The Tangenty Tangents of Audit - navigating regulatory risks and the impact of AI

Show Notes

Neil Williams of Howden is joined by guests Richard Highley and Julian Bub-Humfreys from DAC Beachcroft as well as Thomas Plewman from Brick Court Chambers to discuss audit reform and emerging trends in regulation. Here we look at changing regulatory risks and explore how AI might impact the regulatory environment and look at emerging trends.

Chapters

• 0:05: Audit Reform and Regulatory Risks
• 16:06: The Impact of AI on Auditing
• 22:05: Audit Risk Management and Regulatory Strategies

Transcript

Speaker 1: 0:05

Welcome to Howden's podcast Fortune Favors the Brave. We all take risks in our everyday life, and business is no different. In this podcast, we're speaking to the experts about a topical challenge or issue and what business leaders can do to overcome it.

Speaker 2: 0:19

Hello and welcome to the Howden Fortune Favors, the Brave podcast. I'm Neil Williams and I'm a claims director here at Howden. In the podcast today we're going to be discussing audit risks for accountants and audit reform. I'm joined by Julian Bubb-Humphreys and Richard Hiley from DACB Solicitors and Thomas Pluman, KC of Brickcourt Chambers. Just to start. I wonder if you could all introduce yourselves and, as per Howden tradition, could you tell us about a risk you've taken recently and how it paid off?

Speaker 3: 0:47

Thank you very much. My name's Julian. I work with Richard at DACB doing various things, but a lot of civil claims against auditors, regulatory matters against auditors a risk I run routinely. Whenever I see a recipe that calls for garlic, I quintuple it. I've never yet had a bad result and thus far have not been attacked by vampires. So the empirical evidence bears out that risk Brilliant.

Speaker 2: 1:10

Thanks very much for that, and you, thomas.

Speaker 4: 1:12

So, thomas Pluman, I'm a barrister at Brick Court Chambers. I'm engaged in large scale commercial litigation kind of across the piece, but I have been involved in auditors' professional negligence for the last 30 years 15 years in South Africa, now 15 years in England. So far as risks are concerned, it struck me as I was coming here that the one risk that I had very recently taken is that a hearing next week would not go ahead and the consequence would be I would have lots of time to prepare for this podcast and that didn't turn out so well because it is going away. It is going ahead, so what am I doing about it? Well, burn the midnight oil. That's what we do excellent.

Speaker 2: 1:51

Thanks very much for that. And finally, richard, so.

Speaker 5: 1:54

Richard Hiley works very closely with Julian on all things accountancy. Accountants have been one of my passions for virtually all my career acted on numerous cases have always found them to be excellent company. Notwithstanding all the jokes, we love accountants. As far as risks are concerned, I changed my story. Literally sitting around this table just before we started, I appeared on the Today programme. It was following a call the previous night where I was called up by the BBC and asked do I want to appear on the Today Programme for my clients? And that seemed like a big risk to me. So I went to my wife first of all, having put the phone down on them, and said I'll get back to them. And my wife said of course you must. Against my better thoughts, I did. I appeared before a microphone the following morning and at least the feedback was I did fine. So big risk, something I've never regretted doing Brilliant.

Speaker 2: 3:00

Thanks very much for that and welcome to you all. So this podcast is effectively going to be in two parts. First off, we're going to talk about regulatory risks, including the changing landscape, and then we're going to move on to the risks of civil liability and also talk about some key risk management strategies. So, to start off, in the King's speech this year, audit reform finally made it onto the bill. The ICAW seemed excited by that, with some caveats. The FRC also seemed excited. Quite frankly, I'm quite excited. So, richard, if you can perhaps lead us off, what are the changes that are going to happen in terms of the future for audit regulation?

Speaker 5: 3:35

Well, I'm going to share this, I think, with Julian, but I'll start off by so it's the Audit Reform Corporate Governance Bill. That's what it will be when it hits the legislative program. It was in the Kings Beach, so it does feel as though this time, under this government, it will happen. One of the big changes is an expansion of the companies which will fall within the FRC's jurisdiction to cover private companies. Now, I'm not talking about any private companies, it's very large private companies. Under the previous government, large was defined as 750 employees, 750 million turnover. These are not just any commoner garden private companies. If that happens, will that make a huge change? I'm not sure it will actually, because in our experience we've got two cases at the moment. The FRC, if it feels that a company scandal, a company falling into insolvency which demands a public investigation, they will take control of the investigation. They will open one and, notwithstanding that it's not a company which strictly falls within the definition of a pie, they will investigate the corporate demise. But, julian, do you want to talk about what else?

