External versus Internal Assurance: how to create co-partnership?

Instituut van de Bedrijfsrevisoren, Koninklijk Instituut
Institut des Réviseurs d’Entreprises, Institut royal

The present paper has been written by a working group of representatives of IIA and IRE: Mr Philip MAEYAERT, Mr Virgile NIJS, Mr Paul PAUWELS, Mr Lieven ACKE, Mr Philippe MENÈVE, Mr Gerrit SARRENS and Mrs Michèle MALISART with the help of IIA and IRE/IBR staff members Mrs Pascale VANDENBUSSCHE (Chief Supporting Officer – IIA) and Mrs Stéphanie QUINTART (Responsible Studies IBR/IRE).

Ed. resp.: D. Szafran – IRE/IBR – Rue d’Arenberg 13 – 1000 Bruxelles – Tel.: +32.2.512.51.36 – Fax.: +32.2.512.78.86 – e-mail: info@ibr-ire.be – www.ibr-ire.be
and P. Vandenbussche – IIA Belgium – Rue Royale 109-111, boîte 5 – 1000 Bruxelles – Koningsstraat 109-111, bus 5 – 1000 Brussel – Tel.: +32.2.219.82.82 – Fax: +32.2.217.12.97 – e-mail: info@iiabel.be – www.iiabel.be

Design: greenpepper.be © 2010

TABLE OF CONTENTS

CHAPTER I - INTRODUCTION
CHAPTER II - EXECUTIVE SUMMARY
CHAPTER III - ROLES AND RESPONSIBILITIES
1. ROLE AND RESPONSIBILITIES OF MANAGEMENT
2. ROLE AND RESPONSIBILITIES OF EXTERNAL AUDITORS
  2.1. Qualification as External Auditors
  2.2. Institute of External Auditors
  2.3. Mandate of External Auditors
  2.4. Other legal assignments for External Auditors
  2.5. Other contractual assignments and prohibited services
  2.6. Professional auditing standards
  2.7. Responsibility of External Auditors
3. ROLE AND RESPONSIBILITIES OF INTERNAL AUDITORS
  3.1. Context
  3.2. Definition of internal audit
  3.3. Positioning of internal audit
  3.4. Internal audit engagements
  3.5. IIA’s Standards
    3.5.1. Attribute Standards (AS)
    3.5.2. Performance Standards (PS)
    3.5.3. Glossary
4. ROLE AND RESPONSIBILITIES OF THE AUDIT COMMITTEE
  4.1. Legal regulations regarding the establishment of an Audit Committee
    4.1.1.
Main provisions of the law on Audit Committees
    4.1.2. 2009 Belgian Corporate Governance Code
    4.1.3. Audit Committee charter
  4.2. Responsibilities of the Audit Committee
  4.3. The role of the Audit Committee for the cooperation between external and internal audit
5. AUDITING PROCESS: THE EXTERNAL AND INTERNAL AUDITORS VIEWS
  5.1. The external audit Process
    5.1.1. Client acceptance
    5.1.2. Initial Audit planning process
    5.1.3. Perform the audit plan
    5.1.4. Report and assess performance
  5.2. The internal audit Process
    5.2.1. Planning of the internal audit Activities
    5.2.2. Engagement Planning
    5.2.3. Performing the Engagement
    5.2.4. Communicating Results
    5.2.5. Monitoring Progress
CHAPTER IV: PROFESSIONAL STANDARDS ON COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
1. EXTERNAL AUDIT STANDARDS
  1.1. Belgian legal context: using the work of others and engagement acceptance
  1.2. International Standards on Auditing (ISA)
  1.3. Statements on Auditing Standards (SAS)
  1.4. Public Company Accounting Oversight Board (PCAOB) Standards
2. INTERNAL AUDIT STANDARDS
  2.1. The Institute of Internal Auditors (IIA): International Professional Practices Framework (IPPF)
3. SPECIFIC STANDARDS FOR FINANCIAL INSTITUTIONS
  3.1. Basel Committee on Banking Supervision
CHAPTER V: THE COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
1. THE FEEDBACK FROM THE SURVEY AND THE INTERVIEWS
  1.1. Commitment
  1.2. Benefits
  1.3. Communication
  1.4. Systematic exchanges
2. THE BEST PRACTICES IN RESPECT OF THE COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS
  2.1. Introduction
  2.2. Risk Management Assessment
    2.2.1. Introduction
    2.2.2. Role of internal audit
    2.2.3. Role of external audit
    2.2.4. Cooperation proposed
    2.2.5. Benefits
  2.3. Internal Control Assessment
    2.3.1. Introduction
    2.3.2.
Definition
    2.3.3. Role of internal audit
    2.3.4. Role of external audit
    2.3.5. Cooperation proposed
    2.3.6. Benefits
  2.4. Audit Plan determination
    2.4.1. Introduction
    2.4.2. Definition
    2.4.3. Role of internal audit
    2.4.4. Role of external audit
    2.4.5. Cooperation proposed
    2.4.6. Benefits
  2.5. Audit Testing
    2.5.1. Introduction
    2.5.2. Definition
    2.5.3. Role of internal audit
    2.5.4. Role of external audit
    2.5.5. Cooperation proposed
    2.5.6. Benefits
  2.6. Audit Reporting
    2.6.1. Introduction
    2.6.2. Definition
    2.6.3. Role of internal audit
    2.6.4. Role of external audit
    2.6.5. Cooperation proposed
    2.6.6. Benefits
  2.7. Recommendations follow up
    2.7.1. Introduction
    2.7.2. Definition
    2.7.3. Role of internal audit
    2.7.4. Role of external audit
    2.7.5. Cooperation proposed
    2.7.6. Benefits
Appendix
1. How Do I ... Distinguish Internal and External Auditing?
2. Glossary
3. Model internal audit activity charter
4. Model Audit Committee Charter
5. Demographics

CHAPTER I
INTRODUCTION

The objective of the present paper is to propose best practices in respect of the cooperation between external and Internal Auditors in Belgium. Such cooperation could contribute to improving the governance of companies.

It is to be noted that this document will mainly focus on the private sector in general. Specifications for the financial sector will only be briefly introduced.

This paper first lays down a general framework by identifying the roles and responsibilities of the players involved (see also appendix 1). Management, External Auditors, Internal Auditors and the Audit Committee each have their part to play, subject to their own regulation and limited by their responsibility.
It is also important to describe the auditing process as performed respectively by external and Internal Auditors in order to clearly understand where cooperation between internal and External Auditors could be improved.

Furthermore, some professional standards dealing with the cooperation between internal and External Auditors are summarized to facilitate the reader’s understanding.

Finally, an overview of current practices and proposals of best practices are formulated.

CHAPTER II
EXECUTIVE SUMMARY

The control functions are important in all organizations and are represented by different actors. This is the reason why the cooperation between the different actors is becoming crucial in order to maximize the level of control and the efficiency. Effective cooperation between external and Internal Auditors leads to a range of benefits.

The Audit Committee must play an important role in defining this cooperation and supervising the planning of the activities of the Auditors (external and internal). The committee must take a broad view of audit activity in the organization.

In this position paper, we discuss the roles and responsibilities of the internal and External Auditors. Based on a survey, international standards and discussions in a workgroup, we have also defined best practices for the co-partnership between external and Internal Auditors.

The survey shows that the most important benefit is the increase of the audit work efficiency. Systematic exchanges and common methodology are very limited on both sides.

When we define best practices, we may say that the External Auditors may collaborate in various ways with the Internal Auditors.
The most important criteria to define the levels of cooperation are:
• the maturity of the internal audit department;
• the compliance with the International Professional Practices Framework;
• the certification and experience of the Internal Auditors;
• the quality of the work performed by the Internal Auditors.

When the External Auditors plan to use the work of the Internal Auditors, they will need to consider internal audit’s tentative plan for the period and discuss it at an early stage. They will also need to agree in advance the extent of the internal audit work coverage, the materiality levels and the proposed methods.

This cooperation may take different forms:
• communication of reports, documents;
• regular meetings;
• consultations on risk assessments, internal control assessments, corporate governance issues;
• cooperation included in the audit plans;
• arrangements for the sharing of information;
• set up of common methodology to evaluate risks, internal controls;
• follow up of consolidated findings and recommendations;
• use of the work of the other auditors in order to avoid duplication of work;
• training about external audit methodology, etc.

It is important to set up a clear agreement about the cooperation expected. The cooperation may also be integrated in the internal audit charter.

Because of the wider scope of internal audit work, reliance is most likely to be by external audit on internal audit. Although External Auditors may rely on the work of internal audit, they cannot hand over their responsibilities.

Most External Auditors have good cooperation experience, based on the survey. The main reasons for not promoting the cooperation are corporate decisions, rotation of junior people, unequal sharing of information, maturity levels of the internal audit departments and lack of independence of the internal audit departments.
The survey has shown that the cooperation in practice may vary a lot and that most of the time the initiative is coming from the internal audit departments.

One profession is strongly regulated (the External Auditors) and the other is not, except in the financial sector. Nevertheless, it is important to notice that both professions follow international standards and report on a fixed format.

CHAPTER III
ROLES AND RESPONSIBILITIES

1. ROLE AND RESPONSIBILITIES OF MANAGEMENT

Management is, under the supervision of the Board of directors, responsible for, amongst others, the preparation and the fair presentation of the financial statements in accordance with the applicable financial reporting framework. This responsibility includes designing, implementing and maintaining internal control relevant to the preparation and fair presentation of financial statements that are free from material misstatements, whether due to fraud or error.

The 2009 Belgian Code on Corporate Governance states in this respect that companies that apply the code should amongst others describe and disclose in the Corporate Governance Statement the main features of the company’s internal control and risk management systems. The publication of the Audit Committee Charter is not compulsory but recommended as good practice.

Statutory Audit Directive 2006/46/EC of 14 June 2006¹ requires companies whose securities are admitted to trading on a regulated market and which have their registered office in the European Community to disclose an annual corporate governance statement as a specific and clearly identifiable section of the annual report.
That statement should at least provide shareholders with easily accessible key information about the corporate governance practices actually applied, including a description of the main features of any existing risk management systems and internal controls in relation to the financial reporting process.

The majority of the financial institutions that are under the prudential supervision of the CBFA are required to assess the adequacy of their internal controls (design and operating effectiveness) on a yearly basis and to report the outcome of the assessment to the Board of directors, the CBFA and the statutory auditor. The Statutory Auditors have to assess the internal control measures and report their findings to the CBFA.

2. ROLE AND RESPONSIBILITIES OF EXTERNAL AUDITORS

2.1. Qualification as External Auditors

In Belgium, the qualification as External Auditor (“Réviseur d’entreprises/Bedrijfsrevisor”) is granted by the Belgian Institute of Registered Auditors (“Institut des Réviseurs d’Entreprises / Instituut van de Bedrijfsrevisoren”, abbreviated as IRE/IBR) under the conditions defined in the law of July 22, 1953, which was last coordinated by a Royal Decree of April 30, 2007 in order to comply with most of the provisions of the Statutory Audit Directive 2006/46/EC.

For the purpose of this paper the Registered Auditors are referred to as “External Auditors” in the exercise of the function of statutory auditor (“commissaire/commissaris”) as described below (see point 2.3., p. 11).

External Auditors qualify by completing a three-year training period and passing several examinations organized by the Institute. External Auditors are compelled to continually update their professional knowledge and proficiency, maintain total independence and exercise professional care in the conduct of their work.

