You are here: Home » General » Are the Big 4 risking too much?

Are the Big 4 risking too much?

by Dennis Howlett on June 26, 2008

These days I leave the flaying of the Big Four to Francine McKenna but today I can’t help but comment on her analysis of the KPMG case involving Independent Insurance Group that saw the firm and partner Andrew Sayers fined £500,000 with £1.15 million in costs. Rather than dwell on her excellent analysis I’d prefer to concentrate on the consequences and other issues:

We’ve seen the sanctions handed down by the SEC lately and they are also fairly minimal in comparison with the economic loss visited on the shareholders, employees and other stakeholders by these failures.  Does a finding by a Tribunal in the UK mean this firm and the auditor can be sued?  Or is that what the liability caps are intended for?

As far as I know, there is nothing in current law to stop aggrieved shareholders from suing. Given the scale of the case (Francine is quoting Director of Finance online):

The effect of this was that for a premium of £77 million, Independent would be able to turn a LOSS of £105 million into a PROFIT of £22 million.

The Tribunal pointed out that this was too good to be true. The company underwriting the stop loss insurance appeared certain to lose money. It gave rise to an obvious suspicion that there may be more to the stop loss insurance than KPMG was being told.

and the fact that Sayer made basic errors that a junior would be hard pressed to replicate, shareholders would be strongly advised to seeking remedies. It is staggering that the Tirbunal didn’t recognize the scale of loss, but the costs award suggests to me that KPMG put up one heck of a fight. Even so, the total is a fleabite on partner earnings, barely the equivalent of petty cash if KPMG adopts its usual policy of farming these kinds of loss around the partners as a whole.

But there is more. I recently noticed that the UKs Top 50 firms have banded together to create:

Accounting IT Directors Forum to improve information sharing.

Spearheaded by Jim Greenfield, national IT director for PKF, the forum will let IT directors meet face to face to discuss technology topics affecting the accountancy profession.

The forum is born of IT directors’ frustration with the lack of knowledge sharing in the industry…

Although the May meeting was attended by the top 30 firms and the next meeting in July has attracted interest among the top 50, the Big Four firms have been notable only by their absence.

The problem with the Big Four is identifying the right people in the right department to attend,’ he said.

What the heck? Apart from the fact they’ve cranked prices for SarBox compliance which hasn’t exactly been the thrill of the year and requires systems compliance testing, AIT is saying the Big 4 can’t find the right people? The broader question – do they have the right people? Following Enron, the Big 4 pretty much lost their IT expertise as a result of the break up of the consulting operations. By all accounts they’ve not recovered.

So what do we have? The Big Four, brand leaders routinely ending up under Francine’s microscope for one or other cock up and incapable of fielding a single representative on IT issues. Plenty of cause for celebration there then.

Related articles
Zemanta Pixie
GD Star Rating
loading...
GD Star Rating
loading...
  • Share/Bookmark

Tagged as: big four, GRC, KPMG

  • Hi Dennis, There are several examples, but I will give you two in this forum:

    1)Current SOx testing on the ERP side focuses on configuration related to segregation of duties (roles and responsibility assignment) and access/approval controls. But what about business logic and business rules for example- either as delivered or as configured? How do transactions work? How many different charts of accounts are set up? How is the org structure set up so that dollars and pennies can be booked but booked off to the side or off-balance sheet?

    2)While at PwC, i heard more than once that there was no external auditor review of policies and procedures regarding patch application and testing/promotion to production of new code from the vendor. Why? 'If it's Oracle or SAP, then it has to be bug free out of the box." WTF? This was a handshake agreement amongst the firms that none of them would not call out these issues because if they started it would never end. Neither the firms nor their clients had enough staff to control this issue. Given the number of companies that would be called out on basic IT SDLC related and operations controls, everyone would look bad. Moratorium until companies could get a handle on it. Only best in class companies have tight procedures over these activities and if issues were found it would spill over all over the place. If the ERP software is buggy to begin with but you don't know where it's buggy and this is your GL, what comfort do you have that any financial reporting is right?

    Add to this the fact that no one got or has received a material weakness for not having a disaster recovery/contingency plan documented, tested rehearsed because very few companies outside of those affected by 9/11 (I am assuming) have it, and you see what I'm talking about.
  • Francine - I'm curious about 'technical architecture and application level instead of at the functional/user level' - can you provide an example? Are you talking about process execution?
  • Dennis,

    Thanks again for trusting me to deliver the news of the Big 4. I agree with your assessment that the Big 4, since the sale of their consulting businesses in 2001-2002 have not recovered on the IT side, regardless of their marketing and positioning. Even though Deloitte did not sell, they are still not a consulting firm on the same scale of other systems integrators and are still first and foremost an audit firm, with the independence issues having to take precedence in al cases over any consulting opportunities.

    I have also noted on my blog that IT controls are still not on the radar at the requisite level in most Sarbanes-Oxley reviews. There have been material weaknesses and significant deficiencies related to IT cited only in the most egregious cases. Too much need to get the financial review right first and that has taken a long while. Not enough staff at either the firms or their clients to do it right, and therefore, a potentially "collusive" agreement between the firms to let a lot of stuff go until later, such as disaster recovery and contingency planning and really thorough, in depth reviews of ERP controls at the technical architecture and application level instead of at the functional/user level. Just as maybe the learning curve had been accomplished for the financial side and there may have been an opportunity to start looking at how systems support financial reporting, we are instead dealing with hew and cry to reduce costs. I suspect the next company failure will be because of a catastrophic failure on the part of critical systems to execute proper controls, either due to management fiat such as at Societe General or because the software is flawed or incapable of accomplishing the objectives an no one knows or cares.
blog comments powered by Disqus

Previous post:

Next post: