The Standard states:

The chief audit executive should share information, coordinate activities, and consider relying upon the work of other internal and external assurance and consulting service providers to ensure proper coverage and minimise duplication of efforts.

The Standard recognises that the Chief Internal Auditor (CIA) may rely on the work of other assurance providers; these may be either internal or external. External providers may be commissioned by the CIA to support and complement their own work or, more typically where the aim is to minimise duplication of effort, may simply be other assurance providers already commissioned by the Executive team, from whose work internal audit may be able to draw comfort.

In the case where the CIA is commissioning the work of external providers, this is usually a relatively straightforward extension of the planned internal audit. As we have already established under Standard 2200 Engagement Planning, the CIA has a responsibility to ensure that not only the quantity but also the quality of resources allocated is appropriate to deliver the intended audit scope; one of the ways in which the CIA may address any shortcoming is through the engagement of a third party to perform the assignment. In this case the work is being performed specifically to address the CIA’s original intended scope and purpose; therefore, assuming that it is delivered with professional care and diligence, it should meet the needs of the CIA and their clients.

However, when performing or updating the organisation’s underlying Audit Needs Assessment (ANA) and risk assessment, the CIA might become aware of other sources of assurance which may provide comfort to them over a particular aspect of the risk environment. It is for these assurances, where the CIA does not directly commission, direct or manage the delivery of assignments, that the CIA must ensure the work is sufficient to meet their needs.

The Standard also addresses the fact that the CIA should be prepared to share information with other assurance providers to minimise duplication of effort and ultimately achieve best value from an organisation’s investment in assurance. However, just as the CIA retains ultimate responsibility for internal audit conclusions and opinions, the same is true of other providers such as external audit, who will be required to comply with further standards and expectations such as the International Auditing and Assurance Standards Board (IAASB) International Standards on Auditing 610 and 315, published by the International Federation of Accountants (IFAC); these are discussed later.

The CIA should always ensure that they are acting within their client’s confidentiality requirements. Typically, most clients are willing and appreciative of coordination between assurance providers to ensure proper coverage and minimise duplication of efforts; however, parties should confirm that this is indeed the case before sharing any information. The type and volume of information shared between parties must be agreed and in accordance with any confidentiality requirements; significant limitations in the extent to which parties may cooperate are likely to reduce the value of any cooperation and could be counterproductive to achieving efficiencies and securing best value from the organisation’s assurance investment.

When coordinating and relying on others:

  • Remember that the CIA retains responsibility for internal audit conclusions and opinions.
  • The CIA should seek to identify what other sources of assurance may exist across the client when performing and updating the risk assessment on which the Internal Audit Strategy and audit plans are based. This should involve making enquiries of the Executive team and reviewing reports of the Board or its delegated committees. As part of this risk assessment the CIA may form an assurance map, or indeed one may already exist within the organisation depending upon the maturity of their risk management arrangements; this can be useful evidence.
  • Consider whether there are any issues which impact upon the independence of the assurance provider, with reference to the issues outlined in Standard 1100 Independence & Objectivity.
  • Gather further intelligence as to the extent of the work of others, including meeting and discussing the work of each party and their competencies in respect of experience, qualifications and skills. Within any confidentiality restrictions, parties should consider objectives, scope, methodology, quality assurance arrangements, timing and results; this will give an early indication of whether the work will meet the respective needs of each party and therefore whether there is a real possibility of placing reliance upon the work of others.
  • Review outcomes and ensure a clear understanding of the methodology and findings is held; ideally, the CIA may wish to perform a cold file review to assure themselves over the appropriateness of findings and whether they may be reasonably relied upon, making suitable considerations along the lines we have already discussed in respect to Standard 2200 Engagement Planning.
  • The CIA should reflect on the outcomes and consider whether the outputs reflect their own understanding and expectations of the area reviewed. Where the outcomes do not meet expectations, the CIA should consider whether further work is necessary prior to placing reliance upon that work and allowing it to either positively or negatively impact upon their professional opinion of the risk, governance or internal control arrangements.
  • Where the extent of the work does not meet expectations, the CIA should consider whether additional work should be undertaken to broaden the assurance available and inform their professional opinion.
  • When the CIA’s opinion is influenced significantly by the outcomes of another’s work, the CIA should explicitly refer to those influencing factors within their report, whilst reinforcing the fact that they remain responsible for the opinion reached.

Whilst the above is written in the context of a CIA placing reliance upon the work of others, similar activities should be performed by the external auditor (or other parties) seeking to place reliance upon the work of internal audit; the standards to which our external audit colleagues must work are set by the Financial Reporting Council (FRC).

Core Evidence Demonstrating Compliance

  1. Communication & Confidentiality Protocols; including any Communication Plan and the IA Charter
  2. Audit Needs Assessment documentation; including any assurance map
  3. Internal Audit Strategy; identifying any reliance upon third party assurance
  4. Due diligence exercise on any identified third-party assurance
  5. Chief Internal Auditor Opinion statements

Key here is that the CIA can demonstrate that, when placing reliance upon the work of others, this decision has been taken in a structured and considered manner; the CIA hasn’t just happened to come across some ‘assurance’ which can allow them to reduce their own workload.

Identification of other assurance sources, subsequent evidence of the due diligence performed upon that work and how it has influenced the CIA’s own opinion (for which they retain responsibility at all times) should be clearly evidenced; ideally starting with an explicit statement of such intentions within the Strategy itself.