EY gets banned from new audit business in Germany (economist.com)
471 points by mfiguiere on April 9, 2023 | 286 comments




I worked at Accenture as an MD for several years, primarily on innovation and transformation programs. I have plenty to say about them, but I think the key driving factor for all of the grift and awful performance has a lot to do with how they operate, which is to sell in a big program, then pull a switcheroo and try and pack a project with as many low-paid MBAs as possible – kids straight out of college tasked with a (thin slice) of a major strategic program, or find some sub to farm it out to at a really low price.

Since going out on my own as a consultant – focused on the same sort of growth programs, as opposed to audit – I generally find that I can achieve the same outcomes for a client with a handful of people on a reasonable budget.

I left primarily because it's just bonkers how much pork these big consultancies manage to get away with packing on, to the point where it was a major reputation risk to me.

I'd encourage any CXOs out there seeking to outsource major strategic initiatives to consider hiring individuals or smaller entrepreneurs with experience inside the bigs, but without the downward pressure to get as many butts in seats as possible.


On the consulting side of the audit firms that you're talking about, I think people misunderstand why companies hire big consultancies.

It is not for performance.

It's for minimizing risk.

And not "risk that the project will fail to hit its schedule." Rather "risk that the company is unable to deliver the thing we're asking for at all."

When I've seen big consultancies fail, it almost always goes like this: (1) big idea sold with A-team, (2) contract won and lowest-cost B-team substituted in, (3) B-team screws up execution, and customer usually figures out on or right before target delivery date, (4) if smart, customer tears consultancy a new asshole, from people with VP et al. titles, (5) if interested in further business then consultancy profusely apologizes and puts an A-team back on the project, (6) A-team delivers, albeit after schedule.

The difference between ey et al. vs smaller shops is (4). Smaller shops don't have extra senior bodies laying around to retask.

So a more accurate description of a VP hiring ey is probably "I know they're going to screw it up, but I know if I bitch enough they'll eventually get it done right."


Nailed it. My only beef is that when you’re going line-by-line on the deliverables, arguing over the “definition of done” that you’re actually crushing whatever good will and budget remains for the innovation a company actually needs.

And when I say innovation I don’t mean gravity boots, I just mean a progressive use of robust tech, easily understood processes, and a general aversion to complexity - so you don’t have to do it all over again in five years.

OTOH executive retention is tanking, so maybe it’s fine you one-and-done it, and move on to your next job before the truth is out - YOLO! (Barf).


I've always thought that if it gets to the point where a consultant and company are arguing over line items and it didn't go so badly as to preclude future work, then just meet in the middle, call it a poorly run project, and try and do better next time.

There's no good outcome from a knock-down, drag-out fight for either party when it goes that badly.

And yeah... I've observed my fair share of "So, we all agree we're going to call this a success? Great!" + director / VP takes a new job before it explodes.


The good P&L owners make it right and eat the marginal loss because they know long term relationships are more important than a single contract. That is generally how I ran my line – but I have had a very small number of extremely toxic/litigious clients and so I'll go the distance with them, line-by-line, make sure we've got 'done' in writing. It sucks but some people are just jerks.


> arguing over the “definition of done”

This brings back my PTSD. "I have never seen so many fine men wasted so badly"


The risk of non-delivery exists for these large firms too - see Hertz vs Accenture, for example. Or Indiana vs IBM.

In my company, to hire a company like IBM or Accenture we have to propose a plan, which has to be approved by many layers of bureaucracy. This plan includes a budget. A real risk is that the consultant underdelivers, or we need more budget. Then we have the sunk cost problem, and we have a bureaucratic one as well to increase the budget. And the consultant already costs more than hiring on our own and doing it in house.


Actually I disagree strongly. It's primarily because of blame shifting. You know, "no one got fired for buying IBM". Also, to confirm a C-exec's "vision". He can always say "<big firm> agrees with this too".


> Also, to confirm a C-exec's "vision". He can always say "<big firm> agrees with this too".

This is the crux of it. GP described the process but not the reasoning. Consultancies come in to help management push a vision. One or two VPs may not be able to get their vision but if one of the big 4 supports them it will likely be easier to get buy in.


> And not "risk that the project will fail to hit its schedule." Rather "risk that the company is unable to deliver the thing we're asking for at all."

The other big risk is: 'Will _I_ get in trouble, if the project fails?'


This is the primary factor, by far, to my knowledge. No one got fired for buying IBM.


Part of the grift is that roughly one of ten of these unproven low-paid MBAs will be exceptional. So when one does a good job they'll use it as an example of typical performance. I see this happen with dev talent agencies and unproven software engineers. Only the great projects go in their portfolio and the satisfied clients are happy to appear on their website because they don't realize they just got lucky.

With software engineers some of the remaining 90% really are talented but spend most of the project learning on the job, fixing an issue in a few hours that a senior engineer in their stack could fix in 30 minutes with their arcane knowledge. Meanwhile the senior engineer goes to the scrums (they love to hide behind agile). It's a solid grift.


Yeah I mean I don't blame people for celebrating their successes and sexiest projects – I certainly don't include all my fails in my portfolio, heh.

What's interesting about this article (and the general state of management consulting) is that the cracks are beginning to show in these big firms that used to have a "nobody got fired for hiring EY" reputation.


It’s true.

I work as a Client Partner for a $1B+ consulting firm that comes in and cleans up after these situations. We bring in seasoned, experienced consultants with the functional knowledge that these big consulting firms don’t have. And even though our consultants are more costly on a per head basis, we’re more cost effective overall, because we do more with less.

I always admired the big consulting firms until I realized how consistently they fail to deliver. It’s hard for the clients to fix it because they genuinely think they are getting the best. It’s sad and laughable. Eventually they figure it out. Usually when a firm like us comes in and exposes the dysfunction by getting a few consultants in there that know what they are doing and running things like it should. And it generally comes down to a lack of leadership, by both the client and the big consulting firm. They point the finger at each other. But also it’s just a lack of experience by those running/implementing the program. Staffed by consultants who read all the books and go to the trainings and classes but have never been in industry and been in the client’s shoes.


I'm a bit confused because this isn't my industry. What exactly are these consultants doing? What are they supposed to 'deliver'?


Well, let's say you're a guy who runs the 10-year-old analytics platform for your company; your team's job is to deliver a bunch of charts and data to the executive team on the performance of the company on a weekly basis.

That's not an easy job, because you've got a shitton of unstructured data, new data sources coming online all the time, and a patchwork of analysis tools. This work would be a hell of a lot easier and more accurate and maybe even cheaper in the long run if you had an analytics layer that was more modern - but you don't have time to make the case to the CIO, because you're too busy just running the reports and doing the job that you're paid to do.

However, maybe a guy like me is having a convo with his client the CIO and she says "Y'know, Eisenstein thinks we need a new analytics plat, but he's busy on five other projects – can I pay you $5k to take a look at it and make me some recommendations?"

So I can sit with you, get your hot take, maybe bring in one of my guys who is shit-hot on dozens of analytics platforms, show you and your boss the trade-offs, costs, etc. If I'm lucky maybe you'll even hire one of my guys for a couple of months to install it and train you and your team up on it.

Way cheaper than interviewing and trying to do an apples-to-apples comparison between a dozen different analytics companies who're all gonna lie to your face about how their product is the best, probably politically better that you don't miss a full quarter of you doing your job, and your boss also gets to look good when I ship a sexy deck that shows how we're going to integrate all her peers' pet systems and provide much more timely, accurate, and readable results.

(I made this all up out of whole cloth, but the bottom line is sometimes incentives are aligned as such that a middle man can help you get there faster, cheaper, and better than DIY. On the other hand, consultants can also make things WAY worse as this thread illustrates)


The big consulting firm runs a program/project to deliver a result. Perhaps implement a new business system or technology or integration, optimize or implement a new process, perform some organizational change in the way things are done, etc.

Companies don’t have the skills or experience or expertise or resources or time in-house to do it themselves, so they essentially outsource the initiative or objective to a consulting firm.

It’s seen as less risky to go with name brand big consulting firm. But companies think they can pay little and get a quality delivery team, and the big consulting firms usually find a way to make a profit at the expense of quality by leveraging inexperienced consultants or consultants overseas with no real world experience.


Agree with all of these except the “pay little.” Top consulting firms are crazy expensive to the point we could hire a team of several analysts and a manager for a few years for what we pay them.

Engagements are often around $100k a month and when I go looking for one of the consultants to help in an emergency, I often hear they are busy with something else (another client) and need a day to get the request started. When we’re paying 100k a month you better damn well have one person on deck or able to pivot immediately to us as if they are one of our employees.


$100,000 a month is nothing. That’s like 1-3 full time consultants, at like a $200-600 bill rate.

My current client is spending $300M+ a year on an implementation program, and they are going on their third year with 2-3 more to go.

When I say pay little, they need more people and/or more experienced people to actually get the job done right. But they end up off shoring to teams in India or green consultants with zero industry background and limited experience.

They choose the firm with the most compelling economics, but severely overlook quality. They forget that these are organizational changes that impact humans. That outsourcing to lower skilled or different cultural regions will impact communication and team dynamics and overall ability to get things done properly.


Let's face it, the answer from ChatGPT would be almost identical to what these consultants say, however the main reason for consultants is to CYA so if the decision is bad, you can blame someone else.


Their consultants are probably utilizing ChatGPT now to 10x their buzzword bingo outputs


just repackage chatGPT as a new consultancy, McKenzie, and hope no one notices

actually, brb


My savviest clients are already on this - why hire a consultant for strategy when you can just suss out what the competition is doing and improve incrementally on that?

My only (personal) hope is that it’ll free guys like me up to soar through ‘creative configuration space’ and come up with those truly unique and unexpected tactics that are new to an entire segment or industry.

Sure I don’t get to be a millionaire MD with two hundred reports billing hourly, but maybe I can do value-based or outcome-based pricing and get my clientele to take ‘healthy’ risk - instead of sitting around fretting about shaving half a point off labor costs through a mindless re-org :/

Related anecdote: if you see someone on the airplane rejiggering a public company’s org chart - short the stock!


You mean McKinsey?


I won't deny that I've been using it as a research assistant to investigate a lot of market forces and conditions, but as always I have to support it with quality data and citations if it's gonna play in the board room and with savvy institutional investors.


ChatGPT is not that old. So someone had to do the writing


Ex accenture here, left and started my own. M u c h better and my clients love that I am not from a big shop. Money is good and life is smiling.


Congrats man feel free to reach out if you ever want to collaborate. 05-trivet.turner@icloud.com

I'm pure strategy, most of my clients are 'intrapreneurial' CIOs, CSOs, CFOs.


Does outsourcing major strategic initiatives even work? Seems like the definition of the sort of things you shouldn't outsource


Well for my clients they're often up against maxed-out resources or employees who are just mired in their day-to-day and need a sort of entrepreneur-in-residence. For me, I'm given one or several major strategic initiatives and then my job is to build a 'demonstrator' that hits all of those without needing to fully build them out.

