Risk and Control Issues Commonly Overlooked by Internal Audit 7: The External Auditor

As CAE, I have frequently helped the audit committee with their assessment of the external auditor’s performance. While some boards treat this as a perfunctory task, reappointing the auditors without much analysis or discussion, I don’t concur with that approach. Why not? I have seen external audit teams that were poor performers.

What are the risks if the external auditor’s performance is poor?

  1. Inaccurate or misleading financial statements, containing material error. It’s not only that the auditor may fail to detect an error by management, but they may recommend a treatment or presentation that is incorrect. Some years ago, my company’s accounting staff detected an error in a prior year’s financial statements. It was material and had been the specific recommendation of the external audit partner (the current partner agreed that it was an error). There are multiple stories in the news about external auditor failure – can you afford for that to happen to your company?
  2. Higher cost than necessary, as the auditor performs work that is inefficient or even unnecessary.
  3. Disruption to the business, as the auditor consumes critical management time. I have also seen the external auditor obtain more access to our systems than necessary, which was misused in a way that caused massive disruption: the auditor closed the accounting period during the quarter closing process, preventing journal entries, etc. from being completed.

Now, some may say that it is not the internal auditor’s role to check on the external auditor. But, I believe the CAE should at least consider the risks to the business if the external auditor’s performance is lacking. When the risk appears high, the CAE has to consider what actions to take. In my view, that can best be achieved by facilitating an assessment by the audit committee. You can download the form I used most recently here. It’s very simple, requiring modification to address the specific risks at your organization.

I welcome your thoughts on this topic. I expect it to be controversial — certainly, the external auditors at my companies didn’t like being assessed.

Previous items:
#1: Information required to run the business
#2: The adequacy of risk management
#3: The root cause of almost every internal control issue is people.
#4: Linking Strategy to Execution
#5: Management
#6: The audit committee


Posted on Jul 4, 2011 by Norman Marks


  1. I agree with you.

    The external auditors, in general, would be reluctant to be assessed by the internal auditors of the respective company/bank. Some of the external auditors even go further by rejecting the idea of coordinating with the internal auditors as it might lead to "reliance on them", as the Board and Senior Management may consider lowering their audit fees if they do so! This is why if they decide to rely on the internal auditors, they do that with many limitations so that they would have an easy way back.

    One more point to support your views is that the newly promoted partners may not be at the same level of experience which their senior partners may be at. This is why it is important to annually assess the external auditors' performance taking into consideration such a factor.

  1. One of the comments on LinkedIn talks about the directors not assessing the performance of the external auditors. Check this out. It's an Australian case where the directors were found liable for not asking questions of the external auditors: http://www.bloomberg.com/news/2011-06-27/centro-directors-breached-duties-on-debt-disclosure-melbourne-judge-says.html

  1. We should be commenting on ineffective external auditors and not only commenting but recommending that they be replaced immediately based on pre-established criteria which would form part of our review on integrity of the risk management system. We currently are not commenting on ineffective external auditors because we do not know how to do so and are afraid to do so. Petrified is probably a more correct interpretation. We are afraid to do so because this is the training that we have received or have not received by the primary organizations that we belong to including the IIA and the AICPA. We have received little in the way of meaningful training on providing assurance over risk management (which would include assessment of external auditors).

    We have been inculcated with the belief that we are second class citizens to the external auditors from the days when we were their surrogates for performing year end work for them to reduce the audit fees, when they were able to convince management that the internal audit function should be outsourced and when they were able to convince management that they were the ones best qualified to properly assess the internal audit function as part of the external quality assurance review.

    We were set up to fail because they reported directly to the Audit Committee who understood the external audit well but did not understand internal audit or risk management well. In many instances the Audit Committee Chair was in fact a former partner of a Big 4 firm.

    Continued below

  1. Conclusion from above

    By so doing, you will put pressure on the IIA to clean up their act and to remember that it is the members that are their primary stakeholders. This COSO ERM framework should have been rejected outright moons ago and the ISO 31000 framework should have been comprehensively endorsed as the sole framework.

    Once you receive the necessary training that you need in risk management, then you will feel confident to properly assess performance of the external auditors and provide your Board and Executive Management with detailed input as to whether the external auditors should be retained or terminated. The tables need to be turned around, my friends. But you can do it. It just takes a bit of courage.

  1. I'm quite surprised to note that EA closed the accounting period. Why did they have access to do so? Any auditor, be it IA or EA, should have only view access to the data.

    I believe that IA should assess and update the EA's performance to Audit Committee / Board. Perhaps he / she is the correct person to do so.

