Factors to Consider Before Relying on Internal Auditors’ Work – A Complete Guide

While internal auditors play a key role in evaluating controls, over-reliance on their work can undermine objectivity. With rising regulatory expectations and financial risks, determining when and how much to rely on internal audit requires careful judgment.

The key is striking the right balance between leveraging capable internal resources and maintaining skepticism regarding their conclusions. Understanding limitations around competence, objectivity, and work scope provides a clear framework for relying on internal auditors judiciously.

Here I will help you explore prerequisites and precautions around relying on internal auditors. It equips readers with an objective lens for determining appropriate, customized reliance levels based on rigorous evaluation of internal audit capabilities and deliverables. Read on to make informed, risk-based reliance decisions that withstand scrutiny.

Factors to Consider Before Relying on Internal Auditors' Work
Internal Auditors’ Work

Prerequisites for Relying on Internal Audit Work

Relying on internal audit work begins with verifying that fundamental requirements are in place. Unless these prerequisites are met, external stakeholders cannot place reasonable reliance on internal audit conclusions.

1. Established Internal Audit Function with Adequate Competence and Objectivity

The starting point is ensuring the organization has an independent internal audit function staffed with competent, objective professionals. Key indicators include:

  • Formal internal audit charter sanctioned by the Audit Committee delineating purpose, authority, and responsibilities. This charter should be aligned with Institute of Internal Auditors (IIA) standards.
  • Organizational independence with a direct reporting line to the Audit Committee, enabling impartial reviews and unfettered reporting.
  • Adequate size and structure commensurate with the organization’s complexity. The function should have sufficient bandwidth for on-demand requests.
  • Knowledgeable internal auditors with certifications (e.g. CIA), degrees in relevant fields, industry experience, and institutional knowledge. The mix of backgrounds provides a multidimensional perspective.
  • Annual confirmation of internal auditor objectivity, covering aspects like conflicts of interest, rotation policies, incentives linked to audit outcomes, etc.
  • Ongoing training to stay updated on regulations, risks, controls, and assurance practices.

Without these fundamentals, internal audit work cannot be considered reliable enough for external reliance.

2. Audit Committee Oversight of Internal Audit

The Audit Committee must actively oversee internal audits to ensure it retains competence, objectivity, and sufficient authority to fulfill its mandate. Specific oversight activities include:

  • Reviewing internal audit’s charter, resources, budget and staffing
  • Approving annual risk-based audit plan
  • Monitoring delivery and retention of qualified audit professionals
  • Tracking auditor independence measures and rotation
  • Evaluating Internal Audit Leadership
  • Reviewing key audit results and remediation status of issues
  • Meeting separately with the Chief Audit Executive

Visible involvement and scrutiny from the Audit Committee provides assurance that internal audit adherence to IIA standards is sustained.

3. Conformance to Professional Internal Auditing Standards

Internal audit’s processes, deliverables, and operations must fully comply with IIA standards and guidelines. This conformance should be validated periodically via:

  • External Quality Assessment (EQA) is conducted by qualified, independent reviewers at least once every 5 years.
  • Ongoing internal assessments against evolving IIA standards and best practices.
  • Certification that audit manual, testing methodologies, work programs, documentation formats, etc. adhere to IIA practices.

Confirming alignment with professional standards provides confidence in the rigor of internal audit work.

4. Well-documented internal Audit Work Programs and Results

A structured audit process with evidence of planning, execution, supervision, and reporting provides credibility. Key aspects include:

  • Audit programs describing the scope, timing, resource allocation, sampling, methodology, documentation requirements, etc.
  • Documented risk and control assessments highlighting deficiencies, root causes, and financial impacts.
  • Clear audit testing results linked to specific controls and risks, with adequate samples.
  • Formal work papers evidencing planning, execution, supervision, conclusions, and quality control for each audit.
  • Audit reports detailing ratings, issues, recommendations, management responses and corrective action plans. Distribution to senior leadership demonstrates authority.

With this audit trail, external stakeholders can better judge the rigor of procedures performed and the validity of internal audit opinions.

5. No Material Unresolved Internal Audit Issues

Unremediated deficiencies, especially in key controls, diminish the reliability of that area’s audit work. Pending issues indicate potential control gaps that internal audit may not have fully identified.

Prior to relying on internal audit, external parties should ensure:

  • No high-rated outstanding observations related to the area of intended reliance.
  • Progress per remediation timelines for other unresolved observations.
  • No major internal audit findings in audits of the relevant function over the past 2-3 years.

Essentially, the area being evaluated should have a generally clean track record, signaling stability. Unaddressed concerns raise uncertainty.

With these fundamentals verified, the stage is set for calibrated reliance on specific internal audit work. However, the prerequisites alone are insufficient – appropriate reliance levels still require rigorous validation of competence, objectivity, and work scope on each engagement.

Key Factors to Consider When Evaluating Reliance on a Specific Internal Audit

Once satisfied that the fundamentals are sound, external parties must critically examine three central factors on every audit they intend to rely upon.

Assess Competence and Objectivity of Assigned Internal Auditors

Who exactly performed the work? Their skills and mindset determine the reliability of results. Consider:

  • Experience conducting similar audits: Number of years spent in related roles and types of past engagements completed.
  • Relevant certifications and qualifications: Appropriate knowledge background, such as CIA for controls testing.
  • Depth of business and process knowledge: Familiarity with operations, key risks, and nuances.
  • Specialization fits the work: Aligned area of expertise, like IT audits done by tech-skilled staff.
  • No conflicts of interest or bias: Objectively evaluate activities without undue influence. Rotates periodically off areas.
  • Track record and reputation: Consistency, quality, and mindset on past engagements.
  • Oversight and mentoring: Work guided and reviewed by senior auditors.