My client (typically an executive) can then take the presentation to his or her leadership team or board to unlock the funding required to stand up the 'execution' phase of that initiative internally through hiring.

So I guess you could say I build MVPs or proofs-of-concept that, if they work and are desirable to the company, get spun out into new lines of business.


This sounds like amazing work, the best part of software engineering is coming up with a prototype and experimenting. Most of my personal projects are basically “I wonder if X is easy or hard, and if I can make it work”

Do you stick to a particular business domain? Eg finance, transportation, e-commerce? I’d think it would help you to build MVPs if you stayed in a specific domain, but it could be fun to move around a bit too :)

Also: how do you find clients? I feel like again this would come from having connections in a specific business domain? It feels like it should be hard to sell yourself as the “prototype person”, but how do you convince someone to let you prototype for them for a while?


1. Yeah I stick primarily to hospitality and consumer companies (B2C and B2B2C) with a large amount of tech debt; because they're so mired in keeping their current systems alive, they don't have time to innovate, so that's where I come in.

2. Word of mouth primarily. When they look at what I cost them vs. what the big consultancies – or even the midsize 'innovation consultancies' like Frog or IDEO cost, it's a no-brainer. I just blend basic financial rigor with a bit of visionary thinking and competitive research, and set my clients up for the win when they go ask for permission to go from idea to prototype to MVP to pilot.


I think the answer is "it depends".


No, not if you're doing it to save money. If you're doing it because someone else is better, then yes.

See: IBM's software engineering, vs Delta's offering of their maintenance ops to other airlines. One has really, really worked out, the other hasn't.


It's a form of corruption. In China, they take 10% off the top, in Africa the money disappears, in the West, consultants take 80% and it's all legal.


I've never heard of a U.S. based consultancy taking 80%. In my experience we'd be happy with an 18-20% margin, but more often it was half that.


I'm saying they are 5x more expensive than they need to be. So most of the money that goes to the agencies is de facto corruption, even if it goes to the workers who are working, but outputting not much.


Where did you get that 5x number?

The rate cards we use are tied to market rates. Consulting (and services businesses in general) aren't super-profitable.

I think probably you're just pulling numbers out of thin air.

Now if you think that the value of consultants is overrated, I tend to agree with you in some - but not all - cases. As an example, it makes little sense to hire FTEs for a short term project that has to happen on a discrete timeline.


Healthcare.gov (Obamacare) was a $1B, and it didn't work. Some Google Engineers came in to save it.

In Canada, the 'Gun Registry' cost $700M and it could be literally an Access database not even MySQL. Literally probably could fit in Excel.

The government's custom payroll is going to cost another $1B and it still does not work, they are looking for alternatives.

It's fraud. They bill $1B for a piece of shit that a handful of decent Engineers could have built for 10% the cost.

It's blind leading the blind leading the blind who don't care. Everyone's reputation is at stake so they will lie lie lie.

Bureaucrats believe the smooth sales pitch and have no clue what a good project should look like.

We need much better standards for IT projects because this is going to kill us.


The best fraud is to inflate the cost of the project 10-100x.


Big 4 is a multiway confidence trick at this point, scamming employees, clients and governments all at once.


Interesting, but how does your experience relate to the linked story? Is EY somehow related to Accenture? Are Accenture also doing auditing?


They're both global professional advisories with a ton of similar services and competing for similar clients. They ought to be thought of as basically body shops for management consulting.


Accenture was spun out of Andersen Consulting after the Enron saga. Andersen had both a consulting business and an audit arm - they were one of the “big five” audit firms before the collapse of Enron. Today, Accenture only do consulting; they do zero auditing. EY are not related to Accenture or Andersen. EY is an audit firm (one of the “big four”) with a massive consulting arm. Unlike Accenture which is a global firm, EY operates more like a local franchise. They do this to minimise risk of contagion from a bad apple like in Germany to other audit businesses in different countries. As such, EY is far from a global firm, but more like a collection of separate audit and consulting firms in different countries who all have a license to use the EY brand. This is an important difference.


before the Enron scandal


I don't know if I have just enough knowledge to be dangerous, but it seems to me that auditors don't really do what people think they do. Auditors seem mainly to just double check the numbers they're handed. This serves a purpose, it provides some level of guarantee that companies that are acting in good faith are generally reporting correct numbers. Auditors don't do what people seem to think they should do - investigate and uncover fraud. If a company wants to commit fraud, the auditors simply aren't resourced in a way that would allow them to uncover it because there's not really that much incentive to uncover the fraud, the fraudster is extremely motivated, and if you wanted that level of hostile investigative work it would be much more expensive for every company.

Also, from a dynamics perspective, this is a lot like the insurance industry. In the insurance industry you can underestimate risk during the good times, take profits, and then go bankrupt in the bad times. In auditing you can spend a lot of money being extremely thorough - you'll lose all your customers because you're expensive and painful. So instead you lower your standards, you're cheap, you're easy to work with, and it's easy for a fraudster to slip through, in the 1 in a 1000 chance that happens the regulator comes down on you like a tonne of bricks. Well ok, but was EY less competent than McKinsey or did they just get unlucky that they're the poor bastards who stepped on the landmine?

Well, maybe in this case we should learn from the insurance industry and institute some sort of fund that all auditors pay into that pays out in the case that fraud is discovered.


> Well ok, but was EY less competent than McKinsey or did they just get unlucky that they're the poor bastards who stepped on the landmine?

I have asked myself the same question, before I noticed that EY is basically the Credit Suisse and the SoftBank of the audit world[1]:

> EY has been involved in many accounting scandals: Bank of Credit and Commerce International (1991), Informix Corporation (1996), Sybase (1997), Cendant (1998), One.Tel (2001), AOL (2002), HealthSouth Corporation (2003), Chiquita Brands International (2004), Lehman Brothers (2010), Sino-Forest Corporation (2011), Olympus Corporation (2011), Stagecoach Group (2017), Wirecard (2020), Luckin Coffee (2020) and NMC Health (2020).

In fact, Wirecard managed to partner with EY, Credit Suisse, and SoftBank simultaneously just before going bankrupt.

Maybe because no reputable companies wanted to touch it?

[1] https://en.wikipedia.org/wiki/Ernst_%26_Young#Accounting_sca...


E&Y and McKinsey are not remotely in the same business.

E&Y are accountants who double check that your financials are what they say they are.

McKinsey are management consultants who generally do strategic projects, and/or facilitate other consultants to actually do work.


EY also has a management consulting arm, not sure how successful they are though.

https://www.ey.com/en_gl/strategy-transactions/strategy-serv...


Well, EY started as part of Andressen (?) and was as such part of the Enron scandal. We shouldn't ignore the scandal of the century. EY so is a very reputable accounting firm. Unreputable would be the Metaverse headquartered shop FTX used.


You might be thinking of Accenture, which was founded from the ashes of Andersen Consulting.

Andressen is one half of Andreessen Horowitz (a16z) which (I think?) doesn't have any connection to Enron.


The OP is thinking of "Arthur Andersen", the accounting firm that serviced both Enron and Worldcom. The first paragraph of Wikipedia cites the scandals as factors in enacting SOX (src: https://en.wikipedia.org/wiki/Arthur_Andersen)


Accenture is Andersen Consulting. It left and changed its name to Accenture because of internal infighting and politics prior to the Enron scandal that took down Andersen entirely.


The name Accenture was also chosen because they were able to keep using Andersen Consulting's existing ac.com domain w/o interruption.


It wasn't, it was spun out before Enron.


The auditing arm of EY is in a completely different industry than McK and similar firms.

That EY's auditing track record is, well, checkered is a different problem. Throwing those two into the same bucket, though, shows some lack of understanding of auditing, accounting and consulting. EY also does, sometimes legally required, "consulting" work in the accounting space. That work is completely different from strategic management consulting ala McK and BCG. And it is also a different beast than the lower level outsourcing consulting ala Accenture.


> The auditor has a responsibility to plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud. Because of the nature of audit evidence and the characteristics of fraud, the auditor is able to obtain reasonable, but not absolute, assurance that material misstatements are detected.

https://pcaobus.org/oversight/standards/auditing-standards/d...


> Auditors seem mainly to just double check the numbers they're handed. This serves a purpose, it provides some level of guarantee that companies that are acting in good faith are generally reporting correct numbers. Auditors don't do what people seem to think they should do - investigate and uncover fraud. If a company wants to commit fraud, the auditors simply aren't resourced in a way that would allow them to uncover it because there's not really that much incentive to uncover the fraud, the fraudster is extremely motivated, and if you wanted that level of hostile investigative work it would be much more expensive for every company.

While I agree audit is a hard job, auditors should not just rubber stamp what the company gives them. They should ask probing questions like "where did this sale come from?", "how did you calculate this figure?" and "why are you doing this? It is unusual." A consequence of this is that they may pick up on suspicious signs within a set of accounts and choose not to sign them off, but I wouldn't say their job is to identify fraud per se.

What is clear from cases such as Wirecard is that EY have failed to ask these probing questions on several occasions, and subsequent audits (by other firms) have shown it is entirely possible to ask appropriate questions and uncover dodgy practices.


1) Auditors do uncover errors. Sometimes those errors lead to firings and restatements. An entire company does not need to be complicit with fraud for there to be fraud. Key employees commit fraud to enrich themselves or make their numbers look better. From that perspective, the board does benefit from existing audits.

Also audit is highly regulated. If the standards are too loose the PCAOB can come in and punish you severely.

It's the pervasive cases, the Wirecards, that are hard. Those are the frauds that are pervasive and go to the top, and include auditors that are not pushing back. These are the true landmines.

How are they addressed? Many ways: A) There is a layer of prevention, where audit firms will force rotation of their lead audit partners on an audit every 2-3 years to prevent cozy relationships.

B) And there's also the "audit the auditor" where another partner has the sole job of reviewing the work done. He's the landmine hound looking for explosives.

2) The insurance business actually rakes in profits typically after a large disaster, when premiums are sky high and customers are hyper aware of the risks (and Boards unforgiving with CEOs that fail to mitigate the risks).


What never made any sense to me was the incentives. Is the company supposed to hire people to write a public report saying the company committed fraud? It doesn't really seem like it makes sense for anyone. If anything, you'd just do some minimal performative work to say you had a good look in the company, and then you pick up more work next year. If you write a critical report, how many companies will want to hire you? I'll pick the easy going auditor who doesn't give me a hard time, thanks.

Contrast that with say an HMRC tax audit. They're not there to be your friend and it actually makes sense for them to investigate certain firms.

It would be interesting to read a history of the industry to see how we ended up here.


The auditors are appointed by the audit committee which consists of board members who are non executive directors i.e. they are not involved in the day to day running of the company and so theoretically should be independent and interested in uncovering any wrongdoing by management.


Exactly — the auditor is appointed to represent the interests of the shareholders, not the executives. At least, that’s the way it is supposed to work.


If some fraud is uncovered, the shareholders will lose a bunch of money. So how does that align incentives?


