The guideline is presented in the following sections:
- Guideline purpose and linkage to standards
- Guideline content
- Linkage to standards and COBIT 5 processes
- Effective date
1. Guideline Purpose and Linkage to Standards
This section clarifies the:
1.1 Purpose of the guideline
1.2 Linkage to standards
1.3 Term usage of ‘audit function’ and ‘professionals’
1.1.1 This guideline provides guidance to IS audit and assurance professionals when considering the use of work of other experts. The guideline assists in assessing the adequacy of the experts, reviewing and evaluating the work of other experts, assessing the need for performing additional test procedures and expressing an opinion for the audit engagement, while taking into account the work performed by other experts.
1.1.2 IS audit and assurance professionals should consider this guideline when determining how to implement the standard, use professional judgement in its application, be prepared to justify any departure and seek additional guidance if considered necessary.
1.2 Linkage to Standards
1.2.1 Standard 1007 Assertions
1.2.2 Standard 1203 Performance and Supervision
1.2.3 Standard 1206 Using the Work of Other Experts
1.3 Term Usage
- ‘IS audit and assurance function’ is referred to as ‘audit function’
- ‘IS audit and assurance professionals’ are referred to as ‘professionals’
2. Guideline Content
The guideline content section is structured to provide information on the following key audit and assurance engagement topics:
2.1 Considering the use of work of other experts
2.2 Assessing the adequacy of other experts
2.3 Planning and reviewing the work of other experts
2.4 Evaluating the work of other experts who are not part of the audit engagement team
2.5 Additional test procedures
2.6 Audit opinion or conclusion
2.1 Considering the Use of Work of Other Experts
2.1.1 When professionals do not have the required competencies to perform (part of) the audit engagement, they should consider seeking assistance from other experts with the required skills.
2.1.2 Using the work of other experts should be considered when there are constraints that could impair the audit work to be performed, e.g., technical knowledge required by the nature of the tasks to be performed, scarce audit resources, time constraints and to address potential independence issues. The use of other experts should also be considered if this results in a gain in the quality of the engagement.
2.1.3 Professionals should have sufficient knowledge of the work performed to guide and review the work, but should not be expected to have a knowledge level equivalent to the experts.
2.1.4 Professionals should base their choice of specific experts and the use of the other experts’ work on objective criteria.
2.1.5 Professionals should communicate and document the performance requirements to other experts in a contract or agreement prior to the other experts beginning work on the engagement.
2.1.6 Where other expert’s access to records or systems is prohibited by enterprise internal policies, professionals should determine the appropriate extent of the use and reliance on the other expert’s work.
2.1.7 If the necessary experts cannot be obtained, professionals should document the impact on achieving the audit objectives and include specific tasks in the audit plan to manage the resulting audit risk. If the resulting audit risk cannot be managed, professionals may need to decline the audit engagement.
2.2 Assessing the Adequacy of Other Experts
2.2.1 When an audit engagement involves using the work of other experts, professionals should consider the adequacy of the other experts whilst planning the IS audit work. This includes:
2.2.2 Professionals should consider carefully the independence and objectivity of other experts when using their work. The processes for selection and appointment, the organisational status, the reporting line and the effect of their recommendations on management practices are typical indicators of the independence and objectivity of other experts.
- Assessing the independence and objectivity of the other experts
- Assessing their professional qualifications, competencies, relevant experience, resources and use of quality control processes
2.3 Planning and Reviewing the Work of Other Experts
2.3.1 Professionals should consider the activities of other experts and their effect on the IS audit objectives while planning the IS audit work. This includes:
2.3.2 Professionals should verify that the audit charter or engagement letter specifies their right of access to the other experts’ work. Professionals should have access to all work papers, supporting documentation and reports created by the other experts, where such access does not create legal issues.
- Obtaining an understanding of their scope of work, approach, timing and use of quality control processes
- Determining the level of review required
2.3.3 The nature, timing and extent of audit evidence required will depend upon the significance and scope of the other experts’ work. During the planning process, professionals should identify the level of review that is required to provide sufficient and appropriate audit evidence to achieve the overall IS audit objectives effectively. Professionals should review the other experts’ final report, methodology or audit programme(s), and work papers.
2.3.4 In reviewing other experts’ work papers, professionals should assess that the other experts’ work was appropriately planned, supervised, documented and reviewed, to consider the appropriateness and sufficiency of the audit evidence provided by them, and to determine the extent of use and reliance on the expert’s work. This assessment may include a retest of the work of other experts. Compliance with relevant professional standards should also be assessed. Overall, professionals should assess whether the work of other experts is adequate and complete to enable them to conclude on the current IS audit objectives and document a conclusion.
2.3.5 Professionals should perform sufficient reviews of the other experts’ final report(s) to confirm that:
- The scope specified in the audit charter, terms of reference or letter of engagement has been met.
- Any significant assumptions used by the other experts have been identified.
- The findings and conclusions reported are adequately supported by evidence.
2.4 Evaluating the Work of Other Experts Who Are Not Part of the Audit Engagement Team
2.4.1 Today’s interdependencies between customers and suppliers regarding the processing and outsourcing of non-core activities leads to a more complex audit environment. Parts of the environment being audited can be controlled and audited by other independent functions or organisations. As a result, the outsourcing organisation will receive reports from those third parties about the control environment of the outsourced operations. In some cases this may lessen the need for IS audit coverage even though professionals do not have access to supporting documentation and work papers. Professionals should be cautious in providing an opinion on such cases.
2.4.2 Professionals should assess the usefulness and appropriateness of reports issued by the other experts, and should consider any significant findings reported by the other experts. It is the professionals’ responsibility to determine whether the work of other experts will be relied upon and incorporated directly or referred to separately in the report. Professionals should also assess the effect of the other experts’ findings and conclusions on the overall IS audit objective, and verify that any additional work required to meet the overall IS audit objective is completed. All assertions made by the other experts should be verified and formally approved by management; detailed guidance on this topic can be found in Standard 1007 Assertions.
2.5 Additional Test Procedures
2.5.1 Based on the assessment of the work of other experts, professionals should apply additional test procedures to gain sufficient and appropriate audit evidence in circumstances where the work of other experts does not provide such evidence.
2.5.2 Professionals should also consider whether supplemental testing of the other experts’ work is required.
2.6 Audit Opinion or Conclusion
2.6.1 It remains professionals’ ultimate responsibility to formulate an audit opinion or conclusion. Professionals need to determine if the work performed by other experts was sufficient to arrive to the audit opinion or conclusion.
2.6.2 If additional test procedures performed do not provide sufficient and appropriate audit evidence, professionals should provide an appropriate audit opinion or conclusion and include scope limitations where required.
2.6.3 Professionals’ views and comments on the adoptability and relevance of the other experts’ report should form a part of the audit engagement report if the experts’ report is utilised in forming professionals’ opinion.
2.6.4 Where appropriate, professionals should consider the extent to which management has implemented any recommendations of other experts. This should include assessing whether management has committed to remediation of issues identified by other experts within appropriate time frames and the current status of remediation.
3. Linkage to Standards and COBIT 5 Processes
This section provides an overview of relevant:
3.1 Linkage to standards
3.2 Linkage to COBIT 5 processes
3.3 Other guidance
3.1 Linkage to Standards
The table provides an overview of:
- The most relevant ISACA IS audit and assurance standards that are directly supported by this guideline
- Those standard statements that are most relevant to this guideline
Note: Only those standard statements relevant to this guideline are listed.
Relevant Standard Statements
||IS audit and assurance professionals shall review the assertions against which the subject matter will be assessed to determine that such assertions are capable of being audited and that the assertions are sufficient, valid and relevant.|
|1203 Performance and Supervision
||IS audit and assurance professionals shall accept only tasks that are within their knowledge and skills or for which they have a reasonable expectation of either acquiring the skills during the engagement or achieving the task under supervision.|
IS audit and assurance professionals shall obtain sufficient and appropriate evidence to achieve the audit objectives. The audit findings and conclusions shall be supported by appropriate analysis and interpretation of this evidence.
|1206 Using the Work of Other Experts
||IS audit and assurance professionals shall consider using the work of other experts for the engagement, where appropriate.|
IS audit and assurance professionals shall assess and approve the adequacy of the other experts’ professional qualifications, competencies, relevant experience, resources, independence and quality-control processes prior to the engagement.
IS audit and assurance professionals shall assess, review and evaluate the work of other experts as part of the engagement, and document the conclusion on the extent of use and reliance on their work.
IS audit and assurance professionals shall determine whether the work of other experts, who are not part of the engagement team, is adequate and complete to conclude on the current engagement objectives, and clearly document the conclusion.
IS audit and assurance professionals shall determine whether the work of other experts will be relied upon and incorporated directly or referred to separately in the report.
IS audit and assurance professionals shall apply additional test procedures to gain sufficient and appropriate evidence in circumstances where the work of other experts does not provide sufficient and appropriate evidence.
IS audit and assurance professionals shall provide an appropriate audit opinion or conclusion, and include any scope limitation where required evidence is not obtained through additional test procedures.
3.2 Linkage to COBIT 5 Processes
The table provides an overview of the most relevant:
- COBIT 5 process
- COBIT 5 process purpose
Specific activities performed as part of executing these processes are contained in COBIT 5: Enabling Processes.
COBIT 5 Process
|MEA02 Monitor, evaluate and assess the system of internal control.
||Obtain transparency for key stakeholders on the adequacy of the system of internal controls and thus provide trust in operations, confidence in the achievement of enterprise objectives and an adequate understanding of residual risk.|
3.3 Other Guidance
When implementing standards and guidelines, professionals are encouraged to seek other guidance when considered necessary. This could be from IS audit and assurance:
- Colleagues from within the enterprise
- Governance bodies within the enterprise, e.g., audit committee
- Professional organisations or professional media groups
- Other professional guidance (e.g., books, papers, other guidelines)
||Internal or external to an enterprise, other expert could refer to:
- An IS auditor from the external accounting firm
- A management consultant
- An expert in the area of the engagement who has been appointed by top management or by the team
5. Effective Date
5.1 Effective Date
This revised guideline is effective for all IS audit/assurance engagements beginning on or after 1 September 2014.