6034 Evaluating the work of the internal audit function
Jun-2021

Overview

This section explains

  • Communicating with, and reading the reports of, the internal audit function

  • Procedures to determine the adequacy of the work of the internal audit function

  • Application of sample sizes and methodology when using the work of the function for testing operating effectiveness of internal controls or substantive testing

  • Reperformance

  • Overall conclusions and documentation

OAG Policy

If the audit team uses the specific work of the internal auditors, it shall evaluate and perform audit procedures on this work to determine its adequacy for the purposes of the audit. [Nov‑2011]

The audit team shall document

  • its conclusions regarding the adequacy of the work of internal audit (assessment of the internal audit function) for the purposes of the audit, and

  • the audit procedures it performed on the specific work of internal audit. [Nov‑2011]

When internal audit staff provide direct assistance in an audit, the engagement leader shall evaluate the knowledge, competence, and independence of internal audit staff regarding the matters subject to audit before assigning them to specific tasks, and shall properly plan and supervise their work. [Sep‑2014]

Communicating with, and reading the reports of, the internal audit function

CAS Requirement

If the external auditor plans to use the work of the internal audit function, the external auditor shall discuss the planned use of its work with the function as a basis for coordinating their respective activities  (CAS 610.21).

The external auditor shall read the reports of the internal audit function relating to the work of the function that the external auditor plans to use to obtain an understanding of the nature and extent of audit procedures it performed and the related findings (CAS 610.22).

CAS Guidance

In discussing the planned use of their work with the internal audit function as a basis for coordinating the respective activities, it may be useful to address the following (CAS 610.A24):

  • The timing of such work.

  • The nature of the work performed.

  • The extent of audit coverage.

  • Materiality for the financial statements as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures), and performance materiality.

  • Proposed methods of item selection and sample sizes.

  • Documentation of the work performed.

  • Review and reporting procedures.

Coordination between the external auditor and the internal audit function is effective when, for example (CAS 610.A25):

  • Discussions take place at appropriate intervals throughout the period.

  • The external auditor informs the internal audit function of significant matters that may affect the function.

  • The external auditor is advised of and has access to relevant reports of the internal audit function and is informed of any significant matters that come to the attention of the function when such matters may affect the work of the external auditor so that the external auditor is able to consider the implications of such matters for the audit engagement.

CAS 200 discusses the importance of the auditor planning and performing the audit with professional skepticism, including being alert to information that brings into question the reliability of documents and responses to inquiries to be used as audit evidence. Accordingly, communication with the internal audit function throughout the engagement may provide opportunities for internal auditors to bring matters that may affect the work of the external auditor to the external auditor’s attention. The external auditor is then able to take such information into account in the external auditor’s identification and assessment of risks of material misstatement. In addition, if such information may be indicative of a heightened risk of a material misstatement of the financial statements or may be regarding any actual, suspected or alleged fraud, the external auditor can take this into account in the external auditor’s identification of risk of material misstatement due to fraud in accordance with CAS 240 (CAS 610.A26).

OAG Guidance

Having obtained an understanding of the internal audit function and its activities and determined that it is appropriate to use the work of the function in the audit circumstances, including the nature and extent of the planned use, the audit team needs to discuss planned use with appropriate members of the internal audit function.

Such discussions are usually most effective when they are iterative. As the planned audit strategy either reduces or extends the planned use of the function’s work, or as information comes to the audit team’s attention that may have an impact on the work or planned use of the work, those changes are communicated on a timely basis to the relevant individuals within the function.

Similarly, regular communications provide a means for members of the internal audit function to communicate matters that have come to their attention to the audit team, so that the audit team can assess, on a timely basis, any impact on the audit, including the planned use of the internal audit function’s work.

As part of ongoing communications, the audit team discusses the reports of the internal audit function with appropriate members of the function to update the understanding as necessary with regard to the procedures performed and findings.

The audit team documents details of each report that it reads, including the name and date of the report, the area of the work, and any significant findings that are relevant to the planned use of the work or that have wider implications for the audit (and for the responses to such findings). Copies of the reports do not need to be retained in the audit file.

Procedures to determine the adequacy of the work of the internal audit function

CAS Requirement

The external auditor shall perform sufficient audit procedures on the body of work of the internal audit function as a whole that the external auditor plans to use to determine its adequacy for purposes of the audit, including evaluating whether (CAS 610.23):

(a) the work of the function had been properly planned, performed, supervised, reviewed and documented;

(b) sufficient appropriate evidence had been obtained to enable the function to draw reasonable conclusions; and

(c) conclusions reached are appropriate in the circumstances and the reports prepared by the function are consistent with the results of the work performed.

The nature and extent of the external auditor’s audit procedures shall be responsive to the external auditor’s evaluation of (CAS 610.24):

(a) the amount of judgment involved,

(b) the assessed risk of material misstatement,

(c) the extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors, and

(d) the level of competence of the function;

and shall include reperformance of some of the work.

CAS Guidance

The external auditors audit procedures on the body of work of the internal audit function as a whole that the external auditor plans to use provide a basis for evaluating the overall quality of the functions work and the objectivity with which it has been performed (CAS 610.A27).

The procedures the external auditor may perform to evaluate the quality of the work performed and the conclusions reached by the internal audit function, in addition to reperformance in accordance with paragraph 24 of this CAS, include the following (CAS 610.A28):

  • Making inquiries of appropriate individuals within the internal audit function.
  • Observing procedures performed by the internal audit function.
  • Reviewing the internal audit functions work program and working papers.

The more judgment involved, the higher the assessed risk of material misstatement, the less the internal audit functions organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors, or the lower the level of competence of the internal audit function, the more audit procedures are needed to be performed by the external auditor on the overall body of work of the function to support the decision to use the work of the function in obtaining sufficient appropriate audit evidence on which to base the audit opinion (CAS 610.A29).

OAG Guidance

Determining the nature and extent of procedures

Whenever the audit team plans to use the work of an internal audit function, it is not a matter of simply placing reliance on that work—the audit team must obtain sufficient appropriate audit evidence to determine whether the work is adequate for the purposes of the external audit.

The audit team performs procedures on some of the work of the internal audit function to form a conclusion about all of the function’s work that has been determined to be relevant to the audit. The audit team’s testing does not need to cover every audit test or piece of work carried out by the function. Instead, it needs to be sufficient and appropriate for the audit team to be able to conclude that the work of the function as a whole is of an appropriate quality to use for the purposes of the audit. The audit team therefore performs procedures on a cross‑section of work that has been performed and reviewed by different internal auditors and that covers different business processes.

Typically, when the audit team plans to use the work of the function in a particular business process, it may expect to perform some procedures to evaluate the work in that process. However, it does not need to perform procedures on each piece of work within a business process that it intends to use.

Also, the audit team’s considerations take into account the number of different internal auditors who may have performed and reviewed the procedures. For example, if the same internal auditor performed procedures across multiple business processes, the audit team may perform procedures on a subset of those processes and conclude that it is satisfied with the work of that individual.

Audit teams apply professional judgment in determining the areas of work on which to perform evaluation procedures.

Nature and extent of procedures

The following illustration lists the factors that the audit team must consider when developing the procedures for evaluating the work of the internal audit function.

Procedures to Determine Adequacy

Where the work the audit team plans to use involved little judgment and related to a normal risk, it would still expected to perform either observation or other procedures (on the basis that inquiry alone cannot provide sufficient audit evidence) on some of the body of work that the audit team plans to make use of. The evaluation also includes considering:

  • the materiality level applied by the internal auditor in conducting their testing;

  • the nature, timing and period covered by the testing;

  • whether the function made their sample selections from the appropriate population(s); and

  • whether the sample sizes applied by the function in performing their testing are adequate—see the guidance in the Consideration of sample sizes and methodology when evaluating the work of the function for testing operating effectiveness of internal controls or substantive testing block below.

See OAG Audit 4028.4 for further guidance on the reliability of information generated by an IT application used in our audit. When determining the adequacy of work of internal audit, the audit team also assesses whether procedures performed to assess the completeness and accuracy of information used in the work performed by internal audit is sufficient.

Other factors which should be taken into consideration include the following:

Some of the evidence for determining the adequacy of the work results from reperformance of that work (see below, “Reperformance”). However, the audit team may perform other audit procedures on the body of the function’s work to evaluate the overall quality, objectivity, and adequacy of that work for the purposes of the audit.

These additional procedures may include the following:

  • The audit team may make inquiries of the relevant members of the internal audit function who performed the work that the audit team intends to use, including the approach to that work, conclusions drawn, and any issues that arose. Note that inquiries alone do not provide sufficient appropriate audit evidence to reduce risk to an appropriately low level for a relevant assertion, or to support a conclusion about the operating effectiveness of a control.

  • The audit team may coordinate the timing of the internal audit work with the audit visit, or it may arrange with the entity a separate date to observe procedures as they are performed by the internal audit function.

  • The audit team may obtain and review the detailed working papers regarding areas of work that the audit team plans to use.

