http://www.aicpa.org/Research/Standards/AuditAttest/DownloadableDocuments/AU-00322.pdf
Auditor’s Consideration of Internal Audit Function
253
AU Section 322
The Auditor’s Consideration of the
Internal Audit Function in an Audit
of Financial Statements
(Supersedes SAS No. 9.)
Source: SAS No. 65.
Effective for audits of financial statements for periods ending after December
15, 1991, unless otherwise indicated.
.01
The auditor considers many factors in determining the nature, timing,
and extent of auditing procedures to be performed in an audit of an entity’s
financial statements. One of the factors is the existence of an internal audit
function.
1
This section provides the auditor with guidance on considering the
work of internal auditors and on using internal auditors to provide direct assistance
to the auditor in an audit performed in accordance with generally
accepted auditing standards.
Roles of the Auditor and the Internal Auditors
.02
One of the auditor’s responsibilities in an audit conducted in accordance
with generally accepted auditing standards is to obtain sufficient appropriate
audit evidence to provide a reasonable basis for the opinion on the
entity’s financial statements. In fulfilling this responsibility, the auditor maintains
independence from the entity. [Revised, March 2006, to reflect conforming
changes necessary due to the issuance of Statement on Auditing Standards
No. 105.]
2
.03
Internal auditors are responsible for providing analyses, evaluations,
assurances, recommendations, and other information to the entity’s management
and those charged with governance. To fulfill this responsibility, internal
auditors maintain objectivity with respect to the activity being audited. [Revised,
April 2007, to reflect conforming changes necessary due to the issuance
of Statement on Auditing Standards No. 114.]
Obtaining an Understanding of the Internal
Audit Function
.04
An important responsibility of the internal audit function is to monitor
the performance of an entity’s controls. When obtaining an understanding of
1
An internal audit function
may consist of one or more individuals who perform internal auditing
activities within an entity. This section is not applicable to personnel who have the title
internal auditor
but who do not perform internal auditing activities as described herein.
2
Although internal auditors are not independent from the entity, The Institute of Internal Auditors’
Standards for the Professional Practice of Internal Auditing
defines internal auditing as an
independent appraisal function and requires internal auditors to be independent of the activities they
audit. This concept of independence is different from the independence the auditor maintains under
the AICPA Code of Professional Conduct.
AU §322.04
254
The Standards of Field Work
internal control,
3
the auditor should obtain an understanding of the internal
audit function sufficient to identify those internal audit activities that are relevant
to planning the audit. The extent of the procedures necessary to obtain
this understanding will vary, depending on the nature of those activities.
.05
The auditor ordinarily should make inquiries of appropriate management
and internal audit personnel about the internal auditors’—
a.
Organizational status within the entity.
b.
Application of professional standards (see paragraph .11).
c.
Audit plan, including the nature, timing, and extent of audit work.
d.
Access to records and whether there are limitations on the scope of
their activities.
In addition, the auditor might inquire about the internal audit function’s charter,
mission statement, or similar directive from management or those charged
with governance. This inquiry will normally provide information about the goals
and objectives established for the internal audit function. [Revised, April 2007,
to reflect conforming changes necessary due to the issuance of Statement on
Auditing Standards No. 114.]
.06
Certain internal audit activities may not be relevant to an audit of the
entity’s financial statements. For example, the internal auditors’ procedures to
evaluate the efficiency of certain management decision-making processes are
ordinarily not relevant to a financial statement audit.
.07
Relevant activities are those that provide evidence about the design
and effectiveness of controls that pertain to the entity’s ability to initiate, authorize,
record, process, and report financial data consistent with the assertions
embodied in the financial statements or that provide direct evidence about potential
misstatements of such data. The auditor may find the results of the following
procedures helpful in assessing the relevancy of internal audit activities:
a.
Considering knowledge from prior-year audits
b.
Reviewing how the internal auditors allocate their audit resources
to financial or operating areas in response to their risk-assessment
process
c.
Reading internal audit reports to obtain detailed information about
the scope of internal audit activities
[Revised, April 2002, to reflect conforming changes necessary due to the issuance
of Statement on Auditing Standards No. 94. Revised, March 2006, to
reflect conforming changes necessary due to the issuance of Statement on Auditing
Standards No. 106.]
.08
If, after obtaining an understanding of the internal audit function,
the auditor concludes that the internal auditors’ activities are not relevant to
the financial statement audit, the auditor does not have to give further consideration
to the internal audit function unless the auditor requests direct assistance
from the internal auditors as described in paragraph .27. Even if some
of the internal auditors’ activities are relevant to the audit, the auditor may
conclude that it would not be efficient to consider further the work of the internal
auditors. If the auditor decides that it would be efficient to consider how
the internal auditors’ work might affect the nature, timing, and extent of audit
3
Section 314,
Understanding the Entity and Its Environment and Assessing the Risks of Material
Misstatement
, describes the procedures the auditor follows to obtain an understanding of internal
control and indicates that the internal audit function is part of the entity’s monitoring component.
