Improving cooperation between internal and external audit
POSITION PAPER
Enhancing governance through internal audit
Improving cooperation between internal and external audit
Contents
Introduction
Internal audit’s role and responsibility
- Definition according to the Institute of Internal Auditors
External audit’s role and responsibility
- Definition according to International Auditing and Assurance Standards Board
The interaction between internal and external audit
- The distinct roles of internal and external audit
- Interaction and cooperation
Conclusions
Appendix
- Examples of best practice in effective cooperation
- Assurance mapping
- The banking sector
- The utilities sector
ECIIA is the European Confederation of Institutes of Internal Auditing.
It is organised under Belgian law and its members are the national IIA institutes.
ECIIA has 34 members and represents 40.000 internal auditors.
Its mission is to be the consolidated voice for the profession of internal auditing in Europe by dealing with the European Union, its Parliament and Commission and any other appropriate institution of influence and to present and develop the internal audit profession and good corporate governance in Europe.
Contact:
European Confederation of Institutes of Internal Auditing (ECIIA)
Koningsstraat 109-111 Bus 5, BE–1000 Brussels, Belgium
Phone: +3222173320 Fax: +3222173320 Email: [email protected]
www.eciia.eu
Thank you to the working group for this paper, comprising:
• Volke Hampel, Chief Executive Officer, IIA Germany
• David Lyscom, Policy Director, IIA UK and Ireland
• Sandijs Mikelsons, Assistant Manager PricewaterhouseCoopers, Chairman of the Board IIA Latvia
• Bente Sverdrup, Chief Audit Executive Gjensidige Forsikring ASA
• Michel Uhart, EDF Deputy Senior Vice President Corporate Audit
• Pascale Vandenbussche, ECIIA Secretary General
Thank you to all ECIIA members and ECIIA Board members for their review and contribution
Introduction
In the resolution of the European Parliament on the lessons learned from the financial crisis and the impact on auditing[1], the Parliament recommends distinguishing clearly between internal and external audit. Currently, the European Commission is working on its audit reform project, which will clarify the responsibilities of external audit and the governance of the audit firms themselves.
In the current environment, governing bodies, such as the board and the audit committee, and senior management are responsible for monitoring the effectiveness of the company’s internal control and risk management systems. In performing this function, they seek assurance from various sources both from within and outside their organisations. Governing bodies should play a key role in coordinating the different players and delineating the responsibilities for risk management and control to ensure that significant risks are addressed and suitable controls exist to mitigate and reduce these risks.
The Institute of Internal Auditors (IIA)[2] promotes the “Three Lines of Defence” model as an important tool for integrating, coordinating and aligning all assurance activities in order to optimise the level of governance, risk and control oversight.
In this model, the first line has ownership, responsibility and accountability; the second line is in charge of methodology and monitoring; and the third line provides assurance on the effectiveness of governance, risk management and internal controls. Reporting lines, as illustrated in Fig. 1, show internal audit’s functional reporting line as being direct to the audit committee, which offers independence from the executive body and provides the necessary degree of objectivity to the role. Internal audit provides comprehensive assurance to the governing body and to senior management.
External audit can be considered as an additional line of defence, outside the organisation, with a limited mandate and specific scope to express an opinion on the financial statements.
This publication seeks to clarify the areas of difference between internal audit and external audit as well as to explain the working relationship between the two forms of audit. It will illustrate this with some examples of best practice.
Fig. 1: The three lines of defence model[3]
[Figure labels: Governing body / audit committee; Senior management. 1st line of defence: management controls, internal control measures. 2nd line of defence: financial controller, security, risk management, quality, inspection, compliance. 3rd line of defence: internal audit. Shown alongside: external audit, regulator.]
[1] Resolutions of the European Parliament, Official Journal – March 2013
[2] IIA Global, Global Advocacy Platform, www.theiia.org
[3] The model is recommended best practices, widely applicable to the financial sector and in some countries
Internal audit’s role and responsibility
Definition according to the Institute of Internal Auditors:
“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organisation’s operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”[3]
Internal audit is an important part of a company’s governance and assists boards and executive management in the effective operation of the organisation.
Internal audit acts as a catalyst for improving an organisation’s effectiveness and efficiency by making recommendations based on objective analyses and assessments of data and processes.
To support the accomplishment of these responsibilities, the IIA International Professional Practices Framework (IPPF) provides a global framework for the profession. It includes the Standards, the Code of Ethics and the Practice Advisories. Moreover, IIA has developed international qualifications, such as Certified Internal Auditor (CIA) and other specific certifications (CRMA, CCSA) to support the acquisition of the knowledge and skills required of an internal auditor. Some country institutes offer their own recognised equivalents.
[3] Definition from the IIA International Professional Practices Framework (IPPF)
External audit’s role and responsibility
Definition according to International Auditing and Assurance Standards Board:
“The external auditor shall express an opinion whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. The external auditor’s responsibilities are:
(i) To identify and assess the risks of material misstatement of the financial statements, whether due to fraud or error, design and perform audit procedures responsive to those risks, and obtain audit evidence that is sufficient and appropriate to provide a basis for the auditor’s opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control.
(ii) To obtain an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. In circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of internal control in conjunction with the audit of the financial statements, the auditor shall omit the phrase that the auditor’s consideration of internal control is not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control”[4]
In addition to this role, external audit may carry out other assignments on a contractual basis that do not conflict with their primary role. External auditors have sole responsibility for the opinions they express on the financial statements.
International norms exist for the profession and are codified in the International Standard on Auditing (ISA) issued by the International Auditing and Assurance Standards Board. In each European country, specific laws apply for statutory audit in terms of nomination, standards and reports.
[4] Definition from the International Standard on Auditing (ISA)
The interaction between internal and external audit
Internal audit functions are established as part of an entity’s internal control, risk and governance structures. The international norms for internal audit define the way internal audit may rely on other assurance providers (Standard 2050). In some industries, such as the financial sector, it is required by law to establish an internal audit function. The objectives and scope of an internal audit function vary widely and depend on the size and structure of the entity and the requirements of management. ISA 610[5] sets out how the knowledge and experience of the internal audit function can inform the external auditor’s understanding of the entity and its environment. The standards for both internal and external audit require effective information sharing and coordination.
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal audit function.
Fig. 2: The distinct roles of internal and external audit[6]

