Internal Auditor’s blogs reflect the personal views and opinions of the authors. These views may differ from policies and official statements of The Institute of Internal Auditors and its committees and from opinions endorsed by the bloggers’ employers or the editors of Internal Auditor.

Are You Getting a Quality External Audit?​​​

Comments Views

With the U.S. Pu​blic Company Accounting Oversight Board (PCAOB) continuing to report a significant level of "defects" in the audits its examiners inspect, management and boards should be thinking about whether they are getting the audit they are paying for.

While the PCAOB examiners rarely say the opinion expressed by the audit firm on the company's financial statements or system of internal control was wrong, they are reporting that the documentation included in the audit files oft​en does not support the judgments and assessments the audit team made.

Tammy Whitehouse wrote an interesting article for Compliance Week in April that merits our attention.

Whitehouse starts with the important point that, on the surface, the audit firms have stopped fighting the results of the examinations and increased their efforts to find the root causes of deficiencies and address them.

I say this is on the surface, because I have yet to hear of an audit firm admitting to a client that it had a quality defect.

In fact, based on the conversations I have had with the many Sarbanes-Oxley project management officers and financial executives who attend my Sarbanes-Oxley training, the audit firms continue to complain about the examiners. They assert that the examiners are picky (just as management perceives the external audit team) and are changing the standards for what is required. As I explained in an earlier post, the examiners are not setting new standards — they are holding the audit teams to existing ones.

For example, let's take reliance on internal audit work — especially for Sarbanes-Oxley. Although the PCAOB's October 2013 report criticized the firms in this area, they did not set new standards. They reaffirmed existing guidance. But, they said the firms had not documented the basis for their judgment in relying (or not relying) on the work of the internal audit team. Yet, as Whitehouse reports, the Center for Audit Quality reported, "A significant portion of participants [in their survey of audit firms] believed that there has been a substantial change in the PCAOB's posture on the use of internal audit's work. One external auditor said, 'So far as reliance is concerned, this Fall it seems like the nature and extent of the testing of internal audit has been questioned more than ever.'"

A recent article (brought to my attention by Angie Chin) blamed the failure to have documentation to support auditor judgment on management. I don't buy that argument. It fails because a) if the auditor asked for it and it was lacking, that would be in the audit files and would have been identified as an issue; b) it might have existed but not included in the audit files; and c) if the auditor had recognized that this was a requirement in prior years, it would have been communicated this to management and made the documentation available to the auditor.

So what are management, the audit committee, and (working with them) the CAE to do?

  1. Do not accept without appropriate skepticism any assertion by the audit firm that it is doing more work because the PCAOB has changed its standards. Instead, require the audit team to show where, in writing, that has occurred.
  2. Do not accept that the PCAOB has changed its position on reliance by the audit firm on internal audit work. That is not true.
  3. Require that the audit firm disclose how PCAOB examinations have affected the work it does for them and why it is making the change.
  4. Require the audit firm to explain how it ensures that all its work is derived from an assessment of risk and is necessary to address the risk of material error or omission, and to disclose what those risks are.
  5. Require the audit firm to discuss how it ensures quality across the engagement, including where reliance is placed on other offices or associated firms.

I welcome your comments.

Internal Auditor is pleased to provide you an opportunity to share your thoughts about these blog posts. Some comments may be reprinted elsewhere, online or offline.



Comment on this blog post

comments powered by Disqus
    • CIA-September-2021-Blog-2
    • Your-Voices-September-2021-Blog-3