The Big 4 And The Ratings Agencies – A Self-Fulfilling Prophecy?
Whatever the defensive spin and the persistent denial of the deepening conditions of adversity, problems yet to ripen mean that we are not yet even approaching what Winston Churchill termed the “end of the beginning.” …The agencies themselves are touting a menu of fixes, from Moody’s proposal to replace letter ratings with numbers – arguably no more than a switch from illiteracy to innumeracy – to massive downgrades of mortgage-backed securities with knock-on effects for other debt portfolios and the entire bond insurers speciality, to the blame-the-user invocation by Standard & Poor’s of more “investor education.”
But should the ratings agencies feel confident of dodging the bullets? Two lessons in history suggest not. First, the closely analogous model of the auditors’ participation in the securities marketplace has brought them to grief, with multi-billion dollar litigations threatening their very survival. Second, both plaintiffs’ lawyers and legislators, inspired by Sarbanes-Oxley, will pick on proximate targets. That’s where they will both fix the blame and aim their fire…
But let’s back up a little bit.
Let’s bring the auditors into the picture.
…Are the ratings agencies always the last to know, or just the last to acknowledge a problem? The agencies point out that they rely on facts presented by issuers, and that they are not responsible for conducting due diligence. In other words, if S&P and Moody’s are asked to rate a pool of mortgage loans, they don’t actually examine any of the individual mortgages within the pool. An S&P spokesperson tells us, “We are not auditors; we are not accounting firms.” So if all the information about the assets underlying these bonds comes from the person selling them, and the credit rating agency never verifies any of it, investors might ask, what exactly does the rating agency provide? An opinion…
But does it get any better for the investor if the audit firms are involved in the process?
No way, José !
I have criticized the audit firms for their “too little too late” response to their banking and financial serviccs clients’ accounting issues related to the subprime crisis. They’re all involved in all of them. So if the auditors are supposed to be certifying financial statements and giving assurances on companies that are issuing mortgages and later mortgage-backed securities and the ratings agencies are counting on those disclosures, without doing their own due diligence to ascertain that those ratings are justified, who is monitoring the authenticity, integrity, and financial viability of the ratings agencies’ business model?
The Big 4.
The three largest ratings agencies, S&P (part of McGraw-Hill), Moody’s, and Fitch (part of Fimalac, a French company) are all public companies that issue Big 4 certified financial statements. So the Big 4, that’s right – only four firms, are on all sides of the equation:
1) They audit the companies that create the mortgages like New Century, Countrywide, Northern Rock and American Home.
2) They audit the firms that create, market and invest in the collateralized mortgage obligations such as Bear Stearns and Citibank and Merrill Lynch.
3) They audit the ratings agencies that put the seal of approval on the credit risk insurers and the securities for sale to the investor public.
4) They audit the monoline credit risk insurance providers MBIA (PwC) and AMBAC (KPMG).
And the ratings agencies rate the credit risk insurers.
From AMBAC’s web page:
Ambac Financial Group, Inc., headquartered in New York City, is a holding company whose affiliates provide financial guarantees and financial services to clients in both the public and private sectors around the world. Ambac’s principal operating subsidiary, Ambac Assurance Corporation, a leading guarantor of public finance and structured finance obligations, has earned AAA ratings from Moody’s Investors Service, Inc. and Standard & Poor’s Ratings Services and a Aa rating from Fitch, Inc. Moody’s has placed Ambac’s AAA on review for possible downgrade. Standard & Poor’s has placed Ambac’s AAA rating on “negative outlook.” Fitch has placed Ambac’s Aa rating on “rating watch negative.”
The auditor for Moody’s has been PwC for a long time .
The auditor for Fimalac, owner of Fitch, has been PwC for a long time .
The auditor for McGraw-Hill, owner of S&P, has been E&Y for a long time .
All recent opinions for all three are clean.
Dontcha think that the audit firms should have had some kind of insight into how the pieces did or didn’t fit together? Or did they just take the enormous amounts of money and run?
Francine, i think you are on to a good thing and have all my support. I have worked for 3 of the Big 4 firms in different continents for a combined 11 years. I have been especially shocked by the negligence & technical incompetence displayed by PwC whom i worked for in the US in the last 3 years. When i tried to express these views, they fudged my performance appraisals and fired me. I am in the process of writing to the relevant accounting authorities regarding my experiences in the US accounting profession. I may have to be anonymous so as not to jeopardise my current job. I think the audit profession is a sham, especially in the US. There is cause for real concern.
Who would you write? The PCAOB which is stuffed with “former” Big Four partners? The SEC? The various state accountancy boards? I assure you, no matter who you write, nothing will be done to correct your concerns.
I started reading your blog a few weeks ago and am very interested in your take on issues facing the Big 4, both in the US and worldwide.
