The internal audit function is most likely to be relevant for the external auditor if the responsibility assigned to the internal auditor is related to the entity’s financial reporting and other internal control related processes on which the external audit will rely while conducting his audit. Certain internal audit activities may not be relevant to an audit of the entity’s financial statements, for example, the internal auditors’ procedures to evaluate the efficiency of certain management decision-making processes are ordinarily not relevant to a financial statement audit.
While determining whether the work of the internal auditor is relevant and adequate for the purpose of the audit, the external auditor has to evaluate parameters set out in the table below:
The external auditor would need to consider the materiality of the account balances or classes of transactions which were covered by internal audit, the risk of material misstatement of the assertions related thereto and the degree of subjectivity involved in the evaluation of the audit evidence gathered in support of the assertions. As the materiality of the financial statement amounts increases and either the risk of material misstatement or the degree of subjectivity increases, the need for the auditor to perform his or her own tests of the assertions increases. Where an auditor elects to use the work of internal audit, audit documentation prepared by him should include the auditor’s evaluation of internal audit, the nature and extent of the work used and the basis for that decision, the audit procedures performed by the auditor to evaluate the adequacy of the work used, and an overall evaluation of the evidence obtained. The nature and extent of the procedures the auditor would perform when making this evaluation is a matter of judgment. Ordinarily, an external auditor should not use the work of internal audit when performing procedures related to controls that have a higher risk of failure (e.g., internal controls intended to address assertions where a significant judgment or a risk of fraud has been identified).
Unlike in situations of branch audits or audits of subsidiaries for the purpose of consolidation where an external auditor has the latitude of using and relying on the work of other independent auditors, he does not have the same autonomy as far as using the work of internal auditors is concerned. The external auditor remains solely responsible for the audit opinion issued on the financial statements audited by him. At the same time, it is not obligatory for the auditor to rely on the work performed by internal audit.
We will consider two case studies to understand the above concepts:
Case Study 1 – Relevance of Internal Audit function to the External Auditor
Background
LMN Private limited is a company which is engaged in the business of travel and tourism. The management has constituted an in-house internal audit function. The scope of internal audit as decided by the management includes the following:
1) Monitoring the controls over bookings from customers and recording of revenue in the ERP system.
2) Review of the monthly, quarterly and yearly financial statements prepared by the company and. verifying that these comply with the financial reporting framework
3) Verifying the process of pre-departure formalities necessary to be completed like insurance and visa application to ensure compliance with the processes set out in the procedure manual of the company.
4) R eview of contracts entered into with the vendors who provide services to the company including hotels and coordinators for transfers. Ensure that the standard operating procedures for vendor selection as set by the management have been followed.
5) Verifying the process of background verification of the employees joining the company.
PMR and Associates (PMR) have been appointed as the statutory auditors of the company. Which of the above would be relevant and adequate to the work conducted by PMR?
Analysis
As per SA 610 ‘Using the work of the internal auditors’, the external auditor may use the work performed by the internal auditor if he considers it relevant to his audit. Some procedures performed by the internal auditor may impact the nature or timing or extent of the work performed curtailing his planned work for a particular area during the course of audit. In the given scenarios, factors that could be considered in evaluating the relevance of the scope of internal audit function have been explained below.
1) T he work performed by the internal audit function could be used by the external auditor to understand the process over tour bookings and revenue recognition. If there are significant internal control issues identified by the internal auditor, these could be factored in by the external auditor to modify the procedures that he would perform to test revenue. The external auditor may examine some of the controls or transactions that the internal auditors examined or examine similar controls or transactions not actually examined by the internal auditors. In reaching conclusions about the internal auditors’ work, the auditor should compare the results of his tests with the results of the internal auditors’ work.
2) Though the review of the monthly, quarterly and yearly financial statements by the internal audit team is directly related to the financial reporting process, the external auditor cannot merely rely on the work performed by the internal auditor. His review of the financial statements and assurance of compliance with financial reporting framework remains independent of the review performed by the internal auditor. However, the external auditor should be wary of control lapses in the accounts closing process, if any, which have been identified by the internal auditor and ensure that the risk of possible misstatements emanating therefrom is adequately addressed, for e.g., if the internal auditor has commented about the lack of robustness in the he process for provision for expenses for pending bills, the external auditor would need to more skeptical in verifying the completeness of provisions for expenses. He would need to enlarge the sample size, perform a more robust testing of expense booking/payments in the subsequent period, trend analysis etc.
3) One of the objectives of the internal audit function is to test the orderly conduct of business operations consistent with the processes set by the management. Verifying whether the process of completion of predeparture formalities would ensure compliance to the service standards of the company however this is not likely to have any direct impact on financial reporting, as such, may not be relevant from a financial statement audit perspective.
4) The external auditor can use the observations made in the internal audit reports on vendor contracts entered during the period under audit and evaluate whether these have any impact on reporting on internal controls or financial reporting – for e.g., any onerous terms entailing provision/disclosures etc. the internal audit reports could also possibly highlight non-compliance with standard operating procedures in selection and awarding of vendor contracts. The external auditor would be in a position to evaluate whether such non- compliance is indicative of fraud. Internal audit function can act as a good checkpoint for fraud prevention and reporting.
