The International Organisation of Supreme Audit Organisations (INTOSAI) has always been aware of opportunities that cooperation with internal auditors in the public sector offers, and – simultaneously – of related potential concerns. INTOSAI's cornerstone document, the Lima Declaration, states: “As the external auditor, the Supreme Audit Institution has the task of examining the effectiveness of internal audit. If internal audit is judged to be effective, efforts shall be made, without prejudice to the right of the Supreme Audit Institution to carry out an overall audit, to achieve the most appropriate division or assignment of tasks and cooperation between the Supreme Audit Institution and internal audit” [Lima Declaration, Section 3, item 3.].
This guidance, whose nature is not mandatory, aims to provide auditors of Supreme Audit Institutions (SAIs) with an easy to use compendium that will help to:
In terms of the SAI audit essentials, the Guidance strictly corresponds with ISSAI 100: Fundamental Principles of Public-Sector Auditing. It also encompasses the concepts of the financial audit standard ISSAI 2610: Using the Work of Internal Auditors. However, this guidance presents a broader view of possible modes of cooperation with internal audit functions that can be applied to all types of audit.
By promoting strong internal audit functions within public sector organisations, SAIs support those managers who, based on assurance provided by internal audit, intend to use their entities’ internal control systems as an efficient means of constant improvement. Secondly, a strong internal audit function that provides reliable information on the entities’ operations is a valuable partner for SAI auditors.
The guidance aims to help SAI auditors understand the internal audit function, to encourage them to cooperate with internal auditors, and to help them review internal audit while deciding on the scope of cooperation. The contents of this guidance may be applied to the Planning, Conducting, Reporting and Follow Up stages of the audit process – in line with ISSAI 100: Fundamental Principles of Public Sector Auditing .
Among various groups of users [See: paragraph 92 of the Review and Analysis of the IFPP (Component One of the SDP 2020–2022).] of the INTOSAI pronouncements, apart from SAI auditors, the guidance may be useful for SAI methodologists and SAI leadership. It may also attract the interest of internal auditors, their organisations' management and other SAIs’ stakeholders. Thus, the broader objective of the ICS guidance fulfils INTOSAI's acknowledgment of the idea of strong, objective and high-quality internal audit in organisations, which is beneficial not only to these organisations and to SAIs in fulfilling their mission, but also – in a broader sense – to the public interest [See also: INTOSAI-P 12.].
The most well-known global organisation of internal auditors is the Institute of Internal Auditors (The IIA). The IIA promulgates the International Professional Practices Framework (IPPF), which includes the Global Internal Audit Standards. The concept of internal auditing is implemented, in various ways, in many national and international level public and private organisations. Advice and standardisation efforts are made by such organisations as the International Federation of Accountants (IFAC), the Organisation for Economic Co-operation and Development (OECD), the World Bank, and the Chartered Institute of Public Finance and Accountancy (CIPFA).
Naturally, all these organisations look at internal audit primarily from the perspective of their own mission, which must be considered when their – often very valuable – pronouncements and recommendations are used in the context of SAI audits.
The mission of INTOSAI is public sector external auditing, and SAI auditors perceive internal auditors as partners. At the same time, internal audit is a function of an auditee and so may, and should, be audited by the SAI when necessary.
The INTOSAI notion of internal audit most frequently refers to functional means by which the entities obtain assurance from internal sources that the processes for which they are accountable operate with the lowest possible probability of error, inefficient and uneconomical practices, or fraud [Based on the definition used in INTOSAI GOV 9100 pronouncement, which is absent from the INTOSAI Framework of Professional Pronouncements currently. ] .
The IIA defines internal auditing as “ an independent, objective assurance and advisory service designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes ” [https://www.theiia.org/en/standards/what-are-the-standards/definition-of-internal-audit/] .
The International Standards on Auditing (ISA) definition [The International Standards on Auditing (ISA) set by the International Auditing and Assurance Standards Board (IAASB).] of internal audit function, which is also used in the International Standards of Supreme Audit Institutions ( ISSAI 2610 ), perceives internal auditing as a " function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes " [ISA 610 (Revised 2013), Using the Work of Internal Auditors and Related Conforming Amendments, March 2013, International Auditing and Assurance Standards Board (IAASB), paragraph 14a: https://www.ifac.org/_flysystem/azure-private/publications/files/ISA-610-(Revised-2013).pdf.] .
Sector definitions of internal audit should also be taken into account because some SAIs are mandated to audit entities of various types. For instance, in the banking sector an internal audit function strives to comply with the recommendations of the Basel Committee on Banking Supervision and “ provides vital assurance to a bank’s board of directors and senior management (and bank supervisors) as to the quality of the bank’s internal control system. In doing so, the function helps reduce the risk of loss and reputational damage to the bank ” [The internal audit function in banks, Basel Committee on Banking Supervision, 2012, paragraph 3.] .
The Three Lines Model [https://www.theiia.org/en/content/position-papers/2020/the-iias-three-lines-model-an-update-of-the-three-lines-of-defense/] , developed by The IIA and supported by other international organisations, including the Committee of Sponsoring Organizations of the Treadway Commission (COSO), helps understand internal audit in the overall organisational context. This model is defined as “ a framework to analyze governance arrangements and can be used to inform responsibilities, structures, and allocation of resources ”. The IIA’s Joint Paper: Applying the Three Lines Model In the Public Sector [https://www.theiia.org/en/content/articles/2022/applying-the-three-lines-model-in-the-public-sector. ] was developed in cooperation with INTOSAI (Subcommittee on Internal Control Standards – ICS). It applies the Three Lines Model to the structural complexity of all levels of the public sector, with the aim of helping to clarify roles and relationships that are crucial for good governance.
