6 minute read 18 Feb 2019
couple on laptop reviewing investment portfolio

How understanding independence can lead to more strategic relationships

By

Amy Brachio

EY Global Advisory Risk & Performance Improvement Leader

Industry leader in risk management. A voice for working women. Passionate about diversity and inclusiveness. Mother. Wife.

Contributors
6 minute read 18 Feb 2019
Related topics Advisory Risk Digital

Companies can use the same third party for internal audit and other services. But how do you encourage objectivity?

Over the last several years, stakeholders (e.g., audit committees, executive management and others within the organization) have been asking more of internal audit. In addition to assurance, they expect internal audit to provide business insights and strategic advice. These increased and evolving demands drive a need for knowledge, skills, and technical experience that is extensive and varied, and can be difficult to maintain in-house.

Many internal audit departments regularly bring in third parties to support a range of activities that include executing the internal audit plan, providing subject matter insight, and even transforming the department. However, internal audit isn’t the only part of the company that needs external assistance. Companies are facing complex business issues that span the organization.

Third parties that provide internal audit services often have additional capabilities and resources that can benefit other parts of the organization. As a result, companies have the opportunity to include the same third party who provides internal audit services when considering who to bring in to help with other business issues. The business knowledge and relationships gained through internal audit uniquely position them to support other activities across the company.

But when evaluating advisors, there may be a misunderstanding of whether, and to what extent, a service provider may support internal audit activities while providing other services to the organization.

Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year.

Audit independence vs. objectivity

It is essential to understand the distinction between independence and objectivity, as defined by The Institute of Internal Auditors (IIA):

  • Independence: freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner.
  • Objectivity: unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Requires that internal auditors do not subordinate their judgment on audit matters to others.

In practical terms, this means internal auditors must refrain from assessing specific operations for which they were previously responsible. Objectivity is presumed to be impaired if an internal auditor provides assurance services for an activity for which the internal auditor had responsibility within the previous year. But internal auditors may provide consulting services relating to operations for which they had previous responsibilities.

Importantly, the professional standards and requirements for internal audit differ significantly from those that apply to external audit, and do not preclude a firm from providing both internal audit and consulting services.

There are several ways that service providers can structure engagements to provide the right level of objectivity. One common approach is to establish firewalls between the core internal audit team and other project teams that enable team members to remain objective while supporting a broad range of services. Independence and objectivity are also enabled by clearly defining that while advice and recommendations are provided to assist management functions in making their decisions, the internal auditor or consultant will not assume management responsibilities or act in a management capacity.

Internal audit objectivity assessment

Thoughtful consideration of the specific circumstances is important. These questions can be used to assess whether there are any risks to an individual’s objectivity when assigning resources to audits:

1. Will the individual be auditing their own work?

  • Within the past year, has the individual performed ongoing control activities that affect the execution of transactions?
  • Did the individual perform application development or configuration related to the scope of the audit?
  • Was the individual responsible for any defect or problem arising out of or related to data processing in any systems?
  • Did the individual perform routine activities in connection with the company’s operating processes?
  • Has the individual performed bookkeeping or other services related to the accounting records or financial statements within the scope of the audit?
  • Did the individual authorize, execute or process transactions?
  • Did the individual prepare source documents or transitions?
  • Did the individual prepare the financial statements or related financial statement disclosures?
  • Does the individual have custody of assets?

2. Within the past year, did the individual act in any capacity equivalent to a member of management within the area being audited?

Was the individual responsible for any key decision over financial information systems design and implementation?

Was the individual responsible for deciding which, if any, recommendations for improving internal control should be implemented?

3. Will the individual’s familiarity of work cause prejudgments?

4. Will the individual be working with a relative or close friend?

If the answer to any of the questions in the assessment is yes, there are threats to objectivity and the team should document all mitigating factors and work with management to assess whether the mitigating factors are sufficient.

Test your audit knowledge

The following scenarios demonstrate how independence and objectivity can be applied.

Scenario 1: An internal auditor assists with an internal controls pre-assessment for a new acquisition and is scheduled to assist with an internal audit of the same business later in the year (within 12 months).

  • Answer: Permissible because the pre-assessment was a risk and control engagement.

Scenario 2: A third party performs a consulting engagement related to revenue recognition implementation work and the third party is scheduled to perform an internal audit within the next 12 months for the same subject matter.

  • Answer: Permissible as long as the third-party team members on the internal audit are not the same as the team members who assisted on the consulting engagement. If a subject matter resource (SMR) from the revenue recognition team is requested on the team, the permissibility of their involvement will depend on the depth of the role the SMR played in implementing the original services.

Scenario 3: A third-party internal auditor helps design and implement controls related to a new subsidiary company to be consistent with the acquiring company’s SOX program and is scheduled on a subsidiary integration internal audit later that year.

  • Answer: Not permissible for the internal auditor who participated in a consulting project in which they helped design and implement controls because the individual could be auditing their own work. A 12-month cooling-off period is necessary. Use of the same third-party provider is permissible as long as the team members on the internal audit team are not the same as the team members who assisted in the controls design engagement.

Take a thoughtful approach to third-party auditors

Companies can use the same third party for internal audit and other services. In many cases, organizations benefit from this structure, as the business knowledge and relationships gained through internal audit uniquely position these providers to provide insight when supporting other activities across the company. Consideration should be given to the specific circumstances, and it is important to make sure protocols are discussed and put in place to maintain objectivity.

Organizations that employ a thoughtful approach have the opportunity to more strategically leverage trusted advisors with deep institutional knowledge. These trusted advisors, and their exposure to industry leading practices, can provide insights that help companies protect, grow, optimize and innovate their businesses.

Summary

Third parties that provide internal audit services often have additional capabilities and resources that can benefit other parts of the organization. The business knowledge and relationships gained through internal audit uniquely position them to support other activities across the company. This can present challenges to independence and objectivity in such strategic relationships, however. But with thoughtful consideration of the specific circumstances, such challenges can be avoided.

About this article

By

Amy Brachio

EY Global Advisory Risk & Performance Improvement Leader

Industry leader in risk management. A voice for working women. Passionate about diversity and inclusiveness. Mother. Wife.

Contributors
Related topics Advisory Risk Digital