2.2. Institute of External Auditors

The IRE/IBR was set up by the law dated July 22, 1953, coordinated in 2007.
The duties of the Institute include:
• admission of the External Auditors (réviseurs d’entreprises / Bedrijfsrevisoren), for individuals as well as for audit firms;
• control over the public register in which External Auditors must be registered;
• drafting of professional auditing standards and recommendations;
• organization of the educational program for trainees;
• supervision of the continuous education of the External Auditors;
• organization of the periodic quality control over the work of External Auditors;
• issue of a code of conduct for External Auditors;
• set up of disciplinary procedures for External Auditors and trainees.

¹ Directive 2006/46/EC of the European Parliament and of the Council amending Council Directives 78/660/EEC on the annual accounts of certain types of companies, 83/349/EEC on consolidated accounts, 86/635/EEC on the annual accounts and consolidated accounts of banks and other financial institutions and 91/674/EEC on the annual accounts and consolidated accounts of insurance undertakings.

The IRE/IBR is accountable to the High Council for Economic Professions and the Minister of Economic Affairs.

2.3. Mandate of External Auditors

External Auditors can only be dismissed by the general shareholders’ meeting under certain conditions as laid down by the Belgian Company Act (art. 135). Unless for serious personal reasons, the External Auditor cannot resign during the fixed term of three years except at a general shareholders’ meeting, and then, only after informing the meeting about the reasons for his resignation.

Each year, the External Auditor must, amongst others, report to the shareholders’ meeting on the true and fair view of the statutory financial statements.
In addition, the Auditor is also required to report as to whether:
• the financial statements and the books and records comply with the legal requirements;
• the directors’ report deals with the information required by law and whether it is consistent with the financial statements;
• the company complies with its articles of association and with the Belgian Company Act.

He must also issue such a report on the consolidated accounts and consolidated directors’ report, where applicable.

The External Auditor is also expected to report on a certain number of transactions or situations if they occur in the entity where he has been appointed, e.g.:
• capital increase by way of a contribution in kind;
• merger or de-merger (split);
• decision to enter into liquidation;
• report on financial and economic information submitted to the workers’ council.

For acting as statutory auditor for financial institutions the External Auditor must in addition be accredited by the CBFA as having the appropriate qualifications to audit such entities.

2.4. Other legal assignments for External Auditors

In smaller entities which are not required to appoint a statutory auditor, an External Auditor (“réviseur d’entreprises/ Bedrijfsrevisor”) will have to be appointed to report specifically on the transactions or situations referred to in the last paragraph of the preceding point.

The appointment of the External Auditor is decided by the general shareholders’ meeting, for a fixed term of three years upon proposal by the Board of Directors and, where applicable, after approval by the workers’ council.

However if an Audit Committee is to be appointed (on voluntary basis or required by law), the proposal of the Board of Directors to appoint an External Auditor is to be submitted to the general shareholders’ meeting based upon a proposal by the Audit Committee.
Financial institutions that are under the supervision of the Banking, Finance and Insurance Commission (CBFA) have to appoint an External Auditor irrespective of their size. Financial institutions that are under the supervision of the CBFA are, amongst others: credit institutions, insurance companies, investment firms, undertakings for collective investment, management companies of undertakings for collective investment.

The Auditors of financial institutions assist the CBFA with the prudential supervision it exercises. The assistance comprises, amongst others, a review and audit of respectively the interim and year-end prudential returns as well as an assessment of the internal control measures taken by Management. This assistance is governed by specific auditing standards and instructions issued by the CBFA.

In accordance with the Belgian Company Act (art. 15, 141 and 142), all companies exceeding certain criteria (number of staff employed, annual turnover and balance sheet total) are required to appoint an External Auditor as statutory auditor (“commissaire / commissaris”).

Consolidated financial statements that exceed the thresholds for statutory audits also need to be audited unless the parent company is exempted from the consolidation requirement due to the fact that its financial statements and those of its subsidiaries are included in the consolidated financial statements of its parent or ultimate parent company, provided that the parent or ultimate parent consolidated financial statements are prepared in accordance with the seventh EC-Directive or equivalent.

2.5. Other contractual assignments and prohibited services

The ‘réviseur d’entreprises / Bedrijfsrevisor’ can also carry out audit assignments on a contractual basis, e.g. due diligence or acquisition reviews, or valuation reports.
He can also provide advisory services in respect of legal or tax situations, or act as arbitrator or liquidator, or even provide internal audit assistance, but always on the condition that his independence is not impaired. Therefore, internal audit services (outsourcing) should not be provided by the same accounting firm that audits the organization’s financial statements, as it would impair the independence of the External Auditor. Nevertheless, the internal audit services could be provided by any other accounting firm.

The ‘réviseur d’entreprises / Bedrijfsrevisor’ can also be requested by the Court to provide an expert opinion.

The following services are considered as prohibited non-audit services:
• to take any managerial decision, or take part in any managerial decision making;
• the provision of bookkeeping services, i.e., the preparation of client accounting records or financial statements;
• the design, development, implementation and management of financial information technology systems;
• to make any valuations that are subsequently incorporated in the financial statements;
• to act for the client in the resolution of litigation, including tax litigation;
• to participate in the recruitment of Senior Management for financial, administrative or management functions.

It is forbidden for an External Auditor to assume any management or director’s function in a commercial company. However individual exemptions may be granted by the Council of IBR/IRE after acceptable advice from the advice and control committee on the independence of External Auditor (ACCOM).

2.6.
Professional auditing standards

Over the years, the IRE/IBR has issued its main “general auditing standards”, as well as a number of specific auditing standards¹, dealing, amongst others, with:
• auditing and reporting in entities having a “workers’ council”;
• reporting on consolidated financial statements;
• control over contribution in kind (including “quasi-contribution” in kind);
• reporting in case of change of legal form;
• audit over merger or de-merger (split) transactions of commercial companies;
• control in connection with proposal to liquidate companies with limited responsibility;
• audit of the Board of Directors report on statutory and consolidated financial statements;
• management representation letter.

In addition, the IRE/IBR has issued a number of recommendations which do not have the compulsory character of the actual auditing standards. However, if the External Auditor does not specifically comply with these recommendations, he should justify the deviation in his working files. These recommendations cover different aspects such as:
• engagement acceptance;
• audit methodology;
• technical aspects of audit methods such as: external evidence, using the work of another auditor, using the work of internal audit, etc.;
• specific aspects of the control work such as the review of financial statement disclosures;
• going concern, etc.

IRE/IBR is actively working on preparing the implementation of the International Standards on Auditing (ISAs) in the near future. It must be said that the present “general auditing standards” as issued by the IRE/IBR are very much in line with the ISA standards.

2.7. Responsibility of External Auditors

The External Auditor is solely responsible for the opinion he expresses on the financial statements, which implies that his audit scope must cover all relevant aspects of the accounts, regardless of whether he is able to rely on the work of the Internal Auditors.
This also means that the External Auditor assumes full responsibility for all internal audit work on which he has been relying.

¹ Available on www.ibr-ire.be

3. ROLE AND RESPONSIBILITIES OF INTERNAL AUDITORS

3.1. Context

The profession of Internal Auditor is internationally recognized thanks to the Institute of Internal Auditors (IIA), which is internationally recognized as a trustworthy guidance-setting body that has developed standards and definitions that support the role and responsibilities of Internal Auditors and provide a guideline to practitioners.

We will present the functioning of the internal audit process according to the IIA’s International Standards for the Professional Practice of Internal Auditing Framework.

3.2. Definition of internal audit

As defined by the IIA, “Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Governance
  Management responsibility: Set up of processes and structures “to inform, direct, manage and monitor the activities of the organization toward the achievement of its objectives¹”
  Internal audit responsibility: “Assess and make appropriate recommendations for improving the governance process in its accomplishment.²”

Regulatory compliance
  Management responsibility: Establish compliance rules and procedures (business code of conduct) and for the members of the organization (declaration form) and its stakeholders to prevent criminal conduct
  Internal audit responsibility: Include in the audit plan compliance assessments of specific areas entailing legal issues

Risk management & internal control management
  Management responsibility: Organize risk management and control processes
  Internal audit responsibility: Assist the management and the Audit Committee by suggesting improvements on the adequacy of risk management and control process.
The Internal Auditor assesses the whole audit universe of the organization he is working for, including the risk management and the compliance functions in case they are present. The independence of the judgement and the quality of advice are very important. The Internal Auditor is however not a judge and makes recommendations based on discussions with management. It is up to management to give the appropriate response.

¹ Glossary IIA.
² Practice Advisory 2130.

3.3. Positioning of internal audit

The positioning of internal audit in the organization is crucial in order to keep the independence of the department. Therefore, it is recommended that internal audit reports to the Audit Committee.

3.4. Internal audit engagements

Giving assurance on governance, risks and controls processes is the key element of the audit work. Besides the audit assignments planned to evaluate the audit universe of the organization, internal audit activities cover other types of engagements such as consultancy at request of the management, and special assignments at request of the executive Committee.

Internal Auditors can also be involved in Control Self-Assessment (CSA) as validator of the process or as consultant.

In the framework of Section 302 of the Sarbanes-Oxley Act, internal audit also plays a role in quarterly financial reporting, disclosures and management certifications, as validator of the process, participant, coordinator or independent assessor.

The role and responsibilities of the internal audit department are described in the internal audit activity charter (see model in appendix 3).

3.5. IIA’s Standards

The International Standards for the Professional Practice of Internal Auditing is made of¹:
• mandatory guidance:
  - definition of internal auditing,
  - code of Ethics,
  - standards (described below).
• strongly recommended guidance:
  - position papers,
  - practice advisories,
  - practice guides.

3.5.1. Attribute Standards (AS)

The Attribute Standards deal with the purpose, authority and responsibility of the Internal Auditor, as well as independence and objectivity rules and those related to proficiency and due professional care. Quality assurance and continuing training are also required from Internal Auditors.

3.5.2. Performance Standards (PS)

The Performance Standards relate foremost to the management of the audit activity (planning, resources, procedures and reporting to the Board of Directors and to the audited Managers).

The Performance Standards state, amongst others, that the Chief Audit Executive could share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

The Performance Standards also stress the importance of engagement planning that takes into account risks, controls and governance processes in place, the adequacy of the resources required for the execution of the audit assignments and the usage of a formalized work program adapted to the audit assignment objectives.

In addition, the PSs give guidelines about performing the engagement and communicating results, monitoring process and, last but not least, the set up of a follow-up system of the recommendations implementation, not only for their own recommendations but also for those issued by External Auditors and local regulators.

3.5.3. Glossary

A glossary with the main definitions is part of the framework.

¹ IPPF issued by IIA Inc. and available on www.iiabel.be/knowledgecenter.

4. ROLE AND RESPONSIBILITIES OF THE AUDIT COMMITTEE

In this chapter the roles and responsibilities of the Audit Committee will be described, in particular in relation to the cooperation between the internal and External Auditors.

