SESSION 15 – EXTERNAL AND INTERNAL AUDIT

OVERVIEW
Objective

¾ To describe the separate roles of the external and internal auditors.

COMPARISON

ASSURANCE
SERVICES

EXTERNAL AUDIT INTERNAL AUDIT

¾ As an assurance service ¾ Definition

¾ The auditor’s report ¾ Scope of work
¾ Audit process ¾ Approach to assignments
¾ Assessing the need for an
internal audit function
¾ Assignments
¾ Use of external organisations

1501
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

1 COMPARISON
¾ Before considering in detail the separate roles of the external and internal audit functions, the table below provides a useful comparison of
their differences.

External audit Internal audit

Role ¾ To provide an independent opinion (in a ¾ To appraise, examine and evaluate organisational
report) on financial statements. activities and assist management in discharging its
responsibilities.

Required by ¾ Statute (typically). ¾ Management, usually in larger organisations, will be

urged/required by best practice (e.g. governance codes)
to continually review need for internal audit.

Appointed by ¾ Shareholders (usually at an Annual General ¾ Highest level of management charged with responsibility
Meeting) or directors on behalf of for internal audit (e.g. audit committee under corporate
shareholders (must be approved by governance codes)
shareholders at AGM).

Reports to ¾ Shareholders (primary statutory duty) and ¾ For listed companies, usually the audit committee under
management (professional responsibility). corporate governance codes. For other companies, the
highest level of management charged with governance
(e.g. the board).

1502
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

External Internal

Reports on ¾ Financial statements. Primary responsibility ¾ Organisational risk management, internal control and
is of a financial focus. quality of performance. Focus is operational as well as
financial.

Forms opinions on ¾ “True and fair view” (or similar) of financial ¾ Effectiveness of risk management strategy and
statements. operations, operation of corporate governance, adequacy
and effectiveness of internal control and other business
functions as a contribution to the economic, efficient and
effective use of resources.

Status ¾ Independent of client company. ¾ Employee (therefore potentially less objective).

Qualification ¾ Usually ACCA, ICAEW, ICAI or ICAS ¾ May also be members of other professional bodies (e.g.
IIA) or unqualified.

Scope of assignment ¾ Unlimited, to fulfil statutory obligation. ¾ Prescribed by management, those charged with
Usually defined by legislation as well as ISA. governance or audit committee.

Conduct of audit ¾ In accordance with ISAs, for example. ¾ Similar, Standards for the Professional Practice of Internal
Auditing. including ethics.

1503
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

2 ASSURANCE SERVICES
¾ Over the last 20 years or so the auditing profession (both internal and external) has
sought to broaden its role with external audit developing a wide range of assurance
services (of which the financial statement audit is just one part) and internal audit
becoming an essential assurance element on the risk assessment requirements of strong
corporate governance.

Definition

Assurance services are independent professional services that improve the

quality of information, or its context, for decision makers.

An assurance engagement is an engagement in which the practitioner (e.g. the

accountant/auditor) expresses a conclusion designed to enhance the degree of
confidence of the intended users (of the information), other than the
responsible party, about the outcome of the evaluation or measurement of a
subject matter against criteria

¾ Factors contributing to the increasing demand for assurance services include:

‰ The rapid expansion of information available, the changing information needs of

businesses and consumers and the increase in demand for relevant information for
decision-makers.

‰ Developments in IT and the growth of computerisation in businesses has led to

more systems and risk-based approaches requiring assurance to be given to both
internal and external users.

‰ Globalisation of businesses creating worldwide needs.

‰ Increasing corporate accountability demanding more relevant and reliable

information.

‰ The accounting profession responding to the opportunity to position the

professional accountant as a primary provider of other non-audit services.