Presumably, any undiscovered fraud against the company is more expensive to shareholders than the discovered fraud.


And then there is also this https://www.ft.com/content/5e6f15ce-9eda-4b04-883d-686617020... -- cheating on ethics exams by EY. It's all very funny that the whole system is built on the assumption that the supposedly knowledgeable, ethical experts audit companies, but in reality, it is nowhere close to that.


"Cheating on ethics exam" sounds bad but it amounts to not taking some boring corporate CYA compliance training seriously, it's not actually unethical in my opinion. If anything it speaks to how bad corporate training is generally, not the ethics of the people "cheating".


Probably similar to you, I couldn't read the FT article because it's behind a paywall; however, I'm familiar with the general story. It's not some corporate training. They, plus many other accounting firms, cheated on professional licensing exams. Egregious because the accounting firms are doing the opposite of their sole purpose - add trust to the financial system.


if only this were limited to ethics and compliance.

expertise is a virtue in modern society. signaling it well is often easier and more successful than developing and maintaining it.

damn lucrative, too.

this is why we can’t have nice things.


It starts with interviews which select you based on how well you speak instead of what you speak.


They interview you on whether you were interviewed before.


They cheated on the ethics exam, THEN they lied about their cheating.


If a CEO mismanages and goes bankrupt, they cannot start another company for 5 years; a two-year ban seems mild, but better than nothing, as the reputational damage is substantial (why would any non-criminal pick EY afterwards in good faith if there are others?).


As well as a €500K fine, five employees were also fined between €23,000 and €300,000. And seven others escaped punishment by handing back their auditor’s licences.

I’m not sure many reputable public companies will be queuing up to use their services in 2 years’ time

If a certified and licensed auditor in Germany returns his license, well, that person just ended their professional career. So the alternative seems to have been considerably worse. Rightly so, Wirecard was a fuck up of epic proportions.


Really? 5 years? That seems really harsh. Is it all business failures or does it have to be due to mismanagement? I've heard the climate is very hostile to businesses in Germany; my sister in law was trying to sell art on etsy and apparently she had to get a business license to do so in Germany. She's now back in the USA where she can just sell stuff online and the only thing she needs to do is file her taxes correctly


> Really? 5 years? That seems really harsh. Is it all business failures or does it have to be due to mismanagement?

There’s a big difference between bankruptcy and business failure. Plenty of businesses fail without entering bankruptcy, they’re wound down responsibly and their creditors are repaid in full.

If a company fails due to bankruptcy, then it means that people who lent money to that business are out of pocket, and end up paying for the failure.

The whole point of “limited liability” companies is that the owners and management are shielded from creditors in the event of bankruptcy (hence the “limited liability”). So a five year ban (which is true in most countries) from directing another limited liability company is reasonable, it doesn’t prevent you from running a business, only from running a limited liability business, because there’s now evidence that in the event of failure you’ll leave your creditors high and dry.

Ultimately the privilege of running a limited liability company, where the state promises to protect you from your creditors if things go wrong, is just that, a privilege. If you prove yourself unable to use that privilege responsibly, then that privilege is temporarily taken away. To be clear, the privilege removed is protection from creditors by the state, if your business fails. You can absolutely start another business, it’s just that the state won’t protect you if you fail.


The counterpoint is what's the point of reducing losses on bankruptcy if it makes the entire business climate worse? By trying to protect creditors you just make everyone poorer.


Does it? You could equally well argue that punishing CEOs for bankruptcy makes banks more willing to lend money, improving the business climate.

And of course for startups in the early years it's not that relevant anyways, since nobody will lend you anything until you have revenue. VCs invest instead of lending and aren't owed anything if you shut the company down.


Well, you’re basically taking something (cost of capital) that could be priced (via interest rates and collateral requirements) and turning it into a regulatory barrier. Personally I doubt that that is better, and I think the general consensus is that it is quite a bit harder to do business in those places with these regulations.


> You could equally well argue that punishing CEOs for bankruptcy makes banks more willing to lend money, improving the business climate.

Banks can take into account the borrowing history of the executive teams already.

> And of course for startups in the early years it's not that relevant anyways, since nobody will lend you anything until you have revenue.

Being unable to make payments on leases, etc, is pretty likely for startups that fail.


Does it? For most companies their creditors are other businesses that they’re sourcing supplies from. What makes you think those businesses can afford to take the hit?

Ultimately most of the real creditors to small and medium businesses are other small and medium businesses. So if you offer no protection to them at all, you either get extremely risk averse companies that refuse to offer any sort of credit (such as 30 day invoices), or a single business failure ends up causing a cascade of failures as all of their suppliers take the hit, and also go out of business.

Ultimately increasing the trust between businesses, so they’re able to extend things like 30 day invoices as standard, substantially improves the business climate. It reduces the barrier and risk of everyday business transactions, makes it easier for businesses to manage their cashflow, and ultimately allows businesses to grow faster and in a more robust manner.

None of this is about protecting lenders like banks, or investors. Most of the time they’re screwed anyway, it’s about protecting other businesses whose primary function isn’t financial risk management.


This is an ideological take, and an American one at that. Not necessarily a fact.


I mean, fair, but when even the Americans are saying to let the investors lose their shirts, you might want to at least think about it.


This isn't about investors, it's about creditors.


Also fair, I used the wrong word there.

Though, I don't think the distinction really matters within the context of my point. Both investors and creditors are exchanging money for a bet on future profit derived from the company being solvent in the future and having extra money to either pay back debts or pay out dividends.

My point is that America tends to get a lot of flak for rigging the system in favor of those with excess money (some of it is even fair). My point is that if you want to structure your system past what we're willing to do, you may want to stop and think for a second about if that's what you really want.

Now, if you want to protect the money of people with extra money to lend out, that's absolutely fine. It's a completely internally consistent position. But my understanding is that it's not that popular of a position, so I'm surprised the system is set up this way.


> Both investors and creditors are exchanging money for a bet on future profit derived from the company being solvent

Nope, that's still just investors.

Creditors are not people who made bets on the company's future profits. Creditors are people who the company made legally binding contracts with to pay them. For example people who provided products and services who are getting stiffed. Also: taxes due.

Even a bank loan is not a bet on the company's future profits. A bank loan is a contract that says you will repay the money lent, with interest. Irrespective of profitability.

Which is why a limited liability company usually can't get credit unless it is also guaranteed by someone else. Because with no outside guarantees, it would be a bet. (Yes, convertible bonds exist, but different topic).


I think you misinterpreted my statement here. The future profit I'm talking about is the profit of the creditor (or investor).

That being said, I completely disagree with this part:

> Creditors are not people who made bets on the company's future profits.

Nope, that's not how reality works. If the company doesn't have the money (including their assets), you aren't getting paid.

Extending credit is fundamentally a risk. That's one of the reasons credit card companies charge interest.


Investors and/or startup loans, depending on structure, are generally right at the top of the list of creditors.


https://www.investopedia.com/ask/answers/09/corporate-liquid...

> Shareholders are often last in line to receive proceeds with preferred stock shareholders getting better treatment than common stock shareholders.

Loans aren't shares; not even early loans. Else they'd get much better returns from the successful businesses.


It reflects a system that shields creditors from fewer risks. Nothing wrong with that per se.


Who says it makes it worse? Limited liability is a privilege not a right, as such it can be taken away from you if you can't act responsibly.


Just because the government claims something to be a mere privilege does not justify bad policy.


We could go back to bad old days, where business owners were directly exposed to their creditors. Business fails, say goodbye to home, car, personal savings. If that’s not enough, off to the debtors prison with you, you can work till you’ve repaid your business debts.


Screwing over the bond market by screwing over owners of your company's bonds makes the entire investing and general retirement and pension climates worse. Retirements and pensions are often guaranteed in part by the government, with tax funds. Tax increases and retirement deficits directly hit consumers in their ability to consume, and at least a few years back consumers were responsible for about 2/3rds of GDP (in the US, at least), so a bit more important than the business climate itself.

And that's without even factoring in the effect of bankruptcy on consumers employed by the bankrupt company. Employees of a bankrupt company are considered the highest level of unsecured creditors, but they still come behind secured creditors. So bankruptcy can not only result in an employee (who is also a consumer in the more general economy) losing their job, but losing their last paycheck and benefits coverage. Which has a consequent effect not only on consumption, but on utilization of public, tax- or fee-supported services.

---

If a person bankrupts a company, they could probably use 5 years to let all of the lessons that they should have learned sink in. If you fail out of school you have to retake your classes in order to graduate.


So just bring in another CEO just for the bankruptcy. Currently that's not an uncommon practice in the US. Of course this new CEO would have to be a one-use fall guy with somebody else actually doing the job...

> If you prove yourself unable to use that privilege responsibly

Good luck determining who's actually to blame and who is innocent... at the end of the day only unlucky small to medium business owners who can't afford expensive lawyers or consultants will suffer from such a policy.


> Good luck determining who's actually to blame and who is innocent...

I really dislike this attitude, lawyers, engineers and auditors are liable in case of negligence. Why should CEOs be excluded from liability?


Because you can just hire the CEO to take the blame and continue running the company from another position. Unlike with lawyers, engineers and auditors this arrangement would be much harder to prove.

Also CEOs are liable when they engage in criminal behavior just like everyone else.

And when we are talking about auditors, there are very specific procedures which define their duties and responsibilities. How could you replicate that for CEOs?

> I really dislike this attitude

I'm just trying to be rational...


You can also screw over your creditors without declaring bankruptcy. Just stop paying your bills. Elon is famous for not paying creditors at Twitter. Bankruptcy is just a way to get relief from creditors and prevent them from suing you.


Is it possible to have declared bankruptcy with no creditors? Can you just spend all of your own money down to zero? Would you still be banned due to losing only your own money?


I think it would be very difficult to achieve, you would somehow need to convince a bankruptcy court to accept your bankruptcy, despite having no creditors.

If you spend all your money down to zero, then the normal thing is to just have your company dissolved and struck off the companies register. For which there are no consequences, you just tell the state your business is no longer operating, they make a note of that, and that’s it. Business dissolved, you get on with your day.


Bankruptcy is something you get into when you can't pay debts to your creditors.

If you have no debts, and thus, no creditors, you can't go bankrupt by definition. Of course, if there are government fees or taxes to pay, the collector of those becomes a creditor. You would want to formally close the business so that it doesn't accrue annual fees and force you to do more paperwork.


Germany is not small to medium business friendly. No need to argue about that.


Do you have any sources for that? Considering that in Germany, the "Mittelstand" is the major economic engine powering the economy compared to major corporations.


Just experience. Maybe my claim is too strong, and I should exclude medium businesses from it.


You know, all regulations only hurt small sellers, people at the “top” always get away from all the crap they are directly responsible for, no matter whether they are hurting their own business or the society as a whole.


It's the wrong take-away to say all regulations only hurt small sellers. Do you want to give up regulations on child labor, or worker safety, or foods and drugs? If not, how come, considering it all hurts only small sellers?

