ISSAI Guidelines on Compliance Audit - Comptroller … 100 Fundamental Principles of Public Sector...


Page 1: ISSAI Guidelines on Compliance Audit - Comptroller … 100 Fundamental Principles of Public Sector Auditing The International Standards of Supreme Audit Institutions, ISSAI, are issued

Office of the Comptroller and Auditor General of Bangladesh

ISSAI Guidelines on Compliance Audit

SPEMP-B : Strengthening the Office of the Comptroller and Auditor General


Preface

Masud Ahmed, Comptroller and Auditor General of Bangladesh. Dated, Dhaka 3.11.2015

The Supreme Audit Institution of Bangladesh has always been striving to keep itself abreast of what is happening in modern auditing. INTOSAI, the global platform of the Auditors General, issues guidelines and standards which work as benchmarks for conducting government audit across the nations. After extensive research and hard work put together by member nations, INTOSAI published International Standards of Supreme Audit Institutions, commonly known as ISSAIs, in 2010.

To meet country specific requirements, SAI Bangladesh has its own audit codes and standards. The ‘Audit Code’, ‘Government Auditing Standards’ and ‘Code of Ethics for Government Auditors’ were published as per the best international practices prevailing at the time of issue. The ISSAIs came into audit domain later on. So, Audit Codes and Standards need to be updated in line with ISSAIs. The SAI Bangladesh is working in that direction.

Through the project titled “Strengthening Public Expenditure Management Program” (SPEMP-B), a good number of ISSAI-based financial, compliance and performance audits had been conducted on a pilot basis. The audit reports were highly appreciated by the executives and other stakeholders. These audits were administered by respective audit directorates with active cooperation from national and international consultants of SPEMP-B.

The ISSAI-based audits have shown performance excellence which needs to be mainstreamed in the Audit Directorates. Formal instructions have been issued to audit directorates to replicate ISSAI-based audit done under the said project. ISSAI-based Audit Manuals are also being finalized which, if made available in handy form to the auditors, would enable them to conduct field audit smoothly and skillfully.

The present compilation of ISSAIs is issued as “Compliance Audit Guidelines” to be followed by Bengali translation. During application of the ISSAIs if any error or omission is noticed, the matter may please be intimated to the Office of the Comptroller and Auditor General of Bangladesh.


Table of Contents

01 ISSAI 100: Fundamental Principles of Public Sector Auditing

02 ISSAI 400: Fundamental Principles of Compliance Auditing

03 ISSAI 4000: Compliance Audit Guidelines – General Introduction

04 ISSAI 4100: Compliance Audit Guidelines – For Audits Performed Separately from the Audit of Financial Statements

05 ISSAI 4200: Compliance Audit Guidelines – Compliance Audit Related to the Audit of Financial Statements

06 ISSAI 5010: Guidance for Supreme Audit Institutions


ISSAI 100 Fundamental Principles of Public Sector Auditing

The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org


Table of contents of ISSAI 100

INTRODUCTION
• Purpose and authority of the ISSAIs

FRAMEWORK FOR PUBLIC SECTOR AUDITING
• Mandate
• Public sector auditing and its objectives
• Types of public sector audit

ELEMENTS OF PUBLIC SECTOR AUDITING
• The three parties
• Subject matter, criteria and subject matter information
• Types of engagement
• Confidence and assurance in public sector auditing
  • The need for confidence and assurance
  • Forms of providing assurance
  • Levels of assurance

PRINCIPLES OF PUBLIC SECTOR AUDITING
• Organisational requirements
• General principles
  • Ethics and independence
  • Professional judgment, due care and skepticism
  • Quality control
  • Audit team management and skills
  • Audit risk
  • Materiality
  • Documentation
  • Communication

PRINCIPLES RELATED TO THE AUDIT PROCESS
• Planning an audit
• Conducting an audit
• Reporting and follow-up


INTRODUCTION

1. Professional standards and guidelines are essential for the credibility, quality and professionalism of public sector auditing. The International Standards of Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) aim to promote independent and effective auditing by Supreme Audit Institutions (SAIs).

2. The ISSAIs encompass public sector auditing requirements at the organisational (SAI) level, while on the level of individual audits they aim to support the members of INTOSAI in the development of their own professional approach in accordance with their mandates and with national laws and regulations.

3. INTOSAI’s Framework of Professional Standards has four levels. Level 1 contains the framework’s founding principles. Level 2 (ISSAIs 10-99) sets out prerequisites for the proper functioning and professional conduct of SAIs in terms of organisational considerations that include independence, transparency and accountability, ethics and quality control, which are relevant for all SAI audits. Levels 3 and 4 address the conduct of individual audits and include generally recognised professional principles that underpin the effective and independent auditing of public sector entities.

4. The Fundamental Auditing Principles at level 3 (ISSAIs 100-999) draw and elaborate on ISSAI 1 – The Lima Declaration and the ISSAIs at level 2 and provide an authoritative international frame of reference defining public sector auditing.

5. Level 4 translates the Fundamental Auditing Principles into more specific and detailed operational guidelines that can be used on a daily basis in the conduct of an audit and as auditing standards when national auditing standards have not been developed. This level comprises General Auditing Guidelines (ISSAIs 1000-4999) which set the requirements for financial, performance and compliance auditing.

6. ISSAI 100 – Fundamental Principles of Public Sector Auditing provides detailed information on:

• the purpose and authority of the ISSAIs;

• the framework for public sector auditing;

• the elements of public sector auditing;

• the principles to be applied in public sector auditing.

PURPOSE AND AUTHORITY OF THE ISSAIs

7. ISSAI 100 establishes fundamental principles which are applicable to all public sector audit engagements, irrespective of their form or context. ISSAIs 200, 300 and 400 build on and further develop the principles to be applied in the context of financial, performance and compliance auditing respectively. They should be applied in conjunction with the principles set out in ISSAI 100. The principles in no way override national laws, regulations or mandates or prevent SAIs from carrying out investigations, reviews or other engagements which are not specifically covered by the existing ISSAIs.


8. The Fundamental Auditing Principles form the core of the General Auditing Guidelines at level 4 of the ISSAI framework. The principles can be used to establish authoritative standards in three ways:

• as a basis on which SAIs can develop standards;

• as a basis for the adoption of consistent national standards;

• as a basis for adoption of the General Auditing Guidelines as standards.

SAIs may choose to compile a single standard-setting document, a series of such documents or a combination of standard-setting and other authoritative documents.

SAIs should declare which standards they apply when conducting audits, and this declaration should be accessible to users of the SAI’s reports. Where the standards are based on several sources taken together, this should also be stated. SAIs are encouraged to make such declarations part of their audit reports; however, a more general form of communication may be used.

9. An SAI may declare that the standards it has developed or adopted are based on or are consistent with the Fundamental Auditing Principles only if the standards fully comply with all relevant principles.

Audit reports may include a reference to the fact that the standards used were based on or consistent with the ISSAI or ISSAIs relevant to the audit work carried out. Such reference may be made by stating:

… We conducted our audit in accordance with [standards], which are based on [or consistent with] the Fundamental Auditing Principles (ISSAIs 100-999) of the International Standards of Supreme Audit Institutions.

In order to properly adopt or develop auditing standards based on the Fundamental Auditing Principles, an understanding of the entire text of the principles is necessary. To achieve this, it may be helpful to consult the relevant guidance in the General Auditing Guidelines.

10. SAIs may choose to adopt the General Auditing Guidelines as their authoritative standards. In such cases the auditor must comply with all ISSAIs relevant to the audit. Reference to the ISSAIs applied may be made by stating:

… We conducted our audit[s] in accordance with the International Standards of Supreme Audit Institutions.

In order to enhance transparency, the statement may further specify which ISSAI or range of ISSAIs the auditor has considered relevant and applied. This may be done by adding the following phrase:


The audit[s] was [were] based on ISSAI[s] xxx [number and name of the ISSAI or range of ISSAIs].

11. The International Standards on Auditing (ISAs) issued by the International Federation of Accountants (IFAC) are incorporated into the financial audit guidelines (ISSAIs 1000-2999). In financial audits reference may therefore be made either to the ISSAIs or to the ISAs. The ISSAIs provide additional public-sector guidance (‘Practice Notes’), but the requirements of the auditor in financial audits are the same. The ISAs constitute an indivisible set of standards and the ISSAIs in which they are incorporated may not be referred to individually. If the ISSAIs or the ISAs have been adopted as the SAI’s standards for financial audits, the auditor’s report should include a reference to those standards. This applies equally to financial audits conducted in combination with other types of audit.

12. Audits may be conducted in accordance with both the General Auditing Guidelines and standards from other sources provided that no contradictions arise. In such cases reference should be made both to such standards and to the ISSAIs.

FRAMEWORK FOR PUBLIC SECTOR AUDITING

Mandate

13. An SAI will exercise its public sector audit function within a specific constitutional arrangement and by virtue of its office and mandate, which ensure sufficient independence and power of discretion in performing its duties. The mandate of an SAI may define its general responsibilities in the field of public sector auditing and provide further prescriptions concerning the audits and other engagements to be performed.

14. SAIs may be mandated to perform many types of engagements on any subject of relevance to the responsibilities of management and those charged with governance and the appropriate use of public funds and assets. The extent or form of these engagements and the reporting thereon will vary according to the legislated mandate of the SAI concerned.

15. In certain countries, the SAI is a court, composed of judges, with authority over State Accountants and other public officials who must render account to it. There exists an important relationship between this jurisdictional authority and the characteristics of public sector auditing. The jurisdictional function requires the SAI to ensure that whoever is charged with dealing with public funds is held accountable and, in this regard, is subject to its jurisdiction.

16. An SAI may make strategic decisions in order to respond to the requirements in its mandate and other legislative requirements. Such decisions may include which auditing standards are applicable, which engagements will be conducted and how they will be prioritised.


Public sector auditing and its objectives

17. The public sector audit environment is that in which governments and other public-sector entities exercise responsibility for the use of resources derived from taxation and other sources in the delivery of services to citizens and other recipients. These entities are accountable for their management and performance, and for the use of resources, both to those that provide the resources and to those, including citizens, who depend on the services delivered using those resources. Public-sector auditing helps to create suitable conditions and reinforce the expectation that public-sector entities and public servants will perform their functions effectively, efficiently, ethically and in accordance with the applicable laws and regulations.

18. In general public sector auditing can be described as a systematic process of objectively obtaining and evaluating evidence to determine whether information or actual conditions conform to established criteria. Public sector auditing is essential in that it provides legislative and oversight bodies, those charged with governance and the general public with information and independent and objective assessments concerning the stewardship and performance of government policies, programmes or operations.

19. SAIs serve this aim as important pillars of their national democratic systems and governance mechanisms and play an important role in enhancing public sector administration by emphasising the principles of transparency, accountability, governance and performance. ISSAI 20 – Principles of Transparency and Accountability contains guidance in this regard.

20. All public sector audits start from objectives, which may differ depending on the type of audit being conducted. However, all public sector auditing contributes to good governance by:

• providing the intended users with independent, objective and reliable information, conclusions or opinions based on sufficient and appropriate evidence relating to public entities;

• enhancing accountability and transparency, encouraging continuous improvement and sustained confidence in the appropriate use of public funds and assets and the performance of public administration;

• reinforcing the effectiveness of those bodies within the constitutional arrangement that exercise general monitoring and corrective functions over government, and those responsible for the management of publicly-funded activities;

• creating incentives for change by providing knowledge, comprehensive analysis and well-founded recommendations for improvement.

21. In general, public sector audits can be categorised into one or more of three main types: audits of financial statements, audits of compliance with authorities and performance audits. The objectives of any given audit will determine which standards apply.

Types of public sector audit

22. The three main types of public sector audit are defined as follows:

Financial audit focuses on determining whether an entity’s financial information is presented in accordance with the applicable financial reporting and regulatory framework. This is accomplished by obtaining sufficient and appropriate audit evidence to enable the auditor to express an opinion as to whether the financial information is free from material misstatement due to fraud or error.

Performance audit focuses on whether interventions, programmes and institutions are performing in accordance with the principles of economy, efficiency and effectiveness and whether there is room for improvement. Performance is examined against suitable criteria, and the causes of deviations from those criteria or other problems are analysed. The aim is to answer key audit questions and to provide recommendations for improvement.

Compliance audit focuses on whether a particular subject matter is in compliance with authorities identified as criteria. Compliance auditing is performed by assessing whether activities, financial transactions and information are, in all material respects, in compliance with the authorities which govern the audited entity. These authorities may include rules, laws and regulations, budgetary resolutions, policy, established codes, agreed terms or the general principles governing sound public-sector financial management and the conduct of public officials.

23. SAIs may carry out audits or other engagements on any subject of relevance to the responsibilities of management and those charged with governance and the appropriate use of public resources. These engagements may include reporting on the quantitative outputs and outcomes of the entity’s service delivery activities, sustainability reports, future resource requirements, adherence to internal control standards, real-time audits of projects or other matters. SAIs may also conduct combined audits incorporating financial, performance and/or compliance aspects.

ELEMENTS OF PUBLIC SECTOR AUDITING

24. Public sector auditing is indispensable for the public administration, as the management of public resources is a matter of trust. Responsibility for the management of public resources in line with intended purposes is entrusted to an entity or person who acts on behalf of the public. Public sector auditing enhances the confidence of the intended users by providing information and independent and objective assessments concerning deviations from accepted standards or principles of good governance.


All public sector audits have the same basic elements: the auditor, the responsible party, intended users (the three parties to the audit), criteria for assessing the subject matter and the resulting subject matter information. They can be categorised as two different types of audit engagement: attestation engagements and direct reporting engagements.

The three parties

25. Public sector audits involve at least three separate parties: the auditor, a responsible party and intended users. The relationship between the parties should be viewed within the context of the specific constitutional arrangements for each type of audit.

• The auditor: In public sector auditing the role of auditor is fulfilled by the Head of the SAI and by persons to whom the task of conducting the audits is delegated. The overall responsibility for public sector auditing remains as defined by the SAI’s mandate.


• The responsible party: In public sector auditing the relevant responsibilities are determined by constitutional or legislative arrangement. The responsible parties may be responsible for the subject matter information, for managing the subject matter or for addressing recommendations, and may be individuals or organisations.

• Intended users: The individuals, organisations or classes thereof for whom the auditor prepares the audit report. The intended users may be legislative or oversight bodies, those charged with governance or the general public.

Subject matter, criteria and subject matter information

26. Subject matter refers to the information, condition or activity that is measured or evaluated against certain criteria. It can take many forms and have different characteristics depending on the audit objective. An appropriate subject matter is identifiable and capable of consistent evaluation or measurement against the criteria, such that it can be subjected to procedures for gathering sufficient and appropriate audit evidence to support the audit opinion or conclusion.

27. The criteria are the benchmarks used to evaluate the subject matter. Each audit should have criteria suitable to the circumstances of that audit. In determining the suitability of criteria the auditor considers their relevance and understandability for the intended users, as well as their completeness, reliability and objectivity (neutrality, general acceptance and comparability with the criteria used in similar audits). The criteria used may depend on a range of factors, including the objectives and the type of audit. Criteria can be specific or more general, and may be drawn from various sources, including laws, regulations, standards, sound principles and best practices. They should be made available to the intended users to enable them to understand how the subject matter has been evaluated or measured.

28. Subject matter information refers to the outcome of evaluating or measuring the subject matter against the criteria. It can take many forms and have different characteristics depending on the audit objective and audit scope.

Types of engagement

29. There are two types of engagement:

• In attestation engagements the responsible party measures the subject matter against the criteria and presents the subject matter information, on which the auditor then gathers sufficient and appropriate audit evidence to provide a reasonable basis for expressing a conclusion.

• In direct reporting engagements it is the auditor who measures or evaluates the subject matter against the criteria. The auditor selects the subject matter and criteria, taking into consideration risk and materiality. The outcome of measuring the subject matter against the criteria is presented in the audit report in the form of findings, conclusions, recommendations or an opinion. The audit of the subject matter may also provide new information, analyses or insights.

30. Financial audits are always attestation engagements, as they are based on financial information presented by the responsible party. Performance audits are normally direct reporting engagements. Compliance audits may be attestation or direct reporting engagements, or both at once. The following constitute the subject matter or the subject matter information in the three types of audit covered by the ISSAIs:

• Financial audit: The subject matter of a financial audit is the financial position, performance, cash flow or other elements which are recognised, measured and presented in financial statements. The subject matter information is the financial statements.

• Performance audit: The subject matter of a performance audit is defined by the audit objectives and audit questions. The subject matter may be specific programmes, entities or funds or certain activities (with their outputs, outcomes and impacts), existing situations (including causes and consequences) as well as non-financial or financial information about any of these elements. The auditor measures or evaluates the subject matter to assess the extent to which the established criteria have or have not been met.

• Compliance audit: The subject matter of a compliance audit is defined by the scope of the audit. It may be activities, financial transactions or information. For attestation engagements on compliance it is more relevant to focus on the subject matter information, which may be a statement of compliance in accordance with an established and standardised reporting framework.


Confidence and assurance in public sector auditing

The need for confidence and assurance

31. The intended users will wish to be confident about the reliability and relevance of the information which they use as the basis for taking decisions. Audits therefore provide information based on sufficient and appropriate evidence, and auditors should perform procedures to reduce or manage the risk of reaching inappropriate conclusions. The level of assurance that can be provided to the intended user should be communicated in a transparent way. Due to inherent limitations, however, audits can never provide absolute assurance.

Forms of providing assurance

32. Depending on the audit and the users’ needs, assurance can be communicated in two ways:

• Through opinions and conclusions which explicitly convey the level of assurance. This applies to all attestation engagements and certain direct reporting engagements.

• In other forms, in some direct reporting engagements the auditor does not give an explicit statement of assurance on the subject matter. In such cases the auditor provides the users with the necessary degree of confidence by explicitly explaining how findings, criteria and conclusions were developed in a balanced and reasoned manner, and why the combinations of findings and criteria result in a certain overall conclusion or recommendation.

Levels of assurance

33. Assurance can be either reasonable or limited.

Reasonable assurance is high but not absolute. The audit conclusion is expressed positively, conveying that, in the auditor's opinion, the subject matter is or is not compliant in all material respects, or, where relevant, that the subject matter information provides a true and fair view, in accordance with the applicable criteria.

When providing limited assurance, the audit conclusion states that, based on the procedures performed, nothing has come to the auditor’s attention to cause the auditor to believe that the subject matter is not in compliance with the applicable criteria. The procedures performed in a limited assurance audit are limited compared with what is necessary to obtain reasonable assurance, but the level of assurance is expected, in the auditor's professional judgment, to be meaningful to the intended users. A limited assurance report conveys the limited nature of the assurance provided.


PRINCIPLES OF PUBLIC SECTOR AUDITING

34. The principles detailed below are fundamental to the conduct of an audit. Auditing is a cumulative and iterative process. However, for the purposes of presentation the fundamental principles are grouped by principles related to the SAI’s organisational requirements, general principles that the auditor should consider prior to commencement and at more than one point during the audit and principles related to specific steps in the audit process.

Areas covered by the principles for public sector auditing

GENERAL PRINCIPLES

• Ethics & independence
• Professional judgment, due care and skepticism
• Quality control
• Audit team management & skills
• Audit risk
• Materiality
• Documentation
• Communication

PRINCIPLES RELATED TO THE AUDIT PROCESS

Planning the audit

• Establish the terms of the audit
• Obtain understanding
• Conduct risk assessment or problem analysis
• Identify risks of fraud
• Develop an audit plan

Conducting the audit

• Perform the planned audit procedures to obtain audit evidence
• Evaluate audit evidence and draw conclusions

Reporting and follow-up

• Prepare a report based on the conclusions reached
• Follow up on reported matters as relevant


Organisational requirements

35. SAIs should establish and maintain appropriate procedures for ethics and quality control

Each SAI should establish and maintain procedures for ethics and quality control on an organisational level that will provide it with reasonable assurance that the SAI and its personnel are complying with professional standards and the applicable ethical, legal and regulatory requirements. ISSAI 30 – Code of Ethics and ISSAI 40 – Quality Control for SAIs contain guidance in this regard. The existence of these procedures at SAI level is a prerequisite for applying or developing national standards based on the Fundamental Auditing Principles.

General principles

Ethics and independence

36. Auditors should comply with the relevant ethical requirements and be independent

Ethical principles should be embodied in an auditor’s professional behaviour. The SAIs should have policies addressing ethical requirements and emphasising the need for compliance by each auditor. Auditors should remain independent so that their reports will be impartial and be seen as such by the intended users.

Auditors can find guidance on independence in the ISSAI 10 – Mexico Declaration on SAI Independence. Guidance on the key ethical principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour is provided in ISSAI 30 – Code of Ethics.

Professional judgment, due care and skepticism

37. Auditors should maintain appropriate professional behaviour by applying professional skepticism, professional judgment and due care throughout the audit

The auditor’s attitude should be characterised by professional skepticism and professional judgment, which are to be applied when forming decisions about the appropriate course of action. Auditors should exercise due care to ensure that their professional behaviour is appropriate.

Professional skepticism means maintaining professional distance and an alert and questioning attitude when assessing the sufficiency and appropriateness of evidence obtained throughout the audit. It also entails remaining open-minded and receptive to all views and arguments. Professional judgment implies the application of collective knowledge, skills and experience to the audit process. Due care means that the auditor should plan and conduct audits in a diligent manner. Auditors should avoid any conduct that might discredit their work.

Quality control

38. Auditors should perform the audit in accordance with professional standards on quality control

An SAI’s quality control policies and procedures should comply with professional standards, the aim being to ensure that audits are conducted at a consistently high level. Quality control procedures should cover matters such as the direction, review and supervision of the audit process and the need for consultation in order to reach decisions on difficult or contentious matters. Auditors can find additional guidance in ISSAI 40 – Quality Control for SAIs.

Audit team management and skills

39. Auditors should possess or have access to the necessary skills

The individuals in the audit team should collectively possess the knowledge, skills and expertise necessary to successfully complete the audit. This includes an understanding and practical experience of the type of audit being conducted, familiarity with the applicable standards and legislation, an understanding of the entity’s operations and the ability and experience to exercise professional judgment. Common to all audits is the need to recruit personnel with suitable qualifications, offer staff development and training, prepare manuals and other written guidance and instructions concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain their professional competence through ongoing professional development.

Where relevant or necessary, and in line with the SAI’s mandate and the applicable legislation, the auditor may use the work of internal auditors, other auditors or experts. The auditor’s procedures should provide a sufficient basis for using the work of others, and in all cases the auditor should obtain evidence of other auditors’ or experts’ competence and independence and the quality of the work performed. However, the SAI has sole responsibility for any audit opinion or report it might produce on the subject matter; that responsibility is not reduced by its use of work done by other parties.

The objectives of internal audit are different from those of external audit. However, both internal and external audit promote good governance through contributions to transparency and accountability for the use of public resources, as well as economy, efficiency and effectiveness in public administration. This offers opportunities for coordination and cooperation and the possibility of eliminating duplication of effort.

Some SAIs use the work of other auditors at state, provincial, regional, district or local level, or of public accounting firms that have completed audit work related to the audit objective. Arrangements should be made to ensure that any such work was carried out in accordance with public sector auditing standards. Audits may require specialised techniques, methods or skills from disciplines not available within the SAI. In such cases experts may be used to provide knowledge or carry out specific tasks or for other purposes.

Audit risk

40. Auditors should manage the risks of providing a report that is inappropriate in the circumstances of the audit

The audit risk is the risk that the audit report may be inappropriate. The auditor performs procedures to reduce or manage the risk of reaching inappropriate conclusions, recognising that the limitations inherent to all audits mean that an audit can never provide absolute certainty of the condition of the subject matter.

When the objective is to provide reasonable assurance, the auditor should reduce audit risk to an acceptably low level given the circumstances of the audit. The audit may also aim to provide limited assurance, in which case the acceptable risk that criteria are not complied with is greater than in a reasonable assurance audit. A limited assurance audit provides a level of assurance that, in the auditor’s professional judgment, will be meaningful to the intended users.

Materiality

41. Auditors should consider materiality throughout the audit process

Materiality is relevant in all audits. A matter can be judged material if knowledge of it would be likely to influence the decisions of the intended users. Determining materiality is a matter of professional judgment and depends on the auditor’s interpretation of the users’ needs. This judgment may relate to an individual item or to a group of items taken together. Materiality is often considered in terms of value, but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs.

Materiality considerations affect decisions concerning the nature, timing and extent of audit procedures and the evaluation of audit results. Considerations may include stakeholder concerns, public interest, regulatory requirements and consequences for society.

Documentation

42. Auditors should prepare audit documentation that is sufficiently detailed to provide a clear understanding of the work performed, evidence obtained and conclusions reached

Audit documentation should include an audit strategy and audit plan. It should record the procedures performed and evidence obtained and support the communicated results of the audit. Documentation should be sufficiently detailed to enable an experienced auditor, with no prior knowledge of the audit, to understand the nature, timing, scope and results of the procedures performed, the evidence obtained in support of the audit conclusions and recommendations, the reasoning behind all significant matters that required the exercise of professional judgment, and the related conclusions.

Communication

43. Auditors should establish effective communication throughout the audit process

It is essential that the audited entity be kept informed of all matters relating to the audit. This is key to developing a constructive working relationship. Communication should include obtaining information relevant to the audit and providing management and those charged with governance with timely observations and findings throughout the engagement. The auditor may also have a responsibility to communicate audit-related matters to other stakeholders, such as legislative and oversight bodies.

Principles related to the audit process

Planning an audit

44. Auditors should ensure that the terms of the audit have been clearly established

Audits may be required by statute, requested by a legislative or oversight body, initiated by the SAI or carried out by simple agreement with the audited entity. In all cases the auditor, the audited entity’s management, those charged with governance and others as applicable should reach a common formal understanding of the terms of the audit and their respective roles and responsibilities. Important information may include the subject, scope and objectives of the audit, access to data, the report that will result from the audit, the audit process, contact persons, and the roles and responsibilities of the different parties to the engagement.

45. Auditors should obtain an understanding of the nature of the entity/programme to be audited

This includes understanding the relevant objectives, operations, regulatory environment, internal controls, financial and other systems and business processes, and researching the potential sources of audit evidence. Knowledge can be obtained from regular interaction with management, those charged with governance and other relevant stakeholders. This may mean consulting experts and examining documents (including earlier studies and other sources) in order to gain a broad understanding of the subject matter to be audited and its context.


46. Auditors should conduct a risk assessment or problem analysis and revise this as necessary in response to the audit findings

The nature of the risks identified will vary according to the audit objective. The auditor should consider and assess the risk of different types of deficiencies, deviations or misstatements that may occur in relation to the subject matter. Both general and specific risks should be considered. This can be achieved through procedures that serve to obtain an understanding of the entity or programme and its environment, including the relevant internal controls. The auditor should assess the management’s response to identified risks, including its implementation and design of internal controls to address them. In a problem analysis the auditor should consider actual indications of problems or deviations from what should be or is expected. This process involves examining various problem indicators in order to define the audit objectives. The identification of risks and their impact on the audit should be considered throughout the audit process.

47. Auditors should identify and assess the risks of fraud relevant to the audit objectives

Auditors should make enquiries and perform procedures to identify and respond to the risks of fraud relevant to the audit objectives. They should maintain an attitude of professional skepticism and be alert to the possibility of fraud throughout the audit process.

48. Auditors should plan their work to ensure that the audit is conducted in an effective and efficient manner

Planning for a specific audit includes strategic and operational aspects. Strategically, planning should define the audit scope, objectives and approach. The objectives refer to what the audit is intended to accomplish. The scope relates to the subject matter and the criteria which the auditors will use to assess and report on the subject matter, and is directly related to the objectives. The approach will describe the nature and extent of the procedures to be used for gathering audit evidence. The audit should be planned to reduce audit risk to an acceptably low level.

Operationally, planning entails setting a timetable for the audit and defining the nature, timing and extent of the audit procedures. During planning, auditors should assign the members of their team as appropriate and identify other resources that may be required, such as subject experts.

Audit planning should be responsive to significant changes in circumstances and conditions. It is an iterative process that takes place throughout the audit.

Conducting an audit

49. Auditors should perform audit procedures that provide sufficient appropriate audit evidence to support the audit report


The auditor’s decisions on the nature, timing and extent of audit procedures will impact on the evidence to be obtained. The choice of procedures will depend on the risk assessment or problem analysis.

Audit evidence is any information used by the auditor to determine whether the subject matter complies with the applicable criteria. Evidence may take many forms, such as electronic and paper records of transactions, written and electronic communication with outsiders, observations by the auditor, and oral or written testimony by the audited entity. Methods of obtaining audit evidence can include inspection, observation, inquiry, confirmation, recalculation, reperformance, analytical procedures and/or other research techniques. Evidence should be both sufficient (quantity) to persuade a knowledgeable person that the findings are reasonable, and appropriate (quality) – i.e. relevant, valid and reliable. The auditor’s assessment of the evidence should be objective, fair and balanced. Preliminary findings should be communicated to and discussed with the audited entity to confirm their validity.

The auditor must respect all requirements regarding confidentiality.

50. Auditors should evaluate the audit evidence and draw conclusions

After completing the audit procedures, the auditor will review the audit documentation in order to determine whether the subject matter has been sufficiently and appropriately audited. Before drawing conclusions, the auditor reconsiders the initial assessment of risk and materiality in the light of the evidence collected and determines whether additional audit procedures need to be performed.

The auditor should evaluate the audit evidence with a view to obtaining audit findings. When evaluating the audit evidence and assessing materiality of findings the auditor should take both quantitative and qualitative factors into consideration.

Based on the findings, the auditor should exercise professional judgment to reach a conclusion on the subject matter or subject matter information.

Reporting and follow-up

51. Auditors should prepare a report based on the conclusions reached

The audit process involves preparing a report to communicate the results of the audit to stakeholders, others responsible for governance and the general public. The purpose is also to facilitate follow-up and corrective action. In some SAIs, such as courts of audit with jurisdictional authority, this may include issuing legally binding reports or judicial decisions.

Reports should be easy to understand, free from vagueness or ambiguity and complete. They should be objective and fair, only including information which is supported by sufficient and appropriate audit evidence and ensuring that findings are put into perspective and context.


The form and content of a report will depend on the nature of the audit, the intended users, the applicable standards and legal requirements. The SAI’s mandate and other relevant laws or regulations may specify the layout or wording of reports, which can appear in short form or long form.

Long-form reports generally describe in detail the audit scope, audit findings and conclusions, including potential consequences and constructive recommendations to enable remedial action.

Short-form reports are more condensed and generally in a more standardised format.

Attestation engagements

In attestation engagements the audit report may express an opinion as to whether the subject matter information is, in all material respects, free from misstatement and/or whether the subject matter complies, in all material respects, with the established criteria. In an attestation engagement the report is generally referred to as the Auditor’s Report.

Direct engagements

In direct engagements the audit report needs to state the audit objectives and describe how they were addressed in the audit. It includes findings and conclusions on the subject matter and may also include recommendations. Additional information about criteria, methodology and sources of data may also be given, and any limitations to the audit scope should be described.

The audit report should explain how the evidence obtained was used and why the resulting conclusions were drawn. This will enable it to provide the intended users with the necessary degree of confidence.

Opinion

When an audit opinion is used to convey the level of assurance, the opinion should be in a standardised format. The opinion may be unmodified or modified. An unmodified opinion is used when either limited or reasonable assurance has been obtained. A modified opinion may be:

• Qualified (except for) – where the auditor disagrees with, or is unable to obtain sufficient and appropriate audit evidence about, certain items in the subject matter which are, or could be, material but not pervasive;

• Adverse – where the auditor, having obtained sufficient and appropriate audit evidence, concludes that deviations or misstatements, whether individually or in the aggregate, are both material and pervasive;

• Disclaimed – where the auditor is unable to obtain sufficient and appropriate audit evidence due to an uncertainty or scope limitation which is both material and pervasive.

Where the opinion is modified the reasons should be put in perspective by clearly explaining, with reference to the applicable criteria, the nature and extent of the modification. Depending on the type of audit, recommendations for corrective action and any contributing internal control deficiencies may also be included in the report.

Follow-up

SAIs have a role in monitoring action taken by the responsible party in response to the matters raised in an audit report. Follow-up focuses on whether the audited entity has adequately addressed the matters raised, including any wider implications. Insufficient or unsatisfactory action by the audited entity may call for a further report by the SAI.


ISSAI 400

Fundamental Principles of Compliance Auditing

The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org.


Table of contents of ISSAI 400

INTRODUCTION

PURPOSE AND AUTHORITY OF THE FUNDAMENTAL PRINCIPLES OF COMPLIANCE AUDITING

FRAMEWORK FOR COMPLIANCE AUDITING
• The objective of compliance auditing
• Characteristics of compliance auditing
• The different perspectives of compliance auditing
• Compliance auditing in relation with the audit of financial statements
• Compliance auditing in combination with performance auditing

ELEMENTS OF COMPLIANCE AUDITING
• Subject matter
• The three parties in compliance auditing
• Assurance in compliance auditing

PRINCIPLES OF COMPLIANCE AUDITING
• General principles
• Professional judgment and skepticism
• Quality control
• Audit team management and skills
• Audit risk
• Materiality
• Documentation
• Communication
• Principles related to the audit process
• Planning and designing a compliance audit
• Audit evidence
• Evaluating audit evidence and forming conclusions
• Reporting
• Follow-up


INTRODUCTION

1. Professional standards and guidelines are essential for the credibility, quality and professionalism of public sector auditing. The International Standards of Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) aim to promote independent and effective auditing and support the members of INTOSAI in the development of their own professional approach in accordance with their mandates and with national laws and regulations.

2. ISSAI 100 – Fundamental Principles of Public Sector Auditing provides the fundamental principles for public sector auditing in general and defines the authority of the ISSAIs. ISSAI 400 – Fundamental Principles of Compliance Auditing builds on and further develops the fundamental principles of ISSAI 100 to suit the specific context of compliance auditing. ISSAI 400 should be read and understood in conjunction with ISSAI 100, which also applies to compliance auditing.

3. ISSAI 400 therefore constitutes the basis for compliance auditing standards in accordance with the ISSAIs. This document provides detailed information on the following:

• The purpose and authority of the ISSAIs on compliance auditing;

• The compliance auditing framework and the different ways in which audits are conducted;

• The elements of compliance auditing;

• The principles of compliance auditing.

PURPOSE AND AUTHORITY OF THE FUNDAMENTAL PRINCIPLES OF COMPLIANCE AUDITING

4. The purpose of the ISSAIs on compliance auditing1 is to provide a comprehensive set of principles, standards and guidelines for the compliance auditing of subject matter, both qualitative and quantitative, that varies widely in scope and can be addressed through a range of audit approaches and reporting formats.

5. ISSAI 400 provides SAIs with a basis for the adoption or development of standards and guidelines in compliance auditing. The principles in ISSAI 400 can be used in three ways:

• as a basis for the development of standards;

• as a basis for the adoption of consistent national standards;

• as a basis for adoption of the Compliance Auditing Guidelines as authoritative standards.

1 ISSAI 400 and ISSAIs 4000-4999.

6. SAIs should only make reference to the Fundamental Principles of Compliance Auditing in audit reports – whether in the Auditor’s Report or other reporting formats – if the standards they have developed or adopted fully comply with all relevant principles of ISSAI 400. The principles in no way override national laws, regulations or mandates.

7. As the Compliance Audit Guidelines (ISSAIs 4000-4999) have been developed to reflect best practice, SAIs are encouraged to strive towards adopting them in full as their authoritative standards. INTOSAI recognizes that, in some environments, this might not be possible due to the absence of basic administrative structures or because laws or regulations do not establish the premises for carrying out audits in accordance with the Compliance Audit Guidelines. Where this is the case, SAIs have the option of developing standards based on, or adopting national standards consistent with, the Fundamental Principles of Compliance Auditing.

8. Where an SAI’s auditing standards are based on or consistent with the INTOSAI Fundamental Auditing Principles, these may be referred to in audit reports by stating:

… We conducted our audit in accordance with [standards], which are based on [or consistent with] the Fundamental Auditing Principles (ISSAIs 100-999) of the International Standards of Supreme Audit Institutions.

9. SAIs in some jurisdictions may choose to adopt the Compliance Audit Guidelines as the authoritative standards for their work. In this case, reference may be made by stating:

… We conducted our [compliance] audit[s] in accordance with the International Standards of Supreme Audit Institutions [on compliance auditing].

The reference may be included in the audit report or communicated by the SAI in a more general form covering a defined range of engagements.

Depending on their mandate, SAIs may conduct combined audits incorporating financial, compliance and/or performance aspects. In such cases the standards relevant to each audit type should be complied with. The above text may then be combined with the similar references in ISSAIs 200 and 300 respectively to the financial and performance audit guidelines.


10. ISSAI 100 – Fundamental Principles of Public Sector Auditing gives further information on the authority attached to the INTOSAI Fundamental Principles.

11. When the General Auditing Guidelines (ISSAIs 1000-4999) are used as the authoritative standards for a compliance audit conducted together with an audit of financial statements, the public sector auditors should respect the authority of both the Compliance Audit Guidelines (ISSAIs 4000-4999) and the Financial Audit Guidelines (ISSAIs 1000-2999).2

FRAMEWORK FOR COMPLIANCE AUDITING

The objective of compliance auditing

12. Compliance auditing is the independent assessment of whether a given subject matter is in compliance with applicable authorities3 identified as criteria. Compliance audits are carried out by assessing whether activities, financial transactions and information comply, in all material respects, with the authorities which govern the audited entity.

13. The objective of public sector compliance auditing, therefore, is to enable the SAI to assess whether the activities of public sector entities are in accordance with the authorities governing those entities. This involves reporting on the degree to which the audited entity complies with established criteria. Reporting may vary between brief standardised opinions and various forms of conclusions, presented in short or long form. Compliance auditing may be concerned with regularity (adherence to formal criteria such as relevant laws, regulations and agreements) or with propriety (observance of the general principles governing sound financial management and the conduct of public officials). While regularity is the main focus of compliance auditing, propriety may also be pertinent given the public-sector context, in which there are certain expectations concerning financial management and the conduct of officials. Depending on the mandate of the SAI, the audit scope may therefore include aspects of propriety4.

14. Compliance auditing may also lead SAIs with jurisdictional powers to pronounce judgments and sanctions on those responsible for managing public funds. Some SAIs are mandated to refer facts liable to criminal prosecution to the judicial authorities. In this context, the objective of the compliance audit may be extended, and the auditor should take due account of the relevant specific requirements when devising the audit strategy or planning and throughout the audit process.

2 Currently ISSAIs 1000–1810.

3 See paragraphs 28–29 on the concept of authorities.

4 See paragraph 32.


Characteristics of compliance auditing

15. Compliance auditing may cover a wide range of subject matter and can be performed to provide either reasonable or limited assurance, using several types of criteria, evidence-gathering procedures and reporting formats. Compliance audits may be attestation or direct reporting engagements, or both at once. The audit report may be either long- or short-form, and conclusions may be expressed in various ways: as a single clear written statement of opinion on compliance or as a more elaborate answer to specific audit questions.

16. Compliance auditing is often an integral part of an SAI’s mandate for the audit of public sector entities. This is because legislation and other authorities are the primary means by which legislatures exercise control of income and expenditure, management and the rights of citizens to due process in their relations with the public sector. Public-sector entities are entrusted with the sound management of public funds. It is the responsibility of public sector bodies and their appointed officials to be transparent about their actions and accountable to citizens for the funds with which they are entrusted, and to exercise good governance over those funds.

17. Compliance auditing promotes transparency by providing reliable reports as to whether funds have been administered, management exercised and citizens’ rights to due process honoured as required by the applicable authorities. It promotes accountability by reporting deviations from and violations of authorities, so that corrective action may be taken and those accountable may be held responsible for their actions. It promotes good governance both by identifying weaknesses and deviations from laws and regulations and by assessing propriety where there are insufficient or inadequate laws and regulations. Fraud and corruption are, by their very nature, elements which counteract transparency, accountability and good stewardship. Compliance auditing therefore promotes good governance in the public sector by considering the risk of fraud in relation to compliance.

18. Depending on the organisational structure of the public sector and the mandate of the SAI, compliance auditing may cover all levels of government: central, regional and local. Compliance audits of private entities are also possible, focusing, for revenue, on tax payers and, for expenditure, on those involved in the management of public property or services, for instance through partnership arrangements or as recipients of public grants or subsidies.

