Application and Other Explanatory Material
Definition of Internal Audit Function
A1
The objectives and scope of internal audit functions typically include assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance processes, risk management and internal control such as the following:
Activities Relating to Governance
- The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organisation and effectiveness of communication among those charged with governance, external and internal auditors, and management.
Activities Relating to Risk Management
- The internal audit function may assist the entity by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and internal control (including effectiveness of the financial reporting process).
- The internal audit function may perform procedures to assist the entity in the detection of fraud.
Activities Relating to Internal Control
- Evaluation of internal control. The internal audit function may be assigned specific responsibility for reviewing controls, evaluating their operation and recommending improvements thereto. In doing so, the internal audit function provides assurance on the control. For example, the internal audit function might plan and perform tests or other procedures to provide assurance to management and those charged with governance regarding the design, implementation and operating effectiveness of internal control, including those controls that are relevant to the audit.
- Examination of financial and operating information. The internal audit function may be assigned to review the means used to identify, recognise, measure, classify and report financial and operating information, and to make specific enquiry into individual items, including detailed testing of transactions, balances and procedures.
- Review of operating activities. The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non-financial activities of an entity.
- Review of compliance with laws and regulations. The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements.
A2
Activities similar to those performed by an internal audit function may be conducted by functions with other titles within an entity. Some or all of the activities of an internal audit function may also be outsourced to a third‑party service provider. Neither the title of the function, nor whether it is performed by the entity or a third‑party service provider, are sole determinants of whether or not the external auditor can use the work of the function. Rather, it is the nature of the activities; the extent to which the internal audit function’s organisational status and relevant policies and procedures support the objectivity of the internal auditors; competence; and systematic and disciplined approach of the function that are relevant. References in this Auditing Standard to the work of the internal audit function include relevant activities of other functions or third‑party providers that have these characteristics.
A3
In addition, those in the entity with operational and managerial duties and responsibilities outside of the internal audit function would ordinarily face threats to their objectivity that would preclude them from being treated as part of an internal audit function for the purpose of this Auditing Standard, although they may perform controls that can be tested in accordance with ASA 330.[12] For this reason, monitoring controls performed by an owner‑manager would not be considered equivalent to an internal audit function.
A4
While the objectives of an entity’s internal audit function and the external auditor differ, the function may perform audit procedures similar to those performed by the external auditor in an audit of a financial report. If so, the external auditor may make use of the function for purposes of the audit in one or more of the following ways:
- To obtain information that is relevant to the external auditor’s assessments of the risks of material misstatement due to error or fraud. In this regard, ASA 315[13] requires the external auditor to obtain an understanding of the nature of the internal audit function’s responsibilities, its status within the organisation, and the activities performed, or to be performed, and make enquiries of appropriate individuals within the internal audit function (if the entity has such a function); or
- Unless prohibited, or restricted to some extent, by law or regulation, the external auditor, after appropriate evaluation, may decide to use work that has been performed by the internal audit function during the period in partial substitution for audit evidence to be obtained directly by the external auditor.[14]
[Sentence deleted by the AUASB. Refer Aus 1.2][15]
Determining Whether, in Which Areas, and to What Extent the Work of the Internal Audit Function Can Be Used
Evaluating the Internal Audit Function
Objectivity and Competence (Ref: Para. 15(a)-(b))
A5
The external auditor exercises professional judgement in determining whether the work of the internal audit function can be used for purposes of the audit, and the nature and extent to which the work of the internal audit function can be used in the circumstances.
A6
The extent to which the internal audit function’s organisational status and relevant policies and procedures support the objectivity of the internal auditors and the level of competence of the function are particularly important in determining whether to use and, if so, the nature and extent of the use of the work of the function that is appropriate in the circumstances.
A7
Objectivity refers to the ability to perform those tasks without allowing bias, conflict of interest or undue influence of others to override professional judgements. Factors that may affect the external auditor’s evaluation include the following:
- Whether the organisational status of the internal audit function, including the function’s authority and accountability, supports the ability of the function to be free from bias, conflict of interest or undue influence of others to override professional judgements. For example, whether the internal audit function reports to those charged with governance or an officer with appropriate authority, or if the function reports to management, whether it has direct access to those charged with governance.
- Whether the internal audit function is free of any conflicting responsibilities, for example, having managerial or operational duties or responsibilities that are outside of the internal audit function.
- Whether those charged with governance oversee employment decisions related to the internal audit function, for example, determining the appropriate remuneration policy.
