ISSAI Implementation Handbook: Compliance Audit

This document provides guidance for supreme audit institutions (SAIs) on planning, conducting, and reporting compliance audits. It covers compliance audit basics, managing compliance audits at the SAI level, conducting compliance audits through planning, fieldwork, and reporting, and documentation requirements. The handbook aims to help SAIs deliver high-quality compliance audits and adhere to professional standards for public sector auditing issued by the International Organization of Supreme Audit Institutions (INTOSAI).


Compliance Audit

ISSAI Implementation Handbook

Version 1, January 2022

INTOSAI Development Initiative (IDI)


www.idi.no
Table of Contents
About the Handbook 9

PART A Compliance Audit Basics


Chapter 1: Value and benefits of compliance audits
1.1 What are the value and benefits of compliance audits? 14
1.2 What are the key enablers in delivering value through compliance audits? 17
1.3 High-quality compliance audits and IFPP 18
Chapter 2: General concepts of the compliance audit
2.1 The three parties of a compliance audit 23
2.2 Subject matter and subject matter information of compliance audit 24
2.3 Authorities and criteria in a compliance audit 26
2.4 Compliance audit as an assurance engagement 28
2.5 Different ways of conducting a compliance audit 29
2.6 Steps of a compliance audit 33
PART B Managing Compliance Audit at the SAI Level
Chapter 3: The SAI’s organisational requirements for conducting a compliance audit
3.1 Objectivity and ethics of the auditor 37
3.2 Audit team skills 38
3.3 Audit risk and materiality 38
3.4 Professional judgment and scepticism of the auditor 39
3.5 Documentation of audit work 40
3.6 Communication 41
3.7 Ensuring audit quality 42
Chapter 4: The SAI’s annual work plan for coverage of compliance audit
4.1 Setting the strategic priorities of the SAI 44
4.2 Identification and prioritisation of potential audit tasks 45
4.3 The SAI’s annual or multi-annual work plan 47
4.4 Considerations before initiating an individual compliance audit 48
PART C Conducting Compliance Audit
Chapter 5: Planning a compliance audit
5.1 Developing the audit strategy 54
5.2 Developing the audit plan 56
5.3 Documenting and ensuring the quality of the audit strategy and audit plan 70
Chapter 6: Performing audit procedures, and gathering and evaluating evidence
6.1 Audit evidence 72
6.2 Sufficient and appropriate audit evidence 73
6.3 Evidence-gathering techniques 75
6.4 Determining the sample size 80
6.5 Evaluating audit evidence and forming conclusions 82
6.6 Ensuring quality at the audit field-work stage 86

Chapter 7: Reporting and follow-up compliance audits


7.1 Principles of reporting 88
7.2 Elements of a compliance audit report 89
7.3 Reporting by SAIs with jurisdictional powers 95

7.4 Reporting suspected fraud and unlawful acts 95
7.5 Ensuring the quality of the audit report 96
7.6 Communicating the report to the stakeholders 97
7.7 Audit follow-up 99

PART D Documentation of Compliance Audit


Chapter 8: Audit documentation
8.1 ISSAI requirements for documentation 103
8.2 Purpose of documentation 104
8.3 Elements of documentation 105
8.4 Components of working papers 106
8.5 Organisation of the working paper documentation 107
8.6 Document retention 109
8.7 Confidentiality and transparency issues 110

List of Figures
Figure 1.1: Value and benefits for all 15
Figure 2.1: The three parties of the compliance audit 23
Figure 3.1: Fundamental principles of compliance audit 37
Figure 5.1: Audit planning process 54
Figure 5.2: Internal control framework 58
Figure 5.3: The fraud triangle 63
Figure 5.4: Risk assessment process for a direct reporting engagement 64
Figure 6.1: Decision tree – determining the appropriate sample selection method 81
Figure 7.1: Users of SAI audit reports 88

List of Illustrations
Illustration 1.1: Compliance audit value chain 16
Illustration 1.2: Journey towards high-quality compliance audit 19
Illustration 2.1: Case scenario on compliance auditing 30
Illustration 2.2: Combination of levels of assurance and types of engagement in compliance auditing 32
Illustration 2.3: Steps of a compliance audit 33
Illustration 4.1: Policy and risk review 44
Illustration 4.2: Identifying potential audit tasks 46
Illustration 4.3: Determining the importance of risks 46
Illustration 4.4: Priority ranking of a task 47
Illustration 5.1: Relationship between subject matter, scope and criteria 55
Illustration 5.2: Internal control questionnaire for small entity or subject matter 59
Illustration 5.3: Determining quantitative materiality 67
Illustration 5.4: Audit planning matrix 69
Illustration 5.5: Documenting the audit plan 70
Illustration 6.1: Substantive procedures 78
Illustration 6.2: Findings matrix template 83
Illustration 7.1: Principles of reporting 88

List of Exhibits

Exhibit 4.1: Documenting a potential audit task 113


Exhibit 4.2: Establishing the annual or multi-annual work plan 115
Exhibit 5.1: Audit strategy 121
Exhibit 5.2: Understanding the entity and its environment 123
Exhibit 5.3: Understanding the internal controls and control environment 126
Exhibit 5.4: Assessment of fraud risks 129
Exhibit 5.5: Setting materiality at the planning stage 131
Exhibit 5.6: Risk register 133
Exhibit 5.7: Audit plan 135
Exhibit 6.1: Testing the operating effectiveness of controls 141
Exhibit 6.2: Performing substantive audit procedures 143
Exhibit 6.3: Audit findings matrix 146

List of Appendices
Appendix 4-A: Categorisation of entities based on risk value 117
Appendix 4-B: Differing tasks of the auditor in different types of compliance audit 119
Appendix 5-A: Quality review of audit planning 139
Appendix 6-A: Quality review of audit field-work 148
Appendix 7-A: Quality review of audit reporting 150

References

1. ISSAIs on www.issai.org
2. Strategic Development Plan of IFPP 2017-19

List of Acronyms

CA compliance audit
GPG Global Public Good
IDI INTOSAI Development Initiative
IFPP INTOSAI Framework of Professional Pronouncements
INCOSAI International Congress of Supreme Audit Institutions
INTOSAI International Organization of Supreme Audit Institutions
ISSAI International Standards of Supreme Audit Institutions
QA quality assurance
RMNC risk of material non-compliance
SAI Supreme Audit Institution

Quality Statement for Compliance Audit ISSAI Implementation Handbook Version 1
(January 2022)

The INTOSAI Goal Chairs’ and IDI’s joint paper Quality Assuring INTOSAI Public Goods that Are
Developed and Published Outside Due Process identifies three levels of quality assurance, as follows:

QUALITY ASSURING INTOSAI PUBLIC GOODS THAT ARE DEVELOPED AND PUBLISHED OUTSIDE DUE PROCESS – Levels of Quality Assurance

Level 1: Products that have been subjected to quality assurance processes equivalent to INTOSAI due process, including an extended period of transparent public exposure (90 days)

Level 2: Products that have been subjected to more limited quality assurance processes involving stakeholders from outside the body or working group responsible for the products’ initial development. Quality assurance processes might, for example, include piloting, testing and inviting comments from key stakeholders, although not go as far as full 90-day public exposure

Level 3: Products that have been subjected to rigorous quality control measures within the body or working group responsible for their development

Different levels of quality assurance may be appropriate for different Global Public Goods (GPG). This
GPG has been developed according to quality assurance level 1.

Quality Assurance Protocol: Version 2.0

IDI’s Protocol for Quality Assurance (QA) of IDI’s Global Public Goods defines measures to ensure
quality based on the three levels of quality assurance above. For quality assurance level 1, these
measures include:

• approval by the IDI Board to create the GPG;
• formation of a competent product development team;
• peer review by experts external to the development team;
• modification based on review;
• proofreading, editing and translation of the document by competent persons;
• public exposure for a period of 90 days and consultation with relevant stakeholders representing views from most regions, most models of auditing, developed and developing countries, and from the perspective of global bodies;
• modifications of the document based on comments received during public exposure; and
• due approvals for the GPG version 1.

Updates to this GPG

To ensure that this GPG stays relevant, IDI will undertake major revision of this Compliance Audit ISSAI
Implementation Handbook whenever there are changes in compliance audit ISSAIs. Major revisions
will follow IDI’s Protocol for Quality Assurance. In addition, light touch reviews may be undertaken as
per need. Such light touch reviews will not normally be subject to this Protocol.

This GPG is owned by IDI’s Professional SAIs work stream, which is responsible for maintenance of this
GPG.

Quality Assurance Review Process

Shourjo Chatterjee (Strategic Support Unit, IDI) has undertaken a QA review of the process followed
for the development of this GPG, against QA Protocol Version 2.0. The QA reviewer is familiar with
IDI’s protocol for QA of GPGs and was not involved in development of the GPG. This QA review process
is designed to provide all stakeholders with assurance that the IDI has carried out the quality control
measures stated above, designed to meet quality assurance level 1.

Results of the Quality Assurance Review

The QA review of the process followed in developing this GPG concluded that the Protocol has been
followed as required for quality assurance level 1 in all respects.

Conclusion

Based on the QA review, IDI assures the users of this GPG that this document has been subjected to a
quality assurance process equivalent to due process for INTOSAI Framework of Professional
Pronouncements (IFPP), including an extended period of transparent public exposure.

Einar Gørrissen
Director General
INTOSAI Development Initiative
January 2022

About the Handbook

Background

The IDI developed the first compliance audit (CA) ISSAI1 Implementation Handbook in 2014, under the
ISSAI Implementation Initiative (3i Programme). At that time, the Handbook was based on the old
level-4 compliance audit ISSAIs (ISSAI 4100 and 4200) and the level-3 ISSAIs (ISSAI 400 and ISSAI 100).
These standards provided the basis of the audit methodology described in the first compliance audit
handbook.

INTOSAI approved the new ISSAI 4000 - Compliance Audit Standard2 at the 2016 INCOSAI. As the
authoritative standard for a compliance audit, the ISSAI 4000 has undergone significant changes from
the earlier version of the CA ISSAIs. Subsequently, to reflect the changes in the ISSAIs, the IDI initiated
the revision of the CA ISSAI Implementation Handbook and developed this Handbook as a Global
Public Good (GPG). The GPGs are products and tools created by the IDI for contributing to global
knowledge creation, capacity development and enhanced performance of SAIs.

1 ISSAI - The International Standards of Supreme Audit Institutions (ISSAI). The complete and updated collection of professional standards and best practice guidelines for public sector auditors.
2 ISSAI-4000-Compliance-Audit-Standard.pdf

Purpose of the Handbook

The purpose of this Handbook is to provide practical guidance for following an ISSAI 4000-compliant
compliance audit process to support SAIs and their auditors in conducting ISSAI-compliant compliance
audits. The Handbook incorporates ISSAI 4000-based audit methodology that contains explanations
of the audit process as well as suggested audit working paper templates.

Process of developing the Handbook

The IDI followed its Protocol for Quality Assurance of its Global Public Goods V2.03 for the development
of this Handbook. Section 6 of the protocol, Conversion of existing products into a Global Public Good,
determines the due process for ensuring the quality of this version of the Handbook. The process first
requires developing Version 0 of the Handbook and exposing it for comments. Based on the comments
and feedback received, Version 0 is then updated and termed as Version 1 of the Handbook.

