RELIANCE BY INTERNAL AUDIT ON OTHER ASSURANCE PROVIDERS-PRACTICE GUIDE - DECEMBER 2011


Reliance by Internal Audit on Other Assurance Providers

DECEMBER 2011
IPPF – Practice Guide
Reliance by Internal Audit on Other Assurance Providers

Table of Contents

Executive Summary .......................................................... 1
Introduction ................................................................ 1
Principles for Relying on the Work of Internal or External Assurance Providers ... 4
Relying on Internal Assurance Providers ..................................... 6
Relying on External Assurance Providers .................................... 10
Appendix A: Services Provided by External Assurance Provider ............... 13
Appendix B: Guide for Internal Auditors to Assess the Reliability of Other Assurance Providers ... 17
Glossary ................................................................... 21
About the Authors and Reviewers ............................................ 26


Executive Summary

Chief audit executives (CAEs) are charged with providing assurance on the adequacy of governance, risk management, and related internal controls. This gives management and an organization’s governing body, including the audit committee, an assessment of risk, governance, and control processes and practices across the organization, rather than a series of audit reports on individual areas of the organization. Since the risk profile is in a perpetual state of change, internal audit functions are challenged in meeting this expectation using traditional, point-in-time, or cycle audit methods and resources.

Ever-increasing compliance requirements and business complexity have driven companies to establish or procure other risk management and assurance functions. They are charged with measuring and reporting risk, identifying control gaps, tracking remediation, and concluding whether control processes are operating effectively in specific areas. Examples of some internal assurance providers are environmental compliance groups, quality management functions that focus on manufacturing activities, internal control teams that assess controls over financial reporting, and IT governance groups. External assurance providers are often engaged to communicate an opinion to another auditor regarding specific control objectives operated by a service provider. These activities provide assurance on the areas they assessed and recommendations to strengthen the related controls, often in areas that are within the scope of internal audit’s work.

This practice guide provides guidance to the CAE and internal audit leadership on an approach for relying on the assurance provided by other internal or external assurance functions. A continuum of five principles determines the extent of reliance:

1. Purpose.
2. Independence and Objectivity.
3. Competence.
4. Elements of Practice.
5. Communication of Results and Remediation.

The principles are interdependent. To illustrate, the CAE would place higher value on assurance providers who commit to a common purpose, convey objective expertise, and practice rigor and monitoring to shorten the time to management action. The results of these other assurance providers can be integrated with the work of internal audit to communicate a comprehensive opinion to key stakeholders. The guidance gives a process for valuing the work of others and assessing the reliability of assurance providers. In turn, good coordination attracts greater reliance on internal audit, decreasing the cost of compliance and increasing the efficiency of providing assurance.

Introduction

1.1 Introduction

Internal audit is charged by the International Standards for Professional Practice of Internal Auditing (Standards) with providing assurance on the adequacy of governance, risk management, and related controls. In many organizations, management has established (or engaged a third party to provide) other assurance functions — such as in the areas of IT projects, manufacturing quality, environmental health and safety, controls over financial reporting, and other regulatory compliance. The purpose of this practice guide is to provide ideas and ways to leverage the work of other assurance providers, whether the assurance is provided internally within the organization or externally, to minimize duplication of work and disruption to the operation, provide enhanced coverage, and conserve audit resources for high-risk processes.

Standard 2050: Coordination
The chief audit executive should share information and coordinate activities with other internal and external providers of assurance and consulting services to ensure proper coverage and minimize duplication of efforts.


An added value to the organization of coordinating the activities of the various assurance providers is limiting duplicate work. Multiple audits or examinations of the same risks and testing of the same controls by multiple assurance providers is an unnecessary burden on process owners and an inefficient use of resources. If one assurance provider, such as internal audit, can rely on the work of another, the value is clear.

1.2 Who are assurance providers?

IIA Practice Advisory 2050-2: Assurance Maps describes three classes of assurance providers, differentiated by the stakeholders they serve, their level of independence from the activities over which they provide assurance, and the robustness of that assurance:

  A. Those who report to management and/or are part of management (management assurance), including individuals who perform control self-assessments, quality auditors, environmental auditors, and other management-designated assurance personnel.
  B. Those who report to the board, including internal audit.
  C. Those who report to external stakeholders (such as external audit assurance, which is a role traditionally fulfilled by the independent/statutory auditor).

The IIA defines assurance as an objective examination of evidence for the purpose of providing an independent assessment on governance, risk management, and control processes. The level of assurance desired, and who should provide that assurance, will vary depending on the risk and stakeholder expectations. The scope of the internal audit function covers the entire organization, including risk management processes (both their design and operating effectiveness), and the management of those risks classified as “key” or significant (including the effectiveness of the related controls).

1.3 Benefits

The IIA’s Standards define an internal audit activity as:

“A department, division, team of consultants, or other practitioner(s) that provides independent, objective assurance and consulting services designed to add value and improve an organization’s operations. The internal audit activity helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of governance, risk management, and control processes.”

