.jpg)
Transparently collaborated with guest writers Bob Conway and Joe Howie in a series of op-eds on audit quality and regulatory capture. In his second piece, Joe examines how business models built around bundled services, aggressive growth, and missing accountability can quietly transfer firm risk to the investors that rely on their work. He argues that structural incentives can be misaligned in ways no policy refresh will fix.
Neither author was paid to write for us and their views are their own.
In our series:
SEC Focus on capital formation comes at the expense of investor protection
SEC, PCAOB fall victim to regulatory capture: Lessons learned
Can audit committees be counted on to protect investors?
Are the Big Four failing public trust? A culture of silence
Joe Howie, United States –For years, the large accounting firms have defended the bundling of audit, tax and consulting services as proof of capability. But it is also a source of structural conflict.
If culture helps explain why audits fail, the business model helps explain why those failures repeat. Increasingly, the risks created by that model are not borne by the firms themselves - they are quietly transferred to the investors who rely on their work.
Risk is quietly exported
Investors are not naïve. They know audits are not guarantees. But they are entitled to rely on what auditors explicitly represent: that their work was performed independently and in accordance with professional and regulatory standards - in the opinion itself and in transparency reports that surround it.
And their reliance is not merely moral, it is increasingly reinforced as a matter of law. The US Supreme Court recently declined to disturb a decision recognizing that an auditor’s certification of compliance with PCAOB standards “conveys important information” to reasonable investors and can be material even without proof of a specific accounting error.
When firms pursue aggressive growth without proportionate investment in acceptance discipline, staffing and oversight, they are not absorbing the additional risk themselves. They are transferring it to the investors who rely on their opinions — without providing any visibility into the change in risk investors are being forced to bear.
Accepting higher-risk clients without enhanced procedures, reducing staffing to meet overly aspirational internal targets, or applying a “soft touch” to troubling allegations all increase the likelihood of failure. Failure to properly investigate credible NOCLAR (non-compliance with laws and regulations) allegations - whether during client acceptance or during the audit itself — is another acute example of how investors can be left exposed when skepticism weakens.
In extreme cases, the gap between what firms assert publicly and what they do internally raises uncomfortable questions about knowing misrepresentation by firm leadership.
Two cultures, two outcomes
In healthy audit cultures, bad news travels quickly. Concerns are escalated, skepticism is expected, and leaders earn credibility by walking away from unacceptable risk.
Failure-producing cultures invert those incentives. When protecting revenue becomes the unspoken priority, skepticism becomes a “relationship problem”, difficult questions are labelled unhelpful, and those who preserve the client relationship are rewarded - until the inevitable failure arrives.
Behavioral science calls this normalization of deviance: gradual acceptance of unacceptable practices until catastrophe becomes inevitable.
Cultural weaknesses do not stop at today’s audits. As firms increasingly develop and deploy AI and other technologies that will shape audit judgments, the same incentives and values embedded in the organization will shape those tools. If a firm struggles to apply skepticism and ethical discipline today, investors should reasonably ask whether those principles will be reliably embedded in the technologies it builds for tomorrow.
The company you keep
Client acceptance is the first ethical decision of every audit. Best-in-class firms assess integrity, independence threats, evidence availability, and reputational risk, addressing not only “can we” but “should we”. Failure-producing cultures treat acceptance as a sales decision with documentation.
Charlie Munger captured the danger bluntly: “If you mix raisins with turds, they’re still turds.”
When firms retain clients with significant integrity uncertainty who they cannot credibly audit while continuing to sell the assurance of their brand, risk assessments become distorted, procedures are mis-scoped, and clean opinions become misleading. The damage spreads beyond the individual engagement. Teams will use these problematic clients as a benchmark to calibrate their sense of acceptable risk elsewhere in the portfolio - if we accepted that, then this must be fine, if that is medium risk, then this must be low. Quickly, the firm loses its grip on the real risks it carries.
More troubling still, public data indicates that more than one Big Four firm has recently audited companies listed on US or foreign exchanges that have had — and in some cases may still have — publicly documented links to organized criminal networks involved in human trafficking, narcotics distribution, large-scale online fraud, sanctions evasion and money laundering.
For firms entrusted with safeguarding public capital markets, lending the credibility of an audit opinion to such enterprises is professionally and morally indefensible. When leadership is aware of such risks — past or present — the failure is no longer technical — it represents one of the most extreme expressions of a culture that has abandoned its ethical responsibilities.
At that point, the gatekeeper function has already failed. The audit opinion no longer functions as a safeguard for investors; it becomes a signal of credibility that markets may rely on, unaware of the risks behind it.
When consulting eats assurance
Yes, audits require specialists: tax, IT, valuation, data, forensics. The “multidisciplinary” model is often justified as a way to bring specialist expertise into audits. In practice, it can also create powerful commercial incentives that broadly weaken audit governance inside the firm.
Leaders who rose from non-audit businesses may import a mindset where the auditor is subtly pressured to “keep the client happy”. Applying consulting-style metrics and approach to audit practices can carry serious consequences that compound behind the scenes.
For example, firms that aggressively pursue revenue growth while suppressing the requisite increase in audit partner headcount become structurally short on oversight capacity, a root cause of failure. Partners become overburdened by their books of business, with insufficient time to review and supervise the work beneath them. Further, firm monitoring functions become understaffed. Goals designed without regard for audit complexity or quality simply displace professional obligations. No explicit directive is required - incentives realign behaviour organically.
