6034 Evaluating the work of the internal audit function

Jun-2021

OAG Guidance

Having obtained an understanding of the internal audit function and its activities and determined that it is appropriate to use the work of the function in the audit circumstances, including the nature and extent of the planned use, the audit team needs to discuss planned use with appropriate members of the internal audit function.

Such discussions are usually most effective when they are iterative. As the planned audit strategy either reduces or extends the planned use of the function’s work, or as information comes to the audit team’s attention that may have an impact on the work or planned use of the work, those changes are communicated on a timely basis to the relevant individuals within the function.

Similarly, regular communications provide a means for members of the internal audit function to communicate matters that have come to their attention to the audit team, so that the audit team can assess, on a timely basis, any impact on the audit, including the planned use of the internal audit function’s work.

As part of ongoing communications, the audit team discusses the reports of the internal audit function with appropriate members of the function to update the understanding as necessary with regard to the procedures performed and findings.

The audit team documents details of each report that it reads, including the name and date of the report, the area of the work, and any significant findings that are relevant to the planned use of the work or that have wider implications for the audit (and for the responses to such findings). Copies of the reports do not need to be retained in the audit file.

OAG Guidance

Determining the nature and extent of procedures

Whenever the audit team plans to use the work of an internal audit function, it is not a matter of simply placing reliance on that work—the audit team must obtain sufficient appropriate audit evidence to determine whether the work is adequate for the purposes of the external audit.

The audit team performs procedures on some of the work of the internal audit function to form a conclusion about all of the function’s work that has been determined to be relevant to the audit. The audit team’s testing does not need to cover every audit test or piece of work carried out by the function. Instead, it needs to be sufficient and appropriate for the audit team to be able to conclude that the work of the function as a whole is of an appropriate quality to use for the purposes of the audit. The audit team therefore performs procedures on a cross‑section of work that has been performed and reviewed by different internal auditors and that covers different business processes.

Typically, when the audit team plans to use the work of the function in a particular business process, it may expect to perform some procedures to evaluate the work in that process. However, it does not need to perform procedures on each piece of work within a business process that it intends to use.

Also, the audit team’s considerations take into account the number of different internal auditors who may have performed and reviewed the procedures. For example, if the same internal auditor performed procedures across multiple business processes, the audit team may perform procedures on a subset of those processes and conclude that it is satisfied with the work of that individual.

Audit teams apply professional judgment in determining the areas of work on which to perform evaluation procedures.

Nature and extent of procedures

The following illustration lists the factors that the audit team must consider when developing the procedures for evaluating the work of the internal audit function.

Where the work the audit team plans to use involved little judgment and related to a normal risk, it would still expected to perform either observation or other procedures (on the basis that inquiry alone cannot provide sufficient audit evidence) on some of the body of work that the audit team plans to make use of. The evaluation also includes considering:

• the materiality level applied by the internal auditor in conducting their testing;

• the nature, timing and period covered by the testing;

• whether the function made their sample selections from the appropriate population(s); and

• whether the sample sizes applied by the function in performing their testing are adequate—see the guidance in the Consideration of sample sizes and methodology when evaluating the work of the function for testing operating effectiveness of internal controls or substantive testing block below.

See OAG Audit 4028.4 for further guidance on the reliability of information generated by an IT application used in our audit. When determining the adequacy of work of internal audit, the audit team also assesses whether procedures performed to assess the completeness and accuracy of information used in the work performed by internal audit is sufficient.

Other factors which should be taken into consideration include the following:

Some of the evidence for determining the adequacy of the work results from reperformance of that work (see below, “Reperformance”). However, the audit team may perform other audit procedures on the body of the function’s work to evaluate the overall quality, objectivity, and adequacy of that work for the purposes of the audit.

These additional procedures may include the following:

• The audit team may make inquiries of the relevant members of the internal audit function who performed the work that the audit team intends to use, including the approach to that work, conclusions drawn, and any issues that arose. Note that inquiries alone do not provide sufficient appropriate audit evidence to reduce risk to an appropriately low level for a relevant assertion, or to support a conclusion about the operating effectiveness of a control.

• The audit team may coordinate the timing of the internal audit work with the audit visit, or it may arrange with the entity a separate date to observe procedures as they are performed by the internal audit function.

• The audit team may obtain and review the detailed working papers regarding areas of work that the audit team plans to use.

Re-evaluation of conclusions regarding objectivity, competence, and levels of judgment

As part of its evaluation of the adequacy of the internal audit function’s work, the audit team must consider whether the conclusions drawn regarding the nature of the work and extent of its planned use remain appropriate. In performing audit procedures on the body of work, the audit team remains alert to matters that would indicate

• that its conclusions regarding objectivity or competence were inappropriate, and that planned use of the work of the function needs to be revised so that the audit team performs more of the work directly;

• that the levels of judgment involved in testing by the function were greater than originally anticipated, so that more audit procedures must be performed on the work to determine its adequacy; or

• that using such work would no longer be appropriate because it involves significant judgment, for which the CAS 610 requires that the audit team perform the work directly.

Documenting overall conclusions

The rationale for the work selected to undertake audit procedures on needs to be documented on the audit file. See Overall conclusions and documentation below for further guidance on the nature and extent of matters to be documented.

OAG Guidance

Even if the audit team concludes that the internal audit function’s work is insufficient on its own, it can consider the results of the function’s work when determining the necessary evidence. If the audit team plans to use the function’s work, and the level of evidence obtained is lower than what might have been obtained by the audit team itself, the audit team first evaluates whether the level of evidence in the function’s work falls within a reasonable range to be sufficient for the needs of the audit, given the specific risks and circumstances. Once the audit team has evaluated the individual procedures performed by the function and considered whether their sample sizes fall within a reasonable range, it also evaluates whether the evidence obtained by the function overall is sufficient for the purposes of the audit. (e.g., when all sample sizes used by the function are slightly lower than those included in OAG Audit, the audit team evaluates if this might result in the overall body of evidence being insufficient for our purposes, even though each individual procedure performed by the function falls within a reasonable range).

Testing the operating effectiveness of internal controls

If the audit team determines that the nature or extent of procedures performed by the internal audit function is not sufficient for the purposes of the audit, it obtains its own evidence to support its conclusions about the operating effectiveness of the related controls. Although any incremental evidence the audit team decides to obtain is a matter of professional judgment and would include testing a sample of control occurrences, the audit team does not simply “top off” the testing performed by the internal audit function. That is, if the audit team determines that the function’s sample sizes are outside of a reasonable range, and that independent testing with use of the Office’s sample sizes is warranted, the audit team selects a full sample and performs the test.

For example, if the audit team needs to test 25 instances of a control to achieve the planned level of assurance, and if internal auditors tested a number of instances that was reasonably close to 25, the audit team may decide that internal audit testing falls within a reasonable range and is sufficient, given the results of reperformance of work and other tests performed by the audit team. However, if internal audit function tested a limited number of instances of the control but the audit team judges it necessary to test 25 instances, it would select a full sample of 25 and perform the test.

As explained in OAG Audit 6033, if the audit team plans to use the work of the function, it must subsequently confirm that the rigour of testing is sufficiently robust to meet its needs—that is, that the testing involved a sufficient and appropriate combination of observation, inspection, and reperformance of the controls as detailed in OAG Audit 6053.

Substantive procedures

As with the testing of internal controls, if the audit team wishes to use substantive testing procedures of the internal audit function in providing evidence for the audit, it must be satisfied that the extent of testing falls within a reasonable range to be sufficient for its needs, according to OAG Audit 7040. Consider the following examples:

• If the internal audit function has performed, or will perform, audit sampling, the audit team must consider the extent of work in light of the sample that would be expected to test based on IDEA, the OAG non‑statistical sampling template, the basis of sample selection, and other guidance found in OAG Audit 7044.

• For accept-reject testing performed by the internal audit function, the audit team must consider the guidance and sample sizes given in OAG Audit 7043.

