Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
6031 The role of the internal audit function
Sep-2022
CAS Objectives
The objectives of the external auditor, where the entity has an internal audit function and the external auditor expects to use the work of the function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the external auditor, or to use internal auditors to provide direct assistance, are (CAS 610.13):
(a) To determine whether the work of the internal audit function or direct assistance from internal auditors can be used, and if so, in which areas and to what extent;
and having made that determination:
(b) If using the work of the internal audit function, to determine whether that work is adequate for purposes of the audit; and
(c) If using internal auditors to provide direct assistance, to appropriately direct, supervise and review their work.
OAG Policy
Auditors shall, to the extent they consider practicable, rely on internal audit in conducting a financial audit or special examination of a Crown corporation, as defined in the Financial Administration Act. [Nov‑2011]
Requirement for internal audit
CAS Guidance
If the entity has an internal audit function, the requirements in this CAS relating to using the work of that function do not apply if (CAS 610.3):
(a) The responsibilities and activities of the function are not relevant to the audit; or
(b) Based on the auditor’s preliminary understanding of the function obtained as a result of procedures performed under CAS 315, the external auditor does not expect to use the work of the function in obtaining audit evidence.
Nothing in this CAS requires the external auditor to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the external auditor; it remains a decision of the external auditor in establishing the overall audit strategy.
In some jurisdictions, the external auditor may be prohibited, or restricted to some extent, by law or regulation from using the work of the internal audit function or using internal auditors to provide direct assistance. The CASs do not override laws or regulations that govern an audit of financial statements. Such prohibitions or restrictions will therefore not prevent the external auditor from complying with the CASs (CAS 610.5).
Depending on whether the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors, the level of competency of the internal audit function, and whether the function applies a systematic and disciplined approach, the external auditor may also be able to use the work of the internal audit function in a constructive and complementary manner. This CAS addresses the external auditor’s responsibilities when, based on the external auditor’s preliminary understanding of the internal audit function obtained as a result of procedures performed under CAS 315, the external auditor expects to use the work of the internal audit function as part of the audit evidence obtained. Such use of that work modifies the nature or timing, or reduces the extent, of audit procedures to be performed directly by the external auditor (CAS 610.8).
The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal audit function or internal auditors to provide direct assistance on the engagement. Although they may perform audit procedures similar to those performed by the external auditor, neither the internal audit function nor the internal auditors are independent of the entity as is required of the external auditor in an audit of financial statements in accordance with CAS 200. This CAS, therefore, defines the conditions that are necessary for the external auditor to be able to use the work of internal auditors. It also defines the necessary work effort to obtain sufficient appropriate evidence that the work of the internal audit function, or internal auditors providing direct assistance, is adequate for the purposes of the audit. The requirements are designed to provide a framework for the external auditor’s judgments regarding the use of the work of internal auditors to prevent over or undue use of such work (CAS 610.11).
OAG Guidance
The presence of internal audit in an entity subject to audit may in some instances be mandated by legislation. Some entities have an exemption from internal audit granted by order‑in‑council if the costs of such audits are considered to outweigh the benefits.
Legal requirement to rely on internal audit
The Financial Administration Act requires auditors conducting annual audits to rely on internal audits conducted pursuant to subsection 131(3) where practicable.
FAA 132(8) An auditor shall, to the extent he considers practicable, rely on any internal audit of the corporation being audited that is conducted pursuant to subsection 131(3).
FAA 138(5) An examiner shall, to the extent he considers practicable, rely on any internal audit of the corporation being examined conducted pursuant to subsection 131(3).
FAA 131(3) Each parent Crown corporation shall cause internal audits to be conducted, in respect of itself and each of its wholly‑owned subsidiaries, if any, to assess compliance with subsections (1) and (2), unless the Governor in Council is of the opinion that the benefits to be derived from those audits do not justify their cost.
FAA 83(1) “Crown corporation” means a parent Crown corporation or a wholly‑owned subsidiary.
The common meaning of “practicable” in this context is “that it can be done, is feasible” which includes a consideration that the costs do not outweigh the benefits.
Auditors must assess whether the internal audit function is likely to be relevant to the audit as a first step before planning to rely on it.
Applicability of this section
This section of the manual applies only to audit engagements of entities with an internal audit function that fits the definition of an internal audit function as described in the guidance block below. This section does not apply when the responsibilities and activities of the internal audit function are not relevant to the audit, or when the audit team does not expect to use the work of an internal audit function (having assessed that under CAS 315).
OAG Audit 6031 to OAG Audit 6034 provide guidance on using the work of an internal audit function in obtaining evidence. OAG Audit 6035 provides additional guidance applicable to circumstances when we plan to use internal auditors to provide direct assistance.
Refer to OAG Audit 5011 for risk assessment procedures regarding internal audit that we need to perform in accordance with CAS 315 (even when we do not plan to use the work of an internal audit function).
