Position paper: Internal audit's relationship with external audit

April 2020

Main message

Internal and external audit should ensure appropriate and regular communication and sharing of information – a constructive relationship on this basis can be of benefit to the organisations they serve. However, it is vital that the two assurance functions maintain clear boundaries, as well as ensure they preserve their independence and objectivity.

Internal and external audit are complementary functions within the assurance framework and both are essential for the effective governance of an organisation. However, internal audit is distinct from external audit and both functions have their own value and expertise. They perform very different roles and should report separately to the board/audit committee. Both need to be independent, objective, properly resourced and work according to their respective international standards.

Despite the need to preserve their independence and objectivity, internal and external audit should maintain a close, constructive relationship. This is to ensure their work is coordinated and there is an efficient use of resources. On the relationship between internal and external audit, our Internal Audit Code of Practice “Guidance on effective internal audit in the private and third sectors” says:

“The chief internal auditor and the partner responsible for external audit should ensure appropriate and regular communication and sharing of information.”

It is important that regulators and policymakers understand and take into account the differences between internal and external audit when developing new policies related to audit and corporate governance. Legislative and regulatory references to “audit” and “the auditor” should be specific as to whether they are referring to internal audit or external audit.


Chartered IIA’s position

Independence and objectivity

We believe keeping clear boundaries between internal and external audit is crucial to preserving internal audit’s independence and objectivity, as well as avoiding conflicts of interest.

The International Internal Audit Standards define independence and objectivity in Standard 1100:

“The internal audit activity must be independent, and internal auditors must be objective in performing their work.”

The guidance states:

“Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship. Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

“Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.”

External audit’s reliance on the work of internal audit

As a general principle, external auditors should be able to use evidence and reports obtained from the internal audit function to assist them in their audit work, inform their understanding of the organisation and its control environment and help identify and assess the risks of material misstatement. However, external auditors should not place absolute reliance upon such evidence. They should ensure they maintain their own independence, objectivity, and professional scepticism in drawing conclusions from it.

Internal audit’s support to external audit

Regulators rightly recognise that the role of internal audit in supporting the work of external audit needs to be strictly controlled in order to ensure quality and objectivity. However, they also need to recognise that internal audit’s work has a much broader remit, covering risk and governance and key internal controls across the organisation, as well as internal financial controls. This wider work may also require internal audit to make judgements about the work of external audit.

For this, and for wider reasons linked to conflicts of interest, we support International Standard on Auditing (UK) 610 (ISA (UK) 610), which governs how external auditors may use the work of internal auditors and offers clear guidance on the rules of engagement between the two functions.

Whilst the international standard does allow internal audit to directly assist the external auditor, the UK standard specifically prohibits this. We believe that it should continue to remain prohibited here in the UK, as it helps to eliminate potential conflicts of interest and maintains the independence and objectivity of both internal and external audit.

Interaction between internal audit and external audit

Although internal and external audit need to maintain clear boundaries and independence from each other, both functions complement one another. Therefore, it is beneficial for external and internal audit to maintain an appropriate, constructive, and fluid two-way dialogue. This relationship will ensure they coordinate efforts and share valuable information, such as the internal audit programme of work, the external audit management plan, the risks each function has identified, or changes in legislation/regulation.

As stated above, the Chartered IIA’s Internal Audit Code of Practice states that:

“The chief internal auditor and the partner responsible for external audit should ensure appropriate and regular communication and sharing of information.”

This position supports the IIA Global International Standards for the Professional Practice of Internal Auditing (International Standards) - Standard 2050:

“The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimize duplication of efforts.”

We note that one unintended consequence of the UK standard, which prohibits internal auditors directly assisting external auditors, is that the interaction between the two functions seems to have diminished over recent years. The chief audit executive and the partner responsible for the external audit should find ways to communicate and facilitate a constructive relationship, whilst maintaining their independence and objectivity.

This is something that Sir Donald Brydon also raised in his final report of the Independent Review into the Quality and Effectiveness of Audit (December 2019). He wrote:

“I heard frequently that ISA (UK) 610, which governs how auditors may make appropriate use of internal audit work without receiving direct assistance, is complex to adhere to. As a result, there is very limited use made of internal audit by external auditors.”

He continued by suggesting that ISA (UK) 610 should be reviewed with a view to encouraging greater, but still appropriate, use of internal audit by the external auditor. The Chartered IIA would support such a review, particularly if it leads to a better and more productive relationship between the two assurance functions.

Quality assurance and improvement programme

The International Internal Audit Standards – 1300 series require internal audit functions to develop and maintain a quality assurance and improvement programme that covers all aspects of internal audit activity. The quality assurance and improvement programme must include both internal and external assessments. External quality assessments must be conducted at least once every five years by a qualified, independent assessor or assessment team from outside the organisation.