It is noteworthy that this definition emphasizes objective assurance and does not reference an expectation for delivering audit reports or ensuring compliance. Traditionally, internal auditors spend a significant amount of time performing direct inspection audits, but there are other ways to provide assurance. The typical organization has a number of different groups who provide risk management, compliance, and assurance activities independently of one another. In many cases these groups are testing controls deeper and with greater frequency than the internal auditor. Without effective coordination and reporting, work can be duplicated or key risks may be missed or misjudged. By adopting a more integrated assurance model that includes the internal auditor relying on the work of others, several benefits accrue to the organization. These include:

  • More precise assurance by involving greater subject matter expertise in audit activities. For example, reliance on an environmental compliance group with specialized knowledge and certifications in the field of environmental regulations may improve the level of insight into operations and the quality of assurance provided.
  • Reduced redundancy of effort (audit once, audit well) and ‘audit fatigue’ for the organization.
  • Expanded coverage of the enterprise without increasing direct audit hours. (Reliance on others may allow internal audit to reduce the hours spent in that area and allocate them to other risk areas.)
  • Shortened time to management action. For example, the other assurance provider may have continuous


    monitoring methods in place, or management may have integrated responses to issues detected by other assurance groups into routine business processes.
  • Strategic collaboration, transparency, and better governance for meeting organizational objectives, resulting in predictable compliance. When all the groups involved in assurance cooperate and share information, insights, and best practices, the quality of the whole effort is likely to rise.

Reliance on other assurance groups may enable the CAE to redirect scarce audit resources to other areas of significant risk to the enterprise. For example, the audit plan may be expanded to include additional strategic risks, or risks in connection with mergers and acquisitions, major IT and other initiatives and capital programs, and research and development processes.

The IIA’s Practice Guide, Coordinating Risk Management and Assurance, advises the CAE to help in the creation of an assurance map for the organization to create a more connected assurance and governance community. Assurance maps help identify duplication and overlap in assurance coverage, define scope boundaries and roles for various assurance providers, and determine gaps in assurance coverage that need to be addressed.

1.4 Risk

Relying on other assurance providers, however, can add audit risks such as:

  • Missing a control weakness or deficiency and reaching the wrong conclusion due to defects in the work or coverage of the other assurance provider.
  • Failing to identify issues that are not shared by the other assurance provider due to their lack of independence from management.
  • Raising as an exception and issuing a matter out of context that would not ordinarily be considered significant by internal audit, due to differences in risk assessment processes.

Since external and internal assurance providers and the internal auditor may have different purposes, it is important to manage expectations beforehand regarding the purpose of the review, the objectivity and competence of the evaluator, the rigor of the assessment and testing processes, and the timeliness of the conclusion.

1.5 Opportunity

Other sources or forms of assurance can advance innovative models for communicating assurance as an alternative to the traditional inspect-and-report model. Practices such as continuous monitoring, self-reported issues, and macro-assurance planning are designed to assess and strengthen internal controls by identifying issues promptly and reducing the time to management action:

  • Continuous Monitoring: Monitoring controls to detect potential failures, or transactions to identify possible errors and defects, enables management to see and respond to risk early, as it emerges. Continuous monitoring reduces the time to action, sustains the resolution, and extends assurance. When management has continuous monitoring practices in place, internal audit may be able to assess the programs and then rely on them as part of a continuous auditing or assurance program.
  • Self-reported Issues: This practice empowers management to raise issues and track remediation to advance corrective action. Internal auditors gain comfort when management promptly addresses root causes for the self-reported issues.
  • Macro-assurance: Pervasive themes can be highlighted by comparing and trending common issues raised by the governance community. Coordinating principle-based assessments performed by other assurance providers in sequence with internal audit engagements could give an over-arching macro-opinion across multiple entities or processes.

In addition, efficiency and effectiveness of overall assurance activities may be improved when common tools are


used by the internal auditor and other assurance providers. For example, multiple assurance functions can use an integrated platform to manage the assessment process, share results, and track remediation of significant issues. The sharing of schedules and plans, and the results of assessments, can avoid duplicate work. It also can highlight areas of increased risk. For example, multiple compliance issues raised by other assurance groups (such as noncompliance with trade compliance regulations) may indicate a need to address entity-level controls (such as the availability of experts in trade compliance regulations).

Principles for Relying on the Work of Internal or External Assurance Providers

2.1 Prior Guidance

The CAE can look to several authoritative sources for guidance on how the internal auditor may rely on the work of others. The IIA’s Practice Guide, Formulating and Expressing Internal Audit Opinions (April 2009), defines other assurance providers and provides guidance for a CAE to assess their competency, independence, and objectivity.

According to The IIA’s Practice Advisory 2050-3: Relying on the Work of Other Assurance Providers, the decision to rely on the work of other assurance providers can be made for a variety of reasons:

  • To address areas falling outside of the competence of the internal audit activity.
  • To gain knowledge transfer from other assurance providers.
  • To efficiently enhance coverage of risk beyond the audit plan.

2.2 Five Principles in Determining Reliance

The extent of reliance to be placed on the other internal or external assurance providers depends on the following five principles:

1. Purpose: The assurance provider is clear in purpose and committed to providing assurance on a specified risk area, and their work is relevant to internal audit’s objectives and scope. This is a fundamental principle which must be in place before proceeding further with an evaluation to determine reliability. For internal providers, the purpose should be established in a charter or other similar documentation. For external providers this should be provided for in a contract or statement of work.

2. Independence & Objectivity: The professional judgment of the assurance provider is impartial, without inappropriate interference from others. The assurance provider should demonstrate a sufficient degree of objectivity in the course of its work. Although internal assurance providers often report to management and thus are not truly independent, they can be relied on when they demonstrate appropriate objectivity and competence.

3. Competence: The assurance provider is knowledgeable of the risks to the organizational processes, how controls are designed to operate in response to the risks, and what constitutes a weakness or deficiency. Characteristics of proficiency for internal or external assurance providers include organizational process expertise, education level, professional experience, relevant professional certifications, continuing education, and the assurance provider’s reputation for sound judgment.

4. Elements of Practice: The assurance provider has established policies, programs, and procedures and follows them. In execution, assurance work is appropriately planned, supervised, documented, and reviewed. Results are based on persuasive evidence sufficient to support the level of assurance. They also should have the authority to access sufficient information to reach a conclusion.


5. Communication of Results & Impactful Remediation: The assurance provider communicates results and ensures management takes timely action. Weaknesses and deficiencies are reported to the person directly responsible for taking corrective actions and to the members of management that have oversight responsibilities. Ongoing monitoring ensures the resolution is sustained as intended. Rigorous process and persuasive and reliable communication results in prompt corrective action. In turn, management action validates an effective assurance process that internal audit can place greater reliance on.

[Diagram: a continuum from Low Reliance to High Reliance, with upward arrows for Purpose, Objectivity, Competency, Elements of Practice, and Impact, set against the Level of Risk. Caption: Assessment of each factor plus consideration of risk determines reliability.]

The application of these principles is further described in this diagram. The upward arrows depict a continuum. As the assurance provider puts these principles into practice, the CAE can place higher reliance on the provider’s work.

Purpose: When the assurance provider is committed and its purpose is aligned with internal audit’s objectives, auditors will find the work more relevant.

Objectivity: The assurance provider can demonstrate credibility and deliver value to the internal auditor even where independence is lacking. The assurance provider’s competence, elements of practice, and impact are key factors in balancing lower objectivity and establishing reliance.

Competence: Assurance providers can bring a high level of expertise relevant to the specific business process while exercising sufficient objectivity. Although internal auditors provide a high degree of objectivity, they may not have the depth of knowledge needed to provide the desired level of assurance in certain organizational processes or technical areas.

Elements of Practice: The external and internal assurance providers’ discipline to practice standard procedures is directly related to their capability for timely and persuasive conclusions. Consistency and rigor in practice should raise the internal auditor’s confidence in the assurance provider’s work.

Impact: Internal assurance providers who are in close proximity to the business process may communicate risk and influence management to remediate control deficiencies quickly, perhaps more quickly than would a traditional internal audit. By monitoring risk and responding promptly, internal assurance providers may shorten the time to management action.

These principles are interdependent and operate at different levels, proportionate to risk. The internal auditor must evaluate each of these principles in relation to each other and to the overall risk of the relevant processes to arrive at a decision on whether to rely, and how much to rely, on another source of assurance provided outside of internal audit. For example, an assurance activity that has a clear purpose and is found to be objective and competent, but does not effectively communicate results or effect constructive change, would likely lead the CAE to rely on it to a much lesser extent. It also is important to note the positive role the internal audit function can play in raising the performance bar for other assurance providers through sharing of best practices and insight into risk management, controls, and audit principles.


Relying on Internal Assurance Providers

3.1 Who are Internal Assurance Providers?

Internal assurance providers (other than the independent internal audit function) are groups that may report to the board, report to management, or are part of management. These members of the governance community may conduct control self-assessments, continuous monitoring and compliance inspections, quality audits, or a variety of other activities by other names which are designed to provide assurance of achievement of some key organizational objectives or requirements. Organizationally, these individuals and groups may report to the legal department (common for regulatory compliance functions); finance (common for financial reporting control focused or regulatory compliance functions); information security (common for security functions under the chief information officer); environmental, health and safety; or to any operational unit that has decided to invest in a compliance program. All of these are groups the CAE should consider when developing audit plans with the potential to rely on their work.

3.2 Considerations for Internal Assurance Provider

The International Accounting Standards Board (IASB) is an independent accounting standard-setter with the objective of establishing globally accepted financial reporting standards based on clear accounting principles. The IASB gives guidance on using the work of component auditors, internal auditors, and auditor’s experts in International Standard on Auditing (IAS) Nos. 600, 610, and 620, respectively. IAS 610 describes the following factors that primarily affect the external auditors’ determination for using the work of internal auditors:

  • Objectivity.
  • Technical competence.
  • Due professional care.
  • Regular communication.

