ASB Meeting July 31-August 2, 2012 The Auditor s Consideration of the Internal Audit Function in an Audit of Financial Statements Agenda Item 1 Objective of Agenda Item To discuss proposed AU-C 610, Using the Work of Internal Auditors, conforming amendments to AU-C 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment, and other conforming amendments. Task Force members are: Megan Zietsman D&T (chair) Rob Chevalier KPMG Sam Cotterell Boise Jim Dalkin GAO Marc Panucci PwC Paul Penler E&Y Background The Task Force was charged with redrafting AU-C 322, The Auditor's Consideration of the Internal Audit Function in an Audit of Financial Statements, using the ISA 610 (Revised), Using the Work of Internal Auditors, as a base. In December 2011, the IAASB voted to approve as a final standard ISA 610 (Revised) and conforming amendments to ISA 315. However, in doing that, the IAASB bifurcated its decision in that it approved as a final standard the section which addresses the use of the internal audit function by the external auditor, but deferred approving as a final standard the section which addresses direct assistance to the external auditor. The IAASB did however vote the direct assistance section as closed off. The IAASB asked the International Ethics Standards Board for Accountants (IESBA) to look into the possible independence implications of external auditors using an internal auditor in a direct assistance capacity. The IESBA began looking into the matter and in January 2012 issued an exposure draft on a proposed amendment to the definition of an engagement team to specifically exclude internal auditors working in a direct assistance capacity (i.e., thereby clarifying that internal auditors working in such a capacity are not subject to the same ethical (including independence) requirements as external auditors. The Prepared by: Hiram Hasty (July 2012) Page 1 of 9
exposure period ended on May 31, 2012, however IESBA s final resolution on the matter is expected sometime late 2012 or 2013. If the IESBA s exposure draft is finalized similar to how it has been proposed, then our understanding is that the IAASB would finalize the direct assistance section of ISA 610 (Revised) without further amendment. At the May 2012 ASB meeting, Ms. Zietsman discussed with the ASB the major issues related to the proposed AU-C 610, including how to address the issue relating to direct assistance described in the previous paragraph, as well as some other concerns that the Task Force had about certain aspects of the international standard. In that meeting, the ASB directed the Task Force to move forward with the clarification and convergence of AU 322 using ISA 610 (Revised) as the base, including the closed-off content dealing with direct assistance. The ASB however agreed to revisit the timing of the approval of the final content, with it being agreed that it would not be desirable for the ASB to finalize its revised standard before the resolution of the direct assistance issue at the international level. The specific requirements addressing direct assistance, along with the related application guidance 1 added to the proposed AU-C 610, are as follows: Paragraphs 27-28 Determining Whether Internal Auditors Can Be Used to Provide Direct Assistance for Purposes of the Audit (application guidance para. A33-A37) Paragraphs 29-30 Determining the Nature and Extent of Work that Can Be Assigned to Internal Auditors Providing Direct Assistance (application guidance para. A37-A38) Paragraphs 31-34 Using Internal Auditors to Provide Direct Assistance (application guidance para. A39-A42) Issues for Discussion with the ASB 1) Application of systematic and disciplined approach ISA 610 (Revised) focuses on the existence of an internal audit function in order to be able to use the work of internal auditors in accordance with the proposed standard. In doing that, ISA 610 (Revised) introduces the notion of a systematic and disciplined approach, including quality control as a requirement to be satisfied. Paragraph 8 [7] 2 of ISA 610 (Revised) states: Depending on whether the internal audit function s organizational status and relevant policies and procedures adequately support the objectivity of the internal auditors, the level of competency of the internal audit function, and whether the function applies a systematic and disciplined approach, the external auditor may also be able to use the work of the internal audit function in a constructive and complementary manner. 1 The content dealing with direct assistance, which were added to the proposed AU-C 610, are identified by a grey shade in the ISA 610 column of the matrix document (Item 1A). 2 Paragraph references are to the matrix document prepared by the Task Force. Paragraph references in brackets represent the references in ISA 610 (Revised) as issued by the IAASB in February 2012 see Agenda Item 1A. For purposes of redrafting AU 322, the Task Force incorporated in the matrix document the section on direct assistance, which was not included in the ISA 610 (Revised), and accordingly the ISA paragraph references are different to the version of ISA 610 (Revised) that is currently effective. Agenda Item 1 Page 2 of 9