The Joint Paper: Applying the Three Lines Model in the Public Sector points out the Three Lines Model as a tool to enhance good governance in the public sector that “ fosters operational excellence through enhanced transparency which helps senior management and governing bodies maintain effective oversight and make well-informed decisions. Transparency also provides external stakeholders with a reliable view of actions taken and results achieved. Awareness of public scrutiny further encourages better behaviors and performance by leaders ” [Page 4.] . The first and second lines, which are responsible for action and management, are supported by internal audit – the third line: “ central to governance is the provision of independent assurance and advice to senior management and the governing body — based on objective, systematic, and disciplined review (that is, auditing) ” [Page 4.] .
The role of internal audit is considered one of the key elements of assurance: “ A staff person who is sufficiently independent from those responsible for the system, such as the internal auditor, could provide additional assurance on the effectiveness and cost efficiency of the internal control system ” [H.3.5 Evaluating and Improving Internal Control in Organizations, IFAC, June 2012.] . Internal auditors may operate in collaboration with “ other roles, such as inspectors, investigators, evaluators, and other assurance providers ” [Joint Paper: Applying the Three Lines Model in the Public Sector.] .
The IIA’s Global Internal Audit Standards state the purpose of internal auditing as follows: “Internal auditing strengthens the organization’s ability to create, protect, and sustain value by providing the board and management with independent, risk-based, and objective assurance, advice, and foresight.”
Assurance and advisory work should be separated, and their nature, in a particular organisational context, should be defined in an internal audit charter [1000.A1 and 1000.C1 of https://na.theiia.org/standards-guidance/attribute-standards/Pages/Attribute-Standards.aspx] .
The multitude of definitions of audit universe comes down to an intuitive idea of an inventory of all processes, functions and locations that can be audited. This universe can be arranged in various ways, depending on the organisation. Its basic use is to control the scope of audits from the perspective of subject and time. The main idea of the concept is to support consistency of the audit planning process. It may not always be easy to use, though. For instance, a list of significant items can be extensive in larger organisations, and then a risk assessment has to be applied rather than a cycle-based approach. Still, in all cases, the audit universe concept provides a good basis for understanding the reality of a particular internal audit function.
The role of internal audit can also be extended to cooperating and coordinating with external assurance providers. In the public sector these include, firstly, SAI auditors – so as to ensure proper coverage and to eliminate, or at least minimise, duplication of efforts [In line with The IIA Standard 2050 on coordination and reliance: https://na.theiia.org/standards-guidance/performance-standards/Pages/Performance-Standards.aspx ] . The knowledge and insight that internal auditors have about their organisations, and their assessments of risks, governance structures and operations, can potentially provide SAI auditors with useful and meaningful information. Governance and control, including internal audit structures, roles and relationships as viewed by The IIA, have been depicted in the Three Lines Model .
Internal audit is often closely linked with neighbouring second line functions such as inspection, fraud examination, compliance, integrity enhancement, and risk management. Sometimes these functions co-exist in one unit or team, due to practical reasons and the need for close cooperation among them. In such a situation, however, a risk may arise of blurring internal audit’s identity which could impact objectivity.
As noted in the Joint Paper: “Internal audit activities operate primarily within a single entity”. The complexity of larger organisations, which are frequent in the public sector, adds “options for outsourcing, cosourcing, or combined services, the same team of auditors may be involved in audits across multiple entities, usually within the same tier of government” [Page 16.]. Among other characteristics of the public sector, the dominant role of public interest and legal obligations prevail.
The idea of public interest is fundamental for all public sector organisations. The public interest is usually emphasised at the constitutional level of national legal systems, although frequently it is not literally defined. It is most commonly used as a criterion for decisions related to particular activities regulated by law, regarding such aspects as public procurement, safety and order, citizens’ rights and freedoms, and public health. The very notion can thus be more precisely defined in the context of a particular domain [For example for the financial domain see: International Federation of Accountants (IFAC) Policy Position 5: A Definition of the Public Interest, New York, June 2012.] . Public sector auditors, both external and internal, should consider public interest when assessing all types of activities, decisions, policies, strategies and laws, in particular with respect to public funds spending and the activities performed to meet objectives by those entrusted to do so [See also: ISSAI 100 paragraphs 24 (on public-sector auditing), 40 (subparagraph 3) and 42 (Materiality).] .
Over the past years, a growing interest of private sector entities can be observed in this respect, too. In the new Global Internal Audit Standards (2024), The IIA has emphasised that internal auditing enhances organizations’ ability to serve the public interest, which “encompasses the social and economic interests and overall well-being of a society and the organizations operating within that society (including those of employers, employees, investors, the business and financial community, clients, customers, regulators, and government).” [See The IIA’s Global Internal Audit Standards, page 7, 15.]
The activities of SAI auditors are formally based on national legislations at various levels, often starting from constitutional provisions. On the other hand, internal audit, as an inherent function of organisations, is most often based on internal regulations.
