IN THIS ISSUE
Improving Internal and External Audit Coordination
Because of the potential value of CSA, internal auditors and their organizations need to work together to effectively integrate CSA into the external auditing process.
DR. TERRY J. ENGLE, CPA
Many internal auditors already know that control self-assessment (CSA) can be an exceptionally useful tool for their organizations. However, what is less known is how external auditors can use CSA to improve the efficiency and effectiveness of a financial statement audit. A control self-assessment survey — conducted by the authors — of organizations and their external auditors revealed a low level of CSA usage by external auditors and a low level of communication between internal and external auditors. The survey also found several basic misconceptions on the part of internal and external auditors, and other organizational personnel that likely are contributing to low CSA usage. (For survey information and findings, see the sidebar "About the CSA Survey.") Because of CSA's value, organizations and their internal auditors should work to promote the use of CSA by their external auditors.
The internal audit profession has always had significant responsibilities over internal controls, which is demonstrated by its definition. In addition to their traditional control responsibilities, internal auditors are increasingly being called upon to assist management — by serving as its eyes and ears — in fulfilling its obligations under the U.S. Sarbanes-Oxley Act of 2002, particularly for Sections 302 and 404. The IIA's Professional Practices Framework also advocates that internal auditors be involved in both a consulting and assurance capacity.
As a result of the Sarbanes-Oxley requirements, the internal audit profession must evaluate both hard and soft controls under the guidelines of The Committee of Sponsoring Organizations of the Treadway Commission's (COSO's) Internal Control–Integrated Framework. Hard controls (e.g., credit approval indicated on an invoice) can be effectively evaluated by traditional auditing tests. However, soft controls (e.g., management's ethics and integrity) are vaguer and traditional audit tests are far less effective in evaluating them. The internal audit profession has been a leader in searching for new audit tools to more effectively evaluate soft controls and CSA has emerged as an effective tool in this area, but according to the survey, organizations are not using CSA in the most audit relevant areas. Only 14 percent of the 73 organizations using CSA used the tool to evaluate controls that promoted the reliability of the organization's independently audited financial statements. This use of CSA would be most directly relevant to independent financial statement audits. Yet, few organizations employed CSA in this manner.
CSA is used to evaluate organizational processes and controls, and can be helpful in improving the effectiveness of internal and external auditing. However, of the organizations surveyed, although most had CSA data available, organizations were not communicating with external auditors about their use of CSA. The organizations were not asking their external auditors to use the existing CSA data and few external auditors were making CSA-related requests of the organizations. Of the 67 respondents using CSA and also receiving an independent audit, none indicated that management requested that CSA be used by their auditor. In addition, according to the survey, no auditor asked their organization to implement new CSA activities that were relevant to the external audit. Only 14 organizations indicated that their auditors requested evidence that had been created via existing CSA activities.
The internal and external audit functions are two critical components of organizational governance systems and the International Standards for the Professional Practice of Internal Auditing recognizes that the two audit functions should be effectively coordinated. After Sarbanes-Oxley was passed, internal control responsibilities increased for internal and external auditors, which represents an area where tremendous value can be achieved through proper coordination. Internal auditors have been leaders in the effective use of CSA in control evaluations.
External auditors also have enhanced control responsibilities under Sarbanes-Oxley. In addition to their long-standing responsibility to evaluate an organization's control system as part of a financial statement audit, Section 404 requires that the external auditors attest to the fairness of management assertions contained in their internal control report. In essence, external auditors are now required to audit the organization's system of internal control over financial reporting while also auditing the financial statements. This additional attestation on internal control necessitates a level of control understanding and testing that far exceeds what formerly was necessary to support an opinion on the financial statements. Using CSA can contribute to the effective attainment of these comprehensive audit responsibilities. But the survey results show that a significant number of individuals at organizations possessed negative sentiments about external auditors being involved in their CSA activities even though most organizations had no direct experience with such involvement. A majority of organizations did not believe that external auditor involvement in CSA activities would improve their CSA initiatives, and a significant minority (ranging from 19 to 45 percent, depending on the question asked) thought that external auditor involvement would actually hurt their CSA processes.
Performance Standard 2050: Coordination and its related practice advisories place a professional responsibility on internal auditors to effectively coordinate internal and external auditor control activities. Since the advent of Sarbanes-Oxley, this professional responsibility has taken on increased importance because the enhanced involvement of external auditors in the control arena has a direct bearing on the quantity and quality of the control information made available to top management and the board as they attempt to govern their organizations and fulfill their statutory responsibilities under Sarbanes-Oxley.
To fulfill their responsibilities under Standard 2050, internal auditors should determine whether external auditors are using CSA to evaluate the many soft controls that are a critical component of any internal control system under COSO's Internal Control–Integrated Framework. Soft controls are too important to ignore and the appropriate tools must be used to evaluate them.
Because of the potential value of CSA, organizations and their internal auditors should work together to effectively integrate CSA into the external audit process. The survey of IIA Control Self-assessment Center members revealed that organizations were not using CSA in areas most relevant to external auditors, that organizations and auditors were not communicating with each other about the use of CSA, and that a significant proportion of employees appeared to hold negative sentiments about the value of external auditor participation in their organization's CSA activities.
Internal auditors should do all that they can to promote CSA. If organizations implement such measures, the likely result would be enhanced coordination between the internal and external auditing functions, more effective and efficient independent financial statement audits, enhanced compliance with regulatory requirements, and more constructive internal control recommendations from external auditors.
How has flextime work schedules impacted audit completion time for your agency?
Audits have been completed faster.
There has been no change.
Audits take longer to complete.
My agency does not have a flextime poilcy.
The Institute of Internal Auditors - 247 Maitland Avenue • Altamonte Springs, Florida 32701-4201 U.S.A.
+1-407-937-1100 • Fax +1-407-937-1101 • www.theiia.org
All contents of this Web site, except where expressly stated, are the copyrighted property of The Institute of Internal Auditors Inc.