Can external audit rely on internal audit?

Internal audit refers to the department located within a business that monitors the efficacy of its processes and controls. The internal audit function is especially necessary in larger organizations with high levels of process complexity, where it is easier for process failures and control breaches to occur.

What is an External Audit?

An external audit is an examination that is conducted by an independent accountant. This type of audit is most commonly intended to result in a certification of the financial statements of an entity. This certification is required by certain investors and lenders, and for all publicly-held businesses.

Comparing Internal and External Audits

There are multiple differences between the internal audit and external audit functions, which are as follows:

• Internal auditors are company employees, while external auditors work for an outside audit firm.

• Internal auditors are hired by the company, while external auditors are appointed by a shareholder vote.

• Internal auditors do not have to be CPAs, while a CPA must direct the activities of the external auditors.

• Internal auditors are responsible to management, while external auditors are responsible to the shareholders.

• Internal auditors can issue their findings in any type of report format, while external auditors must use specific formats for their audit opinions and management letters.

• Internal audit reports are used by management, while external audit reports are used by stakeholders, such as investors, creditors, and lenders.

• Internal auditors can be used to provide advice and other consulting assistance to employees, while external auditors are constrained from supporting an audit client too closely.

• Internal auditors will examine issues related to company business practices and risks, while external auditors examine the financial records and issue an opinion regarding the financial statements of the company.

• Internal audits are conducted throughout the year, while external auditors conduct a single annual audit. If a client is publicly-held, external auditors will also provide review services three times per year.

In short, the two functions share one word in their names, but are otherwise quite different. Larger organizations typically have both functions, thereby ensuring that their records, processes, and financial statements are closely examined at regular intervals.

According to International Internal Audit Standards, continuous audit is a method to evaluate risks and controls frequently more than traditional way. Or it is a process of collecting audit evidences frequently by using internal audit (Caldwell, 2009).

Big four audit firms illustrate through research of (Searcy, 2003) their clients are increasing the using of continuous internal auditing. In addition, (Alles et al, 2006) developed an approach of Continuous Monitoring of Business Process Controls (CMBPC) for internal IT audit department of Siemens Corporation.

The following Figure 1 illustrates the difference between conventional and continuous internal audit effect on controls:

Figure 1 Conventional and Continuous Internal Audit Effect on Controls

Several companies were already involved in some form of continuous auditing or control monitoring while others are attempting to adopt more advanced audit technologies (Vasarhelyi et al., 2010).

On one hand there is a direct relation between automation and the use of modern technologies in business processes with the expanded use of enterprise resource planning (ERP) systems, and a direct relation between automation and integrity of internal audits within continuous internal auditing on other hand (Vasarhelyi et al., 2004).

By applying a continuous audit, there are measurable differences in the risk of fraud and errors. Following are some benefits of using internal audit (Verver, 2008):

1. Provide management and internal audit a better understanding of risk priorities and needed controls against these risks.

2. Release the internal audit team from traditional procedures that focus on immediate risk areas.

3. Some of internal audit cases needs several weeks to be processed, under using of continuous internal audit need a fraction of this time.

The Institute of Internal Auditors-IIA within the Global Technology Audit Guide noted that the application of continuous auditing is based on:

1. Continuous risk assessment.

2. Continuous control assessment.

Whether it is for the traditional enterprise data-processing system or for enterprise resource planning (ERP) systems.

ISA 610

ISA 610 which deals with the external auditor's relationship with the internal auditor and the use of the external auditor for the internal auditor's work. The standard clarifies that, although the objectives of both internal and external audit are different, it may be similar the way achieving these objectives.

External auditors need to assess the adequacy of internal auditors and adequacy of the evidences obtained by the internal auditors when performing their work.

Therefore, in the case of using continuous internal audit by internal auditors, the external auditors' assessment of internal audit work quality increases, and the risk assessment of material misstatement decreases.

According to IIA’s recommendations, the ideal situation is when the internal and external auditors meet periodically to discuss common interests; benefit from their complementary skills, areas of expertise, and perspectives; gain understanding of each other's scope of work and methods; discuss audit coverage and scheduling to minimize redundancies; provide access to reports, programs and working papers; and jointly assess areas of risk (Pop et al., 2004).

Also, (Ramasawmy, 2012) emphasized that external auditors agreed that coordination with internal auditors leads to some benefits and they give ample importance to the internal auditors’ competence, work performance. This agreed with (Hajiha, 2011) who study “The Impact of Internal Audit Function Quality on Audit Delays”, and found many factors affect the number of days required to complete financial statement audits, these factors are mainly was competence and fieldwork quality.

The external auditors willing to rely more on internal audit work in a continuous audit environment than in a traditional environment, and this effect is magnified when the prior year audit report on the effectiveness of internal controls indicates that controls are working properly (Malaescu & Sutton, 2013).

Why ERP Audit is Different?

Implementation of enterprise resource planning systems is a complex technological and organizational business undertaking that requires the knowledge of a process approach to overcome its implementation constraints (Epizitone & Olugbara, 2019). Thus, through ERP Systems traditional batches controls and audit trails are no longer available, modules have automated entries for each other’s, all transactions are integrated and stored in one common database, need of extensive and complex access security and authority matrix, need also complex network and database access security matrix and controls needed should be different from traditional systems.

Therefore, within using of ERP systems, auditors need to understand and assess all of the following:

1. Computerized Information flow.

2. Computerized Information interaction.

3. Computerized Information risks.

4. Computerized Information controls.

This will improve ability to assess risks and needed controls upon these risks within ERP environment.

(Hunton et al., 2001) examined the extent to which financial auditors recognize differences in the nature and extent of unique business and audit risks associated with enterprise resource planning (ERP) systems, as compared to traditional computerized (non-ERP) systems and investigate financial auditors' level of confidence in assessing such risks and their propensity to seek consultation with information systems (IS) audit specialists in their firm and found that financial auditors were significantly less concerned than IS audit specialists with risks of the ERP environment.

Literature Review

The process of electronic data processing has become necessary in large and small enterprises that aim to achieve greater effectiveness in their activities (Romney et al., 2018). Through ISA 200, international audit standards emphasized the importance of external auditor work quality; in addition, Public Company Accounting Oversight Board (PCAOB, 2013) emphasized the audit quality definition, which reflect the needs of investor and decision makers. (ERP) systems have institutional logics in controlling business process that pressure the IAF to change

The changes in auditing processing effected by business globalization, modern technologies acceleration and demand on audit added value. It is necessary nowadays in all sizes of organizations to use electronic data processing for more effectiveness and efficiency (Romney et al., 2018). As (Elbardan & Ali, 2012) emphasized that internal Audit function faces a pressure to change controlling business process under using of Enterprise Resources Planning (ERP) systems.

One of the most important issues related to auditors recently is to have a fair enough technology background (Moorthy et al., 2011). ERP systems aim to consolidate all organization’s information systems under one system, which definitely affected the workflow of internal and external auditors. The use of (ERP) systems has become an essential part of conducting business for many small, medium, and large companies (Haynes & Li, 2016).

Linking the ERP system, which companies are now looking to apply more widely with continuous audit on these system’s needs in the future towards ongoing studies and research to explore continuous audit in the ERP environment (Kuhn, 2010).

ISA 401 (Auditing in a Computer Information Systems Environment) aimed to guide external auditor within computerized environment. This led us to clarify the importance of modern audit within modern skills in addition to traditional skills and it the extending of external auditor relying on internal auditor.

Also, International Internal Audit Standard (IIAS 1230) illustrated the needs of internal audit to strengthen their knowledge, skills and efficiency through continuous professional development, such as using of continuous internal audit.

Due to significant changes in the risk environment of organizations as a result of globalization and digitalization a continuous perspective in audit activities is required (Eulerich et al., 2019).

(Chen et al., 2011) concluded that accountants must have certain degree of knowledge in the realm of traditional finance accounting. In addition, accounting supervisors think implementing an ERP system changes the role of accountants.

Research Problem

Within the last decades, the acceleration growth of information age, there is a gab growing between external auditors and implemented information systems inside client’s organizations, where the external auditor's current technological skills need to be improved to match the acceleration growth (Abu Lehiah, 2015).

The knowledge and relevant expertise in particular areas of the internal auditors while they are the employees of the entity, this may effect on external auditor to rely more on internal auditor's work to provide direct assistance.

Depending on the previous illustration, as the continuous internal audit includes (continuous assessment of controls and continues evaluation of risks) which the external auditor relies on when expressing an opinion on financial statements.

At the same time, continuous analytic monitoring will intrude into the internal control arena, especially since it is built on the firm’s own ERP systems.

This will create concerns within the relationship between internal and external auditing (Vasarhelyi et al., 2004).

External auditors need to have enough knowledge in informatics fields. In addition, they should have enough skills parallel with new technologies.

Vinatoru & Calota, (2014) revealed that ERP system is usually followed by an increase in internal audit procedures as a result the organization may reach a higher level of integration in business processes and to improve the quality of the reports also (Haynes & Li, 2016) concluded that ERP is an invaluable tool for businesses that need to comply with federal and international accounting standards and practices, because it offers increased monitoring, reporting, and risk identification, as well as the enhanced implementation and meta-analysis of internal controls and continuous internal audit benefits of speed, reliability and standardization. This formed the main question(s) of current study about external auditor relying on internal auditor work through these circumstances of ERP continuous internal audit.

Thus, Research problem focusing on answering the following two questions:

1. Does the internal auditor's use of continuous risk assessment work affect the extent of external auditor's relying on this assessment?

2. Does the internal auditor's use of continuous control assessment work affect extent of external auditor's rely on this assessment?

Research Methodology

The survey conducted with the use of designed questionnaire as a primary research instrument aimed the internal auditors, where aiming external auditors may reflect biased feedback.

Questions within questionnaire asked to internal auditors inside organizations using ERP systems and adopting internal continues audit, for concluding from given answers if the external auditors are (Never Rely, Rarely Rely, Sometimes Rely, Often Rely, and Always Rely) on the internal auditors.

The number of organizations using ERP systems in Jordan and have internal audit department is 68 (Received feedback from 44 Companies), but number of organizations using ERP systems and adopting internal continues audit is 16 only (Received feedback from 13 Companies).

For more reliability on research results, the same questions within same questionnaire distributed to the internal auditors inside organizations using ERP systems in Jordan and have internal audit department, but do not adopting continuous internal audit, which lead to have a comparison between the feedbacks received in two cases.

Results and Discussion

First: Results related to internal auditors inside organizations using ERP systems and adopting continuous audit (13 Companies):

As Table 1 declared that external auditor rarely relies on internal continuous auditor’s work in evaluating ERP internal procedures and policies, evaluating employees’ compliance with ERP internal procedures and policies plus assessing controls of ERP systems outputs, where the mean of previous questions was below study mean (3.00) and calculated (T) for the previous questions were negative.

In addition, Table 1 illustrate that external auditor sometimes rely on internal continuous auditor’s work in evaluating risks and assessing controls related to ERP systems input, where the mean of previous questions was above study mean (3.00) and calculated (T) for the previous questions were positive.

But, Table 1 declared that external auditor almost relies on internal continuous auditor’s work in evaluating risks and assessing controls related to ERP systems processing, where the mean was above (4.00) and calculated (T) for the previous dimensions’ questions were positive.

Second: Results related to internal auditors inside organizations using ERP systems but not adopting continuous audit (44 Companies):

As Table 2 declared that external auditor rarely relies on internal auditor’s work in evaluating ERP internal procedures and policies, evaluating employees’ compliance with ERP internal procedures and policies plus evaluating risks and Assessing controls of ERP systems outputs, where the mean of previous questions was below study mean (3.00) and calculated (T) for the previous questions were negative.

In addition, Table 2 illustrate that external auditor sometimes rely on internal auditor’s work in evaluating risks related to ERP systems input, evaluating risks and assessing controls related to ERP system processing, where the mean of previous questions was above study mean (3.00) and calculated (T) for the previous dimensions’ questions were positive.

Where the Table 2 declared that external auditor almost relies on internal continuous auditor’s work in assessing controls related to ERP systems inputs, where the mean was above study mean and equal (4.00), calculated (T) for the previous question was positive.

Finally: The previous discussion may indicate the conclusion of the needs to improve auditors’ abilities to understand and audit computerized systems in general, specially auditing ERP systems. But, more specifically auditing ERP systems processing.

This agree with (Haynes & Li, 2016) conclusion that ERP system has a significant impact on the efficiency, fraud risk reduction, knowledge application, as well as the credibility of the auditing team, the most important factors for the successful use of fraud mitigation techniques rely on ERP systems, which have continuous audit functions. Also, agree with (Eulerich et al., 2019) which emphasized that the use of continuous audit information for the internal audit function’s point of view influence the collaboration with the external auditor.

Conclusion and Recommendations

The study recommends audit offices in Jordan to give more concern regarding auditor's training and developing skills related to modern computerized and electronic information systems. In addition, encourage them to have professional certifications related to information systems such as CISA, CISSA... etc.

For researchers, the study recommends giving more concern about researches related to the modern information systems implementation and it is effect within acceleration and growth of information systems technologies.

Should external auditors rely on internal audit?

Why external auditors rely on internal controls?

Can external audits be internal audits?

Can auditor rely on internal check?