Employment/report
- Internal audit: Employed by the organisation and reporting to the board or audit committee
- External audit: Hired external contractor reporting to the shareholders or equivalent

Scope
- Internal audit: Assessment of all categories of risks and their management: financial, operational, compliance and governance
- External audit: Express an opinion on the statutory financial statements and related disclosures, therefore examining internal controls relevant for the opinion

Objective
- Internal audit: Provide assurance that senior management fulfill their duties related to governance, risk management and internal controls
- External audit: Provide assurance to the stakeholders or equivalent regarding statutory financial statements and other reports as required by local law

Focus
- Internal audit: Understanding the business, providing assurance on the efficiency and effectiveness of risk management and internal controls systems
- External audit: Understanding the business sufficiently to express an opinion on the financial statements

Independence
- Internal audit: Professional ethical standards overseen by the audit committee through a quality assurance and improvement programme. Main focus: objectivity
- External audit: Professional ethical standards reviewed and monitored by the audit committee and the regulatory framework. Main focus: independent view on the financial statements

Recipient of reports
- Internal audit: The board, the audit committee, senior management and auditees
- External audit: Auditors’ opinion to the shareholder(s) or equivalent. Management letters to governing body and senior management

Timing and frequency
- Internal audit: According to an audit plan approved by the board or audit committee, and senior management
- External audit: Statutory financial reporting, in some entities reporting to stock exchange

Professional framework
- Internal audit: International Professional Standards and Code of Ethics
- External audit: Statutory and regulatory framework

Improvements
- Internal audit: Systematic recommendations and follow up of corrective actions
- External audit: Management letter on the processes reviewed and improvements needed mostly focused on financial reporting processes

Skills
- Internal audit: Diverse skills sets required: being able to understand corporate governance, business risks, operational, strategic and compliance risks
- External audit: Understanding the business to be able to challenge the use of the accounting standards

