Internal and External Auditors and Audit Committees Need to Improve Relationships
Better communication among internal and external auditors and audit committee members can ease some of the tensions, according to a new report.
The report, from the Institute of Internal Auditors and the Center for Audit Quality, found that improved communication and cooperation among the various auditing roles can help with enterprise risk management at a company. The report, “Intersecting Roles: Fostering Effective Working Relationships Among External Audit, Internal Audit, and the Audit Committee,” highlights examples of such strong communications and cooperation from organizations across the country, with a focus on building a clearer understanding of what external auditors require to be able to use the work of internal audit, and when it is not appropriate to use that work.
The report is based on a series of three roundtable discussions held last fall in Houston, San Diego and Kansas City, sponsored by the Center for Audit Quality and the Institute of Internal Auditors’ Audit Executive Center. The discussions drew internal auditors, external auditors and audit committee members.
“It was really a unique opportunity to get insights from these three groups about how all three of them, who play such an important role in companies, can better communicate,” said CAQ executive director Cindy Fornelli, during a conference call Tuesday with reporters. “We focused on three areas, which were how enterprise risk management could be introduced into companies, how internal and external auditors could work together more productively, particularly in light of the PCAOB’s expectations for the external auditor, and then on how the audit committee can help improve communications between themselves and internal and external audit to build better working relationships, given that the audit committee sits at the hub."
The participants in the roundtables offered observations about the challenges and opportunities created by the various audit roles, particularly in the process of internal control over financial reporting. The report also shared auditing practitioners’ best practices and strategies for coping with the various challenges.
The IIA and the CAQ released the report Tuesday during the IIA’s General Audit Management conference in Las Vegas.
“I hosted a panel yesterday that included representatives from these key groups that we’ve been talking about, and I think the same themes that came through in the paper that we’ve just published came out there,” said IIA president and CEO Richard Chambers during Tuesday’s press call. “One of the recurring points that the paper makes is that regardless of which of these challenges we’re talking about, whether it’s ERM or whether it’s external audit’s reliance on internal audit’s work, or whether it has to do with relationships in general, the recurring theme throughout has been that communication has to be strong. It’s got to be continuous and with strong communication between the audit committee, the external auditors and the internal auditors. With this sort of trilateral communication, you’re going to be much more successful as an organization navigating all of these challenges.”
The paper also notes how one internal auditor discussed the helpful role that a facilitator can play in managing the audit burden that company staff may experience.
“There’s a certain amount of audit fatigue out there, or oversight fatigue,” said Chambers. “So many different folks are involved in playing those second lines of defense roles, but I think in this case it had to do specifically with setting up and championing ERM. The facilitator could be the chief audit executive, as we often see happen out there when there are several different players who potentially have a role to play in an area like launching enterprise risk management. One of the themes in the paper had to do with the fact that the audit committee, internal audit, and the external auditors can play a role in helping companies to embrace or adopt enterprise risk management.”
“It’s less about who the ERM champion is and more that it should be well defined, whether it’s the CEO, the CFO, the audit [committee], the risk committee, or even internal audit, just that there is a clear champion who has ownership of standing it up and monitoring it,” said Fornelli.
During a panel discussion at the conference that Fornelli moderated, U.S. Bancorp audit committee chair Olivia Kirtley and chief audit executive Mark Sparano talked about how they work together. “They are a financial institution and by law they have to have a risk committee,” Fornelli noted. “It was very interesting to hear Olivia and Mark talk about how they set up their ERM program and then the oversight that the audit committee and the risk committee provide to internal audit and external audit too.”
Also at the conference, Public Company Accounting Oversight Board member Jeanette M. Franzel delivered a speech in which she discussed the subject of protecting investors through a coordinated system of audit and audit oversight. “Internal auditors are in a position to have a significant positive impact on the external audit by making sure that the communication and coordination with the outside auditor and the audit committee run smoothly and swiftly,” she said.