The work of external audit — providing assurance on the accuracy of financial reporting — is a complex operation, especially given today's increasing pressure from boards, regulators, and activist investors.
Internal audit encourages a strong and symbiotic relationship with external audit, as part of efforts to ensure the accuracy of financial reporting and to support external audit's efforts. Unfortunately, external audit does not always reciprocate in relying on the work of internal audit.
Identifying risks and weaknesses in internal controls requires a thorough and sophisticated understanding of the organization, and internal audit's place as an independent and ongoing assurance provider across the organization makes it the default expert. External audit, in its limited and periodic review role, cannot be expected to have as comprehensive an appreciation and understanding of the operating environment.
It is clear to me that external auditors can and should rely on the work of internal audit when the internal audit function is independent, appropriately resourced, and follows The IIA's International Standards for the Professional Practice of Internal Auditing.
I'm actually a bit offended when I hear about instances when this doesn't happen, or where external audit evaluates the work of internal audit and rejects it, based on no objective, defined, consistent criteria.
If a subjective evaluation by the external auditor leads to a determination that internal audit's work is unreliable, it can increase the amount of work required by external audit and increases the fees it can charge. If it looks like self-interest bias and smells like self-interest bias, well …
No one should have a more thorough and broad understanding of internal control than internal audit, and it must be the default position for external audit to rely on that if the audit function is independent, appropriately resourced, and follows the Standards.
In addition, any evaluation of the internal audit function must include an examination of whether the audit committee is fulfilling its oversight responsibilities. It is this oversight that ensures the independence of both internal audit and external audit.
In fact, I've heard experts say that external audit is more independent than internal audit. If both are reporting to the audit committee (or something equivalent) and that audit committee is taking its oversight responsibilities seriously, then they are both equally independent. I'm already hearing someone say, "But the internal auditors are employees and the external auditors come from the outside." That may be true, but the money paying for both comes from the same bank account.
The default position must be for the external auditor to rely upon the work of internal audit unless it confirms that internal audit is not operating in conformance with the Standards (easily determined by the presence of an external quality assessment) and/or that the audit committee has not maintained its oversight responsibility of the internal audit department.
We can't run the risk of inconsistency, subjectivity, the potential for repeating internal audit's work unnecessarily, and whether this creates at least a perception of self-interest for the external auditor. Once reliability has been determined — based on conformance with the Standards and an examination of the oversight role of the audit committee — external audit's ability to rely upon that work should be absolute across the breadth and depth of internal audit's coverage.
That's my point of view. I'd be happy to hear yours.