What can organisations do to facilitate coordination?
We concluded that the potential value of cooperation is only achieved where auditors communicate with each other, share intelligence and importantly use that intelligence to inform and refine their own activities. Therefore, what can organisations do to facilitate coordination?
Within their respective strategies both external and internal audit should clearly identify assurances upon which they potentially intend to rely; along with reasoning, extent and intended approach to cooperation.
The majority of assurance is still delivered by and managed by individuals; therefore, regular and structured dialogue between the parties is important to initiate, build, maintain and maximise the benefit of professional relationships. Those relationships should respect the roles, responsibilities, skills and knowledge of each party.
Effective cooperation is underpinned by:
Executive and Board should actively encourage and support cooperation, trust and mutual respect. The Audit Committee should be suitably constituted and engaged in organisational risk management; adopting a Board Assurance Framework approach to risk management, the Committee, should be seeking assurance over risks within the strategic risk register, these assurances, their frequency and outputs should be clearly known.
This structured approach to assurance over core strategic risks is a valuable tool to assurance providers to understand the framework of assurances in place, the first step in identifying potential assurances upon which they may be able to rely and therefore the relationships which should be sought.
If you are to place reliance upon the work of others, you must have confidence in their work. This will be based on recognition of the qualifications, skills, knowledge, professional standards and diligence with which that work is performed.
With respect to external audit this confidence must be supported by the due diligence necessary under ISA 610 and for internal audit enough to assure the Chief Internal Auditor (CIA) over competencies to comply with IPPF 2050.
There also needs to be confidence that information is openly exchanged, suitably retained and protected by all parties.
Recipients must have confidence in the openness of all communications; if there are any concerns over the transparency of those communications then this is likely to significantly reduce reliance.
This openness must be approved and supported by Audit Committee; if there are any concerns over the authority to freely exchange information, this should be discussed and clarified with Executive and Audit Committee. Ideally, procedures to facilitate effective cooperation should be agreed by parties, documented, and approved by the Audit Committee; with respect to internal audit this should be captured in suitable detail within the Internal Audit Manual (IAM) and Internal Audit Charter.
At its simplest level coordination can be achieved through the review of outputs. However, this is not enough for many to achieve any real benefit. For example, in the case of external audit, they cannot place any reliance upon the work of the internal auditor simply upon the review of reports and must meet the due diligence expectations of ISA 610.
This clearly requires a commitment and willingness from both parties; supported by a positive attitude and professional respect.
Where significant reliance is placed on the work of other assurance providers regular consultation between the parties will provide the basis for identifying, refining and exploiting opportunities for reliance or beneficial cooperation. Again, at its simplest level reviewing outputs, may throw up questions in one’s mind where clarity will only be brought about by consulting on the issue or finding.
Regular and open communication between assurance providers is essential to the success of cooperation; these communications will be both formal and informal.
Formal communication will include attendance at Audit Committee, planning meetings or catch up meetings. These structured discussions will be directly related to the organisation; particularly considering planning for cooperation, reliance, timing, and sharing of outcomes and other information.
There should also be a willingness to communicate less formally when issues arise which are of a mutual interest. Informal ad-hoc communications as and when issues of mutual interest relating to the organisation arise, or through conversations when paths cross as part of their wider professional roles.