Cristina Breden Director Romanian Court of Accounts

Cristina Breden Director Romanian Court of Accounts
INTOSAI’s SDP 2.3 Project “Using ISSAIs in accordance with the SAI’s mandate and carrying out combined audits” Cristina Breden Director Romanian Court of Accounts

Project objectives and specific considerations
The guidance on the strategic decisions of an SAI needs to take on the basis of its mandate and other legislative requirements before it applies the ISSAIs (cf. ISSAI 100) will consider the issues of SAIs on deciding: which auditing standards are applicable, which engagements will be conducted and how they will be prioritised in order to respond to the requirements in their mandate and other legislative requirements. Recognising the fact that some SAIs function as court of auditors, most of them having jurisdictional functions, guidance will consider the specificities of these SAIs’ mandates too. While developing the guidelines, suggestions and comments will be sought from: Professional Standards Committee, Performance Audit Subcommittee, Financial Audit and Accounting Subcommittee, Subcommittee on Internal Control Standards Capacity Building Committee Knowledge Sharing Committee, member SAIs of CAS, INTOSAI Regional Groups, INTOSAI’s Development Initiative Forum of SAIs with Jurisdictional Functions.

Duration of the project and the project team
Duration: 35 months (February 1, 2018 to December 31, 2020) The project is carried out jointly by three subcommittees under Professional Standards Committee (PSC): Compliance Audit Subcommittee (leader of the working group), Financial Audit and Accounting Subcommittee Performance Audit Subcommittee Project team members are SAIs from: Romania (team leader), Brazil, China, European Court of Auditors, Hungary, Tunisia and, in addition, IDI.

Explanation of the need for the project
According to ISSAI 100/7, the Fundamental Auditing Principles can be used to establish authoritative standards in three ways: 1) as a basis on which SAIs can develop standards; 2) as a basis for the adoption of consistent national standards; 3) as a basis for adoption of the General Auditing Guidelines as standards. But the principles in no way override national laws, regulations or mandates or prevent SAIs from carrying out investigations, reviews or other engagements which are not specifically covered by the existing ISSAIs. The XX INCOSAI’s declaration called upon its members and other interested parties: ”to implement the ISSAIs in accordance with their mandate and national legislation and regulations”. The mandate defines the different types of audits and engagements an SAI may carry out and ISSAIs need to be implemented accordingly. Some SAIs might have to comply with other legislative requirements as well. This may involve combined audits (cf. ISSAI 100/23). ISSAI 100/16 states that “An SAI may make strategic decisions in order to respond to the requirements in its mandate and other legislative requirements. Such decisions may include which auditing standards are applicable, which engagements will be conducted and how they will be prioritised”.

There is a lack of clarity in the provisions of some standards and also some inconsistencies between the provisions of different standards: The ISSAI 4200 has been withdrawn at the 2016 INCOSAI which raises the question whether there is a need for new guidance on combined audits to replace this. ISSAI 100/21 states that: “The objectives of any given audit will determine which standards apply.” It is not very clear whether one should apply a different standard for each objective of an audit or only one standard according to the primary objective of that audit. ISSAI 300 states that: “the primary objective of the audit should guide the auditors as to which standards to apply” . ISSAI 400 says “auditors should use their professional judgement to decide whether performance or compliance is the primary focus of the audit, and whether to apply the ISSAIs on performance auditing, compliance auditing or both.” ISSAIs 300 and 400 are thus almost fully consistent with one another, the difference being “or both” in ISSAI 400. The new ISSAI 4000 deals with various aspects of fraud (risk of fraud, considerations related to the reporting of suspected unlawful acts) without making any mention of ISSAI 1240 The auditor’s responsibility relating to fraud in an audit of financial statements. This raises the question which of these ISSAIs should be applied by SAIs who conduct different types of audits simultaneously (financial audit and compliance audit, and even performance audit). Paragraph P5 of the Practice Note to ISSAI 1250 Consideration of Laws and Regulations in an Audit of Financial Statements) currently has the following: “… These additional responsibilities, and related audit and reporting objectives, are dealt with in the INTOSAI Compliance Audit Guidelines (ISSAI 4000 and 4200). Public sector auditors with such additional responsibilities consider ISSAIs 4000 and 4200.”, the new ISSAI 4000 Compliance audit standards is completely silent on the existence of ISSAI This is a potential source of confusion, as it is not very clear what type of compliance engagement is not covered by ISSAI 1250. There also seems to be a need to clarify INTOSAI’s position in comparison with IFAC’s definitions of limited assurance and reasonable assurance.

2. At the moment there is no practical guidance for combined audits 3. Some SAIs are required to report on the reliability of performance data produced by management. As this data is typically produced as a result of a statutory or regulatory requirement, the examination of its reliability might be considered as compliance auditing.

Liaison with other INTOSAI SDP projects
The project will include liaison with the 1.2, 1.3 and 2.1 project teams. SDP projects: 1.2 ”A more principles-based and future-proof ISSAI 200”, 1.3 ”Consolidate and improve INTOSAI practice notes to ISSAIs” and 2.1 ”Provide guidance on financial auditing” may well produce elements relevant to this project.

Survey The survey will also enquire whether there is any need for guidance: on combined financial and compliance audits. If so, this needs to be aligned with ISSAIs 100, 200 and 400. on combined compliance and performance audits. If so, this needs to be aligned with ISSAIs 100, 300 and 400. on the consistency of different ISSAIs, such as ISSAI 1240 (The auditor’s responsibility relating to fraud in an audit of financial statements) with ISSAI 4000, on the applicable standards for SAIs in different circumstances, such as: SAIs which have to consider compliance with laws and regulations in different audits (ISSAI 1250 and ISSAI 4000), or SAIs which, as a result of a statutory or regulatory requirement, have to report on the reliability of performance data produced by management.

Survey The initial needs assessment for the project proposal started with a survey of a sample of SAIs to enquire: what are the provisions of their mandate and if there are any other legal requirements they have to comply with? how do they implement the standards in compliance with the SAI’s mandate and the national legislation and other regulations they have to comply with? do they carry out combined audits or audits that combine elements from different audit types, how is this done and how do they decide which standards are the most appropriate in the circumstances? what problems do they encounter? and the solutions found.

Survey The survey will also enquire whether there is any need for guidance: on combined financial and compliance audits. If so, this needs to be aligned with ISSAIs 100, 200 and 400. on combined compliance and performance audits. If so, this needs to be aligned with ISSAIs 100, 300 and 400. on the consistency of different ISSAIs, such as ISSAI 1240 (The auditor’s responsibility relating to fraud in an audit of financial statements) with ISSAI 4000, on the applicable standards for SAIs in different circumstances, such as: SAIs which have to consider compliance with laws and regulations in different audits (ISSAI 1250 and ISSAI 4000), or SAIs which, as a result of a statutory or regulatory requirement, have to report on the reliability of performance data produced by management. The assessment will establish a clear link between the theory (as outlined in the ISSAIs) and current practice (what auditors are actually doing as part of the audit engagement). It may be considered if any benchmarks or best practice can be drawn from the survey results.

Preliminary results of the Survey

SAIs which sent their responses to the survey:
Asia: Afghanistan, Azerbaijan, Bahrain, China, Iraq, Japan, Kuwait, Malaysia, Maldives, Palestine, Qatar, Thailand, UAE. North America: Canada, USA. Central and South America: Brazil, Ecuador, Mexico. Africa: Cameroon. Europe: Croatia, Cyprus, Denmark, ECA, Estonia, France, Greece, Iceland, Latvia, Lithuania, Romania, Slovenia, Switzerland, Turkey.

SAIs obliged to apply ISSAIs
No obligation to apply ISSAIs SAIs from: By law Due to stakeholder's expectations Other Canada Cameroon China Cyprus Denmark Japan Maldives Romania Switzerland UAE USA Afghanistan Azerbaijan Croatia Greece Iraq Mexico Palestine Thailand Qatar ECA Iceland Kuwait Malaysia Bahrain Brazil Estonia France Latvia Lithuania Slovenia Turkey

SAIs which implemented the ISSAIs
23 SAIs YES: Afghanistan, Azerbaijan ,Bahrain, Brazil,Cyprus, Croatia, Denmark, ECA, Estonia, France, Greece, Iceland, Iraq, Latvia, Lithuania, Maldives, Malaysia, Palestine, Slovenia, Switzerland, Thailand, Turkey, UAE NO: - SAI Qatar – is in the process of developing new methodologies and procedures which will take into consideration the ISSAIs. 8 SAIs national standards: Canada, Cameroon, China, Japan, Kuwait, Mexico, Romania, USA.

Didn’t answer: SAI Kuwait
SAI Japan- We do not directly utilize ISSAIs as our Auditing Standards because ISSAIs provide an auditing system which is different from Japanese auditing system such as the assurance-type financial audit. However, our Auditing Standards correspond to all the main provisions of ISSAIs applicable to the auditing system in Japan. SAI Latvia - selectively

No answer: SAI Kuwait SAI Switzerland: as a basis on which it developed its own standards and as a basis for the adoption of consistent national standards

No answer: SAI Kuwait SAI Latvia: developed its audit methodology based on ISSAI level 3 and ISSAI level 4.

The way SAIs implemented ISSAIs in compliance with legal mandate
SAI from Response Bahrain The NAO mandate and the national legislation do not specify the auditing standards that should be applied. Therefore, NAO management has made the strategic decision to apply ISSAIs in all audits, as they comprise the international standards and best practices to conduct Financial, Performance and Compliance audit. Cameroon Our SAI needs to integrate into the national legislation and regulation, the obligation to use ISSAI. Canada We do not apply ISSAIs Cyprus The ISSAIs are directly applicable to all audit engagements undertaken, through their explicit adoption by the Office and in accordance to the legal mandate of the Office. Furthermore, internal procedures follow ISSAI provisions. The strategic decisions needed relate to the type of the audit to be performed (financial, compliance, performance or combined), so as to determine the applicable standards in each case. Croatia Implementation of ISSAIs is part of strategic plans which is then elaborated further through activities planned in the annual plans of SAO. Since standards are evolving, process of implementation is still in progress.

SAI from Response Denmark The SAI has since 2012 taken new important strategic decisions in the following areas: The SAI has decided to use the three types of auditing defined by the ISSAIs as a basis for defining its auditing tasks. The decision to move to applying auditing standards The decision to develop a set of national standards rather than applying the ISSAIs directly This decision was formed through a gradual process as the ISSAI 100, 200, 300 and 400 were translated into Danish and compared with the SAI’s own mandate, the SAI’s pronouncement on good public sector auditing practice and the SAI’s internal guidance and methodology. This triggered a series of strategic leadership decision which gradually lead to the realization that it would be necessary to define a set of national standards that incorporated all the decisions taken. Four key reasons for this decision were: That ISSAIs do not support combined engagements very well. The ISSAIs 1000s, 3000s and 4000s reflect the organization of the standard-setting work into three different subcommittees and are difficult to unite with the national circumstances of the SAI of Denmark. That a Danish set of standards for public-sector auditing would be more easily accepted within the SAI as well as among the private auditing firms. We have therefore strived to engage the SAI auditors as well as the organization of private auditing firms (national institute of public accounts) as much as possible in the development of the Danish standards. That the national standards would provide the SAI leadership with a new instrument in clarifying and regulating the SAIs auditing practice as well as auditing practices in the wider public-sector. That the INTOSAI organization is still in the process of building a credible, reliable and professional standard-setting function. The SAI leadership is very supportive of that process, but is not at this stage ready to stake the national credibility of the SAI directly on INTOSAI’s current and future work.

SAI from Response France Taken into account for the preparation of our national standards Iraq There are some cases that should be legislative amendments to give the SAI more financial independence and publish reports. Japan We do not directly utilize ISSAIs as our Auditing Standards because ISSAIs provide an auditing system which is different from Japanese auditing system such as the assurance-type financial audit. However, our Auditing Standards correspond to all the main provisions of ISSAIs applicable to the auditing system in Japan. Malaysia During entrance conference in order to get agreement and engagement with the auditees. Mexico The Mexicoan SAI indirectly implements the ISSAIs since it has to observe the National Auditing Standards, which are based on the former. The Mexicoan SAI participates directly in the Committee of the National Anticorruption System, which decides the content and scope of the National Auditing Standards Framework. Palestine Decision was made to amend SAACB Law to comply and adopt the INTOSAI Standards. Qatar Not Applicable Slovenia The standards to be applied are defined by the Court of Audit Act and the choice of standards is not a prerogative of the SAI. We are, however, responsible for maintaining up to date with the developments at the national and international level of standard setting activity and to engage in activities ensuring the standards are published in Slovene language.

