Internal and External Auditors are often lumped into the same category. While there are many similarities, and grey areas that can cause confusion, these two teams have very different roles. I worked in External Audit for four glorious busy seasons, and one of the difficulties I experienced was deciding how much to rely on and leverage the Internal Auditors working at client companies. As a career Internal Auditor, I was often tasked with managing the External Auditors engaged by our company, intervening in conflicts or misunderstandings, and ensuring the final result was successful.
Some Internal Audit support is always necessary and appropriate when External Auditors are on site, but there are times when that involvement can cross a line. Today, I’ll get into the basics of External Audit for those who need an explainer or refresher, and offer advice on setting appropriate boundaries and avoiding common pitfalls of the Internal/External Auditor relationship.
Improving the Internal/External Auditor relationship can have positive implications company-wide. If you sit on an Audit Committee, are a corporate executive, or regularly interact with External Auditors in your role, keep reading!
External Audit 101
So, who are these people, and what do they do?
Most companies are required to have an annual financial statement audit, performed by an independent and qualified audit team. This requirement originates from shareholders, regulators, bankers, etc. Publicly traded companies have quarterly reporting requirements that involve External Audit as well. The auditors’ purpose is to issue an opinion on whether there is reasonable assurance the financial statements conform to Generally Accepted Accounting Principles (GAAP) and are free from material misstatements.
Financial statement auditors perform tests of controls, balances, transactions, and analytical procedures over the course of the engagement. In most cases, the auditors will arrive on site before the end of the year and perform interim testing. Typical interim testing procedures are control observations, fraud interviews with staff, inventory observations, and sending receivable and payable confirmations (or confirming loans and accounts for banks and credit unions). Some transaction testing can also be performed before year end, but will need to be rolled-forward.
At some point after your company’s year-end date, the auditors will return, perform the majority of procedures, and issue their report and opinion. An “unqualified” opinion is considered a “good” or “clean” opinion. A “qualified” opinion is the bad one, and can happen for different reasons. The auditors may have found material misstatements or their scope may have been limited, making it impossible for them to complete their work. Another type of opinion is known as a “going concern.” Technically an unqualified opinion, a going concern opinion means that the auditors doubt the company will be able to continue operating for the next year.
The RFP, Bidding and Due Diligence Process
Internal Audit’s involvement starts much earlier than the interim testing period. The first step in engaging an auditor is the RFP (Request for Proposal) process. Many firms have an RFP form on their website, or a standard template for users to download. The Audit Library has a blank RFP template for subscribers who would prefer to send their own RFPs, or are working with a firm who did not provide one. The firms who accept your RFP will send along a packet of marketing and basic information, such as proposed pricing, additional fees, staffing, professional references, and anything else they believe will set them apart from the pack.
It’s very common for Audit Committees to have Internal Auditors prepare, coordinate, and review the RFPs, and provide advice during the selection process. This is one of the Audit Committee’s most critical tasks. Make sure to include time in your budget to meet all of the Committee’s needs, and consider the timing of any RFPs when creating your Audit Committee schedule for the year.
Once the firm selection is made, a new phase and set of responsibilities begins. Someone at the company needs to provide administrative and logistical support to the auditors, and this duty often falls on Internal Audit. Large companies may have an entire team of people responsible for meeting External Auditor demands. On the other end of the spectrum, these responsibilities often belong to Accounting for companies with no Internal Audit department. The following are examples of the types of support that will be needed:
- Reserving a conference room or office for the External Auditors
- Arranging wireless, systems, and building access for the duration of the engagement
- Coordinating preparation of requested documents
- Transferring files to the External Auditors securely
- Serving as a first contact point for inquiries and troubleshooting
Nothing on this list is exclusive to Internal Audit, and could be completed by any staff member who is detailed and organized. Internal Audit has access to most files and systems, regularly works with IT, and has a general understanding of who does what at all times, making us an obvious choice to take on the support role. This arrangement can also present challenges, which Internal Audit departments should consider and plan for prior to fieldwork.
