September 24, 2008

Improving Internal and External Audit Coordination

Because of the potential value of CSA, internal auditors and their organizations need to work together to effectively integrate CSA into the external auditing process.



About the CSA Survey


  • Surveys were mailed to 430 individuals listed in The IIA's Control Self-Assessment Center 2001 Membership Directory.
  • Recipients were located in the United States or Canada and worked for employers likely to receive independent financial statement audits.
  • Useful responses were received from 113 organizations and 73 indicated that they used CSA within the prior year. Out of the 73 organizations using CSA, 67 also had an independent financial statement audit the prior year.
  • Organizations that received an external audit were asked to provide their external auditors with an auditor's survey.


  • Information from 31 responding accounting firms revealed that on average, CSA was used in only 21.6% of the audits performed out of the respondent's office in the previous year. The two most common reasons cited by external auditors for not using CSA was the belief that it was inefficient and they lacked training.
  • Assertions about CSA inefficiency were directly contradicted by the 9 responding auditors that actually used CSA on the audit of the organization that provided them with their auditor survey. More than 75 percent of those auditors reported that the use of CSA resulted in a more efficient and effective financial statement audit.
  • The totality of the survey results suggest that CSA is being used in a relatively small percentage of financial statement audits, but the auditors that are actually using CSA were very satisfied with both the efficiency and effectiveness of this tool. It is likely that current impediments to using CSA would dissipate as external auditors gain a better understanding of the tool.

Many internal auditors already know that control self-assessment (CSA) can be an exceptionally useful tool for their organizations. However, what is less known is how external auditors can use CSA to improve the efficiency and effectiveness of a financial statement audit. A control self-assessment survey — conducted by the authors — of organizations and their external auditors revealed a low level of CSA usage by external auditors and a low level of communication between internal and external auditors. The survey also found several basic misconceptions on the part of internal and external auditors, and other organizational personnel that likely are contributing to low CSA usage. (For survey information and findings, see the sidebar "About the CSA Survey.") Because of CSA's value, organizations and their internal auditors should work to promote the use of CSA by their external auditors.


The internal audit profession has always had significant responsibilities over internal controls, which is demonstrated by its definition. In addition to their traditional control responsibilities, internal auditors are increasingly being called upon to assist management — by serving as its eyes and ears — in fulfilling its obligations under the U.S. Sarbanes-Oxley Act of 2002, particularly for Sections 302 and 404. The IIA's Professional Practices Framework also advocates that internal auditors be involved in both a consulting and assurance capacity.

As a result of the Sarbanes-Oxley requirements, the internal audit profession must evaluate both hard and soft controls under the guidelines of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework. Hard controls (e.g., credit approval indicated on an invoice) can be effectively evaluated by traditional auditing tests. However, soft controls (e.g., management's ethics and integrity) are vaguer and traditional audit tests are far less effective in evaluating them. The internal audit profession has been a leader in searching for new audit tools to more effectively evaluate soft controls and CSA has emerged as an effective tool in this area, but according to the survey, organizations are not using CSA in the most audit relevant areas. Only 14 percent of the 73 organizations using CSA used the tool to evaluate controls that promoted the reliability of the organization's independently audited financial statements. This use of CSA would be most directly relevant to independent financial statement audits. Yet, few organizations employed CSA in this manner.

CSA is used to evaluate organizational processes and controls, and can be helpful in improving the effectiveness of internal and external auditing. However, of the organizations surveyed, although most had CSA data available, organizations were not communicating with external auditors about their use of CSA. The organizations were not asking their external auditors to use the existing CSA data and few external auditors were making CSA-related requests of the organizations. Of the 67 respondents using CSA and also receiving an independent audit, none indicated that management requested that CSA be used by their auditor. In addition, according to the survey, no auditor asked their organization to implement new CSA activities that were relevant to the external audit. Only 14 organizations indicated that their auditors requested evidence that had been created via existing CSA activities.


The internal and external audit functions are two critical components of organizational governance systems and the International Standards for the Professional Practice of Internal Auditing recognizes that the two audit functions should be effectively coordinated. After Sarbanes-Oxley was passed, internal control responsibilities increased for internal and external auditors, which represents an area where tremendous value can be achieved through proper coordination. Internal auditors have been leaders in the effective use of CSA in control evaluations.

