AS 1210: Relying on the Internal Audit Function

Auditing Standard 1210, issued by the Public Company Accounting Oversight Board (PCAOB), provides a framework for external auditors of public companies. It governs how independent auditors can incorporate work from a company’s internal audit function into their external audit. The standard’s purpose is to allow for audit efficiencies by leveraging the internal team’s efforts without compromising the external auditor’s independence or the overall quality of the audit. This ensures that any reliance is justified and does not transfer the external auditor’s responsibilities, while the external auditor maintains professional skepticism and makes all final judgments.

Evaluating the Internal Audit Function

Before an external auditor can use work from a company’s internal auditors, the standard mandates a rigorous evaluation of the internal audit function itself. This assessment is a detailed review centered on two main pillars: competence and objectivity. The conclusions drawn from this evaluation directly dictate the extent to which the external auditor can rely on the internal team’s work.

The first pillar, competence, refers to the collective capability of the internal audit team to perform their duties effectively. External auditors must investigate several factors to make this determination. This includes reviewing the educational backgrounds and professional certifications of the staff, such as Certified Internal Auditor (CIA) or Certified Public Accountant (CPA). They also assess the team’s experience within the specific industry and the quality of their ongoing training programs.

Assessing competence also involves the external auditor examining the internal audit department’s hiring policies and performance evaluation processes. They look for evidence that the department prioritizes technical proficiency and professional development. The external auditor might also review the internal audit plan and past work papers to gauge the complexity of assignments the team has handled and the quality of their documentation.

The second pillar, objectivity, focuses on the internal auditors’ ability to perform their tasks without bias. A primary indicator of objectivity is the organizational structure and the reporting lines of the internal audit function. The external auditor must assess to whom the chief audit executive reports; reporting to the audit committee of the board of directors is a strong indicator of objectivity, as it places the function outside the influence of management.

To further evaluate objectivity, the external auditor reviews policies designed to prevent conflicts of interest. This includes rules that prohibit internal auditors from auditing areas where they have recently worked or where relatives are employed. The auditor also considers if management can unduly restrict the scope of internal audits, which may impair objectivity. The external auditor must be satisfied that the internal auditors can act impartially.

Using Internal Audit Work as Audit Evidence

Once the external auditor has favorably evaluated the internal audit function, they may consider using the internal auditors’ completed work as part of their own audit evidence. The external auditor must first assess the risk of material misstatement for the specific financial statement accounts and disclosures being considered. Reliance on internal audit work is more acceptable for areas determined to have a lower risk.

The decision to use internal audit work involves a direct link between the initial evaluation and the degree of reliance. If the internal audit function was deemed to have high levels of competence and objectivity, the external auditor might place more reliance on their work. For every area where reliance is contemplated, the external auditor must perform procedures to evaluate the quality of the specific work performed by the internal auditors by reviewing their work papers.

A central requirement of the standard is that the external auditor must re-perform some of the tests conducted by the internal auditors. This re-performance is a sample-based test to validate the internal auditors’ findings, not a full re-audit of the area. The extent of this re-performance is directly influenced by the assessed risk of material misstatement and the evaluation of the internal audit function.

This re-performance serves as a direct check on the quality of the internal audit work. For example, if the internal auditors tested the operating effectiveness of 50 purchase order controls, the external auditor might select a small subset of those same controls and re-perform the exact tests. If the external auditor’s results align with the internal auditors’ findings, it provides strong evidence supporting the decision to rely on their work. Any discrepancies would require further investigation.

Receiving Direct Assistance from Internal Auditors

Beyond using the completed work of internal auditors, the standard provides a framework for receiving direct assistance. In this scenario, internal auditors perform specific audit tasks at the direction and under the supervision of the external auditor. This is distinct from using their pre-existing work because the tasks are integrated directly into the external audit plan for the external auditor’s purposes.

When using internal auditors for direct assistance, the external auditor retains full responsibility for the work performed. This means they must direct, supervise, and review the activities of the internal auditors as if they were members of the external audit engagement team. The external auditor is required to clearly communicate the objectives of the procedures, key matters that could affect the procedures, and the expected documentation standards.

Before any work begins, the standard requires the external auditor to obtain specific written acknowledgments. The internal auditors who will be providing the assistance must provide a written confirmation that they will follow the external auditor’s instructions. This document also confirms they will not be influenced by management, which helps to formally establish their accountability to the external audit team.

Simultaneously, the external auditor must obtain a written acknowledgment from an appropriate level of company management. This letter must state that management will not interfere with the work the internal auditors are performing for the external auditor. These formal communications are designed to safeguard the integrity of the direct assistance arrangement and reinforce the objectivity of the internal auditors involved.

Prohibited Areas of Reliance

The standard establishes firm boundaries on the extent to which an external auditor can rely on the internal audit function, regardless of how competent or objective the function is deemed to be. These prohibitions are in place to protect the external auditor’s independence and ensure they retain ultimate responsibility for the audit opinion. The standard explicitly forbids using either the work of internal auditors or their direct assistance for procedures that form the basis of the external auditor’s own judgments.

The external auditor cannot delegate work that involves making significant judgments in the audit. This includes tasks such as assessing the risk of material misstatement, evaluating the sufficiency of audit evidence gathered, or testing the valuation of complex and subjective accounting estimates like goodwill. Furthermore, reliance is prohibited for procedures related to high-risk areas where the auditor’s judgment is the principal factor in reaching a conclusion, such as testing controls that are critical to addressing a significant fraud risk.

Decisions about the overall effectiveness of the company’s internal control over financial reporting must also be made by the external auditor. These limitations ensure that the external auditor does not outsource their core responsibilities. The prohibitions outlined in the standard serve as a safeguard, ensuring that the audit opinion is the product of the independent auditor’s own work and professional judgment.