RELIANCE BY INTERNAL AUDIT ON OTHER ASSURANCE PROVIDERS-PRACTICE GUIDE - DECEMBER 2011
IPPF – Practice Guide: Reliance by Internal Audit on Other Assurance Providers

Table of Contents
Executive Summary (p. 1)
Introduction (p. 1)
Principles for Relying on the Work of Internal or External Assurance Providers (p. 4)
Relying on Internal Assurance Providers (p. 6)
Relying on External Assurance Providers (p. 10)
Appendix A: Services Provided by External Assurance Provider (p. 13)
Appendix B: Guide for Internal Auditors to Assess the Reliability of Other Assurance Providers (p. 17)
Glossary (p. 21)
About the Authors and Reviewers (p. 26)

www.globaliia.org/standards-guidance / B
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers Executive Summary 4. Elements of Practice. 5. Communication of Results and Remediation. Chief audit executives (CAEs) are charged with providing assurance on the adequacy of governance, risk manage- The principles are interdependent. To illustrate, the CAE ment, and related internal controls. This gives manage- would place higher value on assurance providers who ment and an organization’s governing body, including the commit to a common purpose, convey objective expertise, audit committee, an assessment of risk, governance, and and practice rigor and monitoring to shorten the time to control processes and practices across the organization, management action. The results of these other assurance rather than a series of audit reports on individual areas of providers can be integrated with the work of internal audit the organization. Since the risk profile is in a perpetual to communicate a comprehensive opinion to key stake- state of change, internal audit functions are challenged in holders. The guidance gives a process for valuing the work meeting this expectation using traditional, point-in-time, of others and assessing the reliability of assurance pro- or cycle audit methods and resources. viders. In turn, good coordination attracts greater reliance on internal audit decreasing the cost of compliance and Ever-increasing compliance requirements and business increasing the efficiency for providing assurance. complexity have driven companies to establish or procure other risk management and assurance functions. They are charged with measuring and reporting risk, identify- Introduction ing control gaps, tracking remediation, and concluding 1.1 Introduction whether control processes are operating effectively in spe- Internal audit is charged by the International Standards for cific areas. 
Examples of some internal assurance providers Professional Practice of Internal Auditing (Standards) with are identified as environmental compliance groups, qual- providing assurance on the adequacy of governance, risk ity management functions that focus on manufacturing management, and related controls. In many organizations, activities, internal control teams that assess controls over management has established (or engaged a third party to financial reporting, and IT governance groups. External provide) other assurance functions — such as in the ar- assurance providers are often engaged to communicate eas of IT projects, manufacturing quality, environmental an opinion to another auditor regarding specific control health and safety, controls over financial reporting, and objectives operated by a service provider. These activities other regulatory compliance. The purpose of this practice provide assurance on the areas they assessed and recom- guide is to provide ideas and ways to leverage the work mendations to strengthen the related controls, often in of other assurance providers, whether the assurance is areas that are within the scope of internal audit’s work. provided internally within the organization or externally to minimize duplication of work and disruption to the op- This practice guide provides guidance to the CAE and in- eration, provide enhanced coverage, and conserve audit ternal audit leadership on an approach for relying on the resources for high-risk processes. assurance provided by other internal or external assurance functions. A continuum of five principles determines the extent of reliance: Standard 2050: Coordination The chief audit executive should share information and coordinate 1. Purpose. activities with other internal and external providers of assurance 2. Independence and Objectivity. and consulting services to ensure proper coverage and minimize 3. Competence. duplication of efforts. www.globaliia.org/standards-guidance / 1
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers An added value to the organization of coordinating the “A department, division, team of consultants, or other activities of the various assurance providers is limiting du- practitioner(s) that provides independent, objective assur- plicate work. Multiple audits or examinations of the same ance and consulting services designed to add value and risks and testing of the same controls by multiple assur- improve an organization’s operations. The internal audit ance providers is an unnecessary burden on process own- activity helps an organization accomplish its objectives by ers and an inefficient use of resources. If one assurance bringing a systematic, disciplined approach to evaluate provider, such as internal audit, can rely on the work of and improve the effectiveness of governance, risk man- another, the value is clear. agement, and control processes.” 1.2 Who are assurance providers? It is noteworthy that this definition emphasizes objective IIA Practice Advisory 2050-2: Assurance Maps describes assurance and does not reference an expectation for de- three classes of assurance providers, differentiated by the livering audit reports or ensuring compliance. Tradition- stakeholders they serve, their level of independence from ally, internal auditors spend a significant amount of time the activities over which they provide assurance, and the performing direct inspection audits, but there are other robustness of that assurance: ways to provide assurance. The typical organization has a number of different groups who provide risk manage- A. Those who report to management and/or are part ment, compliance, and assurance activities independently of management (management assurance), including of one another. 
In many cases these groups are testing individuals who perform control self-assessments, controls deeper and with greater frequency than the inter- quality auditors, environmental auditors, and other nal auditor. Without effective coordination and reporting, management- designated assurance personnel. work can be duplicated or key risks may be missed or mis- B. Those who report to the board, including internal judged. By adopting a more integrated assurance model audit. that includes the internal auditor relying on the work of C. Those who report to external stakeholders (such as others, several benefits accrue to the organization. These external audit assurance, which is a role traditionally include: fulfilled by the independent/statutory auditor). • More precise assurance by involving greater subject The IIA defines assurance as an objective examination of matter expertise in audit activities. For example, evidence for the purpose of providing an independent as- reliance on an environmental compliance group with sessment on governance, risk management, and control specialized knowledge and certifications in the field processes. The level of assurance desired, and who should of environmental regulations may improve the level provide that assurance, will vary depending on the risk of insight into operations and the quality of assur- and stakeholder expectations. The scope of the internal ance provided. audit function covers the entire organization, including • Reduced redundancy of effort (audit once, audit risk management processes (both their design and oper- well) and ‘audit fatigue’ for the organization. ating effectiveness), and the management of those risks • Expanded coverage of the enterprise without increas- classified as “key” or significant (including the effective- ing direct audit hours. (Reliance on others may allow ness of the related controls). internal audit to reduce the hours spent in that area and allocate them to other risk areas.) 
1.3 Benefits • Shortened time to management action. For example, The IIA’s Standards define an internal audit activity as: the other assurance provider may have continuous www.globaliia.org/standards-guidance / 2
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers monitoring methods in place, or management may Since external and internal assurance providers and the have integrated responses to issues detected by other internal auditor may have different purposes, it is impor- assurance groups into routine business processes. tant to manage expectations beforehand regarding the • Strategic collaboration, transparency, and better gov- purpose of the review, the objectivity and competence of ernance for meeting organizational objectives result- the evaluator, the rigor of the assessment and testing pro- ing in predictable compliance. When all the groups cesses, and the timeliness of the conclusion. involved in assurance cooperate and share informa- tion, insights, and best practices, the quality of the 1.5 Opportunity whole effort is likely to rise. Other sources or forms of assurance can advance innova- Reliance on other assurance groups may enable the CAE tive models for communicating assurance as an alterna- to redirect scarce audit resources to other areas of sig- tive to the traditional inspect-and-report model. Practices nificant risk to the enterprise. For example, the audit plan such as continuous monitoring, self-reported issues, and may be expanded to include additional strategic risks, or macro-assurance planning are designed to assess and risks in connection with mergers and acquisitions, major strengthen internal controls by identifying issues prompt- IT and other initiatives and capital programs, and research ly and reducing the time to management action: and development processes. • Continuous Monitoring: Monitoring controls to de- tect potential failures, or transactions to identify pos- The IIA’s Practice Guide, Coordinating Risk Management sible errors and defects, enables management to see and Assurance, advises the CAE to help in the creation and respond to risk early, as it emerges. 
Continuous of an assurance map for the organization to create a more monitoring reduces the time to action, sustains the connected assurance and governance community. Assur- resolution, and extends assurance. When manage- ance maps help identify duplication and overlap in assur- ment has continuous monitoring practices in place, ance coverage, define scope boundaries and roles for vari- internal audit may be able to assess the programs and ous assurance providers and determine gaps in assurance then rely on them as part of a continuous auditing or coverage that need to be addressed. assurance program. • Self-reported Issues: This practice empowers man- 1.4 Risk agement to raise issues and track remediation to Relying on other assurance providers, however, can add advance corrective action. Internal auditors gain audit risks such as: comfort when management promptly addresses root • Missing a control weakness or deficiency and reach- causes for the self-reported issues. ing the wrong conclusion due to defects in the work • Macro-assurance: Pervasive themes can be high- or coverage of the other assurance provider. lighted by comparing and trending common issues • Failing to identify issues that are not shared by the raised by the governance community. Coordinating other assurance provider due to their lack of inde- principle-based assessments performed by other as- pendence from management. surance providers in sequence with internal audit en- gagements could give an over-arching macro-opinion • Raising as an exception and issuing a matter out of across multiple entities or processes. context that would not ordinarily be considered sig- nificant by internal audit, due to differences in risk In addition, efficiency and effectiveness of overall assur- assessment processes. ance activities may be improved when common tools are www.globaliia.org/standards-guidance / 3
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers used by the internal auditor and other assurance provid- 2.2 Five Principles in Determining Reliance ers. For example, multiple assurance functions can use The extent of reliance to be placed on the other internal an integrated platform to manage the assessment process, or external assurance providers depends on the following share results, and track remediation of significant issues. five principles: The sharing of schedules and plans, and the results of as- 1. Purpose: The assurance provider is clear in purpose sessments, can avoid duplicate work. It also can highlight and committed to providing assurance on a specified risk areas of increased risk. For example, multiple compliance area and their work is relevant to internal audit’s objec- issues raised by other assurance groups (such as noncom- tives and scope. This is a fundamental principle which pliance with trade compliance regulations) may indicate must be in place before proceeding further with an evalu- a need to address entity-level controls (such as the avail- ation to determine reliability. For internal providers, the ability of experts in trade compliance regulations). purpose should be established in a charter or other similar documentation. For external providers this should be pro- Principles for Relying on the vided for in a contract or statement of work. Work of Internal or External 2. Independence & Objectivity: The professional judg- Assurance Providers ment of the assurance provider is impartial, without in- appropriate interference from others. The assurance pro- 2.1 Prior Guidance vider should demonstrate a sufficient degree of objectivity The CAE can look to several authoritative sources for in the course of its work. Although internal assurance guidance on how the internal auditor may rely on the providers often report to management and thus are not work of others. 
