External versus Internal Assurance: how to create co-partnership?
Instituut van de Bedrijfsrevisoren
Koninklijk Instituut
Institut des Réviseurs d’Entreprises
Institut royal
The present paper has been written by a working group of representatives of IIA and IRE:
Mr Philip MAEYAERT, Mr Virgile NIJS, Mr Paul PAUWELS, Mr Lieven ACKE, Mr Philippe MENÈVE, Mr Gerrit SARRENS
and Mrs Michèle MALISART with the help of IIA and IRE/IBR staff members Mrs Pascale VANDENBUSSCHE (Chief
Supporting Officer – IIA) and Mrs Stéphanie QUINTART (Responsible Studies IBR/IRE).
Ed. resp.: D. Szafran – IRE/IBR – Rue d’Arenberg 13 – 1000 Bruxelles
Tel.: +32.2.512.51.36 – Fax.: +32.2.512.78.86 – e-mail: [email protected] – www.ibr-ire.be
and P. Vandenbussche – IIA Belgium - Rue Royale 109-111, boîte 5 - 1000 Bruxelles – Koningsstraat 109-111,
bus 5 - 1000 Brussel
Tel.: +32.2.219.82.82 - Fax: +32.2.217.12.97 – e-mail: [email protected] - www.iiabel.be
Design:
greenpepper.be
© 2010
TABLE OF CONTENTS
CHAPTER I - INTRODUCTION
CHAPTER II - EXECUTIVE SUMMARY
CHAPTER III - ROLES AND RESPONSIBILITIES
1. ROLE AND RESPONSIBILITIES OF MANAGEMENT
2. ROLE AND RESPONSIBILITIES OF EXTERNAL AUDITORS
2.1. Qualification as External Auditors
2.2. Institute of External Auditors
2.3. Mandate of External Auditors
2.4. Other legal assignments for External Auditors
2.5. Other contractual assignments and prohibited services
2.6. Professional auditing standards
2.7. Responsibility of External Auditors
3. ROLE AND RESPONSIBILITIES OF INTERNAL AUDITORS
3.1. Context
3.2. Definition of internal audit
3.3. Positioning of internal audit
3.4. Internal audit engagements
3.5. IIA’s Standards
3.5.1. Attribute Standards (AS)
3.5.2. Performance Standards (PS)
3.5.3. Glossary
4. ROLE AND RESPONSIBILITIES OF THE AUDIT COMMITTEE
4.1. Legal regulations regarding the establishment of an Audit Committee
4.1.1. Main provisions of the law on Audit Committees
4.1.2. 2009 Belgian Corporate Governance Code
4.1.3. Audit Committee charter
4.2. Responsibilities of the Audit Committee
4.3. The role of the Audit Committee for the cooperation between external and internal audit
5. AUDITING PROCESS: THE EXTERNAL AND INTERNAL AUDITORS VIEWS
5.1. The external audit Process
5.1.1. Client acceptance
5.1.2. Initial Audit planning process
5.1.3. Perform the audit plan
5.1.4. Report and assess performance
5.2. The internal audit Process
5.2.1. Planning of the internal audit Activities
5.2.2. Engagement Planning
5.2.3. Performing the Engagement
5.2.4. Communicating Results
5.2.5. Monitoring Progress
CHAPTER IV: PROFESSIONAL STANDARDS ON COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
1. EXTERNAL AUDIT STANDARDS
1.1. Belgian legal context: using the work of others and engagement acceptance
1.2. International Standards on Auditing (ISA)
1.3. Statements on Auditing Standards (SAS)
1.4. Public Company Accounting Oversight Board (PCAOB) Standards
2. INTERNAL AUDIT STANDARDS
2.1. The Institute of Internal Auditors (IIA): International Professional Practices Framework (IPPF)
3. SPECIFIC STANDARDS FOR FINANCIAL INSTITUTIONS
3.1. Basel Committee on Banking Supervision
CHAPTER V: THE COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
1. THE FEEDBACK FROM THE SURVEY AND THE INTERVIEWS
1.1. Commitment
1.2. Benefits
1.3. Communication
1.4. Systematic exchanges
2. THE BEST PRACTICES IN RESPECT OF THE COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
2.1. Introduction
2.2. Risk Management Assessment
2.2.1. Introduction
2.2.2. Role of internal audit
2.2.3. Role of external audit
2.2.4. Cooperation proposed
2.2.5. Benefits
2.3. Internal Control Assessment
2.3.1. Introduction
2.3.2. Definition
2.3.3. Role of internal audit
2.3.4. Role of external audit
2.3.5. Cooperation proposed
2.3.6. Benefits
2.4. Audit Plan determination
2.4.1. Introduction
2.4.2. Definition
2.4.3. Role of internal audit
2.4.4. Role of external audit
2.4.5. Cooperation proposed
2.4.6. Benefits
2.5. Audit Testing
2.5.1. Introduction
2.5.2. Definition
2.5.3. Role of internal audit
2.5.4. Role of external audit
2.5.5. Cooperation proposed
2.5.6. Benefits
2.6. Audit Reporting
2.6.1. Introduction
2.6.2. Definition
2.6.3. Role of internal audit
2.6.4. Role of external audit
2.6.5. Cooperation proposed
2.6.6. Benefits
2.7. Recommendations follow up
2.7.1. Introduction
2.7.2. Definition
2.7.3. Role of internal audit
2.7.4. Role of external audit
2.7.5. Cooperation proposed
2.7.6. Benefits
APPENDIX
1. How Do I ... Distinguish Internal and External Auditing?
2. Glossary
3. Model internal audit activity charter
4. Model Audit Committee Charter
5. Demographics
CHAPTER I
INTRODUCTION
The objective of the present paper is to propose best practices for cooperation between External and Internal
Auditors in Belgium. Such cooperation could contribute to improving the governance of companies.
Note that this document focuses mainly on the private sector in general. Specifics for the financial sector are
only briefly introduced.
This paper first lays down a general framework by identifying the roles and responsibilities of the players involved (see
also appendix 1). Management, External Auditors, Internal Auditors and the Audit Committee each have their part to play,
subject to their own regulation and limited by their responsibility. It is also important to describe the auditing process
as performed by External and Internal Auditors respectively, in order to clearly understand where cooperation between
Internal and External Auditors could be improved.
Furthermore, some professional standards dealing with the cooperation between Internal and External Auditors are
summarized to facilitate the reader’s understanding. Finally, an overview of current practices is given and proposals for best
practices are formulated.
CHAPTER II
EXECUTIVE SUMMARY
The control functions are important in all organizations and are represented by different actors. This is why
cooperation between these actors is becoming crucial in order to maximize the level of control and efficiency.
Effective cooperation between External and Internal Auditors leads to a range of benefits.
The Audit Committee must play an important role in defining this cooperation and supervising the planning of the activities of
the Auditors (external and internal). The committee must take a broad view of audit activity in the organization.
In this position paper, we discuss the roles and responsibilities of the Internal and External Auditors.
Based on a survey, international standards and discussions in a workgroup, we have also defined best practices for the
co-partnership between External and Internal Auditors.
The survey shows that the most important benefit is the increase in audit work efficiency.
Systematic exchanges and common methodology are very limited on both sides.
In defining best practices, we note that the External Auditors may collaborate in various ways with the Internal
Auditors. The most important criteria for defining the level of cooperation are:
• the maturity of the internal audit department;
• the compliance with the International Professional Practices Framework;
• the certification and experience of the Internal Auditors;
• the quality of the work performed by the Internal Auditors.
When the External Auditors plan to use the work of the Internal Auditors, they will need to consider internal audit’s tentative
plan for the period and discuss it at an early stage. They will also need to agree in advance on the extent of the internal audit work
coverage, the materiality levels and the proposed methods.
This cooperation may take different forms:
• communication of reports, documents;
• regular meetings;
• consultations on risk assessments, internal control assessments, corporate governance issues;
• cooperation included in the audit plans;
• arrangements for sharing information;
• set up of common methodology to evaluate risks, internal controls;
• follow up of consolidated findings and recommendations;
• use of the work of the other auditors in order to avoid duplication of work;
• training about external audit methodology, etc.
It is important to set up a clear agreement about the cooperation expected. The cooperation may also be integrated in the
internal audit charter.
Because of the wider scope of internal audit work, reliance is most likely to be by external audit on internal audit. Although
External Auditors may rely on the work of internal audit, they cannot hand over their responsibilities.
Most External Auditors have good cooperation experience, based on the survey. The main reasons for not promoting
cooperation are corporate decisions, rotation of junior people, unequal sharing of information, the maturity levels of
the internal audit departments and a lack of independence of the internal audit departments.
The survey has shown that cooperation in practice varies considerably and that most of the time the initiative comes from
the internal audit departments.
One profession is strongly regulated (the External Auditors) and the other is not, except in the financial sector. Nevertheless,
it is important to note that both professions follow international standards and report in a fixed format.
CHAPTER III
ROLES AND RESPONSIBILITIES
1. ROLE AND RESPONSIBILITIES OF MANAGEMENT
Management is, under the supervision of the Board of directors, responsible for, amongst others, the preparation and
the fair presentation of the financial statements in accordance with the applicable financial reporting framework. This
responsibility includes designing, implementing and maintaining internal control relevant to the preparation and fair
presentation of financial statements that are free from material misstatements, whether due to fraud or error.
The 2009 Belgian Code on Corporate Governance states in this respect that companies that apply the code should amongst
others describe and disclose in the Corporate Governance Statement the main features of the company’s internal control
and risk management systems.
The publication of the Audit Committee Charter is not compulsory but recommended as good practice.
Statutory Audit Directive 2006/46/EC of 14 June 2006¹ requires companies whose securities are admitted to trading on
a regulated market and which have their registered office in the European Community to disclose an annual corporate
governance statement as a specific and clearly identifiable section of the annual report. That statement should at least
provide shareholders with easily accessible key information about the corporate governance practices actually applied,
including a description of the main features of any existing risk management systems and internal controls in relation to
the financial reporting process.
The majority of the financial institutions that are under the prudential supervision by the CBFA are required to assess the
adequacy of their internal controls (design and operating effectiveness) on a yearly basis and to report the outcome of the
assessment to the Board of directors, the CBFA and the statutory auditor. The Statutory Auditors do have to assess the
internal control measures and report their findings to the CBFA.
2. ROLE AND RESPONSIBILITIES OF EXTERNAL AUDITORS
2.1. Qualification as External Auditors
In Belgium, the qualification as External Auditor (“Réviseur d’entreprises/Bedrijfsrevisor”) is granted by the Belgian
Institute of Registered Auditors (“Institut des Réviseurs d’Entreprises / Instituut van de Bedrijfsrevisoren”, abbreviated as
IRE/IBR) under the conditions defined in the law of July 22, 1953, which was last coordinated by a Royal Decree of
April 30, 2007 in order to comply with most of the provisions of the Statutory Audit Directive 2006/46/EC.
For the purpose of this paper the Registered Auditors are referred to as “External Auditors” in the exercise of the function
of statutory auditor (“commissaire/commissaris”) as described below (see point 2.3.).
External Auditors qualify by completing a three-year training period and passing several examinations organized by the
Institute. External Auditors are compelled to continually update their professional knowledge and proficiency, maintain
total independence and exercise professional care in the conduct of their work.
