1 INTOSAI Compliance Audit Guidelines (ISSAI 4000-4200) Presentation by (name and tittle)Venue and date
2 Content 1 4 2 3 INTOSAI and ISSAI framework Implementation The Professional Standards Committee (PSC) andthe Compliance Audit Subcommittee (CAS)2Compliance AuditISSAI3This presentation gives an overview of the ISSAI framework and its role and function within the INTOSAI community. It further elaborates on the role and objectives of the PSC and CAS and introduces you to the Compliance Audit Guidelines, its contents and the value and benefits of implementing them.
3 INTOSAI INCOSAI Regional Working Groups Governing Board Secretary GeneralProfessional Standards CommitteeCapacity Building CommitteeKnowledge Sharing CommitteeFinance and Administration CommitteePerformance Audit SubcommitteeIDIInternational Journal of Government AuditingThe strategic goal nr. 1 of INTOSAI is to promote strong, independent and multidisciplinary SAIs and encourage good governance by:Providing and maintaining international standards of supreme audit institutions (ISSAI) andContributing to the development and adaptation of appropriate and effective professional standards.The Professional Standards Committee is responsible for achieving this goal within INTOSAI, and the Compliance Audit Subcommitte (CAS) is one of its subcommittees responsible for issuing and maintaining standards under the PSC.Financial Audit SubcommitteeCompliance Audit Subcommittee
4 The South Africa Declaration XX INCOSAI (2010) resolves to call upon its members and other interested parties to:Use the ISSAI framework as a common frame of reference for public sector auditing;Measure their own performance and auditing guidance against the ISSAIs;Implement the ISSAIs in accordance with their mandate and national legislation and regulations;Raise the awareness of the ISSAIs and INTOSAI GOVs globally, regionally and at the national level;Share experience, good practice and challenges in implementing the ISSAIs and INTOSAI GOVs with those responsible for developing and revising the ISSAIs and INTOSAI GOVsAt INCOSAI 2010 the PSC launched a full set of ISSAIs on Financial, Compliance and Performance Audit, and the INTOSAI community united encouraged its members to use the ISSAI framework as a common frame of reference for public sector auditing in the South Africa Declaration.
5 The Purpose and Authority of the ISSAIs provides an Institutionalised Framework for SAIs to:promote development and transfer of knowledgeimprove public sector auditing worldwideenhance the professional capacities, standing and influence of its members in their respective countriesTwo sets of professional standards:ISSAIs - the International Standards of Supreme Audit InstitutionsINTOSAI Gov - the Guidance for Good GovernanceThe ISSAIs consist of two sets of professional standards:ISSAIs – which are auditing standardsINTOSAI GOV – which are standards for good goveranance in the public sector.
6 ISSAI Framework Level Subject ISSAI No 1 Founding Principles Lima Declaration2Prerequisites for functioning of SAIsIndependenceTransparency and AccountabilityEthicsQuality10-403Fundamental Auditing PrinciplesBasic PrinciplesGeneral -, Field – and Reporting Standards4Auditing GuidelinesFinancial Audit GuidelinesPerformance Audit GuidelinesCompliance Audit GuidelinesSpecific GuidelinesThe ISSAI framework of auditing standards has four levels:The Lima declaration – which are the founding principles of INTOSAI and public sector auditing.Prerequisites for the functioning of SAIs – dealing with the institutinal aspect of a SAIFundamental Auditing Principles – are currently under revision, and a new set of fundamental auditing principles will be presented for INCOSAI 2013Auditing guidelines – operational guidance in conducting an audit
7 ISSAIs add value to the work of SAIs Adherence to the ISSAIsPromotes transparency in the public sector and adds Credibility to our work as auditorsImproves the effectiveness and efficiency of the work of the SAI and provide the basis for high Quality auditsIncreases the perceived level of Professionalism of the SAIThe development and use of professional standards for public sector auditing is aiming at improving credibility, quality and professionalism of the work of SAIs.
8 Content 1 4 2 3 INTOSAI and ISSAI framework Implementation The Professional Standards Committee (PSC) andthe Compliance Audit Subcommittee (CAS)2Compliance Audit ISSAI3It is the work of the PSC and its subcommittees tho develop and maintain the standards.