Gauging team competency and objectivity prevents blind reliance. For unfamiliar auditors, request bios or credential details.

Scrutinize Scope and Methodology of Performed Audit Work

Exactly what work was done? Were coverage and diligence sufficient to support conclusions? Ask:

  • Is the scope relevant to our requirements? Assess the nature, timing, and extent of procedures versus relied-upon aspects.
  • Were both design and effectiveness tested? Only testing actual operations provides full insights.
  • Did sampling cover adequate transaction populations? High-risk subsets should be oversampled for anomalies.
  • Was the evidence substantive and persuasive? Key assumptions challenged and externally corroborated where possible.
  • Were appropriate tools and techniques applied? e.g. data analytics for entire populations rather than just sampling.
  • Was work performed by competent auditors themselves? Avoid undue delegation of key steps like testing and interviews.
  • Were deficiencies noted aligned with risks? Assess if impacts reflect true exposures.

Gaining comfort with rigor and coverage prevents over-reliance. Request details of programs and actual testing data where needed.

Evaluate Credibility of Audit Results and Reporting

Do the conclusions flow from the work performed? Assess:

  • The soundness of audit ratings: Alignment of deficiencies, impacts, root causes, and remediation needs to ratings.
  • The persuasiveness of conclusions: Correlation to steps executed and results gathered.
  • Clear actionable recommendations: Specificity of suggested remediation for each finding.
  • Completeness of reporting: Evidence of objectivity – nothing unduly downplayed or omitted.
  • Reasonableness of management responses: Viability of proposed corrective actions and timelines.
  • Forthrightness on limitations: Any constraints or restrictions on scope disclosed.

Analyze the output to judge alignment with findings and avoid taking conclusions at face value.

Tips to Balance Reliance and Professional Skepticism

While the above factors facilitate reliance decisions, it is equally crucial to maintain professional skepticism. Over-reliance can undermine objectivity. Key principles include:

  • Link Reliance to Assessed Risk and Materiality: The lower the risk exposure, the more reliance can be placed on improving efficiency. Conversely, where risk is high, optimize direct testing.
  • Specify Reliance and Perform Confirmatory Work: Clearly document what aspects of internal audit work will be relied upon. Then perform targeted verification procedures in those areas.
  • Recalibrate Levels Regularly Based on Performance: Track the quality of internal audit input over time. Enhance or optimize reliance levels accordingly.
  • Discuss Concerns Transparently with Internal Auditors: Provide open feedback to address reliance limitations in certain areas or auditors.
  • Maintain Own Testing of Critical Controls and Risks: Certain key activities may warrant direct examination regardless of internal audit coverage.

With the right balance between smart leverage and professional skepticism, stakeholders can optimize value from internal audit functions.


Relying on internal audit needs a risk-based approach factoring in competence, scope, and results. Verify fundamentals are sound regarding standards, oversight, resources, and quality. Rigorously scrutinize each planned area of reliance on dimensions like skills, techniques, reporting, and limitations. Maintain constructive dialogue and confirmatory procedures rather than blind trust. Link reliance levels to evolving risks.

With the guidelines provided throughout this comprehensive guide, you now have a robust framework for making informed, customized reliance decisions. Optimizing internal audit requires work, but pays dividends across assurance, compliance, and operational effectiveness. The insights you gain will help target your own scope on key risks and collaborate effectively with internal audits. Thanks for reading and good luck as you put these factors into practice! Please leave any other questions in the comments section below.

Frequently Asked Questions

What are some best practices for reliance on internal audit?

Some key best practices include:

  • Clearly define areas of reliance upfront through discussions with internal audit.
  • Assess the competence and objectivity of assigned auditors.
  • Review audit programs to validate scope and methodology suitability.
  • Examine work papers and testing data to confirm execution rigor.
  • Corroborate internal audit conclusions through targeted independent testing.
  • Provide open feedback to internal audit throughout on reliability of work.

When is it appropriate to rely completely on internal audit work?

It is generally not advisable to rely completely on internal audit work without any independent validation. Some confirmatory checking by external parties is always prudent. Full reliance may be acceptable in limited cases for very low-risk, non-critical areas where competent auditors performed extensive testing using sound methodology. However, some minimal verification is still recommended.

What should you do if internal audit work has deficiencies?

If deficits are noted in internal audit work, provide candid feedback directly to the chief audit executive highlighting gaps in competence, scope, or reporting. Recommend additional training or mentoring for assigned auditors if needed. Seek improvement commitments before relying further on such auditors. Supplement with direct testing around affected areas. Adjust future reliance levels based on remediation progress.

How can external auditors rely on internal audit work?

External auditors can rely on specific aspects of internal audit work provided they thoroughly assess competence, scope, and results as outlined in this article. They should directly test and corroborate key high-risk controls and validate sample transactions. Documentation should specify what aspects are relied upon and why. Progressively adapt reliance based on quality feedback shared with internal audit.

What is the external auditor’s responsibility when relying on an internal audit?

The external auditor retains full responsibility for any aspects relied upon from internal audit work. They must justify and document the adequacy of competence and scope as the basis for reliance. Some corroborative testing is required, with higher levels for higher-risk areas. Results should be rigorously evaluated before taking reliance. Any deficiencies noted should lead to reduced reliance and supplemental testing.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top