by angus-prune 1163 days ago
The current problem is that the incentives are all wrong.

It is the company being audited that gives the auditors the business. It's not in the interests of a dodgy company to appoint a good auditor, and it's not actually in the auditors' (short-term) interest to uncover wrongdoing as it just means they'd lose a client.

My proposal is that you require every company to have insurance to cover the risks, making the insurers fully liable for fraud (and any other business risk that audits protect against).

Companies then don't appoint their own auditors, but the insurers do. It's in the insurers' interest to make sure that any audit is effective as they're on the hook for any liability the audit misses.

This way the incentives for the auditors are aligned with the interests of the people relying on the audit (shareholders, customers, suppliers).

2 comments

There was something like this with bonds pre 2008 but it didn’t work out like you suggest.

Rating agencies were, and are, paid by bond issuers and rated a bunch of synthetic real estate backed bonds as very safe. But then on top of that, certain of these bonds were insured, notably by AIG. However, AIG just rubber stamped the ratings and ended up going bankrupt when the crisis hit.

The real mismatch of incentives is one layer deeper than your comment suggests. An insurance company CEO can do very well for himself underpricing insurance. The business grows as premiums roll in and he collects a bunch of bonuses. When the SHTF he could just resign and collect his golden parachute.

Who audits the auditors? The insurance company also needs its risks assessed independently.

The Maltese gambling regulator did something like this back in 2016. While the idea is good (and I support the practice in principle), it was a dismal failure in aggregate. Devil's in the details.

The regulator pre-negotiated approved rates and vetted a bunch of companies, all of which had to have a presence in Malta. The audit reports have to be turned in by mid-June, IIRC, and they can't really start until the accounts for the previous year have been finalised. So in practice the audits must take place between late February and mid-May. At the time the entire nation of Malta had about 450k people in total, and each audit blocks two accredited people for approximately three weeks.

Turns out there are a lot of gambling companies registered in Malta, and each pair of auditors could only process 5-6 companies within the allotted time. The country would have run out of auditors ... so they licensed a whole lot of local smaller shops as accredited gambling auditors to make up the numbers. Many of whom did not have the technical knowledge to actually even assess, let alone understand the businesses they were assigned to.

And I can say this from painful experience: there is real value having the same team of auditors for 2-3 years running. They will get to know how your company operates, and any good ones will figure out entirely new questions to ask you from year to year. By all means, be an adversarial assessor, but at least please be clued in.

Disclosure: on the receiving end as a key person in technical audits since 2015.