2.2. Institute of External Auditors
The IRE/IBR was set up by the law of July 22, 1953, coordinated in 2007. The duties of the Institute include:
• admission of the External Auditors (réviseurs d’entreprises / Bedrijfsrevisoren), for individuals as well as for audit
firms;
• control over the public register in which External Auditors must be registered;
• drafting of professional auditing standards and recommendations;
• organization of the educational program for trainees;
• supervision of the continuous education of the External Auditors;
• organization of the periodic quality control over the work of External Auditors;
• issue of a code of conduct for External Auditors;
• set up of disciplinary procedures for External Auditors and trainees.
The IRE/IBR is accountable to the High Council for Economic Professions and the Minister of Economic Affairs.
¹ Directive 2006/46/EC of the European Parliament and of the Council amending Council Directives 78/660/EEC on the annual accounts of certain types of companies,
83/349/EEC on consolidated accounts, 86/635/EEC on the annual accounts and consolidated accounts of banks and other financial institutions and 91/674/EEC on the annual
accounts and consolidated accounts of insurance undertakings.
2.3. Mandate of External Auditors
In accordance with the Belgian Company Act (art. 15, 141 and 142), all companies exceeding certain criteria (number of
staff employed, annual turnover and balance sheet total) are required to appoint an External Auditor as statutory auditor
(“commissaire / commissaris”). Consolidated financial statements that exceed the thresholds for statutory audits also
need to be audited unless the parent company is exempted from the consolidation requirement due to the fact that its
financial statements and those of its subsidiaries are included in the consolidated financial statements of its parent or
ultimate parent company, provided that the parent or ultimate parent consolidated financial statements are prepared in
accordance with the seventh EC-Directive or equivalent.
Financial institutions that are under the supervision of the Banking, Finance and Insurance Commission (CBFA) do have
to appoint an External Auditor irrespective of their size. Financial institutions that are under the supervision of the CBFA
are, amongst others: credit institutions, insurance companies, investment firms, undertakings for collective investment,
Management companies of undertakings for collective investment. The Auditors of financial institutions do assist the CBFA
with the prudential supervision it exercises. The assistance comprises, amongst others, a review and audit of respectively the
interim and year-end prudential returns as well as an assessment of the internal control measures taken by Management.
This assistance is governed by specific auditing standards and instructions issued by the CBFA.
The appointment of the External Auditor is decided by the general shareholders’ meeting, for a fixed term of three years
upon proposal by the Board of Directors and, where applicable, after approval by the workers’ council. However if an Audit
Committee is to be appointed (on voluntary basis or required by law), the proposal of the Board of Directors to appoint an
External Auditor is to be submitted to the general shareholders’ meeting based upon a proposal by the Audit Committee.
External Auditors can only be dismissed by the general shareholders’ meeting under certain conditions as laid down by the
Belgian Company Act (art. 135). Unless for serious personal reasons, the External Auditor cannot resign during the fixed
term of three years except at a general shareholders’ meeting, and then, only after informing at the meeting about the
reasons for his resignation.
Each year, the External Auditor must, amongst others, report to the shareholders meeting on the true and fair view of the
statutory financial statements. In addition, the Auditor is also required to report as to whether:
• the financial statements and the books and records comply with the legal requirements;
• the directors’ report deals with the information required by law and whether it is consistent with the financial
statements;
• the company complies with its articles of association and with the Belgian Company Act.
He must also issue such a report on the consolidated accounts and consolidated directors’ report, where applicable.
The External Auditor is also expected to report on a certain number of transactions or situations if they occur in the entity
where he has been appointed, e.g.:
• capital increase by way of a contribution in kind;
• merger or de-merger (split);
• decision to enter into liquidation;
• report on financial and economic information submitted to the workers’ council.
For acting as statutory auditor for financial institutions the External Auditor must in addition be accredited by the CBFA as
having the appropriate qualifications to audit such entities.
2.4. Other legal assignments for External Auditors
In smaller entities which are not required to appoint a statutory auditor, an External Auditor (“réviseur d’entreprises/
Bedrijfsrevisor”) will have to be appointed to report specifically on the transactions or situations referred to in the last
paragraph of the preceding point.
2.5. Other contractual assignments and prohibited services
The ‘réviseur d’entreprises / Bedrijfsrevisor’ can also carry out audit assignments on a contractual basis, e.g. due diligence
or acquisition reviews, or valuation reports. He can also provide advisory services in respect of legal or tax situations, or
act as arbitrator or liquidator, or even provide internal audit assistance, but always on the condition that his independence
is not impaired. Therefore, internal audit services (outsourcing) should not be provided by the same accounting firm that
audits the organization’s financial statements, as it would impair the independence of the External Auditor. Nevertheless,
the internal audit services could be provided by any other accounting firm.
The ‘réviseur d’entreprises / Bedrijfsrevisor’ can also be requested by the Court to provide an expert opinion.
The following services are considered as prohibited non-audit services:
• to take any managerial decision, or take part in any managerial decision making;
• the provision of bookkeeping services, i.e., the preparation of client accounting records or financial statements;
• the design, development, implementation and management of financial information technology systems;
• to make any valuations that are subsequently incorporated in the financial statements;
• to act for the client in the resolution of litigation, including tax litigation;
• to participate in the recruitment of Senior Management for financial, administrative or management functions.
It is forbidden for an External Auditor to assume any management or director’s function in a commercial company. However
individual exemptions may be granted by the Council of IBR/IRE after acceptable advice from the advice and control
committee on the independence of External Auditor (ACCOM).
2.6. Professional auditing standards
Over the years, the IRE/IBR has issued its main “general auditing standards”, as well as a number of specific auditing
standards¹, dealing, amongst others, with:
• auditing and reporting in entities having a “workers’ council”;
• reporting on consolidated financial statements;
• control over contribution in kind (including “quasi-contribution” in kind);
• reporting in case of change of legal form;
• audit over merger or de-merger (split) transactions of commercial companies;
• control in connection with proposal to liquidate companies with limited responsibility;
• audit of the Board of Directors report on statutory and consolidated financial statements;
• management representation letter.
In addition, the IRE/IBR has issued a number of recommendations which do not have the compulsory character of the
actual auditing standards. However, if the External Auditor does not specifically comply with these recommendations, he
should justify the deviation in his working files. These recommendations cover different aspects such as:
• engagement acceptance;
• audit methodology;
• technical aspects of audit methods such as: external evidence, using the work of another auditor, using the work of
internal audit, etc.;
• specific aspects of the control work such as the review of financial statement disclosures;
• going concern, etc.
IRE/IBR is actively working on preparing the implementation of the International Standards on Auditing (ISAs) in the near
future. It must be said that the present “general auditing standards” as issued by the IRE/IBR are very much in line with
the ISA standards.
2.7. Responsibility of External Auditors
The External Auditor is solely responsible for the opinion he expresses on the financial statements, which implies that his audit
scope must cover all relevant aspects of the accounts, regardless of whether he is able to rely on the work of the
Internal Auditors. This also means that the External Auditor assumes full responsibility for all internal audit work on which
he has been relying.
¹ Available on www.ibr-ire.be
3. ROLE AND RESPONSIBILITIES OF INTERNAL AUDITORS
3.1. Context
The profession of Internal Auditor is internationally recognized thanks to the Institute of Internal Auditors (IIA), which is
itself internationally recognized as a trustworthy guidance-setting body and has developed standards and definitions that support
the role and responsibilities of Internal Auditors and provide a guideline to practitioners.
We will present the functioning of the internal audit process according to the IIA’s International Standards for the Professional
Practice of Internal Auditing Framework.
3.2. Definition of internal audit
As defined by the IIA, “Internal auditing is an independent, objective assurance and consulting activity designed to add
value and improve organization’s operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”
• Governance:
- Management responsibility: set up of processes and structures “to inform, direct, manage and monitor the activities of the
organization toward the achievement of its objectives”¹;
- Internal audit responsibility: “Assess and make appropriate recommendations for improving the governance process in its
accomplishment.”²
• Regulatory compliance:
- Management responsibility: establish compliance rules and procedures (business code of conduct) and for the members of the
organization (declaration form) and its stakeholders to prevent criminal conduct;
- Internal audit responsibility: include in the audit plan compliance assessments of specific areas entailing legal issues.
• Risk management & internal control management:
- Management responsibility: organize risk management and control processes;
- Internal audit responsibility: assist the management and the Audit Committee by suggesting improvements on the adequacy of
risk management and control process.
¹ Glossary IIA.
² Practice Advisory 2130.
The Internal Auditor assesses the whole audit universe of the organization he is working for, including the risk management
and the compliance functions in case they are present.
The independence of judgement and the quality of advice are very important. The Internal Auditor is, however, not
a judge and makes recommendations based on discussions with management. It is up to management to give the appropriate
response.
3.3. Positioning of internal audit
The positioning of internal audit in the organization is crucial in order to keep the independence of the department.
Therefore, it is recommended that internal audit reports to the Audit Committee.
3.4. Internal audit engagements
Giving assurance on governance, risk and control processes is the key element of the audit work. Besides the audit
assignments planned to evaluate the audit universe of the organization, internal audit activities cover other types of
engagements such as consultancy at the request of the management, and special assignments at the request of the Executive
Committee.
Internal Auditors can also be involved in Control Self-Assessment (CSA) as validator of the process as consultant.
In the framework of Section 302 of the Sarbanes-Oxley Act, internal audit also plays a role in quarterly financial reporting,
disclosures and management certifications, as validator of the process, participant, coordinator or independent assessor.
The role and responsibilities of the internal audit department are described in the internal audit activity charter (see model
in appendix 3).
3.5. IIA’s Standards
The International Standards for the Professional Practice of Internal Auditing are made up of¹:
• mandatory guidance:
- definition of internal auditing,
- code of Ethics,
- standards (described below).
• strongly recommended guidance:
- position papers,
- practice advisories,
- practice guides.
3.5.1. Attribute Standards (AS)
The Attribute Standards deal with the purpose, authority and responsibility of the Internal Auditor, as well as independence
and objectivity rules and those related to proficiency and due professional care. Quality assurance and continuing training
are also required from Internal Auditors.
3.5.2. Performance Standards (PS)
The Performance Standards relate foremost to the management of the audit activity (planning, resources, procedures and
reporting to the Board of Directors and to the audited Managers). The Performance Standards state, amongst others, that
the Chief Audit Executive could share information and coordinate activities with other internal and external providers of
assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
The Performance Standards also stress the importance of engagement planning that takes into account risks, controls and
governance processes in place, the adequacy of the resources required for the execution of the audit assignments and the
usage of a formalized work program adapted to the audit assignment objectives.
In addition, the PSs give guidelines on performing the engagement, communicating results, the monitoring process
and, last but not least, setting up a follow-up system for the implementation of recommendations, covering not only the
Internal Auditors’ own recommendations but also those issued by External Auditors and local regulators.
3.5.3. Glossary
A glossary with the main definitions is part of the framework.
¹ IPPF issued by IIA Inc. and available on www.iiabel.be/knowledgecenter.
4. ROLE AND RESPONSIBILITIES OF THE AUDIT COMMITTEE
In this chapter the roles and responsibilities of the Audit Committee are described, in particular in relation to the
cooperation between the Internal and External Auditors.
