Coordination between internal and external auditors

Role of accountant

Accountants whether in business or in practice have a personal responsibility to deliver trust- to employees , investors, stakeholders and to each other . Investors and other users of financial statements rely on the financial information. Most of them do not have access to any other source of information. they trust the management , the auditors , the analysts . Trust is the foundation of all relationships whether at personal level or macro level .It is important for the economic growth and stability of countries and markets that this trust is not jeopardized.

Accountants have a major have a role to play in promoting and protecting the integrity and stability of the market which can be maximized when investors feel they are adequately protected against fraud and corruption and when they feel they can truly rely on financial information produced by companies.

Special role of auditor

The auditor’s opinion on the truth, fairness, accuracy etc. of the financial statement imposes a larger responsibility on the auditor, which transcends the relationship with the client. The external auditor has to maintain total independence from the client. The auditor is supposed to be watchdog. Government, creditors, investors and the business and financial community rely on the independence, objectivity and integrity of the auditors for maintaining confidence in operations of a company.

Audit opinion

The typical audit opinion states:

We conducted our audits in accordance with auditing standards. Generally accepted in India. Those standards require that we plan and perform the audit to obtain reasonable assurance about whether the financial statements are free of material misstatement. An audit includes examining, on a test basis, evidence supporting the amounts and disclosures in the financial statements. An audit also includes assessing the accounting principles used and significant estimates made by management, as well as evaluating the overall financial statement presentation. We believe that our audits provide a reasonable basis for our opinion.

Roles & responsibilities of internal and external auditor

Responsibilities of Internal Auditor

Internal Audit is a service to management. Its functions include examining and evaluating internal control and providing assurance to the management. It is a part of the organisation’s system of internal control and its scope includes ALL aspects of internal control, not just financial control.. The scope of internal audit is much wider than statutory/external audit. It should ideally cover all the organisation’s activities. They include:

Ö       Financial audit –accuracy, completeness and fairness of financial statements

Ö       Operational audit- effectiveness and efficiency of operations

Ö       Safeguarding of assets

Ö       Review of projects

Ö       Management audit

Ö       Fraud detection- developing fraud exposures for every audit and detecting red flags

Ö       Review of effectiveness of internal control

Ö       Compliance with laws, regulations, policies and procedures

Ö       Preservation of ethical culture – monitor the ethical climate and report on red flags that may compromise ethics

Ö       Providing advise on reducing waste or inefficiency

Responsibilities of External Auditor

External auditors have to express an opinion on accuracy and fairness of financial information. An external audit programme encompasses a full-scope financial statement audit, an attestation of internal controls over financial reporting, or other agreed-upon external audit procedures.

A typical report includes inter alia, information on:

• Whether they have obtained all the necessary information
• Whether the companies has kept all the requisite books of accounts
• Whether the financial statements are in conformity with books of accounts
• The financial statements present a true and fair view of the state of affairs
• Proper records for assets, inventory, loans etc. have been maintained by the company
• Adequacy of internal control procedures
• Existence of internal audit system commensurate with nature and size of business.
• Details of statutory dues and matters under litigation

Although internal and external auditors have different and clearly defined roles they do share the same broad purpose of serving the public by helping to ensure the highest standards of regularity and propriety for the use resources and in promoting efficient, effective and economic administration. Co-ordination among them maximises the benefits, which can be gained from working together in areas where there is an overlap in the work to be done.

Benefits of co ordination between Internal & External Auditor

Proper coordination can lead to efficient and effective audits as there is no unnecessary duplication of efforts and auditors can focus on other tasks.  With the increasing scandals and frauds, regulators are specifying newer requirements to increase the accuracy of financial reports. In this environment, coordination between auditors is one of the methods by which companies can improve their perceived trustworthiness.

Varied strengths increase effectiveness

By the nature of their responsibilities, internal auditors spend a lot of time working for the same company. This gives them a better understanding of the culture and working of the organisation. They notice things and come across instances, which the external auditor is unable to see during his visits. The external auditors on the other hand have exposure to wider variety of financial issues as they have multiple clients.  External auditors may therefore discover and solve issues that internal auditors have not dealt with before.

Increase in efficiency

Coordination increases efficiency. When the audit is not properly coordinated, external auditors may duplicate work already performed by the internal auditors. This redundancy causes higher audit fees but does not increase the effectiveness of the audit. Similarly, internal auditors may duplicate external auditors work, which results in wasted internal audit time. Coordination increases the probability that the information companies release is accurate. Combined, the synergies realized through improved coordination add value to a company’s shareholders.

Better audit coverage

It is expected that elimination of redundant work will leave time and resources for better audit coverage.

Cost reduction

Coordination reduces the time and efforts which the external auditor would expend on redundant work thus, reducing the audit fees. In most cases, the savings from co-ordination are greater than the cost incurred by the internal audit function to perform the work on which the external auditors rely.

Better understanding of each others work

Coordination would imply that the auditors communicate and consult with each other their plans and findings. This will lead to clearer understanding of respective audit roles and requirements and a better understanding by each group of auditors.

Building co-operation between Internal & External Auditor

Approval

External and internal auditors owe allegiance to different set of people .The internal auditor is accountable to the management. Either the management or any other body in charge of governance decides the internal auditor’s scope of work. When the external auditor needs assistance from the internal auditor, he has to first inform the management /governing body and seek their approval.

Commitment

As discussed earlier, both the auditors work with different objectives and responsibilities. They are accountable to a different set of people. Given this situation when the need for coordination arises, it requires commitment. They have to adjust and plan the work to satisfy each others needs.

Communication

Communication is sine qua non for success of any coordination process. . There should be frequent and open communication between internal and external auditors. They should decide on timing and nature of communication-it may be written or electronic or face to face or telephonic or combination of whatever format is suitable. The auditors can have regular meetings to plan for identification of opportunities for cooperation, elimination of duplication of work and agree on methods to share information and other findings.   Even where internal and external auditors are not working together in a particular area there may be circumstances where they wish to consult with each other on particular issues or on specific audit findings. The coordination plans and procedures should ideally be agreed by both parties, documented, and approved by the governing body/management.

Trust

There needs to be mutual confidence between both groups of auditors. This confidence is enhanced when the auditors are members of professional bodies and are bound by their professional standards and code of conduct. When the external auditor requires direct assistance or needs to rely on the work in certain area, he may conduct procedures to get specific assurance. There also needs to be confidence that any information exchanged is treated professionally and with integrity.

Areas of co-operation between Internal & External Auditor

• Internal control
• Corporate governance
• Reporting and financial statements
• Compliance with laws
• Anti Fraud measures
• Performance indicators
• Testing
  • systems
  • programs
• Liaison between company and external auditors
  • Ensure that all information, documentation is provided to internal auditor
  • Audit of dispersed organizations
  • Follow up on audit issues and implementation of recommendations

Applicability of Auditing and Assurance  standards

Examining the applicability of various auditing standards to the subject of relationship of external and internal auditor.

AAS 7- Relying upon the work of internal auditor

Relationship between internal and external auditor

• Though the primary objective is different for both the auditors, some of their means are same and the work of internal auditor may be useful to the external auditor in determining the nature, extent and timing of procedures to be performed
• The external auditor should evaluate the internal audit function before relying on the work and adopting less extensive procedures
• The internal auditor cannot have the same degree of independence as the external auditor so the opinion of the external auditor on the financial statements remains his responsibility .

Aspects to be considered while evaluation

• Organisational status –reporting level, existence of operational responsibility , constraints or limitations placed by management
• Scope of function
• Technical competence
• Due professional care

Coordination

• External auditor to ascertain the internal auditor’s plan – timing of audit, scope, sample selection, documentation, reporting procedures
• Regular communication with the internal auditor , access to records, information about significant matters.

AAS 9-Using the work of an expert

An expert or specialist is a person, firm, or other association of persons possessing special skill, knowledge and experience in a particular fields other than accounting and auditing .An expert may be engaged /employed by client or auditor.

Skill and competence of expert

When relying on work of expert the auditor should consider:

• Professional qualifications
• Membership in appropriate professional body
• Experience and reputation in the subject matter.

The auditor need not inquire into skills and competence of expert employed by him.

Evaluating the work of an expert

• Objective and scope of work
• Confidentiality of work
• Relationship of expert with client, if any
• Confidentiality of information used

Assurance on appropriateness of audit evidence by considering

• Source data
• Assumptions used
• Results of expert’s work in light of auditor’s overall knowledge of business

The auditor can obtain an understanding of assumption and methods .The appropriateness and reasonableness of assumptions and methods used and their application are the responsibility of the expert .The auditor does not have the same expertise and therefore cannot always challenge the expert’s assumptions and methods.

This particular accounting standard seems similar to AAS 7 but is not applicable to this particular subject. The primary reason being that it defines an expert as a person with special skill, knowledge and experience in particular fields other than accounting and auditing.

AAS 10- Using the work of another auditor

Does not deal with joint auditors relationship with predecessor auditor

Standard does not apply when the principal auditor considers financial information of a component as immaterial

Principal auditor is the auditor with the responsibility for reporting on the financial information of an entity when it includes financial information of one or more components audited by another auditor

Other auditor means an auditor with responsibility of reporting on the financial information of component, which is included in the financial information audited by the principal auditor.

Procedures

• The principal auditor should determine how work of other auditor will affect the audit
• Relying on work of auditor
  • Consider professional competence if not a member of ICAI.
  • Perform procedures and obtain evidence
  • Advise the other auditor of accounting and other requirement
  • Obtain representation for above
  • Review written summary of report
  • Consider significant findings.
• Coordination between auditors
  • There should be sufficient communication between both auditors
  • The other auditor should coordinate with the principal auditor and inform him of significant findings.

• If the principal auditor concludes that the work of the other auditor cannot be used for some reason, he should express a qualified opinion or disclaimer stating the limitation on the scope of audit.
• State the reliance on report

On comprehensive reading of AAS 10, it is quite clear that it is not applicable to relationship between internal and external auditor as the ‘other auditor’ referred to in the standard has responsibility of the component audited by him which can also be stated in the report. This does not match with provisions of AAS 7.

International scenario

Let us examine the international situation.

AICPA SAS 65: The Auditor’s consideration of the internal Audit function in an Audit of financial statements

Understanding function

The extent of the procedures necessary to obtain this understanding will vary, depending on the nature of those activities.

a. Organizational status within the entity.

b. Application of professional standards.

c. Audit plan, including the nature, timing, and extent of audit work.

d. Access to records and whether there are limitations on the scope of their activities.

In addition, the auditor might inquire about the internal audit function’s charter, mission statement, or similar directive from management or the board of directors.

Relevancy

The auditor should consider only those activities of the internal auditor which are relevant to the audit of financial statements like activities which provide evidence about the design and effectiveness of controls that pertain to the entity’s ability to initiate, record, process, and report financial data or that provides direct evidence about potential misstatements of such data. The following may help in assessing the relevancy:

a. Considering knowledge from prior-year audits

b. Reviewing how the internal auditors allocate their audit resources to financial or operating areas in response to their risk-assessment process

c. Reading internal audit reports to obtain detailed information about the scope of internal audit activities.

After assessing the relevancy:

• In case of matters which are not relevant, the external auditor may decide not to give further consideration unless he auditor requests direct assistance. Or
• The auditor may conclude that it will not be efficient to consider the internal auditors work or
• If the auditor considers that it would be efficient to consider the work, and then assess the competency and objectivity of work.

Determining competency

SAS 65 requires auditors to look at seven factors relating to competence, including:

• Educational level and professional experience of internal auditors.
• Professional certification and continuing education.
• Audit policies, programs, and procedures.
• Practices regarding assignment of internal auditors.
• Supervision and review of internal auditor’s activities.
• Quality of working-paper documentation, reports, and recommendations.
• Evaluation of internal auditor’s performance.

