Sei sulla pagina 1di 47

It Takes Two

A good practice guide to co-operation between


internal and external auditors

The Audit Commission promotes


proper stewardship of public
finances and helps local
authorities and health service
bodies achieve economy,
efficiency and effectiveness. It is
concerned to identify and spread
best practice in auditing.

Effective co-operation between


internal and external auditors is
an example of good practice. This
guide, for use by internal and
external auditors, deals with how
they can work together.

Internal and external auditors


follow different priorities and are
ruled by different requirements,
but follow similar principles and
share many aims. There is much
to be gained by good cooperation between them.

Good co-operation means active


planning, imaginative assessment
and a mutual exchange of
information. It benefits from
support from the top.

Most internal and external


auditors co-operate to some
extent, but the Audit Commission
has found plenty of scope for
improvement. Sometimes there is
no one at the audited body to
encourage auditors to try harder.
Management or the Audit
Committee have a role to play
here.

The Audit Commission encourages


its appointed auditors to work
together with internal auditors to
achieve the best value for money
for the audited body.

good practice
guide
May 1996

AUDIT
COMMISSION

Good Practice Guide

It Takes Two

How to use this guide

Contents

If your main interest is the benefit


to be gained from co-operation
between internal and external
auditors, read the first chapter of
this guide on the concept of cooperation and its possible impact.
You may also need to know the
technical or regulatory basis for it,
which is in the second chapter
entitled Practicalities.

Appendices

Concept and impact

Best practice: practicalities

Best practice: preparation

10

Best practice: procedures

21

Problem solving

26

Finally

30

Definition of the Managed


Audit
31

Understanding each other:


the different obligations
placed on internal and
external auditors
32

Control self assessment

33

Chapter 2 also outlines the areas


for co-operation and gives some
helpful hints.
All auditors should read the
chapters on Best practice and
Problem solving. External auditors
implementing or considering the
Managed Audit should be fully
familiar with them.
The Checklist for action (inserted
as a pull-out centre section) will be
helpful to management and Audit
Committees who wish to identify
their priorities and make
improvements.
This guide focuses on co-operation
between internal and external
audit. It does not cover compulsory
or voluntary competitive testing of
the internal audit service, the role
of the Audit Committee, or
transfers of staff between internal
and external auditors. It has been
written for audits where the
external auditors are appointed by
the Audit Commission, but the
principles within it can be applied
more widely.

Acknowledgements
This guide is based on research into
professional standards for internal
and external auditors, publications
concerning co-operation between
internal and external auditors, and
field visits. The Audit Commission
gratefully acknowledges assistance
from the internal and external
auditors of the following local
government and NHS bodies:

Essex County Council

Oxfordshire County Council

Mid Sussex District Council

Fareham Borough Council

Leicestershire Health Authority

Frenchay NHS Trust

Epsom Healthcare NHS Trust

Merton and Sutton Healthcare


Trust

The Audit Commission also visited the


following bodies and is most grateful
to their internal and external auditors
for the contribution they made to our
researches:

British Nuclear Fuels plc

British Waterways Board

London Electricity plc

Royal Mail

The Audit Commission also thanks


Mollie Bickerstaff of KPMG and Lynn
Hine of Coopers & Lybrand for their
work in preparing this guide, and the
various auditors and others, including
professional bodies, who reviewed the
consultation draft and gave us the
benefit of their views.

Concept and impact

Internal and external audit have


different roles and different priorities
but there can be a lot of overlap in
what they do and why they do it.
Good co-operation between them will
minimise duplication of effort and
maximise the benefits of working
together towards the same goals. The
concept applies to all audits where
there is an internal audit function,
whether supplied by an in-house
team, a consortium or another firm of
auditors. It is an integral part of the
I
Audit Commissions Managed Audit .
Auditors are familiar with it and
should already be doing it, but we
have found that there is scope for
improvement. Critical factors for
success, as illustrated in Exhibit 1, are
support from management and the
Audit Committee (where one exists),
and the attitudes of the two auditors.

Successful implementation of best


practice in co-operation may require
input from management, internal
audit and external audit over a lead
time that could take more than one
year. Improved co-operation brings
benefits to management, internal
audit and external audit, as illustrated
in Exhibit 2 (overleaf).
Exhibit 1
Success factors for co-operation

Factor
Management and the
Audit Committee

Probable failure to
achieve best practice

Probable success

are supportive

take little or no
interest

Internal audit

takes an active role in


co-operating with
external audit

just hands over


whatever is
requested by
external audit

External audit

is willing to make
changes to achieve
best practice in cooperation

makes demands on
internal audit and
gives little or no
feedback

I
Readers who are not familiar with the
Managed Audit will find a definition in
Appendix A to this guide. Further
information can be found in the Good
Practice Guide to the Managed Audit,
available on request from the Audit
Commission.

Good Practice Guide

It Takes Two

Exhibit 2
Benefits
Management

Internal audit

A co-ordinated, efficient and effective total audit service.

Independent assurance that the internal audit function meets


good practice and complies with professional standards. This
arises from a comprehensive evaluation of the function by
external audit.

Improved management satisfaction with the internal and


external audit services arising from better joint planning and
communication.

A potential release of external audit days which may be used to


undertake other external audit work such as local VFM projects
tailored to specific needs or an increased focus on the
prevention and detection of fraud and error.

External audit

A forum for discussion of good practice techniques,


approaches to systems-based testing and issues at the audited
body.

The opportunity to implement a more effective audit focused


on key risk areas with no unnecessary duplication of effort.

The opportunity to implement the Audit Commission Managed


Audit and deliver the benefits to be derived from it.

The effect on overall audit costs


Once co-operation has been
maximised, some external audit time
may be released for other external
audit work, such as more time for

local VFM projects tailored to suit


specific needs, or an increased focus
on the prevention and detection of
fraud or error. Alternatively, it may be
realised as a saving.

The size of the audit and of the


internal audit resource will have an
effect on the potential for tangible
benefits arising from improved cooperation. Small audits or limited
internal audit resources mean
proportionately less scope.

Concept and impact

Exhibit 3
Answers to some common questions from management

Is this something new? Why havent my auditors been doing it for years?
Most internal and external auditors
are already co-operating but many could go further or do better. This guide
may help improve the benefits being derived from co-operation.

External audit time can only be


reduced if the agreed plans for cooperation are met each year. This
generally means that internal audit
must be able to complete their agreed
plan of systems-based audits and be
given sufficient resources. For
example, if internal audits work on
ad hoc queries, fraud investigations or
other unplanned emergencies drives
out agreed systems work, external
audit will have to do the essential
work, at additional cost. In small
audited bodies or cases where
internal audit resource is very limited,
it may not be possible to cope with
unexpected demands on internal
audit time without dropping some
work previously agreed with external
audit.

Why should my internal audit resource have to do the external auditors


work for them?
It shouldnt. Thats not what
co-operation is about. Co-operation is about understanding where the two
types of work overlap and eliminating unnecessary duplication.
Will it bring my overall audit costs down?
Possibly. The external auditors may be
able to spend less time on some areas of the audit, without an appreciable
increase in internal audit costs. You may wish to make use of any released
time on, say, local VFM projects.
Will I be expected to get more internal auditors?
Probably not, athough that depends on
whether you have an optimal level of internal audit resource in the first
place. You will want to determine how to use internal audit resource so as to
provide a service that meets managements requirements most effectively.

Some audited bodies may decide to


consider increasing their investment
in internal audit in order for external
audit to place maximum reliance on
their work.

Why do I have to have two sets of auditors anyway?

Co-operation between internal and


external auditors still gives rise to
some basic questions from
management, as illustrated in Exhibit
3. Auditors should make sure that
management understands the issues
and the need to be supportive.

Internal and external auditors carry out different functions, both of them
useful to management and the audited body. See Appendix B for the details.
The law says you have to have external auditors, and good sense generally
compels you to have internal auditors too, although there may also be certain
rules or regulations (eg, NHS requirements).
5

Good Practice Guide

It Takes Two

Best practice: practicalities


This chapter
considers the areas of
audit work where the
external auditor will
normally consider
relying on internal
audit.

The first and most fundamental


practical requirement is that internal
and external auditors should
understand the different obligations
placed on the other auditors.
Appendix B to this guide discusses the
main points of similarity and
difference between what is required
of internal and external audit.
The second practical requirement is
the existence of a well-run and
appropriately resourced internal audit
unit. This guide does not deal with
how to resource and run an internal
audit unit. Guidance on these matters
is available from, among others,
CIPFA, the Institute of Internal
Auditors, and the NHS Executive.
This chapter considers the areas of
audit work where the external auditor
will normally consider relying on
internal audit. Reliance, and how the
external auditor should approach it,
are dealt with in the next chapter, on
preparation.

Opinion and non-opinion external


auditing

Due for publication in 1996. Contact


CIPFA, the Chartered Institute of Public
Finance and Accountancy, at 3 Robert
Street, London WC2N 6BH.