4.1. Legal regulations regarding the establishment of an Audit Committee
New regulations regarding, amongst others, the establishment of Audit Committees entered into force in early 2009
following the adoption of the Law of 17 December 2008 on the establishment of Audit Committees in listed companies and
financial undertakings1 (the Law of 17 December 2008). The new requirements primarily apply to listed companies, as well
as to certain financial institutions, whether listed or non-listed.
The Law of 17 December 2008 implements the provisions of the Statutory Audit Directive 2006/46/EC relating to the
Audit Committees into Belgian law. Before the adoption of the law, the establishment of an Audit Committee was only a
recommendation under the Belgian Corporate Governance Code for Belgian listed companies.
4.1.2. 2009 Belgian Corporate Governance Code
The tasks of the Audit Committee as defined in the Law of 17 December 2008 are very much in line with the tasks of the
Audit Committee as defined in the 2009 Belgian Corporate Governance Code.
The Code provides in respect of the tasks of the Audit Committee the following additional guidance:
• monitoring of the financial reporting process:
- when monitoring the financial reporting process, the Audit Committee should, in particular, review the relevance and
consistency of the accounting standards used by the company and its group. This review should involve assessing the
correctness, completeness and consistency of financial information before it is made public and should be based on a
programme adopted by the Audit Committee;
- the Executive Management should inform the Audit Committee of the methods used to account for significant and
unusual transactions where the accounting treatment may be open to different approaches;
- the Audit Committee should discuss significant reporting issues with both the Executive Management and the External
Auditor.
• monitoring the effectiveness of the company’s internal control and risk management systems:
- the monitoring of the effectiveness of the company’s internal control and risk management systems set up by the
Executive Management should be done at least once a year, with a view to ensuring that the main risks are properly
identified, managed and disclosed;
- the Audit Committee should review the statements included in the Corporate Governance Statement on internal control
and risk management.
1 Appendix C of the Belgian Corporate Governance Code.
4.1.1. Main provisions of the law on Audit Committees
The main provisions of the law on Audit Committees are the following:
• subject to some exceptions, the Board of Directors of all listed companies and financial institutions is obliged to establish
an Audit Committee. The committee must be entirely composed of non-executive members of the Board of directors;
• for listed companies at least one member needs to be “independent” in accordance with the criteria defined in the law
and must have the necessary competence in accounting and auditing matters;
• small listed companies do not need to establish an Audit Committee. In such a case, the tasks of the Audit Committee
must be performed by the entire Board of directors, with some necessary provisions such as the appointment of at least
one independent director. This exemption also applies to small credit institutions and insurance companies with the
exception that the law does not require them to have at least one independent director. Further, if a financial institution or
a subsidiary of a group has established an Audit Committee competent for the group, the CBFA can grant an exception to
the requirement to establish an Audit Committee. Such an exemption possibility does not apply to listed companies;
• the Audit Committee has, as a minimum, the following tasks:
- monitoring the financial reporting process;
- monitoring the effectiveness of the company’s internal control and risk management systems;
- if there is an internal audit, monitoring the internal audit and its effectiveness;
- monitoring the statutory audit of the annual and consolidated accounts, including any follow-up of questions and
recommendations of the statutory auditor;
- reviewing and monitoring the independence of the statutory auditor, in particular regarding the provision of additional
services to the company1.
• monitoring of the internal audit:
- the Audit Committee should review the Internal Auditor’s work programme, having regard to the complementary roles
of the internal and external audit functions. It should receive internal audit reports or a periodic summary and should
monitor management’s responsiveness to the Audit Committee’s findings and recommendations;
- if the company does not have an internal audit function, the need for one should be reviewed at least annually.
• monitoring the statutory audit and the independence of the statutory auditor:
- the Audit Committee should make a proposal on the selection, appointment of the External Auditor, as well as on the
terms of his engagement;
- the External Auditor shall:
  - annually confirm its independence and inform the committee about the additional services provided;
  - examine with the Audit Committee the risks relating to its independence and the safety measures taken to decrease
  these risks;
  - provide to the Audit Committee a report describing all relationships between the External Auditor and the company
  and its group;
- the External Auditor shall report to the Audit Committee on the key matters arising from the statutory audit and in
particular on material weaknesses in internal control in relation to the financial reporting process;
- the Audit Committee shall review the effectiveness of the external audit process, and management’s responsiveness to
the recommendations made in the External Auditor’s management letter;
- the Audit Committee should investigate the issues giving rise to any resignation of the External Auditor, and should
make recommendations regarding any required action.
The Audit Committee must report regularly to the Board of Directors on the performance of its tasks, at least each time the
Board of Directors prepares the annual accounts and other (interim) summary financial statements or reports.
4.1.3. Audit Committee charter
Preparing an Audit Committee charter is often referred to as a best practice. The purpose of such a charter is to assist
the Audit Committee in fulfilling its oversight responsibilities for the financial reporting process, the system of internal
control, the audit process, and the company’s process for monitoring compliance with laws and regulations and the code
of conduct.
The IIA published on its website a sample Audit Committee charter that captures many of the best practices used today and
complies with the requirements of the Sarbanes-Oxley Act and the U.S. Stock Exchanges. The sample charter can therefore
be used as a starting point and should be tailored to any committee’s specific needs and governing rules. The example is
included in appendix 4.
4.2. Responsibilities of the Audit Committee
The responsibilities of the Audit Committee cover mainly:
• financial statements and reporting thereon;
• internal control systems;
• supervision of internal audit function;
• appointing and overseeing the work of External Auditor.
As part of the latter the Audit Committee will have to evaluate the possible cooperation that may be put in practice between
the company’s Internal Auditors and the External Auditor. The principle of authorizing such cooperation should be reflected
in the Audit Committee Charter. Planning arrangements for the actual cooperation should then be left to both auditors who
should submit their suggestions to the Audit Committee. During the subsequent meetings of the Audit Committee, the
latter should review and evaluate the work of both auditors, who normally will participate in such meetings.
4.3. The role of the Audit Committee for the cooperation between external and
internal audit
It is clear from the above that there is quite some interaction between the Audit Committee and the internal and the External
Auditors. The interaction results amongst others from the fact that the Audit Committee has to oversee the performance of
the company’s internal and external audit.
On the other hand, the Audit Committee does, to a very large extent, rely on other people to help in performing its duties.
Internal and external audit functions can be the best resources available to help the Audit Committee perform its
function.
The Belgian Corporate Governance Code requires that the Audit Committee meets the external and Internal Auditors to
discuss matters relating to its terms of reference and any issues arising from the audit process, and in particular any
material weaknesses in internal control. The internal and External Auditors should have free access to the Board. In
this context, the Audit Committee should act as the principal point of contact for the internal and External Auditors. The
External Auditor and the head of the internal audit team should have direct and unrestricted access to the chairman of the
Audit Committee and the chairman of the Board.
Audit Committees may play an important role in facilitating the cooperation between external and Internal Auditors. The
objective is to maximize the effectiveness and efficiency of the audits and also to reduce the risk of misstatements.
Practice Advisory 2050-1 of the IIA on Coordination states that the oversight of the work of the External Auditors, including
coordination with the internal audit activity, is the responsibility of the Board (Audit Committee).
The coordination of internal and external audit work is, according to this practice advisory, the responsibility of the Chief
Audit Executive1. The Chief Audit Executive should obtain the support of the Board to coordinate audit work effectively.
Assigning the coordination responsibility to an individual will help focus the efforts of the company and make sure that the
company continues to work to improve its coordination efforts. In addition, the Audit Committee will be able to easily follow
up and monitor the progress made in coordination efforts. The Audit Committee may also choose to suggest ideas and to
request feedback directly from the individual in charge of coordination to make sure the coordination efforts move forward.
If companies want to improve coordination levels, the internal auditing function should take the first step.
Coordination may also ensure that:
• the planning of both auditors guarantees a maximum of coverage and efficiency by avoiding audits in the same departments
and in the same periods;
• both auditors can put greater pressure on Management to prevent the use of aggressive accounting principles than each
party can do independently;
• common issues are analyzed together and a common recommendation is made to the Audit Committee;
• communication of reports and issues on both sides is made in a timely manner;
• increased audit coverage through coordination lowers the risk of misstatement and fraud, thus decreasing the risk of
personal and corporate litigation of each member of the Audit Committee;
• the Audit Committee agenda includes the main audit points that must be discussed.
Through better cooperation between the internal and External Auditors, risk assessments will be improved and will
better integrate internal and external factors (industry changes, compliance, etc.).
1 It is the highest position in the internal audit department.
5. AUDITING PROCESS: THE EXTERNAL AND INTERNAL AUDITORS VIEWS
5.1. The External Audit Process
5.1.1. Client acceptance
The statutory auditor will assess his engagement risk and include factors affecting this risk in his client acceptance
procedures. Before he starts any of the audit work, he will conclude on the pervasive risks, including all obligations linked
to the legislation on money laundering and fraud risks. Once this phase is completed, the External Auditor will establish the
terms of the engagement and document them in an engagement letter, to be signed by the officials representing the company.
The engagement team will be selected with care and according to the complexity of the audit.
5.1.2. Initial audit planning process
Understanding the client’s business is essential to a high quality audit. The first phase of an audit cycle includes a disciplined
and systematic study of the company based upon interviews with management, identification of the key management
controls and monitoring activities. The External Auditor develops his audit strategy and audit plan in different steps
including the determination of the planning materiality (used to evaluate the fair view of the financial statements) and
monetary precision (used, amongst others, to determine sample sizing and results of substantive analytical review).
Understanding the client’s control environment and accounting process is an essential part of these procedures, including
external and internal factors affecting the entity. The External Auditor will understand the entity’s selection and application
of accounting policies and the measurement and review of the entity’s financial performance, including the going concern
assumptions. Every significant flow of transactions, and related internal controls and computer processing environment
will be looked at, in order to get a preliminary understanding of the internal controls at both entity level and process level.
Specific fraud inquiries will help the External Auditor to focus on risks, and are in any case performed when the Auditor applies
the ISAs. The engagement team discusses the risks, classifies the entity’s use of computers to evaluate the necessity of
involving IT specialists and performs preliminary analytical reviews on the interim financial statements.
These procedures allow the External Auditor to assess the risk at account level and develop responses for the identified risk
areas, which will be formalized in an audit plan. This plan will be communicated, where applicable, to the Audit Committee
and can be discussed with the internal audit department. Such a plan will allow a good allocation of the tasks among team
members, enable supervision of the executed work and ease the introduction of new team members.
5.1.3. Perform the audit plan
The External Auditor will determine the control activities to be executed on the basis of the effectiveness of the internal controls
of the entity. The External Auditor will select those techniques that he feels are the most appropriate to fulfill his audit
work.
The first step in the audit plan will be the evaluation of the internal controls. The External Auditor will plan and perform
procedures to obtain audit evidence of the operating effectiveness of controls and identify the related controls. Through
a systematic analysis of risks specific to business processes, the External Auditor derives an acute focus on areas,
transactions and events that are material to the financial statements.