The IIA’s Practice Guide, Formulating and truly independent, they can be relied on when they dem- Expressing Internal Audit Opinions (April 2009), defines onstrate appropriate objectivity and competence. other assurance providers and provides guidance for a CAE to assess their competency, independence, and ob- 3. Competence: The assurance provider is knowledge- jectivity. able of the risks to the organizational processes, how con- trols are designed to operate in response to the risks, and According to The IIA’s Practice Advisory 2050-3: Relying what constitutes a weakness or deficiency. Characteristics on the Work of Other Assurance Providers, the decision to of proficiency for internal or external assurance providers rely on the work of other assurance providers can be made include organizational process expertise, education level, for a variety of reasons: professional experience, relevant professional certifica- tions, continuing education, and the assurance provider’s • To address areas falling outside of the competence of reputation for sound judgment. the internal audit activity. • To gain knowledge transfer from other assurance 4. Elements of Practice: The assurance provider has providers. established policies, programs, and procedures and fol- • To efficiently enhance coverage of risk beyond the lows them. In execution, assurance work is appropriately audit plan. planned, supervised, documented, and reviewed. Results are based on persuasive evidence sufficient to support the level of assurance. They also should have the authority to access sufficient information to reach a conclusion. www.globaliia.org/standards-guidance / 4
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers 5. Communication of Results & Impactful Reme- factors in balancing lower objectivity and establishing diation: The assurance provider communicates results reliance. and ensures management takes timely action. Weak- nesses and deficiencies are reported to the person directly Competence: Assurance providers can bring a high level responsible for taking corrective actions and to the mem- of expertise relevant to the specific business process while bers of management that have oversight responsibilities. exercising sufficient objectivity. Although internal auditors Ongoing monitoring ensures the resolution is sustained provide a high degree of objectivity, they may not have the as intended. Rigorous process and persuasive and reliable depth of knowledge needed to provide the desired level of communication results in prompt corrective action. In assurance in certain organizational processes or technical turn, management action validates an effective assurance areas. process that internal audit can place greater reliance on. Elements of Practice: The external and internal assur- ance providers’ discipline to practice standard procedures High Reliance is directly related to their capability for timely and persua- sive conclusions. Consistency and rigor in practice should Elements of Practice raise the internal auditor’s confidence in the assurance Competency provider’s work. Objectivity Impact Level of Risk Impact: Internal assurance providers who are in close proximity to the business process may communicate risk and influence management to remediate control deficien- cies quickly, perhaps more quickly than would a tradi- tional internal audit. By monitoring risk and responding Purpose promptly, internal assurance providers may shorten the Low Reliance time to management action. 
Assessment of each factor plus consideration of risk determines reliability These principles are interdependent and operate at differ- ent levels, proportionate to risk. The internal auditor must The application of these principles is further described in evaluate each of these principles in relation to each other this diagram. The upward arrows depict a continuum. As and to the overall risk of the relevant processes to arrive at the assurance provider puts these principles into practice, a decision on whether to and how much to rely on another the CAE can place higher reliance on the provider’s work. source of assurance provided outside of internal audit. For example, an assurance activity that has a clear purpose Purpose: When the assurance provider is committed and and is found to be objective and competent, but does not its purpose is aligned with internal audit’s objectives, au- effectively communicate results or affect constructive ditors will find the work more relevant. change, would likely lead the CAE to rely on it to a much lesser extent. It also is important to note the positive role Objectivity: The assurance provider can demonstrate the internal audit function can play in raising the perfor- credibility and deliver value to the internal auditor even mance bar for other assurance providers through sharing where independence is lacking. The assurance provider’s of best practices and insight into risk management, con- competence, elements of practice and impact are key trols, and audit principles. www.globaliia.org/standards-guidance / 5
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers Relying on Internal • Objectivity. • Technical competence. Assurance Providers • Due professional care. 3.1 Who are Internal Assurance Providers? • Regular communication. Internal assurance providers (other than the indepen- IAS 620, Using the Work of an Auditor’s Expert, names dent internal audit function) are groups that may report competence, capability, and objectivity as essential factors to the board, management, or are part of management. when considering reliance on the work of others’ exper- These members of the governance community may con- tise. Competence relates to the nature and level of exper- duct control self-assessments, continuous monitoring tise of the auditor’s expert. Capability relates to the ability and compliance inspections, quality audits, or a variety to exercise that competence in carrying out the engage- of other activities by other names which are designed to ment. Objectivity relates to the possible effects that bias, provide assurance of achievement of some key organiza- conflict of interest, or the influence of others may have on tional objectives or requirements. Organizationally, these the expert’s judgment. individuals and groups may report to the legal department (common for regulatory compliance functions); finance Similarly, the U.S. Public Company Accounting Oversight (common for financial reporting control focused or regu- Board (PCAOB), a private corporation that oversees the latory compliance functions); information security (com- auditors of public companies in the United States, has mon for security functions under the chief information provided guidance1 to external auditors on relying on the officer); environmental, health and safety; or to any op- work of others. The same principles and considerations erational unit that has decided to invest in a compliance should be applied in relation to internal audit relying on program. 
All of these are groups the CAE should consider the work of others. The level of reliance should be based when developing audit plans with the potential to rely on on a careful evaluation of the competence, practices, and their work. objectivity of the persons whose work the auditor plans to rely. A higher degree of competence and objectivity results 3.2 Considerations for Internal in greater reliance. Assurance Provider The International Accounting Standards Board (IASB) is For purposes of relying on the work of others, the PCAOB an independent accounting standard-setter with the ob- defines competence as the attainment and maintenance jective of establishing globally accepted financial report- of a level of understanding and knowledge that enables a ing standards based on clear accounting principles. The person to perform assigned tasks. Objectivity means the IASB gives guidance on using the work of component ability to perform those tasks impartially and with intel- auditors, internal auditors, and auditor’s experts in Inter- lectual honesty. When assessing the internal assurance national Standard on Auditing (IAS) Nos. 600, 610, and provider’s competence, the CAE should evaluate such 620, respectively. IAS 610 describes the following factors factors as: that primarily affect the external auditors’ determination • Educational level and professional experience of for using the work of internal auditors: staff. 1 Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements; PCAOB Release No. 2007-005A; AU Section 322 — The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements www.theiia.org/guidance / 6
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers • Professional certification and continuing education. • Sufficient expertise regarding the organizational • Audit policies, programs, and procedures. process and risk. • Supervision and review of staff activities. • Disciplined, repeatable processes. • Quality of workpaper documentation, reports, and • Communication of results, risks, or control concerns recommendations. and remediation tracking. • Evaluation of staff performance. It also is critical to understand the scope of assurance work performed by an internal assurance provider and how it Assessing the objectivity of other assurance providers can may fit into the internal auditor’s assurance objectives and be a challenge as most of these groups report to manage- audit plans. Even though internal audit can bring value to ment and not an independent body such as the audit the enterprise through objective quality reviews of inter- committee of the board of directors, supervisory board, or nal assurance and compliance functions, there is limited head of an agency. There are several factors the CAE may value if this work does not extend coverage and help the consider when determining if the assurance group dem- CAE provide greater assurance to its stakeholders. onstrates sufficient objectivity to be relied on: • The reporting lines for the other assurance group and 3.4 A Process for Relying on the Work the level of management to which they report. of Others • Whether the scope of work, including the tests per- The internal auditor should develop a consistent process formed or the assessment and reporting of the other for how it will place reliance on the work of others. The assurance provider are inappropriately influenced by following is a basic approach that has been successful for management. some internal audit functions. 
It involves the basic steps • Policies and practices preventing the assurance of identification, evaluation, adjustment, and monitoring. provider from auditing areas where the individuals involved have current or recent operational responsi- bilities. Identify • The internal auditor’s assessment of the quality of work performed by the assurance function, including fact-based conclusions, reporting, and follow-up to identified issues. Monitor Evaluate 3.3 Know When to Rely and Not to Rely Before investing any significant time in evaluating a par- Adjust ticular internal assurance function, the CAE can consider some key factors to determine the extent of potential reli- ance. These include: Identify — Locate internal assurance groups and deter- mine maturity and priority based on preliminary assess- • A charter or similar statement of clear objectives and ment. In large, complex enterprises this can be a chal- well-defined responsibilities. lenge. If an organization has an enterprise risk management • Objective reporting relationships and/or conflicting process, this can be a good single source for identifying operational duties. additional groups. As other assurance providers are identi- www.globaliia.org/standards-guidance / 7
IPPF – Practice Guide Reliance by Internal Audit on Other Assurance Providers fied, the internal auditor also must consider how their surance internal audit provides management, and where scope fits into internal audit’s own view of the overall risk there are opportunities to reduce internal audit’s own test- and control environment and the potential benefits for in- ing. Internal audit should communicate expectations, ob- tegrating these assurance activities. Priorities should be jectives, and responsibilities in a memo of understanding based on a measurable value to the organization. This val- with other assurance providers regarding the portion of ue includes expanding coverage and minimizing fatigue their work that will be relied on. caused by redundant audit activities. Monitor — Maintain close communication with each Evaluate — Perform an evaluation of individual groups group, sharing risk assessments, audit plans, and results. to determine the extent the internal auditor can rely on It is important to establish strong communication and the work of others. This is the most critical and time-con- sharing protocol following the evaluation of the assurance suming phase of the reliance model, where internal au- providers. This will help ensure the most efficient and ef- dit carefully considers the competency and objectivity of fective use of internal audit resources as well as maintain the assurance work performed by others. This evaluation confidence in relying on the work of the other providers. also can bring value to the enterprise by providing rec- A re-evaluation of the assurance providers should be per- ommendations to improve the effectiveness of assurance formed on a periodic basis (see section 3.6). activities. As the evaluation is concluded, there should be a clear communication of how internal audit intends to 3.5 Reliance Continuum: Levels of Value use the assurance work on an ongoing basis. 
Additional The value the internal auditor can derive from an effective guidance is provided below on how to evaluate the assur- partnership with other assurance groups will vary. There ance provider. is a continuum of reliance moving from one side of the spectrum, where the auditor determines the work of the Adjust — Modify audit plans and scope to eliminate du- other assurance provider is useful but places little reli- plicative testing and expand risk coverage. To realize the ance, moving across the spectrum to where an assurance full value from a more integrated assurance model, careful provider is fully relied on. consideration must be carried out to determine how these other activities can be used to bolster the independent as- High Reliance Low Reliance • Program commitment • Common purpose • Common purpose • Integral purpose/priority • Broad expertise • Process expertise • Process expertise • Technical expertise • Assess and report risk • Inspection discipline • Repeatable testing • Rigorous practice • Point-in-time • Issue tracking • Sustained remediation conclusion • Analytics • Continuous monitoring • Communicate emerging risk www.globaliia.org/standards-guidance / 8
At a minimum, an effective assurance or compliance function should be regularly assessing and communicating risk for its area of responsibility. If the risk assessment process is determined to be sound, it can provide valuable information to help the internal auditor develop audit plans and priorities.

