ISSAI 4000:
Issues coming out of the maintenance
groups
Mona Paulsrud
CAS meeting, Oslo
17th of September 2014
1
Work ahead
December 2014:
ISSAI 4000 draft for
comments in PSC
steering committee
May 2015:
ISSAI 4000
exposure draft
to the PSC
steering
committee
AugustOctober 2015:
ISSAI 4000
exposure
period
May 2016:
ISSAI 4000
endorsement
version to the
PSC steering
committee
October 2016:
ISSAI 4000
endorsement at
INCOSAI,
Abu Dhabi
2
Further process on ISSAI 4000 draft
15th of October:
Deadline for comments
and proposals on
language and style
31st of October:
Deadaline for comments
and proposals on
substance and contents
3
Prerequisites from ISSAI 100/400
Process oriented approach
Risk based auditing
Professional judgement & skepticism
Covering the variety of compliance audit
practices across INTOSAI
Both direct reporting and attestation
engagements
4
Compliance Audit Subject Matters
…the authorities which govern them
“Relevant acts or resolutions of
the legislature or other
statutory instruments,
directions and guidance issued
by public sector bodies with
powers provided for in statute,
with which the audited entity
is expected to comply.”
6
Authorities the sources of audit criteria
Authorities
Criteria
Narrowing down the audit scope..
Authorities in two forms
Authorities
Regularity
Propriety
GREY ZONE OF INTERPRETATION
9
How to draw the line..
REGULARITY
The concept that the subject matter
is in accordance with authorizing
legislation, regulations issued under
governing legislation and other
relevant legal documents which lay
down the rules and procedures to be
adhered to by the audited entity
which provide a legal framework
within which the subject matter is
being exercised, and these are
properly sanctioned.
PROPRIETY
General principles of sound
public sector financial
management and conduct of
public sector officials.
10
Issues raised
• Does the spirit or intention of laws and
regulations belong to regularity or propriety?
• A code of conduct or ethics – would it belong
to regularity or propriety?
• Are fraud risks generally linked to breach of
propriety?
11
Assurance
Assurance
Intended users wish to be confident about the reliability and
relevance of the information which they use as the basis for
taking decisions. Audits therefore provide information based on
sufficient and appropriate evidence, and auditors should
perform procedures to reduce or manage the risk of reaching
inappropriate conclusions. The level of assurance that can be
provided to the intended user should be communicated in a
transparent way. However, due to inherent limitations, audits
can never provide absolute assurance.
ISSAI 100 paragraph 31
The core of assurance
Is the audit evidence obtained
sufficient and appropriate so as to
reduce the audit risk to an acceptably
low level?
Reconsidering:
Materiality
Risk
assessment
Communicating assurance
Depending on the audit
and the users’ needs,
assurance can be
communicated - through
opinions and conclusions
which explicitly convey
the level of assurance.
ISSAI 100 para. 32
15
Opinion and conclusion – what is the
difference?
The conclusion is a
statement of the auditor
covering the audit scope
on the basis of the
findings assessed against
the criteria and conveying
explicitly the level of
assurance of the audit.
NEW ISSAI 4000 para. 158 - 160
An opinion is a statment
of the auditor expressed
in a standardized form of a
clear written expression of
modification or
unmodification.
NEW ISSAI 4000 para. 161-166
16
Issues raised
• Is an opinion only relevant in attestation
engagements? – NO
• Is an opinion only given in relation to the financial
statements? – NO
• Can an opinion only be given on quantitative subject
matters? - NO
17
Opinion and conclusion – what is
the difference?
“The conclusion may be expressed as
an elaborate answer to specific audit
questions or take the form of a clear
written statement of opinion on
compliance, often in addition to the
opinion on the financial statements.
While an opinion is common in
attestation engagements, the
answering of specific audit questions
is more often used in direct reporting
engagements.”
NEW ISSAI 4000 para. 160
18
Opinion and conclusion – what is
the difference?
“Where an opinion is provided the
auditor states whether it is
unmodified or has been modified on
the basis of the evaluation of
materiality and pervasiveness.
Delivering an opinion would normally
require a more elaborate audit
strategy and approach that
encompasses a tangible population
covered both by quantitative and
qualitative sampling during the
audit.”
NEW ISSAI 4000 para. 163
19
Opinion and conclusion – what is
the difference?
Conclusion
Opinion
Sampling
ISSAI 4000 para.
158 - 160
ISSAI 4000 para.
161- 166
ISSAI 4000 para.
137-141
20
Audit sampling
Quantitative
Qualitative
21
ISSAI 4000 – in need of further
elaboration?
•
•
•
•
Materiality
Reasonable and limited assurance
Audit scope
Subject matter and criteria in relation to direct
reporting and attestation engagements
• Understanding the entity
22
ISSAI 4000 – in need of further
elaboration? (continuing)
• Control environment/ intrenal controls
• Risk of non compliance
• Documentation
• Combinations of compliance with financial
and/or performance auditing
23
ISSAI 4000 – the need for further
elaborations?
Prioritizations and further work of the
committee.
24