Annual Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
6033 Determining the nature and extent of work of the internal audit function that the Office finds appropriate to use
Jun-2019
In This Section
Overview
This section explains:
- Factors affecting the determination of the nature and extent of work of the internal audit function that can be used
- Specific considerations relevant to the extent of judgment involved and assessed risk of material misstatement
- Evaluating the sufficiency of the audit team’s involvement in the audit when planning to use the work of an internal audit function
- Communication of planned use of the work of the internal audit function with Those Charged With Governance
Factors affecting the determination of the nature and extent of work of the internal audit functions that can be used
CAS Requirement
As a basis for determining the areas and the extent to which the work of the internal audit function can be used, the external auditor shall consider the nature and scope of the work that has been performed, or is planned to be performed, by the internal audit function and its relevance to the external auditor’s overall audit strategy and audit plan (CAS 610.17).
CAS Guidance
Once the external auditor has determined that the work of the internal audit function can be used for purposes of the audit, a first consideration is whether the planned nature and scope of the work of the internal audit function that has been performed, or is planned to be performed, is relevant to the overall audit strategy and audit plan that the external auditor has established in accordance with CAS 300 (CAS 610.A15).
Examples of work of the internal audit function that can be used by the external auditor include the following (CAS 610.A16):
- Testing of the operating effectiveness of controls.
- Substantive procedures involving limited judgment.
- Observations of inventory counts.
- Tracing transactions through the information system relevant to financial reporting.
- Testing of compliance with regulatory requirements.
- In some circumstances, audits or reviews of the financial information of subsidiaries that are not significant components to the group (where this does not conflict with the requirements of CAS 600).
The external auditor’s determination of the planned nature and extent of use of the work of the internal audit function will be influenced by the external auditor’s evaluation of the extent to which the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors and the level of competence of the internal audit function in paragraph 18 of this CAS. In addition, the amount of judgment needed in planning, performing and evaluating such work and the assessed risk of material misstatement at the assertion level are inputs to the external auditor’s determination. Further, there are circumstances in which the external auditor cannot use the work of the internal audit function for purpose of the audit as described in paragraph 16 of this CAS (CAS 610.A17).
OAG Guidance
Building an understanding
Having drawn conclusions as to the adequacy of the objectivity and competence of the internal audit function and been satisfied that a systematic and disciplined approach exists, the audit team’s next step is to consider whether the planned nature and scope of the work of the function that has been performed, or is planned to be performed, is relevant to the overall audit strategy and audit plan.
The following illustration lists the factors to consider when determining the extent to which the internal audit function’s work can be used.
Using the work of internal auditors may allow the audit team to reduce its own testing in a number of ways, as illustrated in CAS 610.A16. Additional considerations related to the planned nature and scope of the internal audit function’s work include
- the frequency of site visits,
- the level of detail (nature and extent) of the work,
- the allocation of the internal audit function’s resources to financial or operating areas in response to its risk assessment process,
- the pervasiveness of the controls being tested, and
- the potential for management override of controls.
The audit team may coordinate work with the internal audit function to enhance its understanding of the planned nature and scope of the work that the internal audit function has performed or plans to perform. The following activities may be appropriate for this purpose:
- holding periodic meetings;
- scheduling work to coordinate with that of the internal auditors to allow the audit team to determine the relevance and adequacy of its work and discuss any issues as they arise;
- obtaining early access to internal audit reports and, where necessary, working papers; and
- reviewing internal audit reports and the recommendations made from work performed.
See OAG Audit 6034 for further guidance on communicating with the internal audit function.
Using the work of the function to test the operating effectiveness of controls
We may make use of system flow charts and other documentation prepared by an internal audit or equivalent function in understanding the design of processes and controls. To evaluate whether controls have been implemented we observe or inspect a minimum of one occurrence based on professional judgment of the control to meet the objectives of understanding those controls ourselves (this could also be achieved by using internal auditors in a direct assistance capacity).
