Home > Audit, COSO, GRC, IIA, Sarbanes, SOX > Evaluating the external auditors

Evaluating the external auditors

The Audit Committee Collaboration (six associations or firms, including the National Association of Corporate Directors and NYSE Governance Services) recently published External Auditor Assessment Tool: A Reference for Audit Committees Worldwide.

It’s a good product, useful for audit committees and those who advise them (especially CAEs, CFOs, and general counsel).

The tool includes an overview of the topic, a discussion of important areas to assess (with sample questions for each), and a sample questionnaire to ask management to complete.

However, the document does not talk about the critical need for the audit committee to exercise professional skepticism and ask penetrating questions to test the external audit team’s quality.

Given the publicized failures of the audit firms to detect serious issues (fortunately few, but still too many) – the latest being FIFA (see this in CFO.com) – and the deficiencies continually found by the PCAOB Examiners, audit committees must take this matter seriously.

Let me Illustrate with a story. Some years ago, I joined a global manufacturing company as the head of the internal audit function, with responsibility for the SOX program. I was the first to hold that position; previously, the internal audit function had been outsourced. Within a couple of months, I attended my first audit committee meeting. I informed them that there was an internal control issue that, if not addressed by year-end, might be considered a material weakness in the system of internal control over financial reporting. None of the corporate financial reporting team was a CPA! That included the CFO, the Corporate Controller, and the entire financial reporting team. I told that that, apart from the Asia-Pacific team in Singapore, the only CPAs on staff were me, the Treasurer, and a business unit controller. The deficiency was that, as a result, the financial reporting team relied heavily on the external auditors for technical accounting advice – and this was no longer permitted.

The chairman of the audit committee turned to the CFO, asked him if that was correct, and received an (unapologetic) affirmative. The chairman then turned to the audit partner, seated directly to his right, and asked if he knew about this. The partner also gave an unapologetic “yes” in reply.

The chairman then asked the CEO (incidentally, the former CFO whose policy it had been not to hire CPAs) to address the issue promptly, which it was.

However, the audit committee totally let the audit partner off the hook. The audit firm had never reported this as an issue to the audit committee, even though it had been in place for several years. The chairman did not ask the audit partner why, whether he agreed with my assessment of the issue, why the firm had not identified this as a material weakness or significant deficiency in prior years, or any other related question.

If you talk to those in management who work with the external audit team, the most frequent complaint is that the auditors don’t use judgment and common sense. They worry about the trivial rather than what is important and potentially material to the financial statements. In addition, they often are unreasonable and unwilling to work with management – going overboard to preserve the appearance of independence.

I addressed this in a prior post, when I said the audit committee should consider:

  • Whether the external auditor has adopted an appropriate attitude for working with the company, including management and the internal auditor
  • Whether the auditor has taken a top-down and risk-based approach that focuses on what matters and not on trivia, minimizing both cost and disruption, and
  • Whether issues are addressed with common sense rather than a desire to prove themselves

Does your audit committee perform an appropriate review and assessment of the external audit firm and their performance?

I welcome your comments.

  1. Sundar A. Rodriguez
    June 14, 2015 at 10:52 AM

    Finally the process of belling the cat has been started. Let me make a confession, I have not read the article in full. However, I would like to state that the empasis was more on the audit committees and its powers to evaluate the work of the external auditors. I who has been both external and internal auditors in various capacities for the past 32 years would like to speak for myself as external auditor.
    To start with the audit committee’s agenda is to make the organization more responsible as they were not doing it as required. This could not just be looked from the developed countries prespective, as the document purports to be a tool for assessing auditors “world wide”. In this regard I would like to make a specific reference to my country, which is considered to be a developing one, India. Here, the external auditors are more bound by the statutes in force and the compliance with the requirements enforced by the enforcing authorities under the statute. Further, the auditors, thanks to being effectively monitor with its own regulations, by the Institute of Chartered Accountants, had given the external auditors more clout. I am just explaining this because, the overall importance given to “audit committee” in the paper does not in many countries like India apply.
    However, there should be a mechanism in place, which is transparent, and within the acceptable natural justice (emphasis added) should be in place, otherwise independence of the auditors would be compromised. To much of oversight of the external auditors by the audit committee would invariably curtail the wings without which the external auditors could not soar, as it is expected of them both by the laws in force, and other statkeholders to whom they are answerable.
    Any views on this are welcome.
    I would come back with more comments after reading and understanding the text in full. Yes, I would be back.