The problem isn't the concept of regulation, but the follow-through on loopholes. By doing away with regulations you'll decrease quality of life for most people. Instead we have to find ways to react to loopholes in a fair way. It's not impossible, we've done it before, see the previously-mentioned examples!


I don't think small sellers have anything to do with child labour. And since you mentioned loopholes, it is always the big players who get away with loopholes that small business owners do not


Small sellers aren’t worth even going after until they reach a certain size for huge swaths of the regulatory regime.

See, for example, UL/CE and FCC regulations - unless they burn something down or interfere with emergency services, businesses can usually defer the regulatory cost till they can afford it. Or the FAA, which gives out slaps on the wrist like it's going out of style, as long as the offender is not an airline.

Case in point: many countries allow underage family members to work for family businesses and even the ones that don’t, barely enforce it. A factory hiring dozens of kids? That’s a lot less likely to go unnoticed.


Business owners get away with breaking the law. Small businesses are infamous for paying people under the table, stealing wages, not giving appropriate breaks, employing children etc. The size of a business only affects the kind of laws they're likely to get away with breaking.


> I don't think small sellers have anything to do with child labour.

This is a remarkable claim. Why would you think that?


[flagged]


Digging into his post history to avoid refuting his point (which is overstated) is ... not appropriate? great?

I can pretty easily agree with a weaker version of his statement: regulations have a disproportionate impact on small entities. They're expensive to comply with, and small entities tend not to have access to the exotic legal tricks and arms-length interaction with regulations that can make them much less effective.


For the first one, if we can agree the regulation is good, then so be it. If your business can only thrive by hurting other people, you don’t get to be in business, that isn’t a more fundamental right than not being harmed by businesses. For the second, the solution is to plug loopholes that allow businesses of any size to bypass regulations. In no case is it the correct solution to get rid of good regulations.


> For the first one, if we can agree the regulation is good, then so be it.

IMO: If we can agree that the regulation has a net good effect, considering externalities and adverse effects. Having a "good regulation" that also increases concentration of control in an industry can end up being a net negative.

> For the second, the solution is to plug loopholes that allow businesses of any size to bypass regulations.

This is a nice thing to strive for, but in practice layers of indirection and ample legal counsel accomplish a lot even in well-run democracies (even leaving aside how large organizations often influence how they are regulated in both direct and indirect ways).


Don't want to sway away from the discussion, but it's probably the first time for ages I'm called a libertarian.


> Really? 5 years? That seems really harsh.

Bankruptcy is not a mild consequence. People can and often are ruined by a bankruptcy, not to mention the harsh impact that it has on employees who are suddenly forced out of a job. Declaring bankruptcy should not be considered as something mundane or yet another run-of-the-mill managerial decision.

Also, not being able to found a company is not what I would call "harsh". Even in a purely capitalist view of society, an entrepreneur needs to focus on ventures to ensure they are successful, and "failing fast" does not mean it's ok to file for bankruptcies.


But a lot of businesses fail for reasons other than the directors "mistakes". The general macro trend has a lot to do with it. Should the owners of a cafe or bar that went under owing suppliers some money during covid be banned from starting a new business? Or someone who buys a failing business trying to turn it around and failing also be barred for 5 years?

At the end of the day, creditors must (and generally do) realise when supplying a limited liability company there is a risk that the company goes under and you won't get paid. That's why credit insurance and credit control departments exist.

If the directors were committing fraud by misrepresenting the state of the business and it fails, that is a completely different thing and directors should be barred from trading. But businesses fail all the time and we must accept that. Barring people from trying again for 5 years isn't a great solution imo.


The 5-year ban is not an automatic outcome, I believe. Afaik it's imposed specifically in cases of gross mismanagement/fraud.


> But a lot of businesses fail for reasons other than the directors "mistakes".

All the more reason why entrepreneurs should not take lightly the prospect of filing for bankruptcy, and should focus their energy on ventures where they can minimize the chance of burning through cash right into bankruptcy. Otherwise it starts to sound like these serial entrepreneurs are just flinging crap at a wall to see which one will stick with little to no effort. This is a massive disservice to investors and employees alike, if not outright fraud.


Can’t speak about Germany for sure, but usual euro way is you don’t need to do taxes at all if you do not run a business. Employer fills it for you. And getting a doing-business-as-individual is as simple as filling a form at revenue service website telling you’re starting a business. Then you get a tax ID to put on your invoices next day.

If you sell as an individual, it’s just you selling random stuff that you don’t need to pay taxes for. Once you do this as a business, you declare it as such and notify the state about it.


Germany is notoriously bureaucratic. And Spain is just pure fucking hell. Notaries should be hunted for sport.

Britain is great. I can file my taxes online relatively painlessly for any non-employment income. Employment income is done automatically. To set up a small business, I buy public liability insurance and a domain. Many tasks that require multiple notary appointments in Spain can be done online or, for some obscure processes, at the post office.

I suspect that business climate divides sharply between the north and south, with Germany and France being honorary southerners. I'd love to unpack the link between Catholicism and stultifying bureaucracy, since both involve archaic institutions imposing themselves between oneself and one's goal.


> I suspect that business climate divides sharply between the north and south, with Germany and France being honorary southerners.

The Economist Intelligence Unit ranks Germany 13th in its global business environment index, the UK 15th. In the local index, it's 7th vs. 9th.

https://country.eiu.com/article.aspx?articleid=222209005&Cou...

https://country.eiu.com/article.aspx?articleid=402870423&Cou...


I doubt there's much link with Catholicism. Here in Lithuania bureaucracy is pretty simple as I described above. From what I hear Poland is even easier.


Many other countries have similar laws. Normally gets solved by buying an existing business...


>she had to get a business license to do so in Germany. She's now back in the USA where she can just sell stuff online

If you want to sell in Germany, get a business license from Estonia or Romania or some other low-cost low-bureaucracy EU country, and pay your taxes there. Germany is still living in the business climate of the '60s.


This is terrible advice and you or actually your Estonian company will be fined for tax fraud.

In Germany income is taxed where it is generated, which includes the head of the person running the business. So if you run your foreign company from Germany - which is expected to be the case if you have no physical permanent office in Estonia, where you also have to be regularly present - your home is considered to be a business location and thus you are taxed accordingly.

Note that this only applies to limited liability companies.

If you are a single person with no need for limited liability, just register an individual business (Einzelunternehmen) with your local authority (Gewerbeamt). It’s really easy, cheap and if you need support, tax consulting for individual business is rather cheap as well and worth it if your business generates regular income. Otherwise you can just talk to the authorities, because income from passion projects (i.e. non-regular, without the goal of generating a substantial income amount) is not taxed at all.


Which single person doesn't need limited liability though? In my experience small freelancers/businesses need that protection much more than bigger organisations, which can afford legal fees and court costs if things go south.

If you are a freelancer trading without a corporate entity you can get screwed so hard. There are nasty people out there that will take advantage of this and can demand loads of free work or refunds, knowing that your entire personal wealth is on the line.


>In Germany income is taxed where it is generated

Only if you're a resident in Germany. But if I live somewhere in the EU and sell something to someone living in Germany I don't owe income tax to the German government.

I pay my income tax where I'm a fiscal resident (Estonia, Romania, etc.)


Lucky you in this case, not having to learn and deal with all this then :) But the original comment was about someone living in Germany (at least at the time)


That's why one should just move to Dubai and escape Germany and its crazy taxes and health insurance costs.


Dubai? Extremely bad advice unless you deeply understand the sometimes “crazy” implications of their Sharia based laws e.g. debts:

  The UAE has no bankruptcy laws, so there is no protection for those who fail to meet their car repayments, pay off their credit cards or default on their mortgage, even accidentally.

  Anyone who fails to make their payments faces imprisonment in the notoriously tough prisons of the United Arab Emirates, and the Sharia-influenced debt offences have even led Interpol to circulate red alerts to capture indebted Europeans attempting to flee the UAE.

  There have been previously recorded cases of foreign workers being prevented from leaving the Emirates after being blacklisted for simply missing one credit card payment or bouncing a cheque. As a result, many expats are forced to abandon their lives to avoid jail time, often with their car keys still in the ignition.

I would bet they fixed their information systems, and you couldn’t now leave if you happen to screw up.

https://www.carkeys.co.uk/news/the-story-behind-dubais-aband...


Don't forget the 0% tax lowering the probability of bankruptcy significantly while living expenses are on par to a regular German city... Most of those expats you mentioned simply wanted to live above their means.


> Most of those expats you mentioned simply wanted to live above their means.

Actually, I had a friend working there as a nurse who bought property to live in, and they were underwater for a while. They were not stupid: it was an easy and normal mistake to make given their background (mortgages are not thought of as jail material at home, I’m not sure if they were warned of dangers).

I expect there are other unknown serious “gotchas”, because you are not a citizen in Dubai. You could easily be treated the same as the third-world working imported labour, and the legal system there can heavily penalise non-citizens.

Yeah: 0% tax is nice, but personally I think it is not worth it to live in a crappy place and there are hidden costs. Been there for a week just to have a good look around: fucking hated how people were treated there - weird economy.


ah yes move to a dystopian slave state in a fucking desert


Taxes are due where the business is managed, where the revenue is coming from and where tax authorities consider your company to be a resident. So in your example, the Estonian company will still pay taxes as a German company. Which is explicitly stated in the tax treaty between Estonia and Germany.


It would be an interesting idea to make auditors fully accountable like bankruptcy advisors. I know, this is never going to happen.


The current problem is that the incentives are all wrong.

It is the company being audited that gives the auditors the business. It's not in the interests of a dodgy company to appoint a good auditor, and it's not actually in the auditor's (short term) interest to uncover wrongdoing as it just means they'd lose a client.

My proposal is that you require every company to have insurance to cover the risks, making the insurers fully liable for fraud (and any other business risk that audits protect against).

Companies then don't appoint their own auditors, but the insurers do. It's in the insurers' interest to make sure that any audit is effective as they're on the hook for any liability the audit misses.

This way the incentives for the auditors are aligned with the interests of the people relying on the audit (shareholders, customers, suppliers).


There was something like this with bonds pre 2008 but it didn’t work out like you suggest.

Rating agencies were, and are, paid by bond issuers and rated a bunch of synthetic real estate backed bonds as very safe. But then on top of that, certain of these bonds were insured, notably by AIG. However, AIG just rubber stamped the ratings and ended up going bankrupt when the crisis hit.

The real mismatch of incentives is one layer deeper than your comment suggests. An insurance company CEO can do very well for himself underpricing insurance. The business grows as premiums roll in and he collects a bunch of bonuses. When the SHTF he could just resign and collect his golden parachute.


Who audits the auditors? The insurance company also needs its risks assessed independently.


The Maltese gambling regulator did something like this back in 2016. While the idea is good (and I support the practice in principle), it was a dismal failure in aggregate. Devil's in the details.