9 Professional Standards Committee (PSC) ObjectivesPromote strong, independent and multidisciplinary SAIs by:Encoururaging SAIs to lead by exampleContributing to the development and adoption of appropriate and effective professional standardsPartnersThe PSC is working together with other international, recognized standard-setting bodies:The International Federation of Accountants (IFAC)The Institute of Internal Auditors (IIA)The PSC is reaching these objectives by a twofold approach, named «the dual approach», which implies that in areas where other standard setters have developed standards, INTOSAI will build upon their work. That is why the PSC and INTOSAI is working closely with partners as IFAC and the IIA. In areas specific for public sector auditing, where there are no other standard setters, INTOSAI needs to develop its own standards.
10 Compliance Audit Subcommittee One of the areas specific for public sector auditing, where INTOSAI is the sole standard setter, is in Compliance Audit. The need for independent standard setting in this area was the origin of the establishment of the Compliance Audit Subcommittee.
11 Compliance Audit Subcommittee (CAS) ObjectiveDevelop high quality, globally accepted guidelines for Compliance Audit in the public sectorStrategyThe objective will be reached by cooperation, participation and commitment by all committee members and the INTOSAI community, and by cooperation with other standard setting bodies.The objective and strategy of CAS are the above mentioned.
12 Content 1 4 2 3 Implementation INTOSAI and ISSAI framework The Professional Standards Committee (PSC) andthe Compliance Audit Subcommittee (CAS)2Compliance AuditISSAI3CAS has developed a set of ISSAIs with operational guidance as how to conduct Compliance Audit in the public sector in the ISSAI 4000 series: Compliance Audit Guidelines.
13 Three Audit types Financial audit Compliance audit Performance audit The reliability of financial reportingCompliance auditCompliance of a subject matter with criteriaPerformance auditEconomy Efficiency EffectivenessThe Compliance Audit Guidelines are completing the picture of public sector auditing as consisting of three basic audit types:Financial audit – dealing with the reliability of financial reportingCompliance audit – dealing with the compliance of any subject matter against identified criteriaPerformance audit – dealing with the economy, efficiency and effectiveness of public measures and programmes
14 Compliance Audit – bridging the gap Compliance Audit may be seen as bridging the gap between financial and performance audit, in the sense of covering auditing performed by SAIs that do not fall within the scope of the two former types of auditing. Compliance Audit is also bridging the gap in the sense of building upon audit terminology, theory and approaches of both financial and performance auditing, in addition to adding the specifics of Compliance Audit.Compliance Audit may also be seen as a bridge in the sense of bridging the gap between the technical terminology of the audit profession and the structure and language of the public sector.
15 Compliance AuditThe independent asessment of whether a particular subject matter is in compliance applicable authorities identified as criteria.Compliance Audit may be pictured as a measuring tape: it is the independent asessment of whether a particular subject matter is in compliance applicable authorities identified as criteria.
16 The Compliance Audit Guidelines - two main perspectives ISSAI General introduction to compliance auditISSAI deals with compliance audit performed separately from the audit of financial statements, for example as a separate audit task or related to performance auditISSAI deals with compliance audit related to the audit of financial statements Written as consistent, stand-alone documentsThe Compliance Audit Guildlines are two consistent, stand alone documents, dealing with two basic ways of performing Compliance Audit; either separately from or related to the audit of financial statements.
17 Compliance audit: the extended perspective Origins of cash flow in the public sector are the decisions and premises of the legislatureCompliance audit provides guidance for compliance audit related to the audit of financial statements in the public sector, including;concerns that public funds are used for the intended purposesprinciples of sound management are followed in the execution of the budgetsThe premises and decisions of the legislature are the origins of the authorities (i.e. any law, regulation or general principle of sound public sector management or conduct of public sector officials) governing cash flow in the public sector. The legislature as a part of a public democratic process, establishes the priorities concerning public sector income and expenditure, and concerning calculations of and purpose of expenditure and income. These decisions and premises of the legislature form the basis of compliance as the broader perspective of the audit of financial statements in the execution of the budget. This includes concerns that public funds are used for the intended purpose and that principles of sound management are followed in the execution of the budgets.
18 Compliance Audit Guidelines: integrated approach with Financial Audit Guidelines Compliance Audit guidelines developed within the same structureCross-references made to other relevant ISSAIsIssues on compliance audit dealt with in the context of the audit of financial statementsThe extended perspective is also the reason why the Compliance Audit Guidelines are developed within the same structure as the financial audit guidelines, that the ISSAIs on Financial and Compliance Audit make systematic references to each other and that issues of compliance audit are dealt with in the context of the audit of financial statements.
19 Compliance Audit Guidelines: Compliance Audit performed separately from the audit of financial statementsWhen Compliance Audit is performed separately from the audit of financial statements, the scope and subject matter of the audit is extended even further, and could be compliance with any law, regulation or general principle of sound public sector management or conduct of public sector officials – as for instance:Calculations of payments or taxesThe number of schools constructed for a specific amount of money grantedWhether a forest is managed in accordance with an environmental protection act
20 Caracteristics of Compliance Audit TransparencyAccountabilityStewardshipGood governanceThe purpose of laws, regulations and principles of sound financial management and conduct of public sector officials (authorities) is to regulate the activities public sector entities carry out for the citizens, any limits or restrictions on such activities, the overall objectives to be achieved and how due process rights of individual citizens are protected. Furthermore, public funds are entrusted to public sector entities for their proper management. It is the responsibility of these public sector bodies and their appointed officials to be transparent about their actions, accountable to the citizens for the funds with which they are entrusted, and to exercise good stewardship over such funds.Compliance auditing promotes transparency by providing reliable reports as to whether funds, management and due process rights of citizens are dealt with in accordance with laws and regulations and by identifying the legal basis of an entity, hence contributing to improved transparency of the division of responsibility within the state. Compliance auditing promotes accountability by reporting deviations and violations from laws and regulations, so that corrective action may be taken, and so that those accountable may be held responsible for their actions. Compliance auditing promotes good stewardship both by revealing weaknesses and deviations from laws and regulations and by assessing propriety where appropriate laws and regulations are insufficient or where there are obvious gaps in legislation. Fraud and corruption are by their nature elements undermining transparency, accountability and good stewardship. Hence, compliance auditing promotes good governance in the public sector by addressing the risk of fraud in relation to compliance.
21 Compliance Audit – The extended perspective Compliance Audit is covering the extended perspective of public sector auditing in the sense of widening the audit scope from the financial statements into covering compliance with all authorities originating from the decisions and premises of the legislature.Going into the technical contents of the ISSAIs, Compliance Audit is also extending the perspective of public sector auditing by streching the contents and use of professional audit concepts to this specific constitutional arrangement of the SAI.
22 The specific constitutional arrangemement of the SAI THE LEGISTALURETHE EXECUTIVETHE ENTITYAUTHORITIESAUTHORITIESCompliance Audit as an audit type is placed within the context of auditing in the public sector and the specific constitutional arrangement of the SAI, where the power to mange funds and exercise authority is delegated through a public sector hierarchy.The delegation of power is done through «authorities», which is a basic concept in Compliance Audit. Authorities include rules, laws and regulation, budgetary resolutions, policy, established codes, agreed upon terms or general principles of sound public sector financial management and conduct of public sector officials. Most authorities originate from the premises and decisions of the legislature, but may be issued at a lower level of the organizational structure of the public sector.AUTHORITIESCompliance Audit
23 The three parties of an audit THE LEGISLATUREINTENDED USERPRACTITIONERELEMENTS OF AN AUDITRESPONSIBLE PARTYTHE SAITHE EXECUTIVEThe Compliance Audit Guidelines are also adjusted to the context of auditing in the public sector by adapting the three party relationship of an audit to the constitutional arrangement of a SAI in the following manner:An audit is a three party relationship, where an auditor aims to obtain sufficient, appropriate audit evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the measurement or evaluation of a subject matter against criteria.In compliance auditing the responsibility of the auditor is to identify the legal basis of the entity, assess whether a particular subject matter is in compliance with the identified criteria and issue a compliance audit report.The responsible party is the executive branch of government and/or its underlying hierarchy of public sector officials and entities responsible for the management of public funds and the exercise of authority under the control of the legislature. Their responsibility is to manage funds and exercise authority in accordance with the authorities. The responsible party in compliance auditing is responsible for the subject matter of the audit.The intended users are the individuals, organizations or classes thereof for whom the auditor prepares the audit report. In compliance auditing the users usually include the legislature as representatives of the citizens, who are the ultimate users of compliance audit reports. The legislature is making decisions and fixing priorities concerning calculations of and purpose of public sector expenditure and income. The primary user in compliance auditing is often the entity issuing the authorities identified as criteria of the audit.
