ISSAI 400 · 2019. 8. 9. · ISSAI 400 - Compliance Audit Principles builds on and further develops...

INTOSAI Standards are issued by the International Organisation of Supreme Audit Institutions, INTOSAI, as part of the INTOSAI Framework of Professional Pronouncements. For more information visit www.issai.org

ISSAI 400 Compliance Audit Principles

INTOSAI


INTOSAI, 2019

1) Endorsed as Reporting Standards in Government Auditing in 2001

2) Content reformulated and endorsed as Fundamental Principles of Compliance Auditing in 2013

3) With the establishment of the Intosai Framework of Professional Pronouncements (IFPP), renamed Compliance Audit Principles with editorial changes in 2019

ISSAI 400 is available in all INTOSAI official languages: Arabic, English, French, German and Spanish


TABLE OF CONTENTS

1. INTRODUCTION

2. PURPOSE AND AUTHORITY OF THE COMPLIANCE AUDIT PRINCIPLES

3. FRAMEWORK FOR COMPLIANCE AUDITING

The objective of compliance auditing

Characteristics of compliance auditing

The different perspectives of compliance auditing

Compliance auditing in relation with the audit of financial statements

Compliance auditing conducted separately

Compliance auditing in combination with performance auditing

4. ELEMENTS OF COMPLIANCE AUDITING

Authorities and criteria

Subject matter

The three parties in compliance auditing

Assurance in compliance auditing

5. PRINCIPLES OF PERFORMANCE AUDITING

GENERAL PRINCIPLES

Professional judgement and scepticism

Quality control

Audit team management and skills

Audit risk

Materiality

Documentation

Communication

PRINCIPLES RELATED TO THE AUDIT PROCESS

Planning and designing a compliance audit

Audit evidence

Evaluating audit evidence and forming conclusions

Reporting

Follow-up


INTRODUCTION

1) Professional standards and guidelines are essential for the credibility, quality and professionalism of public-sector auditing. The International Standards of Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) aim to promote independent and effective auditing and support the members of INTOSAI in the development of their own professional approach in accordance with their mandates and with national laws and regulations.

2) ISSAI 100 - Fundamental Principles of Public-Sector Auditing provides the fundamental principles for public-sector auditing in general and defines the authority of the ISSAIs. ISSAI 400 - Compliance Audit Principles builds on and further develops the fundamental principles of ISSAI 100 to suit the specific context of compliance auditing. ISSAI 400 should be read and understood in conjunction with ISSAI 100, which also applies to compliance auditing.

3) ISSAI 400 therefore constitutes the basis for compliance auditing standards in accordance with the ISSAIs. This document provides detailed information on the following:

• The purpose and authority of the ISSAIs on compliance auditing

• The compliance auditing framework and the different ways in which audits are conducted

• The elements of compliance auditing

• The principles of compliance auditing


PURPOSE AND AUTHORITY OF THE COMPLIANCE AUDIT PRINCIPLES

4) The purpose of the ISSAIs on compliance auditing¹ is to provide a comprehensive set of principles, requirements and application material for the compliance auditing of subject matter, both qualitative and quantitative, that varies widely in scope and can be addressed through a range of audit approaches and reporting formats.

5) ISSAI 400 provides SAIs with a basis for the adoption or development of standards on compliance auditing. The principles in ISSAI 400 can be used in three ways:

• as a basis for the development of standards;

• as a basis for the adoption of consistent national standards;

• as a basis for adoption of the ISSAIs as the authoritative standards on compliance auditing.

6) SAIs should only make reference to the Compliance Audit Principles in audit reports – whether in the Auditor’s Report or other reporting formats – if the standards they have developed or adopted fully comply with all relevant principles of ISSAI 400. The principles in no way override national laws, regulations or mandates.

7) As the Compliance Audit Standards (ISSAIs 4000-4899) have been developed to reflect best practice, SAIs are encouraged to strive towards adopting them in full as their authoritative standards. INTOSAI recognizes that, in some environments, this might not be possible due to the absence of basic administrative structures or because laws or regulations do not establish the premises for carrying out audits in accordance with the Compliance Audit Standards. Where this is the case, SAIs have the option of developing standards based on, or adopting national standards consistent with, the Compliance Audit Principles.