We do not believe it is helpful for the external quality assessment to be carried out by the external audit firm that provides the organisation’s external audit, as they cannot be seen to be independent, although they may have professionally qualified internal audit staff within the firm.


Key differences between internal and external audit

Main “customers” of the assurance

External auditors mostly provide assurance to the shareholders and investors (i.e. outside the company’s governance boundary). It is vital to the quality of their work that they focus on this customer group. Having said that, the work of external audit is also of interest to senior management, the board and the audit committee of the organisation they are auditing.

Owners, management, investors, governments, regulators and other stakeholders need to rely on the successful conduct of business activities, sound internal processes and the production of credible information. These operational and reporting processes enable users to make decisions and develop policies. Confidence diminishes when there are uncertainties around the integrity of information or of underlying operational processes.

Internal auditors, in contrast, provide assurance within the governance boundary, to the audit committee, the board in general and to senior management.

Purpose of the assurance

The external auditor opinion, and the work that the external auditor performs in order to provide it, exists to add verification, credibility and reliability to reports from the company to its shareholders. External independent bodies such as the external auditors may not have the existing familiarity with the organisation that an internal audit function has, but they can bring a new and valuable perspective. Additionally, their outsider status is clearly visible to third parties, so that they can not only be independent, but be seen to be independent.

An external audit process ensures that a company's internal controls, processes, guidelines and policies are adequate, effective and in compliance with governmental requirements, industry standards and company policies. This type of audit also ensures that reporting mechanisms prevent errors in financial statements.

Internal auditors provide members of the board and senior management with assurance that they can use to fulfil their own duties to the company and its shareholders. Internal audit provides an objective and independent assurance, providing reasonable (not absolute) assurance of the overall effectiveness of governance, risk management and controls. The level and depth of assurance provided will depend on the size and focus of the internal audit function and management’s appetite for internal audit assurance.

Coverage or nature of the work

An external audit is an examination that is conducted by an independent accountant. This type of audit is most commonly intended to result in a certification of the financial statements of an entity. This certification is required by certain investors and lenders, and for all publicly held businesses.

The objectives of an external audit are to determine:

  • The accuracy and completeness of the client's accounting records;
  • Whether the client's accounting records have been prepared in accordance with the applicable accounting framework; and
  • Whether the client's financial statements present fairly its results and financial position.

There are other types of external audits that may be targeted at specific issues concerning a client's accounting records, such as an examination that searches for the existence of fraud.

Internal audit covers all categories of risks and their management, starting from their identification, taking in various responses to risks, including traditional internal financial and non-financial controls and including the flow of information around the company about risk. Internal auditors also cover governance processes and the internal control environment that seeks to mitigate risk and governance issues.

Timing and frequency of audit work

External audit work is tied into the company’s cycle for external financial reporting and is designed to support the external auditor’s annual opinion on the financial statements.

Internal auditing should be a permanent and ongoing presence in a company. Much of its work will be in the form of engagements scheduled in advance. However, internal audit may also react to changes in circumstances and undertake work linked to new and emerging issues/risks, e.g. the coronavirus pandemic.

Focus of opinion

The external audit focus is predominantly on validating that the financial statements are a true and fair representation of past performance.

For internal audit, the focus ideally is on providing assurance that the governance and risk management processes are effective in managing risks. Internal audit activities are being asked by the board, management, and other stakeholders to provide opinions as part of each individual audit report, as well as on the overall adequacy of governance, risk management, and control within the organisation. These requests may be for an assurance or opinion at a broad level for the organisation as a whole (macro-level opinion) or on individual components of the organisation’s operations (micro-level opinion).

Internal audit in the public sector is required to provide an annual opinion that informs the governance statement. In the financial services sector, internal audit will provide an opinion at least annually. In all other sectors, however, chief audit executives are not required to provide an annual opinion, although many do because it is best practice.

Chief audit executives should consider the speed at which risks emerge and change within their organisation, together with the dynamics of strategy and decision-making, which means the focus is also forward-looking.

Responsibility for improvement

External auditors have no explicit responsibility to improve their clients’ governance or risk management processes. They have a duty to report internal control problems that they come across as part of their work.

In contrast, improvement is fundamental to the role of internal audit. Working within the organisation on a constant basis allows internal auditors to identify current or emerging weaknesses and advise and facilitate managers’ efforts to improve processes. At the same time, internal auditors have a professional duty to avoid usurping the responsibility of managers to manage.

Status and authority

As a regulated profession, external audit’s status and authority is provided by statute and supported by the framework of regulation provided by the IAASB and/or FRC working with the chartered accountancy profession.

Internal audit has a set of global professional standards, the International Professional Practices Framework, which includes a Code of Ethics, Core Principles, Definition and the International Standards for the Professional Practice of Internal Auditing (International Standards). These require the chief audit executive to establish an internal audit charter that sets out the authority of the function and to present this to the audit committee and senior management for approval. Internal auditors rely on the support of the audit committee, particularly non-executive directors, to maintain their status and authority.

