Navigating External Auditors

Most people have heard of, or been coerced into participating in, an internal audit. Internal audits are conducted by auditors who are usually employees of the organization (or 3rd party consulting auditors, like R3) but are independent of the areas they audit. By taking a peek behind the curtain, they assess various things, typically checking to see if the way things are getting done matches the way they are supposed to be getting done, and provide assurance that the organization’s operations are efficient, effective, and compliant. This can involve any business function, such as accounting, information security, quality, delivery, etc. Usually during an internal audit, you are dealing with someone asking questions and gently probing for more information when they encounter something that doesn’t add up. 

Internal audits are performed annually, and sometimes more frequently, and possibly in a phased approach to accommodate internal staff limitations and avoid interruption to business functions. The purpose of these audits is multi-fold, however performing an in-house check is often a requirement to achieve certification. They offer early warnings on issues that can and should be remediated in a timely fashion and provide a good health-check for leadership to understand how the business is functioning. 

An external audit is an entirely different animal. External audits are independent evaluations performed by outside, independent bodies that are paid for their auditing services. They usually assess against a published, authoritative set of standards or controls (CMMI, NIST, ISO, SOC2, etc.). 

External auditors follow a systematic and standardized audit process, which includes planning, risk assessment, testing, and reporting. They gather evidence, perform analytical procedures, conduct interviews with key personnel, and perform substantive reviews of policies, processes, procedures, and records to validate the company’s adherence to the standard. 

After completing the audit, the external auditors issue an audit report that includes their opinion on the aptitude of the organization’s implementation of the standard. The report always includes an assessment, but often includes suggestions regarding opportunities to improve the way the company is functioning, or observations on things that could potentially become risks. 

External audits provide assurance to stakeholders that the organization’s current state of operations is in accordance with the standard. In addition, they enhance the credibility and transparency of internal processes, promote trust in the organization (both for employees and clients), and help maintain the integrity of the brand. 

That being said, finding an external auditor that will match your company’s culture can be challenging, and unfortunately lots of research and word of mouth are the best options to determine who will ultimately be a good fit. External auditors are human after all, and their interpretation of the standard, as well as their background (personal and professional) will all play a part into how the audit proceeds.  

There are key elements to consider when you start your search: 

1. Identify requirements: The specific standard and scope you choose will point you in the right direction. Often a 3rd-party auditor, like R3, can perform an internal audit to identify gaps or needs of the company and provide insight into the standard and scope that is ideal for your business. 
2. Research and shortlist potential auditors: Use your research to assess qualifications, experience, reputation, accreditations, and industry expertise. 
3. Seek recommendations from trusted sources such as colleagues, other organizations in your industry, professional networks, or industry associations.  
4. Take measure of the auditor’s personality…if they seem rigid, overly prescriptive, or unyielding they may not just look for a control to be satisfied, but have certain ideas about how things should be done, which can be problematic. Ask yourself how the auditor may react if an interviewee was unavailable when scheduled because they had COVID or were giving birth (trust us, it has happened). 
5. Consider any affiliations that the auditor may have that could cause a potential conflict or compromise their ability to be independent. 
6. Verify that there have not been complaints or disciplinary actions taken by approval bodies. 
7. Budget: Solicit fee proposals from your shortlist and make a decision using analytical tools and techniques to choose the best candidate. 

The final selection of an external auditor should be based on a thorough and objective evaluation process that involves key stakeholders in the decision-making process. The person responsible for hiring the auditor should take into consideration the input and feedback that the involved stakeholders provide. This will not only promote transparency, but also ensure that the auditor aligns with organizational goals (i.e., choosing the correct standard to audit against) as well as mitigate risks to the success of the audit. An external audit is not a short process, so the relationship with an external auditor can afford your staff with helpful, ongoing support, guidance, and can contribute to your organizations longer term success. If you’re looking for compliance services with a partner you can trust, take a look at R3’s Governance, Risk, and Compliance Services and schedule some time to chat with a member of our team.