View CartView Cart
QuestionsContact Us

Useful Guidance



The objective of the materials offered below is to share our professional, Big 4, consulting, and industry experience in the information systems security, risk management, audit, control assurance and regulatory compliance fields. Our goal is to help organizations as well as the IT & non-IT audit, risk and security professionals to:
  • Identify opportunities for efficiency
  • Streamline and simplify regulatory compliance efforts.

We also strive to help organizations interested in reducing the work, and therefore the fees, of the Big 4 audit firms by having their external audit function rely on the work performed by management as part of the regulatory compliance procedures.

Useful Guidance

Increasing External Auditors' reliance on Internal Auditors' work

This document has been prepared to be used as a guideline for the entities that have an Internal Audit function and intend to increase the efficiency of their audits by having more work performed internally leveraged by their External Audit engagement teams.

Why?

Based on our Big 4 experience providing attestation services to the client companies, the reason for the relatively low reliance threshold rarely has anything to do with management not meeting certain requirements. Often, it is the lack of initiative from management. Management does not always question decisions made by their external audit engagement teams regarding their reliance approach. This may result in missing out on the opportunities for efficiency and incuring unnecessary costs associated with the regulatory compliance efforts in the process.

External auditors do need to obtain reasonable assurance that controls operated effectively over the period of intended reliance. However, there is no guidance out there indicating that external auditors cannot obtain that same level of assurance through re-performance testing of a reasonable amount of management’s work.

How to do better?

First of all, let's clarify some misconceptions:
  • First and foremost any public accounting firm is a business. Like any business public accounting firms need to make money. The more reliance external auditors place on management’s work, the less they’ll collect in audit fees. It is in their best interest to keep reliance on internal audit’s work decreased to keep the external audit fees higher.
  • External Audit cannot actively give advice - their functions and actions are proscribed by law to withhold advice and from helping to fix any problems they may find. External Audit cannot tell companies what to do or not to do.
  • There is nothing that companies can possibly do to damage the relationship with their external auditors. The reason this is being brought up is because it is staggering how many companies do not voice their concerns in the spirit of maintaining this relationship. There is nothing wrong with asking questions and the desire to be efficient. Also, at $550-$750 an hour there is virtually nothing that companies can do to make their external auditors love them any less.
  • Take ownership, showcase your knowledge and ask questions – remember no one can demonstrate a better understanding of your risk and control environment then you. Do not accept something as true without questioning just because external auditor has said so.

Next Steps
  • If you haven’t discussed reliance approach with your External Auditors, the sooner you have that discussion scheduled the better. Communication with external auditors as early as possible is absolutely vital. During that meeting:
    • Clearly understand what the External Auditor will and won’t accept as adequate. That will help tremendously with tailoring your audit procedures toward what needs to be under scrutiny;
    • Demonstrate a good understanding of your environment;
    • Show commitment to perform a robust assessment of the risks to accurate financial reporting;
    • Demonstrate commitment to ensure sufficient controls exist and operate effectively to provide platforms supporting the accurate, complete, and valid initiation, processing and recording of financial information and disclosure;
    • Show your dedication to meet the requirements of the external audit’s function in order to increase their reliance threshold - see guidance.
  • Perform (or revisit existing) a risk assessment which basically is management’s evaluation of the things that could go wrong and the controls that mitigate those risks. It is recommended to rank the risk of the resulting misstatements based on the likelihood of occurrence and the impact in case of an occurrence.
  • Perform scoping exercise to identify relevant control objectives and controls that should be tested to meet these control objectives.
  • Have another discussion with External Auditors:
    • Share company’s assessment of the risks and mitigating controls to come to the agreement on the “reliance” approach;
    • External Auditors should have no objections to placing reliance on management’s testing of controls that mitigate “low” or “medium” level risks;
    • Auditors may be less comfortable relying on management’s testing of the controls that mitigate “high” level risks. The key is to learn what causes the concerns and work with External Auditors to make them comfortable (i.e. they might not be sure in the adequacy of your testing procedures - offer to submit testing workpapers and supporting evidence to them for review in advance so that they have a chance to reevaluate their reliance approach if necessary, etc.). With time auditors will get sufficient confidence in management’s work and when this happens, management and auditors will achieve a balance of re-performance and reliance which will result in reduced cost of compliance.
  • To maximize the external auditor’s reliance on management work, company needs to perform test work that meets external auditor’s needs:
    • To ensure that the efficiency of the audit is not negatively affected due to poorly documented testing procedures, we’ve prepared guidance around the nature and extent of documentation that management should maintain... see testing documentation checklist for internal audits.
  • Walk through the budget with External Auditors and identify any additional opportunities for efficiency (i.e. direct assistance or leveraging knowledge obtained during past audits) - see key opportunities for efficiency offered by AS5.
  • Continue to maintain communication with your external auditors throughout the audit.