More robust assurance functions, which begin to incorporate periodic testing of controls, may allow the internal auditor to rely on their conclusions at a particular point in time. As these assessments become more frequent and extensive, the internal auditor may be able to place more reliance and further reduce the depth or frequency of its own testing.

Finally, where an effective assurance program is coupled with reliable monitoring mechanisms embedded at the control level, the internal auditor may place the maximum degree of reliance and confidence in the activity.

3.6 Importance of Periodic Evaluation of the Other Assurance Provider

Where internal audit will rely to any measurable extent on the work of other assurance providers, regular assessments should be made of the assurance providers’ programs. This is a critical element for internal audit to include in any reliance model to mitigate the risks described earlier (see section 1.4). These assessments should address the continued adequacy of the assurance providers’:

• Objectivity.
• Competence.
• Practices.
• Communication that enacts change.

The assessment should include performing tests sufficient to provide objective evidence supporting the reliance placed by internal audit. Opportunities for improving the work of the other assurance provider should be reported, consistent with standard internal audit practices.

Considerations for the CAE – A Case Study

Complex and business critical processes compel an approach for relying on other assurance providers:

A global provider of computer products and services relies on a complex and multichannel sales process involving thousands of third-party distributors around the world. Effectively managing this mix of sales channels can be a competitive advantage and is essential for the long-term success of the business. Management has implemented numerous control processes to mitigate a range of risks inherent in this area. Some examples of risk include compliance (e.g., doing business with restricted parties), financial (e.g., unprofitable sales discounting), and operational (e.g., non-standard and inefficient processes).

Based on management’s assessment of the risks and identified control weaknesses, management has invested in a compliance program that includes regular self-assessments by trained, objective assessors outside of internal audit, who test the operating effectiveness of key controls, report findings, and recommend corrective actions. Internal audit provided consultation to help management develop the control framework and key compliance program elements with the intent to rely on this work. This model promoted management ownership of risk and control and more frequent monitoring and testing of controls than the internal audit function could realistically provide due to resource constraints and other enterprise risks to be monitored.

Once the compliance program was implemented and stabilized, internal audit performed a review to validate that it was operating as intended, providing factual and objective assurance and driving positive change in the business. As part of the review, internal audit also connected the compliance program scope with the audit plan and determined how and when the work would be leveraged, and agreed with management on how the two groups would communicate on a regular basis, share information, and collaborate to form a trusted partnership.

