A Wake-up Call for Audit Committees
Norman Marks, CRMA, CPA, is a vice president for SAP and has been a chief audit executive and chief risk officer at major global corporations for more than 20 years.
An article in Compliance Week, PwC Takes Hit in Latest Inspection, Asks PCAOB to Act, should be mandatory reading for every audit committee, whether they have PwC as their auditor or not.
This excerpt from the piece should sound an alarm:
“The 2011 inspection of PwC took a close look at 60 audits, plus three additional audits where the firm played a critical role but didn't issue the final audit report. Inspectors found fault with 26 audits, or 41 percent, including three cases where issuers restated their financial results or announced their intention to do so after the inspection, according to the report. Last year (PDF), PwC saw 37 percent of its audits called out for problems by PCAOB inspectors.”
While PwC can try to transfer the blame to the PCAOB and ask for better standards, presumably so they have better rules and have to rely less on judgment, it is clear that too many audits lack quality.
This, the risk of a poor audit, is something that audit committees should be very concerned about. After all, they are responsible for oversight of the external auditor.
What should they do? The first step is to recognize that this is a potential problem and that the audit committee cannot assume, because the lead audit partner demonstrates confidence, even arrogance on occasion, that his team will perform a quality audit.
The members should probe the quality and experience of the audit team, especially whether the PCAOB has inspected any of their clients. I would insist that they report on whether any of the clients of the audit partners or managers had been inspected in the last three years, what the results were, and what actions were taken in response. I would go further and insist on information about the firm’s own quality inspections of their clients.
I believe that audit committees should now consider themselves on notice that bad audits happen and they have a responsibility to address that risk at their company.
Some years ago, at one of my first audit committee meetings at Tosco (where I led internal audit), the audit committee asked the audit partner about reports of significant legal settlements and the firm’s continued ability to serve as the company’s auditor. The audit partner said that she had spoken to her firm’s leadership: she could assure the committee that the firm had sufficient capital and its continued viability was not in question. The CEO (Tom O’Malley, one of the sharpest people I have had the privilege of working with) turned to her and observed that she was asking the company to trust her. He asked “would you accept a response like that from your client?” Let’s just say that at the next meeting, a very senior firm partner attended and provided the details and assurance the audit committee and the CEO needed.
The audit committee should demonstrate similar skepticism about the skills, experience, and quality of the audit team. They should ask penetrating questions and probe the results of inspections and quality reviews — until they are satisfied that they have a team they can trust to perform.
I welcome your views and comments.
Other reference material:
- Deloitte (US) inspection report (December 2011) (PDF)
- Ernst & Young (US) inspection report (November 2011) (PDF)
- KPMG (US) inspection report (August 2012) (PDF)
- PwC (US) inspection report (September 2012) (PDF)
Posted on Nov 14, 2012 by Norman Marks
Entries
Norman:
Thanks for raising a very important issue. Historically audit committees have taken great comfort in the fact the firm is using a big 4, big 6 firm and, unfortunately, not always been as probing as they could/should to determine if they are getting a quality audit. In some cases the blame is shared as some companies go for the lowest cost proposal. In the "old days" some of these were "loss leaders" to allow access to more lucrative consulting work. (e.g. Enron) Today some companies are still getting the "C team" on their audits, including partners with significant track records of restatements.
Audit failure has been around for as long as audits have been performed. Unfortunately, for a variety of reasons, there hasn't been much rigorous analysis of root causes of audit failure. Today when an audit fails on a public company it fails on two levels. Level one is the external auditor's assessment of control using COSO 92. The approach used today does not identify the account balances with the highest residual risk status. Level two is the substantive audit of account balances. There is a desperate need for rigorous analysis of root cause of failure at both levels. I don't believe this has been done or if it is being done it is being done behind closed doors which doesn't help audit committees.
The IIA should take a lead role championing this type of rigorous research and do its best to convince COSO to participate.