That said, however, I disagree with your assessment that it is the auditor’s job to identify the risk posed by having these portfolios backed by subprime mortgages. (Disclaimer: Although I don’t work in the banking or mortgage industries, I do work in the accounting industry with an emphasis on internal control over financial reporting.)
After reading a few of your previous blog postings about internal control (and your link to the COSO Framework), I wanted to clarify a few things for your readers.
First, you said:
“1)The essence of Sarbanes-Oxley is to validate controls exist to mitigate risk that threatens a company’s ability to meet its business objectives.”
Not true. It is to assess a company’s internal controls over financial reporting. Internal controls over financial reporting — the focus by auditors — (and this is clear from the link you provided to the COSO Integrated Framework Executive Summary) CANNOT ensure a company’s success, and by that definition, cannot mitigate the risk that threatens a company’s ability to meet its business objectives. A company’s business objectives are achieved through making business decisions, however wise or unwise. As long as these decisions are within the limits of the law and are properly accounted for, auditors are NOT responsible for saying whether the company made a wise choice or not. In this case, the essence of SarBox should give the investing public comfort that there are internal controls in place to prevent or timely detect errors in the accounting of these business decisions that could cause a material misstatement. But auditors are not in the position to tell the company whether their objectives are risky or not — that is what the Board of Directors and members of executive management are for! The auditors’ responsibility is to provide reasonable assurance that they are properly accounted for. Yes, a wider definition of internal controls to include operational risks might include controls that are able to mitigate risks the company faces in trying to achieve its operational objectives, but that is more of an Internal Audit function.
“4)An important part of identifying, monitoring and disclosing these risks is to value them according to GAAP and to the extent a reasonable investor would expect. Another would be to reserve according to GAAP and to the extent that a reasonable investor would expect in the event of a change in economic or other circumstances.
5)As part of the external audit process, auditors must form an opinion on whether their clients are complying with GAAP (or the other applicable standards) and whether activities such as valuation of the investment portfolio and estimation of required reserves for potential portfolio losses have been properly performed. Does the client have the internal controls in place to assure that valuations and reserve estimates are correct according to accounting standards and provide a fair presentation in the financial statements of the assets and liabilities of the company?”
Precisely. However, valuation has ALWAYS been an extremely judgmental process. You can put in as many internal controls that you want into the valuations process, but it still comes down to the assumptions, data, and judgment calls made by the team performing the calculations.
Of course, if the data that they use are not subject to input controls, and the valuation is erroneous as a result of that control failure, then YES, the auditors have a responsibility to point it out and assess its overall impact on the financial statements. (Remember, they need to have controls in place to prevent or timely detect errors that could result in a material misstatement. This would be a perfect example of a preventive control failing that could result in a material misstatement).
Auditors can only do so much. If companies want to take high risks and gamble with subprime or similarly built securities, they can. Auditors should not be in the business of letting the public know, “Hey, this is risky and we think it’s stupid since it will prevent the company from achieving their objectives.”
Instead, they are responsible for telling the public, “Hey, this is a highly judgmental valuations process, and clearly the valuations teams did not value the portfolios correctly nor reserve enough for them, BUT they did calculate the values in accordance with GAAP using the assumptions that management set forth for them. And therefore, the internal controls were in place, but internal controls are not designed to tell one whether a business decision is wise or not or whether the rationale and judgment used to make a decision were correct.” As the COSO Executive Summary says, “The likelihood of achievement is affected by limitations inherent in all internal control systems. These include the realities that judgments in decision-making can be faulty, and that breakdowns can occur because of simple error or mistake.”
I look forward to your response! Thank you for providing a forum to allow for such intellectual discourse about an issue that impacts all of us in one way or another.
Dear Recent Anonymous Commenter,
Thanks for your recent comment clarifying auditors’ responsibility in SOx. Yes, it is limited to opining on management’s assessment of internal controls over financial reporting only. However, as external auditors, they have always had a larger scope that includes opining on the company’s risk management, on their overall control structure including the internal audit function and the company’s “Tone at the Top” or whether its senior management was “walking the talk” on internal controls. So, I will continue to hold the auditors to a higher standard.
I have thought long and hard about this. You may be right, nothing may be done. But it is my duty to communicate the issues. Keeping silent doesn’t help anything either. These issues have deeply troubled my conscience. I am worried that the american public, whom we CPAs are meant to be protecting, are being betrayed without their knowledge.
