Auditors: Market concentration and their role - Economic Affairs Committee

Memorandum by the Institute of Internal Auditors (ADT 40)


  1. The role and value of internal audit should be better recognised within the UK Code of Corporate Governance, and guidance issued under it by the Financial Reporting Council (FRC), with regard to publicly listed private sector organisations. This would bring the private sector into line with best practice in the public sector.

  2. At the same time, we would like to see a clearer understanding of the differences between external audit and internal audit and an appreciation of the different contributions they can make.

  3. Audit committees have a vital role to play in supporting internal audit quality. The FRC's Code of Corporate Governance and the supporting Guidance for Audit Committees should require audit committees to satisfy themselves in relation to the competency, confidentiality, independence, objectivity, security of resources of internal audit and of the effectiveness of the relationship between internal audit and the audit committee.

  4. Regulators in general should give greater recognition to the assurance that they can take from the work of a professional internal audit function.

  5. The breadth and scope of internal audit's role means that it has a significant role to play in supporting the organisation to improve corporate governance.

  6. Accounting firms should not provide internal audit services to their external audit clients.


  7. Established in the UK and Ireland since 1948, the Institute of Internal Auditors—UK and Ireland has over 8,000 members and, from 1 October 2010, becomes the Chartered Institute of Internal Auditors (IIA). It is the only professional body dedicated exclusively to training, supporting and representing internal auditors in the UK and Ireland. We are part of a global network of 170,000 members in 160 countries.

  8. Members of the IIA work in all sectors of the economy: private business (including most FTSE 100 organisations), government departments, utilities, voluntary sector organisations, local authorities, and public service organisations such as the National Health Service. All members globally work to the same International Standards and Code of Ethics, which are part of a globally agreed International Professional Practices Framework and have been recognised in the Financial Reporting Council's Guidance for Audit Committees and adopted in UK central government's Government Internal Audit Standards and in the internal audit standards for the NHS.

  9. The IIA offers a postgraduate level professional qualification in two stages, leading initially to the PIIA (practitioner) designation and subsequently to the designation "CMIIA" (Chartered Internal Auditor), with an ongoing requirement for professional development and adherence to professional standards. The qualification assesses a combination of knowledge, understanding and professional competence.


  10. All organisations face risks in everything they do. It is the role of senior management and the board to put in place frameworks and processes to manage all types of risks and to monitor how successful they are at managing them. Internal audit provides assurance to the board on the effectiveness of these frameworks and processes.

  11. To perform their role effectively, internal auditors must build strong relationships with line managers, audit committee chairs, chief executives and chairmen. These relationships enable the internal auditor to champion effective risk management, challenge those responsible for it on its success and use their knowledge of the business and the management of risk to act as a catalyst for improvement in an organisation's risk management practices.

  12. Internal audit is a function that belongs to the organisation and sits within the governance structure; but it must be independent of the areas it evaluates and internal auditors must be free from undue influence from management, or indeed, anyone else, so that their judgments can be as objective as possible. To help safeguard their objectivity and independence, the head of internal audit should report directly to the audit committee.

  13. Internal audit is essential to the long term success of an organisation. This is because, alongside non executive directors, executive management and external audit, internal audit is one of the four cornerstones of good corporate governance. Without it, the board would lack information and insight into how well the people within the organisation are managing their risks.

Three lines of defence

  14. The three lines of defence model has been increasingly applied to corporate governance, and particularly risk management, over recent years. The IIA finds it useful to help demonstrate the different roles in governance and the interplay between them.

  15. The IIA believes that risk management is an essential part of management. The first line of defence is formed by line managers who own the risks that they take every day.

  16. In larger organisations, there are specialist "risk management functions" which support the line managers with this work. They form the second line of defence. They facilitate risk management activities, advise line managers and help ensure consistency of definitions and measurement of risk.

  17. Internal audit provides the third line of defence. It is part of the governance process but sits outside of the risk management process. Internal audit regularly evaluates the effectiveness of each element of the risk management process and of the process overall, ie the performance of the first and second lines of defence. Internal audit may (and indeed should) use the outputs of risk management activity in forming its conclusions.


