How external auditors evaluate internal audit work, specialists, and service organization evidence without giving up audit responsibility.
Auditors often use work performed by internal auditors, specialists, service auditors, and other parties. That work can improve audit quality and efficiency, but it does not transfer responsibility for the audit opinion. The external auditor must decide whether the work is relevant, reliable, and sufficient for the planned audit response.
The AUD exam usually tests this topic through responsibility traps. A qualified specialist, a strong internal audit department, or a SOC 1 report can support audit evidence, but the external auditor still evaluates the work, resolves gaps, and performs additional procedures when needed.
flowchart TD
A["Work of others may be useful"] --> B{"Relevant to audit objective?"}
B -- "No" --> C["Do not rely for this objective"]
B -- "Yes" --> D["Evaluate competence and objectivity"]
D --> E["Understand scope, methods, and evidence"]
E --> F{"Sufficient and appropriate?"}
F -- "Yes" --> G["Use with documented evaluation"]
F -- "No" --> H["Perform additional audit procedures"]
Internal auditors may test controls, review compliance, evaluate operational processes, investigate issues, or monitor risk management. Their work can be useful when it overlaps with the external auditor’s audit objectives.
Before using internal audit work, the external auditor evaluates:
| Factor | What the external auditor considers |
|---|---|
| Objectivity | Reporting line, audit committee oversight, freedom from management pressure, and conflicts of interest |
| Competence | Training, certifications, experience, supervision, work quality, and continuing education |
| Systematic approach | Whether internal audit uses disciplined planning, documentation, quality control, and review |
| Relevance | Whether the work addresses financial statement assertions and assessed risks |
| Quality | Whether testing, sampling, evidence, and conclusions are documented well enough to support reliance |
The stronger these factors are, the more the external auditor may be able to use internal audit work. If objectivity or competence is weak, reliance should be reduced or avoided.
The exam may distinguish between using internal audit’s completed work and obtaining direct assistance.
| Approach | Meaning | External auditor responsibility |
|---|---|---|
| Using internal audit’s work | The external auditor evaluates work already performed by internal audit | Review relevance, quality, evidence, and conclusions before using it |
| Direct assistance | Internal auditors perform procedures under the external auditor’s direction, supervision, and review | Control the work, supervise the procedures, and evaluate results |
Direct assistance is not appropriate for every task. Internal auditors should not make significant audit judgments, evaluate areas where objectivity is impaired, or perform procedures that create self-review concerns. The external auditor should retain judgment-heavy work, especially for significant risks, fraud risks, and complex estimates.
Some audit areas require expertise beyond the engagement team’s normal accounting and auditing knowledge. Examples include actuarial assumptions, environmental obligations, complex valuation models, fair value measurements, mineral reserves, legal interpretations, and information technology risks.
Using a specialist involves more than checking credentials. The auditor should evaluate:
| Evaluation area | Audit question |
|---|---|
| Competence | Does the specialist have the necessary skill, knowledge, and experience? |
| Capability | Can the specialist perform the work within the audit timetable and scope? |
| Objectivity | Are there relationships or incentives that may bias the specialist’s work? |
| Methods | Are the models, methods, and assumptions appropriate for the audit objective? |
| Source data | Is the data used by the specialist complete, accurate, and relevant? |
| Findings | Are the specialist’s conclusions consistent with other audit evidence? |
The auditor does not need to become an actuary or valuation expert, but must understand enough to evaluate whether the specialist’s work is suitable as audit evidence. If assumptions appear unreasonable or data is unreliable, the auditor performs additional procedures or seeks further expertise.
A service organization processes transactions or maintains systems for the audit client. Payroll processors, benefit administrators, cloud accounting platforms, claims processors, custodians, and outsourced IT providers can all affect financial reporting.
The external auditor considers whether the service organization affects relevant assertions. If it does, the auditor needs evidence about controls at the service organization and the user entity’s own controls.
| Evidence source | What it helps answer |
|---|---|
| SOC 1 Type 1 report | Whether controls were suitably designed at a point in time |
| SOC 1 Type 2 report | Whether controls were suitably designed and operating effectively over a period |
| Complementary user entity controls | Controls the client must perform for the service organization’s controls to work as intended |
| Bridge letter | Whether material changes occurred after the SOC report period |
| Direct testing | Evidence when SOC coverage is missing, incomplete, or not relevant |
A SOC report is not automatically sufficient. The auditor evaluates the report period, control objectives, subservice organizations, exceptions, user control considerations, and whether the report covers the transactions and assertions relevant to the audit.
Reliance is strongest when another party’s work is relevant, objective, competent, well documented, and tied directly to the auditor’s assessed risks. Reliance is weaker when the work is vague, old, outside the audit period, unsupported, performed by someone with conflicts, or unrelated to financial statement assertions.
| Situation | Likely audit response |
|---|---|
| Strong internal audit function tested low-risk controls well | Use some work after review and possible reperformance |
| Internal audit reports to management with limited audit committee oversight | Reduce reliance and perform more external audit procedures |
| Specialist uses unsupported assumptions | Challenge assumptions and perform additional procedures |
| SOC 1 Type 2 report covers the full audit period and relevant controls | Consider relying on controls, subject to exceptions and user controls |
| SOC report omits a key control objective | Perform alternative procedures for the gap |
The core principle is consistent: the external auditor can use the work of others, but must still obtain sufficient appropriate audit evidence.
Avoid answer choices that say another party’s work eliminates the external auditor’s responsibility. Internal auditors, specialists, and service auditors can contribute evidence, but the external auditor signs the audit report and owns the audit conclusion.
Also be careful with SOC reports. SOC 1 reports are relevant to user entities’ financial reporting controls; other SOC reports may address security, availability, confidentiality, privacy, or processing integrity, but may not provide the financial reporting evidence needed for the audit objective.