[Footnote revised, March 2006, to reflect conforming changes necessary due to the issuance of Statement
on Auditing Standards No. 109.]
AU §322.05
Auditor’s Consideration of Internal Audit Function
255
procedures, the auditor should assess the competence and objectivity of the internal
audit function in light of the intended effect of the internal auditors’ work
on the audit.
Assessing the Competence and Objectivity of the
Internal Auditors
Competence of the Internal Auditors
.09
When assessing the internal auditors’ competence, the auditor should
obtain or update information from prior years about such factors as—
•
Educational level and professional experience of internal auditors.
•
Professional certification and continuing education.
•
Audit policies, programs, and procedures.
•
Practices regarding assignment of internal auditors.
•
Supervision and review of internal auditors’ activities.
•
Quality of working-paper documentation, reports, and recommendations.
•
Evaluation of internal auditors’ performance.
Objectivity of the Internal Auditors
.10
When assessing the internal auditors’ objectivity, the auditor should
obtain or update information from prior years about such factors as—
•
The organizational status of the internal auditor responsible for the
internal audit function, including—
— Whether the internal auditor reports to an officer of sufficient status
to ensure broad audit coverage and adequate consideration of,
and action on, the findings and recommendations of the internal
auditors.
— Whether the internal auditor has direct access and reports regularly
to those charged with governance.
— Whether those charged with governance oversee employment decisions
related to the internal auditor.
•
Policies to maintain internal auditors’ objectivity about the areas
audited, including—
— Policies prohibiting internal auditors from auditing areas where relatives
are employed in important or audit-sensitive positions.
— Policies prohibiting internal auditors from auditing areas where
they were recently assigned or are scheduled to be assigned on completion
of responsibilities in the internal audit function.
[Revised, April 2007, to reflect conforming changes necessary due to the issuance
of Statement on Auditing Standards No. 114.]
Assessing Competence and Objectivity
.11
In assessing competence and objectivity, the auditor usually considers
information obtained from previous experience with the internal audit function,
from discussions with management personnel, and from a recent external quality
review, if performed, of the internal audit function’s activities. The auditor
AU §322.11
256
The Standards of Field Work
may also use professional internal auditing standards
4
as criteria in making
the assessment. The auditor also considers the need to test the effectiveness of
the factors described in paragraphs .09 and .10. The extent of such testing will
vary in light of the intended effect of the internal auditors’ work on the audit.
If the auditor determines that the internal auditors are sufficiently competent
and objective, the auditor should then consider how the internal auditors’ work
may affect the audit.
Effect of the Internal Auditors’ Work on the Audit
.12
The internal auditors’ work may affect the nature, timing, and extent
of the audit, including—
•
Procedures the auditor performs when obtaining an understanding of
the entity’s internal control (paragraph .13).
•
Procedures the auditor performs when assessing risk (paragraphs .14
through .16).
•
Substantive procedures the auditor performs (paragraph .17).
When the work of the internal auditors is expected to affect the audit, the guidance
in paragraphs .18 through .26 should be followed for considering the extent
of the effect, coordinating audit work with internal auditors, and evaluating and
testing the effectiveness of internal auditors’ work.
Understanding of Internal Control
.13
The auditor obtains a sufficient understanding of the design of controls
relevant to the audit of financial statements to plan the audit and to determine
whether they have been placed in operation. Since a primary objective of many
internal audit functions is to review, assess, and monitor controls, the procedures
performed by the internal auditors in this area may provide useful information
to the auditor. For example, internal auditors may develop a flowchart
of a new computerized sales and receivables system. The auditor may review
the flowchart to obtain information about the design of the related controls.
In addition, the auditor may consider the results of procedures performed by
the internal auditors on related controls to obtain information about whether
the controls have been placed in operation. [Revised, February 1997, to reflect
conforming changes necessary due to the issuance of Statement on Auditing
Standards No. 78.]
Risk Assessment
.14
The auditor assesses the risk of material misstatement at both the
financial-statement level and the account-balance or class-of-transaction level.