Paragraph 10 [8] of ISA 610 further adds: Internal Audit There may be individuals in an entity that perform procedures similar to those performed by an internal audit function. However, unless performed by an objective and competent function that applies a systematic and disciplined approach, including quality control, such procedures would be considered internal controls Paragraph 16 [13] of ISA 610 states: The external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by evaluating the following: (c) Whether the internal audit function applies a systematic and disciplined approach, including quality control Paragraph 17 [14] of ISA 610 (Revised) provides the following prohibition: The external auditor shall not use the work of the internal audit function if the external auditor determines that: (c) The function does not apply a systematic and disciplined approach, including quality control We note that in our jurisdiction, it is not uncommon for entities to have appropriately skilled individuals involved in performing internal auditing activities, such that there might not be employees dedicated to an internal audit function 100% of the time, and that even though an internal audit function exists with appropriate objectives and work plans, the degree of formality may be less, which is subject to a systematic and disciplined approach. This may be especially the case in smaller entities that have a very limited number of internal audit personnel (or perhaps even have part-time internal audit personnel). Consequently, the Task Force believes that it is important that it be clear that judgment can be applied (based on the facts and circumstances) in determining whether the internal audit function applies an appropriately systematic and disciplined approach such that the work of the function can be used by the external auditor. In its comment letter, the AICPA expressed concerns to the IAASB about this requirement and how it was intended to be applied. Other commenters submitted similar commentary to the AICPA s, but there were also a number of other commenters that supported the concept as proposed or asked for it to be strengthened even more. The IAASB concluded that the requirement would be retained, but added some additional application material that was intended to provide some flexibility in terms of how to evaluate whether a systematic and disciplined approach exists (see paragraphs A-2 and A-11 of ISA 610 in Agenda Item 1A). In May, the Task Force discussed with the ASB its concern that the intent of this guidance was not sufficiently clear and recommended additional application guidance to further explain that the application of a systematic and disciplined approach was not intended to preclude altogether the use of internal audit in smaller entities that have less formal groups or individuals who perform internal audit activities. Accordingly, the Task Force proposes the following paragraph be added to the proposed SAS to expand on the guidance in ISA 610: Agenda Item 1 Page 3 of 9
A12. The auditor s consideration of the nature and extent to which the internal audit function applies a systematic and disciplined approach is intended to address the risk that the auditor inappropriately uses internal audit-like work performed in an informal, unstructured or ad hoc manner. The required level of formality of the approach, including the documentation of internal audit procedures or guidance of the internal audit function that is necessary to conclude that the function has a sufficiently systematic and disciplined approach such that the auditor may plan to use its work, will however vary depending on the size and complexity of the entity. In smaller, less complex entities, the internal audit function may be small (for example, may only comprise one or a few individuals) and may have less formally documented processes. 2) Evaluation of the Internal Audit Function s Quality Control Paragraphs 16(c) and 17(c) of ISA 610 require that the auditor evaluate the quality control aspects of the internal audit function in determining whether the internal audit function applies a systematic and disciplined approach. Paragraph A11 of ISA 610 (Revised) explains that factors that may affect the auditor s determination of whether the internal audit function applies a systematic and disciplined approach, include whether internal audit function has quality control policies and procedures which are equivalent to the relevant sections of ISQC 1 (which would be the equivalent of those in SQCS 8 for audits performed in accordance with AICPA standards.) The Task Force recognizes that this paragraph only provides application guidance, but the Task Force believes that this may inadvertently establish what might be an unduly high hurdle in evaluating the quality control of the internal audit function. The Task Force is also concerned about the perception that the standards for external auditors now appear to be imposed upon internal auditors. Instead, the Task Force believes that the auditor might look at what the internal audit function has put in place to comply with professional quality control standards applicable to internal auditors, for example, those standards promulgated by the Institute of Internal Auditors ( IIA ). Accordingly, the Task Force proposes the following edits to paragraph A11 of the proposed SAS: Whether the internal audit function has appropriate quality control policies and procedures, for example, such as those policies and procedures in ISQC 1 3 that would be applicable to an internal audit function (such as those relating to leadership, human resources, and engagement performance) or quality control requirements in standards set by the relevant professional bodies for internal auditors, for example, the Institute of Internal Auditors. Such bodies may also establish other appropriate requirements such as conducting periodic external quality assessments. Does the ASB agree with the Task Force s proposed application guidance in paragraph A12 to better explain how the notion of systematic and disciplined approach should be considered? Agenda Item 1 Page 4 of 9