4.1.
Legal regulations regarding the establishment of an Audit Committee New regulations regarding, amongst others, the establishment of Audit Committees entered into force in early 2009 following the adoption of the Law of 17 December 2008 on the establishment of Audit Committees in listed companies and financial undertakings1 (the Law of 17 December 2008). The new requirements primarily apply to listed companies, as well as to certain financial institutions, whether listed or non-listed. The Law of 17 December 2008 implements the provisions of the Statutory Audit Directive 2006/46/EC relating to the Audit Committees into Belgian law. Before the adoption of the law, the establishment of an Audit Committee was only a recommendation under the Belgian Corporate Governance Code for Belgian listed companies. 4.1.2. 2009 Belgian Corporate Governance Code The tasks of the Audit Committee as defined in the Law of 17 December 2008 are very much in line with the tasks of the Audit Committee as defined in the 2009 Belgian Corporate Governance Code. The Code provides in respect of the tasks of the Audit Committee the following additional guidance: • monitoring of the financial reporting process: - when monitoring the financial reporting process, the Audit Committee should, in particular, review the relevance and consistency of the accounting standards used by the company and its group. This review should involve assessing the correctness, completeness and consistency of financial information before it is made public and should be based on a programme adopted by the Audit Committee; - the Executive Management should inform the Audit Committee of the methods used to account for significant and unusual transactions where the accounting treatment may be open to different approaches; - the Audit Committee should discuss significant reporting issues with both the Executive Management and the External Auditor. 
• monitoring the effectiveness of the company’s internal control and risk management systems: - the monitoring of the effectiveness of the company’s internal control and risk management systems set up by the Executive Management should be done at least once a year, with a view to ensuring that the main risks are properly identified, managed and disclosed; - the Audit Committee should review the statements included in the Corporate Governance Statement on internal control and risk management. 1 Appendix C of the Belgian Corporate Governance Code. and • s ubject to some exceptions, the Board of Directors of all listed companies and financial institutions are obliged to establish an Audit Committee. The committee must be entirely composed of non-executive members of the Board of directors; • f or listed companies at least one member needs to be “independent” in accordance with the criteria defined in the law and must have a necessary competence in accounting and auditing matters; • s mall listed companies do not need to establish an Audit Committee. In such a case, the tasks of the Audit Committee must be performed by the entire Board of directors, with some necessary provisions such as the appointment of at least one independent director. This exemption also applies to small credit institutions and insurance companies with the exception that the law does not require them to have at least one independent director. Further, if a financial institution or a subsidiary of a group has established an Audit Committee competent for the group, the CBFA can grant an exception to the requirement to establish an Audit Committee. 
Such an exemption possibility does not apply to listed companies; • the Audit Committee has, as a minimum the following tasks: - monitoring the financial reporting process; - monitoring the effectiveness of the company’s internal control and risk management systems; - if there is an internal audit, monitoring the internal audit and its effectiveness; - monitoring the statutory audit of the annual and consolidated accounts, including any follow-up of questions and recommendations of the statutory auditor; - reviewing and monitoring the independence of the statutory auditor, in particular regarding the provision of additional services to the company1. Chapitre III - Role The main provisions of the law on Audit Committees are the following: Responsabilities 15 4.1.1. Main provisions of the law on Audit Committees • monitoring of the internal audit: - the Audit Committee should review the Internal Auditor’s work programme, having regard to the complementary roles of the internal and external audit functions. It should receive internal audit reports or a periodic summary and should monitor management’s responsiveness to the Audit Committee’s findings and recommendations; - if the company does not have an internal audit function, the need for one should be reviewed at least annually. 
• monitoring the statutory audit and the independence of the statutory auditor:
  - the Audit Committee should make a proposal on the selection, appointment of the External Auditor, as well as on the terms of his engagement;
  - the External Auditor shall:
    - annually confirm its independence and inform the committee about the additional services provided;
    - examine with the Audit Committee the risks relating to its independence and the safety measures taken to decrease these risks;
    - provide to the Audit Committee a report describing all relationships between the External Auditor and the company and its group;
  - the External Auditor shall report to the Audit Committee on the key matters arising from the statutory audit and in particular on material weaknesses in internal control in relation to the financial reporting process;
  - the Audit Committee shall review the effectiveness of the external audit process, and management’s responsiveness to the recommendations made in the External Auditor’s management letter;
  - the Audit Committee should investigate the issues giving rise to any resignation of the External Auditor, and should make recommendations regarding any required action.

The Audit Committee must report regularly to the Board of Directors on the performance of its tasks, at least each time the Board of Directors prepares the annual accounts and other (interim) summary financial statements or reports.

4.1.3. Audit Committee charter

Preparing an Audit Committee charter is often referred to as a best practice. The purpose of such a charter is to assist the Audit Committee in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company’s process for monitoring compliance with laws and regulations and the code of conduct.
The IIA published on its website a sample Audit Committee charter that captures many of the best practices used today and complies with the requirements of the Sarbanes-Oxley Act and the U.S. Stock Exchanges. The sample charter can therefore be used as a starting point and should be tailored to any committee’s specific needs and governing rules. The example is included in appendix 4.

4.2. Responsibilities of the Audit Committee

The responsibilities of the Audit Committee cover mainly:
• financial statements and reporting thereon;
• internal control systems;
• supervision of internal audit function;
• appointing and overseeing the work of External Auditor.

As part of the latter, the Audit Committee will have to evaluate the possible cooperation that may be put in practice between the company’s Internal Auditors and the External Auditor. The principle of authorizing such cooperation should be reflected in the Audit Committee Charter. Planning arrangements for the actual cooperation should then be left to both auditors, who should submit their suggestions to the Audit Committee. During the subsequent meetings of the Audit Committee, the latter should review and evaluate the work of both auditors, who normally will participate in such meetings.

4.3. The role of the Audit Committee for the cooperation between external and internal audit

It is clear from the above that there is quite some interaction between the Audit Committee and the internal and the External Auditors. The interaction results, amongst others, from the fact that the Audit Committee has to oversee the performance of the company’s internal and external audit. On the other hand, the Audit Committee does, to a very large extent, rely on other people to help in performing its duties. Internal and external audit functions can be the best resources available to help the Audit Committee perform its function.
The Belgian Corporate Governance Code requires that the Audit Committee meets the external and Internal Auditors to discuss matters relating to its terms of reference and any issues arising from the audit process, and in particular any material weaknesses in internal control. The internal and External Auditors should have free access to the Board. In this context, the Audit Committee should act as the principal point of contact for the internal and External Auditors. The External Auditor and the head of the internal audit team should have direct and unrestricted access to the chairman of the Audit Committee and the chairman of the Board.

The coordination of internal and external audit work is, according to this practice advisory, the responsibility of the Chief Audit Executive¹. The Chief Audit Executive should obtain the support of the Board to coordinate audit work effectively. Assigning the coordination responsibility to an individual will help focus the efforts of the company and make sure that the company continues to work to improve its coordination efforts. In addition, the Audit Committee will be able to easily follow up and monitor the progress made in coordination efforts. The Audit Committee may also choose to suggest ideas and to request feedback directly from the individual in charge of coordination to make sure the coordination efforts move forward. If companies want to improve coordination levels, the internal auditing function should take the first step.
Coordination may also ensure that:
• the planning of both auditors guarantees a maximum of coverage and efficiency by avoiding audits in the same departments and in the same periods;
• both auditors can put greater pressure on Management to prevent the use of aggressive accounting principles than each party can do independently;
• common issues are analyzed together and a common recommendation is made to the Audit Committee;
• communication of reports and issues on both sides is made timely;
• increased audit coverage through coordination lowers the risk of misstatement and fraud, thus decreasing the risk of personal and corporate litigation of each member of the Audit Committee;
• the Audit Committee agenda includes the main audit points that must be discussed.

¹ It is the highest position in the internal audit department.

Through a better cooperation between the internal and External Auditors, risk assessments will be improved and will better integrate internal and external factors (industry changes, compliance, etc.).

Practice Advisory 2050-1 of the IIA on Coordination states that the oversight of the work of the External Auditors, including coordination with the internal audit activity, is the responsibility of the Board (Audit Committee).

Audit Committees may play an important role to facilitate the cooperation between external and Internal Auditors. The objective is to maximize the effectiveness and efficiency of the audits but also to reduce the risk of misstatements.

5. AUDITING PROCESS: THE EXTERNAL AND INTERNAL AUDITORS’ VIEWS

5.1. The External Audit Process

5.1.1. Client acceptance

The statutory auditor will assess his engagement risk and include factors affecting this risk in his client acceptance procedures.
Before he starts any of the audit work, he will conclude on the pervasive risks, including all obligations linked to the legislation on money laundering and fraud risks. Once this phase is completed, the External Auditor will establish the terms of the engagement and document them in an engagement letter, to be signed by the officials representing the company. The engagement team will be selected with care and according to the complexity of the audit.

5.1.2. Initial audit planning process

Understanding the client’s business is essential to a high quality audit. The first phase of an audit cycle includes a disciplined and systematic study of the company based upon interviews with management, identification of the key management controls and monitoring activities.

The External Auditor develops his audit strategy and audit plan in different steps including the determination of the planning materiality (used to evaluate the fair view of the financial statements) and monetary precision (used, amongst others, to determine sample sizing and results of substantive analytical review). Understanding the client’s control environment and accounting process is an essential part of these procedures, including external and internal factors affecting the entity. The External Auditor will understand the entity’s selection and application of accounting policies and the measurement and review of the entity’s financial performance, including the going concern assumptions. Every significant flow of transactions, and related internal controls and computer processing environment, will be looked at in order to get a preliminary understanding of the internal controls at both entity level and process level. Specific fraud inquiries will help the External Auditor to focus on risks, and are in any case applied when the Auditor applies ISAs.
The engagement team discusses the risks, classifies the entity’s use of computers to evaluate the necessity of involving IT specialists and performs preliminary analytical reviews on the interim financial statements. These procedures allow the External Auditor to assess the risk at account level and develop responses for the identified risk areas, which will be formalized in an audit plan. This plan will be communicated, where applicable, to the Audit Committee and can be discussed with the internal audit department. Such a plan will allow a good allocation of the tasks by team member, enable supervision of the executed work and will ease the introduction of new team members.

5.1.3. Perform the audit plan

The External Auditor will determine the control activities to be executed on the basis of the effectiveness of the internal controls of the entity. The External Auditor will select those techniques that he feels are the most appropriate to fulfill his audit work. The first step in the audit plan will be the evaluation of the internal controls. The External Auditor will plan and perform procedures to obtain audit evidence of the operating effectiveness of controls and identify the related controls.

Through a systematic analysis of risks specific to business processes, the External Auditor derives an acute focus on areas, transactions and events that are material to the financial statements.

After the execution of the field work, and between the report date and the end date of that field work, the External Auditor will perform a subsequent events review. He will assess the events up to the date of his report, assess the facts discovered after the date of his audit report and before the financial statements are issued. He will evaluate the overall scope of the audit and the effect of uncorrected misstatements on the financial statements.
The External Auditor needs to obtain written management representation on the financial statements and on the uncorrected misstatements and will consider any litigation and claims involving the entity. Any findings will be communicated to those charged with governance, such as the Audit Committee and management, in due time. A management letter might also be issued. The work will be concluded with the issuance of an audit report that will reflect the opinion of the External Auditor on the fair view of the financial statements, consideration of the other information (like the report of the Board of Directors) and possible non-compliance with laws and regulations.

5.1.4. Report and assess performance

At the period closing the External Auditor will design substantive tests. He will design and perform tests of details on the basis of well determined selections and sample sizes. He will, amongst others, use confirmations, attend stock takes, perform observations, and obtain evidence from internal and external sources. The External Auditor will also perform substantive analytical procedures and identify those account balances or disclosures and the related potential errors to be tested by substantive analytical procedures. After having developed an expectation for the substantive analytical procedures, he will consider the threshold between expected values and actual balances. He will as such evaluate differences requiring further investigation and obtain, quantify and corroborate explanations when performing these procedures.