A central part is thus the selection and performance of tests of relevant controls in the audit and the evaluation of the
effectiveness of this testing in the current period. The information systems audit is an integral part of the audit approach,
where the computer plays a dominant role in the processes. When the External Auditor evaluates that the internal controls
are not sufficient, he will adapt his control procedures to match this and report the weaknesses to the appropriate levels
of the Management and the Board.
At the period closing the External Auditor will design substantive tests. He will design and perform tests of details on the basis
of well determined selections and sample sizes. He will, amongst others, use confirmations, attend stock takes, perform
observations and obtain evidence from internal and external sources. The External Auditor will also perform substantive
analytical procedures and identify those account balances or disclosures and the related potential errors to be tested by
substantive analytical procedures. After having developed an expectation for the substantive analytical procedures, he will
consider the threshold between expected values and actual balances. He will as such evaluate differences requiring further
investigation and obtain, quantify and corroborate explanations when performing these procedures. The audit procedures on
accounting estimates will include identification of the circumstances requiring accounting estimates and an understanding
of the estimation process. The reasonableness of the estimates will be tested and differences in judgment about accounting
estimates will be responded to. After review of these estimates for bias and execution of detailed testing as described
above, the External Auditor will perform the financial review, evaluate unexplained significant changes identified during
this review and conclude. The External Auditor will consider any litigation and claims involving the entity and evaluate
communications with the entity’s legal counsel.
5.1.4. Report and assess performance
After the execution of the field work, and between the report date and the end date of that field work, the External Auditor
will perform a subsequent events review. He will assess the events up to the date of his report, and assess the facts discovered
after the date of his audit report and before the financial statements are issued. He will evaluate the overall scope of the
audit and the effect of uncorrected misstatements on the financial statements.
The External Auditor needs to obtain written management representation on the financial statements and on the uncorrected
misstatements and will consider any litigation and claims involving the entity. Any findings will be communicated to those
charged with governance, such as the Audit Committee and management, in due time. A management letter might
also be issued.
The work will be concluded with the issuance of an audit report that will reflect the opinion of the External Auditor on the
fair view of the financial statements, consideration of the other information (like the report of the Board of directors) and
possible non-compliance with laws and regulations.
5.2. The internal audit Process
[Figure: the internal audit process. Labels: Internal Audit Charter; Planning phase; Audit Universe; Risk Assessment; Audit Plan; Planning; Engagement phase; Preparation; Field Work; Documentation; Reporting phase; Reporting; Follow up.]
5.2.1. Planning of the internal audit activities
The Chief Audit Executive must establish risk-based plans to determine the priorities of the internal audit activity,
consistent with the organization’s goals. By doing this, the Chief Audit Executive takes into account the organization’s risk
management framework, including using risk appetite levels set by management for the different activities or parts of the
organization. If a framework does not exist, the Chief Audit Executive uses his/her own judgment of risks after consultation
with Senior Management and the Board.
It is clearly recommended that the internal audit activity’s plan of engagements is based on a documented risk assessment,
undertaken at least annually and if possible more frequently. The input of Senior Management and the Board must be
considered in this process as well as coordination with the ERM1 function (if the function exists). The Chief Audit Executive
could consider accepting proposed consulting engagements based on the engagement’s potential to improve management
of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.
The Chief Audit Executive must communicate the internal audit activity’s plans and resource requirements, including
significant interim changes, to Senior Management and the Board for review and approval.
Besides, the Chief Audit Executive must report periodically to Senior Management and the Board on the internal audit
activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant
risk exposures and control issues, including fraud risks, strategic risks, governance issues, and other matters needed or
requested by Senior Management and the Board.
5.2.2. Engagement Planning
For each engagement, the CAE will define the engagement’s objectives, scope, timing, and resource allocations.
In planning the engagement, Internal Auditors must consider:
• the objectives of the activity being reviewed and the means by which the activity controls its performance;
• the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact
of risk is kept to an acceptable level;
• the adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control
framework or model; and
• the opportunities for making significant improvements to the activity’s risk management and control processes
(Performance Standard 2201).
Each engagement will start with a mission letter that will specify to the auditees the scope, objectives and timing of the
engagement as well as the documentation to be received in order to prepare the engagement.
The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties,
including those under the control of third parties.
1 See Glossary, appendix 2.
Finally, Internal Auditors must develop and document work programs that achieve the engagement objectives. Work
programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the
engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly.
The work programs will be as follows:
Objective/Area | Risk | Likelihood/Significance | Actual Controls | Evaluation of Adequacy | Tests of Effectiveness
For each area reviewed, they will evaluate the risk, the controls that are implemented and their adequacy. Finally, they will
define the tests to be performed in order to evaluate the effectiveness of the controls in place (substantive, analytical, ad
hoc testing).
5.2.3. Performing the Engagement
Overall, Internal Auditors must identify, analyze, evaluate, and collect sufficient information to achieve the engagement’s
objectives.
More specifically, Internal Auditors must base conclusions and engagement results on appropriate analyses and evaluations.
Internal Auditors must also document relevant information to support the conclusions and engagement results.
Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed.
This is the overall responsibility of the CAE.
5.2.4. Communicating Results
Internal Auditors must communicate the engagement results. This implies an evaluation of the residual risk and a discussion
with the management about the findings and recommendations.
More specifically, communications must include the engagement’s objectives and scope as well as applicable conclusions,
recommendations, and action plans. Final communication of engagement results must, where appropriate, contain Internal
Auditors’ overall opinion and/or conclusions. Internal Auditors are encouraged to acknowledge satisfactory performance in
engagement communications. When releasing engagement results to parties outside the organization, the communication
must include limitations on distribution and use of the results.
The Chief Audit Executive or designee reviews and approves the final engagement communication before issuance and
decides to whom and how it will be disseminated.
5.2.5. Monitoring Progress
The Chief Audit Executive must establish a follow-up process to monitor and ensure that management actions have been
effectively implemented or that Senior Management has accepted the risk of not taking action. Most of the time, key
performance indicators are communicated to the Audit Committee.
CHAPTER IV: PROFESSIONAL STANDARDS ON COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
In this chapter, we will provide a summary of the professional standards dealing with the cooperation between internal and
External Auditors. We recommend that readers consult the IBR/IRE website mentioned for more details.
1. EXTERNAL AUDIT STANDARDS
1.1. Belgian legal context: using the work of others and engagement acceptance
The Belgian IRE/IBR has issued the following recommendations1 - which do not have the same compulsory character as a
standard on auditing - in respect of the use of the work of others:
• Using the work of another auditor;
• Using the work of an internal audit department;
• Using the work of experts.
Each of these recommendations defines principles and provides guidance regarding the use of the work of others as audit
evidence. Within the context of this study, we restrict our comments to the recommendation “Using the work of an
internal audit department”, which to a large extent has been inspired by ISA n° 610 “Considering the work of Internal
Auditing”.
In the context of cooperation between internal and External Auditors, the recommendation on engagement acceptance
should also be mentioned. Although they are neither a recommendation nor a standard, it is also worth mentioning the
examples of a contractual framework for services in which authorized communication between internal and External Auditors
could be formalized.
Scope and objectives of internal auditing
It is recognized that the activities of the internal audit department can vary widely. Depending upon the size and structure
of the entity and the requirements of its management, a distinction is made between:
• review of internal controls surrounding financial or accounting information and systems, and
• review of the efficiency and effectiveness of operations.
Relationship between Internal Auditors and the External Auditor
The External Auditor could consider the work of the internal audit department and its effect on external audit procedures,
provided that:
• the control objectives fit in with the scope of the external audit procedures;
• the Internal Auditors have the right professional qualifications.
The External Auditor has however the sole responsibility for the audit opinion expressed and this responsibility is not
reduced by any use made of internal auditing.
1 Available on the website of IRE/IBR: www.ibr-ire.be
Review and assessment of internal audit function
As part of his decision process on the extent the External Auditor will use and rely on the work of the Internal Auditors, he
could assess:
• the planning and timing for internal audit work;
• the access to relevant working files and other documentation of the department;
• the reporting and follow up of exceptions and anomalies found to exist.
In addition the External Auditor could evaluate the appropriateness of performing audit procedures in areas covered in
detail by the internal audit department.
Restrictions on the reliance on and use of internal audit work
The recommendation points out that the existence of an internal audit department cannot be a pure substitute for the
control work of the External Auditor. The fact that the External Auditor is solely responsible for the opinion he expresses on
the financial statements implies that his audit scope must cover all relevant aspects of the accounts, regardless of
whether he is able to rely on the work of the Internal Auditors. This also means that the External Auditor assumes full
responsibility for all internal audit work on which he has been relying.
It is recommended that the External Auditor personally cover all aspects and transactions having a significant
impact on the financial statements, including the evaluation of accounting and valuation principles, as well as the correct
application of the Belgian Company Act.
Letter of engagement
Before the start of the audit engagement, the client and the External Auditor should clearly set out the terms of the audit
assignment in order to avoid misunderstandings with respect to the engagement. This engagement letter documents and
confirms the Auditor’s acceptance of the appointment, the objective and scope of the audit, the extent of the Auditor’s
responsibilities to the client and the form of any reports. The arrangements (at least in general
terms) concerning the involvement of and cooperation with Internal Auditors (and other client staff) should also be included.
Example of contractual framework for services
For the External Auditors who so wish, the IBR/IRE provides an example of a letter summarizing the terms of business, which can
be found on the web site of the ICCI (www.icci.be). These terms of business (conditions générales / algemene voorwaarden)
together with the engagement letter form the entire agreement between the client and the External Auditor.
Although the example of such a letter - because of its general nature - does not include any specific reference to the
cooperation of internal and External Auditors or simply to the External Auditor’s access to the working files and reports of
the Internal Auditors, it is recommended where applicable to make mention of such authorized communication in the letter
“contractual framework for services”.
Definition of nature and extent of the use of the internal audit work
Under this caption guidance is provided on the External Auditor’s requirements for using the work of the internal audit
department. Particular attention is suggested for:
• the degree of independence of the internal audit function within the entity’s organization;
• the technical competence of its staff;
• the extent of the scope of their work;
• the professional care for the planning and execution of the work.
1.2. International Standards on Auditing (ISA)
The International Standards on Auditing (ISAs) are developed by the International Federation of Accountants (IFAC) through
its International Auditing and Assurance Standards Board (IAASB). For more details, consult: http://www.ifac.org/IAASB/
ISA 610: Considering the work of internal audit
Overall, the ISA recommends that the External Auditor could consider the activities of internal auditing and their effect, if
any, on external audit procedures. This ISA stresses that, irrespective of the degree of autonomy and objectivity of internal
auditing, it cannot achieve the same degree of independence as required by the External Auditor when expressing an
opinion on the financial statements. The External Auditor has sole responsibility for the audit opinion expressed, and that
responsibility is not reduced by any use made of internal auditing.
The External Auditor could obtain a sufficient understanding of internal audit activities to identify and assess the risks of
material misstatement of the financial statements and to design and perform further audit procedures. Effective internal
auditing will often allow a modification in the nature and timing, and a reduction in the extent of audit procedures performed
by the External Auditor but cannot eliminate them entirely. When obtaining and performing an assessment of the internal
audit function, the important criteria are:
• organizational status;
• scope of function;
• technical competence;
• due professional care.