IAS 620, Using the Work of an Auditor’s Expert, names competence, capability, and objectivity as essential factors when considering reliance on the work of others’ expertise. Competence relates to the nature and level of expertise of the auditor’s expert. Capability relates to the ability to exercise that competence in carrying out the engagement. Objectivity relates to the possible effects that bias, conflict of interest, or the influence of others may have on the expert’s judgment.

Similarly, the U.S. Public Company Accounting Oversight Board (PCAOB), a private corporation that oversees the auditors of public companies in the United States, has provided guidance [1] to external auditors on relying on the work of others. The same principles and considerations should be applied in relation to internal audit relying on the work of others. The level of reliance should be based on a careful evaluation of the competence, practices, and objectivity of the persons on whose work the auditor plans to rely. A higher degree of competence and objectivity results in greater reliance.

For purposes of relying on the work of others, the PCAOB defines competence as the attainment and maintenance of a level of understanding and knowledge that enables a person to perform assigned tasks. Objectivity means the ability to perform those tasks impartially and with intellectual honesty. When assessing the internal assurance provider’s competence, the CAE should evaluate such factors as:

  • Educational level and professional experience of staff.

[1] Auditing Standard No. 5: An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements; PCAOB Release No. 2007-005A; AU Section 322 — The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements

                                                                                                                                           www.theiia.org/guidance     /     6
  • Professional certification and continuing education.
  • Audit policies, programs, and procedures.
  • Supervision and review of staff activities.
  • Quality of workpaper documentation, reports, and recommendations.
  • Evaluation of staff performance.

Assessing the objectivity of other assurance providers can be a challenge, as most of these groups report to management and not to an independent body such as the audit committee of the board of directors, the supervisory board, or the head of an agency. There are several factors the CAE may consider when determining if the assurance group demonstrates sufficient objectivity to be relied on:
  • The reporting lines for the other assurance group and the level of management to which they report.
  • Whether the scope of work, including the tests performed, or the assessment and reporting of the other assurance provider are inappropriately influenced by management.
  • Policies and practices preventing the assurance provider from auditing areas where the individuals involved have current or recent operational responsibilities.
  • The internal auditor’s assessment of the quality of work performed by the assurance function, including fact-based conclusions, reporting, and follow-up to identified issues.

3.3 Know When to Rely and Not to Rely

Before investing any significant time in evaluating a particular internal assurance function, the CAE can consider some key factors to determine the extent of potential reliance. These include:
  • A charter or similar statement of clear objectives and well-defined responsibilities.
  • Objective reporting relationships and the absence of conflicting operational duties.
  • Sufficient expertise regarding the organizational process and risk.
  • Disciplined, repeatable processes.
  • Communication of results, risks, or control concerns, and remediation tracking.

It also is critical to understand the scope of assurance work performed by an internal assurance provider and how it may fit into the internal auditor’s assurance objectives and audit plans. Even though internal audit can bring value to the enterprise through objective quality reviews of internal assurance and compliance functions, there is limited value if this work does not extend coverage and help the CAE provide greater assurance to its stakeholders.

3.4 A Process for Relying on the Work of Others

The internal auditor should develop a consistent process for how it will place reliance on the work of others. The following is a basic approach that has been successful for some internal audit functions. It involves the basic steps of identification, evaluation, adjustment, and monitoring.

[Figure: the reliance process shown as a cycle of four steps, Identify, Evaluate, Adjust, and Monitor.]

Identify — Locate internal assurance groups and determine maturity and priority based on a preliminary assessment. In large, complex enterprises this can be a challenge. If an organization has an enterprise risk management process, this can be a good single source for identifying additional groups. As other assurance providers are identified, the internal auditor also must consider how their scope fits into internal audit’s own view of the overall risk and control environment and the potential benefits of integrating these assurance activities. Priorities should be based on measurable value to the organization. This value includes expanding coverage and minimizing fatigue caused by redundant audit activities.

Evaluate — Perform an evaluation of individual groups to determine the extent to which the internal auditor can rely on the work of others. This is the most critical and time-consuming phase of the reliance model, where internal audit carefully considers the competency and objectivity of the assurance work performed by others. This evaluation also can bring value to the enterprise by providing recommendations to improve the effectiveness of assurance activities. As the evaluation is concluded, there should be a clear communication of how internal audit intends to use the assurance work on an ongoing basis. Additional guidance is provided below on how to evaluate the assurance provider.

Adjust — Modify audit plans and scope to eliminate duplicative testing and expand risk coverage. To realize the full value from a more integrated assurance model, careful consideration must be given to how these other activities can be used to bolster the independent assurance internal audit provides management, and where there are opportunities to reduce internal audit’s own testing. Internal audit should communicate expectations, objectives, and responsibilities in a memorandum of understanding with other assurance providers regarding the portion of their work that will be relied on.

Monitor — Maintain close communication with each group, sharing risk assessments, audit plans, and results. It is important to establish a strong communication and sharing protocol following the evaluation of the assurance providers. This will help ensure the most efficient and effective use of internal audit resources as well as maintain confidence in relying on the work of the other providers. A re-evaluation of the assurance providers should be performed on a periodic basis (see section 3.6).

3.5 Reliance Continuum: Levels of Value

The value the internal auditor can derive from an effective partnership with other assurance groups will vary. There is a continuum of reliance moving from one side of the spectrum, where the auditor determines the work of the other assurance provider is useful but places little reliance on it, across the spectrum to where an assurance provider is fully relied on.

Reliance continuum, read left to right from low reliance to high reliance:

  Low reliance            |                           |                        | High reliance
  ------------------------+---------------------------+------------------------+---------------------------
  Program commitment      | Common purpose            | Common purpose         | Integral purpose/priority
  Broad expertise         | Process expertise         | Process expertise      | Technical expertise
  Assess and report risk  | Inspection discipline     | Repeatable testing     | Rigorous practice
                          | Point-in-time conclusion  | Issue tracking         | Sustained remediation
                          |                           | Analytics              | Continuous monitoring
                          |                           |                        | Communicate emerging risk
At a minimum, an effective assurance or compliance function should be regularly assessing and communicating risk for its area of responsibility. If the risk assessment process is determined to be sound, it can provide valuable information to help the internal auditor develop audit plans and priorities.

More robust assurance functions, which begin to incorporate periodic testing of controls, may allow the internal auditor to rely on their conclusions at a particular point in time. As these assessments become more frequent and extensive, the internal auditor may be able to place more reliance and further reduce the depth or frequency of its own testing.

Finally, where an effective assurance program is coupled with reliable monitoring mechanisms embedded at the control level, the internal auditor may place the maximum degree of reliance and confidence in the activity.

3.6 Importance of Periodic Evaluation of the Other Assurance Provider

Where internal audit will rely to any measurable extent on the work of other assurance providers, regular assessments should be made of the assurance providers’ programs. This is a critical element for internal audit to include in any reliance model to mitigate the risks described earlier (see section 1.4). These assessments should address the continued adequacy of the assurance providers’:
  • Objectivity.
  • Competence.
  • Practices.
  • Communication that enacts change.

The assessment should include performing tests sufficient to provide objective evidence supporting the reliance placed by internal audit. Opportunities for improving the work of the other assurance provider should be reported, consistent with standard internal audit practices.

Considerations for the CAE – A Case Study

Complex and business-critical processes compel an approach for relying on other assurance providers:

A global provider of computer products and services relies on a complex and multichannel sales process involving thousands of third-party distributors around the world. Effectively managing this mix of sales channels can be a competitive advantage and is essential for the long-term success of the business. Management has implemented numerous control processes to mitigate a range of risks inherent in this area. Some examples of risk include compliance (e.g., doing business with restricted parties), financial (e.g., unprofitable sales discounting), and operational (e.g., non-standard and inefficient processes).

Based on management’s assessment of the risks and identified control weaknesses, management has invested in a compliance program that includes regular self-assessments by trained, objective assessors outside of internal audit, who test the operating effectiveness of key controls, report findings, and recommend corrective actions. Internal audit provided consultation to help management develop the control framework and key compliance program elements with the intent to rely on this work. This model promoted management ownership of risk and control and more frequent monitoring and testing of controls than the internal audit function could realistically provide due to resource constraints and other enterprise risks to be monitored.

Once the compliance program was implemented and stabilized, internal audit performed a review to validate that it was operating as intended, providing factual and objective assurance and driving positive change in the business. As part of the review, internal audit also connected the compliance program scope with the audit plan and determined how and when the work would be leveraged, and agreed with management on how the two groups would communicate on a regular basis, share information, and collaborate to form a trusted partnership.

Internal audit has significantly reduced the frequency and depth of its control testing, which is now covered by management’s compliance process, and has been able to focus on other areas historically not audited, such as product lifecycle management, strategic sourcing, and IT project management.
Relying on the Work of External Assurance Providers

4.1 Introduction

A wide variety of external groups provide assurance services to organizations worldwide to ensure that internal controls and risk management procedures are in place and operating effectively. External assurance providers also provide these services at third-party service organizations for the benefit of the service organization and its respective business clients. The purpose of this section is to examine some of the services offered by external assurance providers and discuss key areas that the CAE should consider before placing reliance on their work.

4.2 Who Are External Assurance Providers?

Common external assurance providers include public accounting firms, government auditor general offices, consulting companies, legal firms, security organizations, and internal audit departments of third-party service providers. The following provides a description of each.

Public accounting firms – provide many assurance services such as opining on the fairness and accuracy of financial statements; performing International Organization for Standardization (ISO) certification reviews to ensure that an organization conforms to the requirements specified in an ISO standard; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; reporting on a service provider’s privacy program and assessing the protection of personal information; and performing attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Government auditor general offices – provide services similar to public accounting firms; however, they are usually government-appointed functions that report to the overall government rather than to shareholders. They provide many assurance services such as opining on the fairness and accuracy of financial statements; performing performance audits to give assurance that appropriate value for money is being achieved from various activities and projects; conducting reviews of compliance with laws and regulations; assessing the effectiveness of internal controls over financial reporting; and performing attest engagements covering system security, availability, processing integrity, confidentiality, and privacy.