¹ ISSAI 400 and ISSAIs 4000-4899

8) Where an SAI’s auditing standards are based on or consistent with the Compliance Audit Principles, these may be referred to by stating:

… We conducted our audit[s] in accordance with [standards], which are based on [or consistent with] ISSAI 100 Fundamental Principles of Public-Sector Auditing and ISSAI 400 Compliance Audit Principles of the International Standards of Supreme Audit Institutions.

9) SAIs in some jurisdictions may choose to adopt the Compliance Audit Standards as the authoritative standards for their work. In this case, reference may be made by stating:

… We conducted our [compliance] audit[s] in accordance with the International Standards of Supreme Audit Institutions [on compliance auditing].

The reference may be included in the audit report or communicated by the SAI in a more general form covering a defined range of engagements.

Depending on their mandate, SAIs may conduct combined audits incorporating financial, compliance and/or performance aspects. In such cases the standards relevant to each audit type should be complied with. The statement of standards applied in the audit (paragraph 8 or 9 above) may need to be adjusted in accordance with ISSAI 100, paragraph 9 or 10.

10) ISSAI 100 - Fundamental Principles of Public-Sector Auditing gives further information on the authority attached to the INTOSAI Fundamental Principles.

11) When the ISSAIs are used as the authoritative standards for a compliance audit conducted together with an audit of financial statements, the public-sector auditors should respect the authority of the compliance audit standards (ISSAIs 4000-4899) as well as the financial audit standards (ISSAIs 2000-2899).


FRAMEWORK FOR COMPLIANCE AUDITING

THE OBJECTIVE OF COMPLIANCE AUDITING

12) Compliance auditing is the independent assessment of whether a given subject matter is in compliance with applicable authorities² identified as criteria. Compliance audits are carried out by assessing whether activities, financial transactions and information comply, in all material respects, with the authorities which govern the audited entity.

13) The objective of public-sector compliance auditing, therefore, is to enable the SAI to assess whether the activities of public-sector entities are in accordance with the authorities governing those entities. This involves reporting on the degree to which the audited entity complies with established criteria. Reporting may vary between brief standardised opinions and various forms of conclusions, presented in short or long form. Compliance auditing may be concerned with regularity (adherence to formal criteria such as relevant laws, regulations and agreements) or with propriety (observance of the general principles governing sound financial management and the conduct of public officials). While regularity is the main focus of compliance auditing, propriety may also be pertinent given the public-sector context, in which there are certain expectations concerning financial management and the conduct of officials. Depending on the mandate of the SAI, the audit scope may therefore include aspects of propriety.³

² See paragraphs 28-29 on the concept of authorities.

³ See paragraph 32.


14) Compliance auditing may also lead SAIs with jurisdictional powers to pronounce judgments and sanctions on those responsible for managing public funds. Some SAIs are mandated to refer facts liable to criminal prosecution to the judicial authorities. In this context, the objective of the compliance audit may be extended, and the auditor should take due account of the relevant specific requirements when devising the audit strategy or planning and throughout the audit process.

CHARACTERISTICS OF COMPLIANCE AUDITING

15) Compliance auditing may cover a wide range of subject matter and can be performed to provide either reasonable or limited assurance, using several types of criteria, evidence-gathering procedures and reporting formats. Compliance audits may be attestation or direct reporting engagements, or both at once. The audit report may be either long- or short-form, and conclusions may be expressed in various ways: as a single clear written statement of opinion on compliance or as a more elaborate answer to specific audit questions.

16) Compliance auditing is often an integral part of an SAI’s mandate for the audit of public-sector entities. This is because legislation and other authorities are the primary means by which legislatures exercise control of income and expenditure, management and the rights of citizens to due process in their relations with the public sector. Public-sector entities are entrusted with the sound management of public funds. It is the responsibility of public-sector bodies and their appointed officials to be transparent about their actions and accountable to citizens for the funds with which they are entrusted, and to exercise good governance over those funds.

