External audits provide an independent evaluation of an organization’s financials, information systems and controls. By having an external auditor check the accuracy of financial statements and accounts, as well as highlight errors in systems and controls, organizations become more resilient and convey transparency and trust to their employees, customers and shareholders.
What Is an External Audit?
An external audit is performed by auditors outside of the organization. This independent review is typically provided to external parties such as regulators, lenders and investors.
Types of external audits include financial statement audits, audits of systems and controls such as Sarbanes-Oxley (SOX), and health and safety audits such as HIPAA and OSHA.
External Auditing Procedures
Five main components maintain the structure and validity of an external audit. They help auditors properly prepare, review and analyze, confirm accuracy, and report findings and opinions to interested parties.
Planning
The external auditor works with the organization to scope the audit, define functional areas, create the schedule, and understand who will need to participate. As the audit plan is drafted, the organization should begin to determine which artifacts (documents, records, etc.) will be needed, as well as what people will need to participate in meetings and interviews.
As planning is taking place, include in the audit plan a schedule of progress reviews with senior leadership to ensure transparency and obtain input.
Evaluation and Analysis
Once planning is complete, the auditor will review key systems and controls to determine if they comply with the scoped regulatory requirements and standards that are listed in the audit plan. In some cases, they will work with employees to determine how systems are used and to understand if procedures are followed. Additionally, auditors will likely examine the workflow of key activities to understand what actions take place, and how documentation is created, reviewed and approved, measuring the effectiveness of controls.
Validating Accuracy
Once the auditors evaluate and understand key controls, activities, systems and documentation within the organization, they will benchmark these elements against regulatory requirements and standards. Auditors will begin to draft their report, which consists of several elements, including recommendations, observations and findings.
Although reporting will begin at this stage, it typically is not finalized until it is reviewed with those involved with the audit within the organization to be sure it is an accurate account.
Determining Conclusions
At this stage, auditors complete the draft report and review it with the internal team to validate its accuracy. As observations and findings are validated, consider working with the internal team to understand any remediation that will need to be put into place, especially if it may require a budget, people or systems.
Reporting and Communicating
Lastly, the final report will be reviewed with all stakeholders. This will include the scope, findings and observations. Remediation that needs to be put into place will take the form of management action plans, which will detail the steps required to bring any weakness back into compliance.
External Auditing Templates
There are several external auditing tools that any external auditor will want to have in their toolkit. When leveraging any template, it is best to standardize the format so there are no surprises when sharing for review and approval.
Checklist
An audit checklist is an essential document that should be drafted during the planning phase. The template is composed of questions, typically grouped under functional areas such as finance, technology, or internal (e.g., organizational charts, meeting minutes, etc.), or questions related to a quality management standard. Providing this checklist early will enable the organization to gather information before evaluation begins.
Audit Plan
The audit plan is central to the audit process. Consider including the following sections:
- The scope of the audit, including areas of risk
- Those involved in the audit (names, roles, contact information, etc.)
- Review and reporting schedule
- Governance (e.g., senior management progress reviews)
- Reporting types
- Activities after the final report is published
Audit Report
An audit report is prepared as conclusions are determined. The report contains a summary of audit activities and any observations. While observations can be formalized, typically findings are presented with information such as level of materiality or severity and recommended remediation. Consider writing the report and any action items in a way that is relevant to the business and is actionable.
External Auditing Standards
An independent external auditor can plan, conduct and report the results of an audit following generally accepted standards. Below are two common standards:
Generally Accepted Auditing Standards (GAAS)
GAAS is a framework that many external auditors use in financial audits. These standards ensure that every audit is conducted with the same consistency and reliability. GAAS is divided into three categories: general standards, standards of fieldwork and standards of reporting, which cover the different aspects of the auditing process. The latest version of GAAS can be found in the U.S. Government Accountability Office’s Yellow Book.
ISO 91011
ISO 91011 is an international standard used for guidance for managing systems. Like GAAS, ISO 91011 provides guidance on managing the audit program; auditing principles; and how to properly evaluate processes, artifacts and people. As technology evolves, ISO 91011 reviews ensure that technological advances do not increase risk, so the audit program can remain relevant as changes occur. ISO 91011 is maintained by the International Organization for Standardization.
External Auditing Best Practices
Running an effective and successful external audit takes coordination and effort from both the external auditor and the organization under review. The key takeaway: this is a joint effort. With that in mind, there are several best practices to consider.
Engage Early
All teams, both the external auditing team and internal teams, should meet early on to discuss potential risk areas, expectations, governance and a preliminary schedule. Begin to engage with those people who will need to gather evidence and/or need to be available for meetings or interviews.
Be Available
For all people who are involved in the audit, it is extremely important to be available and engaged. Consider providing the schedule of those responsible for key areas, and once the audit schedule is drafted, be sure all individuals who are key resources are available when asked. Have senior leaders review early report drafts, and, if possible, attend workshops to ask questions early and often to show responsiveness.
Communicate
Lastly, ongoing, clear and honest communication is a must on both sides. Doing so will convey confidence in the process and results, as concerns will be raised sooner and potential remediation and action plans can be put into place quickly. Regular communication goes a long way toward addressing any potential stakeholder concerns.