In some countries, however, public sector internal auditing is regulated by national law. [For example in Poland via: the Act on Public Finance (2009) or in Hungary: Act on Public Finance (2011).] Such a legal framework usually aims to ensure transparency, accountability, and good governance in the use of public funds and resources. In these cases, such laws or specific legal provisions define the scope, responsibilities, and standards for internal audit in government entities and organisations. This framework may establish the authority and mandate of the internal audit function and also outline what aspects or areas need to be audited, such as financial transactions, compliance with regulations, operational efficiency or risk management.
In line with the Lima Declaration : “ internal audit services are established within government departments and institutions, whereas external audit services are not part of the organisational structure of the institutions to be audited. Supreme Audit Institutions are external audit services ” [Lima Declaration 3.1.] .
Although the purpose, focus, methods and timing of their engagements can be fundamentally different, both SAI and internal auditors are likely to look at an organization’s internal control system, risk management and governance, with the aim of improving controls and performance. Therefore, the activities of a SAI audit team and those of an internal audit function can, in some cases, show similarities, and possibly also overlap. It depends on the nature, objectives, scope and timing of engagements carried out by SAI auditors and those undertaken by the internal audit function; the standards, methods and procedures applied; and the culture, skills and resources that both have at their disposal. At the same time, both external and internal auditors bear the sole responsibility for results of their own audits.
INTOSAI’s interest in internal audit remains high. In the past, in order to present the perspective of the public sector and public sector auditing, the INTOSAI Subcommittee on Internal Control Standards (ICS) developed numerous guidance documents which focussed on internal audit independence in the public sector and coordination and cooperation between SAI and internal auditors in the public sector [INTOSAI GOV 9140 on Internal Audit Independence in the Public Sector and INTOSAI GOV 9150 on Coordination and Cooperation Between SAIs and Internal Auditors in the Public Sector – no longer included in the INTOSAI Framework of Professional Pronouncements (IFPP).]. These documents contained guidance for public sector managers as the main addressee.
For SAI auditors, the presence of internal audit can be seen as a signal that the involved public sector organisation takes responsibility to obtain certainty about the effectiveness and correctness of its operations. If the focus of the internal audit encompasses the proper spending of funds, the efficiency of the functioning of the organisation and the effectiveness of the delivery of public services, then the internal audit might be one of the most useful sources of information for SAI auditors. In the long run, the existence of strong internal audit functions throughout government organisations might not only be in the interest of the government itself, but also in the interest of the SAI.
Paragraph 40 of ISSAI 100 states the option for SAI auditors to “ use the work of internal auditors ” even if " the objectives of internal audit are different from those of external audit ". What " offers opportunities for coordination and cooperation and the possibility of eliminating duplication of effort " is promotion of good governance by both internal and external audit, which contributes " to transparency and accountability for the use of public resources, as well as economy, efficiency and effectiveness in public administration ".
On the other hand, The IIA in the Global Internal Audit Standards (2024), Standard 9.5 Coordination and Reliance, states that “The chief audit executive must coordinate with internal and external providers of assurance services and consider relying upon their work. (…) If unable to achieve an appropriate level of coordination, the chief audit executive must raise any concerns with senior management and, if necessary, the board.” [The IIA’s Global Internal Audit Standards (2024), page 69.]
In practice, effective cooperation between internal and SAI auditors can only be achieved if both parties are ready to develop coordinated and effective audit services. Management's decision or specific regulatory conditions can be necessary in particular cases to start such cooperation. For external audit, it is necessary to assess the internal audit (IA) function before deciding on the level and intensity of cooperation. Encouragement and oversight of an audit committee may increase the likelihood of successful coordination and cooperation between SAI and internal auditors. None of these, however, will suffice to achieve really effective and efficient cooperation if a number of preconditions are not fulfilled.
The first and fundamental precondition is that the constitutional or legal basis of the SAI allows its auditors to cooperate with internal auditors.
The following preconditions have to be met by both parties to make cooperation really effective:
Commitment – effective cooperation can only be achieved if both parties are willing and committed.
Communication – depending on needs, it can be conducted as a safe, two-way process.
Common understanding – auditors understand each other’s objectives and ways of work, even if they use different techniques and methods.
Confidence – auditors mutually recognise their professional approach.
The more engaging the cooperation foreseen, the better the preconditions should be met. In other words: the more benefits are expected from cooperation, the higher the number of risks to be mitigated. An audit committee may be helpful in setting appropriate conditions.
Both parties – SAI auditors and internal auditors – may obtain a range of benefits from coordination and cooperation, including those discussed below.
Broad knowledge and understanding of audited domains. Internal auditors’ in-depth knowledge and understanding of operational conditions of the auditee can add significant value to SAI auditors’ work.
Inspiration for future audits , e.g. from information about the other party’s recent audits, plans for the future, or current trends.
Verification of ideas, closely related to the above benefit (inspiration), but focused on particular interests, assumptions and hypotheses.
More effective audits arising from:
More efficient audits arising from:
SAI auditors need to be aware of various types of risks when cooperating with internal auditors, including:
Professional integrity , especially in areas of:
Responsibility :
Application of standards :
Content of an audit :
Information control : premature communication on potential findings to a third party.