SAI from Response Switzerland Strategic internal decision, forms part of the SAI’s strategy, published on Internet. Thailand SAO Thailand has set up working groups consist of executives, experienced auditors, external experts to implement ISSAIs and then approved by the State Audit commission. Turkey According to The Article 5 of the TCA Law No.6085, Audits shall be carried out in accordance with the generally accepted international auditing standards. So applying İnternational Standards to auditing process is in the TCA’s legal mandate itself. Regularity audits are being carried out with Regularity Audit Guide Book which is published by the TCA back in Regularity Audit Guide Book is based on the generally accepted international auditing standards (ISSAIs). So audits are being implemented by the guide book and ISSAIs are being implemented through the guide book. When the TCA wants to take any strategic decisions about ISSAIs and how they are supposed to be implemented, it needs to change the guide book and make a specific reference to the ISSAIs in accordance with the decision. UAE We apply the financial audit ISSAIs to help us fulfil our financial and compliance audit mandates USA The strategic decisions GAO makes regard the availability of staff to respond to legislative requests. At times, this may cause GAO to defer or even reject some legislative requests. GAO does not encounter situations when is unclear which Government Auditing Standards apply for certain engagements.

Not answered: SAI Kuwait

The way that the type of audits carried out by responding SAIs are influenced by SAIs mandate
SAI from Response Afghanistan As per the mandate under the Audit Law, the SAO Afghanistan carries out external audit and undertakes financial, compliance and performance audit engagements of all the budgetary entities, as well as state owned enterprises (SoEs). Azerbaijan Types of audits mentioned and described in our law Bahrain The mandate specifies the types of audits to be carried out by the office, which include Financial, Performance, Compliance, and IT audit. Brazil The TCU has mandate to carry out financial, compliance and performance audits as per the ISSAIs. Cameroon SAI is expected to perform audit as specified in the mandate (compliance, performance and financial audits Canada The mandate of the Office specifically requires the Auditor General to express a financial audit opinion on the public accounts of Canada. The mandate of the Office specifically directs reporting on economy, efficiency and effectiveness. Cyprus The mandate of the Office is fairly broad, therefore no restrictions are faced when deciding on the type of audit to be carried out. Financial and performance audits are explicitly included in the legal mandate, while the mandate to perform compliance audits is inferred by the Constitutional provisions and other legislation.

SAI from Response China Our SAI carries out combined financial, compliance and performance audits which is not stipulated in our SAI's mandate. Croatia According to Act on the State Audit Office audits are carried out in a way and in accordance with procedures laid down by the framework of the auditing standards of the International Organization of Supreme Audit Institutions and the Code of Professional Ethics of State Auditors. Denmark The mandate provides that all audits are combined audits – An audit of a set of financial statements always involves an obligation for the auditor to undertake work with a financial, compliance and performance focus. On the other hand, there is now requirement that the SAI provides an ‘opinion’ on the financial statements. It is only relatively recently that the SAI has started to report results in the format of a unmodified or modified conclusion in the format of a ISA 700-style auditor’s report. ECA According to the legal mandate the ECA examines whether all EU revenue has been received and all expenditure incurred in a lawful and regular manner and whether the financial management has been sound. Estonia Our SAI can exercise every kind of audit in the public sector with one exception – performance audits are not allowed in local authorities and municipalities. Greece The HCA carries out ex-ante, pre-contractual and ex-post audits, including targeted audits on high-risk areas (which may be either financial, compliance, or performance audits), as well as follow-up audits, in accordance with the Court’s audit manual and the International Auditing Standards (INTOSAI).

SAI from Response Iceland They are influenced by Art. 5 and 6. on financial audit and performance audit, respectively. Art. 5 states that financial audits conducted by the Auditor General shall take account of the following: 1. That financial accounts give a true and fair view of the operation, financial position and changes thereto in conformity with the statutory financial reporting framework for public entities; 2. The examination of internal controls and whether such controls ensure appropriate results; 3. Whether the accounts and scope of activities are in compliance with the fiscal budget, the supplementary fiscal budget and other acts of law, lawful instructions, contracts and procedures, as appropriate. Art. 6 states that the objective of a performance audit is to promote improvements, principally with regard to the following: 1. The disposal and use of State funds; 2. The observance of principles of effectiveness and efficiency in the operation of government agencies and State-owned companies; 3. Whether State allocations are achieving their intended results. In assessing performance, items for consideration shall include whether operations are in line with budget limits, applicable acts of law and generally accepted practices. A performance audit can also include assessment of compliance by public authorities with programmes, stipulation of law and obligations regarding environmental affairs. Iraq The SAI conducts many types of audits according to adopted plan and the activity of the auditee. Japan It is construed that the Board is required to conduct audits to point out and report problematic cases from the audit objectives of accuracy, regularity, economy, efficiency, effectiveness, etc. as a result of audits under the Constitution of Japan and the Board of Audit Act.

SAI from Response Latvia The Annual Audit Plan of the SAO of Latvia includes only those types of audits that are defined by mandate (financial, compliance and performance audits) as well as combined audits. Lithuania Our mandate identifies very clearly the types and subject matter of audit, especially for financial audit. Performance audit is also defined. For now, we have regularity part of compliance audit defined together with financial audit. However, it does not limit us if we want to combine e.g. compliance and performance audit. Malaysia Stated in the Audit Act 1957 Maldives Type of audits mandated is financial, performance and compliance and is at the discretion of the Auditor General. Mexico The constitutional mandate states that the Mexicoan SAI must review the compliance of the legal framework in relation to the use of public funds, as well as the observance of economy, efficiency and effectiveness principles. Palestine The Type of audits are mentioned clearly in the SAACB Law so its obligatory. Qatar Our SAI’s mandate defines the entities subject to audit by SAI, the scope and the types of audit to be carried out, and the controls to be exercised by SAI over public funds, Also the law does not contradict with combined audit. Romania The mandate specifies the types of audits to be carried out by the Romanian Court of Accounts. Slovenia The mandate of our SAI is very broad and does not influence our choice of types of audits we wish to perform. Switzerland professionally Thailand There are five type of audits carried out based on SAI’s mandate: Financial Audit, Procurement Audit, Performance Audit, Investigative Audit, and Revenue Collection Audit.

SAI from Response Turkey According to The Article 4 of the TCA Law No.6085: (1) Turkish Court of Accounts shall audit; a) Public administrations within the scope of the central government budget and social security institutions, local governments, joint stock companies established by special laws and with more than 50% of its capital directly or indirectly owned by the public sector and other public administrations (with the exception of professional organizations having a public status); b) Provided that the public share is no less than 50%, all types of administrations, organizations, institutions, associations, enterprises and companies affiliated to, or founded by the administrations listed in point (a), or those of which the above mentioned administrations are directly or indirectly partners; c) All types of domestic and foreign borrowing, lending, repayments, utilization of foreign grants received, giving grants, Treasury guarantees, Treasury receivables, cash management and other matters related to these, all transfers of resources and their utilization and the utilization of domestic and foreign resources and funds, including European Union funds; d) All public accounts, including private accounts, funds, resources and activities regardless of whether these are in the public administrations budget. (2) Turkish Court of Accounts shall also audit the accounts and transactions of international institutions and organizations within the framework of the principles set out in the relevant treaty or agreement.

SAI from Response UAE Our establishment law defines the types of audits to be carried out. USA GAO is mandated by law to conduct certain financial audits. In addition, GAO is also mandated to produce certain reports that are best addressed through performance audits.

SAI from Response Afghanistan the Supreme Audit Office is organized as per the Westminster model headed by the Auditor General who is responsible for preparation and presentation of the audit reports. The two Deputy Auditors General look after the professional and financial and organizational matters respectively and reports to the Auditor General. There are Directorates headed by Directors that are responsible for undertaking specific types of audit such as financial (Qatia) audit, compliance audit of central, provincial and local budgetary departments, performance audit, revenue audit, audit of state owned enterprises, audit of external grants / assistance, quality control and assurance. Field audit teams report the results of their audit to the Directorates, which, in turn, examines and process them through the Deputy Auditor General for approval and signature of the Auditor General. As such, as per Law and organizational set up, SAO carries out financial, compliance and performance audits. Bahrain Ministries and public authorities are subject to all types of audit (Financial, Performance and Compliance) by NAO Bahrain; while public companies and corporations are subject to Performance and Compliance audits only. The type of audit for each assignment is also recommended during the initial planning and pre-audit phase, and would be based on the result of a detailed risk assessment and understanding of the organization operation, control environment, and the legal framework in which it operates. Brazil There is no influence. Financial and compliance audits are mandatory; the SAI has to carry them out. Performance audit topics are influenced by less-than-expected results.

SAI from Response Cameroon Audit programs in our SAI are subject to prior approvals by the President of our Country. For the moment, and to the best of my knowledge priority is given to compliance audit. Canada Organizations may be required to prepare and submit for audit financial statements by law. Other organizations are subject to financial audit as part of the government reporting entity or are subject to performance audit as government organizations (departments, agencies, other controlled entities, etc.). Cyprus All types of audits are performed, where deemed appropriate, to auditees of any nature (central government bodies, statutory bodies, local government, special funds etc). In certain cases of statutory bodies, where the bodies themselves have assigned the audit of their financial statements to private auditors, with the approval of the Auditor General (as per the provisions of national law), the extent of financial audit is normally limited and reliance is placed on the work of the private auditors after appropriate assessment of their work. In these cases, supplementary compliance and/or performance audit is conducted. China Our SAI has accountability audit which is influenced by the nature of the organization. Croatia Nature of organization allows that all types of audits are carried out. Audit departments are set according to types of audit and audit subjects.

SAI from Response Denmark See the list of key strategic decisions described under question 9. In these decisions the leadership has general aimed to balance a wide range of different considerations including: - the mandate and status of the SAI - the SAI’s relationship with parliament, the ministries and the wider public (the press) - the organizational capabilities of the organization - the speed and direction by which it is possible to change the organization - the changing professional environment, including the development of the ISSAIs Overall it can be said that: - the ISSAI implementation process until 2013 led to solutions that put less emphasize on the mandate and the needs of our primary users – the public accounts committee and parliament – vis-à-vis the management in the ministries - the ISSAI implementation process after 2013 has led to new solutions that are more closely driven by the mandate and represents an increased focus on the ‘core business’ – providing audit reports to the public accounts committee and Parliament that enhance their insight and ability to exercise efficient oversight with the ministries. ECA As the type of audits are specified by the legal base they are not influenced by the nature of the organization. Estonia Financial audit group carries out financial audits, compliance audits combined with financial audits, standalone compliance audits (and sometimes there are elements of performance audit also involved). All other groups carry out performance and compliance audits (taking into account before mentioned limitation to carry out performance audits in local authorities).

SAI from Response Greece Since the Hellenic Court of Audit is a Supreme Court, the compliance aspect is always incorporated in the audits performed. Iceland The size and complexity of projects/entities audited can influence the type of audit carried out. Larger projects/entities are more likely to be the subject of both financial and performance audit. With the smallest projects/entities with a very small budget the focus may be on compliance audit. Iraq Audits conduct in accordance with the adopted plan. Latvia Financial audits are mandatory and performed on annual basis, while the remaining resource is channelled to compliance and performance audits, frequency and topics of which are defined by the SAO of Latvia, based on risk assessment. Lithuania No influence, because we perform one annual financial audit covering state consolidated financial statements, and organizations/auditees are selected within this audit (after risk assessment). For performance audit we have risk-based assessment before topics are selected. Malaysia The type of audits carried out is depend on the legal establishment of the Auditee whether incorporated under act of statutory bodies, local authorities, companies, government agencies, state government or federal government. Maldives The organization is divided into three audit divisions and each division is carry out a specific type of audit. Mexico The type of audits we conduct are mainly driven by our constitutional mandate.