    • Norman Marks
      June 15, 2015 at 6:46 AM

      Surely, whether in India or anywhere else, the directors serve the interests of the shareholders and other stakeholders – who all need a quality audit by the external audit firm. Is it reasonable to rely on regulators and quality reviews by the Institute of Chartered Accountants? Do they have the ability to question the members of your audit team?

      While I want quality external reviews, I don’t believe that is sufficient – given the continuing drum beat of audit failures.

  2. Arnold Schanfield
    June 15, 2015 at 9:32 AM

    The number one problem I have Norman with work performed by the external auditors is consistently over the past ten years at least and perhaps longer, is how they perform the risk assessment because as you know, this in turn drives the audit plan. The document you have attached states that “the audit team provides a sound assessment at the outset of the audit, including an assessment of fraud risk.” I do not believe they do this or ever did this.

    Their risk assessment is flawed in many respects and most notably because they commence their risk assessment from the financial statements when the risk assessment needs to be started from the strategic objectives of the company. If they started their risk assessment from the strategic objectives of the company, they would identify both financial and non financial risks. Many to all of the non financial risks, will become financial risks at some point in time and we all know this from the numerous fiascos witnessed in the marketplace. When you challenge them on this point, they resist or attempt to hide both because they do not understand how to perform a risk assessment using the strategic objectives as a starting point and secondly their work follows guidance which originates with the COSO framework. This is one of the major flaws I saw years ago with Sarbanes Oxley even after they shifted gears a bit and changed wording to say risk assessment “from the top down.

    Audit Committees need to be retrained from such individuals as you on specifically the kinds of things they should be asking to properly evaluate external auditors performance- questions such as

    Walk us through the process you followed to prepare the risk assessment?

    What reliance specifically did you use in your review of the risk assessment and risk management system that our company has in place?

    How specifically did you use work performed by the internal auditors and other compliance functions of the company as the basis for preparation of your risk assessment?

    Where did you document your understanding of the company’s strategy, context and risk appetite and kindly share results of such documentation?

    Show us the results of your prior management letter comments and management’s implementation of your recommendations?

    Many other questions as well, but you get the drift.

  3. Bishwajit
    June 17, 2015 at 8:06 AM

    @Arnold, very pertinent questions. However, the External Auditors restrict themselves as the cost of audit will ( they need to be competitive in the market) be much more if he risk assessment to start with Strategic Objectives. Here the Internal Auditors can really help if consulted by External Auditors. Unfortunately Audit Committees are normally glad to receive the profit numbers and move over rather than asking questions to understand the depth of audit and the understanding of auditors on the risk that exists in the organization.

  4. June 18, 2015 at 12:54 AM

    Hi Norman

    I really enjoyed this article and its predecessor, and couldn’t agree more. From my +20 years dealing with both internal and external audit, the external collection have 2 big ticket behaviours that have frustrated me for years.

    The first, which you’ve noted above, is the trivial, unfocussed items they spend far too much time on – I recently has an external auditor ask me to provide the template used for stock exchange releases, rather than a sample of the actual releases with sign-off, this latter being the control. Go figure how a template is a good assessment of that…

    The second is the “training” that clients are providing for baby auditors. In theory, I don’t have a problem with providing a level of development input to build skills for newly qualified auditors, because that is how we all learn at various stages. What I object to is actually becoming the de-factor training officer for an audit firm – the audit manager isn’t developing the junior with some input from the client, the client is providing the training by having to go into drilled-down step-by-step details. I certainly don’t believe I am paying my auditors to provide their staff training.

    Like any other service provider, the external audit firms should be subject to ongoing quality of service and delivery of service assessments – that is what management should be thinking and the board and/or audit committees asking. I have had the luxury of working in a couple of organisations that did challenge the audit firm, often, and it definitely does make a difference to the quality of what is being produced.

    Maybe part of the problem is that many audit committees are chaired by a director that was formerly an auditor themselves – possibly a conflict of interest when it comes to really challenging the state of play!

  5. Arnold Schanfield
    June 18, 2015 at 7:02 AM

    Bishwajit,
    This is an accurate summation. So the next time, there is a blow up in any company- the shareholders should perform an external investigation and then fire and sue the audit committee. More lawsuits and blowups will be major catalysts to bring about change. In addition, our field should have “paid mercenaries”, individuals with significant skills in this field to function as third party court experts on behalf of the defense or prosecution. So imagine how further interesting the British Petroleum investigation into the oil spill, could have been if either the prosecution or defence hired say- Norman Marks and tasked him to prepare a comprehensive report on the state of the risk management system in place at the company at time of the spill. Methinks that this would then require Norman to acquire 24 hour security. But this is what it is coming down to. Watch and see!!

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: