ISA 610 (Revised 2013): Using the Work of Internal Auditors: Complete Guide

What is ISA 610?

ISA 610 (Revised 2013), titled “Using the Work of Internal Auditors,” addresses a practical reality: many entities have IA functions that perform work directly relevant to the external audit. Using this work efficiently (while maintaining audit quality and independence) can benefit all parties.

The standard distinguishes clearly between two modes of involvement. The first, using the work of the IA function, means the external auditor relies on work the IA function has already performed (or plans to perform) as part of its own mandate. The second, direct assistance, means internal auditors temporarily join the external auditor’s team and perform procedures at the external auditor’s direction.

The standard does not apply when the entity has no IA function, or when the external auditor determines not to use the work of IA or direct assistance.

Using the work of the internal audit function

Evaluating the internal audit function

ISA 610.15 requires the external auditor to evaluate:

We assess objectivity by examining the function’s organisational status and relevant policies supporting the control environment. Key factors include whether IA reports to those charged with governance or an audit committee (rather than to operational management), whether internal auditors are free from conflicting operational responsibilities, and whether those charged with governance oversee employment decisions related to the head of IA.

We also evaluate competence: whether the function has adequate resources and the internal auditors have appropriate technical training and proficiency. Factors include professional qualifications, relevant experience, existence of quality control policies, and whether work is properly supervised and reviewed.

Finally, we consider whether the function applies a systematic and disciplined approach. This means assessing whether the function’s work is properly planned, performed, supervised, reviewed, and documented, including the existence of quality control processes and adequate WPs.

Determining the extent of use

ISA 610.18 establishes that the planned extent of use is influenced by:

• The nature and scope of the specific work performed by IA.
• The assessed risk of material misstatement at the assertion level.
• The degree to which the IA function’s objectivity is supported.
• The level of competence of the function.

The more judgment involved in planning and performing the work, the higher the assessed risk, the lower the objectivity, or the lower the competence, the less the external auditor can use the work. In areas of significant risk or significant judgment, the external auditor must always perform the work directly.

Evaluating specific internal audit work

ISA 610.23–24 requires the external auditor to evaluate the adequacy of specific work for the external audit’s purposes. This includes:

• Whether the work was properly planned, performed, supervised, reviewed, and documented.
• Whether sufficient appropriate evidence was obtained to support reasonable conclusions.
• Whether conclusions are consistent with the circumstances and the reports are consistent with the results.
• Whether any exceptions or unusual matters are properly resolved.
• Reperformance: testing some of the same items to verify results.

Direct assistance

What is direct assistance

Direct assistance means internal auditors perform specific audit procedures under the direction, supervision, and review of the external auditor. The internal auditors work as part of the external audit team, though they are not formally members of the engagement team under ISA 220.

Prerequisites for direct assistance

Before using direct assistance, the external auditor must:

• Evaluate the objectivity and competence of the specific internal auditors who will provide assistance, not just the function as a whole.
• Obtain written agreement from an authorised representative of the entity that internal auditors will follow the external auditor’s instructions.
• Obtain written agreement from the internal auditors that they will keep matters confidential as instructed.
• Confirm that using direct assistance is not prohibited by law or regulation in the relevant jurisdiction.

Prohibited activities under direct assistance

ISA 610.30 limits what internal auditors can do when providing direct assistance. They must not perform procedures that:

• Involve making significant judgments in the audit.
• Relate to higher assessed risks of material misstatement where the judgment required is more than limited.
• Relate to decisions the external auditor makes under ISA 610 (about whether and how to use internal audit work).
• Relate to work the internal auditor has already been involved in and reported on to management (to prevent self-review threats).

The external auditor’s sole responsibility

ISA 610 is unambiguous: using the work of internal auditors or direct assistance does not reduce the external auditor’s sole responsibility for the audit opinion. The external auditor must:

• Make all significant judgments.
• Perform sufficient procedures directly to maintain the quality and integrity of the audit.
• Not use internal audit work as a complete substitute for the external auditor’s own procedures.
• Not refer to the work of internal auditors in the auditor’s report.

Worked example: Hartmann Industrieholding GmbH

Hartmann Industrieholding GmbH is a German industrial conglomerate with €95M revenue, four production facilities, and a 31 December year-end. The entity has an IA function of three professionals that reports to the audit committee. During planning, the external audit team identifies inventory (€28M across four locations) as a significant area. IA completed a review of inventory controls at two of the four facilities in Q3.

1. The engagement partner (EP) evaluates the IA function under ISA 610.15. The function reports directly to the audit committee (strong organisational independence), internal auditors hold CIA certifications, and the head of IA has 12 years of experience. The function follows IIA Standards and maintains its own quality review process. The EP concludes that objectivity and competence are sufficient to consider using the function’s work.

Documentation note: record the evaluation of objectivity (reporting lines, organisational status, oversight by audit committee) and competence (qualifications, experience, quality processes) in the planning file. Reference ISA 610.15 criteria explicitly.

1. The EP reviews IA’s inventory control testing at the two facilities. IA tested 45 inventory transactions across receiving, warehousing, and dispatch controls. The work was properly planned, supervised by the head of IA, and documented with clear conclusions. No exceptions were identified. The external team reperforms testing on 8 of the 45 items (approximately 18%) and confirms consistent results.

Documentation note: document the nature of IA’s work reviewed, the reperformance sample (items selected and results), and the conclusion on adequacy of the work for external audit purposes per ISA 610.23-24.

1. Based on the evaluation, the EP decides to use IA’s control testing for the two facilities where work was completed. For the remaining two facilities, the external team performs its own tests of controls on inventory processes. The team does not reduce substantive testing at any facility because inventory is assessed as a significant risk area requiring direct external auditor involvement.

Documentation note: record the scoping decision showing which facilities rely on IA work and which require direct external procedures. Document why substantive testing was not reduced (ISA 610.18; higher assessed risk limits the extent of reliance).

1. The EP confirms that direct assistance is not used on this engagement. Under the German Berufssatzung independence requirements, direct assistance would require additional safeguards, and the EP determines that using the work of the IA function is sufficient for the audit’s purposes.

Documentation note: note the decision not to use direct assistance and the jurisdictional basis. This prevents questions at review about whether direct assistance rules were considered.

The file shows a structured ISA 610.15 evaluation, a documented reperformance of IA’s work, a clear scoping decision that limits reliance in higher-risk areas, and an explicit consideration of direct assistance rules. A reviewer would see that the team used IA work appropriately without substituting it for direct procedures where significant judgment was required.

Practical checklist

Nobody enjoys reperforming IA work the night before sign-off, especially when you suspect your team’s own procedures would have been faster in the first place. Documenting the reliance decision properly up front is the only thing that saves you from that scramble later.

1. Evaluate the IA function’s objectivity and competence at the planning stage using the ISA 610.15 criteria (reporting lines, organisational status, qualifications, quality processes). Document the evaluation even if you decide not to use IA’s work.
2. For any IA work you plan to use, review the specific procedures performed, the evidence obtained, and the conclusions reached. Confirm the work was properly planned, supervised, and documented (ISA 610.23-24).
3. Reperform a sample of the IA procedures to verify results. Ticking and bashing a handful of items without engaging with the underlying work is precisely what AFM and FRC inspectors flag. The reperformance percentage should be higher where assessed risk is elevated or where the evaluation of objectivity raised any concerns.
4. Do not use IA work for areas involving significant judgment or higher assessed risk of material misstatement without performing your own direct procedures in those same areas (ISA 610.18).
5. Verify whether direct assistance is permitted in your jurisdiction before planning any such arrangement. In the Netherlands (Wta) and the UK (FRC Ethical Standard for PIE audits), direct assistance is prohibited for statutory audits.
6. Document your conclusion on the extent of reliance, including what IA work was used and what the external team performed directly. The file should tell a story about why reliance was calibrated the way it was, and make clear that sole responsibility for the opinion was not delegated.

Common mistakes

• Using IA work without performing reperformance procedures. The AFM’s 2024 EQCR inspection found that in 26 of 30 assessed engagement quality reviews at non-PIE firms, the depth of review was insufficient (AFM EQCR Report, March 2024). Where IA reliance is part of the audit approach, reviewers expect to see documented reperformance, not just a reference to IA’s conclusions.
• Relying on IA for areas of significant risk without supplementing with direct external procedures. ISA 610.18 explicitly limits reliance where judgment is significant or risk is higher. The FRC’s 2025 inspection cycle identified weaknesses in EP and EQR oversight as a contributory factor on the majority of Tier 3 inspections (FRC Annual Review of Audit Quality 2025), and insufficient direct involvement was a common root cause.
• Failing to evaluate whether IA’s organisational status genuinely supports objectivity. A function that reports to the CFO rather than the audit committee has a structural objectivity limitation that should reduce the extent of permissible reliance, regardless of the individuals’ qualifications.

Related content

• Tests of controls. Glossary entry explaining how tests of controls work under ISA 330, which is directly relevant when evaluating whether IA’s control testing meets the external auditor’s evidence requirements.
• ISA 530 sampling calculator. When reperforming IA procedures, use this calculator to determine an appropriate sample size based on your confidence level and expected error rate.
• ISA 315: Risk assessment guide. The external auditor’s understanding of the IA function is part of the ISA 315 risk assessment. This guide covers how IA fits into the broader understanding of the entity’s control environment.

ISA 610 in your jurisdiction

Netherlands. COS 610 follows ISA 610 (Revised 2013) but prohibits direct assistance for statutory audits of PIEs under the Wta. The AFM examines whether auditors who use the work of IA have adequately evaluated the function’s objectivity and competence, and whether sufficient reperformance was conducted.

Germany. IDW PS 610 adapts ISA 610 (Revised 2013). German practice has a strong tradition of internal revision (Interne Revision), and the interaction between external and internal audit is well-established. Direct assistance is subject to the independence requirements of the Berufssatzung. The WPK’s inspections focus on whether the external auditor’s reliance on IA work is proportionate to the evaluated quality of the function.

United Kingdom. ISA (UK) 610 (Revised June 2013) is substantively aligned with ISA 610 (Revised 2013) but prohibits direct assistance for PIE audits under the FRC’s Ethical Standard. The FRC emphasises that the external auditor must perform sufficient work directly to form an independent conclusion, and that reliance on IA should be documented with clear justification.

France. NEP 610 implements ISA 610. French practice recognises the role of the audit interne within the entity but maintains strict boundaries on the commissaire aux comptes’s independence. Direct assistance arrangements must comply with the Code de déontologie. The H3C’s inspections examine whether the commissaire aux comptes has maintained sufficient direct involvement in areas where IA work was used.

Frequently asked questions

Can the external auditor rely entirely on internal audit for any area?

No. The external auditor must always perform sufficient procedures directly. IA work can reduce the extent of the external auditor’s direct testing, but it cannot replace it entirely, particularly in areas of significant risk or where significant judgment is required.

What is the difference between “using the work” and “direct assistance”?

Using the work means relying on work the IA function has already performed (or planned independently) as part of its own mandate. Direct assistance means the external auditor directs internal auditors to perform specific external audit procedures under the external auditor’s supervision. The key distinction is who controls the work: in “using the work,” IA planned and performed it; in “direct assistance,” the external auditor directs it.

Does internal audit need to follow IIA Standards for the external auditor to rely on their work?

ISA 610 does not specifically require compliance with IIA Standards. However, adherence to recognised professional standards (such as the IIA’s International Standards for the Professional Practice of Internal Auditing) is a strong indicator of competence and a systematic approach, and will positively influence the external auditor’s evaluation.

Can internal auditors attend inventory counts on behalf of the external auditor?

This depends on the jurisdiction and whether the attendance constitutes direct assistance (which may be prohibited). If direct assistance is permitted, internal auditors could attend counts under the external auditor’s instructions, but not for areas of significant risk. If using the work of IA, the external auditor may rely on IA’s own attendance but must evaluate and reperform aspects of the work.

Further reading and source references

• IAASB Handbook 2024: ISA 610 (Revised 2013) full text. The authoritative source including all application material.
• ISA 315 (Revised 2019): Identifying and Assessing Risks. Addresses how the IA function affects the external auditor’s risk assessment.
• ISA 220 (Revised): Quality Management for an Audit. Governs the EP’s responsibilities, relevant when internal auditors provide direct assistance.
• IIA International Standards: The professional framework for internal auditing.

This guide reflects the ISA 610 (Revised 2013) text as published in the IAASB 2024 Handbook. National implementations may include additional requirements. Always consult the applicable national standard alongside the international text. This content is for educational purposes and does not constitute legal or professional advice.

Related ciferi content

Related guides:

Put audit concepts into practice with these free tools: