
How to more effectively comply with the requirements of SAS 128.


In Brief

This article describes the salient requirements of SAS 128, Using the Work of Internal Auditors, and demonstrates how the International Professional Practices Framework (IPPF), promulgated by the Institute of Internal Auditors (IIA), can be utilized as a normative standard to achieve highly effective evaluations of an audit client's internal audit function in compliance with its requirements. While this article primarily focuses on the evaluation of internal audit functions during independent financial statement audits, much of the information should be of value to all CPAs who are called upon to evaluate an organization's internal audit function.

The AICPA's Auditing Standards Board (ASB) recently promulgated the clarified Statement on Auditing Standards (SAS) 128, Using the Work of Internal Auditors, effective for audits of financial statements for periods ending on or after December 15, 2014. The pronouncement supersedes SAS 65, "The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements." The ASB also had redrafted AU section 322, "The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements," for clarity, and added guidance to AU-C 315, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement." The ASB task force commenced in February 2013 with the objective of reflecting on the developments in the internal auditing environment and changes in practice regarding the interactions between external and internal auditors. The ASB wanted to converge with the International Auditing and Assurance Standards Board (IAASB) pronouncement of International Standards on Auditing (ISA) 610. Because ISA 610 was also under revision, the ASB waited until the ISA redrafting was complete.

At first, ISA 610 was redrafted to conform to the clarity format with no changes; however, the IAASB decided that it needed to be more responsive to the issue of direct assistance by the internal audit staff. The IAASB had some difficulty dealing with direct assistance, and the final pronouncement was not issued until March 2013.

SAS 128 focuses on the external auditor's responsibilities when using the work of internal auditors during independent financial statement audits. SAS 128 does not apply if an audit client does not have an internal audit function. In addition, this SAS does not apply if the client has an internal audit function, but the external auditor finds that the activities of the function are not relevant to the financial statement audit, or if--based on the auditor's preliminary understanding of the internal audit function--the external auditor does not expect to use the function. It is important to realize that external auditors are not required to use a client's internal audit function during a financial statement audit. That said, external auditors cannot completely ignore a client's internal audit function when one exists. AU 315, "Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement," requires that while obtaining the required understanding of an audit client, the external auditor should obtain an adequate understanding of the client's internal audit function in order to properly plan the external audit and to decide whether the internal audit function can be used. It should be recognized that an ineffective internal audit function might be a weakness in the monitoring component of internal control rising to the level of a significant deficiency. Material weaknesses should be communicated in writing to management, and to those charged with governance following the requirements of AU 265, "Communicating Internal Control Related Matters Identified in an Audit."

If the external auditor obtains an overall understanding of the internal audit function, but still believes that the function is relevant to the external audit strategy and objectives, and elects to use the function in the gathering of audit evidence, the external auditor under SAS 128 must be satisfied about three critical internal audit attributes in order to use the internal audit function:

* The function is sufficiently objective.

* The function is sufficiently competent.

* The function is effectively using a systematic and disciplined approach, including quality control.

External auditors should gather sufficient and appropriate evidence in order to make an evaluation of these three critical internal auditing attributes. SAS 128 clearly states that the degree to which the client's internal audit function possesses these attributes not only determines whether the external auditor can use the internal audit function in obtaining audit evidence, but also significantly influences the extent to which the internal audit function can be used. The standard provides some basic guidance that external auditors can follow in evaluating these three critical internal auditing attributes.

Objectivity

SAS 128 states, "Objectivity refers to the ability to perform tasks without allowing bias, conflicts of interest, or undue influence of others to override professional judgments" (SAS 128, para. 7). The standard provides guidance as to factors that the external auditor should consider in the evaluation of the objectivity of internal auditors. Two salient factors that should be focused upon are the organizational positioning of the internal audit function, and the reporting relationships of the Chief Audit Executive (CAE). Other suggested factors to consider are whether the internal audit function is free of conflicting managerial or operating responsibilities, and whether those "charged with governance" are instrumental in the significant resourcing and employment decisions affecting the CAE, and more broadly, the entire internal audit function. Finally, external auditors should consider the following:

Whether the internal auditors are members of relevant professional bodies and their memberships obligate their compliance with relevant professional standards relating to objectivity. (SAS 128, para. A7)

Competence

SAS 128 states, "Competence of the internal audit function refers to the attainment and maintenance of knowledge and skills of the function as a whole at the level required to enable assigned tasks to be performed diligently and with the appropriate level of quality" (SAS 128, para. A8). Among the factors that should be considered by the external auditor when evaluating internal audit competence are whether the client has policies in place for hiring and training internal auditors, whether internal auditors receive the necessary training and proficiency in auditing, whether the internal auditors possess the required knowledge relating to the entity's financial reporting framework and the necessary skills to perform the work, whether the internal auditors are members of relevant professional associations, and whether internal auditors have relevant professional certifications that obligate them to obtain continuing professional education.