When planning to use the work of internal auditing, the External Auditor will need to consider internal audit’s tentative
plan for the period and discuss it at the earliest stage. It is desirable to agree in advance the timing of the work of internal
auditing, the extent of audit coverage, materiality levels and proposed methods of sample selections, documentation of
the work performed and review and reporting procedures. Besides, liaison with internal auditing is more effective when
meetings are held at appropriate intervals during the period. The External Auditor would need to be advised of and have
access to relevant internal auditing reports and be kept informed of any significant matter that comes to the Internal
Auditor’s attention which may affect the work of the External Auditor. Similarly, the External Auditor would ordinarily
inform the Internal Auditor of any significant matters which may affect internal auditing.
1.3. Statements on Auditing Standards (SAS)
Statements on Auditing Standards (SASs) are issued by the Auditing Standards Board (ASB), the senior technical body of
the American Institute of Certified Public Accountants (AICPA). For more details, consult:
http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/.
SAS No. 65: The Auditor’s Consideration of the internal audit Function in an Audit of Financial Statements
When obtaining an understanding of internal control, the External Auditor could obtain an understanding of the internal
audit function sufficient to identify those internal audit activities that are relevant to plan the audit. The External Auditor
ordinarily could make inquiries about the Internal Auditors’:
• organizational status within the entity;
• application of professional standards;
• audit plan, including the nature, timing, and extent of audit work;
• access to records and whether there are limitations on the scope of their activities.
Relevant activities are those that provide evidence about the design and effectiveness of controls that pertain to the entity’s
ability to initiate, authorize, record, process and report financial data consistent with the assertions embodied in the
financial statements or that provide direct evidence about potential misstatements of such data. The External Auditor may
find the results of the following procedures helpful in assessing the relevancy of internal audit activities:
• considering knowledge from prior-year audits;
• reviewing how the Internal Auditors allocate their audit resources to financial or operating areas in response to their
risk-assessment process;
• reading internal audit reports to obtain detailed information about the scope of internal audit activities.
When assessing the Internal Auditors’ competence, the External Auditor could obtain or update information from prior
years about such factors as:
• educational level and professional experience of Internal Auditors;
• professional certification and continuing education;
• audit policies, programs, and procedures;
• practices regarding assignment of Internal Auditors;
• supervision and review of Internal Auditors’ activities;
• quality of working-paper documentation, reports, and recommendations;
• evaluation of Internal Auditors’ performance.
When assessing the Internal Auditors’ objectivity, the External Auditor could obtain or update information from prior years
about such factors as:
• the organizational status of the Internal Auditor responsible for the internal audit function;
• policies to maintain Internal Auditors’ objectivity about the areas audited.
In making judgments about the extent of the effect of the Internal Auditors’ work on the Auditor’s procedures, the External
Auditor considers:
• the materiality of financial statements amounts in terms of accounts balances or transactions allocations;
• the risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial
statement amounts;
• the degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions.
1.4. Public Company Accounting Oversight Board (PCAOB) Standards
The Public Company Accounting Oversight Board (PCAOB) is a private sector, nonprofit corporation, created by the
Sarbanes-Oxley Act of 2002, to oversee the Auditors of public companies in order to protect the interests of investors and
further the public interest in the preparation of informative, fair, and independent audit reports. For more details, consult:
http://www.pcaob.org/Standards/index.aspx.
Auditing Standard No. 5: An audit of internal control over financial reporting that is integrated with an audit of
financial statements
For purposes of the audit of internal control the External Auditor may use the work performed by, or receive direct
assistance from, Internal Auditors, company personnel (in addition to Internal Auditors), and third parties working under
the direction of management or the Audit Committee that provides evidence about the effectiveness of internal control
over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the
External Auditor also may use this work to obtain evidence supporting his assessment of control risk for purposes of the
audit of the financial statements.
The External Auditor could assess the competence and objectivity of the persons whose work he plans to use to determine
the extent to which he may use their work. The higher the degree of competence and objectivity, the greater use the
External Auditor may make of the work. The External Auditor could apply the principles outlined in SAS No. 65 (cf. above)
to assess the competence and objectivity of Internal Auditors. Personnel whose core function is to serve as a testing or
compliance authority at the company, such as Internal Auditors, normally are expected to have greater competence and
objectivity in performing the type of work that will be useful to the External Auditor.
2. INTERNAL AUDIT STANDARDS
2.1. The Institute of Internal Auditors (IIA): International Professional Practices
Framework (IPPF)
The Institute of Internal Auditors (IIA) provides for internal audit professionals all around the world authoritative guidance
organized in the International Professional Practices Framework as mandatory and strongly recommended guidance.
For more details, consult: http://www.theiia.org/guidance/standards-and-guidance/.
Performance Standard 2050: Coordination
The Chief Audit Executive (CAE) could share information and coordinate activities with other internal and external providers
of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.
A recent practice advisory¹ suggests that the CAE completes an assurance map of the organization in order to ensure that the
assurance requirements of the Board are fulfilled. This map would, for each risk category, define the residual risk, the risk
owner (management) and the coverage of the different assurance functions (internal and External Auditors but also Risk
Managers, Compliance Officers and other assurance functions).
The CAE is responsible for regular evaluations of the coordination between internal and External Auditors. The CAE obtains
the support of the Board to coordinate audit work effectively. Such evaluations may also include assessments of the overall
efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates
the results of these evaluations to Senior Management and the Board, including relevant comments about the performance
of External Auditors.
Without prejudice to art. 79 of Belgian law of July 22, 1953, coordinated in 2007 on professional confidentiality of External
Auditors, organizations may use the work of External Auditors to provide assurance related to activities within the scope
of internal auditing. In these cases, the CAE takes the steps necessary to understand the work performed by the External
Auditors, including:
• the nature, extent, and timing of work planned by External Auditors, to be satisfied that the External Auditors’ planned
work, in conjunction with the Internal Auditors’ planned work, satisfies the requirements of Standard 2100 (Nature of
Work);
• the External Auditors’ assessment of risk and materiality;
• the External Auditors’ techniques, methods, and terminology to enable the CAE to (1) coordinate internal and external
auditing work; (2) evaluate, for purposes of reliance, the External Auditors’ work; and (3) communicate effectively with
External Auditors;
• access to the External Auditors’ programs and working papers, to be satisfied that the External Auditors’ work can
be relied upon for internal audit purposes. Internal Auditors are responsible for respecting the confidentiality of those
programs and working papers.
The External Auditors may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs
to provide sufficient information to enable External Auditors to understand the Internal Auditors’ techniques, methods, and
terminology to facilitate reliance by External Auditors on work performed. Access to the Internal Auditors’ programs and
working papers is provided to External Auditors in order for External Auditors to be satisfied as to the acceptability for
external audit purposes of relying on the Internal Auditors’ work.
The internal audit activity’s final communications, management’s responses to those communications, and subsequent
follow-up reviews are to be made available to External Auditors. In addition, Internal Auditors need access to the External
Auditors’ presentation materials and management letters. Matters discussed in presentation materials and included in
management letters need to be understood by the CAE and used as input to Internal Auditors in planning the areas to
emphasize in future internal audit work. After review of management letters and initiation of any needed corrective action
by appropriate members of Senior Management and the Board, the CAE ensures that appropriate follow-up and corrective
actions have been taken.
1 Practice Advisory 2050-2: Assurance Maps, IIA International, August 2009.
3. SPECIFIC STANDARDS FOR FINANCIAL INSTITUTIONS
3.1. Basel Committee on Banking Supervision
The Basel Committee on Banking Supervision provides a forum for regular cooperation on banking supervisory matters. Its
objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide.
The Committee is best known for its international standards on capital adequacy; the Core Principles for Effective Banking
Supervision; and the Concordat on cross-border banking supervision. For more details, consult:
http://www.bis.org/bcbs/index.htm.
Internal audit in banks and the Supervisor’s relationship with Auditors
Principle 14 notes that supervisory authorities could have periodic consultations with the bank’s Internal Auditors to discuss
the risk areas identified and the measures taken. On the same occasion, the extent of the cooperation between the bank’s
internal audit department and the bank’s External Auditors may also be discussed.
Principle 16 recommends that supervisory authorities could encourage consultation between internal and External Auditors
in order to make their cooperation as efficient and effective as possible.
Overall, co-operation between banking supervisors, the Internal Auditor and the External Auditor optimizes supervision.
CHAPTER V
THE COOPERATION BETWEEN EXTERNAL
AND INTERNAL AUDITORS
In this chapter, we will provide an overview of current practices based on a survey conducted and interviews with External
Auditors and Internal Auditors. We will also define best practices for the cooperation between external and Internal
Auditors.
1. THE FEEDBACK FROM THE SURVEY AND THE INTERVIEWS
A survey and interviews were conducted amongst internal and External Auditors in the beginning of 2009 (see details of the
participants in appendix 5).
1.1. Commitment
Internal Auditors currently take an active role in promoting cooperation between internal and external audit (76.2%). This
is fully confirmed by External Auditors (100%). For the future more than 93% of the Internal Auditors are willing to take an
active role in the promotion vs 100% for the External Auditors.
The main reasons for internal and External Auditors for not promoting the cooperation are the following ones:
• conflict of interests (different but complementary missions);
• corporate decision for a clear segregation between the types of Auditors;
• unequal sharing of information;
• high rotation of junior External Auditors.
The interviews reveal new elements such as:
• communication problems on the side of External Auditors;
• unwillingness on the part of External Auditors;
• lack of transparency on the part of External Auditors;
• unequal quality of Internal Auditors, due to various backgrounds. So cooperation is not always possible and External
Auditors must re-do some testing;
• Internal Auditors are not always perceived as fully independent from the management.
According to the interviews, the size of the internal audit department seems to influence the scope of the commitment: in
smaller departments, less specific exchanges may be organized. The maturity of the internal audit department is another
important element for defining the cooperation between the two professions. The initiative for the cooperation is mostly coming
from the Internal Auditors, but it is interesting to notice that it sometimes comes from the CFO or the Audit Committee.
1.2. Benefits
Internal Auditors were asked to assess the following benefits of a good cooperation with the External Auditors and the
figures below are expressed in % of answers:
External Auditors were asked if they consider the following benefits of a good cooperation with the Internal Auditors and the
figures below are expressed in % of answers:
Both professions think that cooperation increases the audit work efficiency. But it is interesting to notice that the cost
reduction is not a recognized benefit for the External Auditors.
The exchange of expertise, the knowledge sharing and the better coordination of work are the benefits listed by both
professions.
Otherwise, Internal Auditors do also mention as additional benefits the following points:
• the decrease of workload for the External Auditors;
• the improvement of the client’s image about auditing;
• the increase of confidence by the Audit Committee (building trust);
• the avoidance of double work;
• the alignment of methodologies between external and Internal Auditors;
• the increase of knowledge about the company and the industry for the External Auditor;
• the advice from External Auditors: sounding board;
• the limited surprises for the management at year end.
The External Auditors have identified the following additional benefits:
• the improvement of the fieldwork quality thanks to the Internal Auditors’ knowledge;
• the reduction of audit risk thanks to a better understanding of the risk management;
• the optimization of available resources.
1.3. Communication
The Internal Auditors were asked if they consult the External Auditors on different matters. The External Auditors were
asked if they consult the Internal Auditors on the same matters. The following table explains the view of each party.
