Loading component...
How auditors can spot risk before it’s too late

Podcast episode
Paul Munter:
When an audit firm has a failure of independence, it's not the audit practice that failed to be independent, it's the firm that failed to be independent. Regardless of what your service lines are, a focus on professionalism, a focus on independence, and a focus on audit quality have to be core to what the firm is.Elinor Kasapidis:
Welcome to CPA Australia's With Interest Podcast. I'm Elinor Kasapidis, Chief of Policy Standards and External Affairs here at CPA Australia. Today we're looking at how the profession can strengthen judgement in an environment where risks are evolving faster than ever. Over the last 25 years, markets have been shaken by failures that always look obvious in hindsight. Enron, WorldCom, the global financial crisis, FTX.What's less obvious is that in the years leading up to each of them, the numbers still made sense to the people producing them. Today's risks, private capital, crypto, AI, feel familiar for that exact reason. The challenge isn't spotting fraud after the fact. It's recognising when a reasonable sounding story is slowly drifting away from reality while you're still inside it. To help us explore this issue today is our audit and assurance lead, Tiffany Tan. Welcome.
Tiffany Tan:
Thanks, El.Elinor Kasapidis:
And joining us today is a very special guest who has seen these moments from a position few ever do. Paul Munter spent more than five years at the heart of the US Securities and Exchange Commission and previously was a partner at KPMG in the Department of Audit Quality and Professional Practice as well as the global IFRS reporting practice. He ultimately served as its chief accountant advising on how market information holds together and where it starts to fail. Paul, welcome to With Interest.Paul Munter:
Thanks, Elinor. Great to be with you.Elinor Kasapidis:
Paul, you've had a rare longitudinal vantage point watching US markets and the accounting profession up close across multiple cycles. Let's go back to the late 1990s, the early 2000s, Enron and WorldCom were in the news. What in your view were the first points where the reporting narrative started to drift from economic reality?Paul Munter:
So if you go back to those days, you get several challenges that ultimately manifested themselves in disasters, to be honest with you. But there were first of all, some weaknesses in the accounting standards that existed at that point in time. And in fact, following up on that, the SEC did a study on what were the key drivers of off-balance sheet reporting to identify where were those weaknesses in the accounting standards. One was with use of special purpose entities. Another was with respect to lease arrangements.And a third was with respect to post-retirement benefits, all of which were reflected outside of the financial statements subject to certain requirements. But then the other thing you had was poor application of standards. If you look at Enron, for example, which is kind of a poster child for use of special purpose entities and you drill down in a lot of cases, they weren't following the existing guidance.
So while certainly there were shortcomings in the guidance itself, beyond that, then you've got a company that was misusing the guidance that did exist. And then that, of course, was further exacerbated by a lack of high-quality audits around the information. So you really had a breakdown of all of the pillars that drive high-quality financial reporting, which is high-quality standards, high-quality application of the standards, and high-quality audits of the information which were illustrated by the subsequent collapses.
And I think to the point you said in the tee up is it's oftentimes easier to see this in the rear-view mirror than it is when you're in the moment. But I think it's a reminder that for those that are charged with providing high-quality information to investors, you have to keep focused on that objective, which is what is it that's going to provide meaningful and useful information to investors as you're guiding star? And I think in these and other cases, it's pretty easy to see in retrospect that both management and auditors lost sight of that guiding star.
Tiffany Tan:
That's great insight, Paul. I mean, when you talk about Enron and WorldCom, I was just a baby back then, like the infants, not baby. I was just starting out with my career as a junior auditor. So fresh grads, very green, don't know what's going on. And what I recall at that time is with Arthur Andersen then following then collapse is like, "Holy crap." Arthur Andersen, it's one of the big five at the time, it's aspire firm to be in for all the new grads, all the grads that wants to go in. I'm like, "Oh my God."And then the news break and how the shredding. Not good example. But it was really interesting time and I think the profession learned a lot. But one thing that happened in that time as well is because we talk about how Arthur Andersen didn't just lose one major client, that was some major clients, but the firm itself collapsed because of the scandal.
