©Polka Dot Images/ISTOCK/THINKSTOCK
Internal and external auditors, the audit committee, and an organization's management all have distinct but related roles in managing risk and monitoring the effectiveness of internal controls, and stronger collaboration among the groups can improve risk management while reducing the cost and complexity of each others' efforts.
According to a summary of roundtable discussions sponsored late last year by the Center for Audit Quality and the Institute of Internal Auditors, participants offered a variety of perspectives on ways organization could leverage relationships to improve risk management, governance and external audit within each groups' respective responsibilities.
Enhancing ERM
Given the importance of risk identification and management to the overall organization, roundtable participants agreed on the importance of developing holistic approaches to ERM that define and take advantage of participants' roles and contributions to the organization.
For example, chief executives, board members and auditors (internal and external) all oversee risk to varying degrees, but taking time to coordinate those efforts can help an organization leverage the perspectives each participant can offer.
"Some companies will have an ERM assessment process separate from the internal audit risk assessment process," the report says. "Other companies will perform the ERM and internal audit risk assessments at the same time, and then internal audit will develop its own audit plan. Coordination of ERM with internal audit plans is important for ERM success."
Spelling out responsibility for risk management in an organization's bylaws or committee charters can be an important step in preventing emerging exposures, such as cyber risk, new regulatory mandates or marketplace changes from falling through the cracks.
For instance, creating a dedicated risk committee, although required for banks under Dodd-Frank, can lead to confusion about responsibilities if the committee's efforts are not coordinated with the audit committee or the broader board.
Improving Audit Relationships
More effective planning and communication was also cited as a critical factor in improving the working relationship between internal and external auditors.
Participants said after the PCAOB issued Staff Audit Practice Alert No. 11 in 2013, some external auditors have been less willing to except the conclusions reached by internal auditors over the effectiveness of internal controls, especially for high-risk areas, and have requested more documentation about internal auditors' work. In some instances, this has increased the complexity and cost of external audits, and can also strain relationships among auditors.
Another potential consequence is "audit fatigue" where internal and external auditors independently request the same information from operating units.
To enhance the audit process, participants advocated closer relationships and coordinated planning among internal and external auditors. Some recommendations include:
- Reducing duplicative efforts by having audit committee members oversee discussions between internal and external auditors to allocate work between the auditors.
- Coordinating work timelines between internal and external auditors.
- Having internal and external auditors use the same templates to reduce the need for reformatting.
- Training internal audit teams on documentation requirements.
- Participants also stressed the audit committee's oversight role over internal and external auditors alike.
Although coordination can be helpful, audit committee members have to balance this with a need to oversee both groups independently.
For instance, if external auditors are reluctant to use internal auditors' work, that could be a warning to the audit committee about the quality of internal audit's ability to test and document the effectiveness of internal controls.
"When external auditors do engage often with internal audit, they are well positioned to share with the audit committee their observations of internal audit’s performance," the report states.