Control and Audit Law

INTOSAI Auditing Standards

INTOSAI Auditing Standards reflect a “best practices” consensus among SAIs. Although these standards do not have mandatory application or include separate standards for VFM audit, each SAI is expected to apply them where they are compatible with its mandate. The SAI should seek removal of incompatibilities where is necessary to permit the adoption of desirable standards. The Standards consist of four parts as follows:

  1. Basic Postulates in Government Auditing
  2. General Standards in Government Auditing
  3. Field Standards in Government Auditing
  4. Reporting Standards in Government Auditing

These standards provide a framework for the establishment of procedures and practices to be followed in the conduct of an audit. They should be viewed with regard to the particular constitutional, legal and other stances of the Supreme Audit Institution.

Basic Postulates in Government Auditing

The basic postulates for auditing standards are basic assumptions, consistent premises, logical principles and requirements which help in developing auditing standards and serve the auditors in forming their opinions and reports, Auditing standards constitute the criteria or yardstick against which the quality of the audit results are evaluated.

Applicability of Standards

The SAI should consider compliance with the INTOSAI Auditing Standards in all matters that are deemed material. In general terms, a matter may be judged material if knowledge of it would be likely to influence the user of the financial statements. Materiality is often considered in terms of value but the inherent characteristics of an item or a group of items may also render a matter material – for example, where the law or regulation requires it to be disclosed regardless of the amount involved. In addition, a matter can be material because of the context in which it occurs, for example, considering an item in relation to:

  1. the overall view given to the financial information;
  2. the total of which it forms a part;
  3. associated terms; and
  4. the corresponding amount in previous years.

Unbiased Judgment

The SAI should apply its own judgement to the diverse situations that arise in the course of government auditing. The SAI’s audit mandate overrides any accounting or auditing conventions with which they conflict. Consequently, these standards are not prescriptive nor do they have a mandatory application. However, the SAI must judge the extent to which INTOSAI Auditing Standards are compatible with fulfillment of its mandate.

Public Accountability

With increased public consciousness, the demand for public accountability of persons or entities managing public resources has become increasingly evident so that there is a greater need for the accountability process to be in place and operating effectively. Some kind of accountability mechanism exists in every country that requires the entity to be accountable to the higher law- making administrative body for the public funds at its disposal.

Management Responsibility

Management is responsible for correctness and sufficiency of the form and content of the financial report and other information. This standard further emphasizes that development of adequate information, control, evaluation and reporting systems within the government will facilitate the accountability process. It is also the entity’s obligation to design a practical system that will provide relevant and reliable information.

Promulgation of Standards

Appropriate authorities should ensure the promulgation of acceptable accounting standards for financial reporting and disclosure relevant to the needs of the government, and audited entities should develop specific and measurable objectives and performance targets. This implies that the SAIs should :

  1. ensure that proper accounting standards are issued for the government; and
  2. recommend to the audited entities that measurable and clearly stated objectives, along with performance targets, be established.

Consistency of Standards

Consistent application of acceptable accounting standards should result in the fair presentation of the financial position and the results of operations. This implies that an audited entity must comply with accounting standards in a consistent manner. However, an auditor should not consider it as definitive proof of presenting fairly the various financial reports. Fairness is an expression of an auditor’s opinion that goes beyond the limits of consistent application of accounting standards.

Internal Controls

The existence of an adequate system of internal control minimizes the risk of errors or irregularities. This postulate stresses the responsibility of the audited entity to develop and operate adequate internal control systems to protect its resources. While the auditor is not responsible for the development or operation of the internal control system, he is supposed to recommend measures to the audited entity where controls are found to be inadequate or missing.

Access to Data

SAIs must have access to the sources of information and data. Enactment of legislative requirements for access by the auditor to such information and personnel will help minimize future problems in this area.

Audit Mandate

This postulate stipulates that all audit activities should be within the SAI’s audit mandate. SAIs are generally established by the supreme lawmaking body or by the constitutional provisions. However, the essential function of the SAI is to uphold and promote public accountability. The full scope of government auditing includes attestation, regularity and performance audit.

Performance audit is concerned with the audit of economy, efficiency and effectiveness and embraces:

(a) audit of the economy of administrative activities in accordance with sound administrative principles and practices, and management policies;

(b) audit of the efficiency of utilisation of human, financial and other resources, including examination of information systems, performance measures and monitoring arrangements, and procedures followed by audited entities for remedying identified deficiencies; and

(c) audit of the effectiveness of performance in relation to the achievement of the objectives of the audited entity, and audit of the actual impact of activities compared with the intended impact.

In practice there can be an overlap between regularity and performance auditing, and in such cases classification of a particular audit will depend on the primary purpose of that audit.

In many countries the mandate for performance auditing will stop short of review of the policy bases of government programs. In any case, the mandate should clearly delineate the SAI's powers and responsibilities in relation to performance auditing in all areas of government activity, among other things to facilitate the application of appropriate auditing standards by the SAI.

Improving Audit Techniques

This postulate states that SAIs should work toward improving techniques for auditing the validity of performance measures used by the audited entity. Auditors should avail themselves of techniques and methodologies of other disciplines.

Conflict of Interest

The SAI performs its role by carrying out audits of the accountable entities, which includes the government as a whole as well as other bodies and authorities and reporting the results. Therefore the SAI needs to maintain independence and objectivity. The SAI should avoid conflict of interest with the entity under audit. The scope of the audit mandate will determine the scope of the standards to be applied by the SAI.

General Standards in Government Auditing

The general auditing standards describe the qualifications of the auditor and/or the auditing institution so that they may carry out the tasks related to field and reporting standards in a competent and effective manner. The general auditing standards include standards that apply both to the auditors and to the SAIs, and standards that apply to SAIs.

Independence

An adequate degree of independence from both the legislature and the executive branch of government is essential to the conduct of the audit and to the credibility of the results. The SAI must maintains its independence from political influence in order to preserve an impartial approach to its audit responsibilities. It should not be subject to direction by the legislature in the programming, planning and conduct of audits. The SAI needs freedom to set priorities and program its work in accordance with the mandate, and adopt methodologies appropriate to the audits to be undertaken. At the same time, the legislature must provide the SAI with sufficient resources for the effective exercise of its mandate.

The SAI’s relationship with the executive branch of the government is that of an external auditor. As such, the SAI’s reports assist the executive by drawing attention to deficiencies in administration and recommending improvements. The auditor must avoid participation in executive functions of the kind that would militate against the SAI’s independence and objectivity in the discharge of its mandate. Likewise, there should be no direction by the executive in relation to the SAI’s performance and its mandate. The SAI should not be obliged to carry out, modify or refrain from carrying out an audit or suppress or modify audit findings, conclusions and recommendations. A good relationship with the executive can help the SAI obtain information promptly and to conduct discussions in an atmosphere of mutual respect and understanding.

The SAI should not participate in the management or operations of an audited entity. If some advice is to be given, it should be conveyed as audit advice. Any SAI personnel having close affiliations with the management of an audited entity that are conducive to lessening of objectivity should not be assigned to audit that entity.

Competence

The general standards for the auditor and the SAI states, “The auditor and the SAI must possess the required competence.”

Generally, the mandate of a SAI imposes a duty of forming and reporting audit opinions, conclusions and recommendations. Since the duties and responsibilities are crucial to the concept of public accountability, this standard implies that a SAI must apply methodologies and practices to its audits of the highest quality. For that purpose, a SAI should command the range of skills and experience necessary for effective discharge of its audit mandate. Audit work should be carried out by persons whose education and experience are commensurate with the nature, scope and complexities of the audit task.

The SAI should equip itself with a full range of up-to-date audit methodologies including:

  • systems-based techniques;

  • analytical review methods;

  • statistical sampling; and

  • audit of information systems.

To discharge these duties and responsibilities, a high standard of management within the SAI is imperative.

Due Care

The SAI must be objective in its audits of entities and public enterprises. It should also be fair in its evaluations and in its reporting of the outcome of audits. Performance and exercise of technical skill should be of a quality appropriate to the complexities of a particular audit. Auditors need to be alert for:

  • control weaknesses;

  • inadequacies in record keeping;

  • errors; and

  • unusual transactions or results which could be indicative of :

  • fraud

  • improper or unlawful expenditure

  • unauthorized operations

  • waste

  • inefficiency, or

  • lack of probity.