  18. The IIA recognises that the historical connections between providers of external and internal audit services mean that many stakeholders may not be as familiar with the differences between external and internal audit as we are. The table below provides an outline of these differences. More detailed explanations of these differences are given in Appendix 1.


| Item | External audit | Internal audit |
|---|---|---|
| Recipient of reports | Shareholders or Members | Board members and senior managers |
| Objective(s) | Add credibility and reliability to reports from the organisation to its shareholders by giving an opinion on them | Provide the assurance that members of the board and senior management use to fulfil their duties |
| Coverage | Financial reports and related disclosures, financial reporting risks and their management[1] | All categories of risks, their management[2] including the flow of information around the company, and governance |
| Timing and frequency | Project(s) tied into financial reporting cycle, focused on objective of audit opinion | Ongoing and pervasive |
| Focus | Mainly historical | Ideally forward-looking |
| Responsibility for improvement | None—duty to report problems | Fundamental to the purpose of internal auditing |
| Status and authority | Statutory and regulatory framework | International professional standards and Code of Corporate Governance |
| Independence | Professional ethical standards overseen by audit committee and regulatory framework | Professional ethical standards overseen by audit committee |


Question 12. Should the role of internal auditors be enhanced and how should they interact with external auditors?

Role of internal auditors

  19. We have outlined above the role of the internal auditing profession. The IIA does not believe that role needs enhancing. However, we do believe that the corporate governance code for listed companies needs to recognise the modern role of internal auditing.

  20. Currently, the Code of Corporate Governance of the Financial Reporting Council recognises the need for internal audit but treats it very differently from every other element that contributes to good governance, in that it requires companies only to consider the need for internal audit. We believe that the Code should be amended to include a clear provision that the company should have a professional internal audit function. This is particularly important for internal audit since it is not a statutory requirement. As with all other provisions, the company will be able to explain why it does not comply if it does not believe it needs internal audit (ie comply or explain).

  21. Since modern internal auditing's scope is very broad and is intimately related to the information that the board needs, we propose that this provision be included within the Section B.5. of the Code, relating to the Information needs of the board.

  22. In contrast, the requirements in the public sector are much clearer. The Code of Good Practice for Corporate Governance in central government departments and similar guidance for local authorities are clear that "the board should ensure that effective arrangements are in place to provide assurance on risk management, governance and internal control. In this respect, the board should be independently advised by: ... an internal audit service operating in accordance with Government Internal Audit Standards".[3]

Interaction with external auditors

  23. The IIA's International Standards impose on the head of internal audit a professional obligation to coordinate the internal audit activity with other assurance providers. We recognise that the work of the different assurance providers, including external audit and internal audit, may sometimes be looking at the same things in the same areas. Where that is the case, then a close working relationship, sharing plans and reports, can ensure that the organisation receives more effective and efficient coverage of all its risks.

  24. However, it is important that the head of internal audit and the external audit partner work together in an environment where they both understand each other's objectives and scope and respect their different professional standards.

  25. In particular, it is essential that everyone involved, including external audit, internal audit, audit committees and regulators, recognises that, even when internal audit is working in the same areas as external audit, they are very likely to be addressing different sets of questions. These may not be appropriate to the needs of external audit and external audit will report that it is not able to rely on internal audit work to reach their conclusion on the truth and fairness of the financial statements. This does not mean that the internal audit work is of poor quality or that there is unnecessary duplication. The audit committee may find that it benefits from receiving the different insights from the two groups of auditors.

  26. There are two other areas of contemporary debate: firstly, the extent to which an accounting firm might provide its external audit client with internal auditors and, secondly, the extent to which an external auditor might use internal auditors to gather evidence to support the external audit opinion.

  27. The IIA believes that internal audit and external audit are two of the cornerstones of healthy governance. If two of those cornerstones are provided by the same entity, it is likely that the entire corporate governance structure will be weakened. Therefore, we recommend strongly that an accounting firm does not provide internal audit services to its external audit clients.

