6032 Evaluate ability to use the work of an internal audit function
Sep-2014

In This Section

Evaluating the internal audit function—Objectivity and competence

Evaluating the internal audit function—Application of a systematic and disciplined approach, including quality control

Circumstances when the work of an internal audit function cannot be used

OAG Policy

Audit teams shall determine the adequacy of the work of internal audit (assess the internal audit function) for the purposes of the audit where the audit team expects to use the work of internal audit. [Nov‑2011]

Evaluating the internal audit function—Objectivity and competence

CAS Requirement

The external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the following (CAS 610.15):

(a) The extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors; and

(b) The level of competence of the internal audit function.

CAS Guidance

The external auditor exercises professional judgment in determining whether the work of the internal audit function can be used for purposes of the audit, and the nature and extent to which the work of the internal audit function can be used in the circumstances (CAS 610.A5).

The extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors and the level of competence of the function are particularly important in determining whether to use and, if so, the nature and extent of the use of the work of the function that is appropriate in the circumstances (CAS 610.A6).

Objectivity refers to the ability to perform those tasks without allowing bias, conflict of interest or undue influence of others to override professional judgments. Factors that may affect the external auditor’s evaluation include the following (CAS 610.A7):

  • Whether the organizational status of the internal audit function, including the function’s authority and accountability, supports the ability of the function to be free from bias, conflict of interest or undue influence of others to override professional judgments. For example, whether the internal audit function reports to those charged with governance or an officer with appropriate authority, or if the function reports to management, whether it has direct access to those charged with governance.

  • Whether the internal audit function is free of any conflicting responsibilities, for example, having managerial or operational duties or responsibilities that are outside of the internal audit function.

  • Whether those charged with governance oversee employment decisions related to the internal audit function, for example, determining the appropriate remuneration policy.

  • Whether there are any constraints or restrictions placed on the internal audit function by management or those charged with governance, for example, in communicating the internal audit function’s findings to the external auditor.

  • Whether the internal auditors are members of relevant professional bodies and their memberships obligate their compliance with relevant professional standards relating to objectivity, or whether their internal policies achieve the same objectives.

Competence of the internal audit function refers to the attainment and maintenance of knowledge and skills of the function as a whole at the level required to enable assigned tasks to be performed diligently and in accordance with applicable professional standards. Factors that may affect the external auditor’s determination include the following (CAS 610.A8):

  • Whether the internal audit function is adequately and appropriately resourced relative to the size of the entity and the nature of its operations.

  • Whether there are established policies for hiring, training and assigning internal auditors to internal audit engagements.

  • Whether the internal auditors have adequate technical training and proficiency in auditing. Relevant criteria that may be considered by the external auditor in making the assessment may include, for example, the internal auditors’ possession of a relevant professional designation and experience.

  • Whether the internal auditors possess the required knowledge relating to the entity’s financial reporting and the applicable financial reporting framework and whether the internal audit function possesses the necessary skills (for example, industry‑specific knowledge) to perform work related to the entity’s financial statements.

  • Whether the internal auditors are members of relevant professional bodies that oblige them to comply with the relevant professional standards including continuing professional development requirements.

Objectivity and competence may be viewed as a continuum. The more the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors and the higher the level of competence of the function, the more likely the external auditor may make use of the work of the function and in more areas. However, an organizational status and relevant policies and procedures that provide strong support for the objectivity of the internal auditors cannot compensate for the lack of sufficient competence of the internal audit function. Equally, a high level of competence of the internal audit function cannot compensate for an organizational status and policies and procedures that do not adequately support the objectivity of the internal auditors (CAS 610.A9).

OAG Guidance

The audit team must carefully consider whose work to use and whether such work has been done by individuals who are part of an internal audit or equivalent function—that is, whether these individuals are objective and competent, and whether they have applied a systematic and disciplined approach, including quality control. As noted in OAG Audit 6031, in certain circumstances the Office may use the work of individuals who are part of an objective and competent function that applies a systematic and disciplined approach, including quality control, but who do not have the title of internal auditor. Such functions could include management, personnel and/or third parties and would be considered equivalent to members of an internal audit function.

The audit team should consider using tests performed by individuals outside the internal audit or equivalent function (treating such tests as internal controls in accordance with CAS 330) if the testing was performed by individuals who are not responsible for performing the control or for ensuring the completeness and accuracy of the information being tested (that is, management testing). The Office does not use tests performed by the same personnel who are responsible for performing the control or for the completeness and accuracy of the information being tested (i.e., management self‑assessment) as part of audit evidence because these individuals do not have sufficient objectivity as it relates to the subject matter.

