New external audit standards and increased regulatory pressure on external auditors have placed the internal–external auditor relationship in the spotlight. Internal auditors need to understand these changes and the steps they can take to make sure their organization continues to receive the full value of coordinated audit services.
The New Environment
External audit firms are subject to three major standard-setting bodies: the International Auditing and Assurance Standards Board (IAASB), the American Institute of Certified Public Accountants (AICPA), and the U.S. Public Company Accounting Oversight Board (PCAOB). The IAASB and the AICPA have issued new standards that raise the bar for external auditors when determining whether they can use the work of internal audit. The PCAOB has released guidance alerting external auditors to frequent deficiencies it has observed in their compliance with requirements governing the internal–external auditor relationship. These changes mean that external auditors are now examining the internal audit function more closely and stepping up the tests they apply to internal auditors’ work.
Until now, external auditors have been able to use the work of internal audit in obtaining audit evidence if they have no reservations about the objectivity or competence of the internal auditors. The new standards from the IAASB and AICPA now add a third condition, requiring external auditors to determine whether internal audit applies a systematic and disciplined approach, including quality control. Internal audit activities that comply with The IIA’s
International Standards for the Professional Practice of Internal Auditing (Standards) satisfy this requirement, particularly through Standard 1300: Quality Assurance and Improvement Program.
Even when external auditors are unable to rely on internal audit’s work, they may be able to use internal auditors to provide direct assistance on the external audit engagement. However, this ability still depends on the external auditors’ evaluation of the objectivity and competence of the internal audit function. In either case — whether using work that internal auditors have previously prepared or work they perform through direct assistance — the external auditor must test and evaluate that work. The new regulatory guidance cites instances where this assessment has been inadequate or, in other cases, missing altogether. Given these findings, external auditors are intensifying their scrutiny of the internal audit function. In this new environment, numerous opportunities arise for internal auditors to enhance the value of their collaborative efforts.
Recognizing the Key Areas
To achieve the maximum value of coordination, discussions should be held early, so internal audit work can be tailored to be mutually beneficial. Like all aspects of internal audit, any modifications are the ultimate responsibility of the CAE. Nevertheless, the Standards’ requirement for the exercise of due professional care means that every auditor is responsible for developing an understanding of how the external audit will impact the internal audit plan. The focus of this understanding should include both specific aspects of the external audit engagement and its documentation requirements, especially for internal auditors in the initial stages of their careers.
The first and most important element of the audit is the risk assessment, which drives the internal audit plan. Identification of significant risks is the basis for subsequent scoping decisions. Therefore, knowledge sharing between internal and external auditors is critical so that potentially significant risks are not overlooked. The external auditors devote most of their attention — and budgeted time — to these risks. And while their professional standards do not permit them to use the work of internal auditors as the sole source of audit evidence for high-risk financial statement items, that work still can reduce the extent of their testing.
A key aspect of the external auditor’s risk assessment is materiality. During the planning phase, internal auditors should obtain a clear understanding of materiality considerations relevant to the engagement. Internal audit testing can then be performed at a level sufficient for the external auditors’ reliance, without the need for them to perform extensive additional procedures. The external audit materiality thresholds may not prove problematic, because they often are much higher than those used by internal audit. However, it is important for novice auditors to recognize that the external auditors’ primary focus is the risk of material financial misstatement, not the operational and compliance risks that internal audit addresses. Moreover, as emphasized in the Standards, the internal auditor’s concern is for significant risks. In this context, “significant” is a much broader concept than “material,” as used for external audit purposes.
Before planning discussions conclude and testing begins, internal audit should request that the external auditors share their sample size methodology for tests of controls. For tests of details, the request should include the external auditors’ calculation of sample sizes using their specific templates. More broadly, internal auditors should ask for the outside auditors’ current templates for all types of audit tests planned. These are updated frequently, and internal audit’s use of an up-to-date testing template will minimize the need for external audit follow up. Additionally, these templates will ensure that internal audit’s documentation meets the external auditors’ professional requirements and that audit efforts are not duplicated.
In addition to relying on internal audit’s work as audit evidence, the external auditors may decide to use the internal audit staff in a direct assistance capacity. If so, external audit standards require that external auditors direct and supervise the internal auditors and review and test their work. Even with this requirement, it is incumbent on the internal audit staff to make sure that external audit is fulfilling these responsibilities timely. Internal auditors should request regularly scheduled meetings with external audit to assess progress and to make certain their work is continuing to meet the external auditors’ expectations. Newer internal auditors will want to make discussions with the CAE (or the CAE’s designated lead auditor) a part of this ongoing communication, especially if any questions arise about their responsibilities when performing external audit tasks.
Achieving the Right Balance
In stepping up their efforts to avoid regulatory comments and disciplinary actions, external auditors are making regular communication with internal audit a priority. The new external audit standards emphasize the importance of ongoing dialogue, so internal auditors should find their outside peers receptive to discussions about points of common concern. While the two professions pursue their objectives from different perspectives, they share the goal of providing an overall audit service that is both effective and efficient. Internal auditors have an equal stake in making sure their relationship with external audit is truly collaborative.