An external auditor performs an audit, in accordance with specific laws or rules, of the financial statements of a company, government entity, other legal entity, or organization, and is independent of the entity being audited.[1] Users of these entities' financial information, such as investors, government agencies, and the general public, rely on the external auditor to present an unbiased and independent audit report.
The manner of appointment, the qualifications, and the format of reporting by an external auditor are defined by statute, which varies according to jurisdiction. External auditors must be members of one of the recognised professional accountancy bodies.[2] External auditors normally address their reports to the shareholders of a corporation. In the United States, certified public accountants are the only authorized non-governmental external auditors who may perform audits and attestations on an entity's financial statements and provide reports on such audits for public review. In the UK,[3] Canada and other Commonwealth nations, Chartered Accountants and Certified General Accountants have served in that role.
For public companies listed on stock exchanges in the United States, the Sarbanes-Oxley Act (SOX) has imposed stringent requirements on external auditors in their evaluation of internal controls and financial reporting. In many countries external auditors of nationalized commercial entities are appointed by an independent government body such as the Comptroller and Auditor General. Securities and Exchange Commissions may also impose specific requirements and roles on external auditors, including strict rules to establish independence.[4]
In some countries, audit firms may be organized as LLCs or corporate entities. The organization of audit firms has been a subject of debate in recent years on account of liability issues. For example, there are rules in EU member states that more than 75% of the members of an audit firm must be qualified auditors.[5] In India, audit firms can only be partnerships of qualified members of The Institute of Chartered Accountants of India.
In the USA, the external auditor also performs reviews and compilations of financial statements. In a review, auditors are generally required to tick and tie numbers to the general ledger and make inquiries of management. In a compilation, auditors are required to look over the financial statements to make sure they are free of obvious misstatements and errors. An external auditor may perform a full-scope financial statement audit, a balance-sheet-only audit, an attestation of internal controls over financial reporting, or other agreed-upon external audit procedures.[6]
External auditors also undertake management consulting assignments. Under statute, an external auditor can be prohibited from providing certain services to the entity they audit. This is primarily to ensure that conflicts of interest do not arise. The independence of external auditors is crucial to a correct and thorough appraisal of an entity's financial controls and statements. Any relationship between the external auditors and the entity, other than retention for the audit itself, must be disclosed in the external auditor's reports. These rules also prohibit the auditor from owning a stake in public clients and severely limit the types of non-audit services they can provide.
The primary role of external auditors is to express an opinion on whether an entity's financial statements are free of material misstatements.
Internal auditors who are members of a professional organization would be subject to the same code of ethics and professional code of conduct as applicable to external auditors. They differ, however, primarily in their relationship to the entities they audit. Internal auditors, though generally independent of the activities they audit, are part of the organization they audit, and report to management. Typically, internal auditors are employees of the entity, though in some cases the function may be outsourced. The internal auditor's primary responsibility is appraising an entity's risk management strategy and practices, management (including IT) control frameworks and governance processes.[7] They are also responsible for the internal control procedures of an organization and the prevention of fraud.[8]
If an external auditor detects fraud, it is their responsibility to bring it to the management's attention and consider withdrawing from the engagement if management does not take appropriate actions. Normally, external auditors review the entity's information technology control procedures when assessing its overall internal controls. They must also investigate any material issues raised by inquiries from professional or regulatory authorities, such as the local taxing authority.
External Auditors' Liability to Third Parties
Auditors may be liable to third parties who are damaged by making decisions based on information in audited reports. This risk of auditors' liability to third parties is limited by the doctrine of privity. An investor or creditor, for instance, cannot generally sue an auditor for giving a favorable opinion, even if that opinion was knowingly given in error.
The extent of liability to third parties is established (in general) by three accepted standards: Ultramares, restatement, and foreseeability.
Under the Ultramares doctrine, auditors are only liable to third parties who are specifically named. The restatement standard opens up their liability to named "classes" of individuals. The foreseeability standard puts accountants at the most risk of liability, by allowing anyone who might be reasonably foreseen to rely on an auditor's reports to sue for damages sustained by relying on material information.
While the Ultramares doctrine is the majority rule (to the relief of many new and budding accountants pursuing an auditing career!), the restatement standard is preferred in several states and is growing in popularity. The foreseeability standard will not likely be widely adopted anytime soon because the cost (time and financial) of litigation would be enormous.
CFOs, company accountants, and other employees are not afforded the same luxuries of the doctrine of privity. Their material actions and statements open them (and their companies) up to liability from third parties damaged by relying on these statements.