The audit procedures on accounting estimates will include identification of the circumstances requiring accounting estimates and an understanding of the estimation process. The reasonableness of the estimates will be tested and differences in judgment about accounting estimates will be responded to.
After review of these estimates for bias and execution of detailed testing as described above, the External Auditor will perform the financial review, evaluate unexplained significant changes identified during this review and conclude. The External Auditor will consider any litigation and claims involving the entity and evaluate communications with the entity’s legal counsel.

A central part is thus the selection and performance of tests of relevant controls in the audit and the evaluation of the effectiveness of this testing in the current period. The information systems audit is an integral part of the audit approach, where the computer plays a dominant role in the processes. When the External Auditor evaluates that the internal controls are not sufficient, he will adapt his control procedures to match this and report the weaknesses to the appropriate levels of the Management and the Board.

5.2. The Internal Audit Process

[Figure: the internal audit process. Labels: Internal Audit Charter; Planning phase; Audit Universe; Risk Assessment; Audit Plan; Planning; Engagement Phase; Preparation; Field Work; Documentation; Reporting phase; Reporting; Follow up.]

5.2.1. Planning of the internal audit activities

The Chief Audit Executive must establish risk-based plans to determine the priorities of the internal audit activity, consistent with the organization’s goals. By doing this, the Chief Audit Executive takes into account the organization’s risk management framework, including using risk appetite levels set by management for the different activities or parts of the organization. If a framework does not exist, the Chief Audit Executive uses his/her own judgment of risks after consultation with Senior Management and the Board. It is clearly recommended that the internal audit activity’s plan of engagements is based on a documented risk assessment, undertaken at least annually and if possible more frequently.
The input of Senior Management and the Board must be considered in this process, as well as coordination with the ERM¹ function (if the function exists). The Chief Audit Executive could consider accepting proposed consulting engagements based on the engagement’s potential to improve management of risks, add value, and improve the organization’s operations. Accepted engagements must be included in the plan.

The Chief Audit Executive must communicate the internal audit activity’s plans and resource requirements, including significant interim changes, to Senior Management and the Board for review and approval. Besides, the Chief Audit Executive must report periodically to Senior Management and the Board on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan. Reporting must also include significant risk exposures and control issues, including fraud risks, strategic risks, governance issues, and other matters needed or requested by Senior Management and the Board.

5.2.2. Engagement Planning

For each engagement, the CAE will define the engagement’s objectives, scope, timing, and resource allocations. In planning the engagement, Internal Auditors must consider:
• the objectives of the activity being reviewed and the means by which the activity controls its performance;
• the significant risks to the activity, its objectives, resources, and operations and the means by which the potential impact of risk is kept to an acceptable level;
• the adequacy and effectiveness of the activity’s risk management and control processes compared to a relevant control framework or model; and
• the opportunities for making significant improvements to the activity’s risk management and control processes (Performance Standard 2201).

Each engagement will start with a mission letter that will specify to the auditees the scope, objectives and timing of the engagement as well as the documentation to be received in order to prepare the engagement.
The scope of the engagement must include consideration of relevant systems, records, personnel, and physical properties, including those under the control of third parties.

¹ See Glossary, appendix 2.

Finally, Internal Auditors must develop and document work programs that achieve the engagement objectives. Work programs must include the procedures for identifying, analyzing, evaluating, and documenting information during the engagement. The work program must be approved prior to its implementation, and any adjustments approved promptly. The work programs will be as follows:

Objective/Area | Risk | Likelihood/Significance | Actual Controls | Evaluation of Adequacy | Tests of Effectiveness

For each area reviewed, they will evaluate the risk, the controls that are implemented and their adequacy. Finally, they will define the tests to be performed in order to evaluate the effectiveness of the controls in place (substantive, analytical, ad hoc testing).

5.2.3. Performing the Engagement

Overall, Internal Auditors must identify, analyze, evaluate, and collect sufficient information to achieve the engagement’s objectives.

More specifically, Internal Auditors must base conclusions and engagement results on appropriate analyses and evaluations. Internal Auditors must also document relevant information to support the conclusions and engagement results.

Engagements must be properly supervised to ensure objectives are achieved, quality is assured, and staff is developed. This is the overall responsibility of the CAE.

5.2.4. Communicating Results

Internal Auditors must communicate the engagement results. This implies an evaluation of the residual risk and a discussion with the management about the findings and recommendations. More specifically, communications must include the engagement’s objectives and scope as well as applicable conclusions, recommendations, and action plans. Final communication of engagement results must, where appropriate, contain Internal Auditors’ overall opinion and/or conclusions. Internal Auditors are encouraged to acknowledge satisfactory performance in engagement communications. When releasing engagement results to parties outside the organization, the communication must include limitations on distribution and use of the results. The Chief Audit Executive or designee reviews and approves the final engagement communication before issuance and decides to whom and how it will be disseminated.

5.2.5. Monitoring Progress

The Chief Audit Executive must establish a follow-up process to monitor and ensure that management actions have been effectively implemented or that Senior Management has accepted the risk of not taking action. Most of the time, key performance indicators are communicated to the Audit Committee.

CHAPTER IV: PROFESSIONAL STANDARDS ON COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS

In this chapter, we will provide a summary of the professional standards dealing with the cooperation between internal and External Auditors. We recommend readers to consult the website of IBR/IRE mentioned for more details.

1. EXTERNAL AUDIT STANDARDS

1.1. Belgian legal context: using the work of others and engagement acceptance

The Belgian IRE/IBR has issued the following recommendations¹ - which do not have the same compulsory character as a standard on auditing - in respect of the use of the work of others:
• Using the work of another auditor;
• Using the work of an internal audit department;
• Using the work of experts.

Each of these recommendations defines principles and provides guidance regarding the use of the work of others as audit evidence.
Within the context of this study, we restrict our comments to the recommendation “using the work of an internal audit department”, which to a large extent has been inspired by the ISA n° 610 “Considering the work of Internal Auditing”. In the context of cooperation between internal and External Auditors, the recommendation on engagement acceptance is also to be mentioned. Although it is neither a recommendation nor a standard, it is also worth mentioning the existence of examples of a contractual framework for services in which authorized communication between internal and External Auditors could be formalized.

Scope and objectives of internal auditing

It is recognized that the activities of the internal audit department can vary widely. Depending upon the size and structure of the entity and the requirements of its management, a distinction is made between:
• review of internal controls surrounding financial or accounting information and systems, and
• review of the efficiency and effectiveness of operations.

Relationship between Internal Auditors and the External Auditor

The External Auditor could consider the work of the internal audit department and its effect on external audit procedures, provided that:
• the control objectives fit in with the scope of the external audit procedures;
• the Internal Auditors have the right professional qualifications.

The External Auditor has however the sole responsibility for the audit opinion expressed and this responsibility is not reduced by any use made of internal auditing.

¹ Available on the website of IRE/IBR: www.ibr-ire.be

Review and assessment of internal audit function

As part of his decision process on the extent to which the External Auditor will use and rely on the work of the Internal Auditors, he could assess:
• the planning and timing for internal audit work;
• the access to relevant working files and other documentation of the department;
• the reporting and follow up of exceptions and anomalies found to exist.
In addition, the External Auditor could evaluate the appropriateness of performing audit procedures in areas covered in detail by the internal audit department.

Restrictions on the reliance on and use of internal audit work

The recommendation points out that the existence of an internal audit department cannot be a pure substitution of the control work of the External Auditor. The fact that the External Auditor is solely responsible for the opinion he expresses on the financial statements implies that his audit scope must cover all relevant aspects of the accounts, regardless of whether he is able to rely on the work of the Internal Auditors. This also means that the External Auditor assumes full responsibility for all internal audit work on which he has been relying. It is recommended that the External Auditor could cover personally all aspects and transactions having a significant impact on the financial statements, including the evaluation of accounting and valuation principles, as well as the correct application of the Belgian Company Act.

Letter of engagement

Before the start of the audit engagement, the client and the External Auditor should clearly set out the terms of the audit assignment in order to avoid misunderstandings with respect to the engagement. This engagement letter documents and confirms the Auditor’s acceptance of the appointment, the objective and scope of the audit, the extent of the Auditor’s responsibilities to the client and the form of any reports. The arrangements (at least in general terms) concerning the involvement of and cooperation with Internal Auditors (and other client staff) should also be included.

Example of contractual framework for services

For the External Auditors who so wish, the IBR/IRE provides an example of a letter summarizing the terms of business, which can be found on the web site of the ICCI (www.icci.be).
These terms of business (conditions générales / algemene voorwaarden) together with the engagement letter form the entire agreement between the client and the External Auditor. Although the example of such a letter - because of its general nature - does not include any specific reference to the cooperation of internal and External Auditors or simply to the External Auditor’s access to the working files and reports of the Internal Auditors, it is recommended where applicable to make mention of such authorized communication in the letter “contractual framework for services”.

Definition of nature and extent of the use of the internal audit work

Under this caption guidance is provided on the External Auditor’s requirements for using the work of the internal audit department. Particular attention is suggested for:
• the degree of independence of the internal audit function within the entity’s organization;
• the technical competence of its staff;
• the extent of the scope of their work;
• the professional care for the planning and execution of the work.

1.2. International Standards on Auditing (ISA)

The International Standards on Auditing (ISAs) are developed by the International Federation of Accountants (IFAC) through its International Auditing and Assurance Standards Board (IAASB). For more details, consult: http://www.ifac.org/IAASB/

ISA 610: Considering the work of internal audit

Overall, the ISA recommends that the External Auditor could consider the activities of internal auditing and their effect, if any, on external audit procedures. This ISA stresses that, irrespective of the degree of autonomy and objectivity of internal auditing, it cannot achieve the same degree of independence as required by the External Auditor when expressing an opinion on the financial statements.
The External Auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by any use made of internal auditing.

The External Auditor could obtain a sufficient understanding of internal audit activities to identify and assess the risks of material misstatement of the financial statements and to design and perform further audit procedures. Effective internal auditing will often allow a modification in the nature and timing, and a reduction in the extent of audit procedures performed by the External Auditor but cannot eliminate them entirely.

When obtaining and performing an assessment of the internal audit function, the important criteria are:
• organizational status;
• scope of function;
• technical competence;
• due professional care.

When planning to use the work of internal auditing, the External Auditor will need to consider internal audit’s tentative plan for the period and discuss it at the earliest stage. It is desirable to agree in advance the timing of the work of internal auditing, the extent of audit coverage, materiality levels and proposed methods of sample selections, documentation of the work performed and review and reporting procedures.

Besides, liaison with internal auditing is more effective when meetings are held at appropriate intervals during the period. The External Auditor would need to be advised of and have access to relevant internal auditing reports and be kept informed of any significant matter that comes to the Internal Auditor’s attention which may affect the work of the External Auditor. Similarly, the External Auditor would ordinarily inform the Internal Auditor of any significant matters which may affect internal auditing.

1.3. Statements on Auditing Standards (SAS)

Statements on Auditing Standards (SASs) are issued by the Auditing Standards Board (ASB), the senior technical body of the American Institute of Certified Public Accountants (AICPA).
For more details, consult: http://www.aicpa.org/Professional+Resources/Accounting+and+Auditing/Audit+and+Attest+Standards/.

SAS No. 65: The Auditor’s Consideration of the internal audit Function in an Audit of Financial Statements

When obtaining an understanding of internal control, the External Auditor could obtain an understanding of the internal audit function sufficient to identify those internal audit activities that are relevant to plan the audit. The External Auditor ordinarily could make inquiries about the Internal Auditors’:
• organizational status within the entity;
• application of professional standards;
• audit plan, including the nature, timing, and extent of audit work;
• access to records and whether there are limitations on the scope of their activities.