External auditors appointed by the


Audit Commission must meet several
different audit objectives, of which
giving an opinion on the financial
statements is only one, normally the
most significant. This is explained in
more detail in Appendix B. The
external auditor may rely on internal
audit work for many of the audit
objectives, as outlined below.

Review of internal control


The most common areas of cooperation will be the review of
internal control. External auditors may
decide to rely on internal control as
part of their opinion audit work.
External auditors appointed by the
Audit Commission are also required to
give an independent assessment of
the adequacy of the audited bodys
financial systems. In either case,
external auditors need not carry out
the detailed work themselves if they
are able to rely instead on systems
work done by internal audit.
The review of internal control over
financial systems is a well known area
of audit work, but there are many
different approaches to it. Effective
co-operation between internal and
external audit will benefit from
methods that are shared, or at least
well understood, by both parties. A
I
CIPFA guide incorporating detailed
control matrices for seven systems
identified as core to local authorities
and the NHS will be helpful in
achieving a widely shared
understanding and possibly a
common method.

Best practice: practicalities

Computer audit work

Value for Money (VFM) auditing

There is some useful co-operation in


the use of computer-assisted audit
techniques (CAATs, usually data file
interrogation software). But,
otherwise, we found little cooperation in practice on computer
audit work, which may result from a
relative scarcity of computer audit
skills among internal auditors. Where
this is the case, management should
consider whether internal audit might
benefit from joint projects with more
experienced external computer audit
staff, or whether more formal training
by external audit would be beneficial.

VFM auditing is an area where overlap


between internal and external audit is
possible but can be limited. Some
internal audit units have adopted the
objective of assisting management in
the pursuit of value for money, but
some do not have this objective and
therefore do not carry out work that
is equivalent to the VFM work being
done by external audit. On the other
hand, there may be occasions where
an operational audit or a special
project carried out by internal audit
can replace all or part of an external
audit VFM project, or instances when
a project taken to overview stage by
the external auditors can be
completed by an internal audit team.

Final accounts work


Internal audit can assist external audit
with work on year end balances or on
the verification of assets. In some
cases year end work is not within
internal audits ambit but where it is
or can be accommodated then cooperation is possible.

Visits to establishments
In cases where there are many entities
within the audited body requiring
audit visits (eg, schools, GP
fundholders, cash offices, social
services units) it will often be sensible
for internal audit to take the lions
share of the necessary audit visits,
since their greater familiarity with the
business being conducted and their
year-round presence provide potential
efficiencies for the audited body.

Where internal audits objectives and


the scope of their responsibilities
include VFM or the equivalent, then
internal and external audit should
discuss whether any project or review
could be done on a co-operative
basis. In cases where work is being
done jointly, the external auditors will
need to ensure that the study team
meets the Audit Commissions
requirements as set out in the Annual
I
Letter of Guidance.
The Audit Commission is considering
a different approach to the
implementation of VFM studies,
currently known as study-implementaudit. Internal audit may have a role
to play in the implement stage.

The Annual Letter of Guidance is issued


by the end of October each year by the
Audit Commission to its appointed
auditors.

Good Practice Guide

It Takes Two

Review, appraise and report upon


the extent to which the
Trust/Authoritys assets and
interests are accounted for and
safeguarded from loss of any kind,
arising from:

VFM follow up
External audit is required to
investigate the audited bodys
progress in implementing agreed VFM
recommendations from past years
and in achieving agreed savings. This
is an area where internal audits
greater degree of presence on site
and closer knowledge of the audited
body could mean they can deal with
VFM follow up effectively. Both
auditors will be aware that it is
managements responsibility to own
and to deliver the follow-up action.

Management arrangements
External audit is required to assess
managements arrangements for the
economic, efficient and effective use
of resources. Internal auditors will
often be required to appraise the
economy and efficiency with which
resources are employed (Institute of
Internal Auditors Standard 340).
There is good potential for cooperation here too.

Fraud and corruption


Internal and external audit will both
have audit objectives concerning
fraud and corruption. In the case of
external audit, it is to give an
independent assessment of the
audited bodys arrangements for
preventing and detecting fraud and
corruption, while internal audits
objectives will vary depending on
their terms of reference and may be
wider than those of external audit.
For instance, the NHS Internal Audit
Manual requires internal audit to:

fraud and other offences;

waste, extravagance,
inefficient administration;

poor value for money or other


causes.

Internal audit may be seen as part of


managements arrangements in the
prevention or detection of fraud and
corruption. External audit is obliged
to follow guidance issued from time
to time by the Audit Commission.
Internal and external audit should
keep each other fully informed of
their plans and work in progress on
the prevention and detection of fraud
and corruption, and should be able to
co-operate. For instance, they should
be able to agree a joint programme
for cyclical coverage of selected audit
areas. But external auditors will
generally be expected to carry out
some work themselves in addition to
relying on the work done by internal
audit.

Grant claims
The external auditor relying on
internal audit work on local authority
grant claims will be expected to reperform some of the internal audit
work concerned. This requirement
stems from the risk inherent in grant
claims that management may have a
8

vested interest in falsifying such


claims. The external auditor will be
aware that internal audit, by its
nature, can never be wholly
independent of top management, and
so is expected to take this or an
equivalent precaution in exercising
the external auditors responsibility to
certify grant claims. The extent and
level of re-performance will be a
matter for the external auditors
judgement, having regard to an
assessment of risk.

Performance indicators
External auditors appointed by the
Audit Commission are required to
satisfy themselves that arrangements
put in place by management for the
collection, recording and publication
of certain performance indicators are
adequate. This is another area where
co-operation with internal audit can
be considered.

Sharing the files


It will be sensible, where possible, for
internal audit and external audit to
agree some means of sharing the
relevant working paper and
correspondence files without
duplicating them, since duplication
introduces an increased risk of the
two copies becoming out of step.
Ownership of the files may be an
issue. External audit working papers
belong to the external auditor, while
internal audit working papers
ultimately belong to the audited
body. If the logistical or ownership

problems of file sharing are


insurmountable, then arranging free
access to each others files may be an
acceptable alternative, and care
should be taken when relying on a
copy of a document or working paper
where the original could have been
updated.

Joint reporting
Joint reporting may also be difficult to
arrange, for practical reasons. Internal
audit are often required to report
promptly to their Audit Committee (or
equivalent governing body eg, an
alternative committee or the Chief
Executive or Director of Finance) as
soon as each project is complete.
Internal audit will probably be
working to terms of reference for the
project that go beyond the
requirements of external audit.
Conversely, external audit will
normally be working to a different
audit reporting timetable, focused on
memoranda to management to deal
with any matters arising from their
early review work and the annual
management letter issued towards
the end of the year. Where some form
of joint reporting is arranged, often
on systems evaluation, for instance,
care should be taken not to blur the
different accountabilities of the
internal and external auditors.
Auditors should consider joint
reporting where it adds value for the
audited body.

Best practice: practicalities

Staff transfers
The short-term transfer or
secondment of staff can be useful in
achieving a better understanding of
the other auditors processes and
priorities. This is more often done by
transfer of an internal auditor to work
with the external auditors for a time,
although transfers in the other
direction, or swaps, can also take
place.

Reliance on self assessment


Control self assessment (see
Appendix C) is a risk and an internal
control review technique that can be
of benefit to the audited body but, by
its nature, external audit may have
difficulty in establishing whether it
meets their requirements. Since the
use of control self assessment in local
government and the health service is
limited as yet, external auditors who
encounter it in practice should consult
the Audit Commission and should
consider each case on its merits. If
internal audit and the audited body
concerned are finding control self
assessment (or any other form of self
assessment by management)
sufficient to give assurance on
internal control, then the Audit
Commission would wish its appointed
auditors to work constructively with
internal audit to determine whether a
means of relying on it might be
found.

Good Practice Guide

It Takes Two

Best practice: preparation


The external
auditor relies on work
done by internal
audit but may not
hand over
responsibility for it.

Good co-operation is a multi-stage


process that may take a number of
years to develop. It can be initiated by
either party. This chapter describes
how to get ready and Chapter 4 deals
with the annual cycle.

Reliance by external audit on


internal audit
Key among the obligations placed
upon external audit is the
requirement to take responsibility for
meeting the audit objectives in the
Code of Audit Practice. External
auditors are not allowed to
subcontract this responsibility. The
external auditor relies on work done
by internal audit but may not hand
over responsibility for it. The external
auditor achieves this by:

an overall evaluation carried out


by external audit from time to
time to determine whether
internal audit continues to meet
required standards;

an update review each year to


confirm the external auditors
understanding of the quality of
the internal audit work being
done on areas earmarked for
reliance; and

specific reviews by external audit


of individual pieces of internal
audit work, carried out each year,
which may include some reperformance, depending on the
nature of the work and the results
of the updated overall evaluation.