¾ Typical assurance services include:

‰ Audits of financial statements (can only be carried out by external auditors)

‰ Reviews of historical financial information (can be internal auditors, but usually an
external auditor service)
‰ Business ethics audits (usually internal audit, but can be external as well)
‰ Business risk assessments (usually internal audit, but can be external as well)
‰ e-Commerce assessments (usually internal audit, but can be external as well)
‰ Performance measurement (usually internal audit, but can be external as well)
‰ Systems and control reliability (usually internal audit, but can be external as well)

1504
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

3 EXTERNAL AUDIT

Definition

The objective of an external audit of financial statements is to enable an

independent auditor to express an opinion as to whether the financial
statements are prepared, in all material respects, in accordance with an
identified financial reporting framework

¾ The independent external audit gives confidence in the integrity of corporate reporting
for the benefit of stakeholders and society as a whole, by providing an external,
independent and objective view on the statutory financial statements and related
reports produced by management. The auditors report to the shareholders as the
principal stakeholders.

3.1 As an assurance service

¾ As noted above, the external audit is an assurance service. The responsible party
(directors) prepare the subject matter (financial statements) for the intended users
(shareholders). The auditor then provides assurance to the shareholders about those
financial statements and related disclosures based on appropriate criteria (the directors’
assertions, IFRS and other statutory requirements).

RESPONSIBLE
Directors
PARTY

Prepares

SUBJECT
MATTER Financial statements
prepared under IFRS

Evaluates

INTENDED PRACTIONER
USER
Assures
Shareholders External (independent)
auditor

¾ Generally (in a simplistic form) companies are owned by their shareholders (principals),
but managed by the directors (agents). The directors are appointed by the shareholders.
The shareholders then appoint the auditors to report to them (provide assurance) on the
information provided to them by the directors (the annual financial statements as
required by law).

¾ In most jurisdictions, the relationships between the directors, shareholders and auditors
are described in terms of stewardship, agency and accountability.

1505
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

3.1.1 Stewardship

¾ Stewardship is the practice of managing another person’s property. Directors and other
managers of an enterprise have the responsibility of stewardship for the property of that
enterprise, which is owned by the shareholders.

¾ Responsibilities, e.g. duties embodied in statute and corporate governance

requirements, may include:

‰ keeping books of accounts and proper accounting records;

‰ safeguarding the assets of the enterprise;
‰ implementing appropriate business, financial and risk management controls;
‰ producing financial statements (statement of financial position, statement of
comprehensive income, cash flow, statement of changes in equity, disclosure notes)
that show a true and fair view and the results of their stewardship;
‰ producing a directors’ report and other information (eg as required by listing rules)
which is consistent with the financial statements and contains certain specified
information.

3.1.2 Agency

¾ An agent is an individual (or another enterprise) employed or used to provide a

particular service. The individual utilising the agent is referred to as the principal.

Example 1

Identify the agency relationships between auditors, directors and shareholders.

Solution

3.1.3 Accountability

¾ Accountability is where one party is held responsible (answerable) to another party for
their actions. They will be required to justify their actions and decisions to that party.

¾ Directors of an enterprise are accountable to the shareholders. Many jurisdictions place

legal requirements on directors as to how they are accountable and the way they
communicate with stakeholders, e.g. director’s reports, financial statements prepared
under an appropriate framework (e.g. IFRS). Directors of listed companies will also be
subject to listing rules and corporate governance codes, e.g. interim financial statements,
regular meetings with financial institutions, profit and going concern warnings, analysis
and management of risk, audit committees, annual general meetings.

¾ The auditors of a company’s financial statements are accountable to shareholders. They

act in the interest of the shareholders (the primary stakeholders) whilst also having
regard to the wider public interest in that other stakeholders will read their report (but
note that they are not the agents of any other stakeholder and their report is not
addressed to such stakeholders, only to the shareholders).

1506
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

3.2 The auditor’s report

¾ As defined, the objective of an audit of financial statements is to enable the auditor to

express an opinion whether the financial statements are prepared, in all material
respects, in accordance with an identified financial reporting framework. This is done
through the auditor’s report.