17) Compliance auditing promotes transparency by providing reliable reports as to whether funds have been administered, management exercised and citizens’ rights to due process honoured as required by the applicable authorities. It promotes accountability by reporting deviations from and violations of authorities, so that corrective action may be taken and those accountable may be held responsible for their actions. It promotes good governance both by identifying weaknesses and deviations from laws and regulations and by assessing propriety where there are insufficient or inadequate laws and regulations. Fraud and corruption are, by their very nature, elements which counteract transparency, accountability and good stewardship. Compliance auditing therefore promotes good governance in the public sector by considering the risk of fraud in relation to compliance.

18) Depending on the organisational structure of the public sector and the mandate of the SAI, compliance auditing may cover all levels of government: central, regional and local. Compliance audits of private entities are also possible, focusing, for revenue, on taxpayers and, for expenditure, on those involved in the management of public property or services, for instance through partnership arrangements or as recipients of public grants or subsidies.

19) In certain countries the SAI is a court, composed of judges, with authority over State accountants and other public officials who must render account to it. This jurisdictional function requires the SAI to ensure that whoever is charged with governance over public funds is held accountable for those funds and, in this regard, is subject to its jurisdiction. There exists an important complementary relationship between this jurisdictional authority and the characteristics of compliance auditing. This may entail additional requirements for auditors operating in an environment with a judicial role, such as a court of accounts.

THE DIFFERENT PERSPECTIVES OF COMPLIANCE AUDITING

20) Compliance auditing can be part of a combined audit that may also include other aspects. Though other possibilities exist, compliance auditing is generally conducted either:

• in relation with the audit of financial statements or

• separately or

• in combination with performance auditing.


» Compliance auditing in relation with the audit of financial statements

21) The legislature, as an element of public democratic process, establishes the priorities for public-sector income and expenditure and for the calculation and attribution of expenditure and income. The underlying premises of legislative bodies, and the decisions they take, are the source of the authorities governing cash flow in the public sector. Compliance with those authorities constitutes a broader perspective alongside the audit of financial statements in budgetary execution.

22) The audit of compliance with relevant authorities is often an important part of the mandate of an SAI, where it is combined with the audit of financial statements as part of reporting on the execution of public budgets.

23) Laws and regulations are important both in compliance auditing and in the audit of financial statements. Which laws and regulations apply in each field will depend on the audit objective. Compliance auditing is the independent assessment of whether a given subject matter is in compliance with applicable authorities identified as criteria; it focuses on obtaining sufficient and appropriate evidence regarding compliance with those criteria. The audit of financial statements seeks to ascertain whether the financial statements of the entity concerned were prepared in accordance with an acceptable financial reporting framework and to obtain sufficient and appropriate audit evidence regarding the laws and regulations that have a direct and material effect on the financial statements.⁴ Whereas, in the audit of financial statements, only those laws and regulations with a direct and material effect on the financial statement are relevant, in compliance auditing any laws and regulations relevant to the subject matter may be relevant for the audit.

24) (This paragraph has been deleted)

⁴ Cf. ISSAI 2250.


» Compliance auditing conducted separately

25) Compliance audits may also be planned, performed and reported on separately from the audit of financial statements and from performance audits. Compliance audits may be conducted separately on a regular or an ad hoc basis, as distinct and clearly-defined audits each related to a specific subject matter.

» Compliance auditing in combination with performance auditing

26) When compliance auditing is part of a performance audit, compliance is seen as one of the aspects of economy, efficiency and effectiveness. Non-compliance may be the cause of, an explanation for, or a consequence of, the state of the activities that are the subject of the performance audit. In combined audits of this kind, auditors should use their professional judgement to decide whether performance or compliance is the primary focus of the audit, and whether to apply the ISSAIs on performance auditing, compliance auditing or both.


ELEMENTS OF COMPLIANCE AUDITING


27) The elements of public-sector auditing are described in ISSAI 100. This section outlines additional aspects of the elements relevant to compliance auditing, which should be identified by the auditor before commencing the audit.

AUTHORITIES AND CRITERIA

28) Authorities are the most fundamental element of compliance auditing, since the structure and content of authorities furnish the audit criteria and therefore form the basis of how the audit is to proceed under a specific constitutional arrangement.

29) Authorities may include rules, laws and regulations, budgetary resolutions, policy, established codes, agreed terms or the general principles governing sound public-sector financial management and the conduct of public officials. Most authorities originate in the basic premises and decisions of the national legislature, but they may be issued at a lower level in the organisational structure of the public sector.

30) Because of the variety of possible authorities, they may have mutually conflicting provisions and be subject to differing interpretations. In addition, subordinate authorities may not be consistent with the requirements or limits of the enabling legislation, and there may be legislative gaps. As a result, to assess compliance with authorities in the public sector it is necessary to have sufficient knowledge of the structure and content of the authorities themselves. This is of particular importance when it comes to identifying the audit criteria, as the sources of the criteria may themselves feature in the audit, both when determining the audit scope and when drawing up the audit findings.

31) Criteria are the benchmarks used to evaluate or measure the subject matter consistently and reasonably. The auditor identifies criteria on the basis of the relevant authorities. To be suitable, compliance audit criteria must be relevant, reliable, complete, objective, understandable, comparable, acceptable and available. Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding.

32) Compliance auditing generally comprises the assessment of compliance with formal criteria, such as authorising legislation, regulations issued under framework legislation and other relevant laws, regulations and agreements, including budgetary laws (regularity). Where formal criteria are absent or there are obvious shortcomings in the legislation concerning their application, audits may also examine compliance with the general principles governing sound financial management and the conduct of public officials (propriety). Suitable criteria are needed both in audits focusing on regularity and in audits focusing on propriety. Suitable criteria for a compliance audit of propriety will be either generally-accepted principles or national or international best practice. In some cases they may be uncodified, implicit or based on overriding principles of law.

SUBJECT MATTER

33) The subject matter of a compliance audit is defined in the scope of the audit. It may take the form of activities, financial transactions or information. For attestation engagements on compliance it is more relevant to identify the subject matter information, which may be a statement of compliance prepared in accordance with an established and standardised reporting framework.

34) The subject matter depends on the mandate of the SAI, the relevant authorities and the scope of the audit. Hence the content and scope of compliance audit subject matter can vary widely. The subject matter of an audit may be either general or specific. Some types of subject matter are quantitative and, often, easily measured (for example payments which do not satisfy certain conditions), while others are qualitative and more subjective in nature (for example behaviour or adherence to procedural requirements).

THE THREE PARTIES IN COMPLIANCE AUDITING

35) Compliance auditing is based on a three-party relationship in which the auditor aims to obtain sufficient appropriate audit evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the measurement or evaluation of a subject matter against criteria.

36) In compliance auditing the responsibility of the auditor is to identify the elements of the audit, assess whether a particular subject matter is compliant with the established criteria and issue a compliance audit report.

37) The responsible party is the executive branch of government and/or its underlying hierarchy of public officials and entities responsible for the management of public funds and the exercise of authority under the control of the legislature. The responsible party in compliance auditing is responsible for the subject matter of the audit.

38) The intended users are the individuals, organizations or classes thereof for whom the auditor prepares the audit report. In compliance auditing the users generally include the legislature as representatives of the people, who are the ultimate users of compliance audit reports. The legislature makes decisions and sets priorities concerning the calculation and purpose of public-sector expenditure and income. The primary user in compliance auditing is often the entity that issued the authorities identified as audit criteria.

39) The relationship between the three parties should be viewed in the context of each audit and may be different in direct reporting as opposed to attestation engagements. The definition of the three parties may also vary according to the public-sector entities involved.


ASSURANCE IN COMPLIANCE AUDITING

40) An auditor performs procedures to reduce or manage the risk of providing incorrect conclusions, recognising that, owing to the inherent limitations in all audits, no audit can ever provide absolute assurance of the condition of the subject matter. This should be communicated in a transparent way. In most cases, a compliance audit will not cover all elements of the subject matter but will rely on a degree of qualitative or quantitative sampling.

41) Compliance auditing carried out by obtaining assurance enhances the confidence of the intended users in the information provided by the auditor or another party.

In compliance auditing there are two levels of assurance: reasonable assurance, conveying that, in the auditor’s opinion, the subject matter is or is not in compliance, in all material respects, with the stated criteria; and limited assurance, conveying that nothing has come to the auditor’s attention to cause him/her to believe that the subject matter is not compliant with the criteria. Both reasonable and limited assurance are possible in both direct reporting and attestation engagements in compliance auditing.


PRINCIPLES OF PERFORMANCE AUDITING

42) A compliance audit is a systematic process of objectively obtaining and evaluating evidence as to whether a given subject matter is in compliance with applicable authorities identified as criteria. The principles below are fundamental to the conduct of a compliance audit. The nature of the audit is iterative and cumulative, but for the purposes of presentation this section is divided into principles that the auditor should consider prior to commencement and at more than one point during the audit process (general principles) and those related to steps in the audit process itself.

GENERAL PRINCIPLES

» Professional judgement and scepticism

43) Auditors should plan and conduct the audit with professional scepticism and exercise professional judgement throughout the audit process.

The terms “professional scepticism” and “professional judgement” are relevant when formulating requirements regarding the auditor’s decisions about the appropriate course of action. They express the attitude of the auditor, which must include a questioning mind.

The auditor must apply professional judgement at all stages of the audit process. The concept refers to the application of relevant training, knowledge and experience, within the context provided by auditing standards, so that informed decisions can be made about the courses of action that are appropriate given the circumstances of the audit.

The concept of professional scepticism is fundamental to all audits. The auditor should plan and conduct the audit with an attitude of professional scepticism, recognising that certain circumstances may cause the subject matter to diverge from the criteria. An attitude of professional scepticism means the auditor making a critical assessment, with a questioning mind, of the sufficiency and appropriateness of evidence obtained throughout the audit.

Professional judgement and scepticism are used throughout the compliance audit process to assess the elements of the audit, the subject matter, suitable criteria, the audit scope, risk, materiality and the audit procedures to be used in response to the defined risks. The two concepts are also used in the evaluation of evidence and instances of non-compliance, in reporting and in determining the form, content and frequency of communication throughout the audit. Specific requirements for maintaining professional judgement and scepticism in compliance auditing are the ability to analyse the structure and content of public authorities as a basis for identifying suitable criteria or gaps in legislation, in the event that laws and regulations are entirely or partially lacking, and to apply professional audit concepts in the approach to known and unknown subject matter. The auditor should be capable of appraising a variety of types of audit evidence by their source and relevance to the audit scope and subject matter, and of evaluating the sufficiency and appropriateness of all evidence obtained during the audit.

» Quality control

44) Auditors should take responsibility for the overall quality of the audit.

The auditor is responsible for the performance of the audit and should implement quality control procedures throughout the audit process. Such procedures should be aimed at ensuring that the audit complies with the applicable standards and that the audit report, conclusion or opinion is appropriate given the circumstances.


» Audit team management and skills

45) Auditors should have access to the necessary skills.

The individuals in the audit team should collectively possess the knowledge, skills and expertise necessary to successfully complete the audit. This includes an understanding and practical experience of the type of audit being undertaken, familiarity with the applicable standards and authorities, an understanding of the audited entity’s operations and the ability and experience to exercise professional judgement. Common to all audits is the need to recruit personnel with suitable qualifications, offer staff development and training, prepare manuals and other written guidance and instructions concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain their professional competence through ongoing professional development.

Audits may require specialised techniques, methods or skills from disciplines not available within the SAI. External experts may be used in different ways, e.g. to provide knowledge or conduct specific work. Auditors should evaluate whether experts have the necessary competence, capabilities and objectivity and determine whether their work is adequate for the purposes of the audit.

» Audit risk

46) Auditors should consider audit risk throughout the audit process.

Audits should be conducted in such a way as to manage, or reduce the audit risk to an acceptable level. The audit risk is the risk that the audit report – or more specifically the auditor’s conclusion or opinion – will be inappropriate in the circumstances of the audit.

Consideration of audit risk is relevant in both attestation and direct engagements. The auditor should consider three different dimensions of audit risk – inherent risk, control risk and detection risk – in relation to the subject matter and the reporting format, i.e. whether the subject matter is quantitative or qualitative and whether the audit report is to include an opinion or a conclusion. The relative significance of these dimensions of audit risk depends on the nature of the subject matter, whether the audit is to provide reasonable or limited assurance and whether it is a direct reporting or an attestation engagement.

» Materiality

47) Auditors should consider materiality throughout the audit process.

Determining materiality is a matter of professional judgement and depends on the auditor’s interpretation of the users’ needs. A matter can be judged material if knowledge of it would be likely to influence the decisions of the intended users. This judgement may relate to an individual item or to a group of items taken together. Materiality is often considered in terms of value, but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs.

As stated above, materiality in compliance auditing has both quantitative and qualitative aspects, although the qualitative aspects generally play a greater role in the public sector. Materiality should be considered for the purposes of planning, evaluating the evidence obtained and reporting. An essential part of determining materiality is to consider whether reported cases of compliance or non-compliance (potential or confirmed) could reasonably be expected to influence decisions by the intended users. Factors to be considered within this judgment assessment are mandated requirements, public interest or expectations, specific areas of legislative focus, requests and significant funding. Issues at a lower level of value or incidence than the general determination of materiality, such as fraud, may also be considered material. The assessment of materiality requires comprehensive professional judgement on the part of the auditor and is related to the audit scope.


» Documentation

48) Auditors should prepare sufficient audit documentation.

Documentation should be prepared at the appropriate time and should provide a clear understanding of the criteria used, the scope of the audit, the judgments made, the evidence obtained and the conclusions reached. Documentation should be sufficiently detailed to enable an experienced auditor, with no prior knowledge of the audit, to understand the following: the relationship between the subject matter, the criteria, the audit scope, the risk assessment, the audit strategy and audit plan and the nature, timing, extent and results of the procedures performed; the evidence obtained in support of the auditor’s conclusion or opinion; the reasoning behind all significant matters that required the exercise of professional judgement; and the related conclusions. The auditor should prepare relevant audit documentation before the audit report is issued, and the documentation should be retained for an appropriate period of time.

» Communication

49) Auditors should maintain effective communication throughout the audit process.

Communication takes place at all audit stages: before the audit starts, during initial planning, during the audit proper, and at the reporting phase. Any significant difficulties encountered during the audit, as well as instances of material non-compliance, should be communicated to the appropriate level of management or those charged with governance. The auditor should also inform the responsible party of the audit criteria.

PRINCIPLES RELATED TO THE AUDIT PROCESS

» Planning and designing a compliance audit

Audit scope

50) Auditors should determine the audit scope.

Where the SAI’s mandate or the applicable legislation does not prescribe the scope of the audit, this should be decided by the auditor. The audit scope is a clear statement of the focus, extent and limits of the audit in terms of the subject matter’s compliance with the criteria. The scoping of an audit is influenced by materiality and risk, and it determines which authorities and parts thereof will be covered. The audit process as a whole should be designed to cover the entire audit scope.

Subject matter and criteria

51) Auditors should identify the subject matter and suitable criteria.

Determination of the subject matter and criteria is one of the first steps in a compliance audit. The subject matter and criteria may be laid down by law or in the mandate of the SAI. Alternatively, it may be identified by the auditor. For attestation engagements it may also be relevant to identify the subject matter information presented by the responsible party concerning the compliance of a given subject matter with certain criteria.

The subject matter may take many forms and have a variety of characteristics. When identifying the subject matter, the auditor should employ professional judgement and scepticism to analyse the audited entity and assess materiality and risk.

The subject matter should be identifiable, and it should be possible to assess it against suitable criteria. It should be of such a nature that it enables sufficient and appropriate audit evidence to be gathered in support of the audit report, conclusion or opinion.

The auditor should identify suitable criteria to provide a basis for evaluating the audit evidence and developing audit findings and conclusions. The criteria should be made available to the intended users and others as appropriate. They should also be communicated to the responsible party.

Understanding the entity

52) Auditors should understand the audited entity in the light of the relevant authorities.

Compliance auditing may cover all levels of the executive and can include various administrative levels, types of entities and combinations of entities. The auditor should therefore be familiar with the structure and operations of the audited entity and its procedures for achieving compliance. The auditor will use this knowledge to determine materiality and assess the risk of non-compliance.

Understanding internal controls and the control environment

53) Auditors should understand the control environment and the relevant internal controls and consider whether they are likely to ensure compliance.

An understanding of the audited entity and/or the subject matter relevant to the audit scope depends on the auditor’s knowledge of the control environment. The control environment is the culture of honesty and ethical behaviour that provides the foundation for the system of internal controls to ensure compliance with the authorities. In compliance auditing, a control environment that focuses on achieving compliance is of particular importance.

In order to understand the audited entity or the subject matter, the auditor also needs to understand the system of internal controls. The particular type of controls which the auditor focuses on will depend on the subject matter and the specific nature and scope of the audit. As the subject matter may be qualitative or quantitative, the auditor will focus on quantitative or qualitative internal controls, or a combination thereof, according to the audit scope. In evaluating internal controls, the auditor assesses the risk that they may not prevent or detect material instances of non-compliance. The auditor should consider whether the internal controls are in harmony with the control environment so as to ensure compliance with the authorities in all material respects.

Risk assessment

54) Auditors should perform a risk assessment to identify risks of non-compliance.

In the light of the audit criteria, the audit scope and the characteristics of the audited entity, the auditor should perform a risk assessment to determine the nature, timing and extent of the audit procedures to be performed. In this the auditor should consider the risks that the subject matter will not comply with the criteria. Non-compliance may arise due to fraud, error, the inherent nature of the subject matter and/or the circumstances of the audit. The identification of risks of non-compliance and their potential impact on the audit procedures should be considered throughout the audit process. As part of the risk assessment, the auditor should evaluate any known instances of non-compliance in order to determine whether they are material.

Risk of fraud

55) Auditors should consider the risk of fraud.

If the auditor comes across instances of non-compliance which may be indicative of fraud, he or she should exercise due professional care and caution so as not to interfere with any future legal proceedings or investigations.

Fraud in compliance auditing relates mainly to the abuse of public authority, but also to fraudulent reporting on compliance issues. Instances of non-compliance with authorities may constitute deliberate misuse of public authority for improper benefit. The execution of public authority includes decisions, non-decisions, preparatory work, advice, information handling and other acts in the public service. Improper benefits are advantages of a non-economic or economic nature gained by an intentional act by one or more individuals among management, those charged with governance, employees or third parties.

While detecting fraud is not the main objective of compliance audit, auditors should include fraud risk factors in their risk assessments and remain alert to indications of fraud when carrying out their work.

Audit strategy and audit plan

56) Auditors should develop an audit strategy and an audit plan.

Audit planning should involve discussion between members of the audit team with a view to developing an overall audit strategy and an audit plan. The purpose of the audit strategy is to devise an effective response to the risk of non-compliance. It should include consideration of the planned audit responses to specific risks through the development of an audit plan. Both the audit strategy and the audit plan should be documented in writing. Planning is not a distinct phase of the audit, but a continuous and iterative process.

» Audit evidence

57) Auditors should gather sufficient appropriate audit evidence to cover the audit scope.

The auditor should gather sufficient and appropriate audit evidence to provide the basis for the conclusion or opinion. Sufficiency is a measure of the quantity of evidence, while appropriateness relates to the quality of evidence – its relevance, validity and reliability. The quantity of evidence required depends on the audit risk (the greater the risk, the more evidence is likely to be required) and on the quality of such evidence (the higher the quality, the less may be required). Accordingly, the sufficiency and appropriateness of evidence are interrelated. However, merely obtaining more evidence does not compensate for its poor quality. The reliability of evidence is influenced by its source and nature, and is dependent on the specific circumstances in which it was obtained. The auditor should consider both the relevance and the reliability of the information to be used as audit evidence, and must respect the confidentiality of all audit evidence and information received.