The regulator pre-negotiated approved rates and vetted a bunch of companies, all of which had to have a presence in Malta. The audit reports have to be turned in by mid-June, IIRC, and they can't really start until the accounts for the previous year have been finalised. So in practice the audits must take place between late February and mid-May. At the time the entire nation of Malta had about 450k people in total, and each audit blocks two accredited people for approximately three weeks.

Turns out there are a lot of gambling companies registered in Malta, and each pair of auditors could only process 5-6 companies within the allotted time. The country would have run out of auditors ... so they licensed a whole lot of local smaller shops as accredited gambling auditors to make up the numbers. Many of whom did not have the technical knowledge to actually even assess, let alone understand the businesses they were assigned to.

And I can say this from painful experience: there is real value having the same team of auditors for 2-3 years running. They will get to know how your company operates, and any good ones will figure out entirely new questions to ask you from year to year. By all means, be an adversarial assessor, but at least please be clued in.

Disclosure: on the receiving end as a key person in technical audits since 2015.


So as a super talented CEO, would you take any jobs trying to save a failing company?


> Auditors insist that their services cannot be treated as a guarantee that accounts are truthful, and note that sophisticated frauds are by their nature difficult to spot.

As someone who knows nothing about this area, I don't understand why audits won't always detect fraud.

I would naively assume that auditors have access to all financial accounts and records of cash flows and they make sure they all add up and are categorized correctly. And that if fraud is happening, there will necessarily be numbers that don't add up.

So what am I missing? Do they not have access to all accounts and statements? Is it just a top-level glance at the numbers because there isn't enough time/money to scrutinize everything? Or can the numbers all add up but there's still fraud?

Is there anyone here who can give an example of something fraudulent that is hard to catch?


Auditors have access to all the financials, but they only audit a statistically significant sample, because it would be incredibly expensive to audit every transaction.

Fraud can be easily detected if one employee is committing it. Fraud is substantially harder to find if two employees are involved, specifically 2 employees involved in internal controls.

For instance, if you have a policy that all checks paid over $10k require 2 signatures from corporate officers, it’s easy to catch a check with one officer forging the name of a second in order to siphon money to his 3rd party shell company.

But if both officers make a shell company, they can post the check as usual, and the check would pass auditor checks unless they looked into the specific corporation being paid, which may be out of scope if it’s a relatively small transaction.

Ultimately, you don’t need assurance that the financials don’t have fraud, you want assurance that they’re materially correct. Whether the company lost 10k to fraud or waste or incompetence is almost irrelevant for the investor, because the company has 10k less money. Obviously they’d prefer it not be due to fraud, but the impact on the financials is more or less the same.

Source: am a CPA


> Source: am a CPA

Your comment was the first in this comment section where everything was coherent and on point. While everyone else is spitballing, you hit the nail on the head. I was not surprised at all that you revealed you’re a CPA because the accuracy of your comment perfectly conveys your credentials. Funny how things like that can come through.

Source: am also a CPA


Fellow software devs & CPAs unite! Thanks for the kind words.

There aren't many of us, so I’d love to connect. If you want, shoot me a note at: Anthonyj at gwu.edu


Curious, this seems like a good place to deploy AI tooling. If I’m involved in internal controls, I’ll know what the auditors look for.

If an AI can augment the auditors to find more suspicious transactions such as to companies with no employees, or conflicts of interest - I could probably find more fraud.


Ex-IT Auditor and I agree. I was screaming for automation in the audit process for years and nobody would listen. Many of the employees are burnt-out and hate their jobs. My prediction is that governments will decide to audit companies using some kind of AI and report back any findings to shareholders, while ensuring correct taxes are paid. Big 4 has 5 years max to pivot their business or they're going to die.


> Ex-IT Auditor and I agree. I was screaming for automation in the audit process for years and nobody would listen.

Honestly, this seems like a lose-lose for decision makers:

- automation reduces billable hours, a net loss to the auditor

- automation finds more fraud, a net loss to the person who hired the good auditor

Of course, shareholders would appreciate less fraud, but have no seat at this particular table.


I guess ERP companies are better placed to offer this kind of thing than an accountancy?


I’m very excited to see how technology impacts financial reporting in the future. We’re rapidly approaching a point where every single transaction could be audited in real time with software, and the details of each transaction automatically scrutinized.


"Excited" is one way of putting it. If we had any chance of this working or ending well, we wouldn't get daily or weekly posts here on HN of people having their Stripe/AWS/PayPal/Google accounts banned. Look forward to "Your company has been locked, please contact your auditor AI to get no help whatsoever"...


But that's the exact opposite to the economics of consulting esp at these big companies. The goal is to get as many low cost employees doing the most amount of high bill work as possible to make the most profit. Automation or ai would just lower what you can charge by removing 1000 hours per year of a college grad making 50-90k while charging at 500k a year for them. And you need these rates to cover for the highly paid sales leads and project leads as well as profits. You'd have no good way to pay your high bill rate applied scientist.

But why does cost not matter on the contract? A few reasons, one being is these are hourly contracts and the consultants know the customer has to finish the project. there will be more money. Second the customers are picking one of these companies on rep. If they fire the consultants they just rotate through the rest of the big five. There's no real incentive for the big five to change their model with customers who are making decisions based on who sponsors the golfer they like. Just like how every VC used svb, go with who you know.

This is why I left consulting. Every good shop gets wooed by the siren song of butts in seats economics. After consulting I've moved to where I sometimes have to damage control projects from the big 5 and other high end large tech consultants on code. They're all doing the same thing if they get that big.

We had 2 recently with nationally renowned consultants where the provided heads couldn't use basic shell scripts or basic cloud cli, all at a senior DevOps bill rate. I ended up interviewing several of them and the only one of them I'd trust was their senior principal architect (5% time) who I'd put as a Jr/sr sysde/sde at our co. We fired the consultants. Luckily we only wasted money, our pm, and a few hours of my time.

Beware any company that competes with beer and insurance companies for commercial slots.


As a subject of some of those audits, and as being responsible for a subset of relevant processes, I can confirm. I'd just add that, at least under SOX audits, also the internal controls are audited. And if those controls are lacking, that is a, potentially major, audit finding as well.


> Or can the numbers all add up but there's still fraud?

Yes, of course. Consider that you've set up a separate company and you intend to steal money from your employer. You've got a buddy in accounts payable that you're in cahoots with. You get set up as a vendor, you send invoices to the company, they pay them, and you never deliver anything. The company's numbers add up. They pay vendors for services all the time. Whether the vendors are real, the contracts are legitimate, and the expected services were provided isn't on the account statements.


Wirecard was the other way around. Send invoices to companies that don't exist, and transfer the earnings to a bank account that does not exist either. Don't forget to pay taxes of course. Get bonus payments and earn nicely on rising stock prices.


>you never deliver anything

A thorough audit would reveal this as well though, as it would actually evaluate whether the entire supply chain is actually working as intended.


Version two of this fraud is you do supply something, but it's either a) something the company doesn't actually use, so you can provide a stand-in, knowing it will be stocked and later destroyed, b) something worthwhile that you've bought and marked up with help, etc.


Right--this is a demonstration of how an audit is more than looking at double-entry accounting statements and "seeing if the numbers add up." That's the point of my post.


Don't know much either, but I found this Money Stuff story interesting: https://www.bloomberg.com/opinion/articles/2023-01-04/privat...

Someone was CFO at two companies and the auditors only checked the year end balance against his falsified statements. So he transferred money from the other company temporarily to make them match.

"""To avoid detection, Morgenthau doctored African Gold’s monthly bank statements by, for example, deleting his unauthorized transactions and overstating the available account balance in any given month by as much as $1.19 million. [...]

Morgenthau knew that African Gold’s auditor would confirm directly with the bank the actual account balance as of December 31, 2021, as a part of its year-end audit. [...]

Morgenthau deposited more than half a million dollars of Strategic Metals’ funds into African Gold’s bank account on December 31, 2021, because he knew that African Gold’s auditor would confirm the account balance as of that date, in connection with African Gold’s year-end audit. """

https://www.sec.gov/litigation/complaints/2023/comp-pr2023-1...


Interesting. I guess that is the inherent flaw of all audit methods which predominantly check the paperwork, while rarely venturing out into the real world. With sufficiently bad actors, the whole paperwork can be doctored and completely untethered from reality. Such bad actors need to only make a plausible Potemkin village for the controllers in selected spots where they are expected to verify if reality matches presented paperwork.


Enron was doing a similar trick by selling buildings to another business entity, and buying them back after the audit. I might not have all the details correct but it was the same type of shenanigans. :-)


So, Wirecard claimed to make huge profits. Now, the auditors would expect to see a pile of cash in the accounts. However, Wirecard claimed to expand rapidly by purchasing other companies in Asia. Those, then, booked most of the "profits" and were the assets on the book. Wirecard produced bank statements from the Philippines claiming that they had $2bn cash sitting there. So, to the auditor, the numbers added up, and the whole story was somewhat coherent. It's just that the foreign businesses and that cash didn't actually exist.


Which, to be clear, is a failure of the auditor. We don't need auditors to make sure the numbers add up; the whole point of double-entry bookkeeping is "the numbers always add up".


Depends on the scope of the audit. In most cases that's precisely what they do, make sure the numbers add up, and we do need that.


Plenty of things aren't necessarily evidences. Just because you have access to account statements telling you you got a bunch of money coming in from person X for provision of service Y and a matching contract doesn't mean that the contract has been fulfilled or that the service was worth the money.

Same with picking a supplier - there are processes in place that try to assess quality, speed, price, effort, etc, but in the end it's humans making decisions, humans with bias and the ability to lie and make untrue statements as to how they made their decision.

Then there are the usual money laundering techniques, eg art dealing. You could easily spend a few million $$ on art for, say, a big office. And the VP's niece might be an artist that can demand that on the open market.


>>Is there anyone here who can give an example of something fraudulent that is hard to catch?

Someone in control of the checkbook at a medical facility who starts a shell company with some innocuous sounding name (i.e. Smith's Medical Supply) and regularly submits bills in low enough amounts that they don't raise concerns - which of course is relative to the size of the company - but say you run a practice that has $50M in annual revenues, it would be quite easy to send in bills for supplies that only amount to 1-2K per invoice over a long period of time.

This kind of thing happens a lot, and without actually contacting every single vendor, verifying they are real, and verifying every thing that was purchased, can be very difficult to root out - especially with supplies that get used up, as opposed to hard assets they are supposed to be around for a while.

When the numbers are small enough, nobody even bothers to verify them - even though over years they can add up to a significant amount of losses.

I hear about stories like this all the time - it is pretty common.


That would hopefully be caught by internal controls and internal audit but would be of relatively little interest to an external auditor like EY. The figures are small enough to be immaterial, meaning they don't significantly affect the accounts. The external auditors would be more likely to scrutinise big contracts and related party transactions involving senior management.


It’s hard to grasp how complex accounting can be for companies. EY is not auditing small businesses, these are large multinational companies and per audit guidelines they likely just audit random samples of accounts. It’s not as simple as let’s pull a listing of all bank accounts and make sure everything ties. The actual effectiveness of audits is a different conversation.