Let Them Do Their Own Work!
The first land mine to avoid is doing the External Auditors’ work for them, but let’s start with the exception to the rule. The Audit Committee will sometimes assign certain tasks to Internal Audit in order to save on fees. I’ve had Internal Auditors prepare and send confirmations, and relied on control testing performed by Internal Auditors when I was on the External Audit side. Reliance on Internal Audit work is perfectly acceptable per Generally Accepted Auditing Standards (GAAS). If your Audit Committee expects Internal Audit to perform specific tasks, make sure to include adequate time in your budget, and adhere to any deadlines the External Auditors set.
In the majority of cases, there is no formal arrangement for Internal Auditors to perform audit testing functions, and firms have a huge incentive to let a competent Internal Auditor take charge of their engagement. It will reduce their time on site, improving their realization ratios, and earning everyone praise from the partners and better bonuses. If you ever think External Auditor requests are crossing a line, be bold and confident, and challenge them. Involve your Chief Audit Executive, Chief Financial Officer and others involved in the project if needed. Keep good notes and debrief with your Audit Committee after the engagement is over; if the External Auditors could not function without significant Internal Audit support, your Committee needs to know that.
These professionals bill your company a lot of money, and while you want them to be profitable, managing the engagement successfully is their responsibility. Outside of work assignments in the contract, let them do their own work.
Don’t Speak for Management!
Another grey area to be avoided: speaking on behalf of management. This one can really sneak up on you! The financial statement audit is a stressful event for everyone involved. The External Auditors are on a tight schedule, managing multiple clients, working long hours, living out of a suitcase, and experiencing pressure that would break many people. There’s a reason most of your External Auditors are young; people burn out doing this work! As much as we can empathize with what External Auditors go through, the stress is mutual. Your company doesn’t just shut down during the audit. Customers still need assistance, bills still need to be paid, emails still flood your inbox, and meetings still require everyone’s presence.
If an External Auditor has a question, the responsible staff member is unavailable, and you know the answer, it is awfully tempting to just tell them what they need to know. Friends, I implore you not to do this! What if a process or control has changed since the last time you looked into it? What if the person responsible for the control or process doesn’t understand it fully? The External Auditors need to ask the questions themselves, weigh the answers, and adjust according to their firm’s methodology. There is a huge difference between answering their question directly, and being available to discuss the implications of someone else’s answer.
Let them have their disagreements, discussions, and make compromises. You can listen to everyone, and be a sounding board for each group, without taking sides. You can tell people you disagree with them, call out bad behavior, and encourage healthy debate. You don’t need to fight anyone’s battle for them.
Understand How Much They Don’t Know
A final mistake that your company should avoid is assuming that the auditors know everything. Let me be clear: a team of really smart and talented individuals is examining the inner workings and external reporting for your company. This process will yield valuable information. It will not uncover every error, resolve each inconsistency, or solve all the problems that existed before the auditors ever set foot on site. Remember your first day or week at your company, and how overwhelming it was? That is every week or two for these folks. Assuming your company has a clean audit, their final report will state they have reasonable assurance that the financial statements are free of material misstatements. Not complete assurance, or all misstatements.
I bring this up not to insult External Auditors, but to encourage you to have a realistic view of what they can and cannot do. Often, staff, leaders, and officials (Board and Audit Committee members) will have unrealistic expectations for the External Auditors. If you have a healthy understanding of what the External Auditors do, and what their reports mean, you can help manage these expectations. If there is a fraud happening at your company, the chances of them finding and unspooling it during their short engagement are miniscule. Teach your bosses auditing concepts like sampling, materiality, and scope. When something bad happens (it will, eventually) the calls of “where were the auditors?!” will be much easier to answer.
Now I want to hear from you! Any advice or personal anecdotes about managing a healthy Internal/External Audit relationship? Any times where you could have improved communication or expectations from your career? Leave a comment!
Thank you so much for reading, and considering my point of view.