Appendix International Internal Audit Standards (excerpt)


EUROPEAN CONFEDERATION OF INSTITUTES OF INTERNAL AUDITING (IVZW)

Phil Tarling, President
Carolyn Dittmeier, Vice President

Head Office: c/o IIA Belgium – Koningstraat 109-111, bus 5 - B-1000 Brussels (Belgium) Phone: +32 2 217 33 20 Fax: +32 2 217 33 20 Email: office@eciia.org

Dear Sir/Madam,

The ECIIA (the European Confederation of Institutes of Internal Auditing) would like to thank DG-MARKT for offering the opportunity to comment on your Green Paper "Audit Policy: Lessons from the Crisis".

The ECIIA is a confederation of national associations of internal auditing located in 35 countries, including all those of the EU, representing over 35,000 internal audit professionals. As such, the ECIIA is an Associated Organisation of the global Institute of Internal Auditing (the IIA), a professional organisation of more than 170,000 members in some 165 countries. Throughout the world, the Global IIA is recognised as the internal audit profession's leader in certification, education and research regarding internal auditing. The Global IIA also maintains the International Professional Practices Framework (IPPF), which includes the International Standards for the Professional Practice of Internal Auditing (available in 29 languages), the definition of internal auditing, the code of ethics, practice advisories and other guidance (http://www.theiia.org/guidance/standards-and-guidance/interactive-ippf/).

While we understand that the goal of this paper is to launch a debate on the (future) role and scope of the statutory audit function in the context of financial market regulatory reform, Chapter 2 “Role of the Auditor” includes some thoughts and suggestions which impact, directly or indirectly, the internal audit function and for which we would like to offer our general comments, in addition to answering some specific questions.

As an overall comment, the ECIIA believes that a debate on the role and the scope of the external auditor as a major contributor to increased financial stability should also include clarification on the role of internal auditors and, more specifically, their interaction with other assurance providers, including external auditors. In addition to adding value to this debate, a proper consideration of internal audit's contribution to improved governance and risk management structures in future regulatory initiatives will add to increased financial stability.

We would like to further detail this overall comment in relation to some of the statements in the Green Paper.


Higher Level of Assurance to Stakeholders

The ECIIA agrees that stakeholders request a very high level of assurance regarding the "true and fair" view of audited financial statements. In this respect, the paper suggests exploring the case for "going back to basics", with a strong focus by external auditors on substantive testing and less reliance on underlying risk and control processes. We believe, however, that external auditors of a large complex company cannot just base themselves on substantive testing for evidence and will also have to rely on their evaluation of the underlying internal controls over financial reporting (ICFR).

On the other hand, as the paper rightly suggests, the effectiveness of risk management and control processes is indeed the responsibility of the organisation’s management and board, and related assurance is provided by its internal audit function. That is why mutually supportive external audit and internal audit functions are key for providing a higher level of assurance to the organisation’s board and stakeholders.

The ECIIA however recognises that the historical connections between providers of external and internal audit services mean that many stakeholders may not be very familiar with the differences between both functions. A good comprehension of their respective objectives and scope is however required to understand how they may best co-ordinate their efforts in view of the need for increased assurance towards the board and stakeholders. ECIIA therefore proposes to add this issue to the debate and offers the following outline for discussion:

Primary differences between internal and external audit

Recipient of reports
  External audit: Shareholders or Members
  Internal audit: Board members and senior managers

Objective(s)
  External audit: Add credibility and reliability to reports from the organisation to its shareholders by giving an opinion on them
  Internal audit: Provide the assurance that members of the board and senior management use to fulfil their duties

Coverage
  External audit: Financial reports and related disclosures, financial reporting risks and their management (1)
  Internal audit: All processes and categories of risks, their management (1), including the flow of information throughout the company, and governance

Timing and frequency
  External audit: Project(s) tied into the financial reporting cycle, focused on the objective of the audit opinion
  Internal audit: Ongoing and pervasive

Focus
  External audit: Mainly historical
  Internal audit: Forward-looking, on the basis of "as-is" and recommended "to-be" scenarios

Responsibility for identifying areas for improvement
  External audit: None; duty to report problems noted during the engagement
  Internal audit: Responsibility to report recommendations for improvement and promote related action plans, fundamental to the mission of internal auditing

Status and authority
  External audit: Statutory and regulatory framework and International Auditing Standards (IAS)
  Internal audit: International professional standards and Code of Corporate Governance

Independence
  External audit: Professional ethical standards overseen by the audit committee and the regulatory framework
  Internal audit: Professional ethical standards overseen by the audit committee

(1) Risk management starts with objectives/purpose, then includes identification, evaluation and assessment of the risk; selection and implementation of the appropriate responses; and monitoring to ensure that the responses are working as required.


The ECIIA further recognises that, in addition to external and internal audit, senior management and the board may seek risk and control assurance from other (internal) sources to effectively assume their oversight and monitoring duties. In this respect, the ECIIA supports the "Three Lines of Defence" (3LoD) model as a benchmark for future regulatory guidance. This model, which is rapidly gaining universal recognition, can be illustrated as follows:

o As a first line of defence, operational management has ownership, responsibility and accountability for assessing, controlling and mitigating risks.

o As a second line of defence, the risk management, compliance and similar functions facilitate and monitor the implementation of effective risk management practices by operational management and assist the risk owners in reporting adequate risk-related information up and down the organisation.

o As a third line of defence, the internal auditing function will, through a risk-based approach, provide assurance to the organisation's governing body and senior management on how effectively the organisation assesses and manages its risks, including the manner in which the first and second lines of defence operate. This assurance task covers all elements of an institution's risk management framework, i.e. from risk identification, risk assessment and response to communication of risk-related information (throughout the organisation and to senior management and the governing body).

While the above-mentioned functions operate within the organisation, the external auditor contributes as an outside body, providing assurance regarding the true and fair view of an organisation's financial statements. However, given the specific scope and objectives of their mission, the risk information gathered by external auditors is limited to financial reporting risks and does not include the manner in which senior management and the governing body are managing/overseeing other (strategic, operational and compliance) risks, for which the risk management and internal auditing functions provide monitoring and assurance, respectively.

This three lines of defence model has been increasingly applied to corporate governance, and particularly risk management, over recent years. The ECIIA finds that it is a useful tool to explain and demonstrate the different roles in governance and risk management, the interplay between them and how they fit together to provide stronger corporate governance. It also forms the basis of a recent paper, jointly issued by ECIIA and the Federation of European Risk Management Associations (FERMA), on "Guidance for boards and audit committees on the implementation of Art. 41.2 of the 8th Directive" (see separate attachment).

Better External and Internal Communication

The paper also launches a debate on providing in the external audit report, in addition to historical financial information, some forward looking information on the organisation’s exposure to future risks.

The ECIIA agrees that such information may indeed provide more value to stakeholders, but only if it properly considers the entire portfolio of potential risks (including, in addition to financial reporting risks, also strategic, operational and compliance risks).

Pertinent studies on "rapid losses on shareholder value" (focussed on "large caps") indeed indicate that ineffective management and monitoring of strategic, business and operations risks accounts for 80% of shareholder losses (compared to less than 15% for financial reporting risks).

For the external auditor to publicly communicate on all significant risk exposures, this would necessitate a major extension of the scope of its work (historically focussed on financial reporting risks), which is neither realistic in terms of cost nor really value added.

The ECIIA therefore believes that any public disclosure on the organisation's exposure to future risks, and their potential impact on its financial health, should come through a communication from the board. To assume this (external) fiduciary duty, but also to fulfil its internal management oversight role, boards may look to their internal auditors for independent and objective assurance on governance and risk management aspects other than financial reporting.

This obviously requires some safeguards regarding the independence and professionalism of the organisation’s internal audit function:

o Independence, covering three different areas:

  - Independence of the internal audit function from any activity it reviews.

  - Organisational independence, in terms of the Chief Audit Executive's reporting line within the organisation.

  - Individual objectivity: the "state of mind" of the internal auditors.