Speaker 3: 5:03

Well, I was going to sort of just take the other side of that argument.

Speaker 3: 5:06

There's no doubt going to be a sort of a consultation process, as there always is, and it does feel like we're getting to finally the transition to ARGA, the new audit regulator. It's felt a bit like the universal constant, certainly over the entirety of my career. That's been discussed and it's never quite happened, but it may just. And the change to the definition of of what audits come within the scope of the FRC the public interest entity is a is obviously a huge issue for the audit firms and for their insurers, because an FRC investigation and an ICAEW investigation are just very, very different beasts very much more, much more costly, much, much more time-consuming for management, much more publicity. It's night and day, and so which side of the line you fall is very, very relevant. Now, currently, if you were to scan down the list of open FRC investigations, you would be struck, I think, by the number of non-PIs, non-public interest entities, that are on that list, so entities other than, as you rightly said, those that would be the FRCs by right.

Speaker 3: 6:17

And also I think you'd be struck if you look to the decided cases, by the number of decided cases in respect of companies that are technically pies because they have securities admitted to trading on a regulated market but that aren't really entities where there's any particular public interest. You know the cash shell that just happens to have a listing on the main market, on the stock exchange. Is there any public interest in that in, you know, in a real, true sense? I think that that that's kind of created a degree of uncertainty so you can't be sure at any given time what side of the line you fall, and it it may be um, that a more, perhaps a more complicated definition, but one that gives more certainty, would um, would be helpful. So, for instance, is there a? Is there a public interest in in a cash shell with um, some securities admitted to trading not really um?

Speaker 3: 7:13

Those audits could happily be done by non-pi registered auditors. Is there a public interest in a private limited company, even if it's relatively small but it has a has a mega, uh defined benefit pension scheme kind of riding on it? Yeah, probably there is, and those sorts of issues might help give a bit of clarity when it comes to renewal. It's all very well to say well, we don't do PIS, we don't do FRC, in scope audits, but of course every audit is an in scope audit. So where do you go from there?

Speaker 2: 7:43

I just added. So I was going to say I just add into that. In terms of the insurance aspect. Insurers are very interested in this area. In rough terms, it does vary from year to year. The FRC conducts about eight or nine investigations, but that could mean that they're up to 30 or 40 in the insurance market at any one time and the costs are very significant in relation to FRC investigations and that does have a knock-on effect on the insurance market more widely. So it is worth bearing that in mind in terms of the future outlook.

Speaker 5: 8:11

Not so much for insurance but certainly for the accountancy firms. One has to remember that FRC oversight is both supervision supervisory as well as enforcement. And what an expansion of the definition of PI will do is it will bring more companies, large private companies within FRC supervisory and the FRC's focus on audits of those companies will be all about audit quality, not necessarily about scandals, not necessarily about companies in difficulty. So it will have an impact on audit supervision. To return to my opening theme whether that will actually result in a big change in terms of audit enforcement, I think the jury's out, because the FRC has already proven willing to take on investigations of non-Pi entities. Julian, you were talking to me yesterday about directors. Do you want to talk about that?

Speaker 3: 9:16

Yeah, well, I mean, this is one of the biggest potential changes to the audit regulatory landscape. So the Financial Reporting Council, one might say, it has been said, could be viewed as a bit of a misnomer from a regulatory enforcement perspective. Because who does financial reporting? Well, it's not auditors, it's companies. Companies do financial reporting and auditors audit those financial statements, but the directors who prepare financial statements fall outside the FRC's enforcement jurisdiction. So all the focus is on the auditor generally, and that has long been viewed as unfair by a lot of auditors. We don't get the impression that the FRC itself necessarily disagrees with that.

Speaker 3: 10:07

It's just taken time for this bill to come on. Those who are cynical by nature professionally sceptical even, one could say might say that the reason why corporate directors haven't yet come within the regulatory enforcement scope of the FRC or its successor regulator is that former MPs might very well take up corporate directorships but they're highly unlikely to become audit partners. However, I think it probably will be the best chance, with this upcoming bill, for directors coming in within the scope Now. I think that will lead to a fairer and more a more full picture of what goes wrong when there's an error in company accounts. When something goes wrong, you need to look at the source of that error and also why it wasn't spotted. I mean, there might have been all sorts of reasons that don't necessarily lie at the feet of the auditors why that wasn't spotted, or they might not, but at least there's a wider scope for gathering evidence.

