INTOSAI Standards are issued by the International
Organisation of Supreme Audit Institutions, INTOSAI, as part of
the INTOSAI Framework of Professional Pronouncements.
For more information visit www.issai.org
ISSAI
INTOSAI
100
Fundamental Principles of Public-Sector Auditing
INTOSAI
INTOSAI, 20191) EndorsedasBasicPrinciplesinGovernmentAuditingin20012) RevisedandrenamedFundamentalPrinciplesofPublic-SectorAuditingin 20133) With the establishment of the Intosai Framework of Professional Pronouncements(IFPP),editorialchangesweremadein2019
ISSAI100isavailableinallINTOSAIofficiallanguages:Arabic,English,French,German and Spanish
TABLE OF CONTENTS
1. INTRODUCTION 4
2. PURPOSE AND AUTHORITY OF THE ISSAIS 6
3. FRAMEWORK FOR PUBLIC-SECTOR AUDITING 9
Mandate 9
Public-sector auditing and its objectives 10
Types of public-sector audit 11
4. ELEMENTS OF PUBLIC-SECTOR AUDITING 13
The three parties 13
Subject matter, criteria and subject matter information 14
Types of engagement 15
Confidence and assurance in public-sector auditing 16
5. PRINCIPLES OF PUBLIC-SECTOR AUDITING 18
Organisational requirements 19
General principles 20
Principles related to the audit process 24
4
INTRODUCTION
1) Professionalstandardsandguidelinesareessentialforthecredibility,qualityandprofessionalismofpublic-sectorauditing.The International Standardsof Supreme Audit Institutions (ISSAIs) developed by the InternationalOrganisation of Supreme Audit Institutions (INTOSAI) aim to promoteindependentandeffectiveauditingbysupremeauditinstitutions(SAIs).
2) The ISSAIs support the members of INTOSAI in the development of their own professionalapproachinaccordancewiththeirmandatesandwithnationallawsandregulations.
3) The ISSAIs form part of the INTOSAI Framwork of Professional Pronouncements (IFPP). Within this framework, the INTOSAI Principles(INTOSAI-P)containtheframework’sfoundingprinciplesandcoreprinciplesthatsetoutprerequisitiesfortheproperfunctioningofSAIs.TheInternationalStandardsofSupremeAuditInstitutions(ISSAIs)addresstheconductofauditsand includegenerally-recognisedprofessionalprinciples thatunderpintheeffectiveandindependentauditingofpublic-sectorentities.
4) INTOSAIGuidance(GUIDs)alsoformpartoftheIFPP.Theyprovideguidanceto support SAIs and individual auditors in enchancing organizationalperformanceandimplementingandapplyingtheISSAIsinpractice.
5) The ISSAI 100 - Fundamental Principles of Public-Sector Auditing draw and elaborate on INTOSAI-P 1 The Lima Declarationandprovideanauthoritativeinternationalframeofreferencedefiningpublic-sectorauditing.ThefullsetofISSAIsisbasedontheseprinciples.
1
5
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
6) ISSAI 100 Fundamental Principles of Public-Sector Auditing provides detailed informationon:
• thepurposeandauthorityoftheISSAIs;
• theframeworkforpublic-sectorauditing;
• theelementsofpublic-sectorauditing;
• theprinciplestobeappliedinpublic-sectorauditing.
6
PURPOSE AND AUTHORITY OF THE ISSAIS
7) ISSAI 100 Fundamental Principles of Public-Sector Auditing establishes fundamental principles which are applicable to all public-sector audit engagements,irrespectiveoftheirformorcontext.ISSAI 200 Financial Audit Principles, ISSAI 300 Performance Audit Principles and ISSAI 400 Compliance Audit Principles build on and further develop the principles to be applied in thecontextoffinancial,performanceandcomplianceauditingrespectively.TheyshouldbeappliedinconjunctionwiththeprinciplessetoutinISSAI100.Theprinciplesinnowayoverridenationallaws,regulationsormandatesorpreventSAIsfromcarryingoutinvestigations,reviewsorotherengagementswhicharenotspecificallycoveredbytheexistingISSAIs.
8) The Fundamental Principles of Public-Sector Auditing (ISSAI 100) and the Financial,PerformanceandComplianceAuditingPrinciples1thatflowfromthiscanbeusedtoestablishauthoritativestandardsinthreeways:
• asabasisonwhichSAIscandevelopstandards;
• asabasisfortheadoptionofconsistentnationalstandards;
• asabasisforadoptionoftheISSAIs.
SAIsmaychoosetocompileasinglestandard-settingdocument,aseriesofsuchdocumentsoracombinationofstandard-settingandotherauthoritativedocuments.
1 ISSAIs 200, 300 and 400
2
7
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
SAIsshoulddeclarewhichstandardstheyapplywhenconductingaudits,andthisdeclarationshouldbeaccessibletousersoftheSAI’sreports.Wherethestandardsarebasedonseveralsourcestakentogether,thisshouldalsobestated. SAIs are encouraged tomake such declarations part of their auditreports;however,amoregeneralformofcommunicationmaybeused.