• For targeted testing performed by the internal audit function, the audit team must consider the guidance in OAG Audit 7042.

In all cases, the audit team must assess relevant performance materiality in determining whether the testing that has been performed is adequate and sufficient. This assessment includes an evaluation of any identified misstatements.

If the audit team determines that the nature or extent of procedures performed by the internal audit function is insufficient for the audit, it must obtain its own evidence to support its conclusions. As with the testing of internal controls, the audit team would not simply “top off” the testing performed by the function, even though any incremental evidence it decides to obtain is a matter of professional judgment. If it needs to test 25 transactions to achieve the planned level of assurance, for example, and internal auditors tested a number of transactions that was reasonably close to 25, the audit team may decide that internal audit testing falls within a reasonable range and is sufficient, given its own reperformance of work and other tests. However, if the audit team judges it necessary to test 25 transactions but the internal audit function tested far fewer transactions, the audit team would select a full sample of 25 and perform the test.

Note that if the procedures performed by the function were specifically aimed at achieving a lower level of evidence than the level needed, the audit team may be able to achieve the desired level of evidence by designing another test in addition to the procedures performed by the function. For example, suppose the function performed targeted testing of transactions exceeding 100,000, which the audit team considers sufficient to achieve a low level of evidence, but the audit team needs a moderate level of evidence. In this case, the audit team may perform audit sampling of the untested balance at the low level of evidence, which could help achieve a moderate level of evidence when combined with the targeted testing performed by the function. However, if the internal audit function has performed audit sampling at a low level of evidence and what is needed is a moderate level from audit sampling, the audit team would not “top off” the sampling performed by the function, but would select a full sample itself.

OAG Guidance

There is no formal guidance in CAS 610 as to how much reperformance or independent testing is necessary. However, the level of testing, in conjunction with the other audit procedures performed on the body of work of the function (see guidance block “Procedures to determine the adequacy of the internal audit function” above), needs to be sufficient to enable the audit team

• to evaluate the overall quality and effectiveness of the work, and

• to assess whether the audit evidence obtained through examination and reperformance is sufficient to allow the use of all work that the audit team is planning to use.

The overall extent of work selected for reperformance will be subject to the same overall considerations as those when determining in which areas to perform other procedures to evaluate the work of the function as described in the guidance block Procedures to determine the adequacy of the work of the internal audit function above).

Nature and extent of reperformance—selecting areas of work for reperformance

The audit team applies judgment in choosing which areas to reperform the work of the internal audit function, and in determining an acceptable level of reperformance in the audit circumstances. The audit team must consider the nature and extent of the function’s work that is used to support the external audit.

Typically, when the audit team considers the function’s work that it plans to use, it expects to focus its reperformance on areas involving more than limited judgment, or involving a higher assessment of the risk of material misstatement. However, based on the premise that most of the work the audit team uses will not involve significant judgment, the audit team must perform such work directly. That is, to achieve a sufficient basis on which to conclude on the adequacy of the overall body of work of the function, the audit team usually needs to include some reperformance of work that involved limited judgment.

The audit team should also include the work of an appropriate cross‑section of members of the internal audit function in the overall body of work that it reperforms. By selecting areas of work performed by different internal auditors, the audit team can assess quality and adequacy of work across the entire function.

Nature and extent of reperformance—extent of testing on areas selected for reperformance

The audit team applies judgment in determining the nature and extent of testing on areas of work selected for reperformance. The extent of reperformance testing depends on the nature of the testing procedures performed by the internal audit function, on the level of judgment involved in the planning and performance of those procedures, and on the evidence obtained from them. The audit team also considers whether the function has selected samples from the appropriate populations. As shown in the examples below, the audit team would typically expect to reperform a sample of the tests performed by the function in each area of work that has been selected for reperformance.

Illustrative examples

The following scenarios may be appropriate when the work of the internal audit function is related to testing the operating effectiveness of controls:

• If the internal audit function has tested multiple controls to address several relevant assertions for a particular financial statement line item (FSLI), the audit team would typically select a sample of controls to reperform, and for each selected control, the audit team would select a sample of the total number of instances that were tested by the function. For example, if the function tested 4 controls for accounts payable, and for each control tested a sample of 45 instances of that control being executed, the audit team would reperform 5 instances for 2 of those controls.