Speaker 3: 11:22

Now a few things. That all sounds very fair and all very well and good, but what's the effects of that for audit firms, for insurers? Well, d&o insurers, in our experience, um, don't perhaps have this, uh, on their radar. Some may do, some others may not, but it's absolutely um something that that should be on dno insurers radar horizon scanning because, um, this is a new regulator that can come after um directors and the the. The threshold for doing so may be much less than, say, for the SFO, so D&O premiums may need to change. D&o insurers will need to reflect on that, discuss with their colleagues who underwrite FRC matters.

Speaker 5: 12:15

I would say the threshold is going to be definitely lower, substantially lower. We'll have all sorts of investigations involving directors which aren't currently being brought.

Speaker 3: 12:26

Yeah well, I guess it kind of has to be, because if the SFO can go after fraudulent directors, then what's the point of expanding the scope of the regulators who can look into these matters? Point of expanding the the scope of the regulators who can look into these matters? So interesting from the perspective of the audit firms. It's. It's not an unalloyed blessing. Um, obviously there's. Uh, you know, you do get the fuller picture. Not everything falls at the auditor's door, but this does create more complexity, more witnesses, more longer, more complex investigations in what is already often a very long and complex process. So probably to be welcomed, but not necessarily with both hands.

Speaker 4: 13:15

Sorry, Thomas, can I just say I do think inherently it feels fairer to have just one target when possibly, probably the real culprit is not in the room, just feels wrong, and that's what we've got at the moment if you have cases taken to tribunal against the director and the auditor or the directors and the auditor at the same time, then there is all the potential for the one to be throwing mud at the other, which may in fact make the regulator's job easier, but will be a complicated dynamic that will have to be handled in those proceedings.

Speaker 2: 13:56

Yeah, I mean, I think the DNO point is an exceptionally important point and DNO insurers need to start thinking about that now. But it's also worth bearing in mind the cost and the human cost of dealing with these things. As you say, the process could become elongated, couldn't it, and there's already a considerable toll on the individuals involved and the firms involved as well. It's always worth bearing that in mind. If we just move on a little bit now and, um, thomas, perhaps we could bring you in and talk a bit about the developments we're seeing now in the regulatory space um, yes, I'm less involved on the regulatory side than than um some, but um, two things I mean.

Speaker 4: 14:30

The one is the point that richard has already covered, which is that this change is only half a big change because the FRC have been going after non-public interest entity investigations in any event.

Speaker 4: 14:46

And the real question is will the proportionality of Arga's approach be different to that of the FRC? And that is, I think, an imponderable. The FRC, and that is, I think, an imponderable. The political pressures remain the same, which is to hold auditors and perhaps directors to account in the wake of corporate collapse, to have some kind of scapegoat in those circumstances. So I would imagine it will continue, but there is at least the potential for some adjustment. Looking at what those who monitor these things say, the last year there have been fewer cases started than in preceding years, and some have asked whether that means a trend on at least the FRC's part towards what one might call a more proportionate response or a less intrusive approach to things. My own sense of that is quite the contrary. It is that the FRC is in its current guise, is as intent on sending lessons to the industry and finding new ways to set standards in different parts of the industry, as ever it was, so I think that will continue.

Speaker 2: 16:04

Excellent. Thanks very much for that. And just moving on from there, a little bit horizon scanning. What does AI do to the regulatory risk environment? Julian, do you want to start off on that?

Speaker 3: 16:14

I think every discussion of almost any topic has to involve AI these days, but on this particular topic it is actually um highly relevant and important. So a couple of things. Um, today, not all auditors use ai. Um, tomorrow, half of the profession may use it very effectively. Um, could that lead to sort of uh two auditing, a two-speed profession? Those who can afford to invest in these technologies may move apart from the others.

Speaker 3: 16:49

And the issue that audit firms face is relatively kind of thinly capitalized businesses outside of the top, you know, the top six or seven firms is where is all of that capital for that investment going to come? And that scene, that sort of that, that tension, that ambiguity seems to run through the recent letter on the on the frc's website that was sent to various firms about um taking private equity money. Um, I think that's probably a trend, that that just has to happen. It's here to stay. If audit firms are going to invest to use these new technologies effectively, then that money is going to have to come from somewhere and that brings with it all of the tensions, the challenges of moving away from the traditional partnership model. But that may just be the way it has to be, and I think it does have to be that way, and the reason for that is not because using AI makes auditing easier it may do, it may make it more comprehensive but because auditors aren't the only ones who get to use AI.