So one of the things that from your point of view as an SEC at the time or when you were at KPMG, maybe I can't recall where stage of career is, how did you see that unfold as a system event and where did the breakdown become undeniable? You can't dispute that that is basically broken.
Paul Munter:
So it really gets back to the audit firm being focused on its core responsibilities. And later when I was actually at the SEC at that point in time, and then I returned after I retired from KPMG and what was back again. And when I was there the second time, spent a lot of time talking about audit firms having to be focused on audit quality and audit independence, regardless of what services they provide beyond the audit.And if you look in retrospect at Andersen and frankly the other firm probably had some of these same issues, but without the catastrophic consequences is you had a lot of situations where partners were being motivated through compensation and evaluation and the like by their selling of non-audit services to audit clients. For example, there was certainly a lack of oversight of the audit profession. We were back in a peer review structure back in those days.
So there was a need for stronger oversight of the profession. There wasn't the same kind of focus on quality control or systems of quality control within the audit firm and kind of across the audit firm, not just its audit practice, but across the entire firm. And the growth strategies of the firms were looking at things beyond the audit practice. Now, and I've said this before, I don't have a personal view on whether a firm should be a multidisciplinary firm or not.
That's for the firm to figure out what a strategy is and the like. But if they are going to be an audit firm as at least one of those disciplines, then that has to be core to their culture regardless of what service line you're talking about. When an audit firm has a failure of independence, it's not the audit practice that failed to be independent, it's the firm that failed to be independent.
And we've seen circumstances where independence violations have arisen from other service lines within the audit firm. So I think one of the real lessons out of that I think is that regardless of what your service lines are and what your growth plans are and the like, a focus on professionalism, a focus on independence and a focus on audit quality have to be core to what the firm is.
Tiffany Tan:
Yeah. I think completely agree with you, Paul, because I think that's why we also have in recent years the ISQM 1 standard. That one is definitely to deal with the quality of the firm, all the divisions specifically and talk about the tone from the top, the culture of the firm, the governance and whatnot, doing the right thing. So it's really important because at the end of the day, auditors is all about trust. So if we break that trust, it's really hard to gain back that trust. I might shift gear now and we talk about Enron, we talk about WorldCom, another crisis, sorry, saw that coming.So what about the global financial crisis where scrutinised mortgages took down Lehman Brothers and threatened the system? And we can see that that is like a snowball effect. When Lehman Brothers gone down, it impact the whole world, not just the US. So from that perspective, what was the SEC most focused on and what changed out of that episode?
Paul Munter:
So there were a couple of things coming out of that. I think one is Lehman Brothers had engaged in what's now come to be called window dressing transactions where they would do repos right near the balance sheet date to prop up their liquidity position, which were then flipped shortly after the balance sheet date so that their liquidity position at the balance sheet date itself wasn't really representative of their liquidity position over an extended period of time.And going back to the earlier point, some of that was arguably a weakness in the standard, which in the US, the FASB amended the standards in response to that. Some of that arguably was a weakness in disclosure practices because there are certainly ways that the disclosures could have been more transparent to indicate that the balance sheet position was a bit of a temporary anomaly that was taking place.
And then there also would expose some larger structural issues, which you're alluding to, Tiffany, where you have Lehman collapsing and that cascaded and that gets to a question of, well... And this is a bit beyond accounting and financial reporting, but from a risk management perspective, do you understand fully counterparty risk? And can you see through the channel to really understand what kind of counterparty risks you have so that you can manage that counterparty risk? Now, that ultimately does get back to disclosure. Probably a lot of that is outside of the financial statements.
That's perhaps management commentary or what we might call risk factors or the like, but it ultimately gets back to the risk management processes and the degree to which you understand when you enter into a transaction, what are the risks that you're actually taking on? Have you accounted for them properly, number one. And number two, have you explained those in a fashion that's transparent and understandable to investors?