- Whether there are any constraints or restrictions placed on the internal audit function by management or those charged with governance, for example, in communicating the internal audit function’s findings to the external auditor.
- Whether the internal auditors are members of relevant professional bodies and their memberships obligate their compliance with relevant professional standards relating to objectivity, or whether their internal policies achieve the same objectives.
A8
Competence of the internal audit function refers to the attainment and maintenance of knowledge and skills of the function as a whole at the level required to enable assigned tasks to be performed diligently and in accordance with applicable professional standards. Factors that may affect the external auditor’s determination include the following:
- Whether the internal audit function is adequately and appropriately resourced relative to the size of the entity and the nature of its operations.
- Whether there are established policies for hiring, training and assigning internal auditors to internal audit engagements.
- Whether the internal auditors have adequate technical training and proficiency in auditing. Relevant criteria that may be considered by the external auditor in making the assessment may include, for example, the internal auditors’ possession of a relevant professional designation and experience.
- Whether the internal auditors possess the required knowledge relating to the entity’s financial reporting and the applicable financial reporting framework and whether the internal audit function possesses the necessary skills (for example, industry-specific knowledge) to perform work related to the entity’s financial report.
- Whether the internal auditors are members of relevant professional bodies that oblige them to comply with the relevant professional standards including continuing professional development requirements.
A9
Objectivity and competence may be viewed as a continuum. The more the internal audit function’s organisational status and relevant policies and procedures adequately support the objectivity of the internal auditors and the higher the level of competence of the function, the more likely the external auditor may make use of the work of the function and in more areas. However, an organisational status and relevant policies and procedures that provide strong support for the objectivity of the internal auditors cannot compensate for the lack of sufficient competence of the internal audit function. Equally, a high level of competence of the internal audit function cannot compensate for an organisational status and policies and procedures that do not adequately support the objectivity of the internal auditors.
Application of a Systematic and Disciplined Approach (Ref: Para. 15(c))
A10
The application of a systematic and disciplined approach to planning, performing, supervising, reviewing and documenting its activities distinguishes the activities of the internal audit function from other monitoring controls that may be performed within the entity.
A11
Factors that may affect the external auditor’s determination of whether the internal audit function applies a systematic and disciplined approach include the following:
- The existence, adequacy and use of documented internal audit procedures or guidance covering such areas as risk assessments, work programs, documentation and reporting, the nature and extent of which is commensurate with the size and circumstances of an entity.
- Whether the internal audit function has appropriate quality control policies and procedures, for example, those policies and procedures in ASQC 1[16] that would be applicable to an internal audit function (such as those relating to leadership, human resources and engagement performance) or quality control requirements in standards set by the relevant professional bodies for internal auditors. Such bodies may also establish other appropriate requirements such as conducting periodic external quality assessments.
Circumstances When Work of the Internal Audit Function Cannot Be Used (Ref: Para. 16)
A12
The external auditor’s evaluation of whether the internal audit function’s organisational status and relevant policies and procedures adequately support the objectivity of the internal auditors, the level of competence of the internal audit function, and whether it applies a systematic and disciplined approach may indicate that the risks to the quality of the work of the function are too significant and therefore it is not appropriate to use any of the work of the function as audit evidence.
A13
Consideration of the factors in paragraphs A7, A8 and A11 of this Auditing Standard individually and in aggregate is important because an individual factor is often not sufficient to conclude that the work of the internal audit function cannot be used for purposes of the audit. For example, the internal audit function’s organisational status is particularly important in evaluating threats to the objectivity of the internal auditors. If the internal audit function reports to management, this would be considered a significant threat to the function’s objectivity unless other factors such as those described in paragraph A7 of this Auditing Standard collectively provide sufficient safeguards to reduce the threat to an acceptable level.
A14
In addition, the relevant ethical requirements[17],[*] state that a self‑review threat is created when the external auditor accepts an engagement to provide internal audit services to an audit client, and the results of those services will be used in conducting the audit. This is because of the possibility that the engagement team will use the results of the internal audit service without properly evaluating those results or without exercising the same level of professional scepticism as would be exercised when the internal audit work is performed by individuals who are not members of the firm. The relevant ethical requirements[18],[#] discuss the prohibitions that apply in certain circumstances and the threats and the safeguards that can be applied to reduce the threats to an acceptable level in other circumstances.
