Should Internal Auditors Participate in the Evaluation of External Auditors?

Richard Chambers, CIA, CGAP, CCSA, CRMA, shares his personal reflections and insights on the internal audit profession. 

 

In my recent blog on the uptrend in compliance audits, I wrote that internal audit should be risk-centric, meaning that our focus as auditors should evolve to align with prevailing risks and the concerns of our stakeholders. One risk getting a lot of attention these days from regulators and the media is the quality of external audits.

Wall Street Journal Senior Editor Emily Chasan reports in her Sept. 13 CFO Journal blog that external audits are headed for a new era of disclosure. The U.S. Public Company Accounting Oversight Board (PCAOB) is drafting new auditor identification rules to pierce the veil of anonymity that created the opportunity for some individuals to perpetrate fraud. And the International Auditing and Assurance Standards Board is seeking comment on a proposal to enhance audit reporting standards.

Among the more significant changes in the proposal is a recommendation that external auditors of listed companies begin reporting specific findings or “key audit concerns,” in addition to the conventional pass/fail general opinion. In this regard, external audit reports could start to resemble internal audit reports.

Another goal of the proposed changes is to engage senior management and board members in the external audit process, increasing both the depth of understanding and the accountability of lead auditors.

I believe internal auditors, as a key resource for audit committee members on audit matters, can fill an important advisory role for the audit committee, applying their knowledge of risk and control frameworks to evaluate the overall performance of the external auditors. Such an assessment would serve as an important data point for the audit committee’s use in formulating its own assessment of the external auditors.

Obviously, nothing that internal audit does by way of assessing the external auditors’ performance should impair the external auditors’ independence. I am not suggesting that we show up at the external auditors’ door with an audit plan in hand and pour over their engagement records like the PCAOB does. I am merely suggesting that we be prepared to provide an assessment of the external auditors’ work based on our own observations and analysis. We can then share our assessment either by report or in executive session with the audit committee.

From my experience, many audit committees are already availing themselves of internal audit’s perspectives on the external auditor, and I predict more will follow in the future. I think that mutual accountability makes sense and should become standard practice. As audit professionals, internal auditors are uniquely qualified to advise their boards on external audit matters.

What do you think? Has your audit committee sought your input on external audit quality? Is this something you see as valuable? Is there a downside? I’d love to read your opinions.

Posted on Sep 23, 2013 by Richard Chambers

Share This Article:    

  1. I think the idea proposed is interesting and could be valuable if the external auditors are open and receptive to feedback provided by the internal auditors. From my experience, I am wondering how it would work for internal audit to provide feedback or assess the work of the external auditors if and when external audit places reliance on the work of internal audit? Maybe those specific audits could be left out of the assessment made by internal audit. I have not been asked by either of the two audit committees I worked with for feedback on the quality of external audit; however, my preference would be to have a tripartite meeting (ie, the chair of the audit committee, the lead from external audit, and the manager from internal audit) to present/discuss/review feedback given by both audit teams to their respective managers to bring to the meeting.
  1. I certainly feel that Internal Auditors should participate in evaluating the External Auditors. I have had first hand experiences where the Internal Auditors had found rampant fraud, that could have been detected with some very basic checks like Payments Vouching. However, the External Auditors, who had done these checks, had not reported a single discrepancy. There were various other irregularites, but the External Auditors had given a "clean report". Internal Audit suggested to the Company to fire the External Auditors, and to file a case against them. This was done, and a new firm of External Auditors was appointed.

    I must add however that management on their own, did not seek Internal Audit's opinion about the External Auditors. The initiative was taken by the Internal Auditors.  

  1. The professional internal auditors are well equipped to handle many different aspects in my view within an organization. The fraud is one area where there is lot of eagerness among all the parties to listen and provide expertise for controls due to the inherent nature of audit risk here. Internal auditors must be able to express unfairness in external auditors opinion also based on the external audit risk assessment and materiality threshold issues since auditors liability amounts dictate external auditors test, scope and types of audit tests here. Once again, the issue becomes "what should be first" in terms of audit priority and this ends up being budgetary talk, staff availability and management succession plans etc. Hence, the subject matter should not be one sided where internal auditors extend helping hand and provide opinion at any cost and not able to expect the same cooperation from external auditors.
  1. Please see this discussion of a Center for Audit Quality paper: (http://normanmarks.wordpress.com/2012/10/15/new-guidance-on-assessing-the-external-auditor/)

    Also, this discussion includes a link to a form I have used to help the audit committee assess the performance of the external auditor: http://www.theiia.org/blogs/marks/index.cfm/post/Risk%20and%20Control%20Issues%20Commonly%20Overlooked%20by%20Internal%20Audit%207:%20The%20External%20Auditor

  1.  My take on this is that internal audit should assess the work of external auditors. cases abound where financial statements are given a clean bill of health only for cases of fraud to emerge later. i believe the knowledge internal auditors have on operations could help external auditors reconcile with the financial figures as they undertake substantive tests and confirmation of balances.

    i have often seen external auditors setting materiality levels of significant values and some finance officers have often beaten this by splitting transactions so that some balances are left out during their tests/audits.

