Author Archives: Simon Laffin Business Services Ltd

About Simon Laffin Business Services Ltd

Chairman of both Flybe Group plc and Assura plc.

Response to consultation on Market Study on Statutory Audit Services

CMA report coverI am responding to the request from the Government for views on the recommendations by the Competition and Markets Authority on the market for Statutory Audit Services. This submission is made in a purely personal capacity.

Over the last 25 years, I have been chairman or director of ten different companies, from small privately owned to FTSE100, participating in over 200 audit committee meetings. I have never worked for an auditing firm, big or small. I am now a non-executive director/Chairman of the Audit Committee at Watkins Jones plc and Chairman of the Audit Committee of Dentsu Aegis Network, as well as a private investor.

Introductory Comments

There needs to be a clearer understanding that audit is a regulated statutory service. As such companies and stakeholders should rely on the regulator to ensure high quality standards. Failings in the quality of audits are primarily the responsibility of the audit firms and their regulator, not company audit committees. Audit committees should be responding to issues that they see in the conduct of their own audits, and should be allowed to select their auditor based on their own criteria. If shareholders are unhappy with this, then they have the power to influence boards and ultimately vote directors out if necessary.

The CMA Report is heavily UK-centric, failing to take full account that the Big 4 have international arms and associates and that most FTSE350 companies are international. It does however recognise that the dominance of the big 4 firms is an issue that must be tackled globally, or at least on a European basis. It is not tenable to argue that the global oligopoly of the Big 4 can be successfully challenged by measures that affect UK-based firms only.

The CMA report provides no analysis as to why the market has become so concentrated (although its predecessor body contributed significantly by allowing the merger of Coopers & Lybrand and Price Waterhouse in 1998). As a result, the report sheds no light on what will happen if the joint audit proposal is implemented, diverting significantly more revenue to non-big 4 players. How will they react? Will this artificial subsidy turn the non-big 4 into real challengers? The answer is that no-one knows. This is a poor basis for a major change to affect virtually all our 350 largest companies. The CMA should have recommended that this proposal be trialled first to learn what happens rather than rush to rollout a significant untried policy measure.

The most effective and fastest way to increase competition in this market would be to increase competition within the big four by ensuring that each of the big four can always compete for an individual audit. This is not currently the case as often a company already uses one or more of the big 4 to provide tax, advisory or internal audit services. The CMA recommendation to require some form of split between the audit and non-audit services of the big 4 is therefore the strongest recommendation and the one most likely to provide more choice in the short term. The government should also lobby internationally for other countries to require a similar split.

Arguably, the best opportunity for non-big four firms to increase their competition against the big 4 would be by investing in their non-audit work. Developing a strong tax practice or due diligence team is likely to be easier than trying to compete for audit work, particularly as the latter tends to require a strong international network.

Detailed responses to questions posed by the Government

  1. Do you agree that the new regulator should be given broad powers to mandate standards for the appointment and oversight of auditors, to monitor compliance and take remedial action? What should those powers look like and how do you think those powers would sit with the proposals in Sir John Kingman’s review of the Financial Reporting Council?

The CMA has not provided any guidance as to what form the ‘standards’ for the appointment and oversight of auditors would be, and therefore there is no basis for this being new powers for a regulator. UK corporate governance hinges on boards, and particularly non-executive directors, exercising their fiduciary duty to operate the company on behalf of members and other stakeholders. There is no evidence in the report of widespread failure by boards to do this. Nor is there any analysis of why individual auditing failures have emerged. Regulation of statutory audit is not the role of boards, who have in fact been let down by the failure of the regulators themselves to do their job. It is therefore somewhat ironic to have regulators trying to increase their own powers to regulate boards with regard to audit quality.

  1. What comments do you have on the ways the regulator should exercise these new powers?

These new powers are not justified by any evidence and so should not be conferred on a regulator.

  1. How should the regulator engage shareholders in monitoring compliance and taking remedial action?

Shareholders should be engaging with boards directly themselves.

  1. What would be the most cost-effective option for enabling greater regulatory oversight of audit committees? Please provide evidence where possible.

The case has not been made for greater regulatory oversight other than by shareholders themselves engaging with individual companies.

  1. Do you agree with the CMA’s joint audit proposal as developed since its interim study in December?

The CMA’s joint audit proposal does not have an evidential basis. Joint audits are voluntarily used by a few companies, but are mandatory only in France. The actual evidence shows very mixed results. For example the Lesage, Ratzinger-Sakel, Kettunen study, ‘Struggle over joint audit: on behalf of public interest?’ concludes that;

“we do not observe a higher quality associated with joint audit, neither on the Danish sample (main analysis) nor on the matched FRA/GER [France/Germany] sample.”

The CMA admits that the effect on quality ‘should be at worst neutral.’ (Final Summary Report. P10). This is hardly a ringing endorsement for a major proposal to improve audit competition and quality.

The CMA’s main objective is to increase revenue for non-big Four firms. It is akin to them mandating that shoppers must purchase half their groceries from an independent convenience store, rather than a supermarket. This proposal would by definition lead to the non-big four firms getting more audits, but is by way of a large subsidy to them rather than through increased competition. There is no guarantee – and no evidence identified – that this will improve the quality of non-big four audits, as opposed to swell their partners’ incomes.

This proposal would be a very substantial change to UK audits and incur considerable extra costs. An incumbent big Four firm is very unlikely to reduce its fees in order to fund a smaller competitor duplicating some of its work. Companies will have two sets of auditors reviewing the same accounts, slowing the process and consuming management time. It would take a long time for the non-big 4 to grow their headcount to cope with even 30% of the audit work of the FTSE 350. The CMA interestingly has made no attempt to model out how much this work would be, how long it would take for the non-big 4 to be in a position to resource this, nor whether such pace of expansion required is feasible.

The CMA has failed to show any evidence that this proposal is likely to be either successful or proportionate. In the absence of this evidential basis, the most that should be proposed is a trial for certain companies or sectors to see if joint audits do have the benefits claimed. This should be followed by a very gradual roll-out if it deemed successful. This would also give more time for the non-big 4 to resource up.

  1. Do you agree with the CMA’s proposed exemptions to the joint audit proposals? How should the regulator decide whether a company should qualify for the proposed exemption for complex companies?

Whilst I believe that the joint audit proposal is a costly and disproportionate measure, I do not see the argument to exempt complex companies. This measure would be most cost/benefit effective if applied precisely to the largest companies and largest audits, as they would transfer most revenue to non-big 4 companies per audit affected. The more complex the audit, the more the learning should be transferred to smaller firms.

  1. Do you agree that challenger firms currently have capacity to provide joint audit services to the FTSE350? If a staged approach were needed, how should the regulator make it work most effectively? If not immediately, how quickly could challenger firms build sufficient capacity for joint audit to be practised across the whole of the FTSE350?

Obviously non-big 4 firms would need both to recruit new staff and to improve the overall quality of the staff that they currently have. Inevitably this would require large scale recruitment by them from big four firms. It might well mean that non-big four firms would also have to resign from smaller audits in order to resource the new audits gained. The main results are likely to be inflation in pay for auditors and partners, with a modest growth in non-big 4 headcount. Audit quality is likely to suffer as big four firms lose staff and non-big 4 firms struggle to upscale. Accordingly, the Government would be taking a major risk in mandating a large scale roll out of this proposal.