Internal audit lock-in: depending too much on internal auditors for their knowledge and understanding of the audited domains.
Expected benefits and risks are considered when deciding on a mode of cooperation, both in the case of individual audits and in the long term cooperation perspective. Fundamental questions for SAI auditors are:
Use of internal audit work in a SAI’s audit can be minimal, medium or more advanced, depending on the objectives of a given audit, as well as organisational mechanisms and arrangements in place. It does not mean, however, that the focus, scope or timing of a SAI’s audit can be reduced, but it can benefit from additional knowledge, confirmation of facts or data analyses. A risk-based analysis is key to find an appropriate balance.
The value and the quality of information are the main things to consider when using internal audit work. As in all other activities, the expected benefits need to be weighed up against the costs, which in this case is the workload related to additional assessment. More profound assessment on the part of SAI auditors is expected to bring greater benefits, but a risk of inefficiency should always be taken into account: sometimes more effort by a SAI team in assessing the internal audit function may bring relatively low benefits, especially if the assessment does not provide crucial information about critical weaknesses soon enough.
With minimal costs, e.g. when a SAI conducts a ‘one-time’ audit at a low risk entity, as a supplementary examination for a broader audit topic, a conversation and exchange of information may be the only form of cooperation needed. In fact it does not differ from communication with other experts of the auditee, but – as with every audit-related activity – it calls for the auditor’s professional scepticism and judgment.
If SAI auditors want to use an internal audit report for their own audit purposes, more confidence regarding the quality of the internal audit function’s work is needed. The first step is gaining knowledge of the quality control procedures applied to IA reports. The assessment of their reliability, scope and content will, however, also require a review of the internal audit’s independence level – a crucial element of objectivity. The scope of verification can be reduced or extended, depending on the needs of the given audit by a SAI, and additional knowledge on the entity’s internal audit function.
When reviewing the internal audit function in line with the following chapter of the Guidance [See: Review of Internal Audit.] , it is suggested to pay special attention to the following items:
Reliance on internal audit work, as said above, gives SAI auditors an option “to modify the nature or timing, or reduce the extent of audit procedures to be performed” [ISSAI 2610 paragraph 13.]. Thus it can have a significant impact on the scope and content of a SAI's audit. A well-established model to review whether external auditors can rely on the internal audit work has been developed for financial audit. In INTOSAI it is covered by ISSAI 2610 – Using the work of internal auditors. [https://www.issai.org/pronouncements/financial-audit-standards/]
It is a step ahead if compared with using the internal audit work, but it also means a change of the general approach. The cost-benefit balancing still has its meaning but it gives precedence to procedures of obtaining such a level of assurance that allows external auditors to rely on the internal audit work. It is important in this regard that if the risk of material misstatement is not low, regardless of the form of cooperation with internal audit, it “ is unlikely to reduce the audit risk to an acceptably low level and eliminate the need for the external auditor to perform some tests directly ” [ISSAI 2610 paragraph A21.] .
The cost of failed reliance when reliance is planned, due to factors such as staff shortages, competency and amended internal audit plans, has also to be taken into consideration by a SAI audit team. When determining reliance on internal audit, external auditors do not focus on the value and quality of information only. Their interest also covers a possibility to complement their work with the work of the internal audit function. It will usually require a thorough review of the IA functioning model, including not only the items related to audit reports quality, but also human resources capacity, certificates and licences necessary to perform particular tasks. In a broader sense, it will refer to knowledge, experience and professional development of the internal audit function.
During review [See: Review of Internal Audit] , it is suggested to pay special attention to the following items:
Examination of the internal audit function as a goal per se can be considered by some SAIs, depending on their mandate and topics of interest. It can be approached as getting prepared for various forms of cooperation, including direct assistance.
If not required by their mandate, SAIs usually will not be interested in certifying the IA function, but they will rather look for their role in government programmes and organisations. A separate examination of the maturity of the internal audit function could also be performed, which – taking into account its time and workload – will usually be applied to entities with which the SAI cooperates regularly. It can be based, for example, on The IIA’s Internal Audit Capability Model [Internal Audit Capability Model (IA-CM), Revised Edition 2017, The Institute of Internal Auditors. Also: https://www.theiia.org/en/promotions/bookstore/IA-CM/]. A cost-benefit reference is still present, but it is balanced for the whole audit function, rather than for individual audit activities. Moreover, the benefits and costs of such a holistic approach can be regarded in a longer, multi-annual perspective if the auditee is frequently audited by a SAI that – on the basis of a full review – would like to use (rely on) internal audit work in future audits. A full review can therefore be useful to reduce the costs of future audits, but it still needs to be repeated periodically.
Direct assistance , through which an internal auditor performs some audit assignments under the oversight of an external auditor, is the most engaging mode of cooperation for the internal audit function. It has numerous benefits for both sides, including transfer of skills and information on the use of audit tools. This mode of cooperation is, however, subject to specific national regulations in some countries. It was also covered by requirements stated in ISSAI 2610.
Full review covers all main elements:
The above modes of cooperation may be predefined through relevant legal frameworks or agreements. It is also important that SAI auditors enter cooperation by taking into consideration all critical factors. When they believe that an entity’s internal audit function is likely to be relevant to their audit, they have to determine:
(a) Whether, and to what extent, it will be beneficial to use internal audit work.
