Using the Work of Others
Auditors do not operate in isolation. Modern audits frequently rely on the work of internal auditors, specialists, component auditors, and IT auditors to address the complexity and breadth of today's business environment. However, the external auditor must carefully evaluate the competence, objectivity, and reliability of anyone whose work is used—because the ultimate responsibility for the audit opinion can never be shared or delegated.
This section covers how auditors use internal auditors (including direct assistance), how they rely on the work of specialists, the role of component auditors in group audits, IT auditors as engagement team members, and the critical principle of what the external auditor cannot share responsibility for.
The use of others' work is addressed in multiple standards: AU-C 610 (using internal auditors), AU-C 620 (using specialists), and AU-C 600 (group audits/component auditors) under AICPA standards. PCAOB equivalents include AS 2605 and AS 1205.
Using Internal Auditors
Internal auditors are employees (or outsourced professionals) who perform assurance and consulting activities within an organization. Their work can be a valuable resource for the external auditor—but it comes with important limitations.
Two Ways to Use Internal Auditors
The external auditor can use internal auditors' work in two distinct ways:
| Approach | Description | Key Consideration |
|---|---|---|
| Using the work of internal auditors | The external auditor considers and evaluates work already performed by the internal audit function | The external auditor assesses whether the internal auditors' work is adequate for the external auditor's purposes |
| Using internal auditors for direct assistance | Internal auditors perform audit procedures under the direction, supervision, and review of the external auditor | The external auditor treats these individuals as extensions of the engagement team (with limitations) |
Assessing Competence and Objectivity
Before relying on the work of internal auditors—whether performed independently or as direct assistance—the external auditor must evaluate the internal auditors' competence and objectivity.
Competence Factors
- Educational qualifications and professional certifications (e.g., CIA designation)
- Relevant experience and technical training
- Quality of work documentation and adherence to professional standards
- Adequacy of audit programs, workpapers, and conclusions
Objectivity Factors
- Organizational status — Does the internal audit function report to an appropriate level within the organization (ideally to the audit committee or board)?
- Freedom from conflicting responsibilities — Are internal auditors required to perform operational or management functions that could impair their objectivity?
- Independence from the activities they audit — Do internal auditors audit areas for which they have previously had operational responsibility?
- Policies and procedures supporting objectivity — Does the entity have policies promoting internal auditor independence?
Example: Gies Co.'s internal audit department reports directly to the audit committee and is led by a Certified Internal Auditor (CIA) with fifteen years of experience. Internal auditors do not perform any operational duties. The external auditor evaluates these factors positively and determines that the internal audit function has both competence and objectivity sufficient to rely on their work.
Even when the internal audit function has strong competence and objectivity, the external auditor must always re-perform or independently test areas involving significant judgments, significant risks, or matters requiring extensive professional judgment. Internal auditor work can supplement—but not replace—the external auditor's own procedures in these areas.
Direct Assistance: Special Requirements
When internal auditors provide direct assistance (performing procedures under the external auditor's direction), additional requirements apply:
- The external auditor must direct, supervise, and review the internal auditors' work, just as they would for any engagement team member
- The external auditor must evaluate threats to objectivity specific to the direct assistance arrangement
- Internal auditors providing direct assistance must follow the external auditor's instructions and the firm's quality control policies
- The external auditor must obtain written acknowledgment from the internal auditors that they will keep the audit matters confidential
PCAOB restriction: Under PCAOB standards (for issuer audits), external auditors are prohibited from using internal auditors to provide direct assistance. The PCAOB takes a stricter position because internal auditors are employees of the entity and cannot meet the independence requirements for public company audits. Direct assistance is permitted only under AICPA standards for nonissuer engagements.
Using the Work of a Specialist
A specialist (also called an "auditor's specialist" or "management's specialist") is an individual or organization possessing expertise in a field other than accounting or auditing. Auditors engage specialists when the audit requires knowledge beyond the engagement team's competence.
Common Areas Requiring Specialists
| Specialist Type | Engagement Example |
|---|---|
| Valuation expert | Fair value of complex financial instruments, real estate, or business combinations |
| Actuary | Pension obligations, insurance reserves |
| Engineer | Useful lives of assets, environmental remediation estimates |
| Legal counsel | Litigation contingencies, regulatory compliance |
| Geologist | Mineral or petroleum reserves |
| IT security expert | Cybersecurity controls, data integrity |
Evaluating the Specialist
Before relying on a specialist's work, the external auditor must evaluate:
- Competence — Does the specialist have the necessary credentials, experience, and reputation?
- Capabilities — Can the specialist perform the work required for the specific engagement?
- Objectivity — Is the specialist free from bias or conflicts of interest with the entity?
Example: BIF Partners is auditing Kingfisher Industries, which holds significant real estate investments. The engagement team lacks expertise in commercial real estate valuation, so BIF Partners engages an independent appraiser to determine the fair value of the properties. The auditor evaluates the appraiser's credentials (MAI designation), reviews their methodology, and considers whether the appraiser has any financial relationship with Kingfisher Industries that could impair objectivity.
Management's Specialist vs. Auditor's Specialist
| Feature | Management's Specialist | Auditor's Specialist |
|---|---|---|
| Engaged by | Management (the entity) | The auditor or the audit firm |
| Relationship | Works for or on behalf of the entity | Works for or on behalf of the auditor |
| Auditor's evaluation | Must evaluate competence, capabilities, and objectivity; also evaluate appropriateness of the specialist's work as audit evidence | Must evaluate competence, capabilities, and objectivity |
| Reference in audit report | Generally not referenced in an unmodified opinion | Generally not referenced in an unmodified opinion |
The auditor does not mention the specialist in the audit report when issuing an unmodified opinion—doing so might be misunderstood as a qualification of the opinion or a division of responsibility. The specialist may be referenced only in a modified opinion to explain the basis for the modification.
Component Auditors in Group Audits
A group audit occurs when the financial statements include the financial information of more than one component (e.g., subsidiaries, divisions, or branches). When different auditors are responsible for different components, the auditor of the group financial statements (the group engagement partner) must coordinate with the component auditors.
Role of the Group Engagement Partner
The group engagement partner is responsible for:
- Overall direction, supervision, and performance of the group audit
- Determining the type of work to be performed on each component (full audit, specified procedures, or analytical procedures)
- Evaluating the component auditor's competence, independence, and compliance with ethical requirements
- Communicating with component auditors about the scope of work, significant risks, and reporting requirements
- Evaluating the component auditor's work and conclusions
Evaluating the Component Auditor
Before involving a component auditor, the group engagement partner must assess:
- Professional competence — Is the component auditor qualified and experienced?
- Independence — Does the component auditor meet all applicable independence requirements?
- Regulatory environment — Does the component auditor operate in a jurisdiction with adequate professional oversight?
- Resources — Does the component auditor have the capacity to perform the required work?
Example: Illini Entertainment has a foreign subsidiary, MAS Inc., that operates in a different country. The group engagement partner determines that a component auditor in that jurisdiction should perform audit procedures on MAS Inc.'s financial information. The group engagement partner evaluates the component auditor's firm—reviewing their regulatory standing, independence, and experience with entertainment industry clients—before providing instructions on the scope of work and the group's materiality thresholds.
The group engagement partner must be involved in the component auditor's work at a level sufficient to obtain adequate audit evidence. The group engagement partner cannot simply accept the component auditor's report without evaluation—this would be an abdication of responsibility.
IT Auditors as Engagement Team Members
IT auditors (also called IT specialists or IT audit professionals) are individuals with specialized knowledge of information technology who assist the engagement team in understanding and evaluating IT-related controls.
When IT Auditors Are Needed
IT auditors are typically involved when:
- The entity has complex IT systems that process significant financial transactions
- The auditor needs to evaluate general IT controls (access controls, change management, computer operations, program development)
- The engagement involves testing automated application controls (e.g., automated three-way matching, system-generated calculations)
- There are concerns about data integrity, cybersecurity, or IT governance
Role on the Engagement Team
Unlike external specialists, IT auditors who are part of the engagement team or the audit firm are treated as members of the engagement team. This means:
- Their work is subject to the same supervision and review requirements as other team members
- They must comply with the firm's independence and quality management requirements
- The engagement partner is responsible for directing and overseeing their work
Example: Illini Security processes millions of security monitoring transactions through an automated billing system. The engagement team includes an IT auditor from the firm who evaluates the general IT controls over the billing system—testing logical access controls, change management procedures, and automated calculations—to determine whether the engagement team can rely on system-generated reports as audit evidence.
What the External Auditor Cannot Share Responsibility For
One of the most fundamental principles in auditing is that the external auditor bears sole responsibility for the audit opinion expressed. This responsibility cannot be reduced, shared, or delegated—regardless of how much the auditor relies on the work of others.
Key Principles
| Principle | Explanation |
|---|---|
| Sole responsibility for the opinion | The external auditor's report is the auditor's alone. The auditor cannot divide or share responsibility for the opinion with internal auditors, specialists, or component auditors |
| No reduction of responsibility | Using the work of internal auditors, specialists, or others does not reduce the external auditor's responsibility in any way |
| Reference to others in the report | Under AICPA standards, the group engagement partner may make reference to a component auditor in the audit report (dividing responsibility), but this is an exception specific to group audits. Under PCAOB standards, the auditor generally may not divide responsibility |
| Supervision obligation | The external auditor must supervise and review the work of anyone whose work is used, ensuring it meets the auditor's standards |
| Professional judgment | All significant judgments and conclusions must ultimately be evaluated and approved by the external auditor |
A common exam trap: the fact that the auditor used a specialist, internal auditor, or component auditor does not allow the auditor to disclaim responsibility. If the auditor references a specialist in an unmodified opinion, this is generally inappropriate. The auditor is always responsible for the audit opinion.
Example: BIF Partners engages a valuation specialist to assist with auditing the fair value of MSA Records' catalog of music rights. Even though the specialist performs the valuation analysis, BIF Partners remains solely responsible for the audit opinion on MSA Records' financial statements. If the valuation is materially wrong and the financial statements are misstated as a result, BIF Partners cannot shift blame to the specialist.
Summary
| Topic | Key Takeaway |
|---|---|
| Internal auditors | External auditor must assess competence and objectivity; can use their work or (for nonissuers only) use them for direct assistance |
| Direct assistance | External auditor directs, supervises, and reviews internal auditors' work; prohibited under PCAOB standards |
| Specialists | Used for expertise outside accounting/auditing; auditor evaluates competence, capabilities, and objectivity |
| Component auditors | Group engagement partner evaluates and supervises their work; responsible for overall group audit |
| IT auditors | Members of the engagement team; subject to same supervision and quality requirements |
| Sole responsibility | External auditor's responsibility for the opinion is never reduced by using others' work |