If the audit team wants to make use of the internal audit function’s work for the purpose of testing the operating effectiveness of controls, it must be satisfied that the nature and extent of that testing are appropriate. For example, does testing by the internal audit function include an appropriate combination of inquiry and other procedures (observation, inspection, and reperformance)?
For annual audits, the audit team can use the work of the function for testing the operating effectiveness of controls that the team has identified as being relevant controls. This testing would be subject to the normal assessments and guidance applicable to the testing of relevant controls as specified in OAG Audit 5035.4 and OAG Audit 6050. However, if the testing of the operating effectiveness of any control requires more than limited judgment, or involves a significant risk, the audit team may not be able to use the work of the function in those circumstances—(see the guidance below, “Situations in which planned use may not be appropriate”).
Note that the audit team should not use tests performed by the same personnel who are responsible for performing the control or for the completeness and accuracy of the information being tested, as part of audit evidence because these individuals do not have sufficient objectivity as it relates to the subject matter.
See also OAG Audit 6034 for further guidance on the extent of testing that is appropriate when the Office concludes that it is acceptable to plan to make use of the internal audit function’s work.
Using the work of the function to perform substantive audit procedures
The considerations needed to determine whether the audit team can use the internal audit function’s work for performing substantive procedures are similar to those needed to determine whether to use the function’s work for testing the operating effectiveness of controls. As explained above, the audit team must consider the nature and extent of the testing, and the additional guidance given in OAG Audit 6034.
As with controls testing, if the planned procedures require more than limited judgment or involve a significant risk, the audit team may not be able to use the work of the function in those circumstances (see the guidance below, “Situations in which planned use may not be appropriate”).
Note that certain substantive procedures may require more judgment and professional experience, and the audit team must consider whether the individuals performing the substantive procedures are sufficiently objective and competent. As explained in OAG Audit 6031, individuals who are not part of a permanently serving internal audit function may not have the required level of objectivity and competence, which could affect the extent of the use of their substantive testing. In particular, audit teams do not normally use internal audit work for substantive analytical procedures, which usually require judgment and must be performed directly by the audit team.
If the internal audit function has performed some substantive work for management purposes, and the audit team has had no influence over the work but wants to use it in the audit, the use of the work is subject to the considerations outlined above. If the audit team directly requests that the internal audit function perform specific tests (requiring limited judgment) for the Office’s external audit, then such work constitutes direct assistance, and further considerations are necessary (see OAG Audit 6035 for guidance).
If the work is being performed solely for the purpose of the audit, this is likely to be considered direct assistance (see OAG Audit 6035 for guidance).
Situations where planned use may not be appropriate
The audit team may conclude that the work of the internal audit function is not relevant to the overall audit strategy or plan, or that it is not appropriate to use the work of the function in one or more areas. The following are examples of factors that may lead the audit team to this conclusion:
- unfamiliarity with the process or client;
- significant changes in the internal audit function, for example, high turnover of personnel;
- the use of work explicitly prohibited by (CAS) (see “Circumstances when the work of an internal audit function cannot be used” in OAG Audit 6032);
- the use of work that requires significant judgment in its planning, performance, or evaluation, or that corresponds to a financial statement line item (FSLI) assertion that the audit team has assessed as being a significant risk (see guidance block below, “Specific considerations relevant to the extent of judgment involved and assessed risk of material misstatement”) (Note: considering what work is pervasive to the financial statements as a whole requires professional judgment. Testing of ITGC’s may be considered pervasive but, ordinarily, the audit team would not expect that it would necessarily be inappropriate to use the work of an internal audit function in this area, subject to all other criteria (objectivity, competence, extent of judgment involved) being appropriate in the circumstances).
Concluding on the appropriate nature and extent of planned use
Using the guidance above, the audit team can obtain a sufficient understanding of the nature and scope of the work the internal audit function has performed, or plans to perform, to assess and conclude whether the use of such work
- is permitted by CAS; and
- is appropriate, taking into consideration the extent of judgment involved in planning, performing, or evaluating the function’s work and the assessed risk of material misstatement at the assertion level in respect of each area (FSLI) in which it is planned to make use of the work of the function.
The audit team must make these determinations for each area (FSLI) in which it plans to make use of the internal audit function’s work.
The team documents in the audit file its consideration of these matters, conclusions reached, and rationale for the intended use of the work in each area (FSLI) of planned use. See OAG Audit 6034 for further guidance on the nature and extent of matters to be documented.
Specific considerations relevant to the extent of judgment involved and assessed risk of material misstatement
CAS Requirement
The external auditor shall make all significant judgments in the audit engagement and, to prevent undue use of the work of the internal audit function, shall plan to use less of the work of the function and perform more of the work directly (CAS 610.18):
(a) The more judgment is involved in
- planning and performing relevant audit procedures, and
- evaluating the audit evidence gathered.
(b) The higher the assessed risk of material misstatement at the assertion level, with special consideration given to risks identified as significant;
(c) The less the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors; and
(d) The lower the level of competence of the internal audit function.
CAS Guidance
The greater the judgment needed to be exercised in planning and performing the audit procedures and evaluating the audit evidence, the external auditor will need to perform more procedures directly in accordance with paragraph 18 of this CAS, because using the work of the internal audit function alone will not provide the external auditor with sufficient appropriate audit evidence (CAS 610.A18).
Since the external auditor has sole responsibility for the audit opinion expressed, the external auditor needs to make the significant judgments in the audit engagement in accordance with paragraph 18. Significant judgments include the following (CAS 610.A19):
- assessing the risks of material misstatement;
- evaluating the sufficiency of tests performed;
- evaluating the appropriateness of management’s use of the going concern assumption;
- evaluating significant accounting estimates; and
- evaluating the adequacy of disclosures in the financial statements, and other matters affecting the auditor’s report.
For a particular account balance, class of transaction or disclosure, the higher an assessed risk of material misstatement at the assertion level, the more judgment is often involved in planning and performing the audit procedures and evaluating the results thereof. In such circumstances, the external auditor will need to perform more procedures directly in accordance with paragraph 18 of this CAS, and accordingly, make less use of the work of the internal audit function in obtaining sufficient appropriate audit evidence. Furthermore, as explained in CAS 200, the higher the assessed risks of material misstatement, the more persuasive the audit evidence required by the external auditor will need to be, and, therefore, the external auditor will need to perform more of the work directly (CAS 610.A20).
As explained in CAS 315, significant risks are risks assessed close to the upper end of the spectrum of inherent risk and therefore the external auditor’s ability to use the work of the internal audit function in relation to significant risks will be restricted to procedures that involve limited judgment. In addition, where the risks of material misstatement are other than low, the use of the work of the internal audit function alone is unlikely to reduce audit risk to an acceptably low level and eliminate the need for the external auditor to perform some tests directly (CAS 610.A21).
Carrying out procedures in accordance with this CAS may cause the external auditor to re-evaluate the external auditor’s assessment of the risks of material misstatement. Consequently, this may affect the external auditor’s determination of whether to use the work of the internal audit function and whether further application of this CAS is necessary (CAS 610.A22).
OAG Guidance
Significant judgments
All significant judgments in the audit need to be made by the audit team. Thus, the work of the internal audit function is not used if it relates to matters listed in CAS 610.A19, as well as other areas of significant judgment.
CAS 610 requires that, the greater the judgment needed to be exercised in planning and performing the audit procedures and evaluating the audit evidence, the more the Office needs to perform procedures directly. It is not possible to define a list of procedures that are commonly considered to involve ‘more’ or ‘less’ judgment, as such determinations can only be made with a full appreciation of the entity and engagement specific circumstances. However, the procedures described below have been included to illustrate those that may be considered representative of those that include ‘significant’ or ‘limited’ judgment.