10

External audit may take into account


any other form of accreditation
achieved by internal audit, such as
reviews carried out by regulatory
bodies or other agencies.
Other measures that can be taken
from time to time include:

training as needed in each others


audit methodology for appraising
internal control over financial
systems;

rotational reviewing, where


internal audit might review a
certain system in most years with
external audit carrying out the
review once, say, every third or
fourth year (although some
significant systems need to be
reviewed each year); and

arrangements for joint working on


specific projects with the
possibility of skills acquisition or
transference.

The fact that external audit is relying


on internal audit, and needs to follow
an evaluation process before doing
so, tends to make it seem a one-way
process. There is a temptation for
external audit to make all the
demands and for internal audit to be
reactive. But internal audit has many
advantages, stemming from its
permanent presence on site and
closer knowledge of the audited body,
and has much to contribute. An open
approach, with both parties playing
their part actively in a joint audit
process is best.

Exhibit 4
Procedures

EVALUATION

Every
few
CONSULTATION

years

The joint audit process


There are eight main stages in the
joint audit process for external and
internal audit, including
communication. They are summarised
in Exhibit 4. Auditors will move
through all of these stages, some
every year and others every few years.

TRAINING

RISK
ASSESSMENT

REPORTING

Annual
cycle
MONITORING
AND REVIEW

11

PLANNING

COMMUNICATION

A two-way process is best

Best practice: preparation

Good Practice Guide

It Takes Two

Case Study 1
Effective communication
The internal and external audit at one entity have a written agreement to meet
on a quarterly basis with set agendas for each meeting. These formal meetings
are accompanied by access to the other auditor, if needed, on an ongoing
basis throughout the year. The agendas for the quarterly meetings include:
February

Confirmation of internal audit testing and results

May

Discussion of external audit findings so far, internal audit


progress and any external audit planning issues requiring
internal audit liaison

September Informing internal audit of external audit results, and discussion


of internal audit planning issues for the following year
December Discussion of internal audit progress and issues arising

Communication
Communication is fundamental in
developing and maintaining good cooperation between auditors. It runs
through the co-operation process
from start to finish, and may be
formal, informal or a combination of
both. Good communication is
genuinely two-way so that issues are
discussed at the appropriate stages of
both audit cycles, with formal notes

The Auditing Practices Board (APB) was


established in 1991 by the Consultative
Committee of Accounting Bodies to
advance standards of auditing and
provide prescriptive, persuasive and
other guidance for the exercise of the
auditors role.

produced and further meetings


arranged throughout the year. Good
practice examples are described in
Case Studies 1 and 2.

Evaluation
Under Statement of Auditing
Standard (SAS) 500.3 issued by the
I
APB, external auditors should
perform an evaluation of the internal
audit function if they consider that it
may be possible and desirable to
place reliance on internal audits
work. SAS 500 applies to Audit
Commission audits. A full evaluation
should be carried out from time to
time, and should be updated every
year. Some audited bodies prefer a
full evaluation at least every two
years.

II

Source: Audit Commission data for


1993/94 and 1994/95.

12

The evaluation should assess how well


internal audit meet their objectives
and whether the service delivers value
to the audited body. There would
generally be a full evaluation of
internal audit in a period with any
major change; for example, a change
in key internal audit staff or the
appointment of new internal auditors.
In the NHS, for example, there has
been a recent change away from inhouse provision of internal audit
II
services, the difference being spread
fairly equally between consortia and
firms. These new providers will have
to be assessed.
This guide does not deal with any of
the methodologies for evaluating
internal audits performance. The
method of evaluation is a matter for
the external auditor concerned, who
will be able to obtain advice from, for
example, CIPFA, the Institute of
Internal Auditors or any of the firms
which specialise in this work.
The concept of a peer review will be
familiar to many internal auditors,
and is included in the standards
issued by the Institute of Internal
Auditors. Internal auditors may wish
to consider whether they would
prefer to have a review carried out by
someone other than the current
external auditor, perhaps with wider
experience of the internal audit
function, and whether the results of
that review might be made available
to the external auditors.

Difficulties may arise if the internal


auditors have any reason to suppose
that the external auditors may be
bidding against them in some future
competitive tender, whether for
internal audit services to the same or
another audited body. In such
circumstances, it is for the parties
concerned to come to an
understanding, having regard to their
respective professional requirements.
The Audit Commissions view is that
the interests of the audited body
should take precedence.
The results of the evaluation should
be discussed fully and openly with
internal audit, with a view to making
constructive suggestions for
improvement where appropriate. The
results should also normally be

Case Study 2
Communicating the results of an
evaluation
An auditing consortium that has
often been evaluated by different
external auditors always asks the
external auditors not to say in their
reports we cannot rely on internal
audit when what they mean is the
coverage achieved by internal audit
in any year is insufficient to allow
us to do less systems work
ourselves, or words to that effect.
It is important to be clear when
wording the results of an
evaluation, so as not to give any
false impressions.

Best practice: preparation

Case Study 3
Evaluation of internal audit
One NHS body visited had appointed new internal auditors for the 1994/95
financial year. External audit undertook an evaluation of the new internal
audit service to ensure that it complied with the mandatory standards of the
NHS Internal Audit Manual, in respect of:
Objectives and scope

Independence

Due professional care

Staffing and training

Relationships

Planning, controlling and recording

Evidence

Evaluation of the internal control system

Reporting and follow up


The results of this evaluation were discussed in detail with the internal audit
service. This was followed up by comprehensive reporting of the agreed
evaluation to management and to the Audit Committee. This reporting
explained each internal audit standard and the external auditors assessment
as to whether internal audit met the standard. An overall conclusion of the
evaluation was also given by external audit.

presented to management and the


Audit Committee, where one exists, as
part of the overall audit service.
External auditors should be aware that
some internal audit consortia, agency
suppliers (NHS) or firms operate across
a number of audited bodies. External
auditors should consider whether it
may be satisfactory for one external
auditor to carry out the overall
evaluation of the consortium and
make the results available to the
external auditors of the other audited
bodies using the consortium.
Appropriate terms of reference may
need to be agreed, and suitable
assurances exchanged, to cater for the
liabilities that might arise.

13

Detailed reviews of the consortia


working papers on particular audited
bodies should be completed by each
individual external auditor. The results
of the evaluation process should be
communicated to the internal auditor.
They should also be reported to
management (s151 officers and
appropriate non-executives in local
government and Audit Committees in
the NHS). A good practice example of
an evaluation can be seen in Case
Study 3.

Good Practice Guide

It Takes Two

Consultation
Consultation aims to determine the
mechanism through which internal
and external audit will co-operate,
and to set it up to run for a number
of years. Auditors should consult on
the standards and procedures for cooperation in the broad sequence
shown in Exhibit 5 which is discussed,
stage by stage, in the rest of this
chapter.

Exhibit 5
Consultation

ACTION PLAN
Systems
approach

Documentation

STANDARDS

Sharing
files

Reporting
Communication

Timing of
cycles

Review
mechanism
PROCEDURES

Systems
work

Fraud
work
VFM work

AGREEMENT
14

Best practice: preparation

Action plan

Systems approach

Management and both sets of


auditors will initially need to agree an
action plan to implement the
recommendations arising from the
evaluation stage. All three parties
should agree this action plan to
ensure:

Internal audit work on systems and


internal control is primarily intended
to ensure that the service delivered
meets managements.needs. It will
often be wider in scope than external
audit work on systems, which is
carried out to meet the audit
objectives set by the Code of Audit
Practice. Consultation may therefore
be required to ensure that each
auditor understands the others
systems-based audit approach. Cooperation between internal and
external audit can be less time
consuming when both sets of
auditors use similar systems-based
audit approaches, making it quicker
for external audit to identify areas
where they will be able to rely on the
work of internal audit and to carry
out the required reviews of internal
audit work. But external audit should
be capable of understanding and
reviewing internal audits approach,
even when it differs from their own.

management buys to in all


recommendations with resource
implications;

internal audit accepts the


recommendations made; and

external audit is satisfied with the


actions proposed by internal audit
and management.

Alternatively, external audit may


simply be made aware of the
reasoning behind the rejection of a
recommendation. For example,
external audit may have
recommended that the internal audit
function employ more specialists but
management may decide that there
are insufficient benefits to justify
implementing this recommendation.
In this case, the auditors would
normally respond by considering
whether productivity can be further
enhanced.

In many cases, both sets of auditors


are probably already using similar
approaches to the identification of
systems and auditable areas. One
example of a shared audit approach
was seen at a health authority, as
shown in Case Study 4.

15

Case Study 4
A shared audit approach
The external and internal audit
services at a health authority came
together to discuss and draw up
joint testing plans and audit
schedules for GP fundholder
audits. This has enabled external
audit to achieve the Audit
Commissions recommended threeyear cycle, with reliance on internal
audit in the interim years.

Good Practice Guide

It Takes Two

Documentation
Another area of consultation may be
the standards of documentation to be
maintained on internal and external
audit files in order for reliance to be
maximised. Both sets of auditors are
required by professional standards to
record their work adequately, but may
find it useful to discuss at a more
detailed level certain minimum
standards of documentation for both
sets of auditors to adopt; for example,
whether source documentation is to
be copied to the audit file when
errors are noted during detailed
testing. There are advantages and
disadvantages to adopting one
auditors methods of testing and

Exhibit 6
Audit documentation
Advantages

Disadvantages

External auditors method

quick and easy for the external


auditor to assess each year
whether the work has been done
in accordance with the Code of
Audit Practice.

training and support may be


needed for the internal audit
team.

Internal auditors method

no initial delay in training.

the method may need to be


adapted in some ways to meet
the external auditors needs.

little or no change for the internal


auditor.

the external auditor has to do


more work to understand and
evaluate the internal auditors
methods and results.

16

documentation, as shown in Exhibit 6.


It is up to the auditors to decide
which option is best in each case.
Good practice examples of coordination of documentation in
undertaking systems work were seen
at a local authority and a public utility
company. These are described in Case
Study 5.

Sharing files
Auditors should also agree practical
arrangements for sharing relevant
files and working papers. These
consultations may include
arrangements for access to the files,
photocopying the files where
necessary, file storage and the
retention policy to be used, and may
have regard to ensuring that no
inappropriate liabilities might arise.

Communication
Both auditors should consider and
agree how communication between
them will work in practice. One
example of a good mechanism for
communication was noted in Case
Study 1 (page 12). Auditors may also
wish to set up other practical
communication arrangements such as
arrangements for sharing
accommodation when the external
auditors are on site.

External audit at one local


authority have shared their systems
testing and summary
documentation with internal audit
for a number of years. This
documentation has been adapted
slightly by internal audit to meet
their own needs. External audit
find it quick to review the work of
internal audit as the
documentation used bears a strong
resemblance to their own.
The internal and external audit
functions at a public utility
company visited have found a
practical and easy way for internal
audit to document their work to
facilitate quick review by external
audit. The internal audit function
continue to use their own standard
documentation; however, all of the
tests on which external audit seek
to rely have been identified on the
internal audit programme by the
use of italic type. This was achieved
by the internal and external
auditors jointly going through the
internal audit documentation to
identify tests of particular
relevance to external audit.

both sets of auditors. There may be


scope for management to take a part
in developing a standard format, to
ensure the result is going to be useful
to management.

Timing of cycles
In order for co-operation between
auditors to work most effectively,
there should be consultation and
agreement as to the timing of their
audit cycles during the year. Prior to
consultation and discussion between
internal and external audit, the timing
of the external regularity audit cycle
during the year may look like
Exhibit 7.
The internal audit cycle normally runs
on a financial year basis. By April,

internal auditors will generally have a


plan agreed with management for the
year ahead. External audit planning
for the financial year audit generally
takes place from November to January
in the financial year, followed by a
systems audit at some point from
January to April and a final accounts
audit in the summer following the
year end. External audit planning for
the following year will not take place
until approximately November, some
nine or ten months after internal
audit planning for that same year. The
external audit management letter, an
annual report on all audit activities
that must address all the audit
objectives, should be issued to
members by 31 December.

Exhibit 7
External audit cycle before discussions (excluding VFM audit)

Level of activity

Case Study 5
Systems audit work documentation

Best practice: preparation

Final
accounts
audit
Systems
audit
Planning

Reporting
Auditors may wish to agree a
standard reporting format. The main
advantage of a standard format is
that audit findings will be reported to
management in a consistent way by

Time

17

Good Practice Guide

It Takes Two

Case Study 6
Planning
As soon as new internal auditors
were appointed in April 1994, the
external auditors met with the
internal auditors to discuss internal
audit plans and how to maximise
co-operation between the two sets
of auditors. This meant that the
external auditors began to think
about the planning for their
1994/95 audit before they had
completed their 1993/94 financial
statements audit. The external
auditors were able to implement a
Managed Audit for 1994/95.

For co-operation to work most


effectively there needs to be
consultation as to the timing of these
audit cycles and a readiness to adapt,
where possible, to accommodate the
needs of the other auditor. External
auditors should be aware of the
timing of the internal audit planning
cycle. Good practice examples of this
advancement of elements of the
external audit planning process were
seen at a number of bodies. An
example is shown in Case Study 6.
Other timing issues that may require
consultation are the timing of internal
audit reviews and follow-up work on
key financial systems and the timing
of the external auditors interim
systems audit. External auditors need
to gain assurance as to the operation
of key financial systems throughout

18

Case Study 7
The consultation process
As a result of consultation on
internal audit plans at one audited
body, the internal audit service
agreed to reschedule their audit of
creditor payments from April 1994
to December 1994. This gave
external audit the opportunity to
place greater reliance on the work
of internal audit with only three
months of the financial year not
covered by the internal audit work.
The external and internal auditors
at another audited body have
agreed that internal audit work on
systems should take place later in
the financial year in future, and
that their selection of samples
should be spread over the period
to date. This will give external audit
greater comfort in expressing an
opinion on the financial statements
for the year. External audit have
agreed that their interim audit can
be moved from January/February to
after March.
In another case, internal audit
schedule their work in consultation
with external audit, to mutual
benefit. At least one audit is
undertaken for the external
auditors each year. Internal audit
suggest the topic, and draw up an
assignment brief which is signed
off by both auditors. The report
goes to external audit and to the
County Treasurer.

the financial year in order for them to


be able to reduce the level of
substantive testing they need to
undertake. For this reason, external
auditors may wish to discuss with
internal audit the timing of internal
audit reviews of key financial systems.
Examples of this consultation process
are described in Case Study 7.
The results of consultations between
auditors on the timing of audit cycles
may give rise to an external audit
cycle looking something like that
shown in Exhibit 8.

Best practice: preparation

Fraud and corruption and VFM


work
External and internal audit
consultations may also extend to
fraud and corruption and value for
money work. A number of examples
were seen of joint internal and
external audit fraud and corruption
cyclical programmes covering a period
of years. An example of good practice
is described in Case Study 8.
The auditors at an audited body have
shared the Audit Commission Fraud
Manual. This manual was used by
both sets of auditors when they sat
down to devise and agree a joint
three-year plan on fraud and
corruption work to be undertaken by
each set of auditors.

Level of activity

Exhibit 8
External audit cycle after discussions (excluding VFM audit)

Case Study 8
Consultations on fraud and
corruption work
The auditors at an audited body
have shared the Audit Commission
Fraud Manual. This manual was
used by both sets of auditors when
they sat down to agree a joint
three year plan for audit work on
the prevention of fraud and
corruption.

Systems work
The final matter that internal audit,
external audit and management may
wish to consider is the extent of
systems work external audit believes
they should undertake. For example,
the agreement in Case Study 1 (page
12) clearly specifies the work that
external audit will undertake on
systems, assuming that internal audit
have completed their agreed work.

Training
Final
accounts
audit
Planning

Systems
audit

Time

19

Consultation may indicate training


requirements both for internal and
external audit so that they can ensure
they can perform their agreed areas
of work. At one public utility
company, a training need was
identified for the internal audit
function in techniques for file design
and cross referencing of working
papers. In this instance, the external
audit function carried out this
training. In some cases there may be a
training need for external auditors in

Good Practice Guide

undertaking effective reviews of


internal audit work and in analytical
review audit techniques. If the
consultation process has resulted in
an agreement to adopt one method
for systems audit work, there may be
a training need for at least one set of
auditors to become familiar with a
new approach.

Getting started
Auditors starting from square one, or
close to it, may find the summary
implementation plan in Exhibit 9
useful.

It Takes Two

Exhibit 9
An implementation plan
The internal and external auditors at a local authority agreed this action plan:

Agree in principle with the Director of Finance. Copy to


Chief Executive and members. Produce draft protocol
of external/internal coverage of accounting systems.

December
1994

Agree internal audit programme for 95/96.

February
1995

Review internal audit standards achieved on 94/95


work and feed back any areas for improvement.

March
1995

Produce an external audit plan for 95/96 audit work


based on agreed internal audit coverage and assumed
standards agreed following review of internal audit
94/95 work. Agree the plan with internal audit.

September
1995

Produce an agreed three-year cyclical plan for joint


systems coverage.

January
1996

Review internal audit performance in 95/96.

March
1996

Establish a programme for full implementation, if


possible, from 96/97.

March
1996

Conclusion
Best practice co-operation depends
on sound set-up work which is
updated from time to time. It requires
continuing attention to training and
effective communication. This chapter
has described the steps to be taken in
order to prepare for and maintain
co-operation at its optimum level.

20

Best practice: procedures


Risk assessment is
the driving force
behind both auditors
approaches to their
work.

The Audit Commission is obliged, by


law, to publish and maintain a Code of
Audit Practice that embodies the Audit
Commissions view of best professional
practice in the standards, procedures
and techniques to be adopted by
auditors in discharging their functions.