As suggested above, a pilot scheme involving a relatively small set of large companies would be the optimum next step to see if the remedy works without causing widespread disruption.

  1. Do you agree with the CMA’s recommendation that the liability regime would not need to be amended if the joint audit proposal were implemented?

If both firms were jointly and severally liable, they would need to review each others’ work. It seems unlikely that they could place reliance on the other’s review. This would reinforce the duplication of effort and increased costs of this proposal.

  1. Do you have any suggestions for how a joint audit could be carried out most efficiently?

A joint audit is inherently inefficient, particularly when its main purpose is to give more work to smaller players in the market.

  1. The academic literature cited in the CMA’s report suggests the joint audit proposal would lead to an increased cost of 25-50%. Do you agree with this estimate?

This sounds plausible.

  1. Do you agree with the CMA’s assessment of the alternatives to joint audit, including shared audit?

No comment.

  1. How strongly will the CMA’s proposals improve competition in the wider audit market, and are there any additional measures needed to ensure that those impacts are maximised?

The CMA’s proposals will cause significant dislocation in the audit industry as non-big 4 firms try to grow to meet the increased number of audits required, poaching staff from the big 4. Overall audit quality is likely to therefore decrease, not helped by the inefficiency of having two auditors.

  1. Do you agree with the CMA’s proposals for peer review? How should the regulator select which companies to review?

The CMA argues that there should be a non-big 4 peer review for audits that are too complex for a non-big 4 firm to jointly auditor. This seems illogical, especially as the inexperienced non-big 4 firm will have no liability for the outcome. How different is this from a regulator’s Audit Quality Review (AQR)? What value would the peer review have? The peer reviews would report only to the regulator, but if they are not shared with either the auditor or the Audit Committee, how can the regulator get a balanced view of the value of said peer review?

  1. Are any further measures needed to ensure that the statutory audit market remains open to wider competition in the long term?

It is likely that forcing a split between audit and other services would be the most effective and low risk measure to improve competition. This would enable companies to have a fuller choice between the big 4, reducing the times that one or more is ruled out through a conflict of interests.

  1. What factors do you think the regulator should take into account when considering action in the case of a distressed statutory audit practice?

As the CMA recommends, the regulator should take a close interest in the viability of the big 4 and act early in the unlikely event that one appears to be failing.

  1. What powers of intervention do you think the regulator should have in those circumstances, and what should be their duties in exercising them?

No comment.

  1. Do you agree with the CMA’s analysis of the impacts on audit quality that arise from the tensions it identifies between audit and non-audit services?

I have not seen any evidence that audit quality is affected by ‘tension’ between audit and non-audit services. There are in fact benefits from the cross-fertilisation between audit and non-audit in sharing knowledge and career development. However, the overwhelming argument is to split them organisationally to increase effective choice for audit clients.

  1. What are your views on the manner and design of the operational split recommended by the CMA? What are your views on the overall market impact of such measures?

The proposals for an operational split seem sensible.

  1. Are there alternative or additional measures which would meet these concerns more effectively or produce a better market outcome?

No comment.

  1. Do you agree with the CMA’s proposal to keep a full structural separation in reserve as a future measure?


  1. What implementation considerations should Government take into account when considering the operational split recommendations? Please provide reasoning and evidence where possible.

No comment.

  1. Do you agree with the CMA’s other possible measures? How would these suggestions interact with the main recommendations? How would these additional proposals impact on the market?

Limiting notice periods and non-compete clauses for big 4 firms seems sensible. The other proposals appear somewhat peripheral. Moving audits to a fixed term of seven years would be unnecessarily intrusive, but there could be a requirement for a tender every seven years. This however should not be expected to have an impact on big 4 market share.

  1. Do you agree with the CMA’s suggestions regarding renumeration deferral and clawback?

Having the opportunity to clawback auditor remuneration for serious failings discovered later seems sensible and in line with modern corporate governance.

  1. How would a deferral and clawback mechanism work under a Limited Liability Partnership structure?

No comment.

  1. Do you agree that liberalising the ownership rules for audit firms would reduce barriers for challengers and entrants to the market?

It is difficult to be sure how this would work in practice, but it would be worth trialling for a few smaller firms to see how it works.

  1. Do you agree with the CMA’s suggestions regarding technology licensing?

It might work, but you might find a low take up by smaller firms.

  1. Do you agree with the CMA’s suggestions to provide additional information for shareholders? Do you have any observations on the impact of the Public Company Accounting Oversight Board’s database on the US audit market?

This seems harmless, but I’m not sure that there will be significant benefit.

  1. Do you agree with the CMA’s suggestions regarding notice periods and non- compete clauses? Do you agree that the regulator should consider whether Big Four firms should be required to limit notice periods to 6 months?


  1. Do you agree with the CMA’s suggestions regarding tendering and rotation periods?

Moving audits to a fixed term of seven years would be disproportionate, but the requirement for a tender could be set at seven years. This however should not be expected to have an impact on big 4 market share.

  1. Do you have other proposals for measures to increase competition and choice in the audit market that the CMA has not considered? Please specify whether these would be alternatives or additional to some or all of the CMA’s proposals, and whether these could be taken forward prior to primary legislation.

The Big 4 could be required to initiate a certain level of secondments of staff into non-big 4 players, in order to boost the latter’s capabilities.

  1. What actions could audit firms take on a voluntary basis to address some or all of the CMA’s concerns?

They could initiate an operational split between audit and non-audit services. They could also have a code of conduct to facilitate movement of staff into smaller players.

  1. Is there anything else the Government should consider in deciding how to take forward the CMA’s findings and recommendations?

The Government has a major role in lobbying for international action to increase competition and quality, as these proposals cannot work if implemented solely in the UK.



Simon Laffin                                                                                                28 August 2019

The Baked Bean Audit

Heinz baked beansWhat if the government insisted that every time you bought a tin of Heinz baked beans, you had to buy at least half a tin of Crosse & Blackwell ones too? You would have to explain to the grocery regulator why you chose Heinz, and if it thought that your choice was the wrong one it would mandate you to buy differently, publicly shame you and even take control of your grocery shopping as a punishment. You might not feel so great about it, but there’s no doubt that sales would rise for Crosse & Blackwell, who could then choose to invest the extra cash in improving its product, reducing its costs, or simply pay higher dividends.

The Competition and Markets Authority (CMA) is recommending this degree of intervention and forced joint-buying for the audit industry. The CMA report on the audit industry has many shortcomings; a lack of evidence, poor use of data, and a sharper ear to preferred interest groups. It clearly placed great weight on the views of politicians and investor corporate governance lobbies, but little weight on the views of companies and particularly not to chairs of audit committees;

“There are widespread public concerns about audit quality. While some Audit Committee Chairs (ACCs) and companies questioned whether there was a systemic and significant quality problem, the views of investors – the ultimate customers of statutory audits – were more supportive of our analysis that there is a persistent problem of variable or poor audit quality.”

