Which of the following factors does the auditor need to evaluate before relying on the internal audit function?

Obtaining an understanding of the activities of the internal audit function before relying on its work

CSAE 3001 requires that the audit team makes inquiries regarding whether the audited entity has an internal audit function and, when it is the case, needs to obtain an understanding of the activities of the internal audit function (i.e. the objectivity of the internal auditors, the level of competence of the internal audit unit, and processes in place to ensure quality of the work conducted). This evaluation is done during the planning phase of the audit.

To evaluate whether the internal audit function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors, the audit team may consider:

• the results of internal and external assessments on the conformance with relevant professional practice standards of the internal auditing function;

• the internal audit function’s responsibilities, its reporting relationship, the extent of its independence from the influence of operational management and whether internal auditors have direct access to those charged with governance;

• the activities performed, or to be performed, by the internal audit function;

• if the internal auditors are free from any conflicting responsibilities;

• if the internal auditors employed by the internal audit function are members of relevant professional bodies which require members to comply with relevant professional standards relating to objectivity;

• the results of the internal audit work are reported to senior management and the audit committee or board of directors;

• the internal audit recommendations are acted upon;

• the head of the internal audit function is free to communicate directly with the audit committee or the board of directors; and

• there are constraints placed on the internal audit function’s ability to gain access to important systems, units or activities of the entity, or to information or key personnel.

The audit team should also consider whether there are policies to maintain internal auditors’ objectivity, such as prohibiting internal auditors from auditing areas where they were recently assigned or where relatives are employed.

[Exhibit—Text Version]

To assess the level of competence of the internal audit function, the audit team needs to consider whether

• the internal audit work is performed by persons who possess adequate technical training and competence as internal auditors,

• policies for training and development of internal auditors are in place,

• internal audit staff have a minimum level of experience, and

• internal audit staff have professional qualifications or are members of a professional body or association.

To evaluate whether the internal audit function applies a systematic and disciplined approach, including quality control, the audit team may consider whether:

• the internal audit function has an audit manual or other similar documents, work programs and internal audit documentation that are adequate and conform to professional standards and practices;

• the activities of internal audit function are properly planned, resourced, supervised, reviewed and documented; and

• a quality control system is in place (i.e. quality control policies and procedures).

It is normally sufficient to perform an overall assessment of the internal audit function. If the audit team is satisfied that there are appropriate policies and procedures in place to assess the competence of internal auditors and there is adequate quality assurance over the completion of the working papers and reports in place to assess the due professional care of internal auditors, the team does not need to reassess these factors for each internal audit conducted.

Evaluating the adequacy of the work of internal audit on the engagement

Once the audit team has obtained an understanding of the activities of the internal audit function, CSAE 3001 requires that the team assess whether the work of the internal audit function is adequate for the purposes of the engagement before planning to rely on it.

To carry out an evaluation of the work of internal audit, the team needs to consider whether

• the methodology followed by the internal auditor demonstrates compliance with recognized professional standards;

• the objectives, scope, and criteria used for the internal audit work are suitable for the engagement;

• the results of the internal audit work are consistent with other audit evidence obtained in the course of the engagement;

• findings and conclusions available in the internal audit report are relevant and reasonable (i.e. sufficient appropriate evidence was obtained to support the conclusions);

• methods and assumptions used to conduct the internal audit work are relevant and reasonable in the circumstances; and

• sources of data used are relevant, complete, and accurate.

When planning to evaluate and perform audit procedures on specific work of the internal audit function, the audit team is encouraged to have an agreement with internal audit to obtain the information necessary to complete this evaluation. Information that is likely to support the evaluation includes

• the objectives, scope, criteria, and timing of the specific work performed;
• the extent of testing performed;
• documentation of the work performed;
• evidence of supervision and review; and
• the final report that was issued.

Reporting considerations for special examinations

Auditors are required to include in the special examination report a statement on how far they relied or not on internal audits, as indicated in Section 139(2)(b) of the Financial Administration Act. The OAG special examination report template includes draft wording to satisfy this requirement.

When planning to include a statement of reliance on internal audits, auditors should advise the head of the entity’s internal audit function.

What are the factors to consider before implementing an internal audit function?

What are the factors the auditor must evaluate to understand it?

What factors do external auditors generally consider before determining whether the work of the internal audit function can be relied upon for the purposes of the audit?

What factors should the external auditor consider before placing any reliance on the work of an internal auditor?