Consulting companies – provide many services similar to those of the public accounting firms mentioned above. However, they are not licensed or registered to issue an opinion on the fairness of financial statements.

Legal firms – provide services to help organizations and third-party service providers assess compliance with various laws and regulations in the jurisdictions where they do business. Legal firms also bring a wealth of knowledge when assisting organizations in completing privacy and legal risk assessments.

Security organizations – provide specialized assurance services such as validating compliance with the requirements of the Payment Card Industry Data Security Standard (PCI DSS) as a qualified security assessor (QSA), conducting network penetration assessments, and performing system vulnerability assessments for security patches, viruses, and fixes. They also provide services related to fraud and IT risk assessments.

The internal audit function of service providers – like other internal audit departments, provides many auditing and consulting services to ensure that internal controls are working effectively and efficiently, and verifies that management has programs in place to address significant IT infrastructure risk, application risk, and business process risk relevant to the organization.

Internal audit functions of user entities – often the service organization is contacted by the internal audit functions of its customers, the user entities, to provide assurance regarding a particular service or organizational process or to gain visibility over a specific time period. It is not unusual for the service organization to be audited by multiple user entities. Analyzing the audit results and issues raised through assessments conducted by user entities can provide the service organization with common themes that give a unique view of its capability for carrying out control activities consistently.

Specific services provided by external assurance providers can be found in appendix A.

4.3 Considerations for the CAE When Relying on External Assurance Providers

It is important for management and the CAE to understand the relevance of assurance work completed by external assurance providers within the organization. It also is important for management and the CAE to have the same understanding if the organization is outsourcing key business processes to third-party service providers. The CAE also must assess the impact their assurance work may have on the internal audit function.

For information on the role of the CAE in sharing information and coordinating activities with other providers of assurance and consulting services, refer to The IIA’s Practice Guide on Coordinating Risk Management and Assurance.

Some common questions are outlined below, along with points for consideration:

1. Are the external assurance providers sufficiently qualified, objective, and independent to perform the necessary assurance work? How much reliance should the CAE place on the work of external assurance providers?

   The CAE should:
   • Determine if the external assurance provider is subject to professional performance standards and guidance such as those prescribed by The IIA, the International Federation of Accountants (IFAC), the International Organization of Supreme Audit Institutions (INTOSAI), and other similar governing bodies.
   • Ensure that the external assurance provider is in good standing with its respective governing body, and place greater reliance on the work of compliant external assurance providers compared to those not subject to professional standards.
   • Determine if the external assurance provider is subject to professional ethics requirements to ensure the assurance work is performed by qualified individuals, and done in an objective and independent manner.
   • Confirm that due diligence was performed on the external assurance provider that includes background checks, financial stability, years in business, a confidentiality agreement, references, and a review of the resumes of the provider’s engagement employees.
   • Obtain evidence, as necessary, to confirm that the individuals performing the work meet competency and experience requirements, that the work is performed and supervised consistent with quality standards, and that the assessment and report are free from inappropriate influence from management. Consideration should be given to whether the assurance provider performs other consulting work for management which might influence its assurance activities, including whether there is either a real or perceived independence and objectivity issue.

2. What is the impact to the annual internal audit plan if the CAE either places reliance or does not place reliance on the work of external assurance providers?

   The CAE should:
   • Be aware of the scope, objectives, and findings of the external assurance engagement to determine the impact to the annual audit plan.
   • Determine if there is duplication of audit coverage as a result of the engagement. Alternatively, the CAE should determine if there are coverage gaps in the engagement that may require additional audit work by internal audit.
   • If the engagement is performed at the organization, determine if there is an opportunity to co-source the engagement or, at a minimum, participate in the tracking of audit findings and resolutions.
   • If the engagement was conducted at the organization’s third-party service provider, reach out to the service provider to obtain information about the engagement.
   • Consider the need for any preliminary audit work prior to the start of the engagement.

3. Do the objectives and scope of work performed by external assurance providers address key risks of the organization?

   The CAE should:
   • Carefully review and understand the scope and objectives of the external assurance engagement before determining the impact it may have on internal audit.
   • Keep in mind that an external assurance engagement typically will not cover all the business risks, key controls, and concerns.

4. Should internal audit complete additional assurance work to supplement the work of external assurance providers?
   • An external assurance engagement typically will not cover all the risks and exposures related to the organization. As such, the CAE and internal audit may have to perform additional audit work based on internal audit’s own risk assessment.
   • Consider the scope, objectives, and results of the engagement before finalizing any additional audit work.
   • Before additional audit work is planned at the organization’s third-party service provider(s), identify the right-to-audit clauses contained in the service agreement with the service provider.

5. Should internal audit reperform audit work completed by external assurance providers?
   • The level of expertise brought to the engagement and the rigor practiced by the other assurance provider will determine the extent of diligence internal audit must conduct before accepting their audit work. In most cases internal audit would not reperform testing; rather, the CAE should conduct a suitable analysis to determine if the audit work completed was commensurate with the intended assertions, based on the risk, scope, and competence of the external service providers.
   • For specialist reviews like penetration and network vulnerability engagements or income tax consulting, the CAE should understand that the area is technical in nature, so the skill set of each auditor reviewing the work should include a solid background in network and information security, income taxes, or the relevant specialty.