The CMA suggested – without any evidence – that audit chairs were anyway likely to favour the Big Four if they had previously worked for them;

“The presence of ex-Big Four employees on Audit Committees is perhaps unsurprising given that the Big Four do employ a disproportionate share of financial professionals…However, it raises questions about whether Audit Committee members’ greater familiarity with the Big Four might lead them to favour Big Four firms when assessing audit tenders.” 1

Few would question that the audit market is too supply-side concentrated in only four companies. But the CMA is suggesting that the problem is demand-side driven. The purchasers of audit are making suboptimal choices, perhaps because audit chairs are just appointing their alma maters. The CMA also got itself into quite a spin trying to understand why ‘cultural fit’ was a helpful criterion for the selection of someone you are going to be working closely with for the next seven years, so it concluded that part of the problem is that audit committees are just looking for a friendly or compliant audit partner.

The CMA couldn’t quite persuade enough people that the choice of auditor should be taken completely out of the hands of the audit committee, but wants the regulator to; mandate minimum standards for the appointment and oversight of auditors; monitor compliance by audit committees; and issue reprimands to ‘non-performing’ committees. The CMA is silent on what those standards are, how the regulator will monitor them and how it can be sure that a regulator’s view will be superior to experienced directors working with the business and elected by shareholders.

The dual buying/joint audit remedy will increase cost and complexity for companies, but will also force revenue and market share towards smaller audit firms. This will, by definition, reduce market concentration. It may prove successful in increasing long-term audit competition if those non-big 4 firms seize the opportunity, or it may just be a long-term subsidy to possibly lower quality players, depending on how good the non-big 4 really are. In any case, the CMA has launched the project in the certain knowledge that it won’t be around to take responsibility by the time we know the ultimate outcome.

What worries me is the dismissive attitude that the CMA, regulators and politicians have for non-executives and the audit committee in particular. Independent non-executives are the key to our modern corporate governance, and yet the CMA wants audit committees to be supervised to an extraordinary degree. Auditor choice is to be mandated with joint audits and the process is to be reviewed by a regulator, who can ultimately take over the appointment decision. What would this say about the quality and integrity of our non-executives?

Even more concerningly, what does it say about the state of our regulators? Following the recent accounting scandals, regulators have lost faith in our basic corporate governance, whilst becoming more confident of their overriding wisdom. Most audit committees feel that the accounting scandals have demonstrated that the quality of regulation of audit firms is poor and needs to be drastically improved. But here we have regulators concluding that the answer is in fact more and wider regulation extended to audit committees.

Audit committees do need to face up to questioning, but it needs to be thoughtful. Do we expect audit committees to find fraud and accounting irregularities, if neither management nor auditors spot them? Do we expect boards to provide complete assurance that no company will ever go bust? How do we help boards to identify risks in their companies that might be signs of poor accounting practice or future financial instability? To help answer those questions, government needs to work with boards to understand better the issues, not just extend regulation and threats;

  • Does the audit industry need more or just better regulation?
  • Do we hold boards primarily accountable for running companies, or do we need to regulate them more?
  • Do we trust non-executives to provide sufficient independent challenge on boards, or do we side-line them by regulating more?
  • How do we help boards to identify and manage financial and accounting risks?

Otherwise we are back to the government deciding it knows best which baked bean is right for us.



1 This is a proposition that of course the CMA could have tested, but choose not to.



My response to the Competition and Markets Authority Invitation to comment on the inquiry into the Statutory audit market



I am making this submission in a purely personal capacity. Over the last 25 years, I have been Chairman or a director of ten different companies, from small privately owned to FTSE100, participating in some 200 audit committee meetings. I have never worked for an auditing firm, big or small. I am now Chairman of Flybe Group plc, a non-executive director/Chairman of the Audit Committee at Watkins Jones plc and Chairman of the Audit Committee of Dentsu Aegis Network.



The CMA needs to define what a high-quality audit looks like.

The CMA notes ‘widespread public concerns’, but concedes that part of the problem may be an ‘expectation gap’, where commentators do not understand what an audit is intended to do. However, the CMA doesn’t define what it thinks an audit should achieve and what a high-quality audit should look like, nor is there any description of a ‘poor’ audit. The latter needs to distinguish between concerns that the auditor signed off; a going concern (but the company subsequently went bust); the ‘wrong’ number; a number biased towards management; or where it failed to detect fraud.

The CMA should define clearly its objectives in enhancing audit quality and trace through remedies to show how they would address the specific issues noted.

The CMA should consult with Audit Committees to understand what they think a high- quality audit looks like. They would find that it differs significantly from the quality benchmark applied by the AQR. The latter essentially audits an audit, looking at technical process and documentation. The Audit Committee looks for an audit to identify issues, challenge management’s assumptions and identified risks, propose improvements to controls, and work with management to finalise accounts that satisfy all regulation in a timely manner.

The CMA seems to imply that a poor-quality audit is one where the auditors are lax in agreeing whatever number management wants to declare. However, this is a very simplistic interpretation of quality. The CMA would do better to understand a quality audit in terms of the process of applying technical standards, speediness of response, identification of control and risk issues, collaborative working and good technical judgement. Crucially, only management and Audit Committees are able to judge most of these facets of quality, and they also have the strongest incentives to employ an auditor who can deliver on them.

Most of the ‘public concerns’ stem from a few well-publicised ‘failures’. These are important, but need to be out in the context of many thousands of audits that are completed successfully. If the CMA wishes to address these ‘failures’, it must study them to understand what actually happened. Then it should test its possible remedies to show that they would have stopped, or at least reduced the risk of, these events happening. The CMAneeds to be careful not to impose wide-reaching remedies just to address relatively rare individual failures.


The CMA needs to be realistic about the failures of previous regulatory interventions and learn from these when proposing new ones

The CMA takes satisfaction that, despite ‘only three years in force, the Competition Commission (CC) remedies have generated some positive change in the operation of the audit market, with increases in both tendering of audit contracts and switching.’ Since retendering and switching became compulsory, it’s not too surprising to see it happening. However, the CMA provides no evidence that this has made a positive change to the market, as opposed simply to increasing churn.

The CMA argues that ‘Alongside this, the FRC has reported broad increases in quality, albeit sampling means that we should be cautious in interpreting a trend over time.’ Indeed, the CMA should be cautious, since the AQR reviewed only 6% of audits within its scope. This included 24 – only 4% of those in scope – at much-criticised KPMG.

The AQR admits; ‘Our report focuses on the key areas requiring action by the firm to safeguard and enhance audit quality. It does not seek to provide a balanced scorecard of the quality of the firm’s audit work.’ In fact, the AQR targets particular ‘problematic’ sectors for review, underlining that this is not random sample.

The CMA admits that the objective of reducing the dominance of the Big Four has signally failed. 97% of FTSE350 audits are now performed by the Big Four, up from 95% at the time of the last review.

The CMA should make a balanced appraisal of the benefits of the previous CC remedies. The 2013 remedies imposed significant extra cost on companies and audit firms, and the regulator should feel accountable for those costs being borne by the market to deliver whatever market benefits have been achieved. The CMA admits that the dominance of the Big Four has increased and public confidence is reducing. How can this be reconciled with the CMA’s conclusion of ‘some positive change’?

