Chapter 2
2.1 INTRODUCTION
The objective of this chapter is to explore current international thought and practices on the subject area by identifying and reviewing relevant local and foreign literature. This will set the basis for establishing a theoretical understanding on the role of government auditing, both external and internal auditing, with particular emphasis on issues concerning the relationship between them. Figure 2.1 gives an outline of this chapter.
Figure 2.1: Outline of Chapter 2
2.2 AUDITING IN THE PUBLIC SECTOR
"In virtually all jurisdictions, the public sector plays a major role in society, and effective governance in the public sector can encourage the efficient use of resources, strengthen accountability for the stewardship of those resources, improve management and service delivery and thereby contribute to improving people's lives." (IFAC, 2001, par.004)
Government auditing is a cornerstone of good public sector governance (IIA, 2006a). Auditors play a crucial role by assisting government entities achieve, amongst other important objectives, accountability and integrity by providing unbiased opinions on the use of public resources. [1]
The public sector represents a principal-agent relationship as shown in Figure 2.2 below, with the officials acting as the principal's agents that must give account to their principal of the extent to which the public's objectives have been achieved. An effective audit activity is deemed important in order to reduce the risks inherited in such a relationship.
Figure 2.2: 3-Party Relationship (IIA, 2006a)
Given that public sector entities are complex and diverse, no single governance model can serve all of such entities (IIA, 2006a). Thus, based on the needs and circumstances, many structures rely on a combination of audit activities including both external and internal auditing.
2.2.1 External Auditing
The scope of external audit in the public sector should go beyond giving an expert opinion on the truth and fairness of the financial statements to incorporate assessments on aspects of corporate governance and the use of resources, commonly referred to as 'value for money' (Bourn, et. al, 2002). Moreover, INTOSAI GOV 9150 asserted that "compared to the IA, the Supreme Audit Institution (SAI) has the additional task of examining the effectiveness of the IA."
Furthermore, in carrying out their work EAs are not to be hindered during the performance of the audit but "…shall have the right of access at all times to the company's accounting records…" (Companies Act, 1995). In this regard NAO (2009) specified that the Auditor General's work is "facilitated by legislation which stipulates that any circumstance inhibiting such access to information is to be reported to Parliament."
It is useful to distinguish between the key elements of public sector audits. NAO (2009) classify its audits under the following categories: [2]
financial and compliance audits;
performance audits;
special audits and investigations;
IT audits.
2.2.2 Internal Auditing
INTOSAI GOV 9140 highlighted that the role of internal auditing has "evolved from an administrative procedure with a focus on compliance" to an essential component of governance in the public sector. Indeed internal audit activities are seen as providing assurance on the effectiveness of public sector entities' internal control environment by identifying opportunities for performance improvement.
Asare (2008) identified three main elements, sometimes referred to as the 'three pillars' to explain the role of internal auditing in the public sector. As shown in Figure 2.3 below, these include the "evaluation and improvement of risk management, control and governance processes." This suggests that internal audit has continued to move away from financial and compliance audits to a broader value-adding role, embracing both consultancy and assurance activities, thereby acting as the executive arm of government.
Figure 2.3: The Three Pillars of Internal Auditing (Asare, 2008)
A brief description on each of these three pillars is summarised in Table 2.1 below:
TABLE 2.1: BRIEF DESCRIPTION ON THE THREE PILLARS OF INTERNAL AUDITING
Governance
This relates to the means by which goals are established and accomplished. IA's roles are identified to be twofold: 1) providing independent and objective assessments that the entity's governance structures and processes are properly designed and 2) acting as catalysts for change by advising on potential improvements for a better governance structure. (IIA, 2006b)
Control
This includes all the policies and procedures put in place that are aimed at improving the entity's operations and control structures. Internal Audit Activity has become essential for monitoring and evaluating managerial activities prior to external evaluation by external auditors. (Baltaci & Yilmaz, 2006)
Risk Management
Risk Assessment is central to internal auditing and the INTOSAI's Guideline (2004) for internal control standards proposes a four-phase risk assessment model: 1) identify the risks, 2) evaluate the risks, 3) assess the risk appetite and 4) develop responses.