Application of a Disciplined Approach

One of the most important new requirements introduced by SAS 128 is that in order for external auditors to be able to use a client's internal audit function, the external auditors must be satisfied that the internal audit function uses a "systematic and disciplined approach, including quality control." Relative to the prior auditing standard governing the use of internal auditors (i.e., SAS 65), this requirement represents an additional evaluation that must be performed while determining whether the client's internal audit function can be used. The external auditor's evaluation of this attribute is intended to address the risk that "the external auditor inappropriately uses internal audit-like work performed in an informal, unstructured, or ad hoc manner" (SAS 128, para. A14). SAS 128 suggests that in evaluating this critical internal auditing attribute, the external auditor may assess factors such as the internal audit function's use of audit documentation (i.e., work papers), the use of documented audit programs, and whether the internal audit function has appropriate quality control policies and procedures in place.

Obtaining Audit Evidence

Under SAS 128 requirements, external auditors are allowed to utilize a client's internal audit function in obtaining audit evidence after the external auditors have evaluated the internal audit function and found it to be sufficiently objective, competent, and effectively utilizing a "systematic and disciplined approach, including quality control." The nature, timing, and extent of this internal audit utilization should be based on the degree to which these three essential attributes are found to be present and effectively operating. In addition, SAS 128 recognizes that the specific facts and circumstances of each client situation can properly affect the external auditor's internal audit utilization decisions. SAS 128 mandates that the external auditor is solely responsible for the audit opinion, and should be sufficiently involved in the audit. To prevent inappropriate use of the internal audit function, external auditors should plan to de-emphasize internal audit usage as the use of judgment in the audit increases, as the assessed risk of material misstatements increases, and as the assessed level of internal audit competence and objectivity decreases.

When external auditors elect to utilize a client's internal audit function, the function can be used in two primary ways: 1) The external auditors may use the existing work product of the internal auditors, and 2) the internal auditors can provide "direct assistance." SAS 128 provides detailed guidance on the proper use of internal auditors in each of these ways.

Using the Existing Work of the Internal Audit Function

Internal audit functions' assurance and consulting agendas are commonly relevant to the external audit. For example, internal audit assurance engagements commonly involve the evaluation of the reliability and integrity of financial information, the assessment of the effectiveness of internal controls over financial reporting, the evaluation of processes focusing on the safeguarding of assets, and the evaluation of the operational effectiveness of the organization's overall enterprise risk management system. External auditors should assess whether the internal auditors' existing work product--or planned work--addresses these areas, and is thereby relevant to the external audit strategy. External auditors can obtain relevant information by performing procedures such as reading relevant internal audit reports and reviewing internal audit work papers.

If the external auditors find the work of internal auditors relevant and plan on using the existing work of the internal auditors in obtaining audit evidence, the external auditor should communicate with the internal auditors and attempt to coordinate activities. In addition, the external auditor should directly perform sufficient audit procedures on the internal audit work to evaluate whether it has been properly performed and is truly adequate for external audit purposes. While external auditors are not required to reperform a portion of the internal auditor's work in all areas being used, SAS 128 requires some reperformance on the body of work that the external auditors are going to rely upon. The nature and extent of all of these verification procedures should be responsive to the risk of material misstatements, the amount of judgment involved and, of course, the assessed competence and objectivity of the internal auditors. SAS 128 also recognizes that if the risk of material misstatement in an area is other than "low," it is highly likely that the external auditor should perform some tests directly.

Direct Assistance

The second major way that client internal audit functions can be used is "direct assistance." SAS 128 defines direct assistance as "the use of internal auditors to perform audit procedures under the direction, supervision, and review of the external auditor" (SAS 128, para. 12). In determining the nature and extent of the direct assistance to be performed by the internal auditors, and the extent of supervision required, external auditors should consider factors such as the threats and safeguards to the internal auditor's objectivity, the assessed competence of the internal auditors, and the risk of material misstatement in the assigned areas. SAS 128 introduces an explicit requirement whereby prior to using internal auditors to provide direct assistance, the external auditor should obtain a written acknowledgement from client management or those charged with governance, as appropriate. The written acknowledgement should state that the internal auditors providing the direct assistance will be allowed to follow the external auditors' instructions, and that the client organization will not interfere with the work being performed. In addition to directing the internal auditors, the external auditors should supervise and review their work.