With a new review and remedies being proposed, the CMA should be fully confident, with real evidence to support, that any new remedies will indeed be effective and proportionate, and will not have counter-productive unintended consequences.

The CMA needs to understand its own limitations in this market

The CMA doesn’t tackle the inherent contradiction between regulation and competition. Since auditors are themselves regulators of financial reporting, is greater competition between regulators going to produce better regulation? After all, there Is only one CMA. The CMA must acknowledge that greater competition (even assuming the CMA could deliver this) may not be the solution to improving audit quality. There may be a better solution in improving the regulatory oversight of audits.

Without an understanding of what audit quality is, it is not clear how the CMA will assess the effectiveness of the AQR process (3.21). The consultation says that the CMA will ‘explore what quality means’, but appears to prejudge this by saying it will be ‘building on the CC’s report that quality involves scepticism, objectivity, integrity and independence’ (3.34 d). It then says that “We do not expect to focus our work on theme 1 (Scope and purpose of audit” (3.46). The consultation is confused and contradictory.

The CMA is correct that there is a lack of choice in selecting an auditor

The question whether there is sufficient choice of auditor is a pertinent one. The CMA will need to address whether this is a UK domestic or international problem. There may be little point in designing a solution for the former, if the problem is the latter, or if addressing the former makes the latter more problematic.

The CMA should also be aware that some companies now feel that they have reduced choice as some audit firms are actually competing with them (3.25). For example, the booming area of data analytics, increasingly being offered by the Big 4, is also a key business area for many media, IT and consultancy companies. Can you be regulated by another party that competes with your business, and do you want to open up your business to a competitor?

The CMA analysis of auditor selection and perverse incentives is naive and not backed by evidence

The demand for independent external audit arises from the social or stakeholder need for reliable financial information, not just shareholder’s needs (para 3.4 as then noted in para 3.5). This sets up a false analysis of incentives. To say that ‘the auditor is selected and paid by the company’ (3.8, error repeated in 3.18) is to ignore corporate governance that forms the heart of UK listed company regulation. The auditor is selected by independent non- executive directors, not the company.

In any case, the proposition that management only wants low prices and shareholders only high quality is naïve and not backed by any evidence. In my experience, management wants a quality audit above everything else. The consequences of having to deal with poor quality auditors during the highly time-pressured Results process are significant. The dominance of the Big Four in winning tenders reinforces that companies put a high value on their perception of quality, as smaller audit firms usually charge less and may be in a weaker position faced with management pressure. Management has to work with auditors. It is unlikely that they would seek out poor quality audit.

The scope and purpose of audit may be determined by international rules, but the CMA should try to understand what value companies expect to get from an audit. In the ten or so audit tenders, in which I have participated in, audit firms place little emphasis on how accurately they apply requisite standards. This is rightly taken as read, with the emphasis on a quality service to the company. Furthermore, the general attitude of audit committees in a tender is to select the best audit firm and then negotiate the price, not vice versa.


The scope is aimed at large listed companies, but the market is much bigger than this

The scope will be large companies. Why is the scope limited to large companies (3.46)?

The concerns about agency are much reduced in private companies, especially where management may be very close to shareholders, but again there may not be independent non-executives running an audit committee. However, the vast bulk of the consultation is devoted to large listed companies, so how will the CMA fully understand the position in private companies?

The CMA should avoid designing remedies just for the FTSE 100 that then get applied inappropriately to the whole market for audit services.

The potential outcomes may be counter-productive

The list of potential remedies emphasises the difficulty of applying competition solutions to a regulatory issue. There is undoubtedly a competition issue in that dominance of the Big Four reduces effective choice for companies. However earlier, well-intended regulatory reforms have actually made this worse. The CMA’s forerunner, the Monopolies and Merger Commission waived through the merger of Coopers & Lybrand and Price Waterhouse in 1998, reducing the Big Six to Big Five, despite much protest from industry. The restrictions on non-audit work by auditors has actually reduced choice and mandatory tendering has in fact strengthened the oligopoly of the Big Four.

Several of the remedies suggested are likely to reduce audit quality, for example; by shrinking audit firms to audit only; forcing some companies to take non-Big Four audits (the consequence of a market cap on the Big Four) and forcing inefficient joint audits. Other ideas, such as a regulator appointing auditors have no coherent connection with increasing choice.


The CMA should;

  1. Define what it means by a quality audit, after understanding what audit committees and management want and value in an audit.

  2. Be clear about the difference between the benefits of competition and higher quality regulation, and not try to achieve the latter by the former.

  3. Recognise the limitations of competition policy and not propose measures in order to be seen to do something under political pressure.

  4. Address the specific causes of public disquiet about audits and test any remedies against whether they would have avoided well-publicised company ‘failures’.

  5. Develop an evidence-based case for any further competition measures that takes explicit account of costs generated and fully understands the possible unintended consequences.

The audit punch-bag: Where is the voice of industry?

Punchbag auditStorm clouds are gathering over the audit market. Government, politicians, media and regulators are all queueing up to condemn companies and auditors over the few, but well-publicised, failures of certain companies. Lack of knowledge about the audit process is no bar to these opinion-formers. Meanwhile industry bodies are supine in defending business and signally failing to provide the missing knowledge as to what actually happens and what went wrong.

Having attended some 200 Audit committee meetings across 10 companies of all sizes and ownerships over the last 25 years, I have seen how audits actually work for companies and shareholders.

Is there a fundamental problem with the audit process?

There are hundreds of thousands of audits completed every year in the UK. There has been a handful of, admittedly large, company failures in recent years. There are even fewer cases where an auditor has been found culpable, remembering that it is not an auditor’s job to stop a company failing. There certainly have been issues in auditing, like any business, but it is not legitimate to conclude that the system is fundamentally flawed based on a few examples.

Has greater regulation helped in the past?

In 1998, I along with many other Finance Directors pleaded with the then competition regulator, the Monopolies and Mergers Commission, not to allow the merger of Coopers & Lybrand with Price Waterhouse. This, coming soon after the demise of Arthur Anderson, would mean that we would be left with only four global auditing firms. Industry was ignored, as the regulator knew better and convinced itself that competition would be maintained. Move forward 20 years, and the current regulator, the Competition and Markets Authority, is without a single blush of shame, looking at whether the Big Four are too concentrated. Industry told them 20 years ago that this was a bad thing. What chance that the regulator will listen to industry this time?

The European Union decided in 2014 that the answer would be compulsory tenders and controls on non-audit work. This hasn’t increased competition between auditors and especially non-Big Four, who haven’t won more work. It has created an industry in pitching for new audits, which itself disadvantages the smaller players who cannot afford such expense and who are increasingly not bothering to pitch for larger company work. Moreover, the banning of a company’s auditors from doing non-audit work has actually reduced choice where other Big Four firms are already providing tax, advisory or internal audit services. The choice can end up between two firms, one of whom might then be ruled ineligible as a long-standing incumbent.

In the UK, audit quality is monitored by the Audit Quality Review team, part of the Financial Reporting Council. It reviews about 25 audits for each of the Big Four and a handful each for another four firms. The reviews are effectively an audit on the audit. Although the AQR says that it contacts each Audit Committee Chair at the start and sometimes at the end of each review, there is no evidence in the reports that any weight is attached to their views. For example, the typical Audit Committee concerns; responsiveness, clarity on technical issues and speed are not mentioned in these reports. It is clear that the regulator feels it knows best what makes a good audit.

