Performance Audit Manual
COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.
4030 Reliance on Internal Audit
Jul-2020
Overview
This section outlines the assessment that needs to be followed by audit teams to obtain an understanding of the activities of the internal audit function before relying on it, and the evaluation that needs to be conducted to ensure that the work performed by internal audit is adequate for the purpose of the OAG’s engagement.
Financial Administration Act Requirements for Special Examinations
FAA 138(5) An examiner shall, to the extent he considers practicable, rely on any internal audit of the corporation being examined conducted pursuant to subsection 131(3).
FAA 131(3) Each parent Crown corporation shall cause internal audits to be conducted, in respect of itself and each of its wholly-owned subsidiaries, if any, to assess compliance with subsections (1) and (2), unless the Governor in Council is of the opinion that the benefits to be derived from those audits do not justify their cost.
FAA 139(2)(b) The report of an examiner under subsection (1) shall include [...] (b) a statement of the extent to which the examiner relied on internal audits.
OAG Policy
Audit teams shall, to the extent they consider practicable, rely on internal audit in conducting their audit. [Nov-2015]
Audit teams shall make inquiries to obtain an understanding of the activities of the internal audit function. [Nov-2015]
When audit teams plan to use the work of the internal audit function, they shall assess whether the work of the internal audit function is adequate for the purpose of the engagement before planning to rely on it. [Nov-2015]
OAG Guidance
Obtaining an understanding of the activities of the internal audit function before relying on its work
CSAE 3001 requires that the audit team makes inquiries regarding whether the audited entity has an internal audit function and, when it is the case, needs to obtain an understanding of the activities of the internal audit function (i.e. the objectivity of the internal auditors, the level of competence of the internal audit unit, and processes in place to ensure quality of the work conducted). This evaluation is done during the planning phase of the audit.
To evaluate whether the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors, the audit team may consider:
-
the results of internal and external assessments on the conformance with relevant professional practice standards of the internal auditing function;
-
the internal audit function’s responsibilities, its reporting relationship, the extent of its independence from the influence of operational management and whether internal auditors have direct access to those charged with governance;
-
the activities performed, or to be performed, by the internal audit function;
-
if the internal auditors are free from any conflicting responsibilities;
-
if the internal auditors employed by the internal audit function are members of relevant professional bodies which require members to comply with relevant professional standards relating to objectivity;
-
the results of the internal audit work are reported to senior management and the audit committee or board of directors;
-
the internal audit recommendations are acted upon;
-
the head of the internal audit function is free to communicate directly with the audit committee or the board of directors; and
-
there are constraints placed on the internal audit function’s ability to gain access to important systems, units or activities of the entity, or to information or key personnel.
The audit team should also consider whether there are policies to maintain internal auditors’ objectivity, such as prohibiting internal auditors from auditing areas where they were recently assigned or where relatives are employed.
To assess the level of competence of the internal audit function, the audit team needs to consider whether
-
the internal audit work is performed by persons who possess adequate technical training and competence as internal auditors,
-
policies for training and development of internal auditors are in place,
-
internal audit staff have a minimum level of experience, and
-
internal audit staff have professional qualifications or are members of a professional body or association.
To evaluate whether the internal audit function applies a systematic and disciplined approach, including quality control, the audit team may consider whether:
-
the internal audit function has an audit manual or other similar documents, work programs and internal audit documentation that are adequate and conform to professional standards and practices;
-
the activities of internal audit function are properly planned, resourced, supervised, reviewed and documented; and
-
a quality control system is in place (i.e. quality control policies and procedures).
It is normally sufficient to perform an overall assessment of the internal audit function. If the audit team is satisfied that there are appropriate policies and procedures in place to assess the competence of internal auditors and there is adequate quality assurance over the completion of the working papers and reports in place to assess the due professional care of internal auditors, the team does not need to reassess these factors for each internal audit conducted.
Evaluating the adequacy of the work of internal audit on the engagement
Once the audit team has obtained an understanding of the activities of the internal audit function, CSAE 3001 requires that the team assess whether the work of the internal audit function is adequate for the purposes of the engagement before planning to rely on it.
To carry out an evaluation of the work of internal audit, the team needs to consider whether
-
the methodology followed by the internal auditor demonstrates compliance with recognized professional standards;
-
the objectives, scope, and criteria used for the internal audit work are suitable for the engagement;
-
the results of the internal audit work are consistent with other audit evidence obtained in the course of the engagement;
-
findings and conclusions available in the internal audit report are relevant and reasonable (i.e. sufficient appropriate evidence was obtained to support the conclusions);
-
methods and assumptions used to conduct the internal audit work are relevant and reasonable in the circumstances; and
-
sources of data used are relevant, complete, and accurate.
When planning to evaluate and perform audit procedures on specific work of the internal audit function, the audit team is encouraged to have an agreement with internal audit to obtain the information necessary to complete this evaluation. Information that is likely to support the evaluation includes
- the objectives, scope, criteria, and timing of the specific work performed;
- the extent of testing performed;
- documentation of the work performed;
- evidence of supervision and review; and
- the final report that was issued.
Reporting considerations for special examinations
Auditors are required to include in the special examination report a statement on how far they relied or not on internal audits, as indicated in Section 139(2)(b) of the Financial Administration Act. The OAG special examination report template includes draft wording to satisfy this requirement.
When planning to include a statement of reliance on internal audits, auditors should advise the head of the entity’s internal audit function.