A product development team from the SAIs of different INTOSAI regions and the IDI staff developed
the first draft of this Handbook. A group of compliance audit experts independently reviewed the draft
Version 0 of the Handbook. After that Version 0 was finalised, the IDI placed it on its website for public
exposure for 90 days.

During exposure, the IDI informed the relevant stakeholders about the availability of Version 0 on the
IDI website and requested their feedback and comments on the Handbook. The stakeholders included,
among others, the SAIs, ISSAI facilitators and auditors who are engaged in IDI’s ISSAI implementation
initiative. Stakeholders also covered were the INTOSAI General Secretariat, INTOSAI regions, INTOSAI
Professional Standards Committee, members of the INTOSAI Compliance Audit Subcommittee,
INTOSAI Knowledge Sharing Committee, IDI’s resource persons and experts, and the donor
community.

At the same time, the IDI translated Version 0 of the Handbook into Spanish, Arabic and French and
placed it on the IDI website for exposure. The IDI sent the Handbook to the OLACEFS (Organization of
Latin American and Caribbean Supreme Audit Institutions), ARABOSAI (Arab Organization of Supreme
Audit Institutions) and CREFIAF (Le Conseil Régional de Formation des Institutions Supérieures de
Contrôle des Finances Publiques de l’Afrique Francophone sub-Saharienne) regional secretariats to
disseminate among the SAIs of these regions for comments.

The IDI acknowledges the valuable comments it has received from the stakeholders on Version 0
exposure. These comments are duly incorporated, which helped immensely to improve the Handbook
and to develop Version 1. As Version 1 of the Handbook now replaces Version 0, the IDI withdraws
Version 0 of the Handbook on the date of availability of Version 1.

Content of the Handbook

The Handbook has eight chapters divided into four parts. Part A covers the compliance audit basics and
explains the fundamental concepts of the compliance audit based on the ISSAIs. Part B is for SAI
management, which provides guidance on managing the compliance audit by an SAI.

3 http://www.idi.no/en/idi-library/global-public-goods

Part C is about conducting the compliance audit and describes the audit methodology covering the
planning, gathering and evaluating evidence, and reporting phases. Part C also includes the relevant
working paper templates (as exhibits found at the end of this Handbook), which are designed along
with the audit process to facilitate the application of the ISSAIs in practice. SAIs may need to modify
the working paper templates consistent with the SAI’s mandate, existing documentation and audit
practice. Part D explains the documentation process of a compliance audit.

Who can use this Handbook?

This Handbook would be most useful for SAI auditors and SAIs which have adopted ISSAI 4000 as
authoritative auditing standards or those that plan to adopt ISSAI 4000 as authoritative auditing
standards for conducting compliance audits. This Handbook is not an authoritative document. We
recommend that SAIs adapt the methodology suggested in this Handbook, considering their mandate
and reporting requirements. The SAIs would also need to customise it to suit their audit practice
consistent with the context and environment in which the SAI operates.

How can an SAI use and benefit from this Handbook?

SAIs can use this Handbook in full, or the parts, as required by the SAI, that cover different aspects of
compliance audit practice. Generally, the SAIs are at varying levels of development in their compliance
audit practice, regarding both the organisational requirements for the audit and in the audit practice.
SAIs can use this Handbook based on the identified areas of need for becoming ISSAI compliant.

Part B explains the SAI’s organisational requirements (as per ISSAI 4000) for conducting a compliance
audit. The SAI management and staff who are responsible for methodology may analyse this part and
determine the necessary measures that the SAI needs to take to satisfy the organisational
requirements of ISSAI 4000. The organisational requirements regarding documentation are further
elaborated in Part D to assist the SAI to conduct ISSAI-compliant audits.

SAIs which have a compliance audit methodology and aim to conduct the audit following ISSAI 4000-
based methodology may wish to consider Part C, along with Parts B and D. Part C will assist the SAI to
analyse how the SAI’s existing compliance audit practice corresponds to the ISSAI 4000-based
methodology as suggested in the Handbook. By this analysis, the SAI can determine at which points of
audit process its methodology is deficient in the aspects that are required by ISSAI 4000, as described
in the Handbook.