INDEPENDENT AUDITOR’S REPORT TO …………………… On whose

Reference can behalf
be by page We have audited the accompanying financial statements of ABC Company, audit is
numbers which comprise the statement of financial position as at December 31, 20X1, carried
and the statement of comprehensive income, statement of changes in equity out
and statement of cash flows for the year then ended, and a summary of
significant accounting policies and other explanatory notes.
Detailed Management’s Responsibility for the Financial Statements
responsibilities Management is responsible for the preparation and fair presentation of these
including financial statements in accordance with International Financial Reporting
reference to Standards. This responsibility includes: designing, implementing and
internal controls, maintaining internal control relevant to the preparation and fair presentation of
accounting financial statements that are free from material misstatement, whether due to
policies, fraud or error; selecting and applying appropriate accounting policies; and
estimates and making accounting estimates that are reasonable in the circumstances. Standards
fraud complied with
Auditor’s Responsibility
Our responsibility is to express an opinion on these financial
statements based on our audit. We conducted our audit in accordance with
International Standards on Auditing. Those standards require that we comply
Reasonable, with ethical requirements and plan and perform the audit to obtain reasonable
but not assurance whether the financial statements are free from material
absolute, misstatement. Implies
assurance An audit involves performing procedures to obtain audit evidence about the whether
amounts and disclosures in the financial statements. The procedures selected due to
depend on the auditor’s judgement, including the assessment of the risks of fraud or
material misstatement of the financial statements, whether due to fraud or error
error. In making those risk assessments, the auditor considers internal control
relevant to the entity’s preparation and fair presentation of the financial
statements in order to design audit procedures that are appropriate in the Nature of audit
circumstances, but not for the purpose of expressing an opinion on the examination
effectiveness of the entity’s internal control. An audit also includes evaluating (scope)
the appropriateness of accounting policies used and the reasonableness of
accounting estimates made by management, as well as evaluating the overall
presentation of the financial statements.
We believe that the audit evidence we have obtained is sufficient and or “present
appropriate to provide a basis for our audit opinion. fairly, in
Unqualified all
Opinion
implies that, for material
example, changes In our opinion, the financial statements give a true and fair view of respects,”
in accounting the financial position of ABC Company as of December 31, 20X1, of its
principles etc financial performance and its cash flows for the year then ended in accordance
have been with International Financial Reporting Standards … (and comply with …).
properly
determined and Relevant
Signature, And/or applicable GAAP statutes/law
disclosed
Date
Address Must include

1507
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

Commentary

The format and content of the auditor’s report will not be examined in F1. It has been
produced here to help in understanding the role of the external auditor.

¾ The above report is an example of a report with an unqualified opinion. Should the
auditor materially disagree with any facts or figures presented within the financial
statements or is unable to obtain all the information they require in order to form an
opinion (limitation of scope) they would qualify their opinion accordingly.

¾ Note that the auditor only reports on the financial statements (i.e. statement of financial
position, statement of comprehensive income, statement of cash flows, statement of
changes in equity and the disclosures and notes). They must however, review any other
information sent to shareholders with the financial statements (e.g. chairman’s
statement, CEO’s review, directors’ report, sustainability report) for inconsistencies with
the financial statement. If there are any material inconsistencies, then this must be
reported to the shareholders by the auditors.

¾ In addition, in most jurisdictions, the auditors are required to report on certain matters
if such matters have not been duly complied with, e.g. failure to maintain proper books
and records. If the requirements have been followed, the auditors do not refer to them
in their report.

¾ Whilst the external auditor does not specifically report on the internal control of the
company, they are required by ISAs to report to management (and the audit committee
for listed companies) any material weaknesses in control design, implementation or
operation that they become aware of during their audit.

3.3 Audit process

Agree terms
of
engagement
Form opinion Understand the
(Auditor’s entity and its
report) environment
Documentation

Obtain
management Plan
representations

Assess risk
Review and internal
control

Substantiate Reliance on
assets, liabilities, control
transactions & effectiveness
disclosures

1508
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

¾ Engagement letter – sets out the auditor’s duties and responsibilities, as well as those of
management.

¾ Planning – Planning and controlling audit work is essential to performing work to the
required high standard of skill and care. Includes understanding the entity, its
environment & business risk, internal control (design and implementation of controls)
and the risk of material misstatements in the financial statements.

¾ Reliance on control effectiveness – Where the auditor decides to gain an element of audit
assurance from controls within an entity (that reduce the risk of material misstatement
within the financial statements), the effectiveness of such controls must be tested. This
is usually referred to as control testing or compliance testing.

¾ Substantiate (verify) assets, liabilities, transactions and disclosures – Balances and

transactions within the financial statements, together with disclosures must be verified
based on key substantive assertions (e.g. completeness, occurrence, measurement, rights
and obligations, valuation, existence,). Referred to as substantive testing.

¾ Review and finalisation procedures – To ensure that the audit has been carried out in
accordance with ISA and that the audit working papers fully support the audit opinion.

¾ Obtain management representations – The auditor asks management to formally confirm in

writing that they are responsible for the fair presentation of the financial statements, the
design and implementation of internal control to prevent and detect fraud; that they
have recognised and carried out their legal and governance responsibilities and that
they approve the financial statements. Representations may also be required from
management to support audit evidence (e.g. that all obligations and liabilities have been
fully disclosed; that the entity has good title to all assets).

¾ Sign auditor’s report – After the directors have approved the financial statements, the
auditors will sign their audit report.

4 INTERNAL AUDIT

4.1 Definition

An independent, objective assurance and consulting activity designed to add

value and improve an organisation’s operations. It helps an organisation
accomplish its objectives by bringing a systematic, disciplined approach to
evaluate and improve the effectiveness of risk management, control, and
governance processes. (Institute of Internal Auditors IIA)

¾ This definition usefully outlines the relationship between internal audit and the
management of an entity. Key elements are:

‰ Independent, objective – whilst internal auditors cannot be fully independent because

they are employees, they must still ensure that they are sufficiently independent to
ensure that their objectivity is not impaired in any way. Under corporate
governance procedures this is usually achieved through their relationship with the
audit committee. (see Session 8).

1509
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

‰ Add value – Organisations exist to create value or benefit to their owners, other
stakeholders, customers, and clients. Value is provided through:
− the development of products and services; and
− the use of resources to promote those products and services.
When gathering data to understand and assess risk, internal auditors gain insight
into operations and opportunities for improvement that can be beneficial to the
organisation.

‰ Control is any action taken by management, the board, etc to enhance risk
management and increase the likelihood that established objectives and goals will
be achieved.

‰ Adequate control is present if management provides reasonable assurance that:

− risks have been managed effectively; and
− goals and objectives will be achieved efficiently and economically.

‰ Governance process is the procedures utilised by the representatives of the entity’s

stakeholders to provide oversight of risk and control processes administered by
management (see Session 8).

4.2 Scope of work

¾ Understand the key business risks (including fraud) and assess the adequacy of the
processes by which these risks are identified, evaluated and managed.

¾ Review the sufficiency of the information, and the adequacy and operation of controls,
used to manage those risks.

¾ Assess the reliability and integrity of key financial and operating information, and the
means used to identify, measure, classify and report such information.

¾ Review the processes and systems to ensure adherence with those policies, plans,
procedures, laws and regulations which could have an impact on the company, and
determine whether it is in compliance therewith.

¾ Review the means of safeguarding assets and other key resources, especially
information in hard copy or on computer systems, including business contingency plans
and the security of computer systems.

¾ Review operations or projects (including systems under development) to ascertain

whether results are consistent with established objectives and goals and, whether the
operation or projects are being carried out as planned.