The same misalignment occurs when firms reallocate capital from the assurance practice to fund expansion of other service lines, like acquisitions of consulting businesses and people while deferring investment in people, systems, and infrastructure that audits depend on. The longer that maintenance is deferred, the more serious the cumulative effect - and the less visible it remains until something breaks.
This dynamic is likely to intensify as transactions with private equity or IPOs of parts of professional services firms grow, creating pressure to optimize short-term metrics leading up to marketing time, with consequences that surface only after the sale.
Transparency or illusion
Healthy audit cultures communicate plainly, even when the facts are uncomfortable. But in weaker cultures, communication becomes narrative management. “Telling our story” turns into a euphemism for selective and often misleading disclosure.
A firm may announce a tougher client-acceptance framework while quietly allowing risk scores to be understated so escalation thresholds are never triggered and to lessen the chance of inspection. It may declare “transformational” improvements in IT auditing while operating with chronic shortages of specialists and relying on “auditing around” systems rather than testing them directly. Firms may even take comfort in the reality that regulatory oversight teams themselves often lack sufficient specialty resources, such as to inspect IT audit work, lowering the perceived likelihood that deficiencies will be detected.
Firms may cite internal inspection results as evidence of quality without always explaining how those inspections were designed or what limitations were imposed.
In such environments, optics replace substance. The result is not transparency but theatre - a reassuring performance for regulators and investors while noncompliance and the real risks accumulate offstage.
When legal strategy overrides judgment
Lawyers play an essential role in compliance and litigation management. But professional standards are clear: auditors may not subordinate their judgement to management, firm leadership or counsel.
In compromised cultures, legal strategy can instead become a tool to narrow investigations, limit documentation, avoid discovering facts that might require revisiting past audits or positions or increase exposure in active litigation or regulatory investigations. When legal defensibility becomes the objective, independent assurance risks being replaced with paperwork for a future defence.
Internal investigations of whistleblower concerns can sometimes be structured too narrowly — focusing on limiting exposure rather than fully examining the underlying issues. When key witnesses or relevant evidence are overlooked, prior, connected allegations are ignored, or irrefutable evidence, such as recordings of senior management involved in unethical behavior, are dismissed, the motivations behind the firm’s investigation process can come into question.
Ethical firms use counsel to navigate risk while fulfilling obligations; compromised ones use counsel to pressure undisclosed settlements, or perfect defensibility, all in attempts to limit liability irrespective of the truth.
Actions designed to withstand litigation are not necessarily designed to protect investors.
The market eventually responds
Reputation in this profession is built over decades and damaged faster than most firms expect.
Ernst & Young’s recent loss of the Shell audit — reportedly worth about $66mn annually — following independence failures is instructive not only for the scale of the loss but for what preceded it. EY’s Global Leadership had been warned about deficiencies in independence systems and processes well before the breach.
Firms with an extensive history of violations raise questions about commitment to compliance. More troubling thoughts emerge:
- Was there an intentional trade-off accepted between the risk of getting caught with related fines vs. increased revenue from impermissible business that may not be discovered?
- Were they increasing their “speed to market” and avoiding costs and client frustrations from slowdowns in onboarding new work that more fulsome checks and compliance might require?
Observable losses today are only part of the total cost of high-profile violations. Potential clients may never call or may avoid involvement with a firm they believe is distracted by controversy. Top recruits may look elsewhere. Regulators may intensify scrutiny. Collective cost mounts. Reputation, once damaged, cannot be repaired overnight through public platitudes.
A warning and a choice
A 2025 Senate Permanent Subcommittee report on bank audit failures by KPMG carried a blunt title: “THIS INDUSTRY IS A JOKE.” It cited patterns of willful blindness and questioned whether oversight mechanisms had been compromised. It called out the whole industry, not just one firm.
You could dispute the report’s conclusions but you cannot ignore what it signals: that patience with the profession’s record is thinning, and that explanations of failures as isolated are no longer being accepted at face value.
Audit firms still have enormous capacity for good. The profession still attracts people of genuine integrity, though they survive in greater numbers at some firms than others. But restoring public trust will not come from renewed commitments to quality, catchy slogans or incremental reforms. It requires cultures that align incentives, accountability, and professional purpose. It requires attaching real consequences to leadership behavior when they veer off mission.
For those with authority to change outcomes - regulators, boards, audit committees, and principled partners - the initial steps are straightforward:
- Make ethical culture a priority — through actions, not statements — and hold peer firms to the same standard
- Attach real consequences to leadership failures on ethics and quality
- Protect those who raise concerns or voice dissenting views
- Refuse clients linked to criminal groups and anywhere integrity cannot be confirmed
- Stop allowing legal strategy to override professional duty
For firms where denial, retaliation, or “defensibility” have become normalized: consider this a warning. Markets, regulators, and audit committees will become increasingly unwilling to support firms that enrich themselves by falsely assuming the role of auditor while taking the trust the public places in them for granted.
If a firm cannot consistently demonstrate that its incentives align with its public-interest mandate, it cannot credibly judge the integrity of its client.
The real question is no longer whether another significant failure will occur. It is which firms are both fully committed to the profession and willing to take the necessary steps to ensure the next scandal is not theirs.
.jpg)
