Introduction

It was recently reported that the former KPMG audit partner who worked for Laurentian University has been sanctioned by the Chartered Professional Accountants of Ontario for her failure to flag the university’s financial woes in 2020. This action answers a question many have had about “where were the auditors?” and “why was Laurentian’s financial crisis not flagged by them?”

The most important thing is for universities to learn the lessons that arise.

Why Should Auditors Be Independent?

Auditors play a critical role in the integrity of the board’s oversight of university financial controls. Auditor independence is fundamental to the credibility of audited financial statements. University constituents rely on financial statements – they need to be accurate, trustworthy, and complete. The auditor must be able to conduct their audit without undue influence, bias, or conflicts of interest. I often say that the PSE sector can learn a lot from standards of public company governance, and this is one of those areas. In Canada, NI 52-110 and Rule 204 (Chartered Professional Accountants) both require that auditors of reporting issuers meet stringent independence criteria, ensuring both actual and perceived independence from their audit clients. University boards should adhere to the same standards, even if their auditors don’t.

The Standards to Which Auditors Should Be Held

It is reported that the KPMG audit partner had “led the annual audits of Laurentian University’s year-end financial statements starting in 2005” and continuing until 2020. My own experience is that universities often retain their auditors and their lead partners for many years. While this is technically not contrary to the rules, it is ill-advised, as longstanding service by an auditor is seen as, and often is, a threat to audit independence and objectivity.

The Chartered Professionals Association (Rule 204)[1] recognizes the importance of auditor independence and recognizes situations that threaten auditor independence (many of which could also be described as conflicts of interest). These threats include:

  • Self-interest Threat: Any financial interest held by an auditor in a client is strictly prohibited.
  • Self-review Threat: Auditors may not audit their own work or systems they helped implement.
  • Advocacy Threat: Auditors cannot act as an advocate for their audit client in disputes or negotiations.
  • Familiarity Threat: Recognizes that if partners are not rotated and the auditor serves for an excessively long time, they may develop unduly close relationships with audit clients.
  • Intimidation Threat: This is the threat of losing a client’s work or not getting other work.

The Rule specifies measures for dealing with self-interest, such as disallowing audit involvement where the auditor has a financial relationship or serves or has recently served on the audit client’s board. The Rule also limits lead engagement partner service to an audit client to 7 years and precludes re-engagement within 5 years thereafter.

What Should Audit Committees Do to Ensure Auditor Independence?

The Board of the university (typically through its audit committee) is responsible for ensuring that the university’s external auditor is independent. The audit committee terms of reference should explicitly include a responsibility to oversee the effectiveness and independence of the external auditor. (See the Terms of Reference for Queen’s University’s Audit & Risk Committee as an example.) They should ensure that there are effective practices in place to govern the management (retention, performance review, and termination) of the auditor (the CPA has issued a Tool for the Comprehensive Review of External Auditor), as well as ensuring that non-audit services (revenue to the auditor from services other than the audit) are minimal (as an example, the University of Toronto’s Policy on the Use of the External Auditor for Non-Audit Services explicitly follows public company rules). Having at least one meeting per year with the auditor (with administration excluded) is critical to creating a relationship between the board and the auditor, and to giving the auditor the opportunity to disclose potential threats and concerns. Having a practice of changing audit firms or, at a minimum, lead partners, every 5 to 7 years is also key.

What Are the Lessons?

Good governance doesn’t guarantee effective oversight, but the absence of good governance will lead to failures of oversight. Only those involved can know for sure if excessive familiarity with Laurentian staff contributed to the KPMG lead partner’s admitted failures in the performance of her professional duties. However, what we have known for a long time is that leaving auditors in place for too long allows for the development of personal relationships that may compromise professional judgment and discourage appropriate diligence.

We also know that as clients, university boards can enforce standards of independence even where their auditors or internal management teams don’t.

Conclusion – It’s the Audit Committee’s Job

Regardless of whether your auditor is leading the way to ensure independence, audit committees play a crucial role in maintaining the transparency, integrity, and trustworthiness of university financial statements.

[1] Although applicable to public companies (reporting issuers or listed entities) and not to other organizations, it’s clear that the principles are entirely appropriate for other organizations.