How well does your SOX team work with the external auditor?
This week, I have been with a group of twelve SOX experts talking about how to optimize their SOX program. One of the opportunities relates to working with the external auditor:
- Improving the auditor’s reliance on management’s assessment and testing work (including work performed by the internal auditor)
- Ensuring consistent identification of scope, key controls, etc.
- Enabling a common understanding of what constitutes a material weakness, etc.
- Minimizing disruption to the business
- And more
We use the Guide I wrote for the IIA (3rd edition to be released in a few months) for our discussion – and I have excerpted below the chapter on this topic.
But I have questions for you:
- How would you rate your SOX coordination and relationships with the external auditor?
- What level of reliance have you obtained? For what percentage of the key controls does the internal auditor rely on management testing?
- What is your target level of reliance?
- What would you suggest as best practices in this area?
Working with the External Auditor
While it is not in theory necessary to work in a collaborative fashion with the external auditor, there are strong reasons to do so:
- It is highly inefficient for management and the auditor to identify different financial reporting risks, materiality levels, significant accounts or locations, or key controls and – as a result – test different controls. The earlier the above are agreed, the lower the risk that management will have to change its scope and find that it failed to test locations (for example) that should have been included in scope, or performed tests of controls that did not need to be in scope.
- Efficiencies are gained when the external auditor is able to rely on management’s work. It is possible for the auditor to rely on management testing for as much as 80% or more for the testing of some key controls, resulting in significant fee reductions and reduced disruption to the business through their support of the testing. But the auditor has to include this in their plan, and obtain comfort on both management’s approach to testing and the adequacy of the testing program. It is inefficient for the auditor to assess and conclude on management’s testing team and process after work has been completed, especially if that work is not up to the required standard and will have to be redone before reliance can be placed on it.
AS/5 contains this guidance for the external auditor:
“16. The auditor should evaluate the extent to which he or she will use the work of others to reduce the work the auditor might otherwise perform himself or herself. AU sec. 322, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements, applies in an integrated audit of the financial statements and internal control over financial reporting.
“17. For purposes of the audit of internal control, however, the auditor may use the work performed by, or receive direct assistance from, internal auditors, company personnel (in addition to internal auditors), and third parties working under the direction of management or the audit committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the auditor also may use this work to obtain evidence supporting the auditor’s assessment of control risk for purposes of the audit of the financial statements.
“18. The auditor should assess the competence and objectivity of the persons whose work the auditor plans to use to determine the extent to which the auditor may use their work. The higher the degree of competence and objectivity, the greater use the auditor may make of the work. The auditor should apply paragraphs .09 through .11 of AU sec. 322 to assess the competence and objectivity of internal auditors. The auditor should apply the principles underlying those paragraphs to assess the competence and objectivity of persons other than internal auditors whose work the auditor plans to use.
“Note: For purposes of using the work of others, competence means the attainment and maintenance of a level of understanding and knowledge that enables that person to perform ably the tasks assigned to them, and objectivity means the ability to perform those tasks impartially and with intellectual honesty. To assess competence, the auditor should evaluate factors about the person’s qualifications and ability to perform the work the auditor plans to use. To assess objectivity, the auditor should evaluate whether factors are present that either inhibit or promote a person’s ability to perform with the necessary degree of objectivity the work the auditor plans to use.
“Note: The auditor should not use the work of persons who have a low degree of objectivity, regardless of their level of competence. Likewise, the auditor should not use the work of persons who have a low level of competence regardless of their degree of objectivity. Personnel whose core function is to serve as a testing or compliance authority at the company, such as internal auditors, normally are expected to have greater competence and objectivity in performing the type of work that will be useful to the auditor.
“19. The extent to which the auditor may use the work of others in an audit of internal control also depends on the risk associated with the control being tested. As the risk associated with a control increases, the need for the auditor to perform his or her own work on the control increases.”
While there continues to be a debate among internal auditors as to whether they should perform testing of key controls on behalf of management, AS/5 makes it clear that the external auditors are more likely to rely on internal audit testing than testing by operating management. This is something, again, that should be decided as early in the planning process as possible.
- One interesting opportunity is for the SOX team and the external auditor to coordinate walkthroughs, visits to overseas locations, etc. This can lead to a common understanding of those processes and the key controls, and it minimizes disruption to those locations, as they only have to accommodate a single visit.
- The level of trust that is obtained when the SOX team works well with the external auditor has great value. For example:
  - The auditor is more likely to inform the SOX team promptly when questions or issues arise. When the SOX team is involved, working with management to understand issues surfaced from testing by the external auditor, those issues are much more likely to be addressed promptly and satisfactorily. The SOX team can be of great value to management if involved in these situations, so it can explain the concerns and answers to both parties (management and auditor).
  - It is easier to obtain agreement on the significance of deficiencies and the required corrective action.
  - The SOX manager is more likely to obtain information on the status of the external auditor’s work when reports to management or the audit committee are required.
- Another area of efficiency from collaboration is that when there are good relations and communication, there are channels to keep the external auditor up-to-date on changes that might affect their work – such as changes in the business or new computer systems. The external auditor is also informed when management finds problems, so they can delay their own testing until the issues are resolved. Surprising the auditor is never a good idea!
- Management often feels that the external auditor does more work than necessary: includes more accounts and locations in scope; sets the materiality level too low; tests too many key controls; and does too much testing of those key controls. Management is far more likely to be able to influence the external auditor’s work if relationships and communications are first class, and there is mutual trust and respect – both of which have to be earned.