
Focus on risk, not rotation

Rather than enforce mandatory rotation, European regulators should be improving auditors’ risk management, writes Tom Roland

AN APPLE TREE takes six years from planting to produce ideal fruit for cider-making. Sometimes nature offers us solutions for our business dilemma. And there has been plenty of discussion and intensive lobbying about Michel Barnier’s hard-hitting proposals for audit rotation every six years and the creation of audit-only firms.

Yet precious little has been said about how the finance director has to deal with all of the extra change and disruption. And, make no mistake, changing auditors involves adapting to new faces, systems and relationships, with the FD at the sharp end of this cascade of rules and regulation.

My experience working alongside FDs of some of the biggest companies in the US and the UK is that Europe’s regulators who are seeking to make dramatic changes have neglected to examine the unique nature of the FD and his executive finance team working with the Big Four auditors.

The key has always been about building a strong working relationship based on trust and honesty, and there is a danger that an enforced audit rotation will weaken, rather than strengthen, this position. A continual rotation every six years or so puts extra stresses on the finance director. After all, it is the FD who will be ultimately responsible for the beauty parade, signing the audit agreement, ensuring the bedding-in process, then negotiating the exit, and monitoring the handover. This is valuable company time, when often the relationship is working extremely well and indeed bearing fruit. Why would you cut down an apple tree just when it starts to make good cider?

Of course, there have been questions over audit firms being too comfortable with large clients: complacency and complicity replacing compliance and comprehension. But that has often been overplayed in well-run businesses where there is a positive benefit in the relationship between the FD and the external auditor. Where conversations are forthright, directions are firm, and external expertise is properly given and received, companies can actually get good value for the fees being shelled out.

Risk is an unfolding panorama in any business, and identifying and then managing this is a journey through this landscape. It takes time to mature a proper strategy towards risk, and the external auditors are central in this role. In my view, what the European regulators should be doing is encouraging the Big Four to embrace higher levels of enterprise risk management (ERM).

Managements might be good at identifying risk, but they often do not have the discipline or mindset on how best to respond; a long-term relationship with the auditors can really add value.

The FD’s job is already hard enough. Risk management has been left to a board-level committee or a separate risk department with little joined-up understanding of the whole picture. Basically, this is silo-thinking, which excludes many qualified people across the business who might have been able to identify problems.

ERM provides clear benchmarks working through five levels (initial, fragmented, comprehensive, integrated and strategic), which allow the board to properly calibrate its response. This means making risk part of the psyche in any organisation, from the shop floor to the boardroom.

It is now clear that enterprise-wide risk requires a comprehensive and systemic framework using consistent methods and terminology. This is an ‘early-warning system’ for risk, using the skills and knowledge of audit teams – both external and internal – acting as a lightning rod, identifying risks upwards to the board. Yet, the alarming factor is that many of the UK’s leading companies still haven’t woken up to ERM, so only the enlightened few are building an effective ERM process. Surely, this is of greater concern than the window dressing of compulsory audit rotation?

In each organisation, ERM assigns a set of internal ‘risk owners’ whose duty and performance depend on flagging up danger zones and monitoring the stress on the bulkheads. This requires a set of metrics and tools, and a higher level of corporate education and engagement right across the organisation. Then the board requires coaching on how to handle the surge of extra information flowing back up to the top. A ‘Cry Wolf’ mentality has to be avoided, so that everyone takes potential and actual risk more seriously.

The Big Four external auditors can surely play a more prominent part in this process. ERM is working now and if large corporates are not embracing it, then they should be reporting on why they do not think it is necessary. A wise FD knows he or she doesn’t have all the answers, but needs to have the vision to see clearly the full picture on the risks to his company. For sustainable business relationships to bear fruit, they need proper time to grow and be cultivated, surely not cut off in their prime.

Tom Roland is managing director of MorganFranklin in London, a financial advisory house, headquartered in Washington