Speaker 3: 17:56

Fraudsters get to use it as well, and if you're in an arms race, then you can't be left behind. Um, if I were a fraudster which I'm not for the avoidance of any doubt I would absolutely be using ai to create fraudulent chains of emails, um, fake invoices, if I really wanted to fraud someone. That's how I go about it. Um, and all this needs to be alive to that I think it's worth, isn't it?

Speaker 5: 18:21

uh, talking about the definition of what is ai. When we talk about auditors using ai, what are we actually talking about? Well, a simple answer that would be we don't know yet because, um, we're at, uh, the start of a journey, um, but what we have already got, and what many auditors not just those restricted to the big six is use of data analytics and ability, through software, to analyze financial data in an audited company. To my mind, it's a given that we will see more and more use of data analytics. What we don't know, because it's the start of a journey, is to what extent that will be powered up by those with much greater capital to invest to, as Julian you put it, to have a two-tier auditing profession where some can use these amazing tools to discover things which otherwise wouldn't be revealable from an ordinary, ordinary audit. Um, and yeah, and your point about the malign actor, about, uh, the malign actor using ai to create evidence, I think that's really scary.

Speaker 3: 19:44

Yeah, and the other thing that causes a little bit of trepidation is whether the two-speed audit profession could result in a change to what is regarded as the standard of a reasonable auditor in a civil claim. So if the majority of the profession is using all of these tools, is it enough to simply use the old sampling methodology? Well, I mean, if you went to court nowadays and said I'm an auditor, what is this, what is this? Excel nonsense? Um, I, I do everything in hard copy would that really cut the musters Difficult. Whereas if you and it may come to pass that if you're not using data analytics in the way that the rest of the profession is, then you you could face some serious exposure and civil claims. So it's one of these sort of like it or not, it has to be reckoned with issues.

Speaker 4: 20:38

Strikes me. It strikes me that another point that arises from that is that, both on the regulatory side and on the liability side, is that, like all new technology, it comes in, there's a rush to what the new technology can do, but it may do some things well and some things badly, and Will it therefore be, as it were, an answer from the auditor's side to say I did everything possible, I plugged in the AI engine and it spat out the answer from a data analytic perspective? Well, it may not be. It may not be, and there will be big questions about the adequacy of these systems and what results they're producing. So I guess one's got to be alive to both sides producing um so I guess one's got to be alive to both sides.

Speaker 2: 21:21

Absolutely, they're undoubtedly big risks there. I mean just going for the slight tangent. I mean, do we think it could lead to a skills shortage as well if, if ai takes over certain roles, so we don't have people coming through with the right skill set to conduct audits in the future?

Speaker 3: 21:33

absolutely the having to do things manually, by hand. It does create an awareness of what that task is. And if it's simply outsourced, do you develop into a position where you can meaningfully direct the tools that you're using? Are you asking the software the right questions? I mean, just on an even more tangenty tangent, an even more tangenty tangent. The audit claims and investigations tend to frequently arise out of corporate collapses.

Speaker 3: 22:09

Well, corporate collapses tend to come out of bubbles, and so the question as to whether we're in an AI bubble right now is an interesting one. Is AI the technology of the future? Well, quite possibly, but that doesn't mean it's not a bubble. I hear those railroad things that we use these days is an interesting one. Um. Is ai the technology of the future? Well, quite possibly, um, but but that doesn't mean it's not a, not a bubble. I, I hear those, those railroad things that we use these days, um, very useful, but um, there was a bubble, um, the bubble burst, many companies went, went bust, and then the the the real winners emerged out of the wreckage of that. Um. I, I don't know about you, but I use the internet quite frequently for my work Very useful technology, but you know, the dot-com bubble was a bubble and it burst and led to a lot of corporate collapses. And so you know, for those auditors who are auditing companies in this space, it's worth being sort of extra attentive.

Speaker 2: 22:55

That's brilliant. That's really insightful. Thanks, julian. Just to draw this part of the discussion to a close, richard, do you want to talk a little bit about risk management strategies?

Speaker 5: 23:07

that might be employed in the regulatory space. How long have we got Neil? It's the usual suspects. For anyone who's been involved in this field. It's the same things which keep getting hammered by the risk managers year on year. Which keep getting hammered by the risk managers year on year.

Speaker 5: 23:24

Number one is documentation. Document your work. Keep documents on file. If you look at a document, put it on the audit file. If you read a document, make a record of your review.