Does the ASB agree with the proposed amendments to paragraph A11 to align the consideration of quality control policies with the IIA rather than ISQC1 (or SQCS 8)? 3) Relevant Ethical Requirements Consistent with paragraph 17 of ISA 610 (Revised), paragraph 16 of the proposed SAS states in part that the external auditor shall not use the work of the internal audit function if the external auditor determines that a) the function s organizational status and relevant policies and procedures do not adequately support the objectivity of internal auditors The related application guidance (paragraphs A13-A15) provides further information about how to evaluate the internal auditor s objectivity. However, the Task Force understands that the application guidance in ISA 610 (Revised) is premised upon the IESBA s conceptual framework of threats and safeguards, which is not consistent with the U.S. standards. The task force is concerned that the notions of threats and significant threats, as well as their implications will not be well or consistently understood in the United States. Paragraph A13 refers to the situation where the internal audit function reports to management as being a significant threat. It is not entirely clear to the Task Force how this paragraph is intended to interact with the discussion in paragraph A-7. As a result, the Task Force proposes the following edit to the paragraph A-13. The Task Force believes that the guidance in paragraph A-7 provides an appropriate discussion of the factors to be considered when evaluating the objectivity of the internal audit function: A13. Consideration of the factors in paragraphs A7, A8 and A11 of this ISA proposed SAS individually and in aggregate is important because an individual factor is often not sufficient to conclude that the work of the internal audit function cannot be used for purposes of the audit. For example, the internal audit function s organizational status is particularly important in evaluating threats to the objectivity of the internal auditors. If the internal audit function reports to management, this would be considered a significant threat to the function s objectivity unless other factors such as those described in paragraph A7 of this ISA collectively provide sufficient safeguards to reduce the threat to an acceptable level. Similarly, paragraph A14 refers to the IESBA Code in discussing the self-review threat that is created when the external auditor accepts an engagement to provide internal audit services to an audit client and the results of those services will be used in conducting the audit. The AICPA Code of Ethics does not address the issue in the same way and therefore it is not possible to simply replace the reference to the IESBA Code with a reference to the AICPA Code of Ethics. The Task Force also understands that the AICPA Code may be amended in the relatively near future and therefore believed it to be more appropriate to replace paragraph A14 with a reference to the AICPA Code and not include a more detailed summary of what the Code says. Does the ASB agree with the proposed changes to paragraph A13 and A14? 4) Determining the Nature and Extent of Work that Can Be Assigned to Internal Auditors Providing Direct Assistance Agenda Item 1 Page 5 of 9
Paragraph 30 states that the auditor should not use internal auditors providing direct assistance to perform certain procedures. Paragraph A38 of ISA 610 (Revised), which is application guidance to paragraph 30, states the following: A38. Similarly, since in accordance with ISA 505 4 the external auditor is required to maintain control over external confirmation requests and evaluate the results of external confirmation procedures, it would not be appropriate to assign these responsibilities to internal auditors. However, internal auditors may assist in assembling information necessary for the external auditor to resolve exceptions in confirmation responses. The Task Force believes that this application guidance is not consistent with AU-C 505, External Confirmations, because AU-C 505 does not specifically address the issue of using internal audit in any capacity, and this paragraph therefore introduces a narrow interpretation of AU-C 505. As a result, the Task Force decided to delete the paragraph. Does the ASB agree that this application is not consistent with AU-C 505 and that it should be deleted? 5) Determining Whether Internal Auditors Can Be Used to Provide Direct Assistance for Purposes of the Audit Paragraph 27 requires the auditor to evaluate, among other things, existence and significance of threats to the objectivity of the internal auditor used in direct assistance. The Task Force believes that paragraph A35 (which is attached to paragraph 27 as application guidance) as written in ISA 610 (Revised) is potentially confusing because it seems to suggest that the auditor might need to obtain an understanding about those factors outlined in paragraph A35, rather than obtaining an understanding of the internal auditor s policies and procedures about such matters, i.e., how management monitors and controls these matters. To make the point clearer, the Task Force suggests the following edits: A.35 As stated in paragraph A8 of this ISA SAS, objectivity refers to the ability to perform the proposed work without allowing bias, conflict of interest or undue influence of others to override professional judgments. In evaluating the existence and significance of any threats to the objectivity of an internal auditor, the auditor may consider the following factors may be relevant: Tthe extent to which the internal audit function s organizational status and relevant policies and procedures support the objectivity of the internal auditors, including, for example, policies and procedures addressing the following matters 5 Family and personal relationships 4 ISA 505, paragraphs 7 and 16 5 See paragraph A8. Agenda Item 1 Page 6 of 9