The previous discussion makes it clear that, under the clarified auditing standards, external auditors are currently required to evaluate a client's internal audit function on all audits where an internal audit function is present. While the use of the internal audit function when gathering audit evidence is not required, the evaluation of the internal audit function is required. In situations where external auditors find the internal audit function relevant to the strategy and objectives for the external audit, and elect to utilize the internal auditors, a more in-depth evaluation is in order to determine whether the internal audit function fulfills the minimum standards for external auditor reliance on the function, as prescribed by SAS 128.

Therefore, under these clarified statements, external auditors must be equipped to perform effective evaluations of internal audit functions. These evaluations necessarily entail a comparison of "what is" (i.e., the current state of a client's internal audit function) with "what should be" (a normative standard for the professional practice of internal auditing). SAS 128 provides some basic guidance on best practices for internal auditing; however, external auditors can more comprehensively refresh their understanding of the best practices for internal auditing--and thereby improve their evaluations of internal audit functions--by becoming familiar with the authoritative guidance contained in the recently revised International Professional Practices Framework (IPPF) promulgated by the Institute of Internal Auditors (IIA).

The IPPF serves as a normative standard for the professional practice of internal auditing throughout the globe, and many internal audit functions are currently stating that they follow the authoritative guidance of the IPPF. External auditors can use this globally recognized standard as an effective tool during evaluations of client internal audit functions. Furthermore, if external auditors are satisfied that a client's internal audit function is in compliance with the requirements of the IPPF, the external auditors can have a high level of assurance that the client's internal audit function possesses the critical attributes that are necessary for reliance on the internal audit function in conformity with SAS 128 requirements.

The remainder of this article will overview the recently revised IPPF that was launched in July 2015 and demonstrate how the requirements, and recommended practices, that are contained in this framework fulfill the SAS 128 requirements for an external auditor's reliance on internal audit functions.

The IPPF

The IPPF can be thought of as a container that holds and organizes the authoritative internal auditing guidance promulgated by the IIA. The framework is recognized worldwide as a primary source of authoritative guidance constituting the essential elements for the practice of internal auditing. The IPPF has a "Mission of Internal Audit" and six other components that are categorized by the IIA as either "mandatory guidance" or "recommended guidance" (http://www.theiia.org). The mandatory guidance is considered essential to the practice of internal auditing, while the recommended guidance provides detailed information to help implement the mandatory guidance. The IIA considers the recommended guidance as best practice, but the IIA recognizes that internal auditors may comply with the mandatory guidance by implementing alternative practices. The mandatory guidance applies to all entities and individuals that perform internal auditing services, but the IIA can only sanction IIA members and recipients of or candidates for IIA professional certifications for violations. Unlike the public accounting profession, where statutory sanctions are typically available, the internal auditing profession primarily relies on voluntary compliance.

Beyond the mission, the IIA categorizes the other six components of the IPPF (the following components are adapted from http://www.theiia.org):

Mandatory Guidance

* Core principles for the professional practice of internal auditing

* Definition of internal auditing

* Code of ethics

* International standards for the professional practice of internal auditing (standards)

Recommended Guidance

* Practice advisories (implementation guides)

* Supplemental guidance.

Additional Guidance

The recently promulgated Mission of Internal Audit "articulates what internal audit aspires to accomplish within an organization," but the core principles, "taken as a whole, articulate internal audit effectiveness" (http://www.theiia.org). The definition of internal auditing describes modern internal auditing, and the code of ethics conveys the minimum ethical requirements for individuals and organizations to follow while in the practice of internal auditing. The International Standards for the Professional Practice of Internal Auditing (Standards) are the primary source of detailed mandatory, and presumptively mandatory, requirements that all individuals and organizations in the practice of internal auditing should follow.

Turning to the recommended guidance, the practice advisories (implementation guides) provide detailed guidance to assist internal auditors in complying with the mandatory guidance. Individual practice advisories are directly related to individual standards, and they are most commonly promulgated when the IIA believes that additional guidance is needed for the effective and efficient adherence to a standard. Practice advisories address overall approaches and methodologies, but they do not contain detailed processes or procedures. The more detailed guidance is found with the supplemental guidance (e.g., Practice Guides; http://www.theiia.org).

