issai 100 · issai 100 s fundamenta principes of pubic ssector auditing 11)the...

INTOSAI Standards are issued by the International

Organisation of Supreme Audit Institutions, INTOSAI, as part of

the INTOSAI Framework of Professional Pronouncements.

For more information visit www.issai.org

ISSAI

INTOSAI

100

Fundamental Principles of Public-Sector Auditing

INTOSAI

INTOSAI, 20191) EndorsedasBasicPrinciplesinGovernmentAuditingin20012) RevisedandrenamedFundamentalPrinciplesofPublic-SectorAuditingin 20133) With the establishment of the Intosai Framework of Professional Pronouncements(IFPP),editorialchangesweremadein2019

ISSAI100isavailableinallINTOSAIofficiallanguages:Arabic,English,French,German and Spanish

TABLE OF CONTENTS

1. INTRODUCTION 4

2. PURPOSE AND AUTHORITY OF THE ISSAIS 6

3. FRAMEWORK FOR PUBLIC-SECTOR AUDITING 9

Mandate 9

Public-sector auditing and its objectives 10

Types of public-sector audit 11

4. ELEMENTS OF PUBLIC-SECTOR AUDITING 13

The three parties 13

Subject matter, criteria and subject matter information 14

Types of engagement 15

Confidence and assurance in public-sector auditing 16

5. PRINCIPLES OF PUBLIC-SECTOR AUDITING 18

Organisational requirements 19

General principles 20

Principles related to the audit process 24

4

INTRODUCTION

1) Professionalstandardsandguidelinesareessentialforthecredibility,qualityandprofessionalismofpublic-sectorauditing.The International Standardsof Supreme Audit Institutions (ISSAIs) developed by the InternationalOrganisation of Supreme Audit Institutions (INTOSAI) aim to promoteindependentandeffectiveauditingbysupremeauditinstitutions(SAIs).

2) The ISSAIs support the members of INTOSAI in the development of their own professionalapproachinaccordancewiththeirmandatesandwithnationallawsandregulations.

3) The ISSAIs form part of the INTOSAI Framwork of Professional Pronouncements (IFPP). Within this framework, the INTOSAI Principles(INTOSAI-P)containtheframework’sfoundingprinciplesandcoreprinciplesthatsetoutprerequisitiesfortheproperfunctioningofSAIs.TheInternationalStandardsofSupremeAuditInstitutions(ISSAIs)addresstheconductofauditsand includegenerally-recognisedprofessionalprinciples thatunderpintheeffectiveandindependentauditingofpublic-sectorentities.

4) INTOSAIGuidance(GUIDs)alsoformpartoftheIFPP.Theyprovideguidanceto support SAIs and individual auditors in enchancing organizationalperformanceandimplementingandapplyingtheISSAIsinpractice.

5) The ISSAI 100 - Fundamental Principles of Public-Sector Auditing draw and elaborate on INTOSAI-P 1 The Lima Declarationandprovideanauthoritativeinternationalframeofreferencedefiningpublic-sectorauditing.ThefullsetofISSAIsisbasedontheseprinciples.

1

5

ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING

6) ISSAI 100 Fundamental Principles of Public-Sector Auditing provides detailed informationon:

• thepurposeandauthorityoftheISSAIs;

• theframeworkforpublic-sectorauditing;

• theelementsofpublic-sectorauditing;

• theprinciplestobeappliedinpublic-sectorauditing.

6

PURPOSE AND AUTHORITY OF THE ISSAIS

7) ISSAI 100 Fundamental Principles of Public-Sector Auditing establishes fundamental principles which are applicable to all public-sector audit engagements,irrespectiveoftheirformorcontext.ISSAI 200 Financial Audit Principles, ISSAI 300 Performance Audit Principles and ISSAI 400 Compliance Audit Principles build on and further develop the principles to be applied in thecontextoffinancial,performanceandcomplianceauditingrespectively.TheyshouldbeappliedinconjunctionwiththeprinciplessetoutinISSAI100.Theprinciplesinnowayoverridenationallaws,regulationsormandatesorpreventSAIsfromcarryingoutinvestigations,reviewsorotherengagementswhicharenotspecificallycoveredbytheexistingISSAIs.

8) The Fundamental Principles of Public-Sector Auditing (ISSAI 100) and the Financial,PerformanceandComplianceAuditingPrinciples1thatflowfromthiscanbeusedtoestablishauthoritativestandardsinthreeways:

• asabasisonwhichSAIscandevelopstandards;

• asabasisfortheadoptionofconsistentnationalstandards;

• asabasisforadoptionoftheISSAIs.

SAIsmaychoosetocompileasinglestandard-settingdocument,aseriesofsuchdocumentsoracombinationofstandard-settingandotherauthoritativedocuments.

1 ISSAIs 200, 300 and 400

2

7


SAIsshoulddeclarewhichstandardstheyapplywhenconductingaudits,andthisdeclarationshouldbeaccessibletousersoftheSAI’sreports.Wherethestandardsarebasedonseveralsourcestakentogether,thisshouldalsobestated. SAIs are encouraged tomake such declarations part of their auditreports;however,amoregeneralformofcommunicationmaybeused.