Having determined that the work of an internal audit or equivalent function can be used, the audit team then determines the extent to which it can be used, depending on the level of competence and objectivity of the individuals who performed the work. The following diagram illustrates the typical relationship between the role of the person who performed the procedures and the amount of evidence that can be obtained from the work.

Inquiries of appropriate members of the entity’s internal audit function required by CAS 315 (see OAG Audit 5036) will provide information that enables the audit team to assess the objectivity and competence of the function. In conducting those inquiries, consider questions that will give insight into the factors listed in CAS 610.A7 and CAS 610.A8.

Objectivity and competence are not absolute measures and may be viewed as a continuum. Assessment of these attributes is judgmental and the conclusions drawn will be somewhere on a continuum, e.g., there is a range on which we will judge the objectivity and competence—from low to high. Please see the illustration below:

The audit team should assess objectivity and competence separately and determine its ability to use the work of the function. It is important to note that a high level of assessed objectivity cannot compensate for an assessed low level of competence, and vice versa. Conclusions reached are documented in the audit file to demonstrate the audit team’s consideration of these attributes. See OAG Audit 6034 for further guidance on the nature and extent of matters to be documented.

It is normally sufficient to perform only an overall assessment of the internal audit function. If the audit team is satisfied that there are appropriate policies and procedures in place to assess the competence of internal auditors, and there is adequate quality assurance over the completion of the working papers and reports in place to assess the due professional care of internal auditors, it is ordinarily not necessary to reassess these factors for each component and business process.

These attributes are assessed primarily to determine whether there is an appropriate underlying basis on which to use the work of the function. However, the higher the assessment of the levels of both objectivity and competence, the more likely it is that the work of the internal audit function can be used to a greater extent. Conversely, if the audit team concludes that the function has lower levels of objectivity or competence, or identifies one or more matters that affect certain aspects of its assessment of the function’s objectivity and competence, more careful consideration is needed to determine the precise nature and extent of the work that can be used. An assessment of lower levels of objectivity and competence does not preclude the use of the function’s work in its entirety.

The overall nature and extent of the planned use of the work of the function, taking into consideration our conclusions reached with respect to objectivity and competence, and on whether the function uses a systematic and disciplined approach that includes quality control (see block Evaluating the internal audit function—Application of a systematic and disciplined approach, including quality control below) is subject to a number of additional considerations which are discussed in OAG Audit 6033.

Evaluating the internal audit function—Application of a systematic and disciplined approach, including quality control

CAS Requirement

The external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the following (CAS 610.15):

(c) Whether the internal audit function applies a systematic and disciplined approach, including quality control.

CAS Guidance

The application of a systematic and disciplined approach to planning, performing, supervising, reviewing and documenting its activities distinguishes the activities of the internal audit function from other monitoring controls that may be performed within the entity (CAS 610.A10).

Factors that may affect the external auditor’s determination of whether the internal audit function applies a systematic and disciplined approach include the following (CAS 610.A11):

  • The existence, adequacy and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation and reporting, the nature and extent of which is commensurate with the size and circumstances of an entity.

  • Whether the internal audit function has appropriate quality control policies and procedures, for example, policies and procedures that would be applicable to an internal audit function (such as those relating to leadership, human resources and engagement performance) or quality control requirements in standards set by the relevant professional bodies for internal auditors. Such bodies may also establish other appropriate requirements such as conducting periodic external quality assessments.

OAG Guidance

In addition to considering the objectivity and competence of the internal audit function, the audit team should consider whether the function applies a systematic and disciplined approach, including quality control.

The application of such an approach is one of the characteristics that distinguishes an internal audit function from other individuals within the entity who perform activities that might be considered internal audit activities, as explained in OAG Audit 6031.

As with its assessment of objectivity and competence, the audit team makes inquiries of appropriate members of the entity’s internal audit function to obtain information that allows an assessment of whether the function applies a systematic and disciplined approach, including quality control. In making these inquiries, which are required by CAS 315 (see OAG Audit 5036), the audit team considers the factors listed in CAS 610.A11. There are no minimum requirements or benchmarks that define what constitutes a “systematic and disciplined approach, including quality control.” Audit teams, having made appropriate inquiries of members of the function, and taking into consideration any other factors or information that is known, apply professional judgment in reaching and documenting a conclusion. See OAG Audit 6034 for further guidance on the nature and extent of matters to be documented.