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Afghanistan In case of financial audit, when compliance audit is conducted as part of financial audit, compliance standards relevant to financial audit available in financial audit standards as well as compliance audit standards are applied. Similarly, in case of performance audit, when compliance audit is conducted as part of performance audit, compliance standards relevant to performance audit available in performance audit standards as well as compliance audit standards are applied. Bahrain NAO generally conducts compliance audit in relation with the audit of financial statements, or in combination with performance auditing, so NAO applies ISSAI 4000 in both cases together with Financial audit standards (ISSAI to ISSAI 1810) and Performance audit standards (ISSAIs 3000,3100,3200). Brazil The definition of the relevant standards that must be applied gains emphasis when general opinion or audit opinion is required for both the general audit objective and the other aspects of the work. For example, an audit on financial statements may require an opinion on these financial statements (financial audit), other opinion on compliance of the transactions (compliance audit), and a conclusion on the effectiveness of internal control related to the preparation of the financial statements (performance audit). In this case, all relevant standards of the three audit types should be observed. In case the application of different standards in the same work is not feasible, the primary audit objective will guide the auditors as to the standard to be applied (ISSAI 300/14).

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Cameroon We perform most often compliance audit. However, there are some projects in which we combine compliance and performance audit. In this case, the audit team decides which standard to apply. Canada Canadian Auditing Standards, and their underlying source, International Standards on Auditing, acknowledge and permit reporting on other reporting responsibilities in a separate section of the auditor’s report to be titled “Report on Legal and Other Regulatory Requirements”. Our compliance with authorities mandate is conducted in conjunction with our financial audit work and is broadly governed by financial auditing standards and reported in accordance with Canadian Auditing Standards and additional Canadian Assurance Guidelines. Our reporting practice is consistent with that permitted by ISAs. Cyprus The majority of audits performed by our Office involve elements of financial, compliance and performance audit, with other combinations (with environmental or technical audit) also possible, depending on the audit objective. The relevant standards are applied to the respective aspect of each audit (e.g. financial audit will be based on ISSAIs 200 and , compliance audit on ISSAIs 400 and 4000, and performance audit on ISSAIs 300 and ). Therefore there arises no issue in deciding which standards are the most appropriate. China National Auditing Standards should be followed in the process of audits, no matter what the objectives of given audits are.

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Croatia SAI is applying standards that are relevant for each objective in case of combined financial and compliance audit (for objectives which are related to financial audit standards for financial audit and for objectives which are related to compliance audit standards for compliance audits are used, etc.) When performing performance audit with some objectives related to compliance audit we apply standards according to the primary objective of audit which is economy, effectiveness or efficiency. Denmark The standards used are SOR and are developed in order to reflect the different engagements. SOR 1, SOR 2 and SOR 3 applies to major examinations. SOR 1, SOR 2 and SOR 4, SOR 5, SOR 6 and SOR 7 applies to the SAI’s engagements to audit financial statements (type b and c). Engagements of type d are decided on by a case to case basis. ECA Depending on the main objective of the audit ECA applies the relevant standard. In our annual report we issue two opinions, one on the reliability of the accounts and one on the legality and regularity of the spending of EU budget. For the work on the accounts we use the financial audit standards and for the compliance audit part we apply the compliance audit standards.

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Estonia Financial audits apply financial audit standards and compliance audit standards. Two different opinions are provided (separately on financial and compliance issues + relevant recommendations). Audits in local authorities apply compliance audit standards. The long form of reporting is used (opinion + findings, reasons of irregularities and recommendations). All other audits are considered performance audits (although they contain some compliance elements) and are carried out applying performance audit standards which in our view are more suitable for such type of combined audits. Greece Audits are executed in accordance with the HCA’s audit manual which is based on the International Auditing Standards (INTOSAI). The audit manual provides guidance for both financial and compliance aspects and has plenty of examples to take into consideration when combined audits are performed (such as audit programs with assertions for financial and compliance criteria, structure for combined reports etc.) However, depending on the circumstances of each audit, the audit team formulates its audit criteria and decides which standards are the most appropriate (for example in the Audit Planning Memorandum). Iceland The combined audits carried out are either financial and compliance or performance and compliance. As stated in the answer to question 12, the mandate for both financial and performance audit includes some form of compliance audit. Combined financial and performance audits are not carried out. The standards most appropriate in the circumstances are most often either ISSAIs or

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Iraq The INTOSAI standards are guided by the audits carried out by the SAI, for example: if the federal board of supreme audit conduct performance audit on one of the auditees, it shall be guided by INTOSAI standard (ISSAI-300, ISSAI-3000) so on other types of auditing. Japan Because our Auditing Standards show the framework relating to the minimum basic audit procedures and audit quality necessary for audits, they are different from any audit manuals that show detailed practical knowledge and audit procedures. That is, the Board does not have different auditing standard for each objective of audit. Latvia The approach of conducting combined audits is as follows: we use a relevant ISSAI standard for each objective of an audit. Financial/compliance audits: opinion on accuracy of financial statements result from audit procedures performed in accordance with ISSAIs for financial auditing; compliance issues to be assessed within the financial audit and forming a subject to a separate opinion are explicitly defined and reviewed in accordance with ISSAIs 400 and 4000. Compliance/performance audits include both – (1) assessment of compliance and (2) assessment of “EEE”s. Usually – two separate audit question “trees” are developed – one for compliance issues, one for performance issues. We do not estimate the share of compliance and performance issues in the combined audit, since ISSAIs are quite modest on methodology for such an assessment. We call them compliance/performance audits, even if one type of issues constitutes a comparatively minor share in the audit.

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Lithuania We consider that those parts of combined audit should comply with certain type of standards, e.g. financial and compliance audit should comply with ISSAIs and ISSAI 4000. Malaysia Our SAI will decide standards in accordance to the types of audit conducted to the Auditee either performance audit, compliance audit or financial audit. Mexico The main scope we focus on is compliance, and therefore, we prioritize compliance standards as the main reference for our work. Palestine We work upon ISSAI 300 and 400 Qatar Our SAI is in the process of developing methodologies and procedures in this regard Romania We don't perform combined audits. Slovenia The objective(s) of the audit are identified and defined in the audit plan, which is a result of an informed discussion in the planning stage. Central to this issue is the decision as to what aim do we wish to achieve with the audit in question. Switzerland Don’t understand question Thailand SAO Thailand carry out combined audits: Financial audit combine with compliance audit, Performance audit combine with compliance audit. In selecting the appropriate standards this depends on which one is the main type of audit. In case Financial and compliance audit that is separate report while in case Performance and compliance audit that is single report.

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response Turkey According to The Article 35 of the TCA Law No.6085: Audit shall be carried out in accordance with the generally accepted international auditing standards (ISSAIs). Regularity audits are being carried out with Regularity Audit Guide Book which is published by the TCA back in Regularity Audit Guide Book is based on the generally accepted international auditing standards (ISSAIs). In the book it doesn’t specify which ISSAI will be applied for any topic but it says when Regularity audit is being conducted; The Lima Declaration-ISSAI 1 Prerequisites For The Functioning Of SAIs(ISSAI 10-40) Fundamental Principles of Public-Sector Auditing (ISSAI ) Financial Audit Standard( ) Compliance Audit Standard( ) Should be taken into consideration.

The way that responding SAIs are carrying out combined audits and how they decide which standards are the most appropriate in the circumstances SAI from Response UAE We perform a risk-based annual audit by applying the financial audit ISSAIs. Our audit scoping includes compliance risks that are addressed as part of our annual audit process. Our audit reporting is performed in accordance with our annual audit methodology which is in compliance with relevant laws and regulations. USA We do not perform combined audits as described in ISSAI 400 paragraph 9. Not answered: SAI Azerbaijan, SAI Kuwait

Not answered: SAI Kuwait

Problems encountered by SAIs when deciding which standards are the most appropriate in certain circumstances Afghanistan Such a problem arises in cases where along with assurance on financial statements specifically seeks compliance assurance as well. In such cases, based on the dominant requirement and priority, the relevant standard is adopted. Cameroon Especially in carrying out combined audit. The problem is whether to apply compliance audit standards or performance audit standards. Croatia In performing combined audits deciding which standard are most appropriate can be an issue. Denmark The main problem in using the ISSAIs has been: - that ISSAI 200 (and/or 400) is not well developed in the context of the task of auditing the state accounts - the financial statements documenting that the national budget and budget regulations are observed. Nor is it very well developed in the context of auditing other financial statements where the relevant reporting framework is an approved budget and the financial statements are prepared under a general assumption that the expenses (or income) reflected has been used (or obtained) in accordance with a related set of rules. - that the ISSAIs define different requirements for each type of audit even in areas where there is no need to distinguish or where other distinctions than the type of audit is more relevant (different reporting formats, different levels of assurance etc.). In SOR 3 (major examinations), SOR 6 (compliance audit) and SOR 7 (performance audit) a number of requirements are formulated using identical wording. SOR has therefore had to incorporate various unnecessary differences between ISSAI 300 and 400. - the ISSAI 300 describes a general audit process that proved largely suitable for ‘major examinations’ regardless of whether they focus on compliance or performance issues. On the other hand it lacked content on performance auditing. ISSAI 400 equally lacks content on the various legal considerations relevant for compliance audits.

Problems encountered by SAIs when deciding which standards are the most appropriate in certain circumstances Iraq There are not problems, but rather an adjustment of the INTOSAI standards and national standards Latvia Compliance/performance audits include both – (1) assessment of compliance and (2) assessment of “EEE”s. Usually – two separate audit question “trees” are developed – one for compliance issues, one for performance issues. We do not estimate the share of compliance and performance issues in the combined audit, since ISSAIs are quite modest on methodology for such an assessment. We call them compliance/performance audits, even if one type of issues constitutes a comparatively minor share in the audit. Lithuania When we tried to perform compliance and performance audits, we applied ISSAI and ISSAI (at that time they were these). However, the practical problems arise in the process of audit planning when setting audit questions. The structure that is used in performance audit does not always apply to compliance audit questions (it is not the problem of ISSAIs). On the other hand, when problems and questions are 50/50 (compliance/performance) it is difficult to decide which are dominating.

Solutions identified by SAIs in deciding on which standards are the most appropriate in certain circumstances (some of the answers given by SAIs) Denmark In our view: The ISSAIs should be the set of standards that is relevant for all SAIs audits (perhaps except pure financial audits where only the ISAs are applied). In order to work the ISSAIs has to be an indivisible set of standards so they can be referred to in audit reports in a simple way – we conducted our audit in accordance with the international standards of supreme audit institutions. Because each SAI has its own individual mandate and their engagements differ there will always be underlying differences with regard to the subject matters and criteria of the various compliance/performance audit aspects considered in the audit. It therefore has to be clear for each requirement in the ISSAIs (or each section in a ISSAI or each ISSAI-document) under which circumstances the requirement applies. Estonia Financial audit standards for financial audits, compliance audit standards for compliance audits combined with financial audits, and performance audit standards for other performance or combined audits (performance + compliance). We never combine financial audits with performance audits – they are different types of engagements (one is attestation and other is direct engagement). Latvia The key issue is to understand which type of audit corresponds completely to the audited question. There are usually separate main questions for performance and compliance assessment. Relevant sub- and sub/sub- questions (and related assessment criteria) further develop the approach to answering the particular main question. Lithuania We consider that those parts of combined audit should comply with certain type of standards, e.g. financial and compliance audit should comply with ISSAIs and ISSAI 4000

Solutions identified by SAIs in deciding on which standards are the most appropriate in certain circumstances (some of the answers given by SAIs) Mexico The key solution is the way we plan our audits, as well as the definition of our audit objective. Qatar Yes We have established standardized methodologies to enable our SAI and our employees to exercise their knowledge and utilize defined methodologies in a certain circumstances and different audit based on the identified risks. Slovenia In general we apply the standards as defined in the Court of Audit Act, which are the national auditing standards and ISSAI. In individual cases/audits we apply the standard according to the primary objective of an audit as is identified in the audit plan.

Did not answer: SAI Kuwait, SAI Azerbaijan

Did not answer : SAI Kuwait

Did not answer : SAI Kuwait, SAI China

SAIs carrying out audits that would be defined as combined financial and compliance audit. The need for combining financial and compliance audits Afghanistan combining is done to (i) obtain compliance assurance for budgetary authorities and satisfy the assertion of compliance in case of Government’s financial statements, (ii) to provide compliance assurance with donor’s financing agreement in case of statement of expenditure of projects grants and (iii) to obtain assurance on internal controls Bahrain All financial audits performed by NAO Bahrain includes compliance audit of a limited scope, which helps in enhancing the efficiency and utilization of the audit team performing the financial audit; and also it helps in highlighting the incompliance areas that might need further detailed compliance audit assignments in the future. Brazil The financial and compliance audits are required by legal mandate, which requires an opinion on the accounts rendered annually by the President of the Republic (Article 71, I, of the Constitution of the Federative Republic of Brazil) and judgment based on the exactitude of the financial statements, the regularity and propriety of the management acts of the public entities; (Art. 16 of the Organic Law of the Brazil Court of Audit). Cameroon Both audits are authorized by law but no financial audit project has been approved yet. However, auditors have combined the two types of audits in some projects with compliance audit aspects dominating. Canada The Office of the Auditor General of Canada conducts financial audits that also, in many cases, include an opinion on compliance with authorities. The requirement to express an opinion on compliance with authorities comes from the audit mandate (typically legislation). Where no mandate exists to express an opinion on compliance with authorities, our audit methodology still requires work to be performed of this nature.

SAIs carrying out audits that would be defined as combined financial and compliance audit. The need for combining financial and compliance audits Cyprus In conducting financial audits in the public sector, it is necessary to assess the legality of the transactions included in the financial statements. Assessing the legality implies testing for compliance of the auditee’s actions with the provisions of EU or national legislation, regulations or internal procedures. Croatia The State Audit Office performs financial audits which include examination of documents, reports, internal control systems and internal audit, accounting and financial procedures and other records to verify that financial statements present a true and fair financial position and results of financial activities in line with the accepted accounting standards and principles and compliance audit which include examination of financial transactions in terms of legal utilization of funds. When conducting audit this two aspects uUSAlly are combined in order to fulfil our role as public sector auditors.

SAIs carrying out audits that would be defined as combined financial and compliance audit. The need for combining financial and compliance audits Denmark There are essentially two needs: 1) The need to separate out compliance issues that could strictly speaking also be regarded part of the financial audit. This concerns situations where the financial statements is elaborated for the purpose of a specific user (the parliament, the city council or a ministry providing state grants) for the purpose of documenting towards that user, that public funds have been used in compliance with the conditions stipulated by that user. The financial statements are prepared under a general assumption that all expenses (or income) are used (or obtained) in compliance with the stipulated rules and conditions. In case of any non-compliance the right to obtain the public-funding accounted for is either lost completely or the non-compliance will in significant ways influence the decisions normally taken by the user on the basis of the financial statements. In this case the distinction between financial and compliance audits is therefore difficult. These situations concern a substantial part of our work (ans also some of the engagements by private auditing firms): - the state accounts - annual financial statements of entities financed through state grants - statements from receivers who has received a limited state grant where the use of the grant is accounting for by relating it to the approved budget In the case of the state accounts there is a further complication: The principle of legality implies that most government spending require an appropriate legal basis (an act of law and/or administrative act) in addition to an appropriation in the budget law. Applying ISAs (an only ISAs) under these special public-sector circumstances creates a situation where the extent of the auditors responsibilities is rather unclear but could arguably be rather far reaching with regard to compliance (probably more than intended by IAASB when they formulated ISAs 200 and ISA 250). For the SAI of Denmark it would not be an achievable objective to seek to obtain reasonable assurance that laws and regulations that could be considered to have direct effect on the state accounts have been complied with. At the same time our users (public accounts committee) would be confused if compliance issues where ‘mixed-up’ with our financial audit conclusion. Our need has therefore been to (i) define our financial auditing responsibilities in a way that is more clear (and perhaps also a little less demanding than the ISAs) and (ii) define our additional compliance audit responsibilities in a way that the SAI is able to deliver in high quality and which meets the needs and expectations of our users (public accounts committee and parliament) in a better way. This has been done by SOR 4 and SOR 6. 2) The need to live up to the obligations under our mandate: We also have a range of engagements to audit financial statements, which are prepared in accordance with general purpose reporting frameworks in line with private enterprises. In this case our financial audit based on SOR 4 is in all practical aspects a regular ISA-audit. Our compliance audit is an added obligation that is stipulated in section 3 of the auditor general’s act (‘and the compliance of the transactions covered by the financial reporting with the appropriations granted, statutes, other regulations, agreements and usual practice’).

SAIs carrying out audits that would be defined as combined financial and compliance audit. The need for combining financial and compliance audits ECA According to the legal requirements ECA has to examine the accounts of all revenue and expenditure of the Union and also examine whether all revenue has been received and all expenditure incurred in a lawful and regular manner and whether the financial management has been sound. Estonia According to our State Budget Act we are obliged to audit the states financial statements and the regularity of underlying transactions (see question 3). Greece Compliance with laws and regulations has always been a focus for the activities of the Court. Therefore compliance audits are either performed alone or combined with financial audits Iceland As stated in the answer to question 12, INOA has a legal mandate to take into account whether the accounts and scope of activities are in compliance with the fiscal budget, the supplementary fiscal budget and other acts of law, lawful instructions, contracts and procedures, as appropriate. Iraq In accordance with the legal framework of the SAI, the types of compliance audit and financial audit are often integrated and this justifies the need for a process of adjustment the two types of auditing according to the INTOSAI standards. Japan Please note that the Board does not conduct assurance-type audits, as the Board is not required to conduct assurance-type audits as certified public accountants audit private companies’ financial statements under the existing law. It is construed that we are required to conduct audits to point out and report problematic cases from the audit objectives of accuracy, regularity, economy, efficiency, effectiveness, etc. as a result of audits under the Constitution of Japan and the Board of Audit Act. From these objectives, the Board steadily audits the accuracy of the central government and other auditees’ financial accounting information, such as the final accounts.

SAIs carrying out audits that would be defined as combined financial and compliance audit. The need for combining financial and compliance audits Latvia Accuracy of accounting and compliance of financial statements with the reporting framework seems not to be an issue anymore in our country. Instead, tax payers as users of our reports are more and more interested in compliance of expenditure with laws and regulations (including those, indirectly affecting financial statements) and best practices. Therefore compliance of selected relevant transactions reflected in the financial statements (and underlying projects or programmes or systems affecting the statement), which are assessed by the audit team as such being of the highest risk, are additionally verified during financial audit process, fully applying compliance audit procedures. Lithuania Mostly the need arises from stakeholders (the Parliament), which wants to know not only if financial statements are correct, but if operations were performed in compliance with requirements. Malaysia Audit of Corporate Governance which combined of analysis of financial audit, compliance audit and performance audit Maldives When conducting financial audits, compliance issues arise sometimes. Therefore, compliance is combined with financial audit. Mexico Since, in Mexico, we are in the process of implementing the National Accounting Law, we need to combine both type of audits (financial and compliance).

SAIs carrying out audits that would be defined as combined financial and compliance audit. The need for combining financial and compliance audits Palestine To match between legal framework with the International accounting standards Qatar To maximize the audit coverage in terms of scope and entities covered with optimum utilization of limited audit resources. To avoid multiple audit in short duration in auditee units. Slovenia As we are free to design and plan almost all of our audits we make these choices on a case by case basis, focused on designing such audits that would make the most impact with the resources available and actual circumstances. Switzerland Related objectives & efficiency gains; e.g. IT audits as part of financial audits Thailand To ensure that intended users gain more benefits from audit report. UAE Financial audits may be required to also express a conclusion on compliance with authorities

The challenges that SAIs face that would require guidance from INTOSAI
SAIs carrying out audits that would be defined as combined financial and compliance audit. The challenges that SAIs face that would require guidance from INTOSAI Afghanistan One of the basic constraints / challenges is how to determine the scope of compliance tests and its priority vis-à- vis financial audit (when as part of financial audit) when there is absence of internal controls or controls do not work. This is true for Afghanistan, as due to political and conflict situations, as per experience, there is very low reliance. Brazil The challenge we will face and which currently lacks INTOSAI guidance is qualitative materiality, especially for compliance audits combined with financial audits. Cameroon The choice of the standard to apply is a main challenge. Expertise too could be a problem. Maybe assistance from INTOSAI could help at the beginning. Cyprus A usual challenge is deciding on the type of audit opinion to be issued on financial statements, where compliance findings are identified in a combined audit and a single auditor’s report is prepared. In particular, a decision would need to be made (possibly through INTOSAI guidance) on whether to issue a separate report on the financial statements and a separate compliance report, or a single auditor’s report on the combined audit. This is not currently clear in the ISSAIs. Croatia There is no practical guidance for combined audits since ISSAI 4200 has been withdrawn

SAIs carrying out audits that would be defined as combined financial and compliance audit. The challenges that SAIs face that would require guidance from INTOSAI Denmark In light of the practical experiences we have had over the last 10 years.. Key needs are: 1) Better recognition in INTOSAI’s standards/guidance that SAI define their own engagements and combine the three types of audits in different ways in order to meet the needs of their users in line with the national circumstances The leadership of the SAI of Denmark has an ongoing conversation with ministries, the parliament and various experts and national opinion leaders over the ways we perform our duties. It is therefore highly important that the professional pronouncements of INTOSAI clearly support us in carrying out high quality audits that are in line with our mandate. It would not be helpful if INTOSAI issue principles, standards or guidance that contradicts our mandate and the obligation and practice of combining financial audits with performance and compliance audit work. 2) A set of clear warnings to SAIs (so they do not repeat our mistakes): - Before implementing ISSAIs make sure you have clearly defined the engagements (assignments/tasks) you are supposed to undertake. The ISSAIs defines how a SAI should conducts its audit engagements not which engagements a SAI should undertake. (One of our mistakes in our first attempt to implement ISSAIs was that it lead to ISA-style audits at the level of individual entities in the ministry. We were using our resources on reporting opinions to the responsible party rather than focusing on our main task and primary users: The audit of the final financial statements, the state accounts). - Be clear about the different audit objectives and demand a consistent planning and audit documentation so you ensure sufficient appropriate evidence for each conclusion. (In our case the close integration of financial, compliance and performance aspects without clear objectives has caused quality issues – we are now separating the financial, compliance and performance audit objectives out from each other). 3) Guidance on the challenges involved in applying ISAs in various different circumstances in the public-sector and how they can be solved. Even if this is descriptive rather than giving clear recommendations it would be very helpful. 4) Guidance on how the compliance audit process of ISSAI 400 and financial audit process of ISSAI 200 can best be united – how are we supposed to read and apply these principles together, if we are doing both?

SAIs carrying out audits that would be defined as combined financial and compliance audit. The challenges that SAIs face that would require guidance from INTOSAI Denmark Two aspects are: - the fact that a number of simple general requirements seems to differ (are there different requirements to the audit plan, the audit report etc. or are the differences in the ISSAIs unintended?) Perhaps a GUID could do the comparison and explain what a SAI could do in practice? - the more technical understanding of the requirements. As an example: In ISSAI 200 (and ISAs) ‘materiality’ is a concept that is generally understood in a rather specific way (the auditor will select a relevant benchmark and set a quantitative thresholds). When ISSAI 400 and 200 is applied together, does that mean that ‘materiality’ in ISSAI 400 should be understood in the same way? Is it good or bad practice to apply the same treshholds for both set of audit objectives (financial and compliance)? Are the figures in the financial statements a relevant benchmark for materiality in compliance auditing (or is it somehow more important how large the economic impact of a non-compliance is for other parties involved – e.g. citizens who may suffer a loss due to the non-compliance by the ministry). How about non-economic aspects? 5) Guidance that can help SAIs go through the process of ISSAI implementation in a better and more structured way than we did The list of strategic decisions under question 9 also represents a long list of difficult challenges in terms of: - realising and agreeing on the need to implement ISSAIs - realising and agreeing on each of strategic decision through a rather chaotic process of organisational learning and step-by- step decision-making It has costed a lot of difficulties, confusions and mistakes over the last 10 years. Some of these could perhaps have been avoided if better guidance had been available. . Just a list of key strategic considerations and decisions to take would have been very helpful!

SAIs carrying out audits that would be defined as combined financial and compliance audit. The challenges that SAIs face that would require guidance from INTOSAI Estonia We don’t see an urgent need for guidance. Guidance on these matters would be helpful. Latvia ISSAI 4000 clearly limits its scope by stipulating that ISSAI 4000 “does not provide detailed explanations on how to do combined audits” . Therefore further guidance on the techniques of integration of compliance or performance issues in financial audits would be crucial. This would also avoid: - confusion with the perception that ISSAI 1250 can be used as a combined audit standard (see the answer on 28) and - excessive and inadequate use of financial auditing techniques for verifying compliance/performance issues in financial audits (former ISSAI 4200, in our view, was also excessively financial audit “driven”). In our view, SAIs should be encouraged, for example, to (1) define separate objective(s) for compliance component in financial audits, (2) perform subject matter focused risk assessment, instead of using the one performed for the needs of financial auditing, (3) define materiality differing from that defined for the needs of financial auditing (if one plans to develop a GUID on combined audits – examples would be of utmost importance here), etc. Further clarity on selected level of assurance, contents and templates of reports and in particular - opinions would be helpful. Criteria for different types of compliance audit opinion seem to be one of the most crucial issues.

SAIs carrying out audits that would be defined as combined financial and compliance audit. The challenges that SAIs face that would require guidance from INTOSAI Lithuania When combining financial and compliance audit the biggest challenge is to define subject matter of compliance part in the beginning of the audit. The challenge lies in the fact, that we perform one annual audit for state consolidated financial statements and there are around 900 auditees in this audit. The challenge of compliance part is in that you find risk only when you perform certain procedures at certain auditee. Therefore, defining subject matter at the start of the audit is almost impossible, also it is not possible to provide reasonable assurance for all transactions of all auditees (after risk analysis). The guidance from INTOSAI is needed at higher level of ISSAIs (e.g. 2 level) on how to plan certain types of audit and their scope in SAI or what could be the principles of such planning. Malaysia Audit of Corporate Governance which needed guidelines the best way of conducting audit. The expectation of stakeholder is to evaluate the good governance implemented to the any companies related to the government (Government linked-companies), the accomplishment to their function and objectives as well as financial performance whether the companies can survive and sustain for a long period. Palestine Audit scope, contradiction between local legal frameworks with international standards. Secondly, there may also be cases where non-compliance with budget authorities or certain laws would be considered material though without material misstatements in terms of money value i.e., no error or fraud. Qatar To be shared if any challenges are faced or expected. Thailand The auditor need elaborate Compliance audit guideline/practice notes

Did not answer: SAI Kuwait, SAI China

The need for combining compliance and performance audits
SAIs carrying out audits that would be defined as combined compliance and performance audits. The need for combining compliance and performance audits Afghanistan Compliance audit is generally undertaken as part of performance audit to (i) see how far non-compliance results in non-economic, inefficient and ineffective operations, (ii) how far non-compliance with project parameters and performance targets affect the achievement of goals, etc. Bahrain The compliance objectives are needed as a part of performance audit because in some cases there are weaknesses in the compliance or legal framework on an organization that affects its performance. It is different depending on each case and the nature of the audited organization, but the incompliance issues usually have effects on performance. Brazil In our environment, it is very likely that important compliance issues, that affect performance, raises when we are planning the audit. Cameroon Besides compliance audit, there exist a public demand for performance audit. Cyprus A frequent scenario would be where criteria for a performance audit are partly derived from legislation. This, by definition, would require the performance audit to incorporate elements of compliance audit in order to reach a conclusion regarding the audit objective. Croatia As public sector auditors we assess economy and efficiency of operations, or effectiveness of financial transactions, programs and projects but also SAO need to asses weather public sector entities are operating in accordance with the provisions of the relevant laws, regulations and other authorities governing them.

SAIs carrying out audits that would be defined as combined compliance and performance audits. The need for combining compliance and performance audits Denmark For major examinations: We produce reports to the public accounts committee (constitutional auditors) in order to hold the ministers and their ministries accountable and as part of a yearly national budgeting and accounting cycle defined by the Danish constitution. These reports needs to be clear and readable for members of parliament and understandable for the general media. They are often problem- oriented and need to give the ‘full picture’ of the situation we describe and do not structured according to the ‘technical’ distinctions between the three types of audit. They are nevertheless audit reports and based on suitable criteria. Based on the criteria reflected in our conclusions, we have therefore tried to measure to what extent they include performance or compliance aspects. The picture is that one thirds of the reports are mainly focused on compliance one thirds includes both performance and compliance aspects, whereas the rest is either somethings else (financial/accounting aspects, the correctness of the minister’s information to parliament, various requests from the public accounts committee) or in some cases pure performance audit reports. It is a target under the official strategy of the SAI to increase the number of reports with a focus on performance (rather than only compliance) aspects. For audit of financial statements: It is an obligation to undertake performance as well as compliance audit as part of an engagement of financial statements. Some of the relevant subject matters are identical or closely related – for example the ministries’ administration of schemes of grants. For these subject matters we will usually do performance and compliance work in the same year in the same ministry simply because most of the relevant procedures are the same. At a more general level: The distinction between compliance and performance auditing is a matter of grey-zones rather than black and white: It is a general legal requirement that public funds should be used as economically and effectively as possible. In some cases this general requirement is supported by clear and detailed regulation and the audit becomes a compliance audit. In other cases there are only vague principles of sound economic management and the criteria of the audit are based on principles of economics, effectiveness and effectiveness. In any case our audits share some key characteristics: They are not designed to provide assurance about a report elaborated by the ministry. They are designed to result in a long form report elaborated by the SAI on a subject matter selected by the SAI, were we apply the criteria the SAI find relevant in order to enhance the transparency and accountability in public government.

SAIs carrying out audits that would be defined as combined compliance and performance audits. The need for combining compliance and performance audits ECA In some of our performance audits we analyse the implementation of EU projects or instruments and we also need to analyse the legality of such operations, beside their performance. Estonia In performance auditing we usually select an important topic to audit, determine focus of an audit as well as main and sub-questions to be answered. Occasionally some questions we consider to be taken in account do not refer to 3E principles (as audit criteria) and are more compliance character (especially if our audit is targeted on one single entity or institution). In these cases performance audit standards are applied, because they allow us to disclose the compliance issues also and in the way we find it useful for stakeholders. Greece Compliance with laws and regulations has always been a focus for the activities of the Court. Therefore compliance audits are either performed alone or combined with financial audits Iceland As stated in the answer to question 12, INOA has a legal mandate to take into account whether operations are in line with budget limits, applicable acts of law and generally accepted practices. Iraq The main tasks of the SAI are protection of the public funds wherever it is found, when the audit units conduct the financial audit on the financial statements of the auditees, all notices of violations of laws, regulations, instructions for disbursement of public funds. As well as assessing the financial and administrative systems that affects the public funds.

SAIs carrying out audits that would be defined as combined compliance and performance audits. The need for combining compliance and performance audits Japan Please note that the Board does not conduct assurance-type audits, as the Board is not required to conduct assurance- type audits as certified public accountants audit private companies’ financial statements under the existing law. It is construed that we are required to conduct audits to point out and report problematic cases from the audit objectives of accuracy, regularity, economy, efficiency, effectiveness, etc. as a result of audits under the Constitution of Japan and the Board of Audit Act. From these objectives, the Board steadily audits the accuracy of the central government and other auditees’ financial accounting information, such as the final accounts. Latvia During the risk assessment in each sector of national economy, the SAO of Latvia identifies high risk areas. Usually there are both – compliance and “EEE” risks. Lithuania Sometimes in performance audits there are audit questions related to compliance. But it is always a question if it is a combinations of audit types, or just part of performance audit, as compliance usually is a cause or consequence of a problem. Malaysia Audit of Corporate Governance and Audit of ICT Project

SAIs carrying out audits that would be defined as combined compliance and performance audits. The need for combining compliance and performance audits Mexico According to the legal framework in Mexico, performance audits cannot entail a legal consequence to the civil servants that do not fulfil the institutional objectives. By combining performance with compliance, the SAI of Mexico has the possibility to issue observations that could imply the promotion of administrative or criminal actions. Palestine To meet the stakeholder’s expectations. Qatar The option of combined performance and compliance audit is under discussion within our SAI. Slovenia As we are free to design and plan almost all of our audits we make these choices on a case by case basis, focused on designing such audits that would make the most impact with the resources available and actual circumstances. Switzerland Related objectives & efficiency gains; e.g. IT audits as part of financial audits. Thailand To ensure that intended users gain more benefits from audit report. Moreover, in regional office, combined audit would spend less audit resources especially in the remote area.

SAIs carrying out audits that would be defined as combined compliance and performance audits.
The challenges that SAIs expect to face that would require guidance from INTOSAI Afghanistan One of the issues is how to designate the audit as a performance audit when there are substantial non-compliance with applicable budgetary authorities, terms of financing, project targets and achievements and the audit observations are predominantly relating to non-compliance. Secondly, how to report the results of performance audit when operations are uneconomic, inefficient and ineffective mainly due to non-compliance. Bahrain The most important challenge is in the planning phase, where comprehensive considerations need to be taken to cover both types of audits, including risk assessment and designing audit program. Another challenge is the composition of the audit team, as it requires diversified experience and expertise among them. Brazil We do not expect to face any challenges that would require INTOSAI guidance. Cameroon Identification of appropriate standard and tools to be used. Cyprus Such cases cause a blurred distinction between the aspects of performance and compliance audit in the combined audit, hence causing difficulties in deciding which standards to apply. The issue of guidelines on how to distinguish between the types of audits in such circumstances would be particularly useful. Croatia Guidance regarding conducting combined audits could be beneficiary for SAIs since ISSAI recognize possibility and need for conducting combined audits .

SAIs carrying out audits that would be defined as combined compliance and performance audits.
The challenges that SAIs expect to face that would require guidance from INTOSAI Denmark Key needs are: Better recognition in INTOSAI’s standards/guidance that SAI define their own engagements and combine the three types of audits in different ways in order to meet the needs of their users under the national circumstances. In addition: It has been a key challenge in implementing the ISSAIs that the ISSAIs 300/3000 and ISSAIs 400/4000 can not easily be applied together. It would have provided a much better starting point for us if there had been some guidance based on these sources that would define a more generic audit process applicable in cases where it is not a report that is being audited but a subject matter selected by the SAI. Estonia We don’t see an urgent need for guidance. Latvia To be aware that it’s difficult to set into standards, there is a risk that due to the complexity of the performance aspects audit questions regarding performance will not be fully assessed and compliance issues will prevail, as they are easier to evaluate and less time consuming. SAO of Latvia reduces the risk due to its own internal procedures. During the audits there are some cases when the type of audit has been changed (for example, from compliance/ performance audit to performance audit). Lithuania Sometimes in performance audits there are audit questions related to compliance. But it is always a question if it is a combinations of audit types, or just part of performance audit, as compliance usually is a cause or consequence of a problem. Malaysia Audit of Corporate Governance and ICT Project which needed a guidelines which given the best way of doing audit. The expectation of stakeholder is to evaluate the good governance implemented, the accomplishment their function and objectives as well as financial performance whether it meet the 3Es. Palestine Difficulty in separation between compliance and performance audit

The need for combining financial and performance audits
SAIs carrying out audits that would be defines as combined financial and performance audits. The need for combining financial and performance audits Cameroon The two types are authorized by law, and there is a public demand for the two types of audits Cyprus This may be the case where, during the annual financial audit of an auditee, performance issues of limited scope are incorporated in the audit plan. Such topics may arise from citizen reports/complaints to our Office or findings of the financial audit or prior audits/document reviews that indicate the existence of a significant performance issue within the entity audited. Croatia Non-profit organizations define their goals through programs. SAO assess effectiveness of implementation of those goals. Data in financial statements are connected with implementation of those goals. Denmark It is a direct requirement in our mandate. It is also (at least in some cases) an underlying general assumption of the financial statements that the public expenses reflected in the financial statements have been used in line with sound financial management. The underlying reason behind this requirement in our mandate is also: Most of the financial statements audited by us serve to ensure a basis for policy-makers who take decisions on the use of public funds. The parliament (as well as other public bodies among our users) use the accounting figures to prioritize across a large number of different political objectives that may be achieved through public funding. For these users the figures in the financial statements have little value if they do not represent the funds that are actually used in a reasonably effective way to achieve the stipulated objective. For these users it often equally important whether the figures in the financial statements hide a potential saving or loss of public funds than whether they are free from misstatements.

SAIs carrying out audits that would be defines as combined financial and performance audits. The need for combining financial and performance audits Greece The audit strategy of the SAI focuses on sound financial management which comprises the notion of effectiveness, efficiency and economy. Therefore in certain cases financial and performance audits are combined. Iraq The main tasks of the SAI are protection of the public funds wherever it is found, when the audit units conduct the financial audit on the financial statements of the auditees, all notices of violations of laws, regulations, instructions for disbursement of public funds. As well as assessing the financial and administrative systems that affects the public funds. Japan Please note that the Board does not conduct assurance-type audits, as the Board is not required to conduct assurance-type audits as certified public accountants audit private companies’ financial statements under the existing law. It is construed that we are required to conduct audits to point out and report problematic cases from the audit objectives of accuracy, regularity, economy, efficiency, effectiveness, etc. as a result of audits under the Constitution of Japan and the Board of Audit Act. From these objectives, the Board steadily audits the accuracy of the central government and other auditees’ financial accounting information, such as the final accounts.

SAIs carrying out audits that would be defines as combined financial and performance audits. The need for combining financial and performance audits Latvia This depends on (1) what we understand with propriety audits (under the compliance headline) and (2) how do we distinguish between propriety audits and effectiveness audits (which are under performance headline). ISSAIs define propriety as “observance of the general principles governing sound financial management and the conduct of public officials” , while sound financial management is a budgetary principle according to which budget appropriations must be used according to economy, efficiency and effectiveness considerations. However, according to ISSAI – effectiveness is also a subject to performance auditing . Consequently, if we undertake to assess the level of achievement of policy objectivities by specific budget programmes within a financial audit (see 20a), we are in a difficulty to define, whether this is a combined financial/compliance (propriety) audit or financial/performance (effectiveness) audit. We do not exclude that in near future our SAI could consider performing also financial/performance (all 3”E”s) audits. Malaysia Corporate Governance’s Audit Qatar To maximize the audit coverage in terms of scope and entities covered with optimum utilization of limited audit resources. To avoid multiple audit in short duration in auditee units. Slovenia As we are free to design and plan almost all of our audits we make these choices on a case by case basis, focused on designing such audits that would make the most impact with the resources available and actual circumstances.

SAIs carrying out audits that would be defines as combined financial and performance audits. The challenges that SAIs face that would require guidance from INTOSAI Cameroon The choice of the standard to apply. Cyprus In these cases there is a fairly clear distinction between the types of audit involved, therefore no particular challenges are faced with regard to ISSAI implementation Denmark Key needs are: Better recognition in INTOSAI’s standards/guidance that SAI define their own engagements and combine the three types of audits in different ways in order to meet the needs of their users in line with the national circumstances In addition: A key challenge in implementing ISSAIs has been whether the users of our reports understands and value a financial audit conclusion which does not provide any assurance with regard to economics, efficiency and effectiveness. It has been a key concern (and still is) whether the introduction of the ISA-style ‘ auditor’s report’ will back-fire on the SAI because many users will expect that the financial ‘auditors conclusion’ (opinion) does also (implicitly) provide assurance that funds are used economically and effectively. For private entities ‘going concern’ is a key assumption which the auditor is expected to consider. Many of the financial statements in the public-sector are prepared for the purpose of controlling that funds are used for a certain specific purpose. Some users can (perhaps with some right) expect the auditor to verify that the funds reflected in the financial statements are used for that purpose rather than waisted. A key area for guidance could therefore be to describe some different ways SAI may integrate reporting on performance issues into their financial audit reporting. How do we reflect the ‘added’ public-sector perspective/responsibility to also consider that funds are used economically/efficiently/effectively and not waisted?

SAIs carrying out audits that would be defines as combined financial and performance audits. The challenges that SAIs face that would require guidance from INTOSAI Latvia Could be similar to those of financial/compliance audits. Malaysia The audit guidelines as reference to auditor in conducting audit. The expectation of stakeholder is to evaluate the good governance implemented to the any companies related to the government (Government linked-companies), the accomplishment their function and objectives as well as financial performance whether the companies can survive and sustain for a long time. Qatar To be shared if any challenges are faced or expected.

Did not answer: SAI Kuwait

SAIs applying ISSAI 4000 and ISSAI 1240 when conducting different types of audit simultaneously and assessing fraud Afghanistan In conducting different type of audits simultaneously and assessing fraud, ISSAI (Compliance audit) e.g., Section (risk assessment in regard to fraud and with regard to relations between public sector entities) is helpful. Bahrain ISSAI 1240 deals with the auditor’s responsibilities relating to fraud in an audit of financial statements only. It does not apply on compliance with specific law, regulation, procedure or practice. So NAO applies both ISSAI 4000 and ISSAI 1240 when in conduct of different types of audit simultaneously to insure that we cover all types of compliance. Brazil We are currently implementing the rule that, in any type of audit, the risk of fraud is assessed. If in any audit a suspected fraud is identified, it will be reported. The investigation of whether a fraud has actually occurred will be made in another engagement, which is not an audit, since the requirements for both types of work are not only different, but require different skills and conclusions. Cameroon The use of ISSAI 4000 and 1240 are not mandatory in our SAI but auditors appreciate themselves which aspects of the standards are appropriate in the circumstance.

SAIs applying ISSAI 4000 and ISSAI 1240 when conducting different types of audit simultaneously and assessing fraud Canada We do not perform combined engagements of this type. ISSAI 1240 (ISA 240) is integral to a financial audit, we would not consider the application of ISA 240 as part of a financial audit to be a “combined” audit. Cyprus Where financial audit is part of the combined audit, ISSAI 1240 is applied, since financial audit will normally be the primary audit type in the combined audit. In other cases of combined audits (not involving financial audit), ISSAI 4000 is considered applicable. In any case, the suspected instances of fraud are communicated to the responsible body (Attorney General), as per the provisions of paragraph 225 of ISSAI 4000. Croatia For combined financial and compliance audit we apply booth standards when assessing fraud. Denmark Because of the nature of fraud, most risks/indications/cases of fraud will affect all three sets of audit objectives – the financial statements, performance/economy as well as compliance. This is also the case for many deficiencies in the internal control, which could potentially lead to fraud as well as errors. Our approach has been that ISSAI 100 defines the main requirement. The different language in ISSAI 200, 300 and 400 also has to be observed. We have solved this by ensuring that the requirements on fraud are well aligned across the audit types in our national standards, so they can be applied together in a seamless way. ECA The two standards are not mutually exclusive. We apply ISSAI 4000 when dealing with compliance and if needed we can also apply provisions from the ISSAI 1240, which is more detailed on the aspect of addressing fraud.

SAIs applying ISSAI 4000 and ISSAI 1240 when conducting different types of audit simultaneously and assessing fraud Estonia ISSAI 1240 is meant for financial audits, its scope and objective are connected to the correctness of financial statements and it is used in financial statement audits. In the compliance part of combined audits we apply ISSAI 4000, because its scope and objectives are much wider and appropriate for public sector, so that it includes in addition fraudulent activities that do not have any impact to the correctness of financial statements. France We use national regulations Greece ISSAI 4000 in combination with ISSAI Depending on special circumstances of the audit, audit teams refer to the standard which is more pertinent or has more guidance on the subject matter. The Court has also the mandate to impose sanctions for fraudulent transactions, so all aspects are considered with high professionalism. Iceland When conducting financial and compliance audit ISSAI 1240 is applied as a method to assess fraud, whereas ISSAI 4000 is used as a guide for the reporting standard. Iraq The audit conduct within SAI according to SAI law and local audit evidence, guided by INTOSAI standards and 4000, 1240 standards. That is often combined different types of audit. Japan As was explained in Q6, the Board does not directly utilize ISSAIs as our Auditing Standards. Latvia Basically, SAO of Latvia uses the ISSA 1240 requirements because they contain wider recommendations and guidance on how to act in assessing fraud. Lithuania Both, what is the difference?

SAIs applying ISSAI 4000 and ISSAI 1240 when conducting different types of audit simultaneously and assessing fraud Malaysia Both ISSAI will be used in order to conduct different types of audits simultaneously Mexico Given the Mexicoan context, we use the National Standard linked to ISSAI Our approach has been that ISSAI 100 defines the main requirement. The different language in ISSAI 200, 300 and 400 also has to be observed. We have solved this by ensuring that the requirements on fraud are well aligned across the audit types in our national standards, so they can be applied together in a seamless way. Palestine ISSAI 4000, we have our own manual which comply with INTOSAI Standards and makes it is easier to measure the commitment by the auditors. Qatar Both the ISSAIs applicable as these standards are helpful and work as guiding principles in achieving the audit objectives by SAB Qatar in entities subject to its audit. Our SAI is in the process of developing methodologies and procedures in this regard. Romania We don't perform different type of audits simultaneously. Slovenia The mandate and the authorities of SAI Slovenia regarding detecting fraud are such, that we are obliged to report to the appropriate bodies on detected instances of possible fraud and not investigate the instances further, that is to establish if there has indeed been fraud committed or not. In line with these authorities we consider our audit work to be by nature an exercise of assessment of compliance and therefore appropriately elaborated in ISSAI 4000. Switzerland ISSAI 1240 Thailand Regard to assessing fraud in financial audit combine with compliance audit SAI apply ISSAI 1240.

SAIs applying ISSAI 4000 and ISSAI 1240 when conducting different types of audit simultaneously and assessing fraud Turkey According to The Article 2 of the TCA Law No.6085, Regularity audit means financial audit and compliance audit, so when TCA implements its audit function it combines financial audit and compliance audit named “Regularity audit”. According to The Article 35 of the TCA Law No.6085: Audit shall be carried out in accordance with the generally accepted international auditing standards(ISSAIs). Regularity audits are being carried out with Regularity Audit Guide Book which is published by the TCA back in Regularity Audit Guide Book is based on the generally accepted international auditing standards(ISSAIs). In the book it doesn’t specify which ISSAI will be applied for any topic but it says when Regularity audit is being conducted; The Lima Declaration-ISSAI 1 Prerequisites For The Functioning Of SAIs(ISSAI 10-40) Fundamental Principles of Public-Sector Auditing (ISSAI ) Financial Audit Standard( ) Compliance Audit Standard( ) Should be taken into consideration. Regularity Audit Guide Book does not go into details about which of the standards should be used for any specific case. It only gives broader perspective and leave it up to auditor to decide which standards should be used when regularity audit being implemented. UAE We do not perform combined engagements of this type. ISSAI 1240 (ISA 240) is integral to a financial audit, we would not consider the application of ISA 240 as part of a financial audit to be a “combined” audit. USA We do not conduct combined audits.

SAI face challenges regarding applying standards ISSAI 1240 or ISSAI 4000 in different audits when it is assessing various aspects of fraud. The challenges experienced by SAIs and in which areas guidance from INTOSAI would be necessary. Afghanistan In certain areas/situations which may typically give rise to fraud such as exercise of public officials' duties and power and relationships between public sector officials or entities (Section 6.8.1, paragraph 83), it is challenging to attribute fraud to an individual where no systemic improvement has taken place and internal controls have been consistently neglected by the management. Cameroon Not yet mandatory.…but used in compliance audit. Major difficulty involves defining responsibilities in matters of fraud and lack of forensic expertise to completely prove fraud. Cyprus There is difficulty in standardising the process of assessing the risk of fraud, as required by both standards, i.e. defining factors to be considered or red flags to be identified at the planning and conducting stages of the audit. Both standards lack practical guidance as to the way such risk is assessed. Croatia It would be beneficiary to have one standard which could be used when assessing fraud regardless of audit type Maldives Staff has limited exposure to the standards. They need awareness sessions.

SAI face challenges regarding applying standards ISSAI 1240 or ISSAI 4000 in different audits when it is assessing various aspects of fraud. The challenges experienced by SAIs and in which areas guidance from INTOSAI would be necessary. Turkey According to The Article 2 of the TCA Law No.6085, Regularity audit means financial audit and compliance audit, so when TCA implements its audit function it combines financial audit and compliance audit named “Regularity audit”. Regularity audits are being carried out with Regularity Audit Guide Book which is published by the TCA back in As it is being mentioned in previous answers, when auditor implements regularity audit it is not always clear which of the standards he/she is supposed to apply between ISSAI and ISSAI Auditor has to find out the way to decide if the fraud is about Financial audit or Compliance audit and in many cases it might be about both. There is not always clear distinction in between two audit types. After he/she decides that, he/she needs to have really good understanding about which of the ISSAIS to apply since Regularity Audit Guide Book does not go into detail. That requires auditor to have really good understanding of ISSAIS that not always every auditor has much interest. Did not answer: SAI Kuwait, SAI China, SAI Azerbaijan SAI Denmark: N/A

Opinions regarding the types of compliance engagements not covered by ISSAI 1250
Afghanistan Compliance engagement vis-à-vis terms of financing agreements Azerbaijan N/A Bahrain Compliance during the financial audit assignment is covered by ISSAI 1250; while compliance as a stand-alone assignment or compliance performance combined assignments are not covered. Brazil The ISSAI 1250 covers just non-conformities with laws and regulations that may cause distortions in the financial statements. For example, interpret a tax law that results in recognizing a minor or greater tax liability. So, ISSAI does not cover engagements that are not related to financial statements. Cameroon Reporting on compliance to laws and regulations on issues not directly linked to financial audit or compliance audit. Canada The Scope of ISA250 and therefore ISSAI 1250 is set out in paragraph 1 of the standard with accompanying requirements. The scope of ISA 250/ISSAI 1250 may be quite narrow in comparison with a legislative auditor’s responsibilities in respect of compliance with authorities as set out in the legal mandate of the legislative auditor including the terms of individual engagements. Other assurance engagements where the auditor is specifically engaged to test and report separately on compliance with specific laws or regulations are not in scope.

Cyprus ISSAI 1250 explicitly states that the corresponding ISA 250 is “applicable to auditors of public sector entities in their role as auditors of financial statements”. This appears to exclude compliance-performance combined audits or pure compliance audits or investigations. It should be noted that, in our Office, the standard is construed to apply to the audit of compliance of the auditees with established procedures and directives issued by supervisory authorities, where applicable. Croatia ISSAI 1250 does not cover compliance audit when performed in combination with performance audit and compliance audit of laws and regulations which are relevant to subject matter and do not have direct effect on the financial statements.

Denmark A compliance audit in our standards is defined in this way (translated): The auditor’s objective is to (i) obtain reasonable assurance that there are no undetected material instances of non-compliance with regard to the selected subject matter as a basis for forming a conclusion, and (ii) to form a conclusion on the subject matter, which in an adequate and balanced way describes in what material aspects the subject matter is or is not in compliance with the relevant criteria, which follows from the law, and (iii) to report on the conclusion in the auditor’s communication to those charged with governance and [if there is reason to do so] in the section on ‘other reporting responsibilities’ in the auditor’s report The subject-matter will be a legal decision or action or classes thereof that is registered in the financial statements or the general processes or conditions under which such decisions are taken and carried out. Because the standards are also used by private auditing firms we have very clearly indicated that instances of non- compliance are relevant for the compliance audit even if they have no effect on the information in the financial statements. The ISA 250 (ISSAI 1250) relates to the objective of obtaining reasonable assurance regarding the information in the financial statement. ISA 250 has nothing to do with compliance audit, but concerns the auditor’s considerations of laws and regulations that can have a direct effect on the financial statements. What these laws and regulations are and how much the auditor needs to do to obtain reasonable assurance will therefore depend very much on the relevant financial reporting framework. In order to apply ISSAI 200 (which reflects ISA 250) the SAI needs to decide on this on a case-by case basis.

Denmark With regard to the audit of the state accounts, this has caused us problems. The legal relationship between a minister and a citizen is regulated by public law and government accounting rules creates a rather special and difficult situation if ISSAI 1250 (250) is applied to the full extent. However, one example that does not have effect on the state accounts is if the ministry has obtained the necessary budget appropriation and committed to make a payment to a private party (citizen/enterprise) and this is registered in the state accounts under the relevant budget appropriation. If the audit reveals that this decision (the commitment) does not have a sufficient legal basis or violates provisions in the legal basis this will be relevant for the compliance audit conclusion, but it would not represent a misstatement in the state accounts. (There are also other examples – including cases where a ministry deprives citizens of their rights in a way that will not have effect on the financial statements, but can be detected in a compliance audit). In general a number of observations made by the auditor (for example a control deficiency or unrightfully payment) may have relevance for the financial audit as well as the compliance audit and performance audit conclusions. If something occurs that is not in compliance with the law and leads to a loss of funds this will lead to a critical remark in the section on ‘other reporting responsibilities’ in the auditor’s report. If it also leads to a material misstatement in the financial statements the auditor will also have to modify the conclusion (e.g. give a qualified opinion).

ECA ISSAI 1250 does not cover compliance engagements. Its scope is much more narrow, dealing only to those acts of non- compliance that may lead to material misstatement in the entity’s financial statements. Compliance audit scope is much wider. As mentioned even in the ISSAI A7 : In the public sector, there may be additional audit responsibilities with respect to the consideration of laws and regulations which may relate to the audit of financial statements or may extend to other aspects of the entity’s operations. Estonia ISSAI 1250 is analogically meant for financial audits, its scope and objective are connected to the correctness of financial statements and it is used in financial statement audits. All other relevant compliance issues are covered by ISSAI 4000, because its scope and objectives are much wider and appropriate for public sector, so that it includes in addition irregularities that do not have any impact to the correctness of financial statements (eg public procurements, misuse of public property). Greece The audit of propriety Iceland INAO has not identified any such discrepancies Iraq YES (financial control with compliance, performance control with compliance) Japan The Board does not directly utilize ISSAIs as our Auditing Standards. Latvia In our view, ISSAI 1250 is not applicable (or useful) to combined (financial/compliance) audits. ISSAI 1250 provides a general guidance, how to verify regularity (legality) assertion in pure financial audits. In our view, combined (financial/compliance) are crucial in the public sector, since there may be additional audit responsibilities with respect to the consideration of any laws and regulations which relate to the audit of financial statements or other aspects of the entity’s operations. In such cases, the auditor should distinguish between the scope of work performed to verify compliance with the laws and regulations for the needs of issuing the opinion on the financial statements, and the audit work performed to verify other compliance issues for the needs of issuing a compliance audit opinion and/or report. The latter is the subject of compliance component in the combined audit.

Lithuania None are covered, ISSAI 1250 should be applied when financial audit is performed as stand alone audit (as stated in ISSAI 1250 P5). Malaysia Not applicable. Mexico The main engagements are covered by ISSAI 1250. Slovenia We have not identified any such instances. Switzerland Non-financial & compliance requirements; e.g. export of military goods. Thailand The requirements in this ISSAI are to assist the auditor in identifying material misstatement of the financial statements due to non-compliance with laws and regulations which might not include non-compliance reoccurrence trivial matter. UAE The Scope of ISSAI 1250 is set out in paragraph 1 of the standard with accompanying requirements. The scope of ISSAI 1250 may be quite narrow in comparison with a legislative auditor’s responsibilities in respect of compliance with authorities as set out in the legal mandate of the legislative auditor including the terms of individual engagements. Other assurance engagements where the auditor is specifically engaged to test and report separately on compliance with specific laws or regulations are not in scope. USA As discussed in paragraph 1 of ISSAI 1250, the ISSAI only deals with compliance with laws and regulations in an audit of financial statements. As such, ISSAI 1250 would not address performance audits that require an assessment of compliance with laws and regulations. In addition, ISSAI 1250 does not include compliance with provisions of contracts.

SAIs facing challenges regarding applying standards ISSAI 1250 or ISSAI 4000 in different audits when assessing compliance with laws and regulations. The challenges experienced and the areas where guidance from INTOSAI would be necessary. Brazil As explained in the previous comment, ISSAI 1250 does not cover non-conformities that can not cause material misstatement in the financial statements. Thus, ISSAI 4000 covers other types of non-conformities (and this should be very clear) that do not necessarily distort financial information but cause damage to public finances, for example, prices higher than market prices (overpriced) due to lack of competitiveness in procurement processes. Cameroon Major difficulty involves defining responsibilities in matters of fraud and lack of forensic expertise to completely prove fraud Denmark Note that ISSAI 1250 can not be applied in itself – ISA 250 is part of the ISAs and cannot be applied in isolation. In our view the same must apply for the ISSAIs.The auditor should apply all the applicable standards – the ISSAIs 1000s (ISAs) for the financial audit objective and the ISSAI 4000 for the compliance audit objective. Perhaps that is an important point to make in the new INTOSAI Guidance

SAIs facing challenges regarding applying standards ISSAI 1250 or ISSAI 4000 in different audits when assessing compliance with laws and regulations. The challenges experienced and in which areas guidance from INTOSAI would be necessary. ECA We do not face challenges on deciding which of the two standards to apply. However, we consider that after the withdrawal of ISSAI 4100 and 4200 there is lack of detailed guidance on the various processes of compliance audit. Latvia The main challenge with ISSAI 1250 (“pure” financial auditing) is the distinction between the laws and regulations directly affecting financial statements and those – indirectly affecting the financial statement. In discussions with other SAIs we see that the approaches significantly differ. E.g. there are SAIs, which considers that the whole public procurement legislation package is among those directly affecting financial statement. For ISSAI 4000 and as mentioned above – (1) reasonable and limited assurance; (2) “overlapping” of propriety concept with effectiveness concept in performance auditing. Malaysia Our big challenges are to secure the auditor independence and to give an assurance to the stakeholders that the audits conducted are based on international standards. Thus, SAI Malaysia will always refer to the requirement based on ISSAI standards.

Areas of guidance needed from INTOSAI
SAIs facing challenges regarding the reliability of performance data produced by management as a result of statutory or regulatory requirement. Areas of guidance needed from INTOSAI Brazil There are no clear guidelines about certification of non-financial data as widely as there are for financial data Cameroon Some of the data furnished by the auditee are not reliable. Maybe standards regarding production, storage and retrieval of data could help. Cyprus There have been instances of incomplete or conflicting performance data (where derived from different sources), creating doubts as to the reliability of such data provided by management. Practical guidance from INTOSAI regarding how to assess the reliability of performance data (indicators or red flags for unreliable data) and ways to deal with unreliable data so as to serve the audit objective, would be beneficial. ECA We consider that such guidance would be something to be developed by IPSASB as a standard or RPG that would better …standardise performance reporting or even actively encourage the transition to integrated reporting. Greece Challenges refer to availability and reliability of data provided. Computer assisted auditing techniques must be extensively used in order to ascertain the level of assurance for the appropriateness and the sufficiency of audit evidence.

SAIs facing challenges regarding the reliability of performance data produced by management as a result of statutory or regulatory requirement. Areas of guidance needed from INTOSAI Iceland Most often the challenges regarding the reliability of performance data stem from the fact that the auditee has not set itself a measurable standard and does thus not possess the necessary data or for other reasons does not possess the data required by INAO. As this is a problem with the auditee and a result of a statutory or regulatory requirement, guidance from INTOSAI is not required. Malaysia Our Audit Act 1957 specified that all data or information must be given to Auditor General as requested in order to conduct the audit. The exception of this requirement only for companies incorporated under Companies Act which require the permission by Ministry of Finance. The companies that can be audited by our SAI must meet the condition as stipulated in the Audit Act 1957. Mexico There are different kind of challenges: (1) lack of capacity; (2) misinterpretation of the regulatory framework on performance data, and (3) an incentive to distort the actual performance data in order to hide gaps between formal objectives and the real outcomes. Palestine Week internal control system and leak of experience in dealing with the financial systems. Switzerland Challenges: In case of fraud, non-audited data, analytical accounts as source

Inconsistencies identified by responding SAIs between the provisions of different ISSAIs which need to be clarified. Areas of guidance needed from INTOSAI Brazil There are some inconsistencies, but the specification would need a detailed work, which would require a considerable amount of time. However, specifically about the subject of this survey (combined audits), we explain what we think is an inconsistency in the answer of question 32. Cameroon Auditor’s responsibility in matters of fraud. And materiality issues. The concept of materiality needs to be rendered more practicable and more generalizable. Croatia ISSAI 400 is inconsistent in points regarding compliance audit in relation with the audit of financial statements and separate from the audit of financial statements since ISSAI 4100 and 4200 have been windrow. Denmark The development of our national standards – SOR – has forced us to translate ISSAIs 200, 300 and 400 into Danish and use the text as a basis. We have therefore compared them carefully and tried to unite the different versions of the same requirements. In our own standards we believe we have achieved a much better alignment so there is now: - one set of concepts and requirements which are stated in the same way for all our direct reporting work. The two standards on compliance audit (SOR 6) and performance audit (SOR 7) are identical with regard to 70-80% of the text and the requirements are numbered identically so it is very easy to compare between the two standards and apply them together. SOR 3 on ‘major examinations’ (special reports) also draw on the same basic set of requirements for direct reporting, but the audit process and reporting formats differs. The common denominator is here that the auditor selects a subject matter, identifies criteria and form a conclusion that is more descriptive than in a financial audit and does not follow a standardised format (we do give an ‘opinion’ as in the financial audits). - a financial audit standard that is based on ISSAI 200 but adds and elaborates on the special challenges related to our key task – the state accounts.

Inconsistencies identified by responding SAIs between the provisions of different ISSAIs which need to be clarified. Areas of guidance needed from INTOSAI Estonia The concepts and balance of providing assurance and/or added value in different types of audits and different types of assurance engagements (attestation engagement and direct engagement) should be explained in more detail. For example some questions – do we have to expect added value from financial audits (attestation engagements) or is it reasonable to carry out a performance audit providing only assurance and not giving any little piece of added value? In the context of methodology and objectives the differences derive from different types of assurance engagements – attestation engagements (standalone financial audit, and in some occasions compliance audit) and direct engagements (performance audit and most compliance audits) not from different types of audit. That matter should find more attention. Latvia There are a number of inconsistencies in the ISSAI Framework, even at the level of terminology and definitions. However, for the purposes of combined audits – clarification of propriety issue would be the most important.

Inconsistencies identified by responding SAIs between the provisions of different ISSAIs which need to be clarified. Areas of guidance needed from INTOSAI Romania Paragraph 23 of ISSAI 400 states the following: “The audit of financial statements seeks to ascertain whether the financial statements of the entity concerned were prepared in accordance with an acceptable financial reporting framework and to obtain sufficient and appropriate audit evidence regarding the laws and regulations that have a direct and material effect on the financial statements (Cf. ISSAI 1250). Whereas, in the audit of financial statements, only those laws and regulations with a direct and material effect on the financial statement are relevant, in compliance auditing any laws and regulations relevant to the subject matter may be relevant for the audit.” Even though, ISSAI 400 is clear on the necessity of obtaining sufficient and appropriate audit evidence regarding the laws and regulations that have a direct and material effect on the financial statements, when performing financial audits, ISSAI 200 is not mentioning laws with effect on the financial statements. There is some need for clarification. Thailand For examples: 1.the different definition of limited assurance and reasonable assurance between financial audit and compliance audit. 2. Compliance audit - ISSAI 4000 paragraph require auditor to express in unmodified or modified opinion same as financial audit. Consequencely, this might cause confusion among compliance auditor. 3. What are different in terminology using for each audit - “key audit matter” in financial audit, “subject matter” in compliance audit, and “audit finding” in performance audit?

Requirements or features to be used in combined audits that are not covered within the ISSAIs
Afghanistan No comments Azerbaijan N/A Bahrain No specific requirement Brazil The concept of combined audit is not clear in the ISSAIs and the mentions made of combined audit are not consistent among them. For example, ISSAI 100/23 states that “SAIs may also conduct combined audits incorporating financial, performance and/or compliance aspects”. ISSAI 300/14 mentions “overlaps between audit types (or combined types)” and ISSAI 4000/16 explicitly states the need of having separated opinions/conclusions in combined audits. We think those are three different ways of considering combined audits. Cameroon A clear standard for combined audit is not available as well as necessary tools. Canada Methods of scoping authorities to be subject to audit for compliance Cyprus In general, it would be useful to have specific guidelines for combined audits for the most common forms (compliance and financial, compliance and performance, performance and financial), the performance of which is a frequent need for many SAIs. This would reduce the need to refer to a number of different standards, would facilitate all audit stages and might eliminate confusion and time-consuming reference to similar and possibly duplicate provisions in different standards. Croatia Form and content of audit report as well as expressing opinion or providing recommendations or conclusion for different types of audit in combined audits could be further elaborated.

Denmark Overall: We regard it as one of the key strengths of our combined audit engagements that the auditor consider their findings from all three perspectives. The auditor has to report to the users on the consequences of any findings/observations with regard to compliance with the law and potential losses or economic gains (performance) - and not only consider whether or not the findings has effect on the figures of the financial statements for a certain specific year. It is therefore a general weakness of the ISSAIs that they tend to treat financial, compliance and performance audits as if they were separate audits carried out by separated specialized teams within the organisation. In our case they are not, and we believe there are a number of other SAIs where this is not the case either. The ISSAIs on all three audit types needs to be applied together by our auditors. For us the audit of performance and compliance aspects are especially important for the audit of the state accounts. The ministries of government is to a very large extent able to set their own accounting rules. Implementing the financial audit ISSAIs without performance and compliance auditing would therefore work to shift the checks and balances of powers between parliament and government involved in the budget and accounting procedures under the Danish constitution. The performance and compliance audits by the SAI of Denmark in connection with the audit of the state accounts is an important measure to ensure transparency in government and facilitate parliamentary oversight in ways that can not be achieved through a purely financial audit. On a more technical level: A main aspect missing in INTOSAI’s standards/guidance is: If the SAI auditor follows a ISSAI 200/ISA-financial audit process how can the auditor best integrate performance and compliance auditing? This guidance could start by addressing the question: - what are the different possible ways of communicating the results of performance and compliance audit work if you are using the reporting formats and other instruments of written communication defined by the financial audit ISSAIs (ISAs)? And (dependent on the different solutions) what does this mean for each relevant step of the audit process: - to obtain and understanding of the entity and environment, that is also sufficient for compliance and performance auditing purpose - to make a sufficient risk analysis that is relevant to all three audit objectives - to respond to the risks by defining the relevant procedures - to identify and test internal controls that are relevant for your compliance and performance audit objectives - how do you ensure sufficient appropriate evidence as a basis for each set of conclusions –financial, compliance and performance? - how do you ensure the logical relationship between the various detailed conclusions/professional judgements (corresponding to the assertion-level) and the overall conclusion in compliance and performance audits?

Denmark General conclusion – summarizing all answers above There are four areas where guidance would have been extremely useful for us: 1) The different strategic decisions involved in defining the audit engagements and implementing the ISSAIs 2) Guidance on different ways to integrate performance and compliance audit in a financial audit process – including not least how to find a space for communicating performance and compliance audit conclusions if a SAI follows the reporting formats defined by financial audit standards. 3) Guidance on the audits of the state accounts and the difficulties involved in applying ISA-style financial auditing in a way that does not produce a completely unmanageable audit risk. The key issue here is to separate compliance (and performance) aspects out so they are not covered by a conclusion with reasonable assurance (even though the ISAs/ISSAIs and the financial reporting framework and purpose of the financial statement could lead to the result that they do affect the financial statements). 4) Guidance that unites the requirements of ISSAIs 100, 300 and 400 (and/or 3000/4000) in a way that is relevant for direct reporting engagements in cases where it matters less (or is not predetermined) whether the focus will be on performance or compliance or both. In all four areas, we have done a number of mistakes over the years and are still in the process of improving. Overall, it has taken enormous efforts to find workable solutions on how to implement the ISSAIs in a way that is in line with our mandate and national circumstances. Even if there are no clear recommendations at least some descriptive guidance that informs on the different existing solutions within the INTOSAI community would be helpful.

ECA We consider that reporting stage guidelines would be useful in the context of combined audits. Estonia In our view there is no significant absence of such requirements and features within the ISSAI’s that do not allow us to conduct combined audits in appropriate manner. Of course, the financial audit standards are too much business entity targeted, compliance audit standards are strongly influenced by financial audit methodology and are a mixture of attestation engagement and direct engagement requirements and performance audit per se is more like a (scientific) study than an audit in the context of the framework of assurance engagements. But all these are not a topic of present survey. Iceland INAO has not identified any such requirements or features. Iraq Multiple control tasks governed by the laws, regulations and instructions in force and requirements of the existing conditions. Japan The Board does not directly utilize ISSAIs as our Auditing Standards. Latvia ISSAI 4000 clearly limits its scope by stipulating that ISSAI 4000 “does not provide detailed explanations on how to do combined audits” . Therefore further guidance on the techniques of integration of compliance or performance issues in financial audits would be crucial. This would also avoid: - confusion with the perception that ISSAI 1250 can be used as a combined audit standard (see the answer on 28) and excessive and inadequate use of financial auditing techniques for verifying compliance/performance issues in financial audits (former ISSAI 4200, in our view, was also excessively financial audit “driven”). In our view, SAIs should be encouraged, for example, to (1) define separate objective(s) for compliance component in financial audits, (2) perform subject matter focused risk assessment, instead of using the one performed for the needs of financial auditing, (3) define materiality differing from that defined for the needs of financial auditing (if one plans to develop a GUID on combined audits – examples would be of utmost importance here), etc. Further clarity on selected level of assurance, contents and templates of reports and in particular - opinions would be helpful. Criteria for different types of compliance audit opinion seem to be one of the most crucial issues.

Malaysia National Audit Department’s guidelines, Treasury Circular, and Best Audit Practices Mexico When the reliability of the financial information of an entity is audited, as a way to get an input, in order to verify whether a public program has been executed according to the budgetary and expenditure regulations in the aggregate, in addition to the review of individual transactions as to their compliance with specific rules of the program. Palestine There is need for developing the standards of evaluation governmental programs and policies. Qatar The option of combined audit is under discussion within our SAI.

Romania 1. The legal mandate of the Romanian Court of Accounts establishes that the Court has to develop authoritative standards based on ISSAIs, not only on the Fundamental Principles of Financial Auditing. In the Romanian Court of Accounts’ case, the legal mandate refers to financial audit and does link this to financial statements prepared in accordance with a financial reporting framework, but the Court has to develop authoritative standards based on ISSAIs. This is a situation which is not covered by paragraphs 25 and 26 in ISSAI 200, dealing with Preconditions for an audit of financial statements in accordance with the ISSAIs, even though the possibility of developing national standards is mentioned in paragraph 14 of ISSAI 200, dealing with the Purpose and authority of the fundamental principles of financial auditing. According to paragraph 25 in ISSAI 200, Where the audit mandate refers to financial audit but does not link this to financial statements prepared in accordance with a financial reporting framework, it is proposed that the ISSAIs be considered best available practice and the spirit of the ISSAIs be implemented through standards devised for the specific environment. Where the audit mandate refers to audits of single financial statements and specific elements, accounts or items of a financial statement, ISSAI 1805 may be relevant. Also, paragraph 26 of ISSAI 200 states that: If, … the audit mandate allows for a change in audit procedures and the use of acceptable financial reporting frameworks is introduced for the preparation of financial statements, the ISSAIs on financial auditing may be adopted subsequently. At the same time, paragraph 14 states that: When the level 4 ISSAIs are used as authoritative standards, the public-sector auditors should also respect the authority of the ISAs. SAIs are encouraged to strive towards full adoption of the level 4 guidelines as their authoritative standards, as they have been developed to reflect best practice. INTOSAI recognises that in some environments this might not be possible due to the absence of basic administrative structures or because laws or regulations do not establish the same premises for carrying out audits of financial statements in accordance with the Financial Audit Guidelines. Where this is the case, SAIs have the option of developing authoritative standards based on the Fundamental Principles of Financial Auditing. There is some need for clarification and consistency between the provisions of separate sections in ISSAI 200, dealing with the recommended way for an SAI when it has to decide how to implement ISSAIs in accordance with its legal mandate.

We have not detected any such instances
Requirements or features to be used in combined audits that are not covered within the ISSAIs Romania 2. The Romanian Court of Accounts is auditing budget executions, which includes the examination of transactions against the budget for compliance and regularity issues. In Romania, as in most European Union’s member countries, the financial reporting framework is established by the Ministry of Finance and it also has to comply with the requirements of the European Union and of the relevant international professional organizations. Therefore, we cannot agree with the provisions of paragraph 25 in ISSAI 200 which state that in such an environment there is no acceptable financial reporting framework. Slovenia We have not detected any such instances Switzerland None. Professional judgement is a core success factor and should not / cannot be replaced by an additional method. UAE N/A USA We do not utilize combined audits.

THANK YOU FOR YOUR ATTENTION!

Cristina Breden Director Romanian Court of Accounts

Similar presentations

Presentation on theme: "Cristina Breden Director Romanian Court of Accounts"— Presentation transcript:

Similar presentations

About project

Feedback

Log in

Auth with social network:

Cristina Breden Director Romanian Court of Accounts

Similar presentations

Presentation on theme: "Cristina Breden Director Romanian Court of Accounts"— Presentation transcript:

Similar presentations

About project

Feedback