9) AnSAImaydeclarethatthestandardsithasdevelopedoradoptedarebasedonorareconsistentwiththeprinciplesoftheISSAIsonlyifthestandardsfullycomplywithallrelevantprinciplesinISSAIs100,200,300and400.

Audit reportsmay include a reference to the fact that the standards usedwere based on or consistent with the ISSAI or ISSAIs relevant to the audit work carriedout.Suchreferencemaybemadebystating:

… We conducted our audit[s] in accordance with [standards], which are based on [or consistent with] ISSAI 100 Fundamental Principles of Public-Sector Auditing [and the principles of ISSAI 200 Financial Audit Principles / ISSAI 300 Performance Audit Principles / ISSAI 400 Compliance Audit Principles] of the International Standards of Supreme Audit Institutions.

In order to properly adopt or develop auditing standards based on theseauditing principles, an understanding of the entire text of theprinciples isnecessary.Toachievethis,itmaybehelpfultoconsulttherelevantfinancialaudit standards (ISSAIs 2000-2899), performance audit standards (ISSAIs 3000-3899)andcomplianceauditstandards(ISSAIs4000-4899).

10) SAIsmaychoosetoadopttheISSAIsastheirauthoritativestandards.InsuchcasestheauditormustcomplywithallISSAIsrelevanttotheaudit.ReferencetotheISSAIsappliedmaybemadebystating:

…We conducted our audit[s] in accordance with the International Standards of Supreme Audit Institutions (ISSAIs).

Inordertoenhancetransparency,thestatementmayfurtherspecifywhichauditing standardswithin the ISSAIs2000-4899 theauditorhas consideredrelevantandapplied.Thismaybedonebyaddingthefollowingphrase:

The audit[s] was [were] based on ISSAI[s] xxx [number and name of the ISSAI or range of ISSAIs].

8


11) The International Standards on Auditing (ISAs) issued by the InternationalFederationofAccountants(IFAC)areincorporatedintotheINTOSAIfinancialaudit standards (ISSAIs 2000-2899). In financial audits, reference maythereforebemadeeithertotheISSAIsortotheISAs.TheISSAIsmayprovideadditionalpublic-sectorapplicationmaterial,buttherequirementsupontheauditorinfinancialauditsarethesame.TheISAsconstituteanindivisiblesetofstandardsandtheISSAIsinwhichtheyareincorporatedmaynotbereferredtoindividually.IftheISSAIsortheISAshavebeenadoptedastheSAI’sstandardsforfinancialaudits,theauditor’sreportshouldincludeareferencetothosestandards.Thisappliesequallytofinancialauditsconductedincombinationwithothertypesofaudit.

12) AuditsmaybeconductedinaccordancewithboththeISSAIsandstandardsfrom other sources provided that no contradictions arise. In such casesreference should be made both to the ISSAIs and to the other standards concerned.

9

FRAMEWORK FORPUBLIC-SECTOR AUDITING

Mandate

13) An SAI will exercise its public-sector audit function within a specificconstitutionalarrangementandbyvirtueof itsofficeandmandate,whichensure sufficient independence andpower of discretion in performing itsduties.ThemandateofanSAImaydefineitsgeneralresponsibilitiesinthefieldofpublic-sectorauditingandprovidefurtherprescriptionsconcerningtheauditsandotherengagementstobeperformed.

14) SAIsmaybemandatedtoperformmanytypesofengagementsonanysubjectofrelevancetotheresponsibilitiesofmanagementandthosechargedwithgovernanceandtheappropriateuseofpublicfundsandassets.TheextentorformoftheseengagementsandthereportingthereonwillvaryaccordingtothelegislatedmandateoftheSAIconcerned.

15) Incertaincountries,theSAIisacourt,composedofjudges,withauthorityoverStateaccountantsandotherpublicofficialswhomustrenderaccounttoit.Thereexistsanimportantrelationshipbetweenthisjurisdictionalauthorityandthecharacteristicsofpublic-sectorauditing.ThejurisdictionalfunctionrequirestheSAItoensurethatwhoeverischargedwithdealingwithpublicfundsisheldaccountableand,inthisregard,issubjecttoitsjurisdiction.

16) AnSAImaymakestrategicdecisionsinordertorespondtotherequirementsin its mandate and other legislative requirements. Such decisions mayincludewhichauditingstandardsareapplicable,whichengagementswillbe

3

10


conductedandhowtheywillbeprioritised.

Public-sector auditing and its objectives

17) Thepublic-sectorauditenvironmentisthatinwhichgovernmentsandotherpublic-sectorentitiesexerciseresponsibilityfortheuseofresourcesderivedfrom taxation andother sources in the delivery of services to citizens andother recipients.Theseentitiesareaccountable for theirmanagementandperformance, and for the use of resources, both to those that provide the resources and to those, including citizens, who depend on the servicesdeliveredusingthoseresources.Public-sectorauditinghelpstocreatesuitableconditionsandreinforcetheexpectationthatpublic-sectorentitiesandpublicservantswill perform their functions effectively, efficiently, ethically and inaccordancewiththeapplicablelawsandregulations.

18) In general public-sector auditing can be described as a systematic processof objectively obtaining and evaluating evidence to determine whetherinformation or actual conditions conform to established criteria. Public-sectorauditingisessentialinthatitprovideslegislativeandoversightbodies,thosechargedwithgovernanceandthegeneralpublicwithinformationandindependent and objective assessments concerning the stewardship andperformanceofgovernmentpolicies,programmesoroperations.

19) SAIsservethisaimasimportantpillarsoftheirnationaldemocraticsystemsandgovernancemechanismsandplayanimportantroleinenhancingpublic-sectoradministrationbyemphasisingtheprinciplesoftransparency,accountability,governanceandperformance. INTOSAIP-20PrinciplesofTransparencyandAccountabilitycontainINTOSAIcoreprinciplesinthisregard.

20) All public-sector audits start from objectives, which may differ dependingon the type of audit being conducted. However, all public-sector auditingcontributestogoodgovernanceby:

• providing the intendeduserswith independent,objectiveand reliableinformation,conclusionsoropinionsbasedonsufficientandappropriateevidencerelatingtopublicentities;

11


• enhancing accountability and transparency, encouraging continuousimprovementandsustainedconfidenceintheappropriateuseofpublicfundsandassetsandtheperformanceofpublicadministration;

• reinforcing the effectiveness of those bodieswithin the constitutionalarrangementthatexercisegeneralmonitoringandcorrectivefunctionsovergovernment,andthoseresponsibleforthemanagementofpublicly-fundedactivities;

• creatingincentivesforchangebyprovidingknowledge,comprehensiveanalysisandwell-foundedrecommendationsforimprovement.

21) In general, public-sector audits can be categorised into one or more ofthreemaintypes:auditsoffinancialstatements,auditsofcompliancewithauthorities and performance audits. The objectives of any given auditwilldeterminewhichstandardsapply.

Types of public-sector audit

22) Thethreemaintypesofpublic-sectorauditaredefinedasfollows:

Financial audit focuses on determiningwhether an entity’s financial informationispresented in accordancewith theapplicablefinancial reportingand regulatoryframework. This is accomplished by obtaining sufficient and appropriate auditevidence toenable theauditor toexpressanopinionas towhether thefinancialinformationisfreefrommaterialmisstatementduetofraudorerror.

Performance auditfocusesonwhetherinterventions,programmesandinstitutionsare performing in accordance with the principles of economy, efficiency andeffectivenessandwhetherthereisroomforimprovement.Performanceisexaminedagainstsuitablecriteria,andthecausesofdeviationsfromthosecriteriaorotherproblemsare analysed. Theaim is to answer key audit questions and toproviderecommendationsforimprovement.

Compliance auditfocusesonwhetheraparticularsubjectmatterisincompliancewithauthoritiesidentifiedascriteria.Complianceauditingisperformedbyassessingwhether activities, financial transactions and information are, in all material

12


respects,incompliancewiththeauthoritieswhichgoverntheauditedentity.Theseauthoritiesmay includerules, lawsandregulations,budgetaryresolutions,policy,establishedcodes,agreedtermsorthegeneralprinciplesgoverningsoundpublic-sectorfinancialmanagementandtheconductofpublicofficials.

23) SAIsmaycarryoutauditsorotherengagementsonanysubjectofrelevanceto the responsibilitiesofmanagementand those chargedwithgovernanceandtheappropriateuseofpublicresources.Theseengagementsmayincludereportingon thequantitativeoutputsandoutcomesof theentity’s servicedelivery activities, sustainability reports, future resource requirements,adherencetointernalcontrolstandards,real-timeauditsofprojectsorothermatters. SAIs may also conduct combined audits incorporating financial,performanceand/orcomplianceaspects.

13

ELEMENTS OFPUBLIC-SECTOR AUDITING

24) Public-sectorauditingisindispensableforthepublicadministration,asthemanagementofpublicresourcesisamatteroftrust.Responsibilityforthemanagementofpublicresourcesinlinewithintendedpurposesisentrustedtoanentityorpersonwhoactsonbehalfofthepublic.Public-sectorauditingenhances the confidence of the intended users by providing informationand independent and objective assessments concerning deviations fromacceptedstandardsorprinciplesofgoodgovernance.

All public-sector audits have the same basic elements: the auditor, theresponsibleparty,intendedusers(thethreepartiestotheaudit),criteriaforassessingthesubjectmatterandtheresultingsubjectmatterinformation.They can be categorised as two different types of audit engagement:attestationengagementsanddirectreportingengagements.

The three parties

25) Public-sector audits involve at least three separate parties: the auditor,a responsible party and intended users. The relationship between theparties should be viewedwithin the context of the specific constitutionalarrangementsforeachtypeofaudit.

• Theauditor:Inpublic-sectorauditingtheroleofauditorisfulfilledbytheHeadoftheSAIandbypersonstowhomthetaskofconductingtheauditsisdelegated.Theoverallresponsibilityforpublic-sectorauditingremainsasdefinedbytheSAI’smandate.

4

14


• The responsible party: In public-sector auditing the relevantresponsibilities are determined by constitutional or legislativearrangement. The responsible parties may be responsible for thesubject matter information, for managing the subject matter or foraddressingrecommendations,andmaybeindividualsororganisations.

• Intended users: The individuals, organisations or classes thereof forwhom theauditorprepares theaudit report. The intendedusersmaybelegislativeoroversightbodies,thosechargedwithgovernanceorthegeneralpublic.

Subject matter, criteria and subject matter information

26) Subjectmatterreferstotheinformation,conditionoractivitythatismeasuredorevaluatedagainstcertaincriteria.Itcantakemanyformsandhavedifferentcharacteristics depending on the audit objective. An appropriate subjectmatteris identifiableandcapableofconsistentevaluationormeasurementagainstthecriteria,suchthatitcanbesubjectedtoproceduresforgatheringsufficient and appropriate audit evidence to support the audit opinion orconclusion.

27) The criteria are thebenchmarksused toevaluate the subjectmatter. Eachaudit should have criteria suitable to the circumstances of that audit. Indetermining the suitability of criteria the auditor considers their relevanceandunderstandabilityfortheintendedusers,aswellastheircompleteness,reliability and objectivity (neutrality, general acceptance and comparabilitywiththecriteriausedinsimilaraudits).Thecriteriausedmaydependonarangeoffactors,includingtheobjectivesandthetypeofaudit.Criteriacanbespecificormoregeneral,andmaybedrawnfromvarioussources,includinglaws,regulations,standards,soundprinciplesandbestpractices.Theyshouldbe made available to the intended users to enable them to understand how thesubjectmatterhasbeenevaluatedormeasured.

28) Subjectmatterinformationreferstotheoutcomeofevaluatingormeasuringthe subject matter against the criteria. It can take many forms and havedifferentcharacteristicsdependingontheauditobjectiveandauditscope.

15


Types of engagement

29) Therearetwotypesofengagement:

• Inattestationengagementstheresponsiblepartymeasuresthesubjectmatteragainstthecriteriaandpresentsthesubjectmatterinformation,on which the auditor then gathers sufficient and appropriate auditevidencetoprovideareasonablebasisforexpressingaconclusion.

• In direct reporting engagements it is the auditor who measures orevaluatesthesubjectmatteragainstthecriteria.Theauditorselectsthesubjectmatterandcriteria,takingintoconsiderationriskandmateriality.The outcome of measuring the subject matter against the criteria ispresented in the audit report in the form of findings, conclusions,recommendationsoranopinion. Theauditof the subjectmattermayalsoprovidenewinformation,analysesorinsights.

30) Financial audits are always attestation engagements, as they are basedonfinancialinformationpresentedbytheresponsibleparty.Performanceauditsare normally direct reporting engagements. Compliance audits may beattestationordirectreportingengagements,orbothatonce.ThefollowingconstitutethesubjectmatterorthesubjectmatterinformationinthethreetypesofauditcoveredbytheISSAIs:

a) Financial audit:Thesubjectmatterofafinancialauditisthefinancialposition, performance, cash flow or other elements which arerecognised, measured and presented in financial statements. Thesubjectmatterinformationisthefinancialstatements.

b) Performance audit:Thesubjectmatterofaperformanceauditisdefinedbytheauditobjectivesandauditquestions.Thesubjectmattermaybespecificprogrammes,entitiesorfundsorcertainactivities(withtheiroutputs,outcomesandimpacts),existingsituations(includingcausesand consequences) as well as non-financial or financial informationaboutanyoftheseelements.Theauditormeasuresorevaluatesthe

16


subjectmatter toassess theextent towhich theestablished criteriahaveorhavenotbeenmet.

c) Compliance audit:Thesubjectmatterofacomplianceauditisdefinedby the scopeof theaudit. Itmaybeactivities,financial transactionsorinformation.Forattestationengagementsoncomplianceitismorerelevant to focus on the subject matter information, whichmay bea statement of compliance in accordance with an established and standardisedreportingframework.

Confidence and assurance in public-sector auditing

The need for confidence and assurance

31) The intended users will wish to be confident about the reliability andrelevanceoftheinformationwhichtheyuseasthebasisfortakingdecisions.Audits therefore provide information based on sufficient and appropriateevidence,andauditorsshouldperformprocedurestoreduceormanagetherisk of reaching inappropriate conclusions. The level of assurance that canbe provided to the intended user should be communicated in a transparent way.Duetoinherentlimitations,however,auditscanneverprovideabsoluteassurance.

Forms of providing assurance

32) Dependingontheauditandtheusers’needs,assurancecanbecommunicatedintwoways:

• Throughopinions and conclusionswhich explicitly convey the level ofassurance.Thisappliestoallattestationengagementsandcertaindirectreportingengagements.

• Inotherforms.Insomedirectreportingengagementstheauditordoesnot give an explicit statement of assurance on the subjectmatter. Insuchcasestheauditorprovidestheuserswiththenecessarydegreeofconfidencebyexplicitlyexplaininghowfindings,criteriaandconclusions

17


were developed in a balanced and reasoned manner, and why thecombinationsoffindingsandcriteriaresultinacertainoverallconclusionorrecommendation.

Levels of assurance

33) Assurancecanbeeitherreasonableorlimited.

Reasonable assurance is high but not absolute. The audit conclusion isexpressed positively, conveying that, in the auditor’s opinion, the subjectmatterisorisnotcompliantinallmaterialrespects,or,whererelevant,thatthesubjectmatterinformationprovidesatrueandfairview,inaccordancewiththeapplicablecriteria.

Whenprovidinglimitedassurance,theauditconclusionstatesthat,basedontheproceduresperformed,nothinghas come to the auditor’s attention tocausetheauditortobelievethatthesubjectmatterisnotincompliancewiththeapplicablecriteria.Theproceduresperformedinalimitedassuranceauditarelimitedcomparedwithwhatisnecessarytoobtainreasonableassurance,butthelevelofassuranceisexpected,intheauditor’sprofessionaljudgement,tobemeaningfultotheintendedusers.Alimitedassurancereportconveysthelimitednatureoftheassuranceprovided.

18

PRINCIPLES OFPUBLIC-SECTOR AUDITING

34) Theprinciplesdetailedbelowarefundamentaltotheconductofanaudit.

Auditingisacumulativeanditerativeprocess.However,forthepurposesof

presentationthe fundamentalprinciplesaregroupedbyprinciples related

totheSAI’sorganisationalrequirements,generalprinciplesthattheauditor

shouldconsiderpriortocommencementandatmorethanonepointduring

theauditandprinciplesrelatedtospecificstepsintheauditprocess.

5

19


Areascoveredbytheprinciplesforpublic-sectorauditing

Ethics &Independence

Professional judment, due

care and scepticism

Audit team management

& skills

Quality control

Audit risk Materiality CommunicationDocumentation

Planning the audit Conducting the audit Reporting and follow-up

Establish the terms of the audit

Obtain understanding

Conduct risk assessment of problem analysis

Identify risks of fraud

Develop an audit plan

Prepare a report based on the conclusions reached

Follow up on reported matters as relevant

Perform the planned audit procedures to obtain audit evidence

Evaluate audit evidence and draw conclusions

GENERAL PRINCIPLES

PRINCIPLES RELATED TO THE AUDIT PROCESS

Organisational requirements

35) SAIs should establish and maintain appropriate procedures for ethics and quality control

Each SAI should establish and maintain procedures for ethics and qualitycontrolonanorganisationallevelthatwillprovideitwithreasonableassurance

20


thattheSAIanditspersonnelarecomplyingwithprofessionalstandardsandtheapplicableethical,legalandregulatoryrequirements.ISSAI 130 - Code of Ethics and ISSAI 140 - Quality Control for provides principles, requirementsandapplicationmaterialinthisregard.TheexistenceoftheseproceduresatSAIlevelisaprerequisiteforapplyingordevelopingnationalstandardsbasedontheFundamentalAuditingPrinciples.

General principles

Ethics and independence

36) Auditors should comply with the relevant ethical requirements and be independent. Ethical principles should be embodied in an auditor’s professional behaviour. The SAIs should have policies addressing ethicalrequirements and emphasising the need for compliance by each auditor.Auditorsshouldremainindependentsothattheirreportswillbeimpartialandbeseenassuchbytheintendedusers.

Auditors canfind INTOSAICorePrincipleson independence in the INTOSAI P-10 Mexico Declaration on SAI Independence.Thekeyethicalprinciplesofintegrity,independenceandobjectivity,competence,professionalbehaviorandconfidentialityandtransparencyaredefinedin ISSAI 130 Code of Ethics, togetherwithrelatedrequirementsandapplicationmaterial.

Professionaljudgement,duecareandscepticism

37) Auditors should maintain appropriate professional behaviour by applying professional scepticism, professional judgment and due care throughout the audit. The auditor’s attitude should be characterised by professionalscepticismandprofessionaljudgement,whicharetobeappliedwhenformingdecisions about the appropriate courseof action.Auditors should exerciseduecaretoensurethattheirprofessionalbehaviourisappropriate.

Professionalscepticismmeansmaintainingprofessionaldistanceandanalertandquestioningattitudewhenassessingthesufficiencyandappropriatenessofevidenceobtained throughout theaudit. It alsoentails remainingopen-

21


mindedandreceptivetoallviewsandarguments.

Professionaljudgementimpliestheapplicationofcollectiveknowledge,skillsandexperiencetotheauditprocess.Duecaremeansthattheauditorshouldplan and conduct audits in a diligent manner. Auditors should avoid anyconductthatmightdiscredittheirwork.

Qualitycontrol

38) Auditors should perform the audit in accordance with professional standards onqualitycontrol

ASAI’squalitycontrolpoliciesandproceduresshouldcomplywithprofessionalstandards,theaimbeingtoensurethatauditsareconductedataconsistentlyhigh level. Quality control procedures should cover matters such as thedirection, review and supervision of the audit process and the need forconsultation inordertoreachdecisionsondifficultorcontentiousmatters.AuditorscanfindfurtherinformationinISSAI 140 Quality Control for SAIs.

Auditteammanagementandskills

39) Auditors should possess or have access to the necessary skills

Theindividualsintheauditteamshouldcollectivelypossesstheknowledge,skills and expertise necessary to successfully complete the audit. Thisincludes an understanding and practical experience of the type of auditbeingconducted,familiaritywiththeapplicablestandardsandlegislation,anunderstandingoftheentity’soperationsandtheabilityandexperienceto exercise professional judgement. Common to all audits is the need torecruitpersonnelwithsuitablequalifications,offerstaffdevelopmentandtraining, prepare manuals and other written guidance and instructionsconcerning the conduct of audits, and assign sufficient audit resources.Auditors shouldmaintain theirprofessional competence throughongoingprofessionaldevelopment.

Where relevant or necessary, and in line with the SAI’s mandate and theapplicablelegislation,theauditormayusetheworkofinternalauditors,otherauditorsorexperts.Theauditor’sproceduresshouldprovideasufficientbasis

22


forusingtheworkofothers,andinallcasestheauditorshouldobtainevidenceofotherauditors’orexperts’competenceandindependenceandthequalityoftheworkperformed.However,theSAIhassoleresponsibilityforanyauditopinionorreportitmightproduceonthesubjectmatter;thatresponsibilityisnotreducedbyitsuseofworkdonebyotherparties.

Theobjectivesofinternalauditaredifferentfromthoseofexternalaudit.However, both internal and external audit promote good governancethrough contributions to transparency and accountability for the use ofpublicresources,aswellaseconomy,efficiencyandeffectivenessinpublicadministration.Thisoffersopportunitiesforcoordinationandcooperationandthepossibilityofeliminatingduplicationofeffort.

SomeSAIsusetheworkofotherauditorsatstate,provincial,regional,districtorlocallevel,orofpublicaccountingfirmsthathavecompletedauditworkrelatedtotheauditobjective.Arrangementsshouldbemadetoensurethatany such work was carried out in accordance with public-sector auditingstandards.

Auditsmayrequirespecialisedtechniques,methodsorskillsfromdisciplinesnotavailablewithin theSAI. In suchcasesexpertsmaybeused toprovideknowledgeorcarryoutspecifictasksorforotherpurposes.

Audit risk

40) Auditors should manage the risks of providing a report that is inappropriate in the circumstances of the audit

Theauditriskistheriskthattheauditreportmaybeinappropriate.Theauditorperformsprocedurestoreduceormanagetheriskofreachinginappropriateconclusions,recognisingthatthelimitationsinherenttoallauditsmeanthatanauditcanneverprovideabsolutecertaintyoftheconditionofthesubjectmatter.

Whentheobjective is toprovidereasonableassurance, theauditorshouldreduceauditrisktoanacceptably lowlevelgiventhecircumstancesoftheaudit. The auditmay also aim to provide limited assurance, inwhich case

23


theacceptable risk that criteria arenot compliedwith is greater than in areasonable assurance audit. A limited assurance audit provides a level ofassurancethat, intheauditor’sprofessional judgment,willbemeaningfultotheintendedusers.

Materiality

41) Auditors should consider materiality throughout the audit process

Materiality is relevant in all audits. A matter can be judged material ifknowledgeofitwouldbelikelytoinfluencethedecisionsoftheintendedusers.Determiningmaterialityisamatterofprofessionaljudgementanddependson the auditor’s interpretation of the users’ needs. This judgement mayrelatetoanindividualitemortoagroupofitemstakentogether.Materialityis often considered in termsof value, but it alsohas other quantitative aswellasqualitativeaspects.Theinherentcharacteristicsofanitemorgroupofitemsmayrenderamattermaterialbyitsverynature.Amattermayalsobematerialbecauseofthecontextinwhichitoccurs.

Materialityconsiderationsaffectdecisionsconcerningthenature,timingandextentofauditproceduresandtheevaluationofauditresults.Considerationsmay include stakeholder concerns,public interest, regulatory requirementsandconsequencesforsociety.

Documentation

42) Auditors should prepare audit documentation that is sufficiently detailed to provide a clear understanding of the work performed, evidence obtained and conclusions reached

Audit documentation should include an audit strategy and audit plan. Itshould record the procedures performed and evidence obtained and support thecommunicatedresultsoftheaudit.Documentationshouldbesufficientlydetailed toenableanexperiencedauditor,withnopriorknowledgeof theaudit,tounderstandthenature,timing,scopeandresultsoftheproceduresperformed, the evidence obtained in support of the audit conclusions and recommendations,thereasoningbehindallsignificantmattersthatrequiredtheexerciseofprofessionaljudgement,andtherelatedconclusions.

24


Communication

43) Auditors should establish effective communication throughout the audit process

Itisessentialthattheauditedentitybekeptinformedofallmattersrelatingto the audit. This is key to developing a constructiveworking relationship.Communication should includeobtaining information relevant to the auditandprovidingmanagementandthosechargedwithgovernancewithtimelyobservations and findings throughout the engagement. The auditor mayalso have a responsibility to communicate audit-related matters to otherstakeholders,suchaslegislativeandoversightbodies.

Principles related to the audit process

Planninganaudit

44) Auditors should ensure that the terms of the audit have been clearly established

Auditsmay be required by statute, requested by a legislative or oversightbody,initiatedbytheSAIorcarriedoutbysimpleagreementwiththeauditedentity. In all cases the auditor, the audited entity’s management, thosechargedwithgovernanceandothersasapplicableshouldreachacommonformalunderstandingofthetermsoftheauditandtheirrespectiverolesandresponsibilities. Important informationmay include the subject, scope andobjectivesof theaudit, access todata, the report thatwill result from theaudit,theauditprocess,contactpersons,andtherolesandresponsibilitiesofthedifferentpartiestotheengagement.

45) Auditors should obtain an understanding of the nature of the entity/programme to be audited

This includes understanding the relevant objectives, operations, regulatoryenvironment, internal controls, financial and other systems and businessprocesses,andresearchingthepotentialsourcesofauditevidence.Knowledge

25


canbeobtainedfromregular interactionwithmanagement, thosechargedwithgovernanceandotherrelevantstakeholders.Thismaymeanconsultingexpertsandexaminingdocuments(includingearlierstudiesandothersources)inordertogainabroadunderstandingofthesubjectmattertobeauditedanditscontext.

46) Auditors should conduct a risk assessment or problem analysis and revise this as necessary in response to the audit findings

Thenatureoftherisksidentifiedwillvaryaccordingtotheauditobjective.Theauditorshouldconsiderandassesstheriskofdifferenttypesofdeficiencies,deviationsormisstatementsthatmayoccurinrelationtothesubjectmatter.Bothgeneraland specific risks shouldbeconsidered.This canbeachievedthroughprocedures that serve toobtainanunderstandingof theentityorprogramme and its environment, including the relevant internal controls.The auditor should assess the management’s response to identified risks,including its implementation and design of internal controls to addressthem. In a problemanalysis the auditor should consider actual indicationsofproblemsordeviationsfromwhatshouldbeorisexpected.Thisprocessinvolves examining various problem indicators in order to define the auditobjectives.Theidentificationofrisksandtheirimpactontheauditshouldbeconsideredthroughouttheauditprocess.

47) Auditors should identify and assess the risks of fraud relevant to the audit objectives.

Auditors should make enquiries and perform procedures to identify andrespond to the risksof fraud relevant to theaudit objectives. They shouldmaintainanattitudeofprofessionalscepticismandbealerttothepossibilityoffraudthroughouttheauditprocess.

48) Auditors should plan their work to ensure that the audit is conducted in an effective and efficient manner

Planningforaspecificauditincludesstrategicandoperationalaspects.

Strategically,planningshoulddefinetheauditscope,objectivesandapproach.

26


Theobjectivesrefertowhattheauditisintendedtoaccomplish.Thescoperelatestothesubjectmatterandthecriteriawhichtheauditorswillusetoassessandreportonthesubjectmatter,andisdirectlyrelatedtotheobjectives.Theapproachwill describe thenature andextentof theprocedures tobeused for gathering audit evidence. The audit should be planned to reduceauditrisktoanacceptablylowlevel.

Operationally,planningentailssettingatimetablefortheauditanddefiningthe nature, timing and extent of the audit procedures. During planning,auditorsshouldassignthemembersoftheirteamasappropriateandidentifyotherresourcesthatmayberequired,suchassubjectexperts.

Auditplanningshouldberesponsivetosignificantchangesincircumstancesandconditions.Itisaniterativeprocessthattakesplacethroughouttheaudit.

Conductinganaudit

49) Auditors should perform audit procedures that provide sufficient appropriate audit evidence to support the audit report

Theauditor’sdecisionsonthenature,timingandextentofauditprocedureswill impact on theevidence tobeobtained. The choiceof procedureswilldependontheriskassessmentorproblemanalysis.

Auditevidenceisanyinformationusedbytheauditortodeterminewhetherthe subjectmatter complieswith the applicable criteria. Evidencemay takemanyforms,suchaselectronicandpaperrecordsoftransactions,writtenandelectroniccommunicationwithoutsiders,observationsbytheauditor,andoralorwrittentestimonybytheauditedentity.Methodsofobtainingauditevidencecan include inspection, observation, inquiry, confirmation, recalculation,reperformance, analytical procedures and/or other research techniques.Evidence should be both sufficient (quantity) to persuade a knowledgeableperson that the findings are reasonable, and appropriate (quality) – i.e.relevant,validandreliable.Theauditor’sassessmentoftheevidenceshouldbeobjective,fairandbalanced.Preliminaryfindingsshouldbecommunicatedtoanddiscussedwiththeauditedentitytoconfirmtheirvalidity.

Theauditormustrespectallrequirementsregardingconfidentiality.

27


50) Auditors should evaluate the audit evidence and draw conclusions

After completing the audit procedures, the auditor will review the auditdocumentationinordertodeterminewhetherthesubjectmatterhasbeensufficiently and appropriately audited. Before drawing conclusions, theauditorreconsiderstheinitialassessmentofriskandmaterialityinthelightoftheevidencecollectedanddetermineswhetheradditionalauditproceduresneedtobeperformed.

Theauditorshouldevaluatetheauditevidencewithaviewtoobtainingauditfindings.When evaluating the audit evidence and assessingmateriality offindingstheauditorshouldtakebothquantitativeandqualitativefactorsintoconsideration.

Basedonthefindings,theauditorshouldexerciseprofessionaljudgementtoreachaconclusiononthesubjectmatterorsubjectmatterinformation.

Reportingandfollow-up

51) Auditors should prepare a report based on the conclusions reached

Theauditprocessinvolvespreparingareporttocommunicatetheresultsoftheaudittostakeholders,othersresponsibleforgovernanceandthegeneralpublic.Thepurposeisalsotofacilitatefollow-upandcorrectiveaction.InsomeSAIs, such as courts of auditwith jurisdictional authority, thismay includeissuinglegallybindingreportsorjudicialdecisions.

Reportsshouldbeeasytounderstand,freefromvaguenessorambiguityandcomplete.Theyshouldbeobjectiveandfair,onlyincludinginformationwhichissupportedbysufficientandappropriateauditevidenceandensuringthatfindingsareputintoperspectiveandcontext.

The form and content of a report will depend on the nature of the audit, the intendedusers, the applicable standards and legal requirements. The SAI’smandate and other relevant laws or regulationsmay specify the layout orwordingofreports,whichcanappearinshortformorlongform.

28


Long-form reports generally describe in detail the audit scope, auditfindingsandconclusions,includingpotentialconsequencesandconstructiverecommendationstoenableremedialaction.

Short-formreportsaremorecondensedandgenerallyinamorestandardisedformat.

» Attestationengagements

In attestation engagements the audit reportmay express an opinion as towhetherthesubjectmatterinformationis,inallmaterialrespects,freefrommisstatement and/or whether the subjectmatter complies, in allmaterialrespects, with the established criteria. In an attestation engagement thereportisgenerallyreferredtoastheAuditor’sReport.

» Directengagements

Indirectengagements theaudit reportneeds to state theauditobjectivesanddescribehowtheywereaddressedintheaudit.Itincludesfindingsandconclusionsonthesubjectmatterandmayalso includerecommendations.Additionalinformationaboutcriteria,methodologyandsourcesofdatamayalsobegiven,andanylimitationstotheauditscopeshouldbedescribed.

The audit report should explain how the evidence obtainedwas used andwhytheresultingconclusionsweredrawn.Thiswillenableittoprovidetheintendeduserswiththenecessarydegreeofconfidence.

» Opinion

Whenanauditopinionisusedtoconveythelevelofassurance,theopinionshould be in a standardised format. The opinion may be unmodified ormodified.Anunmodifiedopinionisusedwheneitherlimitedorreasonableassurancehasbeenobtained.Amodifiedopinionmaybe:

• Qualified (except for) –wheretheauditordisagreeswith,orisunabletoobtainsufficientandappropriateauditevidenceabout,certainitemsinthesubjectmatterwhichare,orcouldbe,materialbutnotpervasive;

• Adverse – wheretheauditor,havingobtainedsufficientandappropriate

29


audit evidence, concludes that deviations or misstatements, whetherindividuallyorintheaggregate,arebothmaterialandpervasive;

• Disclaimed – where the auditor is unable to obtain sufficient andappropriate audit evidence due to an uncertainty or scope limitationwhichisbothmaterialandpervasive.

Wheretheopinionismodifiedthereasonsshouldbeputinperspectivebyclearlyexplaining,with reference to theapplicable criteria, thenatureandextentofthemodification.Dependingonthetypeofaudit,recommendationsfor correctiveactionandanycontributing internal controldeficienciesmayalsobeincludedinthereport.

» Follow-up

SAIshavearoleinmonitoringactiontakenbytheresponsiblepartyinresponsetothemattersraised inanauditreport.Follow-upfocusesonwhethertheaudited entity has adequately addressed thematters raised, including anywiderimplications.InsufficientorunsatisfactoryactionbytheauditedentitymaycallforafurtherreportbytheSAI.

INTRODUCTIONPURPOSE AND AUTHORITY OF THE ISSAIS

FRAMEWORK FORPUBLIC-SECTOR AUDITING

Public-sector auditing and its objectivesTypes of public-sector auditELEMENTS OFPUBLIC-SECTOR AUDITING

Subject matter, criteria and subject matter informationTypes of engagementConfidence and assurance in public-sector auditingPRINCIPLES OFPUBLIC-SECTOR AUDITING

Organisational requirementsGeneral principlesPrinciples related to the audit process

issai 100 · issai 100 s fundamenta principes of pubic ssector auditing 11)the...

Documents