Auditors' Work after COVID-19: Should we burninate the Big 4?
23 May 2020 (modified on 23 May 2020)
Burninate: fig. to immolate violently and without just cause (Urban Dictionary)
Reading Vladimir Berezansky's thoughtful article "Compliance after Covid 19", got me thinking about what changes this crisis would bring to the financial industry in general. After we exchanged on it, he advised me to reformat my thoughts into an essay. Here it is.
What follows reflects, of course, only my views. Or rather, it reflects "those views" that have been coursing through the banking industry for a while. You know, those subjects that everyone knows about, but one should never talk about in public (shudder)? Yes, "those ones". Well, someone had to open the bag, and let the cat out. The cat does not look pretty and it is smelly.
External audit work often sucks. And banks fully know it.
This article contains honest content and graphic depictions of banking reality. Some paragraphs could be distressing for quiet, middle-of-the-road auditors with no previous exposure to outspokenness. If you are one of those, do not read further.
On the Lack of Outspokenness
The problem of the banking sector is that outspokenness is too rare. Auditors sometimes break out in cold sweat at the idea of communicating a negative finding to their clients — as if they were the ones caught with their fingers in the cookie jar.
Let us not forget: the improvement of banks will only come out of a constant struggle with reality, which involves a lot of scratches and bruises. That's what audit work is for. We will never improve our skills, or those of our clients, by soaking our audit findings in PR goo.
That was the essence of a message that General George Patton delivered to American troops back in 1943 (for context: they had just overcome the moral crisis of the campaign in North Africa; Patton had to tell them the truth, i.e. they sucked in front of the Wehrmacht; he also taught them how to fix that; now he was getting them ready for more).
“When I want my men to remember something important, to really make it stick, I give it to them double dirty. It may not sound nice to some bunch of little old ladies at an afternoon tea party, but it helps my soldiers to remember. You can't run an army without profanity; and it has to be eloquent profanity. An army without profanity couldn't fight it's way out of a piss-soaked paper bag.”
Of course, we are dealing here with the banking industry (not the army), and business etiquette frowns on profanity. The one thing we should refuse ourselves to do, would be to act rough and vulgar. Yet the gist is here: let the client fully have it.
The concern in our audit work is not to be popular with the client's general management, but to expose all the dirty laundry we can lay our hands on. The more dirty laundry we find, the more we have earnt our audit fee. The proper way to show respect to a client is to deliver the product one was paid for... and kindly help her or him overcome the regrets of having asked you to do it.
So next time, no dilly-dallying: when we find dirty laundry laying around, let us act firm, let us act proud, and let us dip the managers' noses into it. If done well, this is going to serve the client: their whole company is going to grow stronger.
A Practical Consequence of Covid-19: The Rise of Remote Work
We all share the same observation: remote work or work-from-home (WFH) has changed working habits. For me, remote work had already been SOP for years, for entire teams (I have actually set up such systems myself, with everything located on the cloud).
From that vantage point, I can tell confidently that this is not a technical issue per se (because technology and providers do exist). It is first and foremost a social challenge.
The problem during lockdown was, and still is, education: how to train millions of people, at once, on new procedures they had no idea about, only two months ago. I must say that, in general, I was pleasantly surprised at how it worked out — at least for the basic things: people learning the steps needed to get connected to a video conference, and how to deal with interactions over a camera, etc..
When most people are faced with real necessity, they learn; they act. They make it.
Cyber Security from Home: Uggh...
During this Covid crisis, I have been coaching a number of people about security, as a public service (see an elementary instructional site here in French). Let me tell you that we have a big problem: millions of clueless children scattered in the forest, with no survival skills.
They may get cocky after their first successful videoconferences; but in reality, they have no idea. If any of them ever meets the bad wolf, it will make short work of them.
Vladimir correctly mentioned the length of password, double authentication, etc. User access security is important bare-metal precautions, like putting a stronger lock or a metal bar on your front door.
But a word of caution
While the door is ordinarly a prefered entryway to a house, that may have no bearing on the overall security risk. Many burglars do not mind at all entering through windows. Most of the people realize in which cognitive bias they have lived in, only after they have been burglarized.
You have been warned.
It so happens that I am a computer engineer by training. My attempts to explain to non-IT specialists what risks they are really taking, and how they could easily be compromised, is sometimes beyond my teaching skills. One get all sorts of irrational, incredulous responses, which all come out of ignorance. The more ignorant, the more flippant. Among the most clueless, we find the suicidal types who proudly share their confidential information with Facebook Inc., California (directly, or through "free" providers such as Zoom).
