OLD ARTICLE – Originally posted on June 11, 2019
Following all the local corporate failures, the media and many (ill-informed) investors have savagely turned around and blamed the external auditors. While it is easy–and very human–to blame someone else like an external auditor for fraud, two things have become quite apparent:
1. Many people do not actually understand what an “external financial audit” is and what an “auditor” does, and
2. Many people do not understand what an “external financial audit” is not and what an “auditor” does not do.
A lot of journalists fall into the above camp, as do investors who cannot seem to take (at least some) responsibility for their own losses. Perpetuating these misinformed views will needlessly damage the auditing profession and, ultimately, this will damage South Africa and its own financial markets.
Having sufficiently dissed enough people above, let me quickly unpack (1) and then (2) before concluding:
An external auditor is hired by the Board but voted in and out by shareholders. Ultimately, these external financial auditors (and their firms) report to shareholders and the Board does not have the power to remove them. This prevents Boards that have adverse opinions being published against them from removing auditors until they find one that will “side” with them (i.e. sign off their fraud).
In this manner–including a range of rules, laws and safeguards–external auditors should be completely independent of their “clients”, being the company that they are in fact auditing. They report to shareholders. Any impairment (or even the appearance) of this independence is severely dealt with and puts them and their firm(s) at personal risk.
This complex relationship is important to understand, and it is the subject of a large portion of the auditing standards and various ethical standards that all auditors (being CA(SA)s and their trainees) adhere to religiously. Not to adhere–or have proof of adhering–would put them at personal legal risk. Note that: personal risk.
Now, amidst this balancing act, external auditors have a singular objective: to ensure that the financial statements of the company that they are auditing comply with the International Financial Reporting Standards (IFRS) and any other relevant rules or legislation (for example, the JSE’s various rules and/or the Public Finance Management Act) in all material respects.
While the adherence to rules is fairly self-explanatory, the aspect of “materiality” is less so.
An auditor considers something “material” if its inclusion (or omission) would change the decisions of the ultimate users of the financial statements.
Most users in the market seem to view financial statements as fact. They are not fact. Rather, a set of financial statements of any company will include a degree of interpretation, guess-work and estimation, and may have errors. Unfortunately, business is complicated and large businesses are more so, hence the nature of the accounting beast that is trying to be as accurate as possible, but, when in doubt, at least materially accurate.
How does an auditor ensure the above?
They utilize a large series of tests to check for the validity, accuracy and completeness of a company’s accounting records that feed through to the final financial statements that they then sign off.
Using samples, statistics and a risk-based process–i.e. testing the riskier and larger things more thoroughly than the less-risky and smaller things–they compile evidence that will eventually support their opinion that a company’s financial statements reasonably represent (in all material ways) an accurate reflection of that business.
Sampling and the focus on risk–i.e. materiality–mean that most things are probably (read: hopefully) caught, the client will be told to adjust for it and the quality of the final financials should be much improved. If the client refuses to adjust for material mistakes–even if they are unintentional–then the auditor can issue a qualified audit opinion and highlight these aspects. This does not mean that the company does not produce financial statements, but rather that the end-user of those financial statements needs to be very, very careful in relying on them…
Do yourself a favour: google and find SAA’s latest financial statements. Ignore all the rubbish PR in it and jump straight to the external auditor’s report and read that.
How horrifying is that report? It is the polar opposite of all the wonderful, fist-pumping PR that fills the rest of SAA’s financial statements.
That report is what a qualified audit report looks like. And, almost every single SOE, municipality and Government agency has one of these.
Almost no listed company does. (The JSE has highlighted the two or three that currently have audits pending and/or where auditors have identified problems, and they are noteworthy due to their rarity on the JSE and not their prevalence, i.e. Tongaat Hulett & Choppies right now.)
Just pointing out this juxtaposing fact. Our local corporates are still generally well-run. Our public sector is still mostly a pile of rubbish. Don’t let the politicians or journalists try to tell you otherwise.
Moving on to (2)!
Do you notice that, in the above granular unpacking of an external auditor’s role, a number of things have not been said?
An auditor’s job is to ensure the material correctness, accuracy and validity of financials, and not to decide whether the business is a good or bad one.
While financials are normally compiled on the assumption that a business is a going concern, in reality, this is quite easy for a smart management team to prove irrespective of the underlying realities and risks that they are taking. Also, the future and fortunes can change quickly, especially with large amounts of debt!
Auditors have little chance of picking up large and fast collapses before they happen (albeit, slow train-smashes may be detected and noted in their audit reports). They do try, but not even auditors know what the future is.
Thus, an auditor signing off a set of financials does not really mean that the investors’ money is safe there either. No, that judgment the investor alone will need to make for themselves!
Likewise, auditors are not verifying the quality of the underlying business. They may make very reserved recommendations to management, but they are not running the business. In fact, they are not allowed to be involved in decision-making or operations as that would be a serious conflict of interest.
When businesses are badly run, well, that is all on management.
Probably the most misunderstood aspect of external auditors is that they are not there to detect fraud. They do not test everything. They use sampling and materiality to guide them and can miss plenty, particularly if management is making a serious and coordinated attempt to hide something. And (major) fraud is rarely committed in isolation and almost always with top-level coordination. And those that commit fraud will always try to conceal it because that is the nature of it.
No, external auditing is not forensic auditing. The latter does not work on a sample basis but, rather, checks each and every single transaction. This is probably why PwC’s report on Steinhoff is taking so long… The difference between taking a sample of transactions and checking each and every one for a global, multi-national retailer is gigantic…
Hence, forensic auditors work slowly and charge a lot. If listed companies only reported forensically audited financial statements, then we would probably be waiting years for a set of financials from any of them and the audit fees alone would wipe out most profits!
Time also makes a set of financials relevant. Too late and no one cares because the world, markets and the underlying business itself have moved on.
Now, if an external auditor stumbles onto fraud then, yes, they do act on it! But, no, they do not focus exclusively on finding it.
I. Cannot. Emphasize. This. Enough.
Investors need to do their own work to decide whether they trust a management team or not. Decide whether there are warning signs in a business or not. And then own their own decisions and their mistakes.
External auditors can protect investors against this, but they are a wide net to cast with many practical holes in it. Thus, auditors should not be exclusively relied on as the first-last-and-final defense against fraud.
In summary, external financial auditors use sampling and materiality to arrive at an evidence-based conclusion that a company’s set of financial statements is or is not valid, accurate and complete (per the various rules, like IFRS, that they need to comply with).
The auditors ultimately report this to the shareholders. If major risks in terms of going concern and/or fraud are found, then this may be communicated too, but these are–broadly speaking–not the external auditor’s exclusive focus.
No, at some point, investors have to take responsibility for their own decisions to invest.
There are bad Boards out there and rubbish management teams. Avoid these, invest in the good ones, read the audit reports and, with a bit of luck, you will avoid the next Steinhoff, Tongaat Hulett and/or Choppies.