Build a Bridge to the Internal Audit Department

The outside auditor needs to have an open, candid dialogue with the audit committee.

THE RENEWED FOCUS ON AUDIT COMMITTEE OVERSIGHT of the financial reporting function can assist outside auditors in preventing financial statement irregularities. Auditors now have an opportunity to develop a relationship with the audit committee that may promote frank communication in a way that their usual relationship with management did not. Also, the kinds of matters the audit committee and auditor should, or are now required to discuss, facilitate fraud prevention.

THE AUDIT COMMITTEE OVERSEES THE RELATIONSHIP with the outside auditor and is supposed to have a full understanding of the terms of the engagement. According to New York Stock Exchange and NASD rules for audit committees, their charters must specify that “the outside auditor for the company is ultimately accountable to the board of directors and audit committee of the company” (as representatives of the shareholders).

THE AUDIT COMMITTEE AND AUDITOR SHOULD MEET often and privately. At minimum, once per quarter. For a frank dialogue to occur, the auditor and audit committee will need to meet, on occasion, without company management present.

CHARGE THE CLIENT WHAT THE AUDIT IS WORTH. Auditors should be properly compensated. A competent audit, simply put, is an investment every company should make.

GAAS NOW REQUIRES DISCUSSION OF SAS no. 61 items in conjunction with the the auditor’s quarterly review, and under SEC rules the audit committee is required to disclose whether such discussion occurred.

KELLY M. HNATT, Esq., is a partner in the law firm of Willkie Farr & Gallagher, New York City, and concentrates in the areas of commercial litigation, accountant liability and securities litigation.

t has been said that “it takes a great person to deal with catastrophe, and an even greater one to prevent it.” Revelation of an accounting irregularity or fraud, with its inevitable impact on a company’s stock price and reputation—as well as the “follow-on” shareholder lawsuits and SEC problems—can be disastrous for a company. It’s a catastrophe no business wants to suffer—and no outside auditor wishes to be involved in.

The outside auditor has a key role to play in fraud prevention even though companies, regulators such as the SEC and courts alike recognize they can’t rely only on the outside auditor to prevent accounting irregularity or fraud. This is even more true in today’s environment in which audit committees are being charged with more financial reporting oversight than ever before (see “The Audit Committee’s Roadmap,” JofA , Jan.99, page 47 ).

But what should the role of the outside auditor be? Working within the new audit committee framework—as laid out in the report of the Blue Ribbon Committee on Improving the Effectiveness of Corporate Audit Committees and the report of the Panel on Audit Effectiveness (the O’Malley panel)—the outside auditor can serve as a valuable resource in preventing and detecting accounting fraud. For more information, see “The State of Audit Committees.”


Having the right kind of relationship with an audit committee is critical to the independent auditor’s role. To structure an effective relationship, the outside auditor should consider the following guidance.

Let the audit committee be the fulcrum of the financial reporting function. View the audit committee as the keystone to a successful financial reporting system. Understand that the audit committee, in its oversight role of the financial reporting function, should also oversee the outside auditor relationship and have a clear understanding of the terms of the engagement. The audit committee, not company management, should take responsibility for the selection, compensation terms and, if necessary, replacement of the outside auditor. According to New York Stock Exchange and NASD audit committee rules, their charters must specify that “the outside auditor for the company is ultimately accountable to the board of directors and the audit committee of the company” (as representatives of the shareholders).

Meet regularly with the audit committee. The outside auditor and audit committee should meet no less than once a quarter. More frequent meetings are desirable, and the auditor should feel free to call the audit committee chair if material issues arise between scheduled meetings.

Meet privately and directly. Auditors and audit committees need to have a frank dialogue about the company’s financial reporting function. Focus on actual or potential holes in the system and provide, as necessary, constructive criticism of company management and even senior executives. One way auditors and audit committees can ensure a candid and open discussion is to meet privately, without company management present—perhaps at the end of regularly scheduled committee meetings or on a separate occasion.

Encourage the audit committee to avoid the checklist mentality. Don’t assume a checklist will have all the answers. Lots of professionals draft checklists for audit committees to use in their discussions with auditors, but they should be used carefully. More important, a list tends to drive discussions. One can imagine a scheduled one-hour call and a 30-item list: That’s 2 minutes per item—start the timer! People will be preoccupied with checking boxes, instead of discussing the critical issues and specific areas of potential breakdown. There is also the litigation risk. Lawyers could later use these lists in shareholder suits as evidence of what the audit committee and auditors did or did not do.