Re-evaluation of conclusions regarding objectivity, competence, and levels of judgment

As part of its evaluation of the adequacy of the internal audit function’s work, the audit team must consider whether the conclusions drawn regarding the nature of the work and extent of its planned use remain appropriate. In performing audit procedures on the body of work, the audit team remains alert to matters that would indicate

  • that its conclusions regarding objectivity or competence were inappropriate, and that planned use of the work of the function needs to be revised so that the audit team performs more of the work directly;

  • that the levels of judgment involved in testing by the function were greater than originally anticipated, so that more audit procedures must be performed on the work to determine its adequacy; or

  • that using such work would no longer be appropriate because it involves significant judgment, for which the CAS 610 requires that the audit team perform the work directly.

Documenting overall conclusions

The rationale for the work selected to undertake audit procedures on needs to be documented on the audit file. See Overall conclusions and documentation below for further guidance on the nature and extent of matters to be documented.

Consideration of sample sizes and methodology when evaluating the work of the function for testing operating effectiveness of internal controls or substantive testing

OAG Guidance

Even if the audit team concludes that the internal audit function’s work is insufficient on its own, it can consider the results of the function’s work when determining the necessary evidence. If the audit team plans to use the function’s work, and the level of evidence obtained is lower than what might have been obtained by the audit team itself, the audit team first evaluates whether the level of evidence in the function’s work falls within a reasonable range to be sufficient for the needs of the audit, given the specific risks and circumstances. Once the audit team has evaluated the individual procedures performed by the function and considered whether their sample sizes fall within a reasonable range, it also evaluates whether the evidence obtained by the function overall is sufficient for the purposes of the audit. (e.g., when all sample sizes used by the function are slightly lower than those included in OAG Audit, the audit team evaluates if this might result in the overall body of evidence being insufficient for our purposes, even though each individual procedure performed by the function falls within a reasonable range).

Testing the operating effectiveness of internal controls

If the audit team determines that the nature or extent of procedures performed by the internal audit function is not sufficient for the purposes of the audit, it obtains its own evidence to support its conclusions about the operating effectiveness of the related controls. Although any incremental evidence the audit team decides to obtain is a matter of professional judgment and would include testing a sample of control occurrences, the audit team does not simply “top off” the testing performed by the internal audit function. That is, if the audit team determines that the function’s sample sizes are outside of a reasonable range, and that independent testing with use of the Office’s sample sizes is warranted, the audit team selects a full sample and performs the test.

For example, if the audit team needs to test 25 instances of a control to achieve the planned level of assurance, and if internal auditors tested a number of instances that was reasonably close to 25, the audit team may decide that internal audit testing falls within a reasonable range and is sufficient, given the results of reperformance of work and other tests performed by the audit team. However, if internal audit function tested a limited number of instances of the control but the audit team judges it necessary to test 25 instances, it would select a full sample of 25 and perform the test.

As explained in OAG Audit 6033, if the audit team plans to use the work of the function, it must subsequently confirm that the rigour of testing is sufficiently robust to meet its needs—that is, that the testing involved a sufficient and appropriate combination of observation, inspection, and reperformance of the controls as detailed in OAG Audit 6053.

Substantive procedures

As with the testing of internal controls, if the audit team wishes to use substantive testing procedures of the internal audit function in providing evidence for the audit, it must be satisfied that the extent of testing falls within a reasonable range to be sufficient for its needs, according to OAG Audit 7040. Consider the following examples:

  • If the internal audit function has performed, or will perform, audit sampling, the audit team must consider the extent of work in light of the sample that would be expected to test based on IDEA, the OAG non‑statistical sampling template, the basis of sample selection, and other guidance found in OAG Audit 7044.

  • For accept-reject testing performed by the internal audit function, the audit team must consider the guidance and sample sizes given in OAG Audit 7043.

  • For targeted testing performed by the internal audit function, the audit team must consider the guidance in OAG Audit 7042.

In all cases, the audit team must assess relevant performance materiality in determining whether the testing that has been performed is adequate and sufficient. This assessment includes an evaluation of any identified misstatements.

If the audit team determines that the nature or extent of procedures performed by the internal audit function is insufficient for the audit, it must obtain its own evidence to support its conclusions. As with the testing of internal controls, the audit team would not simply “top off” the testing performed by the function, even though any incremental evidence it decides to obtain is a matter of professional judgment. If it needs to test 25 transactions to achieve the planned level of assurance, for example, and internal auditors tested a number of transactions that was reasonably close to 25, the audit team may decide that internal audit testing falls within a reasonable range and is sufficient, given its own reperformance of work and other tests. However, if the audit team judges it necessary to test 25 transactions but the internal audit function tested far fewer transactions, the audit team would select a full sample of 25 and perform the test.

