by Dina Medland in London
Audit and Regulation
The reprieve of KPMG, cleared of misconduct by the audit watchdog, the Financial Reporting Council (FRC), in relation to its work for the UK lender HBOS, will not go unmarked. It is likely to take its toll in the ongoing battle for public trust in the financial services sector and in those responsible for its regulation.
These are distracting times, and the UK is keen to be seen as giving a high priority to best practice in corporate governance. But after an investigation that lasted 15 months into events that took place almost a decade ago, it seems we are being told that today’s increasingly popular concept of thinking in terms of 'red lines' had not yet been defined at the time.
Two years ago, media headlines screamed out on a failure of regulation and a lack of accountability at the top. In closing the investigation, the FRC said that KPMG’s work "did not fall significantly short of the standards reasonably to be expected of the audit, the test that a tribunal would apply." KPMG said: "The collapse of HBOS and other examples of corporate failure and fraud in the last decade have highlighted a gap between what society expects of an audit and what an audit has been designed to do."
Designed by whom? The language leaves an uncomfortable sense of a financial services sector floating along with unsecured moorings.
Note the Lombard column in the Financial Times. It says: "KPMG claimed that, since 2008, it had explored ways to close this expectation gap — for example, by offering 'extended audit opinions which give a view on corporate risks.' But it took until 2014 for the FRC to carry out its own thematic review of bank audits, and conclude their quality was insufficient in the crucial area of loan loss provisions."
Lombard concludes: "In other words, challenging a bank’s management on loan risk was listed as an additional duty in 2014, rather than a basic requirement of any auditor at any time. No wonder the FRC found no case against KPMG. And no wonder society expects so much more."
Cybersecurity and audit
A pressing boardroom issue that has strangely not hit the media headlines as yet is that of cybersecurity and the role of the audit committee. It has taken the National Audit Office (NAO) – which has been scathing on the lack of IT and cybersecurity skills in the UK – to highlight the role of the audit committee when it comes to responsibility.
In the United States, Equifax, the credit reporting giant that suffered a massive data breach involving the personal data of more than 143 million people, could have avoided it, say the headlines. Questions are now being asked of senior executives and the board.
Here in the UK the NAO at least is very clear: audit committees should be scrutinising cyber security arrangements. To aid them, it has just published guidance that it says "complements government advice by setting out high-level questions and issues for audit committees to consider."