Just because you have access to the entire source code of Linux kernel, doesn't mean you'll be able to find all the bugs in it. Sometimes the numbers may add up but it is the patterns which may be suspicious. Automation like sanity checks/pattern matching etc (+ ML nowadays) would help a great deal but even then it is not a guarantee.


Bad analogy. Auditors have conflict of interests and risk losing clients if they keep asking too many 'wrong' questions. Reputable ones will refuse to sign the final audit. Less reputable ones will even help clients cook the book.

It's more akin to you being denied Linux maintainer privilege if you keep finding bugs and annoy Linus in the forum. Which is hardly the case (heh).


OP asked how auditors couldn’t pick up on everything. The question assumed good intent. It’s a fine analogy.


Most of the others replying here are generally saying fraud is missed because it's complicated; however, in my opinion, it's because the auditors don't know anything else other than "do the numbers add up". Once the numbers do add up, they stop there.

The vast majority of auditors are only 3 years or less out of school. They don't even know how a corporation is run at that point, so how are they supposed to catch anything suspicious?


There are different types of audit.

I expect that EY does not have access to numbers and any account information. You give away as little information as you can because you cannot just trust auditing team from some 3rd party not to use that data in collusion with your competitors.

What I expect they do have access to is documentation for procedures and processes. They audit for example if all procedures are written down and check proofs for procedures that were done by employees.

So it is like you have to clean the toilet and you have procedure that whoever cleans the toilet signs list. Every end of the shift manager checks the list and checks toilet if it is clean.

Fun part is having signed list for a day does not tell you that for half of the shift employee was only signing the list but did not do any cleaning and you might have dozens of customers seeing how terrible dirty toilet was.


Quite the opposite, EY as an auditor has, and is supposed to get, access to any financially relevant data, documents and transactions they need to do their job. That includes, among other things, invoices to customers, suppliers, inventory data and transactions, bank statements, credit card data, contracts with clients and suppliers and so on and so forth. That is actually part of a financial auditor's job and responsibility. Trying to minimize data access is exactly what Wirecard did, and EY accepted for some reason. Which is absolutely not normal, it is in fact a major red flag.


> Every end of the shift manager checks the list and checks toilet if it is clean

I think it's even worse: the shift manager checks list to see if the toilet is clean, but they don't actually look at the toilet.


> As someone who knows nothing about this area, I don't understand why audits won't always detect fraud.

as someone who studied accounting and auditing, here is a page from my text:

https://kfknowledgebank.kaplan.co.uk/audit-and-assurance/aud...

but the tl;dr is that auditors don't provide "insurance", they provide "assurance", specifically reasonable assurance.... that the accounts are "true and fair"

or to put it in even simpler terms, they can't guarantee something fishy did or didn't happen, the transaction scope is just too much, they will "try their best" and do enough of a check to say if anything fishy pops out.

> Is it just a top-level glance at the numbers because there isn't enough time/money to scrutinize everything?

yes you hit the nail right on the head. Of course things have changed, govt have put their own requirements in addition to auditing standards, but still that's an adequate summary.

the more thorough of a check, the more difficult, time consuming and expensive it becomes, and at some point the fraud becomes cheaper than the audit.

but even more importantly is the mentality. There is a phrase we were taught "Auditor is a watchdog and not a bloodhound" that kind of explains what auditors are supposed to do.

----

i left the field but i'll try to answer to the best of my ability


What Engineering tech/AI tech do you think could make the process more thorough but not proportionally expensive?


In crypto the auditing process is somewhat more sophisticated. They scan the contract for similarity to known scams and analyze it for possible backdoors. They also do due diligence on the promoter of the contract ("fully doxxed").

In reality of course all this work could have been replaced by def is_fraud():return True

And the accuracy would probably increase. Crypto fraud has the beautiful property that the people being defrauded actively defend the fraudsters. Moreover, in a lot of cases it isn't technically fraud since the contract is upfront about what it does but at the same time it is very exploitative but that doesn't matter to crypto people


how do you technologize intent-detection? maybe chatgpt-x could do it, but that's the crux.

i am NOT saying pattern recognition won't help, search for audit software and you will see each of the big four has specialized software. (here is EY's: https://www.ey.com/en_gl/audit/technology)

the problem is the issue of perverse incentives, IMHO. Audit takes a butt load of time and money, and disrupt business while they do their thing, and pays peanuts frankly... and audit firms earn more from associated services, contracts which they can earn if they don't bother the management too much.

yes, there are a dozen caveats and stuff, but frankly, the issue comes down not to technology but to people. The same network of people are in the few audit firms, and they spin out to join companies sometime later, who hire the same few audit firms, and so on.


> Is it just a top-level glance at the numbers because there isn't enough time/money to scrutinize everything?

This seems to be the case for our EY IT audits anyway. Just send them the right screenshots and all the boxes will be ticked.


"Exposure: Inside the Olympus scandal: How I Went from CEO to Whistleblower" is a great book that is in part about fraud by mergers and acquisitions.


The wirecard scandal on Wikipedia: https://en.wikipedia.org/wiki/Wirecard_scandal


Audits in general are such a joke. Rubber stamping and checks done by students or graduates who barely understand what they are doing. And even if they detect something, it is considered as not material and ignored.

From business perspective the auditors are clueless.

I don't claim that audits are bad, they are very needed. But the execution in many ways is so poor.


I once worked at a small pen-testing firm that also conducted PCI DSS compliance tests, and I can confirm that this is an accurate depiction of the industry. A majority of the staff were recent grads, and it was disheartening to see that most clients were primarily interested in obtaining the compliance certification rather than genuinely improving their product security. This, in turn, creates a perverse incentive for auditors to grant compliance, as clients who don't get the desired outcome may simply switch to a different auditor. In such a setup, it's difficult to ensure that security standards are genuinely upheld. On a positive note, these compliance tests do help in making sure that card data isn't stored in plaintext, but beyond that, the overall impact on security seems rather limited.


Not financial sector, but in my own experience working in tech consulting partnering with large management consulting firms in the past, security was the last thing to get checked and the first thing to be neglected.

Sure there were some "bare minimum" things that were expected to be upheld like passwords not being in plain text, but come time for a security audit it was exactly as you say. Not done out of genuine interest in security but as a rubber stamp of items to be able to show the client "look we did this"

Not even joking when I say that the development plan for most of these projects basically just tacked on a few days in the last week for "security improvements" alongside things like "tech debt" rather than it being a top of mind thing for the entire development process.


I worked at a company that had to deal with EY as a part of a tech certification. The auditors barely knew why they were being sent over. Our managers and techs had to explain the process to them and assure them the numbers in the report were correct. The auditors happily accepted that, and then charged around 100k. Top job.


That is a standard audit of any BIG4 company.


> From business perspective the auditors are clueless.

Hey! I used to be a young IT grad helping with financial audits.

If it helps, I was young and clueless and frequently I still figured out more about the business processes I was auditing than the client employees taking care of them every day :-p


From my experience, you're the exception, not the norm.

Many audits and compliance frameworks have so many loopholes and DIY rulings that basically anything is possible and acceptable as long as whatever you're doing is written beforehand.


Well, I'm not talking about everything, or the high level picture.

But I was checking what were called "IT controls" for their systems and a lot of that stuff was straight forward and yes, it did involve some rubber stamping, but a lot of it made sense: "Do you have a written approval process for adding users to this sensitive system?". "Can you show us how you mitigate not having a written process?".

And it wasn't super rare that besides the fact they didn't have the thing I asked for, but sometimes I couldn't even get them to understand why it would be a good idea.

A lot of companies are the Wild West :-)


All audits should be disclosed in giant black letter on the front “PAID FOR BY THE AUDITED COMPANY”

The conflict of interest in external audit is absurd. It’s similar to securities rated rating agencies paid to rate the instruments by the issuing company.


The audited company often buys consulting services from the auditors which in effect is an extra incentive on top of the moneys paid for the auditing service. The mechanism that allows this is the ‘Chinese wall’ but that is a total joke. What really needs to happen is to separate out consulting from auditing. That’s not going to happen though as there is just so much money in consulting.


What should happen is audit becomes a public trust financed by a tax on all public companies.


Audits can be very expensive and finding the optimal depth of auditing is difficult and unlikely that a public trust would be anywhere close to optimum amount. Financially savvy people should already know that the audit process is flawed and should not simply be accepted on face value. How flawed is usually stated in the audit, checks are split into controls testing and substantive testing. Usually the cheaper the audit the less substantive testing that is done. People need to trust audits less not more. If an organization is unable to pass an audit then it’s a really bad sign, if they have to hire EY to pass an audit then that is also a bad sign.

Also have you ever tried to stop something that makes a ton of money? It is damn near impossible. If governments had that much power the people who would lose their money have a very strong incentive to invest a large portion of that money into regulatory capture. So any solution that uses government must be predicated on a non-corruptable government which do not exist, at least not for very long. A variation of auditor’s prudence. A lot of our traditions and institutions that are resistant to corruption were designed and maintained that way to support wealth extraction via expansive empires, as you can’t export wealth if it all disappears into corruption. And empires must export wealth from colonies in order to compete with other burgeoning empires. Without such an empire to support the resistance to corruption erodes as the mechanism to reward those who eschew corruption disappears. It becomes increasingly difficult to acquire power without first being corrupt.


Here’s a counter example: going public. The SEC does a deep probe, one that has material teeth, and “yes” isn’t a conclusion. Surely the SEC is subject to these forces? Another example is merger approval, along antitrust and other regulations. This is a very deep process, clearly with a lot of extremely powerful money on the line. Or another, tax collection. Fact is there’s actually a lot of examples of effective controls on business, especially when financial crimes or malfeasance are the target. The laws are particularly sharp in the finance world compared to say, food safety or other regulatory areas that are clearly captured.


The laws are only sharp in the finance world because it is more profitable for it to be that way which I think prevents it from being a counter example. Take for example the Positive Accounting Theory of Watts and Zimmerman which seeks to explain actual accounting practices as opposed to academic accounting practices. One of their findings was that due to the costly signaling nature of audits some companies will do more extensive audits than would otherwise be standard or even optimal. There is value in trust and that value can be captured in the form of decreased cost of debt from lenders and an increase in stock price. Without trust the whole financial industry implodes and that would be bad for just about everyone in finance and especially bad for those making the most money from it.


Which in turn creates the issue of how to keep this trust truly independent. There have been successful long term campaigns to wrest control of supposedly independent bodies and align them with special interest groups.


Today they’re explicitly not independent, that seems specifically worse. There are also examples of highly effective regulators. Financial services is actually replete with them.


As a former CPA/External Auditor this fact confused me the most. No amount of disclosure will avoid the reality that the food on my table (audit fee) depends on the clients I am supposed to be impartial to. This system seems blatantly idiotic to me.


Look, these sentences are probably more than just and even on the light side. Handing in your auditing license is a pretty severe punishment, at least career changing. But will the risk and audit professionals at BaFin face the same penalties?


