Articles Norman Marks, CRMA, CPA Feb 06, 2023
The audit committee is responsible for overseeing and assessing the work of the external audit firm. Internal audit can assist by facilitating an independent assessment based on management's observations and insights.
One of the audit committee’s responsibilities is oversight of the external auditor. The board and shareholders look to the audit firm for assurance that the financial statements that the company files with the regulators are free from material error and that management’s system of internal control over financial reporting is effective. Every year, the audit committee should evaluate whether the audit firm is providing the necessary audit services at an appropriate quality and price.
The audit committee may want the CAE’s assistance in discharging this responsibility for a couple of reasons. First, there is a risk that the audit firm will fail to identify material errors or omissions in the company’s financial statements.
Every year, external audit failures make news headlines and are investigated by regulators, leading to legal actions against the company, reputation damage, and lawsuits by shareholders or lenders.
The second reason the audit committee may want the CAE’s help is that it has no other staff. All committee members can do is ask the CEO, chief financial officer, and corporate controller for their assessment. Sometimes those individuals are constrained by a desire not to confront the audit partners. In addition, executives may not have all the information necessary to evaluate the external audit team’s performance.
The examples in this article are based on my experience as a CAE at several companies.
Internal audit can add value by facilitating an independent and objective assessment of the audit firm’s performance, just as internal audit does for other sources of business risk. The assessment should be based on observations, comments, and insights from management as well as its own (see “A Bird’s Eye View” on this page).
Internal audit won’t have access to the auditor’s workpapers to see whether the firm is complying with audit standards and performing the risk assessment and testing it should. But there are other aspects of the external audit team’s performance that internal audit can assess.
It would be unusual for the external audit team to lack technical accounting capabilities and tax expertise. Internal audit can confirm its abilities through discussions with the company’s accounting and tax teams.
However, the external audit team doesn’t always have desired expertise with technology issues. Sometimes the firm’s IT auditors cannot appropriately assess technology-related risks, relying on theory instead of determining whether there may be a risk of significance to the financial statements.
In fact, external auditors consistently ask for IT-related controls where a failure is extremely unlikely to result in a material error or omission in the financial statements. At one of my companies, the firm’s IT audit manager explained that we had a serious control deficiency impacting ICFR. He explained that our network relied on a router in Taiwan to connect our headquarters in the U.S. to our operations in Asia. The traffic through that router was not encrypted nor was access to the router secured. Although there was a risk of network disruption if the router was attacked, I helped the manager understand that the possibility of somebody inserting or modifying transactions that went undetected and created a material error in our financial statements was highly unlikely.
The external audit team is only involved with the company for a few months each year, so its members may not understand the business. The manager and partner may be experts in technical accounting, but understanding the challenges in running a business is totally different. If external auditors don’t understand the business, they may not be able to hone in on potential sources of risk and may misunderstand the level of risk when they identify issues.
One problem I faced was when external audit testing identified a control weakness. The auditors informed management of the weakness after review by their manager and partner, but didn’t understand it represented a risk of fraud. This led to a delay in addressing the problem and a failure to investigate whether anyone had taken advantage of the weakness.
Auditing standards call for both management and the external auditors to use informed judgment in assessing risk — in establishing the scope of work and assessing the significance of deficiencies. In my experience, many external auditors rely on rules and theory. Seeking consistency, the firms train their staff to follow firm guidance. Only the more experienced and confident partners will use professional judgment in assessing a potential weakness or error.
At one of the companies where I worked, a journal entry was posted backwards, creating a material error in the financial statements for that quarter. When internal audit looked at the root causes, it discovered that the division controller who was responsible for creating the journal entry was on vacation — the first time he had been away at a quarter-end in a decade. The error should have been detected by the controller of another division, but she was home sick for the first time in several years. The operations controller, corporate controller, and their staff performed flux reviews that should have caught the mistake, but several unusual activities that quarter hid it from view.
In other words, many highly unusual events happened at the same time. But the partner was forced by his national office to declare, against his own judgment, that this was a material weakness in the system of internal control over financial reporting. Fortunately, this was at quarter-end and as soon as one of the two controllers returned to work, the deficiency corrected itself.
A balanced and thoughtful exercise of judgment would have seen this as an error that was highly unlikely ever to happen again, not a material weakness that indicated an ineffective system of internal control over financial reporting.
Auditing standards require external auditors to focus their attention on areas where there is at least a reasonable possibility of an error or omission that would be material. However, they sometimes bring up issues that do not pass that test. This can be due to their limited understanding of the business or a failure to take the top-down, risk-based approach required by the regulators, but another common reason is that the external auditor received instructions from a senior member to include the issue because it has been a concern in other audits.