9) AnSAImaydeclarethatthestandardsithasdevelopedoradoptedarebasedonorareconsistentwiththeprinciplesoftheISSAIsonlyifthestandardsfullycomplywithallrelevantprinciplesinISSAIs100,200,300and400.
Audit reportsmay include a reference to the fact that the standards usedwere based on or consistent with the ISSAI or ISSAIs relevant to the audit work carriedout.Suchreferencemaybemadebystating:
… We conducted our audit[s] in accordance with [standards], which are based on [or consistent with] ISSAI 100 Fundamental Principles of Public-Sector Auditing [and the principles of ISSAI 200 Financial Audit Principles / ISSAI 300 Performance Audit Principles / ISSAI 400 Compliance Audit Principles] of the International Standards of Supreme Audit Institutions.
In order to properly adopt or develop auditing standards based on theseauditing principles, an understanding of the entire text of theprinciples isnecessary.Toachievethis,itmaybehelpfultoconsulttherelevantfinancialaudit standards (ISSAIs 2000-2899), performance audit standards (ISSAIs 3000-3899)andcomplianceauditstandards(ISSAIs4000-4899).
10) SAIsmaychoosetoadopttheISSAIsastheirauthoritativestandards.InsuchcasestheauditormustcomplywithallISSAIsrelevanttotheaudit.ReferencetotheISSAIsappliedmaybemadebystating:
…We conducted our audit[s] in accordance with the International Standards of Supreme Audit Institutions (ISSAIs).
Inordertoenhancetransparency,thestatementmayfurtherspecifywhichauditing standardswithin the ISSAIs2000-4899 theauditorhas consideredrelevantandapplied.Thismaybedonebyaddingthefollowingphrase:
The audit[s] was [were] based on ISSAI[s] xxx [number and name of the ISSAI or range of ISSAIs].
8
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
11) The International Standards on Auditing (ISAs) issued by the InternationalFederationofAccountants(IFAC)areincorporatedintotheINTOSAIfinancialaudit standards (ISSAIs 2000-2899). In financial audits, reference maythereforebemadeeithertotheISSAIsortotheISAs.TheISSAIsmayprovideadditionalpublic-sectorapplicationmaterial,buttherequirementsupontheauditorinfinancialauditsarethesame.TheISAsconstituteanindivisiblesetofstandardsandtheISSAIsinwhichtheyareincorporatedmaynotbereferredtoindividually.IftheISSAIsortheISAshavebeenadoptedastheSAI’sstandardsforfinancialaudits,theauditor’sreportshouldincludeareferencetothosestandards.Thisappliesequallytofinancialauditsconductedincombinationwithothertypesofaudit.
12) AuditsmaybeconductedinaccordancewithboththeISSAIsandstandardsfrom other sources provided that no contradictions arise. In such casesreference should be made both to the ISSAIs and to the other standards concerned.
9
FRAMEWORK FORPUBLIC-SECTOR AUDITING
Mandate
13) An SAI will exercise its public-sector audit function within a specificconstitutionalarrangementandbyvirtueof itsofficeandmandate,whichensure sufficient independence andpower of discretion in performing itsduties.ThemandateofanSAImaydefineitsgeneralresponsibilitiesinthefieldofpublic-sectorauditingandprovidefurtherprescriptionsconcerningtheauditsandotherengagementstobeperformed.
14) SAIsmaybemandatedtoperformmanytypesofengagementsonanysubjectofrelevancetotheresponsibilitiesofmanagementandthosechargedwithgovernanceandtheappropriateuseofpublicfundsandassets.TheextentorformoftheseengagementsandthereportingthereonwillvaryaccordingtothelegislatedmandateoftheSAIconcerned.
15) Incertaincountries,theSAIisacourt,composedofjudges,withauthorityoverStateaccountantsandotherpublicofficialswhomustrenderaccounttoit.Thereexistsanimportantrelationshipbetweenthisjurisdictionalauthorityandthecharacteristicsofpublic-sectorauditing.ThejurisdictionalfunctionrequirestheSAItoensurethatwhoeverischargedwithdealingwithpublicfundsisheldaccountableand,inthisregard,issubjecttoitsjurisdiction.
16) AnSAImaymakestrategicdecisionsinordertorespondtotherequirementsin its mandate and other legislative requirements. Such decisions mayincludewhichauditingstandardsareapplicable,whichengagementswillbe
3
10
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
conductedandhowtheywillbeprioritised.
Public-sector auditing and its objectives
17) Thepublic-sectorauditenvironmentisthatinwhichgovernmentsandotherpublic-sectorentitiesexerciseresponsibilityfortheuseofresourcesderivedfrom taxation andother sources in the delivery of services to citizens andother recipients.Theseentitiesareaccountable for theirmanagementandperformance, and for the use of resources, both to those that provide the resources and to those, including citizens, who depend on the servicesdeliveredusingthoseresources.Public-sectorauditinghelpstocreatesuitableconditionsandreinforcetheexpectationthatpublic-sectorentitiesandpublicservantswill perform their functions effectively, efficiently, ethically and inaccordancewiththeapplicablelawsandregulations.
