ISA 610 (Revised 2013) — Using the Work of Internal Auditors: Complete Guide

Key Takeaways

ISA 610 distinguishes two modes of involvement for internal auditors: the external auditor may use the work of the internal audit function, or may obtain direct assistance from internal auditors — each mode has distinct requirements.
Before using internal audit work or obtaining direct assistance, the external auditor must evaluate the internal audit function's objectivity (reporting lines, governance oversight) and competence (qualifications, experience, quality control).
The external auditor cannot use the work of internal audit in areas involving significant judgments in the audit, areas of higher assessed risk of material misstatement, or work relating to matters where the internal audit function's objectivity or competence is in doubt.
Direct assistance is prohibited in some jurisdictions — law or regulation may restrict or prohibit the external auditor from obtaining direct assistance from internal auditors (for example, in PIE audits in the Netherlands and the UK).
Even where direct assistance is permitted, internal auditors providing direct assistance must not perform procedures involving significant judgments, areas of higher assessed risk, work relating to decisions under ISA 610 itself, or work that creates self-review threats.
The external auditor has sole responsibility for the audit opinion expressed — that responsibility is not reduced by using the work of the internal audit function or by obtaining direct assistance from internal auditors.

What is ISA 610?

ISA 610 (Revised 2013), titled "Using the Work of Internal Auditors," addresses the external auditor's responsibilities when the entity being audited has an internal audit function whose work may be relevant to the audit of the financial statements. It establishes requirements and guidance for when and how the external auditor can leverage internal audit work — and where the boundaries lie.

The practical reality: many entities — particularly listed companies, financial institutions, and larger organisations — maintain internal audit functions that perform work closely related to the external audit. This work might include testing internal controls, performing substantive procedures on financial data, or evaluating compliance with regulatory requirements. Ignoring this work entirely would be inefficient; relying on it uncritically would be dangerous. ISA 610 provides the framework for navigating between these two extremes.

The standard distinguishes two fundamentally different modes of involvement:

Using the work of the internal audit function — evaluating and using work that internal audit has performed (or plans to perform) as part of its own mandate.
Obtaining direct assistance from internal auditors — having internal auditors perform audit procedures under the external auditor's direction, supervision, and review.

When the standard does not apply: ISA 610 does not apply when the entity does not have an internal audit function. It also does not apply when internal audit work is entirely unrelated to the financial statement audit. If the entity has individuals performing monitoring activities that are not part of an internal audit function, those activities are addressed by ISA 315 (Revised 2019) rather than ISA 610.

Using the Work of the Internal Audit Function

The first — and more common — mode of involvement is using work that the internal audit function has already performed or plans to perform. This requires a structured evaluation process before the external auditor can place any reliance on that work.

Evaluating the internal audit function

ISA 610.15 requires the external auditor to evaluate the internal audit function against three criteria:

Objectivity. The extent to which the internal audit function's organisational status and relevant policies support the objectivity of the internal auditors. Key indicators include:

Reporting lines: Does internal audit report functionally to those charged with governance (the audit committee) rather than to management? If the head of internal audit reports to the CFO, objectivity is inherently weaker than if they report directly to the audit committee chair.
Governance oversight: Does the audit committee approve the internal audit plan, review results, and have authority over the appointment and removal of the head of internal audit?
Freedom from conflicting responsibilities: Are internal auditors free from operational responsibilities that might compromise their ability to evaluate activities objectively?

Competence. Whether the internal audit function has adequate competence for the work being considered. This includes:

Qualifications: Do internal auditors hold relevant professional qualifications (CIA, CISA, CPA/RA/WP equivalents)?
Experience: Do they have sufficient experience in the relevant areas — financial reporting, internal controls, the entity's industry?
Quality control: Does the function have its own quality control processes, including supervision, review, and documentation standards?

Systematic and disciplined approach. Whether the internal audit function applies a systematic and disciplined approach, including quality control. This is evidenced by the existence of documented methodologies, work programmes, and working papers — and by whether the function's activities are planned, performed, supervised, reviewed, and documented in a manner consistent with its mandate.

The objectivity spectrum in practice

Objectivity is not binary — it exists on a spectrum. An internal audit function that reports to the audit committee, has its plan approved by the board, and operates under an IIA-compliant charter sits at the stronger end. An internal audit function that reports to the CFO, has its scope determined by management, and performs consulting work alongside assurance work sits at the weaker end. The external auditor's evaluation must reflect where the function falls on this spectrum, and the planned extent of use must be calibrated accordingly.

Determining the extent of use

ISA 610.18 establishes that the external auditor must determine the planned nature and extent of use based on four factors:

The nature and scope of the specific work performed or to be performed by the internal audit function.
The evaluated objectivity of the internal audit function.
The evaluated competence of the internal audit function.
Whether a systematic and disciplined approach is applied.

There is an inverse relationship between these factors and the degree of reliance: the more judgment involved in the area, the higher the assessed risk of material misstatement, or the weaker the evaluation of the internal audit function, the less the external auditor can use the work. For areas involving significant judgments or higher assessed risks of material misstatement, the external auditor must perform more of the work directly.

Evaluating specific work

ISA 610.23–24 requires the external auditor to evaluate the specific work of the internal audit function that the external auditor plans to use. This evaluation must include:

Whether the work was properly planned, performed, supervised, reviewed, and documented.
Whether sufficient appropriate evidence was obtained to draw reasonable conclusions.
Whether the conclusions reached are appropriate in the circumstances and consistent with the evidence obtained.
Whether any unusual matters or exceptions identified by internal audit were properly resolved.
Whether reperformance of some of the work is necessary — the external auditor must perform sufficient procedures (including reperformance) to evaluate the adequacy of the work for the external auditor's purposes.

Direct Assistance

The second mode — direct assistance — is fundamentally different from using the work of internal audit. Here, internal auditors perform audit procedures under the external auditor's direction, supervision, and review as if they were temporary members of the external audit team.

What is direct assistance?

Direct assistance means the external auditor uses internal auditors to carry out specific audit procedures. The external auditor provides direction (what to do and how to do it), supervision (monitoring progress and addressing questions), and review (evaluating whether the work performed meets the external auditor's requirements). The internal auditors are, for the duration of this work, effectively acting under the external auditor's instructions rather than internal audit's own plan.

Common examples of direct assistance include: performing tests of details on lower-risk transaction classes, attending inventory counts at remote locations, testing controls over routine processes, and confirming receivable balances.

Prerequisites for direct assistance

ISA 610.26–29 establishes three prerequisites that must be satisfied before direct assistance can be obtained:

Evaluate objectivity and competence. The external auditor must evaluate the objectivity and competence of the internal auditors who will provide direct assistance — not just the function as a whole, but the specific individuals. Greater objectivity and competence are required for direct assistance than for using work, because the internal auditors are effectively acting as members of the external audit team.
Written agreement from the entity. The external auditor must obtain written agreement from an authorised representative of the entity (typically those charged with governance) that the internal auditors will be allowed to follow the external auditor's instructions and that the entity will not intervene in the work.
Written agreement from the internal auditors. The internal auditors themselves must agree in writing to keep specific matters confidential as instructed by the external auditor and to inform the external auditor of any threats to their objectivity.

Prohibited activities for direct assistance

ISA 610.30 explicitly prohibits internal auditors providing direct assistance from performing procedures that involve:

Significant judgments in the audit — for example, evaluating the reasonableness of accounting estimates or assessing the adequacy of disclosures requiring substantial professional judgment.
Higher assessed risks of material misstatement where the judgment required is more than limited — the more risk, the more the external auditor must be personally involved.
Work relating to decisions made under ISA 610 itself — the internal auditors cannot evaluate whether their own function's work should be used or determine the scope of their own direct assistance.
Situations where self-review threats arise — internal auditors cannot provide direct assistance in testing areas where they previously performed internal audit work, as this would create a self-review threat to their objectivity.

Direct assistance is prohibited in several jurisdictions

Law or regulation in some jurisdictions prohibits or restricts direct assistance. In the Netherlands, the Wet toezicht accountantsorganisaties (Wta) effectively prohibits direct assistance for PIE audits. In the United Kingdom, direct assistance from internal auditors is prohibited for PIE audit engagements under the FRC's Ethical Standard. Before planning to use direct assistance, the external auditor must always verify whether local law, regulation, or ethical requirements permit it. Even where permitted, firms may have policies that restrict or prohibit it as a matter of practice.