Determining objectivity

When evaluating the objectivity of internal auditors, external auditors are to search for factors under two general headings:

• The organizational status of the internal auditor responsible for the internal audit function.

— Whether the internal auditor reports to an officer of sufficient status to ensure broad audit coverage and adequate consideration of, and action on, the findings and recommendations of the internal auditors.

— Whether the internal auditor has direct access and reports regularly to the board of directors, the audit committee, or the owner-manager.

— Whether the board of directors, the audit committee, or the owner-manager oversees employment decisions related to the internal auditor.

• Policies to maintain internal auditor’s objectivity about the areas audited.

— Policies prohibiting internal auditors from auditing areas where relatives are employed in important or audit-sensitive positions.

— Policies prohibiting internal auditors from auditing areas where they were recently assigned or are scheduled to be assigned on completion of responsibilities in the internal audit function.

Assessing Competence and Objectivity

Consider information

• obtained from previous experience with the internal audit function,
• discussions with management personnel,
• external quality review, if performed, of the internal audit function’s activities. professional internal auditing standards
• the effectiveness of the factors described above
• The extent of such testing will vary in light of the intended effect of the internal auditors’ work on the audit.

Effect of the Internal Auditors’ Work on the Audit

The internal auditors’ work may affect the nature, timing, and extent of the audit, including—

• Procedures the auditor performs when obtaining an understanding of the entity’s internal control.
• Procedures the auditor performs when assessing risk.
• Substantive procedures the auditor performs.

Risks in Audit

AAS 6

All questions of coordination, increasing coverage, relying on each others work arises due to one fundamental reason –Audit risk. Audit risk means the risk that the auditor gives an inappropriate audit opinion when the financial statements are materially misstated (AAS 6). It is virtually impossible for an auditor eliminate audit risk. The auditor has to first do a risk assessment and then work upon reducing risks to an acceptable level.

Risk Assessment

To decide the risk assessment methodology the auditor should consider things like :

• Type of information to be collected
• Cost of collecting information using the methodology., if any
• Information readily available
• Additional information required to be collected to obtain the information
• Availability of time, manpower and other resources to carry on risk assessment
• Past experience of the auditor and other users about the effectiveness of the methodology in achieving the objectives
• Appropriateness of the methodology to the situation

Using Risk Assessment in Audit planning

Risk assessment, in combination with other audit techniques, facilitates in making planning decisions such as:

• The nature, extent, and timing of audit procedures
• The areas or business functions to be audited
• The amount of time and resources to be allocated to an audit

Types of Audit risks

• Inherent risk
• Control risk
• Detection risk

Inherent Risk

Inherent risk is the susceptibility of an audit area to error, which could be material, individually or in combination with other errors, assuming that there were no related internal controls. For example, the inherent risk associated with cash and other liquid assets is high due to easy liquidity. Again inherent risk for IS access is high since it is not readily observable and highly sensitive nature of information By contrast, the inherent risk associated with fixed assets is ordinarily low

Factors to be considered.

• The integrity of management and management experience and knowledge
• Changes in management
• Pressures on management which may predispose them to conceal or misstate information
• The nature of the organisation’s business and systems
• Factors affecting the organisation’s industry
• The level of third party influence on the control of the systems being audited
• Quality of accounting systems
• Complexity of transactions
• Findings from and date of previous audits
• Degree of judgement involved
• The complexity of the systems involved
• The susceptibility to loss or misappropriation of the assets controlled by the system (e.g. inventory, and payroll)
• Activities outside the day-to-day routine processing

Control Risk

Control risk is the risk that an error which could occur in an audit area, and which could be material, individually or in combination with other errors, will not be prevented or detected and corrected on a timely basis by the internal control system owing to the volume of logged information.

The auditor should assess the control risk as high unless relevant internal controls are:

• Identified
• Evaluated as effective
• Tested and proved to be operating appropriately

Detection Risk

Detection risk is the risk that the auditor’s substantive procedures will not detect an error, which could be material, individually or in combination with other errors.