19. In certain countries the SAI is a court, composed of judges, with authority over State accountants and other public officials who must render account to it. This jurisdictional function requires the SAI to ensure that whoever is charged with governance over public funds is held accountable for those funds and, in this regard, is subject to its jurisdiction. There exists an important complementary relationship between this jurisdictional authority and the characteristics of compliance auditing. This may entail additional requirements for auditors operating in an environment with a judicial role, such as a court of accounts.

The different perspectives of compliance auditing

20. Compliance auditing can be part of a combined audit that may also include other aspects. Though other possibilities exist, compliance auditing is generally conducted either:

• in relation with the audit of financial statements (see ISSAI 4200 for additional guidance in this regard), or

• separately from the audit of financial statements (see ISSAI 4100), or

• in combination with performance auditing.

Compliance auditing in relation with the audit of financial statements

21. The legislature, as an element of public democratic process, establishes the priorities for public sector income and expenditure and for the calculation and attribution of expenditure and income. The underlying premises of legislative bodies, and the decisions they take, are the source of the authorities governing cash flow in the public sector. Compliance with those authorities constitutes a broader perspective alongside the audit of financial statements in budgetary execution.

22. The audit of compliance with relevant authorities is often an important part of the mandate of an SAI, where it is combined with the audit of financial statements as part of reporting on the execution of public budgets.

23. Laws and regulations are important both in compliance auditing and in the audit of financial statements. Which laws and regulations apply in each field will depend on the audit objective. Compliance auditing is the independent assessment of whether a given subject matter is in compliance with applicable authorities identified as criteria; it focuses on obtaining sufficient and appropriate evidence regarding compliance with those criteria. The audit of financial statements seeks to ascertain whether the financial statements of the entity concerned were prepared in accordance with an acceptable financial reporting framework and to obtain sufficient and appropriate audit evidence regarding the laws and regulations that have a direct and material effect on the financial statements⁵. Whereas, in the audit of financial statements, only those laws and regulations with a direct and material effect on the financial statements are relevant, in compliance auditing any laws and regulations relevant to the subject matter may be relevant for the audit.

24. ISSAI 4200 provides guidance to compliance auditing in combination with the audit of financial statements. These guidelines should be read together with the Financial Audit Guidelines (ISSAI 1000-2999).

⁵ Cf. ISSAI 1250.


Compliance auditing conducted separately

25. Compliance audits may also be planned, performed and reported on separately from the audit of financial statements and from performance audits. ISSAI 4100 provides guidance in this regard. Compliance audits may be conducted separately on a regular or an ad hoc basis, as distinct and clearly-defined audits each related to a specific subject matter.

Compliance auditing in combination with performance auditing

26. When compliance auditing is part of a performance audit, compliance is seen as one of the aspects of economy, efficiency and effectiveness. Non-compliance may be the cause of, an explanation for, or a consequence of, the state of the activities that are the subject of the performance audit. In combined audits of this kind, auditors should use their professional judgment to decide whether performance or compliance is the primary focus of the audit, and whether to apply the ISSAIs on performance auditing, compliance auditing or both.

ELEMENTS OF COMPLIANCE AUDITING

27. The elements of public sector auditing are described in ISSAI 100. This section outlines additional aspects of the elements relevant to compliance auditing, which should be identified by the auditor before commencing the audit.

Authorities and criteria

28. Authorities are the most fundamental element of compliance auditing, since the structure and content of authorities furnish the audit criteria and therefore form the basis of how the audit is to proceed under a specific constitutional arrangement.

29. Authorities may include rules, laws and regulations, budgetary resolutions, policy, established codes, agreed terms or the general principles governing sound public-sector financial management and the conduct of public officials. Most authorities originate in the basic premises and decisions of the national legislature, but they may be issued at a lower level in the organisational structure of the public sector.

30. Because of the variety of possible authorities, they may have mutually conflicting provisions and be subject to differing interpretations. In addition, subordinate authorities may not be consistent with the requirements or limits of the enabling legislation, and there may be legislative gaps. As a result, to assess compliance with authorities in the public sector it is necessary to have sufficient knowledge of the structure and content of the authorities themselves. This is of particular importance when it comes to identifying the audit criteria, as the sources of the criteria may themselves feature in the audit, both when determining the audit scope and when drawing up the audit findings.

31. Criteria are the benchmarks used to evaluate or measure the subject matter consistently and reasonably. The auditor identifies criteria on the basis of the relevant authorities. To be suitable, compliance audit criteria must be relevant, reliable, complete, objective, understandable, comparable, acceptable and available. Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding.

32. Compliance auditing generally comprises the assessment of compliance with formal criteria, such as authorising legislation, regulations issued under framework legislation and other relevant laws, regulations and agreements, including budgetary laws (regularity). Where formal criteria are absent or there are obvious shortcomings in the legislation concerning their application, audits may also examine compliance with the general principles governing sound financial management and the conduct of public officials (propriety). Suitable criteria are needed both in audits focusing on regularity and in audits focusing on propriety. Suitable criteria for a compliance audit of propriety will be either generally-accepted principles or national or international best practice. In some cases they may be uncodified, implicit or based on overriding principles of law.

Subject matter

33. The subject matter of a compliance audit is defined in the scope of the audit. It may take the form of activities, financial transactions or information. For attestation engagements on compliance it is more relevant to identify the subject matter information, which may be a statement of compliance prepared in accordance with an established and standardised reporting framework.

34. The subject matter depends on the mandate of the SAI, the relevant authorities and the scope of the audit. Hence the content and scope of compliance audit subject matter can vary widely. The subject matter of an audit may be either general or specific. Some types of subject matter are quantitative and, often, easily measured (for example payments which do not satisfy certain conditions), while others are qualitative and more subjective in nature (for example behaviour or adherence to procedural requirements).

The three parties in compliance auditing

35. Compliance auditing is based on a three-party relationship in which the auditor aims to obtain sufficient appropriate audit evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the measurement or evaluation of a subject matter against criteria.

36. In compliance auditing the responsibility of the auditor is to identify the elements of the audit, assess whether a particular subject matter is compliant with the established criteria and issue a compliance audit report.

37. The responsible party is the executive branch of government and/or its underlying hierarchy of public officials and entities responsible for the management of public funds and the exercise of authority under the control of the legislature. The responsible party in compliance auditing is responsible for the subject matter of the audit.

38. The intended users are the individuals, organizations or classes thereof for whom the auditor prepares the audit report. In compliance auditing the users generally include the legislature as representatives of the people, who are the ultimate users of compliance audit reports. The legislature makes decisions and sets priorities concerning the calculation and purpose of public sector expenditure and income. The primary user in compliance auditing is often the entity that issued the authorities identified as audit criteria.

39. The relationship between the three parties should be viewed in the context of each audit and may be different in direct reporting as opposed to attestation engagements. The definition of the three parties may also vary according to the public sector entities involved.

Assurance in compliance auditing

40. An auditor performs procedures to reduce or manage the risk of providing incorrect conclusions, recognising that, owing to the inherent limitations in all audits, no audit can ever provide absolute assurance of the condition of the subject matter. This should be communicated in a transparent way. In most cases, a compliance audit will not cover all elements of the subject matter but will rely on a degree of qualitative or quantitative sampling.

41. Compliance auditing carried out by obtaining assurance enhances the confidence of the intended users in the information provided by the auditor or another party. In compliance auditing there are two levels of assurance: reasonable assurance, conveying that, in the auditor's opinion, the subject matter is or is not in compliance, in all material respects, with the stated criteria; and limited assurance, conveying that nothing has come to the auditor’s attention to cause him/her to believe that the subject matter is not compliant with the criteria. Both reasonable and limited assurances are possible in both direct reporting and attestation engagements in compliance auditing.


PRINCIPLES OF COMPLIANCE AUDITING

42. A compliance audit is a systematic process of objectively obtaining and evaluating evidence as to whether a given subject matter is in compliance with applicable authorities identified as criteria. The principles below are fundamental to the conduct of a compliance audit. The nature of the audit is iterative and cumulative, but for the purposes of presentation this section is divided into principles that the auditor should consider prior to commencement and at more than one point during the audit process (general principles) and those related to steps in the audit process itself.

General principles

Professional judgment and skepticism

43. Auditors should plan and conduct the audit with professional skepticism and exercise professional judgment throughout the audit process.

The terms "professional skepticism" and "professional judgment" are relevant when formulating requirements regarding the auditor's decisions about the appropriate course of action. They express the attitude of the auditor, which must include a questioning mind.

The auditor must apply professional judgment at all stages of the audit process. The concept refers to the application of relevant training, knowledge and experience, within the context provided by auditing standards, so that informed decisions can be made about the courses of action that are appropriate given the circumstances of the audit.

The concept of professional skepticism is fundamental to all audits. The auditor should plan and conduct the audit with an attitude of professional skepticism, recognising that certain circumstances may cause the subject matter to diverge from the criteria. An attitude of professional skepticism means the auditor making a critical assessment, with a questioning mind, of the sufficiency and appropriateness of evidence obtained throughout the audit.

Professional judgment and skepticism are used throughout the compliance audit process to assess the elements of the audit, the subject matter, suitable criteria, the audit scope, risk, materiality and the audit procedures to be used in response to the defined risks. The two concepts are also used in the evaluation of evidence and instances of non-compliance, in reporting and in determining the form, content and frequency of communication throughout the audit. Specific requirements for maintaining professional judgment and skepticism in compliance auditing are the ability to analyse the structure and content of public authorities as a basis for identifying suitable criteria or gaps in legislation, in the event that laws and regulations are entirely or partially lacking, and to apply professional audit concepts in the approach to known and unknown subject matter. The auditor should be capable of appraising a variety of types of audit evidence by their source and relevance to the audit scope and subject matter, and of evaluating the sufficiency and appropriateness of all evidence obtained during the audit.

Quality control

44. Auditors should take responsibility for the overall quality of the audit.

The auditor is responsible for the performance of the audit and should implement quality control procedures throughout the audit process. Such procedures should be aimed at ensuring that the audit complies with the applicable standards and that the audit report, conclusion or opinion is appropriate given the circumstances.

Audit team management and skills

45. Auditors should have access to the necessary skills.

The individuals in the audit team should collectively possess the knowledge, skills and expertise necessary to successfully complete the audit. This includes an understanding and practical experience of the type of audit being undertaken, familiarity with the applicable standards and authorities, an understanding of the audited entity’s operations and the ability and experience to exercise professional judgment. Common to all audits is the need to recruit personnel with suitable qualifications, offer staff development and training, prepare manuals and other written guidance and instructions concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain their professional competence through ongoing professional development.

Audits may require specialised techniques, methods or skills from disciplines not available within the SAI. External experts may be used in different ways, e.g. to provide knowledge or conduct specific work. Auditors should evaluate whether experts have the necessary competence, capabilities and objectivity and determine whether their work is adequate for the purposes of the audit.

Audit risk

46. Auditors should consider audit risk throughout the audit process.

Audits should be conducted in such a way as to manage or reduce the audit risk to an acceptable level. The audit risk is the risk that the audit report – or more specifically the auditor's conclusion or opinion – will be inappropriate in the circumstances of the audit. Consideration of audit risk is relevant in both attestation and direct engagements. The auditor should consider three different dimensions of audit risk – inherent risk, control risk and detection risk – in relation to the subject matter and the reporting format, i.e. whether the subject matter is quantitative or qualitative and whether the audit report is to include an opinion or a conclusion. The relative significance of these dimensions of audit risk depends on the nature of the subject matter, whether the audit is to provide reasonable or limited assurance and whether it is a direct reporting or an attestation engagement.

Materiality

47. Auditors should consider materiality throughout the audit process.

Determining materiality is a matter of professional judgment and depends on the auditor’s interpretation of the users’ needs. A matter can be judged material if knowledge of it would be likely to influence the decisions of the intended users. This judgment may relate to an individual item or to a group of items taken together. Materiality is often considered in terms of value, but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs.

As stated above, materiality in compliance auditing has both quantitative and qualitative aspects, although the qualitative aspects generally play a greater role in the public sector. Materiality should be considered for the purposes of planning, evaluating the evidence obtained and reporting. An essential part of determining materiality is to consider whether reported cases of compliance or non-compliance (potential or confirmed) could reasonably be expected to influence decisions by the intended users. Factors to be considered within this judgment assessment are mandated requirements, public interest or expectations, specific areas of legislative focus, requests and significant funding. Issues at a lower level of value or incidence than the general determination of materiality, such as fraud, may also be considered material. The assessment of materiality requires comprehensive professional judgment on the part of the auditor and is related to the audit scope.

Documentation

48. Auditors should prepare sufficient audit documentation.

Documentation should be prepared at the appropriate time and should provide a clear understanding of the criteria used, the scope of the audit, the judgments made, the evidence obtained and the conclusions reached. Documentation should be sufficiently detailed to enable an experienced auditor, with no prior knowledge of the audit, to understand the following: the relationship between the subject matter, the criteria, the audit scope, the risk assessment, the audit strategy and audit plan and the nature, timing, extent and results of the procedures performed; the evidence obtained in support of the auditor’s conclusion or opinion; the reasoning behind all significant matters that required the exercise of professional judgment; and the related conclusions. The auditor should prepare relevant audit documentation before the audit report is issued, and the documentation should be retained for an appropriate period of time.

Communication

49. Auditors should maintain effective communication throughout the audit process.

Communication takes place at all audit stages: before the audit starts, during initial planning, during the audit proper, and at the reporting phase. Any significant difficulties encountered during the audit, as well as instances of material non-compliance, should be communicated to the appropriate level of management or those charged with governance. The auditor should also inform the responsible party of the audit criteria.

Principles related to the audit process

Planning and designing a compliance audit

Audit scope

50. Auditors should determine the audit scope.

Where the SAI’s mandate or the applicable legislation does not prescribe the scope of the audit, this should be decided by the auditor. The audit scope is a clear statement of the focus, extent and limits of the audit in terms of the subject matter’s compliance with the criteria. The scoping of an audit is influenced by materiality and risk, and it determines which authorities and parts thereof will be covered. The audit process as a whole should be designed to cover the entire audit scope.

Subject matter and criteria

51. Auditors should identify the subject matter and suitable criteria.

Determination of the subject matter and criteria is one of the first steps in a compliance audit. The subject matter and criteria may be laid down by law or in the mandate of the SAI. Alternatively, they may be identified by the auditor. For attestation engagements it may also be relevant to identify the subject matter information presented by the responsible party concerning the compliance of a given subject matter with certain criteria.

The subject matter may take many forms and have a variety of characteristics. When identifying the subject matter, the auditor should employ professional judgment and skepticism to analyse the audited entity and assess materiality and risk.

The subject matter should be identifiable, and it should be possible to assess it against suitable criteria. It should be of such a nature that it enables sufficient and appropriate audit evidence to be gathered in support of the audit report, conclusion or opinion.


The auditor should identify suitable criteria to provide a basis for evaluating the audit evidence and developing audit findings and conclusions. The criteria should be made available to the intended users and others as appropriate. They should also be communicated to the responsible party.

Understanding the entity

52. Auditors should understand the audited entity in the light of the relevant authorities.

Compliance auditing may cover all levels of the executive and can include various administrative levels, types of entities and combinations of entities. The auditor should therefore be familiar with the structure and operations of the audited entity and its procedures for achieving compliance. The auditor will use this knowledge to determine materiality and assess the risk of non-compliance.

Understanding internal controls and the control environment

53. Auditors should understand the control environment and the relevant internal controls and consider whether they are likely to ensure compliance.

An understanding of the audited entity and/or the subject matter relevant to the audit scope depends on the auditor’s knowledge of the control environment. The control environment is the culture of honesty and ethical behaviour that provides the foundation for the system of internal controls to ensure compliance with the authorities. In compliance auditing, a control environment that focuses on achieving compliance is of particular importance.

In order to understand the audited entity or the subject matter, the auditor also needs to understand the system of internal controls. The particular type of controls which the auditor focuses on will depend on the subject matter and the specific nature and scope of the audit. As the subject matter may be qualitative or quantitative, the auditor will focus on quantitative or qualitative internal controls, or a combination thereof, according to the audit scope. In evaluating internal controls, the auditor assesses the risk that they may not prevent or detect material instances of non-compliance. The auditor should consider whether the internal controls are in harmony with the control environment so as to ensure compliance with the authorities in all material respects.

Risk assessment

54. Auditors should perform a risk assessment to identify risks of non-compliance.

In the light of the audit criteria, the audit scope and the characteristics of the audited entity, the auditor should perform a risk assessment to determine the nature, timing and extent of the audit procedures to be performed. In this the auditor should consider the risks that the subject matter will not comply with the criteria. Non-compliance may arise due to fraud, error, the inherent nature of the subject matter and/or the circumstances of the audit. The identification of risks of non-compliance and their potential impact on the audit procedures should be considered throughout the audit process. As part of the risk assessment, the auditor should evaluate any known instances of non-compliance in order to determine whether they are material.

Risk of fraud

55. Auditors should consider the risk of fraud.

If the auditor comes across instances of non-compliance which may be indicative of fraud, he or she should exercise due professional care and caution so as not to interfere with any future legal proceedings or investigations.

Fraud in compliance auditing relates mainly to the abuse of public authority, but also to fraudulent reporting on compliance issues. Instances of non-compliance with authorities may constitute deliberate misuse of public authority for improper benefit. The execution of public authority includes decisions, non-decisions, preparatory work, advice, information handling and other acts in the public service. Improper benefits are advantages of a non-economic or economic nature gained by an intentional act by one or more individuals among management, those charged with governance, employees or third parties.

While detecting fraud is not the main objective of compliance audit, auditors should include fraud risk factors in their risk assessments and remain alert to indications of fraud when carrying out their work.

Audit strategy and audit plan

56. Auditors should develop an audit strategy and an audit plan.

Audit planning should involve discussion between members of the audit team with a view to developing an overall audit strategy and an audit plan. The purpose of the audit strategy is to devise an effective response to the risk of non-compliance. It should include consideration of the planned audit responses to specific risks through the development of an audit plan. Both the audit strategy and the audit plan should be documented in writing. Planning is not a distinct phase of the audit, but a continuous and iterative process.

Audit evidence

57. Auditors should gather sufficient appropriate audit evidence to cover the audit scope.

The auditor should gather sufficient and appropriate audit evidence to provide the basis for the conclusion or opinion. Sufficiency is a measure of the quantity of evidence, while appropriateness relates to the quality of evidence – its relevance, validity and reliability. The quantity of evidence required depends on the audit risk (the greater the risk, the more evidence is likely to be required) and on the quality of such evidence (the higher the quality, the less may be required). Accordingly, the sufficiency and appropriateness of evidence are interrelated. However, merely obtaining more evidence does not compensate for its poor quality. The reliability of evidence is influenced by its source and nature, and is dependent on the specific circumstances in which it was obtained. The auditor should consider both the relevance and the reliability of the information to be used as audit evidence, and must respect the confidentiality of all audit evidence and information received.

The audit procedures should be appropriate in the circumstances of the audit and suited to the purpose of obtaining sufficient and appropriate audit evidence. The nature and sources of the necessary audit evidence are determined by the criteria, the subject matter and the scope of the audit. As the subject matter may be qualitative or quantitative, the auditor will focus on quantitative or qualitative audit evidence, or a combination thereof, according to the audit scope. Compliance auditing thus includes a variety of procedures for gathering evidence of both a quantitative and a qualitative nature.

The compliance auditor will often need to combine and compare evidence from different sources in order to meet the requirements for sufficiency and appropriateness.

Evaluating audit evidence and forming conclusions

58. Auditors should evaluate whether sufficient and appropriate audit evidence has been obtained and form relevant conclusions.

After completing the audit proper the auditor will review the audit evidence in order to reach a conclusion or issue an opinion. The auditor should evaluate whether the evidence obtained is sufficient and appropriate so as to reduce the audit risk to an acceptably low level. The evaluation process entails considering evidence that both supports and seems to contradict the audit report, conclusion or opinion on compliance or non-compliance. It also includes considerations of materiality. After evaluating whether the evidence is sufficient and appropriate given the assurance level of the audit, the auditor should consider how best to conclude in the light of the evidence.

If audit evidence obtained from one source is inconsistent with that obtained from another, or if there are any doubts about the reliability of the information to be used as evidence, the auditor should determine what modifications or additions to the audit procedures would resolve the matter and consider the implications, if any, for other aspects of the audit.

After completing the audit, the auditor will review the audit documentation to determine whether the subject matter has been sufficiently and appropriately examined. The auditor should also determine whether the risk assessment and initial determination of materiality were appropriate in the light of the evidence collected, or whether they need to be revised.


Reporting

59. Auditors should prepare a report based on the principles of completeness, objectivity, timeliness and a contradictory process.

The principle of completeness requires the auditor to consider all relevant audit evidence before issuing a report. The principle of objectivity requires the auditor to apply professional judgment and skepticism in order to ensure that all reports are factually correct and that findings or conclusions are presented in a relevant and balanced manner. The principle of timeliness implies preparing the report in due time. The principle of a contradictory process implies checking the accuracy of facts with the audited entity and incorporating responses from responsible officials as appropriate. In both form and content, a compliance audit report should conform to all these principles.

The forms of reporting may be defined in law or by the mandate of the SAI. Nonetheless, the audit report normally contains a conclusion based on the audit work performed. The report may also provide constructive and practical recommendations for improvement where appropriate. In an attestation engagement the report is generally referred to as the Auditor’s Report.

Reporting may vary between brief standardised opinions and various forms of conclusions, presented in short or long form. However it appears, the report should be complete, accurate, objective, convincing and as clear and concise as the subject matter permits. Any limitations in the audit scope should be described. The report should clearly state the relevance of the criteria used and the level of assurance provided.

The conclusion may take the form of a clear written statement of opinion on compliance, often in addition to the opinion on the financial statements. It may also be expressed as a more elaborate answer to specific audit questions. While an opinion is common in attestation engagements, the answering of specific audit questions is more often used in direct reporting engagements. Where an opinion is provided the auditor should state whether it is unmodified or has been modified on the basis of the evaluation of materiality and pervasiveness. Delivering an opinion would normally require a more elaborate audit strategy and approach.

Compliance audit reports should include the following elements (although not necessarily in this order):

1 Title
2 Addressee
3 Scope of the audit, including the time period covered
4 Identification or description of the subject matter
5 Identified criteria
6 Identification of the auditing standards applied in performing the work
7 A summary of the work performed
8 Findings
9 A conclusion/opinion
10 Replies from the audited entity (as appropriate)
11 Recommendations (as appropriate)
12 Report date
13 Signature

Follow-up

60. Auditors should follow up instances of non-compliance when appropriate.

A follow-up process facilitates the effective implementation of corrective action and provides useful feedback to the audited entity, the users of the audit report and the auditor (for future audit planning). The need to follow up previously reported instances of non-compliance will vary with the nature of the subject matter, the non-compliance identified and the particular circumstances of the audit. At some SAIs, including courts of accounts, the follow-up may include issuing legally binding reports or judicial decisions. In audits carried out on a regular basis the follow-up procedures may form part of the subsequent year’s risk assessment.


ISSAI 4000

Compliance Audit Guidelines - General Introduction

The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org


Table of contents of ISSAI 4000

Introduction
Authority of the Guidelines
Diversity in Organizing and Reporting on Compliance Audit
Relationship to Other Auditing Standards


1. Introduction

1. Compliance audit deals with the responsibility of the SAI to audit whether the activities of public sector entities are in accordance with the relevant laws, regulations and authorities that govern such entities. This involves reporting on the degree to which the audited entity is accountable for its actions and exercises good public governance. More specifically, these elements may involve auditing to what extent the audited entity follows rules, laws and regulation, budgetary resolutions, policy, established codes, or agreed upon terms, such as the terms of a contract or the terms of a funding agreement. Compliance audit tasks performed by SAIs may cover a wide range of subject matters and may vary widely on an international basis.

2. The objective, scope and nature of a particular compliance audit depend on a number of factors, including the mandate and constitutional role of the SAI, as well as laws and regulations that are relevant to the audited entity. However, in general, the objective of compliance auditing is to enable the SAI to report to the appropriate bodies on the audited entity's compliance with a particular set of criteria. Such criteria may be derived from relevant financial reporting frameworks, laws, regulations, parliamentary decisions, terms of contracts or agreements, or may be other criteria deemed by the auditor to be suitable criteria.

3. The Compliance Audit Guidelines represent the fourth level (Auditing Guidelines) of the International Standards of Supreme Audit Institutions (ISSAI) Framework, where the Founding Principles constitute level 1, the Codes for SAIs the second level and the Fundamental Auditing Principles the third level (including the INTOSAI Auditing Standards).

4. For compliance audits performed together with the audit of financial statements, the Compliance Audit Guidelines supplement the INTOSAI Financial Audit Guidelines (ISSAI 1000 – 2999).

5. Depending on the structure of the public sector and the mandate of the SAI, the Compliance Audit Guidelines cover compliance audit at all levels of government: central, regional as well as local. Furthermore, the guidelines may also be applied to audits of private entities when they are involved in the management of public property or services, for instance through partnership arrangements or as recipients of public grants or subsidies.


6. The Compliance Audit Guidelines are written from two main perspectives:

• ISSAI 4100 deals with compliance audit performed separately from the audit of financial statements, for example as a separate audit task or related to performance audit

• ISSAI 4200 deals with compliance audit related to the audit of financial statements

The two ISSAIs are written as consistent, stand-alone documents. Much of the material related to planning and performing compliance audit is therefore very similar or even the same. However, where there is a need to differentiate, the guidance has been tailored to the specific purposes.

2. Authority of the Guidelines

7. The INTOSAI Compliance Audit Guidelines have been developed to assist SAIs in applying the INTOSAI Auditing Standards, particularly in their work on reporting on compliance. As is the case for the INTOSAI Auditing Standards, the Compliance Audit Guidelines do not have mandatory application within INTOSAI and each SAI must judge the extent to which they are compatible with the SAI's mandate.

8. The guidelines are intended to be relevant to compliance audit in SAIs representing both the Auditor General system and the Court of Account system, but do not cover particularities related to the judgment part of compliance auditing in SAIs of the court type.

3. Diversity in Organizing and Reporting on Compliance Audit

9. SAIs organize compliance audit in the way that is deemed most efficient in light of the mandate and role of the SAI within the particular constitutional system. In practice, this gives rise to a great degree of international diversity in organizing and reporting on compliance audit. Compliance audit may be carried out as part of the audit of financial statements or as part of a performance audit. Compliance audit may also be carried out as a separate audit task, for example at the request of the legislature or other bodies to which the SAI reports, or at the initiative of the SAI itself.6

6 Compliance audit is the typical audit in the case of the 'a priori audit' foreseen by the audit mandate of several SAIs.

10. In addition, some SAIs may have special compliance audit tasks and responsibilities established by their mandate or otherwise. Such tasks may include:

(a) The judicial function of SAIs organised as Courts of Accounts,

(b) Activities related to suspected fraud and corruption,

(c) Investigation of suspected illegal acts or other misconduct for the purpose of decisions on the sanctioning of individuals or reporting to law enforcement authorities,

(d) Assessment of the truth and completeness of information submitted by ministers to a parliament.

11. Compliance audit reports may take different forms, such as:

(a) Separate compliance audit reports which may be either short form or long form reports depending on the needs of the users of the report,

(b) Opinions on compliance, which may be included in the auditor's report on the financial statements, or in a separate report,

(c) Opinions stating whether activities or transactions that have come to public sector auditors' attention in the course of discharging other audit responsibilities were carried out in compliance with authorities,

(d) Reports on specific instances of non-compliance,

(e) Reports that no instances of non-compliance have come to the auditors' attention during the course of the audit.

12. These variations are discussed in the Compliance Audit Guidelines together with examples of reports where appropriate.

4. Relationship to Other Auditing Standards

13. The Compliance Audit Guidelines build upon INTOSAI's Fundamental Auditing Principles and standards promulgated by other standard setting organisations with which INTOSAI has a cooperation agreement, such as IFAC and The Institute of Internal Auditors (IIA).

14. The International Framework for Assurance Engagements, issued by IFAC's International Auditing and Assurance Standards Board, concerns engagements in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria. Within this framework the International Standards on Auditing (ISAs) apply to engagements of assurance of financial statements (historical financial information). The International Standards on Assurance Engagements (ISAEs) apply to engagements on assurance of other subject matter information than financial statements.

15. SAIs carry out compliance audit by virtue of their mandate and role within the constitutional system. They have an important role in promoting public accountability and in contributing to improved public sector management. Although the ISAs and ISAEs are relevant for work carried out by public sector auditors, the scope of compliance audits and related reporting responsibilities are often broader than those envisaged in the ISAs and ISAEs.

16. International Standards for the Professional Practice of Internal Auditing issued by the IIA define internal auditing as an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. The internal audit activity should evaluate risk exposures and the adequacy and effectiveness of controls encompassing the organization's governance, operations, and information systems including compliance with laws, regulations, and contract terms and conditions. If the compliance audit activities of a SAI involve reliance on internal auditors, the SAI may also consider to what extent the IIA standards have been applied by internal auditors.


ISSAI 4100

Compliance Audit Guidelines – For Audits Performed Separately from the Audit of Financial Statements

The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org


Preface

The suite of compliance audit guidelines comprises the following:

• ISSAI 4000: A general introduction to guidelines on compliance audit;

• ISSAI 4100: Compliance audit guidelines for audits performed separately from the audit of financial statements. Such work may be carried out as part of a performance audit or as a separate audit type;

• ISSAI 4200: Compliance audit guidelines related to the audit of financial statements.


Table of Contents of ISSAI 4100

1 Introduction
2 Scope of the guidelines
2.1 Scope and Nature of a Compliance Audit
2.2 Reasonable vs. Limited Assurance
2.3 Assertion Based Reporting vs. Direct Reporting
3 Objectives to be Achieved
4 Definitions
5 Initial Considerations
5.1 Ethical Considerations
5.2 Quality Control
6 Planning and Designing a Compliance Audit
6.1 Identification of the Parties Involved / Legal Basis
6.2 Subject Matter and Subject Matter Information
6.3 Criteria
6.4 Understanding the Audited Entity and its Environment
6.5 Audit Strategy and Plan
6.6 Understanding Internal Control at the Audited Entity
6.7 Materiality
6.8 Risk Assessment
6.8.1 Risk Assessment Considerations in regard to Fraud
6.8.2 Risk Assessment Considerations in regard to Relationships between Public Sector Entities
6.9 Planning Audit Procedures
7 Performing Compliance Audits and Gathering Evidence
7.1 Gathering and Evaluating Evidence
7.1.1 Observation
7.1.2 Inspection
7.1.3 Inquiry
7.1.4 Confirmation
7.1.5 Re-performance
7.1.6 Analytical Procedures
7.2 Documentation
7.3 Communications
7.4 Considerations related to the Reporting of Suspected Unlawful Acts
8 Evaluating Evidence and Forming Conclusions
8.1 General Considerations on Evaluating Evidence and Forming Conclusions
8.2 Written Representations from Responsible Officials
8.3 Subsequent Events
9 Reporting
9.1 Form and Content of Compliance Audit Reports
9.1.1 Compliance Audit Reports
9.1.2 Compliance Audit Special Reports
9.2 Follow-up Processes
10 Additional Guidance for Public Sector Auditors Operating in a Court of Accounts Environment
10.1 Performing Audits in a Court of Accounts
10.2 Communicating and Enforcing the Law
10.3 Processes in Various Models of Courts of Accounts
Appendix 1 - Examples of Subject Matters, Subject Matter Information and Criteria in Compliance Auditing
Appendix 2 - Examples of Sources to be used in Gaining an Understanding of the Audited Entity and Identifying Suitable Criteria
Appendix 3 - Examples of Factors Related to Assessing Risk in Compliance Auditing
Appendix 4 - Examples of Risk Factors Related to a Particular Subject Matter
Appendix 5 - Examples of Compliance Audit Procedures for Selected Subject Matters
Appendix 6 - Examples of Compliance Deviations
Appendix 7 - Example of a Compliance Audit 'Short Form' Report
Appendix 8 - Example of a Qualified Compliance Audit Conclusion
Appendix 9 - Example of an Adverse Compliance Audit Conclusion
Appendix 10 - Example of a Compliance Audit Disclaimer
Appendix 11 - Example of an Emphasis of Matter and Other Matter(s) Paragraph
Appendix 12 - Example of a Compliance Review Report Expressing Limited Assurance


1. Introduction

1. The concept of compliance audit is encompassed by the description of the purpose of a public sector audit as set out in INTOSAI's Lima Declaration: 'The concept and establishment of audit is inherent in public financial administration as the management of public funds represents a trust. Audit is not an end in itself but an indispensable part of a regulatory system whose aim is to reveal deviations from accepted standards and violations of the principles of legality, efficiency, effectiveness and economy of financial management early enough to make it possible to take corrective action in individual cases, to make those accountable accept responsibility, to obtain compensation, or to take steps to prevent – or at least render more difficult – such breaches.'

2. Compliance audit deals with the degree to which the audited entity follows rules, laws and regulation, policy, established codes, or agreed upon terms, such as the terms of a contract or the terms of a funding agreement. The concept of compliance audit is introduced in INTOSAI's Fundamental Auditing Principles (ISSAI 100.38 and 39). The concept is further described in ISSAI 4000 – Introduction to the Compliance Audit Guidelines.

3. In the public sector, the concepts of transparency, accountability, stewardship and good governance are basic and important principles. Laws and regulations may set out what activities public sector entities are charged with carrying out for the citizens, any limits or restrictions on such activities, the overall objectives to be achieved and how due process rights of individual citizens are protected. Furthermore, public funds are entrusted to public sector entities for their proper management. It is the responsibility of these public sector bodies and their appointed officials to be transparent about their actions, accountable to the citizens for the funds with which they are entrusted, and to exercise good stewardship over such funds.

4. The need to monitor that the activities of public sector entities are in accordance with the relevant authorities that govern them, and that the due process rights of citizens are protected are important public sector control functions. Through public sector auditing in general, and compliance auditing specifically, public sector auditors help to monitor that the basic principles set out above are being followed and put into operation. In the context of compliance auditing, this responsibility includes determining whether information related to a particular subject matter is in compliance, in all material respects, with relevant criteria such as relevant laws, regulations, directives, terms of contracts and agreements, etc. The result of such auditing is reported to the audited entity and the legislature. In addition, the result is normally made available to the general public. This is done to support accountability and transparency in the public sector.

5. These guidelines address aspects of compliance audit in the public sector which, in many countries, is subject to very different mandates and objectives. In a democratic system of government, accountability to the public, and particularly to its designated representatives, is an overriding aspect of the management of a public sector entity and an essential element of good public governance. Public sector entities are usually established by legislation and their operations governed by various authorities derived from legislation. Management of public sector entities is accountable for operating in accordance with the provisions of the relevant laws, regulations and other authorities governing them. Since legislation and other authorities are the primary means by which legislators control the raising and spending of money by the public sector, auditing for compliance with relevant authorities is usually an important and integral part of the audit mandate, or terms of engagement, for most audits of public sector entities. Because of the variety of authorities, their provisions may be conflicting with one another and may be subject to differing interpretations. Also, subordinate authorities may not be consistent with the directions or limits prescribed by the enabling legislation. As a result, an assessment of compliance with authority in the public sector requires considerable professional judgment and is of particular importance.

6. These guidelines (ISSAI 4100 on Compliance Audit Performed Separately from the Audit of Financial Statements) deal with compliance audit as an audit type of its own or as a part of performance audit, and not when specifically performed together with an audit of financial statements. They build upon INTOSAI's Fundamental Auditing Principles (referenced within this document as ISSAI 100 – ISSAI 400, previously referred to as the 'INTOSAI Auditing Standards') and have been designed to assist public sector auditors and SAIs in applying these principles.

7. The process generally followed in carrying out compliance audits is shown in the figure below (in the following page) and is described in the subsequent sections of the guidelines.


Figure: Compliance Audit Process

Documentation, Communication, Quality Control (applies across all stages)

Initial Considerations (chapters 3, 4, 5)
• Determine compliance audit objective and scope
• Consider principles with ethical significance (eg independence and objectivity)
• Ensure quality control procedures in place

Planning the Audit (chapter 6)
• Determine parties involved / legal basis
• Identify subject matter and criteria
• Understand the entity and its environment
• Develop audit strategy and plan
• Understand internal control
• Establish materiality for planning purposes
• Assess risk
• Plan audit procedures to enable reasonable assurance

Performing the Audit, Gathering Evidence (chapter 7)
• Gather evidence through various means
• Continually update planning and risk assessment
• Ongoing documentation, communication and control
• Consider non-compliance that may indicate suspected unlawful acts

Evaluating Evidence and Forming Conclusions (chapter 8)
• Evaluate whether sufficient appropriate evidence obtained
• Consider materiality for reporting purposes
• Form conclusions
• Obtain written representations as necessary
• Address subsequent events as necessary

Reporting (chapter 9)
• Prepare report
• Include recommendations and responses from entity as appropriate
• Follow-up previous reports as necessary


2. Scope of the guidelines

2.1 Scope and Nature of a Compliance Audit

8. In general, the mandate of the SAI determines whether the SAI carries out compliance audit activities or not. When the SAI carries out compliance audits, it is the SAI itself that is normally responsible for determining the scope and nature of the work to be performed and the appropriate audit approach. In some cases, the legislative body, such as a parliament, may request the SAI to perform a certain type of audit. Such requests may be accepted as long as the auditor's independence is not compromised (ISSAI 200, 2.2.16). Nonetheless, it should be up to the SAI to determine the appropriate audit approach and methodology to be employed.

9. The subject matters of compliance audits are wide ranging and may vary significantly from one audit to the next. A subject matter may be general in nature or may be very specific. More guidance on compliance audit subject matters is set out in section 6.2 below.

10. The Fundamental Auditing Principles explain that compliance audit is important because government agencies, programs and activities are often the result of particular laws and regulations. Decision makers need to know whether relevant laws and regulations are being followed, whether they have the desired results, and if not, what revisions are necessary (ISSAI 300, 3.4.2). Laws, regulations, and other compliance requirements pertaining to the audited entity may be significant to the particular audit objectives, whether it is performed as a separate audit type, or related to performance audit or to an audit of financial statements. Public sector auditors therefore plan and perform work of a scope and nature that will allow them to provide a constructive report to the appropriate parties.

11. In some cases, the audit mandate may set out the audit subject matter and scope of a particular compliance audit. In other cases, the subject matter and scope of the compliance audit may be based on the professional judgment of the public sector auditor. Factors that may influence public sector auditors' determination of the audit subject matter and scope may include:

(a) Requirements set out in the audit mandate or relevant laws and regulations, such as an appropriations act or procurement act

(b) Previous instances of non-compliance by the entity, for example compliance deviations identified in previous audits


(c) Findings and recommendations in audits performed by auditors outside the SAI

(d) Risk assessments performed in connection with financial or performance audits indicating specific areas where there is risk of non-compliance (for example across sectors such as procurement, or large sector-specific program areas such as revenue collection, defence, welfare benefits, etc)

(e) Public interest or expectations (for example suspected fraud, mismanagement or areas of non-compliance identified by the media etc)

(f) Specific areas that are the subject of significant legislative focus (for example environmental issues and compliance with international environmental agreements)

(g) Requests by legislative bodies, funding agencies or donor organisations (for example compliance with the terms of funding agreements)

(h) Significant funding is received by the entity from donor organisations and the continued provision of such funding is subject to compliance with the terms of a contract or agreement

12. In situations where the scope and nature of the compliance audit do not follow directly from the audit mandate or relevant legislation, but are based on the public sector auditor's professional judgment, it may be useful to inform the audited entity of the scope and nature of the audit in writing. This may assist in clarifying the understanding of the roles and responsibilities of the various parties, including what is to be covered by the audit and any particular limitations, information to be provided, the type of report to be issued and to whom, timetables, etc.

13. References to 'compliance audit' throughout this document are understood to be in the context of work carried out by SAIs, or for which the SAI is responsible.

