The audit committee of the board has oversight responsibilities for the external auditor: their appointment and compensation. With this comes the responsibility to ensure they perform a quality audit, and to fire them if they don't.
I wrote about this in an earlier post, where I referenced a report that the PCAOB found deficiencies in 45% of the audits they inspected that were performed by Deloitte, and 29%, 23%, and 20% in those performed by PwC, KPMG, and EY respectively.
I suggested that the audit committee should provide improved oversight of the external auditor, listing 6 questions to ask.
You don't read many reports of audit firms being fired by the audit committee for poor audits except where there has been a misstatement, financial statement fraud, or other public situation. In my experience, audit committees are passive in their oversight. They are reluctant, even if able, to ask penetrating questions, demand performance, and discipline the partner and/or the firm where necessary.
Most often, the initiative comes from a frustrated management team — hardly the best check on the independence of the auditor, even if it is a good source of insight into their quality.
I believe the audit committee should have the ability and the will to provide effective oversight of the external auditor, and that may mean that they have to strengthen their composition with experts — such as retired CAEs (hint) — who can do the job. I refer to retired CAEs because retired CPA firm partners may be seen to be (if not in practice are) members of the same club as the audit firm.
Possible disciplinary actions for poor performance are many, including termination, replacement of the lead partner, reduction in fees (e.g., not paying for unnecessary or unsatisfactory work), or removal of other partners or managers.
Changing the focus...
The audit committee is also responsible for the quality performance of the internal auditor. After all, the CAE should (and generally does) report functionally to the audit committee and (only) administratively to a senior member of the management team.
With this functional responsibility comes the responsibility to decide whether the CAE's performance is acceptable and whether he should be replaced.
Yet, it is rare to hear that the audit committee has initiated the termination of the CAE. It is always management that presses for termination and the audit committee that goes along with it.
Is this right?
I believe, and have said in other posts, that the failure of internal audit leaders to provide formal assessments of the condition of risk, governance, and related control processes is because the audit committees of this world are not demanding them. (Although the numbers are growing, the number of CAEs providing formal assessments is still low).
Again, I believe audit committees have been passive. They may endorse proposals for upgrading internal audit from the CAE, and they will generally accept strong management proposals — including the replacement of the CAE, the hiring of a CAE that suits the CFO's plans to rotate people out of the CAE position into his leadership team, or cuts to the internal audit budget. They may support the CAE so he can retain his budget or position in the face of management opposition, but this is unfortunately infrequent.
However, they rarely initiate actions themselves.
In the same way that audit committees need to be willing and able to provide effective oversight of the external auditor, they need to be willing and able to provide effective oversight of the internal auditor.
They should know what the internal audit function should be able to provide in terms of both assurance and consulting services. They should know that the function should be helping the organization succeed, and not just throwing audit findings over the wall for management to fix.
They should know whether the internal audit function is performing at an acceptable level, achieving its potential: valuable assurance that helps the board and executive management sleep through the night, reasonably confident that risks are being maintained within acceptable levels by effective processes, people, organizations, and systems, and providing consulting services that make an appreciable difference to the success of the organization.
I welcome your comments and opinions. The opinions I express here are my own and may not reflect those of The IIA.