Relevant activities are those that provide evidence about the design and effectiveness of controls that pertain to the entity’s ability to initiate, authorize, record, process and report financial data consistent with the assertions embodied in the financial statements or that provide direct evidence about potential misstatements of such data.

The External Auditor may find the results of the following procedures helpful in assessing the relevancy of internal audit activities:
• considering knowledge from prior-year audits;
• reviewing how the Internal Auditors allocate their audit resources to financial or operating areas in response to their risk-assessment process;
• reading internal audit reports to obtain detailed information about the scope of internal audit activities.
When assessing the Internal Auditors’ competence, the External Auditor could obtain or update information from prior years about such factors as:
• educational level and professional experience of Internal Auditors;
• professional certification and continuing education;
• audit policies, programs, and procedures;
• practices regarding assignment of Internal Auditors;
• supervision and review of Internal Auditors’ activities;
• quality of working-paper documentation, reports, and recommendations;
• evaluation of Internal Auditors’ performance.

When assessing the Internal Auditors’ objectivity, the External Auditor could obtain or update information from prior years about such factors as:
• the organizational status of the Internal Auditor responsible for the internal audit function;
• policies to maintain Internal Auditors’ objectivity about the areas audited.

In making judgments about the extent of the effect of the Internal Auditors’ work on the Auditor’s procedures, the External Auditor considers:
• the materiality of financial statement amounts in terms of account balances or transactions allocations;
• the risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial statement amounts;
• the degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions.

1.4. Public Company Accounting Oversight Board (PCAOB) Standards

The Public Company Accounting Oversight Board (PCAOB) is a private sector, nonprofit corporation, created by the Sarbanes-Oxley Act of 2002, to oversee the Auditors of public companies in order to protect the interests of investors and further the public interest in the preparation of informative, fair, and independent audit reports. For more details, consult: http://www.pcaob.org/Standards/index.aspx.

Auditing Standard No. 5: An audit of internal control over financial reporting that is integrated with an audit of financial statements

For purposes of the audit of internal control, the External Auditor may use the work performed by, or receive direct assistance from, Internal Auditors, company personnel (in addition to Internal Auditors), and third parties working under the direction of management or the Audit Committee that provides evidence about the effectiveness of internal control over financial reporting. In an integrated audit of internal control over financial reporting and the financial statements, the External Auditor also may use this work to obtain evidence supporting his assessment of control risk for purposes of the audit of the financial statements.

The External Auditor could assess the competence and objectivity of the persons whose work he plans to use to determine the extent to which he may use their work. The higher the degree of competence and objectivity, the greater use the External Auditor may make of the work. The External Auditor could apply the principles outlined in SAS No. 65 (cf. above) to assess the competence and objectivity of Internal Auditors.

Personnel whose core function is to serve as a testing or compliance authority at the company, such as Internal Auditors, normally are expected to have greater competence and objectivity in performing the type of work that will be useful to the External Auditor.

2. INTERNAL AUDIT STANDARDS

2.1. The Institute of Internal Auditors (IIA): International Professional Practices Framework (IPPF)

The Institute of Internal Auditors (IIA) provides internal audit professionals all around the world with authoritative guidance, organized in the International Professional Practices Framework as mandatory and strongly recommended guidance.
For more details, consult: http://www.theiia.org/guidance/standards-and-guidance/.

Performance Standard 2050: Coordination

The Chief Audit Executive (CAE) could share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.

A recent practice advisory¹ suggests that the CAE completes an assurance map of the organization in order to ensure that the assurance requirements of the Board are fulfilled. This map would, for each risk category, define the residual risk, the risk owner (management) and the coverage of the different assurance functions (internal and External Auditors but also Risk Managers, Compliance Officers and other assurance functions).

The CAE is responsible for regular evaluations of the coordination between internal and External Auditors. The CAE obtains the support of the Board to coordinate audit work effectively. Such evaluations may also include assessments of the overall efficiency and effectiveness of internal and external audit activities, including aggregate audit cost. The CAE communicates the results of these evaluations to Senior Management and the Board, including relevant comments about the performance of External Auditors.

Without prejudice to art. 79 of Belgian law of July 22, 1953, coordinated in 2007 on professional confidentiality of External Auditors, organizations may use the work of External Auditors to provide assurance related to activities within the scope of internal auditing.
In these cases, the CAE takes the steps necessary to understand the work performed by the External Auditors, including:
• the nature, extent, and timing of work planned by External Auditors, to be satisfied that the External Auditors’ planned work, in conjunction with the Internal Auditors’ planned work, satisfies the requirements of Standard 2100 (Nature of Work);
• the External Auditors’ assessment of risk and materiality;
• the External Auditors’ techniques, methods, and terminology to enable the CAE to (1) coordinate internal and external auditing work; (2) evaluate, for purposes of reliance, the External Auditors’ work; and (3) communicate effectively with External Auditors;
• access to the External Auditors’ programs and working papers, to be satisfied that the External Auditors’ work can be relied upon for internal audit purposes. Internal Auditors are responsible for respecting the confidentiality of those programs and working papers.

The External Auditors may rely on the work of the internal audit activity in performing their work. In this case, the CAE needs to provide sufficient information to enable External Auditors to understand the Internal Auditors’ techniques, methods, and terminology to facilitate reliance by External Auditors on work performed. Access to the Internal Auditors’ programs and working papers is provided to External Auditors in order for External Auditors to be satisfied as to the acceptability for external audit purposes of relying on the Internal Auditors’ work.

The internal audit activity’s final communications, management’s responses to those communications, and subsequent follow-up reviews are to be made available to External Auditors. In addition, Internal Auditors need access to the External Auditors’ presentation materials and management letters.
Matters discussed in presentation materials and included in management letters need to be understood by the CAE and used as input to Internal Auditors in planning the areas to emphasize in future internal audit work. After review of management letters and initiation of any needed corrective action by appropriate members of Senior Management and the Board, the CAE ensures that appropriate follow-up and corrective actions have been taken.

¹ Practice Advisory 2050-2: Assurance Maps, IIA International, August 2009.

3. SPECIFIC STANDARDS FOR FINANCIAL INSTITUTIONS

3.1. Basel Committee on Banking Supervision

The Basel Committee on Banking Supervision provides a forum for regular cooperation on banking supervisory matters. Its objective is to enhance understanding of key supervisory issues and improve the quality of banking supervision worldwide. The Committee is best known for its international standards on capital adequacy; the Core Principles for Effective Banking Supervision; and the Concordat on cross-border banking supervision. For more details, consult: http://www.bis.org/bcbs/index.htm.

Internal audit in banks and the Supervisor’s relationship with Auditors

Principle 14 notes that supervisory authorities could have periodic consultations with the bank’s Internal Auditors to discuss the risk areas identified and the measures taken. On the same occasion, the extent of the cooperation between the bank’s internal audit department and the bank’s External Auditors may also be discussed.

Principle 16 recommends that supervisory authorities could encourage consultation between internal and External Auditors in order to make their cooperation as efficient and effective as possible.

Overall, co-operation between banking supervisors, the Internal Auditor and the External Auditor optimizes supervision.
CHAPTER V: THE COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS

In this chapter, we will provide an overview of current practices based on a survey conducted and interviews with External Auditors and Internal Auditors. We will also define best practices for the cooperation between external and Internal Auditors.

1. THE FEEDBACK FROM THE SURVEY AND THE INTERVIEWS

A survey and interviews were conducted amongst internal and External Auditors in the beginning of 2009 (see details of the participants in appendix 5).

1.1. Commitment

Internal Auditors currently take an active role in promoting cooperation between internal and external audit (76.2%). This is fully confirmed by External Auditors (100%). For the future, more than 93% of the Internal Auditors are willing to take an active role in the promotion vs 100% for the External Auditors.

The main reasons for internal and External Auditors for not promoting the cooperation are the following ones:
• conflict of interests (different but complementary missions);
• corporate decision for a clear segregation between the Auditor types;
• unequal sharing of information;
• high rotation of junior External Auditors.

The interviews reveal new elements such as:
• communication problems at the side of External Auditors;
• unwillingness on behalf of External Auditors;
• lack of transparency on behalf of External Auditors;
• unequal quality of Internal Auditors, due to various backgrounds. So cooperation is not always possible and External Auditors must re-do some testing;
• Internal Auditors are not always perceived as fully independent from the management.

According to the interviews, the size of the internal audit department seems to influence the scope of the commitment: in smaller departments, less specific exchanges may be organized.
The maturity of the internal audit department is another important element for defining the cooperation between the two professions. The initiative for the cooperation is mostly coming from the Internal Auditors but it is interesting to notice that it sometimes comes from the CFO or the Audit Committee.

1.2. Benefits

Internal Auditors were asked to assess the following benefits of a good cooperation with the External Auditors and the figures below are expressed in % of answers:
[Chart not reproduced]

External Auditors were asked if they consider the following benefits of a good cooperation with the Internal Auditors and the figures below are expressed in % of answers:
[Chart not reproduced]

Both professions think that a cooperation increases the audit work efficiency. But it is interesting to notice that the cost reduction is not a recognized benefit for the External Auditors. The exchange of expertise, the knowledge sharing and the better coordination of work are the benefits listed by both professions.

Otherwise, Internal Auditors do also mention as additional benefits the following points:
• the decrease of workload for the External Auditors;
• the improvement of the client’s image about auditing;
• the increase of confidence by the Audit Committee (building trust);
• the avoidance of double work;
• the alignment of methodologies between external and Internal Auditors;
• the increase of knowledge about the company and the industry for the External Auditor;
• the advice from External Auditors: sounding board;
• the limited surprises for the management at year end.

The External Auditors have identified the following additional benefits:
• the improvement of the fieldwork quality thanks to the Internal Auditors’ knowledge;
• the reduction of audit risk thanks to a better understanding of the risk management;
• the optimization of available resources.

1.3. Communication

The Internal Auditors were asked if they consult the External Auditors on different matters. The External Auditors were asked if they consult the Internal Auditors on the same matters. The following table explains the view of each party.
[Table not reproduced]

According to the survey, the communication between External Auditors and Internal Auditors is more active on the side of External Auditors. However, during the interviews it appeared that many Internal Auditors do not get information from the external ones. It also seems that External Auditors sometimes discuss the risk analysis with Internal Auditors when appropriate for their own analysis.
[Chart not reproduced]

The communication between External Auditors and Internal Auditors is more active on the side of External Auditors. The exchange of the planning facilitates the global assurance to the Board of Directors and/or Audit Committee. It could be a responsibility of the Audit Committee to guarantee the coordination between the two plannings and the exchange of the reports.

The internal and External Auditors were also asked the following questions:

The Internal Auditors were asked whether they communicate with the External Auditors on different matters. The External Auditors were asked whether they communicate with the Internal Auditors on the different matters. The following table explains the view of each party.
[Table not reproduced]

The External Auditors initiate more meetings with the Internal Auditors than the other way around. Only the audit engagements feedback gets a better result from the Internal Auditors side.

According to the interviews, External Auditors exchange work papers with Internal Auditors on a limited basis and only when necessary, because of the assignment responsibility towards shareholders. The External Auditors do sometimes review the work of Internal Auditors when a formal cooperation is defined.
Different maturity models have been observed:
• Internal Auditor is just a contact point for External Auditor;
• Internal Auditor helps with interim and period-end work for External Auditor;
• Internal Auditor performs significant parts of the interim and period-end work.

Both groups were asked whether or not they use the work of other auditors. The following table explains the view of each party.
[Table not reproduced]

The use of other auditors’ work is very popular on both sides.

