Improving cooperation between internal and external audit
POSITION PAPER
Enhancing governance through internal audit
Contents
Introduction
Internal audit’s role and responsibility
- Definition according to the Institute of Internal Auditors
External audit’s role and responsibility
- Definition according to International Auditing and Assurance Standards Board
The interaction between internal and external audit
- The distinct roles of internal and external audit
- Interaction and cooperation
Conclusions
Appendix
- Examples of best practice in effective cooperation
- Assurance mapping
- The banking sector
- The utilities sector
ECIIA is the European Confederation of Institutes of Internal Auditing.
It is organised under Belgian law and its members are the national IIA institutes.
ECIIA has 34 members and represents 40.000 internal auditors.
Its mission is to be the consolidated voice for the profession of internal auditing in Europe by dealing with the European Union, its Parliament and Commission and any other appropriate institution of influence and to present and develop the internal audit profession and good corporate governance in Europe.
Contact: European Confederation of Institutes of Internal Auditing (ECIIA)
Koningsstraat 109-111 Bus 5, BE–1000 Brussels, Belgium
Phone: +3222173320 Fax: +3222173320 Email: [email protected]
www.eciia.eu
Thank you to the working group for this paper, comprising:
• Volke Hampel, Chief Executive Officer, IIA Germany
• David Lyscom, Policy Director, IIA UK and Ireland
• Sandijs Mikelsons, Assistant Manager PricewaterhouseCoopers, Chairman of the Board IIA Latvia
• Bente Sverdrup, Chief Audit Executive Gjensidige Forsikring ASA
• Michel Uhart, EDF Deputy Senior Vice President Corporate Audit
• Pascale Vandenbussche, ECIIA Secretary General
Thank you to all ECIIA members and ECIIA Board members for their review and contribution
Introduction
In the resolution of the European Parliament on the lessons learned from the financial crisis and the impact on auditing [1], the Parliament recommends distinguishing clearly between internal and external audit. Currently, the European Commission is working on its audit reform project, which will clarify the responsibilities of external audit and the governance of the audit firms themselves.
In the current environment, governing bodies, such as the board and the audit committee, and senior management are responsible for monitoring the effectiveness of the company’s internal control and risk management systems. In performing this function, they seek assurance from various sources both from within and outside their organisations. Governing bodies should play a key role in coordinating the different players and delineating the responsibilities for risk management and control to ensure that significant risks are addressed and suitable controls exist to mitigate and reduce these risks.
The Institute of Internal Auditors (IIA) [2] promotes the “Three Lines of Defence” model as an important tool for integrating, coordinating and aligning all assurance activities in order to optimise the level of governance, risk and control oversight.
In this model, the first line has ownership, responsibility and accountability; the second line is in charge of methodology and monitoring; and the third line provides assurance on the effectiveness of governance, risk management and internal controls. Reporting lines, as illustrated in Fig. 1, show internal audit’s functional reporting line as being direct to the audit committee, which offers independence from the executive body and provides the necessary degree of objectivity to the role. Internal audit provides comprehensive assurance to the governing body and to senior management.
External audit can be considered as an additional line of defence, outside the organisation, with a limited mandate and specific scope to express an opinion on the financial statements.
This publication seeks to clarify the areas of difference between internal audit and external audit as well as to explain the working relationship between the two forms of audit. It will illustrate this with some examples of best practice.
Fig. 1: The three lines of defence model [3]
[Figure labels: Governing body / audit committee; Senior management; 1st line of defence (management controls, internal control measures); 2nd line of defence (financial controller, security, risk management, quality, inspection, compliance); 3rd line of defence (internal audit); External audit; Regulator.]
[1] Resolutions of the European Parliament, Official Journal – March 2013
[2] IIA Global, Global Advocacy Platform, www.theiia.org
[3] The model is recommended best practices, widely applicable to the financial sector and in some countries
Internal audit’s role and responsibility
Definition according to the Institute of Internal Auditors:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.” [3]
Internal audit is an important part of a company’s governance and assists boards and executive management in the effective operation of the organisation.
Internal audit acts as a catalyst for improving an organisation’s effectiveness and efficiency by making recommendations based on objective analyses and assessments of data and processes.
To support the accomplishment of these responsibilities, the IIA International Professional Practices Framework (IPPF) provides a global framework for the profession. It includes the Standards, the Code of Ethics and the Practice Advisories. Moreover, IIA has developed international qualifications, such as Certified Internal Auditor (CIA) and other specific certifications (CRMA, CCSA) to support the acquisition of the knowledge and skills required of an internal auditor. Some country institutes offer their own recognised equivalents.
