ISA 610 (Revised 2013) – Using the Work of Internal Auditors

by

ISA 610 (Revised) DEALS with the external auditor’s responsibilities if USING the work of internal auditors.

International Standard on Auditing
Effective: Dec 15, 2013 / 2014 Revised 2013 · Updated 2022 Issued by IAASB / IFAC
Overview

What Is ISA 610?

ISA 610 (Revised 2013), titled Using the Work of Internal Auditors, is an International Standard on Auditing issued by the International Auditing and Assurance Standards Board (IAASB) under the International Federation of Accountants (IFAC). It governs the responsibilities of the external auditor when an entity has an internal audit function.

The standard recognises that many entities establish internal audit functions as part of their broader internal control, risk management, and governance structures. When this is the case, effective coordination between external and internal auditors can improve both the efficiency and effectiveness of the external audit.

ISA 610 covers two distinct scenarios: (1) using the work product of the internal audit function as audit evidence, and (2) using internal auditors to provide direct assistance under the external auditor’s direction, supervision, and review.

⚖️
Overriding principle The external auditor has sole responsibility for the audit opinion expressed on the financial statements. That responsibility is not diminished by any use made of internal auditors or their work.

Scope and Application

ISA 610 applies where the entity has an internal audit function and the external auditor determines that the function is relevant to the audit. It does not apply where the entity has no internal audit function, in which case no requirements under ISA 610 are triggered.

Activities resembling those of an internal audit function may be performed by other departments or outsourced to third-party service providers, ISA 610 applies equally to those circumstances.

Objectives

Objectives of the External Auditor

Where an entity has an internal audit function, ISA 610 sets out three distinct objectives for the external auditor. These are not sequential, they operate in tandem throughout audit planning and execution.

01

Determine Relevance & Usability

Determine whether the work of the internal audit function or direct assistance from internal auditors can be used, and if so, in which areas and to what extent.

02

Assess Adequacy of Work

Where the decision is made to use the internal audit function’s work, determine whether that work is adequate for the purposes of the external audit.

03

Direct, Supervise & Review

Where internal auditors provide direct assistance, appropriately direct, supervise, and review their work to ensure it meets the external auditor’s standards.

Core Assessment

Evaluating the Internal Audit Function

Before relying on internal audit work, the external auditor must evaluate three interrelated factors. Crucially, these factors form a continuum; strength in one cannot compensate for a deficiency in another.

Low objectivity / competence → Less reliance High objectivity & competence → More reliance

Note: Strong objectivity cannot compensate for insufficient competence, and vice versa. Both must meet an adequate threshold independently.

1. Objectivity

Objectivity concerns the degree to which the internal audit function’s organisational status and policies support internal auditors in performing their work free from bias. Key considerations include:

  • Whether the internal audit function reports to those charged with governance (e.g. the audit committee) rather than to management
  • Whether there are policies prohibiting internal auditors from auditing areas where they have recently worked
  • Absence of conflicts of interest or relationships creating threats to objectivity
⚠️
High-risk signal If the internal audit function reports to management rather than to those charged with governance, this represents a significant threat to objectivity and warrants heightened scrutiny.

2. Competence

Competence relates to whether internal auditors possess the technical skills, professional qualifications, and experience required to perform the planned audit procedures adequately. The external auditor considers:

  • Educational attainment and professional certifications
  • Ongoing professional development and training
  • Experience relevant to the areas of proposed audit work
  • Existence and application of quality control policies

3. Systematic and Disciplined Approach

The function must apply a systematic, disciplined methodology including quality controls over its planning, performance, and documentation for its work to be considered reliable audit evidence.

Assessment Framework

FactorIndicator of StrengthIndicator of WeaknessExternal Auditor Action
Organisational StatusReports to audit committee / boardReports to managementReduce or eliminate reliance on function work
Objectivity PoliciesRotation policies, independence rules in placeNo relevant policies; undisclosed conflictsInquire further; increase direct testing
Technical CompetenceQualified auditors; relevant experience; CPDUnqualified staff; limited experiencePerform more procedures directly
Systematic ApproachDocumented methodology; quality reviewAd-hoc procedures; no documentationCannot use work as audit evidence
Scope & FindingsFindings consistent with external audit evidenceScope limitations; unexplained inconsistenciesInvestigate and verify before reliance
Using Internal Audit Work

Using the Work of the Internal Audit Function

Where the external auditor determines it is appropriate to use the internal audit function’s work, ISA 610 establishes a structured process for doing so. The amount of work the external auditor performs directly will vary inversely with the assessed quality of the internal audit function.

01

Initial Evaluation

Evaluate objectivity, competence, and systematic approach to determine whether, and to what extent, the internal audit function’s work can be used in specific audit areas.

02

Determine Nature and Extent

Identify which audit areas are suitable for reliance and determine the nature, timing, and extent of procedures needed to evaluate whether the internal audit work is adequate. Areas requiring significant judgment by the external auditor are generally unsuitable for reliance.

03

Read Internal Audit Reports

Review internal audit reports on work planned to be used, to understand the procedures performed, findings reached, and whether the work was conducted to an adequate standard.

04

Perform Evaluation Procedures

Carry out procedures to confirm the adequacy of specific internal audit work including making inquiries, observing work performed, reviewing working papers, and testing whether conclusions are appropriate.

05

Reperformance Where Required

Where appropriate, independently re-execute a sample of the internal audit procedures to validate conclusions. The extent of reperformance required increases as the assessed quality of the internal audit function decreases.

