
Advice for audit committees and oversight of external auditor

December 15, 2018

While it is clear that the role of the external auditor is important and that the audit committee is charged with their oversight, it is unusual to see advice on how that oversight should be discharged.

One of the reasons is that most of the advice given to audit committees comes from the audit firms, and they are hardly likely to suggest that they be asked penetrating questions.

Another reason is surely political: who wants to upset the auditors?

I wrote two blog posts on this topic, The effective audit committee and Evaluating the external auditors, which you may want to visit.


In my experience, both as the leader of internal audit functions and more recently as an advisor to organizations, audit committees fail to challenge the external auditors and ensure they are providing quality services at an appropriate cost.

Some of that may be because they see the auditors as having to be independent and don’t feel they should be questioning either their expertise or insight.

Both can be questionable and the audit committee needs to ensure that the auditors are doing the job they are paid for – well and at reasonable cost.


I want to bring those posts up to date by talking about the external auditors' work on SOX.


As you may know, I literally wrote the book for the IIA on SOX (now in its 4th edition). I also teach SOX managers and advise organizations on efficient and effective SOX compliance.

What I am hearing, again and again, is that the audit firms are NOT following PCAOB Auditing Standard No. 5 (since renumbered as AS 2201, but otherwise unchanged) – which they are REQUIRED to follow.

The standard mandates that the scope of work be based on a top-down, risk-based approach.

The only controls that need to be included in the scope and tested are those relied upon to prevent or detect an error or omission that is not only material but also reasonably possible.

Instead, perhaps out of fear of being criticized by the PCAOB examiners, the auditors are demanding (and that is the correct word) that management's scope and work include areas where there is no such reasonable possibility. The latest (but not the only) fear-driven scope creep is around information security and cyber – and who has heard of a hacker altering the financial statements?

This is driving up both the cost of management testing and external auditor fees.


Why does this matter to the audit committee?

They are responsible for oversight of the external auditors.

When the auditors feel that they can do whatever they like, ignoring management's comment that "there is no risk", I have to feel that something is wrong.

I want the auditors to focus on areas where there is a real risk, one where there is a reasonable possibility of a material misstatement.

I don’t want them distracting management and consuming their limited resources.


Please, audit committee members, ask your audit partner whether his or her team is following a top-down, risk-based approach and agreeing on the risks with management (and internal audit, as appropriate).

If the answer is unclear, I have to question their capability.


I welcome your comments.



  1. December 15, 2018 at 7:35 PM

    I am surprised that the PCAOB has not commented on this, as it permeates every public filer and has gotten worse in the last 3 years. I am surprised few professionals have the guts, like Norman, to speak out about what most likely is a waste of resources and abuse of power.

  2. William
    December 16, 2018 at 1:01 PM

    Bravo, what everyone out there is thinking. AS-5 was written, and it was stated in the first few paragraphs, that it was supposed to cut down on costs, as the external audit firms were obviously using SOX as a cash cow. Initially I think costs were cut down, but now they are creeping back up. Unfortunately it seems as if the PCAOB has only been auditing public accounting firms for what they don't do and not for when they do too much (auditing things that have no material risk). I think firms also underbid their competition to win an account but then make up the difference by failing controls that aren't even material, some to the extent of claiming Material Weaknesses (i.e. Costco).

    Also, from an IT audit perspective, external IT audit seems to be disconnected from their financial SOX auditor counterparts and just focuses on what systems SOX applications sit on, testing all ITGCs rather than taking a top-down, material-risk approach. Another thing I have noticed is that staff IT auditors are not only hired right out of college but have very little training as well. I have been asked multiple times what a Microsoft "SYSTEM" account is, and it is easily googled in less than 1 minute. That's just one of many examples.

    Is it time for another Auditing Standard or is AS-5 fine but without any accountability from the PCAOB?

  3. Anonymous
    December 17, 2018 at 2:41 PM

    I think there are two factors at play here. One, of course, is that the PCAOB began its inspection process in 2011, and since then there has been an increasing demand placed upon the public accounting firms, their partners, and their staff. Every year the PCAOB has points of focus (pun intended) that are driving the work and documentation requirements of the audit firms and, of course, company management. This is not going to change anytime soon. The PCAOB audits are hell, to put it bluntly, and the external auditors are reacting with fear and trepidation. The PCAOB will say that they are following AS-5 and, more importantly, that they are operating in the best interest of the individual investor. It's not that audit committees and management aren't asking the correct questions; it's that they are getting blank stares back and they have no power to effect any change. Go ahead and change audit firms – it won't make any difference.

    My second point is that we often overlook the impact the 2013 revision of COSO's Internal Control – Integrated Framework has had on documentation and testing requirements. While I don't think COSO did this intentionally, with the addition of the 17 principles and points of focus they have given the PCAOB and the external auditors fresh ammunition. And this has become a circular argument, where the PCAOB is pointing to COSO and saying that this is what the company's internal control framework requires. Don't get me wrong, I fully endorse the 2013 revision, but I think it has had unintended consequences. The PCAOB will also argue that the accounting firms have failed in recognizing the true risks through their audit planning and methodologies. Again, if you try to argue this point, you get a lot of blank stares. The bottom line is SOX is getting tougher, taking more time, and costing more.

    So, there is a new PCAOB board. Will things change, and will they take a more balanced approach? This is yet to be seen. I would expect not. From a company standpoint, we need to drive efficiencies in our SOX methodologies while working with our external auditors. We also need to take a more balanced approach. Maybe we have less external auditor reliance, and maybe we follow the SEC guidance and let the chips fall where they may.

    • Norman Marks
      December 18, 2018 at 3:18 PM

      You raise some interesting points. Leaving aside the fact that the PCAOB examinations started years before 2011, certainly there is a fear among the audit firms of failing an inspection. But that doesn't mean they are entitled to go way beyond the requirements of AS5. I hope the examiners return to the focus they had in 2004 and 2005 on the requirement for a risk-based approach.

      The examinations might well be Hell if the auditors have not done their job. But they are not entitled to ask us to pave over Hell and beyond to areas with little or no risk.

      COSO 2013 is another interesting point. Notice that AS5 was not changed, and Staff Alert No. 11 was issued after the COSO update. There is no need to do a lot more work to satisfy the requirements of the COSO update. See my book for the IIA for details. Remember that the points of focus are not mandatory.

  4. Peter Hughes
    May 14, 2019 at 10:35 AM

    All good points that need to be considered.