How External Auditors Use IPPF

External auditors can utilize the mandatory guidance of the IPPF (primarily the requirements contained in the Code of Ethics and Standards) as a widely accepted normative standard when evaluating a client's internal audit function, and when deciding whether to rely upon the work of an internal audit function during an external audit. While it is beyond the scope of this article to comprehensively cover all the guidance of the IPPF that may be relevant to the overall evaluation of an internal audit function, the following discussion will demonstrate how the requirements of the IPPF exceed the minimum requirements of SAS 128 for external auditors to be allowed to rely upon the work of internal auditors.

The Exhibit depicts the critical internal audit attributes that must satisfy external auditors before they are allowed to rely on a client's internal audit function under SAS 128. The Exhibit maps specific examples of mandatory IPPF guidance that address each attribute.

Quality Control

SAS 128 makes it clear that before an external auditor can utilize a client's internal audit function, the external auditor should be satisfied that the client's internal audit function has an effective system of quality control. IPPF Standard 1300, Quality Assurance and Improvement Program, has an explicit provision stating: "The chief audit executive must develop and maintain a quality assurance and improvement program that covers all aspects of the internal audit activity."

Collectively, the suite of standards addressing the required quality control system (in the Exhibit) requires that the quality control system consists of both internal quality control assessments performed by the internal audit personnel, other qualified individuals from within the organization, and external quality assessments. A qualified outside assessor or assessment team must conduct the required external assessments. This required quality control system rigorously assesses many attributes of the internal audit function, especially adherence to the requirements of the standards. Standard 1321, Use of "Conforms with the International Standards for the Professional Practice of Internal Auditing," explicitly states that the CAE may declare that the internal audit activity conforms with the IIA Standards "only if the results of the quality assurance and improvement program support this statement." External auditors can utilize these required attributes for quality control systems as they evaluate the quality control systems of their clients. When a client is found to have a quality control system in compliance with the IIA standards, this provides a very high level of assurance that the client's internal audit function has a very effective quality control system in place that fulfills the SAS 128 requirements.

Independence and Objectivity

The "objectivity" requirements of SAS 128 are met with several independence and objectivity requirements contained in the Code of Ethics and Standards. The IPPF's concept of independence attaches to the internal audit function collectively, while the concept of objectivity refers to the mental attitude of individual internal auditors. Standard 1100 contains the unconditional requirement that: "The internal audit activity must be independent, and the internal auditors must be objective in performing their work." Many find the concept of "the independence of an internal audit function" difficult to understand, and many individuals mistakenly think that internal auditors cannot be independent because they work for the organization. Realizing that an internal audit function does not have to be independent of the organization is a key aspect of this issue. Internal auditors must be independent of auditees, and independence of the internal audit function is achieved by properly positioning the internal audit function within the organization. Standard 1110 states: "The chief audit executive must report to a level within the organization that allows the internal audit activity to fulfill its responsibilities." The guidance in the related practice advisory 1110-1, Organizational Independence, clearly identifies the preferred reporting relationship to promote independence; the CAE should report functionally to the board and administratively to the CEO. While external auditors might discover that their audit clients have a variety of suboptimal alternative administrative reporting relationships (e.g., the CAE reporting to the CFO), external auditors should realize that the functional reporting relationship to the board (audit committee) is critical to the internal audit function's independence and may compensate for the less than optimal administrative reporting. Standard 1111 states: "The chief audit executive must communicate and interact directly with the board."

The Code of Ethics and Standards explicitly addresses the objectivity of each and every internal auditor; for example, Standard 1120 states: "Internal auditors must have an impartial, unbiased attitude and avoid any conflicts of interest." The code devotes one of its four ethical principles to objectivity. In part, the principle says: "Internal auditors make a balanced assessment of all the relevant circumstances and are not unduly influenced by their own interests or by others in forming judgments." The code also has several rules of conduct that promote the objectivity principle. For example, Rule 2.1 prohibits internal auditors from participating "in any activity or relationship that may impair or presume to impair their unbiased assessment." According to Rule 2.2, internal auditors "shall not accept anything that may impair or be presumed to impair their professional judgment."

In summary, the IPPF specifies that internal audit functions, and individual internal auditors, must be both independent and objective. The code of ethics and the standards contain explicit requirements that external auditors can look to as they evaluate the "objectivity" of their client's internal audit function in compliance with SAS 128.

Competency

The Code of Ethics and Standards explicitly addresses competency. The competency principle of the code states, "Internal auditors apply the knowledge, skills, and experience needed in the performance of internal audit services." Three ethical rules support this principle by clarifying that internal auditors are to only provide services for which they are qualified, they should follow the IIA Standards, and they should continually improve their proficiency. The standards themselves support Code of Ethics and Standards competency requirements. Standard 1200, Proficiency and Due Care, requires that "engagements must be performed with proficiency and due care." Several related standards in the 1200 series contain some specific requirements to achieve the mandate of Standard 1200. Standard 1230, Continuing Professional Development, contains an unconditional requirement: "Internal auditors must enhance their knowledge, skills, and other competencies through continuing professional development." It should be noted that certified internal auditors, in the practice of internal auditing, have a continuing professional education reporting requirement of 40 hours annually.