Elinor Kasapidis:
Picking up on that, I could talk about the GFC all day, but the whole mortgage-backed securities, even securitization as a concept was fairly new to many investors. And it took pension funds, Freddie Mae, Freddie Mac, quite by surprise when all of this started to collapse. And Lehman Brothers was the most obvious. But other banks, other lenders, other borrowers were also in a very tricky situation. And you talk about the NINJA loans, no income, no job. How do you look at that as a regulator in the market? And you sort of see this risk growing or this market perhaps before you even see the risk. What sort of deliberations are you undertaking as it's unfolding or does it need a trigger event like the thing that just cascades through the system and you become a reactive regulator, I guess.Paul Munter:
Yeah. And I think depends on what kind of regulator you're talking about. From a securities regulator perspective, there's a question as to whether those kinds of structures are within your remit other than trying to make sure that there is sufficient transparency around that. Now, there is a financial stability aspect to securities regulation that is in play. Obviously, the strength of the regulatory tools that a securities regulator has are different from one jurisdiction to another.But a lot of that I think falls within the purview of prudential regulators who have not just a financial stability mandate, but a safety and soundness mandate. And your example about these mortgage-backed securities is a really good one because you've got two things going on. One is you've got a trend where you've got mortgages being originated with lower and lower quality customers to the mortgage, but that seemingly not being adequately priced into the mortgage.
And then you've got the repackaging, the securitization so that now what you've done is you have amplified the risk when you securitize it. And then to take it a step further there, of course, you've got the securitization of an MBS. So your securitization squared or cube, depending upon how many iterations that you have. And so now the risk that was inherent in the original mortgage has been amplified through the various iterations of securitization.
I think what that says is in a lot of places around the world, probably the US as well, is at the moment it wasn't entirely clear as to who, if anybody, has the regulatory responsibility and authority over those subsequent iterations of these securitization pools, which is why not surprisingly in the US, we had a legislative response. Dodd-Frank came into play after that. And obviously in other countries, there were legislative responses and I think it served to indicate that we have to be continually vigilant to make sure that our regulatory regime is fit for purpose in light of what's going on in the marketplace at a particular point in time.
Elinor Kasapidis:
And hearing you speak for us policy people, Tiffany and I, it makes sense. We can understand how these different iterations, these different crises lead us to the structures, the recommendations, the regulatory frameworks we have today. Speaking of today, we've got Bitcoin entering the market in 2010 and crypto, it is still a thing. But when we looked at FTX building and building market cap, sponsoring things and then it collapsed and billions vanished overnight, do you see this same pattern recurring of you've got this new thing happening, you've got this excitement. Maybe I feel sorry for the auditors as well, because they're dealing with things that they've never necessarily in essence had to deal with. They've got the processes, the controls. Again, what do we do each time one of these things comes up?Paul Munter:
It's a question of first figuring out what is within the regulatory remit? And when you take examples like that, the question becomes first, are you really dealing with what amounts to an exchange, which in a lot of cases, some of these are exchanges and in the US exchanges have to register. So there's a registration requirement to bring them within the regulatory authority. In the example you're dealing with, they did not register and so they were outside of the SEC's examination protocols.For example, they weren't being audited by a PCOB registered audit firm. For example, they weren't subject to capital adequacy requirements that are imposed on exchanges. And then going beyond that, some of them run brokerages and there are, again, requirements for brokers and dealers to register and to maintain capital adequacy and the like. So it's really challenging when you've got these... and you of course have to balance appropriate regulation and not stifle innovation.
There's obviously part of the trick to it, but it's difficult to have sufficient regulation when you don't have sufficient visibility into what's going on, which is why there are registration requirements in first place. But if you don't have compliance with the initial registration requirements, how exactly do you get at that? How do you identify the risks and put preventive measures into place is the regulatory challenge.