(b) Which of the available modes of cooperation will be relevant.
(c) Most of all: whether this will not impact confidentiality or quality, the independence of the audit team and authority of their work.
In general, following the IIA’s Standard 9.5 Coordination and Reliance , the coordinated cooperation can include: “ Synchronizing the nature, extent, and timing of planned work. Establishing a common understanding of assurance techniques, methods, and terminology. Providing access to one another’s work programs and reports. Using management’s risk management information to provide joint risk assessments. Creating a shared risk register or list of risks. Combining results for joint reporting. ” [The IIA’s Global Internal Audit Standards, page 70.]
In practice, external and internal auditors can choose from the following areas of cooperation, each varying in terms of its level of commitment:
The two parties often share knowledge for purposes of their own risk assessment. It does not have to be related to a specific audit, and it may concern particular stages of the audit process. It can vary from ad hoc communication to more structured forms of cooperation, as noted below. Arrangements, including consultation procedures of SAIs, can be regulated by law, but even then they usually allow their auditors some flexibility.
Ad hoc communication is the most common and the least binding mode of cooperation. Even if there is no broader cooperation, external and internal auditors may always find it useful to communicate with regard to a specific task, such as exchanging knowledge in a particular expert domain. Internal auditors, as part of the auditee, are usually obliged to share all relevant information. On the other hand, SAI auditors may legally be prohibited from sharing information received during audits, which limits the opportunities for ad hoc communication. Depending on the legal provisions in force, this limitation may sometimes be removed (e.g. in the case of more structured forms of the cooperation), based on a decision by the SAI’s senior management, or through an interinstitutional agreement. [See also 4.3. Review: Information.]
Sharing of audit reports is another frequent form of cooperation. Reports with a secrecy clause are usually an exception, unless some additional procedures are in place. Unlike ad hoc communication, sharing audit reports seems to be more common for SAIs, as they usually make their reports publicly available. If legal or internal regulations prevent internal auditors from sharing their reports, SAI auditors may recommend, in their audit reports, to reconsider those regulations [See also INTOSAI-P 10 Mexico Declaration on SAI Independence, Principle 4.] . Where internal auditors are allowed to share their reports with SAI auditors, they are encouraged to do it simultaneously with sending reports to those charged with governance.
Sharing audit documentation at the discretion of the SAI or internal auditors may aid the audit process. SAI auditors by definition have the right to access an auditee’s documentation, including that of the IA – since the internal audit function is part of the audited entity. In the case of the direct assistance mode, external auditors are obliged to include internal audit working papers in their audit documentation [ISSAI 2610, paragraph 37e.] . In some jurisdictions, internal auditors, as part of an auditee, can access SAIs’ audit documentation. In other cases, access will usually depend on the SAI’s or audit team’s consent, and it can be granted only under certain conditions. The two parties have to pay special attention to confidentiality issues when disclosing audit documents that may contain sensitive information, e.g. in the case of forensic investigations.
If both parties agree, external and internal auditors can meet regularly, e.g. during the annual planning process, at key stages of audits, or periodically. In this way, they are updated on key issues of common interest. Systematic mutual commenting on audit reports allows for more standardised terminology and more efficient and easier analyses. For regular meetings to be effective, though, mutual confidence in security and quality of information is required, to a larger extent than in the case of ad hoc cooperation.
Training events in which both external and internal auditors participate jointly can significantly improve communication between the two parties, e.g. through providing consistent terminology and unified understanding of audit related notions. For example, updates of national or international auditing and accounting standards, or legal acts relevant to external and internal auditors’ work, can make good topics of shared training. Consequently, mutual cooperation can be more efficient and effective, and constantly enhanced. Such training events can also be implemented through staff secondments or staff lending, i.e. through “on-the-job training”.
Cooperation between external auditors and the internal audit function may also concern future audits, in particular when following the Lima Declaration’s idea “to achieve the most appropriate division or assignment of tasks”.
At the stage of planning, several forms of cooperation between external and internal auditors can be taken into account. One of them is communication of audit plans or strategies that allow both parties to be informed about topics and ideas for upcoming audits. On the other hand, joint planning sessions let them exchange views and discuss concepts in more detail.
Ad hoc learning and training sessions can be organised in connection with a specific audit, aimed to introduce the structures or activities to be audited. Such training or workshops can be provided by internal auditors who are familiar with the matters of their organisation, while presentations and clarifications regarding the audit itself can be given by external auditors.
Cooperation between external and internal auditors in developing methodologies, like using IT audit tools, may lead to better quality and more comparable results of work. Such cooperation can comprise:
During the audit process, there are manifold opportunities for cooperation between external and internal auditors, applicable to all types of audits conducted in line with the corresponding ISSAIs. At organisations where the engagement of the SAI and internal auditors is not limited to just one or a few audits, more opportunities are available. This is often the case with recurring audits (financial, budgetary, IT, etc.). A decision on the level of commitment depends, to a certain extent, on regulatory and legal requirements. In many cases, it will, however, be determined by the assessment of the reliability and quality of the other party’s work, as well as by the risk management measures in place. The forms of audit and the level of potential cooperation are described below.
Using each other’s work on an ad hoc basis is always possible in single audits. This type of cooperation does not have a specific character and is decided individually by the two parties each time.
Structured single audits (a single audit concept on a regular and structured basis): increased use of each other’s work; alignment of audit planning; results of the audits or their parts, depending on the scope of cooperation, are communicated to all the participants.
Parallel audits : coordination covers not only audit planning and results sharing, but also strict coordination of audit tasks timing that allows for exchanging data and experience at all audit stages.
Alignment of the audit function : both external and internal auditors actively attempt to increase partnership in audit work; alignment of audit criteria and norms, and on-line/real-time sharing of audit files during the audit process.
Alignment of professional practice : active cooperation in audits, related to development of methodologies and professional practices; mutual support in communicating with the auditee.
During an actual audit, provided that legal conditions make it possible, external auditors can consider using internal auditors to provide direct assistance under the direction, supervision and review of the external auditor [ISSAI 2610, paragraph 9.] . In practice, internal auditors (or other employees of the auditee) can be assigned to a particular audit or analytical task that requires expert knowledge or skills. Another option is to task the whole IA team with audit work whose results are subsequently used by external auditors.
Independently of the type of audit and mode of cooperation, the general rule stated by ISSAI 2610 is always valid: “ external auditor has sole responsibility for the audit results presented in the audit report or expressed in the audit opinion. It is not reduced by the external auditor’s use of work of the internal audit function or internal auditors to provide direct assistance on the engagement ”.
Once a desired mode of cooperation has been chosen, internal audit has to be reviewed with consideration to its role in the organisation. The concept of review presented below is based on:
The review has to be preceded with standard introductory steps:
Understanding the auditee – including its external environment, the organisational structure and business model, reporting and internal control frameworks, and the identification of risk factors; this is necessary in every audit, and is also indispensable for effective cooperation with an entity’s internal auditors.
Functions and scope – considering the functions of internal audit and the scope of its work.
Usability – deciding whether the work performed by the internal audit function may be relevant for a SAI’s audit (additional assessment necessary here).
Reliability – reflected through objectivity, competence and quality of results of the internal audit work – acceptable for SAI auditors. Each of the three comprises a set of different elements and needs an additional assessment.
A review can be performed at every stage of an audit, yet it comes naturally at the planning stage so that cooperation can start and evolve during the subsequent stages. However, in practice sometimes only fieldwork may give opportunities for a review, as it is only then that SAI auditors can evaluate the work of internal audit (e.g. during on-the-spot checks).
Usually before starting the planning stage, SAIs collect data on the audit environment and conduct initial risk assessments regarding domains and entities to be audited. In line with ISSAI 2315 and 2610 , SAI auditors consider the rough outlines of their audit designs, including the first assessment of the possibilities for using the work of and cooperating with the internal audit function [See: ISSAI 2315 – Identifying and assessing the risks of material misstatement through understanding the entity and its environment and ISSAI 2610 – Using the work of internal auditors (https://www.issai.org/pronouncements/financial-audit-standards/) ] . This mainly comprises activities to explore whether the internal audit function can be a reliable source of information during risk assessment, and to assess whether conditions are ensured to re-use the IA’s work results. At this stage, similarly to the planning stage, SAI auditors can benefit from properly organised data on the previous audits and auditees.
This section focuses on elements provided by the internal audit environment. To function properly, internal audit as a part of the whole organisation needs various kinds of input – i.e. capitals, or in other words: resources, information and values. [See the Integrated Reporting Framework, page 18.]
Shared norms, values and behaviours , including understanding of the idea of internal auditing and its role in organisations. The attitude of the internal audit team as a whole and of its individual members is significant in this respect. Internal audit that follows an external set of standards, like those of The IIA, is easier to review. Apart from formal statements, the approach can also be traced across the topics, findings and recommendations resulting from internal audit engagements.
Key stakeholders – internal and external [See also: Preamble to INTOSAI P-12.] . Perception of the key stakeholders can give an insight into how internal auditors understand their role in the organisation. It can be, to some extent, verified with the use of an assurance map of more and less frequently audited entities and topics.
Reputational perspective . It is important what professional image the internal audit strives to retain and how it is perceived by the other components of the organisation.
For an internal audit function, even more than for other functions, it is necessary to balance its position as an integral part of the organisation with its own organisational distinction. All kinds of audit, to be objective, need an appropriate dose of independence in the organisational meaning and in terms of values followed by individual auditors. At the same time, internal auditors are most useful for their organisations if they understand them deeply and possess sufficient expert knowledge corresponding with the organisation’s activity domain.
Reporting lines . The basis for internal audit’s independent position in the framework of an organisation is reporting, accountability, and direct access to those charged with governance and senior management.
Separation . The internal audit function is located outside the management of the unit under audit.
Rank of CAE . A sufficiently high rank of the Chief Audit Executive (CAE), preferably equal to that of senior management, strengthens the status of internal audit.
Support . Decisions important for the internal audit function, like appropriate staffing and remuneration, call for support from senior management and those charged with governance.
Stability . Consultation with those charged with governance on appointment and removal of the CAE also allows for ensuring appropriate status of internal audit.
An audit committee may play a significant role in both supporting and stabilizing the internal audit function in the organisation.
When reviewing the internal audit team, the following have to be considered:
Number of staff . Adequate staff in relation to audit tasks and coverage of the audit universe .
Qualifications, skills and knowledge necessary to audit the areas of core activities of the entity.
Loyalties and motivations, including individual internal auditors’ approach to their organisation’s mission and challenges, as well as to their own professionalism, including independence. In sound organisations, they are in line with the entity’s shared norms, values and behaviours. [See above: Professional Relationships.]
Internal structure or division into teams that corresponds with the main audit areas.
Assignment . Audit work is performed by persons with appropriate skills and expertise.
Recruitment of audit staff responds to the nature of the profession, and the CAE participates in recruitment.
Staff turnover. High staff turnover may result from deeper managerial problems.
Standards . Usually the point of reference for internal audit is the Global Internal Audit Standards by The Institute of Internal Auditors (IIA). In some cases, standards for internal audit are enshrined in the national regulatory system, which then is the primary reference. If the Global Internal Audit Standards are applied, compliance with them and accompanying practices is periodically examined. In other cases, evaluations by external parties, like peer reviews, or self-assessments, are to be taken.
Intellectual property . All necessary software, licences, copyright etc.
Procedures, or more broadly: frameworks and practices being at the IA’s disposal and used effectively.
Tacit knowledge . Internal auditors usually know a lot about their organisation in terms of what is difficult to document, organise, include into flowcharts or transfer from one expert to another. Practical knowledge is difficult to review formally, but for experienced auditors it is natural to take it into account.
Budget. Sufficient financial resources are ensured for tasks of internal audit as a whole and for performing current tasks.
Adequate pecuniary conditions related to grading are ensured for internal auditors in the organisation.
Premises available to the IA team ensure appropriate work conditions, responding to specific needs of the internal audit function.
Equipment , including IT, is up-to-date and provided with necessary services.
Computer Assisted Audit Tools (CAATs). Special attention is paid to using expert audit IT software.
Governance – understood as strategic level leadership, goals setting, shaping the organisational culture and accountability – requires managers to translate it into the day-to-day practice. This section deals with governance and management of internal audit.
In line with The IIA’s Global Internal Audit Standards, four basic elements – insight, foresight, assurance and advice (consultancy) – are decisive in designing the scope of IA activities [See also above: Assurance, Advice and Insight.].
The business model is understood here as a totality of activities which transform inputs into outputs with the goal to obtain desired outcomes. It is usually analysed as a factor of “ the organization’s long-term success by initiatives such as process improvement, employee training and relationships management ” [integratedreporting.org/resource/international-ir-framework/] . In the case of internal audit, its organisation, as well as its role as a function of a larger entity, will be taken into account.
Objectivity of internal auditors refers to the ability to perform their tasks without allowing bias, conflict of interest or undue influence of others to override professional judgements [ISA 610 (Revised 2013) A7. ] . Objectivity allows internal auditors to perform their engagements in such a manner that they believe in their work product and that no quality compromises are made [IIA’s International Professional Practices Framework Oversight Council (IPPF) Standard 1100. ] .
Factors that enhance internal auditors’ objectivity include, but are not limited to: a sufficient level of independence, an appropriate status of the internal audit function and reporting line [See above: Organisational position.], freedom from conflicting responsibilities, such as managerial functions, and the lack of restrictions in communicating findings of internal audit engagements. Any threats to objectivity, such as potential conflicts of interest or flaws in professional behaviour, must be managed by the organisation and disclosed if necessary.
Auditors’ insufficient objectivity can be visible through poor selection of audit topics (e.g. bypassing some important areas or focusing on particular units without sufficient explanation), avoiding difficult questions or issuing poorly targeted recommendations. It means lower quality of the internal audit function, and may also stem from insufficient competency of individual auditors.
A prerequisite for internal auditors to be objective is their independence, understood as freedom from conditions that threaten their ability to carry out their responsibilities in an unbiased manner. Apart from organisational differences, external and internal auditors share values of independence based on personal integrity, professional scepticism and ability to conduct and pronounce results of own professional judgment. These personal values are to be supported and enhanced by recruitment, training and real life examples, or – to put it more broadly – by organisational culture.
There are also organisational solutions which can support or counteract independence. Internal audit is usually in a weaker position in this respect than a Supreme Audit Institution. In line with the Lima Declaration : “ Internal audit services necessarily are subordinate to the head of the department [Equivalent of Ministry, Agency or other public entity. Not to be taken for an organisational unit of the entity. ] within which they have been established. Nevertheless, they shall be functionally and organisationally independent as far as possible within their respective constitutional framework ” [Lima Declaration 3.2.] . A review of the following elements helps assess if the independence level is sufficient.
Internal audit can accept only clear and formally appropriate responsibilities:
Avoiding conflicting assignments , i.e. segregation of internal auditing from managerial tasks and decisions, or other assignments which could somehow limit internal auditors’ independence and objectivity.
Absence of conflicts of interest . Internal auditors do not audit operations for which they have been previously responsible, or which for other reasons might put them at risk of conflicts of interest. A proper procedure of formal exclusion from audit of individual auditors or teams is applied in such cases.
When reviewing the organisation and practices of internal audit, special attention is paid to formal, customary and incidental limitations of its work. First of all, analysis is needed in the case of limitations to:
Audit planning , including topics, scope, timing – auditors usually take into account reasonable arguments for necessary changes, but they should not be forced to modify their plans if it is not in line with their intentions.