A Systematic and Disciplined Approach

While it is beyond the scope of this article to comprehensively describe all of the requirements that conclusively demonstrate that the use of a "systematic and disciplined approach" is required under the IIA standards, the Exhibit lists a representative sample of applicable standards to make the point. Notice that internal auditors have to meet specific requirements in four distinct stages of a formal internal audit assurance or consulting engagement (i.e., engagement planning, fieldwork, reporting, and monitoring). Standard 2200 addresses proper engagement planning, stating: "Internal auditors must develop and document a plan for each engagement, including engagement objectives, scope, timing, and resource allocations." It should be noted that other standards related to planning require that engagement objectives be developed, and that work programs be created and documented. It should be recognized that the planning requirements for internal audit functions are very similar to the planning requirements for external auditors.

Standard 2300, Performing the Engagement, and several other standards in the 2300 series provide the primary requirements for engagement fieldwork. Collectively, the guidance requires that internal auditors gather the necessary evidence to achieve engagement objectives, properly document their work, and the internal auditors conducting the fieldwork must be properly supervised. Standard 2400, Communicating Results, and several other standards in the 2400 series collectively require that internal auditors communicate the results of engagements, and the standards provide overall guidance on the form and content of engagement communications. Unlike the public accounting profession, the internal auditing profession does not have a required internal audit report form.

The final stage of an internal audit engagement is "monitoring." Standard 2500 states: "The chief audit executive must establish and maintain a system to monitor the disposition of results communicated to management."

As the previous discussion illustrates, the standards contain detailed requirements that must be fulfilled in the planning, fieldwork, reporting, and monitoring stages of formal internal audit assurance and consulting engagements. If a client's internal audit function is complying with the IPPF, the external auditor can have a high level of assurance that the function is using a "systematic and disciplined approach" in compliance with SAS 128 requirements.

Utilizing the Internal Audit

SAS 128 promotes the effective utilization of a client's internal audit function, as long as the external auditors are satisfied that the client's internal audit function is sufficiently competent and objective and that it follows a systematic and disciplined approach, including quality control. This article has described the salient requirements of SAS 128 and demonstrated how external auditors can use the recently revised IPPF to effectively comply with the provisions of this clarified auditing standard. The Institute of Internal Auditors has made the mandatory guidance of the IPPF available (free of charge) on https://www.theiia.org, under "Standards & Guidance."

Terry J. Engle, PhD, CPA, is the advisory council professor of accounting at the University of South Florida, Tampa campus. Nicholas J. Mastracchio, Jr., PhD, CPA, is an associate professor at the University of South Florida, Sarasota Manatee Campus. He is a former member of the Auditing Standards Board, past chairman of the New York State Board of Accountancy, and past chairman of the Examination Review Board. He is also a member of The CPA Journal Editorial Board.

EXHIBIT

Mapping SAS 128 Requirements to International Professional Practices Framework Requirements

Quality Control

* Std. 1300, Quality Assurance and Improvement Program (QAIP)

* Std. 1310, Requirements of the QAIP

* Std. 1311, Internal Assessments

* Std. 1312, External Assessments

* Std. 1320, Reporting on the QAIP

* Std. 1321, Use of "Conforms with the Int'l. Stds. for the Prof. Practice of Internal Auditing"

Objectivity

* Code of Ethics: Principle "Objectivity" and Rule of Conduct #2 "Objectivity"

* Std. 1100, Independence and Objectivity

* Std. 1110, Organizational Independence

* Std. 1111, Direct Interaction with the Board

* Std. 1120, Individual Objectivity

Competence

* Code of Ethics: Principle "Competency" and Rule of Conduct #4 "Competency"

* Stds. 1200-1220, Proficiency and Due Care

* Std. 1230, Continuing Professional Development

Systematic and Disciplined Approach

* Std. 2200, Engagement Planning

* Std. 2300, Performing the Engagement

* Std. 2400, Communicating Results

* Std. 2500, Monitoring Progress

COPYRIGHT 2015 New York State Society of Certified Public Accountants
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2015 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:auditing
Author:Engle, Terry J.; Mastracchio, Nicholas J., Jr.
Publication:The CPA Journal
Date:Nov 1, 2015
Words:4584