¾ Monitor corrective action plans to ensure that management implement them promptly
and effectively.

¾ Advise management on cost effective controls for new systems and activities.

¾ Liaise with those charged with governance (e.g. the audit committee) and the external
auditors (as necessary).

1510
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

4.3 Approach to assignments

¾ The general framework in which internal auditors will approach their assignments is
not that dissimilar to the approach used by external auditors (see section 3).

¾ Both require terms of reference – the external auditor within the letter of engagement,
the internal auditor within the scope of instructions given by management/audit
committee.

¾ Both need to understand the entity, its environment and internal control. In particular,
the internal auditor will need to cover all controls (not just financial) that are relevant to
their assignment.

¾ Both will need to plan and document their work. Materiality, risk assessments,
sampling, analytical review, use of CAATs, computer assisted auditing techniques
(especially in systems heavily reliant on information technology) are all aspects of the
internal auditor’s planning and work procedures.

¾ Both apply strong quality control procedures (e.g. IAASB and IIA requirements).

¾ Both will report on their work, although the nature, format and who is reported to are
different.

4.4 Assessing the need for an internal audit function

¾ When the board and senior management is sufficiently close to the business and the
systems are not so complex, the following sources of assurance about the way the
business is operated may prove to be adequate:

‰ the views of, and representations from, executive directors and senior managers;
‰ the views of other employees through (say) a self-assessment process;
‰ results of management’s internal confirmation procedures;
‰ regular information on financial and operational matters;
‰ performance indicators;
‰ early warning mechanisms;
‰ external auditors’ management letters;
‰ reports of any relevant external regulators;
‰ reports (if any) from relevant internal compliance functions.

In such cases there may be no immediate need for an internal audit function.

¾ However, as organisations grow and:

‰ become more geographically diverse;

‰ business is undertaken in new environments (e.g. e-commerce);
‰ develop new products and competitive pressures increase;
‰ systems become more complex;
‰ change is the norm;

then management’s time and attention can be very stretched.

1511
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

¾ In particular, when a company becomes listed, the demands placed on management for
transparency and effective running of the business by the stakeholders are significantly
increased.

4.4.1 Key issues

¾ As many stock exchanges require listed companies to operate internal control functions
(or explain why they do not in their annual reports) the key issues to consider may
mainly relate to larger, unlisted entities.

‰ Are the existing management processes adequate to:

− identify and monitor the significant risks facing the company; and
− confirm the effective operation of the established internal control systems?
‰ With ever increasing pressures on management at all levels, can those who are
responsible for managing risks and operating controls always take a wholly
objective and systematic view of their own performance?
‰ Does the board receive the right quality of assurance and information from
management and is it reliable?

Example 2

Suggest additional matters that directors might consider when assessing the
need for an internal audit function.

Solution

4.4.2 Needs of the Board

¾ The board needs to obtain assurances that its risk and control processes are effective.
Management, internal audit and others may provide such assurance. Objective
assurance and advice is provided by an internal audit function, thereby assisting the
board and senior management with their stewardship responsibilities.

1512
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

¾ Boards, audit committees and senior management now recognise that what is of
relevant value to their business is the internal auditors’:

‰ knowledge of the organisation, its systems and its processes; and

‰ skills and experience (e.g. in independently reporting on their findings and making
recommendations to improve effectiveness of the processes).

4.5 Assignments

¾ The various assignments that internal audit carry out for management include:

‰ Risk management
‰ Value for money
‰ IT/IS audit
‰ Financial processes audit
‰ Operational audit
‰ Functional, e.g. procurement, marketing, treasury, human resource, audits

4.5.1 Risk management

¾ The assurance role of internal audit is to deliver assessments of the adequacy and
effectiveness of the processes by which business risks are:
‰ identified and prioritised;
‰ managed, controlled and mitigated; and
‰ reported,
such that the residual risks are recognised by, and are clearly acceptable to, the board.

