Main message
Internal audit (IA) is distinct and different from external audit. While they are complementary functions within the assurance framework which may work closely together and need to be coordinated, organisations will not get the best or most cost effective assurance from IA unless the differences are recognised and IA is treated as a separate profession with its own value and expertise.
Both forms of audit are essential for the effective governance of an organisation. Both need to be independent, objective, properly resourced and work according to their respective international standards. But they perform different functions and need to report separately to the board / audit committee.
Regulators must take these differences into account when creating policy related to governance and internal audit. Legislative and regulatory references to “audit” and “the auditor” should be specific as to whether they are referring to external audit or internal audit.
The role and value of internal audit should be better recognised within the UK Code of Corporate Governance and guidance issued under it by the Financial Reporting Council (FRC), with regard to publicly listed private sector organisations.
Regulators rightly recognise that the role of internal audit in supporting the work of external audit needs to be strictly controlled in order to ensure quality and objectivity. But they also need to recognise that internal audit work has a much broader remit, covering risk and governance as well as internal financial control, and that this wider work can also require internal audit to make judgements about the work of external audit.
Audit committees have a vital role to play in supporting internal audit quality. The FRC’s Code of Corporate Governance and the supporting Guidance for Audit Committees and on Risk Management, Internal Control and Related Financial and Business Reporting should require audit committees to satisfy themselves on the competence, confidentiality, independence, objectivity and resources of internal audit and of the effectiveness of the relationship between internal audit and the audit committee.
The International Standards for internal audit [1] require internal audit functions to develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity. The quality assurance and improvement program must include both internal and external assessments. External assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation. We do not believe it is helpful for the external assessment to be carried out by the external audit firm which provides the organisation’s external audit as they cannot be seen to be independent, although they may have professionally qualified internal audit staff within the accountancy firm.
Although they have distinct roles, external audit may use internal audit work to avoid duplication, inform its understanding of the organisation and its control environment, and help it identify and assess the risks of material misstatement. Working with internal audit also creates an environment in which the external auditor can be informed of significant matters that may affect its work.
But where this occurs it is vital that internal audit does not simply become a tick in the external audit box, or that internal audit is distracted from its core roles. External audit must also assure itself on the objectivity and quality of the internal audit function.
Some organisations have encouraged their external auditors to place reliance on internal audit simply to reduce the cost of external audit and allowed the external auditors either to direct the internal auditors’ plan of work or to borrow internal audit staff resources. We believe this practice is detrimental to the work of both auditors and reduces the assurance that the audit committee obtains from either source. It is also a false economy. Internal auditors are likely to be fully qualified whereas the staff they would replace on the external audit can often be student accountants.
The potential breadth and scope of the internal audit function should mean that it has a significant role to play in supporting improvements in corporate governance and overseeing the management of risk. Audit Committees need to recognise that the value of internal audit goes beyond financial control.
Similarly regulators should give greater recognition to the assurance that they can take from the work of a professional internal audit function.
External auditors provide assurance to the shareholders or members of the company, i.e. outside the company’s governance boundary. It is vital to the quality of their work that they focus on this customer group.
Internal auditors, in contrast, provide assurance within the governance boundary, to the audit committee, the board in general and to senior management.
The external audit opinion, and the work that the external auditor performs in order to provide it, exist to add verification, credibility and reliability to reports from the company to its shareholders.
Internal auditors provide members of the board and senior management with assurance that they can use to fulfil their own duties to the company and its shareholders.
External audit provides an opinion on financial statements and the related disclosures, on other forms of reporting from the company to shareholders as well as on financial reporting risks and their management.
Internal audit covers all categories of risks and their management, starting from their identification, taking in various responses to risks, including traditional internal financial and non-financial controls, and including the flow of information around the company about risk. Internal auditors also cover governance processes.
External audit work is tied into the company’s cycle for external financial reporting and is designed to support the external auditor’s annual opinion on the financial statements.
Internal auditing should be a permanent and ongoing presence in a company. Much of its work will be in the form of engagements scheduled in advance. However, internal audit may also react to changes in circumstances and undertake work linked to emerging issues.
The external audit focus is predominantly on validating that the financial statements are a true and fair representation of past performance.
For internal audit, the focus ideally is on providing assurance that the governance and risk management processes are effective in managing risks. Therefore, the focus is also forward-looking.
External auditors have no explicit responsibility to improve their clients’ governance or risk management processes. They have a duty to report internal control problems that they come across as part of their work.
In contrast, improvement is fundamental to the role of internal audit. Working within the organisation on a constant basis allows internal auditors to identify current or emerging weaknesses, and advise, coach and facilitate managers’ efforts to improve processes. At the same time, internal auditors have a professional duty to avoid usurping the responsibility of those managers to manage.
As a regulated profession, external audit’s status and authority is provided by statute and supported by the framework of regulation provided by the IAASB and/or FRC working with the chartered accountancy profession.
Internal audit has a set of global professional standards, the International Professional Practices Framework, including a Code of Ethics and the International Standards for the Professional Practice of Internal Auditing (International Standards). These require the head of internal audit to establish an internal audit charter that sets out the authority of the function and to present this to the audit committee and senior management. Internal auditors rely on the support of the audit committee, and in particular non-executive directors, to maintain their status and authority.
The UK Code of Corporate Governance provided by the FRC recognises that the audit committee is responsible for overseeing the effectiveness of internal audit. The Guidance for Audit Committees, also provided by the FRC, provides additional tasks and recognises the International Standards as a source of more detailed guidance.
External audit is sometimes seen as more independent than internal audit because it is not conducted by employees of the organisation. On the other hand it can be argued that no-one who is appointed by, engages with and is remunerated by an organisation is entirely independent of it, in particular where the relationship is medium-to-long term.
For internal auditors, independence (according to the International Standards) means freedom from influence exerted by the audited activity i.e. the Executive, reinforced by a reporting line to the Board via an audit committee. Internal auditors must also be independent of any other group, such as other assurance providers or regulators, in order to ensure that the assurance they give is also independent although they may share information and coordinate activities with other internal and external providers of assurance and consulting services. Internal auditors may be employed directly by the organisation or under contract from external providers. The Audit Committee needs to satisfy itself that the internal auditors operate independently whatever the contractual arrangement.
For the external auditor, the profession’s ethical standards and other regulations and rules seek to protect independence and promote auditor scepticism. There is an extensive regulatory regime in place, administered by the accounting bodies and the FRC, that enforces these standards. In addition, the UK Code of Corporate Governance expects the company’s audit committee to review and monitor the independence and objectivity of the external auditor.
| Item | External audit | Internal audit |
| --- | --- | --- |
| Recipient of reports | Shareholders or Members | Board members and senior managers |
| Objective(s) | Add credibility and reliability to reports from the organisation to its shareholders by giving an opinion on them | Provide the assurance that members of the board and senior management use to fulfil their duties |
| Coverage | Financial reports and related disclosures, financial reporting risks and their management | All categories of risks, their management including the flow of information around the company, and governance |
| Timing and frequency | Project(s) tied into financial reporting cycle, focused on objective of audit opinion | Ongoing and pervasive |
| Focus | Mainly historical | Ideally forward-looking |
| Responsibility for improvement | None – duty to report control weaknesses | Fundamental to the purpose of internal auditing |
| Status and authority | Statutory and regulatory framework | International professional standards and Code of Corporate Governance |
| Independence | Professional ethical standards overseen by audit committee and regulatory framework | Professional ethical standards overseen by audit committee |
See also the ECIIA publication Improving cooperation between internal and external audit