The era of exponential growth among mid-tier accounting firms is upon us, driven largely by the trend of top-tier firms pushing to expand their advisory/consulting businesses. To manage the number of audits that could trigger independence impairments across service lines, they have taken steps to shed the bottom 10% to 20% of their audit clients. Meanwhile, mid-tier firms suddenly find themselves the recipients of these new business opportunities — opportunities that must be managed carefully, writes Jey Purushotham of Intapp.
Mid-tier firms may encounter many challenges when scaling to support such sudden growth. Among these challenges is an inability to manage the influx of welcome but unexpected new business from a compliance perspective. Once-sufficient risk and compliance processes might not properly detect independence impairments or conflicts before partners make new business decisions during a sudden influx, possibly exposing the firm to associated regulatory consequences.
At the same time, increasingly stringent audit and regulatory requirements that vary around the world are pressuring firms to modernize conflict-clearance processes. Some large, forward-leaning firms have already designed systems that enable compliance with current regulations and incorporate the ability to scale as regulations evolve, such as through the use of automation. However, many mid-sized firms try running new business through old systems that leave them awash in compliance risk.
5 key risk triggers
The environment is rapidly changing for mid-sized accounting firms and, possibly for the first time, introducing business triggers that force them to answer hard questions about risk processes.
Finding independence impairments at various stages
Historically, mid-sized firms lacked focus on automating the evaluation of conflicts clearance and waivers. Some independence-check processes were simply emails asking if any partners had an independence issue with a new client the firm wanted to sign.
These processes may have been sufficient when firms were smaller. But when a client windfall is created by a combination of industry split-ups, M&As and audit-needy clients who were denied or shed by the Big Four, the old method falls apart.
The idea that risk processes need to be automated rarely arises until some conflicts start to occur. Whether as subtle as a general unease with the current process, or as traumatic as having a regulator find issue and force changes — conflicts take center stage during rapid growth. Mid-size firms are starting to ask: How will risk processes keep up?
More private equity ownership of clients
The challenges that private equity poses are revealed in its name — this is a private market. This private nature ensures difficulty when attempting to capture all relationships and ownership stakes across any particular PE fund.
And as private equity funds continue to buy more stakes in more companies, independence rules (which extend to all portfolio companies within PE funds) become more difficult to adhere to. Searching, tracking and monitoring complex private equity ownership data presents a perennial challenge to mid-tier accounting firms in their efforts to maintain independence with respect to a growing audit client base.
Progressive mid-tier firms are beginning to employ third-party data sources to ensure structure around how they incorporate PE data into their risk management processes. Other firms are adopting a big-firm practice — namely, quarterly calls with the PE funds themselves to understand their changing portfolio company structure.
Growth on steroids through acquisition
In some cases, accounting firms feel the need to race through the vetting process in order to begin billable work on the influx of new client opportunities from a buyout. Without an automated risk process, exponential growth can quickly overwhelm a firm’s legacy manual risk management processes. It also impedes the ability to make informed decisions about which clients of a newly acquired firm to keep and which ones to shed.
Firms might even venture into new industries or new geographies that come with their own unique considerations from both a risk and regulatory perspective. If risk processes can’t scale to handle the flow of acquisitions today, they certainly won’t manage the increasing rate of acquisitions tomorrow.
Hitting the threshold number for audit companies
Accounting firms hit an increased level of scrutiny once their public audit client count crosses 100. For example, regulatory inspections increase from once every three years to once a year. As such, accounting firms try to balance their business between public and private companies.
They want constant visibility into their audit client growth, so they can make informed decisions on how many and which audit clients to accept. These decisions depend partly on a firm’s appetite for public company audits and ability to address the extra level of scrutiny.
Accepting the wrong clients
If robust risk processes do not exist, an accounting firm might unintentionally take on the wrong clients, opening itself up to a malpractice suit. While accounting firms are often subject to expensive malpractice insurance premiums, they have the opportunity to cut costs by demonstrating that they have robust, centralized risk processes in place that ensure firms will take only the right clients.
Automation can help answer the question: Who is the right client?
Effective processes help to confidently answer the big question at the heart of the acceptance issue: Who is the “right” client? To more easily answer this question in the future, the firm must define multiple factors: What is the ideal risk profile for a client? What is the firm’s risk appetite? What industries or geographies does the firm want to be involved in? Do the industries (such as cryptocurrency or cannabis) or geographies carry unique risks and unknowns? Any time these questions are ill-defined or cannot be properly answered, the firm is opening the door to unidentified and therefore unmanageable risk.
Risk processes are only as good as the data that feeds them. Unfortunately, at many firms siloed data — caused by multiple sources of truth, legacy databases from past acquisitions, and a growing number of internal systems with no associated data strategy — prevents a unified approach to risk management. Therefore, accounting firms must also create a data strategy in parallel with their risk and compliance strategy. Firms find they need to centralize their proprietary client and engagement data (often housed in separate and siloed systems) and develop a plan to keep this data maintained and updated over time.
Process automation also creates a competitive edge in the war for talent. Young people hired today expect an easy experience with technology and are increasingly less tolerant of manual processes and data entry. When firms lack an updated and automated risk process, they face a different kind of risk: the loss of new talent before they have a chance to grow into tomorrow’s top talent. Even worse, firms can miss out on the next class of top talent if employees report back to their alma mater that their firm’s technology stack is outdated and inefficient.
Leverage the opportunity
Forward-thinking mid-tier firms are using a simple equation to drive their thinking around processes: increased business + legacy systems = increased compliance and reputational risk. The savviest risk manager sees the current accounting firm landscape as a major impetus for transforming their data management and conflicts processes without losing out on new business opportunity — and their business counterparts agree.
The right transformation changes the growth/risk equation by meeting the challenges and compliance demands inherent in rapid growth and building an effective independence process. Only then can mid-tier firms successfully capture newly available audits, integrate clients from a merged firm and move into a new realm of success, without facing existential risk.