18) In general public-sector auditing can be described as a systematic processof objectively obtaining and evaluating evidence to determine whetherinformation or actual conditions conform to established criteria. Public-sectorauditingisessentialinthatitprovideslegislativeandoversightbodies,thosechargedwithgovernanceandthegeneralpublicwithinformationandindependent and objective assessments concerning the stewardship andperformanceofgovernmentpolicies,programmesoroperations.
19) SAIsservethisaimasimportantpillarsoftheirnationaldemocraticsystemsandgovernancemechanismsandplayanimportantroleinenhancingpublic-sectoradministrationbyemphasisingtheprinciplesoftransparency,accountability,governanceandperformance. INTOSAIP-20PrinciplesofTransparencyandAccountabilitycontainINTOSAIcoreprinciplesinthisregard.
20) All public-sector audits start from objectives, which may differ dependingon the type of audit being conducted. However, all public-sector auditingcontributestogoodgovernanceby:
• providing the intendeduserswith independent,objectiveand reliableinformation,conclusionsoropinionsbasedonsufficientandappropriateevidencerelatingtopublicentities;
11
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
• enhancing accountability and transparency, encouraging continuousimprovementandsustainedconfidenceintheappropriateuseofpublicfundsandassetsandtheperformanceofpublicadministration;
• reinforcing the effectiveness of those bodieswithin the constitutionalarrangementthatexercisegeneralmonitoringandcorrectivefunctionsovergovernment,andthoseresponsibleforthemanagementofpublicly-fundedactivities;
• creatingincentivesforchangebyprovidingknowledge,comprehensiveanalysisandwell-foundedrecommendationsforimprovement.
21) In general, public-sector audits can be categorised into one or more ofthreemaintypes:auditsoffinancialstatements,auditsofcompliancewithauthorities and performance audits. The objectives of any given auditwilldeterminewhichstandardsapply.
Types of public-sector audit
22) Thethreemaintypesofpublic-sectorauditaredefinedasfollows:
Financial audit focuses on determiningwhether an entity’s financial informationispresented in accordancewith theapplicablefinancial reportingand regulatoryframework. This is accomplished by obtaining sufficient and appropriate auditevidence toenable theauditor toexpressanopinionas towhether thefinancialinformationisfreefrommaterialmisstatementduetofraudorerror.
Performance auditfocusesonwhetherinterventions,programmesandinstitutionsare performing in accordance with the principles of economy, efficiency andeffectivenessandwhetherthereisroomforimprovement.Performanceisexaminedagainstsuitablecriteria,andthecausesofdeviationsfromthosecriteriaorotherproblemsare analysed. Theaim is to answer key audit questions and toproviderecommendationsforimprovement.
Compliance auditfocusesonwhetheraparticularsubjectmatterisincompliancewithauthoritiesidentifiedascriteria.Complianceauditingisperformedbyassessingwhether activities, financial transactions and information are, in all material
12
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
respects,incompliancewiththeauthoritieswhichgoverntheauditedentity.Theseauthoritiesmay includerules, lawsandregulations,budgetaryresolutions,policy,establishedcodes,agreedtermsorthegeneralprinciplesgoverningsoundpublic-sectorfinancialmanagementandtheconductofpublicofficials.
23) SAIsmaycarryoutauditsorotherengagementsonanysubjectofrelevanceto the responsibilitiesofmanagementand those chargedwithgovernanceandtheappropriateuseofpublicresources.Theseengagementsmayincludereportingon thequantitativeoutputsandoutcomesof theentity’s servicedelivery activities, sustainability reports, future resource requirements,adherencetointernalcontrolstandards,real-timeauditsofprojectsorothermatters. SAIs may also conduct combined audits incorporating financial,performanceand/orcomplianceaspects.
13
ELEMENTS OFPUBLIC-SECTOR AUDITING
24) Public-sectorauditingisindispensableforthepublicadministration,asthemanagementofpublicresourcesisamatteroftrust.Responsibilityforthemanagementofpublicresourcesinlinewithintendedpurposesisentrustedtoanentityorpersonwhoactsonbehalfofthepublic.Public-sectorauditingenhances the confidence of the intended users by providing informationand independent and objective assessments concerning deviations fromacceptedstandardsorprinciplesofgoodgovernance.
All public-sector audits have the same basic elements: the auditor, theresponsibleparty,intendedusers(thethreepartiestotheaudit),criteriaforassessingthesubjectmatterandtheresultingsubjectmatterinformation.They can be categorised as two different types of audit engagement:attestationengagementsanddirectreportingengagements.
The three parties
25) Public-sector audits involve at least three separate parties: the auditor,a responsible party and intended users. The relationship between theparties should be viewedwithin the context of the specific constitutionalarrangementsforeachtypeofaudit.
• Theauditor:Inpublic-sectorauditingtheroleofauditorisfulfilledbytheHeadoftheSAIandbypersonstowhomthetaskofconductingtheauditsisdelegated.Theoverallresponsibilityforpublic-sectorauditingremainsasdefinedbytheSAI’smandate.
4
14
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
• The responsible party: In public-sector auditing the relevantresponsibilities are determined by constitutional or legislativearrangement. The responsible parties may be responsible for thesubject matter information, for managing the subject matter or foraddressingrecommendations,andmaybeindividualsororganisations.
• Intended users: The individuals, organisations or classes thereof forwhom theauditorprepares theaudit report. The intendedusersmaybelegislativeoroversightbodies,thosechargedwithgovernanceorthegeneralpublic.
Subject matter, criteria and subject matter information
26) Subjectmatterreferstotheinformation,conditionoractivitythatismeasuredorevaluatedagainstcertaincriteria.Itcantakemanyformsandhavedifferentcharacteristics depending on the audit objective. An appropriate subjectmatteris identifiableandcapableofconsistentevaluationormeasurementagainstthecriteria,suchthatitcanbesubjectedtoproceduresforgatheringsufficient and appropriate audit evidence to support the audit opinion orconclusion.
27) The criteria are thebenchmarksused toevaluate the subjectmatter. Eachaudit should have criteria suitable to the circumstances of that audit. Indetermining the suitability of criteria the auditor considers their relevanceandunderstandabilityfortheintendedusers,aswellastheircompleteness,reliability and objectivity (neutrality, general acceptance and comparabilitywiththecriteriausedinsimilaraudits).Thecriteriausedmaydependonarangeoffactors,includingtheobjectivesandthetypeofaudit.Criteriacanbespecificormoregeneral,andmaybedrawnfromvarioussources,includinglaws,regulations,standards,soundprinciplesandbestpractices.Theyshouldbe made available to the intended users to enable them to understand how thesubjectmatterhasbeenevaluatedormeasured.
28) Subjectmatterinformationreferstotheoutcomeofevaluatingormeasuringthe subject matter against the criteria. It can take many forms and havedifferentcharacteristicsdependingontheauditobjectiveandauditscope.
15
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
Types of engagement
29) Therearetwotypesofengagement:
• Inattestationengagementstheresponsiblepartymeasuresthesubjectmatteragainstthecriteriaandpresentsthesubjectmatterinformation,on which the auditor then gathers sufficient and appropriate auditevidencetoprovideareasonablebasisforexpressingaconclusion.
• In direct reporting engagements it is the auditor who measures orevaluatesthesubjectmatteragainstthecriteria.Theauditorselectsthesubjectmatterandcriteria,takingintoconsiderationriskandmateriality.The outcome of measuring the subject matter against the criteria ispresented in the audit report in the form of findings, conclusions,recommendationsoranopinion. Theauditof the subjectmattermayalsoprovidenewinformation,analysesorinsights.
30) Financial audits are always attestation engagements, as they are basedonfinancialinformationpresentedbytheresponsibleparty.Performanceauditsare normally direct reporting engagements. Compliance audits may beattestationordirectreportingengagements,orbothatonce.ThefollowingconstitutethesubjectmatterorthesubjectmatterinformationinthethreetypesofauditcoveredbytheISSAIs:
a) Financial audit:Thesubjectmatterofafinancialauditisthefinancialposition, performance, cash flow or other elements which arerecognised, measured and presented in financial statements. Thesubjectmatterinformationisthefinancialstatements.
b) Performance audit:Thesubjectmatterofaperformanceauditisdefinedbytheauditobjectivesandauditquestions.Thesubjectmattermaybespecificprogrammes,entitiesorfundsorcertainactivities(withtheiroutputs,outcomesandimpacts),existingsituations(includingcausesand consequences) as well as non-financial or financial informationaboutanyoftheseelements.Theauditormeasuresorevaluatesthe
16
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
subjectmatter toassess theextent towhich theestablished criteriahaveorhavenotbeenmet.
c) Compliance audit:Thesubjectmatterofacomplianceauditisdefinedby the scopeof theaudit. Itmaybeactivities,financial transactionsorinformation.Forattestationengagementsoncomplianceitismorerelevant to focus on the subject matter information, whichmay bea statement of compliance in accordance with an established and standardisedreportingframework.
Confidence and assurance in public-sector auditing
The need for confidence and assurance
31) The intended users will wish to be confident about the reliability andrelevanceoftheinformationwhichtheyuseasthebasisfortakingdecisions.Audits therefore provide information based on sufficient and appropriateevidence,andauditorsshouldperformprocedurestoreduceormanagetherisk of reaching inappropriate conclusions. The level of assurance that canbe provided to the intended user should be communicated in a transparent way.Duetoinherentlimitations,however,auditscanneverprovideabsoluteassurance.
Forms of providing assurance
32) Dependingontheauditandtheusers’needs,assurancecanbecommunicatedintwoways:
• Throughopinions and conclusionswhich explicitly convey the level ofassurance.Thisappliestoallattestationengagementsandcertaindirectreportingengagements.
