Technical Articles

International Journal of Government Auditing – April 2012

Overcoming Barriers between the Internal and External Audit Functions in Malta

According to the Institute of Internal Auditors, government auditing is a cornerstone of good public sector governance. Auditors play a crucial role in assisting government entities to achieve accountability and integrity by providing unbiased opinions on the use of public resources. The Maltese public service, like its counterparts in other countries, relies on audit activities from a combination of external and internal auditors. The National Audit Office (NAO), an INTOSAI member, carries out the external audit function, while the Internal Audit and Investigations Department (IAID) carries out the internal audit function.

This article is based on recent research carried out in Malta to evaluate the relationship between the NAO and IAID and to assess any potential barriers to that relationship as well as the effect of having two types of auditors on different aspects of auditing.

To achieve these objectives, 24 personal semi-structured interviews were held with officials from the NAO, IAID, and government departments. In quantifying the comparisons, ANOVA testing was used to identify any significant differences.

The research identified a number of important barriers in the NAO/IAID relationship that constitute a dividing wall between the two functions that needs to be tackled. Figure 1 summarizes the barriers and the actions proposed to overcome them.

Figure 1: Tackling the Barriers between Internal and External Audit Functions in Malta
Figure 1: Tackling the Barriers between Internal and External Audit Functions in Malta

The study revealed that although no intentional barrier existed between the external and internal auditors, both acknowledged that communication between the two offices was still in its infancy and there was definitely room for improvement.

Elements of a Dividing Wall

Although both offices needed to be independent to avoid conflicts of interest, especially since they had different lines of reporting, there was no need for barriers to exist between the two parties. The following sections analyze the barriers hindering the relationship between the two parties.

An Ingrained Culture

The study ascertained that resistance to change was the strongest barrier between external and internal auditors and that this resistance can be linked to the ingrained culture of certain public officers, particularly external auditors. From their perspective, the relationship was shaped by the overriding requirement to be, and to be seen as, independent. This led to a prevailing culture that was a possible hindrance to the relationship with the other function. For example, it emerged that external audit staff rarely consulted the work of internal auditors, except where such audits were directly relevant to the audits they were undertaking.

Furthermore, research findings revealed that the prevailing culture particularly influenced the relationship between the two parties in the area of fraud and irregularities. Most external auditors expressed concern about dealing with the internal audit function in fraud risk areas and, as a result, did not seek any second opinions. Instead, each party took responsibility for its own findings and independently decided whether or not to approach the police.

Informal Communication

The results also suggested that although an open-door policy existed between the two offices, communication between them was too informal and, in particular, affected cooperation in audit planning. Half of the respondents agreed that this was the area in which they consulted with each other the most, yet much remained to be done to maximize the benefits to both bodies. This level of informal communication also influenced their coordination on internal controls. Limited cooperation at the planning stage can result in the external audit function not using data gathered by the internal audit function.


One common misperception among the different stakeholders, including the two institutions, was that the external audit function could not make use of internal auditors’ work. This finding was further supported by the research finding that the two institutions rarely exchanged their reports. Many pointed out that this was true primarily because of different lines of reporting and legislation that provided for confidentiality. This misperception indicated a situation in which both entities failed to realize how they could actually help each other.

The Internal Audit and Financial Investigations Act provides that internal auditors should not disclose any information acquired during internal audits. Reports are strictly for the permanent secretary’s use to ensure confidentiality and safeguard the interest of auditees. However, an exception exists in the case of the supreme audit institution. The auditor general and external auditors are protected by their constitutional rights and, therefore, cannot be treated like other external entities. Although this is not specified in the legislation, there is no justification for precluding the NAO from viewing internal audit reports and working papers. Thus, respondents questioned whether external auditors were aware enough of their rights and made use of them.

Most respondents also pointed out that external auditors generally did not request internal auditors’ reports because the two types of auditors worked in separate areas. They claimed that this prevented overlaps leading to duplication of work and thus a waste of resources. Few referred to the opportunities that existed for cooperation in practice.