Elinor Kasapidis:
And Tiff, from an auditor's perspective, so regardless of whether they're in the system or not, let's just say at the very least they had auditors and yes, their accounts were on an Excel spreadsheet and yes, they had related party transactions. Given your experience in audit, what do you think is an approach that the profession can take in exploring these new risks and these new businesses?Tiffany Tan:
It's so hard. Every day you come up with a new risk and this particular example, FTX is a good example because obviously it's fraud involved. So it's not like a basic, oh, error in accounting or whatever. It's deliberate shifting money from US offshore, all the money bypass US just go offshore. So like Paul was talking about, it even bypass the regulatory, it's not part of the regulated system. So in that context, and even if it's audited, but if they haven't got any requirement for the auditors to report or anything that's not part of the system, where does the report goes to? I don't know, no idea how to deal with this. Paul, you might be more experienced in dealing with this as an auditor.Paul Munter:
Well, it goes back to a core tenet of audit, which is we're required to have appropriate technical competence for an engagement. And so the auditor should be asking, "Do I have the technical competence here?" One of the things would be to ask yourself not only about the technicalities of the digital assets and the like and how you go about auditing that, but asking, well, what should be the registration requirements for this company, if any?And do you have the appropriate knowledge, competence, et cetera, before you accept the engagement? So I think that's the breakdown from the audit side is the firm itself, it would appear. Now I don't have inside knowledge on that, but it would seem as though the firm itself didn't stop and ask itself, do I have the appropriate competence to engage in this?
Interestingly enough, if you look at the auditor of Madoff's structure, you see a similar kind of thing. You see a little tiny audit firm that is not auditing any other funds. Do you have the appropriate competence and technical knowledge to be accepting that engagement in the first place?
Tiffany Tan:
We can talk about this all day because I did hear rumour about how none of the big four, none of the reputable firm will want to touch this kind of entity, not because of anything else, but more because they don't understand well enough that's the first thing, the competence. Because obviously the auditing standards is comprehensive. We have ISA 210 about the acceptance and continuation of the engagement. So most auditors, if they're doing the right thing, they would have like, "Nah, this is too hard." I know in my audit days I'm from a mid-tier firm perspective, we stayed clear from the banking industry. So we said, "No, we are not doing banking. We will not do mining as well. So we will do the normal manufacturing and retail and whatnot, but we know where our expertise lies and we don't go there." Yeah, that's a good point. Yeah.Elinor Kasapidis:
Which then goes into the private markets where depending on where you sit, there may or may not be a statutory requirement to have audit. But in Australia, and I think it's the same in the US, we're doing a lot of thinking around private capital and private equity. We've got trillions now and it started small, but there are, I guess, lower barriers to investment in the private market. The investors are considered to be more sophisticated and more knowledgeable, which given some of the thresholds we do question. So from a market integrity standpoint, you're talking about what is the regulatory sphere for a regulator. From the US perspective, I think there's been a bit in the private equity markets and private issuances. How do you go from this, or if you're just a listed public to a range of different instruments and different types of entities, how do you see that evolving over time?Paul Munter:
Yeah, so that's something we've certainly had a lot of debate on in the US in the last few years and there's kind of a couple of aspects to it. One is, which you're touching on, Elinor, is who should be allowed to invest in private equity or if we go beyond that private credit as a specialised form of private equity. And we have rules on that and there are questions about whether the rules are fit for purpose or need to be revised or what have you.And that conversation is ongoing, but that's question number one is who should be allowed to invest in them in the first place? And then the second is from a systemic perspective, which gets back to financial stability is, well, how much information should they be required to report to public authorities even though they aren't necessarily subject to their regulatory oversight. But just from standpoint of having information and understanding what systemic risks there are, how much information should be reported. And that's also a subject of debate in the US.
So you've got both those things going on and there's of course tension that you've got. Some are in favour of a stronger regulatory regime and more reporting of information. Others have a perspective of, well, we ought to let the markets function more in a free market circumstance. And in most cases, the answer lies somewhere in between the two that I think we've got a long enough history to say that markets operating completely unregulated is not a good formula from an investment perspective. You have to have some kind of regulatory oversight of it. And I think that's the same kind of debate we're having in the US I suspect elsewhere is to how much visibility do we need to understand what the risks are that are inherent in these structures and who is it that should be allowed to invest in those kind of structures.