Determining the Nature and Extent of Work of the Internal Audit Function that Can Be Used
Factors Affecting the Determination of the Nature and Extent of the Work of the Internal Audit Function that Can Be Used (Ref: Para. 17–19)
A15
Once the external auditor has determined that the work of the internal audit function can be used for purposes of the audit, a first consideration is whether the planned nature and scope of the work of the internal audit function that has been performed, or is planned to be performed, is relevant to the overall audit strategy and audit plan that the external auditor has established in accordance with ASA 300.[19]
A16
Examples of work of the internal audit function that can be used by the external auditor include the following:
- Testing of the operating effectiveness of controls.
- Substantive procedures involving limited judgement.
- Observations of inventory counts.
- Tracing transactions through the information system relevant to financial reporting.
- Testing of compliance with regulatory requirements.
- In some circumstances, audits or reviews of the financial information of subsidiaries that are not significant components to the group (where this does not conflict with the requirements of ASA 600).[20]
A17
The external auditor’s determination of the planned nature and extent of use of the work of the internal audit function will be influenced by the external auditor’s evaluation of the extent to which the internal audit function’s organisational status and relevant policies and procedures adequately support the objectivity of the internal auditors and the level of competence of the internal audit function in paragraph 18 of this Auditing Standard. In addition, the amount of judgement needed in planning, performing and evaluating such work and the assessed risk of material misstatement at the assertion level are inputs to the external auditor’s determination. Further, there are circumstances in which the external auditor cannot use the work of the internal audit function for purposes of the audit as described in paragraph 16 of this Auditing Standard.
Judgements in planning and performing audit procedures and evaluating results (Ref: Para. 18(a))
A18
The greater the judgement needed to be exercised in planning and performing the audit procedures and evaluating the audit evidence, the more procedures the external auditor will need to perform directly in accordance with paragraph 18 of this Auditing Standard, because using the work of the internal audit function alone will not provide the external auditor with sufficient appropriate audit evidence.
A19
Since the external auditor has sole responsibility for the audit opinion expressed, the external auditor needs to make the significant judgements in the audit engagement in accordance with paragraph 18. Significant judgements include the following:
- Assessing the risks of material misstatement.
- Evaluating the sufficiency of tests performed.
- Evaluating the appropriateness of management’s use of the going concern assumption.
- Evaluating significant accounting estimates.
- Evaluating the adequacy of disclosures in the financial report, and other matters affecting the auditor’s report.
Assessed risk of material misstatement (Ref: Para. 18(b))
A20
For a particular account balance, class of transaction or disclosure, the higher an assessed risk of material misstatement at the assertion level, the more judgement is often involved in planning and performing the audit procedures and evaluating the results thereof. In such circumstances, the external auditor will need to perform more procedures directly in accordance with paragraph 18 of this Auditing Standard, and accordingly, make less use of the work of the internal audit function in obtaining sufficient appropriate audit evidence. Furthermore, as explained in ASA 200,[21] the higher the assessed risks of material misstatement, the more persuasive the audit evidence required by the external auditor will need to be, and, therefore, the external auditor will need to perform more of the work directly.
A21
As explained in ASA 315,[22] significant risks are risks assessed close to the upper end of the spectrum of inherent risk and therefore the external auditor’s ability to use the work of the internal audit function in relation to significant risks will be restricted to procedures that involve limited judgement. In addition, where the risk of material misstatement is other than low, the use of the work of the internal audit function alone is unlikely to reduce audit risk to an acceptably low level and eliminate the need for the external auditor to perform some tests directly.
A22
Carrying out procedures in accordance with this Auditing Standard may cause the external auditor to re-evaluate the external auditor’s assessment of the risks of material misstatement. Consequently, this may affect the external auditor’s determination of whether to use the work of the internal audit function and whether further application of this Auditing Standard is necessary.
Communication with Those Charged with Governance (Ref: Para. 20)
A23
In accordance with ASA 260,[23] the external auditor is required to communicate with those charged with governance an overview of the planned scope and timing of the audit. The planned use of the work of the internal audit function is an integral part of the external auditor’s overall audit strategy and is therefore relevant to those charged with governance for their understanding of the proposed audit approach.
Using the Work of the Internal Audit Function
Discussion and Co‑ordination with the Internal Audit Function (Ref: Para. 21)
A24
In discussing the planned use of their work with the internal audit function as a basis for co-ordinating the respective activities, it may be useful to address the following:
- The timing of such work.
- The nature of the work performed.
- The extent of audit coverage.
- Materiality for the financial report as a whole (and, if applicable, materiality level or levels for particular classes of transactions, account balances or disclosures), and performance materiality.
- Methods of item selection and sample sizes.