2.3 THE IMPORTANCE OF AUDITING STANDARDS AND INDEPENDENCE OF BOTH EXTERNAL AND INTERNAL AUDITORS
Diplock (2005) argued that the challenge for the audit profession is to regularly reassess whether standards are being followed and to demonstrate its independence. Over the years, INTOSAI members agreed that robust and reliable auditing standards were required, emphasising that public sector auditing must be underpinned by international standards as well. As a result of unique cooperation between public and private sector auditing there has been the development of International Standards of Supreme Audit Institutions (ISSAIs) [3] .
With respect to the Maltese scenario, the NAO uses the ISSAIs as guidelines of practices that are followed when conducting its financial and compliance audits. The Office also uses International Standards on Auditing (ISA) of the IFAC when carrying out the audit of financial statements of certain public sector entities (NAO, 2009). The methodology used by the IAID is based on International Standards for the Professional Practice of Internal Auditing that (include Diagram) is issued by the IIA (IAID, 2010d).
The independence of auditors, both EAs and IAs, is vital in ensuring that "public bodies are accountable for their performance in terms of both stewardship of public money and the delivery of high quality services" (Bourn, et. al, 2002). Indeed Bourn, et. al (2002) advocate that such independence ensures that they can 'speak as they find' and 'without fear or favour' in an objective way. This has become increasingly important following the recent financial scandals that have brought with them the loss in credibility in the auditing profession. Furthermore, INTOSAI GOV 9150 stated that, "IA's independence is fundamental to SAIs in the issue of using IA's work … to be able to coordinate and cooperate with an IA."
2.4 RELATIONSHIP BETWEEN EXTERNAL AND INTERNAL AUDITORS
"If internal audit is judged to be effective, efforts shall be made … to achieve the most appropriate division or assignment of tasks and cooperation between the SAI and Internal Audit." (Lima Declaration, ISSAI 1, section 3, par.3)
Coordination and cooperation between SAIs and IAs is enhanced as both parties can reap benefits in their continuous drive to achieve efficiency and effectiveness in public services. For this reason, such a relationship should be seen as an opportunity to strengthen public sector auditing.
The IIA and INTOSAI recognise the importance of such a relationship by being 'natural partners'. They share a common language such as standards; understand respective roles, responsibilities and expectations (Moser, 2008).
2.4.1 Opportunities for Cooperation in Practice
Although relatively little research has examined the areas of coordination and cooperation between I&EAs in the public sector, the following five aspects of fundamental auditing practice feature most prominently in the literature:
Audit planning;
Internal Controls;
Fraud and Irregularities;
Reporting;
Consultancy.
Audit Planning: INTOSAI GOV 9150 identified five main stages during an audit process where SAIs may use the work of IAs amongst which there is the planning stage. [4] This stage is deemed to be an important part of the process for managing an audit function where the EA should perform a preliminary assessment of the internal audit function. Such an assessment will influence the nature, timing and extent of external audit procedures, depending on the SAIs judgment of the relevancy of the internal audit.
Audit Commission (2010) sets out the importance for the EA to identify what work it will be seeking to place reliance upon during the planning stage as this, "ensures that the proposed work meets the timetable and requirements to enable external audit to place reliance upon it." Spencer Pickett (2010) explained that there are several levels to which audit planning may be interfaced as shown in Figure 2.4.
As can be seen in the below figure, at the extreme, it can result in one planning document being prepared which, according to Spencer Pickett (2010), is more relevant in the public sector given that EAs tend to assume a role in securing value for money.
Figure 2.4: Interfaced Audit Planning
Internal Controls: Following the enactment of the Sarbanes-Oxley Act of 2002, internal control responsibilities for both I&EAs increased. According to Engle and Joseph (2008), this "represents an area where tremendous value can be achieved through proper coordination."
The primary purpose of internal audit is to evaluate and improve the effectiveness of the system of internal control. [5] On the other hand EAs are required to obtain an understanding of the control environment prior to the preparation of the financial statements in order to plan the audit and develop an effective audit approach.
In her study, Colbert (1993) concluded that the IAs' work can aid the EA in understanding the design of the control structure by, for instance, providing system and document flowcharts of the accounting system and determining if the set system has been actually put in place.
Fraud and Irregularities: This has been identified by HM Treasury and NAO (2000) as another possible area where information can be exchanged, given that both auditors are interested in the prevention and detection of fraud. Internal audit work in relation to fraud can be relevant to EAs when assessing the risks of material misstatements found in the financial statements.