Examples of significant judgments when it would ordinarily not be appropriate to use the work of the function may include
- performing risk assessment, developing the audit strategy, and planning for an engagement;
- testing significant assumptions and other inputs related to accounting estimates (for example, impairment calculation);
- testing complex controls over accounting estimates;
- performing tests to verify appropriateness of complex revenue recognition;
- performing procedures to address identified fraud risks;
- performing substantive analytical procedures;
- evaluation of identified misstatements;
- audit of an assertion for any balance or disclosure that is deemed to be highly judgmental;
- audit of fair value accounting estimates, including derivative financial instruments; and
- other significant accounting estimates (see OAG Audit 7070).
Please note that the audit team may be able to use the internal audit function’s work in relation to audit areas (FSLIs) that involve significant judgment if the procedures performed by the function are of a routine nature and require limited judgment. For example, if the internal audit function tested the mathematical accuracy of reports used in an impairment calculation, the audit team could possibly use this work, because the procedures they performed were routine and involved limited or no judgment.
By contrast, typically, a ‘limited level of judgment’ would be considered to ordinarily include procedures such as
- testing the operating effectiveness of controls that are not deemed to be complex or that require significant judgment to be exercised on the part of management (for example, authorization of a transaction by more senior personnel);
- Agreeing balances directly to third-party documentation;
- physically inspecting assets;
- testing the existence of cash and prepaid assets; and
- testing routine transactions in areas of lower risk (for example, fixed asset additions).
Like objectivity and competence, determining the extent of judgment involved in a particular procedure is a subjective determination that relies on the professional judgment of the audit team.
Assessed risk of material misstatement at the assertion level
The standard emphasizes that the higher the assessed risks of material misstatement, the more persuasive the audit evidence will need to be. As such, where the Office’s audit team has identified one or more significant risks, the team itself would be expected to perform more of the work related to those risks and make less use of the work of the internal audit function.
Significant risks
CAS 610 does not explicitly prohibit the use of the internal audit function’s work in areas of significant risk. However, it clearly states that this work in relation to significant risks must be restricted to “procedures that involve limited judgment.” The standard also makes clear that the higher the level of judgment required, the less the audit team can plan to use the work of the function. Therefore, careful consideration needs to be given to the level of judgment involved in relation to the procedures proposed to address the significant risk (both in the planning and performance of the procedures and evaluating the evidence obtained). Procedures involving more than a limited level of judgment must be performed by the audit team. In general, more of the audit work that the audit team performs in response to areas of significant risk is likely to involve more than limited judgment; therefore, the amount of the internal audit function’s work that it would be appropriate to use is likely to be relatively limited in these areas and would not constitute a significant proportion of the overall audit evidence obtained.
For example, given the requirement in CAS 610 that all significant judgments be made by the external auditor, a significant risk related to an accounting estimate would ordinarily limit our ability to use the work of internal auditors. However, as explained above, if the procedures performed by the internal audit function are of a routine nature and require limited judgment, the Office can use such work to contribute to the overall body of work performed in response to a significant risk.
Normal risks
For normal risks, it is possible to use more of the work of the internal audit function—and, for some areas, even use its work exclusively, provided that the audit team appropriately evaluates and reperforms some of the work. However, the audit team needs to assess each risk in its own right—it is not acceptable to assume that for all ‘normal’ risks this will be the case. The audit team still needs to take into account the level of judgment involved in planning, performing and evaluating the type of audit procedures that are being performed and it needs to be satisfied that the use of the work of the internal audit function alone will reduce audit risk to an acceptably low level.
For certain assertions related to less material FSLIs, where the risk of material misstatement or the degree of judgment involved in the evaluation of the audit evidence is low, it may be decided that using the work of internal audit is sufficient to reduce the risk to an acceptable level and that testing of the assertions directly by the audit team may not be necessary.
However, if any normal risk also involves more than limited judgment, the audit team must plan to use less of the function’s work related to that risk.