Since Sarbanes-Oxley Was Passed:

  • Both internal and external auditors must now provide more thorough evaluations of the internal control system.
  • Soft controls are widely recognized as an important element of all internal control systems and they must be evaluated properly.
  • Tools to evaluate soft controls are scarce, and CSA is a highly effective tool for this purpose.
  • CSA could be used by both internal and external auditors to more effectively meet their objectives relating to internal control evaluations.
  • Internal auditors have an increased responsibility to coordinate the activities of the external auditor, including coordinating the organization's use of CSA and available CSA data that could be used by external auditors.

External auditors also have enhanced control responsibilities under Sarbanes-Oxley. In addition to their long-standing responsibility to evaluate an organization's control system as part of a financial statement audit, Section 404 requires that the external auditors attest to the fairness of management assertions contained in their internal control report. In essence, external auditors are now required to audit the organization's system of internal control over financial reporting while also auditing the financial statements. This additional attestation on internal control necessitates a level of control understanding and testing that far exceeds what formerly was necessary to support an opinion on the financial statements. Using CSA can contribute to the effective attainment of these comprehensive audit responsibilities. But the survey results show that a significant number of individuals at organizations possessed negative sentiments about external auditors being involved in their CSA activities even though most organizations had no direct experience with such involvement. A majority of organizations did not believe that external auditor involvement in CSA activities would improve their CSA initiatives, and a significant minority (ranging from 19 to 45 percent, depending on the question asked) thought that external auditor involvement would actually hurt their CSA processes.

Performance Standard 2050: Coordination and its related practice advisories place a professional responsibility on internal auditors to effectively coordinate internal and external auditor control activities. Since the advent of Sarbanes-Oxley, this professional responsibility has taken on increased importance because the enhanced involvement of external auditors in the control arena has a direct bearing on the quantity and quality of the control information made available to top management and the board as they attempt to govern their organizations and fulfill their statutory responsibilities under Sarbanes-Oxley.

Five Ways Organizations Can Promote CSA to External Auditors

  1. Consider the needs of external auditors when planning a CSA agenda.
  2. Apply CSA tools to areas most relevant to the external audit, particularly internal controls promoting the reliability of financial statements.
  3. Communicate with external auditors about the organization's CSA programs and encourage them to use CSA-produced evidence.
  4. Be receptive to reasonable external auditor requests for new CSA initiatives.
  5. Educate employees about the advantages of external auditor involvement in CSA to help dispel negative sentiments that may exist.

To fulfill their responsibilities under Standard 2050, internal auditors should determine whether external auditors are using CSA to evaluate the many soft controls that are a critical component of any internal control system under COSO's Internal Control–Integrated Framework. Soft controls are too important to ignore and the appropriate tools must be used to evaluate them.


Because of the potential value of CSA, organizations and their internal auditors should work together to effectively integrate CSA into the external audit process. The survey of IIA Control Self-assessment Center members revealed that organizations were not using CSA in areas most relevant to external auditors, that organizations and auditors were not communicating with each other about the use of CSA, and that a significant proportion of employees appeared to hold negative sentiments about the value of external auditor participation in their organization's CSA activities.

Internal auditors should do all that they can to promote CSA. If organizations implement such measures, the likely result would be enhanced coordination between the internal and external auditing functions, more effective and efficient independent financial statement audits, enhanced compliance with regulatory requirements, and more constructive internal control recommendations from external auditors.

Dr. Terry J. Engle, CPA, currently serves as the advisory council professor of accounting at the University of South Florida. His teaching and research interests are in the areas of internal auditing and independent financial statement auditing. Engle has been the author of numerous articles that have appeared in leading academic and practitioner journals, including the American Accounting Association's Accounting Horizons, The IIA's Internal Auditor, The New York State Society of CPAs' The CPA Journal, and the American Institute of Certified Public Accountants' Journal of Accountancy.
Dr. Gilbert W. Joseph, CPA, CISA, is the endowed Dana Professor of accounting at The University of Tampa, Florida. He teaches financial and accounting systems courses and is an active member of several professional societies. Joseph has published more than 30 articles on a variety of topics in many academic and professional journals. Prior to teaching, he spent more than 20 years with the U.S. government working in computer systems.

All contents of this Web site, except where expressly stated, are the copyrighted property of the Institute of Internal Auditors Inc.