Internal audit has significantly reduced the frequency and depth of their control testing, which is now covered by management’s compliance process, and has been able to focus on other areas historically not audited such as product lifecycle management, strategic sourcing, and IT project management.
Relying on the Work of External Assurance Providers

4.1 Introduction

A wide variety of external groups provide assurance services to organizations worldwide to ensure that internal controls and risk management procedures are in place and operating effectively. External assurance providers also provide these services at third-party service organizations for the benefit of the service organization and their respective business clients. The purpose of this section is to examine some of the services offered by external assurance providers and discuss key areas that the CAE should consider before placing reliance on their work.

4.2 Who Are External Assurance Providers?

Common external assurance providers include public accounting firms, government auditor general offices, consulting companies, legal firms, security organizations, and internal audit departments of third-party service providers. The following provides a description of each.

Public accounting firms – provide many assurance services such as opining on the fairness and accuracy of financial statements; performing International Organization for Standardization (ISO) certification reviews to ensure that an organization conforms to the requirements specified in an ISO standard; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; reporting on a service provider’s privacy program and assessing the protection of personal information; and attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Government auditor general offices – provide services similar to public accounting firms; however, they are usually government appointed functions that report to the overall government rather than to shareholders. They provide many assurance services such as opining on the fairness and accuracy of financial statements; performing performance audits to give assurance that appropriate value for money is being achieved from various activities and projects; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; and attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Consulting companies – provide many services similar to those of public accounting firms mentioned above. However, they are not licensed or registered to issue an opinion on the fairness of financial statements.

Legal firms – provide services to help organizations and third-party service providers to assess compliance with various laws and regulations in jurisdictions where they do business. Legal firms also bring a wealth of knowledge when assisting organizations in completing privacy and legal risk assessments.

Security organizations – provide specialized assurance services such as validating compliance with requirements of the Payment Card Industry Data Security Standard (PCI-DSS) as a qualified security assessor (QSA), conducting network penetration assessments, and performing system vulnerability assessments for security patches, viruses, and fixes. They also provide services related to fraud and IT risk assessments.

The internal audit function of service providers – like other internal audit departments, provides many auditing and consulting services to ensure that internal controls are working effectively and efficiently, and verifies that management has programs in place to address significant IT infrastructure risk, application risk, and business process risk relevant to the organization.

Internal audit functions of user entities – often the service organization is contacted by internal audit functions of their customers, user entities, to provide assurance regarding a particular service or organizational process or to gain visibility throughout a specific time period. It’s not unusual for the service organization to be audited by multiple user entities. Analyzing the audit results and issues raised through assessments conducted by user entities can provide the service organization with common themes, giving a unique view of its capability for carrying out control activities consistently.

Specific services provided by external assurance providers can be found in appendix A.

4.3 Considerations for the CAE When Relying on External Assurance Providers

It is important for management and the CAE to understand the relevance of assurance work completed by external assurance providers within the organization. It also is important for management and the CAE to have the same understanding if the organization is outsourcing key business processes to third-party service providers. The CAE also must assess the impact their assurance work may have on the internal audit function.

For information on the role of the CAE in sharing information and coordinating activities with other providers of assurance and consulting services, refer to The IIA’s Practice Guide on Coordinating Risk Management and Assurance.

Some common questions are outlined below, along with points for consideration:

1. Are the external assurance providers sufficiently qualified, objective, and independent to perform the necessary assurance work? How much reliance should the CAE place on the work of external assurance providers?

The CAE should:

• Determine if the external assurance provider is subject to professional performance standards and guidance such as those prescribed by The IIA, the International Federation of Accountants (IFAC), the International Organization of Supreme Audit Institutions (INTOSAI), and other similar governing bodies.
• Ensure that the external assurance provider is in good standing with their respective governing body and place greater reliance on the work of compliant external assurance providers compared to those not subject to professional standards.
• Determine if the external assurance provider is subject to professional ethics requirements to ensure the assurance work is performed by qualified individuals, and done in an objective and independent manner.
• Confirm that due diligence was performed on the external assurance provider that includes background checks, financial stability, years in business, confidentiality agreement, references, and a review of resumes of the provider’s engagement employees.
• Obtain evidence, as necessary, to confirm that the individuals performing the work meet competency and experience requirements, that the work is performed and supervised consistent with quality standards, and that the assessment and report are free from inappropriate influence from management. Consideration should be given to whether the assurance provider performs other consulting work for management which might influence their assurance activities, including whether there is either a real or perceived independence and objectivity issue.

2. What is the impact to the annual internal audit plan if the CAE either places reliance or does not place reliance on the work of external assurance providers?

The CAE should:

• Be aware of the scope, objectives, and findings of the external assurance engagement to determine the impact to the annual audit plan.
• Determine if there is duplication of audit coverage as a result of the engagement. Alternatively, the CAE should determine if there are coverage gaps in the engagement that may require additional audit work by internal audit.
• If the engagement is performed at the organization, determine if there is an opportunity to co-source the engagement, or at a minimum, participate in the tracking of audit findings and resolutions.
• If the engagement was conducted by the organization’s third-party service provider, reach out to the service provider to obtain information about the engagement.
• Consider the need for any preliminary audit work prior to the start of the engagement.

3. Do the objectives and scope of work performed by external assurance providers address key risks of the organization?

The CAE should:

• Carefully review and understand the scope and objectives of the external assurance engagement before determining the impact it may have on internal audit.
• Keep in mind that an external assurance engagement typically will not cover all the business risks, key controls, and concerns.

4. Should internal audit complete additional assurance work to supplement the work of external assurance providers?

• An external assurance engagement typically will not cover all the risks and exposures related to the organization. As such, the CAE and internal audit may have to perform additional audit work based on its risk assessment.
• Consider the scope, objectives, and results of the engagement before finalizing any additional audit work.
• Before additional audit work is planned at the organization’s third-party service provider(s), identify the right-to-audit clauses contained in the service agreement with the service provider.

5. Should internal audit reperform audit work completed by external assurance providers?

• The level of expertise brought to the engagement and the rigor practiced by the other assurance provider will determine the extent of diligence conducted by internal audit to accept their audit work. In most cases internal audit would not reperform testing; rather, the CAE should conduct a suitable analysis to determine if the audit work completed was commensurate with the assertions as intended based on risk, scope, and competence of the external service providers.
• For specialist reviews like penetration and network vulnerability engagements or income tax consulting, the CAE should understand that this area is technical in nature, so the skill set of each auditor should include a solid background in network and information security, income taxes, or the relevant specialty.

6. Should the CAE pursue co-sourcing arrangements with external assurance providers?

• The CAE should consider separate (from management) co-sourcing arrangements with the external assurance provider that would provide the appropriate skill sets and add to the efficiency and effectiveness of the audit engagement.

Co-sourcing arrangements may include preliminary audit work prior to the start of the engagement, conducting some audit work during the engagement under the supervision of the external service provider, and completing post-audit work to validate on-going compliance and remediation efforts.
Appendix

Appendix A: Services Provided by External Assurance Provider

The types of services offered by external assurance service providers include AICPA/CICA SysTrust, ISO/IEC 27002:2005 certifications, SSAE 16/ISAE 3402 reviews, internal audit co-sourcing, PCI-DSS assessments, network penetration security assessments, vulnerability management reviews, and many other types of services. A description of some of these common services follows:

AICPA/CICA SysTrust

For example, in North America, SysTrust is a branded assurance service offering licensed by the American Institute of Certified Public Accountants (AICPA) and Canadian Institute of Chartered Accountants (CICA) Trust Services Principles and Criteria (Trust Services). Trust Services are professional attestation and advisory services based on principles and criteria that address risks and opportunities of IT-enabled systems and privacy programs. Specific areas covered in Trust Services guidance include:[2]

• Security – the system is protected against unauthorized access (both physical and logical).
• Availability – the system is available for operation and use as committed or agreed.
• Processing integrity – system processing is complete, accurate, timely, and authorized.
• Confidentiality – information designated as confidential is protected as committed or agreed.
• Privacy – personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.

As a licensed offering, SysTrust engagements are conducted by certified public accountants (CPAs) or chartered accountants (CAs). Many organizations, particularly third-party service providers, request this type of engagement to demonstrate to their clients that they are concerned about protecting the information assets entrusted to them, and addressing business risks and controls associated with complex IT systems. These reports also can be used by the service organization in marketing its services to potential clients/customers.

ISO/IEC 27002:2005

The ISO/IEC 27002:2005 – Code of Practice for information security management is one of a set of Information Security Management System (ISMS) standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Through the use of these standards, organizations can develop and implement a framework for managing the security of their information assets such as financial information, intellectual property, and customer and employee personal information. The ISMS family of standards consists of the following international standards, under the general title of Information technology – Security techniques:[3]

• ISO/IEC 27000:2009, Information security management systems — Overview and vocabulary.
• ISO/IEC 27001:2005, Information security management systems — Requirements.
• ISO/IEC 27002:2005, Code of practice for information security management.
• ISO/IEC 27003, Information security management system implementation guidance.
• ISO/IEC 27004, Information security management — Measurement.
• ISO/IEC 27005:2008, Information security risk management.
• ISO/IEC 27006:2007, Requirements for bodies providing audit and certification of information security management systems.
• ISO/IEC 27007, Guidelines for information security management systems auditing.
• ISO/IEC 27011, Information security management guidelines for telecommunications organizations based on ISO/IEC 27002.

