Useful Guidance
External auditors'
reliance on work performed by internal audit function:
Meeting the requirements of the External Audit function represented by the public accounting firm
Meeting the requirements of the External Audit function represented by the public accounting firm
This
document has been prepared to be used as a guideline for the
entities that have an Internal Audit function and intend to increase
the efficiency of their audits by having the work performed internally
leveraged by their External Audit engagement teams.
Why - If there is a spotlight on improving the efficiency of the audit-related processes, having External Auditors place (place more) reliance on the work performed internally will significantly lower the costs associated with the regulatory compliance attestation efforts.
How much reliance can be placed - up to 100% reliance on Internal Audit’s work for non-public clients and 50-70% is what we normally see for public clients.
The extent of the reliance external auditors can place on the work performed by others is determined by:
COMPETENCY OF THE INTERNAL AUDIT FUNCTION
As part of the assessment of the competency of the internal audit function, external auditors evaluate the existence and quality of such factors as listed below:
As part of the assessment of the objectivity of the internal audit function, external auditors evaluate the existence and quality of such factors as listed below:
Note: There is more emphasis now on a sufficient level of independent corporate governance and seeing audit committees act as more independent, effective managers of a company's external and internal auditors.
Note: Internal audit should play a very significant but advisory role in the compliance project.
ADEQUACY OF THE AUDIT SCOPE:
As part of the assessment of the adequacy of the scope defined by the Internal Audit function, external auditors evaluate factors listed below:
Note: The External Audit function represented by the public accounting firm will have their set of criteria to determine any significant areas of organization operations/ key internal control processes. If organization intends to increase the efficiency of the audit by having the work performed by the Internal Audit function leveraged by the External Audit engagement teams, it is essential to work with External Auditor to ensure you agree with their scoping and cover the same areas internally.
PERIOD OF AUDIT COVERAGE:
External Audit engagement team will have to ensure that the period/timeframe assessed by the Internal Audit’s testing procedures is adequately aligned with the period under review:
QUALITY AND TIMING OF THE DELIVERABLES
Lastly, the quality of the working papers prepared by the Internal Audit function and the timing of the deliverables must meet the requirements of the External Auditors:
SUMMARY:
Why - If there is a spotlight on improving the efficiency of the audit-related processes, having External Auditors place (place more) reliance on the work performed internally will significantly lower the costs associated with the regulatory compliance attestation efforts.
How much reliance can be placed - up to 100% reliance on Internal Audit’s work for non-public clients and 50-70% is what we normally see for public clients.
The extent of the reliance external auditors can place on the work performed by others is determined by:
- Competency of the Internal Audit function
- Objectivity of the Internal Audit function
- Adequacy of the audit scope
- Period of audit coverage
- Quality of the deliverables
- Timing of the deliverables
COMPETENCY OF THE INTERNAL AUDIT FUNCTION
As part of the assessment of the competency of the internal audit function, external auditors evaluate the existence and quality of such factors as listed below:
- Education and professional experience of the internal auditors, including professional certification and continuing education:
- Inquiries might be made regarding professional certification and continuing education standards for the department
- Copies of the resumes for everyone involved with the audit are normally requested by the External Auditors
- Supervision and review of the internal auditors' activities:
- External Auditors will need to understand who is responsible for managing the auditors’ day-to-day activities and addressing any issues;
- What procedures are being performed to ensure that the recommendations issued by the Internal Audit are being implemented?
- How recommendations for correction are reported to the management, and such.
As part of the assessment of the objectivity of the internal audit function, external auditors evaluate the existence and quality of such factors as listed below:
- Organizational status of the internal auditor responsible for the internal audit function:
- Does the Internal Audit department have sufficient visibility with upper management (i.e. reports to someone with sufficient status to achieve adequate consideration of the findings and recommendations reported by internal auditors)?
- Does the Internal Audit function reports regularly to those charged with governance?
- Are the decisions related to the Internal Auditor who performed the work sufficiently overseen by those charged with governance?
- Does the Internal Audit function have a direct reporting relationship to the audit committee? How limited is this relationship beyond the scheduled board meetings?
Note: There is more emphasis now on a sufficient level of independent corporate governance and seeing audit committees act as more independent, effective managers of a company's external and internal auditors.