In the UK and Ireland, the International Standards have been supplemented by the Chartered IIA’s Internal Audit Code of Practice and the Financial Services Code, as well as separate Public Sector Internal Audit Standards.

The UK Corporate Governance Code 2018 provided by the FRC recognises that the audit committee is responsible for overseeing the effectiveness of internal audit. The FRC’s Guidance for Audit Committees provides additional tasks and recognises the International Standards as a source of more detailed guidance.

Independence

For internal auditors, independence (according to the International Standards) means freedom from influence exerted on the audit activity by the executive, reinforced by a reporting line to the board via an audit committee. Internal auditors must also be independent of any other group, such as other assurance providers or regulators, in order to ensure that the assurance they give is also independent.

However, they may share information and coordinate activities with other internal and external providers of assurance and consulting services. Internal auditors may be employed directly by the organisation or under contract from external providers, i.e. co-sourced. Internal audit may also be outsourced to a third party. The Internal Audit Code of Practice says (recommendation 21) that, “In organisations in which the internal audit function is outsourced this Code still applies, and the chief internal auditor should always be employed directly by the organisation to ensure they have sufficient and timely access to key management information and decisions.”

The audit committee needs to satisfy itself that the internal auditors operate independently whatever the contractual arrangement.

For the external auditor, the profession’s ethical standards and other regulations and rules seek to protect independence and promote auditor scepticism. There is an extensive regulatory regime in place, administered by the accounting bodies and the FRC, that enforces these standards. In addition, the UK Corporate Governance Code 2018 expects the company’s audit committee to review and monitor the independence and objectivity of the external auditor.

Table 1 – The distinct roles of internal and external audit

Recipient of reports

  • External audit: Shareholders, investors, banks or members.
  • Internal audit: The board, the audit committee and senior managers.

Employment/Report

  • External audit: Hired by the organisation and reporting to the shareholders or equivalent.
  • Internal audit: Employed by the organisation and reporting to the board or audit committee.

Scope

  • External audit: Financial reports and related disclosures; financial reporting risks and their management. The external auditor has some responsibility for considering the risk of material misstatement due to fraud.
  • Internal audit: All categories of risks and their management including the flow of information around the company and governance. Internal audit helps a company ensure it has the proper controls, governance and risk management processes in place.

Objective(s)

  • External audit: Add credibility and reliability to reports from the organisation to its shareholders by giving an opinion on them.
  • Internal audit: Provide the assurance that members of the board and senior management use to fulfil their duties. Specifically, the objectives of an internal audit function are to:
      • Establish the areas of risk in the area being audited.
      • Establish the controls in place to address those risks and review their adequacy.
      • Check whether financial regulations are being followed.
      • Carry out detailed testing of the controls being relied on.
      • Make recommendations where weaknesses or inefficiencies are observed.

Timing and frequency

  • External audit: Project(s) tied into financial reporting cycle, focused on objective of audit opinion, usually annually.
  • Internal audit: Ongoing and pervasive.

Focus

  • External audit: Mainly historical.
  • Internal audit: Historic, but ideally future focussed.

Responsibility for improvement

  • External audit: None – duty to report control weaknesses.
  • Internal audit: Fundamental to the purpose of internal auditing.

Status and authority

  • External audit: Statutory and regulatory framework.
  • Internal audit: International professional standards and Corporate Governance Code.

Independence

  • External audit: Professional ethical standards overseen by audit committee and regulatory framework.
  • Internal audit: Professional ethical standards overseen by audit committee.


Appendix

The Chartered IIA advice for audit committees and boards in considering external and internal audit services is as follows:

  1. Understand the different objectives and scopes of external audit and internal audit.
  2. Support the external auditor in providing an effective service to the shareholders and other external parties.
  3. Consider whether the non-audit services the external auditor provides undermine – or may be seen to undermine – the quality of the external audit.
  4. Recognise the importance of the audit committee’s role in providing the environment in which a healthy internal audit activity can flourish – the audit committee is key to self-regulation.
  5. Ensure that the activities of these two important services are coordinated and not duplicated. Audit committee members should ensure that internal and external auditors liaise to provide effective checks and balances on the full range of activities and that issues do not fall below the radar of one or other of the audit functions. Both internal and external auditors should attend audit committee meetings.
  6. Insist on the services of a competent, qualified and experienced chief audit executive (internal or outsourced) to oversee all internal audit activity, including that carried out by any external service provider.
  7. Take care to provide effective support to the chief audit executive: build a relationship that allows the chief audit executive to challenge.
  8. Take steps to ensure the competence of every person undertaking internal audit work.
  9. Ensure that anyone undertaking internal audit work is required – either by employment contract or by contract for services – to respect the international professional practices framework which includes the Code of Ethics and the IIA Standards of the internal audit profession.

Content reviewed: 28 May 2020