24 Extension in terms of AUDIT PRINCIPLES ProprietyRegularityDue to this context of auditing in the public sector, Compliance Audit is extended to cover two basic audit principles: regularity and propriety.Compliance auditing generally comprises the assessment of compliance with formal criteria, such as authorizing legislation, regulations issued under governing legislation and other relevant laws, regulations and agreements, including budgetary laws (regularity: what should be). Where formal criteria are absent or there are obvious gaps in legislation due to a lack of formalization of requirements, compliance auditing may also encompass compliance with the general principles of sound public sector financial management and conduct of public sector officials (propriety: what is expected). A compliance audit of propriety is based on suitable criteria, either generally accepted or national or international best practice. In some cases criteria may be uncodified, implicit or based on overriding principles of law.
25 Extension in terms of AUDIT APPROACH QuantitativeQualitativeCompliance audit subject mattes may be both of a quantitative and qualitative nature. Some subject matters are quantitative and can often be easily measured (for example; payments which do not fulfill certain conditions), while others are qualitative and more subjective in nature (for example; behavior or adherence to procedural requirements).Hence, both quantitative and qualitative audit approaches are needed all through the audit process, when applying the audit concepts and when designing appropriate audit procedures.The audit procedures to be applied should be appropriate in the circumstances, for the purpose of obtaining sufficient and appropriate audit evidence to cover the scope of the audit. The nature and sources of the audit evidence required are determined by the subject matter and the scope of the audit. The scope of the audit may be to assess a qualitative or quantitative subject matter, and hence the auditor will focus on quantitative or qualitative audit evidence, or a combination thereof, according to the scope of the audit. Hence, audit evidence in compliance auditing includes a variety of evidence gathering procedures of both quantitative and qualitative nature.
26 Extension in terms of Reporting formats Attest engagementsDirect reportingLong form reportingShort form reportingFindings, conclusions, opinionsThe objective of Compliance Audit is to enable the SAI to report to the appropriate bodies on the audited entity's compliance with a particular set of criteria. The reporting take different forms, either as brief standardized opinions, various forms of conclusions, short or long form reporting.The audit approach in compliance auditing may take two basic forms; either as attestation engagements or as direct engagements. In attestation engagements a party other than the auditor measures and evaluates the underlying subject matter against established criteria. A party other than the auditor, which may be the responsible party, also often presents the resulting subject matter information in a report or statement (e.g. a statement of compliance). The purpose of the audit in an attestation engagement is to obtain sufficient and appropriate audit evidence as to whether the subject matter information is in compliance with the identified criteria or with the underlying subject matter. Attestation engagements are often related to situations where there is established a standardized reporting framework as criteria of the audit.In direct engagements the subject matter information is provided by the auditor (during or after having finalized the audit process), sometimes with the same purpose as when information is provided by the responsible party, but sometimes also to provide new information on compliance with authorities, and where appropriate, to issue recommendations. Direct engagements often occur when the auditor needs to identify the criteria of the audit.
27 Variations of Compliance Audit SCOPE & SUBJECT MATTERAUDITAPPROACHHence, Compliance Audit, aiming at covering the various audit practices across the INTOSAI community, is depicted in the Compliance Audit Guidelines on a very high level to encompass the variations in scope and subject matter, in audit principles, audit approaches and reporting formats - still identifying the common steps and quality requirements in compliance auditing.AUDIT PRINCIPLESREPORTING FORMATS
28 Compliance Audit Process Initial conciderationsPlanning the auditDocumentation, Communication, Quality ControlPerforming the audit and gather evidenceEvaluating evidence & forming ConclutionsThe basic audit steps are covered in this Compliance Audit Process, as elaborated in the Compliance Audit Guidelines.Reporting
29 Court of Accounts issues The Compliance Audit Guidelines also contains additional guidance for public sector auditors operating in a Court of Accounts environment.
30 Summing upCompliance audit is the missing link between financial audit and performance audit.Compliance audit profits from structure and continuity of financial audit, and the political relevance and methodologically diversity of performance audit.Compliance audit adds power and relevance to the annual audit report.Compliance audit can be integrated in a variety of subject matters and audit approaches, tailored to different audit mandates and different jurisdictions.