- Policies/procedures to maintain the internal auditors' objectivity:
- Internal Auditor(s) performing the work should be prohibited from auditing areas in which the Internal Auditor was recently assigned or is scheduled to be assigned upon completion of his/her responsibilities in the internal audit function;
- The Internal Auditor performing the work should also be prohibited from auditing areas in which relatives are employed in important or audit-sensitive positions.
Note: Internal audit should play a very significant but advisory role in the compliance project.
ADEQUACY OF THE AUDIT SCOPE:
As part of the assessment of the adequacy of the scope defined by the Internal Audit function, external auditors evaluate factors listed below:
- The extent of the work performed by the Internal Audit function:
- Is there an audit plan that outlines the work performed by the Internal Audit function, including the nature and the extent of audit procedures?
- Have significant areas of organization operations with coverage over all significant business units been identified?
- How did organization identify key internal control processes that are financially significant (e.g., criticality analysis, etc.)?
- Have the compliance to control procedures been tested and the results documented for all key internal control processes or are there areas not covered by the internal audit function?
- Does the Internal Audit function have adequate access to the entity’s records and whether there are limitations on the scope of the internal audit function’s activities?
- Relevance of the activities performed by the Internal Audit function to the audit procedures in scope for External Auditors:
- How well the scope of the work performed by the Internal Audit function is aligned with the scope of the procedures to be performed by the External Auditors?
- Which of the activities performed by the Internal Audit function are relevant to the audit procedures in scope for External Auditors?
- Are there areas in scope for External Auditors not covered by the Internal Audit function?
Note: The External Audit function represented by the public accounting firm will have their set of criteria to determine any significant areas of organization operations/ key internal control processes. If organization intends to increase the efficiency of the audit by having the work performed by the Internal Audit function leveraged by the External Audit engagement teams, it is essential to work with External Auditor to ensure you agree with their scoping and cover the same areas internally.
PERIOD OF AUDIT COVERAGE:
External Audit engagement team will have to ensure that the period/timeframe assessed by the Internal Audit’s testing procedures is adequately aligned with the period under review:
- Relevance of coverage performed by the Internal Audit function to the audit procedures in scope for External Auditors:
- External auditors will need to gain assurance that controls operated effectively over a certain period of time (i.e., for financial statements audit external auditors must attest to the quality of the organization’s internal controls over the fiscal year).
- As such, inquiries will be made regarding how much of the period under review is covered by the Internal Audit’s procedures: have the compliance to control procedures been tested, the results documented, and the opinion issued for all key internal control processes over the whole fiscal year under review or are there limitations to the coverage of the internal audit activities?
- Any portion of the period under review not covered by internal audit will be a subject to an independent assessment by the External Audit function.
- It is recommended to discuss the period under review with external auditors prior to finalizing the scoping of any internal procedures to ensure Internal Audit covers sufficient timeframe.
QUALITY AND TIMING OF THE DELIVERABLES
Lastly, the quality of the working papers prepared by the Internal Audit function and the timing of the deliverables must meet the requirements of the External Auditors:
- Timing of the deliverables:
- When audit deliverables prepared by the Internal Audit team will be made available to the External Audit function?
- Management/Internal Audit function needs to agree on timing with external auditors well in advance to make sure that internal controls compliance project is in process to meet the agreed upon deadlines.
- Quality of the deliverables:
- Documentation is very important because External Audit engagement team will need to attest that controls are operating effectively based on the examination of the Internal Audit’s documentation. If documentation is inadequate, the External Audit function will deem necessary to perform an independent assessment instead.
- See here for the listing of items Internal Audit should include as part of their documentation (including recommended sampling guidelines) for each control activity.
SUMMARY:
- Ensure that those performing testing are qualified to do so (either have an audit experience or otherwise qualified to assess the areas they are testing for operating effectiveness)
- Ensure that those performing testing do not have conflicts of interest or segregation of duties concerns (should not test the areas they are assigned to as part of their day-to-day responsibilities, should not be related to or report to anyone they're auditing, etc.)
- Ensure that the scope
of your work is relevant
- Ensure that you cover as much of the period of intended reliance as possible
- Ensure the quality of your deliverables (see here for guidance)
- Share your deliverables with the External Auditor team at the agreed upon timeframe