Since IAs have greater knowledge about the entity's operations than EAs, fraud risk assessment warrant significant reliance on internal audit work. Such a statement is supported by studies done by KPMG, which indicate that IAs are more likely to discover fraud than EAs (KPMG, 2009). This is illustrated in Figure 2.5 where 47% of frauds were discovered by internal audit, legal or compliance personnel compared to the 9% of frauds detected by EAs.
Reporting: One of the basic types of cooperation between auditors includes the exchange of audit documentation. Audit Commission (2010) recognises that sharing of audit reports and other audit information will "enhance understanding and effectiveness".
Moeller (2005) argued that internal audit reports should be circulated to EAs as they constitute an important means of keeping the EA informed of the internal audit findings and other activities. In undertaking the work necessary to underpin an opinion on the audited entity's financial statements, the EA may seek to rely on the work of the IA.
Audit Commission (2010) indicated that the IAs can provide the EAs with:
An audit plan;
Access to audit reports and associated working paper files;
Details of any significant changes to the audit plan.
Spencer Pickett (2010) further highlighted that the internal audit activity's final communications, management's responses to such communications, together with any subsequent follow-up reviews can assist EAs in determining and adjusting the scope and timing of their work.
Some EAs, on the other hand, may have concerns about turning over their work papers to IAs due to their professional obligations concerning confidentiality and independence as highlighted by Moeller (2005). Nonetheless their work can be "used as input to IAs in planning the areas to emphasise in future internal audit work" Spencer Pickett (2010).
Consultancy: HM Treasury and NAO (2000) indicated that consultation is fundamental to build an effective cooperation channel. The same view is shared by Spencer Pickett (2010) who affirmed that regular consultation is essential in order "to use similar techniques, methods and terminology" to carry out the work. The two parties may consult with each other even when they are not working together in a particular area such as consulting on specific audit findings.
Commitment, communication and confidence were identified as three essential components that need to be present to ensure effective consultation, as indicated in Table 2.2 below.
TABLE 2.2: BUILDING EFFECTIVE COOPERATION (HM Treasury and NAO, 2000)
Commitment
Both parties must be willing and committed to develop coordinated and effective audit services. They should take an active role in encouraging cooperation and be willing to undertake changes. Commitment is seen as an "attitude of mind."
Communication
Communication must be a two-way process where there will be regular and open communication between SAIs and IAs. This may include the exchange of audit reports and management letters and in some instances, granting access to each other's audit programs and documentation, by always providing for the necessary confidentiality.
Confidence
Mutual confidence is deemed essential between the two auditors which is based on the recognition that both audits are conducted within relevant professional standards. Confidence is also needed to ensure that information exchanged is treated professionally and with integrity.
INTOSAI GOV 9150 acknowledges that coordination and cooperation can be done either formally, where there will be formal agreements or protocols or in an informal way based on goodwill such as in the case of consultations.
Other possible areas of coordination and cooperation between SAIs and IAs were identified by HM Treasury and NAO (2000) and a brief summary is provided below:
Compliance with Laws and Regulations
Since IAs continuously assess the controls over compliance with laws and regulations that are internal to the Government such as Parliamentary approval for expenditure, SAIs can place reliance on their work. This is important given that most SAIs' mission statement emphasise the significance of the consideration of propriety [6] and hence internal audit activity is useful to determine whether "activities and business have been conducted in accordance with Parliament's expectations" (HM Treasury and NAO, 2000).
Audit of dispersed organisations
Although not particularly applicable to Malta, this has been recognised as another area of cooperation when the audited entity is dispersed geographically. HM Treasury and NAO (2000) argued that when the two parties are allowed to work in joint teams or one of them undertakes work on behalf of the other, more economical use of audit resources is made.
Reliance on the Internal Audit's Work
ISSAI 200 pointed out that,
"When the SAI uses the work of another auditor(s), it must apply adequate procedures to provide assurance that the other auditor(s) has exercised due care and complied with relevant auditing standards, and may review the work of the other auditor(s) to satisfy itself as to the quality of that work." (Section 2, par.2.45)
Reliance by EAs on internal audit's work is governed by ISSAI 1610 that further highlighted two main points that SAIs must consider after establishing that the internal audit function is relevant to the audit. These include [7] :
Whether and to what extent, to use the specific work of the IAs;
If so, whether such work is adequate for the purposes of the audit.
Such standard requires EAs to review IAs work, which usually involves redoing specific tests as well as performing a more general review.
