Relationship with External Auditors

Finally, as we wrap up this chapter about building an effective internal IT audit function, we'll briefly discuss external auditors and their impact on the internal audit team. Your company's external auditors will also need to review IT controls, especially as they relate to Sarbanes-Oxley compliance. They will need to review the internal audit team's work and also perform their own independent testing in certain areas. It is easy to see this as an intrusion and an annoyance. No one likes having their work reviewed and questioned, but really, the external auditors are just giving the internal auditors a taste of their own medicine. If we can't take it, we shouldn't dish it out. Accept the fact that the external auditors are there for a legitimate reason.

A healthy working relationship between the internal and external auditors, where information is shared freely, is how to make the best of the situation. It is also important for each group to keep the other informed of its activities. This will allow you to notify your audit customers about situations in which it may appear that they are being asked duplicate questions. Do your best to smooth over those situations so that the customers at least understand the reasons for them. Also, you should encourage the external auditors to review the internal auditors' work prior to speaking with your customers. This will at least give them a baseline of knowledge and minimize the amount of time the customer has to spend explaining the basics of the environment. Again, the external auditors are there for a reason, so do your best to work together and minimize the impact on your customers.

IT Auditing. Using Controls to Protect Information Assets
Year: 2004