Financial-Statement Level
.15
At the financial-statement level, the auditor makes an overall assessment
of the risk of material misstatement. When making this assessment, the
auditor should recognize that certain controls may have a pervasive effect on
many financial statement assertions. The control environment and accounting
system often have a pervasive effect on a number of account balances and
transaction classes and therefore can affect many assertions. The auditor’s assessment
of risk at the financial-statement level often affects the overall audit
4
Standards have been developed for the professional practice of internal auditing by The Institute
of Internal Auditors and the General Accounting Office. These standards are meant to (
a
) impart
an understanding of the role and responsibilities of internal auditing to all levels of management,
boards of directors, public bodies, external auditors, and related professional organizations; (
b
) permit
measurement of internal auditing performance; and (
c
) improve the practice of internal auditing.
AU §322.12
Auditor’s Consideration of Internal Audit Function
257
strategy. The entity’s internal audit function may influence this overall assessment
of risk as well as the auditor’s resulting decisions concerning the nature,
timing, and extent of auditing procedures to be performed. For example, if the
internal auditors’ plan includes relevant audit work at various locations, the
auditor may coordinate work with the internal auditors (see paragraph .23)
and reduce the number of the entity’s locations at which the auditor would
otherwise need to perform auditing procedures.
Account-Balance or Class-of-Transaction Level
.16
At the account-balance or class-of-transaction level, the auditor performs
procedures to obtain and evaluate audit evidence concerning management’s
assertions. The auditor assesses control risk for each of the significant
assertions and performs tests of controls to support assessments below the
maximum. When planning and performing tests of controls, the auditor may
consider the results of procedures planned or performed by the internal auditors.
For example, the internal auditors’ scope may include tests of controls for
the completeness of accounts payable. The results of internal auditors’ tests
may provide appropriate information about the effectiveness of controls and
change the nature, timing, and extent of testing the auditor would otherwise
need to perform. [Revised, March 2006, to reflect conforming changes necessary
due to the issuance of Statement on Auditing Standards No. 105.]
Substantive Procedures
.17
Some procedures performed by the internal auditors may provide direct
evidence about material misstatements in assertions about specific account
balances or classes of transactions. For example, the internal auditors, as part
of their work, may confirm certain accounts receivable and observe certain
physical inventories. The results of these procedures can provide evidence the
auditor may consider in restricting detection risk for the related assertions.
Consequently, the auditor may be able to change the timing of the confirmation
procedures, the number of accounts receivable to be confirmed, or the number
of locations of physical inventories to be observed.
Extent of the Effect of the Internal Auditors’ Work
.18
Even though the internal auditors’ work may affect the auditor’s procedures,
the auditor should perform procedures to obtain sufficient appropriate
audit evidence to support the auditor’s report. Evidence obtained through the
auditor’s direct personal knowledge, including physical examination, observation,
computation, and inspection, is generally more persuasive than information
obtained indirectly. [Revised, March 2006, to reflect conforming changes
necessary due to the issuance of Statement on Auditing Standards No. 105.]
5
.19
The responsibility to report on the financial statements rests solely
with the auditor. Unlike the situation in which the auditor uses the work of
other independent auditors,
6
this responsibility cannot be shared with the internal
auditors. Because the auditor has the ultimate responsibility to express
an opinion on the financial statements, judgments about assessments of inherent
and control risks, the materiality of misstatements, the sufficiency of
tests performed, the evaluation of significant accounting estimates, and other
matters affecting the auditor’s report should always be those of the auditor.
5
See section 326, Audit Evidence
, paragraph .13. [Footnote revised, March 2006, to reflect conforming
changes necessary due to the issuance of Statement on Auditing Standards No. 106.]
6
See section 543, Part of Audit Performed by Other Independent Auditors
.
AU §322.19
258
The Standards of Field Work
.20
In making judgments about the extent of the effect of the internal
auditors’ work on the auditor’s procedures, the auditor considers—
a.
The materiality of financial statement amounts—that is, account balances
or classes of transactions.
b.
The risk (consisting of inherent risk and control risk) of material
misstatement of the assertions related to these financial statement
amounts.
c.
The degree of subjectivity involved in the evaluation of the audit evidence
gathered in support of the assertions.
7
As the materiality of the financial statement amounts increases and either the
risk of material misstatement or the degree of subjectivity increases, the need
for the auditor to perform his or her own tests of the assertions increases. As
these factors decrease, the need for the auditor to perform his or her own tests
of the assertions decreases.
.21
For assertions related to material financial statement amounts where
the risk of material misstatement or the degree of subjectivity involved in the
evaluation of the audit evidence is high, the auditor should perform sufficient
procedures to fulfill the responsibilities described in paragraphs .18 and .19.