Elinor Kasapidis:
And I'm going to go a little left here. We talked right from the beginning about you need these pillars, standards, the application of the standards and the audit, and we've touched on the regulatory space. In the profession, we are concerned about the lack of the pipeline of auditors. And I think the conversation today has really highlighted where you need independence, you need to have scrutiny, you need to protect the market's investors and just the broader economy from different kinds of changes. So Tiffany, how do you see the role of audit and why do you think it is this real challenge to get people to recognise the importance and be invested and see it as a career?Tiffany Tan:
I want to say it obviously is a critical role. It's a trust in the system. You can have financial reporting, but if you haven't got the audit lens over it, it means nothing for most because you're relying on an independent audit to be conducted to make sure that the numbers stack up. But I think one of the challenges, continued challenge, I'm not sure about in the US. I know I worked in Asia a little bit in my early days that was horrendous, six and a half days work. And I think the work-life balance, it's always a challenge.I know that in Australia, at least it's getting better, with COVID, it shifted a fair bit of how we worked, a lot of working from home happening. And I think important thing is really, I think some of the time as an auditor at the initial stage in the early days, you're just going almost like going through the process. This is my experience, may not be everyone's experience, but only until you observe in action.
So I was in meetings and stuff like that with some senior partners and where you see those all the debate happen in action and how it impact the outcome of the financial report. And that's when you realise how important your role is, even though at that time I was just doing ticking and bashing. So the opportunity to actually observe those trust and integrity of audit brings into the set of financial statements in action brings it home and say, "My role is important. I'm here to find the truth. I need to apply critical mindset and professional judgement. I need to escalate if I find issue and be brave, ask a challenging question. I mean, I'm green, but at that time, so I did experience that. One of the CFOs say, "Where did you find this girl? She's so green, but she's absorbing it like sponge. She keep asking question, too much question from her."
Elinor Kasapidis:
I love that though. It's about the curiosity.Paul Munter:
No, I think that's a great point, Tiffany. I think one of the lessons that I've tried to instil in people that I've worked with or have worked for me is ask questions. And if the answer doesn't make sense, keep asking questions until you get an answer that does make sense. Because oftentimes if you look back in retrospect at some of the failures, you either didn't ask the question because in a lot of these red flags were there that weren't pursued or you ask a question, got an answer and drove on even though you didn't necessarily fully understand it. So I think that's a really good point. I think the other thing in terms of the pipeline part of the question is as a profession, we have not done a very good job of explaining the value proposition to people and particularly those who are thinking about coming into the profession, that the audit profession is instrumental to capital formation.It's instrumental to being able to raise capital regardless of whether you're talking about through equities, through borrowing, through other financing vehicles, but do so at a reasonable cost of capital so that you can invest that as a business and generate a return on that. And so we haven't explained that and that's what you were touching on a moment ago, Tiffany. We haven't explained that to people very well.
The other thing we haven't done a very good job of explaining is what are the career paths that are available. I kind of look back on my career and you touched on a couple of the things I've done, but I've been very fortunate to be able to do a lot of different things. And if somebody had told the 20-year-old Paul, here are the things you're going to have the opportunity to do and here are the people you're going to be able to engage with and the like. I'm not quite sure how I would've reacted, but it would've been very interesting information.
And we don't do a very good job as a profession of explaining either of those things to younger people that I think would help them understand why it's useful to go into the career and what kinds of opportunities and career paths and satisfying progressions they can engage in. And I think we would serve ourselves well if we did a better job on both of those fronts.
