Is your auditor participating in the writing of policies and procedures? If so, your audit may be determined to be not independent.
Auditing is one service that Compliance Alliance does not offer to member banks, with good reason. According to the auditing standards, auditing should not be performed by those who also provide policy and procedure documents to your bank, as the audit can be determined to not be independent.
There are two important aspects to independence which must be distinguished from each other:
- Independence in fact (real independence); and
- Independence in appearance (perceived independence).
Both are essential to achieve the goals of independence. Real independence refers to the actual independence of the auditor, also known as independence of mind. More specifically, real independence concerns the state of mind an auditor is in, and how the auditor acts in/deals with a specific situation. An auditor who is independent 'in fact' has the ability to make independent decisions even if there is a perceived lack of independence present, or if the auditor is placed in a compromising position by company directors. Many difficulties lie in determining whether an auditor is truly independent, since it is impossible to observe and measure a person’s mental attitude and personal integrity. Similarly, an auditor’s objectivity must be beyond question, but how can this be guaranteed and measured? This is why perceived independence is of such importance.
It is essential that the auditor not only acts independently, but appears independent too. If an auditor is in fact independent, but one or more factors suggest otherwise, this could potentially lead to the conclusion that the audit report does not represent a true and fair view. Independence in appearance also reduces the opportunity for an auditor to act otherwise than independently, which subsequently adds credibility to the audit report.
Consulting Versus Auditing
There is a wide range of opinions regarding the difference between auditing and consulting. A large majority agree that compliance review and risk assessment objectives are very strongly associated with auditing, and that implementing policies and procedures is very strongly associated with consulting.
However, a significant majority believe that the identification of critical issues and recommendations to solve problems are a mix of auditing and consulting.
In an effort to make certain there is no confusion between the two very different functions, we have identified a set of activities that are common practice for the two fields:
Consulting:
- Focus on daily activities and future events (procedures for daily and policies for future)
- Address the implementation of activities
- Initiated by departmental needs
- Primary client is department manager
- Involves staff throughout the organization
- Yields a product rather than an audit report (policies, procedures, tools)
Auditing:
- Focused on past or historical events (specific point in time, i.e. “as of date” for audit or exam)
- Address compliance issues and business risks
- Initiated by Audit Committee or Board of Directors
- Primary client is Audit Committee/Senior Manager
- Conducted exclusively by members of third party audit firm or internal audit department
- Yields an audit report with findings and recommendations used by Senior Managers to address how well the organization is adhering to policies and legal requirements, as well as to begin the development of a product (i.e. a policy, procedure, tool) to guide the organization to compliance with requirements of the policy or procedure
Regulatory opinion, as stated in several exam findings, is that allowing audit personnel to perform traditional consulting activities (policy or procedure development) gives the bank a "false" sense of security. That is, although the auditor's experience may give them insight into how to correct an issue, or the ability to produce a product to assist the bank in implementing a specific finding, allowing the auditor to produce the policy or procedure would remove the independence; in essence, the auditor would then be auditing their own work.
Given the importance of independence and objectivity to the internal audit function, it is of utmost importance to consider this opinion.
The credibility and effectiveness of the entire audit function are at stake if, by engaging in certain activities, auditors are risking their independence. Based upon the Standards for the Professional Practice of Internal Auditing (SPPIA), the requirement for independence and objectivity can be summarized as follows: "Internal auditors should be independent of the activities they audit. Such independence permits internal auditors to perform their work freely and objectively. Without independence, the desired results of internal auditing cannot be realized. ... (Independence) is achieved through organizational status and objectivity. ... Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others." It is important to note that external auditors are governed by guidelines as strict as those for internal auditors.
"Designing, installing, and operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed to impair audit objectivity."
These are the primary citations in the SPPIA:
GENERAL STANDARD 100 - Independence
Internal Auditors should be independent of the activities they audit.
Guideline 100.01. Internal auditors are independent when they can carry out their work freely and objectively. Independence permits internal auditors to render the impartial and unbiased judgments essential to the proper conduct of audits. It is achieved through organizational status and objectivity.
SPECIFIC STANDARD 110 - Organizational Status
The organizational status of the internal auditing department should be sufficient to permit the accomplishment of its audit responsibilities.
- Guideline 110.01.1. The director of the internal auditing department should be responsible to an individual in the organization with sufficient authority to promote independence and to ensure broad audit coverage, adequate consideration of audit reports, and appropriate action on audit recommendations.
- Guideline 110.01.2. The director of internal auditing should have direct communication with the board. Regular communication with the board helps assure independence and provides a means for the board and the director to keep each other informed on matters of mutual interest.
SIAS #7 - Communicating with the Board of Directors
The term "board," as used in the Standards and in this statement, includes boards of directors, audit committees of such boards, heads of agencies or legislative bodies to whom internal auditors report, boards of governors or trustees of nonprofit organizations, and any other designated governing bodies of organizations.
SPECIFIC STANDARD 120 - Objectivity
Internal auditors should be objective in performing audits.
- Guideline 120.01. Objectivity is an independent mental attitude which internal auditors should maintain in performing audits. Internal auditors are not to subordinate their judgment on audit matters to that of others.
- Guideline 120.02. Objectivity requires internal auditors to perform audits in such a manner that they have an honest belief in their work product and that no significant quality compromises are made. Internal auditors are not to be placed in situations in which they feel unable to make objective professional judgments.
- Staff assignments should be made so that potential and actual conflicts of interest and bias are avoided. The director should periodically obtain from the audit staff information concerning potential conflicts of interest and bias.
- Internal auditors should report to the director any situations in which a conflict of interest or bias is present or may reasonably be inferred. The director should then reassign such auditors.
- Staff assignments of internal auditors should be rotated periodically whenever it is practicable to do so.
- Internal auditors should not assume operating responsibilities. But if on occasion senior management directs internal auditors to perform non-audit work, it should be understood that they are not functioning as internal auditors. Moreover, objectivity is presumed to be impaired when internal auditors audit any activity for which they had authority or responsibility (which would include having the ability to make policy).
- Persons transferred to or temporarily engaged by the internal auditing department should not be assigned to audit those activities they previously performed until a reasonable period of time has elapsed. Such assignments are presumed to impair objectivity and should be considered when supervising the audit work and reporting audit results.
- Guideline 120.03. The internal auditor's objectivity is not adversely affected when the auditor recommends standards of control for systems or reviews procedures before they are implemented. Designing, installing, and operating systems are not audit functions. Also, the drafting of procedures for systems is not an audit function. Performing such activities is presumed to impair audit objectivity.
The greatest risk of violating the independence principle comes from mixing consulting with auditing.
The “gray area” between auditing and consulting offers opportunities for observers (specifically, regulators) to conclude that auditors have violated the independence principle when they write policies and procedures to be implemented in the banks for which they perform audit functions.
For the most part, auditors and regulatory agencies believe that performing consulting services carries a relatively high risk of jeopardizing independence.
Senior Management needs to establish criteria to differentiate auditing and consulting work. The bank should appreciate and expect the auditors to protect the independence and objectivity of the audit function, and not expect or allow the auditor (internal or external) to participate in any activity that would jeopardize that independence.
Considering the strict standards required of the audit function and the regulatory view of independence, the Board should ensure the audit function is clearly separate from the management function of policy making and the writing of procedures. Remember, auditors make recommendations for “best practice” to include in a policy, but in no way should be involved in the actual writing or implementation of the policies.