[5] The international norms for the external auditors (ISA 610) define the way external audit may use the work of internal audit to modify the nature or timing or reduce the extent of the audit procedures to be performed directly by them
[6] Best practice
Interaction and cooperation
Interaction and cooperation between the internal auditors and external auditors should help the governing body obtain a more comprehensive view of operations and risks whilst eliminating areas of possible duplication of audit effort. Good communication between internal and external audit should also be of benefit to senior managers as both audit engagements and subsequent recommendations to the improvement of risk management and internal control will be better coordinated.
If the external auditor should decide to use the internal auditor’s work in arriving at their opinion, the process will be regulated by ISA 610.
Given the specific scope and objectives of their mission, the risk information gathered by external auditors is typically limited to financial reporting risks, and does not include the way senior management and the board/audit committee are managing/monitoring the organisation’s strategic, business and compliance risks. However, the internal audit function can provide assurance on these areas to senior management as well as the governing body.
This distinction between external and internal audit assurance can be graphically illustrated (see Fig. 3).
Whilst the objectives of external and internal audit activities are different, there may be some potential areas of overlap, particularly in the area of financial reporting. In particular, external audit may provide “management letter comments” in relation to internal control weaknesses noted in the course of their audit engagement.
Internal audit should consider these points in its audit planning process and may initiate separate follow-up activities to ascertain the effectiveness of management’s corrective actions. Similarly, external audit should consider internal audit findings as an input into their own work.
Before the cooperation takes place, each auditor will assess the work that can be reused from the other auditors.
A minimum level of interaction will be:
• That audit planning by both audit types should be coordinated in order to avoid duplication and overlap
• The internal auditors should make available the executive summary of their report to the external auditor and the external auditor should send a copy of their report and management letter to the chief audit executive
• The internal and external auditors should meet at least once a year to discuss common issues and concerns and ensure coordination
• The chief audit executive should attend the audit committee (or board) meeting for agenda items relating to the external auditors status report.

Fig. 3: COSO’s enterprise risk management (ERM) framework
[Figure: cube diagram with the labels Strategic, Operations, Reporting, Compliance; Internal Environment, Objective Setting, Risk Identification, Assessment and Response, Control Activities, Information & Communication, Monitoring; Entity-Level, Division, Business Unit, Subsidiary; and the marked areas Internal audit assurance and External audit.]
A higher and more frequent level of cooperation may include:
• The exchange of information and discussion during the risk assessment exercise concerning financial and other types of risks
• The evaluation of internal controls evidenced in the detailed internal audit reports could be made available to the external auditors
• An exchange of views on methodology and framework in order to establish a mutual understanding of audit approach
• Regular information to the external auditor on updates to the internal audit plan
• Upon request, and where allowed by law, enable access to specific working papers
• Internal audit interim reports including current status and progress on implementation of recommendations could be made available to external audit
• Regular meetings between the internal auditors and external auditors to discuss any relevant issues
• Depending on the level of risks, the inclusion of the external auditors’ recommendations in the internal audit status report
• The regular participation of the chief audit executive in any meetings the audit committee (or board) holds with the external auditor.
It is recommended that the degree of cooperation should be discussed and defined at audit committee (or board) level. The confidentiality of audit work must be respected[7]. The detailed nature of the cooperation may also be specified in the internal audit charter. The chief audit executive[8] should assess on a regular basis the coordination between the internal auditors and the external auditors.
[7] International Standard on Auditing 610 §33
[8] International Professional Practices Framework, Practice Advisory 2050
Conclusions
Internal audit assists the board in the effective operation of the company. External audit expresses an opinion on the financial statements addressed to the board and the markets.
Each type of audit has its well-defined role, scope and responsibilities. Most internal audit engagements review non-financial processes, while external audit is mainly focused on financial processes.
Nevertheless, it is recommended that internal audit and external audit collaborate in order to harmonise the message received by the governing body. The audit committee should define and manage the scope of this cooperation.
The level and intensity of the collaboration may vary based on various factors on both sides, but organisations should ensure a certain degree of cooperation between the two functions.
As a minimum, we would advise organisations to exchange information on the planning of the work to be performed, and in areas of work with potentially high levels of impact. Executive summaries, or an annual report, should be made available by internal audit to external audit. External audit should share their report and management letter with internal auditors.
This relationship between internal audit and external audit will facilitate the work of both sets of auditors, avoid duplication, and ensure the maximum coverage of the risks faced by the entity. It will also help the governing body obtain a comprehensive view of the controls and the risks of the entity.
Appendix
Examples of best practice in effective cooperation:
The nature and extent of cooperation varies from one organisation to another. The level of maturity of the internal audit department is important, as well as its level of professionalism and resources.
For this reason, cooperation can best be illustrated through concrete examples.
1. Assurance mapping
According to IIA Standard Practice Advisory 2110: “The internal audit activity must evaluate and contribute to the improvement of governance, risk management, and control processes using a systematic and disciplined approach…. Coordinating the activities of and communicating information among the board, external and internal auditors, and management.”
There are different functions in the organisation in charge of controls and risk. Each one looks at a defined part of the organisation with its own methodology. This is why assurance mapping is a useful tool for obtaining a global overview of the various risk evaluations. Its purpose is to visualise which controls have been effective in the reporting period for highlighting key risks. It helps the governing bodies to get a comprehensive view of the way risks are managed.
Fig. 4 illustrates that there might be areas where risk management and compliance give different ratings based on their separate remits and priorities. Internal audit should make its own independent review of these ratings and external auditors should consider on which processes it is necessary to get comfort in order to enable them to express their opinion on the financial statements.
Fig. 4: Assurance mapping
[Table. Columns: 1st line (in charge internal control); 2nd line (risk management; compliance); 3rd line (internal audit); external audit (relevant to financial reporting process). Rows: Process 1, Process 2, … under each of Segment A, Segment B and Segment C. Cells are rated Satisfactory, Improvements needed or Unsatisfactory, or marked N/A.]
2. The banking sector
There are many opportunities for cooperation between internal audit and external audit in the audit cycle, as shown below.

