What ever happened to Audit? 5 years ago now it seems, I penned a 7 part essay that tried to lay out why audit did not spot or contribute anything to the financial crises if 2007-2008. The silence has not gone unnoticed, and now the Economist picks up with The dozy watchdogs
PwC's failure to detect the problem is hardly an isolated case. If accounting scandals no longer dominate headlines as they did when Enron and WorldCom imploded in 2001-02, that is not because they have vanished but because they have become routine. On December 4th a Spanish court reported that Bankia had mis-stated its finances when it went public in 2011, ten months before it was nationalised. In 2012 Hewlett-Packard wrote off 80% of its $10.3 billion purchase of Autonomy, a software company, after accusing the firm of counting forecast subscriptions as current sales (Autonomy pleads innocence). The previous year Olympus, a Japanese optical-device maker, revealed it had hidden billions of dollars in losses. In each case, Big Four auditors had given their blessing.
Yes, we've all noticed a steady series of blindspots-turned-disaster. But it goes further than the accidental, and I asked "Let's check the record: did any audit since Sarbanes-Oxley pick up any of the problems seen in the last 18 months to do with the financial crisis?" The Economist carries on:
And although accountants have largely avoided blame for the financial crisis of 2008, at the very least they failed to raise the alarm. America's Federal Deposit Insurance Corporation is suing PwC for $1 billion for not detecting fraud at Colonial Bank, which failed in 2009. (PwC denies wrongdoing and says the bank deceived the firm.) This June two KPMG auditors received suspensions for failing to scrutinise loan-loss reserves at TierOne, another failed bank. Just eight months before Lehman Brothers' demise, EY's audit kept mum about the repurchase transactions that disguised the bank's leverage.
What went wrong? The Economist puts it this way:
Of course, no police force can hope to prevent every crime. But such frequent scandals call into question whether this is the best the Big Four can do -- and if so, whether their efforts are worth the $50 billion a year they collect in audit fees. In popular imagination, auditors are there to sniff out fraud. But because the profession was historically allowed to self-regulate despite enjoying a government-guaranteed franchise, it has set the bar so low -- formally, auditors merely opine on whether financial statements meet accounting standards -- that it is all but impossible for them to fail at their jobs, as they define them.
Now, I put it differently, but not so differently that we would part friends:
My claim in today's post then is that the user cannot tell whether an audit is any use or not. Which audit is good for you, and which not, even if good for others? Which audit is good, and which is plain bad? The crux of the matter is that you yourself cannot tell what any of those pronouncements mean, unless you are an insider. You don't know whether you can rely, when to rely or how to rely.
Which was a truth, or an absence of reliable truth, that I'd discovered in a 3 year auditing experience at CAcert. Which leads to the Economist's view as to the future of audit:
In recent years this yawning "expectations gap" has led to a pattern in which investors disregard auditors and make little effort to learn about their work, value securities as if audited financial statements were the gospel truth, and then erupt in righteous fury when the inevitable downward revisions cost them their shirts.The stakes are high. If investors stop trusting financial statements, they will charge a higher cost of capital to honest and deceitful companies alike, reducing funds available for investment and slowing growth. Only substantial reform of the auditors' perverse business model can end this cycle of disappointment.
Of course, the Economist is speaking to all those auditors who purchase subscriptions of the magazine, and thus it is best to suggest "substantial reform," details in issues to come. I'm not so sure; I actually think the Audit boat has sailed, and what is left I tried out for size in part 7:
People who have followed financial cryptography for the last 2 decades will know of which I speak. E.g., Ricardo was mostly self-auditing with a thing called the 5 parties model, and a lot of crypto-glue to knit the statements together, something which maybe now is making its way into Bitcoin and especially sidechains which attempt to knit two blockchains together. At CAcert we pioneered a way of delivering member-made reliable statements called CARS, and I built a system to couple this up to the criteria body. As long as we have a member-body to do the work, the audit itself is almost routine, and it's certainly auditable in and of itself.
We -- you! -- can do it without the auditors.
Which all leads to a dictum waiting to emerge, but already hinted at by the arisal of Bitcoin: we will build the next financial system as a self-auditing system. AKA "trustless" or "open governance."
Not because we're against the state, or we don't like taxes or we're looking to re-finance the silk road, or hoping to sell off our kid sister.
But because we have to. Because the audit profession left us no choice.
Posted by iang at December 30, 2014 03:11 PMAuditors have ALWAYS been crooks - and not only in finance.
The best proof is that they are mandatory under the law.
When people ask money to "audit" source code, they actually resell your code to third-parties (including your competitors) and, at best, charge a premium for merely run a batch of automated tests on it.
Most often, they don't go this far as checking the code and just ASK YOU -the party being audited- to "DECLARE IN GOOD FAITH" that the "regulatory constraints" have been met (using NIST-approved algorithms).
Then, after months of pointless requests, groundless delays and royal fees, you MAY finally get their "approval" and be "certified", that is "trusted".
The result of this gold-plated auditing industry?
- financial crisis (groundless triple-A ratings)
- ubiquitous vulnerabilities in the critical infrastructure
In one word, that's cronyism.
Posted by: Plato at March 2, 2015 12:15 PMDear Plato,
Nice story - have you got any evidence or references to reselling of source code? This is such a titillating breach of faith that we would love to tell more.
I can fully understand the schlock "automated audit" stuff that the various certifications people get into... To a large extent it is a competitive industry and the product is meaningless to people, so the pressure is on to reduce costs, to preserve margins, and spend on marketing. We call this 'the race to the bottom'.
Unfortunately the people who demand the audit are not really aware of the pain, and don't pay the cost. So don't expect any change soon.
Posted by: Iang at March 3, 2015 09:48 AM