ICPAK

USING THE WORK OF INTERNAL

AUDITORS (ISA 610)
Presentation by: KIMEU, J Musyoki

Hilton Hotel, Nairobi, KENYA

Thursday 2nd October, 2014
Introduction

Background
 MBA (For Executives)
 BCom. (Hons)
 CISA
 CPAK
 FCCA
CPA KIMEU, J. Musyoki
 Over 16 years experience in Risk
MD/Lead Consultant:
Management, Audit, Consultancy in GAMAX Ltd
Risk, Internal Controls, IT Audits and +254 722 607157
[email protected]
Corporate Governance

2
CONTENT

Introduction – ISA 610

Objectives of IAASB
Scope of ISA 610
Requirements
Internal Auditors (IA) Assistance
Documentation
Objectivity & Competence
Related Conforming Amendments
Slide 3
AUDITING – Risk Identification

 What could go wrong?

 How could we fail?
 What keeps us up at night?
 What do people complain about?
 What must go right for our
business to succeed?
ISA 601

Developed and approved by the International Auditing

and Assurance Standards Board (IAASB).

IAASB develops auditing and assurance standards

and guidance for use by all professional
accountants under a shared standard-setting
process involving the Public Interest Oversight
Board, which oversees the activities of the IAASB, and the
IAASB Consultative Advisory Group, which provides
public interest input into the development of the
standards and guidance.
 OBJECTIVE OF IAASB

To serve the public interest by;

 setting high-quality auditing, assurance, and other related
standards and by facilitating the convergence of
international and national auditing and assurance
standards, thereby enhancing the quality and consistency of
practice throughout the world and strengthening public
confidence in the global auditing and assurance profession.

The structures and processes that support the operations

of the IAASB are facilitated by the International
Federation of Accountants (IFAC).
 INTERNATIONAL STANDARD ON
AUDITING 610 (Rev.2013)

Effective for audits of financial statements for

periods ending on or after December 15, 2013,

Except the use of internal auditors to provide direct

assistance, which is effective for audits of financial
statements for periods ending on or after
December 15, 2014.)
 SCOPE OF ISA 610

1. Deals with the external auditor’s responsibilities if

using the work of internal auditors. This includes;
a) Using the work of the internal audit function in
obtaining audit evidence and
b) Using internal auditors to provide direct assistance
under the direction, supervision and review of the
external auditor.

2. This ISA does not apply if the entity does not have an
internal audit function.
 SCOPE OF ISA 610

3. If the entity has an internal audit function, the

requirements in this ISA relating to using the work of
that function do not apply if:
a) The responsibilities and activities of the
function are not relevant to the audit; or

b) Based on the auditor’s preliminary understanding

of the function obtained as a result of procedures
performed under ISA 315 (Revised),1 the external
auditor does not expect to use the work of the
function in obtaining audit evidence.
 SCOPE OF ISA 610

NOTE:

Nothing in this ISA requires the external auditor to use

the work of the internal audit function to modify the
nature or timing, or reduce the extent, of audit
procedures to be performed directly by the external
auditor; it remains a decision of the external auditor
in establishing the overall audit strategy.
 SCOPE OF ISA 610

4. The requirements relating to direct assistance do not

apply if the external auditor does not plan to use
internal auditors to provide direct assistance.

5. In some jurisdictions, the external auditor may be

prohibited, or restricted to some extent, by law or
regulation from using the work of the internal audit
function or using internal auditors to provide direct
assistance. The ISAs do not override laws or regulations that
govern an audit of financial statements. Such prohibitions or
restrictions will therefore not prevent the external auditor from
complying with the ISAs. (Ref: Para. A31)
 Relationship between ISA 315 (Revised) and
ISA 610 (Revised 2013)
6. Many entities establish internal audit functions as part of
their internal control and governance structures.

The objectives and scope of an internal audit function, the

nature of its responsibilities and its organizational status,
including the function’s authority and accountability, vary
widely and depend on the size and structure of the entity
and the requirements of management and, where
applicable, those charged with governance.
 Relationship between ISA 315 (Revised) and
ISA 610 (Revised 2013)
7. ISA 315 (Revised) addresses how the knowledge and
experience of the internal audit function can inform the
external auditor’s understanding of the entity and its
environment and identification and assessment of risks
of material misstatement.

ISA 315 (Revised)3 also explains how effective

communication between the internal and external auditors
also creates an environment in which the external auditor
can be informed of significant matters that may affect the
external auditor’s work.
 Relationship between ISA 315 (Revised) and
ISA 610 (Revised 2013)

Depending on whether the internal audit function’s organizational

status and relevant policies and procedures adequately support the
objectivity of the internal auditors, the level of competency of the internal
audit function, and whether the function applies a systematic and
disciplined approach, the external auditor may also be able to use the
work of the internal audit function in a constructive and complementary
manner.
 Relationship between ISA 315 (Revised) and
ISA 610 (Revised 2013)

8. This ISA addresses the external auditor’s responsibilities

when, based on the external auditor’s preliminary
understanding of the internal audit function obtained as a
result of procedures performed under ISA 315 (Revised), the
external auditor expects to use the work of the internal audit
function as part of the audit evidence obtained.

Such use of that work modifies the nature or timing, or

reduces the extent, of audit procedures to be performed
directly by the external auditor.
 Relationship between ISA 315 (Revised) and
ISA 610 (Revised 2013)
9. Addresses the external auditor’s responsibilities if considering
using internal auditors to provide direct assistance under the
direction, supervision and review of the external auditor. external
auditor.

10. In case of individuals in an entity that perform procedures

similar to those performed by an internal audit function. However,
unless performed by an objective and competent function that applies a
systematic and disciplined approach, including quality control, such
procedures would be considered internal controls and obtaining
evidence regarding the effectiveness of such controls would be
part of the auditor’s responses to assessed risks in accordance
with ISA 330.5
 The External Auditor’s Responsibility for the
Audit

The external auditor has sole responsibility for the audit

opinion expressed, and that responsibility is not reduced by
the external auditor’s use of the work of the internal audit
function or internal auditors to provide direct assistance on
the engagement.
 OBJECTIVES OF THE EXTERNAL
AUDITOR
Where the entity has an IA function and the EA expects to use
the work of the function to modify the nature or timing, or
reduce the extent, of audit procedures to be performed directly
by the EA, or to use IA to provide direct assistance, are:
 To determine whether the work of the internal audit function or
direct assistance from internal auditors can be used, and if so, in
which areas and to what extent; and having made that
determination:
 (b) If using the work of the internal audit function, to determine
whether that work is adequate for purposes of the audit; and
 (c) If using internal auditors to provide direct assistance, to
appropriately direct, supervise and review their work.
 DEFINITIONS (ISAs)

(a) Internal audit function – A function of an entity that

performs assurance and consulting activities designed to
evaluate and improve the effectiveness of the entity’s
governance, risk management and internal control
processes. (Ref: Para. A1–A4)

(b) Direct assistance – The use of internal auditors to

perform audit procedures under the direction, supervision
and review of the external auditor.
REQUIREMENTS

Determining Whether, in Which Areas, and to What

Extent the Work of the Internal Audit Function Can Be
Used
A. Evaluating the Internal Audit Function
i. The extent to which the internal audit function’s
organizational status and relevant policies and
procedures support the objectivity of the internal
auditors;
ii. The level of competence of the internal audit function;
and
iii. Whether the internal audit function applies a systematic
and disciplined approach, including quality control.
REQUIREMENTS

Determining the Nature and Extent of Work of the Internal Audit

Function that Can Be Used
- consider the nature and scope of the work that has been
performed, or is planned to be performed, by the internal
audit function and its relevance to the external auditor’s
overall audit strategy and audit plan
REQUIREMENTS

Judgment CALL;
(a) The more judgment is involved in:
• (i) Planning and performing relevant audit procedures; and
• (ii) Evaluating the audit evidence gathered;
• (b) The higher the assessed risk of material misstatement at the
assertion level, with special consideration given to risks identified
as significant;
• (c) The less the internal audit function’s organizational status and
relevant policies and procedures adequately support the
objectivity of the internal auditors; and
• (d) The lower the level of competence of the internal audit
function.
REQUIREMENTS

External Auditor: Shall, in communicating with those

charged with governance and overview of the planned scope
and timing of the audit in accordance with ISA 260,
communicate how the EA has planned to use the work of the
internal audit function.
 USING THE WORK OF INTERNAL
AUDITORS
1. Discuss the planned use of its work with the function as a basis
for coordinating their respective activities.

2. Read the reports of the internal audit function relating to the

work of the function that the external auditor plans to use to
obtain an understanding of the nature and extent of audit
procedures it performed and the related findings.

3. Perform sufficient audit procedures on the body of work of the

internal audit function as a whole that the external auditor plans
to use to determine its adequacy {planned, performed, supervised,
reviewed and documented; sufficient appropriate evidence, Conclusions
reached are appropriate }
Internal Audit Direct Assistance

Review Objectivity and Competence {Objectivity refers to the

ability to perform those tasks without allowing bias, conflict of interest or
undue influence of others to override professional judgments}.

Internal Audit Direct Assistance

i) May be prohibited by law or regulation from obtaining
direct assistance;
ii) evaluate the existence and significance of threats to
objectivity and the level of competence of the internal auditors
who will be providing such assistance.
 Internal Audit Direct Assistance –
Prohibitions
Performance of procedures that:
• (a) Involve making significant judgments in the audit; (Ref: Para.
A19)

• (b) Relate to higher assessed risks of material misstatement

where the judgment required in performing the relevant audit
procedures or evaluating the audit evidence gathered is more
than limited; (Ref: Para. A38)

• (c) Relate to work with which the Ias have been involved and
which has already been, or will be, reported to management or
those charged with governance by the internal audit function; or
 Internal Audit Direct Assistance –
Prohibitions

• (d) Relate to decisions the external auditor makes in

accordance with this ISA regarding the internal audit
function and the use of its work or direct assistance.
 Using IA to Provide Direct Assistance

The EA shall:
• (a) Obtain written agreement from an authorized
representative of the entity that the internal auditors will be
allowed to follow the external auditor’s instructions, and that
the entity will not intervene in the work the internal auditor
performs for the external auditor; and
• (b) Obtain written agreement from the IAs that they will
keep confidential specific matters as instructed by the external
auditor and inform the external auditor of any threat to their
objectivity.
• C) direct, supervise and review the work performed by
internal auditors {nature, timing and extent of direction, supervision,
and review - checking back to the underlying audit evidence }
 DOCUMENTATION

The external auditor shall include in the audit documentation:

• (a) The evaluation of:
– (i) Whether the function’s organizational status and relevant
policies and procedures adequately support the objectivity
of the internal auditors;
– (ii) The level of competence of the function; and
– (iii) Whether the function applies a systematic and
disciplined approach, including quality control;
• (b) The nature and extent of the work used and the basis for
that decision; and
• (c) The audit procedures performed by the external auditor to
evaluate the adequacy of the work used.
 DOCUMENTATION (Assistance)

The EA shall include in the audit documentation:

• (a) The evaluation of the existence and significance of threats to the
objectivity of the IAs, and the level of competence of IAs used to
provide direct assistance;
• (b) The basis for the decision regarding the nature and extent of the
work performed by the IAs;
• (c) Who reviewed the work performed and the date and extent of
that review in accordance with ISA 230
• (d) The written agreements obtained from an authorized
representative of the entity and the IAs under paragraph 33 of this
ISA; and
• (e) The working papers prepared by the IAs who provided direct
assistance on the audit engagement.
 APPLICATION AND OTHER
EXPLANATORY MATERIALS
• Definition of Internal Audit Function (Ref: Para. 2, 14(a))

The objectives and scope of IA functions typically include

assurance and consulting activities designed to evaluate and
improve the effectiveness of the entity’s governance processes,
risk management and internal control such as the following:
i) Activities Relating to Governance
ii) Activities Relating to Risk Management
iii) Activities Relating to Internal Control (financial, operating,
compliance etc)
 Consideration for Objectivity

i. If the organizational status of the IA function, including the

function’s authority and accountability, supports the ability of
the function to be free from bias, conflict of interest or undue
influence of others to override professional judgments.

ii. Whether the IA function is free of any conflicting

responsibilities

iii. Whether those charged with governance oversee employment

decisions related to the IA function, for example, determining
the appropriate remuneration policy.
 Consideration for Objectivity

iv. Constraints or restrictions placed on the internal audit function by

management or those charged with governance,

v. Membership to relevant professional bodies and their memberships

obligate their compliance with relevant professional standards relating to
objectivity, or whether their internal policies achieve the same objectives
 Consideration for COMPETENCE

 Competence of the IA function refers to the attainment and

maintenance of knowledge and skills of the function as a whole
at the level required to enable assigned tasks to be performed
diligently and in accordance with applicable professional
standards. Factors that may affect the EA’s determination
include the following:
i) adequately and appropriately resourced relative to the
size of the entity and the nature of its operations
ii) if there are established policies for hiring, training and
assigning internal auditors to IA engagements
iii) if adequate technical training and proficiency in
auditing.
 Consideration for COMPETENCE

iv) possess the required knowledge relating to the entity’s

financial reporting and the applicable financial reporting
framework and whether the internal audit function possesses
the necessary skills

v) members of relevant professional bodies that oblige them

to comply with the relevant professional standards including
continuing professional development requirements.
 Application of a Systematic and Disciplined
Approach

• Existence, adequacy and use of documented IA procedures or

guidance covering such areas as risk assessments, work
programs, documentation and reporting, the nature and extent
of which is commensurate with the size and circumstances of
an entity.

• Appropriate quality control policies and procedures, for

example, such as those policies and procedures in ISQC 116
that would be applicable to an IA function (such as those
relating to leadership, human resources and engagement
performance) or quality control requirements in standards set
by the relevant professional bodies for IAs.
 Use of work of IAs

Examples of work of the IA function that can be used by the

EA include the following:
Testing of the operating effectiveness of controls.
Substantive procedures involving limited judgment.
Observations of inventory counts.
Tracing transactions through the information system relevant
to financial reporting.
Testing of compliance with regulatory requirements.
In some circumstances, audits or reviews of the financial
information of subsidiaries that are not significant components to
the group (where this does not conflict with the requirements of
ISA 600)
 Use of work of IAs

Significant judgments include the following:

 Assessing the risks of material misstatement;

 Evaluating the sufficiency of tests performed;
 Evaluating the appropriateness of management’s use of the
going concern assumption;
 Evaluating significant accounting estimates; and
 Evaluating the adequacy of disclosures in the financial
statements, and other matters affecting the auditor’s report.
 Discussion and Coordination with the IA
Function

It may be useful to address the following:

• The timing of such work.
• The nature of the work performed.
• The extent of audit coverage.
• Materiality for the financial statements as a whole (and, if
applicable, materiality level or levels for particular classes of
transactions, account balances or disclosures), and performance
materiality.
• Proposed methods of item selection and sample sizes.
• Documentation of the work performed.
• Review and reporting procedures.
 Effective Coordination

• Discussions take place at appropriate intervals

throughout the period.
• The EA informs the internal audit function of significant
matters that may affect the function.

• The EA is advised of and has access to relevant

reports of the IA function and is informed of any
significant matters that come to the attention of the
function when such matters may affect the work of the EA
so that he/she is able to consider the implications of such
matters for the audit engagement.
 Procedures to Determine the Adequacy of
Work of the IA Function

The procedures the EA may perform to evaluate the quality

of the work performed and the conclusions reached by the
IA function, in addition to reperformance in accordance with
paragraph 24, include the following:

 Making inquiries of appropriate individuals within the

internal audit function.
 Observing procedures performed by the internal audit
function.
 Reviewing the IA function’s work program and working
papers.
 Reperformance

 Involves the EA’s independent execution of procedures to validate

the conclusions reached by the IA function.

 This objective may be accomplished by examining items already

examined by the IA function or, where it is not possible to do so, the
same objective may also be accomplished by examining sufficient
other similar items not actually examined by the IA function.

 Provides more persuasive evidence regarding the adequacy of the

work of the IA function compared to other procedures the EA may
perform
 Some is required on the body of work of the IA function as a
whole that the EA plans to use
 Reperformance

NB:
 Those areas where more judgment was exercised by the IA
function in planning, performing and evaluating the results of the
audit procedures and in areas of higher risk of material misstatement.
 Significance & Threats to Objectivity

The following factors may be relevant:

 The extent to which the IA function’s organizational status
and relevant policies and procedures support the objectivity of
the IA
 Family and personal relationships with an individual
working in, or responsible for, the aspect of the entity to which
the work relates.
 Association with the division or department in the entity to
which the work relates.
 Significant financial interests in the entity other than
remuneration on terms consistent with those applicable to
other employees at a similar level of seniority.
 Direct Assistance

Activities and tasks that would not be appropriate to use IAs to

provide direct assistance include the following:
 Discussion of fraud risks. However, the external auditors may
make inquiries of internal auditors about fraud risks in the
organization in accordance with ISA 315 (Revised).29
 Determination of unannounced audit procedures as addressed
in ISA 240.
 Maintain control over external confirmation requests and
evaluate the results of external confirmation procedures
 Evaluation of the adequacy of the provision based on the aging
would involve more than limited judgment
 Using IA’s to Provide Direct Assistance

the EA’s direction, supervision and review of the work

performed by IA’s providing direct assistance will generally
be of a different nature and more extensive than if
members of the engagement team perform the work

the EA’s considerations include whether the evidence

obtained is sufficient and appropriate in the circumstances,
and that it supports the conclusions reached.
 RELATED CONFORMING
AMMENDMENTS

 ISQC 1, Quality Control for Firms that Perform Audits

and Reviews of Financial Statements, and Other
Assurance and Related Services Engagements
Engagement team: All partners and staff performing the engagement, and
any individuals engaged by the firm or a network firm who perform procedures
on the engagement. This excludes an auditor’s external experts engaged by the
firm or by a network firm. The term “engagement team” also excludes
individuals within the client’s internal audit function who provide direct
assistance on an audit engagement when the external auditor complies with the
requirements of ISA 610 (Revised 2013).

 ISA 220, Quality Control for an Audit of Financial Statements

 RELATED CONFORMING
AMMENDMENTS

 ISA 260, Communication with Those Charged with

Governance
• How the external auditor and internal auditors can work in a constructive and
complementary manner, including any planned use of the work of the internal
audit function, and the nature and extent of any planned use of internal auditors
to provide direct assistance
 ISA 300, Planning an Audit of Financial Statements
– Characteristics of the Engagement : Whether the entity has an internal audit
function and, if so, whether, in which areas and to what extent, the work of the function can
be used, or internal auditors can be used to provide direct assistance, for purposes of the
audit.
 ISA 600, Special Considerations - Audits of Group
Financial Statements (Including the Work of Component
Auditors)
 RELATED CONFORMING
AMMENDMENTS

Matters that are relevant to the planning of the work of the

component auditor:
 The ethical requirements that are relevant to the group audit
and, in particular, the independence requirements, for example, where
the group auditor is prohibited by law or regulation from using
internal auditors to provide direct assistance, it is relevant for the
group auditor to consider whether the prohibition also extends to
component auditors and, if so, to address this in the communication to
the component auditors
 I thank you

#0722 607157
[email protected]