Typically, the only areas in which the internal audit function’s work could be used as the sole work would be those involving normal risks that also require little judgment in testing the balances and transactions. In addition, when the audit team plans to make more use of the function’s work, it needs to evaluate the overall quantity of that work to determine whether the audit team is sufficiently involved in the audit to provide a basis for expressing an audit opinion (see below, “Evaluating the sufficiency of the audit team’s involvement in the audit when planning to use the work of an internal audit function”).
Impact of conclusions on objectivity and competency
The extent of judgment that is considered acceptable in particular circumstances can also be affected by an assessment of the internal audit function’s objectivity and competence. If the function has been determined to have a lower level of objectivity or competence (but at a level deemed acceptable for making use of its work), then in addition to planning to use less of the function’s work overall, the audit team would expect to use only work involving a lower level of judgment. Similarly, as the assessment of the levels of competence and objectivity increase, the audit team could consider using work involving a greater level of judgment. However, in all cases, when significant judgment is involved in the procedures performed by the internal audit function, the audit team performs testing directly and does not plan to use the work, regardless of the assessment of the function’s objectivity and competence.
Documenting overall conclusions
Our consideration of the levels of judgment involved in the planned work of the internal audit function, relationship of the function’s work to the assessed risks of material misstatement; and the conclusions and rationale regarding the function’s work in each area (FSLI) of planned use is documented in the audit file. See OAG Audit 6034 for further guidance on the nature and extent of matters to be documented.
Evaluating the sufficiency of the audit team’s involvement in the audit when planning to use of the work of an internal audit function
CAS Requirement
The external auditor shall also evaluate whether, in aggregate, using the work of the internal audit function to the extent planned would still result in the external auditor being sufficiently involved in the audit, given the external auditor’s sole responsibility for the audit opinion expressed (CAS 610.19).
OAG Guidance
Demonstrating sufficient involvement will comprise documenting our consideration and evaluation of a number of the factors described in this section, including:
- evidencing that all significant judgments have been taken by the engagement team;
- evidencing that procedures in response to all significant risks have been performed by the engagement team, other than those that involved little judgment, and in aggregate the majority of audit evidence in relation to significant risks has been obtained directly rather than using the work of the internal audit function;
- evidencing that for normal risks our audit evidence does not come solely from using the work of the internal audit function, except in those rare instances where little judgment was involved in the testing;
- documenting any other considerations and conclusions reached by the engagement team as to why they believe they have been sufficiently involved in the audit, providing a basis for expressing the external audit opinion.
As part of the review of the audit documentation, we need to consider the overall extent of use of the work of the function and evaluate whether the procedures we performed directly and overall involvement are sufficient to allow us to sign the audit report.
Communication of planned use of the work of the internal audit function with those charged with governance
CAS Requirement
The external auditor shall, in communicating with those charged with governance an overview of the planned scope and timing of the audit in accordance with CAS 260, communicate how the external auditor has planned to use the work of the internal audit function (CAS 610.20).
CAS Guidance
In accordance with CAS 260, the external auditor is required to communicate with those charged with governance an overview of the planned scope and timing of the audit. The planned use of the work of the internal audit function is an integral part of the external auditor’s overall audit strategy and is therefore relevant to those charged with governance for their understanding of the proposed audit approach (CAS 610.A23).
OAG Guidance
When the audit team communicates to those charged with governance its plans to use the entity’s internal audit function’s work, it should explain the factors for determining the appropriate timing and extent of this work. This explanation can help those charged with governance understand the planned audit strategy, which is particularly important when they request a greater use of the internal audit function’s work than would be permitted or appropriate under CAS 610.
Related Sections
OAG Audit 6031 The role of the internal audit function
OAG Audit 6032 Evaluate ability to use the work of an internal audit function
OAG Audit 6034 Evaluating the work of the internal audit function
OAG Audit 6035 Using internal auditors to provide direct assistance