Using the Work of Internal Audit for SOC Engagements

In September, the Auditing Standards Board (ASB) issued a proposed Statement on Standards for Attestation Engagements (SSAE) that would clarify the criteria for using internal auditors in a service auditor’s engagement. The SSAE would apply to examination engagements undertaken by a service auditor to report on controls at organizations that provide services to user entities when those controls are likely to be relevant to user entities’ internal control over financial reporting, i.e., Service Organization Control (SOC) reports.

Reporting on an Examination of Controls at a Service Organization Relevant to User Entities’ Internal Control over Financial Reporting: Clarification and Recodification would replace and supersede existing AT Section 801, originally issued in April 2010 as Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization. While the effective date of the proposal has not been determined, it is anticipated the proposal will take effect no earlier than for reports for periods ending on or after December 15, 2016.

Scope

Revisions included in the exposure draft (ED) are broad and cover many areas, including the introduction and definition of new terms, the service auditor’s risk assessment requirements and clarifications, application guidance, illustrative paragraphs and reports and requirements of the service auditor regarding management’s assertion, among others. This paper focuses on clarifications related to using the work of internal auditors in a service auditor’s engagement.

Background

Reason for Clarified Attestation Standard

Alignment with SAS 128 for Financial Statement Audits

The proposed SSAE follows Statement of Auditing Standard (SAS) 128, Using the Work of Internal Auditors, issued by the Financial Accounting Standards Board (FASB) in February 2014, effective for audits of financial statements for periods ending on or after December 15, 2014. SAS No. 128 supersedes SAS No. 65, The Auditor’s Consideration of the Internal Audit Function in an Audit of Financial Statements. SAS No. 128 represents the last of the ASB’s project to rewrite its auditing technical literature in a clarified format, i.e., the clarity project, and the ASB currently is clarifying its standards for attestation engagements.

Alignment with SSAE Initiatives

SSAEs, or attestation standards, establish requirements and application guidance for examining, reviewing and applying agreed-upon procedures to subject matter other than historical financial statements, such as SOC reports. The ASB has proposed revision to Attestation Standards (AT) Section 801 for various reasons. The proposal conforms to the most recent version of the revised ED, Attestation Standards: Clarification and Recodification* presented at the July 2014 ASB meeting. A practitioner performing services under the proposed SSAE would be required to understand all standards for attestation engagements, including proposed Chapters 1 and 2. In addition, the proposed SSAE is aligned with certain application guidance included in the May 1, 2013, edition of the AICPA guide Service Organizations: Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting and addresses certain issues confronted in practice.

*The Auditing Standards Board (ASB) is currently revising the July 2013 ED, “Attestation Standards: Clarification and Recodification.” Chapters 1 and 2 referenced above are included in this ED.

Internal Audit Clarifications

Definition of Internal Audit Function

The ASB references Chapter 1, “Concepts Common to All Attestation Engagements,” of the July 24, 2013, ED for the definition of internal audit (IA) function. The 2013 ED defines the IA function as “a function of an entity that performs assurance and consulting activities designed to evaluate and improve the effectiveness of the entity’s governance, risk management, and internal control processes.” This is a change from the existing Section AT 801, which more broadly defined the IA function as “the service organization’s internal auditors and others, for example, members of a compliance or risk department, who perform activities similar to those performed by internal auditors.”

Understanding the IA Function

If the service organization has an IA function, the service auditor should understand this function as part of its risk assessment procedures. This includes understanding the nature of the responsibilities and how the IA function fits in the service organization’s organizational structure, as well as the activities performed or to be performed by the IA function as it relates to the service organization.

Using the Work of the IA Function

The ASB references Chapter 2, “Examination Engagements,” of the July 24, 2013, ED several times in this guidance. The service auditor is not required to use the IA function and will determine whether the IA function will be used based on its understanding of the IA function, which may change during the engagement. If the service auditor evaluates the IA function as appropriate for the engagement, he or she may choose to use the work of the service organization’s IA function in two ways: to obtain audit evidence and to provide direct assistance under the direction, supervision and review of the external auditor.

When the service auditor intends to use the work of the IA function, he or she should first determine whether the work of the IA function is likely to be adequate for purposes of the engagement. The service auditor should evaluate the objectivity and technical competence of the members of the internal audit function by performing the following three procedures:

1. Evaluating the extent to which the IA function’s organizational status and relevant policies and procedures support objectivity of the internal auditors
2. Evaluating the level of competence of the IA function
3. Evaluating the application by the IA function of a systematic and disciplined approach, including quality control

For example, the service organization auditor evaluates the internal audit function’s work against Criterion No. 3 above to provide assurance the IA function’s approach includes planning, performing, supervising, reviewing and documenting its activities—similar to the service organization auditor’s requirements. This also helps ensure the service organization auditor is using only the work of the IA function, rather than some other monitoring control activities performed within the service organization. Refer to BKD’s in-depth paper, “Using Internal Auditors’ Work Requires Extra Steps,” applicable to SAS 128, for additional guidance.

In order for the service auditor to use specific work of the IA function, the service auditor should evaluate and perform sufficient procedures, including reperformance, on that work to evaluate whether such work is adequate for the service auditor’s purpose.

Using the Work of the IA Function for Direct Assistance

When using internal auditors to provide direct assistance, the proposed SSAE requires the service organization auditor to direct, supervise and review the work of the internal auditors.

Conclusion

As a practical note, a service organization looking to have its service organization auditors use the work of its internal audit function should understand the guidance sooner rather than later. The internal audit department will want to consider the effects, if any, of the changes required by the 2013 Updated COSO Framework. The nature, extent and timing of the service auditor’s evaluation of the IA function will vary by entity based on the IA function’s size and complexity and the service auditor’s intended use. Under the proposed guidance, the service organization auditor will not use the work of the IA function if it determines the function lacks sufficient competence, the function’s objectivity is not adequately supported by the organization or the function does not apply a systematic and disciplined approach, including quality control.

For more information, contact your local BKD advisor.

Related Information

Using Internal Auditors’ Work Requires Extra Steps
COSO’s Internal Control Framework: In Depth

Contributor

Connie Spinelli
Director
303.861.4545
cspinelli@bkd.com