The Big Four, long the auditors of the world’s largest public companies, have been busy shedding the bottom 10–20 percent of audit clients (by revenue) to promote growth in their non-audit service lines. As mid-tier firms pick up this business, they’re discovering the inadequacies of their existing risk assessment and onboarding processes.
“Risk assessment” for the purposes of this article refers to the entirety of processes an accounting firm conducts when evaluating new business opportunities to determine if the firm can and should take on the new piece of business. These processes can range from the informal and ad-hoc (for example, a firmwide email asking if anyone is doing work that may conflict with a piece of new business) to the robust and well-designed (a defined process that runs the new business through thoughtfully chosen risk metrics). Most mid-tier firms fall in the former camp of informal processes, which are proving inadequate in the face of an influx of new business that needs to be rigorously vetted.
All good risk assessments begin and end with data
At mid-tier firms that struggle with their risk processes, client and engagement data is typically housed in several different systems — and oftentimes even in spreadsheets. These fragmented data sources make it difficult for firms to ensure a comprehensive and standardized risk assessment process, regardless of which person or group is running each particular assessment.
In contrast, the most forward-thinking firms ensure that they check, maintain, and update a full universe of necessary data. These firms understand that data often represents the weakest link in any risk assessment. And this weak link can remain invisible unless the firm addresses both its data challenges and its risk challenges, ensuring data centralization and maintenance while establishing reliable risk processes that incorporate that centralized data source.
Independence is difficult to master
Firms that audit a substantial number of public companies receive close scrutiny from regulators. Therefore, as mid-tier firms take on more public company audits, they are likely to invite increased regulatory attention — with regulators particularly focused on identifying any circumstances that might impair firm independence. To avoid any such impairments, mid-tier firms should proactively address the following challenges:
- Growing pains. Growing firms often tell us, “We want to grow in the right way.” And when firms grow at a measured and predictable pace, legacy risk processes may prove adequate at identifying potential independence impairments. But as many firms plan for major growth that involves significant new business taken on in bulk, they realize their existing risk processes will be overwhelmed and put the firm at risk of overlooked impairments to independence. Today, we see these challenges playing out as mid-tier firms take on many new clients at once, without sufficiently rigorous independence checks. Or, if the checks are in fact rigorous but still overly manual, some engagement partners simply won’t wait and will begin the billable work before the checks are complete. While it’s understandable that partners are anxious to onboard clients and begin work, in the event of failures, regulators impose unforgiving penalties.
- Acquiring firms’ existing relationships. Private equity has its eye on acquiring ownership stakes in accounting firms, adding an extra layer of complexity to risk assessments. If an accounting firm is acquired by a private equity (PE) firm, the accounting firm must remain independent of all the portfolio companies in the acquiring PE firm’s funds. That requirement, however, is very challenging to meet, as the data set the firm must check will grow exponentially, will change constantly, and is by nature private, which renders it difficult to track. These challenges around private data necessitate a well-designed and robust process that accounts for these complexities.
- Risky clients. Along with the opportunity to take on more potential clients, there unfortunately also comes a greater likelihood that firms will accept some of the wrong ones. So after answering the “Can we?” question when conducting risk assessments, our clients follow the critical best practice of asking a second key question: “Should we?” The main challenge to answering this second question lies in figuring out exactly who a potential client is and what level of risk it poses to the firm. After all, most malpractice lawsuits occur because firms accepted the wrong type of clients — say, by taking on clients that didn’t match their internal risk profiles, entering industries they weren’t truly equipped to serve (think crypto or cannabis), or going beyond their established risk appetite without the proper approvals. These missteps can have significant, lasting financial and reputational effects on firms.
How mid-tier accounting firms can master risk assessment
So what are the solutions to these complex challenges? Here are several ways mid-tier firms can most effectively address them:
- Review your processes. Take an honest look at your current risk processes. What worked for a 25-partner firm 10 years ago will not work for a 200-partner firm today or a 550-partner firm tomorrow.
- Define your goals and risk limits. Decide what type of business you want to go after and the type of business you are willing to accept. The best firms choose the strategic direction they want their firm to go and build their risk processes to serve that business objective. They assess which regions, industries, and service lines they want to build out and expand into. After making these assessments, they define their risk processes to serve these business decisions.
- Assess your technology capabilities. Once you’ve defined your processes, decide whether you want to build or buy the necessary technology. Although very large firms may commit major resources to building a new solution, most prefer to buy a pre-built solution that was designed specifically for their industry.
- Address your data needs. In parallel to building or procuring a technology solution, make sure you have a plan for your data. What data needs to be checked? Where does it come from? How does it inform your decisions? A sound data governance plan is central to any new risk process.
Once mid-tier firms conduct this four-step process, they will be well positioned to build risk processes designed to be rigorous, scalable, and strategic.
Intapp can help your firm build such a risk management process that incorporates leading technology used by many of the world’s largest accounting firms.