The fact that I got some real training on the subject, is why I very well realize the limits of my competence in the field of cybersecurity and how easy it is to fool oneself into a sense of false security.
When I get to learn a new way someone hacked into a system, it is usually because this has already been going for a few weeks. And there was always the risk, if that happened to me, of being pronounced KO within the first two minutes of the match. When I learn about it, I cannot help but having a moment of feeling beaten and humbled.
My mentality in the regard of cybersecurity, is that of a cat in the wild; which is the chief reason why cats are not extinct. So next time peer pressure is applied on you, to relax baremetal security rules, you will be excused if you show them the middle finger (yes, I just said we should be polite, but let us make an exception for Covidiots and other suicide bombers who will not apply safety measures).
Home routers: We do have the problem, as you rightly noticed, with the millions of ISP-provided routers in each home, which are often remotely controlled. Any employee of those companies can instantly know the characteristics of your computer, and any mobile device connected to your Wifi. And if one of them was ill-intentioned (or hacked), they could easily conduct a port scan or some brute force attack on any device. Which is why I would recommend that every private home should have a SECOND router behind the first one, which is privately owned and managed. In that way, there will be a second firewall between the home's internal network and the ISP -- and whatever state surveillance scheme they are inevitably sharing everybody's data with. The ISP will have no view beyond the wall of own firewall router. This should be mandatory practice for every person working from home (any moderately secure consumer product will do for now).
Compliance at home? But then, how do you ensure compliance? The only way is to train staff so that they know what they are doing. Working with field specialists will be an interesting challenge (let us forget ISPs for that task, most of their staff don’t have the minimal IT competencies).
And that is barely scratching the surface.
Oh Lord, protect us from security auditors, so that we can deal with cybercriminals!
It is my duty to warn audit firms and banks that comparing cybersecurity with Court Justice Potter Stewart's statement "I know when I see it" is both misleading and dangerous.
If, as an external auditor, you think you are able to "recognize an effective, multi-tiered log in protocol when you see it", you have my compliments. Because you have there a magic gift of certainty, which has been denied to cybersecurity experts.
Your usual security audits (conducted from a compliance perspective) are just checklists of minimal, bare-metal security measures.
Believing that a bank is « safe » because you ticked a few boxes, is whistling past the graveyard. Once again, this is the grave cognitive bias of those who are setting themselves up for a burglary, after having put a bar on their door.
But yes: if your client bank just got a management letter because they did not even pass that checklist, then that's their bad, because they deserved to have you as their security auditor.
Let us all get out of that cognitive bias, shall we?
Drill, Drill, Drill: The only way to ensure that you client is moderately safe, is to organize a full-scale intrusion testing, complete with social engineering.
A good, solid campaign of intrusion tests will likely leave the bank's staff in tears, the honor of the IT department in tatters, and general management thinking anxiously of all the breadcrumbs they sowed behind during their NSFW activity.
And earlier auditors feeling like a bunch of nitwits.
But then, it is a struggle with hard facts.
"Remote" Audits? Pfff.… Nonsense
The question of reducing travel expenses for audit missions is interesting from a commercial viewpoint. Yes, after Covid-19, banks will try to squeeze you into performing audits remotely.
This is going to be interesting. You perhaps already see where this is going: if they think (and you think) you can do it remotely, it means you have not really been doing any real audit work, lately.
If the client does not perceive any added value in your audits, that kind of makes sense, does it not?
Think about it: how could you ever conduct a serious audit, without being on location?
If there is something a company's staff don’t want you to see, they are certaintly not going to wave it in front of the videocamera of their computer.
From long experience, I can state, that "audit" is a misnomer, because one is not there to listen to the smooth claptrap that people tell you in such circumstances.
We are paid to INSPECT, that is to look into those precise corners and closets where nobody has been looking at.
Yes, those ones.
It does not matter whether it is for an audit on behalf of the regulator before a bank can go live, or it isfor a compliance audit; the purpose of an audit — nay, an inspection — is TO FIND OUT.
There is a kind of robust integrity in that job, a bending backward and refusing to be distracted by corporate hogwash and handwaving, which has been lacking in the audit industry (once again, sincerity does not relieve one of a duty of courtesy).