  28. The IIA believes that where the external auditor undertakes internal audit work there are—or there could appear to be—potential threats to the quality of external audit work from self-interest, self-reliance and taking a management role. In addition, the IIA believes that relying on the external auditor to provide internal audit services may pose threats to the independence, objectivity, competency and resourcing of internal audit services.

  29. In the case of external auditors using internal auditors to gather evidence for their opinion, the IIA sees similar issues—it weakens the overall quality of governance. In addition, it may reduce the quality of internal auditing in the organisation since the opportunity cost of internal auditing completing external audit's work is less internal auditing resource to deploy on all the other risks facing the organisation. It provides a management problem for the organisation too. The internal auditors concerned may wish to obtain written confirmation from the organisation that their employer is happy to waive any terms related to confidentiality, etc, so that they can report findings to the external auditor.

Question 13. Should the role of audit committees be enhanced?

  30. Audit committees already have a pivotal role in overseeing the audit arrangements of the organisation.

  31. The IIA believes that the Code of Corporate Governance and the supporting Guidance for Audit Committees, provided by the FRC, concentrate too much on the financial statements and the external auditors. We would like to see some clarification and rationalisation which ensures that the audit committee satisfies itself in relation to competency, confidentiality, independence, objectivity, security of resources of internal audit and of the effectiveness of the relationship between internal audit and the audit committee. We would like to see audit committee members:

    (a) Understand the different objectives and scopes of external audit and internal audit.

    (b) Support the external auditor in providing an effective service to the shareholders.

    (c) Consider whether the non-audit services the external auditor provides undermine—or may be seen to undermine—the quality of the external audit.

    (d) Recognise the importance of the audit committee's role in providing the environment in which a healthy internal audit activity can flourish—the audit committee is key to self-regulation.

    (e) Ensure that the activities of these two important services are coordinated and do not duplicate unnecessarily. However, the Institute advises audit committee members to bear in mind the value of both covering the operational risks of each business area and collecting evidence to support assertions in the financial statements—this may necessitate some overlap to provide effective checks and balances and healthy debate.

    (f) Insist on the services of a competent, qualified and experienced head of internal audit to oversee all internal audit activity, including that carried out by any external service provider, whether a firm or individual contractors.

    (g) Take care to provide effective support to the head of internal audit: build a relationship that allows the head of internal audit to challenge and to raise issues directly with the audit committee, unmediated by management.

    (h) Take steps to ensure the competency of every person undertaking internal audit work.

    (i) Ensure that anyone undertaking internal audit work is required—either by employment contract or by contract for services—to respect the international ethical and practising standards of the internal audit profession, as set out by the international Institute of Internal Auditors Inc and the IIA in the UK and Ireland.

    (j) In particular, satisfy itself that all internal auditors:

        (i) respect the confidentiality of information about or from the company; and

        (ii) feel able to remain unbiased whether they are employees of that or another organisation.

Question 14. Is the auditing profession well placed to promote improvement in corporate governance?

  32. External audit has a key role to play in corporate governance. It gives a view on the reliability of the statements that are the tool to provide transparency over financial results, allowing the directors of a company to report to the owners. It wields a fairly blunt instrument: it can give a clean opinion or it can provide a less than clean opinion, all flavours of which can be disastrous to most companies. There is perhaps a limited role that the company's external auditor can play in improving these aspects of corporate governance.

  33. Internal audit operates within the governance structure. Its role is both to provide assurance on the effectiveness of governance processes, including the management of risk, and to help the organisation to improve. When it is effective, it may not be very visible since it works to facilitate and assist the managers in making changes and improvements that they want to make. However, this way of facilitating change can be very effective.

Question 10. Do conflicts of interest arise between audit and consultancy roles? If so, how should they be avoided or mitigated?

