
Pride, Pressure, or Pointless? Considerations for Your External Auditor Reliance Strategy
The core factors influencing whether your SOX team should pursue External Auditor reliance — or not.
SOX leaders have mixed opinions on External Auditor reliance.
Some see it as a source of pride. It’s a testimonial to their high-quality SOX program when their External Auditor places high reliance on their controls testing work.
Some view it as an opportunity. The goal of having their External Auditor rely on as much of their work as possible helps them elevate their SOX programs.
Some regard it as an ongoing source of frustration. They’re not seeing significant ROI on the time they spend preparing supporting documentation to meet External Auditors' precise requirements. If their External Audit fees aren’t decreasing, is creating perfect workpapers the best use of their time?
Should your SOX team be working to increase External Audit’s reliance on your work? To help you make the call, this article lays out the considerations and shares tactics SOX teams use to establish and improve reliance.
Defining the External Auditor Reliance Strategy
First, let’s get clear on what we’re talking about and why.
An External Auditor reliance strategy is a deliberate, proactive approach that management takes to increase the extent to which the External Auditor can rely on the organization’s internal control testing and documentation for SOX compliance.
The goal of increased reliance is to reduce duplication of effort and increase the efficiency of the external audit, in hopes of lowering audit fees.
Key Considerations for External Auditor Reliance
If your External Auditor does not rely (or relies very little) on your organization’s SOX compliance internal control testing, the ball is in your court.
There’s a lot you and management can do to positively influence how much your External Auditor relies on your work.
It comes down to understanding the key reasons External Auditors do and don’t rely on management’s work.
For more perspective, I talked to Ryan Godbey, founder of RJG Advisory and former Big Four National Office partner, who weighed in on some of the areas.
4 Reasons External Auditors DO Rely on Management’s Work
- Proactive initiative. Are you pushing your External Audit reliance agenda? SOX leaders and CAEs need to take the initiative to start the conversation, direct efforts, and follow up over time. Those who do not generally do not have their External Auditors relying on much, if any, of their work.
- Clearly risk-rated controls. An essential step toward enabling reliance is helping External Auditors understand which controls are high, medium, and low risk. External Auditors will be open to relying on management's work for most low-ranked and some medium-ranked controls.
- Aligning with the External Auditor. This includes aligning on scoping approach/attributes and using External Audit’s templates, ensuring your documentation meets their requirements. Explained Ryan, “The biggest filter I put on things is alignment. Are we aligned on control attributes and testing attributes? Can we coordinate on getting populations and selecting samples in AuditBoard or something like it? That whole song-and-dance is far and away the biggest driver of reliance. External Auditors are often thinking from an efficiency perspective. I’m thinking, is relying going to help me be more efficient? Or am I going to have to do so many things to compensate because we’re not aligned, so that I’ll incur more time by relying?”
- Positive perceptions of SOX teams’ competence. External Auditors are more likely to consider relying if they think you know your stuff. Demonstrate your experience/expertise by:
  - Showing foresight about likely questions. Ryan advised, “I want to know that they’ve already asked some of the questions I would ask. So if I’m sitting down with a SOX leader and I ask them my first two top-of-mind questions and they say, ‘Oh, I thought about that, and I already asked so-and-so what they think,’ that really helps build credibility.”
  - Ensuring SOX teams and leaders have relevant testing and controls skills/experience. Ryan said, “I’ve worked with heads of Internal Audit who don’t have SOX experience. That makes it really tough to work with them effectively.”
  - Ensuring SOX teams understand the overall controls environment. Ryan mentioned that a SOX team having a good relationship with the organization’s IT group is a great sign. “It shows they understand the whole web of controls — for example, that they know what has to happen from a security perspective or a change management perspective. Ideally teams should understand what it means to integrate SOX as just one piece in a broader environment.”
  - Consistently maintaining high workpaper documentation standards.
  - Proactively and transparently identifying any potential control deficiencies.