In short, the evidence is that greater regulation and intervention have proved at best ineffective, largely counter-productive and have actually reduced competition in the audit market.

Is new regulation going to help?

The Government has asked the Kingman inquiry and the CMA to look at aspects of the audit process. There are two key themes; increasing competition in the audit market and looking at a regulator taking over the responsibility for appointing a company’s auditors.

Increasing competition in the audit market

Commentators often wonder why so many companies, especially large ones, principally use the Big Four. The answer is simple. Multinational companies need to be sure that they will get a high-quality audit in all their countries, and the Big Four have the best international networks. Coordinating different auditors in different countries with different technical outlooks and rules is an unwanted significant additional complexity for companies.

There are high quality people in all audit firms, but, from my experience, there is significantly less quality in depth in the non-Big 4. They don’t have the resources, attractiveness and career development that the largest players do. If the objective is higher quality audits, forcing companies to employ less well-suited auditors is a strange response.

Breaking up the Big Four would be very problematic. These are international alliances of companies, so breaking up the UK firms wouldn’t solve the issue the international issue. It is very difficult to imagine that a coordinated multilateral effort could successfully break up the alliances across the world. The Government could encourage or subsidise the non-Big Four to merge, invest, grow their expertise and better develop international partnerships, but this feels pretty tricky. The most plausible change would be to force UK firms to divest all their non-audit work. The auditors worry that this would make audit firms less attractive as employers, and that this would damage audit quality. They may well be right, but industries also have a habit of accommodating such change, not least by increasing salaries.

A regulator appointing auditors

Some believe that companies select auditors who are more malleable to management. However, I can find no suggestion that some auditors are too lenient in any of the AQR reviews of audits, nor indeed any other evidence of this anywhere else. My experience from seven tenders that I have participated in, is that auditors are chosen largely on how sharp, commercially-aware and technically-competent the lead partner and top team are. Never has an auditor even implied that they would allow management more leeway than others. Moreover, if this were the case, then our whole governance structure with independent non-executives and audit committees would be failing. The answer then would be in governance change, rather in imposing audit appointments.

On what basis would a regulator appoint an auditor to an individual company? Would they use sector expertise? This would inevitably lead to a greater concentration of audits as it would be self-reinforcing. Would it be a cab-rank principle like barristers? But this couldn’t cope with companies needing sector-expertise or international coverage. How would allocating audits on a ‘buggins’ turn basis contribute to effective competition between auditors? If a company were allocated a poor performing audit partner, what recourse could it have when the audit is imposed on them? And how would this enhance competition?

An audit does much more than simply agree a profit number. A good audit works closely with management in order to get under the skin of a business and use that knowledge to make judgements, challenge assumptions, identify risks and suggest improvements in processes. The Audit Committee, in consultation with management, is in a good position to assess an auditor’s success in achieving this. How would a regulator be better placed to make this call for an individual audit, along with thousands of other appointments that it would have to make?

There is a problem, but how do we get to a solution?

There are issues with the quality of some audits, but there is no evidence that this is widespread. In fact, the continued repetition of Carillion and BHS as evidence actually suggests that there are relatively few known examples. Clearly there were issues to investigate at Carillion, BHS, Patisserie Valerie, and Conviviality, but no-one is really trying to understand how the audit process contributed to those failures. The media, government, Select Committees and regulators have focussed on allocating blame to individuals. This is not the same as understanding what happened. In fact, searching for blame is pretty much guaranteed to block thoughtful impartial analysis.

It does make sense not to allow any company to become too important to an audit firm. It may well be helpful to separate out completely non-audit work from all audit firms. But making auditors more nervous and cautious about signing off a company’s going concern statement won’t save companies from going bust. In fact, it is likely to increase it, as companies that could perhaps have been saved, have to through in the towel after being unable to get their accounts signed off as a going concern.

The current pressure to increase audit regulation is likely, on past experience, to be counter-productive. It may buy some good headlines for a beleaguered government, but responsible regulation has to be built on evidence, clear thinking and understanding of all the consequences (whether intended or not). It also requires the humility that would come from accepting the failures of past measures and decisions.

The likelihood is that we will end up with more regulation proposed by the ‘great and the good’, few of whom have actual experience of company audits, based on little evidence, but genuflecting to politicians with little or no understanding of business.

And where is the voice of business? The trade bodies remain craven to the government and fearful of a political backlash. The accountancy bodies, dominated by auditors, keep their heads down. It is no wonder that companies are likely to end up being the punch bag for yet more political games.


Motherhood & apple pie – the latest corporate governance regulations for private companies

Wates cover

The FRC has set out new proposals for more corporate governance regulation (the Wates Report) for large private companies.

This is my response to the consultation.





High quality regulation should focus on outcomes and provide evidence to support new rules and principles. Both the government and the FRC seem to be impervious to either. The Wates proposals identify neither outcomes nor evidence. They require private companies to disclose more about governance, but don’t identify who will use this information nor what they will do with it.

The FRC has missed another opportunity to research and think deeply about why companies get into difficulties and how it can reduce the likelihood of this happening. Clear corporate governance is probably a ‘good’ thing for all companies, but there is little evidence that it actually leads to better outcomes. The corporate governance principles proposed for private companies are well-meaning and are hard to disagree with, but, as currently written, are not specific enough to be other than a gentle nudge to companies, and more likely a cause of more boiler-plate wording in annual reports. A few specific questions for companies to answer would give clearer disclosure. The Principles need also to be applied to the actual governance of companies, rather than their legal structures.


  1. What is the objective?

It is not clear what the objective is of this exercise. Paragraph 2 talks about a loss of public trust in big business. Paragraph 3 refers to the ‘privileges of limited liability status’ and lower reporting and accountability requirements than listed companies, highlighting public interest in whether companies ‘operate in a sustainable and responsible manner’. The Consultation Questions explain that ‘The Principles and the guidance are designed to improve corporate governance practice…’ Presumably, the assumption is that ‘good’ corporate governance will build public trust. Sadly, the evidence from the listed arena is that this is not true. Carillion, for example, complied very closely with the Corporate Governance Code.

The foreword explains that the Principles are intended to help companies comply with a new legislative requirement on governance. The FRC is simply responding to a government edict. Without a clear objective, it is not easy to test whether the principles meet their aim, other than to turn a vague statutory requirement into something that companies can comply with.

There is no estimate of how many companies will be caught by those provisions, nor how much it will cost to comply, and least of all any idea of what the benefit will be.


  1. Are the Principles sufficiently specific to achieve the objective?

The Principles themselves are a set of very high-level statements, with which it is difficult to disagree. It’s unclear how a company can realistically claim not to comply with them. Turn each of the sentences into the negative and see who would claim that this applies to them;

  1. The board does not promote the purposes of the company.
  2. The board does not have an effective chair. The size of the board is not guided by scale & complexity of the company.
  3. The board does not have a clear understanding of its accountability and terms of reference.
  4. The board does not promote the long-term success of the company.
  5. The board does not promote executive remuneration aligned to sustainable long-term success of the company.
  6. The board does not have meaningful engagement with material stakeholders.

 What status does the more specific “guidance for consideration” have? It appears to be largely discursive, so would not need to form part of a company’s assessment as to whether it complies with the principles.  It seems that the FRC has pulled back from being too prescriptive, but in doing so has ended up with principles that, whilst undoubtedly worthy, are largely motherhood and apple pie.


  1. Do the Principles and guidance take account of the various ownership structures of private companies?

The Companies (Miscellaneous Reporting) Regulations 2018 confuses legal structure and governance. Legislators appear to believe that every company has a board that manages that individual business on a day to day basis. This may be true of some independent companies, but it doesn’t take account of group structures. A number of subsidiary companies may together constitute a group, which is managed by a board at that level. The size tests apply at company, rather than consolidated level. Yet many holding companies do not directly employ significant numbers of employees, not have large revenue themselves. The Regulations will therefore miss some large groups that are presumably the principal intended target of this legislation. It may also cause subsidiaries to invent bogus governance to comply or have to explain why they don’t comply.

The FRC should make it clear that the Principles apply to the board that actually constitutes the main governance for each entity, irrespective of the legal structure, provided that this is explained and disclosed in each company annual report. A subsidiary could simply report that its main governance structure sits with a parent entity and that details will be found in that company’s report and accounts.

The FRC should also clarify that the tests for the need to comply (employee numbers, turnover and net assets) should apply to the consolidated accounts, rather than the parent company alone.


  1. What more could be done?

To make these proposals have any meaning, the FRC should consider making adequate disclosure a key part of the Code. I appreciate that this is implied, but it should be made explicit and specific. The proposals in the guidance could be backed by a small set of simple disclosure requirements;


  1. Describe the values by which the Board and the Company operate.
  2. How does the Company promote behaviour in line with its values whilst discouraging misconduct and unethical practices?

Board composition

  1. How are board members appointed and what relationship does each have with the shareholders or parent group?
  2. What does each board member bring to the board?

Board responsibilities

  1. Describe how the board governs the company, including through use of subcommittees.
  2. How does the board ensure that the company systems and controls work effectively?

Opportunity and risk

  1. How does the board evaluate and manage risk?
  2. What is the board’s appetite for risk?


  1. How does the board set remuneration for directors and senior executives?


This list of disclosure questions should be kept short and high level. The risk is that everyone will want to add a question, but the longer the list the greater likelihood of a box ticking mentality and boiler plate answers. This should be the minimum number of questions that a company would need to answer to give adequate disclosure on the Principles.




How a bow-tie can smarten up corporate risks

BowtieImagine that you are worried about your infirm mother and want to make sure that you do everything to protect her. If you adopted typical corporate risk management practice, you would identify a risk that she falls over. You would then calculate the impact (maybe a broken bone) and then identify some mitigations, such as putting some cushions around her bed or installing a handrail. All sensible, but not very through. What if the consequence were a significant chance of her dying? Would you then want to do a more comprehensive risk analysis?

Understanding corporate and financial risks is becoming an increasingly important part of any board’s job. Most companies seem to use this same basic format. However, one of the biggest problems in traditional corporate risk analysis is the general, catch-all nature of ‘mitigations’. Anything you do to reduce the risk or ameliorate the impact is classed as a mitigation. This causes glib generalisations and sloppy thinking.

Good risk management has to be very specific and very clear. You won’t protect your mother from falling by saying that you’ll ‘keep an eye on her’. You would need to be very specific about who does what, when and why.

Typical risk analysis in an annual report

The Principal Risk section in an annual report typically has a description of the risk, its potential impact, mitigations and whether the risk is getting bigger or not. I’m not sure of the value of the trend, as it is surely more important to concentrate on size of the absolute risk. However, it’s the catch-all mitigations that are the key and these are usually high-level generalisations;

“Adoption of rigorous policies and processes…”

“Regular performance reviews…”

“Deployment of high quality people..”

These are real examples of ‘mitigations’ of a risk that actually brought down a multibillion pound listed company1. But they are also typical of most annual reports.

The bow-tie model

If you want to see best practice in risk management, look in industries where it is literally a matter of life and death, such as oil exploration, aviation, mining and maritime. They tend to use the ‘bow-tie’ model, which can also be applied to financial and corporate risks.

Hazard: The model starts by identifying a hazard. In our example, this would be your infirm mother moving around. She’s safe in bed, but the moment she gets up she opens herself up to a hazard. That hazard may lead to an event.

Event: This is the moment at which you lose control over the hazard. The hazard is her moving around, but the moment she loses control of her movement, ie she trips, it becomes an event. This is close to the typical corporate idea of a risk.

We now look at causation of events;

Threats: These are whatever might cause the event to happen. For example, the lady might have had a few drinks, or she might slip on some water, or she might have a funny turn.

Preventative barriers: These are things that might reduce or eradicate the threat. This would include some actions that would traditionally be called mitigations. In our example, it might include hiding the sherry bottle, or getting a carer to mop the floor or altering her medication.

And there are the results of an event happening;

Consequences: These are the outcomes from an event occurring. There can never be absolute certainty that barriers will work (ie prevent a threat causing an event). You can never be sure that your mother won’t ever fall over, despite your best efforts. It is important therefore to look at the results of such a failure. In this example, your mother might slip and break a leg or be left unable to call for help. These are not the risks themselves, but are possible results of the risk occurring.

Recovery barriers:  These are things that might reduce or eradicate the consequence. Again, these include traditional mitigations, but are sometimes overlooked as it is often assumed that mitigations will stop any event from happening. In this example, you could put an emergency button on your mother’s wrist or put in cushioned flooring.

And then there are escalation factors;

Escalation factors: Few barriers are perfect. There are likely to be reasons why the barrier might fail. These are called escalation factors and can weaken barriers to both threats and consequences.

This model forces a detailed think through of the risks and how to stop these risks form crystallising and if they do, how to mitigate the consequences. Think about the barriers as gates that stop bad things happening, but the escalation factors sometimes force the gates open.

An example of a corporate risk

Here is an example of a corporate risk, that of poor people management leading to resignations of key people, shown as a bow-tie model;

Bow tie diagram

This model shows the threats that might cause those resignations; uncompetitive remuneration, poor culture, inadequate career development and poor management practices. For each of those threats, the model shows what the company is doing to counter or prevent those threats. It also notes that there is an escalation factor, stress on people, that might exacerbate the threat of poor management, but this itself is offset by the use of in-house counselling.

If there were resignations of key people, the company could suffer the loss of key personnel, difficulty in day-to-day management, having to delay new projects, and putting more strain on remaining employees. To try to avoid or minimise these, the company will: conduct interviews to determine if a counter offer would retrieve the employee; use succession planning to identify replacement people who could be reallocated; use consultants if possible; and identify other personnel at risk who could be offered retention bonuses. The latter could be at risk of financial constraints, but the company addresses this by keeping a contingency budget ready for such an eventuality.

What emerges is a complete story of what dangers the company faces and how it is reacting to all of them. This is a much more powerful analysis than the traditional risk, impact and mitigation model.

This model can be used for any corporate risks and to build the risk register. Quantification could of course be added if required. This would be shown as the severity x likelihood of the risk happening without any barriers and then again with the barriers that are currently in force. In our example, the risk of key personnel resigning might be 80%, and this might be judged to cause £10m of damage, ie an unmitigated weighted risk of £8m. You might conclude that with the barriers in place, the residual risk would be 30% and a likely damage of £5m, giving a mitigated risk of £1.5m.

Annual Report

The full model would be too big to include in an annual report, but could be summarised in this way;bowtieannreport.jpg

This format is a useful summary, but the full model is better as a management tool in visualising and explaining the stages of risk management.


Planning for risks and risk management needs to be done on a detailed and specific level. Generalisations won’t work. Too much risk work that comes to boards is rife with generalisations and bland ‘mitigations’. The bowtie model, developed in industries that deal literally with life and death safety risks forces a proper step by step plan of risks, management processes and actions that either reduce the risk and ameliorate the impact if the risk crystallises, as well as understanding reasons why those actions might fail. This model has a great deal to offer companies in sharpening up their understanding and presentation of corporate risk management.


Simon Laffin

1 The risk was ‘Contract management’ and the company was Carillion plc. These quotes are from their last (2016) annual report.



Carillion – What can we learn?

Carillion vans

The collapse of Carillion was a tragedy, especially for its 45,000 employees and 25,000 pensioners. In an earlier article, I looked at its last Annual Report to see if there had been clues that could have tipped readers off to the impending catastrophe. Since then, we have had Select Committee hearings and their January 2018 turnaround Business Plan has been released. This now gives quite a bit more colour to understand better what happened and what lessons can be learned to improve corporate reporting.

This was a business with a yo-yo strategy and difficult execution

In 2009, Carillion had a strategy review, which concluded that it should halve the size of its UK construction business and double the size of its Middle East and Canada businesses. By 2013 however, Carillion changed its strategy again, and stopped bidding for work in Canada (other than PFI) and would no longer bid for traditional construction work in the Middle East (unless export finance was agreed). However, it seems that the die was cast and long-term contracts already signed in Canada and the Middle East proved fatal in 2018.

It wasn’t just a faulty strategy that was the problem. Its rescue Business Plan1 in Jan 2018, concluded; “The Group had become too complex with an overly short-term focus, weak operational risk management and too many distractions outside of our ‘core’”.

When things went wrong, they appear to have gone wrong quickly

Carillion signed off its Annual report in March 2017. At that time, cash was ‘…broadly in line with the budgeted position for the first couple of months of the year…” (recalled Keith Cochrane2, then a non-executive director, later Interim CEO from July 2017). At the AGM on 3 May 2017, Richard Howson, Cochrane’s predecessor as CEO, announced3 to the markets that; “trading conditions across the Group’s markets have remained largely unchanged since we announced our 2016 full-year results in March.”.

However, at ‘the beginning of May’2 the board learned that the internal reporting of contracts had been incorrect, with management accounts netting off receivables and payables, and therefore reducing the apparent cash risk. The board then commissioned the external auditors (KPMG) to conduct a review of the accounting. This concluded that the published accounts had correctly grossed up the amounts, but that the internal reporting was wrong. This, however, sufficiently unnerved the board that it then commissioned a second report from KPMG, initiated “around the end of May2, to examine the cash recoverability of its largest contracts.

This second KPMG review: “driven largely by a deterioration in cash flows on a number of major contracts, which occurred particularly as we went through Q2” (according to Keith Cochrane2) concluded that there needed to be an £845m provision made.

The provision was announced4 to the markets on 10 July 2017. The auditors5 concluded this some four months after signing off the original accounts.

The business had major risks that weren’t clear from their Annual Report

Zafar Khan, Carillion’s short-lived CFO from January to September 2017, told the Select Committee2;

If you look at the 2016 annual report, and if you look at the key risks identified within that, my view is that the setbacks and issues that we experienced in 2017 were largely related to the risks that we had set out in the 2016 annual report. What was not anticipated at the time was the number of risks that crystallised in the end, and also the quantum of the impact that we had to deal with.”

However, it seems that 6 to 8 long term contracts came to a scheduled end in 2017, but this had not been flagged in the 2016 annual report6. Khan explained2;

“Another factor that I do not think has been given enough attention is that, going into 2017, we had a number of large-ish contracts in our UK construction business that were coming towards completion…We had a good pipeline of opportunities…”

The top risks disclosed in the annual report were;

  1. Work winning
  2. Contract management
  3. Pension liability
  4. Brexit

But the risks that seem to have brought the company down were in fact;

  1. Contract management
  2. Working capital management
  3. Excessive cash outflow breaching debt facilities

All of these are of course linked, and stem from the fundamental problem of poor contract management. Carillion’s stated6 mitigations of the contract management risk were;

Adoption of rigorous policies and processes for mobilisation, monitoring and management of contract performance. Regular performance reviews…Independent peer reviews of contracts…and contract health checks undertaken by internal audit

These mitigations don’t sit easily with admissions now being made by directors.

Long term construction contracts are difficult to manage

Long-term contracts have many complexities and risks, not least as changes are made over several years with cash flow trailing. Keith Cochrane explained2: “If you take the Qatar job…this is a job that had doubled in size. It had 2,500 design variations to it, and essentially we were not paid for 18 months prior to the business failing.”

Richard Howson gave an example2 of Crossrail. The initial contract was for £30m, but by the end of 2014 costs were £90-£100m, with Carillion having been paid only £76m. The final revenue was eventually agreed at £100m and the rest of cash received at the end of the contract.

Zafar Khan put it bluntly2: “Carillion has some quite large contracts…and cash flows on those can change over a short period of time.”

Carillion had to finish long-term construction contracts as it got full payment only at the end, and on many contracts, if it walked away the client could appoint another contractor thereby also losing performance bonds. Carillion didn’t have the right to suspend work on the Qatar contract. The Qatari client, in dispute with Carillion, appointed another contractor in June 2017 to complete the works at Carillion’s cost, also jeopardising its £54m performance bond.

But Carillion contributed to the problems

Philip Green, the Chairman, admitted2; “There were some examples where negotiations around the contract itself were done too quickly, and the lesson learned was that if we had spent longer on the actual negotiations, some of the risks may well have been able to be mitigated.”

Carillion found it difficult to collect cash due on some of its contracts

Keith Cochrane said2; “…as it (the group) sought to exit from certain key markets and start to refocus itself on its core, that required us to take a different perspective on our ability to collect outstanding receivables in those markets.”

But then he suggested2 operational issues:

‘…there was a lot of focus on reported debt across the business. Was there the same focus on collecting cash, day in, day out…?”

There were concerns about the accounting

The new CFO, Emma Mercer, appointed in September 2017, told the Select Committee2 that she saw: “slightly more aggressive trading of the contracts” than in her previous experience.

“As part of Keith’s strategic review, we had changed the way we were looking at some of the services contracts, and that resulted in an increased position at the end of September, in terms of an additional £200m of provision.” Confusingly, the interim results7 published that month, described this provision as having “minimal impact on cash

Emma Mercer explained2 about contract accounting;

“…you have to exercise judgement over all sorts of things: when the contract is going to get finished; how much we are going to receive; if we are claiming against anybody; what entitlement we may have…both the number of contracts we were taking judgement on and the size of those judgements had increased….when we saw the deterioration…because we were already at a more aggressive position, it was very difficult to withstand those deteriorations on those projects.”