The International Standards for the Professional Practice of Internal Auditing (IIA Standards) 1100 to 1130 provide the necessary guidance on how to ensure the required “Independence and Objectivity” for the internal audit function. (see Appendix)

o Professionalism: requiring that all public interest companies establish and maintain adequately and competently staffed internal audit functions, which act in accordance with the globally recognised International Professional Practices Framework (IPPF) issued by the Global Institute of Internal Auditors.

http://www.theiia.org/guidance/standards-and-guidance/interactive-ippf/.

• IIA Standards 1300 to 1322 (see Appendix) provide the necessary guidance for developing and maintaining a quality assurance and improvement program that covers all aspects of the internal audit activity. More particularly, Standard 1312 provides that "External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organisation."

In addition to the above general comments, the ECIIA would like to offer specific responses to the following questions in the paper:

(4) Do you believe that audits should provide comfort on the financial health of companies? Are audits fit for such a purpose?

- See above general comments under Higher Level of Assurance to Stakeholders.

(5) To bridge the expectation gap and in order to clarify the role of audits, should the audit methodology employed be better explained to users?

Yes:

- The "public-at-large" should have a better understanding of the scope and limitations of the external audit approach. This may also be facilitated by the communication processes of the Audit Committee itself and through reference to existing audit guidelines.

- In addition to communicating on what was covered during the audit, external auditors should also publicly disclose on the issues that were “outside scope”.

(8) What additional information should be provided to external stakeholders and how?

- See above general comments under Better External and Internal Communication.


(19) Should the provision of non-audit services by audit firms be prohibited? Should any such prohibition be applied to all firms and their clients, or should this be the case for certain types of institutions, such as systemic financial institutions?

- The ECIIA endorses the view of the external audit standards, which are clear that non-audit work poses potential threats to external audit quality. While these standards provide extensive procedures that external auditors must follow to prevent such threats from affecting the external auditor's independence, the ECIIA believes that the only way to avoid such threats arising would be to prevent audit firms from offering non-audit services to audit clients.

Once again, the ECIIA would like to thank DG- MARKT for offering us the opportunity to participate in this debate on the (future) role and scope of the statutory audit function in the context of financial market regulatory reform. We are happy to assist you in developing future recommendations and/or regulatory measures in this respect.


Sincerely,

Brussels, 8th December, 2010

Phil Tarling, President ECIIA
Carolyn Dittmeier, Vice-President ECIIA


Appendix International Internal Audit Standards (excerpt)

1100 – Independence and Objectivity

The internal audit activity must be independent, and internal auditors must be objective in performing their work.

Interpretation:

Independence is the freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. To achieve the degree of independence necessary to effectively carry out the responsibilities of the internal audit activity, the chief audit executive has direct and unrestricted access to senior management and the board. This can be achieved through a dual-reporting relationship.

Threats to independence must be managed at the individual auditor, engagement, functional, and organizational levels.

Objectivity is an unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. Threats to objectivity must be managed at the individual auditor, engagement, functional, and organizational levels.

1110 – Organizational Independence

The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities. The chief audit executive must confirm to the board, at least annually, the organizational independence of the internal audit activity.

Interpretation:

Organizational independence is effectively achieved when the chief audit executive reports functionally to the board. Examples of functional reporting to the board involve the board:

Approving the internal audit charter;

Approving the risk based internal audit plan;

Receiving communications from the chief audit executive on the internal audit activity's performance relative to its plan and other matters;

Approving decisions regarding the appointment and removal of the chief audit executive; and

Making appropriate inquiries of management and the chief audit executive to determine whether there are inappropriate scope or resource limitations.

1110.A1 – The internal audit activity must be free from interference in determining the scope of internal auditing, performing work, and communicating results.

1111 – Direct Interaction with the Board

The chief audit executive must communicate and interact directly with the board.

1120 – Individual Objectivity

Internal auditors must have an impartial, unbiased attitude and avoid any conflict of interest.

Interpretation:

Conflict of interest is a situation in which an internal auditor, who is in a position of trust, has a competing professional or personal interest. Such competing interests can make it difficult to fulfill his or her duties impartially. A conflict of interest exists even if no unethical or improper act results. A conflict of interest can create an appearance of impropriety that can undermine confidence in the internal auditor, the internal audit activity, and the profession. A conflict of interest could impair an individual's ability to perform his or her duties and responsibilities objectively.