6. Should the CAE pursue co-sourcing arrangements with external assurance providers?
   • The CAE should consider co-sourcing arrangements with the external assurance provider, separate from management’s own engagement, that would provide the appropriate skill sets and add to the efficiency and effectiveness of the audit engagement.

Co-sourcing arrangements may include preliminary audit work prior to the start of the engagement, conducting some audit work during the engagement under the supervision of the external service provider, and completing post-audit work to validate ongoing compliance and remediation efforts.
Appendix

Appendix A: Services Provided by External Assurance Provider

The types of services offered by external assurance service providers include AICPA/CICA SysTrust, ISO/IEC 27001 certification reviews against the ISO/IEC 27002:2005 code of practice (certification itself is issued against ISO/IEC 27001, the management-system requirements standard; ISO/IEC 27002 is its companion code of practice and is not certifiable on its own), SSAE 16/ISAE 3402 reviews, internal audit co-sourcing, PCI DSS assessments, network penetration security assessments, vulnerability management reviews, and many other types of services. A description of some of these common services follows:

AICPA/CICA SysTrust

In North America, SysTrust is a branded assurance service offering licensed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) Trust Servic-

As a licensed offering, SysTrust engagements are conducted by certified public accountants (CPAs) or chartered accountants (CAs). Many organizations, particularly third-party service providers, request this type of engagement to demonstrate to their clients that they are concerned about protecting the information assets entrusted to them, and addressing business risks and controls associated with complex IT systems. These reports also can be used by the service organization in marketing its services to potential clients/customers.

ISO/IEC 27002:2005

The ISO/IEC 27002:2005 – Code of Practice for information security management is one of a set of Information Security Management System (ISMS) standards published by the International Organization for Standardization (ISO) and the International Electrotechnical
                                                                                                 Commission (IEC). Through the use of these standards,
es Principles and Criteria (Trust Services). Trust Services
                                                                                                 organizations can develop and implement a framework for
are professional attestation and advisory services based on
                                                                                                 managing the security of their information assets such as
principles and criteria that address risks and opportuni-
                                                                                                 financial information, intellectual property, and customer
ties of IT-enabled systems and privacy programs. Specific
                                                                                                 and employee personal information. The ISMS family
areas covered in Trust Services guidance include:2
                                                                                                 of standards consists of the following international stan-
                                                                                                 dards, under the general title of Information technology
  • Security – the system is protected against unauthor-
                                                                                                 – Security techniques:3
    ized access (both physical and logical).
  • Availability – the system is available for operation                                            • ISO/IEC 27000:2009, Information security manage-
    and use as committed or agreed.                                                                   ment systems — Overview and vocabulary.
  • Processing integrity – system processing is complete,                                           • ISO/IEC 27001:2005, Information security manage-
    accurate, timely, and authorized.                                                                 ment systems — Requirements.
  • Confidentiality – information designated as confi-                                              • ISO/IEC 27002:2005, Code of practice for informa-
    dential is protected as committed or agreed.                                                      tion security management.
  • Privacy – personal information is collected, used,                                              • ISO/IEC 27003, Information security management
    retained, disclosed, and destroyed in conformity with                                             system implementation guidance.
    the commitments in the entity’s privacy notice and
                                                                                                    • ISO/IEC 27004, Information security management
    with criteria set forth in generally accepted privacy
                                                                                                      — Measurement.
    principles issued by the AICPA and CICA.
2 Trust Services Principles and Criteria – An Overview, January, 29, 2009, www.aicpa.org/InterestAreas/InformationTechnology/Resources.
3. ISO/IEC 27000:2009, Information technology – Security techniques – Information security management systems – Overview and vocabulary, First edition 2009-05-01, ISO/IEC.
   This material is reproduced from ISO/IEC 27000:2009 with permission from the American National Standards Institute (ANSI) on behalf of the International Organization for
   Standardization (ISO). No part of this material may be copied or reproduced in any form, electronic retrieval system or otherwise or made available on the Internet, a public network,
   by satellite or otherwise without the prior written consent of the ANSI. Copies of this standard may be purchased from ANSI, 25 West 43rd Street, New York, NY 10036, (212) 642-
   4900, http://webstore.ansi.org.