Tiffany Tan:
I'll add to what Paul say though, it just reminded me. I did say that it's a hardworking role being a junior auditors. But one of the things that keep me going is the promise of travel.Elinor Kasapidis:
Careers, destinations.Tiffany Tan:
Destination, travel. So I have secondment in UK and I'm going to Manchester, Birmingham. It snowed when I have to have audit clients at Birmingham, we end up with the chocolate factory, Cadbury. So it's not an endorsement, but you know what I mean? I think those are the thing that young people back then my time, I really look forward to the travel. Oh, next week I'm in here. Next month I'm there. And the other thing that I stick with audit for a while, obviously, and hence I'm here today. I don't think I was last maybe a year in the corporate environment because I'll be doing balance sheet and P&L and whatnot every day or journal entries every day.But in the audit role, you go from clients in the fashion industry to a abattoir, a slaughterhouse. It's quite a different perspective. And the people that you meet, I always say to the junior staff that I take them on audit, I say, "Your three years spent in the audit firm is the best time. It should be hard work, but we play hard as well."
But it is the fastest time you can get your experience because you see across all sector as well, different people. And I love the people factor. And I did feel that once... I did get into technical stuff and once I'm in technical, my people-facing time decreased significantly. I'm like, "Oh, that's not what I want to do." But I mean, depending on the personality as well, I think as an auditor, there's a lot of prospects. It's a very interesting job from my perspective, I might be biassed, but it's that getting through that discipline, the hard work and learn, be inquisitive, keep asking question.
Elinor Kasapidis:
So we started with corporate collapses and we've finished off with audit careers. Thank you so much. I think really what this has highlighted is the critical nature of the profession, the depth and variety of what opportunities professional accountants can have across the various spheres of regulation, of business management and audit. And Paul, thank you so much for taking the time to sit with us today and share your experiences.Paul Munter:
My pleasure. I've really enjoyed the conversation.Tiffany Tan:
Thanks, Paul. Thanks El, for hosting.Elinor Kasapidis:
And thank you for listening to With Interest. We have a range of audit tools and resources on our website, including guidance on systems of quality management and career pathways. Please hit subscribe. Until next time, thanks for listening.
Loading component...
About the episode
Strong professional judgement is often the difference between identifying risk early and recognising failure only in hindsight.
This episode explores what major market collapses can teach auditors, accountants and finance professionals about maintaining trust, independence and scepticism when risks are evolving rapidly.
With Paul Munter, formerly of the US Security and Exchange Commission (SEC), in the studio – along with CPA Australia’s audit and assurance lead Tiffany Tan – this episode offers deep insight into this important issue.
Drawing on lessons from Enron, WorldCom, the global financial crisis and FTX, the discussion examines how reporting narratives can gradually drift from economic reality and why strong professional judgement remains critical.
Key takeaways:
- What past market failures reveal about weaknesses in reporting, auditing and oversight
- Why audit quality, independence and professional scepticism remain essential
- How emerging risks such as crypto and private capital challenge traditional approaches
- The importance of asking better questions and challenging explanations that do not make sense
- Why the profession needs to do a better job explaining the value and career opportunities within audit
- How auditors contribute to market confidence, capital formation and investor trust
Host: Elinor Kasapidis, chief of policy standards and external affairs, CPA Australia.
Guests:
- Paul Munter served as the US Securities and Exchange Commission (SEC) chief accountant (2021-25) and its deputy chief accountant (2019-21). He had previously retired from KPMG where he was the lead technical partner for its international accounting and International Financial Reporting Standards (IFRS) activities. He is a CPA in Colorado, New York, and Florida.
- Tiffany Tan, audit and assurance lead, CPA Australia.
You can learn more about Paul Munter here.
CPA Australia also has some useful audit and assurance tools and resources.
Loving this podcast? You can listen to more With Interest episodes and other CPA Australia podcasts on YouTube.
CPA Australia publishes four podcasts, providing commentary and thought leadership across business, finance, and accounting:
Search for them in your podcast platform.
You can email the podcast team at [email protected]
Subscribe to With Interest
Follow With Interest on your favourite player and listen to the latest podcast episodes