If the SAI employs external experts or consultants, it must exercise due care to assure itself of the consultant’s competence and aptitude for the particular tasks involved. Likewise when the SAI uses the work of another auditor(s), it must apply adequate procedures to provide assurance that the other auditor(s) has exercised due care and complied with relevant auditing standards. Further, it is essential that the SAIs maintain confidentiality regarding audit matters and information arising from its audit task.

Other General Standards for SAIs

The other general standards for SAIs include:

  1. SAI personnel should possess suitable academic qualifications and be equipped with appropriate training and experience.
  2. The SAI should establish, and regularly review, minimum educational requirements for appointment of auditors.
  3. The SAI should take adequate steps to provide for continuing professional development of its personnel. This includes:

  • appropriate in-house training; and

  • encouragement of attendance at external courses.

  1. The SAI should maintain an inventory of skills of personnel to assist in the planning of audits as well as to identify professional development needs.
  2. SAI personnel should have a good understanding of the government environment.
  3. The SAI should encourage its personnel to become members of a professional body relevant to their work.
  4. The SAI should prepare manuals and other written guidance and instructions to maintain the quality of audits.
  5. The SAI should ensure that audits are planned and supervised by auditors who are competent and knowledgeable in the SAI’s standards and methodologies.
  6. The SAI should maintain a portfolio of data pertaining to the structure, functions and operations of audited entities. This will help the SAI in identifying areas of materiality and vulnerability and areas holding potential for improvements in administration.
  7. The SAI should establish systems and procedures to:

  • confirm that internal quality assurance processes have operated satisfactorily;

  • ensure the quality of the audit report; and

  • secure improvements and avoid repetition of weakness.

The aforementioned system should be supported by a built-in quality assurance arrangement. It may be appropriate for the SAI to institute its own internal audit function with a wide charter to assist it to achieve effective management of its own operations and sustain the quality of its performance.

Finally, the SAI should ensure that applicable standards are followed on both pre-audits and post-audits and that deviations from standards that are determined to be appropriate are documented.

Field Standards in Government

Auditing

The purpose of field standards is to establish the criteria or overall framework for conducting and managing audit work. They are linked to the general standards, which set out the basic requirements for undertaking the tasks covered by the field standards, and are also related to reporting standards, which cover the communication aspects of auditing.

The field standards applicable to all types of audit include the following:

  1. The auditor should plan the audit in a manner that ensures that an audit of high quality is carried out in an economic, efficient and effective way and in a timely manner.
  2. The work of the audit staff at each level and audit phase should be properly supervised during the audit; and documented work should be reviewed by a senior member of the audit staff.
  3. The auditor, in determining the extent and scope of the audit, should study and evaluate the reliability of internal control.
  4. In conducting performance audits, an assessment should be made of compliance with applicable laws and regulations when necessary to satisfy the audit objectives. The auditor should design the audit to provide reasonable assurance of detecting illegal acts that could significantly affect audit objectives. The auditor also should be alert to situations or transactions that could be indicative of illegal acts that may have an indirect effect on the audit results. Any indication that an irregularity, illegal act, fraud or error may have occurred which could have a material effect on the audit should cause the auditor to extend procedures to confirm or dispel such suspicions.
  5. Competent, relevant and reasonable evidence should be obtained to support the auditor’s judgment and conclusions regarding the organization, program, activity or function under audit.

Planning

The auditor should plan the audit in a manner which ensures that an audit of high quality is carried out in an economical, efficient and effective way and in a timely manner. The following paragraphs explain planning as an auditing standard.

The SAI should give priority to any audit tasks which must be undertaken by law and assess priorities for discretionary areas within the SAI's mandate.

In planning an audit, the auditor should:

  1. identify important aspects of the environment in which the audited entity operates;
  2. develop an understanding of the accountability relationships;
  3. consider the form, content and users of audit opinions, conclusions or reports;
  4. specify the audit objectives and the tests necessary to meet them;
  5. identify key management systems and controls and carry out a preliminary assessment to identify both their strengths and weaknesses;
  6. determine the materiality of matters to be considered;
  7. review the internal audit of the audited entity and its work program;
  8. assess the extent of reliance that might be placed on other auditors, for example, internal audit;
  9. determine the most efficient and effective audit approach;
  10. provide for a review to determine whether appropriate action has been taken on previously reported audit findings and recommendations; and
  11. provide for appropriate documentation of the audit plan and for the proposed fieldwork.

The following planning steps are normally included in an audit:

  1. collect information about the audited entity and its organization in order to assess risk and to determine materiality;
  2. define the objective and scope of the audit;
  3. undertake preliminary analysis to determine the approach to be made later;
  4. highlight special problems foreseen when planning the audit;
  5. prepare a budget and a schedule for the audit;
  6. identify staff requirements and a team for the audit; and
  7. familiarize the audited entity with the cope, objectives and the assessment criteria of the audit and discuss with them as necessary.

The SAI may revise the plan during the audit when necessary.

Supervision and Control

Supervision is essential to ensure the fulfillment of audit objectives and the maintenance of the quality of the audit work. Proper supervision and control is therefore necessary in all cases, regardless of the competence of individual auditors.

All audit work should be reviewed by a senior member of the audit staff before audit opinions or reports are finalized.It should be carried out as each part of the audit progresses. Review brings more than one level of experience and judgment to the audit task.

Study and Evaluation of Internal Control

The auditor, in determining the extent and scope of the audit, should study and evaluate the reliability of internal control.

Internal control as an auditing standard is explained as follows:

The study and evaluation of internal control should be carried out according to the type of audit undertaken. In the case of performance audit, they are done on controls that assist in conducting the business of the audited entity in an economical, efficient and effective manner, ensuring adherence to management policies, and producing timely and reliable financial and management information.

Compliance with Applicable Laws and Regulations

In conducting performance audits, an assessment should be made of compliance with applicable laws and regulations when necessary to satisfy the audit objectives. The auditor should design the audit to provide reasonable assurance of detecting illegal acts that could significantly affect audit objectives. The auditor also should be alert to situations or transactions that could be indicative of illegal acts that may have an indirect effect on the audit results.

Generally, management is responsible for establishing an effective system of internal controls to ensure compliance with laws and regulations. In designing steps and procedures to test or assess compliance, auditors should evaluate the entity’s internal controls and assess the risk that the control structure might not prevent or detect non-compliance.

Without affecting the SAI’s independence, auditors should exercise due professional care and caution in extending audit steps and procedures relative to illegal acts so as not to interfere with potential future investigations or legal proceedings. Due care would include consulting appropriate legal counsel and the applicable law enforcement organization to determine the audit steps and procedures to be followed.

Audit Evidence

Audit findings, conclusions and recommendations must be based on evidence. Since auditors seldom have the opportunity to consider all information about the audited entity, it is crucial that the data collection and sampling techniques are carefully chosen.

When computer-based system data are an important part of the audit and the data reliability is crucial to accomplishing the audit objective, auditors need to satisfy themselves that the data are reliable and relevant.

Auditors should have a sound understanding of techniques and procedures such as inspection, observation, inquiry and confirmation, to collect audit evidence. The SAI should ensure that the techniques employed are sufficient to reasonably detect all quantitatively material errors and irregularities.

In choosing approaches and procedures, consideration should be given to the quality of evidence, i.e., the evidence should be competent, relevant and reasonable.

Auditors should adequately document the audit evidence in working papers, including the basis and extent of the planning work performed and the findings of the audit.

The auditor should bear in mind that the content and arrangement of the working papers reflect the degree of the auditor’s proficiency, experience and knowledge. Working papers should be sufficiently complete and detailed to enable an experienced auditor having no previous connection with the audit to subsequently ascertain from them what work was performed to support the conclusions.

Analysis of Financial Statements

Financial statement analysis aims at determining the existence of the expected relationship within and between the various elements of the financial statements, and identifying any unexpected relationships and any unusual trends. The auditor should therefore thoroughly analyze the financial statements and ascertain whether:

  1. financial statements are prepared in accordance with acceptable accounting standards;
  2. financial statements are presented with due consideration to the circumstances of the audited entity;
  3. sufficient disclosures are presented about various elements of financial statements; and
  4. the various elements of financial statements are properly evaluated, measured and presented.

The methods and techniques of financial analysis depend to a large degree on the nature, scope and objective of the audit, and on the knowledge and judgment of the auditor.

Reporting Standards in Government Auditing

It is not practical to lay down a rule for reporting on every specific situation. This standard is to assist and not to supersede the prudent judgement of the auditor in making an opinion or report.

The expression "reporting" embraces both the auditor's opinion and other remarks on a set of financial statements as a result of a regularity (financial) audit and the auditor's report on completion of a performance audit.

In a performance audit, the auditor reports on the economy and efficiency with which resources are acquired and used, and the effectiveness with which objectives are met. Such reports may vary considerably in scope and nature, for example covering whether resources have been applied in a sound manner, commenting on the impact of policies and programs and recommending changes designed to result in improvements.

In order to recognise reasonable user needs, the auditor's report in both regularity and performance auditing may need to have regard to expanded reporting periods or cycles and relevant and appropriate disclosure requirements.

For ease of reference in this chapter, the word "opinion" is used to mean the auditor's conclusions as a result of a regularity (financial) audit; the word "report" is used to mean the auditor's conclusions following a performance audit.

At the end of each audit, the auditor should prepare a written opinion or report, as appropriate, setting out the findings in an appropriate form; its content should be easy to understand and free from vagueness or ambiguity, include only information which is supported by competent and relevant audit evidence, and be independent, objective, fair and constructive.

Individual SAIs must decide finally on the action to be taken in relation to fraudulent practices or serious irregularities discovered by auditors.

With regard to regularity audits, the auditor should prepare a written report, which may either be a part of the report on the financial statements or a separate report, on the tests of compliance with applicable laws and regulations. The report should contain a statement of positive assurance on those items tested for compliance and negative assurance on those items not tested.

With regard to performance audits, the report should include all significant instances of non compliance that are pertinent to the audit objectives.

Performance Audit Report

In contrast to regularity audit, which is subject to fairly specific requirements and expectations, performance audit is wide ranging in nature and is more open to judgement and interpretation; coverage is also more selective and may be carried out over a cycle of several years, rather than in one financial period; and it does not normally relate to particular financial or other statements. As a consequence performance audit reports are varied and contain more discussion and reasoned argument.

The performance audit report should state clearly the objectives and scope of the audit. Reports may include criticism (for example where, in the public interest or on grounds of public accountability, matters of serious waste, extravagance or inefficiency are noted) or may make no significant criticism but give independent information, advice or assurance as to whether and to what extent economy, efficiency and effectiveness are being or have been achieved.

The auditor is not normally expected to provide an overall opinion on the achievement of economy, efficiency and effectiveness by an audited entity in the same way as the opinion on financial statements. Where the nature of the audit allows this to be done in relation to specific areas of an entity's activities, the auditor should provide a report which describes the circumstances and arrives at a specific conclusion rather than a standardised statement. Where the audit is confined to consideration of whether sufficient controls exist to secure economy, efficiency or effectiveness, the auditor may provide a more general opinion.

Performance reports should not concentrate solely on criticism of the past but should be constructive. The auditor's conclusions and recommendations are an important aspect of the audit and, where appropriate, are written as a guide for action. Generally these recommendations suggest what improvements are needed rather than how to achieve them, though circumstances sometimes arise which warrant a specific recommendation, for example to correct a defect in the law in order to bring about an administrative improvement.

In the case of performance audits that judgement will be more subjective as the report does not relate so directly to financial or other statements. Consequently the auditor may find that materiality by nature or by context is a more important consideration than materiality by amount.

Summary

INTOSAI Auditing Standards provide framework for the establishment of procedures and practices to be followed in the conduct of an audit. Because the Auditing Standards cover both regularity and VFM audit standards, some standards may not be applicable to VFM audit. Nevertheless, auditors should pay due professional care to ensure VFM audits are performed pursuant to the INTOSAI Auditing Standards.