At another company where I worked, the IT audit partner told management that the company needed controls over a specific IT-related risk. I met with that partner and explained that this was not a source of risk in our business. She told me the firm had found serious issues in several of its clients, and the regional partner — her boss — had instructed her that all her clients needed to have controls over it.
Often, there is poor communication between management and the external auditors. Senior executives are busy people, and unnecessary surprises are unwelcome.
Management wants to know when the auditors are coming. For example, executives want to ensure the right people are available, and they don’t want the auditors demanding their attention when they are overwhelmed with other work. At one company where I was CAE, managers at several of the global subsidiaries were angry with the local audit team. They told me the external audit team was arrogant and not only gave them little notice of their visits, but also were unresponsive to management’s requests to move their testing to a more convenient time.
When the auditors find a serious issue, management and internal audit want to know about it promptly so it can be fixed. However, external auditors can take weeks to inform these groups, leaving the risk untreated for far longer than necessary.
On the other hand, the audit committee can assess the quality of communications with the audit firm without internal audit’s assistance. In a January 2022 Center for Audit Quality and Deloitte survey of audit committee members, Audit Committee Practices Report: Common Threads Across Audit Committees, 85% said “strong communication between engagement partner and audit committee … contributes most to audit quality.”
Some external audit teams are very flexible in performing work at convenient times; other teams stand on their independence and refuse to change their schedule. Similarly, some audit partners and managers listen to suggestions on audit scope and timing of ICFR testing, while others simply won’t engage.
One opportunity for both the company and the audit firm is to perform joint walkthroughs of key controls as part of the ICFR work. While some welcome the opportunity, other audit partners and managers are suspicious and refuse. This inflexibility can extend to being open to discussing the level of materiality and the key controls that should be included in scope. That is unfortunate, because internal audit has a greater understanding of the business, risks, and controls, as well as an ongoing relationship with management.
While some CAEs, external audit partners, and managers believe the two audit teams should remain totally separate to maintain their independence, they can be of great value to each other.
How to perform an external audit assessment
1. Meet with the leaders of the finance function and others who the external auditors worked with, including the CFO, corporate controller, operations controller, head of tax, treasurer, financial reporting, and chief information officer. The way I assessed external audit performance was a combination of interviews and a survey. I committed to keeping their names confidential. Because I couldn’t meet with everybody, I sent a survey that asked for their rating and comments on the performance areas.
2. Summarize responses and ratings in each area to explain the assessment.
I did not produce a formal internal audit report. Instead, I produced a summary with comments and quotes. I discussed this summary with the CFO and corporate controller, who were usually surprised to hear the results.
3. Share findings with audit partners and members. The CFO and I talked first to the audit committee chair before sharing the full report with all the members and discussing it in executive session. Where necessary, they told the partners that changes were needed. When the report was favorable, they expressed their appreciation to the partners.
Internal audit can be a source of knowledge for the external auditors because it understands the business, the people in management, and the key controls. IIA Standard 2050: Coordination and Reliance and its Implementation Guidance discuss working with external assurance providers.
In addition, external auditors should be able to rely far more on internal audit’s work. The external auditors also can help internal auditors by letting them know when they see problems or opportunities for improvement in processes and controls.
The CFO is usually the person who negotiates the audit fee. However, it must be approved by the audit committee, which can benefit from internal audit providing an objective assessment.
Fees for the statutory audits of global subsidiaries are often overlooked. Internal audit can obtain information on those fees, as well as feedback on their reasonableness from local financial leaders.
I have seen situations where the audit committee was not comfortable that management had engaged the audit firm for additional services outside the annual audit, even though regulators have standards that detail what types of work are permissible. Internal audit can ensure that the audit committee is fully informed of such work, preferably before management commits to it.
The audit committee needs to know if the company’s audit was selected for examination by the regulators and what the results were. The chair should ask the audit partners about this at least annually.
Similarly, the chair should ask whether any of the firm’s quality control activities — such as peer reviews with other audit firms — involved the company’s audits. In addition, the chair should ask whether any of the engagement team have been involved, to any degree, in litigation or performance improvement plans. CAEs should stay abreast of other matters that could indicate firm quality issues that are reported in the press, in social media, or by audit industry experts.
The audit committees and management of the companies where I assisted with assessing external audit performance found it of great value. It takes time, tact, and careful listening by the CAE. Performing the work not only helps the audit committee discharge its responsibilities, but also builds bonds among the CAE, management, and committee members.