Improving cooperation between internal and external audit

Upload: phungnguyet

Post on 08-Feb-2017


POSITION PAPER

Enhancing governance through internal audit

Contents

- Introduction
- Internal audit’s role and responsibility
  - Definition according to the Institute of Internal Auditors
- External audit’s role and responsibility
  - Definition according to International Auditing and Assurance Standards Board
- The interaction between internal and external audit
  - The distinct roles of internal and external audit
  - Interaction and cooperation
- Conclusions
- Appendix
  - Examples of best practice in effective cooperation
  - Assurance mapping
  - The banking sector
  - The utilities sector

Enhancing governance through internal audit

ECIIA is the European Confederation of Institutes of Internal Auditing.

It is organised under Belgian law and its members are the national IIA institutes.

ECIIA has 34 members and represents 40.000 internal auditors.

Its mission is to be the consolidated voice for the profession of internal auditing in Europe by dealing with the European Union, its Parliament and Commission and any other appropriate institution of influence and to present and develop the internal audit profession and good corporate governance in Europe.

Contact:

European Confederation of Institutes of Internal Auditing (ECIIA)

Koningsstraat 109-111 Bus 5, BE–1000 Brussels, Belgium

Phone: +3222173320 Fax: +3222173320 Email: [email protected]

www.eciia.eu

Thank you to the working group for this paper, comprising:

• Volke Hampel, Chief Executive Officer, IIA Germany

• David Lyscom, Policy Director, IIA UK and Ireland

• Sandijs Mikelsons, Assistant Manager PricewaterhouseCoopers, Chairman of the Board IIA Latvia

• Bente Sverdrup, Chief Audit Executive Gjensidige Forsikring ASA

• Michel Uhart, EDF Deputy Senior Vice President Corporate Audit

• Pascale Vandenbussche, ECIIA Secretary General

Thank you to all ECIIA members and ECIIA Board members for their review and contribution

Introduction

In the resolution of the European Parliament on the lessons learned from the financial crisis and the impact on auditing [1], the Parliament recommends distinguishing clearly between internal and external audit. Currently, the European Commission is working on its audit reform project, which will clarify the responsibilities of external audit and the governance of the audit firms themselves.

In the current environment, governing bodies, such as the board and the audit committee, and senior management are responsible for monitoring the effectiveness of the company’s internal control and risk management systems. In performing this function, they seek assurance from various sources both from within and outside their organisations. Governing bodies should play a key role in coordinating the different players and delineating the responsibilities for risk management and control to ensure that significant risks are addressed and suitable controls exist to mitigate and reduce these risks.

The Institute of Internal Auditors (IIA) [2] promotes the “Three Lines of Defence” model as an important tool for integrating, coordinating and aligning all assurance activities in order to optimise the level of governance, risk and control oversight.

In this model, the first line has ownership, responsibility and accountability; the second line is in charge of methodology and monitoring; and the third line provides assurance on the effectiveness of governance, risk management and internal controls. Reporting lines, as illustrated in Fig. 1, show internal audit’s functional reporting line as being direct to the audit committee, which offers independence from the executive body and provides the necessary degree of objectivity to the role. Internal audit provides comprehensive assurance to the governing body and to senior management.

External audit can be considered as an additional line of defence, outside the organisation, with a limited mandate and specific scope to express an opinion on the financial statements.

This publication seeks to clarify the areas of difference between internal audit and external audit as well as to explain the working relationship between the two forms of audit. It will illustrate this with some examples of best practice.

Fig. 1: The Three Lines of Defence model [3]

[Figure: Governing body / audit committee and senior management sit above three lines of defence. 1st line of defence: management controls, internal control measures. 2nd line of defence: financial controller, security, risk management, quality, inspection, compliance. 3rd line of defence: internal audit. External audit and the regulator are shown alongside.]

[1] Resolutions of the European Parliament, Official Journal – March 2013

[2] IIA Global, Global Advocacy Platform, www.theiia.org

[3] The model is recommended best practices, widely applicable to the financial sector and in some countries

Internal audit’s role and responsibility

Definition according to the Institute of Internal Auditors:

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” [3]

Internal audit is an important part of a company’s governance and assists boards and executive management in the effective operation of the organisation.

Internal audit acts as a catalyst for improving an organisation’s effectiveness and efficiency by making recommendations based on objective analyses and assessments of data and processes.

To support the accomplishment of these responsibilities, the IIA International Professional Practices Framework (IPPF) provides a global framework for the profession. It includes the Standards, the Code of Ethics and the Practice Advisories. Moreover, IIA has developed international qualifications, such as Certified Internal Auditor (CIA) and other specific certifications (CRMA, CCSA) to support the acquisition of the knowledge and skills required of an internal auditor. Some country institutes offer their own recognised equivalents.

[3] Definition from the IIA International Professional Practices Framework (IPPF)

External audit’s role and responsibility

Definition according to International Auditing and Assurance Standards Board:

“The external auditor shall express an opinion whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The external auditor’s responsibilities are:

(i) To identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for the auditor’s opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.

(ii) To obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. In circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of internal control in conjunction with the audit of the financial statements, the auditor shall omit the phrase that the auditor’s consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control” [4]

In addition to this role, external audit may carry out other assignments on a contractual basis that do not conflict with their primary role. External auditors have sole responsibility for the opinions they express on the financial statements.

International norms exist for the profession and are codified in the International Standard on Auditing (ISA) issued by the International Auditing and Assurance Standards Board. In each European country, specific laws apply for statutory audit in terms of nomination, standards and reports.

[4] Definition from the International Standard on Auditing (ISA)

The interaction between internal and external audit

Internal audit functions are established as part of an entity’s internal control, risk and governance structures. The international norms for internal audit define the way internal audit may rely on other assurance providers (Standard 2050). In some industries, such as the financial sector, it is required by law to establish an internal audit function. The objectives and scope of an internal audit function vary widely and depend on the size and structure of the entity and the requirements of management. ISA 610 [5] sets out how the knowledge and experience of the internal audit function can inform the external auditor’s understanding of the entity and its environment. The standards for both internal and external audit require effective information sharing and coordination.

The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal audit function.

Fig. 2: The distinct roles of internal and external audit [6]

| | Internal audit | External audit |
|---|---|---|
| Employment/report | Employed by the organisation and reporting to the board or audit committee | Hired external contractor reporting to the shareholders or equivalent |
| Scope | Assessment of all categories of risks and their management: financial, operational, compliance and governance | Express an opinion on the statutory financial statements and related disclosures, therefore examining internal controls relevant for the opinion |
| Objective | Provide assurance that senior management fulfill their duties related to governance, risk management and internal controls | Provide assurance to the stakeholders or equivalent regarding statutory financial statements and other reports as required by local law |
| Focus | Understanding the business, providing assurance on the efficiency and effectiveness of risk management and internal controls systems | Understanding the business sufficiently to express an opinion on the financial statements |
| Independence | Professional ethical standards overseen by the audit committee through a quality assurance and improvement programme. Main focus: objectivity | Professional ethical standards reviewed and monitored by the audit committee and the regulatory framework. Main focus: independent view on the financial statements |
| Recipient of reports | The board, the audit committee, senior management and auditees | Auditors’ opinion to the shareholder(s) or equivalent. Management letters to governing body and senior management |
| Timing and frequency | According to an audit plan approved by the board or audit committee, and senior management | Statutory financial reporting, in some entities reporting to stock exchange |
| Professional framework | International Professional Standards and Code of Ethics | Statutory and regulatory framework |
| Improvements | Systematic recommendations and follow up of corrective actions | Management letter on the processes reviewed and improvements needed mostly focused on financial reporting processes |
| Skills | Diverse skills sets required: being able to understand corporate governance, business risks, operational, strategic and compliance risks | Understanding the business to be able to challenge the use of the accounting standards |

[5] The international norms for the external auditors (ISA 610) define the way external audit may use the work of internal audit to modify the nature or timing or reduce the extent of the audit procedures to be performed directly by them

[6] Best practice

Interaction and cooperation

Interaction and cooperation between the internal auditors and external auditors should help the governing body obtain a more comprehensive view of operations and risks whilst eliminating areas of possible duplication of audit effort. Good communication between internal and external audit should also be of benefit to senior managers as both audit engagements and subsequent recommendations to the improvement of risk management and internal control will be better coordinated.

If the external auditor should decide to use the internal auditor’s work in arriving at their opinion, the process will be regulated by ISA 610.

Given the specific scope and objectives of their mission, the risk information gathered by external auditors is typically limited to financial reporting risks, and does not include the way senior management and the board/audit committee are managing/monitoring the organisation’s strategic, business and compliance risks. However, the internal audit function can provide assurance on these areas to senior management as well as the governing body.

This distinction between external and internal audit assurance can be graphically illustrated (see Fig. 3).

Whilst the objectives of external and internal audit activities are different, there may be some potential areas of overlap, particularly in the area of financial reporting. In particular, external audit may provide “management letter comments” in relation to internal control weaknesses noted in the course of their audit engagement.

Internal audit should consider these points in its audit planning process and may initiate separate follow-up activities to ascertain the effectiveness of management’s corrective actions. Similarly, external audit should consider internal audit findings as an input into their own work.

Before the cooperation takes place, each auditor will assess the work that can be reused from the other auditors.

A minimum level of interaction will be:

• That audit planning by both audit types should be coordinated in order to avoid duplication and overlap

• The internal auditors should make available the executive summary of their report to the external auditor and the external auditor should send a copy of their report and management letter to the chief audit executive

• The internal and external auditors should meet at least once a year to discuss common issues and concerns and ensure coordination

• The chief audit executive should attend the audit committee (or board) meeting for agenda items relating to the external auditors’ status report.

Fig. 3: COSO’s Enterprise Risk Management (ERM) framework

[Figure: the ERM framework with objective categories (Strategic, Operations, Reporting, Compliance), components (Internal Environment; Objective Setting; Risk Identification, Assessment and Response; Control Activities; Information & Communication; Monitoring) and organisational levels (Entity-Level, Division, Business Unit, Subsidiary), with areas marked “Internal audit assurance” and “External audit”.]

A higher and more frequent level of cooperation may include:

• The exchange of information and discussion during the risk assessment exercise concerning financial and other types of risks

• The evaluation of internal controls evidenced in the detailed internal audit reports could be made available to the external auditors

• An exchange of views on methodology and framework in order to establish a mutual understanding of audit approach

• Regular information to the external auditor on updates to the internal audit plan

• Upon request, and where allowed by law, enable access to specific working papers

• Internal audit interim reports including current status and progress on implementation of recommendations could be made available to external audit

• Regular meetings between the internal auditors and external auditors to discuss any relevant issues

• Depending on the level of risks, the inclusion of the external auditors’ recommendations in the internal audit status report

• The regular participation of the chief audit executive in any meetings the audit committee (or board) holds with the external auditor.

It is recommended that the degree of cooperation should be discussed and defined at audit committee (or board) level. The confidentiality of audit work must be respected [7]. The detailed nature of the cooperation may also be specified in the internal audit charter. The chief audit executive [8] should assess on a regular basis the coordination between the internal auditors and the external auditors.

[7] International Standard on Auditing 610 §33

[8] International Professional Practices Framework, Practice Advisory 2050

Conclusions

Internal audit assists the board in the effective operation of the company. External audit expresses an opinion on the financial statements addressed to the board and the markets.

Each type of audit has its well-defined role, scope and responsibilities. Most internal audit engagements review non-financial processes, while external audit is mainly focused on financial processes.

Nevertheless, it is recommended that internal audit and external audit collaborate in order to harmonise the message received by the governing body. The audit committee should define and manage the scope of this cooperation.

The level and intensity of the collaboration may vary based on various factors on both sides, but organisations should ensure a certain degree of cooperation between the two functions.

As a minimum, we would advise organisations to exchange information on the planning of the work to be performed, and in areas of work with potentially high levels of impact. Executive summaries, or an annual report, should be made available by internal audit to external audit. External audit should share their report and management letter with internal auditors.

This relationship between internal audit and external audit will facilitate the work of both sets of auditors, avoid duplication, and ensure the maximum coverage of the risks faced by the entity. It will also help the governing body obtain a comprehensive view of the controls and the risks of the entity.

Appendix

Examples of best practice in effective cooperation:

The nature and extent of cooperation varies from one organisation to another. The level of maturity of the internal audit department is important, as well as its level of professionalism and resources.

For this reason, cooperation can best be illustrated through concrete examples.

1. Assurance mapping

According to IIA Standard Practice Advisory 2110: “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach…. Coordinating the activities of and communicating information among the board, external and internal auditors, and management.”

There are different functions in the organisation in charge of controls and risk. Each one looks at a defined part of the organisation with its own methodology. This is why assurance mapping is a useful tool for obtaining a global overview of the various risk evaluations. Its purpose is to visualise which controls have been effective in the reporting period for highlighting key risks. It helps the governing bodies to get a comprehensive view of the way risks are managed.

Fig. 4 illustrates that there might be areas where risk management and compliance give different ratings based on their separate remits and priorities. Internal audit should make its own independent review of these ratings and external auditors should consider on which processes it is necessary to get comfort in order to enable them to express their opinion on the financial statements.

Fig. 4: Assurance mapping

[Figure: a rating grid. Columns: 1st line (In charge); 2nd line (Risk Management, Compliance); 3rd line (Internal audit); External audit (internal control relevant to financial reporting process). Rows: Segment A, Segment B and Segment C, each with Process 1 and Process 2. Ratings: Satisfactory, Improvements needed, Unsatisfactory; some cells are marked N/A.]

2. The banking sector

There are many opportunities for cooperation between internal audit and external audit in the audit cycle, as shown below.

| Phase | Internal audit | External audit | Cooperation |
|---|---|---|---|
| Planning (annual/strategic) | Risk assessment | Risk assessment | Agreeing on high risks, agreeing on scope of both internal and external audits to save resources. |
| Execution | Identifying and assessing control design and efficiency for all processes (including financial reporting process). | Evaluating financial reporting processes, control efficiency and level of reliance on them | Using the same numbering for financial processes to ease communication during the internal audit of key controls. |
| Reporting (1. regular, 2. annual) | 1. Reporting to management. 2a. Reporting to external audit regarding controls audited and effectiveness. 2b. Audit committee/supervisory board on the overall control environment and main risks/actions. | 1. Reporting to management, the chief executive officer and internal audit. 2. Reporting to management, the chief executive officer, board, internal audit and shareholders. | Agreeing on deadlines for reporting is very important for external audit to be able to use information from internal audit in its work. Also, internal audit should receive data from external audit considering risk areas identified in the financial reporting process and in other areas, such as IT. |

* Risk management/compliance function can be involved in control identification work.

3. The utilities sector

The internal audit plan is presented to the external auditors in December. It is approved by management and the audit committee before the end of March in the presence of the external auditors. The final plan of the external auditors is then approved by the chief financial officer in April so that he or she can ensure that cooperation between the audit functions has been planned properly by each side.

The external auditors are invited to the audit committee twice a year to discuss internal audit matters: audit planning and the summary of the audit engagements’ findings and recommendations.

Before they issue their half-yearly financial report, the external auditors receive the internal audit reports for the same half-year period being examined.

Before an internal audit of a large entity starts, the internal auditors meet with the external auditors in order to exchange views on relevant information.

Before the review of any financial process, the internal auditors present their terms of reference and their audit program to the external auditors. They discuss the approach taken, and the external auditors communicate any information they may have previously collected on the processes being reviewed. In this way there is no redundancy in the work performed.

An internal audit guide for financial processes has been set up showing common and specific objectives for each process. The guide has been discussed and approved by the external auditors.

The internal auditors are present at the meeting organised by the external auditors to present their management letters and recommendations.


• IIA Austria: www.internerevision.at
• IIA Azerbaidjan: www.audit.gov.az
• IIA Belgium: www.iiabel.be
• IIA Bosnia and Herzegovina: www.interni-revizori.info
• IIA Bulgaria: www.iiabg.org
• IIA Croatia: www.hiir.hr
• IIA Cyprus: www.iiacyprus.org.cy
• IIA Czech: www.interniaudit.cz
• IIA Denmark: www.iia.dk
• IIA Estonia: www.theiia.org/chapters
• IIA Finland: www.theiia.fi
• IIA France: www.ifaci.com
• IIA Germany: www.diir.de
• IIA Georgia: www.theiia.org/chapters
• IIA Greece: www.theiia.org/chapters
• IIA Hungary: www.iia.hu
• IIA Iceland: www.fie.is
• IIA Italy: www.aiiaweb.it
• IIA Latvia: www.iai.lv
• IIA Lithuania: www.theiia.org/chapters
• IIA Luxembourg: www.theiia.org/chapters
• IIA Montenegro: www.iircg.co.me
• IIA Morocco: www.theiia.org/chapters
• IIA Netherlands: www.iia.nl
• IIA Norway: www.iia.no
• IIA Poland: www.iia.org.pl
• IIA Portugal: www.ipai.pt
• IIA Romania: www.aair.ro
• IIA Serbia: www.theiia.org/chapters
• IIA Slovakia: www.skiia.sk
• IIA Slovenia: www.si-revizija.si/iia/
• IIA Spain: www.auditoresinternos.es
• IIA Sweden: www.internrevisorerna.se
• IIA Switzerland: www.svir.ch
• IIA Tunisia: www.iiatunisia.org.tn
• IIA Turkey: www.tide.org.tr
• IIA UK & Ireland: www.iia.org.uk