5) Background verification of employees would prevent the company from hiring fraudulent employees or employees with malicious intent. Though there is no direct implication of this on the financial reporting of the company, the procedures performed by the internal auditor may help the external auditor address the risk of fraud over employee hiring. The auditor based on his assessment of internal audit could use their work in this area to re-engineer the substantive work necessary to be performed by him audit for addressing fraud risk.
Case study 2- Adequacy and use of work performrd by the Internal Auditor
background
ABC limited has appointed M/s. XYZ and Co. (XYZ) as their internal auditors. The statutory auditors of the company – M/s.PQR & associates (PQR) need to evaluate the adequacy of the work performed by XYZ. Consider the following scenarios:
1) XYZ is a reputed firm of chartered accountants with a sizeable client portfolio. the recruitment policy of the firm specifies that only qualified Chartered accountants or students pursuing Chartered accountancy course can be recruited in the internal audit department. The firm follows a policy of training new joiners in accordance with XYZ’s audit manual which helps new joiners understand the audit methodology to be followed while conducting internal audits. XYZ also ensures that the team composition on any client comprises of at least one experienced member with relevant industry knowledge. The work performed by the internal audit team goes through various levels of reviews by partners and managers before the final reports are issued to the clients. As far as relationship with ABC limited is concerned, XYZ occupies an independent status and reports directly to the board of directors of ABC Limited. XYZ presents its observations in the monthly operations meeting of the company and the line managers of the company are responsible to take corrective action within an agreed timeline. XYZ organises meetings with the external auditors – PQR on a monthly basis to discuss their findings and also to assess the requirements of the external auditors if any, when planning their scope for the year. Determine whether the work performed by the internal auditor can be considered as adequate for the purpose of the audit by the external auditor
2) Assume that for the year ended 31st march 20X0, XYZ has performed a comprehensive review of revenue cycle of ABC Limited. There were no adverse findings. in view of the background information given in (1) above, mr. Khanna, audit manager – PQR decided not to perform any work on revenue as this area was extensively covered by XYZ. Mr. Khanna elected to rely on the work already performed by XYZ and was contemplating requesting XYZ to provide them with a copy of their report as well as work papers for his audit file documentation.
Analysis
1) In the given scenario, the internal audit function comprises of a highly prestigious firm with set procedures and hierarchy of reviews. The internal audit division has qualified accountants and trainees. New recruits are provided adequate training. It is also ensured that at all times there is at least once experienced member in the engagement team due to which the entire team gets the requisite guidance. The internal auditor enjoys an independent position with ABC Limited. Internal audit reports directly to the board which is indicative of minimal interference by operating management. Management takes cognizance of internal audit findings and has in place a mechanism to address these in a time bound manner. Internal auditors communicate the observations emanating from their audits with the external auditors. Internal auditors take cognizance of the requirements and expectations of the external auditors from the internal auditors. These are indicators of effective implementation of internal audit function within the organisation. In such an environment, the external auditors – PQR may be able to conclude that the internal audit function is effective and may undertake to modify the extent of testing for that they would undertake on those account captions which have been subjected to internal audit.
2) (a) It would not be appropriate for mr. Khanna to conclude that no work should be performed on the revenue cycle. Given that revenue is presumed to have fraud risk, the auditor should not entirely rely on the work of internal audit when performing procedures related to controls that are intended to address assertions which are susceptible to fraud risk. Mr. Khanna would need to devise his own testing plan, he may consider modifying the testing approach in terms of controls testing and substantive procedures. Given the existence of a robust internal audit system, he may elect to test fewer key controls, rationalize the sample size, undertake substantive procedures which are less time consuming etc.
(b) In the indian context, the Code of ethics provides that a chartered accountant in practice would be deemed to be guilty of professional misconduct if he discloses information acquired in the course of his professional engagement to any person other than his client. As such, XYZ would not be in a position to share their work papers with PQR without prior consent from the Company.
(c) Even considering a scenario where PQR provides access to XYZ access to its work papers (after prior approval from the company), it would be incumbent upon PQR to test or re-perform the work performed by XYZ by obtaining evidence directly from the management of the Company supporting the samples verified by XYZ as opposed to reviewing the documentation provided by XYZ. PQR may exercise its judgment as to whether all samples tested by XYZ should be tested again by PQR or whether PQR should select an entirely new sample. Mere reliance on the documentation provided is not sufficient.
Closing Remarks
Using the work of an internal auditor could assist the external auditor in performing a more efficient and effective audit. However, the external auditor would continue to be solely responsible for the audit opinion.
The Companies act, 2013 has re-emphasied the importance of a robust internal financial control environment by casting specific responsibility on the Board of directors of a company to establish internal financial controls and ensuring that these are adequate and they operate effectively. internal audit will play a very significant role in providing a comfort to the Board in this regard. Statutory auditors are also required to comment in their report, whether the company has an adequate internal financial controls system in place and the operating effectiveness of such controls. The statutory auditors too would need to take cognisance of the work performed by internal auditors on testing of controls. This will entail increased cohesiveness between internal and external auditors however, the external auditor would continue to be responsible for his opinion on the design and operative effectiveness of internal controls.