In our post-Sarbanes-Oxley world, a rigorous external audit is essential for maintaining public confidence in our economic system. However, the audit is often viewed as costly, both in terms of dollars and other corporate financial resources committed to its annual performance.
According to a recent Financial Executives International survey of more than 7,000 SEC registrants, external audit fees average over $1.5 million per company annually, with a median fee of around $415,000. Audit fees have been increasing more than 3 percent annually, and this trend doesn’t appear to be ending anytime soon.
Audit committees and executive management teams are increasingly focused on how best to rein in these costs while at the same time benefiting from a risk-based, intensive review of the financial results of the company by their external auditor. Among the greatest opportunities to reduce costs and concurrently improve audit quality is through the coordinated use of internal audit (IA).
For organizations with an established IA function, the audit committee (AC) should require that the external auditor plan and conduct the audit in close coordination with, and maximum reliance on, the work of IA. PCAOB Auditing Standard No.5 allows the external auditor, in certain circumstances, to rely upon the IA’s work and receive direct assistance from them. Under the watchful eye of the AC, coordinated external/internal audit activities may be able to achieve reduced external audit fees.
Internal audit can be most effectively leveraged when:
- The audit committee continuously monitors the activities of both the external audit and IA.
- The company has an enterprise-wide risk management (ERM) framework in place.
- Communication and planning between external auditors and internal auditors starts early in the audit process.
- The internal auditor is properly trained, independent and produces high-quality and responsive work.
1. The audit committee takes the lead
Overseeing the external audit relationship is a fundamental responsibility of the audit committee. However, many companies go about this duty with little or no consideration of their IA function, resulting in a wasted opportunity to potentially reduce external audit fees. The AC should discuss the external auditor’s position on leveraging IA’s work. The AC is instrumental in considering the amount of support internal audit will provide to the external auditors.
Audit committees also can act as useful intermediaries in managing expectations for each group as well as facilitating communication between them. Ultimately, it’s up to the AC to decide how much of internal audit’s time and resources should be devoted to the external audit process. The AC should discuss this separately with both the internal audit and external audit teams and then bring them together to try to identify specific internal audit areas of responsibility that may support external auditors in order to help avoid duplication of effort and maximize efficiency.
2. ERM underlies the process
Management, internal audit and external audit all start by understanding the business, its inherent risks and its mitigating policies, procedures and controls. The presence of a robust enterprisewide risk management program provides a framework for addressing risk and can be a springboard to the audit process. It’s the place where everybody can come together and begin the process of thinking about risk of financial misstatement. Any ERM findings, as well as other risk assessments analyzed internally, should be shared with the external auditors.
3. Coordinated planning starts early
The external and internal auditors should communicate early and often to help eliminate duplicate work, avoid eleventh-hour surprises, gain efficiencies and enhance audit quality. Both audit functions should agree on status meetings and tracking mechanisms to keep the audit on track and help prevent issues from unnecessarily growing or going to the audit committee. Before starting the work, internal audit should verify that the work that they will be generating is going to meet external audit’s needs.
Additional considerations:
- Share plans and timelines.
- Coordinate internal control documentation and procedures to reduce duplication of efforts.
- Employ common work paper standards and templates.
- Confirm that sample sizes, selection methodologies and testing guidelines align.
- Communicate what work will be used and what won’t.
- Determine how to efficiently share documentation.
4. IA are trained and objective and deliver high-quality work
The internal auditors must be independent, competent and objective. Independence and objectivity are required standards of the IA profession. However, these attributes may be questioned by external auditors depending upon IA functional reporting lines, evaluation and remuneration practices, and consulting projects performed. IA should have an external quality assessment, performed by a third party, which can help validate their conformance with the independence and objectivity standards.
Furthermore, the internal audit team should complete and maintain evidence of training and development programs, as well as strive to obtain appropriate certifications. Training should be provided for IA staff on the desired audit evidence required by the external auditor.
The bottom line
If done effectively, organizations can leverage internal audit activities to reduce external audit fees while concurrently improving audit quality, reducing audit fatigue and increasing efficiency of resources. Companies should consider the recommendations above when thinking about how to approach their next audit.
Justin Gwin
