ISSAI 4000: Issues coming out of the maintenance groups
Mona Paulsrud
CAS meeting, Oslo, 17th of September 2014

Work ahead
• December 2014: ISSAI 4000 draft for comments in PSC steering committee
• May 2015: ISSAI 4000 exposure draft to the PSC steering committee
• August–October 2015: ISSAI 4000 exposure period
• May 2016: ISSAI 4000 endorsement version to the PSC steering committee
• October 2016: ISSAI 4000 endorsement at INCOSAI, Abu Dhabi

Further process on ISSAI 4000 draft
• 15th of October: Deadline for comments and proposals on language and style
• 31st of October: Deadline for comments and proposals on substance and contents

Prerequisites from ISSAI 100/400
• Process oriented approach
• Risk based auditing
• Professional judgement & skepticism
• Covering the variety of compliance audit practices across INTOSAI
• Both direct reporting and attestation engagements

Compliance Audit Subject Matters

…the authorities which govern them
“Relevant acts or resolutions of the legislature or other statutory instruments, directions and guidance issued by public sector bodies with powers provided for in statute, with which the audited entity is expected to comply.”

Authorities – the sources of audit criteria
(Diagram: Authorities; Criteria)

Narrowing down the audit scope..

Authorities in two forms
(Diagram: Authorities; Regularity; Propriety; GREY ZONE OF INTERPRETATION)

How to draw the line..
REGULARITY: The concept that the subject matter is in accordance with authorizing legislation, regulations issued under governing legislation and other relevant legal documents which lay down the rules and procedures to be adhered to by the audited entity which provide a legal framework within which the subject matter is being exercised, and these are properly sanctioned.
PROPRIETY: General principles of sound public sector financial management and conduct of public sector officials.

Issues raised
• Does the spirit or intention of laws and regulations belong to regularity or propriety?
• A code of conduct or ethics – would it belong to regularity or propriety?
• Are fraud risks generally linked to breach of propriety?

Assurance
Intended users wish to be confident about the reliability and relevance of the information which they use as the basis for taking decisions. Audits therefore provide information based on sufficient and appropriate evidence, and auditors should perform procedures to reduce or manage the risk of reaching inappropriate conclusions. The level of assurance that can be provided to the intended user should be communicated in a transparent way. However, due to inherent limitations, audits can never provide absolute assurance.
ISSAI 100 paragraph 31

The core of assurance
Is the audit evidence obtained sufficient and appropriate so as to reduce the audit risk to an acceptably low level?
Reconsidering:
• Materiality
• Risk assessment

Communicating assurance
Depending on the audit and the users’ needs, assurance can be communicated
- through opinions and conclusions which explicitly convey the level of assurance.
ISSAI 100 para. 32

Opinion and conclusion – what is the difference?
The conclusion is a statement of the auditor covering the audit scope on the basis of the findings assessed against the criteria and conveying explicitly the level of assurance of the audit.
NEW ISSAI 4000 para. 158-160
An opinion is a statement of the auditor expressed in a standardized form of a clear written expression of modification or unmodification.
NEW ISSAI 4000 para. 161-166

Issues raised
• Is an opinion only relevant in attestation engagements? – NO
• Is an opinion only given in relation to the financial statements? – NO
• Can an opinion only be given on quantitative subject matters? – NO

Opinion and conclusion – what is the difference?
“The conclusion may be expressed as an elaborate answer to specific audit questions or take the form of a clear written statement of opinion on compliance, often in addition to the opinion on the financial statements. While an opinion is common in attestation engagements, the answering of specific audit questions is more often used in direct reporting engagements.”
NEW ISSAI 4000 para. 160

Opinion and conclusion – what is the difference?
“Where an opinion is provided the auditor states whether it is unmodified or has been modified on the basis of the evaluation of materiality and pervasiveness. Delivering an opinion would normally require a more elaborate audit strategy and approach that encompasses a tangible population covered both by quantitative and qualitative sampling during the audit.”
NEW ISSAI 4000 para. 163

Opinion and conclusion – what is the difference?
• Conclusion: ISSAI 4000 para. 158-160
• Opinion: ISSAI 4000 para. 161-166
• Sampling: ISSAI 4000 para. 137-141

Audit sampling
• Quantitative
• Qualitative

ISSAI 4000 – in need of further elaboration?
• Materiality
• Reasonable and limited assurance
• Audit scope
• Subject matter and criteria in relation to direct reporting and attestation engagements
• Understanding the entity

ISSAI 4000 – in need of further elaboration? (continued)
• Control environment / internal controls
• Risk of non-compliance
• Documentation
• Combinations of compliance with financial and/or performance auditing

ISSAI 4000 – the need for further elaborations?
Prioritizations and further work of the committee.