                                                                                                                                        www.globaliia.org/standards-guidance       /   13
IPPF – Practice Guide
                                                                  Reliance by Internal Audit on Other Assurance Providers

  • ISO/IEC 27005:2008, Information security risk                         clients that they have good security practices in place to
    management.                                                           protect the information assets that are entrusted to them.
  • ISO/IEC 27006:2007, Requirements for bodies pro-
    viding audit and certification of information security                ISO does not audit or assess an organization to validate
    management system.                                                    that its standards are being implemented in conformity
                                                                          with the requirements. An external independent certifica-
  • ISO/IEC 27007, Guidelines for information security
                                                                          tion body or ISO registrar conducts the audit to deter-
    management systems auditing.
                                                                          mine if the organization conforms to the requirements
  • ISO/IEC 27011, Information security management                        specified in the standard to obtain certification. There are
    guidelines for telecommunications organizations                       numerous certification bodies (assurance service provid-
    based on ISO/IEC 27002.                                               ers) worldwide that carry out certification assessments.
ISO/IEC 27002 provides guidance on the implementa-                        External service providers performing this type of service
tion of 11 commonly accepted security control objectives                  include public accounting firms, consulting companies,
along with best practice controls that can be applied to                  and sole practitioners.
achieve the objectives. The standard also includes com-
ments on risk assessment and treatment. Specific areas                    SSAE 16/ISAE 3402
covered in the standard include:                                          Third party assurance reviews are normally performed for
  • Security policy.                                                      organizations that process financial transactions for their
                                                                          clients or customers. The resulting report is typically used
  • Organization of information security.
                                                                          by internal and external auditors and can potentially re-
  • Asset management.                                                     duce the amount of work required in their audits. The
  • Human resources security.                                             reports describe the service offerings and the control en-
                                                                          vironment surrounding the processing of customer trans-
  • Physical and environmental security.
                                                                          actions.
  • Communications and operations management.
  • Access control.                                                       ISAE 3402

  • Information systems acquisition, development, and                     The International Standard on Assurance Engagements
    maintenance.                                                          No. 3402 (ISAE 3402), Assurance Reports on Controls
                                                                          at a Service Organization, was issued in December 2009
  • Information security incident management.
                                                                          by the International Auditing and Assurance Standards
  • Business continuity management.                                       Board (IAASB) under the International Federation of Ac-
  • Compliance.                                                           countants (IFAC). ISAE 3402 was developed to provide
                                                                          an international assurance standard for allowing public
Many organizations, particularly third-party service pro-                 accountants to issue a report for user organizations and
viders, who have adopted the ISO/IEC 27002 informa-                       their auditors (user auditors) on the controls at a service
tion security management standard, choose to be certified                 organization that are likely to impact or be a part of the
compliant with the standard through a formal indepen-                     user organization’s system of internal control over finan-
dent audit. Third-party service providers often use this                  cial reporting.4 The effective date for this standard applies
certification to demonstrate to current and future business               to periods ending on or after June 15, 2011.

4 2011 IAES3402.com, http://isae3402.com/ISAE3402_overview.html

                                                                                                    www.globaliia.org/standards-guidance   /   14
SSAE 16

Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization, was finalized by the Auditing Standards Board of the AICPA in January 2010. SSAE 16 replaced Statement on Auditing Standards (SAS) No. 70, Service Organizations, as the authoritative guidance for reporting on controls at service organizations. SSAE 16 was formally issued in April 2010 with an effective date of June 15, 2011.5 SSAE 16 is based on the IAASB assurance standard for service auditors, ISAE 3402. It should be noted that the requirements for auditing the financial statements of entities that use service organizations remain in the auditing standards, in a new SAS, Audit Considerations Relating to an Entity Using a Service Organization.

The AICPA is establishing three reporting options to provide a framework for CPAs to examine controls and to help management understand related risks. The Service Organization Control 1 (SOC 1) report addresses controls relevant to financial statement audits, with guidance provided by SSAE 16. SOC 2 reports on controls related to compliance or operations, with guidance provided by Attestation Standard (AT) Section 101, Attest Engagements. Both SOC 1 and SOC 2 reports are restricted use reports. A SOC 3 report covers the same subject matter as a SOC 2 report but is a general use report.

The AICPA SSAE 16 or ISAE 3402 allows for two types of reports:

Type I: Reports on controls placed in operation

A service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal controls, whether such controls were suitably designed to achieve specified control objectives, and whether they had been placed in operation as of a specific date. These reports may be useful in providing a user auditor with an understanding of the controls necessary to plan the audit, as well as to design effective tests of controls and substantive tests at the user organization. However, they are not intended to provide a basis for reducing assessments of control risk below the maximum.

Type II: Reports on controls placed in operation and tests of operating effectiveness

A service auditor’s report on a service organization’s description of the controls that may be relevant to a user organization’s internal controls, whether such controls were suitably designed to achieve specified control objectives, whether they had been placed in operation as of a specific date, and whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the related control objectives were achieved during the period specified. Such reports may be useful in providing the user auditor with an understanding of the controls necessary to plan the audit and may also provide the user auditor with a basis for reducing his or her assessments of control risk below the maximum.

Some common misconceptions about SSAE 16 reports that the CAE should be aware of include:

1. All SOC reports contain the same control objectives. (Control objectives are defined specifically for the environment being attested.)
2. SOC reports are “forward-looking” documents.
3. Type I vs. Type II reports don’t really make a difference to my audit planning. (Type I only covers control design effectiveness and is point in time. Type II covers control operating effectiveness for an opinion period.)
4. Exceptions are not reported. (Any exceptions to the controls are clearly identified in the test tables, even if they do not rise to the level of a qualified report.)
5. Exceptions have no impact on my audit plan.

5 2011 SSAE16.com, http://ssae16.com/SSAE16_overview.html