Local law prohibiting or restricting use of the work of an internal audit function
If legislation or other regulation prohibits the use of the work of an internal audit function in its entirety, this section of OAG Audit is not applicable. If legislation or regulation prohibits only the use of internal auditors to provide direct assistance (the use of internal auditors to perform audit procedures under the direction, supervision and review of the external auditor), OAG Audit 6035 will not be applicable, but other guidance in this section will be relevant when planning to use the work of an internal audit function. Where there are restrictions on the use of the work of an internal audit function, further guidance will be issued to engagement teams on acceptable use and which parts of the OAG Audit Guide section remain applicable.
Definition of an internal audit function
CAS Guidance
For purposes of the CASs, the following terms have the meanings attributed below (CAS 610.14):
(a) Internal audit function—A function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management and internal control processes.
(b) Direct assistance—The use of internal auditors to perform audit procedures under the direction, supervision and review of the external auditor.
The objectives and scope of internal audit functions typically include assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control such as the following (CAS 610.A1):
Activities Relating to Governance
- The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organization and effectiveness of communication among those charged with governance, external and internal auditors, and management.
Activities Relating to Risk Management
- The internal audit function may assist the entity by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and internal control (including effectiveness of the financial reporting process).
- The internal audit function may perform procedures to assist the entity in the detection of fraud.
Activities Relating to Internal Control
- Evaluation of internal control. The internal audit function may be assigned specific responsibility for reviewing controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit function provides assurance on the control. For example, the internal audit function might plan and perform tests or other procedures to provide assurance to management and those charged with governance regarding the design, implementation and operating effectiveness of internal control, including those controls that are relevant to the audit.
- Examination of financial and operating information. The internal audit function may be assigned to review the means used to identify, recognize, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures.
- Review of operating activities. The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non‑financial activities of an entity.
- Review of compliance with laws and regulations. The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.
Activities similar to those performed by an internal audit function may be conducted by functions with other titles within an entity. Some or all of the activities of an internal audit function may also be outsourced to a third‑party service provider. Neither the title of the function, nor whether it is performed by the entity or a third‑party service provider, are sole determinants of whether or not the external auditor can use the work of the function. Rather, it is the nature of the activities; the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors; competence; and systematic and disciplined approach of the function that are relevant. References in this CAS to the work of the internal audit function include relevant activities of other functions or third‑party providers that have these characteristics (CAS 610.A2).
In addition, those in the entity with operational and managerial duties and responsibilities outside of the internal audit function would ordinarily face threats to their objectivity that would preclude them from being treated as part of an internal audit function for the purpose of this CAS, although they may perform controls that can be tested in accordance with CAS 330. For this reason, monitoring controls performed by an owner‑manager would not be considered equivalent to an internal audit function (CAS 610.A3).
While the objectives of an entity’s internal audit function and the external auditor differ, the function may perform audit procedures similar to those performed by the external auditor in an audit of financial statements. If so, the external auditor may make use of the function for purposes of the audit in one or more of the following ways (CAS 610.A4):
- To obtain information that is relevant to the external auditor’s assessments of the risks of material misstatement due to error or fraud. In this regard, CAS 315 requires the external auditor to obtain an understanding of the nature of the internal audit function’s responsibilities, its status within the organization, and the activities performed, or to be performed, and make inquiries of appropriate individuals within the internal audit function (if the entity has such a function); or
- Unless prohibited, or restricted to some extent, by law or regulation, the external auditor, after appropriate evaluation, may decide to use work that has been performed by the internal audit function during the period in partial substitution for audit evidence to be obtained directly by the external auditor.
In addition, unless prohibited, or restricted to some extent, by law or regulation, the external auditor may use internal auditors to perform audit procedures under the direction, supervision and review of the external auditor (referred to as “direct assistance” in this CAS).
OAG Guidance
Characteristics of an internal audit function
The characteristics of the entity’s internal audit function should be considered, to determine whether it fits the definition of an internal audit function under CAS 610.14 for the purposes of the external audit.
In particular, the following factors should be considered:
- the nature of the activities,
- the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors,
- the competence of the function, and
- the systematic and disciplined approach of the function.
Whose work can the Office use?
In some circumstances, the Office can use the work of individuals who do not have the title of internal auditor but who are part of an objective and competent function that applies a systematic and disciplined approach, including quality control. These individuals may include management, personnel or third parties whose work would be equivalent to that of internal audit for the purposes of this guidance.
The extent to which the Office can use the work of the internal audit (or equivalent) function varies, depending on the level of competency and objectivity of the individuals performing the work, and whether they apply a systematic and disciplined approach, including quality control. Note that personnel whose core function involves permanently serving as a testing or compliance authority at the entity, such as the internal audit function, are normally expected to have greater competence and objectivity than entity personnel whose principal duties address other business objectives. As explained in OAG Audit 6032, our evaluation of the function’s competence and objectivity would affect the extent of our use of the function’s work.