¾ Internal audit can:

‰ provide advice on the design, implementation and operation of control systems;

‰ identify opportunities to make control cost savings;
‰ promote a risk and control culture within the organisation;
‰ act as facilitators, guiding managers and staff through a self- assessment process
(e.g. by leading workshops);
‰ become a centre of expertise for managing risk by providing enterprise-wide risk
management services (ERM).

4.5.2 Value for money (VFM)

¾ VFM auditing is evaluation of management’s achievements in terms of the economy,

efficiency and effectiveness (the 3 “Es”) of operations.

‰ Economy is about obtaining specified resources (inputs, eg material, finance, human,

time) at the lowest cost.
‰ Efficiency is the achievement of either:
− the maximum output (at a given quality) from a given input; or
− a given output (at a given level of quality) from the minimum input.

1513
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

‰ Effectiveness is the achievement of outputs which meet management’s objectives.

Objectives

Economy Effectiveness

Inputs
Resources Process Outputs

Efficiency

¾ Internal audit can report (for example) on:

‰ unnecessary spending (e.g. overtime guaranteed when work is completed in

normal hours);
‰ misdirected spending (e.g. capital expenditure outlay on lower quality assets
requiring higher level of revenue expense on quality control);
‰ over-priced spending (e.g. discounts are unclaimed);
‰ under-recovered revenue (e.g. failure to collect on disposals of assets).

4.5.3 IT and IS audits

¾ The primary role of internal audit will be to review and report on all aspects of IS within
the organisation, e.g. ensuring that the controls and systems operate as intended.

¾ Where IT/IS systems are being developed, internal audit can ensure that:

‰ adequate, effective controls are built into the system;

‰ complementary manual controls are designed to ensure adequate and effective

internal controls over the business system as a whole;

‰ the most efficient combination of manual and automated, preventative and

detective controls are designed and implemented;

‰ provide assurance that IS projects are being effectively and efficiently managed; and
‰ carry out appropriate testing (eg static, dynamic, unit, system, performance) at each
stage of the system’s development process.

1514
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

4.5.4 Financial process audit

¾ Internal control’s traditional role.

¾ The purpose of the accounting and financial process audit is to review all available
evidence to substantiate information (basically substantive testing) in management and
financial reporting (such that it is not inappropriate and inaccurate). That is, to
minimise risk by ensuring:

‰ the completeness and accuracy of recorded transactions;

‰ that assets are safeguarded;
‰ that complete, accurate and relevant information is provided on a timely basis; and
‰ that accounting and finance functions are managed efficiently.

4.5.5 Operational audit

¾ An audit of the operational processes of an organisation (its primary activities and

support activities) to ensure that management has:

‰ adequate controls and other risk management measures in place to achieve

business objectives (risk management) economically and efficiently; and
‰ adequate routine assurances which inform them that their controls and risk
management measures are effective

¾ Basically a compliance based audit to ensure that controls are operating as intended.

4.5.6 Functional audits

¾ Basically, separate audits to ensure that individual functions are operating as intended.

¾ For example, the audit of the marketing function would ensure that:

‰ marketing processes are authorised, conducted in accordance with written

company policy and apply relevant laws and regulations;

‰ complete, accurate, relevant and timely information is obtained from internal and
external sources (eg market research) and is freely available to all involved; and

‰ advertising, campaigns, promotion and unit pricing is planned, budgeted, cost-

benefit analysed, monitored and controlled;

‰ contingency plans are in place to limit potential image and reputation risk.

4.6 Use of external organisations

¾ Some companies outsource their internal audit function to specialist internal audit
entities or to their external auditors.

¾ In some jurisdictions, under corporate governance requirements for listed companies,

the use of the organisation’s external auditor to provide additional services beyond
audit and taxation is either specifically banned (Sarbannes-Oxley in the US) or has to be
approved and justified by an audit committee (UK Combined Code).