Speaker 5: 23:37

If you have meaningful conversations with management, well, how does one demonstrate professional scepticism, challenging management? And the answer is inevitably because we're human beings and we talk to each other. A lot of the challenge must come through conversations. It won't come through documented communication such as email. So you need to make a record of those conversations every time, and when you don't, you face the risk of the regulator or a civil court saying well, the conversation didn't take place. If it's not documented, it didn't take place. So that's at the top of the queue, the top of the list.

Speaker 5: 24:22

You've also got definitely training which results in meaningful engagement by the audit teams. So all of our clients are very serious about their training. How much of the training is taken on board and followed? It's still a frustrating process. We've seen it with our clients. People have to listen. The audit teams, the audit managers, the audit juniors, as well as the RIs. They have to listen and follow the training, because it's the easiest win for a regulator to say, first of all, against the firm that the training wasn't adequate because processes weren't being followed, and as against the individual, in particular the RI, who has ultimate responsibility for the competence of the audit. He has to demonstrate that he has followed firm processes and if something is not right about the audit and the firm's process has not been followed, then, to use a colloquialism, you're going down. If this is an FRC investigation and there's more than one problem, there will be an investigation. There will be allegations of breaches of relevant requirements and you don't want to give them easy wins.

Speaker 3: 25:41

There's one, there's one other, sort of just quick win, which is always to keep it, keep tabs on what the frc is doing, thematic reviews on, because it's it's always going to be a hot, that's going to be a hot potato. Um. So, looking into what the frc says about, about that, whether it be, eg, divine benefit, pension schemes or or whatever, whatever the, the, the, the hot button issue of the day, is Never a bad idea to read those and give some training and guidance on those in the light of them.

Speaker 2: 26:09

Would you say that challenger firms coming in are going to find these things even more acute in terms of following the right processes and making sure that their teams are conducting themselves in the way they should do?

Speaker 5: 26:19

They are finding it excuse the pun, they are finding it challenging. Right now. There are some which seem to be managing it more easily than others, but it's recognised when you speak to representatives of the FRC. It's recognised that there's a gap in approach. See, it's recognised that there's a gap in approach. The challenger firms need to use the word step up. They need to change how they do things because otherwise, if they take on the audit of Pies and they are investigated the way that they have conducted an audit under the telescope, it will be criticised.

Speaker 2: 27:03

And presumably there is a real risk that firms with a slightly more relaxed attitude to risk will start stepping in, which is dangerous for the whole community, isn't it?

Speaker 5: 27:13

And occasionally we have seen that From my personal experience and I'm not just saying this because I like my audit clients but they are incredibly serious about their work, they are extremely professional and they are not the kind of firms which take over large audits or audits of pies. So, yeah, it has happened and it will happen again. But you're right, and de-risking is one of the areas of focus for the FRC. The FRC has said publicly it does not want to see larger firms de-risking, refusing to go on with audits which are of higher risk, because of just the risk which you've identified, Neil. Whether or how that can be managed well, again, the jury is out on that. It's a real problem when the consequences of taking on a high-risk audit are so severe.

Speaker 3: 28:20

I mean, I think it's in the Companies Act, but the Secretary of State can play a broker role for trying to allocate high-risk audits to ensure that companies can obtain an audit. There's a sort of query whether that goal is the be-all and end all, whether whether it has to be the case that every company must have an audit. If a company is unable to go into the marketplace and find an auditor who will audit it at, given the risk that it presents and given that the price it is prepared to pay, that company cannot obtain an audit, that is is a market signal. An audit opinion is a signal to the market and the lack of an audit opinion is itself a signal to the market, a serious signal to the market. And perhaps we should accept that some companies will go without an audit and investors, lenders, employees, pension scheme beneficiaries should pay attention to that. Pension scheme beneficiaries should pay attention to that. But that's probably, yeah, it's probably getting a bit conceptual.

Speaker 2: 29:27

That's a difficult place to be as well, but certainly you know. Just going back again to the insurance aspect, you know a lot of the challenger firms are concerned about the insurance implications of entering this space and we'll be thinking about it very carefully, and also the risks to their business more widely as well. So it's worth bearing in mind all of those considerations. Thank you for listening to part one of the podcast. In part two we'll be talking about civil liability and risk management techniques. Thanks very much for listening.

Speaker 1: 29:52

Thank you for listening to this episode of Fortune Favors the Brave from Howden. To hear more episodes and subscribe to our channel search Fortune F favors the brave on your favorite podcast app.