In determining the level of substantive testing required, the auditor should consider both:

• The assessment of inherent risk
• The conclusion reached on control risk following compliance testing

The higher the assessment of inherent and control risk the more audit evidence the auditor should normally obtain from the performance of substantive audit procedures.

Measuring Audit Risk

Some of the mathematical theories used to measure audit risk  :

• Probability theory considers these three components (inherent risk, control risk, detection risk) as events.

• Belief-function theory considers these components as evidences. Audit risk becomes a combination (with dempster-shafer rule) of mass of evidence.

• Fuzzy logic measures audit risk concept considers these three components as sets of linguistic assessements.

ISA 315 Understanding the entity and its Environment and assessing the risks of Material misstatement

The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures.

Risk Assessment Procedures

The auditor should perform the following risk assessment procedures to obtain an understanding of the entity and its environment, including its internal control:

(a) Inquiries of management and others within the entity;

(b) Analytical procedures; and

(c) Observation and inspection.

Audit Sampling

The auditor can meet the audit objectives through detailed review of the audit evidence. Review of the entire population is not possible where the auditor has to examine large number of items .The auditor needs a consistent approach to draw a sample from the data and draw conclusions from that sample. The challenge here is that the sample should be representative of the entire population. Any situation in which one has to draw conclusions based on an inspection of part of a population should consider using statistical sampling techniques. Any form of sampling, whether statistical or judgmental, is an application of a procedure to less than 100% of the population.

In ‘sampling’ the auditor accepts the risk that some or all errors will not be found and the conclusions drawn (i.e. all transactions were proper and accurate) may be wrong. Audit sampling can be of two types-statistical and non-statistical. Statistical sampling is a mathematical based method of selecting a sample representative of the population while non statistical sampling or judgemental sampling is not based on mathematics. The type of sampling used and the number of items selected should be based on the auditors understanding of the relative risks and exposures of the areas audited.

Professional Negligence and Professional Misconduct

Negligence: The dictionary defines negligence as lack of proper care and attention. In case of professionals it means “The breach by a member of a profession of either a standard of care or a standard of conduct.” Malpractice refers to negligence or misconduct by a professional person which causes injury or damage to the client.

The concept of negligence is central to the tort system of liability. The negligence concept is centered on the principle that every individual should exercise a minimum degree of ordinary care so as not to cause harm to others.

Negligence is the doing of something which a reasonably prudent person would not do, or the failure to do something which a reasonably prudent person would do, under the same or similar circumstances. It is the failure to use ordinary or reasonable care. Ordinary or reasonable care is that care which persons of ordinary prudence would use

Malpractice

An act or continuing conduct of a professional, which does not meet the standard of professional competence and results in provable damages to his/her client. Such an error or omission may be through negligence, ignorance (when the professional should have known), or intentional wrongdoing. However, malpractice does not include the exercise of professional judgment even when the results are detrimental to the client. Except when it is extremely obvious, an expert must testify as to the acceptable standard of care applied to the specific act or conduct which is claimed to be malpractice and testify that the professional did not meet that standard. The defendant then can produce his/her own expert to counter that testimony. The principal reason is that most cries of malpractice are unfounded and are based on unhappiness with the result of the original services no matter how well handled, a breakdown in communication between professional and client, anger, or greed.

Malpractice suits against accountants (Arthur Andersen) and investment advisors (Merrill Lynch) have started lately.

Liabilities of Chartered Accountants for negligence and misconduct

Under the Companies Act

Section 233:- Penalty for non-compliance by auditor with sections 227 and 229:- If any auditor’s report is made, or any document of the company is signed or authenticated, otherwise than in conformity with the requirements of sections 227 and 229, the auditor concerned, and the person, if any, other than the auditor who signs the report or signs or authenticates the document, shall, if the default is willful, be punishable with fine which may extend to ten thousand rupees.

