An amendment to paragraph .19 has been adopted by the PCAOB and approved by the U.S. Securities and Exchange Commission. The standard as amended will be effective for audits of financial statements for fiscal years ending on or after December 15, 2024. See PCAOB Release No. 2022-002, SEC Release No. 34-95488. View the standard as amended.
Summary Table of Contents
- .02 Roles of the Auditor and the Internal Auditors
- .04 Obtaining an Understanding of the Internal Audit Function
- .09 Assessing the Competence and Objectivity of the Internal Auditors
- .12 Effect of the Internal Auditors' Work on the Audit
- .18 Extent of the Effect of the Internal Auditors' Work
- .23 Coordination of the Audit Work With Internal Auditors
- .24 Evaluating and Testing the Effectiveness of Internal Auditors' Work
- .27 Using Internal Auditors to Provide Direct Assistance to the Auditor
- .28 Effective Date
- .29 Appendix - Consideration of the Internal Audit Function
.01 The auditor considers many factors in determining the nature, timing, and extent of auditing procedures to be performed in an audit of an entity's financial statements. One of the factors is the existence of an internal audit function.1 This section provides the auditor with guidance on considering the work of internal auditors and on using internal auditors to provide direct assistance to the auditor in an audit performed in accordance with the standards of the PCAOB.
Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer to paragraphs .16-.19 ofAS 2201, An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements, for discussion on using the work of others to alter the nature, timing, and extent of the work that otherwise would have been performed to test controls.
.02 One of the auditor's responsibilities in an audit conducted in accordance with the standards of the PCAOB is to obtain sufficient appropriate evidential matter to provide a reasonable basis for the opinion on the entity's financial statements. In fulfilling this responsibility, the auditor maintains independence from the entity.2
.03 Internal auditors are responsible for providing analyses, evaluations, assurances, recommendations, and other information to the entity's management and board of directors or to others with equivalent authority and responsibility. To fulfill this responsibility, internal auditors maintain objectivity with respect to the activity being audited.
.04 An important responsibility of the internal audit function is to monitor the performance of an entity's controls. When obtaining an understanding of internal control,3 the auditor should obtain an understanding of the internal audit function sufficient to identify those internal audit activities that are relevant to planning the audit. The extent of the procedures necessary to obtain this understanding will vary, depending on the nature of those activities.
- Organizational status within the entity.
- Application of professional standards (see paragraph .11).
- Audit plan, including the nature, timing, and extent of audit work.
- Access to records and whether there are limitations on the scope of their activities.
In addition, the auditor might inquire about the internal audit function's charter, mission statement, or similar directive from management or the board of directors. This inquiry will normally provide information about the goals and objectives established for the internal audit function.
.06 Certain internal audit activities may not be relevant to an audit of the entity's financial statements. For example, the internal auditors' procedures to evaluate the efficiency of certain management decision-making processes are ordinarily not relevant to a financial statement audit.
.07 Relevant activities are those that provide evidence about the design and effectiveness of controls that pertain to the entity's ability to initiate, record, process, and report financial data consistent with the assertions embodied in the financial statements or that provide direct evidence about potential misstatements of such data. The auditor may find the results of the following procedures helpful in assessing the relevancy of internal audit activities:
- Considering knowledge from prior-year audits
- Reviewing how the internal auditors allocate their audit resources to financial or operating areas in response to their risk-assessment process
- Reading internal audit reports to obtain detailed information about the scope of internal audit activities
.08 If, after obtaining an understanding of the internal audit function, the auditor concludes that the internal auditors' activities are not relevant to the financial statement audit, the auditor does not have to give further consideration to the internal audit function unless the auditor requests direct assistance from the internal auditors as described in paragraph .27. Even if some of the internal auditors' activities are relevant to the audit, the auditor may conclude that it would not be efficient to consider further the work of the internal auditors. If the auditor decides that it would be efficient to consider how the internal auditors' work might affect the nature, timing, and extent of audit procedures, the auditor should assess the competence and objectivity of the internal audit function in light of the intended effect of the internal auditors' work on the audit.
Competence of the Internal Auditors
- Educational level and professional experience of internal auditors.
- Professional certification and continuing education.
- Audit policies, programs, and procedures.
- Practices regarding assignment of internal auditors.
- Supervision and review of internal auditors' activities.
- Quality of working-paper documentation, reports, and recommendations.
- Evaluation of internal auditors' performance.
- The organizational status of the internal auditor responsible for the internal audit function, including—
- Whether the internal auditor reports to an officer of sufficient status to ensure broad audit coverage and adequate consideration of, and action on, the findings and recommendations of the internal auditors.
- Whether the internal auditor has direct access and reports regularly to the board of directors, the audit committee, or the owner-manager.
- Whether the board of directors, the audit committee, or the owner-manager oversees employment decisions related to the internal auditor.
- Policies to maintain internal auditors' objectivity about the areas audited, including—
- Policies prohibiting internal auditors from auditing areas where relatives are employed in important or audit-sensitive positions.
