A brief guide to working with other providers
If it’s to work efficiently and effectively, internal audit needs to work well with other providers of assurance, particularly in large organisations.
Traditionally some internal auditors have worked under managed audit arrangements with the external auditor. It would be cheaper for certain tests to be performed by the organisation’s internal audit team under the direction of the external auditor. The external auditor would subsequently review and place reliance upon this work to reduce the external audit work and associated fee.
However, the revised International Auditing & Assurance Standards Board (IAASB) International Standards on Auditing (ISA) 610 and 315 issued in 2013 have significantly reduced the benefits of this ‘managed audit’ approach because they have significantly increased the work that the external auditor must undertake before it can place reliance on such internal audit work.
That said, internal and external audit should have a meaningful professional dialogue - particularly at the time of planning the external audit. The external auditor will generally review internal audit outputs to inform their overall view of the internal control environment and associated governance statements, rather than resulting in any significant reduction in their own audit work (other than for the largest of organisations).
Internal audit, in the performance of its own role providing reasonable assurance to the audit committee, may be able to rely upon the outputs of other third party audit providers. This would enable it to potentially work more efficiently and effectively, particularly in larger organisations where a range of assurance sources may exist.
However, when forming such a view, the chief audit executive (CAE) must always consider the reason, scope, objective, timing, depth and independence of any other assignment commissioned, as this may be quite different from their own needs.
To identify these other sources of assurance the CAE should review the risk register / board assurance framework which may identify sources of assurance such as:
- management reporting (second line)
- compliance functions (second line)
- Sarbanes-Oxley Act (SOX)
- health and safety
- quality control (second line)
- accreditation reports (third line)
- consultants (third line)
- external audit (third line)
Whilst the CAE may not be able to rely entirely upon the above sources, they may provide useful information which would assist or focus internal audit in its work.
Where reliance is placed on the work of others, the CAE is still accountable and responsible for ensuring adequate support for conclusions and opinions reached by the internal audit activity.
Sharing of information should be subject to the approval of the audit committee and senior management. Certain legal exceptions may apply and in these cases the CAE is required to comply with the law. When sharing information the CAE should seek legal advice as necessary prior to sharing information, subject to confidentiality controls, including:
- audit plan
- audit reports
- issues raised and accepted
- follow up
IIA IPPF Standard 2050 – coordination and reliance