Compliance professionals under the age of 30 might not believe this, but once upon a time a company’s audit committee was primarily responsible for—get this—the annual company audit.
Today, of course, the audit committee is also responsible for risk management, regulatory compliance, internal investigations, cybersecurity, and pretty much anything else that goes wrong at a large organization. Yet we do have some fresh news on the audit committee’s most primordial duty: selecting and overseeing the company’s external audit firm.
For the last several weeks Compliance Week has surveyed senior audit and compliance executives about what discussions you have with your audit committees about the external audit firm, and what information the audit committee wants to know about the audit firm before signing an engagement contract. We have more than 100 responses now, from a variety of large-cap and mid-cap companies.
So let’s do a gap analysis of what compliance and audit executives want to know about their audit firms, what audit committees want to know, and what information you actually present to the committee—because, believe me, there are gaps.
First, the large majority of you (78 percent) do prepare and conduct reviews of your audit firm for the audit committee. Frankly, I’m more curious about the 22 percent who do not review the audit firm’s performance, given how expensive the annual audit can be, but perhaps with a larger sample size that number might be lower. I hope so, and I suspect regulators like the Public Company Accounting Oversight Board would hope so too. The PCAOB has been calling for companies to pay more heed to their interactions with audit firms for a few years now.
Perhaps more interesting is that 60 percent of compliance and audit executives don’t do any peer analysis of other companies and their audit firms when preparing to brief your audit committee, and 80 percent say the process to pull together data and prepare a report for the audit committee has seen only “slight” improvement or no improvement at all in the last 10 years.
Think about that for a moment. For all the tumult we’ve seen in the last decade—the rise of SOX compliance, steep increases in annual audit fees, PCAOB inspection reports that paint quite unflattering pictures of audit firms, huge clamor from investors and regulators for companies and audit firms alike to do a better job identifying risks and financial fraud earlier—most companies simply do what they have always done when reviewing the performance of their audit firms. That is an astonishing fact.
Better news is that compliance and audit executives do try to provide the audit committee a mosaic picture of the audit firm’s performance—but the emphasis is on “try.” More than 70 percent of respondents give the audit committee some sort of analytical data about their audit firms: a benchmarking of audit fees, summaries of PCAOB inspection reports, analysis of SOX disclosures or comment letters from the Securities and Exchange Commission. The single most common type of analysis is a benchmarking of audit fees (55 percent provide this), but many respondents also cited a few other types of information as well. Twenty-eight percent said they provide no such help to the audit committee, and I do wonder about those people, but hey, we all have to start somewhere.
The “try” part is this: almost across the board, more people wanted to offer extra information than the number who actually did—which means that a significant number of CCOs and CAEs believe they aren’t giving the best quality information to their audit committees. For example, 55 percent provide a benchmarking of audit fee analysis, but 85 percent of you want to provide that data. The same holds true for every type of data we asked about, from auditor market share to SEC comment letters to SOX disclosures and more: more compliance executives want to bring that information to the audit committee than actually do.
All of these glimpses feed into a larger discussion about what the audit committee should be doing and disclosing to the public. In December the Center for Audit Quality published its Audit Committee Transparency Barometer, an in-depth look at what audit committees disclose to the public about their oversight of audit firms. The report found that even in just the last few years, from 2012 to 2014, audit committees now disclose much more. A few examples:
In 2012, only 16 percent of companies explained their rationales for appointing the auditor; today 31 percent do.
In 2012, only 26 percent of companies included the tenure of the auditor; today 50 percent do.
In 2012, only 1 percent of companies disclosed that the audit committee was involved in selecting the audit firm’s lead partner; today 44 percent do.
Clearly, how audit committees handle the audit firm is in a state of flux. And how audit committees decide to handle the audit firm depends on what information the committee gets about the firm—and that information comes from you.