Association with the division or department in the entity to which the work relates Financial interests that are exceptional in the circumstances Does the ASB agree with the Task Force suggestions to amend A35 to make clear the intent of the application guidance? 6) Direct Assistance--Communications with Those Charged with Governance Paragraph 31 of the proposed AU-C reads as follows: The external auditor should, in communicating with those charged with governance an overview of the planned scope and timing of the audit in accordance with AU-C 260, communicate the nature and extent of the planned use of internal auditors to provide direct assistance so as to agree that the proposed nature and extent of the use is not excessive. This requirement originates from the IAASB discussions and deliberations, including those with the IESBA. This requirement represents one of the safeguards put in place in the standard in order to make it more acceptable that internal auditors could be used in a direct assistance capacity, notwithstanding that they are employees of the entity.. The requirement directs the external auditor to communicate with those charged with governance the nature and extent of the planned use of internal auditors in a direct assistance capacity so as to agree that the proposed nature and extent of the use is not excessive. The Task Force deliberated the issue as to whether those charged with governance are in a position to agree with the auditor about the excessive of internal auditors in a direct assistance and the ways an auditor might document the discussion with those charged with governance. The Task Force decided not to propose any changes to the requirement (paragraph 31), but suggests adding application guidance to provide further guidance about how the auditor might communicate the matter and document the agreement with those charged with governance. The Task Force believes it is important to be clear that the communication might be achieved in a variety of ways, and in particular that a documented discussion (as opposed to a formal written communication and agreement) would be acceptable. The Task Force notes that the requirement does not specifically require that the communication and agreement be in writing. The proposed application guidance is as follows: A40. The agreement of those charged with governance that the proposed nature and extent of use of internal auditors to provide direct assistance is not excessive may be obtained in various ways, including for example through a discussion with those charged with governance that is documented accordingly in the audit documentation. Does the ASB agree with the addition of A40 to better explain the manner in which the auditor would document the agreement with those charged with governance? Agenda Item 1 Page 7 of 9
7) Using Internal Auditors to Provide Direct Assistance Paragraph 32 states, in part, that Prior to using internal auditors to provide direct assistance for purposes of the audit, the external auditor should Obtain written agreement from the internal auditors that they will keep confidential specific matters as instructed by the external auditor and inform the external auditor of any threat to their objectivity. The Task Force is concerned that this requirement is confusing because it could be very broadly interpreted, and could cause concern on the part of internal auditors who are asked to provide this written agreement to the external auditor. For example, what is the criterion that an internal auditor would evaluate a threat to their objectivity? Additionally, given that any threats would need to be communicated to the external auditor, this could become a very burdensome requirement. No application guidance has been provided in ISA 610 (Revised). Similar to the discussion in Issue 3 above, the Task Force believes this might be better understood in a jurisdiction where the ethics standards are based on a threats (and significant threats) and safeguards conceptual framework. The Task Force believes that additional application guidance is needed in the United States to further explain that external auditors may work with internal auditors in communicating the purpose of this requirement and in explaining what kinds of things external auditors would expect to be communicated pursuant to the requirement. What are the ASB s views on the issue? Does the ASB agree that additional application guidance is necessary and that the Task Force s preliminary views are appropriate? Alternatively, does the ASB believe that the requirement should be modified, and if so, how might this be done without diverging from the ISA? Does the ASB believe that this is an issue which should be highlighted in the explanatory memorandum to ED as a question for responders? 8) Other The Task Force made other changes to the ISA 610 (Revised) wording as reflected in the matrix document with applicable commentary in the Comments column. The Task Force seeks input from ASB on the appropriateness of these changes and requests the ASB to provide such input when the Task Force reviews the proposed SAS with the ASB, paragraph-by-paragraph. Items Presented Item 1 Cover Memo Item 1A Matrix AU-C 610 Agenda Item 1 Page 8 of 9
Item 1B AU-C 610 Proposed SAS Item 1C AU-C 315 Conforming Amendments Item 1D Other Conforming Amendments Internal Audit Ms. Zietsman will refer to the cover memo (item 1) and the matrix (item 1A) in leading the discussion of this topic. Agenda Item 1 Page 9 of 9