In determining these procedures, the auditor gives consideration to the results
of work (either tests of controls or substantive tests) performed by internal
auditors on those particular assertions. However, for such assertions, the consideration
of internal auditors’ work cannot alone reduce audit risk to an acceptable
level to eliminate the necessity to perform tests of those assertions
directly by the auditor. Assertions about the valuation of assets and liabilities
involving significant accounting estimates, and about the existence and disclosure
of related-party transactions, contingencies, uncertainties, and subsequent
events, are examples of assertions that might have a high risk of material
misstatement or involve a high degree of subjectivity in the evaluation of audit
evidence.
.22
On the other hand, for certain assertions related to less material financial
statement amounts where the risk of material misstatement or the
degree of subjectivity involved in the evaluation of the audit evidence is low,
the auditor may decide, after considering the circumstances and the results of
work (either tests of controls or substantive tests) performed by internal auditors
on those particular assertions, that audit risk has been reduced to an
acceptable level and that testing of the assertions directly by the auditor may
not be necessary. Assertions about the existence of cash, prepaid assets, and
fixed-asset additions are examples of assertions that might have a low risk of
material misstatement or involve a low degree of subjectivity in the evaluation
of audit evidence.
Coordination of the Audit Work With Internal Auditors
.23
If the work of the internal auditors is expected to have an effect on
the auditor’s procedures, it may be efficient for the auditor and the internal
auditors to coordinate their work by—
•
Holding periodic meetings.
•
Scheduling audit work.
•
Providing access to internal auditors’ working papers.
7
For some assertions, such as existence and occurrence, the evaluation of audit evidence is generally
objective. More subjective evaluation of the audit evidence is often required for other assertions,
such as the valuation and disclosure assertions.
AU §322.20
Auditor’s Consideration of Internal Audit Function
259
•
Reviewing audit reports.
•
Discussing possible accounting and auditing issues.
Evaluating and Testing the Effectiveness of Internal
Auditors’ Work
.24
The auditor should perform procedures to evaluate the quality and
effectiveness of the internal auditors’ work, as described in paragraphs .12
through .17, that significantly affects the nature, timing, and extent of the auditor’s
procedures. The nature and extent of the procedures the auditor should
perform when making this evaluation are a matter of judgment depending on
the extent of the effect of the internal auditors’ work on the auditor’s procedures
for significant account balances or classes of transactions.
.25
In developing the evaluation procedures, the auditor should consider
such factors as whether the internal auditors’—
•
Scope of work is appropriate to meet the objectives.
•
Audit programs are adequate.
•
Working papers adequately document work performed, including evidence
of supervision and review.
•
Conclusions are appropriate in the circumstances.
•
Reports are consistent with the results of the work performed.
.26
In making the evaluation, the auditor should test some of the internal
auditors’ work related to the significant financial statement assertions. These
tests may be accomplished by either (
a
) examining some of the controls, transactions,
or balances that the internal auditors examined or (
b
) examining similar
controls, transactions, or balances not actually examined by the internal auditors.
In reaching conclusions about the internal auditors’ work, the auditor
should compare the results of his or her tests with the results of the internal
auditors’ work. The extent of this testing will depend on the circumstances and
should be sufficient to enable the auditor to make an evaluation of the overall
quality and effectiveness of the internal audit work being considered by the
auditor.
Using Internal Auditors to Provide Direct Assistance to
the Auditor
.27
In performing the audit, the auditor may request direct assistance from
the internal auditors. This direct assistance relates to work the auditor specifically
requests the internal auditors to perform to complete some aspect of the
auditor’s work. For example, internal auditors may assist the auditor in obtaining
an understanding of internal control or in performing tests of controls
or substantive tests, consistent with the guidance about the auditor’s responsibility
in paragraphs .18 through .22. When direct assistance is provided, the
auditor should assess the internal auditors’ competence and objectivity (see
paragraphs .09 through .11) and supervise,
8
review, evaluate, and test the work
performed by internal auditors to the extent appropriate in the circumstances.
The auditor should inform the internal auditors of their responsibilities, the
8
See section 311, Planning and Supervision
, paragraphs .28 through .32, for the type of supervisory
procedures to apply. [Footnote revised, March 2006, to reflect conforming changes necessary due
to the issuance of Statement on Auditing Standards No. 108.]
AU §322.27
260
The Standards of Field Work
objectives of the procedures they are to perform, and matters that may affect
the nature, timing, and extent of audit procedures, such as possible accounting
and auditing issues. The auditor should also inform the internal auditors that
all significant accounting and auditing issues identified during the audit should
be brought to the auditor’s attention.
Effective Date
.28
This section is effective for audits of financial statements for periods
ending after December 15, 1991. Early application of the provisions of this
section is permissible.
AU §322.28
Auditor’s Consideration of Internal Audit Function
261
.29
Appendix
The Auditor’s Consideration of the Internal Audit Function
in an Audit of Financial Statements
AU §322.29