Don’t swamp the audit committee with too much paper. Minimize the use of paper. Some professionals recommend extensive written documentation between the outside auditor and audit committee, and suggest the dialogue between them should be principally in writing. This may not be a good idea. It undoubtedly will stifle the flow of information, as most people find it more difficult to be candid on paper. Another reason to avoid paper is, again, concern about its use in litigation.

Charge the client what the audit is worth. Auditors should be properly compensated. Quality audits and auditors aren’t cheap. A competent audit, simply put, is an investment every public company ought to make. An audit committee should appreciate what a diligently performed audit by competent staff is worth to a company: Public knowledge of even a minor accounting irregularity can cause a company to lose overnight a substantial portion of its share value. And how does a company even begin to measure the damage arising from the harm to its reputation, the loss of access to financial markets and disruption of activity, let alone the distractions of the inevitable shareholders’ suits?


Once the external auditor has established an effective, structured relationship with the audit committee, his or her next step is to make that relationship a genuine part of the company’s fraud-prevention efforts. Specifically, an auditor should engage in a candid, probing dialogue with the audit committee to address the aspects of the financial reporting function that are most susceptible to improper activity. There are a number of points the auditor might regularly discuss with the audit committee.

The financial environment. The outside auditor, first and foremost, should seek out and candidly report on the nature of the company’s financial reporting environment. Is management under too much pressure? Is there a reluctance to report bad news? Is there a danger management will tweak results to meet quarterly earnings expectations? These are the types of questions auditors and audit committees must ask—they are fundamental to the prevention and early detection of financial fraud.

Both the law and good business sense require a company to maintain its books and records in a manner that fairly reflects corporate transactions and events. An auditor’s inquiry should include the extent of computerization, its sophistication, any software inadequacies and overall staffing. This will help the auditor in other ways as well, as accounting system problems only make an audit more difficult.

Managerial bias in applying GAAP. Another area the auditor should discuss is the management’s bias in applying GAAP. How GAAP is applied depends on management’s judgment. What are the areas of subjectivity? Is management overly aggressive? Overly conservative? Trying to get it right?

Recent amendments to Statements on Auditing Standards nos. 61, Communication with Audit Committees, and 71, Interim Financial Information, require the auditor to share his or her view on how that judgment is being exercised with the audit committee. The amendments say the auditor should discuss with the committee judgments about the quality, not just the acceptability, of the company’s accounting principles as applied in its financial reporting. The amendments also specify this discussion include the consistency of the company’s accounting policies and the clarity and completeness of the company’s financial statements.

Cooperation from company management. The outside auditor should address with the audit committee management’s level of cooperation during the audit or review of quarterly financial information and any difficulty the auditor encountered. Frequently, a lack of cooperation and the presence of difficult issues will go hand in hand. Individually or together, they can be telltale signs of a broader problem. In particular, a lack of cooperation can suggest an attitude toward financial reporting that is inconsistent with an open and obvious environment.

Unusual revenue or reserve activity. Financial statement fraud frequently originates in revenue manipulation. The auditor should look for revenue recognition patterns that do not match the ebb and flow of the company’s normal business cycle. Revenue spikes toward the end of a quarter or other financial reporting period may be a warning of something out of the ordinary (see “Timing is of the Essence” ).

The auditor also should focus on the level of reserves, not only at yearend but during the course of the year, to see if there are any unjustified or unexplained changes. Reserves that are established or modified almost entirely based on management’s judgment may warrant particular scrutiny. The auditor should also review other aspects of the application of GAAP in which management judgment plays an important role. The overall goal is for the auditor and the audit committee to satisfy themselves that any unusual patterns and deviations flow from business activity and not from a desire to meet internal reporting targets or analysts’ expectations.


Outside auditors have not had it easy in attempting to uncover accounting irregularities. This is because:

Accounting irregularities often start out small, falling below the radar screen of materiality thresholds upon which auditors traditionally have focused.

Irregularities frequently involve allocations over a three-month period, and auditors historically have had little or no involvement with quarterly financial statements.

Auditors typically are on the client’s site only once a year and junior staff members usually perform the audit—hardly an adequate opportunity to fully understand a particular corporate environment.

Irregularities tend to arise in areas of financial reporting that are somewhat hazy to begin with.

Management is undoubtedly aware of the testing and inquiry auditors will undertake and may design activities specifically to avoid auditor detection.