31 Content 1 4 2 3 Implementation ISSAI 4000-4200 INTOSAI and ISSAI framework14ImplementationThe Professional Standards Committee (PSC) andthe Compliance Audit Subcommittee (CAS)2ISSAI3So – if a SAI percieve that the ISSAIs on Compliance Audit are covering their audit practice – how to go about implementing them?
32 Adoption and implementation It is the responsibility of all INTOSAI members to help establish the ISSAI framework as a common frame of reference for public sector auditing.In doing so, there are two main aspects to address:The decision of adopting the ISSAIs by the SAI;The implementation process.Implementation of the ISSAIs starts at the top management level of a SAI with a strategic decision on whether and how to implement them.
33 ISSAIs can be implemented in two ways By developing national standards on the basis of ISSAI 400 Fundamental Principles of Compliance AuditingBy adopting the Compliance Audit Guidelines as authoritative standardsThe upcoming ISSAI 400 gives a SAI two options as how to implement the ISSAIs on Compliance Audit.
34 Implementation steps Sustaining the results Applying the standards Learning the standardsLink the ISSAIs to the priority needs of SAIAwareness ( highlighting the benefits of using the ISSAIs)The implementation of the ISSAIs and the continued development and improvement of the framework, will be an ongoing process that can be illustrated by these steps illustrating the ISSAI implementation process:The first step is the question of awareness – highlighting the benefits of using the ISSAIs, that is communicating the fact that adherence to the ISSAIs will add credibility, quality and professionalism to the work performed by SAIs.Next the SAI will have to link the standards to its priority needs.Learning and application of standards will be an ongoing process, and as the last step is:sustaining the results derived from implementing the standards in work performed by the SAI.
35 Implementation: to improve audit quality How does this – possibly long and winding – road of implementation add vaule to the work of a SAI?First and foremost because the ISSAs provide a transparent tool in improving and approving the audit quality of the SAI.
36 Implementation: quality in SAI core business The core process of a SAI is its audit processes. It is the quality of how the audits are conducted that gives quality in audit reports, which is the main SAI output. Quality and relevance of SAI reporting is the most important factor in assuring the impact foreseen by compliance auditing in promoting transparency, accuntability, stewardship and good governance.The Compliance Audit guidelines provide those quality requirements to which a SAI need to adhere to in order to achive such an impact. Some of the most important requirements are:
37 Suitable audit criteria Criteria are the benchmarks used to evaluate or measure consistently and reasonably a subject matter. The auditor identifies criteria on the basis of authorities. Suitable criteria should be relevant, reliable, complete, objective, understandable, comparable, acceptable and available. Criteria should be suitable both in the audit of regularity and of propriety. Without the frame of reference provided by suitable criteria, any conclusion is open to individual interpretation and misunderstanding.
38 Sufficient and appropriate audit evidence The auditor should gather sufficient appropriate audit evidence to provide the basis for the report, conclusion or opinion. Sufficiency is the measure of the quantity of evidence. Appropriateness is the measure of the quality of evidence; that is its relevance and its reliability. The quantity of evidence needed is affected by the audit risk (the greater the risk, the more evidence is likely to be required) and also by the quality of such evidence (the higher the quality, the less may be required). Accordingly, the sufficiency and appropriateness of evidence are interrelated. However, merely obtaining more evidence does not compensate for its poor quality. The reliability of evidence is influenced by its source and nature, and is dependent on the individual circumstances under which the evidence is obtained. The auditor should consider both the relevance and reliability of information to be used as audit evidence.
39 Assurance & confidence of users Compliance auditing performed by obtaining assurance enhances the confidence of the intended users in the information provided by the auditor or a party other than the auditor. The users of the audit reports expect that the conclusions are well founded, balanced and reliable.And in being assured abut the state of affairs, the users might dare to jump.
40 ISSAIs on Compliance Audit Outlines the basic steps and requirements on how to perform the SAI core process of Compliance Audit – adjusted to the specific constitutional arrangement of the SAI.Summing up – you have been introduced to the basic requirements, process steps, purpose and contents of the ISSAIs on Compliance Audit.
41 Compliance Audit Compliance Audit Transparency Accountability StewardshipGood governanceWe hope this will encourage you to further develop and improve your audit proceses and interest in Compliance Audit so as to promote transparency, accountability, stewardship and good governance in the public sector.