Expert tips for making internal auditing indispensable to external auditors and the governance process.
by Christina Brune, Editor of Auditwire
“This article was reprinted with permission from the Jan/Feb 2004 Issue of Auditwire, published by The Institute of Internal Auditors, Inc., http://www.theiia.org/.”
The string of U.S. corporate failures and resulting legislation and regulations during recent years have placed a spotlight on the relationship among external auditors, internal auditors, and the organizations they audit. As the dust settles and the Public Company Accounting Oversight Board (PCAOB) begins issuing standards to guide auditors in the professional pursuit of objective auditing, one question weighs on the minds of chief audit executives (CAEs): How much will the external auditor rely on the work of internal auditing for internal control assurance and financial statement attestation?
Although the PCAOB’s recent exposure draft suggests that external auditors’ reliance on internal auditing may soon be limited, The IIA offers another viewpoint: “We think that the auditor should be able to place much more reliance on a competent and objective internal audit function than the proposed standard indicates. It should be left up to the professional judgment of the external auditor as to the level of reliance to be placed on the work of others. Internal audit functions in compliance with The IIA’s Professional Practice Framework, including the International Standards for the Professional Practice of Internal Auditing (Standards), demonstrate a number of dependable qualities such as ethical integrity, independence, competency, and sound audit planning with a focus on risk management.”
Until the PCAOB releases its final determination, external auditors will likely continue to rely upon the work of the internal audit function for risk analysis and ongoing testing of the organization’s internal controls. For the time being, the two have a symbiotic relationship. In many instances, internal and external auditors work closely to ensure that the organization’s financial and operational risks are identified, controls are thoroughly tested, and regulatory requirements are in compliance. Together, they provide broader coverage and exhibit the fullest use of the organization’s resources.
To maintain this partnership and to limit redundancy of audit testing for control validation, internal auditors must prove that their work is reliable. External auditors from three prominent certified public accounting firms spoke with Auditwire and described, from their perspective, what constitutes “reliability” in an internal audit function. As one would expect, many of the characteristics they consider valuable are requirements of The IIA’s Standards.
External auditors agree that an educated, experienced internal audit staff is one of the most important considerations when assessing the reliability of an organization’s internal audit function. “We typically review the internal auditors’ professional background, training, and expertise, and in many cases request a résumé,” says Gerry Pfeiffer, partner and director of the Financial Institution Practice for Clifton Gunderson LLP in Peoria, IL. “IIA membership and the presence or pursuit of certifications implies a degree of professional integrity, competency, and a commitment to ongoing training,” he adds. Pfeiffer also values internal auditors who keep up with current events in their specific industry and the changing audit standards.
Wayne Kolins, national director of assurance for BDO Seidman LLP in New York City, likewise examines the internal auditors’ credentials, how long they’ve been in their current position, and whether or not they hold a degree in accounting or are certified public accountants (CPA). “Their longevity at the company and how well they understand the business are also important,” he says. “Being a CPA may not be essential, but it certainly would help. I think it would also help to see whether any of the internal auditors had public accounting experience, so they could better understand how the external auditors operate and the kind of testing that the external auditors would be doing.”
Independence of internal audit function
Another top concern is internal auditing’s reporting line and its independence. “In my view, internal auditing needs to report directly to the audit committee,” says Michael Hall, managing partner of Grant Thornton’s Chicago office. “When we go in and see a structure where the internal audit department is reporting to the chief financial officer (CFO), and the CFO determines what areas will be audited and has significant control over the determination of risk areas, it’s not independent. I wouldn’t rely on any of their work.”
Kolins agrees that objectivity is compromised when a CAE reports only to the CFO. “The CAE should report directly to the audit committee, with no impediment in terms of going through the CFO, in cases where he or she sees issues arising,” he says. “Direct access to the audit committee is critical. We give a lot more credence to an internal audit staff that has a strong reporting line to the audit committee.”
Responsiveness to findings
Hall points out that although the organizational chart is important, another indicator of a truly objective and effective internal audit organization is its ability to effect change. “Ideally, we like to see past audit reports that have been supported by the audit committee and management and changes in the control structure based on those reports,” he says, adding that his group takes it seriously when there is strong tone at the top of the organization that supports internal auditing. “If you’re in a situation where issues have been raised by the internal audit group, and nothing has been done about those issues – even though they’ve been reported to the audit committee – you need to take a closer look at why the audit committee isn’t taking them seriously enough to go back to management or the CFO and ask them to correct the problem or provide more information.”
