Considerations when Performing the Audit

advertisement
INTOSAI
Compliance Audit Guidelines
ISSAI 4100
Exposure Draft
June 2007
Exposure Draft
INTOSAI Compliance Audit Guidelines
ISSAI 4100
Contents
I.
II.
III.
IV.
V.
VI.
Introduction .................................................................................................................. 3
Scope of the Guidelines ................................................................................................ 3
Authority of the Guidelines ......................................................................................... 5
Objectives to be achieved ............................................................................................. 5
Definitions ..................................................................................................................... 5
Recommendations ........................................................................................................ 6
Considerations in regard to Audit Criteria ............................................................. 6
Considerations in regard to Quality Control .......................................................... 7
Considerations when Planning and Designing the Audit ..................................... 7
Initial Considerations ......................................................................................... 7
Developing the Audit Strategy and Plan ............................................................ 7
Materiality and Risk Assessments...................................................................... 8
Risk Assessment Considerations in regard to Fraud .......................................... 9
Risk Assessment Considerations in regard to Related Parties ........................... 9
Assessments of Internal Control ...................................................................... 10
Considerations when Performing the Audit ......................................................... 10
Audit Procedures .............................................................................................. 10
Audit Evidence ................................................................................................. 11
Considerations when Evaluating Compliance Deviations ............................... 11
Audit Documentation ....................................................................................... 11
Written Representations from Responsible Officials ....................................... 12
Considering Subsequent Events ....................................................................... 12
Communications............................................................................................... 12
Reporting Considerations...................................................................................... 12
Compliance Opinions as Part of the Auditor's Report on the Financial
Statements ........................................................................................................ 13
Other Compliance Reports ............................................................................... 14
Reporting the Views of Responsible Officials of the Audited Entity .............. 14
Considerations related to the Reporting of Suspected Fraud ........................... 15
Reporting Considerations for SAIs in a Court of Accounts Environment ....... 15
Response to Reported Non-Compliance .......................................................... 15
INTOSAI Compliance Audit Subcommittee
I. Introduction
1. The full scope of public sector auditing includes financial and performance audit. In the
public sector, financial audit comprises the audit of financial statements and aspects
related to compliance audit. Compliance audit is interrelated to the audit of financial
statements and is typically performed together with the audit of financial statements. As a
result, the audit of financial statements in the public sector generally has a broader scope
than the audit of financial statements in the private sector. The scope of a compliance
audit depends on the mandate of the SAI and the laws and regulations that are relevant to
the audited entity. In addition, the approved budget of the audited entity and relevant
budgetary legislation are significant in this context. These elements taken together are
often a natural starting point for developing the approach to compliance audit.
2. Compliance audit comprises the assessment of whether the activities, financial
transactions and information reflected in the financial statements are in accordance with
the authorities which govern them. Such authorities may include applicable resolutions of
the legislature, including budgetary laws or resolutions, and documented intentions and
premises for such, provisions for funds and contracts, grant agreements, etc. In addition,
compliance audit is aimed at helping ensure sound public sector financial management
and that public funds are collected and used for those purposes approved by the legislature
or other appropriate bodies. Furthermore, compliance audit may also include aspects
related to public expectations, especially in regard to the actions and behaviour of public
sector officials.
3. The Compliance Audit Guidelines provide guidance to support Supreme Audit Institutions
(SAIs) and public sector auditors in their work on reporting on compliance with
authorities. The Compliance Audit Guidelines are written from the perspective of
compliance audit performed together with the audit of financial statements. Separate
compliance audits may also be performed, for example audits of procurement or funding
arrangements. In such cases the guidelines may be applied, adapted as appropriate in the
circumstances. In these cases it is important that public sector auditors understand the
subject matter and scope of the audit, the criteria to be applied, relevant materiality
considerations and reporting responsibilities.
II. Scope of the Guidelines
4. The Compliance Audit Guidelines, together with the Financial Audit Guidelines and
Performance Audit Guidelines, constitute the fourth level in the existing hierarchy of
standards in INTOSAI, which consists of the Lima Declaration, the Code of Ethics, and
the INTOSAI Auditing Standards.
5. The Financial Audit Guidelines consist of relevant International Standards on Auditing
(ISAs) issued by IFAC's International Auditing and Assurance Standards Board (IAASB),
together with Practice Notes developed by INTOSAI. The Practice Notes outline the
applicability of the ISA in public sector auditing, and provide additional guidance on
public sector issues. Due to the extended mandate of SAIs, the scope of a financial audit
in the public sector is generally broader than an audit of financial statements carried out in
accordance with the ISAs. Consequently, a need has been identified for further guidance
Exposure Draft Compliance Audit Guidelines
Page 3 of 15
INTOSAI Compliance Audit Subcommittee
on compliance audit in a SAI context. The Financial Audit Guidelines, together with the
Compliance Audit Guidelines, are intended to provide public sector auditors with a
comprehensive set of guidelines for audits of financial statements in the public sector.
6. The requirements and application material contained throughout the body of the ISAs are
in most cases relevant to the various phases of compliance audit. Therefore references to
various ISAs with Practice Notes have been included throughout the Compliance Audit
Guidelines.
7. Compliance audit has a broader scope than [Proposed] ISA 250 (Redrafted) The Auditor's
Responsibilities Relating to Laws and Regulations in an Audit of Financial Statements.
The objective of this ISA is for the auditor to obtain sufficient appropriate audit evidence
that the financial statements are not materially misstated due to non-compliance with laws
and regulations, and to respond appropriately to identified or suspected non-compliance
with laws and regulations. As described in the introduction above, the Compliance Audit
Guidelines are intended to provide further guidance on compliance audit from the broader
public sector perspective.
8. Although many SAIs include the audit of compliance issues within their concept of an
audit of financial statements, some SAIs include compliance audit within their concept of
performance audit. Some SAIs regard compliance audit as a separate audit type
altogether. In general, elements of compliance audit are normally included in all types of
audit. From the perspective of the Financial Audit Guidelines however, requirements of
compliance audit and compliance reporting are regarded as related to the audit of the
financial statements if the audit opinion on compliance forms part of the auditor's report
on the audit of the financial statements. Requirements of compliance audit and a separate
opinion on compliance are regarded as related to the audit of the financial statements if the
financial statements have been prepared in accordance with a financial reporting
framework that includes compliance with laws and regulations.
9. The Compliance Audit Guidelines provide guidance for public sector auditors reporting in
the form of reasonable assurance opinions on an entity's compliance with authorities.
10. Depending on the structure of the public sector and the mandate of the SAI, the
Compliance Audit Guidelines are relevant to compliance audit at all levels of government,
including audits of central government financial statements or the equivalent, audits of
public agencies and audits of local government financial statements. Depending on the
mandate of the SAI, the guidelines may be relevant to audits of private sector entities
when such entities are involved in the management of public services, for instance
through partnership arrangements or as recipients of public grants or subsidies. The
guidelines are relevant to compliance audit in SAIs representing both the Auditor General
system and the Court of Accounts system, but do not cover particularities related to the
judgement part of compliance auditing in SAIs of the court type.
11. The audit of compliance with budgetary laws or other relevant budgetary resolutions,
includes the audit of state revenues, such as taxes, customs and excise duties, proceeds
and sales revenues; and contributions and funding from external sources including
international or regional bodies or financial institutions.
Exposure Draft Compliance Audit Guidelines
Page 4 of 15
INTOSAI Compliance Audit Subcommittee
12. If stipulated in the audit mandate, a SAI may audit the documented budgetary assumptions
and premises prior to the applicable resolution of the legislature.
13. References to "compliance audit" throughout this document are understood to be in the
context of work carried out by SAIs or for which the SAI is responsible.
III. Authority of the Guidelines
14. The Compliance Audit Guidelines provide guidance for compliance audit in the public
sector, but do not have a mandatory application within INTOSAI. Each SAI must judge
the extent to which the guidelines are compatible with the achievement of its mandate.
The guidelines were endorsed by INCOSAI …… (meeting and date).
IV. Objectives to be achieved
15. According to [Proposed] ISA 200 (Revised and Redrafted) Overall Objective of the
Independent Auditor, and Concepts Relevant to an Audit of Financial Statements, the
objective of an audit of financial statements is to enable the auditor to express an opinion
whether the financial statements are prepared, in all material respects, in accordance with
an applicable financial reporting framework.
16. Depending on the mandate and constitutional role of the SAI, the overall objective of
compliance audit is to enable public sector auditors to report to the legislature and/or other
bodies as appropriate, on whether the activities, financial transactions and information
reflected in the financial statements are, in all material respects, in compliance with the
authorities which govern them; and, for SAIs representing the Court of Accounts system,
to communicate judgements on such matters to the appropriate bodies.
V. Definitions
For purposes of these guidelines the following terms have the meanings set out below:
17. Compliance audit – Depending on the mandate of the SAI, an audit of whether the
activities, financial transactions, and information – which are reflected in the financial
statements of an audited entity, or for which the audited entity, the government, a minister
or public officials are accountable – are in accordance with:
a) Budgetary laws or the legislature's budgetary or other relevant resolutions or
provisions for funds and balances, and documented intentions and premises for
such;
b) Other relevant laws, regulations and agreements;
c) General principles for sound public sector financial management and conduct
of public sector officials.
18. Legislature – The law-making authority of a country, for example a Parliament. In the
context of compliance audit, the legislature may also include other public sector bodies
with authority for budget legislation or resolutions.
Exposure Draft Compliance Audit Guidelines
Page 5 of 15
INTOSAI Compliance Audit Subcommittee
19. Authorities – Relevant acts or resolutions of the legislature or other statutory instruments,
directions and guidance issued by public sector bodies with powers provided for in statute,
with which the audited entity is expected to comply.
20. Assertion – a representation by public sector officials, explicit or otherwise, that is
embodied in the activities, financial transactions and information pertaining to the audited
entity, used by the auditor in considering different types of potential deviations. In the
context of compliance audit, the compliance assertion would mean that the entity,
including responsible public sector officials, is acting in accordance with applicable
authorities and relevant public expectations.
21. Compliance deviation – the audited entity's failure to comply with authorities, including
provisions for the use of approved appropriations, funds or balances, terms of contracts
and agreements, or with general principles for sound public sector financial management
or public expectations in regard to the actions and behaviour of public officials.
VI. Recommendations
Considerations in regard to Audit Criteria
22. Audit criteria are benchmarks or standards against which the subject matter of the audit
can be assessed. Compliance audit criteria can be formal, as for example the applicable
law, regulation or contract, or less formal, as for example documented intentions or
premises for resolutions of the legislature, general principles for sound public sector
financial management or public expectations in regard to the actions and behaviour of
public officials.
23. Public sector auditors establish suitable audit criteria that are relevant to the particular
audit and free from any bias on their part or on the part of the audited entity. Suitable
criteria result in reasonably consistent assessments when used in similar circumstances by
another auditor. This is of particular importance when the compliance audit is based on
less formal audit criteria. Furthermore, suitable criteria are understandable and sufficient
for the intended purpose.
24. In establishing audit criteria for compliance audit, public sector auditors consider:
a) Documents of the legislature related to budgetary laws or resolutions, and to
the premises or particular provisions for use of approved appropriations, or for
financial transactions, funds and balances;
b) Other relevant laws, regulations and agreements of a general nature or
particular to the audited entity or similar entities;
c) Written or unwritten principles for sound public sector financial management
and conduct of public sector officials. Principles of conduct may arise from the
legislature's or public expectations regarding the behaviour of public sector
officials, and may be documented in only fragmentary ways. They may, in
some cases, only be defined as a result of their breach.
Exposure Draft Compliance Audit Guidelines
Page 6 of 15
INTOSAI Compliance Audit Subcommittee
25. In situations where the audit criteria are less formal, the SAI may encourage the
appropriate bodies to formulate clearly the general principles to be followed in public
sector entities.
26. Public sector auditors make the audit criteria available to the audited entity and other
appropriate bodies.
Considerations in regard to Quality Control
27. Public sector auditors consider the requirements of [Proposed] ISA 220 (Redrafted)
Quality Control for Audits of Historical Financial Information together with the guidance
provided in the Practice Note. Public sector auditors carry out compliance audits in
accordance with applicable ethical and professional standards. Furthermore, public sector
auditors satisfy themselves that the audit team carrying out the work collectively has the
appropriate knowledge and skills, and that the work of the team is appropriately directed,
supervised and reviewed.
Considerations when Planning and Designing the Audit
Initial Considerations
28. Where relevant, public sector auditors consider the requirements of [Proposed] ISA 210
(Redrafted) Terms of Audit Engagements together with the guidance provided in the
Practice Note.
Developing the Audit Strategy and Plan
29. Public sector auditors consider the requirements of ISA 300 (Redrafted) Planning an
Audit of Financial Statements together with the guidance provided by the Practice Note.
In establishing the overall audit strategy for the compliance audit, public sector auditors
also:
a) Determine the scope and characteristics of the compliance audit, taking into
account the mandate of the SAI and the elements contained in the definition of
compliance audit;
b) Obtain a general understanding of the legal, regulatory and appropriations
framework applicable to the scope of the audit and to the audited entity;
c) Obtain an understanding of management's assessment of applicable laws and
regulations including management's internal controls that help ensure
compliance with authorities.
d) Obtain an understanding of significant contracts or grant agreements that may
be relevant;
Exposure Draft Compliance Audit Guidelines
Page 7 of 15
INTOSAI Compliance Audit Subcommittee
e) Obtain an understanding of relevant principles of sound public sector financial
management and expectations regarding the conduct of public sector officials;
f) Consider the results of earlier financial, compliance or performance audits of
the audited entity or comparable entities, and other matters relevant to planning
the compliance audit;
g) Consider the reporting requirements of the compliance audit of the audited
entity;
h) Ascertain the resources needed to perform the audit, perhaps including use of
the work of internal audit or the work of experts.
30. Based on the overall audit strategy, public sector auditors develop an audit plan for the
compliance audit that includes:
a) A description of audit criteria related to the scope and characteristics of the
compliance audit and to the legal, regulatory and appropriations framework;
b) A description of the nature, timing and extent of planned risk assessment
procedures sufficient to assess the risks of non-compliance, related to the
various audit criteria;
c) A description of the nature, timing and extent of planned further audit
procedures, related to the various compliance audit criteria.
Materiality and Risk Assessments
31. Public sector auditors consider the requirements of [Proposed] ISA 320 (Revised and
Redrafted) Materiality in Planning and Performing an Audit and ISA 315 (Redrafted)
Identifying and Assessing the Risks of Material Misstatement Through Understanding the
Entity and Its Environment together with the guidance provided in the Practice Notes.
32. Where specific authorities govern the activities, financial transactions and information
reflected in the financial statements of an audited entity, public sector auditors plan and
perform procedures to determine whether in all material respects the activities,
transactions and information comply with those authorities.
33. Materiality affects both the way in which public sector auditors plan and design the
compliance audit and how public sector auditors evaluate and report the results of the
audit. The principles and procedures applied to obtain sufficient appropriate audit
evidence to support an opinion or conclusion on compliance are the same as those applied
to the audit of any other financial statement assertion. There may however be particular
considerations in respect of the auditor's assessment of materiality, risk and the design of
audit procedures in relation to compliance audit.
34. In planning compliance audit, public sector auditors may often set lower materiality levels
than would be the case for an audit of financial statements. This is due to a variety of
factors such as the public accountability of government entities, legal and regulatory
requirements, the visibility and sensitivity of programs, public expectations and other
Exposure Draft Compliance Audit Guidelines
Page 8 of 15
INTOSAI Compliance Audit Subcommittee
qualitative aspects.
35. In assessing risk, public sector auditors consider the possibility that an inappropriate
conclusion or audit opinion will be given on compliance with authorities. Audit risk in the
compliance context is a function of the risk of material non-compliance and the risk that
public sector auditors will not detect such non-compliance (detection risk). The risk of
material non-compliance at the assertion level consists of inherent risk and control risk.
36. To assess the inherent risk of non-compliance, public sector auditors use judgement to
evaluate a range of factors, e.g. related to the complexity of, or changes in, relevant laws
and regulations, including the documented intentions and premises for such laws and
regulations. Control risk in the context of compliance audit is the risk that non-compliance
would not be prevented, or detected, by the entity's own control systems.
37. Where public sector auditors expect to be able to rely on the internal controls to reduce the
extent of substantive compliance audit procedures, public sector auditors make a
preliminary assessment of control risk and plan and perform tests of compliance-related
controls to support the preliminary assessment.
Risk Assessment Considerations in regard to Fraud
38. Public sector auditors consider the requirements in relation to fraud as set out in ISA 240
(Redrafted) The Auditor's Responsibilities Relating to Fraud in an Audit of Financial
Statements together with the guidance in the Practice Note. In the public sector,
assessments of materiality in relation to fraud may not be restricted to risks of material
misstatements in the financial statements, as is the main focus of ISA 240, but relate to
fraud risks in the context of the broader scope of public sector auditing. Examples of areas
which may typically give rise to fraud risks and where public sector auditors are alert in
performing risk assessments include:
a) Grants and benefits to third parties;
b) Procurement;
c) Exercise of public officials' duties and power;
d) Intentional misstatement or misrepresentation of results or information;
e) Privatization of government entities.
Risk Assessment Considerations in regard to Related Parties
39. Public sector auditors consider the requirements of [Proposed] ISA 550 (Revised and
Redrafted) Related Parties together with the guidance in the Practice Note. Authorities
may set out specific requirements related to the conduct of business with related parties.
Public sector auditors address the risks of non-compliance with such authorities. Public
sector auditors also determine if there are specific reporting requirements for related party
relationships and transactions.
Exposure Draft Compliance Audit Guidelines
Page 9 of 15
INTOSAI Compliance Audit Subcommittee
Assessments of Internal Control
40. Public sector auditors obtain an understanding of the audited entity's internal control
relevant to the compliance audit. In some cases internal control requirements may be
specifically set out in laws and regulations. They may also be established in general
principles for sound public sector financial management. In addition to addressing any
specific requirements, public sector auditors perform assessments of internal control
relevant to planning and designing compliance audit as would be the case for internal
control related to any other aspect of the audit of the financial statements.
Considerations when Performing the Audit
Audit Procedures
41. Public sector auditors consider the requirements of ISA 330 (Redrafted) The Auditor's
Responses to Assessed Risks together with the guidance provided in the Practice Note.
42. Audit procedures designed to test compliance will usually be based on a mix of tests of
controls and substantive audit procedures. Public sector auditors may seek to reduce the
extent of substantive procedures where satisfactory evidence as to the effectiveness of the
entity's internal control systems has been obtained.
43. In addition to assessments of internal control relevant to planning and designing
compliance audit, public sector auditors also test elements of internal control in
performing compliance audit. When public sector auditors conclude that the controls
designed to help ensure compliance are not effective, public sector auditors do not rely on
them, but perform additional procedures as necessary.
44. Public sector auditors design and perform substantive procedures to evaluate compliance,
in particular for those elements that are deemed to be material in the context of the audit.
The extent of substantive procedures performed will depend on the auditors' assessments
of control risk and on any evidence obtained relating directly to compliance or noncompliance provided by tests of controls. The characteristics of the substantive
compliance procedures performed will depend on the particular audit criteria.