- Policies prohibiting internal auditors from auditing areas where they were recently assigned or are scheduled to be assigned on completion of responsibilities in the internal audit function.
.11 In assessing competence and objectivity, the auditor usually considers information obtained from previous experience with the internal audit function, from discussions with management personnel, and from a recent external quality review, if performed, of the internal audit function's activities. The auditor may also use professional internal auditing standards4 as criteria in making the assessment. The auditor also considers the need to test the effectiveness of the factors described in paragraphs .09 and .10. The extent of such testing will vary in light of the intended effect of the internal auditors' work on the audit. If the auditor determines that the internal auditors are sufficiently competent and objective, the auditor should then consider how the internal auditors' work may affect the audit.
- Procedures the auditor performs when obtaining an understanding of the entity's internal control (paragraph .13).
- Procedures the auditor performs when assessing risk (paragraphs .14 through .16).
- Substantive procedures the auditor performs (paragraph .17).
When the work of the internal auditors is expected to affect the audit, the guidance in paragraphs .18 through .26 should be followed for considering the extent of the effect, coordinating audit work with internal auditors, and evaluating and testing the effectiveness of internal auditors' work.
.13 The auditor obtains a sufficient understanding of the design of controls relevant to the audit of financial statements to plan the audit and to determine whether they have been placed in operation. Since a primary objective of many internal audit functions is to review, assess, and monitor controls, the procedures performed by the internal auditors in this area may provide useful information to the auditor. For example, internal auditors may develop a flowchart of a new computerized sales and receivables system. The auditor may review the flowchart to obtain information about the design of the related controls. In addition, the auditor may consider the results of procedures performed by the internal auditors on related controls to obtain information about whether the controls have been placed in operation.
.15 At the financial-statement level, the auditor makes an overall assessment of the risk of material misstatement. When making this assessment, the auditor should recognize that certain controls may have a pervasive effect on many financial statement assertions. The control environment and accounting system often have a pervasive effect on a number of account balances and transaction classes and therefore can affect many assertions. The auditor's assessment of risk at the financial-statement level often affects the overall audit strategy. The entity's internal audit function may influence this overall assessment of risk as well as the auditor's resulting decisions concerning the nature, timing, and extent of auditing procedures to be performed. For example, if the internal auditors' plan includes relevant audit work at various locations, the auditor may coordinate work with the internal auditors (see paragraph .23) and reduce the number of the entity's locations at which the auditor would otherwise need to perform auditing procedures.
.16 At the account-balance or class-of-transaction level, the auditor performs procedures to obtain and evaluate evidential matter concerning management's assertions. The auditor assesses control risk for each of the relevant financial statement assertions related to all significant accounts and disclosures in the financial statements and performs tests of controls to support assessments below the maximum. When planning and performing tests of controls, the auditor may consider the results of procedures planned or performed by the internal auditors. For example, the internal auditors' scope may include tests of controls for the completeness of accounts payable. The results of internal auditors' tests may provide appropriate information about the effectiveness of controls and change the nature, timing, and extent of testing the auditor would otherwise need to perform.
.17 Some procedures performed by the internal auditors may provide direct evidence about material misstatements in assertions about specific account balances or classes of transactions. For example, the internal auditors, as part of their work, may confirm certain accounts receivable and observe certain physical inventories. The results of these procedures can provide evidence the auditor may consider in restricting detection risk for the related assertions. Consequently, the auditor may be able to change the timing of the confirmation procedures, the number of accounts receivable to be confirmed, or the number of locations of physical inventories to be observed.
.18 Even though the internal auditors' work may affect the auditor's procedures, the auditor should perform procedures to obtain sufficient, appropriate evidential matter to support the auditor's report. Evidence obtained through the auditor's direct personal knowledge, including physical examination, observation, computation, and inspection, is generally more persuasive than information obtained indirectly.5
.19 The responsibility to report on the financial statements rests solely with the auditor. Unlike the situation in which the auditor uses the work of other independent auditors,6 this responsibility cannot be shared with the internal auditors. Because the auditor has the ultimate responsibility to express an opinion on the financial statements, judgments about assessments of inherent and control risks, the materiality of misstatements, the sufficiency of tests performed, the evaluation of significant accounting estimates, and other matters affecting the auditor's report should always be those of the auditor.
- The materiality of financial statement amounts—that is, account balances or classes of transactions.
- The risk (consisting of inherent risk and control risk) of material misstatement of the assertions related to these financial statement amounts.
- The degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions.7
As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity increases, the need for the auditor to perform his or her own tests of the assertions increases. As these factors decrease, the need for the auditor to perform his or her own tests of the assertions decreases.