The Sharman [8] Report (2001) found that the relationship between central government internal auditors and NAO "has not been as close as might have been expected", in part because the focus of internal audit has tended towards non-financial areas, making its work of less value to those auditing financial statements. Three major criterions were identified as a common element in the studies that examined the relationship between I&EAs. These elements influence the EAs' reliance on IAs as shown in Figure 2.6 below.
Figure 2.6: Framework of Judgement of EAs' reliance on IAs (Haron H. et al)
2.4.2 Potential Risks of Cooperation
A number of benefits were identified from the coordination and cooperation between SAIs and IAs including amongst others, more efficient and effective audits based on a clearer understanding of the respective audit roles and requirements (HM Treasury and NAO,2000).
Nonetheless, INTOSAI GOV 9150 highlighted some possible risks that could feature in their relationship and that should be managed accordingly in order to achieve the full range of benefits. The salient points include:
Possible conflicts of interest;
Any compromise of independence and objectivity, obstructing the ability to carry out an audit with an unbiased opinion;
Premature disclosure of audit findings to an external party, possible leading to a breach of confidentiality;
No consideration of constraints or restrictions placed on the other auditor when determining the extent of coordination and cooperation;
Developing incorrect conclusions when using the work of IAs;
Possible difference of conclusions or opinions which could lead to a potential risk of credibility of either party.
To achieve a healthy relationship both parties need to be efficient and effective as otherwise a potential threat might exist if inefficient operations are in place, especially if there is reliance on each other's work.
With reference to the Maltese scenario, the NAO conducted a study on the 'Internal Audit Function within Government Ministries' (NAO Report, 2000). [9] This study dates back to 1999 and no further study has been carried out since then.
It was observed that, although the function did lead to some isolated benefits, it fell short of the required level of effectiveness. This was mostly due to:
Inadequate central coordination;
Limitations in the function's independence within Ministries;
Lack of management support;
Deficiencies in recruitment and training practices;
Restrictions and lack of resources;
Other factors influencing the effectiveness of the function including the relationship between the NAO and IAs.
2.5 challenges and barriers to effective coordination
Golen (2008) highlighted that "in any working relationship, one has to be totally cognizant of the human relations component that can arise, and the internal and external audit relationship is no exception." In fact the first relevant study regarding the relationship between I&EAs, realised by Mautz (1984), as cited by Haron et al (2004), showed that from internal audit's point of view the relationship with external audit was only 'ostensibly' a good one.
Since a working team relationship is a key component for an effective and efficient independent audit, communication problems have a direct impact on the outcome of an audit. Indeed the following communication barriers were recognised by Golen (2008), given that, once identified and addressed, communication between I&EAs would improve.
Distortion or Omission of Information
This occurs when an element of pride influences the information exchanged negatively, as each party perceives his work as critically important for the conclusion of an audit. Both parties may not contribute in enough detail with respect to the information required from each other. Golen (2008) highlighted that such a barrier could be managed by "providing an environment that encourages open lines of communication" in order to meet the objective of the audit.
Lack of Credibility
This is especially important from the standpoint of the EA because if the latter perceives that the IAs lack credibility, he will be unwilling to place reliance on the IA's work. In fact, Golen (2008) argued that "some IAs see their interactions with EAs as not one of their favourite parts of the job because of the EAs' limited use of their work." Such a situation may result in tension and conflict. The relationship could be improved if IAs possess the knowledge, skills and other competencies to demonstrate their value, in order for EAs to accept their work as reliable.
Tendency not to listen
According to Golen (2008), the first step to enhance communication is through effective listening as negative attitudes towards each other can be detrimental to the relationship. He argued that both parties need to be open-minded by establishing a basis of trying to gain proper information from each other without developing any premature judgements.
Resistance to Change
Another common barrier highlighted is the EAs' resistance to change to new concepts and procedures as these may be seen as a threat. When this happens IAs may develop a feeling of resentment that could further worsen an "already fragile relationship" Golen (2008). Both I&EAs must be willing to give enough time to each other to prove the benefits that could be gained by allowing for change.
2.6 CONCLUSION
In light of the above, one can conclude that although there are some potential risks resulting from cooperation, working together as a team rather than two independent groups can only improve the efficiency and effectiveness of the independent audit and ultimately leading to a better service to the public. Yet, such cooperation can only thrive in an environment where there is mutual confidence, implying that both I&EAs should adopt an active role in seeking opportunities to coordinate work, where possible, in the interests of maximising the benefit of their work and minimising duplication of effort.
(3160 words)
