New Limitations for External auditors and Their Reliance on the Work of Internal Auditors

The recent proposed rules from the PCAOB updating the confirmation standard, AS2310, caused some ruffled feathers when it added new limitations related to the external auditor and reliance on the work of internal auditors. Where the existing 2310, which was developed in large part by using the AICPA's AU 330 almost verbatim, pointed to existing standards related to the external auditor and their reliance on the internal auditor (AS 2605), the new proposed AS2310 added specific restrictions; these include not letting internal auditors select the population, do the mailings and receive responses.

The auditor may use internal auditors to provide direct assistance to the auditor in the confirmation process in accordance with AS 2605, Consideration of the Internal Audit Function, except that an internal auditor should not (i) select the items to be confirmed, (ii) send confirmation requests, or (iii) receive confirmation responses.

The reaction to these in the comments, especially from the internal audit community, showed questioning and, in some cases, what might be called outrage. They called to question whether there has ever been any documented evidence of internal auditors having compromised their objectivity, and doing improper things with confirmations or any other task that an external auditor might have relied upon them for. This brings to question what the perception is of the role of internal audit: 1) whether internal audit has been changed or compromised in any fashion, and 2) whether there is wisdom in either telling external auditors not to rely upon internal auditors, or at least to consider their objectivity and independence when considering relying upon their work.

It is well understood that internal audit must be perceived as objective for the profession to be trusted in the role it has been given. There are ethical standards developed and published by groups like the institute for internal auditors, there are tests and other obligations and expectations, and the perception that internal auditors are objective is a very important one, as explained by Richard Chambers in his blog posts; Richard was until recently the president of the institute of internal auditors.

Of course, it is not just internal auditors whose objectivity and independence is in question. Many people have asked for a very long time whether external auditors can truly be objective and independent when they are being paid by the company which they audit. In the same way internal auditors are hired by companies and the independence of the internal audit function can be driven by the leadership – the tone at the top – and it is no less appropriate to question the independence of internal auditors than it is to question the independence of external auditors, especially given the closer tie to management and the company that hires them.

Richard Chambers points out in his blog that surveys of internal auditors, especially the chief internal auditors, have found that a large portion of them have been asked to compromise their objectivity by management. A much larger portion of those chief internal auditors has actually left their positions when forced to choose between their ethical positions and what management asks them to do.

It is no secret that people have questioned the objectivity of the internal audit function. The concept that the internal audit function should be a profit center rather than a cost center has been raised for some time. Reading academic and popular articles, the rationalization that the internal audit function – through development of risks and controls and its other work – is actually saving or making the company money, and it is not just a dream that provides no benefits by only acting as a watchdog over the internal operations. We have heard internal auditors themselves who have said that their role within their organization is to be more than a watchdog; it is also to save and make money for the company, with an expectation that they are not just there for their oversight role. As such, there is a perception in the marketplace that internal auditors – more today than ever – are not there for an independent function, but just as a layer to make the internal environments more efficient and effective.

Are the comments that come into the PCAOB regarding AS 2310 an overreaction? Are they seeking to paint a picture about internal auditors that is not universally true? Where with external auditors there's peer review and other accountability functions, do people believe that there is no such accountability for internal orders and, therefore, objections related to these concerns are just for show?

Those of us in the profession will routinely see where the PCAOB or a state society or another oversight group will bring visibility to and sanctions against external auditors who have compromised their responsibilities. Where there are people, there will be temptations. Where there is opportunity motivation and means, there is a strong reason for abuse. It is farfetched to believe that there is not a single internal auditor who has ever compromised his or her responsibilities, been pressured until that the only way to keep the job is to hide something not report something, to let something go that they should not by guidance leave alone.

Other updates in AS 2310, in particularly those about using a third-party electronic secure system to do confirmations, will obviate some of the new proposed restrictions against the internal audit community. When there is no physical mailing, no physical receipt, but all processes happen through a secure electronic system such as that of, those restrictions on trivial. The selection of confirmations is another story.

Leave a comment


  • No comments found