The working relationship between external audit and internal audit
Five points on the relationship between external and internal audit
External audit and internal audit are clearly separate and distinct in their respective functions and duties but there should be regular communication between the two. In this the second of two articles, I look at the working relationship between the internal auditor and the external auditor.
1. Statutory right of access by an auditor
An auditor of a company (this refers to the external auditor) has a right of access to information (Companies Act 2006, section 499) and this would include finalised internal audit reports, the supporting working papers and the right to obtain information and explanations from any employee and officer, including internal auditors, of the company.
The internal audit function should also have an unrestricted right of access to all information, explanations and records required to carry out their work. This right should be clearly stated in the organisation’s internal audit charter approved by the audit committee.
2. Under International Standards on Auditing (ISAs) (UK)
The relationship is described in several of the ISAs (UK) - namely ISAs 240, 315, 600, and above all, ISA(UK) 610.
- ISA(UK) 240: The auditor’s responsibilities relating to fraud in an audit of financial statements, states in paragraph 19 that “For those entities that have an internal audit function, the auditor shall make inquiries of appropriate individuals within the function to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud.”
Internal audit may also be able to provide insight in relation to weaknesses in counter-fraud controls and/or fraud risk indicators within the organisation.
- ISA (UK) 315: Identifying and assessing the risks of material misstatement through understanding of the entity and its environment, states in paragraph 23: “If the entity has an internal audit function, the auditor shall obtain an understanding of the nature of the internal audit function’s responsibilities, its organisational status, and the activities performed, or to be performed.”
The external auditor will want to know as a minimum the following regarding the internal audit function:
- Is there an internal audit charter?
- What is the size of the internal audit section?
- Qualifications and continuous professional development of the internal audit staff.
- Reporting structure to management.
- Details about the audit committee, if one exists.
- Annual audit plan and performance against that plan.
The external auditor will also want to read copies of the reports issued during that financial year and meet with the Chief Internal Auditor, or equivalent.
- ISA(UK) 610: Using the work of internal auditors, contains an important proviso at the beginning of the standard that “Nothing in this ISA(UK) requires the external auditor to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the external auditor; it remains a decision of the external auditor in establishing the overall audit strategy.”
Paragraphs 21 to 25 of ISA (UK) 610 state that “If the external auditor plans to use the work of the internal audit function, the external auditor shall discuss the planned use of its work with the function as a basis for coordinating their respective activities.”
ISA(UK) 610 places restrictions on how far the external auditors can place reliance on work carried out by internal audit. The use of direct assistance is prohibited per Para 5-1 of ISA(UK) 610 which states that “The use of internal auditors to provide direct assistance is prohibited in an audit conducted in accordance with ISAs(UK)”.
Direct assistance is defined in the International Auditing and Assurance Standards Board as: “the use of internal auditors to perform audit procedures under the direction, supervision and review of the external auditors”. Paragraph 30 of ISA (UK) 610 states that “the external auditor shall not use internal auditors to provide direct assistance to perform procedures that:
- Involve making significant judgements in the audit
- Relate to higher assessed risks of material misstatement where the judgement required in performing the relevant audit procedures or evaluating the audit evidence gathered is more than limited.
- Relate to work with which the internal auditors have been involved and which has already been or will be reported to management or those charged with governance by the internal audit function.
- Relate to decisions the external auditor makes in accordance with the ISA(UK) regarding the internal audit function and the use of its work or direct assistance.
For example, if stock/inventory is a material item, and is considered by the external auditor to be an area of higher risk, it would be acceptable for the external auditor to request that internal audit review the processes and controls relating to stock management, but it would not be appropriate for them to request that internal audit assess the adequacy of stock provisions as this would involve more than limited judgement.
3. Advantages of coordination and collaboration between external and internal audit
- Close communication and planning ensures that audit resources can be directed towards the area of most need i.e. high-risk areas of the organisation. This means that internal audit can plan their work to minimise duplication with external audit testing and to provide assurance over those systems and controls on which external audit may wish to place reliance, subject to appropriate review procedures being applied.
- The audit teams can plan the timing of their work to minimise disruption and interference with key members of staff.
- The audit team can share intelligence on key events, changes and plans that may impact on the risk profile of the organisation and therefore, on their work.
4. Challenges that may arise within a collaboration between external and internal audit
- The Head of Internal Audit must balance requests from external audit against the need to provide appropriate coverage over the organisation’s key risk areas, to enable them to provide an annual opinion. This may result in high demand for limited resources and the Head of Internal Audit will need to ensure appropriate compromises are reached.
- A close relationship with external audit may cause a shift in the perception of internal audit from being a critical friend to a policing function. It is crucial for internal audit to retain the trust of the management team and staff so that they can perform their work effectively.
5. Examples of good practice of effective communication between external and internal audit
To have a smooth working relationship between the two sets of auditors, it is crucial that there is effective and regular communication between the Chief Internal Auditor (or senior team member) and the External Auditor (e.g. the audit engagement partner or one of the senior team members). This will be helped by:
- Discussions at appropriate intervals during the year on any major matters which may affect the work of either party.
- Full and prompt access to reports issued by the internal audit function during the year.
- Full and prompt access to the internal audit plan of work, audit files and testing.
- The audit committee facilitating communication between internal audit and external audit.
Explore seven differences between external audit and internal audit