Auditors have also been asked why they would not use the work of the other profession. The graphics hereafter describe the reasons mentioned by each profession:
[Charts not reproduced]

On the External Auditors side, the lack of knowledge of financial aspects and independence are the most cited reasons for not collaborating with Internal Auditors. On the Internal Auditors side, the lack of willingness and the refusal are the main reasons, which suggests that there is still room for improvement.

During the interviews with Internal Auditors, the personal relationship has also been identified as a factor that could have an impact on the cooperation. The lack of training, judgement or computerised auditing process of Internal Auditors has also been mentioned in the interviews with External Auditors.

Some common reasons for not using the work of each other have been identified and are:
• the different scope definitions;
• the different materiality levels.

It is interesting to note from the interviews that the different scope of each profession is considered as an advantage for cooperation by Internal Auditors and as a reason for non-cooperation by the External Auditors.

According to the interviews, External Auditors are also helping Internal Auditors in specific matters or countries that they cannot cover themselves (lack of resources and knowledge).

1.4. Systematic exchanges

Each profession was also asked whether they receive systematic information from the other profession. The graphic below shows the results:
[Chart not reproduced]

Only 46% of Internal Auditors do have access to the management letter and only 42% receive the reports from the External Auditors. The systematic exchanges and the common methodology are actually very limited on both sides.

2. THE BEST PRACTICES IN RESPECT OF THE COOPERATION BETWEEN EXTERNAL AND INTERNAL AUDITORS

2.1. Introduction

A workgroup made of representatives of both institutes¹ has analyzed the results of the survey. Interviews with Chief Audit Executives and External Auditors have been organized in order to discuss the cooperation between external and Internal Auditors.

The exchanges proposed here below are based on the documentation described above and result from a combination of various sources in Belgium and abroad.

We will describe best practices for the cooperation. Nevertheless, it is important to remember that this cooperation is only possible if the internal audit department is mature, professional, complies with the International Professional Practices Framework (IPPF) and if External Auditors are willing to collaborate.

It is to be noted that both internal and External Auditors are required to follow continuous professional development. In order to facilitate the use of the same language and terminology and to better understand the methodology of the other, external and Internal Auditors should be encouraged to follow parts of the education programme provided by the other institute.

The Internal Auditors’ considerations:

The Professional Standards foresee an external quality assessment of the internal audit department every 5 years. This review can guarantee the professionalism of the internal audit activities, as it will confirm the reliance with the IPPFs and shows the benchmarking with other internal audit activities.

The External Auditors’ considerations:

External Auditors are required by Law, further defined by a Royal Decree and a standard, to submit to a quality control by peer review every 3 years when they audit public interest entities and every 6 years otherwise.

External Auditors must be informed about the competence, organization and charter of an independent internal audit department in the organization they review. Most of the time, External Auditors will have to assess the level of reliance they may apply on the internal audit department. The criteria mostly used are the following:
• the qualifications and experience of the team;
• the documentation and methodology used for the engagements (review of the Internal Auditors working papers);
• the conformity with the IPPFs and implementation of a strong quality assurance and improvement program over all processes in the internal audit activity, including human resources and hiring;
• the ethical behavior based on The Institute of Internal Auditors’ Code of Ethics to Internal Auditors, etc.;
• the maturity of the internal audit department;
• the performance of a risk assessment for the internal audit activity to identify potential risks that might impact its “brand”;
• the evaluation of the internal audit department within the organization (surveys, reporting, etc.).

In all cases, the External Auditors must assess the work of the Internal Auditors when using it and extend the testing when necessary.

In addition the External Auditors must be:
• informed about the possible cooperation;
• knowledgeable about the way Internal Auditors are working;
• informed about the acceptance of this cooperation according to the Professional Standards;
• in good relationship with the Internal Auditors;
• willing to cooperate and work in teams, etc.

¹ See p. 2.

2.2. Risk Management Assessment

2.2.1. Introduction

The importance of strong corporate governance and of managing risks has been increasingly acknowledged. Organizations are under pressure to identify all the business risks they face, social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level.

The cooperation is only possible if the companies are using a risk management framework. More and more companies use an enterprise-wide risk management framework and recognize its advantages over less coordinated approaches to risk management.

Internal and External Auditors contribute to the management of risk in a variety of ways.

2.2.2. Role of internal audit

The Internal Auditors usually assist the management in the implementation of a risk management process by providing training and advice. Their role is mainly a consulting one in this case. Once the process is up and running, Internal Auditors will provide assurance in three areas:
• risk management process (design and ongoing function);
• management of “key” risks including effectiveness of mitigating risks;
• assessment of risks and the reporting of their status.

In some organizations, Internal Auditors may facilitate the implementation of the control self assessment process.

2.2.3. Role of external audit

At the start of every new mission, the External Auditors assess the risks that impact the financial statements. Governance and monitoring of the risks by the appropriate levels in the entity being audited is high on the agenda of the External Auditor, in order to assess the risk related to the engagement. In this context, they will review and discuss the enterprise risk management (ERM)¹ process with those responsible in the organization and evaluate if the existing risk management process leads to a monitoring of the entity’s risks.
Besides these considerations, external audit updates its knowledge on industry data, legislation evolution, external factors, etc., in order to plan the audit adequately.

2.2.4. Cooperation proposed

The level of the cooperation depends on the implementation and maturity of an ERM process in the organization.

In organizations where the process exists and is up and running, exchanges of information between the external and Internal Auditors should be organized. The assessment of the ERM process (audit report) made by the Internal Auditors should be given to the External Auditors. If some recommendations affect the financial statements, they should be discussed with the External Auditors. During the yearly assessment (for the planning), External Auditors should participate in a workshop with the Internal Auditors where they would debate the financial risks. The experience and knowledge of the External Auditors would be a real asset for a detailed analysis of the financial and compliance areas.

In organizations where self assessment is performed, the implementation details should be discussed with the External Auditors in order to ensure that financial and compliance risks are addressed appropriately.

In organizations where ERM does not exist, it would nevertheless be interesting that internal and External Auditors exchange their views on the risk assessments they have made.

¹ See Glossary for the definition, appendix 2.

2.2.5. Benefits

If cooperation between internal and External Auditors is organized in the area of risk management, the main benefits could be:
• the use of a common methodology (framework, language, evaluation criteria, …);
• a (common) message to the Board/Audit Committee regarding the main risks identified in the organization;
• transparency in terms of risks identification, evaluation and management;
• assessment of the risks through the use of internal information (Internal Auditors) and external information (External Auditors).

2.3. Internal Control Assessment

2.3.1. Introduction

It is up to every company to design an internal control system which is suitably adapted to its situation. Executive Management or the management Board conceives the internal control system. The principal directional guidelines in terms of internal control are determined in line with the company’s objectives.

These objectives must be applicable to the various units of the entity and clearly communicated to staff so that they can understand and adhere to the organization’s risk and control policy.

Internal control will be that much more relevant if it is built on rules of conduct and integrity.

2.3.2. Definition

Internal control is a company’s system, defined and implemented under its responsibility, which aims to ensure that: laws and regulations are complied with; the instructions and directional guidelines fixed by Executive Management or the management Board are applied; the company’s internal processes are functioning correctly, particularly those implicating the security of its assets; financial information is reliable; and generally, contributes to the control over its activities, to the efficiency of its operations and to the efficient use of its resources.

2.3.3. Role of internal audit

Internal Auditors evaluate the internal control processes in terms of efficiency and effectiveness. In some organizations, the Chief Audit Executive (CAE) may be requested to issue an overall opinion on the adequacy of internal controls within the organization. This request is becoming more common with the advent of new financial reporting legislation and regulation. The International Standards for the Professional Practice of Internal Auditing (The Standards), specifically Standard 2410.A1, indicate that the final communication of engagement results, where appropriate, contains the Internal Auditor’s overall opinion and/or conclusions.

2.3.4. Role of external audit

One of the critical activities in the external audit process is assessing the reliability of financial information and ensuring that the internal control procedures allow faithful recording of all the operations performed by the organization.

As stated above, the first step in the execution of the audit plan will be the evaluation of internal controls. The quality of this internal control system can be, amongst others, looked at by means of evaluating:
• segregation of duties, enabling a clear distinction to be made between recording duties, operational duties and retention duties;
• function descriptions which could enable the origins of the information prepared to be identified, together with its recipients;
• design, implementation and operating effectiveness of business controls; and
• accounting internal control system making it possible to check that the operations have been performed in accordance with general and specific instructions, and that they have been accounted for so as to produce financial information which complies with generally accepted accounting principles.

The evaluation of the internal controls is performed throughout the audit. At first, at the planning phase, the External Auditor looks back on previous experience and corroborates with management on risks and related controls. During the financial year (and after the closing for closing procedures) the External Auditor investigates if he can rely on the internal controls structure of the entity. He tests controls or expands the level of substantive testing if the External Auditor feels he cannot rely on controls, these being deficient, not practical or not functioning on a regular basis.

2.3.5. Cooperation proposed

The internal control evaluation made by Internal Auditors should be communicated to the External Auditors. In case the CAE expresses a global opinion on internal controls¹, it should be discussed with the External Auditors.

For processes with sophisticated financial impacts, the Internal Auditors should ask the External Auditors for assistance to evaluate these processes. Internal Auditors perform more and more integrated audits to assess the internal control besides the IT, governance and financial dimensions. This last one should be communicated to the External Auditors.

For the interim review done by the External Auditors, it would be interesting to have a close cooperation between External and Internal Auditors who both evaluate the internal controls’ processes or at least an exchange of the evaluation documentation on the processes reviewed. The External and Internal Auditors can discuss executed audit procedures, review each other’s conclusions and evaluate the use of the work of the other auditor as a basis for the conclusions.

In general, where it concerns high risk areas or items with a particular appreciation of the Auditor (like estimates related to impairments, provisions…), the External and Internal Auditors will not rely to the full extent on the work of the other party. Indeed, in such cases, the Auditor needs to evaluate the controls and reinforce its own evaluation procedures.

The two auditors should also exchange their recommendations to improve the internal control process that impacts the financial statements and the reporting in order to align messages to the Audit Committees or appropriate levels of management.

¹ IIA Practice Guide: “Formulating and expressing internal audit opinion”, April 2009.

2.3.6. Benefits

The cooperation in internal control assessments could mainly generate the following benefits:
• the integration of the internal control processes review (combination of financial and operational processes);
• the reduction of review works for the internal and External Auditors (as they do not test this aspect);
• common language-methodology towards the management that facilitates the discussions with both auditors;
• evaluation of the processes by the best qualified persons (e.g. financial ones by the External Auditors);
• on the field training for both auditors;
• interesting discussions may take place between the external and Internal Auditors in case of differing views and this can only benefit the organization.

2.4 Audit Plan determination

2.4.1. Introduction

The priorities of the audit activity must be defined and evaluated at least on a yearly basis. It is common practice to set up a three-year plan and to update it yearly. The plan commonly defines the level of activities, the scope and the resources required.

2.4.2. Definition

The plan is based on the risk analysis and defines the processes to review, the scope of the audit, the workload, the resources profile, the financial budget and the timing.

2.4.3. Role of internal audit

As defined by the IIA-Performance Standards, the CAE could establish a risk-based plan to determine the priorities of the internal audit activity, consistent with the organization’s goals. This exercise is based on the audit universe (global scope) of the internal audit activity and the audit charter that defines the role and responsibilities of the internal audit department.