Function that’s not outsourced
Some external auditors have found that they’re able to place greater reliance on internal auditing when the function is performed by the organization’s own employees. “Personally, I greatly value the internal audit effort within a company and strongly prefer that clients have internal audit departments as opposed to outsourcing that function,” Pfeiffer notes. “I think competent, qualified internal auditors working within the company can provide more daily observations and insights into the company rather than external individuals who come in on a piecemeal basis.”
Solid audit plan
A well-constructed audit plan that covers at least a year is key to eliciting external auditors’ confidence in the internal audit function. “What you want to see is a keen sense of risk analysis and a well-thought out and well-documented process for developing the annual audit plan,” Hall explains. “You might ask, ‘How has internal auditing assessed the organization’s risks? Do they have a methodology that makes sense for risk assessment? And is the organization using this methodology? What areas are they looking at? And if there are significant areas that they’re not looking at, why not?’ If the internal auditors are going to be relied upon by the external auditors, you need to get an understanding of how they determine audit risks and assess whether they’re doing a good job of that. If every year, the internal auditor looks at the same areas routinely, that doesn’t give the external auditor a lot of comfort.”
Pfeiffer maintains that his team also evaluates the risk assessment process and looks at the scope, depth, and timing of the internal audit plan to see how they dovetail with the external audit plan. “We do sometimes influence the internal audit plan by asking the internal auditors to adjust the scope, timing, or overall extent of their work so as to permit greater reliance by us and to help avoid redundancy. Our preference is to coordinate our efforts so that we get the desired amount of work done at the right time,” he says.
Although Kolins indicates that his team also examines the internal audit plan and tries to use that plan within its own audit plan as much as possible, his group is guarded about sharing the external audit program with the organization. “Let’s say that internal auditing reports to the CFO, but has a dotted line to the audit committee,” he says, hypothetically. “In this day and age, we won’t tell the CFO about our detailed audit program, but we’ll share it with audit committee members, because they are the objective overseers of the company, and we’ll explain to the internal auditors what we’re going to do and what we’d like them to do to make our job more efficient. We don’t mind telling the audit committee or the internal auditors directly, as long as it is not divulged to the CFO or the rest of the company.”
High quality of work
“Perhaps the single most important indicator of reliability is the internal auditors’ ability, which is reflected in the work they do,” Kolins explains. “If after retesting a sample of their work, we have different findings or draw dissimilar conclusions, then we probably wouldn’t rely on the internal auditors. But if we come up with the same findings, then we have a basis for reliance.”
When beginning an audit of a particular area that has already been covered by internal auditing, Pfeiffer examines the internal auditors’ reports, programs, questionnaires, and specific underlying workpapers. “I look for evidence that the internal auditors understood what they were auditing and that there was adequate evidence for their sign-off of the specific programs reviewed,” he says. “A significant concern of mine would be if the audit programs or related workpapers were superficial in nature, didn’t bear evidence of an actual sign-off, or didn’t appear to be supported by workpapers giving evidence to the specific comments. Typically, those types of things translate into a superficial audit that lacks substance.”
Hall also studies the internal audit reports issued during the previous year to get a feel for the quality of internal auditing’s work. “If the internal audit group rarely comes back with any findings or recommendations, it either means that we’re dealing with one heck of a company, or maybe the internal audit function is subpar,” he says, adding that it’s imperative for internal auditing’s work to be well documented. “In today’s day and age, the view is, ‘If it’s not documented, it’s not done.'”
Communication with the external auditors
Another component of internal auditing’s perceived reliability is the audit group’s coordination and communication with the external audit team. “I appreciate a CAE who engages in a dialogue with the external auditors and the audit committee regarding new issues and hot buttons facing the corporate entity,” Pfeiffer notes. “Over time, hopefully, the external auditors serve as a sounding board for the internal auditors, and we establish a rapport so that if they have specific technical questions regarding a new area that they’re auditing, we can provide advice and training as a mentor. The mutual goal would be for internal auditors to perform higher quality audits. And that would enable us to place greater reliance on them.”
A new perspective
In the audit field, which is chock-full of objective, methodical investigation, it’s somewhat ironic that many external auditors don’t have a point system or numerical rating to help them determine objectively whether or not the internal auditor’s work is reliable. Instead, it’s purely a judgment call. At the end of the day, internal auditors must impress the external audit team with their independence, competency, and the quality of their work.
Not coincidentally, many of the characteristics common to reliable internal audit functions are required by The IIA’s Standards and are simply good practice for the prosperity of any internal audit group. However, it’s a good idea for CAEs to assess these issues not only from the perspective of their own successfulness, but also through the eyes of the external auditor to promote the most trusting partnership professionally possible.
Visit The IIA’s Standards online for more information about topics such as:
- Professional proficiency.
- Scope of work.
- Audit planning.
- Internal-external audit coordination.
- Risk management.
- Recording information.