Performance Audit Manual

COPYRIGHT NOTICE — This document is intended for internal use. It cannot be distributed to or reproduced by third parties without prior written permission from the Copyright Coordinator for the Office of the Auditor General of Canada. This includes email, fax, mail and hand delivery, or use of any other method of distribution or reproduction. CPA Canada Handbook sections and excerpts are reproduced herein for your non-commercial use with the permission of The Chartered Professional Accountants of Canada (“CPA Canada”). These may not be modified, copied or distributed in any form as this would infringe CPA Canada’s copyright. Reproduced, with permission, from the CPA Canada Handbook, The Chartered Professional Accountants of Canada, Toronto, Canada.

4030 Reliance on Internal Audit
Jul-2020

Overview

This section outlines the assessment that needs to be followed by audit teams to obtain an understanding of the activities of the internal audit function before relying on it, and the evaluation that needs to be conducted to ensure that the work performed by internal audit is adequate for the purpose of the OAG’s engagement.

CPA Canada Copyright

CSAE 3001 Requirements

50. The practitioner shall make inquiries of the appropriate party(ies) regarding:

[...]

(b) Whether the responsible party has an internal audit function and, if so, make further inquiries to obtain an understanding of the activities and main findings of the internal audit function with respect to the underlying subject matter; and

[...]

60. If the practitioner plans to use the work of the internal audit function, the practitioner shall evaluate the following:

(a) The extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors;

(b) The level of competence of the internal audit function;

(d) Whether the work of the internal audit function is adequate for the purposes of the engagement.

CSAE 3001 Application Material

A136. While paragraphs A121-A135 have been written in the context of using work performed by a practitioner’s expert, they may also provide helpful guidance with respect to using work performed by another practitioner, a responsible party or an internal auditor.

Considerations When a Practitioner’s Expert Is Involved on the Engagement

Nature, Timing and Extent of Procedures (Ref: Para. 57)

A121.The following matters are often relevant when determining the nature, timing and extent of procedures with respect to the work of a practitioner’s expert when some of the assurance work is performed by one or more practitioner’s expert (see paragraph A69):

(a) The importance of that expert’s work in the context of the engagement (see also paragraphs A122-A123);

(b) The nature of the matter to which that expert’s work relates;

(d) The practitioner’s knowledge of and experience with previous work performed by that expert; and

(e) Whether that expert is subject to the practitioner’s firm’s quality control policies and procedures (see also paragraphs A124-A125).

Integrating the work of a practitioner’s expert [...]

A123. As noted in paragraph A70, when the work of a practitioner’s expert is to be used, it may be appropriate to perform some of the procedures required by paragraph 57 at the engagement acceptance or continuance stage. This is particularly so when the work of the practitioner’s expert will be fully integrated with the work of other assurance personnel and when the work of the practitioner’s expert is to be used in the early stages of the engagement, for example, during initial planning and risk assessment.

The Competence, Capabilities and Objectivity of the Practitioner’s Expert (Ref: Para. 57(a))

A126. Information regarding the competence, capabilities and objectivity of a practitioner’s expert may come from a variety of sources, such as:

Personal experience with previous work of that expert.
Discussions with that expert.
Discussions with other practitioners or others who are familiar with that expert’s work.
Knowledge of that expert’s qualifications, membership of a professional body or industry association, license to practice, or other forms of external recognition.
Published papers or books written by that expert.
The firm’s quality control policies and procedures (see also paragraphs A124-A125).

Obtaining an Understanding of the Field of Expertise of the Practitioner’s Expert (Ref: Para. 57(b))

A130. Having a sufficient understanding of the field of expertise of the practitioner’s expert enables the practitioner to:

(a) Agree with the practitioner’s expert the nature, scope and objectives of that expert’s work for the practitioner’s purposes; and

(b) Evaluate the adequacy of that work for the practitioner’s purposes.

A131. Aspects of the practitioner’s expert’s field relevant to the practitioner’s understanding may include:

Whether that expert’s field has areas of specialty within it that are relevant to the engagement.
Whether any professional or other standards and regulatory or legal requirements apply.
What assumptions and methods, including models where applicable, are used by the practitioner’s expert, and whether they are generally accepted within that expert’s field and appropriate in the circumstances of the engagement.
The nature of internal and external data or information the practitioner’s expert uses.

Evaluating the Adequacy of the Practitioner’s Expert’s Work (Ref: Para. 57(d))

A134. The following matters may be relevant when evaluating the adequacy of the practitioner’s expert’s work for the practitioner’s purposes:

(a) The relevance and reasonableness of that expert’s findings or conclusions, and their consistency with other evidence;

(b) If that expert’s work involves use of significant assumptions and methods, the relevance and reasonableness of those assumptions and methods in the circumstances; and

(c) If that expert’s work involves the use of source data that is significant to that expert’s work, the relevance, completeness, and accuracy of that source data.

A135. If the practitioner determines that the work of the practitioner’s expert is not adequate for the practitioner’s purposes, options available to the practitioner include:

(a) Agreeing with that expert on the nature and extent of further work to be performed by that expert; or

(b) Performing additional procedures appropriate to the circumstances.

Financial Administration Act Requirements for Special Examinations

FAA 138(5) An examiner shall, to the extent he considers practicable, rely on any internal audit of the corporation being examined conducted pursuant to subsection 131(3).

FAA 131(3) Each parent Crown corporation shall cause internal audits to be conducted, in respect of itself and each of its wholly-owned subsidiaries, if any, to assess compliance with subsections (1) and (2), unless the Governor in Council is of the opinion that the benefits to be derived from those audits do not justify their cost.

FAA 139(2)(b) The report of an examiner under subsection (1) shall include [...] (b) a statement of the extent to which the examiner relied on internal audits.

OAG Policy

Audit teams shall, to the extent they consider practicable, rely on internal audit in conducting their audit. [Nov-2015]

Audit teams shall make inquiries to obtain an understanding of the activities of the internal audit function. [Nov-2015]

When audit teams plan to use the work of the internal audit function, they shall assess whether the work of the internal audit function is adequate for the purpose of the engagement before planning to rely on it. [Nov-2015]

OAG Guidance

Obtaining an understanding of the activities of the internal audit function before relying on its work

CSAE 3001 requires that the audit team makes inquiries regarding whether the audited entity has an internal audit function and, when it is the case, needs to obtain an understanding of the activities of the internal audit function (i.e. the objectivity of the internal auditors, the level of competence of the internal audit unit, and processes in place to ensure quality of the work conducted). This evaluation is done during the planning phase of the audit.

To evaluate whether the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors, the audit team may consider:

the results of internal and external assessments on the conformance with relevant professional practice standards of the internal auditing function;
the internal audit function’s responsibilities, its reporting relationship, the extent of its independence from the influence of operational management and whether internal auditors have direct access to those charged with governance;
the activities performed, or to be performed, by the internal audit function;
if the internal auditors are free from any conflicting responsibilities;
if the internal auditors employed by the internal audit function are members of relevant professional bodies which require members to comply with relevant professional standards relating to objectivity;
the results of the internal audit work are reported to senior management and the audit committee or board of directors;
the internal audit recommendations are acted upon;
the head of the internal audit function is free to communicate directly with the audit committee or the board of directors; and
there are constraints placed on the internal audit function’s ability to gain access to important systems, units or activities of the entity, or to information or key personnel.

The audit team should also consider whether there are policies to maintain internal auditors’ objectivity, such as prohibiting internal auditors from auditing areas where they were recently assigned or where relatives are employed.

Reliance on internal audit

[Exhibit—Text Version]

To assess the level of competence of the internal audit function, the audit team needs to consider whether

the internal audit work is performed by persons who possess adequate technical training and competence as internal auditors,
policies for training and development of internal auditors are in place,
internal audit staff have a minimum level of experience, and
internal audit staff have professional qualifications or are members of a professional body or association.

To evaluate whether the internal audit function applies a systematic and disciplined approach, including quality control, the audit team may consider whether:

the internal audit function has an audit manual or other similar documents, work programs and internal audit documentation that are adequate and conform to professional standards and practices;
the activities of internal audit function are properly planned, resourced, supervised, reviewed and documented; and
a quality control system is in place (i.e. quality control policies and procedures).

It is normally sufficient to perform an overall assessment of the internal audit function. If the audit team is satisfied that there are appropriate policies and procedures in place to assess the competence of internal auditors and there is adequate quality assurance over the completion of the working papers and reports in place to assess the due professional care of internal auditors, the team does not need to reassess these factors for each internal audit conducted.

Evaluating the adequacy of the work of internal audit on the engagement

Once the audit team has obtained an understanding of the activities of the internal audit function, CSAE 3001 requires that the team assess whether the work of the internal audit function is adequate for the purposes of the engagement before planning to rely on it.

To carry out an evaluation of the work of internal audit, the team needs to consider whether

the methodology followed by the internal auditor demonstrates compliance with recognized professional standards;
the objectives, scope, and criteria used for the internal audit work are suitable for the engagement;
the results of the internal audit work are consistent with other audit evidence obtained in the course of the engagement;
findings and conclusions available in the internal audit report are relevant and reasonable (i.e. sufficient appropriate evidence was obtained to support the conclusions);
methods and assumptions used to conduct the internal audit work are relevant and reasonable in the circumstances; and
sources of data used are relevant, complete, and accurate.

When planning to evaluate and perform audit procedures on specific work of the internal audit function, the audit team is encouraged to have an agreement with internal audit to obtain the information necessary to complete this evaluation. Information that is likely to support the evaluation includes

the objectives, scope, criteria, and timing of the specific work performed;
the extent of testing performed;
documentation of the work performed;
evidence of supervision and review; and
the final report that was issued.

Reporting considerations for special examinations

Auditors are required to include in the special examination report a statement on how far they relied or not on internal audits, as indicated in Section 139(2)(b) of the Financial Administration Act. The OAG special examination report template includes draft wording to satisfy this requirement.

When planning to include a statement of reliance on internal audits, auditors should advise the head of the entity’s internal audit function.

Breadcrumb

Performance Audit Manual

4030 Reliance on Internal Audit
Jul-2020

Overview

CSAE 3001 Requirements

CSAE 3001 Application Material

Financial Administration Act Requirements for Special Examinations

OAG Policy

OAG Guidance

Obtaining an understanding of the activities of the internal audit function before relying on its work

Evaluating the adequacy of the work of internal audit on the engagement

Reporting considerations for special examinations

Primary navigation (left column)

Institutional links

Direct Engagement Manual

Footer

Breadcrumb

Performance Audit Manual

4030 Reliance on Internal Audit Jul-2020

Overview

CSAE 3001 Requirements

CSAE 3001 Application Material

Financial Administration Act Requirements for Special Examinations

OAG Policy

OAG Guidance

Obtaining an understanding of the activities of the internal audit function before relying on its work

Evaluating the adequacy of the work of internal audit on the engagement

Reporting considerations for special examinations

Primary navigation (left column)

Footer

4030 Reliance on Internal Audit
Jul-2020