While it is clear that the role of the external auditor is important and that the audit committee is charged with their oversight, it is unusual to see advice on how that oversight should be discharged.
One of the reasons is that most of the advice given to audit committees comes from the audit firms, and they are hardly likely to suggest that they be asked penetrating questions.
Another reason is surely political: who wants to upset the auditors?
In my experience, both as the leader of internal audit functions and more recently as an advisor to organizations, audit committees fail to challenge the external auditors and ensure they are providing quality services at an appropriate cost.
Some of that may be because they see the auditors as having to be independent and don’t feel they should be questioning either their expertise or insight.
Both can be questionable, and the audit committee needs to ensure that the auditors are doing the job they are paid for – well and at reasonable cost.
I want to bring my blogs up to date by talking about the external auditors’ work on SOX.
As you may know, I literally wrote the book for the IIA on SOX (now in its 4th edition). I also teach SOX managers and advise organizations on efficient and effective SOX compliance.
What I am hearing, again and again, is that the audit firms are NOT following PCAOB Auditing Standard No. 5 (since renumbered but unchanged) – which they are REQUIRED to follow.
The standard mandates that the scope of work is based on a top-down, risk-based approach.
The only controls that need to be included in the scope and tested are those that are relied upon to detect or prevent an error or omission that is not only material but reasonably possible.
Instead, perhaps out of fear of being criticized by the PCAOB Examiners, the auditors are demanding (and that is the correct word) that management’s scope and work include areas where there is not such a reasonable possibility. The latest (but not only) fear-driven scope creep is around information security and cyber – and who has heard of a hacker altering the financial statements?
This is driving up both the cost of management testing and external auditor fees.
Why does this matter to the audit committee?
They are responsible for oversight of the external auditors.
When the auditors feel that they can do whatever they like, ignoring management’s comments that “there is no risk”, I have to feel that something is wrong.
I want the auditors to focus on areas where there is a real risk, one where there is a reasonable possibility of a material misstatement.
I don’t want them distracting management and consuming their limited resources.
Please, audit committee members, ask your audit partner whether his or her team are following a top-down and risk-based approach, and agreeing on the risks with management (and internal audit, as appropriate).
If the answer is unclear, I have to question their capability.
I welcome your comments.