Risk assessment
One of the earliest steps in the annual
audit cycles of each set of auditors is
to review and update their risk
assessment in accordance with their
own policies and procedures. The
internal auditor considers whether an
event or action will adversely affect
the audited body. The external auditor
considers the risk of giving an
inappropriate audit opinion on the
financial statements, and the risk
associated with each of the other
external audit objectives (see
Appendix B). In good practice
examples, risk assessment is the
driving force behind both auditors
approaches to their work.
For internal auditors, the result of the
risk assessment process is usually the
production of an Internal Audit Needs
Assessment. This is an appraisal of the
systems operated by the audited
body, their relative risk, and the
frequency with which an internal
audit appraisal of them should be
made. This assessment encompasses
the compliance, operational and
financial activities of the audited
body. The external auditors risk
assessment is generally restricted to
the financial systems, in accordance
I
with the Code of Audit Practice.
Internal and external auditors should
share the information contained in
their risk assessments in order to
inform each others assessments.
Differences may arise. For instance,
external auditors may need to
recognise that internal audit may rate
21

a system at a lower risk and therefore


may not need to test it as often as the
external audit objectives might
require.

Planning
Next, each set of auditors will draw
up their initial audit plans for the year.
External auditors may be some nine or
ten months, or in extreme cases up to
a year, behind internal audit in
drawing up their plans for the same
financial year. This disparity in the
timing of internal and external audit
cycles needs to be actively managed.
Internal and external audit need to
discuss each others plans to
understand the proposed scope,
timing and extent of audit work with
a view to eliminating duplication of
effort.
External auditors need to start
thinking further ahead. By the time
external audit start planning, internal
audit are generally already over half
way into their audit year, with a good
view of progress and findings to date
and the likely outturn of internal audit
activity against the original plan. Both
these pieces of information will be of
use to external audit planning in
order to determine the amount of
reliance on internal audit that they
can build into their plan and the likely
systems and substantive testing to be
carried out. Exhibits 10 and 11
(overleaf) give examples of the
considerations auditors may have
when reviewing each others plans.

Good Practice Guide

It Takes Two

Exhibit 10
Reviewing INTERNAL audit plans
Timing could any adjustments be
made to the timing of internal or
external audit proposed work to
maximise the potential for
reliance?
Scope could any adjustments be
made to the areas of work selected
by internal audit to enable
maximum reliance to be placed on
their work?
Extent could any adjustments be
made to the extent of internal
audit work; for example, from
review to detailed testing, in order
for reliance to be maximised?

Exhibit 11
Reviewing EXTERNAL audit plans
Duplication is there any
potential duplication in the work
proposed by external audit with
work we have already undertaken
or are due to undertake?
Assistance are there any areas in
which external audit are planning
work where we could assist within
our agreed resources and plan?
Omissions are there any areas
external audit have overlooked
which, due to my knowledge of
the entity, one of us should be
doing some audit work on?
22

Management and Audit Committees


should seek to promote good joint
planning between internal and
external audit. The NHS Executive
Audit Committee Handbook contains
suggested questions for Audit
Committees when reviewing external
audit plans. These include the
question,What are the auditors doing
to co-ordinate their work with the
authoritys/trusts Internal Auditors?

Performing work
The next stage is for both auditors to
perform their agreed audit plan using
the agreed approach and
documentation methods. Internal
audit work for the year will start first
and internal auditors should continue
to liaise and communicate with
external auditors on the progress of
their audits during the year. This will
enable external audit to update their
plans to take account of internal audit
progress, findings and
recommendations.

In a number of good practice sites,


this ongoing liaison as work is
performed takes place by means
of quarterly meetings between
internal and external audit.

In another example, liaison


arrangements were more informal
with external audit sharing
accommodation with internal
audit when on site.

Both these mechanisms can work


well, provided the auditors concerned
understand the underlying imperative
of good two way communication. The
extent of external audit systems work
should depend on the timing, scope
and extent of internal audit work on
each system. This may also be true for
fraud and corruption work and
possibly value for money work. In
order for external audit to rely on the
specific work of internal audit, they
must first take reasonable steps to
ensure that the work has been done
in accordance with the requirements
of the Code. This is considered further
in the next section on review. Having
undertaken their review of internal
audit work, external audit will draw
up their own programme of systems
and substantive tests in order to gain

Exhibit 12
External audit systems testing
Following a detailed review of the
work performed by internal audit,
the external audit work
programme for systems and
controls testing was limited to:

summarising the work and


findings of internal audit;

testing of a small number of


key year end controls not
covered by internal audit due
to the timing of the internal
audit work; and

a detailed analytical review.

Best practice: procedures

sufficient audit assurance to meet


their obligations under the Code. One
good practice example of tailoring of
the external audit systems
programme to take account of the
work of internal audit is described in
Exhibit 12.
In order for external audit to
maximise their reliance on the work
performed by internal audit, they may
delay their interim systems audit until
after internal audit have completed or
substantially completed their financial
systems work. In one local authority,
for example, the external audit
systems audit has been put back from
December to late January/early
February with plans for future systems
visits to take place after the 31 March
year end. A public utility company has
seen a different effect from increased
reliance on internal audit work by
external audit. External audit are no
longer perceived as undertaking their
work in defined interim and final
audit visits. Instead, an external audit
presence is seen at the audited body
throughout the year, with external
audit reviewing internal audit work
and determining their own work
programmes as and when internal
audit work is completed.

23

When external audit have undertaken


their work programmes for systems
testing, they should feed back the
results of their work to internal audit
as well as to management. This may
be achieved in practice by providing
internal audit with copies of any
external audit systems reports to
management. This will ensure that
internal audit are made aware of the
results of any external audit work that
may have an impact on the internal
audit needs assessment for future
years.

Good Practice Guide

It Takes Two

Review
As noted above, external audit need
to take reasonable steps to ensure
internal audit work is performed in
accordance with the requirements of
the Code of Audit Practice. Their
review of specific internal audit work
will consider whether the work has
been performed properly and has met
the standards agreed at the
consultation stage. The results of the
review will help external audit to
determine whether the overall
evaluation of the internal audit service
remains appropriate. The issues
external auditors take account of in
their review include the matters
shown in Exhibit 13.
A good practice example of
documentation of the external audit
review of internal audit work is

described in Exhibit 14. External audit


should ensure that the results of their
review of internal audit work are
formally communicated to the
internal auditors. This should further
promote two way communication
and enable the Chief Internal Auditor
to take action on any points arising
where it may be needed.

Reporting
The final stage in each audit cycle is
reporting. Internal auditors generally
produce reports for each audit they
undertake, together with summary
reports on at least an annual basis.
Internal auditors should keep external
audit informed by sending them a
copy of each final audit report
produced. This good practice was
noted at most of the sites visited. In
order for internal audit to be

Exhibit 13
Review considerations

Was the work done by properly trained staff?

Was the work of junior staff properly supervised and reviewed?

Was sufficient appropriate audit evidence obtained?

Are the conclusions reached appropriate in the circumstances?

Is the internal audit report consistent with the results of the work
performed?

Have all the exceptions or unusual matters reported by internal audit


been properly resolved?

What is the impact of internal audit findings on the external audit plan?

Is there a need to test the work of internal audit to confirm its


adequacy?

24

Best practice: procedures

Conclusion

Exhibit 14
Review of internal audit
The external auditors of one audited body complete a standard record of
assessment of internal audit work on each significant system. This
assessment asks the following questions:

Has internal audit work covered appropriate controls?

Are methods of selection and samples chosen for testing adequate?

Have appropriate tests been applied to key controls?

Has testing been performed satisfactorily?

Have correct conclusions been drawn from the work and, if appropriate,
reported and action secured?

Has the work been adequately recorded?

appraised of external audit findings, a


number of external auditors copy
internal audit with all external audit
reports produced for the audited
body. One interesting example where
this was achieved is shown in Exhibit
15. The findings of external audit
work are a relevant source of
information for internal audit when
they update their Internal Audit Needs
Assessment.

External auditors are expected to


include appropriate reference to
reliance on internal audit, the
assessment of internal audit and the
results from their systems work in the
management letter. All references to
internal audit should be discussed
with internal audit first as a matter of
courtesy. This reporting process will
feed back into the overall evaluation
of internal audit by external audit.

25

Best practice co-operation starts each


year at the risk assessment stage, is
an integral part of planning, and does
not end until the opinion is given and
the management letter issued. By
then, the next annual cycle will
probably have already begun and the
cycle continues.

Exhibit 15
External audit reporting
The Chief Internal Auditor at an
audited body co-ordinates
responses to the external auditors
Report to Officers, and takes the
opportunity to add value to the
report (but without assuming an
operational responsibility) by, for
instance, identifying any errors and
suggesting updates for action
already taken by management. This
ensures that the internal audit
function at the council are aware
of the results and
recommendations arising from the
work of external audit, and is
helpful to external audit since it
adds to the quality of their
outputs.

Good Practice Guide

It Takes Two

Problem solving

In theory, maximising co-operation


between internal and external audit
has much to commend it but, in
practice, it is not being achieved as
widely as appears possible. Many
auditors shy away from it, either
because they see problems where
none may exist or because no one is
compelling them to try harder. This
chapter summarises problems

encountered in practice and suggests


how they may be overcome. Once the
problems likely to arise in any
particular case have been identified
and addressed, then management
and audit committees should decide
whether there is a scope for a greater
degree of co-operation between
internal and external audit.

What happens when...

Set out below are some questions


that come up in practice, together
with our suggested response to
solving the problem. The problems
listed do not include issues already
addressed and resolved in earlier
chapters of this guide.

Suggested response

External audit

The external audit evaluation of internal audit shows a


poor result?

External audit do not give feedback on their evaluation


of internal audit?

External audit only consider internal audit plans when


they undertake their own planning and then seek
amendments to the internal audit plans over halfway
through the internal audit year?

The external auditors of a number of audited bodies each


wish an internal audit consortium to adopt their own
preferred method of systems testing and
documentation?

26

Management, internal audit and external audit need to


discuss and agree an action plan for improvements to be
made in the internal audit service.
Management may wish to draw up or revise their
specification for internal audit to take account of the
evaluation recommendations.
Reporting the results of the evaluation in the management
letter is too late. Good practice means prompt and
constructive feedback to management and internal audit at
each stage.
External audit should be aware of the timing of the internal
audit planning cycle. Internal auditors can help here by
ensuring that external audit receive copies of internal audit
draft plans.
The implications of suggested amendments to internal audit
plans during the year should be considered by the Chief
Internal Auditor. Any issues that cannot easily be resolved
between auditors, or any requiring significant additional
internal audit resource should be discussed with
management.
The consortium will wish to adopt the method and style of
systems testing most suitable for an effective provision of
internal audit services to their clients.
The external auditors should consider getting together, in
consultation with the consortium, to see if a method that
suits the majority can be agreed.

Problem solving

What happens when...

Suggested response

External audit
External audit try to direct internal audit work to
concentrate only on the areas in which external audit wish
to rely?

External audit request internal audit to perform work that


internal audit are not happy with?

External audit do not wish to share Audit Commission


Technical Releases and other publications with internal
audit?

It is wrong for either party to be directive. The approach to


co-operation should be consultative.
Any concerns that internal audit may have should be
discussed with external audit and where necessary
management and the Audit Committee (where one exists).
Internal audit should discuss the reasons for their concerns
with the external auditors. Management and audit
committees may need to become involved if any potential
extra work for internal audit is going to prohibit them from
undertaking their agreed plan.
Auditors have always had the option of making Technical
Releases available, where they consider it relevant and
helpful.
The Audit Commission will begin to make its Technical
Releases available to audited bodies from April 1996.

External audit should discuss their findings with the Chief


Internal Auditor and agree which auditor should undertake
External audits review of internal audit work indicates that further work to overcome the weaknesses in the internal
audit work. If the Chief Internal Auditor is unable to make
insufficient work has been carried out or that the work
improvements (for example, due to lack of resources), both
done has not been sufficiently recorded?
sets of auditors should consider jointly how best to present
this problem to management or the audit committee.
External audit do not copy their reports to internal audit?

27

Both sets of auditors should agree mechanisms by which


they receive copies of each others reports promptly.

Good Practice Guide

It Takes Two

What happens when?

Suggested response

Internal audit is provided by a consortium or a firm and


competition or issues of commercial confidentiality are put
forward by either auditor as barriers to co-operation?

Auditors professional standards require them to establish


constructive working relationships and mutual understanding
between internal and external audit on each engagement. In
these circumstances, auditors will typically be concerned that
a competitor could gain access to their material or could
derive information that might disadvantage them in future.
Both auditors should be sensitive to these concerns but
should not treat them as an automatic barrier to achieving a
greater degree of co-operation.

Internal audit

LGFA: Local Government Finance Act, which also applies to the


external audit NHS bodies.

Internal auditors may like to note that external auditors


appointed by the Audit Commission have a right of access
I
under s16 LGFA 1982 to all documents relating to a body as
appear necessary for the purpose of their audit. External
auditors are restrained by s30 LGFA 1982 from divulging
information obtained during the course of an audit.

Internal audit have completed their financial systems


fieldwork early in the year giving coverage for only part of
the year?

The timing of internal and external audit work is a matter for


consultation between auditors. Internal audit may agree to
undertake further or follow-up work later on in the year to
increase the coverage for the year.

Internal audit work indicates that there are significant


systems control weaknesses?

External audit will need to assess the findings of internal


audit and determine the most appropriate external audit
approach. This may mean that external audit will find it more
appropriate to adopt a substantive based approach in order
to obtain the required level of external audit assurance.

Internal audit work on systems is spread across the


financial year for each system, to give systems audit
coverage for the whole year. When should internal audit
report their findings?

Internal audit may wish their reporting to follow the pattern


of work during the year. If work is undertaken in more than
one tranche on a particular system, internal audit may find it
necessary to produce more than one report on the significant
findings from each tranche of work.

Internal audit complete their work but are not effective at


producing reports of their findings?

External audit will still be able to rely on the work performed


by internal audit, provided they are content with the timing,
scope and extent of the work. Any significant findings from
the internal audit work should then be incorporated into the
relevant external audit report. They may also need to be
reported to line management. External audit may consider
discussing with internal audit ways of making improvements
in the internal audit reporting process.

28

Problem solving

What happens when...

Suggested response

Management
For audit findings and recommendations to have maximum
impact they should be reported as soon as possible after
the completion of fieldwork.
Management ask why they get two reports on their
financial systems if internal and external audit are
co-operating effectively?

Where internal and external audit have adopted joint


testing plans for fraud and corruption work, it may be
useful to produce one report of audit findings and
recommendations for management, athough both parties
will first need to consider whether any such joint reporting
might give rise to any inappropriate liabilities or interfere in
any way with each auditors accountability.
This is no excuse for external audit to do nothing. They
should co-operate with the old and new internal auditors.

Management are proposing a change of internal audit


services?

Management may wish to consult the external auditor in


the selection process for new internal audit services, to
benefit from their wider view, although the decision to
appoint must remain with management.

Both sets of auditors

Both sets of auditors do not discuss their plans with each


other?

Both sets of auditors are not committed to co-operation?

29

For co-operation to work, both auditors must be


committed to the process. Each should be aware of the
planning and audit cycle of the other.
Each auditor should ensure that their plans are copied to
the other in sufficient time for the other auditor to be able
to comment on the content of the plan.
Audit committees (where they exist) and management
should encourage co-operation between auditors and ask
how co-operation has been built into each auditors plan
and programme of work.

Good Practice Guide

It Takes Two

Finally...
Co-operation between internal and
external audit is something that most
auditors could do better, given more
support from top management or the
Audit Committee and a little more
understanding of the obligations
placed upon the other auditor.
Improved co-operation can mean
better progress with the Managed

Audit and a more productive audit


service. Sorting out any perceived
problems or barriers to better cooperation will demonstrate that for
full success it takes two auditors,
internal and external, working
together to eliminate duplication and
deliver a seamless service to the
audited body.

If you are interested in discussing


how to improve the co-operation
between internal and external
auditors at your local authority or
NHS body, then may we suggest
you take it up with the auditors in
the first instance. They will be
familiar with the issue and will
welcome views from management
or members.
The Audit Commission also
welcomes comments. If you would
like to raise any points on the
matters discussed in this guide
please contact:
Director of Purchasing
The Audit Commission
1 Vincent Square
London SW1P 2PN
Telephone: 0171 828 1212

30

Appendix A
Definition of the Managed Audit
The Managed Audit is the opinion
audit service that results from
applying the principles of auditing
and proper professional standards in
conditions where the audited body
has:

sound financial systems;

effective controls;

good internal audit; and

reliable accounts production


processes.

The Managed Audit is a cost-effective


way of delivering the opinion part of
the external audit. The opinion audit
is the work an external auditor must
do, under the Code of Audit Practice,
to give an independent assessment of
whether the accounts present fairly
the financial position of the audited
body (or are true and fair for NHS
trusts).

Exhibit A1
Spectrum of possible conditions at the audited body
Managed audit not
possible

poor control
environment
poor monitoring
controls exercised by
management
reliance on internal
audit not possible
production of
accounts schedules
inaccurate or late

Partial use of
managed audit

some systems well


controlled
some reliance can be
placed on internal
audit
some aspects of final
accounts production
can be carried out
more efficiently by
the audited body

Managed audit
achievable

strong control
environment
reliance on internal
audit
good co-operation
from the audited
body

(An audited body can move to the right or to the left on this spectrum from year to year.)

