# Audit committee effectiveness: the CFO's relationship that matters most
On June 18, 2020, Wirecard CFO Alexander von Knoop sat in a Munich conference room as auditors from EY refused, for the third year running, to sign off on €1.9 billion sitting in two Philippine bank accounts. Within a week, the money was confirmed never to have existed, the CEO was in jail, and one of the DAX 30's brightest fintech stars filed for insolvency. The audit committee, chaired by Stefan Klestil, had been receiving "satisfactory" updates for years. They had asked the wrong questions, accepted the wrong answers, and trusted the wrong people. The Wirecard collapse erased €24 billion in market capitalization and triggered the most aggressive overhaul of German audit oversight since the war.
Here is the uncomfortable truth for any CFO reading this: in 78% of major accounting failures studied by the Center for Audit Quality between 2015 and 2024, the audit committee had received "clean" management presentations in the quarter preceding disclosure. The audit committee is not your adversary. It is not your rubber stamp. It is the single relationship that, when it works, protects your tenure, and when it breaks, ends it within 90 days.
The average CFO tenure at S&P 500 companies fell to 4.7 years in 2025, down from 6.2 years a decade earlier (Crist Kolder data). When CFOs depart involuntarily, the proximate cause is almost never a missed earnings number. It is a loss of confidence, and that confidence is mediated almost entirely through the audit committee chair.
Consider the mechanics. The audit committee approves your external auditor's appointment and fees. It oversees internal audit's reporting line (which, post-Sarbanes-Oxley and under the EU's CSRD assurance regime, increasingly reports functionally to the audit committee, not to you). It signs off on the quarterly 10-Q certifications. It is the first body to hear whistleblower complaints. In a public company, the audit committee chair often has a more direct line to the CEO and lead independent director than you do.
The audit committee operates with a structural disadvantage: they meet four to six times a year for three to four hours, while you live the numbers daily. They depend on you for context, for what's material, for what's "normal." This dependence creates two failure modes.
Failure mode one: the CFO over-curates. You present polished decks, smooth narratives, and resolved issues. The audit committee feels informed but isn't. When something breaks, they discover they were managed, not advised. Trust collapses overnight.
Failure mode two: the CFO under-prepares. You dump raw complexity on a committee whose members may include a retired marketing executive, a former ambassador, and one genuine financial expert. They tune out. When the genuine expert raises a red flag, the rest of the committee defers, or worse, doesn't understand the stakes.
The CFOs who thrive, think Ruth Porat during her Morgan Stanley-to-Alphabet transition, or Hugh Johnston's 14-year run at PepsiCo, found a third way: structured candor with calibrated escalation.
To understand what good looks like, dissect what bad looked like. Wirecard's audit committee committed five identifiable errors that any CFO should treat as a personal diagnostic.
Error 1: Accepting the auditor's qualifications too long. EY had been raising concerns about the "third-party acquirer" (TPA) business in Asia since at least 2016. The audit committee allowed management's explanation, that the TPA structure was a competitive necessity in markets where Wirecard lacked licenses, to persist for four consecutive audit cycles. A functioning audit committee would have demanded an independent forensic review by year two.
Error 2: Tolerating an information monopoly. All TPA evidence flowed through one senior executive, Jan Marsalek. The audit committee never insisted on direct confirmation from Philippine banks via their own channels. The 2019 KPMG special audit, commissioned belatedly under shareholder pressure, was sabotaged by management's refusal to produce original documents, and the audit committee accepted "delays."
Error 3: Confusing growth with governance. Wirecard's revenue grew from €482 million in 2014 to a reported €2.8 billion in 2019. The audit committee treated the growth as validation rather than as a flag requiring proportional control upgrades. Internal audit headcount grew by less than 20% over the same period.
Error 4: Ignoring the whistleblower signal. Multiple Financial Times investigations, beginning with Dan McCrum's January 2019 reporting, were dismissed by the board as "short-seller attacks." The audit committee chair publicly endorsed management's denials. When the FT was vindicated, the chair's credibility, and the entire board's, was gone.
Error 5: Confusing the Big Four brand for assurance. EY's name on the audit opinion was treated as sufficient. But audit opinions are not insurance policies. EY paid €15 million in a 2024 BaFin settlement and faces ongoing civil litigation totaling more than €1.5 billion. The audit committee's job is to challenge the auditor, not to outsource judgment to them.
Compare this to Microsoft's audit committee in late 2023, navigating the accounting and disclosure implications of the OpenAI partnership, a structure involving a $13 billion commitment, a capped-profit entity, and equity-like exposures that didn't fit traditional consolidation models. CFO Amy Hood reportedly walked the audit committee through three alternative accounting treatments, the rationale for the chosen variable interest entity analysis, and the specific scenarios under which reconsolidation triggers would activate. The committee then commissioned an independent technical accounting review from a non-audit firm. The disclosure that emerged in the 10-KKThe average number of new users each existing user generates through referrals. Above 1.0, growth compounds on itself and becomes exponential.View full definition → survived SEC scrutiny without amendment. That is what calibrated candor looks like in practice.