According to the survey, the communication between External Auditors and Internal Auditors is more active on the side of
External Auditors.
However during the interviews it appeared that many Internal Auditors do not get information from the external ones.
It seems also that sometimes External Auditors discuss the risk analysis with Internal Auditors when appropriate for their
own analysis.
The communication between External Auditors and Internal Auditors is more active on the side of External Auditors.
The exchange of the planning facilitates the global assurance to the Board of Directors and/or Audit Committee. It could
be a responsibility of the Audit Committee to guarantee the coordination between the two plannings and the exchange of the
reports.
The internal and External Auditors were also asked the following questions:
The Internal Auditors were asked whether they communicate with the External Auditors on different matters. The External
Auditors were asked whether they communicate with the Internal Auditors on the different matters. The following table
explains the view of each party.
The External Auditors initiate more meetings with the Internal Auditors than the other way around. Only the audit
engagements feedbacks get a better result from the Internal Auditors side.
According to the interviews, External Auditors exchange work papers with Internal Auditors on a limited basis and only when
necessary, because of the assignment responsibility towards shareholders. The External Auditors do review sometimes
the work of Internal Auditors when a formal cooperation is defined.
Different maturity models have been observed:
• Internal Auditor is just a contact point for External Auditor;
• Internal Auditor helps with interim and period-end work for External Auditor;
• Internal Auditor performs significant parts of the interim and period-end work.
Both groups were asked whether or not they use the work of other auditors. The following table explains the view of each
party.
The use of other auditors’ work is very popular on both sides.
Auditors have also been asked why they would not use the work of the other profession. The graphics hereafter describe
the reasons mentioned by each profession:
On the External Auditors side, the lack of knowledge of financial aspects and independence are the most cited reasons for
not collaborating with Internal Auditors.
On the Internal Auditors side, the lack of willingness and the refusal are the main reasons, which suggests that there is still
room for improvement.
During the interviews with Internal Auditors, the personal relationship has also been identified as a factor that could have
an impact on the cooperation. The lack of training, judgement or computerised auditing process of Internal Auditors has
also been mentioned in the interviews with External Auditors.
Some common reasons, for not using the work of each other, have been identified and are:
• the different scope definitions;
• the different materiality levels.
It is interesting to note from the interviews that the different scope of each profession is considered as an advantage for
cooperation by Internal Auditors and as a reason for non cooperation by the External Auditors.
According to the interviews, External Auditors are also helping Internal Auditors in specific matters or countries that they
cannot cover themselves (lack of resources and knowledge).
1.4. Systematic exchanges
Each profession was also asked whether they receive systematic information from the other profession. The graphic below
shows the results:
Only 46% of Internal Auditors do have access to the management letter and only 42% receive the reports from the External
Auditors.
The systematic exchanges and the common methodology are actually very limited on both sides.
2. THE BEST PRACTICES IN RESPECT OF THE COOPERATION BETWEEN EXTERNAL
AND INTERNAL AUDITORS
2.1. Introduction
A workgroup made of representatives of both institutes¹ has analyzed the results of the survey. Interviews with Chief Audit
Executives and External Auditors have been organized in order to discuss the cooperation between external and
Internal Auditors.
The exchanges proposed here below are based on the documentation described above and result from a combination
of various sources in Belgium and abroad.
We will describe best practices for the cooperation. Nevertheless, it is important to remember that this cooperation is only
possible if the internal audit department is mature, professional, complies with the International Professional Practices
Framework (IPPF) and if External Auditors are willing to collaborate.
It is to be noted that both internal and External Auditors are required to follow continuous professional development. In
order to facilitate the use of the same language and terminology and to better understand the methodology of the other,
external and Internal Auditors should be encouraged to follow parts of the education programme provided by the other
institute.
The Internal Auditors’ considerations:
The Professional Standards foresee an external quality assessment of the internal audit department every 5 years. This
review can guarantee the professionalism of the internal audit activities, as it will confirm the reliance with the IPPFs and
show the benchmarking with other internal audit activities.
The External Auditors’ considerations:
External Auditors are required by Law, further defined by a Royal Decree and a standard, to submit to a quality control by
peer review every 3 years when they audit public interest entities and every 6 years otherwise.
External Auditors must be informed about the competence, organization and charter of an independent internal audit
department in the organization they review.
Most of the time, External Auditors will have to assess the level of reliance they may apply on the internal audit
department.
The criteria mostly used are the following:
• the qualifications and experience of the team;
• the documentation and methodology used for the engagements (review of the Internal Auditors working papers);
• the conformity with the IPPFs and implementation of a strong quality assurance and improvement program over all
processes in the internal audit activity, including human resources and hiring;
• the ethical behavior based on The Institute of Internal Auditors’ Code of Ethics to Internal Auditors, etc.;
• the maturity of the internal audit department;
• the performance of a risk assessment for the internal audit activity to identify potential risks that might impact its
“brand”;
• the evaluation of the internal audit department within the organization (surveys, reporting, etc.).
In all cases, the External Auditors must assess the work of the Internal Auditors when using it and extend the testing when
necessary.
In addition the External Auditors must be:
• informed about the possible cooperation;
• knowledgeable about the way Internal Auditors are working;
• informed about the acceptance of this cooperation according to the Professional Standards;
• in good relationship with the Internal Auditors;
• willing to cooperate and work in teams, etc.
1 See p. 2.
2.2. Risk Management Assessment
2.2.1. Introduction
The importance of strong corporate governance and of managing risks has been increasingly acknowledged. Organizations
are under pressure to identify all the business risks they face (social, ethical and environmental as well as financial and
operational) and to explain how they manage them to an acceptable level. The cooperation is only possible if the companies
are using a risk management framework. More and more companies use an enterprise-wide risk management framework
and recognize its advantages over less coordinated approaches to risk management.
Internal and External Auditors contribute to the management of risk in a variety of ways.
2.2.2. Role of internal audit
The Internal Auditors usually assist the management in the implementation of a risk management process by giving training
and advice. Their role is mainly a consulting one in this case. Once the process is up and running, Internal Auditors will
provide assurance in three areas:
• risk management process (design and ongoing function);
• management of “key” risks including effectiveness of mitigating risks;
• assessment of risks and the reporting of their status.
In some organizations, Internal Auditors may facilitate the implementation of the control self assessment process.
2.2.3. Role of external audit
At the start of every new mission, the External Auditors assess the risks that impact the financial statements. Governance
and monitoring of the risks by the appropriate levels in the entity being audited is high on the agenda of the External
Auditor, in order to assess the risk related to the engagement. In this context, they will review and discuss the enterprise
risk management (ERM)¹ process with the persons responsible in the organization and evaluate if the existing risk management
process leads to a monitoring of the entity’s risks. Besides these considerations, external audit updates its knowledge on
industry data, legislation evolution, external factors, etc., in order to plan the audit adequately.
2.2.4. Cooperation proposed
The level of the cooperation depends on the implementation and maturity of an ERM process in the organization.
In organizations where the process exists and is up and running, exchanges of information between the external and
Internal Auditors should be organized.
The assessment of the ERM process (audit report) made by the Internal Auditors should be given to the External Auditors.
If some recommendations affect the financial statements, they should be discussed with the External Auditors.
During the yearly assessment (for the planning), External Auditors should participate in a workshop with the Internal
Auditors where they would debate the financial risks. The experience and knowledge of the External Auditors would
be a real asset for a detailed analysis of the financial and compliance areas.
In organizations where self assessment is performed, the implementation details should be discussed with the External
Auditors in order to ensure that financial and compliance risks are addressed appropriately.
In organizations where ERM does not exist, it would nevertheless be interesting that internal and External Auditors exchange
their views on the risk assessments they have made.
1 See Glossary for the definition, appendix 2.
2.2.5. Benefits
If cooperation between internal and External Auditors is organized in the area of risk management, the main benefits could be:
• the use of a common methodology (framework, language, evaluation criteria,…);
• a (common) message to the Board/Audit Committee regarding the main risks identified in the organization;
• transparency in terms of risks identification, evaluation and management;
• assessment of the risks through the use of internal information (Internal Auditors) and external information (External
Auditors).
2.3. Internal Control Assessment
2.3.1. Introduction
It is up to every company to design an internal control system which is suitably adapted to its situation. Executive Management
or the management Board conceives the internal control system. The principal directional guidelines in terms of internal
control are determined in line with the company’s objectives.
These objectives must be applicable to the various units of the entity and clearly communicated to staff so that they can
understand and adhere to the organization’s risk and control policy.
Internal control will be that much more relevant if it is built on rules of conduct and integrity.
2.3.2. Definition
Internal control is a company’s system, defined and implemented under its responsibility, which aims to ensure that:
laws and regulations are complied with; the instructions and directional guidelines fixed by Executive Management or the
management Board are applied; the company’s internal processes are functioning correctly, particularly those implicating
the security of its assets; financial information is reliable; and generally, contributes to the control over its activities, to the
efficiency of its operations and to the efficient use of its resources.
2.3.3. Role of internal audit
Internal Auditors evaluate the internal control processes in terms of efficiency and effectiveness. In some organizations,
the Chief Audit Executive (CAE) may be requested to issue an overall opinion on the adequacy of internal controls within the
organization. This request is becoming more common with the advent of new financial reporting legislation and regulation.
The International Standards for the Professional Practice of Internal Auditing (The Standards), specifically Standard
2410.A1, indicate that the final communication of engagement results, where appropriate, contains the Internal Auditor’s
overall opinion and/or conclusions.
2.3.4. Role of external audit
One of the critical activities in the external audit process is assessing the reliability of financial information and
ensuring that the internal control procedures allow faithful recording of all the operations performed by the organization. As
stated above, the first step in the execution of the audit plan will be the evaluation of internal controls.
The quality of this internal control system can be, amongst others, looked at by means of evaluating:
• segregation of duties, enabling a clear distinction to be made between recording duties, operational duties and retention
duties;
• function descriptions which could enable the origins of the information prepared to be identified, together with its
recipients;
• design, implementation and operating effectiveness of business controls; and
• accounting internal control system enabling to check that the operations have been performed in accordance with general
and specific instructions, and that they have been accounted for so as to produce financial information which complies with
generally accepted accounting principles.
The evaluation of the internal controls is performed throughout the audit. At first, at the planning phase, the External
Auditor looks back on previous experience and corroborates with management on risks and related controls. During the
financial year (and after the closing for closing procedures) the External Auditor investigates if he can rely on the internal
controls structure of the entity. He tests controls or expands the level of substantive testing if the External Auditor feels he
cannot rely on controls, these being deficient, not practical or not functioning on a regular basis.
2.3.5. Cooperation proposed
The internal control evaluation made by Internal Auditors should be communicated to the External Auditors. In case the
CAE expresses a global opinion on internal controls¹, it should be discussed with the External Auditors. For processes with
sophisticated financial impacts, the Internal Auditors should ask the External Auditors for assistance to evaluate these
processes.
Internal Auditors perform more and more integrated audits to assess the internal control besides the IT, governance and
financial dimensions. This last one should be communicated to the External Auditors.
For the interim review done by the External Auditors, it would be interesting to have a close cooperation between External
and Internal Auditors who both evaluate the internal controls’ processes or at least an exchange of the evaluation
documentation on the processes reviewed.