1130 – Impairment to Independence or Objectivity

If independence or objectivity is impaired in fact or appearance, the details of the impairment must be disclosed to appropriate parties. The nature of the disclosure will depend upon the impairment.

Interpretation:

Impairment to organizational independence and individual objectivity may include, but is not limited to, personal conflict of interest, scope limitations, restrictions on access to records, personnel, and properties, and resource limitations, such as funding.

The determination of appropriate parties to which the details of an impairment to independence or objectivity must be disclosed is dependent upon the expectations of the internal audit activity's and the chief audit executive's responsibilities to senior management and the board as described in the internal audit charter, as well as the nature of the impairment.

1300 – Quality Assurance and Improvement Program

The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity.

Interpretation:

A quality assurance and improvement program is designed to enable an evaluation of the internal audit activity's conformance with the Definition of Internal Auditing and the Standards and an evaluation of whether internal auditors apply the Code of Ethics. The program also assesses the efficiency and effectiveness of the internal audit activity and identifies opportunities for improvement.

1310 – Requirements of the Quality Assurance and Improvement Program

The quality assurance and improvement program must include both internal and external assessments.

1311 – Internal Assessments

Internal assessments must include:

Ongoing monitoring of the performance of the internal audit activity; and

Periodic reviews performed through self-assessment or by other persons within the organization with sufficient knowledge of internal audit practices.

Interpretation:

Ongoing monitoring is an integral part of the day-to-day supervision, review, and measurement of the internal audit activity. Ongoing monitoring is incorporated into the routine policies and practices used to manage the internal audit activity and uses processes, tools, and information considered necessary to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Periodic reviews are assessments conducted to evaluate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards.

Sufficient knowledge of internal audit practices requires at least an understanding of all elements of the International Professional Practices Framework.

1312 – External Assessments

External assessments must be conducted at least once every five years by a qualified, independent reviewer or review team from outside the organization. The chief audit executive must discuss with the board:

The need for more frequent external assessments; and

The qualifications and independence of the external reviewer or review team, including any potential conflict of interest.

Interpretation:

A qualified reviewer or review team demonstrates competence in two areas: the professional practice of internal auditing and the external assessment process. Competence can be demonstrated through a mixture of experience and theoretical learning. Experience gained in organizations of similar size, complexity, sector or industry, and technical issues is more valuable than less relevant experience. In the case of a review team, not all members of the team need to have all the competencies; it is the team as a whole that is qualified. The chief audit executive uses professional judgment when assessing whether a reviewer or review team demonstrates sufficient competence to be qualified.

An independent reviewer or review team means not having either a real or an apparent conflict of interest and not being a part of, or under the control of, the organization to which the internal audit activity belongs.

1320 – Reporting on the Quality Assurance and Improvement Program

The chief audit executive must communicate the results of the quality assurance and improvement program to senior management and the board.

Interpretation:

The form, content, and frequency of communicating the results of the quality assurance and improvement program is established through discussions with senior management and the board and considers the responsibilities of the internal audit activity and chief audit executive as contained in the internal audit charter. To demonstrate conformance with the Definition of Internal Auditing, the Code of Ethics, and the Standards, the results of external and periodic internal assessments are communicated upon completion of such assessments and the results of ongoing monitoring are communicated at least annually. The results include the reviewer's or review team's assessment with respect to the degree of conformance.

1321 – Use of “Conforms with the International Standards for the Professional Practice of Internal Auditing”

The chief audit executive may state that the internal audit activity conforms with the International Standards for the Professional Practice of Internal Auditing only if the results of the quality assurance and improvement program support this statement.

Interpretation:

The internal audit activity conforms with the Standards when it achieves the outcomes described in the Definition of Internal Auditing, Code of Ethics, and Standards.

The results of the quality assurance and improvement program include the results of both internal and external assessments. All internal audit activities will have the results of internal assessments. Internal audit activities in existence for at least five years will also have the results of external assessments.

1322 – Disclosure of Nonconformance

When nonconformance with the Definition of Internal Auditing, the Code of Ethics, or the Standards impacts the overall scope or operation of the internal audit activity, the chief audit executive must disclose the nonconformance and the impact to senior management and the board.