14. Additional guidance on informing the entity about the scope and nature of the audit may be found in:

• ISSAI 1210 and 1300

• INTOSAI's Implementation Guidelines for Performance Auditing section 2.3 – The institutions concerned should be properly informed

• IFAC's International Standard for Assurance Engagements (ISAE) 3000

2.2 Reasonable vs. Limited Assurance

15. The Fundamental Auditing Principles related to compliance state that the audit should be designed to provide reasonable assurance of detecting errors, irregularities and illegal acts that may significantly affect the audit objectives (ISSAI 300, 3.4.1).

16. In most types of engagements there are two types of assurance levels: reasonable (positive) assurance and limited (negative) assurance. Reasonable assurance is high, but not absolute assurance. Due to the inherent limitations of an audit (see section on risk assessment below), an audit does not normally provide 100% assurance. In general, reasonable assurance audits are designed to result in a positive form of expressing a conclusion, such as 'in our opinion the subject matter is / is not in compliance, in all material respects, with the stated criteria…' Limited assurance work is not considered an audit, but rather a review-level engagement. It provides a lower level of assurance than an audit, and is designed to result in a negative form of expressing a conclusion, such as 'nothing has come to our attention that would indicate that the subject matter is not in compliance, in all material respects, with the criteria…'

17. Both reasonable assurance audits and limited assurance reviews involve understanding the subject matter and obtaining sufficient appropriate evidence to support the public sector auditor's conclusion. Reasonable assurance audits include assessing risks, performing audit procedures to respond to the assessed risks, and evaluating the sufficiency and appropriateness of the evidence obtained. In performing a limited assurance review, procedures are usually limited to analytical procedures and inquiries. The nature, timing and extent of procedures performed in both reasonable assurance audits and limited assurance reviews are determined by public sector auditors applying professional judgment. A limited assurance review may be appropriate for subject matters across entities, which may involve more complex issues than subject matters within a specific entity.

18. These guidelines apply to auditing tasks where the purpose is to obtain sufficient appropriate evidence to support the findings. The conclusion may be expressed in a formalized statement of assurance or in a more elaborated form.

2.3 Assertion Based Reporting vs. Direct Reporting

19. In some cases, management at the audited entity may prepare a specific assertion or a statement of compliance. In other instances the assertion may be implicit.


20. For example, in compliance audits performed as a separate audit task or together with performance audits, the assertion could be a statement of compliance with laws or regulations, a statement of compliance with the terms of a contract, or a statement as to the effectiveness of a specific process or system. An example of an implicit assertion may be when key performance indicators are subject to audit and they are presented on the inherent assumption that there has been no undisclosed non-compliance in achieving the levels of performance as set out in the key performance indicators.

21. In many public sector audits, there are no specific assertions or statements of compliance that the audited entity makes available to users. Rather, the subject matter information is embedded in the auditor's report – either in the form of data/information or as an explicit statement in the form of a conclusion. These types of audits are referred to as direct reporting audits. Audit findings are reported in an appropriate manner to relevant parties such as the audited entity and the legislature. Reports are usually made available to the general public.

22. The form of reporting may vary depending on the auditor's professional judgment as to how to communicate most effectively with the intended users. Reports may be either short-form or long-form reports. More guidance on reporting is set out in the reporting section of this document.

23. These guidelines are developed based on direct reporting audits, but may be applied to assertion based reporting as appropriate.

3. Objectives to be Achieved

24. The particular objectives of a compliance audit must be tailored to the circumstances, based on the subject matter and criteria involved. In general, the objectives of public sector auditors in performing compliance audits are to:

a) Gather sufficient appropriate audit evidence to conclude whether the information on a particular subject matter is in compliance, in all material respects, with a particular set of criteria, and

b) Report the findings and conclusions to the legislature and/or other bodies as appropriate.

25. For SAIs representing the Court of Accounts system, the objective is also to communicate compliance deviations to the appropriate bodies or open the process leading to a formal judgment in aspects related to the judicial function of the courts such as identification of the responsible authority/agent and determination of any potential offence.


4. Definitions

26. For purposes of these guidelines the following terms have the meanings set out below:

1. Assertion – a representation, explicit or implicit, that is embodied in the activities, financial transactions and information pertaining to the audited entity, used by the auditor in considering different types of potential deviations. In the context of compliance audit, the compliance assertion would mean that the entity, including responsible public sector officials, is acting in accordance with applicable authorities (and for audits of propriety – relevant public expectations). Assertions may be embodied in subject matter information presented by the audited entity or stated explicitly in a management representation letter.

2. Authorities – Relevant acts or resolutions of the legislature or other statutory instruments, directions and guidance issued by public sector bodies with powers provided for in statute, with which the audited entity is expected to comply. These elements are sometimes collectively referred to as 'legislative authorities' or just 'authorities'. This should not be confused with 'authorities' in the sense of bodies or persons exercising power or command such as 'law enforcement authorities' or 'regulatory authorities'. Where the intention is to refer to such bodies or persons, they are referred to specifically as 'law enforcement authorities', 'regulatory authorities', etc.

3. Compliance audit – compliance audit deals with the degree to which the audited entity follows rules, laws and regulation, policies, established codes, or agreed upon terms and conditions, etc. Compliance auditing may cover a wide range of subject matters. In general, the purpose of a compliance audit is to provide assurance to intended users about the outcome of the evaluation or measurement of a subject matter against suitable criteria.

In performing compliance audits in the context of the INTOSAI Fundamental Auditing Principles, there are two concepts of significant relevance:

a) Regularity – the concept that activities, transactions and information pertaining to an audited entity are in accordance with authorising legislation, regulations issued under governing legislation and other relevant laws, regulations and agreements, including budgetary laws, and are properly sanctioned.


b) Propriety – general principles of sound public sector financial management and conduct of public sector officials.

Depending on the mandate of the SAI, a compliance audit may be an audit of regularity, or propriety, or both.

Because propriety is not readily susceptible to objective verification, it may be difficult, and in some cases impossible, to audit propriety to a level of reasonable assurance. There are often no clear and objective benchmarks against which to measure propriety – what may be acceptable in one part of the public sector may not be acceptable elsewhere.

Where SAIs have a mandate to audit propriety, criteria may not be clearly defined at the outset. The issue of suitable criteria is addressed in more detail in the following sections of this document. Where the audit mandate requires an audit of propriety, the principles outlined in these guidelines may be applied as appropriate in the circumstances. The form and content of reports on propriety may vary depending on the mandate of the SAI and the particular circumstances.

4. Compliance deviation – The audited entity's failure to comply with:

a) Authorities – for compliance audits of regularity; or

b) General principles for sound public sector financial management and conduct of public sector officials – for compliance audits of propriety.

5. Conclusion – The auditor's report on compliance subject matters normally contains a conclusion based on the audit work performed. When compliance audit is performed together with the audit of financial statements, the conclusion may take the form of an opinion (see Opinion). The conclusion may also be expressed as a more elaborated answer to specific audit questions.

6. Legislature – The law-making authority of a country, for example a parliament. In the context of compliance audit, the legislature may also include other public sector bodies with authority for budget legislation or resolutions.

7. Opinion – The auditor's report on the financial statements may contain a clear written expression of opinion on compliance in addition to the opinion on the financial statements. An unqualified opinion may be expressed when the auditor concludes that, in all material respects, the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

8. Stakeholders – persons, groups, organizations or other types of entities with a concern or interest in public sector activities and operations, funding of public sector entities and the successful delivery of publicly funded programs.

5. Initial Considerations

5.1 Ethical Considerations

27. The Fundamental Auditing Principles set out principles with ethical significance that are taken into consideration prior to commencing the audit (ISSAI 200, 2.2.1). These principles relate to:

a) The independence of the SAI and the auditor, including political neutrality;

b) Avoidance of conflict of interest between the auditor and the audited entity;

c) The need for the auditor and the SAI to possess the necessary competence;

d) Exercise of due care and concern by the SAI and the auditor in complying with the Fundamental Auditing Principles.

28. If for some reason, the SAI or the auditor is not in a position to comply with the Fundamental Auditing Principles that have ethical significance, appropriate actions are taken to ensure that the threats to non-compliance are eliminated before commencing the audit. This may, for example, involve re-allocating staff assigned to the audit, additional training or involvement of experts.

29. Additional guidance may also be found in:

• INTOSAI's Code of Ethics

• INTOSAI's Implementation Guidelines for Performance Auditing Section 2.2 and 2.3

• IFAC's ISAE 3000

5.2 Quality Control

30. As with other types of auditing, it is important in performing compliance audits that the SAI have processes and procedures in place to ensure that the work carried out is of sufficient quality, that the public sector auditors performing such audits collectively have the necessary competence and skills, and that the work of the team is appropriately directed, supervised and reviewed. INTOSAI's Fundamental Auditing Principles establish benchmarks and provide guidance for ensuring the quality of work (ISSAI 200, 2.1.26 and 2.2.36).

31. Further guidance on quality control may be found in:

• INTOSAI's [proposed] Code of Quality and ISSAI 1220

• INTOSAI's Implementation Guidelines for Performance Auditing Appendix 4

• IFAC's International Standard on Quality Control (ISQC) 1

• IFAC's ISAE 3000

6. Planning and Designing a Compliance Audit

32. The Fundamental Auditing Principles state that the auditor should plan the audit in a manner which ensures that an audit of high quality is carried out in an economic, efficient and effective way and in a timely manner (ISSAI 300 3.1.1). Furthermore, those planning the audit need to be knowledgeable of the compliance requirements that apply to the entity being audited (ISSAI 300, 3.4.3).

33. Public sector auditors plan and perform audits while maintaining an attitude of professional skepticism.

6.1 Identification of the Parties Involved / Legal Basis

34. Public sector auditors ensure that the necessary preconditions exist in order to effectively perform the audit. In planning compliance audits, this may involve identifying at the outset the relevant parties involved. This is important in order to establish the legal basis for performing the audit, such as the mandate of the SAI, including the responsibilities of public sector auditors, and the constitutional status and responsibilities of the audited entity.

35. In addition, it is important to identify the users of the audit report. The form and content of the report are influenced by the auditor's professional judgment as to how to communicate most effectively with the intended users. The needs of users may vary depending upon whether the users are the legislature, a funding agency, a donor organisation, the citizens or other relevant stakeholders.


6.2 Subject Matter and Subject Matter Information

36. The determination of the subject matter and the subject matter information is one of the first steps to be carried out in planning and performing a compliance audit.

37. Subject matters take many forms and have many different characteristics. Subject matters may be general or very specific in nature. Some are quantitative and can often be easily measured (for example financial performance or condition), while others are qualitative and more subjective in nature (for example behaviour). Nonetheless, the subject matter should be identifiable and it should be possible to assess the subject matter against suitable criteria. Furthermore, the subject matter should be of a nature such that it is possible to gather sufficient evidence about the subject matter information to support a conclusion.

38. In some cases the subject matter may be set out in the relevant law or audit mandate. In other cases the selection of the subject matter is a strategic choice to be made by the SAI or public sector auditors, and is based on risk assessment and professional judgment.

39. When compliance audit encompasses budgetary laws, or other relevant budgetary resolutions, the entity's revenue and financing are included, as well as its expenditure.

40. A SAI's mandate may also encompass audits of compliance with the documented budgetary assumptions and premises, prior to the applicable resolution of the legislature.

41. Some examples of subject matters and subject matter information in relation to compliance auditing are set out in Appendix 1.

6.3 Criteria

42. The criteria, or the benchmarks against which the subject matter will be compared, must also be identified. In performing compliance audits, the identification of the criteria is an essential step in the audit planning process. Some examples of criteria in relation to compliance auditing are set out in Appendix 1.

43. Criteria may be formal, such as a law or regulation, ministerial directive or the terms of a contract or agreement. Criteria may also be less formal, such as a code of conduct or principles of propriety, or they may relate to expectations regarding behaviour, for example what may be considered acceptable in regard to class of travel or levels of hospitality and entertainment at government expense if such limits are not explicitly stated elsewhere. Administrative guidelines used as criteria should be in compliance with laws and regulations. The sources used as a basis for the audit criteria can themselves be part of the compliance audit.

44. The criteria should be suitable. This means that the criteria should have the following characteristics:

a) Relevant – relevant criteria provide meaningful contributions to the information and decision making needs of the intended users of the audit report

b) Reliable – reliable criteria result in reasonably consistent conclusions when used by another auditor in the same circumstances

c) Complete – complete criteria are those that are sufficient for the audit purpose and do not omit relevant factors. They are meaningful and make it possible to provide the intended users with a practical overview for their information and decision making needs.

d) Objective – objective criteria are neutral and free from any bias on the part of the auditor or on the part of management of the audited entity. This means that criteria cannot be so informal that assessment of the subject matter information against the criteria would be very subjective, and may lead other public sector auditors to reach a very different conclusion.

e) Understandable – understandable criteria are those that are clearly stated, contribute to clear conclusions and that are comprehensible to the intended users. They are not subject to wide variations in interpretation.

f) Comparable – comparable criteria are consistent with those used in similar audits of other similar agencies or activities, and with those used in previous audits of the entity

g) Acceptable – acceptable criteria are those to which independent experts in the field, audited entities, the legislature, the media and the general public are generally agreeable

h) Available – criteria should be made available to intended users such that they understand the nature of the audit work performed and the basis for the audit report

45. Criteria include matters that may have a significant impact on the objective of a particular audit. Therefore, in performing compliance audit, public sector auditors determine that the criteria are suitable and relevant to the subject matter and the objectives of the particular audit being performed. Once suitable criteria have been identified based on the characteristics set out above, they then must be appropriately 'operationalised' for the particular circumstances of each audit so as to be able to reach meaningful audit conclusions.

46. The determination of criteria can be straightforward, but in some cases the identification may be more complex. In some cases public sector auditors may find checklists a helpful means of gaining an overview of the suitable criteria to be used. Public sector auditors use a number of sources to assist in the identification of criteria. Some examples of such sources are set out in Appendix 2.

47. In many compliance audits, the applicable criteria will be clearly identifiable. This may be the case where a clear and uncomplicated law or regulation forms the criteria. The documented intentions or premises for resolutions of the legislature may also assist the auditor in identifying the appropriate criteria.

48. If situations arise where there may be doubt as to what is the correct interpretation of the relevant law, regulation or authority, public sector auditors may find it useful to consider the intentions and premises set out in developing the law, or to consult with the particular body responsible for the legislation. The auditors may also consider relevant earlier decisions made by judicial authorities.

49. However, when propriety is the subject matter of the compliance audit, the criteria may become more difficult to identify as they may be less formal and may include public expectations in regard to the actions and behaviour of public officials. In these cases, public sector auditors must be more thorough in their work to identify suitable criteria. The need to identify suitable criteria does not preclude public sector auditors from reporting identified breaches of what may be considered acceptable behaviour by public officials, if circumstances so warrant.

50. In the process of identifying suitable criteria, public sector auditors consider materiality related to the risk of potential non-compliance for each topic subject to audit (budgetary law, other specific laws, terms of a contract etc, as well as propriety where relevant). Materiality considerations include both quantitative aspects (size) and qualitative aspects (nature and characteristics).


51. Public sector auditors ensure that the criteria to be used adequately reflect the topic subject to audit in its entirety. In rare cases, where the audit may be of limited scope and may only cover certain parts of a law or regulation, this limited scope should be clearly stated in the auditor's report. If public sector auditors make use of guidelines, checklists or other material provided by the audited entity or other administrative authorities for the purpose of identifying the suitable audit criteria, they must take due care in assuring through appropriate audit procedures that the material used adequately reflects the applicable law, regulation, etc.

52. In some cases, provisions of relevant legislation may be unclear, for example where an act of legislation provides that more specific provisions should be set out by the relevant administrative body and these provisions have not yet been developed. In such cases, public sector auditors clearly state in the audit report what they believe the relevant legislation requires, or that the scope of the audit has been limited and the reasons for this limitation. For example, the report may state that insufficient clarity of law has limited the audit criteria applied and that there is a need for remedial measures to be taken.

53. In some rare cases, the criteria may be conflicting, for example when there is a conflict between different sources of law and the issue has not been solved by the relevant administrative or judicial authorities. In such cases it is very important to understand the intentions behind the particular criteria and to identify any consequences arising from such conflict. It may also be necessary to elaborate on instances of conflicting criteria in the auditor's report such that remedial measures may be taken by the appropriate bodies.

54. Approaches to help identify suitable criteria in these types of dilemmas may include:

a) Applying a ‘theoretical’ approach, by allowing experts in the field to answer questions such as: 'what ought to be the ideal results under perfect conditions according to rational thinking or best-known comparable practice?' or

b) Defining and obtaining support for well-founded and realistic criteria by applying an ‘empirical’ approach involving discussions with stakeholders and decision makers

55. The audit approach may also be broken down into parts, or the scope narrowed, such that clearly identifiable criteria may be applied.


56. Notwithstanding the above, the criteria should be made available to the intended users and others as appropriate, for example by including the criteria in the auditor's report, or making reference to the criteria if they are readily available in another format.

57. In situations where the audit criteria are, for whatever reason, not considered suitable, the SAI may encourage the appropriate bodies to formulate clearly the general principles to be followed in public sector entities for such matters.

6.4 Understanding the Audited Entity and its Environment

58. Determining the subject matter and suitable criteria as explained above are among the first steps in performing compliance audits. The process of determining the subject matter and the criteria involves public sector auditors obtaining an understanding of the audited entity and the circumstances surrounding the audit. This understanding provides public sector auditors with a frame of reference to be used in applying professional judgment throughout the entire auditing process. An understanding of the entity, its environment and relevant program areas is especially important as it will be used in determining materiality and in assessing risks. Some examples of sources that may be used in gaining this understanding are set out in Appendix 2.

59. According to ISSAI 4000, paragraph 5, the Compliance Audit Guidelines cover compliance audit at all levels of government. As a consequence, the guidelines are applicable as appropriate for a combination of entities for which an audit across the entities is planned and performed. The auditor(s)'s responsibility for the audit across entities should be clearly set out.

6.5 Audit Strategy and Plan

60. Planning the audit so that it will be performed effectively involves discussions with relevant members of the audit team, and developing an overall audit strategy and an audit plan. Both the audit strategy and the audit plan should be documented in writing. Planning is not a distinct phase of the audit, but is a continual and iterative process. The overall audit strategy and plan are updated as necessary throughout the audit. Planning also involves considerations related to the direction, supervision and review of the engagement team.

61. In establishing the overall audit strategy for the compliance audit, public sector auditors consider:

a) The objectives, scope, subject matter, criteria and other characteristics of the compliance audit, taking into account the mandate of the SAI and the elements contained in the compliance audit definition;

b) Reporting responsibilities and objectives, as well as to whom and when such reporting will take place, and in what form;

c) Significant factors that may influence the direction of the audit;

d) Materiality and audit risk assessment;

e) Knowledge gained from previous or related audits;

f) Composition and work allocation of the audit team, including any need for experts;

g) Timing of the audit.

62. Public sector auditors develop an audit plan for the compliance audit. The audit strategy is essential input to the audit plan. The audit plan includes:

a) A description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework;

b) A description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria;

c) A description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.

63. Planning also involves:

a) Obtaining a general understanding of the legal, regulatory and appropriations framework, as well as relevant, agreed upon terms and conditions applicable to the scope of the audit and to the audited entity;

b) Obtaining an understanding of management's assessment of applicable laws and regulations including management's internal controls that help ensure compliance with authorities;

c) Obtaining an understanding of the relevant authorities, including rules, laws, regulations, policies, codes, significant contracts or grant agreements etc; and

d) For audits of propriety – obtaining an understanding of relevant principles of sound public sector financial management and expectations regarding the conduct of public sector officials.

64. Further guidance on audit planning and on audit criteria may be found in:

• ISSAIs 1210 and 1300

• INTOSAI's Implementation Guidelines for Performance Auditing Part 3 and Appendix 2

• IFAC's Assurance Framework and ISAE 3000

6.6 Understanding Internal Control at the Audited Entity

65. Understanding internal control is normally an integral part of understanding the entity and the relevant subject matter. The Fundamental Auditing Principles explain that in performing an audit, public sector auditors understand and evaluate the reliability of internal control (ISSAI 300, 3.3.1). In compliance audit, this includes understanding and evaluating controls that assist management in complying with laws and regulations (ISSAI 300, 3.3.2).

66. The particular type of controls evaluated depends on the subject matter, and the nature and scope of the particular compliance audit. In evaluating internal control, public sector auditors assess the risk that the control structure may not prevent or detect material non-compliance (ISSAI 300, 3.4.6). The internal control system in an entity may also include controls designed to correct identified instances of non-compliance. Public sector auditors obtain an understanding of internal control relevant to the audit objective, and test controls on which they expect to rely. The assurance derived from the assessment of the internal controls will help the auditors determine the confidence level and hence, the extent of the audit procedures to perform.

67. Further guidance on understanding the audited entity may be found in:

• ISSAI 1315
• INTOSAI's Implementation Guidelines for Performance Auditing Section 3.3, Subsection - Understanding the program and Appendix 1, Subsection 2 - Formulating the audit question or defining the audit problem
• INTOSAI Guidelines for Internal Control Standards for the Public Sector
• IFAC's ISAE 3000

6.7 Materiality

68. Materiality consists of both quantitative and qualitative factors. In performing compliance audits, materiality is determined for:

a) Planning purposes ;
b) Purposes of evaluating the evidence obtained and the effects of identified instances of non-compliance ; and
c) Purposes of reporting the results of the audit work.

69. Public sector auditors plan and perform the audit to determine whether the subject matter information, in all material respects, is in compliance with the stated criteria.

70. As stated in the Fundamental Auditing Principles, 'Materiality is often considered in terms of value but the inherent nature or characteristics of an item or group of items may also render a matter material--for example, where the law or regulation requires it to be disclosed separately regardless of the amount involved.' (ISSAI 100, 1.0.10) Furthermore, the principles explain that in cases where compliance audit is carried out in relation to performance auditing, materiality by nature or by context is a more important consideration than materiality by amount (ISSAI 400, 4.0.29).

71. During the planning process, information is gathered about the entity in order to assess risk and establish materiality levels for designing audit procedures. Evidence gathered must then be evaluated as a basis for forming conclusions and for reporting purposes. Materiality is significant to this evaluation.

72. The determination of materiality for planning purposes may be straightforward. This might be the case in situations where a law or regulation, or agreed-upon terms, establish an unconditional requirement for compliance, for example if the constitution prohibits overspending in relation to the approved budget.

73. Other matters that may be considered material at a lower level of value or incidence than the general determination of materiality include:

1. Fraud ;
2. Intentional unlawful acts or non-compliance ;
3. Incorrect or incomplete information to management, the auditor or to the legislature (concealment) ;
4. Intentional disregard for follow-up of requests made by management, authoritative bodies or auditors ;
5. Events and transactions made despite knowledge of the lack of legal basis to carry out the particular event or transaction.

74. In other cases the determination of materiality is normally a matter for professional judgment.

75. When evaluating evidence obtained, the determination of materiality may be influenced by quantitative factors such as the number of persons or entities affected by the particular subject matter, or the monetary amounts involved. In some cases, the qualitative factors are more important than the quantitative factors. The nature, visibility and sensitivity of the particular program area or subject matter may play a role. For example, the emphasis placed on the subject matter by users, a public accounts committee or similar committee of the legislature, or regulatory bodies may influence the determination of materiality. Public expectations and public interest are also qualitative factors that may impact the public sector auditor's determination of materiality. The seriousness of the non-compliance is also considered. While not necessarily unlawful, instances of excess spending over appropriations authorized by the legislature or introduction of a new service not provided for in the approved appropriations, may be serious instances of non-compliance by their nature.

76. In evaluating the materiality of any non-compliance identified, matters such as the criteria, the conditions, the cause and the effect of non-compliance are also considered.

77. Further guidance on materiality in relation to identified non-compliance is discussed in the section on Evaluating Evidence and Forming Conclusions below.

78. Further guidance on materiality may be found in:

• ISSAIs 1320 and 1450
• INTOSAI's Implementation Guidelines for Performance Auditing Section 5.3, Subsection – Materiality, relevance and objectivity, and Appendix 3 part 1.2, Subsection - Sufficiency of evidence
• IFAC's ISAE 3000

6.8 Risk Assessment

79. Risk assessment is an essential part of performing a reasonable assurance audit. Due to the inherent limitations of an audit, a compliance audit does not provide a guarantee or absolute assurance that all instances of non-compliance will be detected. Inherent limitations in a compliance audit may include factors such as:

a) Judgment may be applied by management in interpreting laws and regulations ;
b) Human errors occur ;
c) Systems may be improperly designed or function ineffectively ;
d) Controls may be circumvented ;
e) Evidence may be concealed or withheld.

80. In performing compliance audits, public sector auditors assess risk and perform audit procedures as necessary throughout the audit. This is done in order to reduce audit risk to an acceptably low level in the particular circumstances, so as to obtain reasonable assurance as the basis for the auditor's conclusion.

81. The risks and the factors that may give rise to such risks will vary depending on the particular subject matter and circumstances of the audit. In general, public sector auditors consider the three elements of audit risk - inherent risk, control risk and detection risk in relation to the subject matter and the particular situation. In addition, the probability that the matter will occur, and the possible consequences arising if the matter should occur, are also taken into account in assessing risk.

6.8.1 Risk Assessment Considerations in regard to Fraud

82. As part of the audit, public sector auditors identify and assess fraud risk and gather sufficient appropriate evidence related to identified fraud risks through the performance of suitable audit procedures. When suspected fraud has been identified, public sector auditors take action to ensure that they respond appropriately based upon the mandate of the SAI and the particular circumstances.

83. Fraud risks and assessments of materiality in relation to fraud are considered in the context of the broader scope of public sector auditing. Examples of areas and situations that may typically give rise to fraud risks in the public sector include:

a) Grants and benefits to third parties ;
b) Procurement ;
c) Exercise of public officials' duties and power ;
d) Intentional misstatement or misrepresentation of results or information ;
e) Privatization of government entities ;
f) Relationships between public sector officials or entities.

6.8.2 Risk Assessment Considerations in regard to Relationships between Public Sector Entities

84. Relationships between various public sector entities are considered when assessing audit risk, and especially when assessing the risk of fraud or non-compliance. Such risks may, for example, relate to one entity exerting influence over another entity to take inappropriate actions. The result of these actions may be non-compliance with authorities, and in some cases the result may be an unlawful act. Furthermore, in the public sector there may be specific requirements related to activities and transactions between various public sector entities. There may also be specific reporting requirements related to such activities or transactions that may impact the planned audit procedures, the audit conclusion or the auditor's report.

85. Examples of factors related to assessing risk in compliance audits are set out in Appendix 3. In addition, an illustrative example of risk factors related to a compliance audit of procurement is set out in Appendix 4.

86. Further guidance on risk assessment, and fraud risk may be found in:

• ISSAIs 1240, 1315 and 1550
• INTOSAI's Implementation Guidelines for Performance Auditing Part 3.2, Subsection - Risks or uncertainties
• IFAC's Assurance Framework and ISAE 3000

6.9 Planning Audit Procedures

87. Planning audit procedures involves designing procedures to respond to the identified risks of non-compliance. The exact nature, timing and extent of the audit procedures to be performed may vary widely from one audit to the next. Nonetheless, compliance audit procedures in general involve establishing the relevant criteria, i.e., the authorities which govern the entity, and then measuring the relevant subject matter information against such authorities. More information on audit procedures is provided in the section on performing compliance audits and gathering evidence below.

7 Performing Compliance Audits and Gathering Evidence

88. The Fundamental Auditing Principles state that public sector auditors choose and perform audit steps and procedures that, in their professional judgment, are appropriate in the circumstances. (ISSAI 300, 3.4.5). The Fundamental Auditing Principles also state that the steps and procedures are designed to obtain sufficient, competent, and relevant evidence that will provide a reasonable basis for the auditor's judgments and conclusions (ISSAI 300, 3.5.1). Evaluating the entity's internal control systems and assessing the risks that the control systems may not prevent or detect instances of non-compliance are a normal part of performing compliance audits (ISSAI 300 3.4.6).

89. The audit procedures to be performed will depend on the particular subject matter and criteria identified, as well as the auditor's professional judgment. The procedures should be clearly linked to the identified risks. When the risks of non-compliance are significant and public sector auditors plan to rely on the controls in place, such controls must be tested. When controls are not considered reliable, public sector auditors plan and perform substantive procedures to respond to the identified risks. Furthermore, additional substantive procedures are performed when there are significant risks of non-compliance. If the audit approach consists only of substantive procedures, tests of details (not only analytical tests) are performed.

90. In some rare cases it may be difficult or almost prohibitively expensive to obtain sufficient, appropriate audit evidence in order to form conclusions. In these cases, public sector auditors must consider the relationship between the costs and the benefits of gathering the evidence, as well as the consequences that a lack of sufficient appropriate evidence will have on the achievement of the audit objectives and on the auditor's report. The auditor's response to this situation may vary in the circumstances depending on the mandate, public interest considerations, public expectations and the ability to report such findings. The auditor may find it necessary to report on this matter specifically to the legislature or other intended users. However, such difficulty or expense is not, in itself, sufficient grounds for omitting the planned evidence-gathering procedures, even if there are no satisfactory alternative procedures.

91. Some examples of compliance audit procedures for selected subject matters are set out in Appendix 5.

7.1 Gathering and Evaluating Evidence

92. In performing a reasonable assurance audit, public sector auditors gather sufficient appropriate audit evidence to provide a basis for the auditors' conclusions. The Fundamental Auditing Principles state that 'competent, relevant and reasonable evidence should be obtained to support the auditor's judgment and conclusions regarding the organisation, program, activity or function under audit' (ISSAI 300, 3.5.1).

93. The sufficiency of evidence relates to the quantity of the evidence. The competence, relevance, reliability and appropriateness of evidence relate to the quality of the evidence. Public sector auditors exercise professional judgment in making the determination of sufficiency and appropriateness throughout the evidence gathering process.

94. The evidence gathering process is systematic and iterative and involves:

a) Gathering evidence by performing appropriate audit procedures ;
b) Evaluating the evidence obtained as to its sufficiency (quantity) and appropriateness (quality) ;
c) Re-assessing risk and gathering further evidence as necessary.

95. The evidence gathering process continues until the public sector auditor is satisfied that sufficient, appropriate evidence exists to provide a basis for the auditor's conclusion.

96. In many cases, audit sampling may be used as a means of testing to detect instances of non-compliance with authorities. The use of IT audit techniques is often helpful and in many cases is an integrated part of a compliance audit.

97. Audit evidence is gathered using a variety of techniques such as:

a) Observation
b) Inspection
c) Inquiry
d) Re-performance
e) Confirmation
f) Analytical procedures.

98. Procedures to gather audit evidence are generally grouped into two major categories:

a) Tests of controls ;
b) Substantive tests, such as analytical procedures or tests of details.

7.1.1 Observation

99. Observation involves looking at a process or procedure being performed. In performing a compliance audit, this may include looking at how a bid tendering process is carried out or observing how benefit payments are processed.

7.1.2 Inspection

100. Inspection involves examining books, records and other case files or physical assets. In performing a compliance audit, inspection may include examining the books and records to determine how project funds have been accounted for and comparing the accounting to the terms of the project agreement. Inspection of case files may involve examining all relevant documents to determine if recipients of benefits met eligibility requirements. Inspection may also involve examining an asset, such as a bridge or a building, to determine if it meets the applicable building specifications.

101. Public sector auditors consider the reliability of any documents inspected and keep in mind the risk of fraud and the possibility that documents inspected may not be authentic. In cases of fraud, sometimes two different sets of books and records have been kept. Public sector auditors may also inquire with different persons as to the source of the documents, or the controls over their preparation or maintenance.

7.1.3 Inquiry

102. Inquiry involves seeking information from relevant persons, both within and outside the audited entity. Inquiry may range from formal written inquiries to more informal oral discussions. It may involve interviewing and asking questions of relevant persons, including experts. Such interviews may take place in person or virtually (for example phone calls or web-meetings). Inquiry may also involve preparing and sending questionnaires or surveys.

103. Inquiry is generally used extensively throughout an audit and complements other audit procedures. For example, when observing processes being performed, such as the benefits payment process mentioned above, inquiries are often made of relevant persons in regard to how relevant legislation, including changes and updates, is identified and interpreted. Results of inquiries may indicate that the processes are performed in different ways in different locations, which may lead to instances of non-compliance.

104. Inquiries are often made of persons outside the particular function subject to audit. For example, in addition to making inquiries of accounting personnel, it may also be relevant to make inquiries of legal or technical personnel.

105. Inquiry is generally not sufficient appropriate evidence on its own. In order to obtain sufficient appropriate evidence, inquiry is performed together with other types of procedures. Inquiry is most effective when conducted with relevant and knowledgeable persons, i.e., persons in positions of authority who are authorised to speak or give opinions on behalf of the entity.

7.1.4 Confirmation

106. Confirmation is a type of inquiry and involves obtaining, independently from the audited entity, a reply from a third party in regard to some particular information. In compliance audits, confirmation may involve the auditor obtaining feedback directly from beneficiaries that they have received the grants or other funds that the audited entity asserts have been paid out, or confirming that funds have been used for the particular purpose set out in the terms of a grant or funding agreement. Confirmation may also involve receiving guidance from the legislature as to how a specific piece of legislation is meant to be interpreted.

107. Written confirmations may also be obtained from management in regard to oral representations made during the audit. These written management representations may, for example, relate to:

a) Management's assertion of compliance with a relevant piece of legislation, the terms of an agreement, etc ;

b) Management's disclosure of all instances of non-compliance of which it is aware ;

c) Management having provided the auditor with complete information about the subject matter.

7.1.5 Re-performance

108. Re-performance involves independently carrying out the same procedures already performed by the audited entity. Re-performance may be done manually or by computer assisted audit techniques. For example, case file studies may be performed to test whether the audited entity made the correct decisions or provided the appropriate service in accordance with the relevant criteria. Process steps may be re-performed to test the appropriateness of visas or resident permits issued, or the exercise of budget authority. If the criteria for making child benefit payments involve payments to parents with children under a certain age, the audited entity's selection of recipients from a public database may be re-performed by public sector auditors using computer assisted audit techniques to test the accuracy of the entity's process. Also, if the selection of bids from a tender process is dependent upon meeting certain criteria, the bid selection process may be re-performed to test that the correct bids have been selected. Where highly technical matters are involved (for example re-performance of pension calculations or engineering models), experts may be involved.

7.1.6 Analytical Procedures

109. Analytical procedures involve comparing data, or investigating fluctuations or relationships that appear inconsistent. In compliance auditing, such procedures may, for example, involve comparing an increase in pension benefits payments from one year to the next with demographic information such as the number of citizens having reached retirement age within the last year. If the criteria relate to the terms of an agreement which state, for example, that project funding is provided based on performance levels such as the number of job placements made, then any changes in project funding might be compared to changes in employment statistics.

110. Regression analysis techniques or other mathematical methods may assist public sector auditors in comparing actual to expected results.

111. Further guidance related to evidence and evidence gathering procedures may be found in:

• ISSAIs 1330, 1450, 1500, 1505, 1520, 1530, 1610 and 1620
• INTOSAI's Implementation Guidelines for Performance Auditing Part 4 and Appendix 3
• IFAC's Assurance Framework and ISAE 3000

7.2 Documentation

112. The Fundamental Auditing Principles state that audit evidence gathered must be adequately documented (ISSAI 300, 3.5.5 and 3.5.6). Documentation in regard to compliance audits includes documenting sufficiently matters that are significant in providing evidence to support the conclusions drawn and the report issued. The audit documentation should be sufficiently complete and detailed to enable an experienced auditor, having no previous connection with the audit, to understand what work was performed in support of the conclusions (ISSAI 300, 3.5.7).

113. Documentation takes place throughout the entire audit process. Public sector auditors prepare compliance audit documentation on a timely basis, and maintain such documentation which records the criteria used, the work done, evidence obtained, judgments made and review performed. Public sector auditors prepare relevant audit documentation before the auditor's report is issued. Audit documentation is retained for an appropriate period of time.

114. Further relevant guidance for documenting compliance audits may be found in:

• ISSAI 1230
• INTOSAI's Implementation Guidelines for Performance Auditing Appendix 3
• IFAC's ISAE 3000

7.3 Communications

115. Good communication with the audited entity throughout the audit process may help make the process more effective and constructive. Communication takes place at various phases and at various levels, for example:

a) During the initial planning phase, including discussing with the appropriate level of management, and those charged with governance as appropriate - within the limits of laws and regulations - the audit strategy, timing, logistics, responsibilities, suitable audit criteria and other elements of planning ;

b) During the performance phase and throughout the audit, including gathering evidence and making inquiries of relevant persons as appropriate. Any significant difficulties encountered during the audit, as well as instances of material non-compliance are promptly communicated to the appropriate level of management, or to those charged with governance. Other less significant findings that are not deemed material, or do not warrant inclusion in the public sector auditor's report, may also be communicated to management during the audit. Communicating such less significant findings may also help the audited entity to remedy instances of non-compliance and avoid similar instances in the future. For this reason, many public sector auditors communicate all identified instances of non-compliance to management;

c) During the reporting phase, including issuing written reports on a timely basis to the intended users, the audited entity and others as appropriate.

116. Some SAIs can, according to their audit mandate, order the audited entity to correct identified instances of non-compliance. In doing so, public sector auditors determine whether their independence and objectivity will be impaired, and take appropriate action to avoid such impairment.

117. Further relevant guidance on communication may be found in:

• ISSAI 1260
• INTOSAI's Implementation Guidelines for Performance Auditing Appendix 4
• IFAC's ISAE 3000

7.4 Considerations related to the Reporting of Suspected Unlawful Acts

118. While detecting potential unlawful acts, including fraud, is normally not the main objective of performing a compliance audit, public sector auditors do include fraud risk factors in their risk assessments, and remain alert for indications of unlawful acts, including fraud, in carrying out their work.

119. In performing compliance audits, if public sector auditors come across instances of non-compliance which may be indicative of unlawful acts or fraud, they exercise due professional care and caution so as not to interfere with potential future legal proceedings or investigations. Public sector auditors may consider consulting with legal counsel or appropriate regulatory authorities (ISSAI 300, 3.4.7). Furthermore, they may communicate their suspicions to the appropriate levels of management or to those charged with governance, and then follow up to ascertain that appropriate action has been taken. In regard to instances of non-compliance related to fraud or serious irregularities, because of the different mandates and organisational structures that exist internationally, it is up to the SAI to determine the appropriate action to be taken (ISSAI 400, 4.0.7b).

120. Due to the inherent limitations of an audit, there is an unavoidable risk that unlawful acts, including fraud, corruption or theft may occur and not be detected by public sector auditors. Fraud may consist of acts designed to intentionally conceal its existence. There may be collusion between management, employees or third parties, or falsification of documents. For example, it is not reasonable to expect public sector auditors to identify forged documentation in support of claims for grants and benefits, unless they are reasonably obvious forgeries. In addition, public sector auditors may not have investigative powers or rights of access to individuals or organisations making such claims.

121. Only a court of law can determine whether a particular transaction is illegal. Although public sector auditors do not determine if an illegal act has occurred, they do have a responsibility to assess whether the transactions concerned are in compliance with applicable laws and regulations.

122. Fraudulent transactions are, by their nature, not in compliance with the applicable law. Public sector auditors may also determine that transactions where fraud is suspected, but not yet proven, are not in compliance with the applicable law. Material unlawful acts normally result in a modified audit conclusion.

123. If suspicion of unlawful acts arises during the audit, public sector auditors, where permitted by law, may communicate to the appropriate levels of management and those charged with governance. In this case, those charged with governance are likely to be ministerial or administrative bodies higher up in the reporting hierarchy. Public sector auditors follow up and ascertain that management or those charged with governance have taken appropriate action in response to the suspicion, for example by reporting the incident to the relevant law enforcement authorities. Public sector auditors may also report such incidents directly to the relevant law enforcement authorities.

124. Further guidance on considerations when dealing with suspected fraud may be found in :

• ISSAI 1240
• INTOSAI's Implementation Guidelines for Performance Auditing Part 3, Subsection – Compliance with laws and regulations

8. Evaluating Evidence and Forming Conclusions

8.1 General Considerations on Evaluating Evidence and Forming Conclusions

125. Public sector auditors evaluate whether the evidence obtained is sufficient and appropriate so as to reduce audit risk to an acceptably low level. This evaluation includes exercising professional judgment and professional skepticism, and consideration of evidence that both supports, and seems to contradict, the subject matter information.

126. Evidence obtained is evaluated in relation to identified materiality levels in order to identify potential instances of material non-compliance. Determining the significance of findings is based on the concept of materiality as set out above. Findings from compliance audits must also be placed in proper perspective, for example reported instances of non-compliance may be based on the number of cases of non-compliance or the related monetary value (ISSAI 400, 4.0.19). SAIs operating in a Court of Accounts environment have the ability to render judgment on the accounts. In cases of non-compliance, this may result in imposing reimbursements, fines or other penalties.

127. Public sector auditors evaluate whether, based on the evidence obtained, there is reasonable assurance that the subject matter information is in compliance, in all material respects, with the identified criteria. Due to the inherent limitations of an audit, public sector auditors cannot be expected to detect all occurrences of non-compliance.

128. Public sector auditors' assessment of what represents a material compliance deviation is a matter of professional judgment and includes considerations of context as well as quantitative and qualitative aspects of the transactions or issues concerned.

129. A number of factors are taken into account in applying professional judgment to determine whether or not the non-compliance is material. Such factors may include the:

a) Importance of amounts involved (monetary amounts or other quantitative measures such as number of citizens or entities involved, carbon emissions levels, time delays in relation to deadlines, etc) ;

b) Circumstances ;
c) Nature of the non-compliance ;
d) Cause leading to the non-compliance ;
e) Possible effects and consequences non-compliance may have ;
f) Visibility and sensitivity of the program in question, (for example, is it the subject of significant public interest, does it impact vulnerable citizens, etc) ;
g) Needs and expectations of the legislature, the public or other users of the audit report ;
h) Nature of the relevant authorities ;
i) Extent or monetary value of the non-compliance.

130. Some examples of compliance deviations and considerations related to materiality and forming conclusions are set out in Appendix 6.

131. Further guidance on forming conclusions may be found in:
• ISSAI 1700
• INTOSAI's Implementation Guidelines for Performance Auditing Section 4.5
• IFAC's ISAE 3000

8.2 Written Representations from Responsible Officials

132. In evaluating evidence and forming conclusions, written representations may be obtained, as considered necessary in the circumstances, to support audit evidence obtained by public sector auditors. Such representations may state that the activities, financial transactions and information of the entity are in compliance with the authorities who govern them, or that particular control systems have functioned effectively throughout the period under audit.

133. Further guidance on written representations may be found in ISSAI 1580.

8.3 Subsequent Events

134. Public sector auditors perform audit procedures to determine if there are events that have occurred after the completion of the field work and up until the date of the compliance audit report that may result in material non-compliance, and therefore may require particular disclosure or may impact the auditor's conclusion or report. Such procedures normally involve inquiry, obtaining written representations from management or reviewing relevant correspondence, minutes from meetings, published reports or financial information for subsequent periods (monthly, quarterly) etc. The amount of subsequent events work done may depend on the nature of the matters involved and the elapsed time between the completion of field work and the issuance of the report.

135. Further guidance on subsequent events may be found in:
• ISSAI 1560
• IFAC's ISAE 3000

9. Reporting

136. Reporting is an essential part of a public sector audit and involves reporting deviations and violations so that corrective actions may be taken, and so that those accountable may be held responsible for their actions. To this end, the Fundamental Auditing Principles state that a written report, setting out findings in an appropriate form, should be prepared at the end of each audit (ISSAI 400, 4.0.7a).

137. The principles of completeness, objectivity and timeliness are important in reporting on compliance audits. Public sector auditors take care to ensure that reports presented are factually correct, and that findings are presented in the proper perspective and in a balanced manner. This involves applying the principle of contradiction which involves checking facts with the audited entity and incorporating responses from responsible officials as appropriate.

9.1 Form and Content of Compliance Audit Reports

138. The form of the written report may vary depending on the circumstances. However, some consistency in the auditor's report may help users of the report to understand the audit work done and conclusions reached, and to identify unusual circumstances when they arise.

139. The factors that may influence the form of the compliance audit report are numerous. These factors include, but are not limited to, the mandate of the SAI, applicable legislation or regulation, the objective of the particular compliance audit, customary reporting practice and the complexity of the reported issues. Furthermore, the form of the report may depend on the needs of the intended users, including whether the report is to be submitted to the legislature or to other third parties such as donor organizations, international or regional bodies, or financial institutions.

140. Depending on the abovementioned factors, a SAI may find it appropriate to prepare either a short form report or a long form report. Long form reports (sometimes referred to as 'compliance audit special reports') generally describe in detail the audit findings and conclusions, including potential consequences and constructive recommendations, while short form reports are more condensed and generally in a more standardized format.

141. Guidance is given below on the form and content of reports. For the practical purposes of these guidelines, the illustrative examples provided in Appendices 7-12 are short form reports. Due to the lengthy nature of long form reports, specific examples have not been included in the guidelines. Public sector auditors are however encouraged to browse websites of SAIs for suitable examples of compliance audit special reports.

142. In cases where the mandate of the SAI establishes a form of reporting that differs from that envisioned in these guidelines, the guidelines may, nonetheless, be useful to public sector auditors and may be applied, adapted as appropriate in the particular circumstances.

9.1.1 Compliance Audit Reports

143. In general, the compliance audit report itself includes the following elements (although not necessarily in the following order):

1. Title
2. Addressee
3. Objectives and scope of the audit, including the time period covered
4. Identification or description of the subject matter information (and where appropriate, the subject matter)
5. Identified criteria
6. Responsibilities of the various parties (legal basis)
7. Identification of the auditing standards applied in performing the work
8. A summary of the work performed
9. A conclusion
10. Responses from the audited entity (as appropriate)
11. Recommendations (as appropriate)
12. Report date
13. Signature

144. Guidance on elements of a compliance audit report that warrant significant consideration by public sector auditors is set out below.

9.1.1.1 Identified Criteria

145. The criteria against which the subject matter is assessed are identified in the auditor's report. In performing compliance audits, the criteria may differ greatly from audit to audit. Clear identification of the criteria in the compliance audit report is therefore important so that the users of the report can understand the basis for public sector auditors' work and conclusions. The criteria may be included in the report itself, or the report may make reference to the criteria if they are contained in an assertion from management, or otherwise available from a readily accessible and reliable source.

146. In cases where the criteria are not readily identifiable, or have had to be derived from relevant sources, the criteria applied in the audit are clearly stated in the relevant section of the auditor's report. In cases where the criteria are conflicting, the conflict is explained. In such a case, the potential consequences of the situation are explained to the extent possible and recommendations are provided as appropriate.

9.1.1.2 Conclusions

147. Depending on the scope and mandate of the audit, the conclusion may be expressed as a statement of assurance or as a more elaborated answer to specific audit questions. The nature of the wording may be influenced by the mandate of the SAI and the legal framework under which the audit is conducted.

148. Where no material instances of non-compliance have been identified, the conclusion is unqualified. An example of the form for an unqualified conclusion (where appropriate wording is inserted in the brackets as applicable) may be as follows:

'Based on the audit work performed, we found that [the audited entity's subject matter information] is in compliance, in all material respects, with [the applied criteria].'

149. Public sector auditors modify their conclusions appropriately in cases of:

a) Material instances of non-compliance. Depending on the extent of the non-compliance, this may result in:
   i. A qualified conclusion ('Based on the audit work performed, we found that, except for [describe exception], the audited entity's subject matter information is in compliance, in all material respects with [the applied criteria]…'), or
   ii. An adverse conclusion ('Based on the audit work performed, we found that the subject matter information is not in compliance…'); or

b) Scope limitation. Depending on the extent of the limitation, this may result in:
   i. A qualified conclusion ('Based on the audit work performed, we found that, except for [describe exception], the audited entity's subject matter information is in compliance, in all material respects with [the applied criteria]…'), or
   ii. A disclaimer ('Based on the audit work performed, we are unable to, and therefore do not express a conclusion…')

150. Public sector auditors provide information as to the reasons for the modified conclusions. This may be done by describing the particular instances of significant non-compliance in the report, for example in a paragraph or section preceding the conclusion and that describes the basis for that conclusion.

151. Public sector auditors may conclude that there is a need to elaborate on particular matters which do not affect the compliance conclusion. In these circumstances, public sector auditors disclose these matters through the use of an:

(a) Emphasis of Matter paragraph (when the matter is presented and disclosed in the management assertions and is not materially misstated, for example to highlight a systematic weakness or an uncertainty dependent on future events such as when a competent authority has yet to determine if an item complies with the law); or

(b) Other Matter(s) paragraph (for matters other than those presented and disclosed in the management assertions, and not affecting the conclusion on compliance, for example the need for the legislature to take action when a conflict between different sources of law has been identified).

Examples are set out in Appendix 11.

9.1.1.3 Responses from the Audited Entity

152. Incorporating responses from the audited entity by reporting the views of responsible officials is part of the principle referred to as the principle of contradiction. The principle of contradiction is a unique and important feature of public sector auditing. It relates to the presentation of weaknesses or critical findings in such a way as to encourage correction (ISSAI 400, 4.0.20 and 4.0.24). This involves agreeing the facts with the audited entity to help ensure that they are complete, accurate and fairly presented. It may also involve, as appropriate, incorporating the audited entity's response to matters raised, whether verbatim or in summary.

9.1.1.4 Providing Constructive Recommendations

153. The Fundamental Auditing Principles also emphasize the need for reports to be constructive. This means that the auditor's report may include, as appropriate, recommendations designed to result in improvements. While such recommendations may be constructive for the audited entity, they should not be of such a detailed nature that the public sector auditor's objectivity may be impaired in future audits (ISSAI 400, 4.0.4, 4.0.20 and 4.0.25).

9.1.1.5 Report Date

154. The report is dated no earlier than the date public sector auditors have obtained sufficient appropriate audit evidence to support the conclusion.

9.1.1.6 Signature

155. The report is signed by the person with appropriate authority to represent the SAI. This may be the Auditor General, an authorized officer, or possibly co-signatures of two officers to whom appropriate authority has been delegated.

9.1.1.7 Limited Assurance Reports

156. On an exceptional basis, these guidelines may be applied, adapted as appropriate, to limited assurance reviews. As explained in the scope section of these guidelines, in a limited assurance review, the conclusion (with appropriate wording inserted in the brackets as applicable) is normally expressed as follows: 'Nothing has come to our attention that leads us to believe that [the audited entity's subject matter information] is not in compliance, in all material respects, with [the applied criteria].'

157. Limited assurance reviews require a sufficient amount of work to be done in order to express a conclusion, albeit less work than that necessary to express a conclusion with reasonable assurance. Nonetheless, public sector auditors evaluate whether sufficient, appropriate audit evidence has been obtained in order to express a limited assurance conclusion.

9.1.1.8 Incidental Findings

158. Public sector auditors may often come across examples of non-compliance in connection with other types of audit work being performed. Even though the auditor was not actively looking for the existence or absence of the particular condition, public expectations might influence the decision to report such incidental findings. Although public sector auditors may report such findings, these findings are outside the scope of the compliance audit. Unless the scope of the audit is re-evaluated and the incidental findings are incorporated into the ongoing compliance audit, the auditor does not obtain or provide reasonable assurance with respect to the existence or absence of the condition related to the incidental findings. It may, however, be possible to express a conclusion with limited assurance depending on the circumstances. In any event, when such situations are reported, it is important to inform the reader of the relevant assurance level (reasonable or limited), if any.

9.1.2 Compliance Audit Special Reports (long form reports)

159. Depending on the needs of users, and the particular objective of the compliance audit, a SAI may decide to report the results of a compliance audit in a compliance audit special report. Such special reports are more akin to those reports common in performance audits and set out in greater detail the observations, conclusions and recommendations arising from the audit than the short form reports envisaged in the preceding section. In some cases, this type of report may be in addition to a compliance audit short form report.

160. As with compliance audit reports, some consistency in the form of compliance audit special reports may help users of the report to understand the audit work done and conclusions reached, and to identify unusual circumstances when they arise.

161. In general, compliance audit special reports include all of the elements set out in the guidance on compliance audit reports, but are normally structured into the following sections (the order of which may vary):

a) Title page
b) Table of contents
c) Glossary (if necessary)
d) Executive summary
e) Introduction, objectives and scope
f) Observations and findings
g) Conclusions and recommendations
h) Responses from the audited entity
i) Appendices (if necessary)

9.1.2.1 Title page, table of contents and glossary

162. The title page clearly sets out the title of the report, the report date, to whom the report is addressed and the preparer of the report. The preparer of the report is normally the SAI.

163. Including a table of contents, especially if the report is voluminous, helps give the report structure and guide the reader to areas of particular interest.

164. A glossary may also be helpful to readers if technical or unfamiliar terminology, acronyms, abbreviations or words with a particular contextual meaning are used repeatedly throughout the report.

9.1.2.2 Executive Summary

165. The executive summary is critical as it is often the part of the report most read by users. The executive summary should reflect fully and accurately, while at the same time in a concise and balanced fashion, the content of the report. To be effective, an executive summary is normally one to two pages in length.

166. The main focus of the executive summary is on the identified criteria (significant questions to be answered) and a summary of the main audit conclusions and recommendations in relation to such criteria (answers to the questions).

167. In some cases, a chart or diagram may display significant audit conclusions in a form that makes it easier for users to grasp complicated or voluminous information. In such cases it may be helpful to users to include graphical information in the executive summary.

9.1.2.3 Introduction, objectives and scope

168. The introduction sets out the context of the audit including the objectives and scope of the audit, identification or description of the subject matter or subject matter information, the identified criteria, the responsibilities of the various parties involved and the auditing standards applied in performing the work.

169. The introduction is generally short without a lot of detail. If necessary, relevant detailed information may be included in appendices.

9.1.2.4 Observations and findings

170. The observations and findings section comprises the main body of the compliance audit special report. This section describes the audit work performed and related findings. It is structured in a logical manner, normally around the identified criteria, and in a way that assists the reader in following the logical flow of a particular argument.

171. When presenting audit observations and findings, making the following four elements apparent to users assists them in gaining a better understanding of the audit work performed and the significance and consequences of the audit findings:

a) Criteria – the benchmark or measure against which performance is compared or evaluated;
b) Conditions – the situation observed;
c) Cause – the source and reasons giving rise to the conditions observed;
d) Effect – the impact and consequences of the conditions observed (the materiality of the findings, their impact on the budget, citizens or users, implications for principles of sound public sector management, etc).

172. When significant amounts of data are included to support audit findings, such data may be more appropriately included in appendices.

9.1.2.5 Conclusions and recommendations

173. The primary purpose of the conclusions and recommendations section of the report is two-fold:

a) to provide clear answers (conclusions) to the audit questions (identified criteria), and
b) to provide constructive and practical recommendations for improvement where appropriate.

174. Recommendations are most effective when they are positive in tone and results-oriented, setting out clearly what needs to be done, when and by whom. Cost considerations are borne in mind when determining the practicality of recommendations.

175. Where significant compliance deviations are reported, recommendations are provided in cases where there is potential for significant improvement. It may be helpful to users for public sector auditors to highlight ongoing corrective actions.

176. While constructive and practical recommendations assist in promoting sound public sector management, public sector auditors are careful not to provide recommendations so detailed that they take on the role of management and thereby impair their own objectivity.

9.1.2.6 Responses from the audited entity

177. As set out in the guidance above on compliance audit reports, the principle of contradiction – agreeing facts and incorporating responses – is also applied in preparing compliance audit special reports. Responses from the audited entity to matters raised may be incorporated in the report, either verbatim or in summary.

178. Responses from the audited entity may be included in a separate section of the special report or as an appendix, depending on the volume of the responses.

179. Incorporating the views of responsible officials assists in ensuring the practicality of the recommendations and in making the responsible officials accountable for their actions.

9.1.2.7 Appendices

180. Where appropriate, appendices may be used to provide users with detailed or supplementary information related to the audit. The information may be in text or table format, or it may be more graphical in nature such as diagrams, charts or pictures. Such information may assist users in understanding the audit findings, as well as the causes and effects thereof.

181. Further guidance on reporting may be found in:
• ISSAI 1700, 1705 and 1706
• INTOSAI's Implementation Guidelines for Performance Auditing Part 5
• IFAC's ISAE 3000 and International Standard on Review Engagements 2400

9.2 Follow-up Processes

182. The Fundamental Auditing Principles place emphasis on the reporting of constructive recommendations and additional follow-up as necessary in regard to correction of identified weaknesses (ISSAI 400, 4.0.26). The need for any follow-up of previously reported instances of non-compliance will vary with the nature of the non-compliance and the particular circumstances. This may include formal reporting by the auditor to the legislature, as well as to the audited entity or other appropriate bodies. Other follow-up processes may include reports, internal reviews and evaluations prepared by the audited entity or others, a follow-up audit, conferences and seminars held for, or by, the audited entity, etc. In general, a follow-up process facilitates the effective implementation of corrective actions and provides useful feedback to the audited entity and to the users of the report and to public sector auditors in planning future audits. Follow-up processes may be set out in the mandate of the SAI.

183. Further guidance on follow-up processes may be found in: INTOSAI's Implementation Guidelines for Performance Auditing Part 5.5

10. Additional Guidance for Public Sector Auditors Operating in a Court of Accounts Environment

184. Because of the jurisdictional status conferred on SAIs that operate in a Court of Accounts environment, such SAIs have the power to exercise judgments and decisions over the accounts and over responsible persons, including accountants and administrators (ISSAI 100, 1.0.21).

10.1 Performing Audits in a Court of Accounts

185. When performing compliance audits of individual public accounts or of the general state budget, public sector auditors in a Court of Accounts environment also:

a) Obtain reasonable assurance about whether the information presented in the individual public accounts and the underlying transactions are in compliance, in all material respects, with the authorities that govern them;
b) Determine whether the execution of the state budget has been carried out in compliance, in all material respects, with the authorities governing it and with individual public accounts; and
c) Report the findings to the appropriate parties.

186. The unique jurisdictional status described above may also give rise to the need for additional considerations by public sector auditors operating in a Court of Accounts environment when planning and performing compliance audits. Such matters may include:

(a) Identifying the person(s) who may be held responsible for acts of non-compliance due to the potential legal implications the SAI's judgment may have on such persons. Public officials may be held personally liable for the loss or waste of public funds, requiring them to repay the full amount of any such losses;
(b) Taking into consideration the applicable prescriptive period, the actions interrupting prescription of personal liability and the exact time period for which public officials may be held liable;
(c) Distinguishing personal liability for acts of non-compliance from the liability for unlawful acts (suspected fraud). For unlawful acts there may be a need to perform additional audit procedures;
(d) Liaising with prosecutors and police as appropriate in understanding the audited entity and its environment, assessing risks of non-compliance, dealing with instances of non-compliance that may indicate fraud, and reporting on such matters;
(e) Considering the need for additional levels of, or more formalised procedures for quality control;
(f) Performing inquiry in written form (as opposed to orally);
(g) Ensuring that audit documentation complies with relevant rules of evidence;
(h) Communicating in a highly formalised manner;
(i) Including in the report the explicit criteria against which public officials may be held liable, including any amounts likely to be involved;
(j) Considering the most appropriate form of conclusions, including recommendations, identification of damages, or court orders that may lead to a formal discharge of responsibility or to a formal determination of liability.

10.2 Communicating and Enforcing the Law

187. Public sector auditors in Court SAIs also communicate compliance issues that may result in legal action, damages or prosecution for a criminal offence to the judge, attorney or section responsible for dealing with judgment issues within the Court, or to other bodies as appropriate. In addition, Court SAIs may also communicate remarks of a more general, or informative nature resulting from the audit work to appropriate officials of the audited entity.

188. When enforcing the law regarding public officials, decisions taken by Court SAIs are subject to:

a) Due process of law and public hearing;
b) Public disclosure;
c) Communication to appropriate law enforcement authorities when there is evidence of a criminal offence.

10.3 Processes in Various Models of Courts of Accounts

189. For SAIs operating in a Court of Accounts environment, the work performed may involve various phases including audit, instruction and formal judgment.

190. Some SAIs operating in a Court of Accounts environment follow the audit process as it is described in these guidelines. However, following the planning, performance and evidence gathering phases, there may then be additional and specific issues that may lead to opening the process of instruction and to a final formal judgment.

191. In the event a judge or attorney decides on instructing a case, the objective of instruction is to gather enough evidence on the guilt or innocence of the public official who allegedly caused a damage, so as to allow a judgment to be made.

192. In some SAIs operating in a Court of Accounts environment, the auditors may also act in the role of judges and may be empowered to both audit and give formal judgments. In these cases, the instruction phase is an integral part of the audit planning, performance and evidence gathering phases, such that the audit is planned with a view to covering all these phases.

Appendix 1 - Examples of Subject Matters, Subject Matter Information and Criteria in Compliance Auditing

The follow table is intended to give examples of subject matters, subject matter information and relevant criteria. The list is not intended to be an exhaustive overview. The particular subject matter, subject matter information and criteria will vary depending on a variety of matters such as the mandate of the SAI and the objective of the particular audit.

Subject matter Subject matter information Criteria

1 Financial information such Relevant budget legislationas financial statements such as an appropriations act

More specific guidanceon this particular topicis included in ISSAI4200 -Appendix 1-A.

2 Project financial information/ project accounts

The mandated activities of the audited entity.

102 | C o m p l i a n c e A u d i t G u i d e l i n e s

Appendix 1 -Information and Criteria in Compliance Auditing

The follow table is intended to give examples of subject matters, subject matter information and relevant criteria. The list is not intended to be an exhaustive overview. The particular subject matter, subject matter information and criteria will vary depending on a variety of matters such as the mandate of the SAI and the objective of the particular audit.

Subject matter Subject matter information Criteria

1 Financial information such Relevant budget legislationas financial statements. such as an appropriations act.

- -

2 Financial performancefor example revenuesin the form of :

Project financial information Relevant legislation relating touse of federal government funds (eg a 'single audit act') .

/ project accounts.

from donoragencies The mandated activities of the

audited entity.• funds from

The terms of the fundingagreement.

federalgovernments

• other similartypes of funds

and how they have used.

| C o m p l i a n c e A u d i t G u i d e l i n e s

• project funds

Financial performance and use of appropri-ated funds This may involve budget execu-tion, including testing that funds have been used in accordance with the purposes and intentions as decided by the legislature. In many SAIs this type of compliance audit may be related to regularity audit, including the audit of financial state-ments.

Page 110: ISSAI Guidelines on Compliance Audit - Comptroller … 100 Fundamental Principles of Public Sector Auditing The International Standards of Supreme Audit Institutions, ISSAI, are issued

3. Subject matter: Financial performance, for example revenues in the form of grants, and how the revenues have been used.
Subject matter information: Financial information related to the use of the grant.
Criteria: The mandated activities of the audited entity. The terms of the grant agreement.

4. Subject matter: Financial performance, for example revenues or expenditures in accordance with a contract or loan agreement, and how they have been used.
Subject matter information: Financial information related to the contract or loan agreement.
Criteria: The terms of the contract or loan agreement.

5. Subject matter: Procurement
Subject matter information: Financial information
Criteria: Relevant procurement legislation and regulations (national and international). The terms of a contract with a supplier.

6. Subject matter: Expenditures
Subject matter information: Financial information. Statement of compliance.
Criteria: Relevant budget legislation such as an appropriations act. Other relevant legislation. Relevant ministerial directives, government policy requirements and resolutions of the legislature. The terms of a contract.

7. Subject matter: Program activities
Subject matter information: Activity indicators or reports
Criteria: Relevant agreed levels of performance such as those set out in laws and regulations, ministerial directives, goals agreed by the legislature or the entity, international treaties, protocols, conventions or agreements, a service level agreement, the terms of a contract, generally established industry standards, or reasonable public expectations.


Subject matter Subject matter information Criteria

For example:

8 Service delivery

9 Citizen complaints register

Publicly reported information

10 A statement of compliance Relevant legislation or directives in areas such as human and civil rights, gender equality, workplace, environment, etc.

with CSR (or lack thereof)

11 Behaviour / Propriety A statement of compliance, Relevant legislation or directives covering behaviour of public sector officials A code of ethics internally.

for example a statement of independence (legal competence)


Corporate Social Responsibility (CSR), for example the audit of publicly funded projects in developing countries

measures of results related to water quality, etc.

Relevant legislation or directives

A statement of service delivery

Publicly reported information

Relevant legislation or directives

number of building inspections to be performed within a particular time period

frequency and quality of accounting information to be provided by a service organisation

number of months required to process benefit payments or building permits

number of miles of road paved

number of qualified nurses and doctors per number of citizens

number of kindergarten places related to number of eligible children

Probity of a public administrative decision


Subject matter Subject matter information Criteria

. developed code of conduct.

• Stated values or leadership principles,

• Internal policies, manuals and guidelines,

• The terms of reference of the organisation, the bylaws or similar,

• The terms of a contract (eg agreed confidentiality or quarantine arrangements subsequent to certain employment situations).

12. Subject matter: Membership obligations
Subject matter information: A statement of compliance
Criteria: Agreed terms of membership.

13. Subject matter: Processes related to health and safety
Subject matter information: A statement of compliance. Financial transactions.
Criteria:
• Relevant occupational health and safety legislation, for example, related to handicap access
• Policies, processes, manuals, guidelines etc

14. Subject matter: Processes related to environmental protection
Subject matter information: A statement of compliance. Financial transactions.
Criteria:
• Relevant environmental legislation, for example, related to water quality, waste disposal or carbon emissions levels
• The terms of international environmental treaties, protocols, conventions or agreements
• Policies, processes, manuals.


In the public sector this be implicit and related to the concepts of probity and criteria above).


Subject matter Subject matter information Criteria

15 Internal Control processes A statement of Compliance Financial transactions

7

16 A statement of compliance

17 Physical characteristics A specifications document or the physical object itself

18 Tax revenues, taxpayer obligations or other obligations involving reporting to regulatory authorities

Individual or corporate tax returns

7 COSO – Committee of Sponsoring Organizations of the Treadway Commission. CoCo = Criteria of Control Board, The Canadian Institute of Chartered Accountants.


Processes particular to the entity's activities payment of pensions or social benefits, processing passport or citizenship applications, assessing fines or other forms of penal sentences

Other tax forms submitted to regulatory authorities (such as VAT forms, reporting forms for agencies operating within regulated industries such as banking and finance, pharmaceuticals, etc)

similar, or internal control requirements set out in relevant legislation or generally accepted within a jurisdiction,

• Policies, processes, manuals, guidelines etc.

• Relevant legislation or directives,

• Policies, processes, manuals, guidelines etc.

• A building code (size, height, purpose, density measures for a particular zoned area, etc),

• The terms of a construction contract, or other type of contract.

• Relevant legislation or industry specific codes,

• A tax code, revenue code or similar.


Appendix 2 – Examples of Sources to be used in Gaining an Understanding of the Audited Entity and Identifying Suitable Criteria

The following is an illustrative, but not exhaustive list of sources that public sector auditors may use in identifying suitable audit criteria:

a) Laws and regulations, including the documented intentions and premises for establishing such legislation;
b) Budgetary legislation / approved budget or appropriations;
c) Documents of the legislature related to budgetary laws or resolutions, and to the premises or particular provisions for use of approved appropriations, or for financial transactions, funds and balances;
d) Legislative or ministerial directives;
e) Information from regulatory authorities;
f) Official records of meetings of the legislature, public accounts committee or similar committee of the legislature, or other public bodies;
g) Principles of law;
h) Legal precedent;
i) Codes of practice or codes of conduct;
j) Internal descriptions of policies, strategic and operational plans and procedures;
k) Manuals or written guidelines;
l) Formal agreements, such as contracts;
m) Loan or grant agreements;
n) Industry standards;
o) Well established theory (for example theory for which there is general consensus. Such theory may be obtained, for example, from published information such as technical literature and methods, professional journals, etc, or through inquiry with knowledgeable sources such as experts in a particular field);
p) Generally accepted standards for a particular area (such standards are normally clearly identifiable standards that have their source in some form of legislation and that are a result of established practice and legal precedent, for example 'generally accepted accounting principles' in a particular country);
q) For audits of propriety: Principles for sound public sector financial management and conduct of public sector officials. Principles of conduct may arise from the legislature's or public expectations regarding the behaviour of public sector officials. In some cases, these principles may be documented in only fragmentary ways. They may, in some cases, only be defined as a result of their breach.

Additional sources which public sector auditors may use to obtain an understanding about the audited entity, its environment and relevant program areas may include:

a) The entity's annual report;
b) Legislative propositions and speeches;
c) Websites;
d) Published reports, articles in newspapers or journals, other media sources, etc;
e) Knowledge obtained from previous audits;
f) Information gathered through meetings and other communication;
g) Minutes of Board or other management meetings;
h) Internal audit reports;
i) Official statistics.


Appendix 3 – Examples of Factors Related to Assessing Risk in Compliance Auditing

The following are examples of factors that may be considered in assessing risk in a compliance audit. The list is not intended to be exhaustive, and the factors will depend on the particular audit circumstances.

The Audited Entity's Objective and Mandate

1. Are the audited entity's objective, mandate and legal capacity clearly stated and readily available?
2. Have there been recent changes in mandate, objectives or program areas?
3. Are program areas or relevant subject matters clearly identifiable?
4. Do program areas overlap considerably with other entities such that there is a risk of duplication or of fragmentation?

Organisational Structure

1. What is the legal basis of the entity (ministry, directorate, agency etc) and from where does it derive its authority?
2. Does the audited entity have clearly defined roles and responsibilities, and related authority attaching to these?
3. Are these roles, responsibilities and authorities clearly communicated and understood throughout the entity?
4. If the entity is part of a hierarchic structure, and another entity is responsible for supervision of the audited entity, how does such supervision take place?
5. Does the organisation focus on risk assessment and risk management, including risks of non-compliance, in its operations?
6. Have there been recent organisational changes?
7. Are any activities outsourced to other entities?
8. If activities are outsourced, how is compliance and performance monitored?
9. Are there other potential risks associated with outsourcing?
10. Do personnel have adequate competence and ethical behaviour?
11. Do personnel seek relevant information and is relevant information easily accessible?
12. Is information communicated on a timely basis in the organisation?
13. Are there any aspects of organisational structure that could give rise to greater risk of fraud?


Political Considerations

1. To which level of government does the particular entity belong and does it have relations to other levels of government?
2. What are the responsibilities (constitutional or other) of the relevant minister, or of entity management?
3. What is experience in dealing with the entity's political vs. administrative management?
4. Is there political consensus, or are differing views freely expressed?
5. How is the political management comprised?
6. What are program areas of political focus, visibility and sensitivity?
7. How does the working relationship between political and administrative management function?
8. Are there any areas of particular public interest?
9. What is experience in relation to one entity exercising unfavourable influence on other related entities in the public sector hierarchy?
10. Are there any political considerations that could give rise to greater risk of fraud?
11. Do laws and regulations contain requirements for political neutrality related to the use of resources and funds, and what is past experience in this area?

Laws, Regulations and Other Relevant Authorities

1. Is it clear which laws, regulations and authorities apply to the audited entity and the particular subject matter?
2. Are there overlaps or inconsistencies between different sets of legislation?
3. Is the entity a lawmaking body, and if so what impact can the lawmaking process have on the rights of individuals?
4. If the entity is a lawmaking body, has it delegated any authority to other entities, such as regulatory authorities or private sector entities?
5. Is relevant legislation relatively new, or is it well established?
6. If new, is it clear in terms of form and content such that it may be clearly understood and applied?
7. If well established, has legal precedent been consistent such that the legislation is clearly understood and applied?
8. Is the relevant program area subject to significant application of judgment in its operations?
9. If a significant amount of judgment is applied, is this done in accordance with the intentions behind the laws and regulations?
10. If a significant amount of judgment is applied, is it applied consistently?
11. Are other bodies involved in interpreting or supplementing the relevant legislation?
12. Has the entity carried out its duties on a timely basis such that individual rights have not been compromised, and there have not been significant negative financial consequences due to passiveness?
13. Have channels for complaints and appeals for affected parties been used appropriately?
14. Have any individual's / organisation's rights been compromised in any way through the entity's interpretation and application of particular legislation or regulations?
15. Are there any aspects of laws, regulations or other authorities that could give rise to greater risk of fraud?

Significant Events and Transactions

1. Are there any significant events or transactions that may give rise to significant risks or fraud risks (e.g., significant procurement contracts, long term construction contracts, dealings in financial instruments such as foreign exchange contracts, significant loans or financial speculation, privatisation etc)?
2. Does the entity possess the necessary authority and competence to enter into and carry out significant events and transactions?
3. Have experts been engaged in connection with significant events and transactions?
4. If experts have been engaged, what precautions have been taken to ensure their competence and objectivity?
5. How is the work of experts monitored?

Management

1. Is there stability in the management team or have there been changes in key personnel?
2. How are members of management recruited (open and transparent processes with real competition or token process)?
3. Is management actively involved in assessing risk on a continual basis?
4. Has management considered the consequences of changes in the entity's environment and the impact this may have on the audited entity?
5. Is management conservative in its approach or more willing to take risks (e.g., what is the 'risk appetite')?
6. What initiatives has management taken to identify and avoid significant risks that could have an adverse impact on the entity?
7. Are risk evaluations that are performed throughout the entity effectively communicated to management at the appropriate levels?
8. Does management actively monitor and evaluate the consequences of their decisions and actions?
9. Have previous audits identified instances of non-compliance, fraud, unlawful acts, unethical behaviour, management bias, etc?
10. How does management balance the achievement of program objectives with the need to manage risk, and ensure compliance with laws and regulations etc?


Appendix 4 - Examples of Risk Factors Related to a Particular Subject Matter

Procurement is a typical subject matter for compliance audits. The following table gives some examples of risk factors relating to a compliance audit of procurement. The list is not intended to be exhaustive. The relevant risks and risk factors will vary depending on the subject matter and the circumstances of the particular audit.

Examples of Risk Factors Related to the Audit of Procurement

Inherent risk

1. Lack of relevant procurement legislation;
2. Recent changes to the procurement legislation (e.g., to conform to international legislation);
3. Complex or unclear legislation, or legislation open for interpretation;
4. Significant monetary amounts are involved such as defence procurement;
5. Audit findings from the prior year revealed compliance deviations in regard to procurement legislation and directives;
6. Previous suspicions or instances of fraud and corruption involving management and key staff;
7. Inspections by regulatory authorities (e.g., competition authorities);
8. Complaints received from potential suppliers about unfair practices related to awarding tenders;
9. Potential conflicts of interest.

Control risk

1. Lack of good internal guidelines, including lack of clear and objective criteria;
2. Recent changes in general or application controls related to procurement IT systems;
3. Poor quality-control or weak monitoring activities related to suppliers;
4. Weak or non-existent controls regarding suppliers' compliance with ethical guidelines;
5. Non-existent or poor quality monitoring activities related to compliance with relevant legislation.


Detection risk

1. Audit procedures are ineffectively designed (e.g., performing procedures that only involve checking transactions that are recorded, and not checking for completeness; or making inquiries only of staff in the procurement department and not of others such as administration or facilities management staff, suppliers or agencies that register complaints);

2. Incentives may lead management to intentionally withhold or conceal evidence (for example, suppliers may make bribes or give kickbacks) ;

3. Possible management collusion or override of controls.


Appendix 5 - Examples of Compliance Audit Procedures for Selected Subject Matters

This table shows illustrative examples of possible compliance audit procedures in the areas of environmental legislation and project funds from donor organisations. It is not intended to be an exhaustive list of procedures. Audit procedures must be designed for the particular audit circumstances and objectives.

Sample audit procedures

Subject matter: Environmental legislation

1. Obtain an overview of relevant environmental legislation to which the entity is required to adhere.

2. Inquire with management, and internal audit as applicable, as to the processes and routines in place to ensure compliance with relevant environmental legislation.

3. Review manuals and systems descriptions to understand the processes and relevant controls. Document the process and identify key controls. Test key controls as necessary.

4. Perform a media search, and other databases as applicable, to identify previous instances of non-compliance by the entity.

5. Review any inspection reports, including those of internal audit as applicable. Follow up any areas that may indicate significant risks of non-compliance with environmental legislation.

6. Confirm that the audited entity has necessary permits and registration certificates as appropriate. Evaluate procedures to ensure that these remain valid and up to date.

7. Review minutes of meetings of environmental, or health and safety committees. Follow up as necessary.

8. Interview selected staff as to their understanding of relevant policies and procedures in place, including training, and how these procedures operate in practice.

9. Inquire with management, and legal counsel as appropriate, as to any previous, existing or potential environmental liability claims. Consider the causes and effects/impacts of any such claims.

10. Observe processes and routines in practice (e.g., waste disposal – properly stored and disposed of, etc) and document appropriately (e.g., photo or video evidence may be relevant).


Sample audit procedures

Subject matter: Project funds received from a donor organisation

1. Obtain an overview of the funding agreement and any relevant legislation, directives, mandates, etc to which the entity is required to adhere.

2. Inquire with management, and internal audit as applicable, as to the processes and routines in place to ensure compliance with the terms of the funding agreement and relevant legislation, directives, mandates, etc. Inquire as to routines to ensure appropriate accounting and disclosure.

3. Review manuals and systems descriptions to understand the processes and relevant controls related to compliance with such funding agreements. Document the process and identify key controls. Test key controls as necessary.

4. Perform analytical procedures for assessing risks, and substantive procedures as considered necessary. For example, compare any financial information, including project accounts, with budget and prior year(s). Follow up suspected deviations as necessary in the circumstances. Review project accounts for unusual or significant transactions. Follow up as necessary.

5. Select a sample of transactions related to project funds. For each transaction selected, test compliance with the terms of the funding agreement and any relevant legislation, for example:

• requirements related to use of funds;
• proper approval and authorization;
• reporting requirements;
• proper accounting and disclosure, including appropriate accounting policies and recording transactions in the appropriate periods, etc.

6. Where project funds have been used for specific purposes, assess the need to perform physical inspections. Follow up as appropriate.

7. Review related correspondence, minutes of meetings etc to identify any relevant matters. Follow up as necessary.

8. Consider the need to obtain any written confirmations from third parties and follow up as appropriate.

9. Consider the need to obtain specific written representations from management in regard to the funding agreement.

10. Perform cut-off testing and review after the period end as necessary to ensure funds are accounted for in the appropriate period.


Appendix 6 - Examples of Compliance Deviations

The following table provides some examples of compliance deviations and includes considerations related to materiality and forming conclusions. The comments related to materiality and forming conclusions are not intended to be definitive assessments of whether the particular example constitutes a material compliance deviation or not, but rather to highlight relevant considerations. The determination of materiality will depend on the particular circumstances and the professional judgment of the public sector auditor.

1. Example of Compliance Deviation: During the year, a government agency received budget appropriations through the Ministry of Education for national educational purposes. The agency's grant expenditure for the year included $10 million to overseas high tech manufacturers.
Considerations Related to Materiality and Forming Conclusions: Based on the legislation governing the government agency, the agency did not have the power to make grants to overseas bodies. The non-compliance may be material because the grant expenditure was paid out to overseas bodies and was therefore not in compliance with relevant authorities, nor was it applied to the purposes intended by the legislature.

2. Example of Compliance Deviation: During the year, a government agency incurred expenditures of $100 in excess of the total expenditure of $5000 authorised by the budget approved by the legislature.
Considerations Related to Materiality and Forming Conclusions: In this case, actual expenditures were in excess of amounts authorised through the approved budget. This non-compliance may be material because it was a clear violation of clearly established authorities. Depending on the circumstances, including the type of expenditures, it may also be very sensitive in nature.

3. Example of Compliance Deviation: A citizen is entitled to a monthly pension of $1000. The government agency has only been paying out $900 per month. The payments were also made after the dates stipulated in the legislation.
Considerations Related to Materiality and Forming Conclusions: Although the monetary amounts involved may not be material to the financial statements of the government agency, the consequences of the non-compliance are likely to be very significant to the individual pensioner living on a fixed income. If the non-compliance is due to a system weakness, the non-compliance may also affect many other citizens. The non-compliance may therefore be material in terms of the impact on citizens and society in general.

4. Example of Compliance Deviation: A single mother is entitled to monthly child benefits for each child under age 18. The government agency has paid out child benefits for a 19 year old child.
Considerations Related to Materiality and Forming Conclusions: While this compliance deviation may have been positive for the recipient, it is not in accordance with the legislation and its intentions, and may therefore be unfair to other beneficiaries. If the non-compliance is due to a system weakness, the non-compliance may also affect many other citizens. The non-compliance may therefore be material in terms of the impact on citizens and society in general.