  34. Yes. We endorse the view of the external audit standards, which are clear that non-audit work poses potential threats to external audit quality. They identify six types of threats: self-interest, self-review, management, advocacy, familiarity or trust and intimidation.[4]

  35. The external audit ethical standards provide extensive procedures that external auditors must follow to prevent such threats from affecting the external auditor's independence. The extensive inspection regime seeks to ensure that the standards are followed and, thus, mitigate the threats.

  36. The only way to avoid threats arising would be to prevent audit firms from performing any other work. This would require a substantial reengineering of the industry and would have implications for the quality of the people involved and the work that they do and the price of audits.

  37. For internal audit, the question is slightly different. Helping the organisation to improve is central to the internal audit role. However, the International Standards make it clear that internal auditors must not take management's responsibility when they do "consulting" work and that they may not provide assurance on those areas of the business where they have undertaken design work—thus avoiding the management and self-review threats above. In general, for internal auditors, "consulting" means facilitating the efforts of managers to make the changes they want to make.


Question 1. Why did auditing become so concentrated on four global firms? For example, do economies of scale make it too difficult for smaller firms to compete?

  38. There is a great deal of evidence available on this topic since it has been the subject of academic research and of the 2006 study[5] commissioned by the government. Our comments are limited to the relevance and implications for internal auditing.

  39. Internal auditing is essentially different from external audit. The market for internal audit services in the private sector is smaller than that for external audit services in that it is not mandated in most of the sector. In addition, in-house teams still meet much of the demand for internal auditing, particularly at the larger end of the FTSE index, where concentration for external audit services is more of a concern. This reduces still further the market for internal audit services supplied by third-party contractors.

  40. The demand for internal audit services from third-party contractors comes from two sources. Firstly, in-house heads of internal audit do often supplement employed resources with extra resources either to fulfil a spike in demand or to meet a need for specialist skills, eg in computer auditing, a practice often described as co-sourcing. Secondly, some organisations out-source their whole internal audit department.

  41. The supply of internal auditing services is met not only by the big four global firms but also by small specialist consultancies, independent contractors, the mid-tier and smaller accounting firms and two large international consultancies, Jefferson Wells and Protiviti, which are not accounting firms.

  42. We have recently commented to the Auditing Practices Board on their call for evidence with regard to the rules that guide external audit firms in providing non-audit services to their external audit clients. As outlined above in the answer to Question 1, we strongly believe that it is healthier for corporate governance if the statutory auditor of an organisation does NOT provide internal audit services to that organisation. We would like to see the rules strengthened in this area to prevent that aspect of concentration.

Question 2. Does a lack of competition mean clients are charged excessive fees?

Question 3. Does a narrow field of competition affect objectivity of advice provided?

Question 4. Alternatively, does limited competition make it easier for auditors to provide unwelcome advice to clients who have relatively few choices as there is less scope to take their business elsewhere?

  43. The research referred to above did find some relationship between the increase in audit fees over 25 years or so and the increasing concentration of the market for external auditors. However, they also point out that there are other drivers including the increasing complexity of external audit and the desire of audit committee chairs for quality.

  44. We support the need for a quality external audit product. At present, the "client" is often in practice the executive management of the organisation who perhaps benefits least from the external audit. We support any practical development that gives a bigger say to the shareholders, and other owners, in appointing and retaining an external auditor.

Question 5. What is the role of auditors and should it be changed?

  45. Above we have outlined the role of external auditors and the role of internal auditors. The IIA does not see the need to change these roles but would like to see better understanding of the similarities and differences. This needs regulators such as the Financial Services Authority (FSA) and FRC and bodies such as the CBI and the Institute of Directors to recognise and promote the role and value of internal auditing.

Question 6. Were auditors sufficiently sceptical when auditing banks in the run-up to the financial crisis of 2008? If not, was the lack of competition in auditing a contributory factor?

  46. The debate about scepticism raises interesting questions for both internal and external auditors. The evidence we have gathered so far does not support a lack of scepticism from internal auditors in the banks in the run up to the 2008 financial crisis. However, the question remains: how can internal audit help to prevent a future crisis? The IIA is shortly to undertake a review that will seek to provide answers to that question. It is unlikely that the results of this work will be available in time for the committee's report.