4 Reasons External Auditors DON’T Rely on Management’s Work
- Independence perceptions. If individuals reporting to the CFO (whether second or third line) are performing the control testing, they’re deemed less independent because they’re testing controls that are the CFO’s responsibility. On the flipside, where there’s clear separation (e.g., IT control owners reporting to the CIO), External Auditors are more likely to consider relying.
- Disorganized, inconsistent work, making you look ill-prepared and potentially unreliable. A purpose-built controls solution (e.g., SOXHUB) can often solve for this, because out-of-the-box functionality typically includes (1) reminding control owners of updated documentation expectations and enabling them to upload it (which SOX teams can then quality-check) and (2) helping SOX teams quickly reference how controls were documented in the past.
- Significant business changes. These changes introduce risks and complexity that External Auditors have to consider given the potential impact on testing and controls. Examples include an acquisition resulting in a new in-scope entity for SOX compliance or a technology implementation impacting controls design and operation (e.g., External Audit may not rely on a SAP S/4HANA implementation in its first year given the financial controls impact).
- New players. This could take the form of a new External Audit lead partner who lacks knowledge/relationships and trust with your team, a new External Audit firm in its first year of working with you, or a SOX compliance leader who’s new to your organization.
On that note, don’t underestimate the importance of building and maintaining a strong relationship with the lead External Audit partner. This informal relationship can significantly impact your success. That’s why next week’s Enabling Positive Change newsletter will put the spotlight on why and how you should cultivate this critical relationship.
The Business Case AGAINST Having an External Auditor Reliance Strategy
I recently talked with a CAE responsible for overseeing testing of 1,000+ SOX controls whose team had recently stopped maintaining its strategy. This was notable, because they had a lot of factors in place to achieve high reliance.
So I asked: What changed? Why now?
He shared several reasons, including:
- Increasing External Auditor documentation requirements needed for relying on management’s testing work — leading to increased time spent by Internal Audit fulfilling the new requirements, which took time away from other assurance and advisory work.
- Increasing costs of Internal Audit controls testing resources.
- Difficulties in proving or realizing savings in External Audit fees, even when the reliance strategy was working optimally.
- A deliberate strategic shift toward internal efforts to lower SOX costs and free up Internal Audit resources to support more management requests, including:
  - Offshoring more SOX testing work to geographies with lower labor costs.
  - Automating controls, both from control performance and control testing perspectives.
  - Pushing back on External Audit recommendations for new controls as appropriate given a well-developed understanding of management’s considerations of key controls.
  - Upgrading to a purpose-built SOX solution from a legacy application.
This team’s experience reflects the big-picture reality many teams face.
External Auditors typically don’t share the spend (hours/dollars) on the internal controls portion of the integrated audit. And when they do show a reduced controls spend, new focus areas tend to pop up (e.g., statutory audits, work around company technology initiatives).
It can be the External Audit equivalent of a game of Whack-a-Mole. No matter which “mole” you push back into its hole, another one pops up. Year over year, most External Audit fees end up trending to a 4–7% increase.
It raises the question: Why do all this extra work if you're still going to pay your External Auditor the same amount — only out of a different pocket?
The Bottom Line: What Does Your CFO Think?
These are all important factors to consider. But there’s another big consideration worth calling out.
While there may be a handful of SOX leaders — like the CAE whose story I shared — who can shift their efforts elsewhere, the majority will have to keep up their External Audit reliance strategies.
CFOs, audit committees, and boards will always look to reduce areas of significant spend, and External Audit fees tend to be a major line item for any organization. That means most CFOs are going to advocate for their Internal Audit teams to work to reduce spend in this area.
CFOs are unlikely to change their minds, despite any valid contrarian views. They see increasing External Audit reliance as a key way Internal Audit can add value and support their agenda.
Plus, here’s something else that’s unlikely to change: Most companies ultimately benefit from the more rigorous, detail-oriented SOX programs that result from efforts to increase reliance.
So, whether you view your SOX team’s efforts to increase External Auditor reliance as a source of pride, an opportunity, or a headache that won’t quit, your CFO probably sees it as valuable and important. That consideration may eclipse everything else.