Summary note on cross-cutting issues in the exposure comments
In this paper we have briefly tried to summarize the main cross cutting issues from the exposure
comments. The summary is based on those comments that had been marked “Wait/secr”) in the table
we forwarded to you on 19 February.
We have divided these into 10 different lists – concerning different issues (We have allowed some
comments to appear on more than one list).
We hope this will help provide an improved overview
List 1. Assurance
40 of the comments marked “Wait/secr” touch upon the issue of assurance. The comments can be
grouped in two general “camps”: Those emphasizing the importance of the assurance concept and
asking for a more consistent use of the concept across all four drafts and those emphasizing that
SAIs have special role, i.e. in the field of performance audit that makes it difficult to apply the
assurance concept in all cases.
Some issues raised by individual SAIs:
1.1 Emphasizing the general importance of assurance
The ISSAI definition of “audit” should be aligned with IAASB’s definition of assurance engagements
a) References to the levels of assurance are not consistent across the drafts. It should be mentioned
in ISSAI 100 and possibly also in the other drafts
b) Attestation engagements standards should be incorporated in the ISSAI in a manner that applies
beyond compliance audit. Text should be moved from ISSAI 400 to ISSAI 100.
c) The concept of (reasonable) assurance is critical to all audits, including performance auditing, and
ISSAI 300 should reflect this. Each type of audit should include a discussion of assessment of
audit evidence and the provision of assurance.
d) In ISSAI 300 audits that aim to provide assurance have been set apart as non-typical. This is not
acceptable. Legitimate approaches and objectives should be portrayed with an even hand.
1.2 Need to consider the special role of SAIs
e) Some SAIs do not issue an opinion
f) It should be clearly stated in ISSAI 300 that the PA auditor is not normally expected to provide an
overall opinion on the 3 E’s.
g) Are the concepts of direct/attestation engagements and limited/reasonable assurance
fundamental principles of compliance auditing?
h) The forms of compliance auditing (direct / attestation engagements) have no influence on
assurance
i) Important to state that a compliance audit may result in an opinion or in a (non-standardised)
conclusion or report.
j) “Two levels of assurance” in compliance audit should be avoided.
Paragraphs on related to assurance highlighted by the comments:
100
15, 22, 25, 27, 28, 34, 49-50,
200
163
300
2, 5, 7, 30
400
49, 50, 53-56, 74
List 2. Reporting formats / different conclusions
Some issues raised by individual SAIs:
a) Not all SAIs issue opinions
b) The section on reporting should be expanded in ISSI 100 (cf. “old ISSAI 400”) and a more uniform
description of reporting applied in the other 3 drafts
c) Report writing in PA differs from FA and CA – the analysis is done as a part of analytical writing.
This is not done “after the audit procedures”.
NB! We have also asked the individual drafting groups to look at a number of comments regarding
reporting.
List 3. Consistency in the use of key concepts (see separate paper)
A lot of comments stress the need for more consistent use (and definitions) of key concepts in all four
documents, and several comments ask for more simple (less technical) language where it is possible.
See a separate paper - What do we mean by the words we use?
List 4. The SAI’s/auditor’s selection of what to audit (objectives/subject matters/topics)
Some comments reflect that SAIs may select/determine both the subject matters that they audit, the
objectives of the audit and the scope of the audit work.
Some issues raised by individual SAIs:
a) It is important to emphasize that the SAI determine the objectives of the audit and the scope of
the audit work
b) Principles on the selection (based on risks and materiality)
List 5. Relationship between financial, performance and compliance auditing
a) Definitions of the three different types of audit should be taken into ISSAI 100 (extracted from
level 4) and should be consistently described in 200, 300, 400
b) Some confusion regarding the definitions of legality and regularity and how they relate to the
definitions of FA, PA, CA
c) Some confusion and different perspectives regarding the definitions of subject matter in the
three areas of auditing
d) Reporting in performance audit is different from FA and CA – writing is a part of the analytical
process not something done after completing the audit procedures
e) The definition of scope in compliance audit should be amended (400/42) – the way it is
formulated at present seems to say that any audit of subject matter information is a
compliance audit
List 6. The structure of the package (outline, level of detail, repetitions)
A large number of SAIs ask for a more similar structure of ISSAI 100 – 400.
Some issues are raised by individual SAIs:
a)
b)
c)
d)
e)
f)
Same headlines (table of content),
Same order/sequencing of principles and different subjects
Consistent use of terminology
Level of detail
Length
Should the documents be stand-alone or build on ISSAI 100? – there is a substantial amount of
repetition at present – both between the documents and in the separate documents
g) Key concepts common for all audit areas (quality control, professional judgment, documentation,
fraud) should be addressed primarily in ISSAI 100 and only referenced to in the other level 3
drafts if necessary
h) Some of the language (level of detail) would be better suited to level 4 – level 3 should be the
core and the detailed operational guidelines should be in level 4. (example ISSAI 200 – materiality
and reporting)
i) A number of suggested text reductions, especially to ISSAI 200 and ISSAI 400
List 7. Re. level 2 of the ISSAI framework
a) A number of SAIs asks for a more consistent reference to level 2.
b) Some ask for a more elaborate description of quality control at engagement level or quality control
systems in general
List 8. Authority
Comments reflects a general appreciation that the authority of level 3 and references to ISSAIs is
clarified and support for the overall solution
Some issues are raised by individual SAIs:
a) a number of suggestions to apply the general ‘read 100 in conjunction’-solution and avoid
duplication of the authority section in ISSAIs 200, 300 and 400.
b) some asks for a simpler use of language in the section in 100
c) proposals to explain the expression ‘authoritative auditing standards as well as to clarify that
some SAIs issue auditing standards
d) some uncertainty over whether it is possible to refer to ISSAI 100 only (and ignore 200,300 and
400)
e) one mentioning that guidelines at level 4 are not yet fit for being applied as standards
f) inconsistencies between 100 and 200 regarding ISAs (emphasizing that unless it is a
compliance/performance ISSAIs and ISAs is the same)
g) a proposal that the preference in the ISSAIs must be for referring to ISSAIs rather than ISAs
h) a proposal to take out the possibility to ‘communicate in a more general form’ as an alternative to
including the statement on standards in each single report
i) suggestion to include language on what to do if some (relevant) principles are deviated from
(reflecting that especially ISSAI 200 is too detailed)
j) some points out that the reality in performance auditing may be that no standards exists and
suggests that the principles in themselves may be valuable as a basis for internal quality control
k) confusion over audit report/auditor’s report
List 9. Other comments on language
a) Need to simplify the language used whenever possible (will also greatly facilitate translation)
b) The level 3 ISSAIs should be reviewed to identify inconsistencies
c) Some editing of language (i.e. English / American) is needed
d) Some language is better suited for level 4 (detailed operational guidelines)
e) A few specific issues - auditor/auditors
List 10. Additional comments
(3 comments that can perhaps be dealt with by the respective drafting groups)