Comment: Auditors' red flags left to flutter by CBA Board
External and internal auditors have been ignored for various reasons by the board committees of the Commonwealth Bank, according to the report into the bank's governance and systems released earlier this week by the Australian Prudential Regulation Authority. The failure of the committees dealing with risk and audit to properly engage with the internal auditors led APRA's review panel to recommend that the company benchmark its committee processes against global best practice. In other words, CBA's audit and risk committees needed a serious overhaul.
Risk management is at the core of any bank's business, and the Commonwealth Bank was found to have failed to manage a series of risks relating to compliance with anti-money laundering legislation. The APRA report into the CBA found: insufficient rigour and urgency by the board and its committees in holding management to account for mitigating risks and for closing issues in a timely manner; gaps in reporting and metrics hampered the effectiveness of the board and its committees; and over-reliance on the authority of key individuals likely weakened the committee construct and the benefits that it provides.
The report said that the most critical examples of the failure of internal controls and committee processes were matters of non-compliance identified in relation to money laundering. CBA's internal auditors presented three 'red' audit reports on the non-compliance. They identified repeated issues that continued to be ignored.
Some of the reasons for this, the report says, were: board audit committee members were not routinely provided with, nor did they request, copies of 'red' audit reports and members were content to rely on a summary of these reports prepared by internal audit, to which the chair of the BAC and internal auditor spoke; owners of issues raised in red audit reports did not, as a matter of course, appear directly before the BAC; group executives and their teams periodically reported to the BAC to discuss their control frameworks, but this was not directly linked to critical audit findings in their business; and the BAC did not require timely follow-up of 'red' audit reports.
These observations by the review panel are scathing. Internal auditors spend their time seeking to point to problems that need urgent attention. The fact that committee members were not given the 'red' audit reports in the first instance is poor governance practice. Those reports should have been in the hands of the directors involved in deliberating on matters related to managing internal risks. They were not and the audit committee as a whole was unable to evaluate the information properly.
What is worse is that the directors did not show any interest. They were content with a briefing from the chairman of the committee and the head of internal audit. The audit committee members did not ask for the primary documentation on which the briefings were based. No board member can do their job properly if they are not provided the relevant documents in the first place. How can the board members say that