- Documentation of the work performed.
- Review and reporting procedures.
A25
Co-ordination between the external auditor and the internal audit function is effective when, for example:
- Discussions take place at appropriate intervals throughout the period.
- The external auditor informs the internal audit function of significant matters that may affect the function.
- The external auditor is advised of and has access to relevant reports of the internal audit function and is informed of any significant matters that come to the attention of the function when such matters may affect the work of the external auditor so that the external auditor is able to consider the implications of such matters for the audit engagement.
A26
ASA 200[24] discusses the importance of the auditor planning and performing the audit with professional scepticism, including being alert to information that brings into question the reliability of documents and responses to enquiries to be used as audit evidence. Accordingly, communication with the internal audit function throughout the engagement may provide opportunities for internal auditors to bring matters that may affect the work of the external auditor to the external auditor’s attention.[25] The external auditor is then able to take such information into account in the external auditor’s identification and assessment of risks of material misstatement. In addition, if such information may be indicative of a heightened risk of a material misstatement of the financial report or may be regarding any actual, suspected or alleged fraud, the external auditor can take this into account in the external auditor’s identification of risk of material misstatement due to fraud in accordance with ASA 240.[26]
Procedures to Determine the Adequacy of Work of the Internal Audit Function (Ref: Para. 23-24)
A27
The external auditor’s audit procedures on the body of work of the internal audit function as a whole that the external auditor plans to use provide a basis for evaluating the overall quality of the function’s work and the objectivity with which it has been performed.
A28
The procedures the external auditor may perform to evaluate the quality of the work performed and the conclusions reached by the internal audit function, in addition to re-performance in accordance with paragraph 24, include the following:
- Making enquiries of appropriate individuals within the internal audit function.
- Observing procedures performed by the internal audit function.
- Reviewing the internal audit function’s work program and working papers.
A29
The more judgement involved, the higher the assessed risk of material misstatement, the less the internal audit function’s organisational status and relevant policies and procedures adequately support the objectivity of the internal auditors, or the lower the level of competence of the internal audit function, the more audit procedures are needed to be performed by the external auditor on the overall body of work of the function to support the decision to use the work of the function in obtaining sufficient appropriate audit evidence on which to base the audit opinion.
Re‑performance (Ref: Para. 24)
A30
For purposes of this Auditing Standard, re‑performance involves the external auditor’s independent execution of procedures to validate the conclusions reached by the internal audit function. This objective may be accomplished by examining items already examined by the internal audit function, or where it is not possible to do so, the same objective may also be accomplished by examining sufficient other similar items not actually examined by the internal audit function. Re‑performance provides more persuasive evidence regarding the adequacy of the work of the internal audit function compared to other procedures the external auditor may perform in paragraph A28. While it is not necessary for the external auditor to do re‑performance in each area of work of the internal audit function that is being used, some re‑performance is required on the body of work of the internal audit function as a whole that the external auditor plans to use in accordance with paragraph 24. The external auditor is more likely to focus re‑performance in those areas where more judgement was exercised by the internal audit function in planning, performing and evaluating the results of the audit procedures and in areas of higher risk of material misstatement.
Direct Assistance
A31-A41
[Deleted by the AUASB. Refer Aus 1.2][27]
[12] See paragraph 10 of this Auditing Standard.
[13] See ASA 315, paragraph 14(a).
[14] See paragraphs 15–25 of this Auditing Standard.
[15] [Footnote deleted by the AUASB. Refer Aus 1.2]
[16] Auditing Standard ASQC 1 Quality Control for Firms that Perform Audits and Reviews of Financial Reports and Other Financial Information, Other Assurance Engagements and Related Services Engagements (as amended).
[17] [Footnote deleted by the AUASB]
[*] See ASA 102 Compliance with Ethical Requirements when Performing Audits, Reviews and Other Assurance Engagements (as amended).
[18] [Footnote deleted by the AUASB]
[#] See ASA 102 (as amended).
[19] ASA 300 Planning an Audit of a Financial Report (as amended).
[20] See ASA 600 (as amended).
[21] See ASA 200 (as amended), paragraph A29.
[22] See ASA 315, paragraph 12(1).
[23] See ASA 260 (as amended), paragraph 15.
[24] See ASA 200 (as amended), paragraphs 15 and A18.
[25] See ASA 315, paragraph A118.
[26] See ASA 315, paragraph A11 in relation to ASA 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of a Financial Report.
[27] [Footnotes 27-30 deleted by the AUASB. Refer Aus 1.2]