Financial Reporting Council (FRC) International Standards on Auditing (UK)
The primary standards to which external audit must work in the UK when considering the work of Internal Audit
We have previously considered IIA IPPF 2050 Coordination and Reliance which covers how the Chief Internal Auditor (CIA) should share information, coordinate activities and consider relying on the work of other providers to ensure coverage and minimise duplication in the execution of the Internal Audit Strategy (IAS) and provision of the Annual Opinion.
In this article we will be considering the primary standards to which external audit must work in the UK when considering the work of internal audit and the impact (if any) it may have on the completion of their own audit of the financial statements.
There are two core standards; the Financial Reporting Council (FRC) International Standards on Auditing (UK) 315 Identifying and Assessing the Risks of Material Misstatement Through Understanding of the Entity and Its Environment, and Standard (UK) 610 Using the Work of Internal Auditors.
Standard 315 deals with the auditor’s responsibility to establish their understanding of the entity and its environment, including its framework of internal control. This is a key element of the external audit process providing a basis for the planning of the work necessary to assess the risks of material misstatement within the financial statements. The Standard provides guidance in respect of the assessment of internal audit; if the external auditor subsequently decides to place reliance upon the work of internal audit then Standard 610 is also applicable. However, if no reliance is placed upon the work of internal audit then 610 is redundant.
Standard 610 covers the auditor’s responsibilities if using the work of internal audit; it includes a) using the work of internal audit and b) using internal audit to provide direct assistance to the external auditor. However, the use of internal audit to provide direct assistance is prohibited in the UK and therefore not applicable; for this reason, it will not be considered here.
Standard 315 in brief:
- Requires that as part of the external audit risk assessment inquiries are made of appropriate individuals within internal audit if it exists; from here on, we are therefore assuming that such a function does in deed exist. This reflects the fact that internal audit should have a wealth of organisational intelligence which is useful to the auditor in obtaining an understanding of the entity, its environment, systems of internal control and associated deficiencies, which will be useful in informing the audit risk assessment. This is true whether or not the auditor expects to use the work of internal audit. At this time the auditor will also make enquiries of any actual, suspected or alleged fraud which the team may be aware of; required by Standard 240 The Auditor’s Responsibilities Relating to Fraud in an Audit of Financial Statements.
- Further to these discussions the auditor may wish to read any internal audit reports that they consider relevant to the entity’s financial reporting and the audit.
- The auditor will also be interested in management’s response to internal audit findings and recommendations; the commitment of management to addressing identified deficiencies and whether these have been subsequently followed up by internal audit, will provide valuable insight to the general internal control environment and feed the risk assessment.
- Requires external audit to understand the nature of the internal audit function’s responsibilities, status and activities; recognising that this can vary widely across organisations. From a professional perspective team compliance with IIA IPPF 1100 Independence & Objectivity will provide comfort to the external auditor and therefore increase the likelihood of being able to use internal audit outputs. But it is also important to recognise that the roles of internal and external audit are quite different; external audit’s role and responsibilities are defined, whereas internal audit’s activities may stretch far and wide across an organisation from an efficiency, effectiveness and economy perspective and therefore may not be directly or sufficiently relevant to financial reporting, upon which external audit is focused.
- Establishing and maintaining communications with internal audit to facilitate effective sharing of information; which will provide intelligence the auditor may use to refine the audit process, contribute towards professional scepticism and being alert to information which calls into question the reliability of documentation and management representations.
Standard 610 in brief:
- This Standard is only applicable if the external auditor expects to use the work of the internal auditor to support their own audit evidence; such use may modify the nature or timing, or reduce the extent of audit processes directly undertaken by the external auditor. It is important to remember that at all times the auditor remains responsible for the conclusions they reach; they have sole responsibility for the audit opinion expressed and that responsibility is not in any way reduced through the use of internal audit work. Therefore, it is important that the external auditor has confidence in the work of the internal audit function upon which they intend to rely; it is this which forms the focus of Standard 610.
- The Standard recognises that the auditor may be able to use the work of the internal auditor in a constructive and complementary manner; the potential for this is usually identified through the engagement with internal audit as part of the risk assessment process relating to Standard 315.
- If the external auditor has determined that the work of internal audit may be beneficially used by them to inform their own review, then the external auditor must perform what is commonly termed ‘due diligence’ upon the internal audit function. They should consider the function’s organisational status and objectivity (professionalism); the level of competence within the function; and the systematic and disciplined approach to delivery of internal audits (inc. quality assurance and reporting). A favourable outcome is likely to be achieved where the function complies with IIA IPPF Standards; particularly those relating to 1100 Independence and Objectivity, 2300 Performing the Engagement, and 2400 Communicating Results.
- Where the external auditor is not satisfied with the organisational status, objectivity and general professionalism of its work, they should not rely upon any aspect of its activity to reduce their own audit procedures.
- Assuming the auditor is to rely upon the work of internal audit they should discuss this decision with the CIA, read the associated audit reports of assignments upon which they are relying, and gain any further understanding necessary of the nature and extent of audit procedures through both discussion and review of the audit file.
- In order to place reliance upon specific internal audit work, the external auditor should examine the associated audit files; specifically focused upon ensuring that those assignments have been properly planned, resourced, performed and supervised; sufficient evidence has been obtained to enable reasonable conclusions to be drawn; conclusions reached are appropriate based upon the audit work performed and evidence obtained; and reported findings are consistent with the results. Reliance is likely to be achieved where the function complies with IIA IPPF Standards; particularly those relating to 2200 Engagement Planning, 2300 Performing the Engagement, and 2400 Communicating Results.
The reality of the world is that external audit have a rather narrow and defined responsibility in respect of the Financial Statements; whereas modern internal audit is increasingly looking beyond simple compliance with financial policy and into the much wider reaches of governance, risk management, and internal controls from an efficiency, effectiveness and economy perspective across the breadth of an organisation’s activities and associated risks.
Consider this against the backdrop of a risk-based Internal Audit Strategy and ISA 610 (UK) prohibiting the direction of internal audit activities there is a reduced expectation of formal ‘managed’ audit processes which historically existed, when internal audit was sometimes tasked with performing several audits effectively on behalf of external audit to reduce their own audit work.
Furthermore, we must remember that the external audit is generally focused upon the past; whereas modern internal audit is forward looking.
Given these differences in scope, standards and evolution in approach, it is entirely plausible that in many organisations there will not be much internal audit work upon which the external auditor can routinely rely to reduce their input and even where this does exist there is a value decision over whether the time it takes to properly assess internal audit’s work is disproportionate to the benefit realised. Both sets of auditors should be clear with Executive and Audit Committee to explain the reason and justification; avoiding misconception.
In smaller organisations it may be that internal audit outputs are simply one of the elements which contribute to the external auditor’s body of evidence and view as to whether all financial, non-financial information and other messages by management are materially consistent with the underlying financials and the auditor’s knowledge of the organisation obtained throughout the external audit.
However, in large organisations there may well be value in relying upon the work of the internal auditor, performing the necessary due diligence and utilise the findings of audits to modify the nature or timing, or reduce the extent of audit processes directly undertaken by the external auditor themselves; in these instances the Standards must be compiled with and there will be greater communication and cooperation between parties.