Banks’ financial statements tell their performance story to the outside world. Because the banks’ independent external auditor’s reports provide assurance about the quality of the information in the financial statements, the audit committee’s relationship with the bank’s external, independent auditor is very important. The auditor/audit committee relationship is key to the committee’s ability to monitor financial reporting risk, to oversee management of regulatory compliance risk, and to perform the committee’s other oversight and monitoring functions. Your audit committee’s management of this relationship is critical to the discharge of your obligations under most committee charters.
Because the external auditor’s product is assurance, the auditor will measure the efficacy and operation of the bank’s systems of control to determine where the auditor believes the financial reporting risks (errors or fraud) are greatest. The auditor will test the bank’s control systems to determine the extent to which the auditor can rely upon the control systems to produce reliable financial statements and required related financial information. The auditor’s judgments about the auditor’s own risk (for example, failing to find misstatements that exist, or determining there is a misstatement when there is not) help determine the nature and extent of the audit procedures. As a result, questions between auditor and audit committee shape the audit scope and the nature and extent of the procedures the auditor performs.
There are two key aspects of the information exchange process between auditor and audit committee: required communications and auditor/audit committee meetings.
Required auditor communications are determined under the American Institute of Certified Public Accountants (AICPA) “Codification of Statements on Auditing Standards.” AICPA AU-C-260 “Communications with Those Charged with Governance” (previously AICPA SAS 61 and SAS 114) deals with required communications from the external auditor. Additional authority for publicly traded banks is found in the Securities and Exchange Act of 1934, Section 10(A) and Public Company Accounting Oversight Board (PCAOB) Auditing Standard 16. Communications regarding significant deficiencies and material weaknesses in controls identified in the audit are covered under AICPA AU-C-265 and PCAOB AS5 (previously AICPA SAS 115).
PCAOB AS16, governing public issuers of securities (including publicly traded banks), requires certain matters to be communicated in writing by the auditor. In the planning stage, they include the following:
- Written engagement letter defining the scope and terms of the engagement
- That the auditor has discussed with the audit committee any matters known to the committee and relevant to the audit, including possible violations of law or regulation
- An overview of the overall audit strategy, including the timing of the audit
- Significant risks identified during the auditor’s risk assessment procedures
After most audit procedures have been performed, and generally communicated concurrently with the issuance of the auditor’s report, the external auditor’s communication should include the following:
- Changes in critical and significant accounting policies and the adequacy of, application of, and disclosures regarding accounting policy changes
- Critical accounting estimates (e.g., for a bank, the allowance for loan and lease losses or ALLL)
- Significant unusual transactions
- Difficult or contentious matters for which the auditor consulted outside the engagement team and that the auditor reasonably determined are relevant to the audit committee’s oversight of the financial reporting process
- When the auditor is aware that management consulted with other accountants about significant auditing or accounting matters and the auditor has identified a concern regarding such matters
- A schedule of current year uncorrected, immaterial misstatements and corrected errors that were brought to management’s attention by the auditor
On this last point, the auditor is not a component of the bank’s system of controls. Errors caught and corrected within the bank’s system of control are indicative of a control system that is working; auditor-found errors are indicative of a control system that may have weaknesses.
Apart from the required written communications, scheduled but less formal discussions at audit committee meetings, between auditor and audit committee, can be very productive financial reporting risk management tools.
I serve as chairman of an audit committee for a bank, and when our audit committee meets with our external auditors, the committee is free to ask whatever they wish. Some members prepare questions in advance; others will wait until the required communications have been made to form their questions. Management is excluded from the question-and-answer session with the external auditor. Questions generally take a skeptical but respectful tone, and frequently include the following:
- Did anything found during your work surprise you?
- Did anything found during your work surprise management?
- Were there any times during the audit when you believed management was not fully prepared or forthcoming in responding to requests?
- Were there any other difficulties encountered during the audit?
- Are there tools the bank’s management team is using (as to operations and financial reporting) that are obsolete or inefficient given your observations at banks of similar size and complexity?
- What regulatory matters are you seeing that are receiving more or less scrutiny than in the past?
- What are the emerging accounting topics that could have future impact on the bank’s financial reporting?
- Do you believe the accounting and financial reporting functions in the bank have adequate resources? If not, are there suggestions the auditor could make?
- Were you able to rely in any way on the work performed by internal auditors?
- Were there any repeat matters of concern or concerns from prior audits that were unresolved?
- What is the required partner rotation to maintain auditor independence and what is the plan and time frame for the next rotation?
- What unplanned audit procedure did you perform to surprise management and what was the outcome of the procedure?
While not meant to be all-inclusive, the questions listed above help provide the basis for a frank and useful discussion with the bank’s external auditors. By always taking your bank’s and management’s unique characteristics and attributes into account, you can develop your own questions to help the audit committee and the auditors discharge their financial reporting risk management functions.