Yet again, issues have arisen with respect to the quality ot external auditors' work. This article on Deloitte reported that the PCAOB found deficiencies in 45% of inspected audits performed by that firm. Previous inspections found issues with audits by Ernst & Young (deficiencies in 20% of the audits inspected), PwC (29%), and KPMG (23%).
The work of the external auditors has also been questioned in some of the recent publicized failures, like Olympus and MF Global.
Now, one big problem with the PCAOB report is that they don't indicate the severity of the deficiencies they found. We have to wonder whether these were trivial or so substantial that the auditor's opinion may have been incorrect. Personally, I have to doubt that the deficiencies were of such magnitude.
But, that still leaves us with the question of how to protect the company from the risk of a bad audit.
I don't think the answer is waiting for the SEC to take action. Frankly, I am not persuaded that the actions they propose (such as auditor rotation) are the best.
I suggest that we should look at the quality of oversight by the audit committee.
Does the audit committee ask penetrating questions of the external auditor to ensure the audit team have the appropriate skills and experience to be effective?
Does the audit committee ask management and the auditor partner questions about information flow, coordination, etc. to ensure they are appropriate? Does the auditor notify management of its plans so that information can be prepared for audit without disrupting operations? A quality audit depends on the availability of key management personnel, who will not want to be taken away from closing deals at the end of the quarter.
Does the audit committee hold the external auditors to task, ensuring they focus on what matters?
Does the audit committee make sure the external auditor takes advantage of the knowledge and insights of the internal auditor (and that doesn't mean using his staff — it means listening to his views on risks and controls).
Does the audit committee review the external auditor's risk assessment to ensure it covers all key areas, including risk culture?
Does the audit committee have a rigorous assessment process in place?
I welcome your views.