Note that if the procedures performed by the function were specifically aimed at achieving a lower level of evidence than the level needed, the audit team may be able to achieve the desired level of evidence by designing another test in addition to the procedures performed by the function. For example, suppose the function performed targeted testing of transactions exceeding 100,000, which the audit team considers sufficient to achieve a low level of evidence, but the audit team needs a moderate level of evidence. In this case, the audit team may perform audit sampling of the untested balance at the low level of evidence, which could help achieve a moderate level of evidence when combined with the targeted testing performed by the function. However, if the internal audit function has performed audit sampling at a low level of evidence and what is needed is a moderate level from audit sampling, the audit team would not “top off” the sampling performed by the function, but would select a full sample itself.

Reperformance

CAS Requirement

The nature and extent of the external auditor’s audit procedures shall be responsive to the external auditor’s evaluation of:

a) The amount of judgment involved;

b) The assessed risk of material misstatement;

c) The extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors; and

d) The level of competence of the function;

and shall include reperformance of some of the work (CAS 610.24).

CAS Guidance

For purposes of this CAS, reperformance involves the external auditor’s independent execution of procedures to validate the conclusions reached by the internal audit function. This objective may be accomplished by examining items already examined by the internal audit function, or where it is not possible to do so, the same objective may also be accomplished by examining sufficient other similar items not actually examined by the internal audit function. Reperformance provides more persuasive evidence regarding the adequacy of the work of the internal audit function compared to other procedures the external auditor may perform in paragraph A28. While it is not necessary for the external auditor to do reperformance in each area of work of the internal audit function that is being used, some reperformance is required on the body of work of the internal audit function as a whole that the external auditor plans to use in accordance with paragraph 24. The external auditor is more likely to focus reperformance in those areas where more judgment was exercised by the internal audit function in planning, performing and evaluating the results of the audit procedures and in areas of higher risk of material misstatement (CAS 610.A30).

OAG Guidance

There is no formal guidance in CAS 610 as to how much reperformance or independent testing is necessary. However, the level of testing, in conjunction with the other audit procedures performed on the body of work of the function (see guidance block “Procedures to determine the adequacy of the internal audit function” above), needs to be sufficient to enable the audit team

  • to evaluate the overall quality and effectiveness of the work, and

  • to assess whether the audit evidence obtained through examination and reperformance is sufficient to allow the use of all work that the audit team is planning to use.

The overall extent of work selected for reperformance will be subject to the same overall considerations as those when determining in which areas to perform other procedures to evaluate the work of the function as described in the guidance block Procedures to determine the adequacy of the work of the internal audit function above).

Nature and extent of reperformance—selecting areas of work for reperformance

The audit team applies judgment in choosing which areas to reperform the work of the internal audit function, and in determining an acceptable level of reperformance in the audit circumstances. The audit team must consider the nature and extent of the function’s work that is used to support the external audit.

Typically, when the audit team considers the function’s work that it plans to use, it expects to focus its reperformance on areas involving more than limited judgment, or involving a higher assessment of the risk of material misstatement. However, based on the premise that most of the work the audit team uses will not involve significant judgment, the audit team must perform such work directly. That is, to achieve a sufficient basis on which to conclude on the adequacy of the overall body of work of the function, the audit team usually needs to include some reperformance of work that involved limited judgment.

The audit team should also include the work of an appropriate cross‑section of members of the internal audit function in the overall body of work that it reperforms. By selecting areas of work performed by different internal auditors, the audit team can assess quality and adequacy of work across the entire function.

Nature and extent of reperformance—extent of testing on areas selected for reperformance

The audit team applies judgment in determining the nature and extent of testing on areas of work selected for reperformance. The extent of reperformance testing depends on the nature of the testing procedures performed by the internal audit function, on the level of judgment involved in the planning and performance of those procedures, and on the evidence obtained from them. The audit team also considers whether the function has selected samples from the appropriate populations. As shown in the examples below, the audit team would typically expect to reperform a sample of the tests performed by the function in each area of work that has been selected for reperformance.

Illustrative examples

The following scenarios may be appropriate when the work of the internal audit function is related to testing the operating effectiveness of controls:

  • If the internal audit function has tested multiple controls to address several relevant assertions for a particular financial statement line item (FSLI), the audit team would typically select a sample of controls to reperform, and for each selected control, the audit team would select a sample of the total number of instances that were tested by the function. For example, if the function tested 4 controls for accounts payable, and for each control tested a sample of 45 instances of that control being executed, the audit team would reperform 5 instances for 2 of those controls.