For all the processes, the risk is evaluated, the internal controls are assessed and the residual risk is defined. The period of coverage is also defined as well as the changes in the organizations, processes or IT tools.
Based on all these elements, a plan (work schedule, staffing plan, financial budget, scope coverage vs resources limitation) is proposed for approval to the Audit Committee.

2.4.4. Role of external audit

Every year, the first phase of the audit cycle includes a disciplined and systematic study of the company. Based upon interviews, updated risk analysis, identification of key management controls and the knowledge of the company (past audits, sector, materiality level…), the External Auditors define the planning for the review of the financial statements.

The planning includes the work schedule, the scope, the staffing, the budget and the timing. This planning is submitted to the Audit Committee.

2.4.5. Cooperation proposed

The plannings of both auditors should be discussed before the first Audit Committee meeting, where both auditors ensure minimal overlap and allocation of the best resources to perform the testing. During this discussion, the cooperation for some testing should be discussed: the areas where Internal Auditors would rely on External Auditors work and the other way around. The need for technical financial expertise on some audits should be discussed as well in order to define the allocation of the work between the external and the Internal Auditors.

2.4.6. Benefits

The integration of the plannings could lead to:
• a better coverage of the audit universe;
• a reduction of the audit activities on one side (external or Internal Auditors);
• optimal allocation of the resources: in terms of headcounts and knowledge;
• an absence of agenda conflicts for the management (e.g.: both auditors will not review the same process during the same period);
• a better view of the audit work for the Audit Committee that receives a consolidated view, etc.

2.5 Audit Testing

2.5.1. Introduction

Based on the planning defined, the Auditors conduct the engagements and perform different kinds of testing.

2.5.2. Definition

The testing is based on the area reviewed, the level of internal control and risk, the periodicity of the audit.

2.5.3. Role of internal audit

As defined by the IIA-Performance Standards, the internal audit activity evaluates and contributes to the improvement of risk management, control and governance systems. The testing depends on the type of audit performed: financial, operational, compliance, IT. More and more Internal Auditors review all aspects of the department (or process or organization) through an integrated approach that combines the testing in all areas.

The review is made based on defined testing and scoping and may be adapted based on the results (e.g. if the internal control is very basic, the testing might be limited and a recommendation is made to the management to improve the internal control process). Different approaches might be combined: inquiry, observation, inspection, confirmation and computer assisted techniques.

It is very important to record the information accurately and keep all details of the findings during the testing. The results of the testing will be the basis to define the recommendations and improvement points for the management and the Audit Committee.

2.5.4. Role of external audit

The methodology is similar to the one used by the Internal Auditors. Nevertheless, the External Auditors will perform advanced testing for all risks that have been identified as critical in the audit plan and areas where internal audit has no independence/expertise.
The testing will address the design and implementation and the operational effectiveness of the internal controls, to ensure the completeness, the existence, the accuracy, the evaluation, the ownership and the presentation of the financial statements. The results of the testing will be evaluated and translated into financial impacts (positive or negative) but also into improvements of the internal control and risk management processes. In many cases a recommendation letter will be remitted to management to ensure appropriate follow-up of the findings.

2.5.5. Cooperation proposed

Based on the planning defined, different types of cooperation may take place:
• team set up with external and Internal Auditors who perform the testing together;
• exchange of the working papers between the external and Internal Auditors (both sides) in order to avoid that both auditors perform the same testing. This cooperation may take place at the preparation phase (collection of information about the process reviewed) and goes on during the testing and results phases;
• additional testing of external or Internal Auditors for some processes instead of full testing.

The cooperation between the external and Internal Auditors should take place at the interim as well: circularization, for example, can also be delegated to the Internal Auditors. It is important to note that External Auditors will themselves perform the testing of processes that have a significant impact on the financial statements and will not be able to “outsource” this to the Internal Auditors.

2.5.6. Benefits

The cooperation between the internal and the External Auditors could:
• increase the coverage of the testing;
• reduce the detection risk (risk that an issue is not identified by the audit);
• reduce the workload of the internal and External Auditors in some areas and allow other engagements (more consulting for the Internal Auditors, for example);
• facilitate the use of the best qualified person for each engagement (by combining resources and knowledge);
• reduce the overlap of work in the field and reduce the time spent by the management on audit enquiries.

2.6. Audit Reporting

2.6.1. Introduction

The final output of the audit work takes the form of the reporting.

2.6.2. Definition

The reporting aims to inform the auditees about the findings and the recommendations. It is also a useful document for the Board/Audit Committee in order to follow up the engagements made and the actions to be taken.

2.6.3. Role of internal audit

As defined by the IIA-Performance Standards, an audit report is the basis for the evaluation of the internal audit activity by the management and the Board/Audit Committee. It includes the engagement’s objectives, scope and applicable conclusions, recommendations and action plans. The report could disclose the compliance with the Standards. More and more, the report includes a general rating for the process/organization reviewed as well as the residual risk estimated.

A draft report is discussed with the Management in charge of the process/organization reviewed in order to validate the recommendations and set up the action plans. If the Management and the Auditors do not agree on some recommendations, the comments of the Management will be included in the final report. Usually, the final report is sent to the External Auditors, after the validation by the Management and the presentation to the Management Committee.

2.6.4. Role of external audit

The External Auditors are legally obliged to issue a report about the “true and fair view” of the financial statements (statutory accounts). The report may include different kinds of opinion depending on the findings in the audit on the financial statements and related controls, the adjustments proposed to the Financial Statements, the going concern of the organization. External Auditors are required to request a representation letter in order to make the CEO and CFO aware of their obligations and ensure that all relevant information has been communicated before issuing this report.

2.6.5. Cooperation proposed

Internal Auditors should communicate their reports systematically to the External Auditors. If a “draft” exists and the subject is important for the External Auditors, the main conclusions and the general rating may be discussed with the External Auditors. The External Auditors should communicate their reports and management letter to the Internal Auditors.

For the post balance sheet review, the discussion takes place between the External Auditors and the management/Board of directors. The internal audit can assist in case they have performed engagements after the closing of the financial statements that do impact the financial statements (adjustment not identified by the External Auditor). This should be highly relevant, for example, in case of fraud detection or internal control weaknesses, new issues identified and not provided for.

2.6.6. Benefits

With a transparent communication on both sides, the knowledge of the Auditors (external and internal) about the organization will increase and their risk assessment will improve. This is also the final result of a good and efficient cooperation.

2.7. Recommendations follow up

2.7.1. Introduction

Management takes action to correct the weaknesses identified by the Auditors.

2.7.2. Definition

The recommendations made are based on best practices and aim to reduce the risk of the process/organization reviewed. A good balance must be struck between what is needed to correct the issue and the benefits. Indeed, sometimes, management may decide not to implement some recommendations because the costs – benefits are not well balanced. The remaining risk is then accepted by the management and communicated to the Audit Committee.

2.7.3. Role of internal audit

In the action plan, Internal Auditors have defined, together with the management, the actions, due date and person responsible. They are responsible for establishing a process to monitor and ensure that management actions have been effectively implemented or that Senior Management has accepted the risk of not taking action. The follow up includes the recommendations made by External Auditors and may include recommendations from other parties (quality audit, …).

Key performance indicators are published in order to show the results of the recommendations’ implementation. If recommendations are past their due date, it is good practice to inform the Audit Committee about the delays and the reasons advanced by the management. For high risk, Internal Auditors may conduct an engagement to evaluate the implementation.

2.7.4. Role of external audit

The External Auditors follow up the remarks of the management letter during their next visit. The review is similar to the one of the Internal Auditors. Any subsequent events that affect the financial position of the entity will be taken into account for the opinion.

2.7.5. Cooperation proposed

Internal Auditors should include the recommendations of the External Auditors in their follow up. They should also send the KPIs to the External Auditors so that they may follow up the reaction of the management on the recommendations.

2.7.6. Benefits

A consolidated view of all recommendations and the implementation status is available for the management and the Audit Committee. As Internal Auditors are present in the organization, they may remind management of the recommendations due on a more regular basis than External Auditors.

APPENDIX 1. How Do I ... Distinguish Internal and External Auditing?¹

Internal Auditors and External Auditors each play an important role in the governance of an organization. Both groups have mutual interests regarding the effectiveness of internal financial controls, and both adhere to ethical codes and professional standards set by their respective professional bodies. Additionally, both types of auditors operate independently of the activities they audit, and they’re expected to have extensive knowledge about the business, industry, and strategic risks faced by the organization they serve. Yet, with all of their similarities, internal auditing and external auditing are two distinct functions that have numerous differences.

ORGANIZATIONAL STRUCTURE

Internal Auditors represent an integral part of the organization - their primary clients are management and the Board. Although historically Internal Auditors have reported to the Chief Financial Officer or other Senior Management staff, the trend today is for internal auditing to report directly to the Audit Committee. Conversely, External Auditors are not part of the organization, but are engaged by it. Their objectives are set primarily by statute and by the Board of directors.

DIVERGING APPROACHES

The IIA defines internal auditing as «an independent, objective assurance and consulting activity designed to add value and improve an organization’s operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.» In contrast, external auditing provides an independent opinion of a company’s financial statements and fair presentation. This type of auditing encompasses whether the statements conform with Generally Accepted Accounting Principles, whether they fairly present the financial position of the organization, whether the results of operations for a given period of time are represented accurately, and whether the financial statements have been affected materially.

MANDATORY VERSUS VOLUNTARY

In general, internal audit functions are not mandatory for organizations. Instead, their establishment is left to individual organizations’ discretion. An external audit is legally required for many companies, particularly those listed on a public exchange. External audits of some government agencies are also legislated, requiring government auditors to submit the audit report to their respective legislature.

QUALIFIED AND KNOWLEDGEABLE

The necessary qualifications for an Internal Auditor rest solely on the judgment of the employer. Although Internal Auditors are often qualified as accountants, some are qualified engineers, sales personnel, production engineers, and management personnel who have moved through the ranks of the organization with a sound knowledge of its operations and have garnered experience that makes them aptly qualified to perform internal auditing. External Auditors are required to understand errors and irregularities, assess risk of occurrence, design audits to provide reasonable assurance of material detection, and report on such findings. In most countries, auditors of public companies must be members of a body of professional accountants recognized by law.
¹ Adapted from «Two Sides of Auditing» by Lal Balkaran (Internal Auditor, «Back to Basics,» October 2008).

APPENDIX 2. Glossary

1. Risk Management Definition

People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations that could have a (negative) impact on the achievement of their objectives. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organization as a whole.

2. Enterprise Risk Management

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organization for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

The Board has overall responsibility for ensuring that risks are managed. In practice, the Board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities.

One of the key requirements of the Board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This could be complemented by the provision of objective assurance, for which the internal audit activity is a key source. Other sources include External Auditors and independent specialist reviews.

In most organizations, the COSO ERM framework¹ is used as a tool for the implementation as well as the evaluation of the ERM process.

¹ Enterprise Risk Management Integrated Framework, published in 2004 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). More info on www.coso.org

3. Role of internal audit in ERM:

More generally, the schema below describes the role of internal audit in ERM¹.

[Figure: role of internal audit in ERM]

¹ IIA Position Paper; The role of internal auditing in the ERM, January 2009.

4. Internal Control Integrated Framework

The Internal Control Integrated Framework, published in 1992 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO), is the most common framework for assessing internal controls. The framework is a simplified version of the ERM framework (see above).

The COSO report defines an internal control structure along five elements (control environment, risk assessment, control activities, information and communication, and monitoring) and three components/objectives (financial reporting, operations and compliance), with identification of the areas/activities audited (e.g., geographic unit, business unit, process).