💡
Judgment-intensive areas ISA 610 restricts reliance on internal audit work in areas requiring significant judgment by the external auditor such as high-risk assertions, complex accounting estimates, and areas involving elevated risk of material misstatement.
Direct Assistance

Using Internal Auditors for Direct Assistance

ISA 610 (Revised 2013) introduced requirements governing a second and distinct scenario: the external auditor using internal audit personnel to directly perform audit procedures, rather than merely relying on their completed work product.

This is permitted only where it is not prohibited by law or regulation and only under the external auditor’s direction, supervision, and review. The direction, supervision, and review required is more extensive than if members of the external auditor’s own engagement team had performed the work, because internal auditors are not independent of the entity.

Pre-Conditions for Direct Assistance

Before using internal auditors for direct assistance, the external auditor must obtain written agreements from two parties:

🏢

From an Authorised Entity Representative

Written agreement that internal auditors will be permitted to follow the external auditor’s instructions, and that the entity will not intervene in the work assigned to them.

👤

From the Internal Auditors Themselves

Written agreement that internal auditors will keep confidential all specific matters as instructed by the external auditor, and will disclose any threats to their objectivity.

Factors Influencing the Extent of Direct Assistance

The external auditor determines the nature and extent of work assignable to internal auditors based on:

  • The significance of threats to the internal auditor’s objectivity
  • The level of competence of the individual internal auditors to be used
  • The degree of judgment required in the work to be assigned
  • The assessed risk of material misstatement in the areas where assistance is sought
Prohibitions

When Internal Auditors Cannot Be Used

ISA 610 imposes absolute prohibitions on the use of direct assistance in certain circumstances, regardless of the quality of the internal audit function. Additionally, there are grounds for withholding reliance on internal audit work entirely.

🚫

Significant Objectivity Threats

Internal auditors may not provide direct assistance where there are significant threats to their objectivity for example, where they have a financial or personal interest in the areas being audited.

🚫

Insufficient Competence

Direct assistance is prohibited when the specific internal auditor proposed for the task lacks sufficient competence to perform the assigned work to the standard required.

🚫

Significant Audit Judgments

Internal auditors must not be used for procedures involving significant judgments in the audit such as evaluating complex estimates or assessing the adequacy of management’s disclosures.

🚫

High Risk of Material Misstatement

Direct assistance is restricted in areas where the risk of material misstatement is high, as these areas demand closer external auditor involvement and independent assessment.

🚫

Prohibited by Law or Regulation

In some jurisdictions, laws or regulations prohibit the external auditor from using internal auditors to provide direct assistance. ISA 610 defers entirely to such local requirements.

🚫

Function Quality Too Low

Where aggregate weaknesses in objectivity, competence, and systematic approach are too significant, the external auditor must conclude that no reliance is appropriate on any of the function’s work.

Documentation

Documentation Requirements

ISA 610 requires the external auditor to document conclusions reached regarding the use of internal audit work. The documentation requirements cover both the overall evaluation of the function and the specific procedures performed on any work used.

RequirementWhat to DocumentApplies To
Evaluation of the functionAssessment of objectivity, competence, and systematic approach; overall conclusion on whether and to what extent work can be usedAll engagements where internal audit function exists
Specific work usedNature, timing, and extent of procedures performed to evaluate adequacy of work; conclusions reachedWhenever work of the function is used as audit evidence
Direct assistanceWritten agreements obtained; nature of work assigned; direction and review procedures; conclusions on adequacyWhenever internal auditors provide direct assistance
RestrictionsBasis for any limitation on the use of internal audit work, including where prohibited by law or regulationAs applicable
📁
Working paper integration Documentation under ISA 610 is part of the overall audit file and subject to the retention and assembly requirements of ISQC 1 and ISA 230. Internal audit reports and working papers reviewed by the external auditor should be referenced or cross-indexed appropriately.
FAQ

Frequently Asked Questions on ISA 610

Using the work of the function means the external auditor relies on completed internal audit reports and working papers as evidence, the internal auditors have already finished their work independently. Direct assistance means the external auditor uses internal audit personnel to actively carry out audit procedures during the external audit, under the external auditor’s direction, supervision, and review.
No. ISA 610 is explicit: the external auditor retains sole responsibility for the audit opinion. Using internal auditors whether their work or their direct assistance does not transfer or diminish any of that responsibility. The external auditor must apply professional judgment throughout and cannot “outsource” their accountability.
Reporting to management is considered a significant threat to objectivity. This does not automatically mean the external auditor cannot use any of the function’s work, but it increases the burden of evaluation significantly. In such cases, the external auditor would need to perform substantially more direct procedures and exercise greater skepticism about the reliability of internal audit conclusions.
No. ISA 610 is explicit that competence and objectivity are independent requirements and cannot substitute for each other. A highly competent internal audit team with low objectivity cannot be relied upon, and an objective but under-skilled team similarly cannot meet the standard. Both must independently meet an adequate threshold.
Yes. ISA 610 states that the activities of an internal audit function may be outsourced to third-party service providers. In those circumstances, the same evaluation requirements apply; the external auditor must still assess objectivity, competence, and systematic approach of the outsourced function before relying on its work or using its personnel for direct assistance.
Two written agreements are mandatory. First, from an authorised entity representative: confirming that internal auditors will follow the external auditor’s instructions without entity interference. Second, from the internal auditors themselves: confirming they will maintain the confidentiality of specific matters as directed and will disclose any threats to their objectivity.