  • If the audit team has planned to use controls testing that address multiple assertions for multiple FSLIs, the audit team would reperform an appropriate sample of controls that cover the range of those FSLIs, and test a subset of the individual samples. For example, if the function tested 100 controls for all FSLIs, and for each control tested a sample of 45 instances of that control being executed, the audit team would reperform 5 instances for 20 of those controls.

When the work of the function is related to substantive audit procedures, the audit team typically considers the materiality of the relevant FSLI, the nature of the procedure performed (such as targeted testing or non‑statistical sampling), and the level of judgment involved in that testing when it selects how many items to reperform. For example, for a targeted testing procedure, the audit team may test relatively few items if there are material transactions that can be tested by reperformance, whereas for a non‑statistical sampling procedure, the audit team may perform a slightly greater number of items. However, the number of items is a subset of the total number of items tested by the internal audit function.

Reperformance typically involves examining items already examined by the internal audit function, but re‑examination of items is not always possible. (For example, some procedures related to inventory counts cannot be reperformed.) In such cases, testing similar items that were not originally examined by the function may also serve as an appropriate basis for determining the adequacy of the original testing.

Documenting overall conclusions

The audit team must clearly document in the audit file the rationale for selecting particular areas of work for reperformance, and the nature and extent of testing that is performed for each selected area of work. See next section for further guidance on the nature and extent of matters to be documented.

Overall conclusions and documentation

CAS Requirement

The external auditor shall also evaluate whether the external auditor’s conclusions regarding the internal audit function in paragraph 15 of this CAS and the determination of the nature and extent of use of the work of the function for purposes of the audit in paragraphs 18‑19 of this CAS remain appropriate (CAS 610.25).

If the external auditor uses the work of the internal audit function, the external auditor shall include in the audit documentation (CAS 610.36):

(a) The evaluation of:

  1. Whether the function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors,

  2. The level of competence of the function, and

  3. Whether the function applies a systematic and disciplined approach, including quality control,

(b) The nature and extent of the work used and the basis for that decision, and

(c) The audit procedures performed by the external auditor to evaluate the adequacy of the work used.

OAG Guidance

OAG Audit 1111 provides general guidance on the nature, purpose, and extent of audit documentation.

The audit team must ensure that the audit file demonstrates its considerations regarding the use of the internal audit function’s work, from initial planning to evaluation of the work’s adequacy. In particular, the audit team documents the following matters:

  • its consideration of whether the internal audit function exhibits appropriate levels of objectivity and competence, and uses a systematic and disciplined approach, including quality control, and the audit team’s resulting conclusions on its ability to use the function’s work (OAG Audit 6031 and OAG Audit 6032);

  • its consideration of the function’s planned scope of work and its relevance to the audit;

  • its consideration of the following where it has concluded that the function’s work is relevant to the audit:

    • the mapping of the work that has been performed, or will be performed, to the assessment of the risks of material misstatement (which is one of the significant judgments that the audit team is required to perform directly);
    • the extent of judgment involved in planning, performing, and evaluating the function’s work, and the audit team’s conclusions regarding the work that it considers appropriate to use, in each area of planned use—that is, the audit team’s demonstration that it plans to make less use of the work as the risk and judgment involved in the work increase;
  • its evaluation and conclusion reached regarding whether the use of the internal audit function’s work to the extent planned would, in aggregate, result in the audit team’s sufficient involvement in the audit, given the audit team’s sole responsibility for the audit opinion expressed;

  • its evidence of the communications with those charged with governance and with the internal audit function on the planned use of the function’s work;

  • the rationale for its selection of particular work of the internal audit function to perform audit procedures for evaluating the overall adequacy of the function’s body of work for the purposes of the external audit;

  • the procedures performed, including reperformance, to assess the adequacy of the body of work, and the subsequent conclusions; and

  • confirmation that the planned approach was appropriate.

In certain circumstances, it may be appropriate to document the relevant considerations and approach taken in a significant matter that would be reviewed by the engagement leader (and quality reviewer, where applicable). Examples of such circumstances include the following:

  • when the extent of use of the internal audit function’s work is significant, and significant judgment has been applied in concluding that the audit team has been sufficiently involved in the audit;

  • when the internal audit function’s work was used in areas of significant risk; and

  • when the audit team considered contentious matters in planning to use the internal audit function’s work.

The audit team does not need to retain copies of the internal audit function’s working papers in the audit file so long as it has clearly documented, in sufficient detail, the working papers that it reviewed and reperformed, and the conclusions on the overall adequacy of the work of the internal audit function, as described above.