False hopes and the death of the external audit

July 2019

By Sean Coady, Risk Consulting Practice Leader at Insync 

Organisational behaviour is now the most significant risk to reputation, but who is going to tell you? And who should care the most?

The cluster of four layered elements that drive reputation risk has a mixed history of oversight, insight and foresight. None of it is good enough for today's expectations.

Behaviour risk

Over-reliance on external audits and their fast-track and privileged access to the Audit Committee have always cast a shadow on efforts to manage other risk drivers. Think back to how much time and money was spent on making sure the numbers were right compared to how much time and money was spent on ensuring the behaviours, products, practices, and business structures that made that money were 'right'. I'd argue that the balance is wrong and, worse than that, the singular priority given to financial reporting risk has stolen oxygen from arguably more important matters over the last 10 years. Organisations simply have not invested enough in the other layers, particularly behavioural risk.

Financial reporting risk, however, has fallen back into the pack. It's now time to invest more in other drivers of reputational risk - and plenty has been written about that recently in Australia on the back of the Financial Services Royal Commission.

This is not a specific criticism about board competence and risk ownership, but it does require boards to demand better methodologies, tools and systems to shore up this reputational risk chasm that has cost even 'good' companies much more than they could have imagined. Boards need to be more proactive and dig deeper into the four layers represented in this illustration so they can assess the drivers that matter most, not just those management wants to tell them about or the narrow scope of the external audit report on Financial Reporting Risk (FRR).

To be more proactive and effective, boards need better data. Understanding, measuring, monitoring and responding to behavioural drivers and organisational decision making has to be a priority. While every organisation is different, in our experience the 80/20 rule is spot on and the key areas listed above are a workable starting point for most. The actions required are already underway in many businesses even while the methodologies themselves are evolving.

The APRA report into CBA's failures (APRA CBA Final Report), the UK Parliament - Carillion Report (recommended read), and the gift that keeps on giving with Wells Fargo, Wells Fargo - Independent Board Investigation Report into Sales Practices, are three public and impactful examples of the need to deal with all aspects of reputation risk. Wells Fargo has reportedly been assessed as suffering a $100bn reputation cost impact (Top 4 issues driving reputation risk solutions).

The Carillion report is a stronger read than the APRA report and provides more specific suggestions too. The opening lines might inspire you to read more of it: "Carillion's rise and spectacular fall was a story of recklessness, hubris and greed. Its business model was a relentless dash for cash, driven by acquisitions, rising debt, expansion into new markets and exploitation of suppliers. It presented accounts that misrepresented the reality of the business, and increased its dividend every year, come what may. Long term obligations, such as adequately funding its pension schemes, were treated with contempt. Even as the company very publicly began to unravel, the board was concerned with increasing and protecting generous executive bonuses. Carillion was unsustainable. The mystery is not that it collapsed, but that it lasted so long." Ouch.

Don't you be left sitting with false hope while external audit becomes no more than a bit-player in managing reputational risk. There is no more hiding behind the auditors or seeing financial risk as more important than non-financial risk.