It is a misconception that an external auditor’s responsibilities can be summed up as examining financial records with the goal of forming an opinion about the fairness of information presented within a company’s financial statements. An audit, in a broader sense, is a method of forming an opinion or conclusion about processes, transactions, or other information when compared to a standard or criteria. There are a variety of different services or reasons a company may need to engage an auditor. This section also helps explain what an auditor is and the broader role they serve.
If embraced, business owners can use auditors as tools to enhance processes and procedures, and create a tone from the top that deters fraudulent activity. This holds both management and employees accountable to execute their roles and responsibilities. In this post, we will review a number of topics to gain an understanding of an auditor’s responsibilities in completing an audit and the professional duties they hold as an external auditor.
What is An Auditor?
In simple words, an auditor is someone independent of whatever is being reviewed. This could be a financial statement, adherence to certain laws, internal policies, or industry-specific rules. This section answers the question of what an auditor does in practice. Below are examples of different audit functions, the auditor’s duties, and the scope of work.
Types of Auditors & Audit Engagements
Understanding the different types of auditors and audit engagements helps clarify the distinct roles and services available to organizations. While all share the common goal of providing independent assessment, their specific focus areas, methodologies, and reporting requirements vary significantly based on the auditor’s role and the engagement’s purpose.
What Are the Key Responsibilities of An Internal Auditor?
An internal auditor is responsible for performing procedures that test the efficiency and effectiveness of a company’s internal controls put in place to achieve business objectives. The scope of an internal audit includes all financial and operational controls that are used to create maximum productivity at a company. Example findings or duties include:
- Provide recommendations to improve weak internal controls.
- Investigate instances of possible fraud (even those considered immaterial).
- Perform reconciliations of financial and operating information.
- Monitor compliance with industry standards, laws, and guidelines.
- Evaluate whether processes and procedures are functioning properly.
What Are the Responsibilities of a Forensic Auditor?
A forensic auditor is responsible for using a mixture of audit and investigative techniques to determine whether the suspicion of fraud is warranted and, if so, the effects of the fraud. The scope of forensic audits can be as wide as necessary and can take a significant amount of time and resources. Generally, a successful forensic audit relies greatly on the types of monitoring a company has in place. This allows a forensic auditor to utilize logs and information captured as part of monitoring to put an accurate timeline together.
Attestation Services
An external auditor is responsible for providing different services to clients, such as guidance on accounting-related matters, technical disciplines, or industry knowledge. The scope of work depends on services rendered, but is generally defined by an agreement between the client and auditor.
Auditors report on subject matters like the design and operating effectiveness of a service organization’s internal controls over a certain objective, such as security. These reports are known as System and Organization Controls (SOC) reports. See below for more information on this type of report.
Information System Audit: Sample Attestation Service
An external auditor is responsible for evaluating the internal controls pertinent to a company’s IT infrastructure. The scope of information system audits can be determined based on a specific objective, but generally includes the following steps.
- Suitability of the design and operational effectiveness of internal controls related to the security of information. Types of internal controls include logical and physical access, data transmission, and system health monitoring. See more about specifics related to SOC reports in some of our other posts, such as “What is a SOC 1 Report?”
- Effectiveness of maintaining information security and privacy.
- Completeness and accuracy of information processing and data integrity.
- Evaluate whether the system development life cycle meets the necessary standards.
What Are the Duties & Responsibilities of An Auditor?
The AICPA has defined the professional responsibilities of auditors performing attestation services. As outlined in AU Section 110, an auditor’s responsibilities when performing a financial statement audit are to create a plan and then execute that plan by collecting applicable supporting evidence to make a determination, or opinion, on whether or not the financial statements presented by management are free and clear of any material misstatements that were presented by way of error or fraudulent activity. Any errors or fraud that do not meet the threshold for materiality are not the responsibility of the auditor, per PCAOB auditing standards.
For other types of attestation examinations, auditors are responsible for following SSAE 18. SSAE 18 details an auditor’s responsibilities in performing an audit and reporting on the opinion, conclusion, or findings in accordance with the attestation standards and type of engagement. While an external auditor is responsible for making sure that the opinion, findings, or conclusion are reported in accordance with requirements, the ultimate responsibility for the subject matter itself still rests with the client. Let’s talk a little more about that.
Another responsibility of an auditor includes the request for management to supply a written and signed assertion. Why is an assertion so important, you may ask? The simple answer is that auditors base their opinion, conclusion, or findings on the information provided by management. Because of this, management is responsible for explicitly stating to the users of their audit report that the information within the report is complete and accurate. This is all outlined as part of the assertion. If management will not provide this assertion, an auditor will be required to provide a modified opinion.
What Are the Qualifications of An Auditor?
The qualifications of an auditor are dependent upon the type of audit being performed. For example, in public accounting, auditors are required to hold a Certified Public Accountant (CPA) designation or work for a CPA firm in order to provide an opinion on the subject of the audit. In fact, any attestation report provided to a client that follows certain Statements on Standards for Attestation Engagements (SSAEs) must be completed by a CPA firm that has gone through the peer review process. Other audit types require other types of auditor qualifications. For example, practitioners who perform HITRUST audits must be Certified CSF Practitioners (CCSFPs).
Auditors who work internally within an organization, or internal auditors, are often not required to have a qualification, but generally, an internal auditor in a management position must have certain qualifications. Those can include Certified Internal Auditor (CIA) or Certified Fraud Examiner (CFE). Other qualifications also exist, depending on the type of audits performed. For example, auditors who work with information technology generally are required to be Certified Information Systems Auditors (CISAs) or Certified Information Systems Security Professionals (CISSPs), and those who work in risk management auditing receive the Certification in Risk Management Assurance (CRMA). Qualifications, as with any industry, are highly specialized to the type of work being performed, and there are endless types that different auditors can obtain depending on what they specialize in.
What Skills Do Auditors Need?
Beyond formal certifications, successful auditors must possess strong analytical thinking, attention to detail, and excellent communication skills to explain complex findings to management. Professional skepticism is essential, as auditors must question assumptions and verify information independently. Additionally, auditors need strong interpersonal skills to work effectively with client teams while maintaining professional independence. Technology proficiency has become increasingly important, as modern audits often involve data analytics software and automated testing procedures.
Who is Responsible for Audit Risk?
Audit risk is the risk that an auditor will provide the wrong opinion based on the testing completed. Both the auditor and management are responsible for audit risk. The auditor is responsible because they must exercise the professional skepticism required to review the evidence provided to support their opinion. Management, on the other hand, must provide information that is complete and accurate.
What Are the Auditor’s Responsibilities with Respect to Subsequent Events?
Every audit eventually comes to an end (sad, I know!). At the end of every audit, the auditor is responsible for inquiring about subsequent events. Subsequent events are those events, considered material, that occur after the end of the period but prior to the report date that could impact the following:
- service description,
- design of controls,
- operating effectiveness, or
- management’s assertion within a SOC report.
Subsequent events in other types of audits, such as a financial statement audit, would be those that impact the financial statements or disclosures.
Where Do Auditors Get Their Guidelines?
When performing audits under AICPA guidance, auditors utilize the Generally Accepted Auditing Standards (GAAS), which fall into categories that include general standards, fieldwork standards, and reporting standards. Within these standards, specific guides are used to complete the audit type. For example, attestation audits follow Statements on Standards for Attestation Engagements (SSAEs).
Where Do Auditors Report Their Findings?
At times, testing will result in an audit finding. In SOC reports, audit findings are noted within section IV of the report. Additionally, the final section of the report allows for management to respond to any exceptions or findings noted. These should be reviewed to determine whether processes have been put into place to mitigate the risk of them occurring in the future.
What Qualifies Someone as an Auditor?
To qualify as an auditor, different skills are generally required. When acting as an external auditor under SSAE 18, auditors are required to maintain skills such as proper education, industry background, and working knowledge. Having the right type of auditor qualifications is particularly essential because auditors are often required to exercise their own professional judgment in determining whether certain criteria are met or if an opinion should be qualified. In addition to having the right type of proficiency, external auditors are also expected to follow certain ethics requirements. These requirements are outlined in the AICPA’s Application Code of Professionalism.
Depending on the type of audit or attestation engagement underway, the type of designations required will likely differ. A good place to start is at CPA firms. If your organization requires an attestation engagement, the report will only be legitimate if it is signed by a CPA or CPA firm.
This is, however, just the beginning. Attestation services can cover a number of different areas, including financial services, information technology services, cryptocurrency, oil and gas, health care audits, and the list goes on. When engaging an external auditor to perform these services, do the proper due diligence, such as checking designations (for example, CISSP or CISA) or past references, to determine whether those working on the engagement have the right type of background.
Why Are Auditing & the Auditor Important?
Many times, people cringe at the sight of auditors, but it is important to understand what auditors do and their function in creating a better business. Auditors provide the opportunity for business owners to incorporate independence into the review process of their internal control program. Additionally, the process helps to define gaps, weak controls, and possible risks. Moreover, recognizing the different functions auditors can provide and using their services as an asset can ultimately provide companies with an edge over their competitors.
Do Auditors Get Audited?
In fact, yes, auditors do get audited by a third-party auditor. This is done as a way to determine whether a CPA firm and the individuals working there have the correct technical knowledge, and that processes are in place to follow planning and reporting requirements. The AICPA Peer Review Program is completed once every three years.
Do Auditors Have a Duty of Care?
The cornerstone of being an auditor is a duty of care to the users of the audit report. This is the most important part of the industry, and without it, reports are no longer considered valuable. This idea of duty of care is also called out in professional standards: in the US, the AICPA’s Generally Accepted Auditing Standards (GAAS), the Public Company Accounting Oversight Board (PCAOB) standards for audits of public companies, and SSAEs for attestation work. Additionally, auditors have been found liable when they were negligent in providing due care.
One interesting pattern that is starting to show up in almost every industry, and accounting is no exception, is the amount of private equity being used to consolidate or purchase small CPA firms. This pattern will change the cornerstone idea of duty of care to the importance of stakeholder value. Companies receiving audits need to be aware of the potential conflicts of interest or lower quality of work that can come when such values are being introduced at the core of a company.
What Do Auditors Do? Key Responsibilities Summary
Hopefully, as you read through this post, it has become clear that choosing the right auditor for the type of engagement your organization needs is extremely important. The responsibilities of the auditor and client are truly maximized when both parties understand their roles in the audit process. In summary, those external auditor responsibilities include the following:
- The CPA Firm will be conducting the audit
- The CPA Firm staff working on the audit have the necessary skills to provide professional judgment
- The CPA Firm has been through a peer review at least once in the last three years
- The CPA Firm requires that management provide a written assertion
- The CPA Firm acts in a professional and ethical manner
These key concepts should be fundamental when your organization decides on engaging an external auditor in the future.
If you have any additional audit questions or concerns, or have an upcoming audit engagement, and are in need of CPA services, please contact Linford & Co.
This article was originally published on 1/5/2021 and was updated on 9/10/2025.

Jaclyn Finney started her career as an auditor in 2009. She started with Linford & Co., LLP. in 2016 and is a partner with the firm. She is a CISA with a special focus on SOC, HITRUST, FedRAMP and royalty examinations. Jaclyn works with her clients to provide a process that meets the needs of each customer and generates a tailored report that is useful to the client and the users of the report.