Further information on the


Managed Audit can be found in the
Audit Commission publication The
Managed Audit a good practice
guide, January 1995.

31

Good Practice Guide

It Takes Two

Appendix B
Understanding each other: the different obligations placed on internal and external
auditors
In establishing co-operation, internal
audit and external audit will be
concerned to fulfil their own
obligations properly and to maximise
their contribution to the audited
body. The outcome will be better all
round if both parties take steps to
understand the others position.

Experience shows that internal


auditors can have a limited perception
of the needs and requirements placed
upon external audit, and that external
audit can have a relatively poor
understanding of how internal audit
is placed in the organisation and what
they are there to do. But external
audit are often in a stronger
negotiating position, in that they can
take a unilateral decision to rely on
certain aspects of internal audit work
and may not then form a wider
understanding of the rest of internal
audits prerogatives.

These requirements are exactly the


same in principle for both internal
audit and external audit but they may
be achieved in different ways or to
varying extents, depending on the
obligations placed on the auditor.

Good co-operation between internal


audit and external audit restores the
balance, so that understanding each
other and the ability to make
demands are more evenly distributed
between the parties.

Best practice in auditing


Best practice in auditing generally
means:
I

The Auditing Practices Board (APB) was


established in 1991 by the Consultative
Committee of Accounting Bodies to
advance standards of auditing and
provide prescriptive, persuasive and
other guidance for the exercise of the
auditors role.

32

independence, an objective
attitude and due professional care;
an approach that is risk based,
carefully planned, and carried out
to plan with no undue overruns or
delays; and

an auditing methodology that


conforms to the relevant auditing
standards (on audit working
papers, for example, or quality
control) and that provides the
auditor with enough evidence on
which to base the assurances they
give to management.

The obligations placed on internal


auditors
Internal audit is an independent
appraisal function established by
management of an organisation for
their review of the internal control
system as a service to the
organisation (APB Auditing Guideline
I
308). This general definition is broad
and needs to be interpreted to suit
the circumstances of the audited
body, so each internal audit unit
should have terms of reference or a
charter to define what it is for and
how it operates. Such a document
should have been agreed at the
highest level in the audited body. It
normally covers at least the matters
shown in Exhibit B1.
Auditing Standard 550 issued by the
Institute of Internal Auditors states
that, The Chief Internal Auditor
should ensure that internal and
external audit efforts are properly co-

Appendix B

ordinated. The impetus for good cooperation should already be present


in the internal audit approach.

A duty of service to the audited


body
Internal auditors are employees of the
audited body. The higher their status
within the audited body the better
their degree of independence, but
ultimately they are members of staff
and owe a duty of service to the
audited body. This may mean, for
instance, that they will choose not to
fulfil their planned annual programme
of controls work if they decide that
some other audit work is more
important to the audited body. A
typical example will be the need to
investigate a suspected fraud.

Consortia or other providers


Internal audit is not necessarily an inhouse service. It can be provided
under contract by a specialist
consortium or by a firm of auditors.
The firm in question may also act as
one of the Audit Commissions
appointees (although never on the
same audited body, since this is
prohibited by the Audit Commission).
The obligations placed on one of
these providers are the same in
principle as on an in-house provider
and may be more clear, since they will
have been set out in the specification
which originally led to the contract.

Exhibit B1
Terms of reference for internal audit
For example: to assist the Chief Executive (or s151 Officer) and members to
meet their objectives and to discharge their responsibilities by providing an
independent appraisal of the adequacy and effectiveness of the controls
operated by management and of the arrangements made by management
for the conduct of business and the use of resources.

The different responsibilities of internal audit and of management

The professional requirements placed on internal audit


For example, ethical guidance and independence requirements,
professional qualifications, standards to be adopted, audit
methodologies to be followed.

The organisational status of internal audit in the audited body and their
reporting lines

The authority of internal audit within the audited body

The scope of internal audit work

The output from internal audit work

Any staffing or training commitments

The internal audit planning cycle


Best practice in internal auditing
generally means a planning cycle of
three to five years, and a cyclical
examination of systems based on an
evaluation of the likely risk of loss or
error. This means that internal audit
will usually have planned for each
audit year long before the related
external audit planning cycle begins.

33

Good Practice Guide

It Takes Two

Internal audit objectivity


Internal audit operates to greatest
advantage when it has staff that
know the business thoroughly but are
able to distance themselves from it
sufficiently, to carry out an objective
and well-informed appraisal. Their
work should be at a level
commensurate with managements
concerns.

The obligations placed on


external auditors
External auditors appointed by the
Audit Commission are required to be
fully independent of the audited
body. Audited bodies in local
government and the health service
may not, by law, appoint their own
auditors, although they will always be
consulted by the Audit Commission
and their views taken into account.
The Audit Commission is obliged, by
law, to publish and maintain a Code
of Audit Practice that embodies the
Audit Commissions view of best

Exhibit B2
Audit objectives
The external auditors objectives are to give an independent assessment of:
1.

whether the statements of accounts present fairly the financial position


of the audited body and its income and expenditure for the year in
question (or, for NHS trusts, give a true and fair view) and have been
properly prepared in accordance with appropriate legislation;

2.

the adequacy of the audited bodys arrangements to secure economy,


efficiency and effectiveness in the use of resources;

3.

the general financial standing of the audited body;

4.

the adequacy of the audited bodys financial systems;

5.

the adequacy of the audited bodys arrangements for preventing and


detecting fraud and corruption;

6.

the adequacy of the audited bodys arrangements for ensuring the


legality of transactions that might have a financial consequence; and

7.

the adequacy of the audited bodys arrangements for collecting,


recording and publishing information in cases where the audited body is
I
required, pursuant to directions under section 1 of the LGFA 1992, to
publish performance information.

The Code of Audit Practice, paragraph 4

34

Appendix B

professional practice in the standards,


procedures and techniques to be
adopted by auditors in discharging
their functions. The Code sets out a
wide range of objectives that external
audit are to achieve. The opinion
audit is only one of seven separate
audit objectives, as shown in Exhibit
B2.

External auditors appointed by


the Audit Commission are also
required to confirm, by means of
detailed checking, that certain
grant income is being claimed in
accordance with the prevailing
rules.
Audit Commission audits always
consist of two main elements: value
for money auditing and regularity
audit work.

Value for Money (VFM) auditing


External auditors are obliged to take
reasonable steps, including
examination of the accounts, to
satisfy themselves that the audited
body has made proper arrangements
for securing economy, efficiency and
effectiveness in its use of resources.
This is known as VFM auditing, as
defined in paragraph 37 of the Code.
The Audit Commission issues national
studies and provides its auditors with
guidance on how to carry out the
study locally, subject to the auditors
judgement on whether the study
applies and, if so, to what extent. The
Audit Commission also issues broader
guidance, from time to time, on VFM
work on management arrangements.

External auditors may also carry out


local VFM projects on issues of
current importance to the use of
resources by the audited body. The
Audit Commission sets targets for
audit performance on VFM work and
measures the auditors achievement
of these performance indicators as
part of its annual programme of
quality control review.

Regularity audit work


Regularity is the collective name given
to the rest of the audit work which is
intended to achieve the rest of the
audit objectives. It is here that there is
most common ground with internal
audit. The largest element in it is the
opinion audit work, but it also
includes the work on managements
arrangements for the prevention and
detection of fraud and corruption,
audit review work on financial
systems, and audit review work on
the systems for producing certain
performance indicators.

(g) co-operate with other external


auditors and the Audit
Commission in order to ensure
that knowledge of good practice
is transferred effectively from one
audited body to another.
[Extract from paragraph 27 of the
Code.]
Exhibit B3, overleaf, summarises
the main points to consider in
achieving a good understanding of
the other auditors point of view.

A requirement to co-operate
The Code includes the following
comments relating to other auditors:
In framing a methodology that will
meet the requirements of this Code,
auditors should:
(f) establish effective co-ordination
arrangements between internal
and external audit and seek to
place reliance on the work of
internal audit wherever possible;

35

LGFA: Local Government Finance Act,


which also applies to the external audit
NHS bodies.

Good Practice Guide

It Takes Two

Exhibit B3
Understanding each other

Both internal audit and external audit need a reasonable understanding


of the requirements placed on the other party, of how their audit
objectives may differ, and why.

The requirement placed on external audit to carry out an overall


evaluation of internal audit from time to time can be dovetailed with any
requirement placed upon internal audit for an independent or peer
review.

Planning of the detailed audit work needs to be carried out much earlier
than would normally be the case for external audit, which should be
looking two or more years ahead when discussing co-operation with
internal audit and should be familiar with internal audits planning cycle
(which may be five years or more).

Monitoring the work being done by internal audit needs to be sensitive


to external audits needs. Work on which external audit planned to rely
in a certain period will normally need to be done in that planned period.
If it can not, then external audit will probably have to make good the
deficiency and will benefit from an early warning.

