the citizens of the country.
- Train and educate. As Gideon Pogrund argues, the world is increasingly complex, as are organisations. Auditors and everybody else in office need to be given the skills to deal with this complexity. Without them, unscrupulous leaders will find it easy to manipulate those who are supposed to act as guardians of the public interest. In particular, individuals need to be given the skills to deal with bullying, corrupt leaders. “Critical thinking and professional scepticism are essential,” he says.
A related point is the creation of a professional ethos. Auditing is not just a job, it’s also a calling, and the same could be said of most other professions. Creating a distinct professional code of ethics administered by a professional body makes it easier for individuals to understand that they have obligations to the public first, not just the organisations that pay them.
- Be transparent… and patient. An organisation that has lost trust must be frank about what steps it is taking to put things right and communicate with its stakeholders. Trust takes an age to build up, and seconds to destroy. “Rebuilding trust is not impossible, but will take time and consistent, deliberate action to prove to stakeholders that things have changed, Parmi Natesan says. “The same applies to the government, which is effectively the leaders of the country or South Africa Inc.”