Well, the elephant in the room is whether or not auditing firms can actually detect fraud. Since it seems that most people have that expectation that becomes the reality. I can assure you that audit firms can not generally detect fraud. Therefore, the end-game is likely near, as the resulting imposed liability will financial ruin the profession. The real question is what happens in the post-Big 4 world in terms of financial oversight. Interesting that this has not really been much of an issue in Europe. The only way the Big 4 can actually survive (if it is not too late already) is to be very very selective in the clients they serve, and refuse to serve those that have embedded risks, such as most of the financial insitutions and companies that want to do IPO’s. This will cause the Big 4 to shrink in a signifcant way. The Big 4 should evolve to providing financial support services (i.e., internal audit outsourcing) and tax advisory services, and provide attest services to only those companies that meet specific parameters of risk tolerance. Frankly, the Big 4 should not be doing at least 50% of the audits they are currently doing. Either the company is too risky, too immature in terms of market presence, or management has issues with integrity or transparancy. It would be interesting to see what the SEC will do for those public companies that can’t find an audit firm. Those audit firms that decide to serve regardless of risk and because of greed for fees will soon disappear. For example, why on earth would PwC want to serve AIG? Why would anyone have served Countrywide? Why would anyone serve a development stage enterprise?
Final Four Guy
I have no problem with auditing development stage enterprises. The Big 87654’s problems are: their pervasive “tick and tie” mentality and “client service” emphasis. What is this? Closing your eyes to the obvious. The last thing the Big 87654 want is to concern themselves with is the economic substance of things if the substance and form differ. I know. I worked for Big 87654 and have followed Big 87654 in doing audits for my own account. I would audit Countrywide. It doesn’t scare me. Wow! If there are substantial assets that can’t be valued except by reference to “internal models”, so be it. I’ll disclaim an opinion for lack of evidential matter. I would have told Countrywide that before accepting the engagement. That doesn’t scare me either, having resigned audits for that reason! I once followed a Big 87654 firm that had opined on a company’s financials. I never figured out what they looked at. So? I don’t see the big risk in doing audits. This supposes you do the work and are not afraid to walk away from a fee, no matter how large, if you have to.
To this day, I do not know what “tone at the top” or “internal control structure” means. As far as I can tell, it’s just AICPA-SEC-PCAOB-COSO bloviation. I know what a: variables test is, a compliance (controls) test and understatement or overstatement tests are. I even think I understand materialialty, but “empty” fuzzballs like tone at the top and control environments are beyond me. I’m a “nuts and bolts” auditor. What? Massive sample sizes, 10 times, that’s right, 10 times what I’ve seen Big 87654 select, stat sampling everywhere, overstatement, understatement, compliance deviaton rate calculations, etc. AND LET THE LAW OF LARGE NUMBERS WORK ITS MAGIC. If you look at say Countrywide and test, to the Nth degree, say 2,500 loan files, I assure you, if there is a material problem, you’ll find it. COSO, no COSO.
I’m not afraid of the AIG audit either.
Actually I think “Tone at the Top” is a very powerful concept, but one that has little meaning if the external auditors (and the internal auditors)are not willing to go to the mat.
Here’s a really good speech by Stephen Cutler, Director of Enforcement at the SEC in 2004, about practical application of this concept.
Unfortunately, as you mentioned, external auditors are afraid of losing the client and internal auditors are afraid of losing their jobs and ability to get another job. That’s why in so few situations does this concept get tested other than by plaintiff’s lawyers in securities litigation.
Francine, I find it interesting that half the time you are complaining about how the small number of major accounting firms makes it nearly impossible for large companies to have true choice in who audits them, but then the other half the time, you are calling for all out legal attacks on accounting firms no matter how minor their complicity or what their actual duty is. This, despite the fact that the lawsuits you so vehemently believe in, in conjunction with the enormous damages you think are just, would further shrink the accounting industry. You can’t have it both ways. With that said, what do you propose as a solution to these seemingly incongruous goals? Would you like to see the large audit firms split up like Bell or Standard Oil?
Independent Accountant – you certainly sound very professional and high and mighty. The reality is that Big 4 Firms do decent work, and there is so much more that tick and tie. Perhaps your experience was/is different.
Frankly, I’m not sure if that even matters. As a professional auditor, I know my limitations, and I’m not afraid to state that the AIG audit would be way over my head. Unless I had my entire team compromised of seasoned financial institution partners, I would unwilling to sign the opinion based on a traditional audit team that has a leverage model of maybe 20% partner time and 60% staff time. I really believe that if you were reasonable and thoughtful, you will feel the same way.
The issue is not about sample size, especially for financial institutions – if you believe that, then you either are not a Big 4 Partner or you did not take stat class in college. My friends, the real issue is all about the critical accounting policies and significant management judgments. Staff people don’t audit signifcant audit judgments – but they are good at doing the monkey check lists and “ticking and tying”. Only seasoned and industry qualified partners can audit the judgments, and more importantly, actually IDENTIFY where the judgments exist. And, I’m telling you, there are just noot enough Big 4 Partners out there to do this. Therefore, the only answer is for the Big 4 to withdraw from such risky and uncertain audits.
Final Four Guy
The issue may be sample sizes, as I have seen small samples used to avoid finding anything wrong. Or the issue may be partner “tick nd tie” mentality and failure to understand the economics of what is going on. I’ve seen both. So? The Big Four do some “decent work”. So? A stopped clock is right twice a day. So?