Phase: Planning (annual/strategic)
- Internal audit: Risk assessment
- External audit: Risk assessment
- Cooperation: Agreeing on high risks, agreeing on scope of both internal and external audits to save resources.

Phase: Execution
- Internal audit: Identifying and assessing control design and efficiency for all processes (including financial reporting process).
- External audit: Evaluating financial reporting processes, control efficiency and level of reliance on them
- Cooperation: Using the same numbering for financial processes to ease communication during the internal audit of key controls. *Risk management/compliance function can be involved in control identification work.

Phase: Reporting (1. regular, 2. annual)
- Internal audit: 1. Reporting to management. 2a. Reporting to external audit regarding controls audited and effectiveness. 2b. Audit committee/supervisory board on the overall control environment and main risks/actions.
- External audit: 1. Reporting to management, the chief executive officer and internal audit. 2. Reporting to management, the chief executive officer, board, internal audit and shareholders.
- Cooperation: Agreeing on deadlines for reporting is very important for external audit to be able to use information from internal audit in its work. Also, internal audit should receive data from external audit considering risk areas identified in the financial reporting process and in other areas, such as IT.
3. The utilities sector
The internal audit plan is presented to the external auditors in December. It is approved by management and the audit committee before the end of March in the presence of the external auditors. The final plan of the external auditors is then approved by the chief financial officer in April so that he or she can ensure that cooperation between the audit functions has been planned properly by each side.
The external auditors are invited to the audit committee twice a year to discuss internal audit matters: audit planning and the summary of the audit engagements’ findings and recommendations.
Before they issue their half-yearly financial report, the external auditors receive the internal audit reports for the same half-year period being examined.
Before an internal audit of a large entity starts, the internal auditors meet with the external auditors in order to exchange views on relevant information.
Before the review of any financial process, the internal auditors present their terms of reference and their audit program to the external auditors. They discuss the approach taken, and the external auditors communicate any information they may have previously collected on the processes being reviewed. In this way there is no redundancy in the work performed.
An internal audit guide for financial processes has been set up showing common and specific objectives for each process. The guide has been discussed and approved by the external auditors.
The internal auditors are present at the meeting organised by the external auditors to present their management letters and recommendations.
IIA Austria www.internerevision.at
IIA Azerbaidjan www.audit.gov.az
IIA Belgium www.iiabel.be
IIA Bosnia and Herzegovina www.interni-revizori.info
IIA Bulgaria www.iiabg.org
IIA Croatia www.hiir.hr
IIA Cyprus www.iiacyprus.org.cy
IIA Czech www.interniaudit.cz
IIA Denmark www.iia.dk
IIA Estonia www.theiia.org/chapters
IIA Finland www.theiia.fi
IIA France www.ifaci.com
IIA Germany www.diir.de
IIA Georgia www.theiia.org/chapters
IIA Greece www.theiia.org/chapters
IIA Hungary www.iia.hu
IIA Iceland www.fie.is
IIA Italy www.aiiaweb.it
IIA Latvia www.iai.lv
IIA Lithuania www.theiia.org/chapters
IIA Luxembourg www.theiia.org/chapters
IIA Montenegro www.iircg.co.me
IIA Morocco www.theiia.org/chapters
IIA Netherlands www.iia.nl
IIA Norway www.iia.no
IIA Poland www.iia.org.pl
IIA Portugal www.ipai.pt
IIA Romania www.aair.ro
IIA Serbia www.theiia.org/chapters
IIA Slovakia www.skiia.sk
IIA Slovenia www.si-revizija.si/iia/
IIA Spain www.auditoresinternos.es
IIA Sweden www.internrevisorerna.se
IIA Switzerland www.svir.ch
IIA Tunisia www.iiatunisia.org.tn
IIA Turkey www.tide.org.tr
IIA UK & Ireland www.iia.org.uk