Internal audit’s trustworthiness shouldn’t be a question for boards.
The U.S. PCAOB's recent proposal to update the standard for how external auditors manage third-party confirmations calls into question the trustworthiness of internal auditors.
Articles Matt Kelly Apr 10, 2023
The U.S. PCAOB's recent proposal to update the standard for how external auditors manage third-party confirmations calls into question the trustworthiness of internal auditors.
Call it the PCAOB provocation. Or maybe the contretemps over confirmations. Or — wait, I’ve got it now — the indignity to internal audit. I speak, of course, of the U.S. Public Company Accounting Oversight Board’s recent proposal to update the standard for how external auditors manage third-party confirmations. The proposal declares that internal auditors should neither send confirmation requests nor receive confirmation responses, because that involvement “creates the risk that information exchanged between the auditor and the confirming party is intercepted and altered.”
Naturally the internal audit community took exception to the implied insult in those words. The IIA even published a statement saying it was “deeply concerned” that the proposal suggests internal audit is just like any other corporate function: one not to be trusted by external audit or the board.That’s really the issue, isn’t it? How can internal audit demonstrate that it is a valuable and trustworthy partner for boards? “For the most part, internal audit and external audit are more friend than foe,” says Neil Frieser, former CAE at a Fortune 500 company and these days an audit committee member at Colorful Networks, a privately held startup in Arizona, and several other firms. “We collaborated a great deal with external audit, and that was a very fruitful relationship.”
Those fruitful relationships aren’t just important because people want to get along. Internal audit, external audit, the board’s audit committee, management — they all need each other. External audit teams rely on internal audit functions for insights about business processes and data. A strong internal audit function allows the external audit to happen more efficiently, which helps to keep audit fees down.
Above all, respectful relationships among management, internal audit, and external audit allow all three to resolve tricky issues before those issues become fights in front of the audit committee, which is the last thing anyone wants. Including members of the audit committee.
“As an audit committee member, that is not at all what I want to see at a meeting,” says Kelly Barrett, chair of the audit committee for retailer Aaron’s and a former head of internal audit for Home Depot. “If fights like that happen, something has gone very wrong.”
Let’s go back to the PCAOB. Aside from its proposal for third-party confirmations, the agency already has standards for how external auditors should approach a client’s internal audit function.
Audit Standard 2605, Consideration of the Internal Audit Function, says that external auditors should first decide whether they want to rely on the internal audit team at all. If the external auditor does want assistance from internal audit, the external auditor must evaluate the internal audit team’s competence and objectivity. That means considering criteria such as the internal auditors’ experience and education, and whether the head of internal audit reports to a sufficiently senior executive so that audit findings get acted upon.
In practice, that could be something like external audit asking to see the credentials of everyone on the internal audit team and asking the internal auditors to complete an independence questionnaire.
Assuming that internal audit does have the competence and objectivity to work with external audit, AS 2605 says the external audit team must still “supervise, review, evaluate, and test the work performed by internal auditors to the extent appropriate in the circumstances.”
For example, Frieser says, internal audit might review 30 transactions and show its work to the external auditors. The external audit team would then reperform, say, five of those tests, and if all went well, would then accept internal audit’s work on the other 25.
“That’s all healthy and appropriate,” Frieser says.
Given that context, one can see how the PCAOB’s language in its proposal for third-party confirmations might rankle. That is, if the PCAOB already requires external auditors to evaluate the competency and integrity of the internal audit team, and then supervise what internal audit does — shouldn’t that be enough? Why make third-party confirmations the exception to that rule, when nobody has ever even used confirmations to perpetrate a fraud?
Indeed, in a letter to the PCAOB, The IIA said the proposed new standard “implies no assessment of competence and objectivity can possibly permit internal auditors to assist external auditors in certain facets of the confirmation process. Internal auditors are, prima facie, not to be considered trustworthy.”
That’s not how it works in real life. External audit teams will always have some tasks that only they can do — develop a risk assessment, for example, or brief the board on material weaknesses they find — but in the main, internal and external audit teams are close partners.
Another reality is that internal and external audit teams will still disagree on some issues from time to time. So the other key to a healthy, respectful relationship is to develop a process that resolves those disputes before they escalate all the way to the audit committee.
For example, Frieser and his internal audit team would meet with the external audit team several weeks ahead of sending out materials for the next audit committee meeting, to review processes and systems in scope, significant transactions that needed more attention, status of open audit issues, and so forth.
“We used those meetings so we were never really out of alignment on who thinks one thing or another,” he says. “They were to hash out any issues where we might stub our toes.”
Barrett has similar recommendations. Internal audit, external audit, and management (the controller, a vice president of financial planning, or perhaps even the chief financial officer) should always strive to resolve the issue. “They’re there to assure the board that they can keep the organization moving forward,” she says.
Or, to put things another way: The audit committee is there to assure that the company has processes in place to resolve disputes, not to settle the dispute directly. If internal and external audit teams bring a fight to the audit committee, then the problem is the people fighting, not the underlying accounting issue.
Then again, Barrett and Frieser both say they’ve never heard of internal and external audit teams fighting in front of the audit committee, or even just viewing each other as untrustworthy — and we’re back to the PCAOB’s proposal for third-party confirmations yet again. Like many internal audit professionals, they just don’t know where the PCAOB was coming from with this language. “I can’t imagine there’s a circumstance where it’s even possible for internal audit to be close enough to a process that they’d fabricate evidence,” Frieser said. Whether the PCAOB comes around to that point of view remains to be seen.