The External and Internal Auditors can discuss executed audit procedures, review each other’s conclusions and evaluate the
use of the work of the other auditor as a basis for the conclusions. In general, where it concerns high risk areas or items
with a particular appreciation of the Auditor (like estimates related to impairments, provisions…), the External and Internal
Auditors will not rely to the full extent on the work of the other party. Indeed, in such cases, the Auditor needs to evaluate
the controls and reinforce its own evaluation procedures.
The two auditors should also exchange their recommendations to improve the internal control process that impacts
the financial statements and the reporting in order to align messages to the Audit Committees or appropriate levels of
management.
2.3.6. Benefits
The cooperation in internal control assessments could mainly generate the following benefits:
• the integration of the internal control processes review (combination of financial and operational processes);
• the reduction of review works for the internal and External Auditors (as they do not test this aspect);
• common language-methodology towards the management that facilitates the discussions with both auditors;
• evaluation of the processes by the best qualified persons (e.g. financial ones by the External Auditors);
• on the field training for both auditors;
• interesting discussions may take place between the external and Internal Auditors in case of differing views and this can
only benefit the organization.
2.4 Audit Plan determination
2.4.1. Introduction
The priorities of the audit activity must be defined and evaluated at least on a yearly basis. It is common practice to set up
a three years plan and to update it yearly. The plan commonly defines the level of activities, the scope and the resources
required.
2.4.2. Definition
The plan is based on the risk analysis and defines the processes to review, the scope of the audit, the workload, the
resources profile, the financial budget and the timing.
1 IIA Practice Guide: “Formulating and expressing internal audit opinion”, April 2009.
2.4.3. Role of internal audit
As defined by the IIA-Performance Standards, the CAE could establish a risk-based plan to determine the priorities of the
internal audit activity, consistent with the organization’s goals. This exercise is based on the audit universe (global scope)
of the internal audit activity and the audit charter that defines the role and responsibilities of the internal audit department.
For all the processes, the risk is evaluated, the internal controls are assessed and the residual risk is defined. The period
of coverage is also defined as well as the changes in the organizations, processes or IT tools. Based on all these elements,
a plan (work schedule, staffing plan, financial budget, scope coverage vs resources limitation) is proposed for approval to
the Audit Committee.
2.4.4. Role of external audit
Every year, the first phase of the audit cycle includes a disciplined and systematic study of the company. Based upon
interviews, updated risk analysis, identification of key management controls and the knowledge of the company (past
audits, sector, materiality level…), the External Auditors define the planning for the review of the financial statements.
The planning includes the work schedule, the scope, the staffing, the budget and the timing. This planning is submitted to
the Audit Committee.
2.4.5. Cooperation proposed
The plannings of both auditors should be discussed before the first Audit Committee meeting, where both auditors ensure
minimal overlap and allocation of the best resources to perform the testing. During this discussion, the cooperation for
some testing should be discussed: the areas where Internal Auditors would rely on External Auditors work and the other
way around. The need for technical financial expertise on some audits should be discussed as well in order to define the
allocation of the work between the external and the Internal Auditors.
2.4.6. Benefits
The integration of the plannings could lead to:
• a better coverage of the audit universe;
• a reduction of the audit activities on one side (external or Internal Auditors);
• optimal allocation of the resources: in terms of headcounts and knowledge;
• an absence of agenda conflicts for the management (e.g.: both auditors will not review the same process during the same
period);
• a better view of the audit work for the Audit Committee that receives a consolidated view, etc.
2.5 Audit Testing
2.5.1. Introduction
Based on the planning defined, the Auditors conduct the engagements and perform different kinds of testing.
2.5.2. Definition
The testing is based on the area reviewed, the level of internal control and risk, the periodicity of the audit.
2.5.3. Role of internal audit
As defined by the IIA-Performance Standards, the internal audit activity evaluates and contributes to the improvement of risk
management, control and governance systems. The testing depends on the type of audit performed: financial, operational,
compliance, IT. More and more Internal Auditors review all aspects of the department (or process or organization) through
an integrated approach that combines the testing in all areas.
The review is made based on defined testing and scoping and may be adapted based on the results (e.g. if the internal
control is very basic, the testing might be limited and a recommendation is made to the management to improve the
internal control process).
Different approaches might be combined: inquiry, observation, inspection, confirmation and computer assisted
techniques.
It is very important to record the information accurately and keep all details of the findings during the testing.
The results of the testing will be the basis to define the recommendations and improvement points for the management
and the Audit Committee.
2.5.4. Role of external audit
The methodology is similar to the one used by the Internal Auditors. Nevertheless, the External Auditors will perform
advanced testing for all risks that have been identified as critical in the audit plan and areas where internal audit has no
independence/expertise.
The objectives of the testing will be the design and implementation and operational effectiveness of the internal controls to
ensure the completeness, the existence, the accuracy, the evaluation, the ownership and the presentation of the financial
statements.
The results of the testing will be evaluated and translated into financial impacts (positive or negative) but also to
improvements of the internal control and risk management processes. A recommendation letter will in a lot of cases be
remitted to management to ensure that appropriate follow up of the findings is guaranteed.
2.5.5. Cooperation proposed
Based on the planning defined, different types of cooperation may take place:
• team set up with external and Internal Auditors who perform the testing together;
• exchange of the working papers between the external and Internal Auditors (both sides) in order to avoid that both
auditors perform the same testing. This cooperation may take place at the preparation phase (collection of information
about the process reviewed) and goes on during the testing and results phases;
• additional testing of external or Internal Auditors for some processes instead of full testing.
The cooperation between the external and Internal Auditors should take place at the interim as well: circularization for
example can also be delegated to the Internal Auditors.
It is important to note that External Auditors will perform solely the testing of processes that have significant impact on
the financial statements and will not be able to “outsource” this to the Internal Auditors.
2.5.6. Benefits
The cooperation between the internal and the External Auditors could:
• increase the coverage of the testing;
• reduce the detection risk (risk that an issue is not identified by the audit);
• reduce the workload of the internal and External Auditors in some areas and authorize other engagements (more
consulting for the Internal Auditors for example);
• facilitate the use of the best qualified person for each engagement (by combining resources and knowledge);
• reduce the overlap of work on the field and reduce the time spent by the management on audit enquiries.
2.6 Audit Reporting
2.6.1. Introduction
The final output of the audit work is materialized with the reporting.
2.6.2. Definition
The reporting aims to inform the auditees about the findings and the recommendations. It is also a useful document for the
Board/Audit Committee in order to follow up the engagements made and the actions to be taken.
2.6.3. Role of internal audit
As defined by the IIA-Performance Standards, an audit report is the basis for the evaluation of the internal audit activity
by the management and the Board/Audit Committee. It includes the engagement’s objectives, scope and applicable
conclusions, recommendations and action plans. The report could disclose the compliance with the Standards. More and
more, the report includes a general rating for the process/organization reviewed as well as the residual risk estimated.
A draft report is discussed with the Management in charge of the process/organization reviewed in order to validate the
recommendations and set up the action plans. If the Management and the Auditors do not agree on some recommendations,
the comments of the Management will be included in the final report. Usually, the final report is sent to the External
Auditors, after the validation by the Management and the presentation to the Management Committee.
2.6.4. Role of external audit
The External Auditors are legally obliged to issue a report about the “true and fair view” of the financial statements
(statutory accounts). The report may include different kinds of opinion depending on the findings in the audit on the
financial statements and related controls, the adjustments proposed to the Financial Statements, the going concern of the
organization.
External Auditors are required to request a representation letter in order to make the CEO and CFO aware of their obligations
and ensure that all relevant information has been communicated before issuing this report.
2.6.5. Cooperation proposed
Internal Auditors should communicate their reports systematically to the External Auditors. If a “draft” exists and the
subject is important for the External Auditors, the main conclusions and the general rating may be discussed with the
External Auditors.
The External Auditors should communicate their reports and management letter to the Internal Auditors.
For the post balance sheet review, the discussion takes place between the External Auditors and the management/Board
of directors. The internal audit can assist in case they have performed engagements after the closing of the financial
statements that do impact the financial statements (adjustment not identified by the External Auditor). This should be
highly relevant for example in case of fraud detection or internal control weaknesses, new issues identified and not provided
for.
2.6.6. Benefits
With a transparent communication on both sides, the knowledge of the Auditors (external and internal) about the organization
will increase and their risk assessment will improve. This is also the final result of a good and efficient cooperation.
2.7 Recommendations follow up
2.7.1 Introduction
The management takes action to correct the weaknesses identified by the Auditors.
2.7.2. Definition
The recommendations made are based on best practices and aim to reduce the risk of the process/organization reviewed.
A good balance between the needs required to correct the issue and the benefits must be made. Indeed, sometimes,
management may decide not to implement some recommendations because the costs – benefits are not well balanced. The
remaining risk is then accepted by the management and communicated to the Audit Committee.
2.7.3. Role of internal audit
In the action plan, Internal Auditors have defined, together with the management, the actions, the due dates and the persons responsible.
They are responsible for establishing a process to monitor and ensure that management actions have been effectively
implemented or that Senior Management has accepted the risk of not taking action.
The follow up includes the recommendations made by External Auditors and may include recommendations from other
parties (quality audit,…). Key performance indicators are published in order to show the results of the recommendations’
implementation.
If the recommendations are due, it is good practice to inform the Audit Committee about the delays and the reasons
advanced by the management.
For high risk, Internal Auditors may conduct an engagement to evaluate the implementation.
2.7.4. Role of external audit
The External Auditors follow up the remarks of the management letter during their next visit. The review is similar to the
one of the Internal Auditors. Any subsequent events that affect the financial position of the entity will be taken into account
for the opinion.
2.7.5. Cooperation proposed
Internal Auditors should include the recommendations of the External Auditors in their follow up. They should also send
the KPIs to the External Auditors so that they may follow up the reaction of the management on the recommendations.
2.7.6. Benefits
A consolidated view of all recommendations and the implementation status is available for the management and the Audit
Committee. As Internal Auditors are present in the organization, they may remind the management of the recommendations
due on a more regular basis than External Auditors.
APPENDIX 1.
How Do I ... Distinguish Internal and External Auditing?1
Internal Auditors and External Auditors each play an important role in the governance of an organization. Both groups have
mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional
standards set by their respective professional bodies. Additionally, both types of auditors operate independently of the
activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks
faced by the organization they serve. Yet, with all of their similarities, internal auditing and external auditing are two distinct
functions that have numerous differences.
ORGANIZATIONAL STRUCTURE
Internal Auditors represent an integral part of the organization - their primary clients are management and the Board.
Although historically Internal Auditors have reported to the Chief Financial Officer or other Senior Management staff, the
trend today is for internal auditing to report directly to the Audit Committee.
Conversely, External Auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by
statute and by the Board of directors.
The IIA defines internal auditing as «an independent, objective assurance and consulting activity designed to add value
and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic,
disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.»
In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation.
This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles,
whether they fairly present the financial position of the organization, whether the results of operations for a given period of
time are represented accurately, and whether the financial statements have been affected materially.
 41
DIVERGING APPROACHES
MANDATORY VERSUS VOLUNTARY
In general, internal audit functions are not mandatory for organizations. Instead, their installment is left up to individual
organizations’ discretion.
