Testing the Work of Internal Auditors
Testing the Work of Internal Auditors
By – Steven Firer
1. International Standards on Auditing
1.1. The objective of the auditor is to identify and assess the risks of material misstatement,
whether due to fraud or error, at the financial statement and assertion levels, through
understanding the entity and its environment, including the entity’s internal control1.2
1.2. In this context with specific reference to internal controls, the external auditor shall 3( make
inquiries of appropriate individuals within the internal audit function (if the function
exists)4.
1.3. The auditor shall5 obtain an understanding of internal control relevant to the audit.
Although most controls relevant to the audit are likely to relate to financial reporting, not
all controls that relate to financial reporting are relevant to the audit. It is a matter of the
auditor’s professional judgment whether a control, individually or in combination with
others, is relevant to the audit6.
1.4. When obtaining an understanding of controls that are relevant to the audit, the auditor
shall7 evaluate the design of those controls and determine whether they have been
implemented, by performing procedures in addition to inquiry of the entity’s personnel8.
1.5. The auditor shall9 obtain an understanding of control activities relevant to the audit, being
those the auditor judges it necessary to understand in order to assess the risks of material
misstatement at the assertion level and design further audit procedures responsive to
assessed risks. An audit does not require an understanding of all the control activities
related to each significant class of transactions, account balance, and disclosure in the
financial statements or to every assertion relevant to them.10
1 ISA 315.3
2 Internal control – The process designed, implemented and maintained by those charged with governance,
management and other personnel to provide reasonable assurance about the achievement of an entity’s
objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and
compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of
the components of internal control.
3 Emphasis on shall – compulsory.
4 ISA 315.6a
5 Op cit note 3.
6 ISA 315.12
7 Op cit note 3.
8 ISA 315.13
9 Op cit note 3.
10 ISA 315.20
1.6. The auditor shall11 obtain an understanding of the major activities that the entity uses to
monitor internal control relevant to financial reporting, including those related to those
control activities relevant to the audit, and how the entity initiates remedial actions to
deficiencies in its controls.12
1.7. If the entity has an internal audit function, the auditor shall13 obtain an understanding of
the nature of the internal audit function’s responsibilities, its organizational status, and the
activities performed, or to be performed.
1.8. If an entity has an internal audit function, inquiries of the appropriate individuals within the
function may provide information that is useful to the auditor in obtaining an
understanding of the entity and its environment, and in identifying and assessing risks of
material misstatement at the financial statement and assertion levels. In performing its
work, the internal audit function is likely to have obtained insight into the entity’s
operations and business risks, and may have findings based on its work, such as identified
control deficiencies or risks, that may provide valuable input into the auditor’s
understanding of the entity, the auditor’s risk assessments or other aspects of the audit.
The auditor’s inquiries are therefore made whether or not the auditor expects to use the
work of the internal audit function to modify the nature or timing, or reduce the extent, of
audit procedures to be performed (Emphasis). Inquiries of particular relevance may be
about matters the internal audit function has raised with those charged with governance
and the outcomes of the function’s own risk assessment process14.
1.9. If, based on responses to the auditor’s inquiries, it appears that there are findings that may
be relevant to the entity’s financial reporting and the audit, the auditor may consider it
appropriate to read related reports of the internal audit function15.
1.10. The auditor may also consider how management has responded to the findings and
recommendations of the internal audit function regarding identified deficiencies in internal
control relevant to the audit, including whether and how such responses have been
implemented, and whether they have been subsequently evaluated by the internal audit
function16.
11 Op cit note 3.
12 ISA 315.22
13 Op cit note 3.
14 ISA 315.A9
15 ISA 315.A10
16 ISA 315.A79
1.11. If the entity has an internal audit function, obtaining an understanding of that
function contributes to the auditor’s understanding of the entity and its environment,
including internal control, in particular the role that the function plays in the entity’s
monitoring of internal control over financial reporting. This understanding, together with
the information obtained from the auditor’s inquiries in paragraph 6(a) of this ISA, may also
provide information that is directly relevant to the auditor’s identification and assessment
of the risks of material misstatement17.