45. In determining whether individually material items require detailed testing, public sector
auditors take into account the assessment of inherent and control risk. In some unusual
circumstances the auditors' assessment of risk may necessitate that all individually
material transactions are compliance tested.
46. Analytical procedures may in certain circumstances assist public sector auditors in
evaluating compliance. For example, where allowances under a grants scheme are subject
to a maximum value and the number of recipients is known, public sector auditors may
use analytical procedures to identify whether the permitted maximum may have been
breached. Analytical procedures on their own are, however, unlikely to provide public
sector auditors with sufficient appropriate audit evidence in support of compliance.
Further guidance on performing analytical procedures is set out in ISA 520 Analytical
Exposure Draft Compliance Audit Guidelines
Page 10 of 15
INTOSAI Compliance Audit Subcommittee
Procedures, together with the guidance provided in the Practice Note.
Audit Evidence
47. Public sector auditors consider the requirements of [Proposed] ISA 500 (Redrafted) Audit
Evidence, together with the guidance provided in the Practice Note.
48. The concept of materiality applies to assertions in relation to compliance audit as to the
other assertions in relation to the audit of financial statements. Public sector auditors
therefore obtain sufficient appropriate audit evidence to conclude with reasonable
assurance and express an opinion on whether the activities, financial transactions and
information reflected in the financial statements comply with the authorities which govern
them 'in all material respects'. Due to the inherent limitations of an audit, public sector
auditors cannot be expected to detect all occurrences of non-compliance through the audit
work.
49. Public sector auditors use professional judgement and exercise professional scepticism in
evaluating the sufficiency and appropriateness of evidence obtained and in concluding
with reasonable assurance. Public sector auditors consider the validity, reliability and
consistency of the audit evidence obtained, particularly when the audit criteria are less
formal.
Considerations when Evaluating Compliance Deviations
50. When evaluating the audit evidence obtained, and assessing any compliance deviations,
public sector auditors consider the requirements of [Proposed] ISA 450 (Redrafted)
Evaluation of Misstatements Identified during the Audit, together with the guidance in the
Practice Note.
51. Public sector auditors' assessment of what represents a material compliance deviation is a
matter of judgement and includes considerations of context as well as quantitative aspects
(size) and qualitative aspects (nature) of the transactions or issues concerned. For
example, public sector auditors consider the needs and expectations of the legislature and
other users of the audit report, the nature of the relevant authorities and the extent or
monetary value of the non-compliance.
Audit Documentation
52. Public sector auditors consider the requirements of [Proposed] ISA 230 (Redrafted) Audit
Documentation, together with the guidance in the Practice Note. Public sector auditors
prepare and maintain compliance audit documentation which contains sufficient
information to enable an experienced auditor, who has had no previous connection with
the audit, to ascertain from the audit documentation the evidence that supports the
significant judgements made and conclusions reached. Public sector auditors prepare audit
documentation that contains the established audit criteria, and support for findings,
conclusions and recommendations before the auditor's opinion or separate compliance
Exposure Draft Compliance Audit Guidelines
Page 11 of 15
INTOSAI Compliance Audit Subcommittee
report is issued.
Written Representations from Responsible Officials
53. Public sector auditors consider the requirements of [Proposed] ISA 580 (Revised and
Redrafted) Written Representations, together with the guidance in the Practice Note. To
corroborate evidence obtained, public sector auditors obtain written representations from
responsible officials of the audited entity as necessary. Such representations may state that
all relevant information has been made available to public sector auditors and that, to the
best of the officials' knowledge and belief, the activities, financial transactions and
information reflected in the financial statements of the entity are in compliance with the
authorities which govern them.
Considering Subsequent Events
54. Public sector auditors consider the requirements of [Proposed] ISA 560 (Redrafted)
Subsequent Events, together with the guidance in the Practice Note. Public sector auditors
perform audit procedures to determine if there are events occurring after the end of the
reporting period and up until the date of the auditor's report that may result in material
non-compliance and respond as appropriate in the circumstances.
Communications
55. Public sector auditors consider the requirements of [Proposed] ISA 260 (Revised and
Redrafted) Communication with Those Charged with Governance, together with the
guidance in the Practice Note. Public sector auditors communicate on a timely basis to
those charged with governance identified instances of material or other non-compliance
arising from the audit that are relevant to their responsibilities in overseeing the activities
and financial reporting of the entity.
Reporting Considerations
56. Public sector auditors consider the requirements of [Proposed] ISA 700 (Redrafted) The
Independent Auditor's Report on a Complete Set of General Purpose Financial
Statements, [Proposed] ISA 705 (Redrafted) Modifications to the Opinion in the
Independent Auditor's Report, [Proposed] ISA 706 (Redrafted) Emphasis of Matter
Paragraphs and Other Matter(s) Paragraphs in the Independent Auditor's Report and
[Proposed] ISA 800 (Revised and Redrafted) Special Considerations – Audits of Special
Purpose Financial Statements and Specific Elements, Accounts or Items of a Financial
Statement together with the guidance in the Practice Notes.
57. The form of the compliance audit report depends on the mandate of the SAI, applicable
legislation or regulation and the complexity of the reported issues. Furthermore, the form
of the report depends on the intended recipients, including whether the report is to be
submitted to the legislature or other bodies, or to third parties such as donor organizations,
Exposure Draft Compliance Audit Guidelines
Page 12 of 15
INTOSAI Compliance Audit Subcommittee
international or regional bodies or financial institutions.
58. A SAI may, according to its mandate, be required to report to the legislature on significant
compliance issues related to:
a) the overall central government financial statements or the equivalent;
b) individual central government or similar entities; or
c) other areas for which the government, a minister or public sector officials are
accountable.
59. Reporting on compliance with authorities may be incorporated as a compliance opinion in
the auditor's report on the financial statements, or a separate compliance audit report may
be issued.
Compliance Opinions as Part of the Auditor's Report on the Financial
Statements
60. Public sector auditors include, in the relevant sections of the auditor's report, appropriate
descriptions of:
a) the responsibilities of management and of the auditor as they relate to
compliance with authorities;
b) the scope of work performed and the standards applied;
c) whether the work performed provided sufficient, appropriate audit evidence as
a basis for an opinion on compliance.
61. Public sector auditors express an opinion on compliance. When the opinion on
compliance is incorporated in the auditor's report on the financial statements, the
compliance opinion is clearly set apart from the opinion on the financial statements.
62. When public sector auditors conclude that the activities, financial transactions and
information reflected in the financial statements are, in all material respects, in
compliance with the authorities which govern them, an unqualified opinion is expressed.
Modified Compliance Opinions
63. When public sector auditors conclude that there are material compliance deviations, the
opinion expressed is either:
a) qualified (if compliance deviations are material, but not pervasive, or if public
sector auditors are unable to obtain sufficient, appropriate audit evidence, and
the possible effects are material, but not pervasive); or
b) adverse (if compliance deviations are material and pervasive).
64. When public sector auditors are unable to obtain sufficient, appropriate audit evidence on
compliance with authorities, and the possible effects are material and pervasive, public
sector auditors disclaim an opinion on compliance.
65. When the compliance opinion is modified, public sector auditors consider the wider
implications for the financial statements as a whole and for the auditor's report thereon.
Emphasis of Matter and Other Matters Paragraphs
Exposure Draft Compliance Audit Guidelines
Page 13 of 15
INTOSAI Compliance Audit Subcommittee
66. Public sector auditors may conclude that there is a need to elaborate on particular matters
which are not expressly covered in the compliance opinion. For example, this may be
relevant in regard to specific instances of non-compliance with general principles for
sound public sector financial management or public expectations in regard to the actions
and behaviour of public sector officials. In these circumstances, public sector auditors
consider if appropriate disclosure in the auditor's report is possible through the use of an:
a) Emphasis of Matters paragraph (when the matter is presented and disclosed in
the financial statements and is not materially misstated); or an
b) Other Matters paragraph (for matters other than those presented and disclosed
in the financial statements).
Other Compliance Reports
67. Depending on mandate and legislation, other types of compliance reports may be
appropriate, such as:
a) an opinion stating whether transactions that have come to public sector
auditors' attention in the course of discharging other audit responsibilities were
carried out in compliance with authorities; or
b) reporting on specific instances of non-compliance.
68. In addition to the opinion on compliance included in the auditor's report on the financial
statements, public sector auditors may issue another, more detailed, report on compliance.
Such an additional report on compliance may be appropriate when the opinion is qualified
as a consequence of material non-compliance or where it follows from the mandate for the
SAI's reporting procedures. The purpose of such a report is to provide the legislature, the
audited entity, and/or other bodies as appropriate, with a detailed explanation beyond that
given in the auditor's report on the financial statements. Public sector auditors report such
compliance issues in sufficient detail to enable the legislature or relevant committee to
properly consider these matters.
69. Public sector auditors may issue a report with an opinion on compliance which is separate
from the auditor's report on the financial statements. When such a separate report with an
opinion on compliance is issued, public sector auditors include appropriate references to
the separate report in the auditor's report on the financial statements. Such references
describe that the separate report is an integral part of the public sector audit and is
considered in assessing the results of the audit. When the separate report does not include
an opinion on compliance, the references are modified accordingly.
Reporting the Views of Responsible Officials of the Audited Entity
70. In the interest of fairness and transparency, public sector auditors obtain and report as
appropriate, the views of responsible officials of the audited entity on significant issues.
Such issues may include the established audit criteria or the audit findings.
Exposure Draft Compliance Audit Guidelines
Page 14 of 15
INTOSAI Compliance Audit Subcommittee
Considerations related to the Reporting of Suspected Fraud
71. Due to the nature of fraud, and the inherent limitations of an audit, there is an unavoidable
risk that fraud may occur and not be detected. Fraud may consist of acts designed to
intentionally conceal its existence. There may be collusion between management,
employees or third parties, or falsification of documents. For example, it is not reasonable
to expect public sector auditors to identify forged documentation in support of claims for
grants and benefits, other than obvious forgeries. In addition, public sector auditors may
not have investigative powers or rights of access to individuals or organisations making
such claims.
72. Only a court of law, Court SAIs with the authority to reinforce the law regarding public
officials, or specialized entities, can determine whether a particular transaction is
fraudulent. Although public sector auditors do not legally determine if fraud has occurred,
they do have a responsibility to assess whether the transactions concerned are in
compliance with relevant authorities.
73. When reinforcing the law regarding public officials, decisions taken by Court SAIs are
subject to:
a) due process of law and public hearing;
b) public disclosure;
c) communication to appropriate law enforcement authorities when there is
evidence of a criminal offence.
74. Fraudulent transactions are, by their nature, not in compliance with relevant authorities.
Public sector auditors may also determine that transactions where fraud is suspected, but
not yet proven, are not in compliance with authorities. Fraud which is material normally
results in qualification of the compliance opinion in the auditor's report.
75. If suspicion of fraudulent activity arises during the audit, public sector auditors
communicate to the appropriate levels of management and those charged with
governance. Public sector auditors also report the suspicion to the proper regulatory
bodies for appropriate follow-up and response.
Reporting Considerations for SAIs in a Court of Accounts Environment
76. SAIs of the court type communicate judgements on compliance issues to the appropriate
bodies as required by the SAI's mandate. In addition, Court SAIs may also communicate
remarks of a more general, or informative nature resulting from the audit work to
appropriate officials of the audited entity.
Response to Reported Non-Compliance
77. Public sector auditors consider the need to report on the activities carried out by the
audited entity in response to non-compliance previously reported by the auditors. If a need
for such further reporting is identified, public sector auditors include an assessment of the
activities performed by the entity in a report to the legislature as well as to the audited
entity and/or other appropriate bodies.
Exposure Draft Compliance Audit Guidelines
Page 15 of 15
Download