Every year, external audit failures make news headlines and are investigated by regulators, leading to legal actions against the company, reputation damage, and lawsuits by shareholders or lenders.
The second reason the audit committee may want the CAE’s help is that it has no other staff. All committee members can do is ask the CEO, chief financial officer, and corporate controller for their assessment. Sometimes those individuals are constrained by a desire not to confront the audit partners. In addition, executives may not have all the information necessary to evaluate the external audit team’s performance.
The examples in this article are based on my experience as a CAE at several companies.
Assessing External Audit
Internal audit can add value by facilitating an independent and objective assessment of the audit firm’s performance, just as internal audit does for other sources of business risk. The assessment should be based on observations, comments, and insights from management as well as internal audit’s own (see “A Bird’s Eye View” on this page).
Internal audit won’t have access to the auditor’s workpapers to see whether the firm is complying with audit standards and performing the risk assessment and testing it should. But there are other aspects of the external audit team’s performance that internal audit can assess.
It would be unusual for the external audit team to lack technical accounting capabilities and tax expertise. Internal audit can confirm the team’s abilities through discussions with the company’s accounting and tax teams.
However, the external audit team doesn’t always have desired expertise with technology issues. Sometimes the firm’s IT auditors cannot appropriately assess technology-related risks, relying on theory instead of determining whether there may be a risk of significance to the financial statements.
In fact, external auditors consistently ask for IT-related controls where a failure is extremely unlikely to result in a material error or omission in the financial statements. At one of my companies, the firm’s IT audit manager explained that we had a serious control deficiency impacting ICFR. He explained that our network relied on a router in Taiwan to connect our headquarters in the U.S. to our operations in Asia. The traffic through that router was not encrypted, nor was access to the router secured. Although there was a risk of network disruption if the router was attacked, I helped the manager understand that the possibility of somebody inserting or modifying transactions that went undetected and created a material error in our financial statements was highly unlikely.
The external audit team is only involved with the company for a few months each year, so its members may not understand the business. The manager and partner may be experts in technical accounting, but understanding the challenges in running a business is totally different. If external auditors don’t understand the business, they may not be able to home in on potential sources of risk and may misunderstand the level of risk when they identify issues.
One problem I faced was when external audit testing identified a control weakness. The auditors informed management of the weakness after review by their manager and partner, but didn’t understand it represented a risk of fraud. This led to a delay in addressing the problem and a failure to investigate whether anyone had taken advantage of the weakness.
Reason and Judgment
Auditing standards call for both management and the external auditors to use informed judgment in assessing risk — in establishing the scope of work and assessing the significance of deficiencies. In my experience, many external auditors rely on rules and theory. Seeking consistency, the firms train their staff to follow firm guidance. Only the more experienced and confident partners will use professional judgment in assessing a potential weakness or error.
At one of the companies where I worked, a journal entry was posted backwards, creating a material error in the financial statements for that quarter. When internal audit looked at the root causes, it discovered that the division controller who was responsible for creating the journal entry was on vacation — the first time he had been away at a quarter-end in a decade. The error should have been detected by the controller of another division, but she was home sick for the first time in several years. The operations controller, corporate controller, and their staff performed flux reviews that should have caught the mistake, but several unusual activities that quarter hid it from view.
In other words, many highly unusual events happened at the same time. But the partner was forced by his national office to declare, against his own judgment, that this was a material weakness in the system of internal control over financial reporting. Fortunately, this was at quarter-end and as soon as one of the two controllers returned to work, the deficiency corrected itself.
A balanced and thoughtful exercise of judgment would have seen this as an error that was highly unlikely ever to happen again, not a material weakness that indicated an ineffective system of internal control over financial reporting.
Auditing standards require external auditors to focus their attention on areas where there is at least a reasonable possibility of an error or omission that would be material. However, they sometimes bring up issues that do not pass that test. This can be due to their limited understanding of the business or a failure to take the top-down, risk-based approach required by the regulators, but another common reason is that the external auditor received instructions from a senior member to include the issue because it has been a concern in other audits.
At another company where I worked, the IT audit partner told management that the company needed controls over a specific IT-related risk. I met with that partner and explained that this was not a source of risk in our business. She told me the firm had found serious issues in several of its clients, and the regional partner — her boss — had instructed her that all her clients needed to have controls over it.