BaFin's role in this is indeed pretty astonishing:

"The German financial watchdog has filed a criminal complaint against two Financial Times journalists and several short sellers, accusing them of potential market manipulation over reports about suspected accounting irregularities at payments processor Wirecard."

https://www.ft.com/content/8e1948be-6060-11e9-b285-3acd5d435...


Indeed, they failed big time. Apparently some BaFin employees were also trading the shares of Wirecard (and presumably other companies they were supposed to oversee).

There's a pretty good book on the whole sad story: Money Men: A Hot Startup, A Billion Dollar Fraud, A Fight for the Truth by the FT journalist that did most of the digging.

If journalists and short sellers hadn't kept pushing (against Wirecard, auditors, and BaFin), Wirecard might have survived a bit longer, managed to acquire Deutsche Bank, and then (with the merged balance sheet) gotten away with it. Mind boggling.

However, I must say, after reading that book and several articles about the whole thing, I am still not quite sure how they could keep up the fraud for so long, what exactly happened there, and who benefited.

(I suspect that crypto firms have taken over a lot of Wirecard's "business"...)


The head of BaFin and their deputy were forced out over it and the agency is undergoing significant restructuring[1], and a new agency was formed specifically for investigating financial crimes[2].

In terms of actual liability - no, at least not yet. A number of lawsuits by individual investors were thrown out[3] but it's possible there will be public prosecution:

> Criminal prosecutors in Frankfurt are assessing whether BaFin employees obstructed justice by not properly investigating fraud warnings.

In the end, it's a regulator, they have to rely on auditors to some point. If Wirecard lies and EY doesn't catch it, that's on the criminal and the auditor. Still, it's hard to understate just how badly the agency fucked this one up... Hopefully, it'll serve as a true wake-up call.

Certainly seems like it - they have been more aggressive recently with other problem companies like N26, Solaris Bank, Coinbase, Deutsche and others.

[1]: https://www.ft.com/content/4f948457-678e-485c-92f7-2837064a5...

[2]: https://www.ft.com/content/587b6c52-c93e-4b2c-949a-53f6a1667...

[3]: https://www.ft.com/content/9fab6842-4ee6-4114-a35c-09bf9c62a...


> The head of BaFin and their deputy were forced out over it

They tried to get innocent people put in prison. They belong in prison themselves. If all that happened to them was losing their careers, then they haven't been brought to justice.


Who is "they"? The head of the agency? Their advisors? Individual employees? Politicians? Failure of this magnitude is almost always a systemic failure.

Actually figuring out who, if anyone, committed a crime (through gross negligence, willful obstruction, or similar) will take years.


To reply to just one sentence: From my experience the relationship between auditors and financial (prudential) regulators is only lightly one of relying upon. On the one hand of course having trouble getting your financial report signed is a key risk indicator for the regulator, on the other hand the regulator in my sector (insurance) goes markedly deeper in their thematic and on-site reviews than the auditors do. Even though the auditors sign off on things like capital requirements, the regulators understand models way better. Those building proper models usually don’t work for the big-4 that do auditing, but work for more niche firms and the insurers themselves.

I’ve worked for a regulator in a sector with more lenient oversight (health) and there the accountant was one of the pillars of our understanding. We just didn’t have the mandate or capabilities to understand the finance of the thousands of providers. In that way regulating finance is easy. Banks and insurers are relatively low-N activities. In case of BaFin I find it hard to imagine that they couldn’t, so they probably wouldn’t.

Food for another thread is how to match the European perspective above to, say, the SVB case in the US. How on earth the regulator didn’t track the interest rate risk is beyond me. (I believe the legal explanation is that they fell in a D-F regime with less regulatory burden.)


If they do, they'll be tempted to rat out the political overlords who dictated the "see no evil, hear no evil" policy.


[flagged]


Could you please stop posting unsubstantive comments and flamebait? You've unfortunately been doing it repeatedly. It's not what this site is for, and destroys what it is for.

If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.


I acknowledge that my comments in the last time were short and bold/flamebaiting, because I was on my phone. I will be explaining my views more thoroughly.


Appreciated! If you explain them more thoroughly while sticking to the site guidelines (e.g. curious, respectful conversation, without swipes or snark), all should be fine.


Honorable mention here for Arthur Andersen and their role in the Enron audit: https://en.wikipedia.org/wiki/Arthur_Andersen


I wonder how many bn the EU economy would save every year if Big Four companies were banned everywhere.


That's part of the issue. Another big part is that we should put a whole load more money into investigating financial crime (so funding white collar crime investigatory units as well as tax authorities).


"The accounting-and-consulting giant is being sued for $2.7bn by the administrators of NMC, a London-listed hospital operator it had audited and which went into administration after understating debts by $4bn." would be cool if the article could say why. I hear that's something good journalists do.


(for two years)


Still better than one-off few million EUR fine... billion worth of fraud here, billion worth of fraud there, and pretty soon we'll be talking about real consequences.


Will be interesting to see if Everest moves ahead after this.


This is still fallout from the wirecard debacle.


TBH, I don’t understand why anyone would be naive enough to hire EY and then actually trust them.


As a publicly traded company, you have to hire auditors. If you don’t like EY you can go to PwC, KPMG or Deloitte, but what’s the difference?


The others might be bad, but they are not Enron (EY Germany = former Arthur Andersen Germany) and Wirecard bad.


the incentives are misaligned.

Publicly traded company should pay a small fee to SEC each year and they be responsible to hire auditors, for everyone. Or even better, market bid for auditors with incentives for finding irregularities.

With the current line up of incentives, auditors merely ensures any fraud are slightly better hidden.


SOX is such a well thought of law. It requires any public company listed in the US to have one auditing company and one "consulting" company supporting the set up internal controls and processes, prepare the books and so on. Those companies have to be changed every couple of years (if memory serves well every four years), and you cannot simply switch roles and stay with the same two. Hence a market demand for the big four: A prepares the books, B audits them. Then C replaces A and D replaces B.

Read up on regulations, it helps!


> SOX is such a well thought of law.

Is it? The incentives are not going to be aligned so far as the auditing companies are hired by the company being audited. It doesn't matter how many auditing companies there are and the division of labor within.

Think of lobbyists, there are many different flavor of lobbyists, some might even be against the others. They distribute events, campaign finances and other things to legislators and as we know recently even certain members of judiciary. A bad idea in general in terms of the incentives at play.


I’m not saying you shouldn’t hire them (though any local auditor with the same license would likely be better from a quality standpoint), I’m just saying you shouldn’t trust anything they report.


Well I bet wirecard did trust them to help them to commit fraud.


Now do McKinsey. Probably would work out even better.


As a CPA and now software engineer, I'm observing quite a bit of confidently incorrect or misguided takes in here. For starters, people are comparing EY to McKinsey and other consultancy firms, but this article is discussing EY's auditing practice, which begs for comparison to the other members of the Big 4: PwC, Deloitte, and KPMG.

I do think the incentives are entirely wrong for auditing. Auditors should be paid for by shareholders. Even if it decreases your dividends, you _want_ to pay for an auditor to provide reasonable assurance that there is no funny business going on with your money. In fact, that's how auditing began. The current system provides for conflicts of interest where partners are incentivized to please the board of directors that hire them and pay them large sums of money.

However, this doesn't lead straight to all auditors covering up fraud, and I feel that many people in these comments are overly critical. Having skepticism of the process is great (and auditors emphasize professional skepticism themselves), but I don't think we should throw the baby out with the bathwater as the current system does still provide a lot of value. I also think many people here believe auditors at Big 4 firms are forensic accountants, which they are not. In the US, the FBI employs the forensic auditors many here may be thinking of. The auditors that EY employs are there to provide an audit opinion that expresses reasonable assurance that the financial statements are fairly presented. It's a very tough job that cannot be performed perfectly in its current form yet works remarkably well, all things considered. Finally, EY is a very large company that's really made up of many individual pieces that share a larger name but are structurally different, particularly between regions such as the US and Europe. EY in Germany certainly deserves the negativity they're receiving here, but that shouldn't necessarily be applied to all employees of EY all over the world. It's an accounting firm made up of thousands of partners who are CPAs (in the US at least).

The exciting thing is that given the nature of accountancy, the industry is extremely conservative and open to disruption. However, that disruption has to adhere to numerous rules and regulations that would probably frustrate many entrepreneurs here. Most auditors are working with Excel and PDFs and do mindless work at the lower levels. A lot of this is getting off-shored, which is lessening the quality of the work. If a new technology was able to be designed that could overcome the shortcomings of humans manually using Excel and PDF markup tools while providing a higher quality of work than the off-shore work many in the industry are using, there would be a great opportunity to replace jobs at the lower level - boy I don't like saying that out loud. Hopefully it would allow for new employees to focus more on judgement based decisions using their expertise gained from obtaining the difficult to attain CPA license. They say that every year at a Big 4 accounting firm is equal to two years in industry, and I certainly believe that. Based on my experience, I strongly believe that licensed CPAs that come from auditing firms know far more about the ins and outs of businesses than the MBAs at consulting firms like McKinsey that many here seem to be conflating them with.

Perhaps I should join an accounting software company. It can be easy to forget how much expertise I have as a CPA when I was surrounded by them in my previous career. Yet I have found that the software companies I have reached out to undervalue my CPA and overemphasize leetcode skills, which is truly a shame. If anyone is interested in a decent software engineer with a CPA to add, I'm open to talking!


No worries, ChatGPT will eliminate ALL audit business in a year or two anyways.


When GDPR was introduced I was hoping it was technical people who would audit software for GDPR compliance.

Instead it is lawyers and accountants working for these big auditing companies.

GDPR is good but the absolute insanity of how GDPR is being applied cannot be understated.


This is capitalism failing again because of an unchallenged oligopoly/monopoly. The obvious solution would be to break the oligopoly down. Instead we see mild punishments like this. This will not change anything.


EY, McKinsey, Accenture, BCG all of them should be banned.

They were the big proponent of the just in time management principles in the hospitals in the Netherlands.

Then when covid came they were the first to market on Twitter & LinkedIn for advice how to improve your health inventory & deal with covid challenges.

Serious impact with zero skin in the game. These consultants are parasites.

They are mainly used as proxies to make decisions managers don't want to be responsible for.


My partner works at one of these big four companies and the way she puts it - they essentially function as outsourced expertise for governments the world over - essentially expert functions have been hollowed out of state governments and into the private sector and thus there is really no expertise within the national government level to handle complex tax and accounting situations and they are instead all outsourced to these firms.

We should really consider the present western world as some sort of marriage of corporatism and government - they are really hand in hand as two sides of the same coin.


Yeah but then the experts at the big 4 are 23 year old grads with no experience. I don't get it.


Not if you look at Audit (which is what the EY story is about). In Audit you have legislature requiring accountability structures and typically there will be one or more persons in an audit that are personally accountable about the attestation. These people in big fours typically are some certified auditors in their 30s and also a partner at the firm (40s and up)


I know a few people who went into Audit after Masters in Accounting degrees. It was basically a 2 year post grad program to excel their careers. None of them wanted to go for partner it was just a 2-3 year box to check.