• Inotherforms.Insomedirectreportingengagementstheauditordoesnot give an explicit statement of assurance on the subjectmatter. Insuchcasestheauditorprovidestheuserswiththenecessarydegreeofconfidencebyexplicitlyexplaininghowfindings,criteriaandconclusions
17
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
were developed in a balanced and reasoned manner, and why thecombinationsoffindingsandcriteriaresultinacertainoverallconclusionorrecommendation.
Levels of assurance
33) Assurancecanbeeitherreasonableorlimited.
Reasonable assurance is high but not absolute. The audit conclusion isexpressed positively, conveying that, in the auditor’s opinion, the subjectmatterisorisnotcompliantinallmaterialrespects,or,whererelevant,thatthesubjectmatterinformationprovidesatrueandfairview,inaccordancewiththeapplicablecriteria.
Whenprovidinglimitedassurance,theauditconclusionstatesthat,basedontheproceduresperformed,nothinghas come to the auditor’s attention tocausetheauditortobelievethatthesubjectmatterisnotincompliancewiththeapplicablecriteria.Theproceduresperformedinalimitedassuranceauditarelimitedcomparedwithwhatisnecessarytoobtainreasonableassurance,butthelevelofassuranceisexpected,intheauditor’sprofessionaljudgement,tobemeaningfultotheintendedusers.Alimitedassurancereportconveysthelimitednatureoftheassuranceprovided.
18
PRINCIPLES OFPUBLIC-SECTOR AUDITING
34) Theprinciplesdetailedbelowarefundamentaltotheconductofanaudit.
Auditingisacumulativeanditerativeprocess.However,forthepurposesof
presentationthe fundamentalprinciplesaregroupedbyprinciples related
totheSAI’sorganisationalrequirements,generalprinciplesthattheauditor
shouldconsiderpriortocommencementandatmorethanonepointduring
theauditandprinciplesrelatedtospecificstepsintheauditprocess.
5
19
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
Areascoveredbytheprinciplesforpublic-sectorauditing
Ethics &Independence
Professional judment, due
care and scepticism
Audit team management
& skills
Quality control
Audit risk Materiality CommunicationDocumentation
Planning the audit Conducting the audit Reporting and follow-up
Establish the terms of the audit
Obtain understanding
Conduct risk assessment of problem analysis
Identify risks of fraud
Develop an audit plan
Prepare a report based on the conclusions reached
Follow up on reported matters as relevant
Perform the planned audit procedures to obtain audit evidence
Evaluate audit evidence and draw conclusions
GENERAL PRINCIPLES
PRINCIPLES RELATED TO THE AUDIT PROCESS
Organisational requirements
35) SAIs should establish and maintain appropriate procedures for ethics and quality control
Each SAI should establish and maintain procedures for ethics and qualitycontrolonanorganisationallevelthatwillprovideitwithreasonableassurance
20
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
thattheSAIanditspersonnelarecomplyingwithprofessionalstandardsandtheapplicableethical,legalandregulatoryrequirements.ISSAI 130 - Code of Ethics and ISSAI 140 - Quality Control for provides principles, requirementsandapplicationmaterialinthisregard.TheexistenceoftheseproceduresatSAIlevelisaprerequisiteforapplyingordevelopingnationalstandardsbasedontheFundamentalAuditingPrinciples.
General principles
Ethics and independence
36) Auditors should comply with the relevant ethical requirements and be independent. Ethical principles should be embodied in an auditor’s professional behaviour. The SAIs should have policies addressing ethicalrequirements and emphasising the need for compliance by each auditor.Auditorsshouldremainindependentsothattheirreportswillbeimpartialandbeseenassuchbytheintendedusers.
Auditors canfind INTOSAICorePrincipleson independence in the INTOSAI P-10 Mexico Declaration on SAI Independence.Thekeyethicalprinciplesofintegrity,independenceandobjectivity,competence,professionalbehaviorandconfidentialityandtransparencyaredefinedin ISSAI 130 Code of Ethics, togetherwithrelatedrequirementsandapplicationmaterial.
Professionaljudgement,duecareandscepticism
37) Auditors should maintain appropriate professional behaviour by applying professional scepticism, professional judgment and due care throughout the audit. The auditor’s attitude should be characterised by professionalscepticismandprofessionaljudgement,whicharetobeappliedwhenformingdecisions about the appropriate courseof action.Auditors should exerciseduecaretoensurethattheirprofessionalbehaviourisappropriate.
Professionalscepticismmeansmaintainingprofessionaldistanceandanalertandquestioningattitudewhenassessingthesufficiencyandappropriatenessofevidenceobtained throughout theaudit. It alsoentails remainingopen-
21
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
mindedandreceptivetoallviewsandarguments.
Professionaljudgementimpliestheapplicationofcollectiveknowledge,skillsandexperiencetotheauditprocess.Duecaremeansthattheauditorshouldplan and conduct audits in a diligent manner. Auditors should avoid anyconductthatmightdiscredittheirwork.
Qualitycontrol
38) Auditors should perform the audit in accordance with professional standards onqualitycontrol
ASAI’squalitycontrolpoliciesandproceduresshouldcomplywithprofessionalstandards,theaimbeingtoensurethatauditsareconductedataconsistentlyhigh level. Quality control procedures should cover matters such as thedirection, review and supervision of the audit process and the need forconsultation inordertoreachdecisionsondifficultorcontentiousmatters.AuditorscanfindfurtherinformationinISSAI 140 Quality Control for SAIs.
