Looking back over our posts over the past year or so, we've commented on a number of issues which impact investors' due diligence procedures when thinking about the audit process, the financial statements, and the auditor themselves.
We thought it would be useful to recap on a group of issues which continue to be troubling:
1) And why can't the auditor identify themselves?
Back in November, we commented on the challenge of getting the Big 4 audit firms to admit that they are, actually, the auditor of the fund in question. In the six months since then, practices appear to have standardized: typically, the Big 4 will now provide a form response, but only after the investor has signed an extensive disclaimer letter. The slight snag? The disclaimer is usually so wide ranging that it appears to materially impact the investors' ability to sue the auditor in the event of audit failure (which, of course, is the idea). We advise our clients not to sign it.
As a counterpoint, it is worth noting - and forcefully reminding the Big 4 - that every other auditor on the planet makes the confirmation process smooth and effective. Castle Hall is particularly appreciative of the responsiveness and professionalism of Rothstein Kass each time we make an audit confirmation request. In fact, that reminds me...do I actually need a Big 4 auditor?
2) And it's pretty much the same for SAS 70s..
Unfortunately, the SAS 70 process is pretty much the same - it is becoming increasingly difficult for the end investor to obtain a copy of the SAS 70 document for many administrators. This is, of course, despite the fact that the SAS 70 is now a key marketing point in the admin industry.
It's particularly annoying when the SAS 70 is stated only to available (i) to the auditors of (ii) the administrator's clients, the funds. The first point makes the SAS 70 process seem more than a little self serving, as the auditors give each other work for the sake of it. The second raises the broader issue (and one of our favorite topics) of who exactly is the administrator's client - the fund or the investor?
A particular black mark goes to those administrators who will not provide investors with a copy of the SAS 70 under any circumstances, and insist on providing a summary of the SAS 70...prepared by themselves. And exactly how is the investor supposed to place any reliance on that?
An honorable mention in the hall of shame must go, however, to those administrators who try to charge the costs of their SAS 70 review through to their fund clients as an out of pocket expense. In other words, the admin expects the funds' shareholders' to pay for their own SAS 70.
And no, we still can't see it.
3) Who distributes the financial statements?
While the confirmation issue above is tediously annoying, thinking practically, the risk that a hedge fund simply fabricates a relationship with PwC or KPMG is pretty remote. What is more likely is that a reputable audit firm has been appointed and completes their work...but a manager then elects to change some or all of the financial statements and gives investors a set of fake accounts. As we have said before, a copy of Adobe photoshop only costs $500.
The double irony is that, even with the audit confirmation we discussed above, the auditor does not send the investor the accounts directly. There is, therefore, no way of getting a direct confirmation from the auditor that the accounts in your possession are, in fact, genuine.
One suggestion we have heard would be, in the offshore world at least, for investors to access financial statements direct from the Cayman Monetary Authority (perhaps via a secure website with appropriate authorizations). This would draw on the requirement that the fund auditors must give the Cayman authority a copy of the (genuine) accounts themselves. An excellent idea....Cayman?
As a more immediate solution, we are always anxious to confirm that the fund administrator receives the audited financials direct from the auditor and thereafter sends them to investors. This is a great control - it ensures that the financial statements are authentic, and it also unequivocally confirms the identity of the auditor at the same time.
The snag? While this is crucially important, administrators seem pretty casual about the whole process. Admins are generally happy to do this, but only if a fund asks for this "service", and many admins are certainly far from proactive on this topic. There are some admins, mind you, that don't want to get involved (we came across one admin that had decided, on a related point, that they would not send offering memos to investors.)
In our mind, this is a vital control and should be mandatory for every administrator. Getting the financials from the admin is just as important as ensuring that the investor monthly NAV statements come from the admin and not from the manager.
4) And who is the audit report addressed to?
Another particular bugbear is the obsession of one of the Big 4 audit firms in Cayman to change the addressee of the audit report from "to the board of directors and shareholders" to just "to the board of directors". The objective, of course, is transparent and predictable - the auditor is looking to enhance the concept of privity and assert that the firm only has a relationship with the Board and no relationship - none, never, nada - with the investor.
The irony here - the directors who are now the sole recipient of the audit are usually our rent a director friends who sit on a few hundred other hedge fund boards. And does anyone really think - including the partner at the Big 4 firm signing the opinion - that these guys really have time to read every set of audited financial statements from cover to cover?
One solution here - could the Cayman regulator mandate that the audit opinion must be addressed to the shareholders in order to be meet Cayman requirements? Again, this would be a small change that would send a very helpful, investor friendly signal from this jurisdiction.
5) In fact, do you even have to leave the office?
A final observation reflects what seems to be an emerging trend over the past audit cycle - certain auditors (and certain offices of certain auditors in particular) seem to be adopting a desk fieldwork process. We have recently completed due diligence on a number of funds - albeit usually long short equity - when both the administrator and the manager stated that the audit team had never came on site to do any audit work. All work was done remotely from the auditor's own offices.
Now, aside from the fact that fieldwork is called fieldwork for a reason (er...you're in the field) we see this as a worrying trend. It stands to question that the quality of the audit is not the same if you never look the individual responsible for preparing the accounts in the eye.
As a counterpoint to our observations, we do continue to recognize that the audit process is ever more challenging and that many skilled professionals work incredibly hard, especially during busy season. As just one example, we were recently speaking with the audit partner of a Big 4 firm discussing FIN 48 - a tortuous challenge for the profession.
At the same time, the audit process is critical for investors and we're certainly entitled to ask tough questions - we are "sophisticated", after all.
It's also worth noting that the auditors' ever increasing fees are, of course, borne by the end allocator. We're happy to pay....provided we get good value. Net net, the hedge fund audit profession would certainly be well served to make things a little easier for the person cutting the pay cheque.
Hedge Fund Operational Due Diligence
"Risk Without Reward" is a trademark of Entreprise Castle Hall Alternatives Inc. All rights reserved.