  47. It is possible that it was not scepticism that was missing but the capacity to think differently from everyone else in society—not just in the companies being audited. Even if the external auditors had had that capacity, how capable would the other players in the market have been to hear what they said—not just executive management but also non-executive directors, investors, shareholders, regulators, media and even policy makers?

  48. This has implications also for internal auditors. Although they are independent of the parts of the organisation on which they give assurance, they are still part of the organisation as a whole. They need to make efforts to cultivate a different perspective from the rest of the organisation. The IIA provides educational and networking opportunities, allowing internal auditors to mix with colleagues from different sectors and industries. This helps them to develop new perspectives and supports them in presenting the challenges to management that may result from such scepticism.

Question 7. What, if anything, could auditors have done to mitigate the banking crisis? How can auditors contribute to better supervision of banks?

Question 8. How much information should bank auditors share with the supervisory authorities and vice versa?

  49. In responding to the FSA last year on the conclusions of the "Turner Review", the IIA stated that the FSA ought to be able to rely more on the work of internal auditors. A very large proportion of the risks in which the FSA is interested are also of interest to their supervised firms. Therefore, they should be the risks that are within the scope of internal audit in those firms. There is scope for the FSA, or any new regulator, to obtain assurance from the existing work of these internal auditors.

  50. However, we also pointed out that this must be done sensitively. As long as internal audit is a function that is operationally independent, it delivers real value to management because it enhances the organisation's ability to achieve its business goals. We have discussed above one aspect of internal audit's independence: being separate from the functions it evaluates. However, interaction with the regulator could pose a different threat to independence: internal audit being perceived as an extension of the regulator, rather than focussing on the needs of the business.

  51. Therefore, any move to provide more information to the regulators than is already done must safeguard independence in order to protect the overall quality of the work on which the regulator is relying. One way to achieve this would be to encourage the management of financial services organisations to refer, in their reports to the regulator, to the evidence they have to support their assertions. This would include the results of internal audit work performed by competent, qualified internal auditors working to internationally recognised professional standards.

Question 9. If need be, how could incentives to provide objective and, in some cases unwelcome, advice to clients be strengthened?

  52. For internal auditors, the best incentive to provide such advice is the response of those receiving it. High quality internal auditing does not exist in a vacuum: it needs openness and receptiveness in the management team. One mark of effective heads of internal audit is that they have raised with senior managers issues and facts that were unwelcome. Audit committees can help here by insisting that performance assessments of heads of internal audit are realistic, ie that they recognise that such uncomfortable conversations are a sign of good performance. The IIA also seeks to help by preparing internal auditors to work in this environment and by providing them with networking opportunities to help them deal with the resultant stresses and strains.

Question 11. Should more competition be introduced into auditing? If so, how?

  53. See response to question 12 above re: internal auditing.

24 September 2010




  1. External auditors provide assurance to the shareholders or members of a company, ie outside the company's governance boundary. It is vital to the quality of their work that they focus on this customer group.

  2. Internal auditors, in contrast, provide assurance within the governance boundary, to the audit committee, the board in general and to senior management.


  3. The external audit opinion, and the work that the external auditor performs in order to provide it, exist to add credibility and reliability to reports from the company to its shareholders.

  4. Internal auditors provide members of the board and senior management with assurance that they can use to fulfil their own duties to the company and its shareholders.


  5. External audit provides an opinion on financial statements and the related disclosures, on other forms of reporting from the company to shareholders as well as on financial reporting risks and their management.

  6. Internal auditors cover all categories of risks and their management, starting from their identification, taking in various responses to risks, including traditional internal controls, and including the flow of information around the company about risk. Internal auditors also cover governance processes.


  7. Ideally, internal auditing is a permanent and ongoing presence in a company. Much of its work will be in the form of engagements scheduled in advance. However, internal audit may also react to changes in circumstances and undertake unscheduled and, possibly, surprise pieces of work.

  8. External audit work is tied into the company's cycle for financial reporting and designed to support the external auditor's opinion on the annual report and related items.