A Lack of Resources

Limited resources were another major issue, particularly for internal auditors, who complained of insufficient resources and claimed that because their remit was quite large, they could have covered a wider area if they had been given more human and financial resources. They also claimed that heavy time constraints resulting from a lack of resources limited the amount of consulting that could take place between the two offices.

Deconstructing the Wall

To eliminate these barriers and improve the relationship between both institutions, actions are called for in a number of areas. These include taking the appropriate steps on both sides to formalize their relationship, strengthening communication and consulting more readily, and retaining records of the audit work performed. The following sections discuss each of these actions.

Formalization of the NAO and IAID Relationship

Formalizing the relationship between the NAO and IAID is probably the fundamental step that needs to be taken to overcome the barriers between the two parties. This could be done through a written agreement, regulated by law, paying particular attention to the supreme audit institution’s mandate so it becomes clearer that both entities may interact for auditing purposes. Working together by tacit acceptance of certain practices or attitudes may be a starting point. However, formalizing the relationship could definitely add further scope and audit value. Linking useful techniques and expertise from both offices may create a value chain.

The relationship could be formalized gradually in different stages. This process could be promoted by a memorandum of understanding aimed at defining and prioritizing areas of useful interaction. Such a memorandum, especially between the senior management of both offices, would clearly be preferable to a formal written legal agreement. Respondents stated that uch a memorandum would result in more affinity between the parties.

Better Communication and More Readiness to Consult

The relationship needs to be nourished through regular and open communication on matters of mutual interest. Specifically, such communication would be beneficial at each stage of the audit process to ensure the best possible results. Periodic meetings at the senior management level, perhaps every quarter, would also be helpful if they involved discussions of general issues of concern identified during the audits.

Moreover arrangements could be made to routinely exchange reports and useful working papers between the two institutions without each party having to wait for a specific request, as long as there are no data security or confidentiality issues. However, some claimed that this would inevitably result in exchanging documentation that would never actually be used. To avoid this problem, information to be shared in this way could be of only a general nature, such as comments on the overall deficiencies found in specific departments, particularly in the initial stages.

Moreover, ISSAI 1610, Using the Work of Internal Auditors, acknowledges the need for a point of reference between internal and external auditors. Yet, as has been seen, better coordination could be achieved if both parties expressed more willingness to consult each other. Admittedly, this is not an easy task because staff members on each side are yet to be convinced that such consultation will actually lead to a win-win situation.

Retention of Work Records

Retaining agreed-upon records on each side and making them easily usable and available to each party would also be another step forward. As shown in figure 2, typical records to be retained and exchanged by each party could include, in addition to the audit opinion, control, compliance, and other key issues.

Figure 2: Typical Audit Records for Retention
Figure 2: Typical Audit Records for Retention

Of course, such a facility would enable both sets of auditors to manage their audit risks more effectively. For example, when doing an audit plan, both offices would know whether a particular area was high risk or not.

Going Beyond the Wall

The relationship between the NAO and the IAID cannot progress further unless more resources are dedicated to having an internal audit unit within every ministry, which is as yet not the case. This would require that the internal audit function be decentralized while retaining a central monitoring unit. In addition, audit committees at the level of each ministry would also provide an opportunity for external and internal auditors and directors to have a meeting of the minds at this decentralized level. Figure 3 illustrates this model for a decentralized internal audit function with links to external auditors.

Figure 3: Consolidating the Oversight Function: Decentralizing the Internal Audit Function and Linking with External Auditors
Figure 3: Consolidating the Oversight Function: Decentralizing the Internal Audit Function and Linking with External Auditors

A structure such as that suggested above would ensure a balance between the decentralization needed for internal auditing (thus securing its relevance) and the consolidation of an oversight function to keep in view the overall national audit picture in close collaboration with external auditors.


In the public sector in Malta, both internal and external auditors need to gain more standing in each other’s eyes. For this to occur, a number of steps may be taken that will also enhance both audit efficiency and effectiveness. Within a holistic spectrum of government audit activities, the key is for the two functions to be and to be seen as complementing each other, rather than as treading on each other’s toes.

For additional information, contact the authors at and