The External Auditor's Sole Responsibility

ISA 610 repeatedly emphasises a fundamental principle: the external auditor's opinion is the external auditor's alone. No amount of internal audit involvement changes this. Specifically:

The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor's use of the work of the internal audit function or by obtaining direct assistance from internal auditors (ISA 610.5).
The external auditor must make all significant judgments in the audit engagement — judgments about materiality, risk assessment, the sufficiency and appropriateness of evidence, the evaluation of accounting estimates, and the formation of the audit opinion.
The external auditor must be sufficiently involved in the audit to take responsibility for the overall direction, supervision, and performance of the engagement in accordance with ISA 220.
The external auditor must not refer to internal audit in the auditor's report as a basis for conveying a reduced responsibility — the report expresses the external auditor's opinion, and no qualification or modification arises from the involvement (or absence) of internal audit.

ISA 610 in Your Jurisdiction

Netherlands. COS 610 follows ISA 610 closely. However, for OOB (organisatie van openbaar belang) engagements, the Wta and the Bta effectively prohibit direct assistance from internal auditors. The AFM has indicated that external auditors should exercise particular caution when using the work of internal audit, especially where the internal audit function reports to management rather than the audit committee. In practice, Dutch audit firms tend to perform their own substantive work and use internal audit work primarily for understanding the control environment.

Germany. The German adaptation follows ISA 610, recognising the role of the Interne Revision (internal audit). German companies, particularly in the financial sector, often have well-established internal audit functions with qualified staff (including Certified Internal Auditors and Wirtschaftsprüfer). The IDW has provided guidance on how external auditors should evaluate the internal audit function, with particular emphasis on the organisational independence requirements under the German Corporate Governance Code.

United Kingdom. ISA (UK) 610 is substantively aligned with ISA 610, but with an important restriction: the FRC's Revised Ethical Standard prohibits the use of direct assistance from internal auditors for PIE audit engagements. For non-PIE engagements, direct assistance is permitted subject to ISA 610's requirements. The FRC's inspection findings have highlighted cases where external auditors placed excessive reliance on internal audit work without adequate evaluation or reperformance.

France. French practice under NEP standards and H3C supervision follows ISA 610 principles. The French system of joint audit creates additional considerations — both joint auditors must agree on the extent of reliance on internal audit, and the allocation of areas must reflect both firms' evaluations of the internal audit function. In practice, internal audit reliance is common in large French groups, particularly for testing controls at subsidiaries.

Frequently Asked Questions

Can the external auditor rely entirely on the work of internal audit?

No. ISA 610 explicitly states that the external auditor has sole responsibility for the audit opinion expressed. The external auditor cannot use the work of the internal audit function to the extent that the external auditor would effectively be substituting internal audit work for their own. The external auditor must always perform sufficient procedures to obtain reasonable assurance and must apply professional judgment in determining the nature and extent of work that can be used.

What is the difference between using the work of internal audit and direct assistance?

Using the work of internal audit means the external auditor evaluates and uses audit work that internal audit has already performed (or plans to perform) as part of its own function. Direct assistance means internal auditors perform audit procedures under the direction, supervision, and review of the external auditor — effectively acting as temporary members of the external audit team. The two modes have different requirements, different prerequisites, and different risk profiles.

Does internal audit need to follow IIA Standards for ISA 610 to apply?

ISA 610 does not require internal audit to follow the IIA's International Standards for the Professional Practice of Internal Auditing. However, the external auditor must evaluate whether the internal audit function applies a systematic and disciplined approach, including quality control. Adherence to IIA Standards is a strong indicator of a systematic approach and will positively influence the external auditor's evaluation, but it is not a prerequisite.

Can internal auditors attend inventory counts as direct assistance?

Yes, provided the prerequisites for direct assistance are met — the external auditor has evaluated objectivity and competence, obtained written agreement from the entity and from the internal auditors, and the work does not involve significant judgments or areas of higher assessed risk. Inventory counts involving routine procedures at lower-risk locations are a common example of direct assistance in practice. However, the external auditor must verify that direct assistance is permitted in the applicable jurisdiction.