  9. The external audit focus is predominantly on validating that the financial statements are a true and fair representation of past performance.

  10. For internal audit, the focus ideally is on providing assurance that the governance and risk management processes are effective in managing risks that might happen. Therefore, the focus is also forward-looking.


  11. External auditors have no explicit responsibility to improve their clients' governance or risk management processes. They have a duty to report problems that they come across as part of their work. In addition, the added-value service proposition of audit firms as businesses means that they want to assist their clients where they can.

  12. In contrast, improvement is fundamental to the role of internal auditing. Working within the organisation on an ongoing basis allows internal auditors to advise, coach and facilitate managers' efforts to improve processes. At the same time, internal auditors have a professional duty to avoid usurping the responsibility of those managers to manage.


  13. As a regulated profession, external audit's status and authority is provided by statute and supported by the framework of regulation provided by the FRC working with the appropriate professional bodies.

  14. Internal auditing has a set of professional standards, the International Professional Practices Framework, including a Code of Ethics[6] and the International Standards for the Professional Practice of Internal Auditing (International Standards).[7] These require the head of internal audit to establish an internal audit charter that sets out the authority of the function and to present this to the audit committee and senior management. Internal auditors rely on the support of the audit committee to maintain their status and authority.

  15. The UK Code of Corporate Governance provided by the FRC recognises that the audit committee is responsible for overseeing the effectiveness of internal audit. The Guidance for Audit Committees, also provided by the FRC, provides additional tasks and recognises the International Standards as a source of more detailed guidance.


  16. A reflex reaction is often that external audit is more independent than internal audit. To counter that, there is also a view that no-one who engages with an organisation or person is entirely independent of them.

  17. For internal auditors, independence is about avoiding responsibilities for functions on which they provide assurance and having a reporting line to the audit committee that provides some degree of guarantee of their independence from the areas they evaluate. It is also necessary to be sure that internal auditors are independent of any other group, such as other assurance providers or regulators, in order to ensure that the assurance they can give is also independent.

  18. For the external auditor, the profession's ethical standards and other regulations and rules seek to protect independence. There is an extensive regulatory regime in place, administered by the accounting bodies and the FRC, that enforces these standards. In addition, the UK Code of Corporate Governance expects the company's audit committee to review and monitor the independence and objectivity of the external auditor.



  A self-interest threat—when the external auditor has financial or other interests which might cause it to be reluctant to take actions that would be adverse to the interests of the audit firm.

  A self-review threat—when in the course of the audit, the external auditor may need to re-evaluate the work performed in the non-audit service.

  A management threat—when partners and employees of the audit firm take decisions on behalf of the management of the audited entity and the audit firm may become closely aligned with the views and interests of management.

  An advocacy threat—when the audit firm undertakes work that involves acting as an advocate for an audited entity, supporting a position taken by management in an adversarial context and adopting a position closely aligned to that of management.

  A familiarity (or trust) threat—when the (external) auditor is predisposed to accept or is insufficiently questioning of the audited entity's point of view (for example, where close personal relationships are developed with the audited entity's personnel through long association with the audited entity).

  An intimidation threat—when the (external) auditor's conduct is influenced by fear or threats (for example, where the auditor encounters an aggressive and dominating individual).

1   See footnote 1.

2   NB risk management starts with objectives/purpose, then includes identification, evaluation and assessment of the risk; selection and implementation of the appropriate responses; and monitoring to ensure that the responses are working as required.

3   Corporate governance in central government departments: Code of good practice July 2005, available on HM Treasury's website.

4   Para 32 in Ethical Standard 1 (revised April 2008), issued by the Auditing Practices Board. See Appendix 2 for definitions of the threats.

5   Report entitled Competition and choice in the UK audit market prepared by Oxera for Department of Trade and Industry and Financial Reporting Council, April 2006.

6   2000 The Institute of Internal Auditors, Inc., 247 Maitland Avenue, Altamonte Springs, Florida 32710-4201 USA.

7   2008 idem.

© Parliamentary copyright 2011