• If the audit team has planned to use controls testing that address multiple assertions for multiple FSLIs, the audit team would reperform an appropriate sample of controls that cover the range of those FSLIs, and test a subset of the individual samples. For example, if the function tested 100 controls for all FSLIs, and for each control tested a sample of 45 instances of that control being executed, the audit team would reperform 5 instances for 20 of those controls.

When the work of the function is related to substantive audit procedures, the audit team typically considers the materiality of the relevant FSLI, the nature of the procedure performed (such as targeted testing or non‑statistical sampling), and the level of judgment involved in that testing when it selects how many items to reperform. For example, for a targeted testing procedure, the audit team may test relatively few items if there are material transactions that can be tested by reperformance, whereas for a non‑statistical sampling procedure, the audit team may perform a slightly greater number of items. However, the number of items is a subset of the total number of items tested by the internal audit function.

Reperformance typically involves examining items already examined by the internal audit function, but re‑examination of items is not always possible. (For example, some procedures related to inventory counts cannot be reperformed.) In such cases, testing similar items that were not originally examined by the function may also serve as an appropriate basis for determining the adequacy of the original testing.

Documenting overall conclusions

The audit team must clearly document in the audit file the rationale for selecting particular areas of work for reperformance, and the nature and extent of testing that is performed for each selected area of work. See next section for further guidance on the nature and extent of matters to be documented.

OAG Guidance

OAG Audit 1111 provides general guidance on the nature, purpose, and extent of audit documentation.

The audit team must ensure that the audit file demonstrates its considerations regarding the use of the internal audit function’s work, from initial planning to evaluation of the work’s adequacy. In particular, the audit team documents the following matters:

• its consideration of whether the internal audit function exhibits appropriate levels of objectivity and competence, and uses a systematic and disciplined approach, including quality control, and the audit team’s resulting conclusions on its ability to use the function’s work (OAG Audit 6031 and OAG Audit 6032);

• its consideration of the function’s planned scope of work and its relevance to the audit;

• its consideration of the following where it has concluded that the function’s work is relevant to the audit:

  • the mapping of the work that has been performed, or will be performed, to the assessment of the risks of material misstatement (which is one of the significant judgments that the audit team is required to perform directly);
  • the extent of judgment involved in planning, performing, and evaluating the function’s work, and the audit team’s conclusions regarding the work that it considers appropriate to use, in each area of planned use—that is, the audit team’s demonstration that it plans to make less use of the work as the risk and judgment involved in the work increase;

• its evaluation and conclusion reached regarding whether the use of the internal audit function’s work to the extent planned would, in aggregate, result in the audit team’s sufficient involvement in the audit, given the audit team’s sole responsibility for the audit opinion expressed;

• its evidence of the communications with those charged with governance and with the internal audit function on the planned use of the function’s work;

• the rationale for its selection of particular work of the internal audit function to perform audit procedures for evaluating the overall adequacy of the function’s body of work for the purposes of the external audit;

• the procedures performed, including reperformance, to assess the adequacy of the body of work, and the subsequent conclusions; and

• confirmation that the planned approach was appropriate.

In certain circumstances, it may be appropriate to document the relevant considerations and approach taken in a significant matter that would be reviewed by the engagement leader (and quality reviewer, where applicable). Examples of such circumstances include the following:

• when the extent of use of the internal audit function’s work is significant, and significant judgment has been applied in concluding that the audit team has been sufficiently involved in the audit;

• when the internal audit function’s work was used in areas of significant risk; and

• when the audit team considered contentious matters in planning to use the internal audit function’s work.

The audit team does not need to retain copies of the internal audit function’s working papers in the audit file so long as it has clearly documented, in sufficient detail, the working papers that it reviewed and reperformed, and the conclusions on the overall adequacy of the work of the internal audit function, as described above.