Understanding SA610: Using the Work of Internal Auditors

I. Introduction to SA610

In the intricate landscape of financial auditing, the relationship between external and internal auditors is pivotal for audit efficiency and effectiveness. This is where International Standard on Auditing (ISA) 610 (Revised 2013), "Using the Work of Internal Auditors," comes into play. Known in some jurisdictions by specific codes such as SA610 (the designation often used in standards derived from ISAs), this standard provides a comprehensive framework for external auditors to determine if, to what extent, and how they can use the work of an entity's internal audit function. The standard is crucial in contexts where robust internal audit functions exist, such as in many listed companies and financial institutions in Hong Kong. The objective of the external auditor, as enshrined in SA610, is not to delegate audit responsibility but to use the work of internal auditors to modify the nature, timing, or extent of the external auditor's own procedures. This requires a rigorous evaluation process. For instance, when auditing a complex Hong Kong-based manufacturing firm that utilizes specialized inventory management systems, the external auditor might consider the work of internal auditors who have conducted detailed quarterly reviews of the YPM106E YT204001-FN component stock, provided certain criteria are met. Understanding SA610 is fundamental for external auditors aiming to conduct audits that are both thorough and resource-efficient, without compromising on the quality and independence required by professional standards.

II. Evaluating the Internal Audit Function

Before an external auditor can contemplate using specific work performed by internal auditors, a foundational assessment of the internal audit function itself is mandated by SA610. This evaluation is not a mere formality but a deep, evidence-based analysis focusing on three core attributes: objectivity, technical competence, and a systematic approach. Assessing objectivity involves examining the organizational status of the internal audit function. Does it report to the audit committee or board, insulating it from management influence? Are internal auditors free from conflicts of interest? In Hong Kong, the HKICPA's guidelines emphasize that internal audit functions reporting directly to a strong, independent audit committee, as seen in major Hang Seng Index constituents, typically score high on objectivity. Technical competence is evaluated through the qualifications, experience, and ongoing professional development of the internal audit team. For example, an internal auditor specializing in IT controls for a bank should hold relevant certifications like CISA. The third pillar, a systematic and disciplined approach, encompasses risk-based planning, proper documentation, supervision, and quality assurance. The external auditor reviews internal audit manuals, working papers, and reports. A function that employs a structured methodology, perhaps aligned with the International Professional Practices Framework (IPPF) from The Institute of Internal Auditors, demonstrates this approach. This tripartite assessment is continuous, not a one-time event. If any of these elements are deemed lacking, the external auditor's ability to use the function's work becomes severely restricted or impossible. This rigorous gatekeeping ensures that reliance is placed only on work of sufficient quality to inform the external audit opinion.

III. Using the Work of Internal Auditors

Once the internal audit function as a whole is judged to be competent and objective, SA610 guides the external auditor in making precise decisions about using specific work. This process is highly nuanced. Determining the extent of use involves considering the risk of material misstatement. Work related to areas of significant risk, such as complex fair value estimations or high-risk IT systems, generally requires more direct involvement by the external auditor. Conversely, work related to routine operational controls over fixed asset additions might be suitable for greater reliance. The external auditor must also evaluate the adequacy of the specific work performed. This includes reviewing the scope, objectives, and conclusions of the internal audit work, the sufficiency of evidence obtained, and the reasonableness of findings. For instance, if internal auditors tested controls over the procurement cycle, the external auditor would examine their sampling methodology, test results, and how exceptions were followed up. Finally, SA610 requires appropriate direction, supervision, and review by the external auditor. Even when using internal audit work, the external auditor must be actively involved. This may involve discussing the audit plan with internal auditors, reviewing their working papers in detail, and reperforming some of their procedures. The nature, timing, and extent of this oversight are dictated by the assessed risk. In a Hong Kong context, where regulatory scrutiny is high, external auditors often document this process meticulously, sometimes referencing their firm's specific audit methodologies like PM632, which may provide detailed guidance on coordinating with internal audit functions for financial institutions.

IV. Reporting

The communication of the external auditor's use of the internal audit function is a critical component of transparency and governance. SA610 does not require a separate statement or a specific paragraph in the auditor's report solely for disclosing this reliance. However, the standard mandates that if the external auditor uses the work of the internal audit function to provide audit evidence, this fact must be documented in the audit working papers. More importantly, the implications of this use are inherently reflected in the overall audit approach and the support for the audit opinion. In practice, the external auditor's report itself does not typically state, "We relied on the internal audit work." The responsibility for the audit opinion remains solely with the external auditor. Nevertheless, effective communication with those charged with governance, such as the audit committee, is essential. The external auditor should discuss the planned use of internal audit work, the results of the evaluation of the function, and the extent of reliance placed. This is often detailed in the audit plan and findings presented to the audit committee. In Hong Kong, under the Corporate Governance Code, such dialogues are a key expectation. Clear reporting ensures that the audit committee understands the scope of both internal and external audit work and the rationale behind the external auditor's strategy, thereby strengthening the overall assurance framework.

V. Case Studies and Examples

Applying SA610 in real-world scenarios illuminates its practical value and challenges. Consider a large retail conglomerate in Hong Kong with extensive point-of-sale (POS) systems across hundreds of stores. The internal audit function, which is well-staffed and reports to the audit committee, performs annual IT general control reviews, including testing of the YPM106E YT204001-FN payment gateway interface. The external auditor, planning the financial statement audit, evaluates the function as objective and competent. Given the materiality of sales transactions, the external auditor decides to use this work. They review the internal audit's scope, sample selections, and test results. Satisfied, they reduce their own substantive testing on revenue recognition related to POS transactions but perform their own tests on the overall IT environment control effectiveness. Another example involves a fund management company. The internal auditors have a dedicated team reviewing valuation models for complex financial instruments. The external auditor, while assessing the function as technically strong, determines that due to the high inherent risk and subjectivity in valuations, they cannot rely on this specific work for their audit evidence on fair value Level 3 investments. They perform their own independent valuation analysis. Common challenges include management pressuring internal auditors to limit scope, or turnover within the internal audit team affecting consistency. Overcoming these requires open communication with the audit committee and a conservative, risk-based approach by the external auditor, potentially guided by internal firm protocols like PM632 for assessing specialist work.

VI. Conclusion

The effective implementation of SA610 represents a sophisticated balancing act in modern auditing. The key takeaway is that the standard provides a structured pathway for collaboration, not a shortcut. It enables external auditors to leverage the deep, continuous access of internal auditors to enhance audit coverage and focus on areas of highest risk, potentially leading to more efficient audits. However, this reliance is never unconditional or blind. It is predicated on a rigorous, ongoing evaluation of the internal audit function's foundational qualities and the specific work planned for use. The ultimate responsibility for the audit opinion remains unambiguously with the external auditor. For audit professionals in Hong Kong's dynamic and regulated market, a thorough understanding and correct application of SA610 is indispensable. It ensures that audits are conducted with due professional skepticism while making intelligent use of all available assurance resources. This not only upholds the quality of the audit but also strengthens the entity's overall control environment and governance, providing greater confidence to investors, regulators, and the public in the integrity of financial reporting.