Auditteammanagementandskills
39) Auditors should possess or have access to the necessary skills
Theindividualsintheauditteamshouldcollectivelypossesstheknowledge,skills and expertise necessary to successfully complete the audit. Thisincludes an understanding and practical experience of the type of auditbeingconducted,familiaritywiththeapplicablestandardsandlegislation,anunderstandingoftheentity’soperationsandtheabilityandexperienceto exercise professional judgement. Common to all audits is the need torecruitpersonnelwithsuitablequalifications,offerstaffdevelopmentandtraining, prepare manuals and other written guidance and instructionsconcerning the conduct of audits, and assign sufficient audit resources.Auditors shouldmaintain theirprofessional competence throughongoingprofessionaldevelopment.
Where relevant or necessary, and in line with the SAI’s mandate and theapplicablelegislation,theauditormayusetheworkofinternalauditors,otherauditorsorexperts.Theauditor’sproceduresshouldprovideasufficientbasis
22
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
forusingtheworkofothers,andinallcasestheauditorshouldobtainevidenceofotherauditors’orexperts’competenceandindependenceandthequalityoftheworkperformed.However,theSAIhassoleresponsibilityforanyauditopinionorreportitmightproduceonthesubjectmatter;thatresponsibilityisnotreducedbyitsuseofworkdonebyotherparties.
Theobjectivesofinternalauditaredifferentfromthoseofexternalaudit.However, both internal and external audit promote good governancethrough contributions to transparency and accountability for the use ofpublicresources,aswellaseconomy,efficiencyandeffectivenessinpublicadministration.Thisoffersopportunitiesforcoordinationandcooperationandthepossibilityofeliminatingduplicationofeffort.
SomeSAIsusetheworkofotherauditorsatstate,provincial,regional,districtorlocallevel,orofpublicaccountingfirmsthathavecompletedauditworkrelatedtotheauditobjective.Arrangementsshouldbemadetoensurethatany such work was carried out in accordance with public-sector auditingstandards.
Auditsmayrequirespecialisedtechniques,methodsorskillsfromdisciplinesnotavailablewithin theSAI. In suchcasesexpertsmaybeused toprovideknowledgeorcarryoutspecifictasksorforotherpurposes.
Audit risk
40) Auditors should manage the risks of providing a report that is inappropriate in the circumstances of the audit
Theauditriskistheriskthattheauditreportmaybeinappropriate.Theauditorperformsprocedurestoreduceormanagetheriskofreachinginappropriateconclusions,recognisingthatthelimitationsinherenttoallauditsmeanthatanauditcanneverprovideabsolutecertaintyoftheconditionofthesubjectmatter.
Whentheobjective is toprovidereasonableassurance, theauditorshouldreduceauditrisktoanacceptably lowlevelgiventhecircumstancesoftheaudit. The auditmay also aim to provide limited assurance, inwhich case
23
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
theacceptable risk that criteria arenot compliedwith is greater than in areasonable assurance audit. A limited assurance audit provides a level ofassurancethat, intheauditor’sprofessional judgment,willbemeaningfultotheintendedusers.
Materiality
41) Auditors should consider materiality throughout the audit process
Materiality is relevant in all audits. A matter can be judged material ifknowledgeofitwouldbelikelytoinfluencethedecisionsoftheintendedusers.Determiningmaterialityisamatterofprofessionaljudgementanddependson the auditor’s interpretation of the users’ needs. This judgement mayrelatetoanindividualitemortoagroupofitemstakentogether.Materialityis often considered in termsof value, but it alsohas other quantitative aswellasqualitativeaspects.Theinherentcharacteristicsofanitemorgroupofitemsmayrenderamattermaterialbyitsverynature.Amattermayalsobematerialbecauseofthecontextinwhichitoccurs.
Materialityconsiderationsaffectdecisionsconcerningthenature,timingandextentofauditproceduresandtheevaluationofauditresults.Considerationsmay include stakeholder concerns,public interest, regulatory requirementsandconsequencesforsociety.
Documentation
42) Auditors should prepare audit documentation that is sufficiently detailed to provide a clear understanding of the work performed, evidence obtained and conclusions reached
Audit documentation should include an audit strategy and audit plan. Itshould record the procedures performed and evidence obtained and support thecommunicatedresultsoftheaudit.Documentationshouldbesufficientlydetailed toenableanexperiencedauditor,withnopriorknowledgeof theaudit,tounderstandthenature,timing,scopeandresultsoftheproceduresperformed, the evidence obtained in support of the audit conclusions and recommendations,thereasoningbehindallsignificantmattersthatrequiredtheexerciseofprofessionaljudgement,andtherelatedconclusions.
24
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
Communication
43) Auditors should establish effective communication throughout the audit process
Itisessentialthattheauditedentitybekeptinformedofallmattersrelatingto the audit. This is key to developing a constructiveworking relationship.Communication should includeobtaining information relevant to the auditandprovidingmanagementandthosechargedwithgovernancewithtimelyobservations and findings throughout the engagement. The auditor mayalso have a responsibility to communicate audit-related matters to otherstakeholders,suchaslegislativeandoversightbodies.
Principles related to the audit process
Planninganaudit
44) Auditors should ensure that the terms of the audit have been clearly established
Auditsmay be required by statute, requested by a legislative or oversightbody,initiatedbytheSAIorcarriedoutbysimpleagreementwiththeauditedentity. In all cases the auditor, the audited entity’s management, thosechargedwithgovernanceandothersasapplicableshouldreachacommonformalunderstandingofthetermsoftheauditandtheirrespectiverolesandresponsibilities. Important informationmay include the subject, scope andobjectivesof theaudit, access todata, the report thatwill result from theaudit,theauditprocess,contactpersons,andtherolesandresponsibilitiesofthedifferentpartiestotheengagement.
45) Auditors should obtain an understanding of the nature of the entity/programme to be audited
This includes understanding the relevant objectives, operations, regulatoryenvironment, internal controls, financial and other systems and businessprocesses,andresearchingthepotentialsourcesofauditevidence.Knowledge
25
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
canbeobtainedfromregular interactionwithmanagement, thosechargedwithgovernanceandotherrelevantstakeholders.Thismaymeanconsultingexpertsandexaminingdocuments(includingearlierstudiesandothersources)inordertogainabroadunderstandingofthesubjectmattertobeauditedanditscontext.
46) Auditors should conduct a risk assessment or problem analysis and revise this as necessary in response to the audit findings
Thenatureoftherisksidentifiedwillvaryaccordingtotheauditobjective.Theauditorshouldconsiderandassesstheriskofdifferenttypesofdeficiencies,deviationsormisstatementsthatmayoccurinrelationtothesubjectmatter.Bothgeneraland specific risks shouldbeconsidered.This canbeachievedthroughprocedures that serve toobtainanunderstandingof theentityorprogramme and its environment, including the relevant internal controls.The auditor should assess the management’s response to identified risks,including its implementation and design of internal controls to addressthem. In a problemanalysis the auditor should consider actual indicationsofproblemsordeviationsfromwhatshouldbeorisexpected.Thisprocessinvolves examining various problem indicators in order to define the auditobjectives.Theidentificationofrisksandtheirimpactontheauditshouldbeconsideredthroughouttheauditprocess.
47) Auditors should identify and assess the risks of fraud relevant to the audit objectives.
Auditors should make enquiries and perform procedures to identify andrespond to the risksof fraud relevant to theaudit objectives. They shouldmaintainanattitudeofprofessionalscepticismandbealerttothepossibilityoffraudthroughouttheauditprocess.
48) Auditors should plan their work to ensure that the audit is conducted in an effective and efficient manner
Planningforaspecificauditincludesstrategicandoperationalaspects.
Strategically,planningshoulddefinetheauditscope,objectivesandapproach.
26
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
Theobjectivesrefertowhattheauditisintendedtoaccomplish.Thescoperelatestothesubjectmatterandthecriteriawhichtheauditorswillusetoassessandreportonthesubjectmatter,andisdirectlyrelatedtotheobjectives.Theapproachwill describe thenature andextentof theprocedures tobeused for gathering audit evidence. The audit should be planned to reduceauditrisktoanacceptablylowlevel.
Operationally,planningentailssettingatimetablefortheauditanddefiningthe nature, timing and extent of the audit procedures. During planning,auditorsshouldassignthemembersoftheirteamasappropriateandidentifyotherresourcesthatmayberequired,suchassubjectexperts.
Auditplanningshouldberesponsivetosignificantchangesincircumstancesandconditions.Itisaniterativeprocessthattakesplacethroughouttheaudit.
Conductinganaudit
49) Auditors should perform audit procedures that provide sufficient appropriate audit evidence to support the audit report
Theauditor’sdecisionsonthenature,timingandextentofauditprocedureswill impact on theevidence tobeobtained. The choiceof procedureswilldependontheriskassessmentorproblemanalysis.
Auditevidenceisanyinformationusedbytheauditortodeterminewhetherthe subjectmatter complieswith the applicable criteria. Evidencemay takemanyforms,suchaselectronicandpaperrecordsoftransactions,writtenandelectroniccommunicationwithoutsiders,observationsbytheauditor,andoralorwrittentestimonybytheauditedentity.Methodsofobtainingauditevidencecan include inspection, observation, inquiry, confirmation, recalculation,reperformance, analytical procedures and/or other research techniques.Evidence should be both sufficient (quantity) to persuade a knowledgeableperson that the findings are reasonable, and appropriate (quality) – i.e.relevant,validandreliable.Theauditor’sassessmentoftheevidenceshouldbeobjective,fairandbalanced.Preliminaryfindingsshouldbecommunicatedtoanddiscussedwiththeauditedentitytoconfirmtheirvalidity.
Theauditormustrespectallrequirementsregardingconfidentiality.
27
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
50) Auditors should evaluate the audit evidence and draw conclusions
After completing the audit procedures, the auditor will review the auditdocumentationinordertodeterminewhetherthesubjectmatterhasbeensufficiently and appropriately audited. Before drawing conclusions, theauditorreconsiderstheinitialassessmentofriskandmaterialityinthelightoftheevidencecollectedanddetermineswhetheradditionalauditproceduresneedtobeperformed.
Theauditorshouldevaluatetheauditevidencewithaviewtoobtainingauditfindings.When evaluating the audit evidence and assessingmateriality offindingstheauditorshouldtakebothquantitativeandqualitativefactorsintoconsideration.
Basedonthefindings,theauditorshouldexerciseprofessionaljudgementtoreachaconclusiononthesubjectmatterorsubjectmatterinformation.
Reportingandfollow-up
51) Auditors should prepare a report based on the conclusions reached
Theauditprocessinvolvespreparingareporttocommunicatetheresultsoftheaudittostakeholders,othersresponsibleforgovernanceandthegeneralpublic.Thepurposeisalsotofacilitatefollow-upandcorrectiveaction.InsomeSAIs, such as courts of auditwith jurisdictional authority, thismay includeissuinglegallybindingreportsorjudicialdecisions.
Reportsshouldbeeasytounderstand,freefromvaguenessorambiguityandcomplete.Theyshouldbeobjectiveandfair,onlyincludinginformationwhichissupportedbysufficientandappropriateauditevidenceandensuringthatfindingsareputintoperspectiveandcontext.
The form and content of a report will depend on the nature of the audit, the intendedusers, the applicable standards and legal requirements. The SAI’smandate and other relevant laws or regulationsmay specify the layout orwordingofreports,whichcanappearinshortformorlongform.
28
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
Long-form reports generally describe in detail the audit scope, auditfindingsandconclusions,includingpotentialconsequencesandconstructiverecommendationstoenableremedialaction.
Short-formreportsaremorecondensedandgenerallyinamorestandardisedformat.
» Attestationengagements
In attestation engagements the audit reportmay express an opinion as towhetherthesubjectmatterinformationis,inallmaterialrespects,freefrommisstatement and/or whether the subjectmatter complies, in allmaterialrespects, with the established criteria. In an attestation engagement thereportisgenerallyreferredtoastheAuditor’sReport.
» Directengagements
Indirectengagements theaudit reportneeds to state theauditobjectivesanddescribehowtheywereaddressedintheaudit.Itincludesfindingsandconclusionsonthesubjectmatterandmayalso includerecommendations.Additionalinformationaboutcriteria,methodologyandsourcesofdatamayalsobegiven,andanylimitationstotheauditscopeshouldbedescribed.
The audit report should explain how the evidence obtainedwas used andwhytheresultingconclusionsweredrawn.Thiswillenableittoprovidetheintendeduserswiththenecessarydegreeofconfidence.
» Opinion
Whenanauditopinionisusedtoconveythelevelofassurance,theopinionshould be in a standardised format. The opinion may be unmodified ormodified.Anunmodifiedopinionisusedwheneitherlimitedorreasonableassurancehasbeenobtained.Amodifiedopinionmaybe:
• Qualified (except for) –wheretheauditordisagreeswith,orisunabletoobtainsufficientandappropriateauditevidenceabout,certainitemsinthesubjectmatterwhichare,orcouldbe,materialbutnotpervasive;
• Adverse – wheretheauditor,havingobtainedsufficientandappropriate
29
ISSAI 100 - FUNDAMENTAL PRINCIPLES OF PUBLIC-SECTOR AUDITING
audit evidence, concludes that deviations or misstatements, whetherindividuallyorintheaggregate,arebothmaterialandpervasive;
• Disclaimed – where the auditor is unable to obtain sufficient andappropriate audit evidence due to an uncertainty or scope limitationwhichisbothmaterialandpervasive.
Wheretheopinionismodifiedthereasonsshouldbeputinperspectivebyclearlyexplaining,with reference to theapplicable criteria, thenatureandextentofthemodification.Dependingonthetypeofaudit,recommendationsfor correctiveactionandanycontributing internal controldeficienciesmayalsobeincludedinthereport.
» Follow-up
SAIshavearoleinmonitoringactiontakenbytheresponsiblepartyinresponsetothemattersraised inanauditreport.Follow-upfocusesonwhethertheaudited entity has adequately addressed thematters raised, including anywiderimplications.InsufficientorunsatisfactoryactionbytheauditedentitymaycallforafurtherreportbytheSAI.
INTRODUCTIONPURPOSE AND AUTHORITY OF THE ISSAIS
FRAMEWORK FORPUBLIC-SECTOR AUDITING
Public-sector auditing and its objectivesTypes of public-sector auditELEMENTS OFPUBLIC-SECTOR AUDITING
Subject matter, criteria and subject matter informationTypes of engagementConfidence and assurance in public-sector auditingPRINCIPLES OFPUBLIC-SECTOR AUDITING
Organisational requirementsGeneral principlesPrinciples related to the audit process