In the third in our series of blogs about independent assurance in risk management Tony and John explain the relationship and inter-dependencies between internal and external assurance. Operational Risk Software can be key to supporting this discipline.
Taken from: Mastering Risk Management
Internal and external audit share a common agenda: providing assurance to the board (and to third party assurers) that the risk and control processes are appropriate and effective. Both should function independently of management and report to the board. But there are differences in the roles they play.
Internal auditors are part of the organisation and, while they maintain their independence, their objectives are determined by the audit committee or, in its absence, the board. External auditors are, by definition, outside the organisation. Their objectives, while framed and signed off by the audit committee in their terms of engagement, are also driven partly by statutory and professional requirements. They are answerable for their professional standards to their professional bodies (as indeed should a good internal auditor also be) and can be answerable also to regulators who may have outsourced investigatory work to them and other third party assurers.
One of the advantages of being inside the organisation is that internal audit can sense changes in culture creeping in, for instance slackness in operating controls or in recording events and losses. As the organisation’s independent eyes and ears, internal audit can also spot breaches of the firm’s ethical standards – or simply ethical creep – which could cause significant reputational damage.
In many firms, assuring culture is part of the remit of internal audit. It should be good practice for the Head of Internal Audit to report annually to the board about the experiences of audits and the values and behaviours which are seen.
Those are advantages which are unlikely to be enjoyed by a firm which has outsourced its internal audit (assuming it works much of the time outside the firm) and are beyond the scope of an external audit. On the other hand, being outside the firm, the external auditor may spot conflicts or problems which are not seen by those involved in day-to-day management, including the internal auditor.
The external auditor also brings an outsider’s view, informed by having seen many businesses in the same or similar industries. They should be a helpful provider of best practice and advise on new developments in risk management, corporate governance, financial accounting and controls. If the external auditor reports only on balance sheet issues and not on how the business is run, the firm is not getting best value.
Internal audit is continuously reviewing risk processes and controls. For its part, the external auditor’s primary responsibility as regards risk management is to assure itself that appropriate governance standards are being maintained to enable it to sign off the financial reports, including statements made by the directors about risk.
And of course, the external auditors make their assessment at a point in time rather than on a continuous basis. That assessment is fundamental to external audit’s primary role, which is to establish whether the financial statements represent a true and fair reflection of the financial position of the organisation at that point in time.
The two auditors come together in two respects: their independence and their need to work closely together. We have commented on the independence of the internal auditor. As regards the external auditor, independence is critical. A board, or audit committee, should understand the auditor’s processes for ensuring its independence and avoiding conflicts of interest. These may include auditor rotation, ensuring that secondees from the auditor to the firm do not make management decisions, and its policy on the overall level of fees for audit and non-audit services and the ratio of these two services. In the end, the board or audit committee has to make a subjective judgement.
In the US, the Sarbanes-Oxley legislation has specifically prohibited an external auditor from undertaking certain work, including: book-keeping and related services, designing financial information systems, actuarial services, internal audit outsourcing services, management functions or human resources, and expert services unrelated to the audit. Other countries are considering their own approaches and whether to impose similar restrictions or requirements; the UK, for example, has decided to split the audit part of the Big 4 accounting firms from the non-audit part. Ultimately, though, the decision on whether the auditor’s position has been compromised is made by the board. Complying with legislation is a minimum, not the standard.
The board should also be able to agree with the following statements:
‘Management respects the auditors as providers of an objective and challenge process.’
You need an external auditor (and an internal one for that matter) who is prepared to go on asking unpleasant questions if necessary and for management to accept and respect that.
‘The relationship with the audit firm is controlled by the audit committee (or the independent non-executive directors) and not by management.’
External auditors must remain independent of management. The board needs assurance that they do not come too close, especially to the CFO who is often their prime point of contact in their day-to-day audit.
Finally, to enhance cooperation between the internal and external audit, personnel should meet periodically to discuss common interests. They are complementary parts of the assurance process, the third line of defence, and support each other. Coordination of activities and mutual provision of reports and working papers will reduce disruption to the firm and will lead to improved efficiency and effectiveness in the overall audit process.
In our next blog Tony and John discuss the relationship between internal audit and risk management oversight.
Mastering Risk Management by Tony Blunden and John Thirlwell is published by FT International. Order your copy here: https://www.pearson.com/en-gb/subject-catalog/p/mastering-risk-management/P200000003761/9781292331317
For more information about how Operational Risk software can help your organisation, contact us today on sales@risklogix-solutions.com