It’s time for the UK’s audit regulator to start taking corruption seriously

By: Rahul Rose

The Financial Reporting Council is investigating KPMG for failing to spot large-scale bribery at Rolls-Royce, but there are serious question marks over whether the regulator, which is yet to impose a sanction in a corruption-related case, will carry out a proper inquiry.

The FRC investigation into KPMG – which audited Rolls-Royce’s financial statements for over 20 years during which time the UK-based manufacturer paid millions in bribes across multiple countries – is only the second time that the regulator has opened an inquiry into alleged misconduct linked to overseas corruption. The other case also concerned KPMG, but for its audits of BAE Systems, which in 2010 entered into a $450 million corruption-related settlement and pleaded guilty. However, the FRC closed the BAE case in 2013 after a three-year investigation, claiming the inquiry, which looked at possible misconduct between 1997 and 2007, was no longer in the public interest as too many years had lapsed since the alleged wrongdoing.

The FRC’s foot-dragging in the BAE Systems case provoked strong criticism at the time. Two London-based civil society groups, The Campaign Against Arms Trade and The Corner House, threatened legal action against the FRC saying the regulator had dropped the investigation despite strong evidence of a failure of oversight on the part of KPMG. The auditor failed to pay particular attention to corruption allegations against BAE published in the Guardian from 2003 onwards, the civil society groups said.

The FRC’s BAE case has receded from the memory of most, but it is important that the regulator learns from its previous mistakes and avoids similar shortcomings in its Rolls-Royce investigation. It is imperative that the FRC carries out a full and thorough investigation into KPMG’s audits of Rolls-Royce, and, unlike the BAE case, gets to the bottom of whether the auditor should have done a better job at spotting evidence of corruption.

Unfortunately, the FRC’s poor track record suggests that a full and proper investigation may not be on the cards. Since 2008, UK authorities have imposed sanctions in 24 cases linked to foreign bribery, and launched many more investigations, but to date the FRC has not fined a single auditor in a case related to overseas corruption.

In fact, in some instances, the FRC has failed to take any action at all despite being told about possible corruption-related misconduct by an auditor. For example, Ian Foxley, a former lieutenant-colonel in the British army and the primary corruption whistleblower against EADS subsidiary GPT Special Project Management, offered the FRC evidence of possible wrongdoing by the company’s auditor KPMG. But to date Foxley has not been contacted by the FRC.

GPT is accused of paying bribes in connection with a multi-billion dollar deal, facilitated by the UK government, to supply communications equipment to the Saudi National Guard. Foxley, in a letter that was shared with the FRC, said GPT’s auditors KPMG were aware of possible corruption as early as 2007, but did not report inconsistencies in the company’s accounts till 2011.

In the same letter, Foxley went on to say that: “It is highly surprising that the FRC has not made any effort to contact me at all in order to ascertain the part that KPMG played in the audit of the company and whether they are culpable.” KPMG denies the allegations that Foxley has made against it. The audit firm also said it disagreed with claims that the FRC is lax in its approach to enforcement.

The HBOS debacle

Unfortunately, the FRC’s shortcomings are not restricted to corruption-related cases. The regulator has also not sanctioned a single accountancy firm over the 2008 financial crisis, which saw a number of UK banks collapse or require a costly taxpayer-funded bailout despite being given a clean bill of health by their auditors.

The regulator only decided to open a full investigation into KPMG over its auditing of UK-based bank HBOS in 2016, some eight years after the lender was bailed out, costing the taxpayer many billions of dollars. The move was a U-turn, reversing the FRC’s decision not to investigate KPMG in 2013 (at the time, the regulator said there were no “reasonable grounds” to suspect wrongdoing).

The U-turn only came after intense public pressure with former Bank of England regulator Iain Cornish commenting that the FRC had demonstrated a “lack of curiosity” in its handling of the HBOS case. Then-Treasury Select Committee chair Andrew Tyrie even went as far as to ask whether the FRC was “a weak link in the regulatory structure… a loose rivet below the waterline in an otherwise seaworthy ship?”

There are question marks over whether the HBOS investigation will be a thorough and rigorous inquiry – the FRC is only looking at a short one-year window in 2007, despite relevant events happening outside of this period. In 2005, KPMG produced a supposedly independent investigation report into the firing of whistleblower and former senior HBOS employee Paul Moore after he raised concerns with the bank’s board. KPMG had agreed to carry out an investigation into Moore’s dismissal on behalf of the Financial Services Authority, which had received a complaint from Moore. This is despite serious conflicts of interest – KPMG, which produced a report favourable to its client, was receiving millions of pounds in audit and consultancy fees from HBOS, and Moore had worked at the accountancy firm between 1995 and 2002.

The FRC: a victim of regulatory capture  

What’s behind the FRC’s lacklustre approach to enforcement? A large part of the explanation lies in the regulator’s closeness to those that it is supposed to be holding to account.

A number of the FRC’s senior staff, as well as the tribunal judges who decide cases, are former employees of KPMG, EY, Deloitte or PwC, the largest firms that dominate the audit industry and are collectively known as “the Big 4”[1]. Indeed, four of the FRC’s board members previously worked at Big 4 firms, while another member, Mark Armour, sits on the audit committee of UK-based retailer Tesco, which recently entered into a deferred prosecution agreement with the Serious Fraud Office over allegations of accounting misconduct. The FRC’s chairman Sir Win Bischoff formerly chaired Lloyds Banking Group, which took over HBOS in January 2009 during the financial crisis, while the regulator’s director of corporate governance, Paul George, worked at KPMG for nearly 15 years.

The concentration of former Big 4 accountants and industry figures at the FRC has led to allegations of regulatory capture. However, the regulator’s shortcomings go deeper than this. It is also under-resourced. According to the FRC’s 2016 annual report, the enforcement division has only 24 employees. The regulator often has to outsource investigations. In comparison, the UK Financial Conduct Authority (FCA) has over 650 full-time staff in its enforcement and market oversight division.

The FRC’s investigatory powers have also traditionally been limited. In particular, the regulator was until recently only able to compel information from accountancy firms. However, things have changed. As of June 2016, the FRC has been able to compel third parties to provide information, including by interview. To date no investigation has been completed using these new powers, so it remains to be seen whether they will result in an uptick in FRC enforcement.

When presented with criticisms by Corruption Watch, the FRC said it has a “robust conflict of interest policy” in place, and that its enforcement division was appropriately resourced to carry out proper and timely investigations. It added that it delegates the majority of its enforcement activity to professional accountancy bodies, such as the Institute of Chartered Accountants in England and Wales, not because of a lack of funds, but because this is required by the law.

However, investigations are not the only part of the FRC’s enforcement regime that have come under criticism – the regulator’s sanctions, and in particular its financial penalties, are too small, a drop in the ocean compared to the revenue of Big 4 firms and the remuneration of individual partners at these companies.

Between 2009 and 2012, the average fine that the FRC imposed on an individual was just £9,000. Things have got better in recent years, but only marginally – in 2016, the average fine imposed on a partner from a Big 4 firm was only 16 per cent of the mean profit per UK-based partner at such a company. In the same year, the mean fine levied on a Big 4 audit firm was only 0.12 per cent of the average UK revenue of the Big 4, and an even smaller proportion of global turnover.

The fines that the FRC levies on accountancy firms are also often small compared to the fees that firms charge their clients – what one may consider the improper benefit if an auditor does a lax job scrutinising the financial statements of a company. For example, between 2000 and 2005, Deloitte only faced a £3 million fine despite earning £30.7 million from audit and consultancy fees[2] from carmaker MG Rover Group (which collapsed in 2005 with nearly £1.4 billion in debts despite receiving a clean bill of health).

Fortunately the FRC has recognised that there may be problems with its sanctions regime. The regulator has launched an independent review, led by a former Court of Appeal judge, of its current guidance and policies for imposing sanctions. The review is focusing on, among other things, the question of whether the FRC’s fines are too low. A glance at the statistics would suggest that the answer to this question is “yes” – the FRC needs to increase the size of its financial penalties if they are to have a real deterrent effect. At the current level, fines are simply the cost of doing business for major audit firms.

Aside from increasing the size of its financial penalties, Corruption Watch also hopes that the FRC will introduce changes to separate itself more clearly from the firms that it regulates. This may require the FRC to employ fewer people from Big 4 audit firms, especially in senior positions. The regulator also needs to take a more proactive approach to pursuing possible misconduct. At present, the terms of reference for its investigations are too narrow, inquiries often take too long, and in some instances, as in the case of Ian Foxley, the FRC fails to respond to whistleblowers at all. Investing more resources in its enforcement division is a necessary first step for the FRC to take a more active and robust role in investigating possible misconduct.

In a July 2016 report, the Treasury Select Committee described the FRC’s reluctance to properly scrutinise KPMG’s auditing of HBOS as “inexplicable” and “unacceptable”. The committee has also said that it “likely” wanted to review the work and regulatory approach of the FRC in more detail. Corruption Watch hopes that Nicky Morgan, the committee’s new chair who was elected on 12 July, continues the project started by her predecessor and carries out a full review of the FRC.

[1] The Big 4 handle the vast majority of audits for large companies. They carry out audits for 98 per cent of FTSE 350 companies and 95 per cent of Fortune 500 businesses.

[2] The practice of auditors providing lucrative non-audit consultancy advice to audit clients is highly controversial, with the Treasury Select Committee saying it creates “strong incentives to temper critical opinions of accounts prepared by executive boards”. However, while the practice was limited in the US by the 2002 Sarbanes-Oxley Act, the FRC has argued in the past against a prohibition on firms providing both consultancy and audit services to the same company.