Competition commission has put the cat among the pigeons

Musical chairs for the audit market?

When the relationships between auditors and some listed companies can be measured in decades, with some spanning more than a century, the idea that companies should be forced to retender for audit services as often as every seven years is a bold suggestion indeed.

But this is what the UK’s Competition Commission (CC) has – albeit provisionally and with much further consultation to come before a final statement in the Autumn – suggested this morning, in what the CC’s audit group chair Laura Carstensen admits represents “some quite radical suggestions”.

The issue Carstensen’s group originally set out to address was the perception that extended relationships between businesses and their auditors breed a kind of familiarity that prevents shareholders’ interests from being protected when auditors run the rule over corporate accounts.

It stands to reason, after all, that an auditor with a longstanding rapport with the management of a business might be inclined to audit financial statements in a way more beneficial to the interests of that management team than to its shareholders.

To shake up this supposedly cosy state of affairs, the CC has proposed mandatory retendering and rotation of audit firms. This is in addition to the prohibition of "Big Four only" clauses in loan documentation, which restrict lending to companies audited by PwC, Ernst & Young, KPMG and Deloitte, and measures to increase engagement between auditors and shareholders.

On paper, mandatory rotation certainly looks like it would protect shareholder interests and increase competition, with smaller firms gaining audit market share from the Big Four, which currently take the lion’s share.

In practice, the concept invokes serious practical considerations that many, especially among the Big Four, think could be counterproductive to the quality of audit services.

First and foremost, mandatory rotation has cost implications to both auditors, who spend time and money on pitches to prospective clients, and those being audited. There are also setting-up costs for auditors and companies in new audit engagements.

Audit rotation after short periods also poses a threat to audit quality, particularly as engagements come to an end. Auditor rotation on a seven-year basis is arguably ill-suited to large, complicated financial institutions whose inner workings require a long period for audit teams to understand.

In any case, audit firms already rotate engagement partners with clients to ensure independence, so it is not as if the profession has done nothing to address the issue of over-familiarity.  

But then again, this is exactly what consultation periods are for, and the CC itself acknowledges both the range of possible approaches to the rotation and retendering issue, seeking views on rotation periods of seven, ten and 14 years, and the fact that further recommendations would be contingent on responses to the current proposals.

Carstensen, speaking to me for International Accounting Bulletin this morning, said there is “evidence there is a price benefit to tendering, but we have to weigh up the costs and benefits – we want to know how we can find a point of equilibrium where the benefits are captured, but in such a way that it is not unduly costly or burdensome.”

There is plenty of time to find this point of equilibrium. This morning’s release only represents a summary of provisional findings, and the full text won’t be available until next week, with final recommendations to come in August at the earliest.

Nevertheless, they certainly represent a more aggressive stance on shaking up the market than many in the audit market had expected, and are likely to prompt a broader change in attitudes beyond the UK.

For some time the EU has been rumbling through its own debate on audit reform, and after making some fairly conservative recommendations towards the end of last year, has been widely regarded as waiting on what comes out of the CC before making further statements. Certainly, the CC’s suggestions on mandatory rotation are unambiguously more hard line than anything that has come out of Brussels.

Carstensen told me she expected today’s comments and future findings from the commission to have a definite impact on the continuing EU debate. “Brussels has a lot of respect for our process as very rigorous and very evidence based, and I would expect parties there to be very interested in what we conclude, and the basis on which we reach it.”

In this context, one wonders if the decision to start the rotation discussion at a benchmark of five to seven years was a move designed to bring more impassioned debate to a discussion that some perceived as having become quite flat. Whatever the intention, it has certainly had that effect.  


Photograph: Getty Images

By day, Fred Crawley is editor of Credit Today and Insolvency Today. By night, he reviews graphic novels for the New Statesman.


Can Trident be hacked?

A former defence secretary has warned that Trident is vulnerable to cyber attacks. Is it?

What if, in the event of a destructive nuclear war, the prime minister goes to press the red button and it just doesn't work? 

This was the question raised by Des Browne, a former defence secretary, in an interview with the Guardian this week. His argument, based on a report from the defence science board of the US Department of Defense, is that the UK's Trident nuclear weapons could be vulnerable to cyberattacks, and therefore rendered useless if hacked. 

Browne called for an "end-to-end" assessment of the system's cybersecurity: 

 The government ... have an obligation to assure parliament that all of the systems of the nuclear deterrent have been assessed end-to-end against cyber attacks to understand possible weak spots and that those weak spots are protected against a high-tier cyber threat. If they are unable to do that then there is no guarantee that we will have a reliable deterrent or the prime minister will be able to use this system when he needs to reach for it.

Is he right? Should we really be worried about Trident's potential cyber weaknesses?

Tangled webs 

The first, crucial thing to note is that Trident is not connected to the "internet" we use every day. Sure, it's connected to the main Ministry of Defence network, but this operates totally independently of the network that you visit Facebook through. In cyber-security terms, this means the network is "air-gapped" - it's isolated from other systems that could be less secure. 

In our minds, Trident is old and needs replacing (the submarines began patrolling in the 1990s), but any strike would be ordered and co-ordinated from Northwood, a military bunker 100m underground which would use the same modern networks as the rest of the MoD. Trident is basically as secure as the rest of the MoD. 

What the MoD said

I asked the Ministry of Defence for a statement on Trident's security, and while it obviously can't offer much information about how it all actually works, a spokesperson confirmed that the system is air-gapped and added: 

We wouldn't comment on the detail of our security arrangements for the nuclear deterrent but we can and do safeguard it from all threats including cyber.

What security experts said

Security experts agree that an air-gapped system tends to be more secure than one connected to the internet. Sean Sullivan, a security adviser at F-Secure, told Infosecurity magazine that while some hackers have been able to "jump" air-gaps using code, this would cause "interference" at most and a major attack of this kind is still "a long way off". 

Franklin Miller, a former White House defence policy official, told the Guardian that the original report cited by Browne was actually formulated in response to suggestions that some US defence networks should be connected to the internet. In that case, it actually represents an argument in favour of the type of air-gapped system used by the MoD. 

So... can it be hacked?

The answer is really that any system could be hacked, but a specialised, independent defence network is very, very unlikely to be. If a successful hack did happen, it would likely affect all aspects of defence, not just Trident. That doesn't mean that every effort shouldn't be made to make sure the MoD is using the most secure system possible, but it also means that scaremongering in the context of other, unrelated cybersecurity scares is a little unjustified. 

Barbara Speed is a technology and digital culture writer at the New Statesman and a staff writer at CityMetric.