IT controls and internal audit - Using the work of internal ...

Learning Outcomes

After reading this article, you should be able to explain what IT general and application controls are and why they matter for audit reliability. You will understand the nature, objectives, and limitations of internal audit, and learn how external auditors assess and use internal audit work—especially IT controls. You should be able to describe the factors influencing reliance, how to evaluate internal audit’s competence, objectivity, and systematic approach, and identify when and how to use their evidence as part of your audit approach.

ACCA Audit and Assurance (AA) Syllabus

For ACCA Audit and Assurance (AA), you are required to understand the key principles for IT controls and the use of internal audit by external auditors. In particular, revision should focus on:

  • The classification and purpose of IT controls: general controls and application controls.
  • The role, structure, and objectives of internal audit within an organisation.
  • The differences between internal and external audit: objectives, reporting, and independence.
  • The procedures the external auditor must follow to evaluate internal audit’s objectivity, competence, and systematic approach before relying on their work (ISA 610).
  • How to decide when and to what extent external auditors can rely on the work of internal audit for both controls testing and substantive procedures.
  • The practical limitations and risks of relying on internal audit, especially in the area of IT.
  • Communication requirements regarding use of internal audit work.

Test Your Knowledge

Attempt these questions before reading this article. If you find some difficult or cannot remember the answers, remember to look more closely at that area during your revision.

  1. What is an IT general control, and how does it differ from an IT application control in the context of an external audit?
  2. List three key factors the external auditor must evaluate before deciding to place reliance on the work of internal audit.
  3. True or false? If internal audit performs detailed testing of a revenue process, the external auditor can always place full reliance on that work.
  4. In what circumstances is it inappropriate for the external auditor to use internal audit to provide direct assistance during an external audit?

Introduction

Modern audits increasingly rely on IT environments and well-designed controls. At the same time, many organisations employ an internal audit function that monitors these systems and controls. ISA 610, "Using the Work of Internal Auditors," guides external auditors on how to evaluate and use internal audit work—particularly over IT controls. Understanding how to assess internal audit’s objectivity, competence, and systematic discipline is essential to optimising resources and delivering an effective audit.

Key Term: IT general control
Policies or procedures that relate to the overall IT environment and support the effective operation of application controls, e.g., access management, program change controls, and data backup.

Key Term: IT application control
Procedures or checks within an IT system designed to ensure the accuracy, completeness, and validity of specific accounting transactions, e.g., input/edit checks in sales systems.

Key Term: internal audit
An organisation’s independent assurance function responsible for objectively evaluating and improving the effectiveness of risk management, control, and governance processes.

Key Term: objectivity (in internal audit)
The degree to which the internal audit function is free from bias, undue influence, or conflicts of interest in performing its work and reporting findings.

Key Term: competence (in internal audit)
The knowledge, skills, and experience of internal audit staff to undertake assigned audit work effectively and with due professional care.

Key Term: systematic and disciplined approach
The use of documented methodologies and quality control policies by internal audit to plan, perform, supervise, review, and report on their work.

IT CONTROLS IN AUDIT

IT controls underpin the reliability of accounting systems. Controls in IT environments are divided into two categories:

IT General Controls (ITGCs)

These set the basis for operations, supporting the integrity of all systems and data:

  • User access controls (passwords, permissions)
  • Program change management (approval and testing)
  • Data backup and recovery
  • Physical security of equipment

IT Application Controls

These address specific transaction processing to reduce the risk of errors and fraud:

  • Input controls (validation, completeness checks)
  • Processing controls (logic checks, sequence tests)
  • Output controls (reconciliations, exception reports)

A weakness in ITGCs can undermine the effectiveness of all application controls, increasing audit risk.

Worked Example 1.1

ACCA Foods Ltd processes orders using a custom-built system. IT general controls include password-protected access and managed change approvals. Application controls in the system require that orders cannot be saved unless all key fields (date, quantity, customer code) are entered. During testing, internal audit found that users could override validation by editing the source code.

Question: Why should the external auditor be cautious about relying on substantive output from this sales application?

Answer:
Although application controls appear effective, the weak general control (poor change management—allowing users to alter source code) means fraudulent or erroneous transactions could bypass the designed controls. The external auditor cannot rely on the completeness/accuracy of sales data unless ITGC weaknesses are addressed.
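
Added example (not part of the original article): Python code showing how an auditor might reperform the application controls from Worked Example 1.1 directly on the stored records instead of trusting the application's own validation, which the weak change control allows users to bypass. The records, order numbers, reported total and function names are constructed for illustration, and the positive-quantity rule is an assumption.

```python
# Constructed sample of stored order records (not data from the article).
# Key fields follow Worked Example 1.1: date, quantity, customer code.
ORDERS = [
    {"order_no": 1001, "date": "2024-03-01", "quantity": 12, "customer_code": "C014"},
    {"order_no": 1002, "date": "2024-03-01", "quantity": 0, "customer_code": "C022"},
    {"order_no": 1003, "date": "", "quantity": 5, "customer_code": "C014"},
    {"order_no": 1005, "date": "2024-03-02", "quantity": 7, "customer_code": None},
    {"order_no": 1006, "date": "2024-03-02", "quantity": 3, "customer_code": "C031"},
]
KEY_FIELDS = ("date", "quantity", "customer_code")
REPORTED_TOTAL = 32  # constructed: quantity total shown on the system's sales report


def input_exceptions(orders):
    """Input control: re-check key fields on what was actually saved."""
    exceptions = {}
    for o in orders:
        problems = [f"{f} missing" for f in KEY_FIELDS if o.get(f) in (None, "")]
        qty = o.get("quantity")
        if isinstance(qty, int) and qty <= 0:  # assumed validity rule
            problems.append("quantity not positive")
        if problems:
            exceptions[o["order_no"]] = problems
    return exceptions


def sequence_gaps(orders):
    """Processing control: sequence test over order numbers."""
    present = {o["order_no"] for o in orders}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def total_difference(orders, reported_total):
    """Output control: reconcile a recomputed control total to the report."""
    return sum(o.get("quantity") or 0 for o in orders) - reported_total


def exception_report(orders, reported_total):
    """Collect all three checks into one report for follow-up."""
    return {
        "input": input_exceptions(orders),
        "sequence_gaps": sequence_gaps(orders),
        "total_difference": total_difference(orders, reported_total),
    }


if __name__ == "__main__":
    print(exception_report(ORDERS, REPORTED_TOTAL))
```

Any saved record that fails the key-field check shows that the designed input control was not operating for that transaction, which is the evidence behind the caution in the answer above.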

OVERVIEW OF INTERNAL AUDIT

Organisations may establish their own internal audit (IA) department to review the adequacy and effectiveness of controls and risk management.

  • Objectives: Provide assurance and recommendations for improving controls, risk management, compliance, and governance.
  • Activities: Process reviews, compliance checks, IT audits, fraud investigations, operational audits, and value for money studies.
  • Reporting Line: Usually to the audit committee or those charged with governance.
  • Independence: As employees, internal auditors cannot achieve full independence, but strong structures (reporting to the board, not management) help maintain objectivity.

Internal vs. External Audit

|  | Internal Audit | External Audit |
| --- | --- | --- |
| Main Purpose | Evaluate, improve controls and processes | Report on true and fair view |
| Users | Management, board, audit committee | Shareholders, third parties |
| Appointment | By board or management | By shareholders |
| Reporting | Internal reports | Independent auditor’s report |
| Independence | Limited—employees of entity | Full (must be independent) |

USING THE WORK OF INTERNAL AUDIT

Rationale

External auditors may use internal audit to:

  • Improve efficiency; avoid duplication of effort
  • Gain extra understanding of controls and processes
  • Increase audit evidence where appropriate

However, any decision to rely on internal audit work is subject to a detailed evaluation.

Evaluation Criteria (ISA 610)

The external auditor must assess:

  1. Objectivity – Is internal audit organisationally independent? Are there safeguards against management influence?
  2. Competence – Are team members appropriately trained, qualified, and resourced?
  3. Systematic and disciplined approach – Is work performed using documented methodology, with evidence of planning, supervision, review, and quality control?

Only when these criteria are met can external auditors consider relying on internal audit’s work for controls testing or substantive audit procedures.

Worked Example 1.2

XYZ Manufacturing’s internal audit team, led by a recently-qualified accountant, performs testing of purchase and payroll controls across multiple locations. The reports are evidence-based and reviewed by a separate quality assurance partner before issuing. The internal audit manager reports directly to the board and cannot be dismissed by management.

Question: Which elements strengthen the external auditor’s ability to rely on IA work?

Answer:
Internal audit shows clear objectivity (reporting line to the board), evidence of competence (qualified staff, external review), and a systematic approach (documented procedures, independent quality review). All three criteria are sufficiently met.

The Process for Using IA Work

  1. Evaluate overall IA function per above criteria.
  2. Define relevant areas: Identify specific areas where work may be shared (e.g., payroll controls, IT access controls).
  3. Test IA’s work: Review and (where necessary) reperform some IA procedures to confirm quality, relevance, and findings.
  4. Determine extent of use: The more significant the judgement and risk involved in an area, the less the external auditor can rely on IA.
  5. Direct assistance: In some jurisdictions, IA may provide direct assistance under strict controls (never for areas involving significant judgement).

Extent of Reliance and Limitations

  • Limitations: Responsibility for the audit opinion remains solely with the external auditor. Regardless of the quality of internal audit work, external auditors must exercise their own judgement and professional scepticism.
  • Not all areas suitable: High-risk areas, significant judgements (like provisions, estimates, or revenue recognition), or where management override risk is present, are not suitable for sole reliance on internal audit.

Worked Example 1.3

The external auditor is considering using internal audit’s 202X review of IT access controls for the payroll system. Internal audit used standardised scripts, tested sample user accounts, and documented all steps. However, the review was performed before a system update implemented later that year.

Question: Can the external auditor use this work as audit evidence?

Answer:
The prior period testing does not cover the system as at year-end after significant changes. The external auditor must perform procedures over the updated environment, as prior work is no longer relevant for the current period.

Exam Warning

Do not assume that the existence of any internal audit function allows the external auditor to reduce their own work. You must document your evaluation of IA’s objectivity, competence, and systematic approach, and test their work before relying on it. Never assume all IA work is audit evidence.

Communication

External auditors must communicate with those charged with governance about:

  • The planned use of internal audit work
  • The extent and nature of that reliance
  • Significant findings or concerns arising from their evaluations

SUMMARY

External auditors can achieve greater efficiency by using internal audit work, provided they thoroughly evaluate internal audit’s objectivity, competence, and approach (as per ISA 610). IT controls—both general and application—are especially important, as control weaknesses in IT threaten the reliability of all data. Auditors must test internal audit work before using it as audit evidence, and cannot rely on it for areas of high judgement or risk. Responsibility for the audit opinion always remains with the external auditor.

Key Point Checklist

This article has covered the following key knowledge points:

  • Define IT general controls and IT application controls, explaining their impact on the audit.
  • Identify the objectives, scope, and limitations of internal audit.
  • Explain how to evaluate internal audit’s objectivity, competence, and methodology.
  • Describe the step-by-step process for considering and using internal audit work in an external audit (ISA 610).
  • Identify limitations on the extent of reliance and when it is inappropriate to use internal audit evidence.
  • List common areas where reliance may be placed and those where it cannot.

Key Terms and Concepts

  • IT general control
  • IT application control
  • internal audit
  • objectivity (in internal audit)
  • competence (in internal audit)
  • systematic and disciplined approach