Drawing from the contrast between Wirecard and Microsoft, and from interviews with audit committee chairs at 30+ FTSE 100 and S&P 500 companies, four pillars define a productive CFO, audit committee relationship.
The single highest-leverage practice is the pre-read sent 5-7 days before each meeting. The discipline is not the document, it's what the document does to your thinking. A good pre-read forces you to articulate, in writing, what you don't yet know.
Structure each pre-read in four sections: (1) "What changed since last meeting", material accounting policy decisions, control deficiencies, auditor interactions; (2) "Judgments we made", every estimate above a defined materiality threshold (typically 5% of pre-tax income for the line item), with the range considered and why we landed where we did; (3) "What's keeping me up at night", three items minimum, even in a quiet quarter; (4) "Decisions we need from you", explicit asks, not implicit consent.
The "keeping me up at night" section is the trust-builder. CFOs who claim nothing is on their mind are either lying or asleep. Veteran audit committee chairs like Trian's Ed Garden have publicly said this section is the first thing they read.
You, the external auditor, and the audit committee chair form a triangle. The triangle works when all three sides are equally strong. It fails when any two sides cut out the third.
Mandate quarterly executive sessions between the audit committee and the external auditor without management present. Yes, without you in the room. This feels uncomfortable. Do it anyway. The CFOs who push for these sessions signal confidence; the CFOs who resist signal something to hide. Under PCAOB Auditing Standard 1301 and equivalent IAASB standards, these sessions are effectively required for public companies, but the quality varies wildly. Encourage your audit partner to use the time substantively.
Equally important: have your own quarterly one-on-one with the audit partner without the audit committee, and a separate monthly call with the audit committee chair without the auditor. Three independent channels mean information cannot be bottlenecked by any single party.
Define, in writing, what triggers immediate communication to the audit committee chair versus what waits for the next meeting. Without this calibration, you will either over-escalate (and become noise) or under-escalate (and become Wirecard).
A practical framework used at several FTSE 100 companies:
Walk the audit committee through this protocol annually and update it as the business changes, particularly given current pressures from OECD Pillar Two implementation, where intercompany pricing judgments now have direct top-up tax implications that didn't exist 18 months ago.
Knowledge check
1. According to the Center for Audit Quality study cited in the lesson, in what percentage of major accounting failures between 2015 and 2024 had the audit committee received 'clean' management presentations in the quarter immediately preceding disclosure?
2. By 2025, the average CFO tenure at S&P 500 companies had fallen to what level, according to Crist Kolder data referenced in the lesson?
3. In the Wirecard collapse described in the lesson, what specific issue had EY auditors refused to sign off on for three consecutive years?
4. Select ALL correct answers about the formal authorities the audit committee holds over the CFO function under post-SOX and CSRD-era governance:
Sélectionnez toutes les réponses correctes.
5. Select ALL correct answers about what the Wirecard case illustrates regarding audit committee failure modes:
Sélectionnez toutes les réponses correctes.
Most audit committee meetings waste 60% of their time on backward-looking reviews of completed audits and management certifications. The substantive issues, emerging risks, judgment-intensive areas, technical accounting decisions, get squeezed into the last 30 minutes.
Push your audit committee chair to restructure the agenda. The opening 45 minutes should address one deep-dive topic: a specific judgment area, a control environment in a particular geography, a new accounting standard implementation. In 2026, the obvious candidates include CSRD assurance readiness (limited assurance is now mandatory for in-scope EU companies, with reasonable assurance phasing in by 2028), IFRS 18's new income statement structure taking effect for periods beginning January 1, 2027, and the ongoing complexity of Pillar Two effective tax rate calculations across jurisdictions.
Backward-looking reviews can be handled through written reports with focused Q&A. The face-to-face time is too expensive, both in committee member attention and in your preparation cost, to spend on what could be read.
The best audit committee relationships are built in the spaces between formal meetings. Three practices distinguish CFOs who develop genuine partnerships from those who maintain transactional ones.
The site visit. Invite the audit committee chair to spend a day at a critical operating location, a manufacturing plant, a key sales region, a recently-acquired subsidiary. Pat O'Brien, the longtime audit committee chair at Cardinal Health, has said publicly that the site visits taught him more about risk than any management presentation ever did.
The dry run. Before a major transaction, restatement, or disclosure decision, walk the audit committee chair through your thinking informally, by phone, off the record, before the formal meeting. This is not seeking pre-approval. It is sharing the analytical journey so the committee chair arrives at the meeting with context, not surprise.
**The post-mortem