I know many more people on the IT Consulting side who are in it for the long haul to partner or whatever. The job was also much better than the Audit scene, 80+ hour days in a sweaty conference room and next to no days off.

They both had the same MO, send in the 30s/40s flashy employees who then delegate all the work to 23 year olds. Once the project is in full force they tend to leave and another crew comes in who interfaces with the low cost offshore teams or 23 year olds.


You do have to delegate work in audit as well as in the other professional services disciplines. Nobody will contest that. What makes audit stand out though is that legislators require and enforce accountabilities (as the Wirecard story clearly shows).


Partners and managers review and sign off, but the people designing and doing the actual audit procedures are mostly in their 20s.


That is not correct. Audit is very regulated inside big auditing companies and the processes and evidence requirements are almost always part of an internal auditing framework that is designed by very senior staff.

Sure, a lot of the leg work is being delegated off to juniors but that is not of substance here.

What you talk about might be happening in smaller shops but not on tier 1 audits inside the big four, there just is too much at stake.


Because approaching 30 and being in the senior consultant, (junior) manager and director positions one's primary job at Deloitte becomes selling / pitching work that those below you will do.

I was a Deloitte manager.


I worked in government and they were still obviously smarter than the gov workers. Experience is not everything and I think that should actually be a major lesson from government employment practices.


How can a 23-year-old with four years of college experience and one year of corporate experience possess more expertise than a government employee who has dedicated a decade to working within their specific domain?


The latter just collects the paycheck and could care less about anything else, they won't get fired.


No lesson will be learned as government employment is purposefully handicapped.


Lends even more plausible deniability when processes aren't followed, or a "mistake" is made (possibly at the behest of the client).


> We should really consider the present western world as some sort of marriage of corporatism and government

“Corporatism” is a model of society in which government, private industry, union, and other power centers are integrated, mutually cooperating, and centrally coordinated. A “marriage of corporatism and government” is just “corporatism”.

(Corporatism is an element of, but not coextensive with, fascism.)


> there is really no expertise within the national government level to handle complex tax and accounting situations and they are instead all outsourced to these firms.

Worth mentioning that the complex tax situations are the effect of lobbying of the big four firms in the first place.


Well, EY didn't get banned from consulting, but rather accounting work. And the latter is crucial, and even legally required for all and every public company. The reasons are, among others, Enron and, yes, Wirecard. And the fact that EY screwed up Wirecard is the reason they got banned.

By the way, it was KPMG that caught the Wirecard fraud. And KPMG is in the same league and business as EY.

One of the reasons, IMHO, that Wirecard managed to get away with it for so long is, that as a German company, they didn't have to switch Accountants and have another accounting firm helping them in preparing the books. That would be a SOX set-up, and it makes perfect sense. It helps to prevent fraud and it protects retail investors, both of which are good things in my book.

Strategy consulting, the stuff BCG and McK do, is different. As is the outsourcing and consulting Accenture does, which is also different from what McK does. The topic so, is EY and accounting.


This article is about auditing, your comments appear to be about consulting / advisory businesses.

Otherwise, I mostly agree, though I don't support a ban. It's a complex topic - companies are free to waste money how they want, and even governments do need real advice. It's just too bad they pick such shitty advisors to support decisions they've already made instead of actually seeking good advice.


Yes, companies should be free to waste their money as they want. However, auditors serve a purpose and that is to identify any fraudulent activities. In the case of Wirecard, EY failed at this.


Correct and that is why they should be made accountable for this. I'm with gp that this particular ban is a bit harsh but nonetheless it is the state determining accountabilities and it seems to have been a thorough investigation.

OTOH, the monetary penalties were a bit on the light side so maybe that also balances out the rather harsh ban.


Advice for money at least at the top level is in the long run always going to end up bad advice. The incentives are pretty much all about lining up more work for the firm.


They are "professional scapegoats" IMO, companies pay them to take the blame and their business model seems to be: collect fees, do an "audit", pay the fine, keep the spread.


Audit results are taken very seriously by companies operating in heavily regulated industries that intend to stay in business, so healthcare, finance, insurance etc.

If you are a team lead doing programming for one of these sorts of companies and the auditors come round with some findings, I promise you that you need to take it deadly seriously. I've seen engineers fired for cause by the board of directors of a Fortune 500 for failing to do so. Word gets around and nobody will touch them after that. It's literally career ending to poo poo audits.

Tech companies are the odd man out when it comes to audits, which is why it's possible for so many in a thread like this to have opinions that are so wildly inconsistent with reality. Who knows how much longer that will last, particularly with advances in AI.


What does "failing to do so" look like most times, if you don't mind me asking?


No I don't mind.

It means delaying or coming up with excuses for why you can't have security concerns remediated within the agreed upon time frame. Regardless of the technical challenges involved.

Audit remediations are not the kind of projects where delays are acceptable. You absolutely must drop everything else you've got going on in those situations if you even remotely get a hint that the project might be behind.

The reason here is that your boss and your bosses' boss can't save you. If bad audit results come back you can bet the C suite had an emergency meeting discussing how to explain them to the board and the timeframe for getting them fixed. And you can bet they made some sort of commitment.

There are hundreds of millions to billions of dollars on the line in insurance premiums and future legal process in some cases. Oftentimes cyber insurance will mandate some kind of timeframe for remediation upon notification of a security issue. So you'll get hit with penalties well before the next audit if you delay. You don't want to be the programmer(s) that missed a deadline there.


No. This is nonsense.

You audit accounts that are falsified and give thumbs up: you close shop, are held liable for damages and could go to prison.

Auditing companies are crucially important for a working economy. Bank loans, bonds, equity markets would all be chaos and fraud mayhem without them.


The trouble is, in no way do they act like they are "crucially important for a working economy" (which I agree with). They abuse their position at every opportunity.

We might as well turn "audits" over to the short sellers like Hindenburg Research, at least they make money by exposing rotten accounts rather than hiding them.

The fact that being an activist short seller has become a business model in the last ~8 years tells you how bad the likes of EY are.


Exactly what good did Moody’s do with 2008 and SVB?


Moody's, Standard & Poor's and Fitch are RATING agencies.

RATING agencies are different from AUDITING companies different from CONSULTANCIES.

Rating agencies were somewhat restructured after 2008 (but are still kind of edgy) - because they did literally write AAA on a piece of paper for money. But their ratings were opinions and had no real legal meaning.


I was about to say aren't there only 4 auditing agencies in the entire US after the fifth fucking imploded after the Enron scandal due to their reputation being tarnished?


No, there are more. But auditing an S&P500 corporation is pretty complex. I am not in the auditing S&P 500 corporation business and it looks like there may be six - but the Big4 literally seem to do 491/497 companies. I’m not sure I am too concerned about the auditing quality of the Big4 tbh though…

Enron’s problem was the “consulting AND auditing” mess with conflict of interest if I am not mistaken.


>They are mainly used as proxies to make decisions managers dont want to be responsible for.

Interesting, I just watched a video [1] on consulting yday. It is on something similar happening in the UK. And another video (couldn't find it) that suggests unless there are some other interests for these consultants (like outsourcing certain functions to certain clients), all they do is to make a case for what the management wanted to do anyway, and rubber stamp on it. And mostly because management wanted something on their CV / resume, so they could move on to another job and repeat the same process again.

[1] https://www.youtube.com/watch?v=Aj2od-Jpanw


McKinsey and BCG do not audit companies. They are consultancies and do not certify accounts to be “correct and legit”. Think of auditing companies a little bit like of vehicle inspection shops certifying your car is safe for the road.

Consultancies are not doing that.

I’m not sure why certain businesses should be “banned” because YOU believe they do not add value. Do you pay them? No.

It’s not correct that they are proxies for decision making that managers don’t want to be responsible for. Neither McK nor BCG could run at the scale they do for five decades if that was the case.

But I suppose that was just your happy Sunday rant of the day to let off some steam.


> I’m not sure why certain businesses should be “banned” because YOU believe they do not add value. Do you pay them? No.

Yes, whenever they are hired by the public sector. http://recreation.gov is one example in the US I know about.


So the public sector should not hire private contractors in general. State it like that then.

How is a mismanagement of consultants by public sector entities a justification to “ban” an entire sector?


Well the least they can do is force ban auditing companies from offering consulting services because that is a clear conflict of interest.


That I do agree with.

BCG and McK don’t offer auditing.


We should probably ban the "no skin in the game part" instead of just the sector. Even though there have been a few court cases, the effect was tiny and they are still considered reputable. In some cases probably more personal lawsuits should be done more often (also for politicians and civil servants)


I don't get it. Do you think auditors and consultants that screw up on their job should be prosecuted?


Depends on the nature of the screw up and on how high up the hierarchy they are.

At a sufficient level of negligence and authority -- yes.


I was objecting to "you don't pay them" specifically.


With governments having like 30-50% GDP share of the economy (e.g., tax versus GDP) - we are gonna have a hard time banning literally everything based on that…


That was Booz Allen Hamilton, they are a government subcontractor that largely provides long-term staff augmentation... totally different type of professional services than strategy consultants or even system integrator (SI) shops like Accenture and Deloitte.


Agree about the proxy part for the consultancy business, it should be common knowledge and those managers should be fired.


The big four prop up the business world, status quo.

Say you're a large company listed on the stock market, so pick from the four big companies because serious companies use them, who's the CFO? An ex-accountant from the big four who knows their order and process.

Now if no other companies can enter that bubble, are we really surprised at the outcome!?


Er… McKinsey and BCG don’t even do audit. What do they have to do with TFA?


What is "skin in the game" in this context?


[flagged]


It's not hate, it's accountability. They are very powerful and rich institutions in the Western world that are able to make billions, of which a large part is taxpayers' money, and have in many cases a negative impact.


[flagged]


I'm reading a displeased comment because of a possible connection to one of the listed firms, or a similar one.

Maybe unintended. But that's what I read into it.


I think your comment is worse in nature than OP. Are you adding any counter-ideas to the conversation or just complaining? And now I'm complaining about your complaining.


Actually, I have to admit that you’re right!

The comment’s missing nuance triggered me. Also the word parasite. I shouldn’t have replied.


Seems to me the comment is a concise, if clearly one-sided, narrative of misaligned incentives of the consulting industry and its particular role in the difficulties that the Dutch healthcare providers experienced during the pandemic.

Hardly an appeal to hate.


No. The article this hate comment responded to talked about auditing.

McK and BCG do consultancy and don’t do auditing.

The one certifies your car is safe on the street and is held liable if they didn’t inspect properly.

The other is a car tuning operation that doesn’t certify anything but gives you an edge on the racetrack. Or you hope it does.


[flagged]


If you don't have a reason to link a thread to ChatGPT maybe don't make them up?


Headline seems a little overdramatic.

>listed

>new

>in Germany

>two years

...that's gonna be like one or two clients max. Very bad PR but complete non-issue from a biz pov