5. Example of Compliance Deviation: The terms of a building code require annual inspections to be performed. The government agency has not performed inspections for the past five years.
Considerations Related to Materiality and Forming Conclusions: The non-compliance may be significant due to qualitative aspects such as safety implications. Although no particular monetary amounts are involved, the non-compliance may be material due to the potential consequences it may have on the safety of the building occupants. In the event of a disaster, there is also a risk that the non-compliance may result in significant liability claims which could have material financial implications for the government agency as well.

6. Example of Compliance Deviation: The terms of a funding agreement state that the recipient of the funds must prepare financial statements and send them to the donor organisation by a certain date. The financial statements have not been prepared and sent by this date.
Considerations Related to Materiality and Forming Conclusions: The non-compliance may or may not be material depending on whether or not the financial statements were subsequently prepared and sent, the extent of the delay, the reasons for the delay, any consequences that may arise as a result of the non-compliance, etc.

7. Example of Compliance Deviation: Significant system weaknesses were identified in relation to revenues collected in accordance with a tax code. The weaknesses were due to incorrect interpretation of the tax code by the audited entity. Numerous instances of taxpayers being assessed more than they were obligated to pay were identified.
Considerations Related to Materiality and Forming Conclusions: This type of compliance deviation relates to the due process rights of individual citizens. Certain citizens were being assessed too much tax, while others were not being assessed at all. Depending on the circumstances, and because it involves a system weakness, the deviation may be material.


Appendix 7 - Example of a Compliance Audit 'Short Form' Report

As explained in the body of this document, the format of compliance audit reports may vary depending on a number of factors, such as the mandate of the SAI, relevant legislation, customary reporting practices or the complexity of issues being reported. However, some consistency in the reporting format may help users of the auditor's report to understand the work performed and the conclusions reached, as well as to identify unusual circumstances when they arise.

The following short form report example is for illustrative purposes only. Some SAIs may use a long form report where findings are described in more detail in the body of the report.

Compliance Audit Report by the SAI of XXX

[Appropriate Addressee, e.g., Donor Organisation XYZ]

Report on [Government Agency ABC's Compliance with the Terms of the Funding Agreement with Donor Organisation XYZ dated xx.xx.20XX]

We have audited [government agency ABC's compliance with the terms of the funding agreement with donor organisation XYZ dated xx.xx.20XX as set out in the project accounts for the year ended 31.12.20XX showing total expenditures of $ xxxxxx.xx].

Management's Responsibility

According to [the terms of the funding agreement with donor organisation XYZ dated xx.xx.20XX], management of government agency ABC is responsible for [preparing complete project accounts in compliance with the terms of the funding agreement].

Auditor's Responsibility

Our responsibility is to independently express a conclusion on [the project accounts] based on our audit. Our work was conducted in accordance with the [INTOSAI Fundamental Auditing Principles and Guidelines for Compliance Audit]. Those principles require that we comply with ethical requirements and plan and perform the audit so as to obtain reasonable assurance as to whether [the use of the project funds is in compliance, in all material respects, with the terms of the funding agreement dated xx.xx.20XX].


An audit involves performing procedures to obtain sufficient appropriate evidence to support our conclusion. The procedures performed depend on the auditor's professional judgment, including assessing the risk of material non-compliance, whether due to fraud or error. The audit procedures performed are those we believe are appropriate in the circumstances. We believe that the audit evidence gathered is sufficient and appropriate to provide the basis for our conclusion.

Conclusion

Based on the audit work performed, we found that [government agency ABC's use of project funds received from donor organisation XYZ] is in compliance, in all material respects, with [the terms of the funding agreement dated xx.xx.20XX].

[Responses from the audited entity as appropriate, for example in summary under a heading 'Responses from the Audited Entity,' or as an appendix].

[Recommendations as appropriate, for example under a heading 'Recommendations' or as an appendix].

[Date of auditor's report]

[Auditor's signature]


Appendix 8 - Example of a Qualified Compliance Audit Conclusion

In this example, the compliance subject matter relates to the terms of a rental agreement, and the audit revealed an instance of non-compliance which resulted in additional charges and penalties to the audited entity. The compliance deviation is not so material as to warrant an adverse conclusion. The introductory sections on management's and the auditor's responsibilities, and final sections of the report are similar to those set out in the example in Appendix 7.

The following short form report example is for illustrative purposes only. Some SAIs may use a long form report where findings are described in more detail in the body of the report.

........ [appropriate introductory sections of the report]……

[We have audited government agency ABC's compliance with the terms of the rental agreement with landlord DEF dated xx.xx.20XX.

Basis for the Qualified Conclusion

The terms of the rental agreement state that monthly rent for premises BBB in the amount of $xxxxx.xx is payable in advance on the first day of the month. During 20XX, one of the rental payments was made after the due date. This has resulted in government agency ABC being assessed late payment charges and penalties for the year amounting to $xx.xx.

Qualified Conclusion

Based on the audit work performed, we found that, except for the instance of non-compliance noted in the Basis for the Qualified Conclusion paragraph above, government agency ABC is in compliance, in all material respects, with the terms of the rental agreement with landlord DEF dated xx.xx.20XX].

…….. [appropriate concluding sections of the report ]……


Appendix 9 - Example of an Adverse Compliance Audit Conclusion

In this example, the compliance subject matter relates to the terms of a rental agreement, and the audit revealed that none of the monthly rental payments were made by the due date. This resulted in additional charges and penalties to the audited entity. The compliance deviation is considered to be material. The introductory sections on management's and the auditor's responsibilities, and final sections of the report are similar to those set out in the example in Appendix 7.

The following short form report example is for illustrative purposes only. Some SAIs may use a long form report where findings are described in more detail in the body of the report.

........ [appropriate introductory sections of the report]……

[We have audited government agency ABC's compliance with the terms of the rental agreement with landlord DEF dated xx.xx.20XX.

Basis for the Adverse Conclusion

The terms of the rental agreement state that monthly rent for premises BBB in the amount of $xxxxx.xx is payable in advance on the first day of the month. During 20XX, none of the rental payments were made by the due date. This has resulted in government agency ABC being assessed late payment charges and penalties for the year amounting to $xxxx.xx.

Adverse Conclusion

Based on the audit work performed, we found that, because of the significance of the matter noted in the Basis for the Adverse Conclusion paragraph above, government agency ABC is not in compliance, in all material respects, with the terms of the rental agreement with landlord DEF dated xx.xx.20XX].

…….. [appropriate concluding sections of the report ]……


Appendix 10 - Example of a Compliance Audit Disclaimer

A disclaimer is issued when the public sector auditor has not been able to reach a conclusion. In this example, a compliance audit was to be conducted on government agency ABC's compliance with terms of building code CCC. Building BBB comprises 95% of ABC's building mass. Building BBB was recently damaged by an earthquake such that it is not safe to enter. The introductory sections on management's and the auditor's responsibilities, and final sections of the report are similar to those set out in the example in Appendix 7.

The following short form report example is for illustrative purposes only. Some SAIs may use a long form report where findings are described in more detail in the body of the report.

........ [appropriate introductory sections of the report]……

[We have audited government agency ABC's compliance with the terms of building code CCC dated xx.xx.20XX.

Basis for the Disclaimer

The evidence available to us for determination of whether government agency ABC was in compliance with the terms of building code CCC was limited because we were unable to obtain access to building BBB, located at address XYZ, due to earthquake damage. Building BBB comprises 95% of the building mass for which government agency ABC is responsible. There were no other satisfactory procedures we could carry out to determine if government agency ABC was in compliance with the terms of building code CCC.

Disclaimer

Based on the audit work performed, because of the significance of the matter noted in the Basis for the Disclaimer paragraph above, we are unable to, and therefore do not express a conclusion on government agency ABC's compliance with the terms of building code CCC dated xx.xx.20XX].

…….. [appropriate concluding sections of the report ]……

(Note that in situations where management is responsible for the scope limitation, this may give rise to a fundamental question as to management's integrity. In such situations, careful consideration must be given as to how, and to whom, this should be reported).


Appendix 11 - Example of an Emphasis of Matter and Other Matter(s) Paragraph

In some situations there may be a need to elaborate on particular matters which do not affect the compliance conclusion. An Emphasis of Matters or Other Matters paragraph is used in such circumstances as illustrated by the following examples. The introductory sections on management's and the auditor's responsibilities, and final sections of the report are similar to those set out in the example in Appendix 7.

........ [appropriate introductory sections of the report]……

Conclusion

Based on the audit work performed, we found that [government agency ABC's use of project funds received from donor organisation XYZ] is in compliance, in all material respects with [the terms of the funding agreement dated xx.xx.20XX].

Emphasis of Matter

We draw attention to Note xx to the project accounts which details total administrative costs of $xxxx.xx related to the agency's reporting on compliance with the terms of the funding agreement. Our conclusion has not been qualified in respect of this matter.

Other Matter

We draw attention to the fact that this report has been prepared for the use of Donor Organisation XYZ and may therefore not be suitable for another purpose.

…….. [appropriate concluding sections of the report ]……


Appendix 12 - Example of a Compliance Review Report Expressing Limited Assurance

As explained in the body of this document, the mandate of the SAI may influence the work performed and the type of conclusion expressed. The mandate of some SAIs may limit the work performed on compliance to stating that no instances of non-compliance with authorities have come to the auditors' attention during the audit that would result in the subject matter not being in compliance, in all material respects, with the applied criteria.

The following short form limited assurance report example is for illustrative purposes only. Some SAIs may use a long form report where findings are described in more detail in the body of the report.

Compliance Review Report by the SAI of XXX

[Appropriate Addressee, e.g., Donor Organisation XYZ]

Report on [Government Agency ABC's Compliance with the Terms of the Funding Agreement with Donor Organisation XYZ dated xx.xx.20XX]

We have reviewed [government agency ABC's compliance with the terms of the funding agreement with donor organisation XYZ dated xx.xx.20XX as set out in the project accounts for the year ended 31.12.20XX showing total expenditures of $ xxxxxx.xx].

Management's Responsibility

According to [the terms of the funding agreement with donor organisation XYZ dated xx.xx.20XX], management of [government agency ABC] is responsible for [preparing complete project accounts in compliance with the terms of the funding agreement].


Auditor's Responsibility

Our responsibility is to independently express a conclusion on the project accounts based on our review. Our work was conducted in accordance with the [INTOSAI Fundamental Auditing Principles and Guidelines for Compliance Audit]. Those principles require that we comply with ethical requirements and plan and perform the review so as to obtain limited assurance as to whether [the use of the project funds is in compliance, in all material respects, with the terms of the funding agreement dated xx.xx.20XX].

A review is limited primarily to analytical procedures and to inquiries applied to the project accounts, and therefore provides less assurance than an audit. We have not performed an audit, and, accordingly, express our conclusion in the form of limited assurance, which is consistent with the more limited work we have performed under this compliance review.

Conclusion

Based on the work performed, nothing has come to our attention that would indicate that [the project accounts prepared by government agency ABC] are not in compliance, in all material respects, with [the terms of the funding agreement with donor organisation XYZ dated xx.xx.20XX].

[Responses from the audited entity as appropriate, for example in summary under a heading 'Responses from the Audited Entity,' or as an appendix]

[Recommendations as appropriate, for example under a heading 'Recommendations' or as an appendix]

[Date of auditor's report]

[Auditor's signature]


The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org


Compliance Audit Guidelines - Compliance Audit Related to the Audit of Financial Statements

ISSAI 4200


Preface

The suite of compliance audit guidelines comprises the following:

• ISSAI 4000: A general introduction to guidelines on compliance audit ;

• ISSAI 4100: Compliance audit guidelines for audits performed separately from the audit of financial statements. Such work may be carried out as part of a performance audit or as a separate audit type ;

• ISSAI 4200: Compliance audit guidelines related to the audit of financial statements.


Table of Contents of ISSAI 4200

1 Introduction

2 Scope of the guidelines

2.1 Scope and Nature of a Compliance Audit

2.2 Reasonable vs. Limited Assurance

2.3 Assertion Based Reporting vs. Direct Reporting

3 Objectives to be Achieved

4 Definitions

5 Initial Considerations

5.1 Ethical Considerations

5.2 Quality Control

6 Planning and Designing a Compliance Audit

6.1 Identification of the Parties Involved / Legal Basis

6.2 Subject Matter and Subject Matter Information

6.3 Criteria

6.4 Understanding the Audited Entity and its Environment

6.5 Audit Strategy and Plan

6.6 Understanding Internal Control at the Audited Entity

6.7 Materiality

6.8 Risk Assessment

6.8.1 Risk Assessment Considerations in regard to Fraud

6.8.2 Risk Assessment Considerations in regard to Relationships between Public Sector Entities

6.9 Planning Audit Procedures

7 Performing Compliance Audits and Gathering Evidence

7.1 Gathering and Evaluating Evidence

7.1.1 Observation

7.1.2 Inspection

7.1.3 Inquiry

7.1.4 Confirmation

7.1.5 Re-performance

7.1.6 Analytical Procedures

7.2 Documentation

7.3 Communications

7.4 Considerations related to the Reporting of Suspected Unlawful Acts

8 Evaluating Evidence and Forming Conclusions

8.1 General Considerations on Evaluating Evidence and Forming Conclusions

8.2 Written Representations from Responsible Officials

8.3 Subsequent Events

9 Reporting

9.1 Form and Content of Compliance Audit Reports

9.1.1 Compliance Audit Reports

9.1.2 Reporting on Compliance Audit related to the Audit of Financial Statements

9.2 Follow-up Processes

10 Additional Guidance for Public Sector Auditors Operating in a Court of Accounts Environment

10.1 Performing Audits in a Court of Accounts

10.2 Communicating and Enforcing the Law

10.3 Processes in Various Models of Courts of Accounts

Appendix 1 - Examples of Subject Matters, Subject Matter Information and Criteria in Compliance Auditing

Appendix 2 - Examples of Sources to be used in Gaining an Understanding of the Audited Entity and Identifying Suitable Criteria

Appendix 3 - Examples of Factors Related to Assessing Risk in Compliance Auditing

Appendix 4 - Examples of Risk Factors Related to a Particular Subject Matter

Appendix 5 - Examples of Compliance Audit Procedures for Selected Subject Matters

Appendix 6 - Examples of Compliance Deviations

Appendix 7 - Example of a Compliance Audit Opinion as part of the Auditor's Report on the Financial Statements

Appendix 8 - Example of a Qualified Opinion on Compliance

Appendix 9 - Example of an Adverse Opinion on Compliance

Appendix 10 - Example of a Disclaimer on Compliance

Appendix 11 - Example of an Emphasis of Matter and Other Matter(s) Paragraph

Appendix 12 - Example of an Auditor's Report on the Financial Statements with a Reasonable Assurance Opinion on the Financial Statements and a Limited Assurance Conclusion on Compliance

1 Introduction

1. The concept of compliance audit is encompassed by the description of the purpose of a public sector audit as set out in INTOSAI's Lima Declaration: 'The concept and establishment of audit is inherent in public financial administration as the management of public funds represents a trust. Audit is not an end in itself but an indispensable part of a regulatory system whose aim is to reveal deviations from accepted standards and violations of the principles of legality, efficiency, effectiveness and economy of financial management early enough to make it possible to take corrective action in individual cases, to make those accountable accept responsibility, to obtain compensation, or to take steps to prevent – or at least render more difficult – such breaches.'

2. Compliance audit deals with the degree to which the audited entity follows rules, laws and regulation, policy, established codes, or agreed upon terms, such as the terms of a contract or the terms of a funding agreement. The concept of compliance audit is introduced in INTOSAI's Fundamental Auditing Principles (ISSAI 100.38 and 39). The concept is further described in ISSAI 4000 – Introduction to the Compliance Audit Guidelines.

3. In the public sector, the concepts of transparency, accountability, stewardship and good governance are basic and important principles. Laws and regulations may set out what activities public sector entities are charged with carrying out for the citizens, any limits or restrictions on such activities, the overall objectives to be achieved and how due process rights of individual citizens are protected. Furthermore, public funds are entrusted to public sector entities for their proper management. It is the responsibility of these public sector bodies and their appointed officials to be transparent about their actions, accountable to the citizens for the funds with which they are entrusted, and to exercise good stewardship over such funds.

4. The need to monitor that the activities of public sector entities are in accordance with the relevant authorities that govern them, and that the due process rights of citizens are protected are important public sector control functions. Through public sector auditing in general, and compliance auditing specifically, public sector auditors help to monitor that the basic principles set out above are being followed and put into operation. In the context of compliance auditing, this responsibility includes determining whether information related to a particular subject matter is in compliance, in all material respects, with relevant criteria such as relevant laws, regulations, directives, terms of contracts and agreements, etc. The result of such auditing is reported to the audited entity and the legislature. In addition, the result is normally made available to the general public. This is done to support accountability and transparency in the public sector.

5. These guidelines address aspects of compliance audit in the public sector which, in many countries, is subject to very different mandates and objectives. In a democratic system of government, accountability to the public, and particularly to its designated representatives, is an overriding aspect of the management of a public sector entity and an essential element of good public governance. Public sector entities are usually established by legislation and their operations governed by various authorities derived from legislation. Management of public sector entities is accountable for operating in accordance with the provisions of the relevant laws, regulations and other authorities governing them. Since legislation and other authorities are the primary means by which legislators control the raising and spending of money by the public sector, auditing for compliance with relevant authorities is usually an important and integral part of the audit mandate, or terms of engagement, for most audits of public sector entities. Because of the variety of authorities, their provisions may be conflicting with one another and may be subject to differing interpretations. Also, subordinate authorities may not be consistent with the directions or limits prescribed by the enabling legislation. As a result, an assessment of compliance with authority in the public sector requires considerable professional judgment and is of particular importance.

6. These guidelines (ISSAI 4200 on Compliance Audit related to the Audit of Financial Statements), concern situations where compliance audit is performed together with an audit of financial statements. They build upon INTOSAI's Fundamental Auditing Principles (referenced within this document as ISSAI 100 – ISSAI 400, previously referred to as the 'INTOSAI Auditing Standards') and have been designed to assist public sector auditors and SAIs in applying these principles. These guidelines supplement, and should be read together with, INTOSAI's Financial Audit Guidelines (ISSAI 1000-2999, referred to in this document as the 'Financial Audit Guidelines').

7. These guidelines, when applied together with the Financial Audit Guidelines, are intended to provide public sector auditors with a comprehensive set of guidance for audits of financial statements in the public sector.

8. The process generally followed in carrying out compliance audits is shown in the figure below and is described in the subsequent sections of the guidelines.

[Figure: Compliance Audit Process. Side banner: Documentation, Communication, Quality Control.]

Initial Considerations (chapters 3, 4, 5): Determine compliance audit objective and scope; Consider principles with ethical significance (e.g. independence and objectivity); Ensure quality control procedures in place.

Planning the Audit (chapter 6): Determine parties involved / legal basis; Identify subject matter and criteria; Understand the entity and its environment; Develop audit strategy and plan; Understand internal control; Establish materiality for planning purposes; Assess risk; Plan audit procedures to enable reasonable assurance.

Performing the Audit, Gathering Evidence (chapter 7): Gather evidence through various means; Continually update planning and risk assessment; Ongoing documentation, communication and control; Consider non-compliance that may indicate suspected unlawful acts.

Evaluating Evidence and Forming Conclusions (chapter 8): Evaluate whether sufficient appropriate evidence obtained; Consider materiality for reporting purposes; Form conclusions; Obtain written representations as necessary; Address subsequent events as necessary.

Reporting (chapter 9): Prepare report; Include recommendations and responses from entity as appropriate; Follow-up previous reports as necessary.

2. Scope of the guidelines

2.1 Scope and Nature of a Compliance Audit

9. In general, the mandate of the SAI determines whether the SAI carries out compliance audit activities or not. When the SAI carries out compliance audits, it is the SAI itself that is normally responsible for determining the scope and nature of the work to be performed and the appropriate audit approach. In some cases, the legislative body, such as a parliament, may request the SAI to perform a certain type of audit. Such requests may be accepted as long as the auditor's independence is not compromised. (ISSAI 200, 2.2.16) Nonetheless, it should be up to the SAI to determine the appropriate audit approach and methodology to be employed.

10. The subject matters of compliance audits are wide ranging and may vary significantly from one audit to the next. A subject matter may be general in nature or may be very specific. More guidance on compliance audit subject matters is set out in section 6.2 below.

11. The Fundamental Auditing Principles explain that compliance audit is important because government agencies, programs and activities are often the result of particular laws and regulations. Decision makers need to know whether relevant laws and regulations are being followed, whether they have the desired results, and if not, what revisions are necessary (ISSAI 300, 3.4.2). Laws, regulations, and other compliance requirements pertaining to the audited entity may be significant to the particular audit objectives, whether it is performed as a separate audit type, or related to performance audit or to an audit of financial statements. Public sector auditors therefore plan and perform work of a scope and nature that will allow them to provide a constructive report to the appropriate parties.

12. In some cases, the audit mandate may set out the audit subject matter and scope of a particular compliance audit. In other cases, the subject matter and scope of the compliance audit may be based on the professional judgment of the public sector auditor. Factors that may influence public sector auditors' determination of the audit subject matter and scope may include:

(a) Requirements set out in the audit mandate or relevant laws and regulations, such as an appropriations act or procurement act ;

(b) Previous instances of non-compliance by the entity, for example compliance deviations identified in previous audits ;


(c) Findings and recommendations in audits performed by auditors outside the SAI ;

(d) Risk assessments performed in connection with financial or performance audits indicating specific areas where there is risk of non-compliance (for example across sectors such as procurement, or large sector-specific program areas such as revenue collection, defence, welfare benefits, etc) ;

(e) Public interest or expectations (for example suspected fraud, mismanagement or areas of non-compliance identified by the media etc) ;

(f) Specific areas that are the subject of significant legislative focus (for example environmental issues and compliance with international environmental agreements) ;

(g) Requests by legislative bodies, funding agencies or donor organisations (for example compliance with the terms of funding agreements) ;

(h) Significant funding is received by the entity from donor organisations and the continued provision of such funding is subject to compliance with the terms of a contract or agreement.

13. In situations where the scope and nature of the compliance audit do not follow directly from the audit mandate or relevant legislation, but are based on the public sector auditor's professional judgment, it may be useful to inform the audited entity of the scope and nature of the audit in writing. This may assist in clarifying the understanding of the roles and responsibilities of the various parties, including what is to be covered by the audit and any particular limitations, information to be provided, the type of report to be issued and to whom, timetables, etc.

14. References to 'compliance audit' throughout this document are understood to be in the context of work carried out by SAIs, or for which the SAI is responsible.

15. For the purposes of these guidelines, compliance audit and compliance reporting are regarded as related to the audit of the financial statements if:

a) The audit opinion on compliance forms part of the auditor's report on the audit of the financial statements, or

b) The financial statements have been prepared in accordance with a financial reporting framework that requires the financial statements to reflect compliance with laws and regulations.

16. Due to the extended mandate of SAIs, in performing an audit of financial statements in the public sector, the scope and objective of the auditor is generally broader than that set out in ISA 200 (Revised and Redrafted) Overall Objectives of the Independent Auditor and the Conduct of an Audit in accordance with International Standards on Auditing. In conducting an audit of financial statements, the overall objectives of the auditor as set out in ISA 200 are:

(a) To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and

(b) To report on the financial statements, or otherwise and communicate as required by the ISAs, in accordance with the auditor's findings.

17. Compliance audit in the public sector normally has a broader scope than that set out in Redrafted ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements. The objective of the auditor as set out in ISA 250 is three-part:

a) To obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial statements;

b) To perform specified audit procedures to help identify instances of non-compliance with other laws and regulations that may have a material effect on the financial statements; and

c) To respond appropriately to non-compliance or suspected non-compliance with laws and regulations identified during the audit.

18. Additional guidance on informing the entity about the scope and nature of the audit may be found in:

• ISSAI 1210 and 1300

• INTOSAI's Implementation Guidelines for Performance Auditing section 2.3 – The institutions concerned should be properly informed

• IFAC's International Standard for Assurance Engagements (ISAE) 3000

2.2 Reasonable vs. Limited Assurance

19. The Fundamental Auditing Principles related to compliance state that the audit should be designed to provide reasonable assurance of detecting errors, irregularities and illegal acts that may significantly affect the audit objectives (ISSAI 300, 3.4.1).

20. In most types of engagements there are two types of assurance levels: reasonable (positive) assurance and limited (negative) assurance. Reasonable assurance is high, but not absolute assurance. Due to the inherent limitations of an audit (see section on risk assessment below), an audit does not normally provide 100% assurance. In general, reasonable assurance audits are designed to result in a positive form of expressing an opinion/conclusion, such as 'in our opinion the subject matter is/is not in compliance, in all material respects, with the stated criteria…' Limited assurance work is not considered an audit, but rather a review-level engagement. It provides a lower level of assurance than an audit, and is designed to result in a negative form of expressing a conclusion, such as 'nothing has come to our attention that would indicate that the subject matter is not in compliance, in all material respects, with the criteria…'

21. Both reasonable assurance audits and limited assurance reviews involve understanding the subject matter and obtaining sufficient appropriate evidence to support the public sector auditor's opinion. Reasonable assurance audits include assessing risks, performing audit procedures to respond to the assessed risks, and evaluating the sufficiency and appropriateness of the evidence obtained. In performing a limited assurance review, procedures are usually limited to analytical procedures and inquiries. The nature, timing and extent of procedures performed in both reasonable assurance audits and limited assurance reviews are determined by public sector auditors applying professional judgment. A limited assurance review may be appropriate for subject matters across entities, which may involve more complex issues than subject matters within a specific entity.

22. These guidelines are written in the context of reasonable assurance audits. For compliance audit performed together with the audit of financial statements, these guidelines provide guidance for public sector auditors reporting in the form of reasonable assurance opinions on an entity's compliance with authorities.

23. When a limited assurance review on compliance is combined with a reasonable assurance audit of the financial statements, the different responsibilities of the auditor should be clearly described.

2.3 Assertion Based Reporting vs. Direct Reporting

24. In some cases, management at the audited entity may prepare a specific assertion or a statement of compliance. In other instances the assertion may be implicit.

25. For example, when issuing financial statements, management makes implicit financial reporting assertions that having prepared those financial statements in accordance with the applicable financial reporting framework, such as International Public Sector Accounting Standards (IPSAS) or generally accepted government accounting standards in the particular country, the financial statements are prepared in accordance with the applicable framework, assets exist, and are owned by the entity and properly valued, etc. Similarly, management may make implicit assertions related to compliance with authorities.

26. In many public sector audits, there are no specific assertions or statements of compliance that the audited entity makes available to users. Rather, the subject matter information is embedded in the auditor's report – either in the form of data/information or as an explicit statement in the form of an opinion. These types of audits are referred to as direct reporting audits. Audit findings are reported in an appropriate manner to relevant parties such as the audited entity and the legislature. Reports are usually made available to the general public.

27. The form of reporting may vary depending on the auditor's professional judgment as to how to communicate most effectively with the intended users. Reports may be either short-form or long-form reports. More guidance on reporting is set out in the reporting section of this document.

28. These guidelines are developed based on direct reporting audits, but may be applied to assertion based reporting as appropriate.

3. Objectives to be Achieved

29. As noted above, ISA 200.11 (Revised and Redrafted) explains that in performing an audit of financial statements, the objective of the auditor is to obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework and to report and communicate in accordance with the auditor's findings.

30. Depending on the mandate and constitutional role of the SAI, the overall objectives of public sector auditors in performing compliance audit in connection with the audit of financial statements are to:


a) Obtain reasonable assurance about whether the activities, financial transactions and information reflected in the financial statements are, in all material respects, in compliance with the authorities which govern them, and

b) Report the findings and conclusions to the legislature and/or other bodies as appropriate.

31. For SAIs representing the Court of Accounts system, the objective is also to communicate compliance deviations to the appropriate bodies or open the process leading to a formal judgment in aspects related to the judicial function of the courts such as identification of the responsible authority/agent and determination of any potential offence.

4. Definitions

32. For purposes of these guidelines the following terms have the meanings set out below:

1) Assertion – a representation, explicit or implicit, that is embodied in the activities, financial transactions and information pertaining to the audited entity, used by the auditor in considering different types of potential deviations. In the context of compliance audit, the compliance assertion would mean that the entity, including responsible public sector officials, is acting in accordance with applicable authorities (and for audits of propriety – relevant public expectations). Assertions may be embodied in subject matter information presented by the audited entity or stated explicitly in a management representation letter.

2) Authorities – Relevant acts or resolutions of the legislature or other statutory instruments, directions and guidance issued by public sector bodies with powers provided for in statute, with which the audited entity is expected to comply. These elements are sometimes collectively referred to as 'legislative authorities' or just 'authorities'. This should not be confused with 'authorities' in the sense of bodies or persons exercising power or command such as 'law enforcement authorities' or 'regulatory authorities'. Where the intention is to refer to such bodies or persons, they are referred to specifically as 'law enforcement authorities', 'regulatory authorities', etc.

3) Compliance audit – compliance audit deals with the degree to which the audited entity follows rules, laws and regulation, policies, established codes, or agreed upon terms and conditions, etc. Compliance auditing may cover a wide range of subject matters. In general, the purpose of a compliance audit is to provide assurance to intended users about the outcome of the evaluation or measurement of a subject matter against suitable criteria.

In performing compliance audits in the context of the INTOSAI Fundamental Auditing Principles, there are two concepts of significant relevance:

a) Regularity – the concept that activities, transactions and information which are reflected in the financial statements of an audited entity are in accordance with authorising legislation, regulations issued under governing legislation and other relevant laws, regulations and agreements, including budgetary laws, and are properly sanctioned.

b) Propriety – general principles of sound public sector financial management and conduct of public sector officials.

Depending on the mandate of the SAI, a compliance audit may be an audit of regularity, or propriety, or both.

Because propriety is not readily susceptible to objective verification, it may be difficult, and in some cases impossible, to audit propriety to a level of reasonable assurance. There are often no clear and objective benchmarks against which to measure propriety – what may be acceptable in one part of the public sector may not be acceptable elsewhere.

Where SAIs have a mandate to audit propriety, criteria may not be clearly defined at the outset. The issue of suitable criteria is addressed in more detail in the following sections of this document. Where the audit mandate requires an audit of propriety, the principles outlined in these guidelines may be applied as appropriate in the circumstances. The form and content of reports on propriety may vary depending on the mandate of the SAI and the particular circumstances.

4) Compliance deviation – the audited entity's failure to comply with:

i. Authorities – for compliance audits of regularity; or

ii. General principles for sound public sector financial management and conduct of public sector officials – for compliance audits of propriety.

5) Conclusion – The auditor's report on compliance subject matters normally contains a conclusion based on the audit work performed. When compliance audit is performed together with the audit of financial statements, the conclusion may take the form of an opinion (see Opinion). The conclusion may also be expressed as a more elaborated answer to specific audit questions.

6) Legislature – The law-making authority of a country, for example a parliament. In the context of compliance audit, the legislature may also include other public sector bodies with authority for budget legislation or resolutions.

7) Opinion – The auditor's report on the financial statements may contain a clear written expression of opinion on compliance in addition to the opinion on the financial statements. An unqualified opinion may be expressed when the auditor concludes that, in all material respects, the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

8) Stakeholders – persons, groups, organizations or other types of entities with a concern or interest in public sector activities and operations, funding of public sector entities and the successful delivery of publicly funded programs.

5. Initial Considerations

5.1 Ethical Considerations

33. The Fundamental Auditing Principles set out principles with ethical significance that are taken into consideration prior to commencing the audit (ISSAI 200, 2.2.1). These principles relate to:

a) The independence of the SAI and the auditor, including political neutrality;

b) Avoidance of conflict of interest between the auditor and the audited entity;

c) The need for the auditor and the SAI to possess the necessary competence;

d) Exercise of due care and concern by the SAI and the auditor in complying with the Fundamental Auditing Principles.

34. If for some reason, the SAI or the auditor is not in a position to comply with the Fundamental Auditing Principles that have ethical significance, appropriate actions are taken to ensure that the threats to non-compliance are eliminated before commencing the audit. This may, for example, involve re-allocating staff assigned to the audit, additional training or involvement of experts.

35. Additional guidance may also be found in:

• INTOSAI's Code of Ethics

• INTOSAI's Implementation Guidelines for Performance Auditing Section 2.2 and 2.3


• IFAC's ISAE 3000


5.2 Quality Control

36. As with other types of auditing, it is important in performing compliance audits that the SAI have processes and procedures in place to ensure that the work carried out is of sufficient quality, that the public sector auditors performing such audits collectively have the necessary competence and skills, and that the work of the team is appropriately directed, supervised and reviewed. INTOSAI's Fundamental Auditing Principles establish benchmarks and provide guidance for ensuring the quality of work (ISSAI 200, 2.1.26 and 2.2.36).

37. Further guidance on quality control may be found in:

• INTOSAI's [proposed] Code of Quality and ISSAI 1220

• INTOSAI's Implementation Guidelines for Performance Auditing Appendix 4

• IFAC's International Standard on Quality Control (ISQC) 1

• IFAC's ISAE 3000

6. Planning and Designing a Compliance Audit

38. The Fundamental Auditing Principles state that the auditor should plan the audit in a manner which ensures that an audit of high quality is carried out in an economic, efficient and effective way and in a timely manner (ISSAI 300 3.1.1). Furthermore, those planning the audit need to be knowledgeable of the compliance requirements that apply to the entity being audited (ISSAI 300, 3.4.3).

39. Public sector auditors plan and perform audits while maintaining an attitude of professional skepticism.

6.1 Identification of the Parties Involved / Legal Basis

40. Public sector auditors ensure that the necessary preconditions exist in order to effectively perform the audit. In planning compliance audits, this may involve identifying at the outset the relevant parties involved. This is important in order to establish the legal basis for performing the audit, such as the mandate of the SAI, including the responsibilities of public sector auditors, and the constitutional status and responsibilities of the audited entity.

41. In addition, it is important to identify the users of the audit report. The form and content of the report are influenced by the auditor's professional judgment as to how to communicate most effectively with the intended users. The needs of users may vary depending upon whether the users are the legislature, a funding agency, a donor organisation, the citizens or other relevant stakeholders.

6.2 Subject Matter and Subject Matter Information

42. The determination of the subject matter and the subject matter information is one of the first steps to be carried out in planning and performing a compliance audit.

43. Subject matters take many forms and have many different characteristics. Subject matters may be general or very specific in nature. Some are quantitative and can often be easily measured (for example financial performance or condition), while others are qualitative and more subjective in nature (for example behaviour). Nonetheless, the subject matter should be identifiable and it should be possible to assess the subject matter against suitable criteria. Furthermore, the subject matter should be of a nature such that it is possible to gather evidence about the subject matter information sufficient to support reporting in the form of a reasonable assurance opinion.

44. In some cases the subject matter may be set out in the relevant law or audit mandate. In other cases the selection of the subject matter is a strategic choice to be made by the SAI or public sector auditors, and is based on risk assessment and professional judgment.

45. When compliance audit encompasses budgetary laws, or other relevant budgetary resolutions, the entity's revenue and financing are included, as well as its expenditure.

46. A SAI's mandate may also encompass audits of compliance with the documented budgetary assumptions and premises, prior to the applicable resolution of the legislature.

47. When performed in connection with an audit of financial statements, the subject matter of a compliance audit is generally decisions and financial management in relation to the use of appropriated funds and execution of the budget. Such a compliance audit comprises the assessment of whether the activities, financial transactions and information reflected in the financial statements (the subject matter information) are in accordance with the authorities which govern them (the criteria). Such authorities may include the applicable law, including budgetary law in particular, basic principles of law, legislative acts, parliamentary decisions, and other authoritative decisions, directions and guidelines, and agreed upon terms and conditions. Whether the entity's income and expenditure have been applied to the purposes intended by the legislature, and to the entity's mandated program objectives and activities is generally also encompassed.

48. Some examples of subject matters and subject matter information in relation to compliance auditing are set out in Appendix 1.

6.3 Criteria

49. The criteria, or the benchmarks against which the subject matter will be compared, must also be identified. In performing compliance audits, the identification of the criteria is an essential step in the audit planning process. Some examples of criteria in relation to compliance auditing are set out in Appendix 1 and 1-A.

50. Criteria may be formal, such as a law or regulation, ministerial directive or the terms of a contract or agreement. Criteria may also be less formal such as a code of conduct or principles of propriety, or they may relate to expectations regarding behaviour, for example what may be considered acceptable in regard to class of travel or levels of hospitality and entertainment at government expense if such limits are not explicitly stated elsewhere. Administrative guidelines used as criteria should be in compliance with laws and regulations. The sources used as a basis for the audit criteria can themselves be part of the compliance audit.

51. The criteria should be suitable. This means that the criteria should have the following characteristics:

a) Relevant – relevant criteria provide meaningful contributions to the information and decision making needs of the intended users of the audit report.

b) Reliable – reliable criteria result in reasonably consistent conclusions when used by another auditor in the same circumstances.

c) Complete – complete criteria are those that are sufficient for the audit purpose and do not omit relevant factors. They are meaningful and make it possible to provide the intended users with a practical overview for their information and decision making needs.

d) Objective – objective criteria are neutral and free from any bias on the part of the auditor or on the part of management of the audited entity. This means that criteria cannot be so informal that assessment of the subject matter information against the criteria would be very subjective, and may lead other public sector auditors to reach a very different conclusion.

e) Understandable – understandable criteria are those that are clearly stated, contribute to clear conclusions and that are comprehensible to the intended users. They are not subject to wide variations in interpretation.

f) Comparable – comparable criteria are consistent with those used in similar audits of other similar agencies or activities, and with those used in previous audits of the entity.

g) Acceptable – acceptable criteria are those to which independent experts in the field, audited entities, the legislature, the media and the general public are generally agreeable.

h) Available – criteria should be made available to intended users such that they understand the nature of the audit work performed and the basis for the audit report.

52. Criteria include matters that may have a significant impact on the objective of a particular audit. Therefore, in performing compliance audit, public sector auditors determine that the criteria are suitable and relevant to the subject matter and the objectives of the particular audit being performed. Once suitable criteria have been identified based on the characteristics set out above, they then must be appropriately 'operationalised' for the particular circumstances of each audit so as to be able to reach meaningful audit conclusions.

53. The determination of criteria can be straightforward, but in some cases the identification may be more complex. In some cases public sector auditors may find checklists a helpful means of gaining an overview of the suitable criteria to be used. Public sector auditors use a number of sources to assist in the identification of criteria. Some examples of such sources are set out in Appendix 2.

54. In many compliance audits, the applicable criteria will be clearly identifiable. This may be the case where a clear and uncomplicated law or regulation forms the criteria. The documented intentions or premises for resolutions of the legislature may also assist the auditor in identifying the appropriate criteria.

55. If situations arise where there may be doubt as to what is the correct interpretation of the relevant law, regulation or authority, public sector auditors may find it useful to consider the intentions and premises set out in developing the law, or to consult with the particular body responsible for the legislation. The auditors may also consider relevant earlier decisions made by judicial authorities.

56. However, when propriety is the subject matter of the compliance audit, the criteria may become more difficult to identify as they may be less formal and may include public expectations in regard to the actions and behaviour of public officials. In these cases, public sector auditors must be more thorough in their work to identify suitable criteria. The need to identify suitable criteria does not preclude public sector auditors from reporting identified breaches of what may be considered acceptable behaviour by public officials, if circumstances so warrant.

57. In the process of identifying suitable criteria, public sector auditors consider materiality related to the risk of potential non-compliance for each topic subject to audit (budgetary law, other specific laws, terms of a contract, etc., as well as propriety where relevant). Materiality considerations include both quantitative aspects (size) and qualitative aspects (nature and characteristics).

58. Public sector auditors ensure that the criteria to be used adequately reflect the topic subject to audit in its entirety. In rare cases, where the audit may be of limited scope and may only cover certain parts of a law or regulation, this limited scope should be clearly stated in the auditor's report. If public sector auditors make use of guidelines, checklists or other material provided by the audited entity or other administrative authorities for the purpose of identifying the suitable audit criteria, they must take due care in assuring through appropriate audit procedures that the material used adequately reflects the applicable law, regulation, etc.

59. In some cases, provisions of relevant legislation may be unclear, for example where an act of legislation provides that more specific provisions should be set out by the relevant administrative body and these provisions have not yet been developed. In such cases, public sector auditors clearly state in the audit report what they believe the relevant legislation requires, or that the scope of the audit has been limited and the reasons for this limitation. For example, the report may state that insufficient clarity of law has limited the audit criteria applied and that there is a need for remedial measures to be taken.

60. In some rare cases, the criteria may be conflicting, for example when there is a conflict between different sources of law and the issue has not been solved by the relevant administrative or judicial authorities. In such cases it is very important to understand the intentions behind the particular criteria and to identify any consequences arising from such conflict. It may also be necessary to elaborate on instances of conflicting criteria in the auditor's report such that remedial measures may be taken by the appropriate bodies.

61. Approaches to help identify suitable criteria in these types of dilemmas may include:


a) Applying a ‘theoretical’ approach, by allowing experts in the field to answer questions such as: 'what ought to be the ideal results under perfect conditions according to rational thinking or best-known comparable practice?' or

b) Defining and obtaining support for well-founded and realistic criteria by applying an ‘empirical’ approach involving discussions with stakeholders and decision makers.

62. The audit approach may also be broken down into parts, or the scope narrowed, such that clearly identifiable criteria may be applied.

63. Notwithstanding the above, the criteria should be made available to the intended users and others as appropriate, for example by including the criteria in the auditor's report, or making reference to the criteria if they are readily available in another format.

64. In situations where the audit criteria are, for whatever reason, not considered suitable, the SAI may encourage the appropriate bodies to formulate clearly the general principles to be followed in public sector entities for such matters.

6.4 Understanding the Audited Entity and its Environment

65. Determining the subject matter and suitable criteria as explained above are among the first steps in performing compliance audits. The process of determining the subject matter and the criteria involves public sector auditors obtaining an understanding of the audited entity and the circumstances surrounding the audit. This understanding provides public sector auditors with a frame of reference to be used in applying professional judgment throughout the entire auditing process. An understanding of the entity, its environment and relevant program areas is especially important as it will be used in determining materiality and in assessing risks. Some examples of sources that may be used in gaining this understanding are set out in Appendix 2.

66. According to ISSAI 4000, paragraph 5, the Compliance Audit Guidelines cover compliance audit at all levels of government. As a consequence, the guidelines are applicable as appropriate for a combination of entities for which an audit across the entities is planned and performed. The auditor(s)'s responsibility for the audit across entities should be clearly set out.


6.5 Audit Strategy and Plan

67. Planning the audit so that it will be performed effectively involves discussions with relevant members of the audit team, and developing an overall audit strategy and an audit plan. Both the audit strategy and the audit plan should be documented in writing. Planning is not a distinct phase of the audit, but is a continual and iterative process. The overall audit strategy and plan are updated as necessary throughout the audit. Planning also involves considerations related to the direction, supervision and review of the engagement team.

68. In establishing the overall audit strategy for the compliance audit, public sector auditors consider:

a) The objectives, scope, subject matter, criteria and other characteristics of the compliance audit, taking into account the mandate of the SAI and the elements contained in the compliance audit definition;

b) Reporting responsibilities and objectives, as well as to whom and when such reporting will take place, and in what form;

c) Significant factors that may influence the direction of the audit;

d) Materiality and audit risk assessment;

e) Knowledge gained from previous or related audits;

f) Composition and work allocation of the audit team, including any need for experts;

g) Timing of the audit.

69. Public sector auditors develop an audit plan for the compliance audit. The audit strategy is essential input to the audit plan. The audit plan includes:

a) A description of identified criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory or appropriations framework;

b) A description of the nature, timing and extent of risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria;

c) A description of the nature, timing and extent of planned audit procedures related to the various compliance audit criteria and risk assessments.

70. Planning also involves:

a) Obtaining a general understanding of the legal, regulatory and appropriations framework, as well as relevant, agreed upon terms and conditions applicable to the scope of the audit and to the audited entity ;

b) Obtaining an understanding of management's assessment of applicable laws and regulations including management's internal controls that help ensure compliance with authorities ;

c) Obtaining an understanding of the relevant authorities, including rules, laws, regulations, policies, codes, significant contracts or grant agreements etc ; and

d) For audits of propriety – obtaining an understanding of relevant principles of sound public sector financial management and expectations regarding the conduct of public sector officials.

71. Further guidance on audit planning and on audit criteria may be found in:

• ISSAIs 1210 and 1300

• INTOSAI's Implementation Guidelines for Performance Auditing Part 3 and Appendix 2

• IFAC's Assurance Framework and ISAE 3000

6.6 Understanding Internal Control at the Audited Entity

72. Understanding internal control is normally an integral part of understanding the entity and the relevant subject matter. The Fundamental Auditing Principles explain that in performing an audit, public sector auditors understand and evaluate the reliability of internal control (ISSAI 300, 3.3.1). In compliance audit, this includes understanding and evaluating controls that assist management in complying with laws and regulations (ISSAI 300, 3.3.2).

73. The particular type of controls evaluated depends on the subject matter, and the nature and scope of the particular compliance audit. In evaluating internal control, public sector auditors assess the risk that the control structure may not prevent or detect material non-compliance (ISSAI 300, 3.4.6). The internal control system in an entity may also include controls designed to correct identified instances of non-compliance. Public sector auditors obtain an understanding of internal control relevant to the audit objective, and test controls on which they expect to rely. The assurance derived from the assessment of the internal controls will help the auditors determine the confidence level and hence, the extent of the audit procedures to perform.

74. Further guidance on understanding the audited entity may be found in:

• ISSAI 1315


• INTOSAI's Implementation Guidelines for Performance Auditing Section 3.3, Subsection - Understanding the program and Appendix 1, Subsection 2-Formulating the audit question or defining the audit problem

• INTOSAI Guidelines for Internal Control Standards for the Public Sector

• IFAC's ISAE 3000

6.7 Materiality

75. Materiality consists of both quantitative and qualitative factors. In performing compliance audits, materiality is determined for:

a) Planning purposes ;

b) Purposes of evaluating the evidence obtained and the effects of identified instances of non-compliance ; and

c) Purposes of reporting the results of the audit work.

76. Public sector auditors plan and perform the audit to determine whether the subject matter information, in all material respects, is in compliance with the stated criteria.

77. As stated in the Fundamental Auditing Principles, 'Materiality is often considered in terms of value but the inherent nature or characteristics of an item or group of items may also render a matter material - for example, where the law or regulation requires it to be disclosed separately regardless of the amount involved.' (ISSAI 100, 1.0.10)

78. During the planning process, information is gathered about the entity in order to assess risk and establish materiality levels for designing audit procedures. Evidence gathered must then be evaluated as a basis for forming conclusions and for reporting purposes. Materiality is significant to this evaluation.

79. The determination of materiality for planning purposes may be straightforward. This might be the case in situations where a law or regulation, or agreed-upon terms establish an unconditional requirement for compliance, for example if the constitution prohibits overspending in relation to the approved budget.

80. Other matters that may be considered material at a lower level of value or incidence than the general determination of materiality include:

a) Fraud ;

b) Intentional unlawful acts or non-compliance ;

c) Incorrect or incomplete information to management, the auditor or to the legislature (concealment) ;

d) Intentional disregard for follow-up of requests made by management, authoritative bodies or auditors ;

e) Events and transactions made despite knowledge of the lack of legal basis to carry out the particular event or transaction.

81. In other cases the determination of materiality is normally a matter for professional judgment.

82. When evaluating evidence obtained, the determination of materiality may be influenced by quantitative factors such as the number of persons or entities affected by the particular subject matter, or the monetary amounts involved. In some cases, the qualitative factors are more important than the quantitative factors. The nature, visibility and sensitivity of the particular program area or subject matter may play a role. For example, the emphasis placed on the subject matter by users, a public accounts committee or similar committee of the legislature, or regulatory bodies may influence the determination of materiality. Public expectations and public interest are also qualitative factors that may impact the public sector auditor's determination of materiality. The seriousness of the non-compliance is also considered. While not necessarily unlawful, instances of excess spending over appropriations authorized by the legislature or introduction of a new service not provided for in the approved appropriations, may be serious instances of non-compliance by their nature.

83. In evaluating the materiality of any non-compliance identified, matters such as the criteria, the conditions, the cause and the effect of non-compliance are also considered.

84. Further guidance on materiality in relation to identified non-compliance is discussed in the section on Evaluating Evidence and Forming Conclusions below.

85. Further guidance on materiality may be found in:

• ISSAIs 1320 and 1450

• INTOSAI's Implementation Guidelines for Performance Auditing Section 5.3, Subsection – Materiality, relevance and objectivity, and Appendix 3 part 1.2, Subsection - Sufficiency of evidence

• IFAC's ISAE 3000

6.8 Risk Assessment

86. Risk assessment is an essential part of performing a reasonable assurance audit. Due to the inherent limitations of an audit, a compliance audit does not provide a guarantee or absolute assurance that all instances of non-compliance will be detected. Inherent limitations in a compliance audit may include factors such as:


• Judgment may be applied by management in interpreting laws and regulations ;

• Human errors occur ;

• Systems may be improperly designed or function ineffectively ;

• Controls may be circumvented ;

• Evidence may be concealed or withheld.

87. In performing compliance audits, public sector auditors assess risk and perform audit procedures as necessary throughout the audit. This is done in order to reduce audit risk to an acceptably low level in the particular circumstances, so as to obtain reasonable assurance as the basis for the auditor's conclusion.

88. The risks and the factors that may give rise to such risks will vary depending on the particular subject matter and circumstances of the audit. In general, public sector auditors consider the three elements of audit risk - inherent risk, control risk and detection risk in relation to the subject matter and the particular situation. In addition, the probability that the matter will occur, and the possible consequences arising if the matter should occur, are also taken into account in assessing risk.

6.8.1 Risk Assessment Considerations in regard to Fraud

89. As part of the audit, public sector auditors identify and assess fraud risk and gather sufficient appropriate evidence related to identified fraud risks through the performance of suitable audit procedures. When suspected fraud has been identified, public sector auditors take action to ensure that they respond appropriately based upon the mandate of the SAI and the particular circumstances.

90. Fraud risks and assessments of materiality in relation to fraud are considered in the context of the broader scope of public sector auditing. Examples of areas and situations that may typically give rise to fraud risks in the public sector include:

a) Grants and benefits to third parties ;

b) Procurement ;

c) Exercise of public officials' duties and power ;

d) Intentional misstatement or misrepresentation of results or information ;

e) Privatization of government entities ;

f) Relationships between public sector officials or entities.

6.8.2 Risk Assessment Considerations in regard to Relationships between Public Sector Entities


91. Relationships between various public sector entities are considered when assessing audit risk, and especially when assessing the risk of fraud or non-compliance. Such risks may, for example, relate to one entity exerting influence over another entity to take inappropriate actions. The result of these actions may be non-compliance with authorities, and in some cases the result may be an unlawful act. Furthermore, in the public sector there may be specific requirements related to activities and transactions between various public sector entities. There may also be specific reporting requirements related to such activities or transactions that may impact the planned audit procedures, the audit opinion or the auditor's report.


92. Examples of factors related to assessing risk in compliance audits are set out in Appendix 3. In addition, an illustrative example of risk factors related to a compliance audit of procurement is set out in Appendix 4.

93. Further guidance on risk assessment, and fraud risk may be found in:

• ISSAIs 1240, 1315 and 1550

• INTOSAI's Implementation Guidelines for Performance Auditing Part 3.2, Subsection - Risks or uncertainties

• IFAC's Assurance Framework and ISAE 3000

6.9 Planning Audit Procedures

94. Planning audit procedures involves designing procedures to respond to the identified risks of non-compliance. The exact nature, timing and extent of the audit procedures to be performed may vary widely from one audit to the next. Nonetheless, compliance audit procedures in general involve establishing the relevant criteria, i.e., the authorities which govern the entity, and then measuring the relevant subject matter information against such authorities. More information on audit procedures is provided in the section on performing compliance audits and gathering evidence below.

7. Performing Compliance Audits and Gathering Evidence

95. The Fundamental Auditing Principles state that public sector auditors choose and perform audit steps and procedures that, in their professional judgment, are appropriate in the circumstances (ISSAI 300, 3.4.5). The Fundamental Auditing Principles also state that the steps and procedures are designed to obtain sufficient, competent, and relevant evidence that will provide a reasonable basis for the auditor's judgments and conclusions (ISSAI 300, 3.5.1). Evaluating the entity's internal control systems and assessing the risks that the control systems may not prevent or detect instances of non-compliance are a normal part of performing compliance audits (ISSAI 300, 3.4.6).

96. The audit procedures to be performed will depend on the particular subject matter and criteria identified, as well as the auditor's professional judgment. The procedures should be clearly linked to the identified risks. When the risks of non-compliance are significant and public sector auditors plan to rely on the controls in place, such controls must be tested. When controls are not considered reliable, public sector auditors plan and perform substantive procedures to respond to the identified risks. Furthermore, additional substantive procedures are performed when there are significant risks of non-compliance. If the audit approach consists only of substantive procedures, tests of details (not only analytical tests) are performed.

97. In some rare cases it may be difficult or almost prohibitively expensive to obtain sufficient, appropriate audit evidence in order to form conclusions. In these cases, public sector auditors must consider the relationship between the costs and the benefits of gathering the evidence, as well as the consequences lack of sufficient appropriate evidence will have on the achievement of the audit objectives and on the auditor's report. The auditor's response to this situation may vary in the circumstances depending on the mandate, public interest considerations, public expectations and the ability to report such findings. The auditor may find it necessary to report on this matter specifically to the legislature or other intended users. However, such difficulty or expense is not, in itself, sufficient grounds for omitting the planned evidence-gathering procedures, even if there are no satisfactory alternative procedures.

98. Some examples of compliance audit procedures for selected subject matters are set out in Appendix 5.

7.1 Gathering and Evaluating Evidence

99. In performing a reasonable assurance audit, public sector auditors gather sufficient appropriate audit evidence to provide a basis for the auditors' conclusions. The Fundamental Auditing Principles state that 'competent, relevant and reasonable evidence should be obtained to support the auditor's judgment and conclusions regarding the organisation, program, activity or function under audit' (ISSAI 300, 3.5.1).

100. The sufficiency of evidence relates to the quantity of the evidence. The competence, relevance, reliability and appropriateness of evidence relate to the quality of the evidence. Public sector auditors exercise professional judgment in making the determination of sufficiency and appropriateness throughout the evidence gathering process.

101. The evidence gathering process is systematic and iterative and involves:

a) Gathering evidence by performing appropriate audit procedures ;

b) Evaluating the evidence obtained as to its sufficiency (quantity) and appropriateness (quality) ;

c) Re-assessing risk and gathering further evidence as necessary.

102. The evidence gathering process continues until the public sector auditor is satisfied that sufficient, appropriate evidence exists to provide a basis for the auditor's conclusion.

103. In many cases, audit sampling may be used as a means of testing to detect instances of non-compliance with authorities. The use of IT audit techniques is often helpful and in many cases is an integrated part of a compliance audit.

104. Audit evidence is gathered using a variety of techniques such as:

a) Observation

b) Inspection

c) Inquiry

d) Re-performance

e) Confirmation

f) Analytical procedures.

105. Procedures to gather audit evidence are generally grouped into two major categories:

a. Tests of controls ;

b. Substantive tests, such as analytical procedures or tests of details.

7.1.1 Observation

106. Observation involves looking at a process or procedure being performed. In performing compliance audit, this may include looking at how a bid tendering process is carried out or observing how benefit payments are processed.

7.1.2 Inspection

107. Inspection involves examining books, records and other case files or physical assets. In performing compliance audit, inspection may include examining the books and records to determine how project funds have been accounted for and comparing the accounting to the terms of the project agreement. Inspection of case files may involve examining all relevant documents to determine if recipients of benefits met eligibility requirements. Inspection may also involve examining an asset, such as a bridge or a building, to determine if it meets the applicable building specifications.

108. Public sector auditors consider the reliability of any documents inspected and keep in mind the risk of fraud and the possibility that the documents inspected may not be authentic. In cases of fraud, sometimes two different sets of books and records have been kept. Public sector auditors may also inquire with different persons as to the source of the documents, or the controls over their preparation or maintenance.

7.1.3 Inquiry

109. Inquiry involves seeking information from relevant persons, both within and outside the audited entity. Inquiry may range from formal written inquiries to more informal oral discussions. It may involve interviewing and asking questions of relevant persons, including experts. Such interviews may take place in person or virtually (for example phone calls or web-meetings). Inquiry may also involve preparing and sending questionnaires or surveys.

110. Inquiry is generally used extensively throughout an audit and complements other audit procedures. For example, when observing processes being performed, such as the benefits payment process mentioned above, inquiries are often made of relevant persons in regard to how relevant legislation, including changes and updates, is identified and interpreted. Results of inquiries may indicate that the processes are performed in different ways in different locations, which may lead to instances of non-compliance.

111. Inquiries are often made of persons outside the particular function subject to audit. For example, in addition to making inquiries of accounting personnel, it may also be relevant to make inquiries of legal or technical personnel.

112. Inquiry is generally not sufficient appropriate evidence on its own. In order to obtain sufficient appropriate evidence, inquiry is performed together with other types of procedures. Inquiry is most effective when conducted with relevant and knowledgeable persons, i.e., persons in positions of authority who are authorised to speak or give opinions on behalf of the entity.

7.1.4 Confirmation

113. Confirmation is a type of inquiry and involves obtaining, independently from the audited entity, a reply from a third party in regard to some particular information. In compliance audits, confirmation may involve the auditor obtaining feedback directly from beneficiaries that they have received the grants or other funds that the audited entity asserts have been paid out, or confirming that funds have been used for the particular purpose set out in the terms of a grant or funding agreement. Confirmation may also involve receiving guidance from the legislature as to how a specific piece of legislation is meant to be interpreted.

114. Written confirmations may also be obtained from management in regard to oral representations made during the audit. These written management representations may, for example, relate to:

a) Management's assertion of compliance with a relevant piece of legislation, the terms of an agreement, etc ;

b) Management's disclosure of all instances of non-compliance of which it is aware ;

c) Management having provided the auditor with complete information about the subject matter.

7.1.5 Re-performance

115. Re-performance involves independently carrying out the same procedures already performed by the audited entity. Re-performance may be done manually or by computer assisted audit techniques. For example, case file studies may be performed to test whether the audited entity made the correct decisions or provided the appropriate service in accordance with the relevant criteria. Process steps may be re-performed to test the appropriateness of visas or resident permits issued, or the exercise of budget authority. If the criteria for making child benefit payments involve payments to parents with children under a certain age, the audited entity's selection of recipients from a public database may be re-performed by public sector auditors using computer assisted audit techniques to test the accuracy of the entity's process. Also, if the selection of bids from a tender process is dependent upon meeting certain criteria, the bid selection process may be re-performed to test that the correct bids have been selected. Where highly technical matters are involved (for example re-performance of pension calculations or engineering models), experts may be involved.

7.1.6 Analytical Procedures

116. Analytical procedures involve comparing data, or investigating fluctuations or relationships that appear inconsistent. In compliance auditing, such procedures may, for example, involve comparing an increase in pension benefits payments from one year to the next with demographic information such as the number of citizens having reached retirement age within the last year. If the criteria relate to the terms of an agreement which state, for example, that project funding is provided based on performance levels such as the number of job placements made, then any changes in project funding might be compared to changes in employment statistics.

117. Regression analysis techniques or other mathematical methods may assist public sector auditors in comparing actual to expected results.

118. Further guidance related to evidence and evidence gathering procedures may be found in:

• ISSAIs 1330, 1450, 1500, 1505, 1520, 1530, 1610 and 1620

• INTOSAI's Implementation Guidelines for Performance Auditing Part 4 and Appendix 3

• IFAC's Assurance Framework and ISAE 3000

7.2 Documentation

119. The Fundamental Auditing Principles state that audit evidence gathered must be adequately documented (ISSAI 300, 3.5.5 and 3.5.6). Documentation in regard to compliance audits includes documenting sufficiently matters that are significant in providing evidence to support the conclusions drawn and the report issued. The audit documentation should be sufficiently complete and detailed to enable an experienced auditor, having no previous connection with the audit, to understand what work was performed in support of the conclusions (ISSAI 300, 3.5.7).

120. Documentation takes place throughout the entire audit process. Public sector auditors prepare compliance audit documentation on a timely basis, and maintain such documentation which records the criteria used, the work done, evidence obtained, judgments made and review performed. Public sector auditors prepare relevant audit documentation before the auditor's report is issued. Audit documentation is retained for an appropriate period of time.

121. Further relevant guidance for documenting compliance audits may be found in:

a) ISSAI 1230

b) INTOSAI's Implementation Guidelines for Performance Auditing Appendix 3

c) IFAC's ISAE 3000

7.3 Communications

122. Good communication with the audited entity throughout the audit process may help make the process more effective and constructive. Communication takes place at various phases and at various levels, for example:

a) During the initial planning phase, including discussing with the appropriate level of management, and those charged with governance as appropriate - within the limits of laws and regulations - the audit strategy, timing, logistics, responsibilities, suitable audit criteria and other elements of planning.

b) During the performance phase and throughout the audit, including gathering evidence and making inquiries of relevant persons as appropriate. Any significant difficulties encountered during the audit, as well as instances of material non-compliance are promptly communicated to the appropriate level of management, or to those charged with governance. Other less significant findings that are not deemed material, or do not warrant inclusion in the public sector auditor's report, may also be communicated to management during the audit. Communicating such less significant findings may also help the audited entity to remedy instances of non-compliance and avoid similar instances in the future. For this reason, many public sector auditors communicate all identified instances of non-compliance to management.

c) During the reporting phase, including issuing written reports on a timely basis to the intended users, the audited entity and others as appropriate.

123. Some SAIs can, according to their audit mandate, order the audited entity to correct identified instances of non-compliance. In doing so, public sector auditors determine whether their independence and objectivity will be impaired, and take appropriate action to avoid such impairment.

124. Further relevant guidance on communication may be found in:

a) ISSAI 1260

b) INTOSAI's Implementation Guidelines for Performance Auditing Appendix 4

c) IFAC's ISAE 3000

7.4 Considerations related to the Reporting of Suspected Unlawful Acts

125. While detecting potential unlawful acts, including fraud, is normally not the main objective of performing a compliance audit, public sector auditors do include fraud risk factors in their risk assessments, and remain alert for indications of unlawful acts, including fraud, in carrying out their work.

126. In performing compliance audits, if public sector auditors come across instances of non-compliance which may be indicative of unlawful acts or fraud, they exercise due professional care and caution so as not to interfere with potential future legal proceedings or investigations. Public sector auditors may consider consulting with legal counsel or appropriate regulatory authorities (ISSAI 300, 3.4.7). Furthermore, they may communicate their suspicions to the appropriate levels of management or to those charged with governance, and then follow up to ascertain that appropriate action has been taken. In regard to instances of non-compliance related to fraud or serious irregularities, because of the different mandates and organisational structures that exist internationally, it is up to the SAI to determine the appropriate action to be taken (ISSAI 400, 4.0.7b).

127. Due to the inherent limitations of an audit, there is an unavoidable risk that unlawful acts, including fraud, corruption or theft may occur and not be detected by public sector auditors. Fraud may consist of acts designed to intentionally conceal its existence. There may be collusion between management, employees or third parties, or falsification of documents. For example, it is not reasonable to expect public sector auditors to identify forged documentation in support of claims for grants and benefits, unless they are reasonably obvious forgeries. In addition, public sector auditors may not have investigative powers or rights of access to individuals or organisations making such claims.

128. Only a court of law can determine whether a particular transaction is illegal. Although public sector auditors do not determine if an illegal act has occurred, they do have a responsibility to assess whether the transactions concerned are in compliance with applicable laws and regulations.

129. Fraudulent transactions are, by their nature, not in compliance with the applicable law. Public sector auditors may also determine that transactions where fraud is suspected, but not yet proven, are not in compliance with the applicable law. Material unlawful acts normally result in a modified audit opinion or conclusion.

130. If suspicion of unlawful acts arises during the audit, public sector auditors, where permitted by law, may communicate to the appropriate levels of management and those charged with governance. In this case, those charged with governance are likely to be ministerial or administrative bodies higher up in the reporting hierarchy. Public sector auditors follow up and ascertain that management or those charged with governance have taken appropriate action in response to the suspicion, for example by reporting the incident to the relevant law enforcement authorities. Public sector auditors may also report such incidents directly to the relevant law enforcement authorities.

131. Further guidance on considerations when dealing with suspected fraud may be found in:

• ISSAI 1240

• INTOSAI's Implementation Guidelines for Performance Auditing Part 3, Subsection – Compliance with laws and regulations

8. Evaluating Evidence and Forming Conclusions

8.1 General Considerations on Evaluating Evidence and Forming Conclusions

132. Public sector auditors evaluate whether the evidence obtained is sufficient and appropriate so as to reduce audit risk to an acceptably low level. This evaluation includes exercising professional judgment and professional skepticism, and consideration of evidence that both supports, and seems to contradict, the subject matter information.

133. Evidence obtained is evaluated in relation to identified materiality levels in order to identify potential instances of material non-compliance. Determining the significance of findings is based on the concept of materiality as set out above. Findings from compliance audits must also be placed in proper perspective, for example reported instances of non-compliance may be based on the number of cases of non-compliance or the related monetary value (ISSAI 400, 4.0.19). SAIs operating in a Court of Accounts environment have the ability to render judgment on the accounts. In cases of non-compliance, this may result in imposing reimbursements, fines or other penalties.

134. Public sector auditors evaluate whether, based on the evidence obtained, there is reasonable assurance that the subject matter information is in compliance, in all material respects, with the identified criteria. Due to the inherent limitations of an audit, public sector auditors cannot be expected to detect all occurrences of non-compliance.

135. Public sector auditors' assessment of what represents a material compliance deviation is a matter of professional judgment and includes considerations of context as well as quantitative and qualitative aspects of the transactions or issues concerned.

136. A number of factors are taken into account in applying professional judgment to determine whether or not the non-compliance is material. Such factors may include the:

a) Importance of amounts involved (monetary amounts or other quantitative measures such as number of citizens or entities involved, carbon emissions levels, time delays in relation to deadlines, etc) ;

b) Circumstances ;

c) Nature of the non-compliance ;

d) Cause leading to the non-compliance ;

e) Possible effects and consequences non-compliance may have ;

f) Visibility and sensitivity of the program in question, (for example, is it the subject of significant public interest, does it impact vulnerable citizens, etc) ;

g) Needs and expectations of the legislature, the public or other users of the audit report ;

h) Nature of the relevant authorities ;

i) Extent or monetary value of the non-compliance.

137. Some examples of compliance deviations and considerations related to materiality and forming conclusions are set out in Appendix 6.

138. Further guidance on forming conclusions may be found in:

• ISSAI 1700

• INTOSAI's Implementation Guidelines for Performance Auditing Section 4.5

• IFAC's ISAE 3000

8.2 Written Representations from Responsible Officials

139. In evaluating evidence and forming conclusions, written representations may be obtained, as considered necessary in the circumstances, to support audit evidence obtained by public sector auditors. Such representations may state that the activities, financial transactions and information reflected in the financial statements of the entity are in compliance with the authorities which govern them, or that particular control systems have functioned effectively throughout the period under audit.

140. Further guidance on written representations may be found in ISSAI 1580.

8.3 Subsequent Events

141. Public sector auditors perform audit procedures to determine if there are events that have occurred after the completion of the field work and up until the date of the compliance audit report that may result in material non-compliance, and therefore may require particular disclosure or may impact the auditor's conclusion or report. Such procedures normally involve inquiry, obtaining written representations from management or reviewing relevant correspondence, minutes from meetings, published reports or financial information for subsequent periods (monthly, quarterly) etc. The amount of subsequent events work done may depend on the nature of the matters involved and the elapsed time between the completion of field work and the issuance of the report.

142. Further guidance on subsequent events may be found in:

• ISSAI 1560

• IFAC's ISAE 3000

9. Reporting

143. Reporting is an essential part of a public sector audit and involves reporting deviations and violations so that corrective actions may be taken, and so that those accountable may be held responsible for their actions. To this end, the Fundamental Auditing Principles state that a written report, setting out findings in an appropriate form, should be prepared at the end of each audit (ISSAI 400, 4.0.7a).

144. The principles of completeness, objectivity and timeliness are important in reporting on compliance audits. Public sector auditors take care to ensure that reports presented are factually correct, and that findings are presented in the proper perspective and in a balanced manner. This involves applying the principle of contradiction which involves checking facts with the audited entity and incorporating responses from responsible officials as appropriate.

9.1 Form and Content of Compliance Audit Reports

145. The form of the written report may vary depending on the circumstances. However, some consistency in the auditor's report may help users of the report to understand the audit work done and conclusions reached, and to identify unusual circumstances when they arise.

146. The factors that may influence the form of the compliance audit report are numerous. These factors include, but are not limited to, the mandate of the SAI, applicable legislation or regulation, the objective of the particular compliance audit, customary reporting practice and the complexity of the reported issues. Furthermore, the form of the report may depend on the needs of the intended users, including whether the report is to be submitted to the legislature or to other third parties such as donor organizations, international or regional bodies, or financial institutions.

147. Depending on the abovementioned factors, a SAI may find it appropriate to prepare either a short form report or a long form report. Long form reports (sometimes referred to as 'compliance audit special reports') generally describe in detail the audit findings and conclusions, including potential consequences and constructive recommendations, while short form reports are more condensed and generally in a more standardized format. When compliance audit is performed together with the audit of financial statements, an opinion on compliance may form part of the auditor's report on the audit of the financial statements. In such cases, the opinion on compliance is clearly set apart from the opinion on the financial statements and from the 'report on other legal and regulatory requirements' included in ISA 700.

148. Guidance is given below on the form and content of reports. For the practical purposes of these guidelines, the illustrative examples provided in Appendices 7-12 are short form reports. Due to the lengthy nature of long form reports, specific examples have not been included in the guidelines.

149. In cases where the mandate of the SAI establishes a form of reporting that differs from that envisioned in these guidelines, the guidelines may, nonetheless, be useful to public sector auditors and may be applied, adapted as appropriate in the particular circumstances.

9.1.1 Compliance Audit Reports

150. In general, the compliance audit report itself includes the following elements (although not necessarily in the following order):

a) Title

b) Addressee

c) Objectives and scope of the audit, including the time period covered

d) Identification or description of the subject matter information (and where appropriate, the subject matter)

e) Identified criteria

f) Responsibilities of the various parties (legal basis)

g) Identification of the auditing standards applied in performing the work

h) A summary of the work performed

i) An opinion

j) Responses from the audited entity (as appropriate)

k) Recommendations (as appropriate)

l) Report date

m) Signature.

151. Guidance on elements of a compliance audit report that warrant significant consideration by public sector auditors is set out below.

9.1.1.1 Identified Criteria

152. The criteria against which the subject matter is assessed are identified in the auditor's report. In performing compliance audits, the criteria may differ greatly from audit to audit. Clear identification of the criteria in the compliance audit report is therefore important so that the users of the report can understand the basis for public sector auditors' work and conclusions. The criteria may be included in the report itself, or the report may make reference to the criteria if they are contained in an assertion from management, or otherwise available from a readily accessible and reliable source.

153. In cases where the criteria are not readily identifiable, or have had to be derived from relevant sources, the criteria applied in the audit are clearly stated in the relevant section of the auditor's report. In cases where the criteria are conflicting, the conflict is explained. In such a case, the potential consequences of the situation are explained to the extent possible and recommendations are provided as appropriate.

9.1.1.2 Opinions and Conclusions

154. For items tested for compliance based on a reasonable assurance audit, the conclusion is expressed clearly as a statement of positive assurance. When compliance audit is performed together with the audit of financial statements, the conclusion may take the form of an opinion (see section below on reporting on compliance audit related to the audit of financial statements). The nature of the wording may be influenced by the mandate of the SAI and the legal framework under which the audit is conducted.

155. Where no material instances of non-compliance have been identified, the conclusion is unqualified. An example of the form for an unqualified opinion or conclusion (where appropriate wording is inserted in the brackets as applicable) may be as follows: 'Based on the audit work performed, we found that [the audited entity's subject matter information] is in compliance, in all material respects, with [the applied criteria].'

156. Public sector auditors modify their conclusions appropriately in cases of:

a) Material instances of non-compliance. Depending on the extent of the non-compliance, this may result in:

i. A qualified opinion or conclusion ('Based on the audit work performed, we found that, except for [describe exception], the audited entity's subject matter information is in compliance, in all material respects with [the applied criteria]…'), or

ii. An adverse opinion or conclusion ('Based on the audit work performed, we found that the subject matter information is not in compliance…') ; or

b) Scope limitation. Depending on the extent of the limitation, this may result in:

i. A qualified opinion or conclusion ('Based on the audit work performed, we found that, except for [describe exception], the audited entity's subject matter information is in compliance, in all material respects with [the applied criteria]…'), or

ii. A disclaimer ('Based on the audit work performed, we are unable to, and therefore do not express a conclusion…')

157. Public sector auditors provide information as to the reasons for the modified conclusions. This may be done by describing the particular instances of significant non-compliance in the report, for example in a paragraph or section preceding the conclusion and that describes the basis for that conclusion.

158. Public sector auditors may conclude that there is a need to elaborate on particular matters which do not affect the compliance opinion or conclusion. In these circumstances, public sector auditors disclose these matters through the use of an:

a) Emphasis of Matter paragraph (when the matter is presented and disclosed in the financial statements and is not materially misstated, for example to highlight a systematic weakness or an uncertainty dependent on future events such as when a competent authority has yet to determine if an item complies with the law); or

b) Other Matter(s) paragraph (for matters other than those presented and disclosed in the financial statements, and not affecting the opinion or conclusion on compliance, for example the need for the legislature to take action when a conflict between different sources of law has been identified).

Examples are set out in Appendix 11.

9.1.1.3 Responses from the Audited Entity

159. Incorporating responses from the audited entity by reporting the views of responsible officials is part of the principle referred to as the principle of contradiction. The principle of contradiction is a unique and important feature of public sector auditing. It relates to the presentation of weaknesses or critical findings in such a way as to encourage correction (ISSAI 400, 4.0.20 and 4.0.24). This involves agreeing the facts with the audited entity to help ensure that they are complete, accurate and fairly presented. It may also involve, as appropriate, incorporating the audited entity's response to matters raised, whether verbatim or in summary.

9.1.1.4 Providing Constructive Recommendations

160. The Fundamental Auditing Principles also emphasize the need for reports to be constructive. This means that the auditor's report may include, as appropriate, recommendations designed to result in improvements. While such recommendations may be constructive for the audited entity, they should not be of such a detailed nature that the public sector auditor's objectivity may be impaired in future audits. (ISSAI 400, 4.0.4, 4.0.20 and 4.0.25)

9.1.1.5 Report Date

161. The report is dated no earlier than the date public sector auditors have obtained sufficient appropriate audit evidence to support the opinion or conclusion.

9.1.1.6 Signature

162. The report is signed by the person with appropriate authority to represent the SAI. This may be the Auditor General, an authorized officer, or possibly co-signatures of two officers to whom appropriate authority has been delegated.

9.1.1.7 Limited Assurance Reports

163. These guidelines are written from the perspective of reasonable assurance audits. However, on an exceptional basis, they may be applied, adapted as appropriate, to limited assurance reviews. As explained in the scope section of these guidelines, in a limited assurance review, the conclusion (with appropriate wording inserted in the brackets as applicable) is normally expressed as follows: 'Nothing has come to our attention that leads us to believe that [the audited entity's subject matter information] is not in compliance, in all material respects, with [the applied criteria].'

164. Limited assurance reviews require a sufficient amount of work to be done in order to express a conclusion, albeit less work than that necessary to express a conclusion with reasonable assurance. Nonetheless, public sector auditors evaluate whether sufficient, appropriate audit evidence has been obtained in order to express a limited assurance conclusion.

165. In the special circumstances where limited assurance compliance audit work is performed as part of a reasonable assurance audit of financial statements, the limited assurance on compliance is clearly stated in the auditor's report and set apart from the opinion on the financial statements. An example of an auditor's report with a reasonable assurance opinion on the financial statements and a limited assurance conclusion on compliance is set out in Appendix 12.

9.1.1.8 Incidental Findings

166. Public sector auditors may often come across examples of non-compliance in connection with other types of audit work being performed. Even though the auditor was not actively looking for the existence or absence of the particular condition, public expectations might influence the decision to report such incidental findings. Although public sector auditors may report such findings, these findings are outside the scope of the compliance audit. Unless the scope of the audit is re-evaluated and the incidental findings are incorporated into the ongoing compliance audit, the auditor does not obtain or provide reasonable assurance with respect to the existence or absence of the condition related to the incidental findings. It may, however, be possible to express a conclusion with limited assurance depending on the circumstances. In any event, when such situations are reported, it is important to inform the reader of the relevant assurance level (reasonable or limited), if any.

9.1.2 Reporting on Compliance Audit related to the Audit of Financial Statements

167. When performing compliance audit related to the audit of financial statements, the conclusion on compliance with authorities may be incorporated as a compliance opinion in the auditor's report on the financial statements. In some cases a separate compliance audit report may be issued. Guidance on auditor's reports on the financial statements is set out in the ISSAI 1700 and 1800 series. Further guidance on separate compliance audit reports is provided in ISSAI 4100. Sample reports including compliance opinions are set out in Appendices 7-11.

9.1.2.1 Unmodified Compliance Opinions

168. When public sector auditors conclude that the activities, financial transactions and information reflected in the financial statements are, in all material respects, in compliance with the authorities which govern them, an unmodified opinion is expressed.

9.1.2.2 Modified Compliance Opinions

169. When public sector auditors conclude that there are material compliance deviations, the opinion expressed is either:

a) qualified (if compliance deviations are material, but not pervasive, or if public sector auditors are unable to obtain sufficient, appropriate audit evidence, and the possible effects are material, but not pervasive); or

b) adverse (if compliance deviations are material and pervasive).

170. When public sector auditors are unable to obtain sufficient, appropriate audit evidence on compliance with authorities, and the possible effects are material and pervasive, public sector auditors disclaim an opinion on compliance.

171. When the compliance opinion is modified, the reasons for the modification are explained in an appropriate 'Basis for the Modified Opinion' paragraph. Some examples of modified compliance opinions are provided in Appendices 8-10.

172. When the compliance opinion is modified, public sector auditors consider the wider implications for the financial statements as a whole and for the auditor's opinion thereon.

9.1.2.3 Additional Reporting Considerations

173. In addition to the auditor's report on the financial statements (which may include opinions on both the financial statements and compliance), in some cases a SAI may issue a more detailed compliance audit special report. The purpose of such a report may be to provide the legislature, public accounts committee or similar committee of the legislature, the audited entity, or other bodies charged with governance as appropriate, with a detailed explanation beyond that given in the auditor's report on the financial statements. Public sector auditors report such compliance issues in sufficient detail to enable the relevant users to properly understand and consider these matters. Further guidance on compliance audit special reports is set out in ISSAI 4100.

174. In other cases, SAIs may issue a report with an opinion on compliance which is separate from the auditor's report on the financial statements. When such a separate report with an opinion on compliance is issued, public sector auditors may include appropriate references to the separate report in the auditor's report on the financial statements.

175. Further guidance on reporting may be found in:

• ISSAI 1700, 1705 and 1706

• INTOSAI's Implementation Guidelines for Performance Auditing Part 5

• IFAC's ISAE 3000 and International Standard on Review Engagements 2400

9.2 Follow-up Processes

176. The Fundamental Auditing Principles place emphasis on the reporting of constructive recommendations and additional follow-up as necessary in regard to correction of identified weaknesses (ISSAI 400, 4.0.26). The need for any follow-up of previously reported instances of non-compliance will vary with the nature of the non-compliance and the particular circumstances. This may include formal reporting by the auditor to the legislature, as well as to the audited entity or other appropriate bodies. Other follow-up processes may include reports, internal reviews and evaluations prepared by the audited entity or others, a follow-up audit, conferences and seminars held for, or by, the audited entity, etc. In general, a follow-up process facilitates the effective implementation of corrective actions and provides useful feedback to the audited entity and to the users of the report and to public sector auditors in planning future audits. Follow-up processes may be set out in the mandate of the SAI.

177. Further guidance on follow-up processes may be found in:

• INTOSAI's Implementation Guidelines for Performance Auditing Part 5.5

10. Additional Guidance for Public Sector Auditors Operating in a Court of Accounts Environment

178. Because of the jurisdictional status conferred on SAIs that operate in a Court of Accounts environment, such SAIs have the power to exercise judgments and decisions over the accounts and over responsible persons, including accountants and administrators (ISSAI 100, 1.0.21).

10.1 Performing Audits in a Court of Accounts

179. When performing compliance audits of individual public accounts or of the general state budget, public sector auditors in a Court of Accounts environment also:

a) Obtain reasonable assurance about whether the information presented in the individual public accounts and the underlying transactions are in compliance, in all material respects, with the authorities that govern them ;

b) Determine whether the execution of the state budget has been carried out in compliance, in all material respects, with the authorities governing it and with individual public accounts ; and

c) Report the findings to the appropriate parties.

180. The unique jurisdictional status described above may also give rise to the need for additional considerations by public sector auditors operating in a Court of Accounts environment when planning and performing compliance audits. Such matters may include:

a) Identifying the person(s) who may be held responsible for acts of non-compliance due to the potential legal implications the SAI's judgment may have on such persons. Public officials may be held personally liable for the loss or waste of public funds, requiring them to repay the full amount of any such losses ;

b) Taking into consideration the applicable prescriptive period, the actions interrupting prescription of personal liability and the exact time period for which public officials may be held liable ;

c) Distinguishing personal liability for acts of non-compliance from the liability for unlawful acts (suspected fraud). For unlawful acts there may be a need to perform additional audit procedures ;

d) Liaising with prosecutors and police as appropriate in understanding the audited entity and its environment, assessing risks of non-compliance, dealing with instances of non-compliance that may indicate fraud, and reporting on such matters ;

e) Considering the need for additional levels of, or more formalised procedures for quality control ;

f) Performing inquiry in written form (as opposed to orally) ;

g) Ensuring that audit documentation complies with relevant rules of evidence ;

h) Communicating in a highly formalised manner ;

i) Including in the report the explicit criteria against which public officials may be held liable, including any amounts likely to be involved ;

j) Considering the most appropriate form of conclusions, including recommendations, identification of damages, or court orders that may lead to a formal discharge of responsibility or to a formal determination of liability.

10.2 Communicating and Enforcing the Law

181. Public sector auditors in Court SAIs also communicate compliance issues that may result in legal action, damages or prosecution for a criminal offence to the judge, attorney or section responsible for dealing with judgment issues within the Court, or to other bodies as appropriate. In addition, Court SAIs may also communicate remarks of a more general, or informative nature resulting from the audit work to appropriate officials of the audited entity.

182. When enforcing the law regarding public officials, decisions taken by Court SAIs are subject to:

a) Due process of law and public hearing ;

b) Public disclosure ;

c) Communication to appropriate law enforcement authorities when there is evidence of a criminal offence.

10.3 Processes in Various Models of Courts of Accounts

183. For SAIs operating in a Court of Accounts environment, the work performed may involve various phases including audit, instruction and formal judgment.

184. Some SAIs operating in a Court of Accounts environment follow the audit process as it is described in these guidelines. However, following the planning, performance and evidence gathering phases, there may then be additional and specific issues that may lead to opening the process of instruction and to a final formal judgment.

185. In the event a judge or attorney decides on instructing a case, the objective of instruction is to gather enough evidence on the guilt or innocence of the public official who allegedly caused a damage, so as to allow a judgment to be made.

186. In some SAIs operating in a Court of Accounts environment, the auditors may also act in the role of judges and may be empowered to both audit and give formal judgments. In these cases, the instruction phase is an integral part of the audit planning, performance and evidence gathering phases, such that the audit is planned with a view to covering all these phases.


Appendix 1 - Examples of Subject Matters, Subject Matter Information and Criteria in Compliance Auditing

The following table is intended to give examples of subject matters, subject matter information and relevant criteria. The list is not intended to be an exhaustive overview. The particular subject matter, subject matter information and criteria will vary depending on a variety of matters such as the mandate of the SAI and the objective of the particular audit.

Subject matterSubject matter

information Criteria

1.

More specific guidanceon this particular topicis included in Appendix1-A.

Financial information suchas financial statements

2. Financial performance, Project financial informationfor example revenues / project accountsin the form of:

176 | C o m p l i a n c e A u d i t G u i d e l i n e s

Financial performance and use of appropriated funds This may involve budget execution, including testing that funds have been used in accordance with the purposes and intentions as decided by the legis-lature. In many SAIs this type of compliance audit may be related to regularity audit, includ-ing the audit of finan-cial statements.

Relevant legislation relating to use of federal government funds (eg a 'single audit act'). The mandated activities of the audited entity. The terms of the funding agreement

Relevant budget legis-lation such as an appro-priations act approved budget

other similar types of funds and how they have been used

funds from federal governments

project funds from donor agencies

Page 184: ISSAI Guidelines on Compliance Audit - Comptroller … 100 Fundamental Principles of Public Sector Auditing The International Standards of Supreme Audit Institutions, ISSAI, are issued

177 | C o m p l i a n c e A u d i t G u i d e l i n e s

Subject matter Subject matter information Criteria

3 Financial information relatedto the use of the grant.

4 Financial information relatedto the contract or loanagreement

5 Procurement Financial information

6 Expenditures Financial informationStatement of compliance

Relevant budget legislationsuch as an appropriations actOther relevant legislation

Relevant ministerial directives,government policy requirementsand resolutions of the legislature.

The terms of a contract.

7 Program activities Activity indicators or reports

Financial performance, for example revenues in the form of grants, and how the revenues have been used.

Financial performance, for example revenues or expenditures in accord-ance with a contract or loan agreement, and how they have been used.

The mandated activities of the audited entity The terms of the grant agreement.

The terms of the contract or loan agreement.

Relevant agreed levels of performance such as those set out in laws and regulations, ministerial directives, goals agreed by the legislature or the entity, international treaties, protocols, conventions or agreements, a service level agreement, the terms of a contract, generally established industry standards, or reasonable public expectations.

Relevant procurement legislation and regulations (national and international) The terms of a contract with a supplier.


Subject matter Subject matter information Criteria

For example:

number of qualified nurses and doctors per number of citizens

number of miles of road paved

number of months required to process benefit payments or building permits

frequency and quality of accounting information to be provided by a service organisation

measures of results related to water quality, etc.

8 Service delivery Relevant legislation or directives

9 Probity of a public administrative decision Citizen complaints register Relevant legislation or directives

Publicly reported information

10 A statement of compliance Relevant legislation or directives in areas such as human and civil rights, gender equality, workplace, environment, etc.

with CSR (or lack thereof)

11 Behaviour / Propriety A statement of compliance, Relevant legislation or directives covering behaviour of public sector officials A code of ethics internally.

for example a statement of independence (legal competence)

Corporate Social Responsibility (CSR), for example the audit of publicly funded projects in developing countries

number of kindergarten places related to number of eligible children

number of building inspections to be performed within a particular time period

A statement of service delivery Publicly reported information


Subject matter Subject matter information Criteria

12. Membership obligations A statement of compliance Agreed terms of membership.

13. Processes related to health and safety A statement of compliance

Financial transactions

14. Processes related to environmental protection A statement of compliance Financial transactions

15. Internal control processes

A statement of compliance . An internal control framework, for example COSO, CoCo8 or

8 COSO – Committee of Sponsoring Organizations of the Treadway Commission. CoCo = Criteria of Control Board, The Canadian Institute of Chartered Accountants.


. developed code of conduct.

. Stated values or leadership principles,

. Internal policies, manuals and guidelines,

. The terms of reference of the organisation, the bylaws or similar,

. The terms of a contract (eg agreed confidentiality or quarantine arrangements subsequent to certain employment situations).

In the public sector this 'statement' may sometimes be implicit and related to the concepts of probity and propriety. (see section on criteria above).

. Relevant occupational health and safety legislation, for example, related to handicap access

. Policies, processes, manuals, guidelines etc.

. Relevant environmental legislation, for example, related to water quality, waste disposal or carbon emissions levels

. The terms of international environmental treaties, protocols, conventions or agreements

. Policies, processes, manuals.


Subject matter Subject matter information Criteria

Financial transactions

16. A statement of compliance

Financial transactions

17. Physical characteristics

18.


similar, or internal control requirements set out in relevant legislation or generally accepted within a jurisdiction, Policies, processes, manuals, guidelines etc.

Processes particular to the entity's activities and operations, such as payment of pensions or social benefits, processing passport or citizenship applications, assessing fines or other forms of penal sentences

Tax revenues, taxpayer obligations or other obligations involving reporting to regulatory authorities

A specifications document or the physical object itself

Individual or corporate tax returns

Other tax forms submitted to regulatory authorities (such as VAT forms, reporting forms for agencies operating within regulated industries such as banking and finance, pharmaceuticals, etc)

Relevant legislation or directives,

Policies, processes, manuals, guidelines etc.

The terms of a construction contract, or other type of contract.

A building code (size, height, purpose, density measures for a particular zoned area, etc),

Relevant legislation or industry specific codes,


A tax code, revenue code or similar.


Appendix 1-A – Examples of Audit Criteria when Compliance Audit is Performed together with the Audit of Financial Statements

The following are illustrative examples of audit criteria that may be applied when examining whether the income and expenditures of the audited entity are in compliance with authorities, including budget legislation.

Income and revenues

1. constitutional provisions or other basic principles concerning the government's authority to impose taxes, demand fees or sell goods and services or real estate;

2. provisions of tax law determining the object of taxation;

3. provisions on the calculation of taxes, custom duties and other levies;

4. provisions on the systems and procedures to withhold and collect taxes;

5. provisions on tax control;

6. provisions and principles of budgetary, competition or other law regulating sales of goods and services or real estate by public authorities;

7. provisions and principles on the proper calculation of prices and fees;

8. budget appropriations to obtain income;

9. provisions or common practice that serves to prevent corruption and ensure that sales of goods, services and real estate are processed through transparent procedures in accordance with principles of legality and equality;

10. principles that serve to maximize revenue and prevent loss of payments;

11. provisions and principles regarding the terms of payment, the access to give credit, demand guarantees and on the collection of debts.

Operational expenditures

1. principles that serve to ensure economy and efficiency by optimizing the number and composition of the staff;

2. provisions regulating the salaries, pension and other remuneration of staff;

3. provisions regulating the number and categories of staff that may be employed;

4. provisions and principles on reimbursement of personal expenses of staff;

5. provisions and principles of budgetary, competition or other law on the procedures of public procurements;

6. provisions and principles for acquiring goods and services;

7. principles on rights and obligations in contracts and provisions of agreements with suppliers of goods and services;

8. provisions, principles and common practice limiting the use of funds for external representation or internal staff purposes;

9. provisions and principles regarding housing rents, and rental and leasing of goods;

10. provisions and common practice regarding the procedures for processing of payments and internal controls.

Expenditure on construction, infrastructure, IT-systems and other large scale investments (in addition to operational expenditure)

1. provisions in regard to feasibility studies, projecting and budgeting;

2. provisions and principles of sound management of public funds concerning public tenders and the choice of suppliers;

3. industry standards and standard contracts;

4. principles concerning contracting provisions, sound project management and budget control;

5. provisions and principles of adequate quality management in the construction/development phase and at deliverance;

6. measures against corruption and uncompetitive behaviour.

Grants, entitlements, guarantees and other financial contributions to enterprises, organisations or individuals

1. provisions on the purpose of the scheme and limits on how the funds may be used;

2. principles of equality, objectivity and transparency in the process of inviting applications and allocating grants;

3. criteria of eligibility;

4. provisions regarding accounting, control and audit of recipients;

5. conditions imposed by the administration's decisions or agreements with beneficiaries;

6. provisions on the coverage of guarantees and the conditions under which they should be paid;

7. provisions on calculation of amounts;

8. provisions on the process of payment including conditions concerning advance payments, subsequent reimbursements and/or the final settlement.


Appendix 2 – Examples of Sources to be used in Gaining an Understanding of the Audited Entity and Identifying Suitable Criteria

The following is an illustrative, but not exhaustive list of sources that public sector auditors may use in identifying suitable audit criteria:

a) Laws and regulations, including the documented intentions and premises for establishing such legislation;

b) Budgetary legislation / approved budget or appropriations;

c) Documents of the legislature related to budgetary laws or resolutions, and to the premises or particular provisions for use of approved appropriations, or for financial transactions, funds and balances;

d) Legislative or ministerial directives;

e) Information from regulatory authorities;

f) Official records of meetings of the legislature, public accounts committee or similar committee of the legislature, or other public bodies;

g) Principles of law;

h) Legal precedent;

i) Codes of practice or codes of conduct;

j) Internal descriptions of policies, strategic and operational plans and procedures;

k) Manuals or written guidelines;

l) Formal agreements, such as contracts;

m) Loan or grant agreements;

n) Industry standards;

o) Well established theory (for example theory for which there is general consensus. Such theory may be obtained, for example, from published information such as technical literature and methods, professional journals, etc, or through inquiry with knowledgeable sources such as experts in a particular field);

p) Generally accepted standards for a particular area (such standards are normally clearly identifiable standards that have their source in some form of legislation and that are a result of established practice and legal precedent, for example 'generally accepted accounting principles' in a particular country);

q) For audits of propriety: Principles for sound public sector financial management and conduct of public sector officials. Principles of conduct may arise from the legislature's or public expectations regarding the behaviour of public sector officials. In some cases, these principles may be documented in only fragmentary ways. They may, in some cases, only be defined as a result of their breach.


Additional sources which public sector auditors may use to obtain an understanding about the audited entity, its environment and relevant program areas may include:

a) The entity's annual report;

b) Legislative propositions and speeches;

c) Websites;

d) Published reports, articles in newspapers or journals, other media sources, etc;

e) Knowledge obtained from previous audits;

f) Information gathered through meetings and other communication;

g) Minutes of Board or other management meetings;

h) Internal audit reports;

i) Official statistics.


Appendix 3 – Examples of Factors Related to Assessing Risk in Compliance Auditing

The following are examples of factors that may be considered in assessing risk in a compliance audit. The list is not intended to be exhaustive, and the factors will depend on the particular audit circumstances.

The Audited Entity's Objective and Mandate

1. Are the audited entity's objective, mandate and legal capacity clearly stated and readily available?

2. Have there been recent changes in mandate, objectives or program areas?

3. Are program areas or relevant subject matters clearly identifiable?

4. Do program areas overlap considerably with other entities such that there is a risk of duplication or of fragmentation?

Organisational Structure

1. What is the legal basis of the entity (ministry, directorate, agency etc) and from where does it derive its authority?

2. Does the audited entity have clearly defined roles and responsibilities, and related authority attaching to these?

3. Are these roles, responsibilities and authorities clearly communicated and understood throughout the entity?

4. If the entity is part of a hierarchic structure, and another entity is responsible for supervision of the audited entity, how does such supervision take place?

5. Does the organisation focus on risk assessment and risk management, including risks of non-compliance, in its operations?

6. Have there been recent organisational changes?

7. Are any activities outsourced to other entities?

8. If activities are outsourced, how is compliance and performance monitored?

9. Are there other potential risks associated with outsourcing?

10. Do personnel have adequate competence and ethical behaviour?

11. Do personnel seek relevant information and is relevant information easily accessible?

12. Is information communicated on a timely basis in the organisation?

13. Are there any aspects of organisational structure that could give rise to greater risk of fraud?

Political Considerations

1. To which level of government does the particular entity belong and does it have relations to other levels of government?

2. What are the responsibilities (constitutional or other) of the relevant minister, or of entity management?

3. What is experience in dealing with the entity's political vs. administrative management?

4. Is there political consensus, or are differing views freely expressed?

5. How is the political management comprised?

6. What are program areas of political focus, visibility and sensitivity?

7. How does the working relationship between political and administrative management function?

8. Are there any areas of particular public interest?

9. What is experience in relation to one entity exercising unfavourable influence on other related entities in the public sector hierarchy?

10. Are there any political considerations that could give rise to greater risk of fraud?

11. Do laws and regulations contain requirements for political neutrality related to the use of resources and funds, and what is past experience in this area?

Laws, Regulations and Other Relevant Authorities

1. Is it clear which laws, regulations and authorities apply to the audited entity and the particular subject matter?

2. Are there overlaps or inconsistencies between different sets of legislation?

3. Is the entity a lawmaking body, and if so what impact can the lawmaking process have on the rights of individuals?

4. If the entity is a lawmaking body, has it delegated any authority to other entities, such as regulatory authorities or private sector entities?

5. Is relevant legislation relatively new, or is it well established?

6. If new, is it clear in terms of form and content such that it may be clearly understood and applied?

7. If well established, has legal precedent been consistent such that the legislation is clearly understood and applied?

8. Is the relevant program area subject to significant application of judgment in its operations?

9. If a significant amount of judgment is applied, is this done in accordance with the intentions behind the laws and regulations?

10. If a significant amount of judgment is applied, is it applied consistently?

11. Are other bodies involved in interpreting or supplementing the relevant legislation?

12. Has the entity carried out its duties on a timely basis such that individual rights have not been compromised, and there have not been significant negative financial consequences due to passiveness?

13. Have channels for complaints and appeals for affected parties been used appropriately?

14. Have any individual's / organisation's rights been compromised in any way through the entity's interpretation and application of particular legislation or regulations?

15. Are there any aspects of laws, regulations or other authorities that could give rise to greater risk of fraud?

Significant Events and Transactions

1. Are there any significant events or transactions that may give rise to significant risks or fraud risks (eg significant procurement contracts, long term construction contracts, dealings in financial instruments such as foreign exchange contracts, significant loans or financial speculation, privatisation etc)?

2. Does the entity possess the necessary authority and competence to enter into and carry out significant events and transactions?

3. Have experts been engaged in connection with significant events and transactions?

4. If experts have been engaged, what precautions have been taken to ensure their competence and objectivity?

5. How is the work of experts monitored?

Management

1. Is there stability in the management team or have there been changes in key personnel?

2. How are members of management recruited (open and transparent processes with real competition, or token process)?

3. Is management actively involved in assessing risk on a continual basis?

4. Has management considered the consequences of changes in the entity's environment and the impact this may have on the audited entity?

5. Is management conservative in its approach or more willing to take risks (eg what is the 'risk appetite')?

6. What initiatives has management taken to identify and avoid significant risks that could have an adverse impact on the entity?

7. Are risk evaluations that are performed throughout the entity effectively communicated to management at the appropriate levels?

8. Does management actively monitor and evaluate the consequences of their decisions and actions?

9. Have previous audits identified instances of non-compliance, fraud, unlawful acts, unethical behaviour, management bias, etc?

10. How does management balance the achievement of program objectives with the need to manage risk, and ensure compliance with laws and regulations etc?


Appendix 4 - Examples of Risk Factors Related to a Particular Subject Matter

Procurement is a typical subject matter for compliance audits. The following table gives some examples of risk factors relating to a compliance audit of procurement. The list is not intended to be exhaustive. The relevant risks and risk factors will vary depending on the subject matter and the circumstances of the particular audit.

Examples of Risk Factors Related to the Audit of Procurement

Inherent risk

1. Lack of relevant procurement legislation;

2. Recent changes to the procurement legislation (e.g. to conform to international legislation);

3. Complex or unclear legislation, or legislation open for interpretation;

4. Significant monetary amounts are involved such as defence procurement;

5. Audit findings from the prior year revealed compliance deviations in regard to procurement legislation and directives;

6. Previous suspicions or instances of fraud and corruption involving management and key staff;

7. Inspections by regulatory authorities (eg competition authorities);

8. Complaints received from potential suppliers about unfair practices related to awarding tenders;

9. Potential conflicts of interest.

Control risk

1. Lack of good internal guidelines, including lack of clear and objective criteria;

2. Recent changes in general or application controls related to procurement IT systems;

3. Poor quality-control or weak monitoring activities related to suppliers;

4. Weak or non-existent controls regarding suppliers' compliance with ethical guidelines;

5. Non-existent or poor quality monitoring activities related to compliance with relevant legislation.

Detection risk

1. Audit procedures are ineffectively designed (eg performing procedures that only involve checking transactions that are recorded, and not checking for completeness; or making inquiries only of staff in the procurement department and not of others such as administration or facilities management staff, suppliers or agencies that register complaints);

2. Incentives may lead management to intentionally withhold or conceal evidence (for example, suppliers may make bribes or give kickbacks) ;

3. Possible management collusion or override of controls.


Appendix 5 - Examples of Compliance Audit Procedures for Selected Subject Matters

This table shows illustrative examples of possible compliance audit procedures in the areas of environmental legislation and project funds from donor organisations. It is not intended to be an exhaustive list of procedures. Audit procedures must be designed for the particular audit circumstances and objectives.

Sample audit procedures

Subject matter: Environmental legislation

1. Obtain an overview of relevant environmental legislation to which the entity is required to adhere;

2. Inquire with management, and internal audit as applicable, as to the processes and routines in place to ensure compliance with relevant environmental legislation;

3. Review manuals and systems descriptions to understand the processes and relevant controls. Document the process and identify key controls. Test key controls as necessary ;

4. Perform a media search, and other databases as applicable, to identify previous instances of non-compliance by the entity ;

5. Review any inspection reports, including those of internal audit as applicable. Follow up any areas that may indicate significant risks of non-compliance with environmental legislation ;

6. Confirm that the audited entity has necessary permits and registration certificates as appropriate. Evaluate procedures to ensure that these remain valid and up to date ;

7. Review minutes of meetings of environmental, or health and safety committees. Follow up as necessary ;

8. Interview selected staff as to their understanding of relevant policies and procedures in place, including training, and how these procedures operate in practice ;

9. Inquire with management, and legal counsel as appropriate, as to any previous, existing or potential environmental liability claims. Consider the causes and effects/impacts of any such claims ;

10. Observe processes and routines in practice (eg waste disposal – properly stored and disposed of, etc) and document appropriately (eg photo or video evidence may be relevant).


Sample audit procedures

Subject matter: Project funds received from a donor organisation

1. Obtain an overview of the funding agreement and any relevant legislation, directives, mandates, etc to which the entity is required to adhere;

2. Inquire with management, and internal audit as applicable, as to the processes and routines in place to ensure compliance with the terms of the funding agreement and relevant legislation, directives, mandates, etc. Inquire as to routines to ensure appropriate accounting and disclosure;

3. Review manuals and systems descriptions to understand the processes and relevant controls related to compliance with such funding agreements. Document the process and identify key controls. Test key controls as necessary ;

4. Perform analytical procedures for assessing risks, and substantive procedures as considered necessary. For example, compare any financial information, including project accounts, with budget and prior year(s). Follow up suspected deviations as necessary in the circumstances. Review project accounts for unusual or significant transactions. Follow up as necessary ;

5. Select a sample of transactions related to project funds. For each transaction selected, test compliance with the terms of the funding agreement and any relevant legislation, for example:

• requirements related to use of funds

• proper approval and authorization

• reporting requirements

• proper accounting and disclosure, including appropriate accounting policies and recording transactions in the appropriate periods, etc.

6. Where project funds have been used for specific purposes, assess the need to perform physical inspections. Follow up as appropriate;

7. Review related correspondence, minutes of meetings etc to identify any relevant matters. Follow up as necessary;

8. Consider the need to obtain any written confirmations from third parties and follow up as appropriate;

9. Consider the need to obtain specific written representations from management in regard to the funding agreement;

10. Perform cut-off testing and review after the period end as necessary to ensure funds are accounted for in the appropriate period.


Appendix 6 - Examples of Compliance Deviations

The following table provides some examples of compliance deviations and includes considerations related to materiality and forming conclusions. The comments related to materiality and forming conclusions are not intended to be definitive assessments of whether the particular example constitutes a material compliance deviation or not, but rather to highlight relevant considerations. The determination of materiality will depend on the particular circumstances and the professional judgment of the public sector auditor.

Example of Compliance Deviation / Considerations Related to Materiality and Forming Conclusions

1. Example of compliance deviation: During the year, a government agency received budget appropriations through the Ministry of Education for national educational purposes. The agency's grant expenditure for the year included $10 million to overseas high tech manufacturers.

Considerations related to materiality and forming conclusions: Based on the legislation governing the government agency, the agency did not have the power to make grants to overseas bodies. The non-compliance may be material because the grant expenditure was paid out to overseas bodies and was therefore not in compliance with relevant authorities, nor was it applied to the purposes intended by the legislature.

2. Example of compliance deviation: During the year, a government agency incurred expenditures of $100 in excess of the total expenditure of $5000 authorised by the budget approved by the legislature.

Considerations related to materiality and forming conclusions: In this case, actual expenditures were in excess of amounts authorised through the approved budget. This non-compliance may be material because it was a clear violation of clearly established authorities. Depending on the circumstances, including the type of expenditures, it may also be very sensitive in nature.

3. Example of compliance deviation: A citizen is entitled to a monthly pension of $1000. The government agency has only been paying out $900 per month. The payments were also made after the dates stipulated in the legislation.

Considerations related to materiality and forming conclusions: Although the monetary amounts involved may not be material to the financial statements of the government agency, the consequences of the non-compliance are likely to be very significant to the individual pensioner living on a fixed income. If the non-compliance is due to a system weakness, the non-compliance may also affect many other citizens. The non-compliance may therefore be material in terms of the impact on citizens and society in general.

4. Example of compliance deviation: A single mother is entitled to monthly child benefits for each child under age 18. The government agency has paid out child benefits for a 19 year old child.

Considerations related to materiality and forming conclusions: While this compliance deviation may have been positive for the recipient, it is not in accordance with the legislation and its intentions, and may therefore be unfair to other beneficiaries. If the non-compliance is due to a system weakness, the non-compliance may also affect many other citizens. The non-compliance may therefore be material in terms of the impact on citizens and society in general.

5. Example of compliance deviation: The terms of a building code require annual inspections to be performed. The government agency has not performed inspections for the past five years.

Considerations related to materiality and forming conclusions: The non-compliance may be significant due to qualitative aspects such as safety implications. Although no particular monetary amounts are involved, the non-compliance may be material due to the potential consequences it may have on the safety of the building occupants. In the event of a disaster, there is also a risk that the non-compliance may result in significant liability claims which could have material financial implications for the government agency as well.

6. Example of compliance deviation: The terms of a funding agreement state that the recipient of the funds must prepare financial statements and send them to the donor organisation by a certain date. The financial statements have not been prepared and sent by this date.

Considerations related to materiality and forming conclusions: The non-compliance may or may not be material depending on whether or not the financial statements were subsequently prepared and sent, the extent of the delay, the reasons for the delay, any consequences that may arise as a result of the non-compliance, etc.

7. Example of compliance deviation: Significant system weaknesses were identified in relation to revenues collected in accordance with a tax code. The weaknesses were due to incorrect interpretation of the tax code by the audited entity. Numerous instances of taxpayers being assessed more than they were obligated to pay were identified.

Considerations related to materiality and forming conclusions: This type of compliance deviation relates to the due process rights of individual citizens. Certain citizens were being assessed too much tax, while others were not being assessed at all. Depending on the circumstances, and because it involves a system weakness, the deviation may be both


Appendix 7 – Example of a Compliance Audit Opinion as part of the Auditor's Report on the Financial Statements

As explained in the body of this document, the reporting format may vary depending on the mandate of the SAI, relevant legislation, customary reporting practices, the complexity of the issues to be reported, etc. However, some consistency in the reporting format may help users of the auditor's report to understand the work performed and the conclusions reached, as well as to identify unusual circumstances when they arise.

The following 'short form' report example is for illustrative purposes only. Some SAIs may use a 'long form' report where findings are described in more detail in the body of the report, before the conclusion or opinion section. The form and content of the opinion section may also vary depending on the particular mandate of the SAI.

Audit Report by the SAI of XXX

[Appropriate Addressee, eg Legislature, Parliament, etc]

Report on the Financial Statements

We have audited the accompanying financial statements of government agency ABC, which comprise the statement of financial position as at December 31, 20X1, and the statement of financial performance, statement of changes in net assets/equity and cash flow statement for the year then ended, and a summary of significant accounting policies and other explanatory notes.

Management’s Responsibility for the Financial Statements

According to [State name of legislation/regulations setting out management's responsibilities], management is responsible for the preparation and presentation of these financial statements⁹ in accordance with [State the applicable accounting standards: International Public Sector Accounting Standards, generally accepted government accounting principles for country XYZ, etc]. This responsibility includes the design, implementation and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error.

9 Wording is based on ISA 700 and compliance frameworks common in the public sector. For wording in relation to fair presentation frameworks, see ISA 700.


Auditor’s Responsibility

Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with [State the applicable auditing standards: for example the INTOSAI Fundamental Auditing Principles and Guidelines, International Standards on Auditing¹⁰, generally accepted government auditing standards for country XYZ, etc]. Those standards require that we comply¹¹ with ethical requirements and plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, internal control relevant to the entity's preparation and presentation of financial statements is considered in order to design audit procedures that are appropriate in the circumstances, but not for the purposes of expressing an opinion on the effectiveness of internal control.¹² An audit also includes evaluating the appropriateness of accounting policies used, the reasonableness of accounting estimates made by management, as well as evaluating the presentation of the financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Opinion

In our opinion, the financial statements of government agency ABC for the year ended December 31, 20X1 are prepared, in all material respects, in accordance with [State the applicable accounting standards: International Public Sector Accounting Standards, generally accepted government accounting principles for country XYZ, etc].

Report on Other Legal and Regulatory Requirements

[Form and content of this section of the auditor's report will vary depending on the nature of the auditor's other reporting responsibilities.]

[In some jurisdictions, the auditor may have additional responsibilities to report on other matters that are supplementary to the auditor's responsibility to express an opinion on the financial statements, as described in ISA 700, paragraphs 35-36 and A37-A38.]

10 Auditors may not state compliance with ISAs unless auditors have complied with ISA 200 and all ISAs relevant to the audit. If stating compliance with ISAs, auditors are directed to ISA 700 for more specific wording.

11 Wording to be adapted as necessary based on the standards / guidance applied

12 Wording to be revised appropriately if an opinion on internal control is to be expressed

Report on Compliance

[Note: The form and content of this part of the audit report will vary with the circumstances and depending on the SAI's mandate and other reporting responsibilities].

Management's Responsibility for Compliance

In addition to the responsibility for the preparation and presentation of the financial statements described above, management is also responsible for ensuring that the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

Auditor's Responsibility

In addition to the responsibility to express an opinion on the financial statements described above, our responsibility includes expressing an opinion on whether the activities, financial transactions and information reflected in the financial statements are, in all material respects, in compliance with the authorities which govern them. This responsibility includes performing procedures to obtain audit evidence about whether the agency's expenditure and income have been applied to the purposes intended by the legislature. Such procedures include the assessment of the risks of material non-compliance.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

Opinion on Compliance

In our opinion, in all material respects, the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

[Include responses from the audited entity as appropriate, for example after the Opinion paragraph, in summary under a heading 'Responses from the Audited Entity,' or as a separate appendix]


[Include constructive recommendations as appropriate, for example after the Opinion paragraph, in summary under a heading 'Recommendations' or as a separate appendix]

[Auditor’s signature]

[Date of the auditor’s report]

[Auditor’s address]


Appendix 8 – Example of a Qualified Opinion on Compliance

This example reflects the situation where there has been non-compliance with authorities, in particular the relevant legislation and the purposes and intentions of the legislature. The auditor has determined that the effects are material, but not pervasive. The introductory sections of the report, and sections following the compliance opinion, are unchanged from the example in Appendix 7.

........ [appropriate introductory sections of the report]……

Report on Compliance

........ [appropriate introductory text]……

Basis for Qualified Opinion on Compliance

During the year, government agency ABC received budget appropriations through the Ministry of Education for national educational purposes. Our audit revealed that grant expenditure for the year included $10 million to overseas high tech manufacturers. Based on [the legislation governing the audited entity], government agency ABC did not have the power to make grants to overseas bodies. The expenditure related to grants paid out to overseas bodies has not been applied to the purposes intended by the legislature and is therefore not in compliance with the authorities which govern it.

Opinion on Compliance

In our opinion, except for the expenditures to overseas bodies as described in the Basis for Qualified Opinion on Compliance above, in all material respects the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

…….. [appropriate concluding sections of the report ]……


Appendix 9 – Example of an Adverse Opinion on Compliance

This example reflects the situation where there has been non-compliance with authorities, in particular the relevant legislation and the purposes and intentions of the legislature. The auditor has determined that the effects are material and pervasive. The introductory sections of the report, and sections following the compliance opinion, are unchanged from the example in Appendix 7.

........ [appropriate introductory sections of the report]……

Report on Compliance

........ [appropriate introductory text]……

Basis for Adverse Opinion on Compliance

During the year, government agency ABC paid out social welfare benefits totaling $500 million. Pension payments accounted for 90% of the total welfare benefits paid out. The financial statements fairly reflect the amounts paid out. However, weaknesses identified in the controls surrounding the IT systems used for making pension payments revealed that the payments were not being made on a timely basis in accordance with [State the relevant social welfare legislation, regulations, etc]. The consequence of this weakness may be a breach of the legal rights of eligible pensioners.

Opinion on Compliance

In our opinion, because of the significance of the matter discussed in the Basis for Adverse Opinion on Compliance paragraph above, the activities, financial transactions and information reflected in the financial statements are not in compliance with the authorities which govern them.

…….. [appropriate concluding sections of the report ]……


Appendix 10 – Example of a Disclaimer on Compliance

This example reflects the situation where the auditor has not been able to obtain sufficient, appropriate audit evidence in regard to expenditures being in compliance with authorities, in particular the relevant legislation and the purposes and intentions of the legislature. The auditor has determined that the effects are material and pervasive. The introductory sections of the report, and sections following the compliance opinion, are unchanged from the example in Appendix 7.

........ [appropriate introductory sections of the report]……

Report on Compliance

........ [appropriate introductory text]……

Basis for Disclaimer on Compliance

During the year, government agency ABC received budget appropriations through the Ministry of Education for national educational purposes. Our audit revealed that grant expenditure for the year as reflected in the financial statements included $10 million to a private research institution. This grant accounted for 90% of the total grant expenditures for the year.

The evidence available to us for determination of whether the grant expenditure was paid out in accordance with [State the relevant legislation, regulations, etc] was limited. Due to hurricane damage, government agency ABC was unable to provide sufficient documentation to demonstrate that the private research institution was eligible to receive such grants. There were no other satisfactory procedures we could carry out to determine if the payments were paid out in accordance with relevant legislation and therefore applied to the purposes intended by the legislature.


Disclaimer on Compliance

Because of the scope limitation described in the Basis for Disclaimer on Compliance paragraph above, we are unable to form an opinion as to whether the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

…….. [appropriate concluding sections of the report]……


Appendix 11 - Example of an Emphasis of Matter and Other Matter(s) Paragraph

In some situations there may be a need to elaborate on particular matters which do not affect the compliance opinion. An Emphasis of Matters or Other Matters paragraph is used in such circumstances as illustrated by the following examples. The introductory sections of the report, and sections following the compliance opinion, are unchanged from the example in Appendix 7.

........ [appropriate introductory sections of the report]……

Report on Compliance

........ [appropriate introductory text]……

Opinion on Compliance

In our opinion, in all material respects, the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities which govern them.

Emphasis of Matter

We draw attention to Note xx to the financial statements. This note explains the uncertainty related to the pending legal decision regarding the agency's interpretation of the requirements of environmental legislation dated xx.xx.20xx. Our opinion has not been qualified in respect of this matter.

Other Matter

We draw attention to the agency's compliance with procurement legislation dated xx.xx.20xx in force for agency ABC's jurisdiction. The terms of this legislation are contradictory to the terms of procurement legislation dated yy.yy.20yy, which is being implemented for all jurisdictions that are parties to the ZZZ general trade agreement.


This includes agency ABC's jurisdiction. There is a need for the legislature to give this matter further attention such that necessary conforming amendments to procurement legislation dated xx.xx.20xx may be enacted.

…….. [appropriate concluding sections of the report ]……


Appendix 12 – Example of an Auditor's Report on the Financial Statements with a Reasonable Assurance Opinion on the Financial Statements and a Limited Assurance Conclusion on Compliance

These guidelines are written to provide guidance for public sector auditors reporting in the form of reasonable assurance opinions on an entity's compliance with authorities. However, as explained in the body of this document, the mandate of some SAIs limits the compliance audit opinion to stating whether transactions that have come to public sector auditors' attention in the course of discharging other audit responsibilities were carried out in compliance with authorities, or stating that no instances of non-compliance with authorities have come to their attention during the audit.

The following 'short form' report example is for illustrative purposes only for use in the small number of special situations where limited assurance is provided. Some SAIs may use a 'long form' report where findings are described in more detail in the body of the report, before the conclusion or opinion section. The form and content of the opinion section may also vary depending on the particular mandate of the SAI.

Report by the SAI of XXX

[Appropriate Addressee, eg Legislature, Parliament, etc]

Report on the Financial Statements

We have audited the accompanying financial statements of government agency ABC, which comprise the statement of financial position as at December 31, 20X1, and the statement of financial performance, statement of changes in net assets/equity and cash flow statement for the year then ended, and a summary of significant accounting policies and other explanatory notes.

Management’s Responsibility for the Financial Statements

According to [State name of legislation/regulations setting out management's responsibilities], management is responsible for the preparation and presentation of these financial statements¹³ in accordance with [State the applicable accounting standards: International Public Sector Accounting Standards, generally accepted government accounting principles for country XYZ, etc]. This responsibility includes the design, implementation and maintenance of internal control relevant to the preparation and presentation of financial statements that are free from material misstatement, whether due to fraud or error.

13 Wording is based on ISA 700 and compliance frameworks common in the public sector. For wording in relation to fair presentation frameworks, see ISA 700.

Auditor’s Responsibility

Our responsibility is to express an opinion on these financial statements based on our audit. We conducted our audit in accordance with [State the applicable auditing standards: for example the INTOSAI Fundamental Auditing Principles and Guidelines, International Standards on Auditing¹⁴, generally accepted government auditing standards for country XYZ, etc]. Those standards require that we comply¹⁵ with ethical requirements and plan and perform the audit to obtain reasonable assurance about whether the financial statements are free from material misstatement.

An audit involves performing procedures to obtain audit evidence about the amounts and disclosures in the financial statements. The procedures selected depend on the auditor's judgment, including the assessment of the risks of material misstatement of the financial statements, whether due to fraud or error. In making those risk assessments, internal control relevant to the entity's preparation and presentation of financial statements is considered in order to design audit procedures that are appropriate in the circumstances, but not for the purposes of expressing an opinion on the effectiveness of internal control.¹⁶ An audit also includes evaluating the appropriateness of accounting policies used, the reasonableness of accounting estimates made by management, as well as evaluating the presentation of the financial statements.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our opinion.

14 Auditors may not state compliance with ISAs unless auditors have complied with ISA 200 and all ISAs relevant to the audit. If stating compliance with ISAs, auditors are directed to ISA 700 for more specific wording.

15 Wording to be adapted as necessary based on the standards / guidance applied

16 Wording to be revised appropriately if an opinion on internal control is to be expressed


Opinion

In our opinion, the financial statements of government agency ABC for the year ended December 31, 20X1 are prepared, in all material respects, in accordance with [State the applicable accounting standards: International Public Sector Accounting Standards, generally accepted government accounting principles for country XYZ, etc].

Review of Compliance

In addition to our audit of the financial statements, a compliance review was planned and performed to express a conclusion with limited assurance as to whether, in all material respects, the activities, financial transactions and information reflected in the financial statements are in compliance with the authorities that govern them. The nature, timing and extent of the compliance work were limited compared to that designed to express an opinion with reasonable assurance on the financial statements.

Auditor's Responsibility

Our responsibility is to express a conclusion based on our review. Our work was conducted in accordance with the [INTOSAI Fundamental Auditing Principles and Guidelines for Compliance Audit]. Those principles require that we comply with ethical requirements and plan and perform the review so as to obtain limited assurance as to whether the activities, financial transactions and information reflected in the financial statements are in compliance, in all material respects, with the authorities that govern them.

A review is limited primarily to analytical procedures and to inquiries, and therefore provides less assurance than an audit. We have not performed an audit, and, accordingly, express our conclusion in the form of limited assurance, which is consistent with the more limited work we have performed under this compliance review.

We believe that the audit evidence we have obtained is sufficient and appropriate to provide a basis for our conclusions.

Conclusion on Compliance

Based on our work described in this report, the activities, financial transactions and information reflected in the financial statements that have come to our notice during the audit, are in all material respects, in compliance with the authorities which govern them.

[Alternatively: Furthermore, based on our work described in this report, nothing has come to our attention that causes us to believe that the activities, financial transactions and information reflected in the financial statements are not in compliance with the authorities which govern them.]

[Include responses from the audited entity as appropriate, for example after the Opinion paragraph, in summary under a heading 'Responses from the Audited Entity,' or as a separate appendix]

[Include constructive recommendations as appropriate, for example after the Opinion paragraph, in summary under a heading 'Recommendations' or as a separate appendix]

[Auditor’s signature]

[Date of the auditor’s report]

[Auditor’s address]


The International Standards of Supreme Audit Institutions, ISSAI, are issued by the International Organization of Supreme Audit Institutions, INTOSAI. For more information visit www.issai.org


ISSAI 5010

Guidance for Supreme Audit Institutions


Foreword of ISSAI 5010

Government audit today enjoys worldwide recognition and in this context national supreme audit institutions (SAIs) play a significant role in auditing government accounts and operations and in promoting sound financial management and accountability. As international institutions are basically funded by public contributions from different member states, SAIs have the same fundamental interest in these institutions’ living up to principles of good governance, accountability and transparency. Among auditors general there has for a long time been concern about the accountability for funds granted by their national governments to international institutions.

The International Organization of Supreme Audit Institutions (INTOSAI) is the professional organisation of SAIs. At INTOSAI’s XVII Congress in Seoul 2001, the Auditor General of Norway was appointed Chair of a working group charged with the task of establishing principles for recommended audit arrangements for international institutions.

The working group has been composed of representatives from the SAIs of Austria, Denmark, India, Japan, Korea, Nepal, Norway, Saudi Arabia, South Africa, Tuvalu, United Kingdom, and Venezuela, which means that all regions have been represented, ensuring that views from different regional and national audit systems have been continuously introduced and considered.

The principles for best audit arrangements are primarily intended for international institutions and their management and governing bodies, the latter being responsible for establishing rules and regulations for the institutions. In addition the principles are meant for national authorities/ministries and their representatives in the institutions, and for supreme audit institutions.

The working group has also developed this guidance for supreme audit institutions on best practice in the audit of international institutions. The guidance is available on the INTOSAI website (www.intosai.org).

One expressed objective of INTOSAI is to share experience. The guidance included in this paper is based on many years' experience in SAIs that have been active in the audit of a number of different international institutions. It is my belief that an SAI will benefit from taking part in audits of international institutions, and I hope that the guidance given here on various aspects will be of use to SAIs entering this arena. Audit of international institutions, like other audit areas, is developing, and it is my hope that this paper can be made a living document that may be regularly updated to reflect best practice.

I would like to thank all the member SAIs of the working group, and all other SAIs that have contributed to our work, for their dedication and cooperation. A special recognition to the SAIs of Austria, Canada, Saudi Arabia, and Venezuela, which generously took on the responsibility to perform all translation tasks.

Oslo, October 2004

Bjarne Mørk-Eidem
Auditor General of Norway
Chairman of the INTOSAI Working Group on the audit of international institutions


Table of Contents of ISSAI 5010

1 INTRODUCTION
1.1 BACKGROUND
1.2 OUTPUTS
1.2.1 Principles for best audit arrangements for international institutions
1.2.2 Definition and list of international institutions
1.2.3 Guidance for SAIs

2 PROMOTING PRINCIPLES FOR BEST AUDIT ARRANGEMENTS
2.1 INTRODUCTION
2.2 BENEFITS FROM USING SAIS AS EXTERNAL AUDITORS
2.3 THE ROLE OF THE INDIVIDUAL SAI
2.3.1 In the national context
2.3.2 As auditor of an international institution
2.4 THE ROLE OF GROUPS OF SAIS

3 PREPARING SAIS TO BE THE EXTERNAL AUDITOR
3.1 INTRODUCTION
3.2 THE LEGAL/CONSTITUTIONAL COMPETENCE OF THE SAI
3.3 PREPARING THE SAI
3.3.1 Policy issues
3.3.2 Policy decisions
3.3.3 Legal Framework
3.3.4 Professional standards and skills
3.3.5 Adequate resources
3.4 SAIS’ AWARENESS OF AUDIT OPPORTUNITIES
3.5 CONSIDERING A SPECIFIC ASSIGNMENT

4 PRACTICAL ADVICE AND GUIDANCE ON THE AUDIT
4.1 INTRODUCTION
4.2 PLANNING
4.3 ASSESSMENT OF INTERNAL CONTROL
4.4 AUDIT EVIDENCE
4.5 ANALYSIS OF FINANCIAL STATEMENTS
4.6 AUDIT REPORTING
4.7 QUALITY ASSURANCE
4.8 ASSESSMENT OF AUDIT ARRANGEMENTS

ANNEX: INCOSAI DECISIONS
THE IX INCOSAI – PERU (1977) "LIMA DECLARATION” OF GUIDELINES ON AUDITING PRECEPTS
THE SEOUL ACCORDS 2001


1. Introduction

1.1 Background

Currently, there are a large number of international institutions around the world. Some are small with relatively few members, while others are huge with global membership.

International institutions are basically financed through contributions, guarantees or other public funds from the member states. As such, the funds are part of national budgets. Supreme audit institutions (SAIs) have a fundamental interest in good governance, accountability and transparency in international institutions, and strongly believe that good, well-organised and independent audit systems will contribute to better and more transparent control of international institutions, thus contributing to their efficiency, effectiveness and economy.

Issues concerning the audit of international institutions have been on the agenda of the International Organization of Supreme Audit Institutions (INTOSAI) for a long time, and INTOSAI has agreed on recommendations at the:

· II INCOSAI in Belgium (1956)

· III INCOSAI in Brazil (1959)

· IX INCOSAI – Peru (1977) “The Lima declaration” of Guidelines on Auditing Precepts

· X INCOSAI in Kenya (1980)

The members of INTOSAI are of the opinion that accountability in a number of international institutions is not entirely in line with present standards for good governance, and that audit arrangements could be substantially improved. Audit arrangements were in many instances established years ago, in an era where the focus was more on the success of establishing international cooperation than on ensuring insight into prudent, effective and transparent spending of public money. As a result, audit mandates and arrangements are often outdated, and the accounts and audit reflect the needs of the budgetary process more than the need to ensure that money is spent wisely and with transparency.

INTOSAI believes that an effective external audit is one decisive factor in better governance, and that INTOSAI members are uniquely placed to contribute to achieving this. INTOSAI collectively, and its members individually, have therefore undertaken to promote audit arrangements that encourage the auditing of international institutions by the community of SAIs, recognising their expertise and independence in the regularity and performance auditing of public money.

The topic was one of the main themes at the XVII INCOSAI in Seoul, Korea in 2001.

1.2 Outputs

1.2.1 Principles for best audit arrangements for international institutions

The INTOSAI working group on the audit of international institutions has proposed the following principles as essential to the effective audit of international institutions:

To be effective, the audit arrangements for international institutions should ensure that:

1. All international institutions financed or supported by public money should be subject to audit by SAIs, to promote better governance, transparency and accountability,

and that the external auditor:

2. Is fully independent in the conduct of the audit,

3. Has sufficient authority to carry out the audit in a manner that meets best practice in the audit of public money,

4. Has adequate resources to carry out the audit,

5. Has the right and obligation to report on the results of the audit to the member states concerned through the governing body,

6. Meets relevant professional and ethical standards,

7. Is appointed in an open, fair and transparent manner.

The principles are being presented to the XVIII INCOSAI in Budapest, Hungary, in 2004, for approval.

1.2.2 Definition and list of international institutions

The working group formulated the following definition of international institutions to guide its work.

Definition:

An international institution is an organisation whether or not established by a treaty, in which two or more states (or government agencies or publicly funded bodies) are members and in which a joint financial interest is overseen by a governing body. The purpose of such an international institution could be to achieve international co-operation in dealing with issues of an economical, technical, social, cultural or humanitarian character. This could be co-operation in the field of governance, security, finance, scientific research, environment or the realization of joint technical, economical, financial or social projects.

A list of the international institutions that meet this definition has been produced by the working group. This list will be presented at the XVIII INCOSAI in Budapest and made available to SAIs through the INTOSAI website (www.intosai.org).

1.2.3 Guidance for SAIs

This document is intended to provide guidance for SAIs in promoting the establishment of better audit arrangements for international institutions and preparing SAIs for undertaking such audits. The guidance does not duplicate standards and guidelines issued elsewhere, nor does it presume to provide a comprehensive summary of all the issues that an individual SAI will need to consider before deciding whether or not to undertake such audits. It does provide a framework for the future work to improve audit arrangements and gives some useful guidance on practical matters for SAIs who are less experienced in auditing international institutions.

The document is divided into 3 chapters:

Chapter 2 provides guidance on how SAIs might promote the recommended principles for best audit arrangements in international institutions.

Chapter 3 identifies relevant issues concerning the preparation in an SAI wishing to undertake the audit of international institutions.

Chapter 4 refers to the relevant auditing standards, and identifies certain aspects of the audit of international institutions that may differ from audits in a national context.

The relevant recommendations issued by INTOSAI on this topic are listed in an annex to this document.


2. Promoting principles for best audit arrangements

2.1 Introduction

INTOSAI expressed in the Lima declaration of 1977 that:

1. “International and supranational organisations, whose expenditures are covered by member country contributions, shall require an external, independent audit similar to that of individual countries.

2. Although this audit shall be adapted to the structure and tasks of the respective organisation, it shall be conceived along lines similar to those of the supreme audits of member countries.

3. To ensure the independence of such an audit, the members of the external audit institution shall be appointed mainly from within the Supreme Audit Institutions.”

An international institution is, as an autonomous body, responsible for establishing its own rules and regulations, including the audit arrangements. The rules and regulations should be based on internationally accepted principles. International institutions vary in their set-up. Typically, however, they are constituted under international law as a legal entity and may enter into various commitments following their own established rules. A governing body consisting of representatives from all (or some of) the member states decides such rules, among which are financial rules and regulations covering financial management, budgets and accounting as well as auditing. Management carries out the day-to-day management of the international institutions within the framework laid down by the governing body.

The issue of rules and regulations covering audit is outside the direct influence but within the sphere of interest of INTOSAI and the SAIs. Both parties should be consulted on significant issues concerning audit matters.

For INTOSAI and the member SAIs the way forward must be to influence:

• the national representative to the institutions; and

• the institutions themselves.

2.2 Benefits from using SAIs as external auditors

In promoting the adoption of the principles for best audit arrangements of international institutions, SAIs will want to emphasise the major benefits of an audit undertaken by members of the INTOSAI community. The points to draw attention to include:

• the independence of SAIs from Governments within their own countries;


• that SAIs are in many instances institutions with a long history and high standing in matters of propriety;

• the considerable hands-on experience of the SAI community in undertaking international audits to the highest professional standards – i.e. that the majority of international institutions are audited by SAIs;

• that SAIs are non-profit making institutions and will therefore frequently be able to provide audit services cost-effectively;

• the strong links between SAIs established within INTOSAI;

• the mechanisms in place within INTOSAI for establishing and addressing relevant standards for public sector audit and in sharing best practice in every aspect of public sector audit work;

• the experience of SAIs in conducting performance audits in addition to audits of financial statements; and

• the willingness and ability of the SAIs to work in partnership with developing countries.

The external auditor is the only really independent source of information to the governing body and the member states on whether the international institution performs economically, efficiently and effectively to achieve the purpose for which it was established. The members of the governing body of an international institution represent the member states, “the owners”. As the funds allocated to the institutions come from public funds, national authorities are accountable for the use of these funds. INTOSAI believes the best way of achieving a well functioning, transparent system is by employing SAIs for the audit.

2.3 The role of the individual SAI

It is the responsibility of governments to ensure that funds entrusted to international institutions are spent well and accounted for in a proper manner. As the auditor of the government, any SAI needs to assure itself that adequate accountability exists for contributions to international institutions. If not satisfied, the SAI may report to management and/or Parliament.

2.3.1 In the national context

Where a national SAI is auditing contributions to international institutions made by its government, the SAI should obtain audit assurance in respect of the payment made and ensure that the relevant national agency can gain assurance as to the utilisation of the contributions by the international institution for their intended purpose.


In the case of most international institutions the financial or other rules require the member states to appoint an external auditor with a clearly defined mandate. Members of the institution are expected to draw assurance from the duly appointed external auditor’s work and, if necessary, raise any criticism of that work in the appropriate governing body meeting. National SAIs will not normally have direct access to the records of the institution or to the working papers of the external auditor.

In order to form a view on the adequacy of the arrangements in place at an international institution the SAI could, as part of the annual audit or a special audit, collect information on contributions paid to international institutions. The next step could be to study the accountability systems, including the external audit arrangements of the institution, the reporting requirements established between the international institution and its members, financial statements, annual reports and audit reports issued, and the use of this information by the relevant national ministry or agency.

An assessment of this information against the INTOSAI “Principles for best audit arrangements for international institutions” will enable the SAI to identify international institutions with weak and/or unsatisfactory accountability. These contributions may be considered high-risk areas in the audit and, if applicable, reported on by the SAI.

Example of an audit programme

In the audit of the financial transactions and the financial statement:

· identify memberships of international institutions through the payment of membership fee or contribution;

· assess the materiality of the amount or the importance of the institution;

· collect information on the auditing arrangements of the institution and compare this with INTOSAI best practice;

· collect the last audit report(s) and other papers or reports from the external auditor;

· collect minutes from the governing body and/or financial committee meeting where the audit reports were considered;

· collect evidence of how the report has been handled by the (your) national representative; and

· assess whether the management of the contribution is in line with the national regulations and whether you have sufficient evidence for your audit conclusions.

If your conclusions are negative, try to raise the issue through the normal national channels.

The aim of INTOSAI and its members is to increase accountability in international institutions through improved audits. To achieve this, the “Principles for best audit arrangements for international institutions” must be made known to the national ministries or agencies of the national representatives.

Normally, SAIs will be in a position to give advice to the relevant national institutions on “good practice” within the area of accountability. This could be done as a separate action, or possibly with better effect, in combination with an audit as described above.

2.3.2 As auditor of an international institution

The individual SAI, as external auditor of an international institution, has an important role in assessing the existing audit arrangements, and it will fall within the mandate to point to possible weaknesses in the accountability arrangements, including the audit arrangements, and if appropriate report to the governing body on deficiencies. See also 4.8 in this paper.

If the audit responsibility is with one single SAI at a time, it may be difficult for the auditor alone to influence the governing body and the management to make changes in the audit arrangements. If the auditor fails to gain support for change in the audit set-up, there are several options to seek support, such as the United Nations (UN) Panel of External Auditors, former auditors of the international institution and INTOSAI. In such cases due consideration should be given to confidentiality of information.

2.4 The role of groups of SAIs

Changing existing audit arrangements in an international institution without being the auditor and without support will be difficult. As included in the example of an audit programme and the paragraph above, contacting other SAIs sharing your concerns could be a way forward. If more SAIs can join in a co-ordinated action in influencing national authorities and the international institutions, improving the auditing arrangements should be possible.

Forums of auditors engaged in international audit for continuous exchange of information are important. Examples of such existing forums are the UN Panel of External Auditors and the group of external auditors to international institutions with their headquarters in Europe (EXAWINT). The UN Panel has been formally established by the UN to provide advice on matters affecting the audit of UN institutions e.g. on the applicability and development of UN Accounting Standards. EXAWINT is an informal group meeting to exchange experiences without any formal responsibilities in relation to the international institutions audited by its members. These forums, however, are restricted to auditors who are actually involved in such audits. INTOSAI sees a need for forums also open to representatives from SAIs outside these groups, but with an interest in such audits. Interested SAIs should consult each other with the intention of establishing such forums, for example in the form of international seminars or conferences.

Some SAIs have extensive experience from being external auditors to various international institutions. Sharing their experience could contribute greatly to the benefit of the entire SAI community. This would also be needed to meet the goal of having more international institutions audited by SAIs to common high standards. Sharing of experience may take the form of partnerships between SAIs and active participation in any forum for exchange of information as mentioned above.

3. Preparing SAIs to be the external auditor

3.1 Introduction

From the list of international institutions compiled by the working group it would appear that a relatively small number of SAIs undertake the audits of those international institutions who currently have SAIs as their auditors, and have a lot of experience of doing so. Those SAIs with experience of undertaking this work are likely to continue to do so. However, there would be obvious benefits to the SAI community if the number of SAIs taking on audit assignments in international institutions could be increased.

There may be significant benefits for an SAI undertaking the audit of an international institution. These include:

• professional development for the SAI and its employees through exposure to the international environment;

• professional development through working jointly with other SAIs (board of auditors, partnerships with other SAIs etc);

• challenges for staff members from the SAI; and

• getting more insight into institutions receiving contributions from the national budget.

There are also likely to be a number of challenges:

• the need to ensure that the international audit work does not affect national priorities;

• the need for additional training and development of the staff undertaking this work; and

• the need to modify work planning arrangements to accommodate the needs and timetables for an international audit, for example the presentation of audit reports and findings.


3.2 The legal/constitutional competence of the SAI

An SAI that is considering taking on the role of an external auditor of an international institution must ensure that such a role is within its mandate. Some SAIs may not have the mandate to take on audits of international institutions. Some SAIs may be constrained by their legislation from receiving payment for this kind of work.

The working group has noted that some SAIs are of the opinion that they are able to audit international institutions provided it is not specifically excluded by their legislation. It may also be argued that, based on INTOSAI’s “Lima declaration”, the audit of international institutions should fall under the mandate of an SAI.

3.3 Preparing the SAI

To increase the number of audits of international institutions performed by SAIs on a permanent basis, the SAI community must be able to deliver a high quality audit. Given this, there should also be equal opportunities for all SAIs of the member states of an international institution to act as external auditor. SAIs interested in undertaking this work may have to review their skills and capacity to do this work and consider any legal and wider staffing issues arising from participating in such audits.

3.3.1 Policy issues

There are a number of areas where care should be taken to ensure that the SAI will be able to deliver the audit services required. SAIs with experience in auditing international institutions will probably have been through most if not all of these issues, but may find the following guidance useful to refine their policies and strategies.

It is important that:

• the SAI’s work as auditor for international institutions is based on a firm policy decision and commitment by the leadership of the SAI;

• a legal framework for such assignments is established, clarifying the responsibility of the SAI and of the staff engaged in the audit;

• the SAI formally adopts and implements relevant standards and ensures that it possesses the professional skills to undertake the audit of international institutions; and

• the SAI ensures that it has adequate resources, both financial and personnel, to undertake the audit to the appropriate professional standards.

These points are commented on below.


3.3.2 Policy decisions

The SAI needs a firm commitment to undertake international audits. This also needs to include other stakeholders such as budget authorities. The SAI will need allocations for such assignments in the strategic and annual plans and budgets. Some SAIs may not, due to financial restraints, be able to take on such audits, if not fully recompensed. As part of the planning, a desired volume of involvement and the spectrum of auditing should be determined, and the resources for training and preparing staff made available.

It is recommended that the SAI should take full responsibility for the audit even if it has proposed individuals as auditors. The Principles for best audit arrangements for international institutions do not encourage audit arrangements where individuals rather than the SAI are appointed as auditors. However, the working group is aware that such audit arrangements currently exist. In such circumstances the SAI should give clear instructions to the appointed staff, and establish a quality assurance system to ensure adherence to the instructions given.

3.3.3 Legal framework

The legal implications arising from the appointment of an SAI as the external auditor of an international institution might be different from those related to national work. SAIs considering taking on international audit assignments will want to consider carefully the legal implications and consequences that could arise from such assignments.

Liabilities for breach of duty

The working group is not aware of any cases where an SAI or its staff members acting as external auditors of an international institution have been taken to court. There has, however, been an increase in litigation against private sector auditing firms. SAIs should be aware of, but not put off by, this issue when considering whether to undertake such audits.

In some countries national legislation concerning the SAI may provide the SAI and its staff with immunity from legal processes of any kind arising from their official duties. Depending on the legislation this could also cover the audit work for an international institution.

The SAI’s responsibility as an employer for auditors involved in audits

Normally the SAI’s employees involved in audits abroad are still regarded as being fully employed by the SAI while staying abroad, and the employee receives full benefits from the SAI on such assignments. However, under certain circumstances, especially for long-term engagements, the SAI’s responsibility could be unclear.

In most cases the SAI will be responsible and liable as the employer of its appointed staff on international auditing assignments. Staff undertaking international audit work may be working full or part time in other countries. The SAI will therefore have to consider what additional terms and conditions of employment will apply during the assignment. The SAI will also have to consider other aspects such as the security of staff and arrangements for coping with emergencies. It would usually be appropriate to reflect these additional issues in an agreement or contract between the SAI and the concerned staff, as well as the duties and responsibilities of each party.

Example of matters that could be included in an agreement or contract with a staff member undertaking an international audit:

• a job description/reference to the assignment;

• the duty of the performing auditor to carry out the work according to set standards and with due care etc;

• responsibility issues;

• reporting requirements to the SAI (including quality assurance requirements); and

• benefits due to the personnel (salary, per diem, insurance, cost refund, etc.).

3.3.4 Professional standards and skills

SAIs should formally adopt and implement relevant standards related to international work. International institutions may require audits to be conducted in accordance with the INTOSAI and/or the IFAC Auditing Standards. References to the standards and additional comments on the application of these in an international context are considered in chapter 4 of this paper.

SAIs new to the audit of international institutions could consider starting with the audit of smaller institutions. These SAIs could also work together with more experienced SAIs. The latter should consider whether they would be prepared to take on this role.

Generally speaking, the qualifications and skills needed by the staff involved in the audit of an international institution are the same as for any other audit of comparable size and complexity. Additional factors to consider in selecting staff for such appointments could be:

• language skills required;

• the ability to work alone, abroad and in different cultural environments; and

• knowledge and experience of working to international auditing standards where required.


It must also be considered how to prepare the necessary number of qualified staff. Some SAIs organise workshops for their staff on international audit assignments. For SAIs with little or no experience in auditing international institutions it is recommended to seek assistance from more experienced SAIs. In arranging workshops, consideration can also be given to involving the international institution. On joint audit assignments delegates from the partner SAIs could also be invited.

Typical points for preparatory workshops:

Functional to the audit

• strategic planning (organisational structure of the international institution [governing bodies; secretariat]; main findings from previous audits; changes to or implementation of new systems; accounting processes; indicators of fraud and error; other risk indicators identified, closing of accounts; focus areas and related audit objectives; review of financial statements; need for specialists, reliance on internal audit);

• detail planning and execution (audit working paper requirements; preparation of electronic audit files); and

• reporting (reporting structure at the international institution; deadlines; report writing and e-mail etiquette; report files).

Operational to the audit

• review of previous audit and suggested improvements;

• results of international institution and stakeholder satisfaction surveys and suggested improvements;

• results of quality review and suggested improvements;

• performance appraisals;

• challenges typical to the international environment; and

• team building exercises and focus on strengths.

3.3.5 Adequate resources

Before taking on audits of international institutions the SAI must ensure that it has adequate resources, both financial and human resources, to undertake the audit to appropriate professional standards.

Whether the audits are small or large, the SAI must ensure that sufficient qualified personnel will be available at relevant periods, even if these might often coincide with peak periods for national audit. Often SAI staff will also need to attend meetings before or after the audit, for example to present the findings to the governing body.

An SAI with limited experience of international audits or with limited resources to undertake such work could still take part by entering into a partnership with one or more SAIs, preferably with more experience, so that the joined resources are adequate. An SAI’s interest in such partnerships could be made known through its international contacts with other SAIs either in relation to a specific audit or more generally.

INTOSAI is of the opinion that the principle of full cost coverage should be respected by SAIs competing for assignments. The situation today, however, is that not all international institutions cover the total cost. Salaries are the element most often not covered. Considerable effort will have to be made by the combined SAI community to correct this situation. Certain preparatory costs are unlikely to be covered by the international institution. Training in general will normally have to be covered by the SAI as part of general development and competence building within the SAI. However, training relating to a specific assignment should usually be budgeted for within the audit fee. Where costs are not fully covered, SAIs should keep records of actual cost, in order to disclose these in their audit reports in line with the Principles for best audit arrangements of international institutions.

3.4 SAIs’ awareness of audit opportunities

At the XVII INCOSAI in Seoul some SAIs were concerned that they were not being made aware of the opportunities to be appointed and undertake audits of international institutions. There have been cases where national internal audit bodies have been appointed as external auditors after being proposed by national representatives without having consulted the SAI. In other cases SAIs have been recommended for appointment by their government without being informed.

The following practical steps could be taken by an individual SAI to avoid such situations arising in future:

• establish a complete list of all the international institutions of which the nation is a member;

• contact the national administration officials on the institution’s governing body to identify the timing of future appointments as external auditor and the nature of the process to select the external auditor;

• make the national representative aware of the SAI’s desire to be considered for future appointments; and

• actively follow up the opportunities as they arise.

As a further means of keeping SAIs informed of opportunities to undertake international audits, the list of international institutions created by the working group could be enhanced and regularly updated to provide details of forthcoming appointments. These could be publicised through the INTOSAI website.


3.5 Considering a specific assignment

The decision whether to accept or bid for an assignment as external auditor to an international institution is something for each SAI to consider carefully.

There are no standard arrangements for the selection of a new external auditor of an international institution. Often it will be left to the institution’s executive staff to design and implement a selection process on behalf of the governing body. In some institutions there may be a process of inviting SAIs to undertake the audit in a specific order on rotation. In other institutions there may be a formal request for proposals (bids) from all the SAIs of member states to undertake the audit.

Increasingly, when bids are sought for the audit, the institution may want to conduct the selection in ways that mirror its normal procurement process. This may result in SAIs being asked to provide detailed technical supporting documentation as well as, separately, cost proposals.

Before deciding to accept a nomination or to bid for an audit assignment, the SAI should:

• consider whether it has the capacity and technical skills to undertake the audit, taking into account the likely timing of the audit, the number and qualifications of staff required and the language skills needed. Information concerning the institution useful for this consideration, like annual reports, budgets, previous audit reports, etc. should be available through the national representative to the institution;

• identify the likely cost of the audit and ascertain whether these costs will be fully met by the institution. It will usually only be possible to prepare a detailed cost estimate by developing an outline plan of how the audit would be conducted if the SAI was nominated or selected. Such plans would need to consider as a minimum the range of audit work required (i.e. whether the audit will encompass both regularity and performance audit work), the locations the auditor will need to visit (i.e. headquarters and regional offices) and any additional visits needed to present audit plans and reports; and

• consider whether it would be appropriate to undertake the audit in partnership with other SAIs. A positive attitude towards bringing other, less experienced SAIs along on audits is advocated, and the SAI should, through its international contacts, let other SAIs know of its willingness to do so. Such arrangements should be explicitly mentioned in the bid documentation when a new assignment is taken on.


Where an SAI is required to present a formal bid for the audit, the information required may be specified in detail by the institution issuing the request for proposals. If so, the SAI will need to ensure that it provides all the information sought and complies with any specific conditions. For example, there may be a stipulation that the costing proposals are separated from the technical proposals.

Clearly, it is for each SAI to decide how best to present its proposals to undertake the audit. However, the box below provides examples of the sort of documentation typically included in bid documents, which may be of interest for SAIs who have not previously prepared such bids.

Examples of documentation:

• an executive summary of the key reasons for selecting the SAI for the audit;

• details of national legislation ensuring independence of the SAI;

• the curriculum vitae of the audit staff who are proposed for the audit;

• the additional professional skills available for the audit;

• details of the national and international activities of the SAI, with an indication of the range of audits completed and the audit specialities that could be of benefit to the institution in question or adapted to its needs;

• a copy of the last annual report of the SAI;

• a description of the audit approach, the number and level of staff to be involved in the audit;

• the audit team’s composition as to the variety of skills to carry out the financial and/or performance audit;

• indication of the nature, extent and timing of requests for information, including access to audit working papers of the outgoing auditor. This should be in accordance with recognized international auditing standards. Furthermore an assurance of the auditor’s co-operation, on completion of an appointment, in responding to similar requests for information by an incoming auditor;

• proficiency in the official languages of the organisation. In case of several official languages of the institution, an indication of the level of proficiency in at least one of them will normally be required;

• estimates of the total number of auditor’s workdays/weeks/months, which would be devoted annually for the regularity and/or performance audit;

• proposed audit fee with an indication of whether it includes both salaries, subsistence allowances and travel costs; and

• the willingness of the candidate as a potential auditor to provide any further information or clarification that may be required during the selection process.

Normally the conditions for the audit assignment will be a consequence of the financial rules and regulations of the international institution and the bid from an SAI to take on the audit. It is recommended that SAIs issue an engagement letter on the lines specified in the International Auditing Standards.


4. Practical advice and guidance on the audit

4.1 Introduction

All audits of international institutions should be carried out in accordance with generally accepted auditing standards. The most relevant standards for financial audit are the INTOSAI Auditing Standards and the IFAC International Standards on Auditing (ISA).

The INTOSAI Code of Ethics and Auditing Standards can be found on the website of INTOSAI, http://www.intosai.org. The website of the International Federation of Accountants (IFAC) is http://www.ifac.org. The International Standards on Auditing are being updated on an ongoing basis and it is therefore important for the SAI and the auditor to keep track of relevant changes.

Auditing Standards for performance audits are being presented for approval by INTOSAI at the XVIII INCOSAI in Budapest in 2004.

As auditing standards are well known to SAIs, this document only refers to the relevant paragraphs in the standards, and in addition highlights those aspects that may differ most from the traditional work of an SAI and its staff.

It may be relevant to reiterate the importance of independence of the auditor, in this context the independence from the SAI’s national background. In general, financial rules and regulations of international institutions are compromises between best practices in several nations. The auditor should keep in mind that what is national best practice is not necessarily in line with the rules and regulations for the specific international institution.

This section assumes that the audit assignment has been accepted by the SAI and personnel have been appointed for the task so that the work may begin.

If the task as auditor is shared with other SAIs/auditors who are already in place, the starting up work may be easier, as they will have most of the background information. This may be the case in the board of auditors situation.

4.2 Planning

• INTOSAI Auditing Standards, paragraph 3.1, Planning

• IFAC International Standards on Auditing, the ISAs 300-320

The planning phase may be the most challenging for an SAI taking on the audit of an international institution. Most audit assignments in their own country will have a known history and will be carried out in a familiar environment. This will not normally be the case when taking on a new audit of an international institution and it may be necessary to allow for extra time and resources in the first year.

Aspects of the planning phase that require careful consideration include:

Knowledge of the institution

Certain background information concerning the international institution should have been collected during the appointment process. Other information may not be readily available until the formal hand-over of the audit has taken place.

Key planning information to be collected should include:

• founding documents;

• financial rules and regulations;

• budgets and financial statements for previous years;

• governing body reports and minutes; and

• audit reports.

Normally such basic documents will be found on the website of the international institution, but if not they should be obtained direct from the institution.

Audit history

Previous audit reports may indicate issues that warrant follow-up in the current year, and may also provide additional insight into the international institution from an auditor’s perspective.

Not all matters arising during the audit will necessarily be reflected in the formal audit report. Possible sources of information on such matters as well as other sources of useful planning information are:

• handover discussions with the previous auditor;

• management letters;

• internal audit reports; and

• meetings with key staff involved in the audit work, e.g. the finance director and/or general manager(s).

Hand-over arrangements

The new auditor should arrange a formal handover with the previous auditor. This may be less important where the audit is conducted by a Board of Auditors and where remaining members of the Board have background knowledge of the institution. The previous auditor will have gathered general knowledge of the institution, its customs and practices, which will not necessarily be documented. A meeting with the previous auditor will therefore usually be appropriate.

The UN Panel of External Auditors has established additional guidance for hand-over arrangements (see box below). The working group considers that these guidelines should apply equally to other international audits. Where private sector accountants have previously undertaken the audit of an international institution the handover should be undertaken in accordance with the relevant auditing standards.

UN Panel of External Auditors – guidance for hand-over arrangements:

“In the event of an audit assignment being transferred from one External Auditor to another, ensuring a smooth hand over is the joint responsibility of the predecessor and successor auditors. Once officially appointed, the successor auditor initiates contact with the predecessor auditor to organize hand-over arrangements. The Organization is kept informed of these arrangements.

The predecessor auditor shares information with the successor auditor, at least on the following:

· audit approach and strategy;

· audit areas covered during past financial periods and programme of work for the current financial period;

· important decisions taken on audit matters;

· communications to audit committees, or other committees with equivalent authority, regarding fraud and illegal acts by the Organization, if any;

· disagreements with the Organization as to accounting principles, auditing procedures and other significant matters, if any; and

· unresolved audit matters and any other matters that could have an important impact on future audits, if any.

A formal hand-over is organized between the predecessor and the successor auditors at a time mutually agreed. As audit background information, the successor auditor is provided with the following documents, at least:

· management letters and, if applicable, audit observations issued and replies received thereto;

· lists recapitulating audit areas covered and field offices visited, if any; and

· relevant documentation on unresolved audit matters or matters that could have an important impact on future audits, if any.

The predecessor auditor is also encouraged to provide access to working papers for specific requests.

A formal record of the hand-over is prepared and kept on file by both the predecessor and successor auditors. It lists notably the documents handed over and the key information provided orally.”

Preparation of an audit plan and time schedule

In line with best practice, the auditor will need to prepare an audit plan and time schedule. These should be discussed and agreed with management of the international institution, as appropriate.

Because there is limited information available before taking over the audit, SAIs should be flexible in allocating resources for the first audit to cater for unforeseen activities. This is because the detailed planning work and findings during the first audit may disclose the need for additional work.


Assessment of risk and materiality

The auditor must assess risk and materiality in line with the standards based on the nature of the institution being audited.

The process of assessing risk will not normally be very different from national audit assignments. There may, however, be additional risks to consider, such as the non-payment of member state contributions, foreign currency exposure, pension and other staff liabilities.

In determining materiality, SAIs will need to consider whether there are any particular factors to take into account. As with government accounts, there may be few external or third-party users of the information contained in the financial statements. However, member states should be regarded as external users, and there may also be situations where an international institution raises loans. SAIs should therefore consider whether issues other than relative monetary values would be material to the governing bodies and the member states. For example, in some international institutions, member states in arrears with their contributions may be unable to vote at governing body meetings. In this situation a misstatement of a relatively small proportion of the institution’s income could be considered to be material. In determining materiality, SAIs will want to consider the purpose and objectives of the international institution and pay particular attention to the governing body’s consideration of the institution’s work plan and budget. Such a review may also suggest the need for special performance audits.

Communication with the audited institution

It is essential for the auditor to be, and be seen to be, independent from the institution and especially its management. However, to facilitate the audit and the acceptance of the audit findings and recommendations it is important to establish effective communication with both the administration and the governing body of the international institution.

The final communication, the audit report, will always be in writing. The auditor is solely responsible for the content of the audit report. Before issuing the report, the auditor should submit the report to the management for comments.

It will often be easier for the administration/management to accept and implement the audit findings and recommendations if the issues in the report have been discussed in advance. Some of these discussions may be of a more informal character.

Additional audits

The planning work may indicate areas for performance audits to be considered for the current or later years’ audits. Such audits may call for extra resources that may have to be agreed with the governing body as part of the budget preparations for the international institution.

4.3 Assessment of internal control

• INTOSAI Auditing Standards, paragraph 3.3, Study and Evaluation of Internal Control

• IFAC International Standards on Auditing, the ISAs 400-402

4.4 Audit evidence

• INTOSAI Auditing Standards, paragraph 3.5, Audit Evidence

• IFAC International Standards on Auditing, the ISAs 500-580

There are no particular issues arising on the application of these standards to international audits: the work will be comparable with that required for national audits. Also for performance audit, the fieldwork should be much the same.

4.5 Analysis of financial statements

• INTOSAI Auditing Standards, paragraph 3.6, Analysis of Financial Statements

• IFAC International Standards on Auditing, the ISAs 700-720

The format and contents of the financial statements will often be different from the national accounts, and will be dependent on:

· the nature and purpose of the organisation;

· whether the accounts are prepared on an accruals basis;

· the accounting standards used; and

· historical decisions such as specific requests for additional information from the governing body.

For some international institutions the financial statements and attached documentation are quite extensive, due to special interests and demands by the governing body over the years.

The external auditor should comment on deviations from generally accepted accounting standards and on changes that could make the financial statements more readable.

4.6 Audit reporting

• INTOSAI Auditing Standards, Chapter IV, Reporting Standards in Government Auditing

• IFAC International Standards on Auditing, the ISAs 700-720

The audit report for an international institution will usually be addressed to the governing body. The financial rules and regulations may require the auditor to produce a “long form” report on specific issues. These may include the results of performance audits undertaken, cases of fraud or suspected fraud, and losses.

SAIs should take care to ensure that material included in any long-form report does not inadvertently cast doubt on the audit opinion provided on the financial statements. They will also want to consider how best to explain their audit findings to a governing body which may be composed of representatives who have a background in the technical purpose of the institution and may be unfamiliar with general administrative and corporate governance issues.

The document “Principles for best audit arrangements for international institutions” recommends that the auditor reports on the total cost of the audit so that any costs not covered by the international institution are disclosed.

4.7 Quality assurance

• INTOSAI Auditing Standards, paragraph 3.2, Supervision and Review

• IFAC International Standards on Auditing, the ISA 220

SAIs should ensure that their audits of international institutions meet requisite quality assurance standards, i.e. that they are encompassed within their normal quality control procedures.

Where the audit is undertaken by a board of auditors, the board should establish, as appropriate, supplementary quality assurance arrangements to ensure that all the work is completed according to the standards laid down by the board as a whole.

4.8 Assessment of audit arrangements

Auditing arrangements for many international institutions will have been established at the time the institution was created, and may not have been reviewed or changed since then, even if the size and character of the international institution has changed dramatically.

Although the responsibility for establishing adequate audit arrangements rests with the international institution itself, it is important that the external auditor regularly assesses the auditing arrangements against the recommended “Principles for best audit arrangements for international institutions”. The auditor should bring any weaknesses to the attention of the governing bodies as appropriate.


Annex: INCOSAI decisions

The IX INCOSAI – Peru (1977) “Lima declaration” of Guidelines on Auditing Precepts

Section 25. Audit of international and supranational organisations

“1. International and supranational organisations, whose expenditures are covered by member country contributions, shall require an external, independent audit similar to that of individual countries.

2. Although this audit shall be adapted to the structure and tasks of the respective organisation, it shall be conceived along lines similar to those of the supreme audits of member countries.

3. To ensure the independence of such an audit, the members of the external audit institution shall be appointed mainly from within the Supreme Audit Institutions.”

The Seoul Accords 2001

As part of the outcome of the XVII INCOSAI it was decided:

“Recognising the importance that SAIs place on establishing and maintaining adequate auditing of resources administered by international institutions, XVII INCOSAI agreed to continue the work of establishing guidelines on recommended auditing arrangements for international institutions, and supplementary guidance on the application of auditing standards to the audit of such institutions.

Also, recognising the work done by the UN Panel of External Auditors and others on these topics, the continued work should be done in close co-operation with these and other interested parties.

Based on the ideas in the principal paper, the views expressed in country papers and the discussion paper, and the outcome of the discussions during the XVII INCOSAI, it was agreed to establish an ad hoc working group of a limited number of interested SAIs, with a time-restricted mandate up to the next congress, to elaborate and propose supplementary guidance on the audit by SAIs of international institutions. The definition of these international institutions should be more precise and accompanied by examples. It was also agreed that the working group would begin its work by defining its mandate and a related work plan. These will be communicated to the Secretary General and the INTOSAI Governing Board.

The supplementary guidance that the ad hoc working group will propose, would cover issues such as audit mandate, audit arrangements, system of appointment, resources and application of auditing standards. In conducting this, it was concluded that the working group should not cover the established UN audit system.

It was also agreed by delegates that this ad hoc group should reaffirm the benefits of an external audit by SAIs or auditors seconded by SAIs of member states, and consider how best to promote the involvement of SAIs of developing nations in these audits.