     

    coordination between internal and external audits stands to benefit the organisation and as such evaluation of external auditors would be welcomed. 

    Looking at the management letter often issued by external auditors, it tends to be shallow and lacks depth in terms of key areas which are often dropped out. in addition, the process of follow up of issues raised in the management letter is often ignored thus same issues keep recurring.

    otherwise, i also see some external auditors for not wanting to savor relationship with the clients, would like to keep a clean sheet as such avoids laying issues bare as found out during audits.

     

     

     

  1. My personal opinion is that if you act as a board member or a supervisor (there is a lot of similarities between this roles!) you can not, in your work, rely on the Annual Report or other reports from the external auditors. Those reports can only give you a platform for your own analysis and evaluation.... this is interesting thoughts how to overcome "the gap" between internal and external audits and it can be helpful when board members and others is struggling with their analysis.
  1. First, “key audit concerns" of external auditors are control deficiencies related to preparation of financial reports. They are noted in report called "Management letter" and they are presented to management board. However, this report is for company's management purposes and is not for public disclosure. There is nothing new here. Plus,according to ISA those concerns are only related financial statements risk. So i'm not sure if these proposed measures will make external audit reports start to resemble internal audit reports. Second, internal auditors must knows the international standards for auditing in order to make an assessment over external audit quality. So, the scope of internal auditors is quite narrow here. We can only inform the audit committee if external audit did their job well and nail down the risks related only to financial statements. Everything else will be less than professional and not efficient by internal audit.
  1.  Hi Richard, an interesting thought. A key risk here would be in setting the scope of any such review. The external auditor has very real legal risk and liability attached to its opinions, and internal audit does not. To suggest that IA could input into an opinion on how well EA doea that job would need to be very careully thought through. IA would certainly not be wanting to assess whether their opinion was appropriate.

    Our IA group certainly was involved and part of the team that selected the EA, and also contributed to an overall assessment of their performance as did management through a questionnaire each year.

    More disclosure in EA reports also needs to be carefully thought through, as a lot of "key audit concerns', can just be key areas of focus due to materiality, circumstance, assumptions made etc, where in the end both management and the auditor agree on the treatment.

    Regards Andrew Dix (Australia)

  1. Noble thought of participating in evaluating external auditors.

    But the question is what is the scope of External Auditor that we are discussing here?

    They provide true and fair view on financial statements with limited resources and giving much importance to materiality aspects. Their audit techniques resorts to vouching (limited), verification, balance confirmations and management representations.

    By evaluating external auditor's ability we may get better auditor than the previous one but ultimately they all will give you true and fair view on your financial statements.

    I would suggest strengthening internal audit team by providing them more resources and Top management support to implement their findings. 

  1. The question is independence. Some argue that because they are a third-party doing the audit, they are independent. I couldn't disagree more. I have been serving as COO and CFO and was the primary contact for all accounting and regulatory agencies. I never felt comfortable being responsible for the performance of these areas, as well as design and implementation of internal controls, then, hiring the auditors and presenting their findings. Because of my self interest, I often found myself arguing with auditors about details of their findings, trying to promote the realistic managements view of cost/benefit, etc. They know that, and I came to the realization that in their minds,if they wanted to be retained for the next year, they better back off (even though I never asked for that). Now, starting a new internal audit department, I see that anytime a third-party auditor is hired by the person subject to the audit(or at their suggestion to the board's audit committee) the audit will not be as honest, complete, accurate, etc. as it would if they were subject to scrutiny from an internal auditor who also had input (significant input)regarding their quality of work. In other words, if the audit or exam doesn't say much, it may not be worth much. This says nothing negative about the integrity of the person responsible for areas being audited. Rather, it is the perception of the auditor. It is the auditors responsibility to report all concerns an make recommendations regardless of how they perceive the bank will react. It is the responsibility of the audit committee to take these into consideration, determine the risk, the cost or methods to mitigate this risk and make the final determination as to a response. I think third-party auditors would welcome the input from the internal auditor is it may give them courage to be more upfront in their audit reports.
  1. I remember hearing (from the Chairman of a big 4) a few years ago, that the external audit would be changing to focus more on the effectiveness of internal controls rather than true/fair view.  If the role  of the EA is to broaden then it will cost companies a lot more which they may baulk at.  Greater EA competition may result; More independent advisory Firms. A greater role for IA to play in assessing the scope and performance of the EA. 

     

  1. Prior to Enron, Arthur Andersen (AA) had done our external audit.  When the audits of both Enron and the Arizona Baptist Foundation came into question and the quality of  AA's work,  our IA department was directed by the Audit Committee (AC) Chair and the Chairman of the Board to review the work performed by AA and future external auditors going forward as part of an oversight role on behalf of the AC.   We have been issuing a report on the review of the external audit's work for over 10+ years.  This work does not redo their work, but reviews the methodology and approach under GAAS (Generally Accepted Auditing Standards).    

  1. Never confuse "pore" and "pour".

  1. Thanks for this full informative post and discussion who helped person like me

Leave a Reply