The International Auditing and Assurance Standards Board (IAASB) recently released International Standard on Auditing (ISA) 610, Using the Work of Internal Auditors, which addresses the external auditor’s responsibilities when using the work of an internal audit function. It requires external auditors to “evaluate” the internal audit function. Specifically, it states the following:
13. The external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the following:
(a) The extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors; (Ref: Para. A5–A9)
(b) The level of competence of the internal audit function; and (Ref: Para. A5–A9)
(c) Whether the internal audit function applies a systematic and disciplined approach, including quality control. (Ref: Para. A10–A11)
14. The external auditor shall not use the work of the internal audit function if the external auditor determines that:
(a) The function’s organizational status and relevant policies and procedures do not adequately support the objectivity of internal auditors;
(b) The function lacks sufficient competence; or
(c) The function does not apply a systematic and disciplined approach, including quality control. (Ref: Para. A12–A14)
On the surface, this seems a bit unreasonable. Internal and external auditing are two separate but occasionally overlapping disciplines. External auditing is primarily concerned with the integrity of financial statements. Internal auditing, in contrast, may focus on operational effectiveness/efficiency, compliance with laws/rules/policy, or financial statement integrity. Some internal audit functions do not perform “test of controls over financial reporting”. However, this does not mean that they are not effectively carrying out the duties outlined in the audit charter. For this reason alone, external auditors looking to apply ISA 610 must use this standard in conjunction with ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment.
ISA 315 acknowledges the diversity of audit functions. Specifically, it states:
A110. The objectives and scope of an internal audit function, the nature of its responsibilities and its status within the organization, including the function’s authority and accountability, vary widely and depend on the size and structure of the entity and the requirements of management and, where applicable, those charged with governance. These matters may be set out in an internal audit charter or terms of reference.
It provides the following additional clarity:
A111. The responsibilities of an internal audit function may include performing procedures and evaluating the results to provide assurance to management and those charged with governance regarding the design and effectiveness of risk management, internal control and governance processes. If so, the internal audit function may play an important role in the entity’s monitoring of internal control over financial reporting. However, the responsibilities of the internal audit function may be focused on evaluating the economy, efficiency and effectiveness of operations and, if so, the work of the function may not directly relate to the entity’s financial reporting.
This standard encourages external auditors to first obtain an understanding of the internal audit function’s activities, and then to evaluate the internal audit function if there is substantial work performed related to the controls over financial reporting.
Many in the internal auditing community were concerned by the revised ISA standard 610. On the surface, it appeared as though the standard gave external auditors the authority to “assess” internal audit functions. In its press release, the Institute of Internal Auditors President and CEO Richard Chambers stated, “This is a milestone for both the internal audit profession and The IIA, as we have worked in partnership with the IAASB to ensure the revision takes into full consideration the capabilities and responsibilities of internal auditors.” I tend to agree. In the context of ISA 315, external auditors should evaluate the internal audit function as it relates to work performed concerning the controls over financial reporting.
Ultimately, if you have a world-class audit function (see article on Building a World Class Audit Function), you have nothing to worry about.
What do you think?
IAASB Press Release – IAASB Strengthens Standard on Using the Work of Internal Auditors