Can external auditors use the work of internal auditors?

Internal audit refers to the department located within a business that monitors the efficacy of its processes and controls. The internal audit function is especially necessary in larger organizations with high levels of process complexity, where it is easier for process failures and control breaches to occur.

What is an External Audit?

An external audit is an examination that is conducted by an independent accountant. This type of audit is most commonly intended to result in a certification of the financial statements of an entity. This certification is required by certain investors and lenders, and for all publicly-held businesses.

Comparing Internal and External Audits

There are multiple differences between the internal audit and external audit functions, which are as follows:

• Internal auditors are company employees, while external auditors work for an outside audit firm.

• Internal auditors are hired by the company, while external auditors are appointed by a shareholder vote.

• Internal auditors do not have to be CPAs, while a CPA must direct the activities of the external auditors.

• Internal auditors are responsible to management, while external auditors are responsible to the shareholders.

• Internal auditors can issue their findings in any type of report format, while external auditors must use specific formats for their audit opinions and management letters.

• Internal audit reports are used by management, while external audit reports are used by stakeholders, such as investors, creditors, and lenders.

• Internal auditors can be used to provide advice and other consulting assistance to employees, while external auditors are constrained from supporting an audit client too closely.

• Internal auditors will examine issues related to company business practices and risks, while external auditors examine the financial records and issue an opinion regarding the financial statements of the company.

• Internal audits are conducted throughout the year, while external auditors conduct a single annual audit. If a client is publicly-held, external auditors will also provide review services three times per year.

In short, the two functions share one word in their names, but are otherwise quite different. Larger organizations typically have both functions, thereby ensuring that their records, processes, and financial statements are closely examined at regular intervals.

External audit and internal audit are clearly separate and distinct in their respective functions and duties but there should be regular communication between the two. In this the second of two articles, I look at the working relationship between the internal auditor and the external auditor.

1. Statutory right of access by an auditor

An auditor of a company (this refers to the external auditor) has a right of access to information (Companies Act 2006, section 499) and this would include finalised internal audit reports, the supporting working papers and the right to obtain information and explanations from any employee and officer, including internal auditors, of the company.

The internal audit function should also have an unrestricted right of access to all information, explanations and records required to carry out their work. This right should be clearly stated in the organisation’s internal audit charter approved by the audit committee.

2. Under International Standards on Auditing (ISAs) (UK)

The relationship is described in several of the ISAs (UK) - namely ISAs  240, 315, 600, and above all, ISA(UK) 610.

• ISA(UK) 240: The auditor’s responsibilities relating to fraud in an audit of financial statements, states in paragraph 19 that “For those entities that have an internal audit function, the auditor shall make inquiries of appropriate individuals within the function to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud.”

Internal audit may also be able to provide insight in relation to weaknesses in counter-fraud controls and/or fraud risk indicators within the organisation.

• ISA (UK) 315: Identifying and assessing the risks of material misstatement through understanding of the entity and its environment, states in paragraph 23: “If the entity has an internal audit function, the auditor shall obtain an understanding of the nature of the internal audit function’s responsibilities, its organisational status, and the activities performed, or to be performed.”

The external auditor will want to know as a minimum the following regarding the internal audit function:

• Is there an internal audit charter?
• What is the size of the internal audit section?
• Qualifications and continuous professional development of the internal audit staff.
• Reporting structure to management.
• Details about the audit committee, if one exists.
• Annual audit plan and performance against that plan.

The external auditor will also want to read copies of the reports issued during that financial year and meet with the Chief Internal Auditor, or equivalent.

• ISA(UK) 610: Using the work of internal auditors, contains an important proviso at the beginning of the standard that “Nothing in this ISA(UK) requires the external auditor to use the work of the internal audit function to modify the nature or timing, or reduce the extent, of audit procedures to be performed directly by the external auditor; it remains a decision of the external auditor in establishing the overall audit strategy.”

Paragraphs 21 to 25 of ISA (UK) 610 state that “If the external auditor plans to use the work of the internal audit function, the external auditor shall discuss the planned use of its work with the function as a basis for coordinating their respective activities.”

ISA(UK) 610 places restrictions on how far the external auditors can place reliance on work carried out by internal audit. The use of direct assistance is prohibited per Para 5-1 of ISA(UK) 610 which states that “The use of internal auditors to provide direct assistance is prohibited in an audit conducted in accordance with ISAs(UK)”.

Direct assistance is defined in the International Auditing and Assurance Standards Board as: “the use of internal auditors to perform audit procedures under the direction, supervision and review of the external auditors”. Paragraph 30 of ISA (UK) 610 states that “the external auditor shall not use internal auditors to provide direct assistance to perform procedures that:

• Involve making significant judgements in the audit
• Relate to higher assessed risks of material misstatement where the judgement required in performing the relevant audit procedures or evaluating the audit evidence gathered is more than limited.
• Relate to work with which the internal auditors have been involved and which has already been or will be reported to management or those charged with governance by the internal audit function.
• Relate to decisions the external auditor makes in accordance with the ISA(UK) regarding the internal audit function and the use of its work or direct assistance.

For example, if stock/inventory is a material item, and is considered by the external auditor to be an area of higher risk, it would be acceptable for the external auditor to request that internal audit review the processes and controls relating to stock management, but it would not be appropriate for them to request that internal audit assess the adequacy of stock provisions as this would involve more than limited judgement.

3. Advantages of coordination and collaboration between external and internal audit 

• Close communication and planning ensures that audit resources can be directed towards the area of most need i.e. high-risk areas of the organisation. This means that internal audit can plan their work to minimise duplication with external audit testing and to provide assurance over those systems and controls on which external audit may wish to place reliance, subject to appropriate review procedures being applied.
• The audit teams can plan the timing of their work to minimise disruption and interference with key members of staff.
• The audit team can share intelligence on key events, changes and plans that may impact on the risk profile of the organisation and therefore, on their work.

4. Challenges that may arise within a collaboration between external and internal audit

• The Head of Internal Audit must balance requests from external audit against the need to provide appropriate coverage over the organisation’s key risk areas, to enable them to provide an annual opinion. This may result in high demand for limited resources and the Head of Internal Audit will need to ensure appropriate compromises are reached.
• A close relationship with external audit may cause a shift in the perception of internal audit from being a critical friend to a policing function. It is crucial for internal audit to retain the trust of the management team and staff so that they can perform their work effectively.

5. Examples of good practice of effective communication between external and internal audit

To have a smooth working relationship between the two sets of auditors, it is crucial that there is effective and regular communication between the Chief Internal Auditor (or senior team member) and the External Auditor (e.g. the audit engagement partner or one of the senior team members). This will be helped by:

Can external auditor rely on internal audit work?

Can the external auditor use and rely on the work of the internal auditor to reduce his testing and costs?

Can an auditor use the work of another auditor?

Is it wise for an external auditors to use others work internal auditors and experts for audit purpose?