The Statement of Auditing Standards


on reliance on internal audit (SAS 500)
is considered by the Audit Commission
to apply to its appointed auditors, but
paragraph 27 of the Code means an
expectation of greater co-operation
with internal audit than envisaged by
the SAS. Reliance on internal audit
work is also one of the key features of
the Managed Audit, which seeks to
promote the most cost-effective
opinion audit. But it is important to
remember that the Code also states
that the responsibility for the conduct
of the audit remains that of the
appointed auditor (paragraph 12 of
the Code). This means that external

36

audit may not sub contract any aspect


of the audit to internal audit.

Timing for external audit


The Audit Commission expects to see
each audit planned in advance, but an
external audit plan normally does not
need to be drawn up until around the
middle of the accounting year, which
typically means the period from
November to January. The Audit
Commissions annual guidance on
audits is normally issued in October of
the accounting year. External auditors
are then able to finalise their plans
and to begin to discuss them with the
audited body.

Appendix B

The work must be done in the


year
Once the audit is planned, external
audit generally has little or no
discretion about whether to carry it
out in its entirety. Work judged
necessary for the audit opinion in one
year, for instance, can not be carried
forward to the following year. It
would be very unusual for external
audit to decide not to carry out some
element of the work planned for the
year, unless there were to be some
major upheaval for the audited body
in the remaining part of the
accounting period.

Regulation by the Audit


Commission
The Audit Commission issues
guidance to auditors in the form of
Technical Releases, annual guidance
on the audit and other publications.
External auditors appointed by the
Commission are obliged to follow the
Code and the guidance issued by the
Audit Commission, and are regulated
closely by the Audit Commission to
see that they do. An internal auditor
wishing to understand external audit
will need to have a grasp of these
demanding requirements placed upon
external auditors appointed by the
Audit Commission.

37

Good Practice Guide

It Takes Two

Appendix C
Control self assessment
Taken from a professional
briefing issued by the Institute of
Internal Auditors
Control self assessment is a process
which allows individual line managers
and staff to participate in reviewing
existing controls for adequacy (both
now and in the predicted future) and
in recommending, agreeing and
implementing improvements to
existing controls.

Potential pitfalls and limitations


include:

Management and staff may not be


candid in revealing any
deficiencies.

Cross-functional or interdepartmental matters might be


missed.

Evidence, for audit purposes, of


what was done and why may not
be recorded.

It is likely to include the application of


risk criteria to the process of control
assessment, and may extend to
confirming that key identified controls
and processes are operating efficiently
and effectively and are likely to
continue to do so.
It may also include an assessment of
quality.
Potential strengths of control self
assessment include:

Line management becomes more


involved in control and risk issues
and may be more ready to accept
responsibility for maintaining and
updating controls.

It may provide better coverage,


year on year, than internal audit
may be able to deliver using more
conventional control assessment
techniques.

It may lead to more effective


corrective action by management.

38

The Audit Commission for Local


Authorities and the National Health
Service in England and Wales.
1 Vincent Square, London SW1P 2PN
Telephone: 0171 828 1212
Fax: 0171 976 6187

The Audit Commission, 1996.


Printed by Press On Printers, London

It Takes Two
A good practice guide
May 1996

A management checklist for action


In this guide the Audit Commission
has identified areas in which cooperation between internal and
external audit may be further
improved. The main questions to
consider when assessing the
arrangements for co-operation at an
audited body have been drawn
together in this checklist for action.

This checklist may be used by


management and audit committees
to stimulate discussion of cooperation arrangements. It can help
you to identify which issues are of
priority, what action is required and
who should take the lead in
addressing the priorities identified.

Good Practice Guide

It Takes Two

Questions

Concept and impact of good co-operation


1 Are the audit committee and management supportive of
effective co-operation between the two sets of auditors?
2 Does internal audit take an active role in co-operating with
external audit?
3 Have we defined the role of internal audit so as to provide a
service that meets our strategic requirements?

Practicalities
1 Is there two-way communication between internal and
external audit on matters of mutual interest and concern?
2 Do external audit report the results of their evaluation of
internal audit to us, and to internal audit, and make
constructive suggestions for improvement?
3 Have all areas for potential co-operation between auditors
been explored imaginatively by both sets of auditors?
4 Have we considered, in conjunction with our auditors,
whether joint reporting would be of value?
5 Have we looked objectively at how we use our internal audit
resource and whether it could be better deployed? For
instance, are ad hoc projects always examined to confirm
that they should take priority over internal audit work
already approved?
6 What current internal audit work would we be prepared to
drop, modify or postpone in order to improve the potential
for co-operation between internal and external audit?

Yes/no

Priority

Lead person

A management checklist for action

Questions
Preparation
1 Do our internal and external auditors meet on at least a
quarterly basis to give feedback, discuss progress and
resolve problems?
2 Is it time we had another in-depth evaluation of internal
audit?
3 Was the last evaluation constructive and helpful?

4 Have we agreed an action plan to implement the external


audit evaluation recommendations?
5 Should we discuss this with our internal and external
auditors?
6 Do both sets of auditors adopt a systems-based approach
and share systems documentation?
7 Do our auditors have an agreed method for co-ordinating
systems work documentation?
8 Have we considered the format for audit reports with our
internal and external auditors?
9 Is there a written agreement for co-operation and reliance
arrangements between both sets of auditors?
10 Is reliance on internal audit clearly built into the external
audit plan?
11 Do internal and external audit co-ordinate the timing of
their work effectively in order to maximise co-operation
and reliance?

Yes/no

Priority

Lead person

Questions
Annual procedures
1 Do we discuss all audit plans with both sets
of auditors?
2 Have the results of the external audit review
of internal audit work been reported to us
and to the internal auditors?

3 Have we actioned the recommendations


arising from the external audit review of
internal audit work?

Problem solving
1 Have we identified any potential problems
acting as a barrier to effective co-operation
between internal and external audit?

2 Have we drawn up an action plan, with both


sets of auditors, to address the issues
identified?

3 How will co-operation between auditors be


taken forward once the problems have been
addressed?

4 Have we considered the potential areas


where audit time saved as a result of better
co-operation may be redeployed?

Yes/no

Priority

Lead person

It Takes Two
A good practice guide
May 1996

A checklist for auditors


This checklist may be used by
auditors, whether internal or external,
to stimulate discussion of cooperation arrangements. It can help
identify issues of priority, what action
is required and who should take the
lead in addressing the priorities
identified. Audit Committees might
find it of interest too.

Questions
Concept and impact of good co-operation
1 Are we being active in promoting cooperation?
2 Are we willing to make changes to help
achieve the best value from co-operation?
3 Are we working with the other auditors to
determine how audit resource may best be
used to provide a service that meets
everyones requirements?
Practicalities
1 Could we be better at two way
communication with the other auditors on
matters of mutual interest and concern?
2 Do the members of our team understand
enough about how the other auditors
operate and the requirements placed upon
them?
3 Have the following areas for potential cooperation between auditors been explored
imaginatively by both of us?
Internal control
Computer audit work
VFM auditing
VFM follow up
Management arrangements
Fraud and corruption
Grant claims
Performance indicators
Other PLEASE STATE........................................
4 Are we sharing files as productively as
possible?
5 For areas of co-operation, would joint
reporting be of value?
6 Could we derive benefit for the audited body
by arranging any staff transfers, joint
training or other short-term working
arrangements?

yes/no

If no,
action by

If no, what can be done to


set this right?

Questions
Preparation
1 Is the evalution of internal audit up to date?
2 Was the latest evaluation:
Insightful?
Constructive?
Helpful?
3 Have we both agreed an action plan to
implement any external audit evaluation
recommendations?
4 Have we consulted the other auditors and
agreed our approaches to each of the
following:
Action planning
Systems approach
Documentation
Sharing files
Communication
Reporting
Timing of work cycles
Training
5 Have we agreed, in writing, our plans for cooperation and reliance arrangements with
the other auditors?
Annual procedures
1 Do we understand each others approach to
risk assessment?
2 Are we fully informed on the other auditors
latest plans and current progress?
3 Are there sensible and timely arrangements
in hand for the review of work to be carried
out by one auditor and relied upon by the
other?

yes/no

If no,
action by

If no, what can be done to


set this right?

Questions

yes/no

If no,
action by

If no, what can be done to


set this right?

4 Are we meeting with the other auditors on


at least a quarterly basis to give feedback,
discuss progress and resolve problems?
5 When the other auditors reports come out
will we be ready to review and comment on
them as appropriate?
Problem solving
1 Have we identified any potential problems
acting as a barrier to effective co-operation
with the other auditors?
Note any major outstanding or likely future
difficulties below:

2 Have we drawn up an action plan to address


these problems?
3 Will co-operation between auditors be taken
forward once these problems have been
solved?
4 Have we considered the potential areas
where audit time released as a result of
better co-operation may be redeployed?
Note them below:

Prepared by:

Date:

Reviewed and approved by:

Date: