Senate debates

Wednesday, 12 February 2020

Statements by Senators

Banking and Financial Services

12:55 pm

Deborah O'Neill (NSW, Australian Labor Party)

The Parliamentary Joint Committee on Corporations and Financial Services is currently inquiring into the regulation of auditing. I thank the Senate for sanctioning this inquiry but I'm concerned that, despite the seriousness of matters it has uncovered, there is much more work that needs to be done in the interest of Australians who use the financial services of this nation or have superannuation invested in the outcomes of those entities. And I'm concerned that some senators and members are trying to shut down this inquiry.

Much of the material I will put on the record today is exclusively related to the auditor Ernst & Young. I do so because currently there is more public knowledge available about EY than other auditing entities. The evidence we received from EY during the inquiry centred on the approach and quality of a risk management review it performed for the National Australia Bank, an external audit client. They did this under APRA's Prudential Standard CPS 220. Notwithstanding how EY classified the CPS 220 review, EY asserted that it satisfied APRA's operationally independent criteria, regardless of the fact they have been NAB's auditor for 13 years, have a deep knowledge and understanding of NAB operations and are paid over $20 million a year to perform the external audit. We learned that EY adopted what they call a no-surprises approach involving extensive consultation on drafts with NAB executives over several weeks—and, by the way, we know now that EY didn't afford Westpac the same cosy arrangement. EY has denied that it watered down the final report despite the fact that a great proportion of the report failed to reflect serious shortcomings, risks and issues that were documented in EY's own record of interview with NAB executives as well as in its own issues and observations log.

When EY was confronted about the matter during a hearing in Melbourne in December last year, EY provided a perfectly curated and nuanced response in its defence by effectively undermining the probity value of its own working papers used to inform the final report. EY also attempted to downplay the probity value of its own issues and observations log. EY's refusal to respond to and comply with information requests in the form of questions on notice from the committee on the basis they are not related to a statutory audit and are not relevant to the terms of reference highlight that EY and government members and senators continue to assert a misrepresentation that the inquiry exclusively focuses on statutory audit. In fact, the terms of reference are clearly much broader and include 'the relationship between auditing and consulting services and potential conflicts of interests', 'other potential conflicts of interests' and 'any related matter'.

As an example on the matter of conflicts of interest, it's been reported that EY pursued the renewal of its role on ANZ's internal audit panel for a further three years. It's also reported that EY's proposal to ANZ acknowledged the significant amount of work that it performs across ANZ—in particular in the area of cybersecurity. It acknowledges the conflicts associated with EY sitting on the panel, given the real risk of EY revealing its own work, but it still advanced the proposal to do the work.

In addition, I've recently been made aware that EY officers on the internal audit team may not realise that they're reviewing EY's own work which has been implemented across ANZ. Much of the work being done by EY is not branded as EY work. For example, where documents or templates are branded 'ANZ' or not branded at all, it follows then that the layers of EY officers have no idea where they performed work across ANZ previously. This entirely compromises professional standards and the core requirement of independence that is so vital to performing a quality internal audit that supports ANZ's own three lines of risk defence model and the mandate of its own board audit committee.

Furthermore, when they are not embedded in ANZ premises, inadvertently and unknowingly using and internally auditing a colleague's work, it's foolhardy to believe that so-called Chinese walls at the offices of EY are effective. It has come to my knowledge from a range of sources that there are significant risks associated with EY's own workplace arrangements, including the fact that the assurance team—including external audit—and the advisory team occupy the same floor in EY's Melbourne office. It's not known to any external body if that situation is replicated across the entire company or indeed the sector. There is no regulation about this; there is only the articulation of policies which are not subject to inspection, report or disciplinary action.

EY has a hot-desking arrangement with no physical or logical segregation of duties, allowing officers and partners to roam freely between and across floors, thus increasing the risk of insider trading through interactions with the transaction services team. There are meeting rooms that are not soundproof and conversations that can clearly be overheard. Partners move between audit and assurance engagements freely, in and out of work environments. Failures of this type, culturally, make a mockery of the consultancy businesses of EY and activities where it gets paid to advise clients on the risk controls that they should take.

I also have serious concerns about the lack of understanding the public has and the lack of access to information about the nature and risks associated with the use of managed services by major corporate entities. Going back to our EY case study: large-scale managed services such as the cybersecurity management services that EY provides to ANZ, CBA and IAG are worth tens of millions of dollars a year in fees. I understand that this is a growing part of the EY business. The more banks and other large corporate entities embed audit company consultants on a managed service basis, the more boards are at risk of being unable to have oversight of the activities for which they are accountable by virtue of their sheer size. Do the corporate boards who materially rely on audit company consultants to deliver outsourced work vital to the bank and its customers, let alone its own shareholders, know the answer to the following questions—this is for ANZ, CBA and IAG board members and the CEOs? Do they know to what extent EY relies on external third parties, whether onshore or offshore, and the cross-border issues associated with access, transmittal and storage of client data, and whether EY is classified as a material outsourced provider within the APRA Prudential Standard CPS 231? If so, do they comply with the standards for outsourcing, which would require ongoing performance reviews, and surveillance and monitoring of EY performance, given the serious risk to the stability and integrity of Australia's financial system and the supply chain if it fails, or does it escape these requirements by flying under the radar? Does the board know what controls EY has implemented to ensure it doesn't fail, bearing in mind the attrition rate for its advisory practices has reportedly been as high as 30 per cent? Does the board know how EY and other service providers would exit from a managed service without it causing disruption, given the material reliance the client—ANZ, CBA and IAG—would have on EY providing the services?

I'm advised that clients who subscribe to cybersecurity management services typically do so in place of developing their own internal capability. This allows them to hide resource numbers from the annual reports, potentially appeasing analysts and buoying the share price. This lack of transparency prevents investors from being fully informed of the true effort and investment required to sustain vital back-of-house services, and of course outsourcing does not allow the shareholders adequate detailed access to data about the risk profile of the operations. To the best of my knowledge, there is no register to enable interested investors or superannuation companies investing for millions of Australians to see who EY have acquired, or plan to acquire, and whether this has led or will lead to a substantial lessening of competition.

There is so much more that needs to be said. I've cut short my remarks today to comply with the time constraints, but, in doing so, I remind those listening and the Senate that EY is just one of the four major companies that are vital in providing auditing services and a range of other services to entities in our corporate structure across the country.

There is plenty more to be said, much of it, sadly, coming from people who are despairing at the collapse in standards around auditing, people who are too frightened to go to ASIC even to blow the whistle, for fear of retribution. I will not let this rest. I urge the Senate to give serious consideration to my motion this afternoon for an extension of the date for this inquiry to continue its important work.