.21 For assertions related to material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is high, the auditor should perform sufficient procedures to fulfill the responsibilities described in paragraphs .18 and .19. In determining these procedures, the auditor gives consideration to the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions. However, for such assertions, the consideration of internal auditors' work cannot alone reduce audit risk to an acceptable level to eliminate the necessity to perform tests of those assertions directly by the auditor. Assertions about the valuation of assets and liabilities involving significant accounting estimates, and about the existence and disclosure of related-party transactions, contingencies, uncertainties, and subsequent events, are examples of assertions that might have a high risk of material misstatement or involve a high degree of subjectivity in the evaluation of audit evidence.
.22 On the other hand, for certain assertions related to less material financial statement amounts where the risk of material misstatement or the degree of subjectivity involved in the evaluation of the audit evidence is low, the auditor may decide, after considering the circumstances and the results of work (either tests of controls or substantive tests) performed by internal auditors on those particular assertions, that audit risk has been reduced to an acceptable level and that testing of the assertions directly by the auditor may not be necessary. Assertions about the existence of cash, prepaid assets, and fixed-asset additions are examples of assertions that might have a low risk of material misstatement or involve a low degree of subjectivity in the evaluation of audit evidence.
Note: When performing an integrated audit of financial statements and internal control over financial reporting, refer toAS 2201.18-.19, regarding assessing the interrelationship of the nature of the controls and the competence and objectivity of those who performed the work.
- Holding periodic meetings.
- Scheduling audit work.
- Providing access to internal auditors' working papers.
- Reviewing audit reports.
- Discussing possible accounting and auditing issues.
.24 The auditor should perform procedures to evaluate the quality and effectiveness of the internal auditors' work, as described in paragraphs .12 through .17, that significantly affects the nature, timing, and extent of the auditor's procedures. The nature and extent of the procedures the auditor should perform when making this evaluation are a matter of judgment depending on the extent of the effect of the internal auditors' work on the auditor's procedures for significant account balances or classes of transactions.
- Scope of work is appropriate to meet the objectives.
- Audit programs are adequate.
- Working papers adequately document work performed, including evidence of supervision and review.
- Conclusions are appropriate in the circumstances.
- Reports are consistent with the results of the work performed.
.26 In making the evaluation, the auditor should test some of the internal auditors' work related to the significant financial statement assertions. These tests may be accomplished by either (a) examining some of the controls, transactions, or balances that the internal auditors examined or (b) examining similar controls, transactions, or balances not actually examined by the internal auditors. In reaching conclusions about the internal auditors' work, the auditor should compare the results of his or her tests with the results of the internal auditors' work. The extent of this testing will depend on the circumstances and should be sufficient to enable the auditor to make an evaluation of the overall quality and effectiveness of the internal audit work being considered by the auditor.
.27 In performing the audit, the auditor may request direct assistance from the internal auditors. This direct assistance relates to work the auditor specifically requests the internal auditors to perform to complete some aspect of the auditor's work. For example, internal auditors may assist the auditor in obtaining an understanding of internal control or in performing tests of controls or substantive tests, consistent with the guidance about the auditor's responsibility in paragraphs .18 through .22. When direct assistance is provided, the auditor should assess the internal auditors' competence and objectivity ( see paragraphs .09 through .11) and supervise,8 review, evaluate, and test the work performed by internal auditors to the extent appropriate in the circumstances. The auditor should inform the internal auditors of their responsibilities, the objectives of the procedures they are to perform, and matters that may affect the nature, timing, and extent of audit procedures, such as possible accounting and auditing issues. The auditor should also inform the internal auditors that all significant accounting and auditing issues identified during the audit should be brought to the auditor's attention.
Footnotes (AS 2605 - Consideration of the Internal Audit Function):
1An internal audit function may consist of one or more individuals who perform internal auditing activities within an entity. This section is not applicable to personnel who have the title internal auditor but who do not perform internal auditing activities as described herein.
2Although internal auditors are not independent from the entity, The Institute of Internal Auditors' Standards for the Professional Practice of Internal Auditing defines internal auditing as an independent appraisal function and requires internal auditors to be independent of the activities they audit. This concept of independence is different from the independence the auditor maintains under the PCAOB Rule 3520, Auditor Independence.
3AS 2110, Identifying and Assessing Risks of Material Misstatement, describes the procedures the auditor performs to obtain an understanding of internal control over financial reporting.
4Standards have been developed for the professional practice of internal auditing by The Institute of Internal Auditors and the General Accounting Office. These standards are meant to (a) impart an understanding of the role and responsibilities of internal auditing to all levels of management, boards of directors, public bodies, external auditors, and related professional organizations; (b) permit measurement of internal auditing performance; and (c) improve the practice of internal auditing.
5See paragraph .08 of AS 1105, Audit Evidence.
6See AS 1205, Part of the Audit Performed by Other Independent Auditors.
7For some assertions, such as existence and occurrence, the evaluation of audit evidence is generally objective. More subjective evaluation of the audit evidence is often required for other assertions, such as the valuation and disclosure assertions.
8See AS 1201, Supervision of the Audit Engagement, for the type of supervisory procedures to apply.