  1. Like most of my peers, I've been both an external and an internal auditor and, like Arnold, I've often been treated like a second class citizen by an external audit team with far less experience and knowledge than the Internal Auditors that they look down upon. The big firms are experts at managing relationships and creating a perception that they are infallible, and that perception precedes the firm when they arrive at the client's office. Executive Management typically values a timely and unqualified opinion more than a high quality audit and can easily overlook their oversight role. This can often be a sore spot with Internal Auditors, as we typically don't have the same level of respect from Senior Management even though we come from the same background as those performing the external audit and often have more concern for the company's well being.

    Part of the CAE's role, in my opinion, is to ensure Executives and the Audit Committee understand that the external auditor is under constant pressure to produce profits and that their primary role is to provide a compliance function (i.e., audit opinions). Even though firms will tout all their value-added services, they ultimately have to put firm profitability ahead of all other goals and this may come at their clients' expense.

    I like the checklist and can see the benefits of a CAE facilitating the firm oversight process, but I think a CAE should ultimately assess the quality of oversight as a control and be careful not to become the control mechanism. I see this as a fine line, but just like any other control, someone should be able to demonstrate how the oversight role is performed. I see the CAE's role as verifying this process and if the process is ineffective, it should be treated the same as any other control weakness.

  1. I think areas being overlooked by IA is a great theme - we have to be alert to our own blind-spots as a profession - as soon as we don't think we have any we diminish our standing as a profession that seeks to find the blind-spots in what others do (see IIA UK article March 2010).

    Of course we need to tread carefully with these sorts of issues and be careful not to judge EA based on a misunderstanding of its role and impressions of what it has done well/less well. That said, I agree that IA should be very interested in how robust the performance discussions about EA are, since this is a crucial part of the governance assurance picture, and we shouldn't forget that there are factors at an unconscious level that may lead the organisation to water down any concerns with the EA (i.e. an unspoken sense of "better the devil we know" and "let's keep them since they look like they will agree to accounting treatment X or Y").

    Above EA we also have other complex relationships where there can be a "love / hate" dynamic deriving from a degree of reliance on what they do, but a frustration they could do more. In my experience these dynamics can cover Compliance functions, Other Assurance functions, Finance, Legal and even the Audit Committee!! Good topic to choose and interested to hear views and further discussions.

  1. Norman:

    A draft of a paper I wrote with my daughter that builds a business case for both external auditors and companies using a true "risk-based" approach to public company financial statements is available on our website at www.riskoversight.ca.

    External audits and a large percentage of internal audits are not currently done using globally accepted risk management principles. If that changed I believe results, and confidence in internal and external audit, would increase. The internal audit profession should take the lead promoting true risk-based SOX 404 assessments instead of sitting silently on the sidelines as it did when PCAOB AS 2 was issued. If IA really believes that better risk management is key to better corporate governance, it should join my daughter and me in calling for use of real risk management processes on external audits and internal SOX 404 work and start doing the majority of internal audits using the core principles of ISO 31000 to lay a better foundation for ERM.

  1. Tim, AICPA and PCAOB standards require the external auditor to follow a risk-based approach. If internal audit facilitated an assessment, I would suggest it include a section on whether they have done so based on where management believes the greater risks lie. ISO is not the complete answer, unless it is tailored to suit two purposes (as explained in PCAOB guidance): the more significant risks of material misstatement, and the risk that the external auditor might miss a material misstatement.

    By the way, people should know that IIA has a serious advocacy program and it includes providing comments to draft PCAOB standards (including those on risk) and a seat on the PCAOB oversight committee.

  1. Norman:

    You should note I indicated a "true risk-based approach". This requires statistical analysis of frequency of event and frequency of root cause of problems. Neither of these core elements of risk management is followed when analyzing financial statements. If you can point me to an external audit firm that tracks statistically error sources generally, for the sector being audited and the company being audited, and the statistically predictable causes of materially wrong financial statements, and allocates audit resources proportionately, I will stand corrected. SOX 404 (a) reviews should also include these steps.

    I would assert to you that external audits currently do not employ core risk management processes. They are based largely on subjective views of what constitutes "audit risk". Audit risk is not the same as risk of materially wrong financial statements as it requires the error become internally and publicly known.

    I believe that many SOX reviews avoid using true risk management processes as it requires addressing some issues considered too sensitive (e.g. CFO/controller lack current technical knowledge, CFO/CEO incentivized to manage earnings) and doesn't allow for the millions of hours of testing on low impact controls that the current approach does.