An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of
some government agencies are also legislated, requiring government auditors to submit the audit report to their respective
legislature.
QUALIFIED AND KNOWLEDGEABLE
The necessary qualifications for an Internal Auditor rest solely on the judgment of the employer. Although Internal Auditors
are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management
personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have
garnered experience that makes them aptly qualified to perform internal auditing.
External Auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide
reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies
must be members of a body of professional accountants recognized by law.
1 Adapted from «Two Sides of Auditing» by Lal Balkaran (Internal Auditor, «Back to Basics,» October 2008).
Appendix 2.
Glossary
1. Risk Management Definition
People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations that
could have a (negative) impact on the achievement of their objectives. These can range from single projects or narrowly
defined types of risk, e.g. market risk, to the threats and opportunities facing the organization as a whole.
2. Enterprise Risk Management
Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization
for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement
of its objectives.
The Board has overall responsibility for ensuring that risks are managed. In practice, the Board will delegate the operation
of the risk management framework to the management team, who will be responsible for completing the activities. One
of the key requirements of the Board or its equivalent is to gain assurance that risk management processes are working
effectively and that key risks are being managed to an acceptable level.
It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This
could be complemented by the provision of objective assurance, for which the internal audit activity is a key source. Other
sources include External Auditors and independent specialist reviews.
In most organizations, the COSO ERM framework1 is used as a tool for the implementation as well as the evaluation of the
ERM process.
1 Enterprise Risk Management Integrated Framework, published in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). More info on www.coso.org
3. Role of internal audit in ERM:
More generally, the schema below describes the role of internal audit in ERM1.
[Schema: role of internal audit in ERM]
1 IIA Position Paper; The role of internal auditing in the ERM, January 2009.
4. Internal Control Integrated Framework
The Internal Control Integrated Framework, published in 1992 by the Committee of Sponsoring Organizations of the
Treadway Commission (COSO) is the most common framework for assessing internal controls.
The framework is a simplified version of the ERM’s one (see above).
The COSO report defines an internal control structure along five elements (control environment, risk assessment, control
activities, information and communication, and monitoring) and three components/objectives (financial reporting, operations
and compliance), with identification of the areas/activities audited (e.g., geographic unit, business unit, process).
APPENDIX 3.
Model internal audit activity charter1
Introduction:
Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of
adding value to improve the operations of the <organization>. It assists <organization> in accomplishing its objectives
by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk
management, control, and governance processes.
ROLE:
The internal audit activity is established by the Board of Directors or oversight body (hereafter referred to as the Board). The
internal audit activity’s responsibilities are defined by the Board as part of their oversight role.
PROFESSIONALISM:
The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including
the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of
Internal Auditing (Standards). This mandatory guidance constitutes principles of the fundamental requirements for the
professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.
The Institute of Internal Auditors’ Practice Advisories, Practice Guides, and Position Papers will also be adhered to as
applicable to guide operations. In addition, the internal audit activity will adhere to <organization> relevant policies and
procedures and the internal audit activity’s standard operating procedures manual.
AUTHORITY:
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is
authorized full, free, and unrestricted access to any and all of <organization> records, physical properties, and personnel
pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its
roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Board.
ORGANIZATION:
The Chief Audit Executive will report functionally to the Board and administratively (i.e. day to day operations) to the Chief
Executive Officer.
The Board will approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Audit
Executive as well as the Chief Audit Executive’s annual compensation and salary adjustment. The Chief Audit Executive
will communicate and interact directly with the Board, including in executive sessions and between Board meetings as
appropriate.
1 Published by the Institute of Internal Auditors, revised on 6/08/2009.
INDEPENDENCE AND OBJECTIVITY:
The internal audit activity will remain free from interference by any element in the organization, including matters of audit
selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and
objective mental attitude.
Internal Auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly,
they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other
activity that may impair Internal Auditor’s judgment.
Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating
information about the activity or process being examined. Internal Auditors must make a balanced assessment of all the
relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.
The Chief Audit Executive will confirm to the Board, at least annually, the organizational independence of the internal audit
activity.
INTERNAL AUDIT PLAN:
At least annually, the Chief Audit Executive will submit to Senior Management and the Board an internal audit plan for
review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for
the next fiscal/calendar year. The Chief Audit Executive will communicate the impact of resource limitations and significant
interim changes to Senior Management and the Board.
The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology,
including input of Senior Management and the Board. Any significant deviation from the approved internal audit plan will
be communicated to Senior Management and the Board through periodic activity reports.
RESPONSIBILITY:
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and
effectiveness of the organization’s governance, risk management, and internal process as well as the quality of performance
in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
• Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such
information.
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations
which could have a significant impact on the organization.
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Evaluating the effectiveness and efficiency with which resources are employed.
• Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and
whether the operations or programs are being carried out as planned.
• Monitoring and evaluating governance processes.
• Monitoring and evaluating the effectiveness of the organization’s risk management processes.
• Evaluating the quality of performance of External Auditors and the degree of coordination with internal audit.
• Performing consulting and advisory services related to governance, risk management and control as appropriate for the
organization.
• Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its
plan.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters
needed or requested by the Board.
• Evaluating specific operations at the request of the Board or management, as appropriate.
REPORTING AND MONITORING:
A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each
internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the
Board.
The internal audit report may include management’s response and corrective actions taken or to be taken in regard to
the specific findings and recommendations. Management’s response, whether included within the original audit report or
provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated
completion of action to be taken and an explanation for any corrective action that will not be implemented.
The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All
significant findings will remain in an open issues file until cleared.
PERIODIC ASSESSMENT:
The Chief Audit Executive will periodically report to Senior Management and the Board on the internal audit activity’s
purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant
risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by
Senior Management and the Board.
In addition, the Chief Audit Executive will communicate to Senior Management and the Board on the internal audit activity’s
quality assurance and improvement program, including results of ongoing internal assessments and external assessments
conducted at least every five years.
Internal Audit Activity charter
Approved this _________ day of ____________, _________.
_________________________________
Chief Audit Executive
_________________________________
Chief Executive Officer
_________________________________
Chairman of the Board of Directors
_________________________________
Chairman of the Audit Committee
APPENDIX 4.
Model Audit Committee Charter1
1 Published by the Institute of Internal Auditors, revised on 6/5/2009
PURPOSE
To assist the Board of Directors in fulfilling its oversight responsibilities for the financial reporting process, the system of
internal control, the audit process, and the company’s process for monitoring compliance with laws and regulations and
the code of conduct.
AUTHORITY
The Audit Committee has authority to conduct or authorize investigations into any matters within its scope of responsibility.
It is empowered to:
• Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization.
• Resolve any disagreements between management and the Auditor regarding financial reporting.
• Pre-approve all auditing and non-audit services.
• Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation.
• Seek any information it requires from employees - all of whom are directed to cooperate with the committee’s requests - or
external parties.
• Meet with company officers, External Auditors, or outside counsel, as necessary.
COMPOSITION
The Audit Committee will consist of at least three and no more than six members of the Board of directors. The Board or
its nominating committee will appoint committee members and the committee chair.
Each committee member will be both independent and financially literate. At least one member shall be designated as the
«financial expert,» as defined by applicable legislation and regulation.
MEETINGS
The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require.
All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will
invite members of management, auditors or others to attend meetings and provide pertinent information, as necessary. It
will hold private meetings with auditors (see below) and executive sessions. Meeting agendas will be prepared and provided
in advance to members, along with appropriate briefing materials. Minutes will be prepared.
RESPONSIBILITIES
The committee will carry out the following responsibilities:
Financial Statements
• Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas,
and recent professional and regulatory pronouncements, and understand their impact on the financial statements.
• Review with management and the External Auditors the results of the audit, including any difficulties encountered.
• Review the annual financial statements, and consider whether they are complete, consistent with information known to
committee members, and reflect appropriate accounting principles.
• Review other sections of the annual report and related regulatory filings before release and consider the accuracy and
completeness of the information.
• Review with management and the External Auditors all matters required to be communicated to the committee under
generally accepted auditing Standards.
• Understand how management develops interim financial information, and the nature and extent of internal and External
Auditor involvement.
• Review interim financial reports with management and the External Auditors before filing with regulators, and consider
whether they are complete and consistent with the information known to committee members.
Internal Control
• Consider the effectiveness of the company’s internal control system, including information technology security and
control.
• Understand the scope of internal and External Auditors’ review of internal control over financial reporting, and obtain
reports on significant findings and recommendations, together with management’s responses.
Internal Audit
• Review with management and the Chief Audit Executive the charter, activities, staffing, and organizational structure of
the internal audit function.
• Have final authority to review and approve the annual audit plan and all major changes to the plan.
• Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or
dismissal of the Chief Audit Executive.
• At least once per year, review the performance of the CAE and concur with the annual compensation and salary
adjustment.
• Review the effectiveness of the internal audit function, including compliance with The Institute of Internal Auditors’
International Professional Practices Framework for Internal Auditing consisting of the Definition of Internal Auditing,
Code of Ethics and the Standards.
• On a regular basis, meet separately with the Chief Audit Executive to discuss any matters that the committee or internal
audit believes should be discussed privately.
External audit
• Review the External Auditors’ proposed audit scope and approach, including coordination of audit effort with internal
audit.
• Review the performance of the External Auditors, and exercise final approval on the appointment or discharge of the
Auditors.
• Review and confirm the independence of the External Auditors by obtaining statements from the Auditors on relationships
between the Auditors and the company, including non-audit services, and discussing the relationships with the
Auditors.
• On a regular basis, meet separately with the External Auditors to discuss any matters that the committee or auditors
believe should be discussed privately.
Compliance
• Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of
management’s investigation and follow-up (including disciplinary action) of any instances of noncompliance.
• Review the findings of any examinations by regulatory agencies, and any auditor observations.
• Review the process for communicating the code of conduct to company personnel, and for monitoring compliance
therewith.
• Obtain regular updates from management and company legal counsel regarding compliance matters.
Reporting Responsibilities
• Regularly report to the Board of Directors about committee activities, issues, and related recommendations.
• Provide an open avenue of communication between internal audit, the External Auditors, and the Board of directors.
• Report annually to the shareholders, describing the committee’s composition, responsibilities and how they were
discharged, and any other information required by rule, including approval of non-audit services.
• Review any other reports the company issues that relate to committee responsibilities.
Other Responsibilities
• Perform other activities related to this charter as requested by the Board of directors.
• Institute and oversee special investigations as needed.
• Review and assess the adequacy of the committee charter annually, requesting Board approval for proposed changes,
and ensure appropriate disclosure as may be required by law or regulation.
• Confirm annually that all responsibilities outlined in this charter have been carried out.
• Evaluate the committee’s and individual members’ performance on a regular basis.
APPENDIX 5.
Demographics
1. Participants in the survey:
63 Internal Auditors and 18 External Auditors have participated in the survey.
2. Size of the organizations represented
[Charts: size of the organizations represented]
3. Activity sector of the organizations represented
For External Auditors, the sectors mentioned are the ones for which they filled in the questionnaire.
21 Internal Auditors belong to Financial Services and 7 to the public sector. For the rest, we have:
[Chart: activity sector of the remaining organizations represented]