Audit Committees Should Discipline the Auditors More Often

Norman Marks, CRMA, CPA, was a chief audit executive and chief risk officer at major global corporations for more than 20 years. The views expressed in this blog are his personal views and may not represent those of The IIA.

 

The audit committee of the board has oversight responsibilities for the external auditor: their appointment and compensation. With this comes the responsibility to ensure they perform a quality audit, and to fire them if they don’t.

I wrote about this in an earlier post, where I referenced a report that the PCAOB found deficiencies in 45% of the audits they inspected that were performed by Deloitte, and 29%, 23%, and 20% in those performed by PwC, KPMG, and EY respectively.

I suggested that the audit committee should provide improved oversight of the external auditor, listing 6 questions to ask.

You don’t read many reports of audit firms being fired by the audit committee for poor audits except where there has been a misstatement, financial statement fraud, or other public situation. In my experience, audit committees are passive in their oversight. They are reluctant, even if able, to ask penetrating questions, demand performance, and discipline the partner and/or the firm where necessary.

Most often, the initiative comes from a frustrated management team — hardly the best check on the independence of the auditor, even if it is a good source of insight into their quality.

I believe the audit committee should have the ability and the will to provide effective oversight of the external auditor, and that may mean that they have to strengthen its composition with experts — such as retired CAEs (hint) — that can do the job. I refer to retired CAEs because retired CPA firm partners may be seen to be (if not in practice are) members of the same club as the audit firm.

Possible disciplinary actions for poor performance are many, including termination, replacement of the lead partner, reduction in fees (e.g., not paying for unnecessary or unsatisfactory work), or removal of other partners or managers.

Changing the focus…………………………..

The audit committee is also responsible for the quality performance of the internal auditor. After all, the CAE should (and generally does) report functionally to the audit committee and (only) administratively to a senior member of the management team.

With this functional responsibility comes the responsibility to decide whether the CAE’s performance is acceptable and whether he should be replaced.

Yet, it is rare to hear that the audit committee has initiated the termination of the CAE. It is always management that presses for termination and the audit committee that goes along with it.

Is this right?

I believe, and have said in other posts, that the failure of internal audit leaders to provide formal assessments of the condition of risk, governance, and related control processes is because the audit committees of this world are not demanding them. (Although the numbers are growing, the number of CAEs providing formal assessments is still low).

Again, I believe audit committees have been passive. They may endorse proposals for upgrading internal audit from the CAE, and they will generally accept strong management proposals — including not only the replacement of the CAE, the hiring of a CAE that suits the CFO’s plans to rotate people out of the CAE position into his leadership team, or to cut the internal audit budget. They may support the CAE so he can retain his budget or position in the face of management opposition, but this is unfortunately infrequent.

However, they rarely initiate actions themselves.

In the same way that audit committees need to be willing and able to provide effective oversight of the external auditor, they need to be willing and able to provide effective oversight of the internal auditor.

They should know what the internal audit function should be able to provide in terms of both assurance and consulting services. They should know that the function should be helping the organization succeed, and not just throwing audit findings over the wall for management to fix.

They should know whether the internal audit function is performing at an acceptable level, achieving its potential: valuable assurance that helps the board and executive management sleep through the night, reasonably confident that risks are being maintained within acceptable levels by effective processes, people, organizations, and systems, and providing consulting services that make an appreciable difference to the success of the organization.

I welcome your comments and opinions. The opinions I express here are my own and may not reflect those of The IIA.

Posted on Oct 7, 2013 by Norman Marks

Share This Article:    

  1.  FYI, this post was triggered by a discussion I had last week with an audit committee member (who also has chaired the committee). He is so frustrated with the lack of valuable performance by internal auditors that he tries to get rid of the function! His view is that they fail to address what really matters to an organization, fail to help solve problems, and have little real value.

  1.  from my experience it all boils down to the quality of the audit committee members themselves. Its about quality hiring process

  1. Whatever urguement is put foward for an oversight responsibilities, the truth remains - all governance pillars - Senior Management, Board and its committees, external auditors and internal auditors MUST be doing the right things to the organsation very well and NOT doing things righly. Each of these pillars  have 360 respontsibilities to provide a check and balance of what the other pillars are doing without fear. Each pillar needs to be saying the truth all the time on any significant matters that affect the assurance process (management and audit) and oversight roles of those who are charged with the governance.

    I am aware of well balanced politics going on in many organisations which leaves poor auditors becoming irresponsive and marginalised to the extent that  their values are never seen on the Board rooms or when they are closer to realities are being explained away along with the  urguement of  not having value to an organisation.

    We should also be careful with varied ways and  styles in the communication of many CAEs and external auditors firm throught their partners and how they fact in the responses and support from the Audit Committees and Board on any sensistive issues they come across during their work.

    Let's focus on doing the right things all the time  irregardless of whether you sit in the oversight roles, managament asssurance or audit assurance section of the governance platform.

    Many audit committtees are letting us (Internal auditors and external auditors down ). They often setlle for very little.

    This is all I can say at the moment.

  1. Many boards, including audit committees, tend to be made up of current and former CEOs and heads of operations.  They are likely not even the best individuals to evaluate the audit functions in their own companies, let alone another.  The use of former audit parters on audit committees, as you point out, is probably not the ideal since they may be invested in supporting their own profession.  The audit committee member you cite in your comment is the perfect example.  How much of his criticism relates to his own failure to provide oversight over the internal audit work plan and/or find a CAE to execute it?  If he would rather avoid internal audit than address it, does he just see his job as being there to approve the external auditor's annual fee increase to match the incremental value they must be bringing to the organization each year? 

  1. I agree wholeheartedly with Mr. Marks; everyone involved in governance should relentlessly pursue clarity over agreement - including, and especially, with one's own performance.  There is no such thing as perfection; but, at least with clarity, a group understands where individuals stand on the issues of the day - and then agree on areas of common interest. 

    Marks illustrates the next hot button with corporate governance:  what truly happens inside the boardroom?

  1. First,internal audit "barks at wrong tree" when management or board does not share key strategic objectives and plans with them. Such internal audit is not risk based and can not provide positive assurance. Second, not only laying off, but also hiring and retaining internal auditors is audit committee's responsibility. Audit committee (especially not the chairman) should not run from its responsibilities and must set appropriate "tone at the top" for internal auditors.

Leave a Reply