If, as an auditor, you are too afraid of finding something out, well, think about it: the time has perhaps come for you to look for another job. You are in luck: the HR department of your firm will probably have a good relocation package ready, especially if you do it on your own accord (they are generous).
But, the other hand, several big audit firms should probably reduce their travel expenses, because — frankly — most of their audits in the past years have been wastes of time.
Please train new recruits. Seriously
One cannot send young people to banks, who have no previous experience in that business, in the hope they will somehow dig up something interesting. I directed myself such (brilliant) young people, and I knew first hand that they were children abandoned in a forest. They badly needed boot camp training, which an audit firm could not and often cannot deliver, because audit firms often don’t have that required experience.
Inspecting a bank is something one learns by practicing the industry for years or (in my case) for decades. Not by attending 3-days workshops on a seaside resort.
The bottom line is that if a client does not see the value of you audit firm conducting an audit on their premises, well perhaps they are right. It will be charitable for your audit firm to graciously go and get lost on that contract… or to go to whichever elephant graveyard audit firms go at the end of their life. In the post-Covid world, we need competent people who can take a shovel and dig up dirt, not inexperienced clerks to fill forms.
Anti-Bribery / Anti-Corruption
I humbly bow to Vladimir's claims that Russians are at a definite cultural advantage in terms of bribery and corruption. We, in the West, did not have decades to hone our bargaining skills in back shops over a pound of butter or a bottle of Moldovan brandy. I frankly admit it: we are aced on that one (and if we add the uncontested superiority of Russian engineers, that makes it thirty-love).
I beg to differ, however, with the belief that we will ever return to those blessed days, where common Russian corruption consisted mostly of:
- filching equipment from factories to furbish one's home
- trading tickets to summer holiday resorts in Crimea.
- altering delivery agendas, for electric appliances or cars,
- and other petty thefts.
After the fall of the Soviet Union, Russian oligarchs went to Hollywood (or they put on the Ritz; or whatever one should call it). And of course, we should not attribute that inclination to Russians only, since money laundering is, essentially, a global industry. I would also go as far as asserting that the Italian Mafia was there first, already in the 1920s.
Today, the game of corruption and bribery has just gotten a lot more sophisticated. Unfortunately, — and as the Swiss FINMA regulator pointed out recently — we are now facing a serious issue with complex structures: i.e. setups of different accounts within a bank, belonging to different entities with different account holders and beneficiaries -- but which in the end all trace back to the same real beneficiary.
Always the same delusion of security…
I am sorry to disappoint AML auditors, but we, in the financial industry, have barely scratched the surface yet, by identifying the beneficial owners of single accounts.
The current AML procedures and systems in banks are crude. This is an arms race. And I could probably find half a dozen ways a good money launderer could take the bank you just audited to the cleaners (pun intended).
The Swiss Financial Market Supervisory Authority FINMA has revised its Anti-Money Laundering Ordinance (AMLO-FINMA). The changes are part of an overall package and include measures resulting from the FATF's mutual evaluation report on Switzerland. They also take account of feedback from the consultation phase and will enter into force on 1 January 2020.
If you can confidently tell a good AML setup when you see one: well, once again, you have there a magic gift which prosecutors and police forces are envying you.
As for my own competency in that sector, it is like cybersecurity: my little knowledge of the ways of money launderers gives me far less confidence than most AML auditors.
The reason why they are so confident when they are putting their signature on an audit report, is because they do not have a first idea of what they are going up against. Blessed are the innocents...
Let us all get out of that cognitive bias, shall we?
In the case of one bank, I achieved a little, mediocre confidence after sifting all deposits and withdrawals (including movements of assets) through a database; and after having an automatic program assign each to the ultimate beneficial owner, on pro-rata of ownership, using various approaches and heuristics.
When one of the Compliance heads of that bank confirmed to me that:
- The automatic control system had picked up the suspected money laundering cases that Compliance had already been aware of, and
- That automatic system had picked up new info that Compliance was not aware of
then I had a modicum of confidence I had done a good job.
So let us envy, together, the authoritativeness and self-certainty that international audit firms have displayed for years, this magic confidence quality, which no one who has any practical competency in AML fight, will ever feel.
People who have real, practical competencies are never so fully sure of themselves. Only the ignorants bask in happy certainties.
Perhaps now is the time to get over with the typical cognitive bias of the large audit firm.
Should we burninate the Big 4?
Let me know what you think about it?