Given these impediments, how can the outside auditor effectively work with a company to prevent accounting irregularities? The renewed focus on audit committee oversight, arising from the reports of the blue ribbon committee and the O’Malley panel, should help. The auditor is now charged with developing a relationship with the audit committee that promotes more frank communication in a way the auditor’s traditional relationship with management did not. And the kinds of matters the audit committee and auditor now are required to discuss, such as the effectiveness of internal accounting controls, also facilitate fraud prevention (see “New Rules, New Responsibilities,” JofA, Aug.00, page 53).


Every conscientious outside auditor will conduct an audit according to GAAS. But is that enough? The auditor may want to explore with the audit committee other steps he or she might take, such as meeting privately with members of management to gain extra insight into the corporate environment and identify potential causes of financial misstatements. Are people reluctant to report bad news?

The SEC requires registered companies to have an outside auditor review before filing financial statements included with their quarterly forms 10-Q. Amended SAS no. 71 established a level of auditor scrutiny of quarterly information beyond the quick once-over that historically had been the convention. In conducting a review under SAS no. 71, the auditor must consider such matters as significant changes in the internal control structure, items that appear to be unusual (like revenue changes that deviate from the company’s historical trends), changes in accounting practices and changes in business activities. Although a SAS no. 71 review is not an audit, it is much more than many companies had been asking their outside auditors to do. These new requirements are helpful in preventing fraud.

Also, GAAS now requires discussion of SAS no. 61 items in conjunction with the auditor’s quarterly review—not just at yearend. SAS no. 61, as amended, places the burden on the auditor to communicate with the audit committee concerning certain specified items, and under SEC rules implementing the blue ribbon committee recommendations, the audit committee is required to disclose whether such discussion occurred. The list of items to be discussed is extensive. It includes the auditor’s responsibility under GAAS, significant accounting policies, management judgments about accounting estimates, significant audit adjustments, disagreements with management, difficulties encountered in performing the audit and the quality—not just the acceptability—of the company’s application of accounting principles. In the embellished relationship discussed above, the audit committee and the outside auditor may find they already have more than adequately addressed all, or virtually all, the SAS no. 61 items. To the extent they have not, they should make sure they have considered any remaining items.


No discussion of the audit committee’s interaction with the outside auditor is complete without at least some acknowledgment of the auditor independence issue. In 1999 the Independence Standards Board issued ISB Standard no. 1, Independence Discussion with Audit Committees, requiring the auditor to apprise the audit committee of all relationships that may bear on independence. The new rule requires a disclosure in the company’s proxy statement between the auditor and the audit committee regarding whether this dialogue has occurred. Accordingly, the audit committee will be asked to make an informed judgment as to whether, in the context of a particular audit, the outside auditor’s independence was adequately preserved.

At the moment, a collection of ad hoc rules embodied in GAAS, the AICPA Code of Professional Conduct, exchange rules and SEC regulations define “auditor independence.” The definition undoubtedly will continue to evolve. (For more on this topic, see “A Framework for Auditor Independence,” JofA, Jan.01, page 39. ) At this juncture the audit committee will have to use its own good judgment to determine whether the outside auditor can and will speak openly and without influence from senior management.

As long as the company retains and pays the auditor, he or she will, at some level, be sensitive to its wants and needs. Both the auditor and audit committee must understand that thoroughness, candor and zeal are the best criteria by which to measure audit performance.

Investors rely on outside auditors to provide an unbiased examination of numbers to ensure their credibility and gauge a company’s performance. Outside auditors are one of the cornerstones in the corporate governance triad charged with the quality of companies’ financial reporting and accounting controls. When auditors and audit committees embrace best practices to fulfill their responsibilities, the quality of public companies’ information and reporting improves—not just the audit process.

Build a Bridge to the Internal Audit Department

W hile the audit committee must oversee dealings with the outside auditor, it should also have a strong sense of the challenges facing the internal auditors. “Contact with the internal audit department is crucial,” says Patricia Carbine, chairwoman of the audit committee of New York Life Insurance Co. Carbine believes that regular and open communication with the internal auditors is critical for an audit committee to develop a meaningful understanding of a company’s financial reporting systems and processes. Her own experience and initiatives at New York Life offer a road map other boards of directors can follow to foster stronger relationships between the audit committee and internal auditor.

Maintain regularly scheduled contact. “When the audit committee meets four times a year, we have at the table the general auditor, the deputy general auditor (members of internal audit), the head of compliance and other staff members as needed,” Carbine says. One of the cofounders of Ms. magazine and the president of the Ms. Foundation for Education and Communication, Inc., as well as cofounder of the Ms. Foundation for Women, Inc., and a veteran of many not-for-profit boards, Carbine joined New York Life’s audit committee in 1987 and became chairwoman in 1989. At that time the committee met briefly only during the morning of the board of directors’ meeting, but today it convenes for three hours the afternoon before those board meetings. Each of these afternoons ends with executive sessions that include both internal and outside auditors but no other company management representatives. Carbine calls the company CEO after her committee’s executive sessions to discuss salient points.

The time involved is “an indication of how complex the audit universe has become for audit committees,” she says. “It’s also an indication of the care and attention we feel we must give to the issues.”

Keep in touch between meetings. Carbine also has frequent, unscheduled contact with Thomas Warga, the company’s general auditor and head of internal audit. “We talk about the agendas of upcoming meetings and have informal discussions about issues such as regulatory and legal concerns.”

The committee also holds an annual reception for internal audit staff. “We have actually visited the audit department as a committee, wearing nametags, to say hello and have a cup of coffee together,” Carbine reports. “The members of the audit department get to meet us and we get to move around and give the people who labor so intensely a sense of what we’re like and how much we appreciate their work.”

Such informal follow-up to the usual committee business makes an important difference in the working relationship between the internal audit staff and the committee, she believes. Otherwise, Carbine says, the head of internal audit might be less likely to speak his or her mind on challenging issues or may hesitate to bother a committee chairperson with information that could ultimately prove important.

Ask questions. Carbine works actively to stay informed of audit issues. The internal audit staff gives her an annual presentation on the audit plan after it is finalized. “I come in midmorning and each senior department member presents his or her plan for the year, including scope, staffing, travel plans and other considerations. I get a very good grasp of the individuals and how they’re addressing their responsibilities.” The outside auditors then are invited in for a working lunch, which gives Carbine a chance to discuss issues with them as well.

Don’t work in a vacuum. Carbine recommends the Institute of Internal Auditors’ Audit Committee Effectiveness—What Works Best (2nd edition). The first edition’s self-assessment survey allowed her committee to compare its performance to best practices. Carbine encourages the general auditor to suggest material—books, articles or reports—of which she and the committee should be aware. “We’re always looking for ways in which we can measure our performance,” Carbine says.

Use the COSO model. New York Life’s internal auditor reports follow the recommendations of the Committee of Sponsoring Organizations of the Treadway Commission. Carbine says the department has created “an extraordinarily effective format, based on the COSO model, for analyzing and assessing its internal audit report.” The company’s internal control evaluations focus on the achievement of objectives in three categories: effectiveness and efficiency of operations, reliability of financial reporting and compliance with applicable laws and regulations. The reports contain a summary on each area, then a rating on a scale of 1 to 4. The ratings are color coded, with green for the best ratings, yellow for those in the middle and red for problem areas. These color codes are displayed in the table of contents, “so we know right away where the trouble is,” Carbine says.

Know which issues will be raised. “As chair, I have gotten to know what areas are of greatest concern to each committee member,” Carbine says. “I will call the general auditor beforehand if I know we’re covering a subject that could be problematic, so he’s prepared. If the chair of the committee can articulate in advance what the questions will be, we’ll do a better job of addressing them.”

Carbine often appears on conference panels with Warga, and their description of their level of communication leaves some internal auditors looking dazed, she says. As a first step for those who would like to have greater audit committee involvement, she recommends scheduling an annual presentation of the audit plan to the committee chairperson. Alerting the chairperson to articles or other items of interest is another way of initiating more regular contact. “The internal auditor knows the committee chair is a busy person and doesn’t want to bother him or her,” Carbine says. “That’s a very understandable attitude, but it doesn’t make it any easier when you have to call with bad news.”

Because of the strong relationship between the audit committee and the internal audit department, “each side has benefited greatly,” Carbine says. “We push each other to see if we’re doing everything the best way it can be done.”

—Anita Dennis

ANITA DENNIS is a JofA contributing editor.


Year-end tax planning and what’s new for 2016

Practitioners need to consider several tax planning opportunities to review with their clients before the end of the year. This report offers strategies for individuals and businesses, as well as recent federal tax law changes affecting this year’s tax returns.


News quiz: Retirement planning, tax practice, and fraud risk

Recent reports focused on a survey that gauges the worries about retirement among CPA financial planners’ clients, a suit that affects tax practitioners, and a guide that offers advice on fraud risk. See how much you know with this short quiz.


Bolster your data defenses

As you weather the dog days of summer, it’s a good time to make sure your cybersecurity structure can stand up to the heat of external and internal threats. Here are six steps to help shore up your systems.