APPENDIX 3. Model internal audit activity charter¹

Introduction:
Internal Auditing is an independent and objective assurance and consulting activity that is guided by a philosophy of adding value to improve the operations of the <organization>. It assists <organization> in accomplishing its objectives by bringing a systematic and disciplined approach to evaluate and improve the effectiveness of the organization’s risk management, control, and governance processes.

ROLE:
The internal audit activity is established by the Board of Directors or oversight body (hereafter referred to as the Board). The internal audit activity’s responsibilities are defined by the Board as part of their oversight role.

PROFESSIONALISM:
The internal audit activity will govern itself by adherence to The Institute of Internal Auditors’ mandatory guidance including the Definition of Internal Auditing, the Code of Ethics, and the International Standards for the Professional Practice of Internal Auditing (Standards).
This mandatory guidance constitutes principles of the fundamental requirements for the professional practice of internal auditing and for evaluating the effectiveness of the internal audit activity’s performance.

The Institute of Internal Auditors’ Practice Advisories, Practice Guides, and Position Papers will also be adhered to as applicable to guide operations. In addition, the internal audit activity will adhere to <organization>’s relevant policies and procedures and the internal audit activity’s standard operating procedures manual.

AUTHORITY:
The internal audit activity, with strict accountability for confidentiality and safeguarding records and information, is authorized full, free, and unrestricted access to any and all of <organization>’s records, physical properties, and personnel pertinent to carrying out any engagement. All employees are requested to assist the internal audit activity in fulfilling its roles and responsibilities. The internal audit activity will also have free and unrestricted access to the Board.

ORGANIZATION:
The Chief Audit Executive will report functionally to the Board and administratively (i.e. day to day operations) to the Chief Executive Officer.

The Board will approve all decisions regarding the performance evaluation, appointment, or removal of the Chief Audit Executive as well as the Chief Audit Executive’s annual compensation and salary adjustment.

The Chief Audit Executive will communicate and interact directly with the Board, including in executive sessions and between Board meetings as appropriate.

¹ Published by the Institute of Internal Auditors, revised on 6/08/2009.

INDEPENDENCE AND OBJECTIVITY:
The internal audit activity will remain free from interference by any element in the organization, including matters of audit selection, scope, procedures, frequency, timing, or report content to permit maintenance of a necessary independent and objective mental attitude.
Internal Auditors will have no direct operational responsibility or authority over any of the activities audited. Accordingly, they will not implement internal controls, develop procedures, install systems, prepare records, or engage in any other activity that may impair Internal Auditors’ judgment.

Internal Auditors must exhibit the highest level of professional objectivity in gathering, evaluating, and communicating information about the activity or process being examined. Internal Auditors must make a balanced assessment of all the relevant circumstances and not be unduly influenced by their own interests or by others in forming judgments.

The Chief Audit Executive will confirm to the Board, at least annually, the organizational independence of the internal audit activity.

INTERNAL AUDIT PLAN:
At least annually, the Chief Audit Executive will submit to Senior Management and the Board an internal audit plan for review and approval. The internal audit plan will consist of a work schedule as well as budget and resource requirements for the next fiscal/calendar year. The Chief Audit Executive will communicate the impact of resource limitations and significant interim changes to Senior Management and the Board.

The internal audit plan will be developed based on a prioritization of the audit universe using a risk-based methodology, including input of Senior Management and the Board. Any significant deviation from the approved internal audit plan will be communicated to Senior Management and the Board through periodic activity reports.

RESPONSIBILITY:
The scope of internal auditing encompasses, but is not limited to, the examination and evaluation of the adequacy and effectiveness of the organization’s governance, risk management, and internal process as well as the quality of performance in carrying out assigned responsibilities to achieve the organization’s stated goals and objectives. This includes:
• Evaluating the reliability and integrity of information and the means used to identify, measure, classify, and report such information.
• Evaluating the systems established to ensure compliance with those policies, plans, procedures, laws, and regulations which could have a significant impact on the organization.
• Evaluating the means of safeguarding assets and, as appropriate, verifying the existence of such assets.
• Evaluating the effectiveness and efficiency with which resources are employed.
• Evaluating operations or programs to ascertain whether results are consistent with established objectives and goals and whether the operations or programs are being carried out as planned.
• Monitoring and evaluating governance processes.
• Monitoring and evaluating the effectiveness of the organization’s risk management processes.
• Evaluating the quality of performance of External Auditors and the degree of coordination with internal audit.
• Performing consulting and advisory services related to governance, risk management and control as appropriate for the organization.
• Reporting periodically on the internal audit activity’s purpose, authority, responsibility, and performance relative to its plan.
• Reporting significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by the Board.
• Evaluating specific operations at the request of the Board or management, as appropriate.

REPORTING AND MONITORING:
A written report will be prepared and issued by the Chief Audit Executive or designee following the conclusion of each internal audit engagement and will be distributed as appropriate. Internal audit results will also be communicated to the Board.

The internal audit report may include management’s response and corrective actions taken or to be taken in regard to the specific findings and recommendations.
Management’s response, whether included within the original audit report or provided thereafter (i.e. within thirty days) by management of the audited area should include a timetable for anticipated completion of action to be taken and an explanation for any corrective action that will not be implemented.

The internal audit activity will be responsible for appropriate follow-up on engagement findings and recommendations. All significant findings will remain in an open issues file until cleared.

PERIODIC ASSESSMENT:
The Chief Audit Executive will periodically report to Senior Management and the Board on the internal audit activity’s purpose, authority, and responsibility, as well as performance relative to its plan. Reporting will also include significant risk exposures and control issues, including fraud risks, governance issues, and other matters needed or requested by Senior Management and the Board.

In addition, the Chief Audit Executive will communicate to Senior Management and the Board on the internal audit activity’s quality assurance and improvement program, including results of ongoing internal assessments and external assessments conducted at least every five years.

Internal Audit Activity charter

Approved this _________ day of ____________, _________.

_________________________________
Chief Audit Executive

_________________________________
Chief Executive Officer

_________________________________
Chairman of the Board of Directors

_________________________________
Chairman of the Audit Committee

APPENDIX 4. Model Audit Committee Charter¹

¹ Published by the Institute of Internal Auditors, revised on 6/5/2009

PURPOSE
To assist the Board of Directors in fulfilling its oversight responsibilities for the financial reporting process, the system of internal control, the audit process, and the company’s process for monitoring compliance with laws and regulations and the code of conduct.

AUTHORITY
The Audit Committee has authority to conduct or authorize investigations into any matters within its scope of responsibility. It is empowered to:
• Appoint, compensate, and oversee the work of any registered public accounting firm employed by the organization.
• Resolve any disagreements between management and the Auditor regarding financial reporting.
• Pre-approve all auditing and non-audit services.
• Retain independent counsel, accountants, or others to advise the committee or assist in the conduct of an investigation.
• Seek any information it requires from employees (all of whom are directed to cooperate with the committee’s requests) or external parties.
• Meet with company officers, External Auditors, or outside counsel, as necessary.

COMPOSITION
The Audit Committee will consist of at least three and no more than six members of the Board of directors. The Board or its nominating committee will appoint committee members and the committee chair. Each committee member will be both independent and financially literate. At least one member shall be designated as the «financial expert,» as defined by applicable legislation and regulation.

MEETINGS
The committee will meet at least four times a year, with authority to convene additional meetings, as circumstances require. All committee members are expected to attend each meeting, in person or via tele- or video-conference. The committee will invite members of management, auditors or others to attend meetings and provide pertinent information, as necessary. It will hold private meetings with auditors (see below) and executive sessions. Meeting agendas will be prepared and provided in advance to members, along with appropriate briefing materials. Minutes will be prepared.

RESPONSIBILITIES
The committee will carry out the following responsibilities:

Financial Statements
• Review significant accounting and reporting issues, including complex or unusual transactions and highly judgmental areas, and recent professional and regulatory pronouncements, and understand their impact on the financial statements.
• Review with management and the External Auditors the results of the audit, including any difficulties encountered.
• Review the annual financial statements, and consider whether they are complete, consistent with information known to committee members, and reflect appropriate accounting principles.
• Review other sections of the annual report and related regulatory filings before release and consider the accuracy and completeness of the information.
• Review with management and the External Auditors all matters required to be communicated to the committee under generally accepted auditing Standards.
• Understand how management develops interim financial information, and the nature and extent of internal and External Auditor involvement.
• Review interim financial reports with management and the External Auditors before filing with regulators, and consider whether they are complete and consistent with the information known to committee members.

Internal Control
• Consider the effectiveness of the company’s internal control system, including information technology security and control.
• Understand the scope of internal and External Auditors’ review of internal control over financial reporting, and obtain reports on significant findings and recommendations, together with management’s responses.

Internal Audit
• Review with management and the Chief Audit Executive the charter, activities, staffing, and organizational structure of the internal audit function.
• Have final authority to review and approve the annual audit plan and all major changes to the plan.
• Ensure there are no unjustified restrictions or limitations, and review and concur in the appointment, replacement, or dismissal of the Chief Audit Executive.
• At least once per year, review the performance of the CAE and concur with the annual compensation and salary adjustment.
• Review the effectiveness of the internal audit function, including compliance with The Institute of Internal Auditors’ International Professional Practices Framework for Internal Auditing consisting of the Definition of Internal Auditing, Code of Ethics and the Standards.
• On a regular basis, meet separately with the Chief Audit Executive to discuss any matters that the committee or internal audit believes should be discussed privately.

External audit
• Review the External Auditors’ proposed audit scope and approach, including coordination of audit effort with internal audit.
• Review the performance of the External Auditors, and exercise final approval on the appointment or discharge of the Auditors.
• Review and confirm the independence of the External Auditors by obtaining statements from the Auditors on relationships between the Auditors and the company, including non-audit services, and discussing the relationships with the Auditors.
• On a regular basis, meet separately with the External Auditors to discuss any matters that the committee or auditors believe should be discussed privately.

Compliance
• Review the effectiveness of the system for monitoring compliance with laws and regulations and the results of management’s investigation and follow-up (including disciplinary action) of any instances of noncompliance.
• Review the findings of any examinations by regulatory agencies, and any auditor observations.
• Review the process for communicating the code of conduct to company personnel, and for monitoring compliance therewith.
• Obtain regular updates from management and company legal counsel regarding compliance matters.
Reporting Responsibilities
• Regularly report to the Board of Directors about committee activities, issues, and related recommendations.
• Provide an open avenue of communication between internal audit, the External Auditors, and the Board of directors.
• Report annually to the shareholders, describing the committee’s composition, responsibilities and how they were discharged, and any other information required by rule, including approval of non-audit services.
• Review any other reports the company issues that relate to committee responsibilities.

Other Responsibilities
• Perform other activities related to this charter as requested by the Board of directors.
• Institute and oversee special investigations as needed.
• Review and assess the adequacy of the committee charter annually, requesting Board approval for proposed changes, and ensure appropriate disclosure as may be required by law or regulation.
• Confirm annually that all responsibilities outlined in this charter have been carried out.
• Evaluate the committee’s and individual members’ performance on a regular basis.

APPENDIX 5. Demographics

1. Participants in the survey

63 Internal Auditors and 18 External Auditors participated in the survey.

2. Size of the organizations represented

[Figures]

3. Activity sector of the organizations represented

For External Auditors, the sectors mentioned are the ones for which they filled in the questionnaire. 21 Internal Auditors belong to the Financial Services sector and 7 to the public sector. For the rest, we have:

[Figure]