The audit procedures should be appropriate in the circumstances of the audit and suited to the purpose of obtaining sufficient and appropriate audit evidence. The nature and sources of the necessary audit evidence are determined by the criteria, the subject matter and the scope of the audit. As the subject matter may be qualitative or quantitative, the auditor will focus on quantitative or qualitative audit evidence, or a combination thereof, according to the audit scope. Compliance auditing thus includes a variety of procedures for gathering evidence of both a quantitative and a qualitative nature.

The compliance auditor will often need to combine and compare evidence from different sources in order to meet the requirements for sufficiency and appropriateness.

» Evaluating audit evidence and forming conclusions

58) Auditors should evaluate whether sufficient and appropriate audit evidence has been obtained and form relevant conclusions.

After completing the audit proper the auditor will review the audit evidence in order to reach a conclusion or issue an opinion. The auditor should evaluate whether the evidence obtained is sufficient and appropriate so as to reduce the audit risk to an acceptably low level. The evaluation process entails considering evidence that both supports and seems to contradict the audit report, conclusion or opinion on compliance or non-compliance. It also includes considerations of materiality. After evaluating whether the evidence is sufficient and appropriate given the assurance level of the audit, the auditor should consider how best to conclude in the light of the evidence.

If audit evidence obtained from one source is inconsistent with that obtained from another, or if there are any doubts about the reliability of the information to be used as evidence, the auditor should determine what modifications or additions to the audit procedures would resolve the matter and consider the implications, if any, for other aspects of the audit.

After completing the audit, the auditor will review the audit documentation to determine whether the subject matter has been sufficiently and appropriately examined. The auditor should also determine whether the risk assessment and initial determination of materiality were appropriate in the light of the evidence collected, or whether they need to be revised.

» Reporting

59) Auditors should prepare a report based on the principles of completeness, objectivity, timeliness and a contradictory process.

The principle of completeness requires the auditor to consider all relevant audit evidence before issuing a report. The principle of objectivity requires the auditor to apply professional judgement and scepticism in order to ensure that all reports are factually correct and that findings or conclusions are presented in a relevant and balanced manner. The principle of timeliness implies preparing the report in due time. The principle of a contradictory process implies checking the accuracy of facts with the audited entity and incorporating responses from responsible officials as appropriate. In both form and content, a compliance audit report should conform to all these principles.

The forms of reporting may be defined in law or by the mandate of the SAI. Nonetheless, the audit report normally contains a conclusion based on the audit work performed. The report may also provide constructive and practical recommendations for improvement where appropriate. In an attestation engagement the report is generally referred to as the Auditor’s Report.

Reporting may vary between brief standardised opinions and various forms of conclusions, presented in short or long form. However it appears, the report should be complete, accurate, objective, convincing and as clear and concise as the subject matter permits. Any limitations in the audit scope should be described. The report should clearly state the relevance of the criteria used and the level of assurance provided.

The conclusion may take the form of a clear written statement of opinion on compliance, often in addition to the opinion on the financial statements. It may also be expressed as a more elaborate answer to specific audit questions. While an opinion is common in attestation engagements, the answering of specific audit questions is more often used in direct reporting engagements. Where an opinion is provided the auditor should state whether it is unmodified or has been modified on the basis of the evaluation of materiality and pervasiveness. Delivering an opinion would normally require a more elaborate audit strategy and approach.

Compliance audit reports should include the following elements (although not necessarily in this order):

1. Title
2. Addressee
3. Scope of the audit, including the time period covered
4. Identification or description of the subject matter
5. Identified criteria
6. Identification of the auditing standards applied in performing the work
7. A summary of the work performed
8. Findings
9. A conclusion/opinion
10. Replies from the audited entity (as appropriate)
11. Recommendations (as appropriate)
12. Report date
13. Signature

» Follow-up

60) Auditors should follow up instances of non-compliance when appropriate.

A follow-up process facilitates the effective implementation of corrective action and provides useful feedback to the audited entity, the users of the audit report and the auditor (for future audit planning). The need to follow up previously reported instances of non-compliance will vary with the nature of the subject matter, the non-compliance identified and the particular circumstances of the audit. At some SAIs, including courts of accounts, the follow-up may include issuing legally binding reports or judicial decisions. In audits carried out on a regular basis the follow-up procedures may form part of the subsequent year’s risk assessment.