From an organisational perspective it can be easy to jump to the conclusion that there are many benefits of coordination across external and internal audit; after all, both have the term ‘audit’ in the title and therefore must naturally do similar tasks, meaning that significant duplication must exist, this is quite simply not true.

The external auditor’s duties, rights and obligations are governed by statute. In the UK these are set out in the Companies Act 2006 Part 16, Chapters 1 to 7. The core purpose is to carry out sufficient work to enable them to express an independent opinion to the members upon a set of the financial statements and whether these show a true and fair view. The format of reporting their audit opinion is prescribed in standards.

Whereas internal audit is an independent, objective assurance and consulting activity designed to add value and improve an organisation's operations. It helps an organisation accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. There is freedom over the format, wording and approach to reporting.

Unlike external audit, the role and responsibilities of internal audit are not governed by statute; compliance with the professional standards is good practice, but, voluntary other than in regulated sectors where annotated versions such as the Public Sector Internal Audit Standards (PSIAS) exist.

You can see that external audit is limited in scope and by its very nature looking at the past; whereas in contrast the scope of internal audit may be much wider, is not defined by statute and arguably more proactive, concerned with the future, looking to improve and offer new insight. In essence internal audit will mean many different things, to many different organisations, depending upon the sectors in which they operate.

The above is limited to external and internal audit; the external auditor is only likely to place reliance upon the work of internal audit, not other assurance providers, however, the same is not necessarily true of internal audit. The Chief Internal Audit (CIA) may identify other sources of assurance beyond just that of external audit; these may be used by the CIA in accordance with Standard 2050 Coordination & Reliance.  

Traditionally many think of external audit placing reliance upon internal audit, however, in reality due to its non regulated status and greater flexibility it is increasingly the internal auditor who is placing reliance upon other assurance sources when planning the best use of its own defined resources.

However, putting aside the inherent differences what are the potential benefits of coordination?

  • audit efficiency based on a clear understanding of respective audit roles and requirements;
  • informed scope reducing organisational audit ‘burden’ resulting in less distraction to the day job; 
  • avoiding potential timing clashes and exacerbating the audit ‘burden’;
  • more informed dialogue on organisational risk improving the focus of audit effort and consequently the value to Executive, Board and other stakeholders; and
  • better coordinated internal and external audit activity based upon wider intelligence; informing future work, resulting in more targeted audit scope, delivering improved efficiency or value.

The limitations of ISA 610 (UK) on directed assurance must be observed; however, these do not prevent cooperation and exchange of audit intelligence which will benefit the associated quality of end-products.

The specific benefits, and the scale to which they could be achieved, will vary by organisation.

Whenever pursuing such benefits the organisation and respective audit teams should remain mindful of the cost vs. benefit; for example there may be a historic perception that the external auditor is placing reliance upon the work of internal audit and therefore an internal audit is repeatedly performed each year, however, the reality based upon the standards with which external audit must comply may mean that it places very limited or no reliance upon it, depending upon their own risk assessment and functional due diligence in accordance with Standard 610.

However, flip this and the internal auditor’s risk assessment and planned audit work may recognise that the organisation receives adequate assurance from regulated external audit work over significant costs within the financial statements such as Payroll; the internal audit is not mandated to perform the same extent of due diligence and will take comfort that external audit is regulated, therefore may use this to inform the direction and priority of resources. However, the extent and scope of an internal audit within this area may extend beyond that which the external auditor performs to form an opinion over the material accuracy of the value within the financial statements; therefore, whilst assured over the value, there may still be benefit in the internal auditor reviewing from an efficiency, economy and effectiveness perspective.

One thing does remain true regardless of the various activities and sources of assurance across an organisation; the potential value of cooperation is only achieved where auditors communicate with each other, share intelligence and importantly use that intelligence to inform and refine their own activities.