In some cases, an entity may have a department or team (either internally or through an external third‑party) that is notionally called an “internal audit function” but that does not possess, or cannot appropriately demonstrate, the necessary levels of objectivity or competence, or the application of a systematic and disciplined approach, including quality control. In those circumstances, the work performed by that department, team, or individuals within the entity is not considered to be internal audit work, but is instead deemed to be an internal control. If we want to make use of the work they have performed, we test their work in line with the guidance in OAG Audit 6040 (i.e., we consider every testing procedure performed by such individuals as a separate internal control, which would need to be individually tested, when we plan to rely on it). For example, if individuals outside of the internal audit or equivalent function performed testing of 300 instances of information processing controls implemented at the entity, we could treat such procedures as an element of the entity’s process to monitor the system of internal controls and rely on them if we inspect or reperform an appropriate sample using the guidance in OAG Audit 6053 (e.g., reperform 25 tests performed by the individuals outside of the internal audit or equivalent function).
Similarly, if individuals outside of the internal audit or equivalent function performed substantive testing procedures to verify the accuracy of certain financial line items (FSLIs), the audit team could treat their testing as a control within the control activities component and test it accordingly. This could enable the reduction of the extent of substantive testing (by taking credit for the evidence obtained from such controls testing), but would not eliminate the need for the audit team to perform its own substantive procedures for the related FSLIs. For example, if management performed revenue/receivables cut‑off testing, the audit team could treat such management procedures as cut‑off controls and rely on them if the audit team inspects or reperforms an appropriate sample using the guidance in OAG Audit 6053.
The Office would not use individuals outside of the internal audit or equivalent function to provide direct assistance because they would not typically possess the necessary objectivity and competence.
What work can the Office use?
The Office may use the work performed by the internal audit or equivalent function in the areas of controls and substantive testing.
The following chart illustrates the key guidance points above:
| | Controls Testing | Substantive Testing |
|---|---|---|
| Use of internal audit or equivalent function* | Yes, can use | Yes, can use |
| Use of individuals outside of internal audit or equivalent function | No use other than test as internal controls | No use other than test as internal controls |
| Direct assistance—Internal audit or equivalent function | Yes, can use | Yes, can use |
| Direct assistance—Individuals outside of internal audit or equivalent function | No | No |
*Subject to evaluation of the function’s competence, objectivity, and application of systematic and disciplined approach, including quality control.
Refer to OAG Audit 6032 for guidance on evaluating objectivity and competence of an internal audit function and whether it applies a systematic and disciplined approach, including quality control.
Internal audit function as part of the entity’s internal control and governance structure
CAS Guidance
Many entities establish internal audit functions as part of their internal control and governance structures. The objectives and scope of an internal audit function, the nature of its responsibilities and its organizational status, including the function’s authority and accountability, vary widely and depend on the size and structure of the entity and the requirements of management and, where applicable, those charged with governance. (CAS 610.6)
CAS 315 addresses how the knowledge and experience of the internal audit function can inform the external auditor’s understanding of the entity and its environment, the applicable financial reporting framework and the entity’s system of internal control, and identification and assessment of risks of material misstatement. CAS 315 also explains how effective communication between the internal and external auditors also creates an environment in which the external auditor can be informed of significant matters that may affect the external auditor’s work. (CAS 610.7)
OAG Guidance
It must be understood how the internal audit function fits into the entity’s system of internal control and governance structure. This understanding is necessary in order to evaluate the function’s audit scope, organizational status, and other matters relevant to whether its work can be used in an audit engagement.
Inquiries of appropriate individuals within the internal audit function, as part of risk assessment procedures required by CAS 315, may provide information that is useful in forming an understanding of the entity’s control environment and in assessing risks.
An internal audit function performs various activities that monitor the entity’s processes, such as:
- Evaluation of sales personnel’s compliance with the entity’s policies on terms of sales contracts
- Efficiency reviews over manufacturing processes
- Compliance with organizational finance policies
Such activities can help the audit team to understand the entity and its control environment through the entity’s process to monitor the system of internal controls.
For example, an entity has an internal audit function that has a detailed audit calendar identifying the annual reviews to be performed with reports issued to various levels of management. This calendar and reporting mechanism allows the audit team to develop an understanding about how management is monitoring various aspects of their business and, based on the findings included in the reports issued by the function, the audit team may conclude that certain processes and/or locations represent a lower risk of material misstatement of the financial statements.
Related Sections
OAG Audit 6032 Evaluate ability to use the work of an internal audit function
OAG Audit 6033 Determining the nature and extent of work of the internal audit function that the Office finds appropriate to use
OAG Audit 6034 Evaluating the work of the internal audit function
OAG Audit 6035 Using internal auditors to provide direct assistance