Swiping right on risk reviews

Tom Ravlic
The fuse has been lit and audit regulation is being looked at again by a parliamentary committee, an inquiry that has in some ways been sparked by revelations about work done by consultants and auditors for the major banks.

Some of this has arisen as a result of concerns about the quality of audit as it has been described to the Parliamentary Joint Committee into the regulation of auditing in Australia.

A further reason for the focus on the way in which audit firms do their work has emerged as a result of the recent coverage of a bundle of leaked NAB documents over the weekend, reported by Adele Ferguson in The Age and The Sydney Morning Herald.

The documents provide some insight into the sausage machine of a consulting engagement and show that there was an acknowledgement by board chairman Ken Henry that the NAB was still likely to have some products that were going to lead to remediation. These interviews or discussions were part of a risk management systems review that was being done by risk professionals from Ernst & Young for the bank as required by APRA.

Ernst & Young, or EY as it is currently known, has been the bank's external auditor for more than a decade.

It has been argued by commentators that this represents a conflict of interest. They contend there is no independence in the relationship, a view which is dependent on the definition of independence that is applied.

One reading of the prudential standard, CPS 220, that has contributed to this delightful tussle on independence matters is that the term 'independent' means somebody independent of the banking operation. A person such as an internal auditor who is working on risk management as part of their job is the kind of internal person that the standard may be contemplating.

The APRA prudential standard also permits external consultants to do the review of the risk management systems. This lives in Paragraph 45 of the prudential standard.

There is, however, a paragraph that has not been discussed much at all in this debate.

Paragraph 44 of the prudential standard states that the effectiveness of the risk management framework needs to be subjected to review at least annually by internal and/or external audit. In other words, APRA asks that the risk management framework be evaluated annually by the internal auditors and possibly the external auditors.

It does raise the question as to whether something APRA requires as a part of the annual audit should in fact be done by other parties when the words of the prudential standard state that the external audit firm must be involved in an annual review.

Taken together, the two paragraphs would seem to suggest that the risk management systems review would be a natural thing for the external audit firm to do: it is engaged to look at the damn risk management framework anyway, because the prudential standard requires it to look at the framework on an annual basis.

The flare-up at the moment relates to whether EY as the external audit firm was sufficiently independent to do the work, but the analysis does not seem to extend to what Paragraph 44 says about the external auditors looking at the risk management framework on an annual basis. There is a multitude of views, including strongly expressed views that nobody paid by the entity could be considered independent, so they could not do that review properly.

Let us accept for the purpose of the argument that the view expressed here is the one that policymakers fix their beady eyes on because it has been mentioned in the press in the context of this NAB-EY scenario.

What then do the critics of the existing situation propose ought to happen?

Some point to the United Kingdom's dalliance with the concept of hiving off audit divisions from accounting firms but there are significant problems in doing this and advocates of this solution need to appreciate the vast challenges involved in getting such a regime up.

One of the key problems will be how a firm splits its existing practice and which partners are sent off to the audit rump to establish the audit business. Can experts that remain in the part of the firm from which the audit types have been jettisoned be used as experts in audit engagements that the new audit firm undertakes?

This question is important because firms are able to source their own internal experts in the present environment. Clarity around this kind of detail will be important as people play with these concepts across the board. There are many details to consider in toying with this concept.

One solution that will annoy audit and non-audit practitioners every time it is raised is for Parliament to legislate a prohibition on auditors providing any other service to an audit client. This would create a stir because it may cause some firms to review whether they want to stay in the audit space or offer other compliance or consulting services.

Another solution to this little conundrum as illustrated by the NAB-EY scenario is to take away completely the notion of people within or outside the bank doing the risk management systems review. APRA could consider taking the reviews of risk management systems in-house and seek greater resources to be able to send in the SWAT teams to rip through the risk management systems without any of this independence twaddle being particularly relevant.

This approach would be dependent on APRA having sufficient funds to pull together a team to do the reviews and also ensure that they are appropriately qualified. It would also require APRA to regulate rather than cruise.

The recent capability review by the Graeme Samuel-led committee was an indictment of the banking regulator. A move by APRA to take this issue off the table by amending the relevant prudential standard and doing risk management reviews itself may be one way of redeeming the regulator.