INTOSAI Standards are issued by the International
Organisation of Supreme Audit Institutions, INTOSAI, as part of
the INTOSAI Framework of Professional Pronouncements.
For more information visit www.issai.org
ISSAI 400
Compliance Audit Principles
INTOSAI, 2019
1) Endorsed as Reporting Standards in Government Auditing in 2001
2) Content reformulated and endorsed as Fundamental Principles of Compliance Auditing in 2013
3) With the establishment of the Intosai Framework of Professional Pronouncements (IFPP), renamed Compliance Audit Principles with editorial changes in 2019
ISSAI 400 is available in all INTOSAI official languages: Arabic, English, French, German and Spanish
TABLE OF CONTENTS
1. INTRODUCTION
2. PURPOSE AND AUTHORITY OF THE COMPLIANCE AUDIT PRINCIPLES
3. FRAMEWORK FOR COMPLIANCE AUDITING
The objective of compliance auditing
Characteristics of compliance auditing
The different perspectives of compliance auditing
Compliance auditing in relation with the audit of financial statements
Compliance auditing conducted separately
Compliance auditing in combination with performance auditing
4. ELEMENTS OF COMPLIANCE AUDITING
Authorities and criteria
Subject matter
The three parties in compliance auditing
Assurance in compliance auditing
5. PRINCIPLES OF PERFORMANCE AUDITING
GENERAL PRINCIPLES
Professional judgement and scepticism
Quality control
Audit team management and skills
Audit risk
Materiality
Documentation
Communication
PRINCIPLES RELATED TO THE AUDIT PROCESS
Planning and designing a compliance audit
Audit evidence
Evaluating audit evidence and forming conclusions
Reporting
Follow-up
1. INTRODUCTION
1) Professional standards and guidelines are essential for the credibility, quality and professionalism of public-sector auditing. The International Standards of Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) aim to promote independent and effective auditing and support the members of INTOSAI in the development of their own professional approach in accordance with their mandates and with national laws and regulations.
2) ISSAI 100 - Fundamental Principles of Public-Sector Auditing provides the fundamental principles for public-sector auditing in general and defines the authority of the ISSAIs. ISSAI 400 - Compliance Audit Principles builds on and further develops the fundamental principles of ISSAI 100 to suit the specific context of compliance auditing. ISSAI 400 should be read and understood in conjunction with ISSAI 100, which also applies to compliance auditing.
3) ISSAI 400 therefore constitutes the basis for compliance auditing standards in accordance with the ISSAIs. This document provides detailed information on the following:
• The purpose and authority of the ISSAIs on compliance auditing
• The compliance auditing framework and the different ways in which audits are conducted
• The elements of compliance auditing
• The principles of compliance auditing
2. PURPOSE AND AUTHORITY OF THE COMPLIANCE AUDIT PRINCIPLES
4) The purpose of the ISSAIs on compliance auditing¹ is to provide a comprehensive set of principles, requirements and application material for the compliance auditing of subject matter, both qualitative and quantitative, that varies widely in scope and can be addressed through a range of audit approaches and reporting formats.
5) ISSAI 400 provides SAIs with a basis for the adoption or development of standards on compliance auditing. The principles in ISSAI 400 can be used in three ways:
• as a basis for the development of standards;
• as a basis for the adoption of consistent national standards;
• as a basis for adoption of the ISSAIs as the authoritative standards on compliance auditing.
6) SAIs should only make reference to the Compliance Audit Principles in audit reports – whether in the Auditor’s Report or other reporting formats – if the standards they have developed or adopted fully comply with all relevant principles of ISSAI 400. The principles in no way override national laws, regulations or mandates.
7) As the Compliance Audit Standards (ISSAIs 4000-4899) have been developed to reflect best practice, SAIs are encouraged to strive towards adopting them in full as their authoritative standards. INTOSAI recognizes that, in some environments, this might not be possible due to the absence of basic administrative structures or because laws or regulations do not establish the premises for carrying out audits in accordance with the Compliance Audit Standards. Where this is the case, SAIs have the option of developing standards based on, or adopting national standards consistent with, the Compliance Audit Principles.
¹ ISSAI 400 and ISSAIs 4000-4899
8) Where an SAI’s auditing standards are based on or consistent with the Compliance Audit Principles, these may be referred to by stating:
… We conducted our audit[s] in accordance with [standards], which are based on [or consistent with] ISSAI 100 Fundamental Principles of Public-Sector Auditing and ISSAI 400 Compliance Audit Principles of the International Standards of Supreme Audit Institutions.
9) SAIs in some jurisdictions may choose to adopt the Compliance Audit Standards as the authoritative standards for their work. In this case, reference may be made by stating:
… We conducted our [compliance] audit[s] in accordance with the International Standards of Supreme Audit Institutions [on compliance auditing].
The reference may be included in the audit report or communicated by the SAI in a more general form covering a defined range of engagements.
Depending on their mandate, SAIs may conduct combined audits incorporating financial, compliance and/or performance aspects. In such cases the standards relevant to each audit type should be complied with. The statement of standards applied in the audit (paragraph 8 or 9 above) may need to be adjusted in accordance with ISSAI 100, paragraph 9 or 10.
10) ISSAI 100 - Fundamental Principles of Public-Sector Auditing gives further information on the authority attached to the INTOSAI Fundamental Principles.
11) When the ISSAIs are used as the authoritative standards for a compliance audit conducted together with an audit of financial statements, the public-sector auditors should respect the authority of the compliance audit standards (ISSAIs 4000-4899) as well as the financial audit standards (ISSAIs 2000-2899).
3. FRAMEWORK FOR COMPLIANCE AUDITING
THE OBJECTIVE OF COMPLIANCE AUDITING
12) Compliance auditing is the independent assessment of whether a given subject matter is in compliance with applicable authorities² identified as criteria. Compliance audits are carried out by assessing whether activities, financial transactions and information comply, in all material respects, with the authorities which govern the audited entity.
13) The objective of public-sector compliance auditing, therefore, is to enable the SAI to assess whether the activities of public-sector entities are in accordance with the authorities governing those entities. This involves reporting on the degree to which the audited entity complies with established criteria. Reporting may vary between brief standardised opinions and various forms of conclusions, presented in short or long form. Compliance auditing may be concerned with regularity (adherence to formal criteria such as relevant laws, regulations and agreements) or with propriety (observance of the general principles governing sound financial management and the conduct of public officials). While regularity is the main focus of compliance auditing, propriety may also be pertinent given the public-sector context, in which there are certain expectations concerning financial management and the conduct of officials. Depending on the mandate of the SAI, the audit scope may therefore include aspects of propriety.³
² See paragraphs 28-29 on the concept of authorities.
³ See paragraph 32.
14) Compliance auditing may also lead SAIs with jurisdictional powers to pronounce judgments and sanctions on those responsible for managing public funds. Some SAIs are mandated to refer facts liable to criminal prosecution to the judicial authorities. In this context, the objective of the compliance audit may be extended, and the auditor should take due account of the relevant specific requirements when devising the audit strategy or planning and throughout the audit process.
CHARACTERISTICS OF COMPLIANCE AUDITING
15) Compliance auditing may cover a wide range of subject matter and can be performed to provide either reasonable or limited assurance, using several types of criteria, evidence-gathering procedures and reporting formats. Compliance audits may be attestation or direct reporting engagements, or both at once. The audit report may be either long- or short-form, and conclusions may be expressed in various ways: as a single clear written statement of opinion on compliance or as a more elaborate answer to specific audit questions.
16) Compliance auditing is often an integral part of an SAI’s mandate for the audit of public-sector entities. This is because legislation and other authorities are the primary means by which legislatures exercise control of income and expenditure, management and the rights of citizens to due process in their relations with the public sector. Public-sector entities are entrusted with the sound management of public funds. It is the responsibility of public-sector bodies and their appointed officials to be transparent about their actions and accountable to citizens for the funds with which they are entrusted, and to exercise good governance over those funds.
17) Compliance auditing promotes transparency by providing reliable reports as to whether funds have been administered, management exercised and citizens’ rights to due process honoured as required by the applicable authorities. It promotes accountability by reporting deviations from and violations of authorities, so that corrective action may be taken and those accountable may be held responsible for their actions. It promotes good governance both by identifying weaknesses and deviations from laws and regulations and by assessing propriety where there are insufficient or inadequate laws and regulations. Fraud and corruption are, by their very nature, elements which counteract transparency, accountability and good stewardship. Compliance auditing therefore promotes good governance in the public sector by considering the risk of fraud in relation to compliance.
18) Depending on the organisational structure of the public sector and the mandate of the SAI, compliance auditing may cover all levels of government: central, regional and local. Compliance audits of private entities are also possible, focusing, for revenue, on taxpayers and, for expenditure, on those involved in the management of public property or services, for instance through partnership arrangements or as recipients of public grants or subsidies.
19) In certain countries the SAI is a court, composed of judges, with authority over State accountants and other public officials who must render account to it. This jurisdictional function requires the SAI to ensure that whoever is charged with governance over public funds is held accountable for those funds and, in this regard, is subject to its jurisdiction. There exists an important complementary relationship between this jurisdictional authority and the characteristics of compliance auditing. This may entail additional requirements for auditors operating in an environment with a judicial role, such as a court of accounts.
THE DIFFERENT PERSPECTIVES OF COMPLIANCE AUDITING
20) Compliance auditing can be part of a combined audit that may also include other aspects. Though other possibilities exist, compliance auditing is generally conducted either:
• in relation with the audit of financial statements or
• separately or
• in combination with performance auditing.
» Compliance auditing in relation with the audit of financial statements
21) The legislature, as an element of public democratic process, establishes the priorities for public-sector income and expenditure and for the calculation and attribution of expenditure and income. The underlying premises of legislative bodies, and the decisions they take, are the source of the authorities governing cash flow in the public sector. Compliance with those authorities constitutes a broader perspective alongside the audit of financial statements in budgetary execution.
22) The audit of compliance with relevant authorities is often an important part of the mandate of an SAI, where it is combined with the audit of financial statements as part of reporting on the execution of public budgets.
23) Laws and regulations are important both in compliance auditing and in the audit of financial statements. Which laws and regulations apply in each field will depend on the audit objective. Compliance auditing is the independent assessment of whether a given subject matter is in compliance with applicable authorities identified as criteria; it focuses on obtaining sufficient and appropriate evidence regarding compliance with those criteria. The audit of financial statements seeks to ascertain whether the financial statements of the entity concerned were prepared in accordance with an acceptable financial reporting framework and to obtain sufficient and appropriate audit evidence regarding the laws and regulations that have a direct and material effect on the financial statements.⁴ Whereas, in the audit of financial statements, only those laws and regulations with a direct and material effect on the financial statement are relevant, in compliance auditing any laws and regulations relevant to the subject matter may be relevant for the audit.
24) (This paragraph has been deleted)
⁴ Cf. ISSAI 2250.
» Compliance auditing conducted separately
25) Compliance audits may also be planned, performed and reported on separately from the audit of financial statements and from performance audits. Compliance audits may be conducted separately on a regular or an ad hoc basis, as distinct and clearly-defined audits each related to a specific subject matter.
» Compliance auditing in combination with performance auditing
26) When compliance auditing is part of a performance audit, compliance is seen as one of the aspects of economy, efficiency and effectiveness. Non-compliance may be the cause of, an explanation for, or a consequence of, the state of the activities that are the subject of the performance audit. In combined audits of this kind, auditors should use their professional judgement to decide whether performance or compliance is the primary focus of the audit, and whether to apply the ISSAIs on performance auditing, compliance auditing or both.
4. ELEMENTS OF COMPLIANCE AUDITING
27) The elements of public-sector auditing are described in ISSAI 100. This section outlines additional aspects of the elements relevant to compliance auditing, which should be identified by the auditor before commencing the audit.
AUTHORITIES AND CRITERIA
28) Authorities are the most fundamental element of compliance auditing, since the structure and content of authorities furnish the audit criteria and therefore form the basis of how the audit is to proceed under a specific constitutional arrangement.
29) Authorities may include rules, laws and regulations, budgetary resolutions, policy, established codes, agreed terms or the general principles governing sound public-sector financial management and the conduct of public officials. Most authorities originate in the basic premises and decisions of the national legislature, but they may be issued at a lower level in the organisational structure of the public sector.
30) Because of the variety of possible authorities, they may have mutually conflicting provisions and be subject to differing interpretations. In addition, subordinate authorities may not be consistent with the requirements or limits of the enabling legislation, and there may be legislative gaps. As a result, to assess compliance with authorities in the public sector it is necessary to have sufficient knowledge of the structure and content of the authorities themselves. This is of particular importance when it comes to identifying the audit criteria, as the sources of the criteria may themselves feature in the audit, both when determining the audit scope and when drawing up the audit findings.
31) Criteria are the benchmarks used to evaluate or measure the subject matter consistently and reasonably. The auditor identifies criteria on the basis of the relevant authorities. To be suitable, compliance audit criteria must be relevant, reliable, complete, objective, understandable, comparable, acceptable and available. Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding.
32) Compliance auditing generally comprises the assessment of compliance with formal criteria, such as authorising legislation, regulations issued under framework legislation and other relevant laws, regulations and agreements, including budgetary laws (regularity). Where formal criteria are absent or there are obvious shortcomings in the legislation concerning their application, audits may also examine compliance with the general principles governing sound financial management and the conduct of public officials (propriety). Suitable criteria are needed both in audits focusing on regularity and in audits focusing on propriety. Suitable criteria for a compliance audit of propriety will be either generally-accepted principles or national or international best practice. In some cases they may be uncodified, implicit or based on overriding principles of law.
SUBJECT MATTER
33) The subject matter of a compliance audit is defined in the scope of the audit. It may take the form of activities, financial transactions or information. For attestation engagements on compliance it is more relevant to identify the subject matter information, which may be a statement of compliance prepared in accordance with an established and standardised reporting framework.
34) The subject matter depends on the mandate of the SAI, the relevant authorities and the scope of the audit. Hence the content and scope of compliance audit subject matter can vary widely. The subject matter of an audit may be either general or specific. Some types of subject matter are quantitative and, often, easily measured (for example payments which do not satisfy certain conditions), while others are qualitative and more subjective in nature (for example behaviour or adherence to procedural requirements).
THE THREE PARTIES IN COMPLIANCE AUDITING
35) Compliance auditing is based on a three-party relationship in which the auditor aims to obtain sufficient appropriate audit evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the measurement or evaluation of a subject matter against criteria.
36) In compliance auditing the responsibility of the auditor is to identify the elements of the audit, assess whether a particular subject matter is compliant with the established criteria and issue a compliance audit report.
37) The responsible party is the executive branch of government and/or its underlying hierarchy of public officials and entities responsible for the management of public funds and the exercise of authority under the control of the legislature. The responsible party in compliance auditing is responsible for the subject matter of the audit.
38) The intended users are the individuals, organizations or classes thereof for whom the auditor prepares the audit report. In compliance auditing the users generally include the legislature as representatives of the people, who are the ultimate users of compliance audit reports. The legislature makes decisions and sets priorities concerning the calculation and purpose of public-sector expenditure and income. The primary user in compliance auditing is often the entity that issued the authorities identified as audit criteria.
39) The relationship between the three parties should be viewed in the context of each audit and may be different in direct reporting as opposed to attestation engagements. The definition of the three parties may also vary according to the public-sector entities involved.
ASSURANCE IN COMPLIANCE AUDITING
40) An auditor performs procedures to reduce or manage the risk of providing incorrect conclusions, recognising that, owing to the inherent limitations in all audits, no audit can ever provide absolute assurance of the condition of the subject matter. This should be communicated in a transparent way. In most cases, a compliance audit will not cover all elements of the subject matter but will rely on a degree of qualitative or quantitative sampling.
41) Compliance auditing carried out by obtaining assurance enhances the confidence of the intended users in the information provided by the auditor or another party.
In compliance auditing there are two levels of assurance: reasonable assurance, conveying that, in the auditor’s opinion, the subject matter is or is not in compliance, in all material respects, with the stated criteria; and limited assurance, conveying that nothing has come to the auditor’s attention to cause him/her to believe that the subject matter is not compliant with the criteria. Both reasonable and limited assurance are possible in both direct reporting and attestation engagements in compliance auditing.
5. PRINCIPLES OF PERFORMANCE AUDITING
42) A compliance audit is a systematic process of objectively obtaining and evaluating evidence as to whether a given subject matter is in compliance with applicable authorities identified as criteria. The principles below are fundamental to the conduct of a compliance audit. The nature of the audit is iterative and cumulative, but for the purposes of presentation this section is divided into principles that the auditor should consider prior to commencement and at more than one point during the audit process (general principles) and those related to steps in the audit process itself.
GENERAL PRINCIPLES
» Professional judgement and scepticism
43) Auditors should plan and conduct the audit with professional scepticism and exercise professional judgement throughout the audit process.
The terms “professional scepticism” and “professional judgement” are relevant when formulating requirements regarding the auditor’s decisions about the appropriate course of action. They express the attitude of the auditor, which must include a questioning mind.
The auditor must apply professional judgement at all stages of the audit process. The concept refers to the application of relevant training, knowledge and experience, within the context provided by auditing standards, so that informed decisions can be made about the courses of action that are appropriate given the circumstances of the audit.
The concept of professional scepticism is fundamental to all audits. The auditor should plan and conduct the audit with an attitude of professional scepticism, recognising that certain circumstances may cause the subject matter to diverge from the criteria. An attitude of professional scepticism means the auditor making a critical assessment, with a questioning mind, of the sufficiency and appropriateness of evidence obtained throughout the audit.
Professional judgement and scepticism are used throughout the compliance audit process to assess the elements of the audit, the subject matter, suitable criteria, the audit scope, risk, materiality and the audit procedures to be used in response to the defined risks. The two concepts are also used in the evaluation of evidence and instances of non-compliance, in reporting and in determining the form, content and frequency of communication throughout the audit. Specific requirements for maintaining professional judgement and scepticism in compliance auditing are the ability to analyse the structure and content of public authorities as a basis for identifying suitable criteria or gaps in legislation, in the event that laws and regulations are entirely or partially lacking, and to apply professional audit concepts in the approach to known and unknown subject matter. The auditor should be capable of appraising a variety of types of audit evidence by their source and relevance to the audit scope and subject matter, and of evaluating the sufficiency and appropriateness of all evidence obtained during the audit.
» Quality control
44) Auditors should take responsibility for the overall quality of the audit.
The auditor is responsible for the performance of the audit and should implement quality control procedures throughout the audit process. Such procedures should be aimed at ensuring that the audit complies with the applicable standards and that the audit report, conclusion or opinion is appropriate given the circumstances.
» Audit team management and skills
45) Auditors should have access to the necessary skills.
The individuals in the audit team should collectively possess the knowledge, skills and expertise necessary to successfully complete the audit. This includes an understanding and practical experience of the type of audit being undertaken, familiarity with the applicable standards and authorities, an understanding of the audited entity’s operations and the ability and experience to exercise professional judgement. Common to all audits is the need to recruit personnel with suitable qualifications, offer staff development and training, prepare manuals and other written guidance and instructions concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain their professional competence through ongoing professional development.
Audits may require specialised techniques, methods or skills from disciplines not available within the SAI. External experts may be used in different ways, e.g. to provide knowledge or conduct specific work. Auditors should evaluate whether experts have the necessary competence, capabilities and objectivity and determine whether their work is adequate for the purposes of the audit.
» Audit risk
46) Auditors should consider audit risk throughout the audit process.
Audits should be conducted in such a way as to manage, or reduce the audit risk to an acceptable level. The audit risk is the risk that the audit report – or more specifically the auditor’s conclusion or opinion – will be inappropriate in the circumstances of the audit.
Consideration of audit risk is relevant in both attestation and direct engagements. The auditor should consider three different dimensions of audit risk – inherent risk, control risk and detection risk – in relation to the subject matter and the reporting format, i.e. whether the subject matter is quantitative or qualitative and whether the audit report is to include an opinion or a conclusion. The relative significance of these dimensions of audit risk depends on the nature of the subject matter, whether the audit is to provide reasonable or limited assurance and whether it is a direct reporting or an attestation engagement.
» Materiality
47) Auditors should consider materiality throughout the audit process.
Determining materiality is a matter of professional judgement and depends on the auditor’s interpretation of the users’ needs. A matter can be judged material if knowledge of it would be likely to influence the decisions of the intended users. This judgement may relate to an individual item or to a group of items taken together. Materiality is often considered in terms of value, but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs.
As stated above, materiality in compliance auditing has both quantitative and qualitative aspects, although the qualitative aspects generally play a greater role in the public sector. Materiality should be considered for the purposes of planning, evaluating the evidence obtained and reporting. An essential part of determining materiality is to consider whether reported cases of compliance or non-compliance (potential or confirmed) could reasonably be expected to influence decisions by the intended users. Factors to be considered within this judgment assessment are mandated requirements, public interest or expectations, specific areas of legislative focus, requests and significant funding. Issues at a lower level of value or incidence than the general determination of materiality, such as fraud, may also be considered material. The assessment of materiality requires comprehensive professional judgement on the part of the auditor and is related to the audit scope.
» Documentation
48) Auditors should prepare sufficient audit documentation.
Documentation should be prepared at the appropriate time and should provide a clear understanding of the criteria used, the scope of the audit, the judgments made, the evidence obtained and the conclusions reached. Documentation should be sufficiently detailed to enable an experienced auditor, with no prior knowledge of the audit, to understand the following: the relationship between the subject matter, the criteria, the audit scope, the risk assessment, the audit strategy and audit plan and the nature, timing, extent and results of the procedures performed; the evidence obtained in support of the auditor’s conclusion or opinion; the reasoning behind all significant matters that required the exercise of professional judgement; and the related conclusions. The auditor should prepare relevant audit documentation before the audit report is issued, and the documentation should be retained for an appropriate period of time.
» Communication
49) Auditors should maintain effective communication throughout the audit process.
Communication takes place at all audit stages: before the audit starts, during initial planning, during the audit proper, and at the reporting phase. Any significant difficulties encountered during the audit, as well as instances of material non-compliance, should be communicated to the appropriate level of management or those charged with governance. The auditor should also inform the responsible party of the audit criteria.
PRINCIPLES RELATED TO THE AUDIT PROCESS
» Planning and designing a compliance audit
Audit scope
50) Auditors should determine the audit scope.
Where the SAI’s mandate or the applicable legislation does not prescribe the scope of the audit, this should be decided by the auditor. The audit scope is a clear statement of the focus, extent and limits of the audit in terms of the subject matter’s compliance with the criteria. The scoping of an audit is influenced by materiality and risk, and it determines which authorities and parts thereof will be covered. The audit process as a whole should be designed to cover the entire audit scope.
Subject matter and criteria
51) Auditors should identify the subject matter and suitable criteria.
Determination of the subject matter and criteria is one of the first steps in a compliance audit. The subject matter and criteria may be laid down by law or in the mandate of the SAI. Alternatively, it may be identified by the auditor. For attestation engagements it may also be relevant to identify the subject matter information presented by the responsible party concerning the compliance of a given subject matter with certain criteria.
The subject matter may take many forms and have a variety of characteristics. When identifying the subject matter, the auditor should employ professional judgement and scepticism to analyse the audited entity and assess materiality and risk.
The subject matter should be identifiable, and it should be possible to assess it against suitable criteria. It should be of such a nature that it enables sufficient and appropriate audit evidence to be gathered in support of the audit report, conclusion or opinion.
The auditor should identify suitable criteria to provide a basis for evaluating the audit evidence and developing audit findings and conclusions. The criteria should be made available to the intended users and others as appropriate. They should also be communicated to the responsible party.
Understanding the entity
52) Auditors should understand the audited entity in the light of the relevant authorities.
Compliance auditing may cover all levels of the executive and can include various administrative levels, types of entities and combinations of entities. The auditor should therefore be familiar with the structure and operations of the audited entity and its procedures for achieving compliance. The auditor will use this knowledge to determine materiality and assess the risk of non-compliance.
Understanding internal controls and the control environment
53) Auditors should understand the control environment and the relevant internal controls and consider whether they are likely to ensure compliance.
An understanding of the audited entity and/or the subject matter relevant to the audit scope depends on the auditor’s knowledge of the control environment. The control environment is the culture of honesty and ethical behaviour that provides the foundation for the system of internal controls to ensure compliance with the authorities. In compliance auditing, a control environment that focuses on achieving compliance is of particular importance.
In order to understand the audited entity or the subject matter, the auditor also needs to understand the system of internal controls. The particular type of controls which the auditor focuses on will depend on the subject matter and the specific nature and scope of the audit. As the subject matter may be qualitative or quantitative, the auditor will focus on quantitative or qualitative internal controls, or a combination thereof, according to the audit scope. In evaluating internal controls, the auditor assesses the risk that they may not prevent or detect material instances of non-compliance. The auditor should consider whether the internal controls are in harmony with the control environment so as to ensure compliance with the authorities in all material respects.
Risk assessment
54) Auditors should perform a risk assessment to identify risks of non-compliance.
In the light of the audit criteria, the audit scope and the characteristics of the audited entity, the auditor should perform a risk assessment to determine the nature, timing and extent of the audit procedures to be performed. In this the auditor should consider the risks that the subject matter will not comply with the criteria. Non-compliance may arise due to fraud, error, the inherent nature of the subject matter and/or the circumstances of the audit. The identification of risks of non-compliance and their potential impact on the audit procedures should be considered throughout the audit process. As part of the risk assessment, the auditor should evaluate any known instances of non-compliance in order to determine whether they are material.
Risk of fraud
55) Auditors should consider the risk of fraud.
If the auditor comes across instances of non-compliance which may be indicative of fraud, he or she should exercise due professional care and caution so as not to interfere with any future legal proceedings or investigations.
Fraud in compliance auditing relates mainly to the abuse of public authority, but also to fraudulent reporting on compliance issues. Instances of non-compliance with authorities may constitute deliberate misuse of public authority for improper benefit. The execution of public authority includes decisions, non-decisions, preparatory work, advice, information handling and other acts in the public service. Improper benefits are advantages of a non-economic or economic nature gained by an intentional act by one or more individuals among management, those charged with governance, employees or third parties.
While detecting fraud is not the main objective of compliance audit, auditors should include fraud risk factors in their risk assessments and remain alert to indications of fraud when carrying out their work.
Audit strategy and audit plan
56) Auditors should develop an audit strategy and an audit plan.
Audit planning should involve discussion between members of the audit team with a view to developing an overall audit strategy and an audit plan. The purpose of the audit strategy is to devise an effective response to the risk of non-compliance. It should include consideration of the planned audit responses to specific risks through the development of an audit plan. Both the audit strategy and the audit plan should be documented in writing. Planning is not a distinct phase of the audit, but a continuous and iterative process.
» Audit evidence
57) Auditors should gather sufficient appropriate audit evidence to cover the audit scope.
The auditor should gather sufficient and appropriate audit evidence to provide the basis for the conclusion or opinion. Sufficiency is a measure of the quantity of evidence, while appropriateness relates to the quality of evidence – its relevance, validity and reliability. The quantity of evidence required depends on the audit risk (the greater the risk, the more evidence is likely to be required) and on the quality of such evidence (the higher the quality, the less may be required). Accordingly, the sufficiency and appropriateness of evidence are interrelated. However, merely obtaining more evidence does not compensate for its poor quality. The reliability of evidence is influenced by its source and nature, and is dependent on the specific circumstances in which it was obtained. The auditor should consider both the relevance and the reliability of the information to be used as audit evidence, and must respect the confidentiality of all audit evidence and information received.
The audit procedures should be appropriate in the circumstances of the audit and suited to the purpose of obtaining sufficient and appropriate audit evidence. The nature and sources of the necessary audit evidence are determined by the criteria, the subject matter and the scope of the audit. As the subject matter may be qualitative or quantitative, the auditor will focus on quantitative or qualitative audit evidence, or a combination thereof, according to the audit scope. Compliance auditing thus includes a variety of procedures for gathering evidence of both a quantitative and a qualitative nature.
The compliance auditor will often need to combine and compare evidence from different sources in order to meet the requirements for sufficiency and appropriateness.
» Evaluating audit evidence and forming conclusions
58) Auditors should evaluate whether sufficient and appropriate audit evidence has been obtained and form relevant conclusions.
After completing the audit proper the auditor will review the audit evidence in order to reach a conclusion or issue an opinion. The auditor should evaluate whether the evidence obtained is sufficient and appropriate so as to reduce the audit risk to an acceptably low level. The evaluation process entails considering evidence that both supports and seems to contradict the audit report, conclusion or opinion on compliance or non-compliance. It also includes considerations of materiality. After evaluating whether the evidence is sufficient and appropriate given the assurance level of the audit, the auditor should consider how best to conclude in the light of the evidence.
If audit evidence obtained from one source is inconsistent with that obtained from another, or if there are any doubts about the reliability of the information to be used as evidence, the auditor should determine what modifications or additions to the audit procedures would resolve the matter and consider the implications, if any, for other aspects of the audit.
After completing the audit, the auditor will review the audit documentation to determine whether the subject matter has been sufficiently and appropriately examined. The auditor should also determine whether the risk assessment and initial determination of materiality were appropriate in the light of the evidence collected, or whether they need to be revised.
» Reporting
59) Auditors should prepare a report based on the principles of completeness, objectivity, timeliness and a contradictory process.
The principle of completeness requires the auditor to consider all relevant audit evidence before issuing a report. The principle of objectivity requires the auditor to apply professional judgement and scepticism in order to ensure that all reports are factually correct and that findings or conclusions are presented in a relevant and balanced manner. The principle of timeliness implies preparing the report in due time. The principle of a contradictory process implies checking the accuracy of facts with the audited entity and incorporating responses from responsible officials as appropriate. In both form and content, a compliance audit report should conform to all these principles.
The forms of reporting may be defined in law or by the mandate of the SAI. Nonetheless, the audit report normally contains a conclusion based on the audit work performed. The report may also provide constructive and practical recommendations for improvement where appropriate. In an attestation engagement the report is generally referred to as the Auditor’s Report.
Reporting may vary between brief standardised opinions and various forms of conclusions, presented in short or long form. However it appears, the report should be complete, accurate, objective, convincing and as clear and concise as the subject matter permits. Any limitations in the audit scope should be described. The report should clearly state the relevance of the criteria used and the level of assurance provided.
The conclusion may take the form of a clear written statement of opinion on compliance, often in addition to the opinion on the financial statements. It may also be expressed as a more elaborate answer to specific audit questions. While an opinion is common in attestation engagements, the answering of specific audit questions is more often used in direct reporting engagements. Where an opinion is provided the auditor should state whether it is unmodified or has been modified on the basis of the evaluation of materiality and pervasiveness. Delivering an opinion would normally require a more elaborate audit strategy and approach.
Compliance audit reports should include the following elements (although not necessarily in this order):
1. Title
2. Addressee
3. Scope of the audit, including the time period covered
4. Identification or description of the subject matter
5. Identified criteria
6. Identification of the auditing standards applied in performing the work
7. A summary of the work performed
8. Findings
9. A conclusion/opinion
10. Replies from the audited entity (as appropriate)
11. Recommendations (as appropriate)
12. Report date
13. Signature
» Follow-up
60) Auditors should follow up instances of non-compliance when appropriate.
A follow-up process facilitates the effective implementation of corrective action and provides useful feedback to the audited entity, the users of the audit report and the auditor (for future audit planning). The need to follow up previously reported instances of non-compliance will vary with the nature of the subject matter, the non-compliance identified and the particular circumstances of the audit. At some SAIs, including courts of accounts, the follow-up may include issuing legally binding reports or judicial decisions. In audits carried out on a regular basis the follow-up procedures may form part of the subsequent year’s risk assessment.