External Auditor Communication: How Boards and Management Should Engage
Quick Answer: Effective communication with external auditors requires structured touchpoints throughout the audit cycle: board and audit committee oversight of auditor independence and scope, management's delivery of complete and accurate information, timely responses to inquiries, and formal representation letters. The audit committee is responsible for auditor appointment, fee approval, and reviewing significant disagreements between management and auditors. Management must provide access to all requested records, persons, and information without scope limitations.
Key Takeaways
- The audit committee—not management—has primary responsibility for external auditor appointment, oversight, and assessment of independence.
- Management must respond to auditor inquiries promptly; delays can trigger going concern warnings or qualified opinions.
- Management representation letters are required for all audits; they formalize management's assertions and confirm no undisclosed information.
- Incomplete or delayed responses constitute scope limitations, which may result in qualified opinions or adverse conclusions.
- Board communication with auditors typically flows through the audit committee, not direct management channels.
- Post-audit debriefs should document significant findings and recommendations for process improvements.
- Recurring audit adjustments indicate control weaknesses that management and the board should address.
Who Communicates with External Auditors?
Audit communication operates on multiple levels with distinct responsibilities:
| Party | Primary Responsibility | Communication Channel |
|---|---|---|
| Audit Committee | Auditor appointment, independence oversight, scope approval | Audit committee meetings, executive sessions |
| Board of Directors | High-level oversight, significant findings review | Board meetings (via audit committee reports) |
| CFO / Controller | Day-to-day coordination, document provision | Planning meetings, fieldwork requests |
| CEO | Strategic issues, tone at the top | CEO representation letters, executive discussions |
| Internal Audit / Compliance | Coordination with external audit, control documentation | Workpaper sharing, control testing |
| Legal Counsel | Litigation, contingent liabilities | Separate legal representations |
The Audit Cycle: Communication by Phase
Phase 1: Pre-Audit Planning (2–4 weeks before fieldwork)
Pre-audit communication sets the tone for engagement efficiency:
- Engagement letter review: Audit committee approves scope, fees, and independence confirmations
- Risk assessment requests: Auditors seek preliminary information on business changes, significant transactions, and control deficiencies
- Materiality threshold: Agreed between auditors and audit committee; communicated to management
- Trial balance and schedules: Management prepares year-end data for auditor access
Phase 2: Fieldwork (2–8 weeks)
Active audit execution requires rapid management response:
- Information requests (PBCs): Management provides Prepared By Client schedules supporting account balances
- Inquiry responses: CFO and key personnel respond to auditor questions within agreed timelines
- Exception clearance: Management explains variances and provides supporting documentation
- Control walkthroughs: Key personnel demonstrate control operation to audit team
Phase 3: Reporting and Close (1–3 weeks)
Final communications determine audit opinion quality:
- Management letter points: Auditors present internal control deficiencies and recommendations
- Adjusting entries: Management agrees to or disputes proposed corrections
- Representation letters: Executives formalize assertions before opinion issuance
- Audit committee debrief: Partner presents significant findings and management perspectives
Management Representation Letters: Requirements and Content
ISA 580 and AS 2905 require management to affirm certain assertions in writing. These letters are dated the same date as the auditor's report and cover:
| Assertion Category | What Management Confirms |
|---|---|
| Completeness | All financial records were made available; no unrecorded transactions |
| Fraud | No knowledge of fraud affecting the entity |
| Laws | No violations of laws with material financial statement impact |
| Related parties | All related-party relationships and transactions disclosed |
| Estimates | Accounting estimates are reasonable and based on best information |
| Subsequent events | No undisclosed subsequent events affecting financial statements |
Example: Representation Letter Timeline
For a December 31 year-end audit with a February 15 expected completion date:
- January 5: CFO provides preliminary representations for interim testing
- February 10: CEO and CFO review and sign final representation letters
- February 15: Signed letters dated same date as auditor's report
Letters cannot be dated earlier than the audit report date. If subsequent events require adjustment, revised letters may be needed.
Scope Limitations: Causes and Consequences
Management actions—or inactions—that restrict audit scope create reportability issues:
| Scope Limitation Type | Example | Potential Outcome |
|---|---|---|
| Records denial | Management refuses access to bank statements | Qualified opinion or disclaimer |
| Personnel restriction | Key employees unavailable for inquiry | Qualified opinion |
| Location access | Remote locations denied to auditors | Scope limitation paragraph |
| Document timing | PBCs not ready until after report deadline | Report delay or qualification |
| Legal privilege | External counsel refuses litigation disclosure | Emphasis of matter or modification |
Audit Committee Communication Requirements
Under SOX 301 and corporate governance codes, audit committees must:
- Pre-approval: All audit and non-audit services must be pre-approved
- Independence confirmation: Committee must receive written independence confirmations
- Executive sessions: Committee must meet separately with auditors without management present
- Disagreement review: Significant management-auditor disagreements must be discussed
- Critical audit matters: For public company audits, CAMs must be communicated
Required Audit Committee Disclosures (PCAOB AS 1301)
Auditors must communicate to the audit committee:
- Significant engagement terms, including fees
- Auditor's independence and quality control policies
- Significant risks identified during planning
- Significant accounting policies and practices
- Management's sensitive accounting estimates
- Significant unusual transactions
- Going concern evaluation
- Any disagreements with management
The Management Letter: Responding to Recommendations
Auditors often provide a separate "management letter" highlighting control deficiencies:
| Deficiency Severity | Definition | Required Response |
|---|---|---|
| Control deficiency | Design or operation of control does not prevent or detect misstatements | Management discretion; best practice to remediate |
| Significant deficiency | Important enough to merit attention by those charged with governance | Disclosed to audit committee; remediation tracked |
| Material weakness | Reasonable possibility that material misstatement will not be prevented | Public disclosure for issuers; immediate remediation required |
Example: Management Letter Response Process
- Responsibility assignment: CFO designates owners for each recommendation
- Remediation plan: Timeline and resource requirements documented
- Implementation: Controls updated and staff trained
- Follow-up testing: Internal audit validates remediation effectiveness
- Audit committee review: Status reported quarterly until closure
Managing Difficult Auditor Conversations
When significant issues arise, structured communication prevents escalation:
Scenario 1: Potential Going Concern Issue
- Auditor flag going concern analysis requirements early in planning
- CFO provides detailed cash flow projections and financing plans
- Audit committee briefed on risks and mitigation strategies
- If going concern is in doubt, disclosure drafted with auditor input
Scenario 2: Revenue Recognition Disagreement
- Technical accounting position memo prepared by management
- Auditor presents alternative interpretation
- Materiality assessment performed by both parties
- Audit committee adjudicates if views diverge
Communication Best Practices
To optimize auditor engagement:
- Pre-audit meeting: CFO meets with audit partner to discuss year-end changes and risk areas
- PBC owner assigned: Dedicated controller manages the Prepared By Client list
- Weekly status calls: Formal check-ins during fieldwork prevent surprises
- Issue escalation: Defined protocol for when partner involvement is required
- Post-audit debrief: Structured review of what worked and what to improve for next year
Red Flags: Auditor Relationship Risks
Boards and audit committees should watch for:
- Frequent auditor turnover (auditor shopping)
- Management refusing to sign representation letters
- Significant scope limitations late in the engagement
- Material weaknesses recurring year-over-year without remediation
- Excessive audit fee increases without explanation
- Management seeking to limit audit procedures to reduce findings