1.12. If the auditor determines that the function’s responsibilities are related to the
entity’s financial reporting, the auditor may obtain further understanding of the activities
performed, or to be performed, by the internal audit function by reviewing the internal
audit function’s audit plan for the period, if any, and discussing that plan with the
appropriate individuals within the function18.
1.13. Auditors may be more likely to be able to use the work of an entity’s internal audit
function when it appears, for example, based on experience in previous audits or the
auditor’s risk assessment procedures, that the entity has an internal audit function that is
adequately and appropriately resourced relative to the size of the entity and the nature of
its operations, and has a direct reporting relationship to those charged with governance19.
1.14. The responsibilities of the internal audit function may be focused on evaluating the
economy, efficiency and effectiveness of operations and, if so, the work of the function may
not directly relate to the entity’s financial reporting20.
1.15. If, based on the auditor’s preliminary understanding of the internal audit function,
the auditor expects to use the work of the internal audit function to modify the nature or
timing, or reduce the extent, of audit procedures to be performed, ISA 610 (Revised)
applies21. Otherwise it does not apply.
17 ISA 315.A109
18 ISA 315.A112
19 ISA 315.A113
20 ISA 315.A111
21 ISA 315.A114
2. Conclusion on International Standards on Auditing
2.1. The external auditor must obtain an understanding of the internal audit function sufficient
to identify those internal audit activities that are relevant to planning the audit.
International Standard on Auditing (ISA) 610 (Revised), Using the Work of Internal Auditors
does not require the external auditor to make use of internal audit in any way. This decision
will be made by the external auditor when establishing the overall audit strategy and audit
plan, and will be based on whether it would be efficient and effective to do so
(International Standard on Auditing (ISA) 315 (Revised), Identifying and Assessing the Risks
of Material Misstatement through Understanding the Entity and Its Environment). In other
words: If, after obtaining an understanding of the internal audit function, the auditor
concludes that the internal auditors' activities are not relevant to the financial statement
audit, the auditor does not have to give further consideration to the internal audit function.
2.2. There is sufficient and appropriate evidence that even if the external auditor does not make
use of internal audit; the external auditor has an obligation to treat internal audit as an
internal control that has been introduced by management and must be subject to risk
assessment procedures independent of International Standard on Auditing (ISA) 610
(Revised), Using the Work of Internal Auditors. Based on such an assessment and the
external auditor expects to use the work of the internal auditor does ISA 610 become
relevant.
2.3. This International Standard on Auditing (ISA) deals with the auditor’s responsibility to
communicate appropriately to those charged with governance and management
deficiencies in internal control.22
2.4. The objective of the auditor is to communicate appropriately to those charged with
governance and management deficiencies in internal control that the auditor has identified
during the audit and that, in the auditor’s professional judgment, are of sufficient
importance to merit their respective attentions.23
2.5. The auditor shall include in the written communication of significant deficiencies in internal
control: (at the very least), A description of the deficiencies and an explanation of their
potential effects.24
22 ISA 265.1
23 ISA 265.5
24 ISA 265.11a
2.6. Examples of matters that the auditor may consider in determining whether a deficiency or
combination of deficiencies in internal control constitutes a significant deficiency include:
The likelihood of the deficiencies leading to material misstatements in the financial
statements in the future. The susceptibility to loss or fraud of the related asset or liability.
The subjectivity and complexity of determining estimated amounts, such as fair value
accounting estimates. The financial statement amounts exposed to the deficiencies. The
volume of activity that has occurred or could occur in the account balance or class of
transactions exposed to the deficiency or deficiencies. General monitoring controls (such as
oversight of management). Controls over the prevention and detection of fraud.
2.7. In my opinion an ineffective, inefficient and incompetent internal audit department most
certainly is a significant deficiency in internal controls and as such a description of the
deficiencies and an explanation of their potential effects must be reported to management.
NOTES
- I have not seen the SAA audit file and so my comments are general and based on my
interpretation of the International Standards on Auditing.
- If I were to look in the audit file I would expect to see the following documentation as it
pertains to the internal auditor:25
o Key elements of the understanding obtained.
o The identified and assessed risks of material misstatement at the financial statement
level and at the assertion level.
o A description of the deficiencies and an explanation of their potential effects.
o Sufficient information to enable those charged with governance and management to
understand the context of the communication.
25ISA 265
Comments