The numbers were huge

The May 2017 contract review led to an £845m provision being made. Of this, £375m related to the UK and £400m related to Canada and Middle East, particularly in Oman and Qatar. The Qatar contract alone owed £200m.

In total Carillion wrote £1.1bn off against its contracts, including £215m related to service contracts. In 2017, net debt increased by £850m, £1.1bn higher than expected. It used £834m working capital (of which £371m related to 9 construction contracts). Average net debt was £886m. It then projected1 to use another £234m working capital in 2018 and 2019, including £325m related to nine construction contracts. On top of this, it planned for another £131m cash restructuring cash costs in 2017-19.

Carillion ran out of cash and debt facilities

Carillion tended to focus on ‘cash conversion’, ie underlying cash inflow from operations divided by underlying cash from operations. This seems a strangely static snapshot view for a business based around long-term contracts with complex cash flows. The ‘cash conversion’ over the three years to 2016 was 119%, 104% and 117%, appearing to show a healthy cash generation. But year-end net debt was actually flat over that period at £219m. Underlying cash from operations of course excludes all the bad news; pension top-ups, non-recurring items, interest, tax and capital expenditure.

Reducing net debt was stated as being a key objective in the 2016 annual report, but the amount of net debt wasn’t then given as one of its 14 key performance indicators. Furthermore, focusing on year-end net debt was of little value when you realise that average net debt was more than double this.

In the 2016 annual report, debt facilities were stated as £1.4bn. With only £85m to mature in 2017 and additional funding secured after the start of the year, facilities should have been still around £1.4bn when Carillion went into compulsory liquidation. On 30 June 2017, Carillion had net debt of £571m. We now know1 that average net debt during 2017 was £886m. In December 2017, it announced8 that it had got agreement to defer covenant testing (probably net debt to Ebitda) until April 2018, suggesting that it was at least close to breaching them. Net debt actually rose by £791m in 2017, driven by £834m of working capital outflow.

Using nearly £800m of cash on top of a year start net debt of £200m, would imply a year-end net borrowing of about £1bn, against £1.4bn of facilities. If you add the cash outflow to the 2016 average net debt of £587m, this suggests a pro-forma average debt of £1.4bn. It therefore is easy to imagine that their peak debt outran their facilities of £1.4bn. The fact that the average net debt at £886m was so much lower than this implies that there was a serious ‘run’ on working capital towards the end of the year.

So what lessons are there for reporting from the collapse of Carillion?

Companies should be more balanced in writing about themselves

The Strategic Report must, by law, contain a fair, balanced and comprehensive analysis of the company’s development, performance and financial position.

I suspect that there is a growing practice of annual reports being written by professional writers, thereby becoming increasingly an arm of the PR/communication industry. Carillion’s text in its annual report boasts about pretty much every aspect of their business. This is little different to most annual reports. But in Carillion’s case, ex-directors are now making statements that do not sit comfortably with what the board wrote so recently in the annual report.

An annual report is never going to be an impartial review. What organisations, including regulators and politicians, ever write impartial reviews of their own performance? This is difficult to legislate for, but it may be appropriate to hold directors to account if something goes seriously wrong that is not discussed as a risk in the annual report.

Discussion of risks needs to be integrated into the whole report

The risk section in the annual report is of little use. Carillion is typical in that it lists ‘top’ risks and then gives mere platitudes about mitigation. The mitigation section gives no feel of the real risk, or the ability to avoid or reduce the impact of the risk occurrence. As is standard practice, its declared risks are listed together in a few tedious pages. There is insufficient information for the reader to become better informed, even if bothered to read the whole thing.

The key to risk management is to integrate it into decision-making, not ghettoised as a separate activity or schedule. Annual reports would be much more informative if they tackled each risk together with the relevant business activity or segment. For example, the section on construction contracts could have had a discussion of their inherent risks. At the very least, every risk should have a discussion of how the company reduces the chance of the risk happening (“avoidance”), how it will know when things are going wrong (“detection”); and how it would react if the risk did crystallise (“mitigation”)9. Risks also require numeric quantification as well as words.

Cash needs to be taken even more seriously

Carillion’s use of cash conversion (underlying operating cash flow/underlying operating profit) was not fit for purpose. It excluded too many cash items and did not reflect the complex cash flows of its long-term contracts. It’s impossible to define a single cash metric for all businesses, but companies should think hard about how to communicate cash effects. Carillion could have shown segmental cash flow and return on capital. This might have provided some warning about the cash flow characteristics that eventually proved fatal.

There is far too much emphasis on year-end cash. Businesses fail when their peak cash usage breaks through facilities. Companies should be more explicit about average and peak debt, and explain why if this differs significantly from year-end levels.

The viability statement was introduced to give some comfort on future cash flows and debt over a period longer than a year. Regulators have tended to fixate on the length of the look forward, but actually this misses the point. As a result, half of Carillion’s viability statement6 is justifying its looking forward only three years. But this business didn’t start to deteriorate years later. It apparently started the month after annual report stated6;

“On the basis of both reasonably probable and more extreme downside scenarios, the Directors believe that they have a reasonable expectation that the Company will be able to continue in operation and meet its liabilities as they fall due over the three-year period of their assessment.”

It’s clear that without some quantification of the assumptions made and scenarios tested, the viability statement assurance is of very limited value.


The Carillion annual report is a very typical one, glossy smooth talk and adhering to the rules, regulations and corporate governance requirements. However, it is also an example of the inadequacies of such reports. It fails to convey adequately the risks that the business was running, its volatile working capital and long-term working cash flows.

Some changes that would help in reporting are;

  1. Companies need to more balanced about their company, talking about downsides as well as the wonders. Boards should take back writing and editorial rights from copywriters.
  2. Strategy and segmental performance sections should discuss risks, cash flow, and capital employed. The current risk section should be broken up and risks tackled in the relevant section of the body of the report.
  3. Discussion of the risk appetite should be integrated into the strategy section.
  4. Discussions of risks need to be more detailed, covering at least avoidance, detection and mitigation, with numeric quantification.
  5. The going concern and viability reviews should require more detail and quantification of how they have been stress tested.

This isn’t just about the annual report. This would also help to focus board discussions and potentially alert directors to looming issues. Risk management has to be a major part of every management and board discussion, not just a periodic review by a committee and internal audit.


1 Carillion Business Plan January 2018

2 Business, Energy and Industrial Strategy and Work and Pensions Committees; Oral evidence: Carillion, HC 769, Tuesday 6 February 2017

3 RNS issued 3 May 2017

4 Trading Statement 10 July 2017

5 The FRC has opened an investigation in relation to KPMG’s audit of the financial statements of Carillion plc. The investigation will cover the years ended 31 December 2014, 2015 and 2016, and additional audit work carried out during 2017.

6 Carillion Annual Report 2016, published March 2017

7 Carillion Interim Results 29 September 2017

8 Carillion RNS statement 22 December 2017

9 This methodology for reviewing risks is discussed in my blog