Under Consumer Protection Act:-  Consumer” means any person who-

(i) buys any goods for a consideration which has been paid or promised or partly paid and partly promised, or under any system of deferred payment and includes any user of such goods other than the person who buys such goods for consideration paid or promised or partly paid or partly promised, or under any system of deferred payment when such use is made with the approval of such person, but does not include a person who obtains such goods for resale or for any commercial purpose; or

(ii) hires or avails of any services for a consideration which has been paid or promised or partly paid and partly promised, or under any system of deferred payment and includes any beneficiary of such services other than the person who [hires or avails of the services for consideration paid or promised, or partly paid and partly promised, or under any system of deferred payment, when such services are availed of with the approval of the first mentioned person;  but does not include a person who avails of such services for any commercial purpose.

Explanation.-For the purposes of this clause, “commercial purpose” does not include use by a person of goods bought and used by him and services availed by him exclusively for the purposes of earning his livelihood by means of self-employment;

(e) “consumer dispute” means a dispute where the person against whom a complaint has been made, denies or disputes the allegations contained in the complaint;

(f) “defect” means any fault, imperfection or shortcoming in the quality, quantity, potency, purity or standard which is required to be maintained by or under any law for the time being in force or under any contract, express or implied or as is claimed by the trader in any manner whatsoever in relation to any goods;

service” means service of any description which is made available to potential users and includes, but not limited to, the provision of facilities in connection with banking, financing insurance, transport, processing, supply of electrical or other energy, board or lodging or both, housing construction entertainment, amusement or the purveying of news or other information, but does not include the rendering of any service free of charge or under a contract of personal service;

Penalties:-

(1)Where a trader or a person against whom a complaint is made or the complainant fails or omits to comply with any order made by the District Forum, the State Commission or the National Commission, as the case may be, such trader or person or  the complainant shall be punishable with imprisonment for a term which shall not be less than one month but which may extend to three years, or with fine which shall not be less than two thousands rupees but which may extend to ten thousand rupees, or with both.

ICAI’s disciplinary mechanism

In India, the Institute of Chartered Accountants of India (ICAI) deliberates and decides cases of professional negligence of members. The initial trial is held by the Council of the Institute, its findings, whether in favour or against the chartered accountant, have to be forwarded to the High Court for its decision. The penalty can be as severe as termination of membership.

CHECKLIST FOR ASSESSING CO-ORDINATION

1. Promotion by management and audit committee (other governing body)

• Do management and the audit committee (where this exists) actively promote effective co-ordination between the internal and external audit?
• Does the audit committee consider and advise on opportunities for co-ordination?

2. Basis for reliance

• Has a review of internal audit been carried out either by an independent third party or by external audit?
• Has external audit given relevant feedback on the results of the review and how it affects opportunities for co-ordination?
• If the assessment concludes that reliance on internal audit is not possible, has external audit made recommendations for improvement and has an action plan been developed?
• Has management considered any need to revise the specification for internal audit
• Services in the light of the review?

3. Co-ordination

• Does external audit discuss the results of their evaluation of specific internal audit work on which the intend to place reliance?
• Do internal and external audit need to meet on a regular basis to give feedback, discuss progress and resolve problems?
• Do internal and external audit report to the Audit Committee on the arrangements established for routine liaison, and their future co-ordination plans?
• Have all areas for potential co-ordination between internal and external audit been explored?
• Do internal and external audit co-ordinate the timing of their work effectively in order to maximise co-ordination and reliance?
• Do management or the audit committee discuss audit plans with both sets of auditors?
• Are there any potential problems acting as a barrier between internal and external audit?
• Has a course of action been decided to help address these problems?
• Have external and internal audit considered explaining their methodology to one another?
• Do internal and external auditors consult and agree on the timing of work in areas of mutual interest?
• Have auditors discussed and agreed minimum standards of documentation to be adopted?
• Have auditors agreed on arrangements for sharing relevant files and working papers?

Communication

• Is there two-way communication between internal and external auditors on matters of mutual interest and concern at all times?
• Have procedures been agreed with management and internal audit for providing copies of internal audit reports to external audit?
• Does external audit communicate its findings to management and internal audit?

 CA Rajkumar S Adukia

rajkumarfca@gmail.com