1515
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

Example 3

Briefly suggest advantages and disadvantages for the outsourcing of internal

audit.

Solution

FOCUS
You should now be able to:

¾ define internal and external audit;

¾ explain the main functions of the internal auditor and the external auditor.

EXAMPLE SOLUTIONS
Solution 1 — Agents

¾ A director can be described as an agent having a fiduciary relationship (one of trust)

with a principal (i.e. the company that employs them).

¾ Directors are similarly agents of the shareholders who appoint them to manage the
company on their behalf.

¾ Auditors, as they are appointed by the shareholders in most jurisdictions, are also
agents of the shareholders.

1516
 SESSION 15 – EXTERNAL AND INTERNAL AUDIT

Solution 2 — Assessing need for internal audit function

¾ Corporate structure and the degree of autonomy of each of the business units.

¾ Overall corporate culture and management’s philosophy.

¾ The company’s appetite for risk or its ability to tolerate risk.

¾ Overall control environment.

¾ Changes in organisational structure (including delayering), reporting processes and/or

underlying information systems.

¾ Changes in key risks arising from:

‰ changes in internal processes (e.g. product or service lines or entry into new
markets);

‰ alterations in external factors such as regulatory requirements.

¾ Complexity of the company’s systems, especially IT systems.

¾ The number of moderate to high risk areas which are not appropriately controlled.

¾ Deteriorating trends in internal control systems evident from the existing monitoring
systems.

¾ Concerns about the level of “risk and control awareness” and the need to educate senior
or middle management, or staff.

¾ An increased incidence of unexpected or unacceptable results or occurrences.

¾ The views of the company’s external auditors.

Solution 3 — Outsourcing

Advantages

9 Costs – A company with an in-house internal audit service must pay salaries, training
and overheads. By outsourcing, the company would only pay for resources when
required and so overall the total cost may be cheaper.

9 Consistency with external audit – There may be greater consistency in approach between
the internal and external auditors. This may mean external audit can place more
reliance on internal audit work and hence the company would benefit from a lower
external audit fee.

9 Skills – Contracting-out internal audit allows the company to bring in new skills.
External providers will have wider experience gained by auditing other companies.

1517
SESSION 15 – EXTERNAL AND INTERNAL AUDIT

9 New techniques – Both the internal and external audit markets are very competitive. This
encourages firms to develop new techniques which are more efficient and effective.
Contracting out gives the company access to these techniques without a high level of
investment.

9 Management time – Management time and resources can be freed to concentrate on core
areas of the business instead of peripheral ones.

9 Liability – Legal action may be brought against an external service provider if their
standards are not acceptable.

Disadvantages

8 Skills – An external contractor may lack the specialist skills relevant to a particular
company which an in-house service will possess.

8 Constraints on service – The service provider will need to act in accordance with the
terms of reference. This may mean they are unable to follow up suspicious
circumstances outside their duties without first seeking permission from the company
and re-negotiating the terms of reference.

8 Flexibility – An in-house department will provide a permanent presence whilst

contracted out services may only be at the company for discrete periods. In-house staff
may have more commitment to the company (e.g. willingness to work overtime, travel,
etc). Outsourcing may result in reduced staff availability and flexibility.

8 Expectation gap – An expectation gap has existed for external audit for many years. If
the profession cannot meet public expectations for a narrow role which is defined by
statute can they meet management expectations for a wider role? The company may
discover too late that they are not getting what they want. If a contract has been agreed
it may be difficult to change

8 Standard of service – Once an external provider has secured the contract the level of
service provided may fall. The audit committee/board of directors must monitor and
ensure that the quality of staff provided is satisfactory and work is completed according
to the terms of reference.

8 Corporate culture – Contracting out any service involves a change to corporate culture.
Unless managed sensitively, outsourcing may lower employee morale, reduce
performance, generate a negative cultural impact, create permanent job insecurity.

1518