Updated: Aug 18, 2020
The internal audit function is an independent function within a business that assures the risk management of a business, its governance, and internal control processes.
Internal auditors are –
professionals responsible for the internal audit of a business;
employees of a business who evaluate the operations of business independent of the management of the business.
The roles and functions of internal auditors significantly differ from those of external auditors.
Internal auditors vs External auditors
The main difference between these two is that internal auditors are the employees of the business while external auditors are third-party to the business. However, independence is vital to the functions of both internal and external auditors.
Another difference between internal and external auditors is that the internal auditors of a business are responsible for the internal audit of business throughout the year while external auditors perform the audit for a specified number of times, usually once, during the year.
Furthermore, internal auditors, being business employees, report to the board management of the business, while external auditors report to shareholders and investors.
What is the primary reason for external auditors to use internal auditor's work?
Although internal auditors have more duties within a business, some of the work of internal auditors can overlap with the work of external auditors. External auditors assess the internal controls of an organization to assess the level of risk in a business.
Internal auditors are responsible for the internal controls of the business. Sometimes external auditors may need to collaborate with the internal auditors of business and rely on their work instead of replicating the work already done by the internal auditors.
There are many benefits for external auditors to rely on the work of internal auditors.
The biggest advantage is that it can save the time of external auditors. This allows external auditors to focus on more important aspects of the audit.
Also, a working relationship between the two parties can enhance the knowledge of the business for the purpose of an external audit.
External auditors may also need to rely on the work of internal auditors that have expertise in a particular area of the business.
Factors in determining the use of internal audit work
Internal auditors are employees of the business. If external auditors rely on the work of internal auditors, there is a potential that it could result in a threat to the independence of the external auditors which is an ethical issue. There are some factors which determine whether external auditors can use the work of internal auditors.
The factors are defined by ‘ISA 610 – Using the Work of Internal Auditors’. This standard only applies if external auditors decide to use the work of internal auditors of a business. This standard does not apply if the business does not have an internal audit function or the external auditors decide not to use the work of internal auditors.
While the international auditing standards allow external auditors to use the work of internal auditors in certain circumstances, external auditors may sometimes be restricted from doing so by laws and regulations.
These laws and regulations are set by the jurisdiction the audit is being performed in. In these cases, external auditors cannot use the international auditing standards to determine whether they can use the work of internal auditors or not. If restricted by the law, external auditors must not use the work of internal auditors under any circumstances.
According ISA 610, external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the following:
The extent to which the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors;
The level of competence of the internal audit function; and
Whether the internal audit function applies a systematic and disciplined approach, including quality control.
This means that external auditors must evaluate the objectivity or independence, the level of competence, and the approach used by the internal auditors before determining whether the work of internal auditors can be relied on.
If the internal auditors of the business are not independent of the management of the business, then their objectivity is questionable and their work cannot be used. The internal audit function of a business must be unbiased in their work, must not have a conflict of interest with the external audit, and must not be under undue influence from the management of the business.
Similarly, if the internal auditors of the business are not competent in their work, their work should not be used by the external auditors. External auditors must assess the level of knowledge of the internal auditors, their attainment and maintenance of that knowledge, and their skills that are required for the internal auditors to perform their work diligently and per professional standards.
In addition, the external auditors also need to assess the human resources policies of the business to determine whether professionals were hired for the internal audit function and their training and development policies.
Likewise, if internal auditors do not use a systematic and disciplined approach in their work, external auditors cannot use their work. Internal auditors must use a proper approach in all aspects of their work such as planning, performing, supervising, reviewing, and documenting.
External auditors can ensure this by checking the documentation of the internal auditors for adequacy in different areas of the business such as risk assessment, work programs, documentation, and reporting, etc. External auditors should also evaluate the quality control policies and procedures of the internal audit function in this regard.
Nature and extent of work of the internal audit function that can be used
After evaluating internal auditor independence, level and competence and the approach used, does it mean external auditors can use internal audit work?
To determine the areas in which external auditors can use the work of internal auditors, external auditor shall consider the nature and scope of the work that has been performed or is planned to be performed by the internal audit function and its relevance to the external auditor’s overall audit strategy and audit plan, which is stated under ISA 610 states.
In addition, the external auditor shall make all significant judgments in the audit engagement and, to prevent undue use of the work of the internal audit function, shall plan to use less of the work of the function and perform more of the work directly.
Here are the examples from ISA 610 that external auditor should perform more of the work directly –
The more judgment is involved in:
Planning and performing relevant audit procedures; and
Evaluating the audit evidence gathered;
The higher the assessed risk of material misstatement at the assertion level, with special consideration given to risks identified as significant;
The less the internal audit function’s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors; and
The lower the level of competence of the internal audit function.
Moreover, the external auditor shall also evaluate whether, in aggregate, using the work of the internal audit function to the extent planned would still result in the external auditor being sufficiently involved in the audit, given the external auditor’s sole responsibility for the audit opinion expressed.
Finally, given external auditor willingness to use the work of internal auditors, they should communicate their intention and the planned use of the work, with the management of the auditee business. This communication should be done per ‘ISA 260 (Revised) – Communication with Those Charged with Governance’.
If you find this article is helpful and you want to help others too, just share it in any social media (such as Facebook, LinkedIn).