Audit results . Findings and recommendations can and should be discussed with auditees, but can be changed by internal auditors only to improve their reporting quality, and not for political reasons, or due to other external or inter-organisational pressure.
Access to information, people, locations.
Communication with auditees is indispensable to obtain necessary data, opinions and views. On the other hand, direct communication with those charged with governance reinforces the organisational status of internal audit and helps ensure that there is no impairment to independence.
It is important that the internal audit function is established in accordance with broader legislation or regulation, and that its objectivity and independence are ensured in the organisation through an appropriate document ( internal audit charter ). Apart from the organisational status, well supported objectivity of internal audit requires relevant policies and adequate procedures.
Internal auditors’ membership in a professional body, like The IIA, supports their independence and compliance with respective standards. Such a membership will often be connected with additional quality assurance requirements and it can be taken into account as a positive factor when assessing the internal audit function.
In some organisations, the internal audit function co-exists with the second line functions [See above chapters on: Three Lines Model and Neighbouring Functions.]. If they are placed in the same unit or team, it is important to ensure that independence and compliance with standards are properly secured.
Quality and realism of risk analysis tell a lot about the IA’s disposition to solve problems and to advise others in this respect. Completeness of the audit universe can be taken into account when reviewing risk domains conceived by internal auditors.
Strategic objectives and related activities of internal audit are expected to help mitigate risks and maximise opportunities. Even if not written in a separate document [The IIA’s Standards issued in 2024, require internal audit to have a strategic plan.] , depending on the scale of an organisation and its internal audit function, the internal audit strategy will usually be visible from documents and practices. Together with the internal audit charter and the organisation’s valid strategies, IA strategies frame internal audit periodic plans, internal audit methodologies, audit programmes and other activities of the IA function.
Assessment of audit performance is necessary for bringing the function to higher levels of maturity. The IIA’s Internal Audit Capability Model [Internal Audit Capability Model (IA-CM), Revised Edition 2017, The Institute of Internal Auditors.] provides users with a broad set of notions related to the assessment of the function’s performance capabilities, starting with an IA business plan (level 2 Infrastructure), through cost information (level 3 Integrated) and integration of qualitative and quantitative performance measures (level 4 Managed), to outcome performance and value to the organisation achieved (level 5 Optimizing).
Depending on the level of maturity, realistic plans are drawn up for further development of the internal audit capabilities. Providing the organisation with “ foresight and serve as a catalyst to achieve positive changes ” [Ibidem, Services and Role of Internal Auditing, level 5-Optimizing.] is an ambitious objective for the function. From the SAI auditors’ perspective, an important role will be played by the outlook of audit universe coverage, continuous quality improvement, or consideration of particular expectations.
The following have to be assessed:
The simplest and most basic output of auditing is information. Exchange of information, if not restricted, can take place at all stages of an audit. It can be assessed against such criteria as relevance, reliability and added value to a SAI team’s understanding of the auditee and risk analysis. Usability of information is usually verified during the audit.
The quality of internal audit reports makes a significant feature of their relevance for:
Both areas are usually connected, but some inconsistencies may happen. Usually, the quality of reports concerning particular areas of interest goes with the general quality of the IA work. It may happen, however, that some areas are served better or worse than others, especially in the case of the low maturity – or initial capability [See: IIA Capability Model (IA-CM).] – of the IA function. The causes of such inequalities will be determined, if needed, at the next stages of the review.
Report quality assessment is subordinated to the SAI’s audit objectives. It can be introductory, e.g. through a revision by an experienced auditor when the SAI auditors consider using some data from IA reports. Such assessments usually comprise:
A full range quality assessment, on the other hand, is necessary if SAI auditors wish to rely on the internal audit function “ to modify the nature or timing, or reduce the extent, of audit procedures to be performed ” [ISSAI 2610.13] . Apart from a review of reports, it can cover other analytical documents and it obliges the reviewers to get insight into the internal auditors’ work standards and practices followed. Thus, the above revision list has to be expanded to include:
Issues discovered when audit reports are analysed may be also rooted in external procedures related to the core audit work. Tracking their causes leads to subsequent questions, and shifts the assessment to a holistic assessment of the internal audit function, including its objectivity based on independence, organisation and skills.
Like any other part of an organisation, internal audit is expected to add value to the capitals – financial, manufactured, intellectual, human, social and natural – of its own organisation. In practice, the outcomes of internal audit include assurance with regard to compliance and performance. It does so by preventing, deterring and detecting illegal acts, as well as by adding value through identifying opportunities for the organisation. [See: Level 2 of Service and Role of Internal Auditing in: Internal Audit Capability Model (IA-CM) in Public Sector, The Internal Audit Foundation, 2017.] At the ‘Optimizing’ level 5 of IA capability: “ The work of the IA adds higher value by influencing organizational policy and contributing to better decisions by key stakeholders ” [Ibidem, Level 5 of Service and Role of Internal Auditing.].
The guidance was developed by the Internal Control Standards Subcommittee. Members of the Subcommittee benefited from comments of other INTOSAI bodies and individual Supreme Audit Institutions. We were also honored to get insightful advice and suggestions from The Institute of Internal Auditors, one of INTOSAI's main partner organizations worldwide.
Warsaw, PL
Phone: +48 22 444 5081
ics@nik.gov.pl