[3] Definition from the IIA International Professional Practices Framework (IPPF)
External audit’s role and responsibility
Definition according to International Auditing and Assurance Standards Board:
“The external auditor shall express an opinion whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The external auditor’s responsibilities are:
(i) To identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for the auditor’s opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
(ii) To obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. In circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of internal control in conjunction with the audit of the financial statements, the auditor shall omit the phrase that the auditor’s consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control” [4]
In addition to this role, external audit may carry out other assignments on a contractual basis that do not conflict with their primary role. External auditors have sole responsibility for the opinions they express on the financial statements.
International norms exist for the profession and are codified in the International Standard on Auditing (ISA) issued by the International Auditing and Assurance Standards Board. In each European country, specific laws apply for statutory audit in terms of nomination, standards and reports.
[4] Definition from the International Standard on Auditing (ISA)
The interaction between internal and external audit
Internal audit functions are established as part of an entity’s internal control, risk and governance structures. The international norms for internal audit define the way internal audit may rely on other assurance providers (Standard 2050). In some industries, such as the financial sector, it is required by law to establish an internal audit function. The objectives and scope of an internal audit function vary widely and depend on the size and structure of the entity and the requirements of management. ISA 610 [5] sets out how the knowledge and experience of the internal audit function can inform the external auditor’s understanding of the entity and its environment. The standards for both internal and external audit require effective information sharing and coordination.
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal audit function.
Fig. 2: The distinct roles of internal and external audit [6]
Employment/report
- Internal audit: Employed by the organisation and reporting to the board or audit committee
- External audit: Hired external contractor reporting to the shareholders or equivalent
Scope
- Internal audit: Assessment of all categories of risks and their management: financial, operational, compliance and governance
- External audit: Express an opinion on the statutory financial statements and related disclosures, therefore examining internal controls relevant for the opinion
Objective
- Internal audit: Provide assurance that senior management fulfill their duties related to governance, risk management and internal controls
- External audit: Provide assurance to the stakeholders or equivalent regarding statutory financial statements and other reports as required by local law
Focus
- Internal audit: Understanding the business, providing assurance on the efficiency and effectiveness of risk management and internal controls systems
- External audit: Understanding the business sufficiently to express an opinion on the financial statements
Independence
- Internal audit: Professional ethical standards overseen by the audit committee through a quality assurance and improvement programme. Main focus: objectivity
- External audit: Professional ethical standards reviewed and monitored by the audit committee and the regulatory framework. Main focus: independent view on the financial statements
Recipient of reports
- Internal audit: The board, the audit committee, senior management and auditees
- External audit: Auditors’ opinion to the shareholder(s) or equivalent. Management letters to governing body and senior management
Timing and frequency
- Internal audit: According to an audit plan approved by the board or audit committee, and senior management
- External audit: Statutory financial reporting, in some entities reporting to stock exchange
Professional framework
- Internal audit: International Professional Standards and Code of Ethics
- External audit: Statutory and regulatory framework
Improvements
- Internal audit: Systematic recommendations and follow up of corrective actions
- External audit: Management letter on the processes reviewed and improvements needed mostly focused on financial reporting processes
Skills
- Internal audit: Diverse skills sets required: being able to understand corporate governance, business risks, operational, strategic and compliance risks
- External audit: Understanding the business to be able to challenge the use of the accounting standards
[5] The international norms for the external auditors (ISA 610) define the way external audit may use the work of internal audit to modify the nature or timing or reduce the extent of the audit procedures to be performed directly by them
[6] Best practice
Interaction and cooperation
Interaction and cooperation between the internal auditors and external auditors should help the governing body obtain a more comprehensive view of operations and risks whilst eliminating areas of possible duplication of audit effort. Good communication between internal and external audit should also be of benefit to senior managers as both audit engagements and subsequent recommendations for the improvement of risk management and internal control will be better coordinated.
If the external auditor should decide to use the internal auditor’s work in arriving at their opinion, the process will be regulated by ISA 610.
Given the specific scope and objectives of their mission, the risk information gathered by external auditors is typically limited to financial reporting risks, and does not include the way senior management and the board/audit committee are managing/monitoring the organisation’s strategic, business and compliance risks. However, the internal audit function can provide assurance on these areas to senior management as well as the governing body.
This distinction between external and internal audit assurance can be graphically illustrated (see Fig. 3).
Whilst the objectives of external and internal audit activities are different, there may be some potential areas of overlap, particularly in the area of financial reporting. In particular, external audit may provide “management letter comments” in relation to internal control weaknesses noted in the course of their audit engagement.
Internal audit should consider these points in its audit planning process and may initiate separate follow-up activities to ascertain the effectiveness of management’s corrective actions. Similarly, external audit should consider internal audit findings as an input into their own work.
Before the cooperation takes place, each auditor will assess the work that can be reused from the other auditors.
A minimum level of interaction will be:
• That audit planning by both audit types should be coordinated in order to avoid duplication and overlap
• The internal auditors should make available the executive summary of their report to the external auditor and the external auditor should send a copy of their report and management letter to the chief audit executive
• The internal and external auditors should meet at least once a year to discuss common issues and concerns and ensure coordination
• The chief audit executive should attend the audit committee (or board) meeting for agenda items relating to the external auditors’ status report.
Fig. 3: COSO’s Enterprise Risk Management (ERM) framework
[Figure labels: Strategic, Operations, Reporting, Compliance; Internal Environment, Objective Setting, Risk Identification, Assessment and Response, Control Activities, Information & Communication, Monitoring; Entity-Level, Division, Business Unit, Subsidiary. Overlaid areas: Internal audit assurance; External audit.]
A higher and more frequent level of cooperation may include:
• The exchange of information and discussion during the risk assessment exercise concerning financial and other types of risks
• The evaluation of internal controls evidenced in the detailed internal audit reports could be made available to the external auditors
• An exchange of views on methodology and framework in order to establish a mutual understanding of audit approach
• Regular information to the external auditor on updates to the internal audit plan
• Upon request, and where allowed by law, enable access to specific working papers
• Internal audit interim reports including current status and progress on implementation of recommendations could be made available to external audit
• Regular meetings between the internal auditors and external auditors to discuss any relevant issues
• Depending on the level of risks, the inclusion of the external auditors’ recommendations in the internal audit status report
• The regular participation of the chief audit executive in any meetings the audit committee (or board) holds with the external auditor.
It is recommended that the degree of cooperation should be discussed and defined at audit committee (or board) level. The confidentiality of audit work must be respected [7]. The detailed nature of the cooperation may also be specified in the internal audit charter. The chief audit executive [8] should assess on a regular basis the coordination between the internal auditors and the external auditors.
[7] International Standard on Auditing 610 §33
[8] International Professional Practices Framework, Practice Advisory 2050
Conclusions
Internal audit assists the board in the effective operation of the company. External audit expresses an opinion on the financial statements addressed to the board and the markets.
Each type of audit has its well-defined role, scope and responsibilities. Most internal audit engagements review non-financial processes, while external audit is mainly focused on financial processes.
Nevertheless, it is recommended that internal audit and external audit collaborate in order to harmonise the message received by the governing body. The audit committee should define and manage the scope of this cooperation.
The level and intensity of the collaboration may vary based on various factors on both sides, but organisations should ensure a certain degree of cooperation between the two functions.
As a minimum, we would advise organisations to exchange information on the planning of the work to be performed, and in areas of work with potentially high levels of impact. Executive summaries, or an annual report, should be made available by internal audit to external audit. External audit should share their report and management letter with internal auditors.
This relationship between internal audit and external audit will facilitate the work of both sets of auditors, avoid duplication, and ensure the maximum coverage of the risks faced by the entity. It will also help the governing body obtain a comprehensive view of the controls and the risks of the entity.
Appendix
Examples of best practice in effective cooperation:
The nature and extent of cooperation varies from one organisation to another. The level of maturity of the internal audit department is important, as well as its level of professionalism and resources.
For this reason, cooperation can best be illustrated through concrete examples.
1. Assurance mapping
According to IIA Standard Practice Advisory 2110:
“The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach…. Coordinating the activities of and communicating information among the board, external and internal auditors, and management.”
There are different functions in the organisation in charge of controls and risk. Each one looks at a defined part of the organisation with its own methodology. This is why assurance mapping is a useful tool for obtaining a global overview of the various risk evaluations. Its purpose is to visualise which controls have been effective in the reporting period for highlighting key risks. It helps the governing bodies to get a comprehensive view of the way risks are managed.
Fig. 4 illustrates that there might be areas where risk management and compliance give different ratings based on their separate remits and priorities. Internal audit should make its own independent review of these ratings and external auditors should consider on which processes it is necessary to get comfort in order to enable them to express their opinion on the financial statements.
Fig. 4: Assurance mapping
[Figure labels. Columns: 1st line (In charge internal control); 2nd line (Risk Management, Compliance); 3rd line (Internal audit); External audit (relevant to financial reporting process). Rows: Segment A, Segment B, Segment C, each with Process 1, Process 2, … Some cells are marked N/A. Ratings legend: Satisfactory; Improvements needed; Unsatisfactory.]
2. The banking sector
There are many opportunities for cooperation between internal audit and external audit in the audit cycle, as shown below.
Phase: Planning (annual/strategic)
- Internal audit: Risk assessment
- External audit: Risk assessment
- Cooperation: Agreeing on high risks, agreeing on scope of both internal and external audits to save resources.
Phase: Execution
- Internal audit: Identifying and assessing control design and efficiency for all processes (including financial reporting process).
- External audit: Evaluating financial reporting processes, control efficiency and level of reliance on them
- Cooperation: Using the same numbering for financial processes to ease communication during the internal audit of key controls. * Risk management/compliance function can be involved in control identification work.
Phase: Reporting (1. regular, 2. annual)
- Internal audit: 1. Reporting to management. 2a. Reporting to external audit regarding controls audited and effectiveness. 2b. Audit committee/supervisory board on the overall control environment and main risks/actions.
- External audit: 1. Reporting to management, the chief executive officer and internal audit. 2. Reporting to management, the chief executive officer, board, internal audit and shareholders.
- Cooperation: Agreeing on deadlines for reporting is very important for external audit to be able to use information from internal audit in its work. Also, internal audit should receive data from external audit considering risk areas identified in the financial reporting process and in other areas, such as IT.
3. The utilities sector
The internal audit plan is presented to the external auditors in December. It is approved by management and the audit committee before the end of March in the presence of the external auditors. The final plan of the external auditors is then approved by the chief financial officer in April so that he or she can ensure that cooperation between the audit functions has been planned properly by each side.
The external auditors are invited to the audit committee twice a year to discuss internal audit matters: audit planning and the summary of the audit engagements’ findings and recommendations.
Before they issue their half-yearly financial report, the external auditors receive the internal audit reports for the same half-year period being examined.
Before an internal audit of a large entity starts, the internal auditors meet with the external auditors in order to exchange views on relevant information.
Before the review of any financial process, the internal auditors present their terms of reference and their audit program to the external auditors. They discuss the approach taken, and the external auditors communicate any information they may have previously collected on the processes being reviewed. In this way there is no redundancy in the work performed.
An internal audit guide for financial processes has been set up showing common and specific objectives for each process. The guide has been discussed and approved by the external auditors.
The internal auditors are present at the meeting organised by the external auditors to present their management letters and recommendations.
Our mission
To be the consolidated voice for the profession of internal auditing in Europe by dealing with the European Union, its Parliament and Commission and any other appropriate institution of influence and to present and develop the internal audit profession and good corporate governance in Europe.
IIA Austria www.internerevision.at
IIA Azerbaidjan www.audit.gov.az
IIA Belgium www.iiabel.be
IIA Bosnia and Herzegovina www.interni-revizori.info
IIA Bulgaria www.iiabg.org
IIA Croatia www.hiir.hr
IIA Cyprus www.iiacyprus.org.cy
IIA Czech www.interniaudit.cz
IIA Denmark www.iia.dk
IIA Estonia www.theiia.org/chapters
IIA Finland www.theiia.fi
IIA France www.ifaci.com
IIA Germany www.diir.de
IIA Georgia www.theiia.org/chapters
IIA Greece www.theiia.org/chapters
IIA Hungary www.iia.hu
IIA Iceland www.fie.is
IIA Italy www.aiiaweb.it
IIA Latvia www.iai.lv
IIA Lithuania www.theiia.org/chapters
IIA Luxembourg www.theiia.org/chapters
IIA Montenegro www.iircg.co.me
IIA Morocco www.theiia.org/chapters
IIA Netherlands www.iia.nl
IIA Norway www.iia.no
IIA Poland www.iia.org.pl
IIA Portugal www.ipai.pt
IIA Romania www.aair.ro
IIA Serbia www.theiia.org/chapters
IIA Slovakia www.skiia.sk
IIA Slovenia www.si-revizija.si/iia/
IIA Spain www.auditoresinternos.es
IIA Sweden www.internrevisorerna.se
IIA Switzerland www.svir.ch
IIA Tunisia www.iiatunisia.org.tn
IIA Turkey www.tide.org.tr
IIA UK & Ireland www.iia.org.uk