Factors that may apply to an internal audit function and that may assist the audit team in its assessment include whether the function has policies and procedures

  • for promoting an internal culture in which quality is recognized as essential in performing engagements;

  • for determining whether any person or persons that the entity has assigned operational responsibility for the function’s system of quality control has sufficient and appropriate experience and ability, and the necessary authority;

  • for providing reasonable assurance that it has, and can assign, sufficient personnel with the competence, capabilities, and commitment to ethical principles necessary to (1) perform engagements in accordance with (any relevant) professional standards and regulatory and legal requirements, and (2) enable the function to issue reports that are appropriate in the circumstances;

  • for promoting consistency in the quality of engagement performance;

  • for addressing supervision and reviewing responsibilities;

  • for conducting quality control reviews that provide an objective evaluation of the significant judgments made by the internal auditor conducting the work and the conclusions reached in formulating the report; and

  • for establishing a monitoring process designed to assess whether the policies and procedures related to the system of quality control are relevant, adequate, and effective.

Examples of attributes that might be indicators of a systematic and disciplined approach include (but are not limited to):

  • recruitment processes that include formal requirements regarding necessary qualifications that potential internal audit team members must possess;

  • members of the function are subject to continual professional development requirements—for example, attendance at regular training sessions;

  • the function has a performance evaluation system with regard to its personnel;

  • the function has a formal manual describing the nature and scope of its procedures, including supervision processes; and

  • formal review processes are in place and operating effectively with regard to reviewing the work of members of the function.

Circumstances when the work of an internal audit function cannot be used

CAS Requirement

The external auditor shall not use the work of the internal audit function if the external auditor determines that (CAS 610.16):

(a) the function’s organizational status and relevant policies and procedures do not adequately support the objectivity of internal auditors;

(b) the function lacks sufficient competence; or

(c) the function does not apply a systematic and disciplined approach, including quality control.

CAS Guidance

The external auditor’s evaluation of whether the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors, the level of competence of the internal audit function, and whether it applies a systematic and disciplined approach may indicate that the risks to the quality of the work of the function are too significant and therefore it is not appropriate to use any of the work of the function as audit evidence (CAS 610.A12).

Consideration of the factors in paragraphs A7, A8 and A11 of this CAS individually and in aggregate is important because an individual factor is often not sufficient to conclude that the work of the internal audit function cannot be used for purposes of the audit. For example, the internal audit function’s organizational status is particularly important in evaluating threats to the objectivity of the internal auditors. If the internal audit function reports to management, this would be considered a significant threat to the function’s objectivity unless other factors such as those described in paragraph A7 of this CAS collectively provide sufficient safeguards to reduce the threat to an acceptable level (CAS 610.A13).

In addition, in Canada, the relevant ethical requirements may state that a self‑review threat is created when the external auditor accepts an engagement to provide internal audit services to an audit client, and the results of those services will be used in conducting the audit. This is because of the possibility that the engagement team will use the results of the internal audit service without properly evaluating those results or without exercising the same level of professional skepticism as would be exercised when the internal audit work is performed by individuals who are not members of the firm. In Canada, the relevant ethical requirements may discuss the prohibitions that apply in certain circumstances and the threats and the safeguards that can be applied to reduce the threats to an acceptable level in other circumstances. [In ISA 610, the first sentence states: In addition, the IESBA Code states that self‑review threat . . . ; and the last sentence states: The IESBA Code discusses the prohibition . . . ] (CAS 610.CA14).

OAG Guidance

When the audit team concludes that it is not appropriate to use the work of the internal audit function because the function lacks objectivity, competence, or a systematic and disciplined approach, it should consider whether any of the testing carried out by other individuals represents an internal control, and whether testing of any identified controls in accordance with OAG Audit 6050 is relevant to the overall audit strategy.

In such circumstances, the audit team should communicate its conclusions to those charged with governance. See OAG Audit 6033 for further guidance on required communications.

Refer also to OAG Audit 6031 and OAG Audit 6033 for guidance on engagement-specific circumstances when it is inappropriate, or prohibited, to use the work of the internal audit function in one or more areas.

Related Sections

OAG Audit 6031 The role of the internal audit function
OAG Audit 6033 Determining the nature and extent of work of the internal audit function that the Office finds appropriate to use
OAG Audit 6034 Evaluating the work of the internal audit function
OAG Audit 6035 Using internal auditors to provide direct assistance