ISO/IEC 27002 provides guidance on the implementation of 11 commonly accepted security control objectives along with best practice controls that can be applied to achieve the objectives. The standard also includes comments on risk assessment and treatment. Specific areas covered in the standard include:

• Security policy.
• Organization of information security.
• Asset management.
• Human resources security.
• Physical and environmental security.
• Communications and operations management.
• Access control.
• Information systems acquisition, development, and maintenance.
• Information security incident management.
• Business continuity management.
• Compliance.

Many organizations, particularly third-party service providers, who have adopted the ISO/IEC 27002 information security management standard, choose to be certified compliant with the standard through a formal independent audit. Third-party service providers often use this certification to demonstrate to current and future business clients that they have good security practices in place to protect the information assets that are entrusted to them.

ISO does not audit or assess an organization to validate that its standards are being implemented in conformity with the requirements. An external independent certification body or ISO registrar conducts the audit to determine if the organization conforms to the requirements specified in the standard to obtain certification. There are numerous certification bodies (assurance service providers) worldwide that carry out certification assessments. External service providers performing this type of service include public accounting firms, consulting companies, and sole practitioners.

SSAE 16/ISAE 3402

Third-party assurance reviews are normally performed for organizations that process financial transactions for their clients or customers. The resulting report is typically used by internal and external auditors and can potentially reduce the amount of work required in their audits. The reports describe the service offerings and the control environment surrounding the processing of customer transactions.

ISAE 3402

The International Standard on Assurance Engagements No. 3402 (ISAE 3402), Assurance Reports on Controls at a Service Organization, was issued in December 2009 by the International Auditing and Assurance Standards Board (IAASB) under the International Federation of Accountants (IFAC). ISAE 3402 was developed to provide an international assurance standard for allowing public accountants to issue a report for user organizations and their auditors (user auditors) on the controls at a service organization that are likely to impact or be a part of the user organization’s system of internal control over financial reporting.[4] The effective date for this standard applies to periods ending on or after June 15, 2011.

[2] Trust Services Principles and Criteria – An Overview, January 29, 2009, www.aicpa.org/InterestAreas/InformationTechnology/Resources.
[3] ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary, First edition 2009-05-01, ISO/IEC. This material is reproduced from ISO/IEC 27000:2009 with permission from the American National Standards Institute (ANSI) on behalf of the International Organization for Standardization (ISO). No part of this material may be copied or reproduced in any form, electronic retrieval system or otherwise or made available on the Internet, a public network, by satellite or otherwise without the prior written consent of the ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-4900, http://webstore.ansi.org.
[4] 2011 ISAE3402.com, http://isae3402.com/ISAE3402_overview.html
SSAE 16

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the AICPA in January 2010. SSAE 16 replaced Statement on Auditing Standards (SAS) No. 70, Service Organizations, as the authoritative guidance for reporting on controls at service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011.[5] SSAE 16 is based on the IAASB assurance standard for service auditors, ISAE 3402. It should be noted that the requirements for auditing the financial statements of entities that use service organizations remain in the auditing standards in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization.

The AICPA is establishing three reporting options to provide a framework for CPAs to examine controls and to help management understand related risks. The Service Organization Control 1 (SOC 1) report addresses controls for financial statement audits with guidance provided by SSAE 16. SOC 2 reports on controls related to compliance or operations with guidance provided by Attestation Standard (AT) Section 101, Attest Engagements. Both SOC 1 and SOC 2 reports are restricted use reports. SOC 3 reports are the same as a SOC 2 report but general use.

The AICPA SSAE 16 or ISAE 3402 allows for two types of reports:

Type I: Reports on controls placed in operation

A service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal controls, whether such controls were suitably designed to achieve specified control objectives, and whether they had been placed in operation as of a specific date. These reports may be useful in providing a user auditor with an understanding of the controls necessary to plan the audit, as well as design effective tests of controls and substantive tests at the user organization. However, they are not intended to provide a basis for reducing assessments of control risk below the maximum.

Type II: Reports on controls placed in operation and tests of operating effectiveness

A service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal controls, whether such controls were suitably designed to achieve specified control objectives, whether they had been placed in operation as of a specific date, and whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing the user auditor with an understanding of the controls necessary to plan the audit and may also provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

Some common misconceptions about SSAE 16 reports the CAE should be aware of include:

1. All SOC reports contain the same control objectives. (Control objectives are defined specifically for the environment being attested.)
2. SOC reports are “forward-looking” documents.
3. Type I vs. Type II reports don’t really make a difference to my audit planning. (Type I only covers control design effectiveness and is point in time. Type II covers control operating effectiveness for an opinion period.)
4. Exceptions are not reported. (Any exceptions to the controls are clearly identified in the test tables even if they do not rise to the level of a qualified report.)
5. Exceptions have no impact on my audit plan.

[5] 2011 SSAE16.com, http://ssae16.com/SSAE16_overview.html