INTOSAI Compliance Audit Guidelines ISSAI 4100 Exposure Draft June 2007 Exposure Draft INTOSAI Compliance Audit Guidelines ISSAI 4100 Contents I. II. III. IV. V. VI. Introduction .................................................................................................................. 3 Scope of the Guidelines ................................................................................................ 3 Authority of the Guidelines ......................................................................................... 5 Objectives to be achieved ............................................................................................. 5 Definitions ..................................................................................................................... 5 Recommendations ........................................................................................................ 6 Considerations in regard to Audit Criteria ............................................................. 6 Considerations in regard to Quality Control .......................................................... 7 Considerations when Planning and Designing the Audit ..................................... 7 Initial Considerations ......................................................................................... 7 Developing the Audit Strategy and Plan ............................................................ 7 Materiality and Risk Assessments...................................................................... 8 Risk Assessment Considerations in regard to Fraud .......................................... 9 Risk Assessment Considerations in regard to Related Parties ........................... 9 Assessments of Internal Control ...................................................................... 10 Considerations when Performing the Audit ......................................................... 10 Audit Procedures .............................................................................................. 10 Audit Evidence ................................................................................................. 11 Considerations when Evaluating Compliance Deviations ............................... 11 Audit Documentation ....................................................................................... 11 Written Representations from Responsible Officials ....................................... 12 Considering Subsequent Events ....................................................................... 12 Communications............................................................................................... 12 Reporting Considerations...................................................................................... 12 Compliance Opinions as Part of the Auditor's Report on the Financial Statements ........................................................................................................ 13 Other Compliance Reports ............................................................................... 14 Reporting the Views of Responsible Officials of the Audited Entity .............. 14 Considerations related to the Reporting of Suspected Fraud ........................... 15 Reporting Considerations for SAIs in a Court of Accounts Environment ....... 15 Response to Reported Non-Compliance .......................................................... 15 INTOSAI Compliance Audit Subcommittee I. Introduction 1. The full scope of public sector auditing includes financial and performance audit. In the public sector, financial audit comprises the audit of financial statements and aspects related to compliance audit. Compliance audit is interrelated to the audit of financial statements and is typically performed together with the audit of financial statements. As a result, the audit of financial statements in the public sector generally has a broader scope than the audit of financial statements in the private sector. The scope of a compliance audit depends on the mandate of the SAI and the laws and regulations that are relevant to the audited entity. In addition, the approved budget of the audited entity and relevant budgetary legislation are significant in this context. These elements taken together are often a natural starting point for developing the approach to compliance audit. 2. Compliance audit comprises the assessment of whether the activities, financial transactions and information reflected in the financial statements are in accordance with the authorities which govern them. Such authorities may include applicable resolutions of the legislature, including budgetary laws or resolutions, and documented intentions and premises for such, provisions for funds and contracts, grant agreements, etc. In addition, compliance audit is aimed at helping ensure sound public sector financial management and that public funds are collected and used for those purposes approved by the legislature or other appropriate bodies. Furthermore, compliance audit may also include aspects related to public expectations, especially in regard to the actions and behaviour of public sector officials. 3. The Compliance Audit Guidelines provide guidance to support Supreme Audit Institutions (SAIs) and public sector auditors in their work on reporting on compliance with authorities. The Compliance Audit Guidelines are written from the perspective of compliance audit performed together with the audit of financial statements. Separate compliance audits may also be performed, for example audits of procurement or funding arrangements. In such cases the guidelines may be applied, adapted as appropriate in the circumstances. In these cases it is important that public sector auditors understand the subject matter and scope of the audit, the criteria to be applied, relevant materiality considerations and reporting responsibilities. II. Scope of the Guidelines 4. The Compliance Audit Guidelines, together with the Financial Audit Guidelines and Performance Audit Guidelines, constitute the fourth level in the existing hierarchy of standards in INTOSAI, which consists of the Lima Declaration, the Code of Ethics, and the INTOSAI Auditing Standards. 5. The Financial Audit Guidelines consist of relevant International Standards on Auditing (ISAs) issued by IFAC's International Auditing and Assurance Standards Board (IAASB), together with Practice Notes developed by INTOSAI. The Practice Notes outline the applicability of the ISA in public sector auditing, and provide additional guidance on public sector issues. Due to the extended mandate of SAIs, the scope of a financial audit in the public sector is generally broader than an audit of financial statements carried out in accordance with the ISAs. Consequently, a need has been identified for further guidance Exposure Draft Compliance Audit Guidelines Page 3 of 15 INTOSAI Compliance Audit Subcommittee on compliance audit in a SAI context. The Financial Audit Guidelines, together with the Compliance Audit Guidelines, are intended to provide public sector auditors with a comprehensive set of guidelines for audits of financial statements in the public sector. 6. The requirements and application material contained throughout the body of the ISAs are in most cases relevant to the various phases of compliance audit. Therefore references to various ISAs with Practice Notes have been included throughout the Compliance Audit Guidelines. 7. Compliance audit has a broader scope than [Proposed] ISA 250 (Redrafted) The Auditor's Responsibilities Relating to Laws and Regulations in an Audit of Financial Statements. The objective of this ISA is for the auditor to obtain sufficient appropriate audit evidence that the financial statements are not materially misstated due to non-compliance with laws and regulations, and to respond appropriately to identified or suspected non-compliance with laws and regulations. As described in the introduction above, the Compliance Audit Guidelines are intended to provide further guidance on compliance audit from the broader public sector perspective. 8. Although many SAIs include the audit of compliance issues within their concept of an audit of financial statements, some SAIs include compliance audit within their concept of performance audit. Some SAIs regard compliance audit as a separate audit type altogether. In general, elements of compliance audit are normally included in all types of audit. From the perspective of the Financial Audit Guidelines however, requirements of compliance audit and compliance reporting are regarded as related to the audit of the financial statements if the audit opinion on compliance forms part of the auditor's report on the audit of the financial statements. Requirements of compliance audit and a separate opinion on compliance are regarded as related to the audit of the financial statements if the financial statements have been prepared in accordance with a financial reporting framework that includes compliance with laws and regulations. 9. The Compliance Audit Guidelines provide guidance for public sector auditors reporting in the form of reasonable assurance opinions on an entity's compliance with authorities. 10. Depending on the structure of the public sector and the mandate of the SAI, the Compliance Audit Guidelines are relevant to compliance audit at all levels of government, including audits of central government financial statements or the equivalent, audits of public agencies and audits of local government financial statements. Depending on the mandate of the SAI, the guidelines may be relevant to audits of private sector entities when such entities are involved in the management of public services, for instance through partnership arrangements or as recipients of public grants or subsidies. The guidelines are relevant to compliance audit in SAIs representing both the Auditor General system and the Court of Accounts system, but do not cover particularities related to the judgement part of compliance auditing in SAIs of the court type. 11. The audit of compliance with budgetary laws or other relevant budgetary resolutions, includes the audit of state revenues, such as taxes, customs and excise duties, proceeds and sales revenues; and contributions and funding from external sources including international or regional bodies or financial institutions. Exposure Draft Compliance Audit Guidelines Page 4 of 15 INTOSAI Compliance Audit Subcommittee 12. If stipulated in the audit mandate, a SAI may audit the documented budgetary assumptions and premises prior to the applicable resolution of the legislature. 13. References to "compliance audit" throughout this document are understood to be in the context of work carried out by SAIs or for which the SAI is responsible. III. Authority of the Guidelines 14. The Compliance Audit Guidelines provide guidance for compliance audit in the public sector, but do not have a mandatory application within INTOSAI. Each SAI must judge the extent to which the guidelines are compatible with the achievement of its mandate. The guidelines were endorsed by INCOSAI …… (meeting and date). IV. Objectives to be achieved 15. According to [Proposed] ISA 200 (Revised and Redrafted) Overall Objective of the Independent Auditor, and Concepts Relevant to an Audit of Financial Statements, the objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. 16. Depending on the mandate and constitutional role of the SAI, the overall objective of compliance audit is to enable public sector auditors to report to the legislature and/or other bodies as appropriate, on whether the activities, financial transactions and information reflected in the financial statements are, in all material respects, in compliance with the authorities which govern them; and, for SAIs representing the Court of Accounts system, to communicate judgements on such matters to the appropriate bodies. V. Definitions For purposes of these guidelines the following terms have the meanings set out below: 17. Compliance audit – Depending on the mandate of the SAI, an audit of whether the activities, financial transactions, and information – which are reflected in the financial statements of an audited entity, or for which the audited entity, the government, a minister or public officials are accountable – are in accordance with: a) Budgetary laws or the legislature's budgetary or other relevant resolutions or provisions for funds and balances, and documented intentions and premises for such; b) Other relevant laws, regulations and agreements; c) General principles for sound public sector financial management and conduct of public sector officials. 18. Legislature – The law-making authority of a country, for example a Parliament. In the context of compliance audit, the legislature may also include other public sector bodies with authority for budget legislation or resolutions. Exposure Draft Compliance Audit Guidelines Page 5 of 15 INTOSAI Compliance Audit Subcommittee 19. Authorities – Relevant acts or resolutions of the legislature or other statutory instruments, directions and guidance issued by public sector bodies with powers provided for in statute, with which the audited entity is expected to comply. 20. Assertion – a representation by public sector officials, explicit or otherwise, that is embodied in the activities, financial transactions and information pertaining to the audited entity, used by the auditor in considering different types of potential deviations. In the context of compliance audit, the compliance assertion would mean that the entity, including responsible public sector officials, is acting in accordance with applicable authorities and relevant public expectations. 21. Compliance deviation – the audited entity's failure to comply with authorities, including provisions for the use of approved appropriations, funds or balances, terms of contracts and agreements, or with general principles for sound public sector financial management or public expectations in regard to the actions and behaviour of public officials. VI. Recommendations Considerations in regard to Audit Criteria 22. Audit criteria are benchmarks or standards against which the subject matter of the audit can be assessed. Compliance audit criteria can be formal, as for example the applicable law, regulation or contract, or less formal, as for example documented intentions or premises for resolutions of the legislature, general principles for sound public sector financial management or public expectations in regard to the actions and behaviour of public officials. 23. Public sector auditors establish suitable audit criteria that are relevant to the particular audit and free from any bias on their part or on the part of the audited entity. Suitable criteria result in reasonably consistent assessments when used in similar circumstances by another auditor. This is of particular importance when the compliance audit is based on less formal audit criteria. Furthermore, suitable criteria are understandable and sufficient for the intended purpose. 24. In establishing audit criteria for compliance audit, public sector auditors consider: a) Documents of the legislature related to budgetary laws or resolutions, and to the premises or particular provisions for use of approved appropriations, or for financial transactions, funds and balances; b) Other relevant laws, regulations and agreements of a general nature or particular to the audited entity or similar entities; c) Written or unwritten principles for sound public sector financial management and conduct of public sector officials. Principles of conduct may arise from the legislature's or public expectations regarding the behaviour of public sector officials, and may be documented in only fragmentary ways. They may, in some cases, only be defined as a result of their breach. Exposure Draft Compliance Audit Guidelines Page 6 of 15 INTOSAI Compliance Audit Subcommittee 25. In situations where the audit criteria are less formal, the SAI may encourage the appropriate bodies to formulate clearly the general principles to be followed in public sector entities. 26. Public sector auditors make the audit criteria available to the audited entity and other appropriate bodies. Considerations in regard to Quality Control 27. Public sector auditors consider the requirements of [Proposed] ISA 220 (Redrafted) Quality Control for Audits of Historical Financial Information together with the guidance provided in the Practice Note. Public sector auditors carry out compliance audits in accordance with applicable ethical and professional standards. Furthermore, public sector auditors satisfy themselves that the audit team carrying out the work collectively has the appropriate knowledge and skills, and that the work of the team is appropriately directed, supervised and reviewed. Considerations when Planning and Designing the Audit Initial Considerations 28. Where relevant, public sector auditors consider the requirements of [Proposed] ISA 210 (Redrafted) Terms of Audit Engagements together with the guidance provided in the Practice Note. Developing the Audit Strategy and Plan 29. Public sector auditors consider the requirements of ISA 300 (Redrafted) Planning an Audit of Financial Statements together with the guidance provided by the Practice Note. In establishing the overall audit strategy for the compliance audit, public sector auditors also: a) Determine the scope and characteristics of the compliance audit, taking into account the mandate of the SAI and the elements contained in the definition of compliance audit; b) Obtain a general understanding of the legal, regulatory and appropriations framework applicable to the scope of the audit and to the audited entity; c) Obtain an understanding of management's assessment of applicable laws and regulations including management's internal controls that help ensure compliance with authorities. d) Obtain an understanding of significant contracts or grant agreements that may be relevant; Exposure Draft Compliance Audit Guidelines Page 7 of 15 INTOSAI Compliance Audit Subcommittee e) Obtain an understanding of relevant principles of sound public sector financial management and expectations regarding the conduct of public sector officials; f) Consider the results of earlier financial, compliance or performance audits of the audited entity or comparable entities, and other matters relevant to planning the compliance audit; g) Consider the reporting requirements of the compliance audit of the audited entity; h) Ascertain the resources needed to perform the audit, perhaps including use of the work of internal audit or the work of experts. 30. Based on the overall audit strategy, public sector auditors develop an audit plan for the compliance audit that includes: a) A description of audit criteria related to the scope and characteristics of the compliance audit and to the legal, regulatory and appropriations framework; b) A description of the nature, timing and extent of planned risk assessment procedures sufficient to assess the risks of non-compliance, related to the various audit criteria; c) A description of the nature, timing and extent of planned further audit procedures, related to the various compliance audit criteria. Materiality and Risk Assessments 31. Public sector auditors consider the requirements of [Proposed] ISA 320 (Revised and Redrafted) Materiality in Planning and Performing an Audit and ISA 315 (Redrafted) Identifying and Assessing the Risks of Material Misstatement Through Understanding the Entity and Its Environment together with the guidance provided in the Practice Notes. 32. Where specific authorities govern the activities, financial transactions and information reflected in the financial statements of an audited entity, public sector auditors plan and perform procedures to determine whether in all material respects the activities, transactions and information comply with those authorities. 33. Materiality affects both the way in which public sector auditors plan and design the compliance audit and how public sector auditors evaluate and report the results of the audit. The principles and procedures applied to obtain sufficient appropriate audit evidence to support an opinion or conclusion on compliance are the same as those applied to the audit of any other financial statement assertion. There may however be particular considerations in respect of the auditor's assessment of materiality, risk and the design of audit procedures in relation to compliance audit. 34. In planning compliance audit, public sector auditors may often set lower materiality levels than would be the case for an audit of financial statements. This is due to a variety of factors such as the public accountability of government entities, legal and regulatory requirements, the visibility and sensitivity of programs, public expectations and other Exposure Draft Compliance Audit Guidelines Page 8 of 15 INTOSAI Compliance Audit Subcommittee qualitative aspects. 35. In assessing risk, public sector auditors consider the possibility that an inappropriate conclusion or audit opinion will be given on compliance with authorities. Audit risk in the compliance context is a function of the risk of material non-compliance and the risk that public sector auditors will not detect such non-compliance (detection risk). The risk of material non-compliance at the assertion level consists of inherent risk and control risk. 36. To assess the inherent risk of non-compliance, public sector auditors use judgement to evaluate a range of factors, e.g. related to the complexity of, or changes in, relevant laws and regulations, including the documented intentions and premises for such laws and regulations. Control risk in the context of compliance audit is the risk that non-compliance would not be prevented, or detected, by the entity's own control systems. 37. Where public sector auditors expect to be able to rely on the internal controls to reduce the extent of substantive compliance audit procedures, public sector auditors make a preliminary assessment of control risk and plan and perform tests of compliance-related controls to support the preliminary assessment. Risk Assessment Considerations in regard to Fraud 38. Public sector auditors consider the requirements in relation to fraud as set out in ISA 240 (Redrafted) The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements together with the guidance in the Practice Note. In the public sector, assessments of materiality in relation to fraud may not be restricted to risks of material misstatements in the financial statements, as is the main focus of ISA 240, but relate to fraud risks in the context of the broader scope of public sector auditing. Examples of areas which may typically give rise to fraud risks and where public sector auditors are alert in performing risk assessments include: a) Grants and benefits to third parties; b) Procurement; c) Exercise of public officials' duties and power; d) Intentional misstatement or misrepresentation of results or information; e) Privatization of government entities. Risk Assessment Considerations in regard to Related Parties 39. Public sector auditors consider the requirements of [Proposed] ISA 550 (Revised and Redrafted) Related Parties together with the guidance in the Practice Note. Authorities may set out specific requirements related to the conduct of business with related parties. Public sector auditors address the risks of non-compliance with such authorities. Public sector auditors also determine if there are specific reporting requirements for related party relationships and transactions. Exposure Draft Compliance Audit Guidelines Page 9 of 15 INTOSAI Compliance Audit Subcommittee Assessments of Internal Control 40. Public sector auditors obtain an understanding of the audited entity's internal control relevant to the compliance audit. In some cases internal control requirements may be specifically set out in laws and regulations. They may also be established in general principles for sound public sector financial management. In addition to addressing any specific requirements, public sector auditors perform assessments of internal control relevant to planning and designing compliance audit as would be the case for internal control related to any other aspect of the audit of the financial statements. Considerations when Performing the Audit Audit Procedures 41. Public sector auditors consider the requirements of ISA 330 (Redrafted) The Auditor's Responses to Assessed Risks together with the guidance provided in the Practice Note. 42. Audit procedures designed to test compliance will usually be based on a mix of tests of controls and substantive audit procedures. Public sector auditors may seek to reduce the extent of substantive procedures where satisfactory evidence as to the effectiveness of the entity's internal control systems has been obtained. 43. In addition to assessments of internal control relevant to planning and designing compliance audit, public sector auditors also test elements of internal control in performing compliance audit. When public sector auditors conclude that the controls designed to help ensure compliance are not effective, public sector auditors do not rely on them, but perform additional procedures as necessary. 44. Public sector auditors design and perform substantive procedures to evaluate compliance, in particular for those elements that are deemed to be material in the context of the audit. The extent of substantive procedures performed will depend on the auditors' assessments of control risk and on any evidence obtained relating directly to compliance or noncompliance provided by tests of controls. The characteristics of the substantive compliance procedures performed will depend on the particular audit criteria. 45. In determining whether individually material items require detailed testing, public sector auditors take into account the assessment of inherent and control risk. In some unusual circumstances the auditors' assessment of risk may necessitate that all individually material transactions are compliance tested. 46. Analytical procedures may in certain circumstances assist public sector auditors in evaluating compliance. For example, where allowances under a grants scheme are subject to a maximum value and the number of recipients is known, public sector auditors may use analytical procedures to identify whether the permitted maximum may have been breached. Analytical procedures on their own are, however, unlikely to provide public sector auditors with sufficient appropriate audit evidence in support of compliance. Further guidance on performing analytical procedures is set out in ISA 520 Analytical Exposure Draft Compliance Audit Guidelines Page 10 of 15 INTOSAI Compliance Audit Subcommittee Procedures, together with the guidance provided in the Practice Note. Audit Evidence 47. Public sector auditors consider the requirements of [Proposed] ISA 500 (Redrafted) Audit Evidence, together with the guidance provided in the Practice Note. 48. The concept of materiality applies to assertions in relation to compliance audit as to the other assertions in relation to the audit of financial statements. Public sector auditors therefore obtain sufficient appropriate audit evidence to conclude with reasonable assurance and express an opinion on whether the activities, financial transactions and information reflected in the financial statements comply with the authorities which govern them 'in all material respects'. Due to the inherent limitations of an audit, public sector auditors cannot be expected to detect all occurrences of non-compliance through the audit work. 49. Public sector auditors use professional judgement and exercise professional scepticism in evaluating the sufficiency and appropriateness of evidence obtained and in concluding with reasonable assurance. Public sector auditors consider the validity, reliability and consistency of the audit evidence obtained, particularly when the audit criteria are less formal. Considerations when Evaluating Compliance Deviations 50. When evaluating the audit evidence obtained, and assessing any compliance deviations, public sector auditors consider the requirements of [Proposed] ISA 450 (Redrafted) Evaluation of Misstatements Identified during the Audit, together with the guidance in the Practice Note. 51. Public sector auditors' assessment of what represents a material compliance deviation is a matter of judgement and includes considerations of context as well as quantitative aspects (size) and qualitative aspects (nature) of the transactions or issues concerned. For example, public sector auditors consider the needs and expectations of the legislature and other users of the audit report, the nature of the relevant authorities and the extent or monetary value of the non-compliance. Audit Documentation 52. Public sector auditors consider the requirements of [Proposed] ISA 230 (Redrafted) Audit Documentation, together with the guidance in the Practice Note. Public sector auditors prepare and maintain compliance audit documentation which contains sufficient information to enable an experienced auditor, who has had no previous connection with the audit, to ascertain from the audit documentation the evidence that supports the significant judgements made and conclusions reached. Public sector auditors prepare audit documentation that contains the established audit criteria, and support for findings, conclusions and recommendations before the auditor's opinion or separate compliance Exposure Draft Compliance Audit Guidelines Page 11 of 15 INTOSAI Compliance Audit Subcommittee report is issued. Written Representations from Responsible Officials 53. Public sector auditors consider the requirements of [Proposed] ISA 580 (Revised and Redrafted) Written Representations, together with the guidance in the Practice Note. To corroborate evidence obtained, public sector auditors obtain written representations from responsible officials of the audited entity as necessary. Such representations may state that all relevant information has been made available to public sector auditors and that, to the best of the officials' knowledge and belief, the activities, financial transactions and information reflected in the financial statements of the entity are in compliance with the authorities which govern them. Considering Subsequent Events 54. Public sector auditors consider the requirements of [Proposed] ISA 560 (Redrafted) Subsequent Events, together with the guidance in the Practice Note. Public sector auditors perform audit procedures to determine if there are events occurring after the end of the reporting period and up until the date of the auditor's report that may result in material non-compliance and respond as appropriate in the circumstances. Communications 55. Public sector auditors consider the requirements of [Proposed] ISA 260 (Revised and Redrafted) Communication with Those Charged with Governance, together with the guidance in the Practice Note. Public sector auditors communicate on a timely basis to those charged with governance identified instances of material or other non-compliance arising from the audit that are relevant to their responsibilities in overseeing the activities and financial reporting of the entity. Reporting Considerations 56. Public sector auditors consider the requirements of [Proposed] ISA 700 (Redrafted) The Independent Auditor's Report on a Complete Set of General Purpose Financial Statements, [Proposed] ISA 705 (Redrafted) Modifications to the Opinion in the Independent Auditor's Report, [Proposed] ISA 706 (Redrafted) Emphasis of Matter Paragraphs and Other Matter(s) Paragraphs in the Independent Auditor's Report and [Proposed] ISA 800 (Revised and Redrafted) Special Considerations – Audits of Special Purpose Financial Statements and Specific Elements, Accounts or Items of a Financial Statement together with the guidance in the Practice Notes. 57. The form of the compliance audit report depends on the mandate of the SAI, applicable legislation or regulation and the complexity of the reported issues. Furthermore, the form of the report depends on the intended recipients, including whether the report is to be submitted to the legislature or other bodies, or to third parties such as donor organizations, Exposure Draft Compliance Audit Guidelines Page 12 of 15 INTOSAI Compliance Audit Subcommittee international or regional bodies or financial institutions. 58. A SAI may, according to its mandate, be required to report to the legislature on significant compliance issues related to: a) the overall central government financial statements or the equivalent; b) individual central government or similar entities; or c) other areas for which the government, a minister or public sector officials are accountable. 59. Reporting on compliance with authorities may be incorporated as a compliance opinion in the auditor's report on the financial statements, or a separate compliance audit report may be issued. Compliance Opinions as Part of the Auditor's Report on the Financial Statements 60. Public sector auditors include, in the relevant sections of the auditor's report, appropriate descriptions of: a) the responsibilities of management and of the auditor as they relate to compliance with authorities; b) the scope of work performed and the standards applied; c) whether the work performed provided sufficient, appropriate audit evidence as a basis for an opinion on compliance. 61. Public sector auditors express an opinion on compliance. When the opinion on compliance is incorporated in the auditor's report on the financial statements, the compliance opinion is clearly set apart from the opinion on the financial statements. 62. When public sector auditors conclude that the activities, financial transactions and information reflected in the financial statements are, in all material respects, in compliance with the authorities which govern them, an unqualified opinion is expressed. Modified Compliance Opinions 63. When public sector auditors conclude that there are material compliance deviations, the opinion expressed is either: a) qualified (if compliance deviations are material, but not pervasive, or if public sector auditors are unable to obtain sufficient, appropriate audit evidence, and the possible effects are material, but not pervasive); or b) adverse (if compliance deviations are material and pervasive). 64. When public sector auditors are unable to obtain sufficient, appropriate audit evidence on compliance with authorities, and the possible effects are material and pervasive, public sector auditors disclaim an opinion on compliance. 65. When the compliance opinion is modified, public sector auditors consider the wider implications for the financial statements as a whole and for the auditor's report thereon. Emphasis of Matter and Other Matters Paragraphs Exposure Draft Compliance Audit Guidelines Page 13 of 15 INTOSAI Compliance Audit Subcommittee 66. Public sector auditors may conclude that there is a need to elaborate on particular matters which are not expressly covered in the compliance opinion. For example, this may be relevant in regard to specific instances of non-compliance with general principles for sound public sector financial management or public expectations in regard to the actions and behaviour of public sector officials. In these circumstances, public sector auditors consider if appropriate disclosure in the auditor's report is possible through the use of an: a) Emphasis of Matters paragraph (when the matter is presented and disclosed in the financial statements and is not materially misstated); or an b) Other Matters paragraph (for matters other than those presented and disclosed in the financial statements). Other Compliance Reports 67. Depending on mandate and legislation, other types of compliance reports may be appropriate, such as: a) an opinion stating whether transactions that have come to public sector auditors' attention in the course of discharging other audit responsibilities were carried out in compliance with authorities; or b) reporting on specific instances of non-compliance. 68. In addition to the opinion on compliance included in the auditor's report on the financial statements, public sector auditors may issue another, more detailed, report on compliance. Such an additional report on compliance may be appropriate when the opinion is qualified as a consequence of material non-compliance or where it follows from the mandate for the SAI's reporting procedures. The purpose of such a report is to provide the legislature, the audited entity, and/or other bodies as appropriate, with a detailed explanation beyond that given in the auditor's report on the financial statements. Public sector auditors report such compliance issues in sufficient detail to enable the legislature or relevant committee to properly consider these matters. 69. Public sector auditors may issue a report with an opinion on compliance which is separate from the auditor's report on the financial statements. When such a separate report with an opinion on compliance is issued, public sector auditors include appropriate references to the separate report in the auditor's report on the financial statements. Such references describe that the separate report is an integral part of the public sector audit and is considered in assessing the results of the audit. When the separate report does not include an opinion on compliance, the references are modified accordingly. Reporting the Views of Responsible Officials of the Audited Entity 70. In the interest of fairness and transparency, public sector auditors obtain and report as appropriate, the views of responsible officials of the audited entity on significant issues. Such issues may include the established audit criteria or the audit findings. Exposure Draft Compliance Audit Guidelines Page 14 of 15 INTOSAI Compliance Audit Subcommittee Considerations related to the Reporting of Suspected Fraud 71. Due to the nature of fraud, and the inherent limitations of an audit, there is an unavoidable risk that fraud may occur and not be detected. Fraud may consist of acts designed to intentionally conceal its existence. There may be collusion between management, employees or third parties, or falsification of documents. For example, it is not reasonable to expect public sector auditors to identify forged documentation in support of claims for grants and benefits, other than obvious forgeries. In addition, public sector auditors may not have investigative powers or rights of access to individuals or organisations making such claims. 72. Only a court of law, Court SAIs with the authority to reinforce the law regarding public officials, or specialized entities, can determine whether a particular transaction is fraudulent. Although public sector auditors do not legally determine if fraud has occurred, they do have a responsibility to assess whether the transactions concerned are in compliance with relevant authorities. 73. When reinforcing the law regarding public officials, decisions taken by Court SAIs are subject to: a) due process of law and public hearing; b) public disclosure; c) communication to appropriate law enforcement authorities when there is evidence of a criminal offence. 74. Fraudulent transactions are, by their nature, not in compliance with relevant authorities. Public sector auditors may also determine that transactions where fraud is suspected, but not yet proven, are not in compliance with authorities. Fraud which is material normally results in qualification of the compliance opinion in the auditor's report. 75. If suspicion of fraudulent activity arises during the audit, public sector auditors communicate to the appropriate levels of management and those charged with governance. Public sector auditors also report the suspicion to the proper regulatory bodies for appropriate follow-up and response. Reporting Considerations for SAIs in a Court of Accounts Environment 76. SAIs of the court type communicate judgements on compliance issues to the appropriate bodies as required by the SAI's mandate. In addition, Court SAIs may also communicate remarks of a more general, or informative nature resulting from the audit work to appropriate officials of the audited entity. Response to Reported Non-Compliance 77. Public sector auditors consider the need to report on the activities carried out by the audited entity in response to non-compliance previously reported by the auditors. If a need for such further reporting is identified, public sector auditors include an assessment of the activities performed by the entity in a report to the legislature as well as to the audited entity and/or other appropriate bodies. Exposure Draft Compliance Audit Guidelines Page 15 of 15