SAIs can use the ISSAI Compliance Assessment Tool for compliance audit (CA iCAT)4 to identify the gaps
between the SAI’s CA audit practice and the requirements of ISSAI 4000. The iCAT result will reveal
the areas that the SAI needs to address to make the audit practice ISSAI compliant.

4 CA iCAT tool (Version 1) is available on the IDI website: Compliance Audit iCAT V1 (idi.no)

PART A Compliance Audit Basics

Chapter 1: Value and benefits of compliance audits


Chapter 2: General concepts of the compliance audit

Chapter 1

Value and benefits of compliance audits


1.1 What are the value and benefits of compliance audits?
1.2 What are the key enablers in delivering value through compliance audits?
1.3 High-quality compliance audits and IFPP

This chapter reflects on compliance audits within the larger framework of SAI audits, the ISSAIs and
value delivered through compliance audits. The chapter identifies the different ways an SAI can adopt
the ISSAIs on compliance audit and when the SAI can refer to the ISSAIs in its compliance audit reports.
Going beyond the requirements of the standards, the chapter also reflects on the impact of
compliance audits, the mainstreaming of gender and inclusiveness considerations in compliance
audits, and agility of compliance audits to respond to emerging issues like the COVID-19 pandemic.

1.1 What are the value and benefits of compliance audits?

Supreme Audit Institutions contribute value and benefits for all by exercising independent external
oversight to ensure accountability, transparency, inclusiveness, ethical behaviour and effectiveness of
public governance. SAIs provide assurance on financial statements of governments and government
bodies, examine compliance with applicable laws and regulations, and offer recommendations for
enhancing economy, efficiency and effectiveness of service delivery, governance or outcomes that
impact people and planet.

The auditing of government and public sector entities by SAIs has a positive impact on trust in society
because it focuses the minds of the custodians of public resources on how well they use those
resources. Such awareness supports desirable values and underpins accountability mechanisms,
which in turn leads to improved decisions. Once SAIs’ audit results have been made public, citizens
are able to hold the custodians of public resources accountable. In this way SAIs promote the
efficiency, accountability, effectiveness, transparency and inclusiveness of public institutions.

Public-sector auditing is essential in that it provides – to the legislative and oversight bodies, those charged with governance and the general public – information and independent and objective assessments concerning the performance of government policies, programmes or operations. Public sector auditing is described as a systematic process of objectively obtaining and evaluating evidence to determine whether the information or actual conditions conform to established criteria.5

While SAI mandates and legal frameworks are quite diverse across the INTOSAI community, ISSAI 100 recognises three types of audits usually carried out by SAIs: financial audit, compliance audit and performance audit. The three audit types are different, considering that each type has its focus area and audit approach.

The financial audit focuses on determining whether an entity’s financial information is presented following the applicable financial reporting and regulatory framework. This is accomplished by obtaining sufficient and appropriate audit evidence to enable the auditor to express an opinion as to whether the financial information is free from material misstatement due to fraud or error.6

A performance audit is an independent, objective and reliable examination of whether the government undertakings, systems, operations, programmes, activities or organisations are operating in accordance with the principles of economy, efficiency and effectiveness, and whether there is room for improvements.7

A compliance audit is an independent assessment of whether a given subject matter complies with applicable authorities identified as criteria. This is done by assessing whether activities, financial transactions and information comply, in all material respects, with the authorities that govern the audited entity.8

5 ISSAI 100.18
6 ISSAI 100.22
7 ISSAI 300.9
8 ISSAI 400.12

Achieving value and benefits through compliance audits is a complex process. It requires several actors, across different functions, to work together in a coherent and coordinated manner. These actors include both state and non-state actors, as shown in Figure 1.1. In order to contribute and deliver value, compliance auditors need to scan the ecosystem in which they operate and determine the actors and processes that need to be engaged with throughout the audit.

Compliance audits can add value in many different ways, through their coverage; high-quality audit reports in the public domain; and recommendations leading to more transparent, accountable and inclusive compliance frameworks, decision making and greater compliance with applicable authorities by those charged with governance.

Figure 1.1: Value and benefits for all
Compliance audits promote transparency

Transparency can be defined as the basic and commonly agreed-upon principle of disclosure to make policies, legal and institutional frameworks, and information related to decisions available to the public in a comprehensible, accessible and timely manner. Through compliance audits, SAIs can ascertain if audited entities comply with transparency requirements. While publication of an SAI’s compliance audit reports leads to greater transparency, executive action on the recommendations made by the SAI leads to more transparent compliance systems in the longer run.

Compliance audits help the citizens in holding to account those charged with governance and improved accountability mechanisms in the public sector

Accountability is about the relationship between the State and its citizens, and the extent to which the State is answerable for its actions. The concept of accountability refers to the legal and reporting framework, organisational structure, strategy, procedures and actions to help ensure that every organisation that uses public money and makes decisions that affect people’s lives can be held responsible for its actions. The principles and concepts necessary to public sector accountability include transparency, fairness, integrity and trust. Compliance audits can ensure accountability by having a deterrent effect through adequate and regular oversight on compliance with authorities. Compliance audit reports can help citizens in holding those charged with governance to account. Action on compliance audit conclusions and recommendations will lead to more accountable systems and actions by governments in the future.

Compliance audits promote inclusiveness

Besides contributing to transparency and accountability, compliance audits can also contribute to inclusiveness. Compliance auditors can check if the authorities, rules and regulations that provide for inclusion in different areas are complied with by those charged with governance. For example, compliance auditors can check if the socio-economic scheme for beneficiaries from vulnerable groups is being implemented as per requirements and that the beneficiaries are genuine. Compliance audits can also comment on the extent to which inclusion considerations find place in government compliance frameworks.

Compliance audits contribute to ethical behaviour

Behaving ethically in all situations is a core value for everyone, especially those charged with governance. Compliance audits contribute to enhanced ethical behaviour in the public sector by providing oversight on the extent to which decisions are made in compliance with the requirements of applicable codes of ethics and making recommendations for improving compliance frameworks for ethics.

Compliance audits contribute to the fight against fraud and corruption

Compliance audits have both preventive and detection value in case of fraud and corruption in public institutions. SAIs can build red flags, assess vulnerability of compliance systems and test actual compliance to detect instances of fraud and corruption. Depending on their mandates and capacities, SAIs can work together with anti-corruption agencies, hand over their findings to other authorities for further investigations or conduct such investigations themselves.

Compliance audits contribute to creating a culture for compliance

As mentioned earlier, adequate compliance audit coverage, high-quality compliance audits and follow-up and executive action on instances of non-compliance can in the long run contribute to greater awareness of the importance of compliance, act as a deterrent for non-compliance and facilitate a more compliant culture in government institutions.

By looking at transparency, accountability, inclusiveness and ethical behaviour across different sectors – public health, education, infrastructure, technology, environment and so on – compliance audits contribute to value and benefits for both people and planet.

We can also examine the value and benefits of compliance audits from the perspective of a value chain of outputs, outcomes and contribution to impact. Illustration 1.1 below shows this.

Illustration 1.1: Compliance audit value chain

This value chain leading to value and benefits for all works on certain assumptions of enabling SAI
independence and mandate, adequate SAI resources and capacities, robust audit methodology,
supportive stakeholders, SAI ability to follow up and audited entities that take action on SAI
recommendations. The delivery of value is compromised if any of the links in the chain or the
assumptions don’t work. This value chain is further affected by the political, social, economic and
cultural environment in the country.

1.2 What are the key enablers in delivering value through compliance audits?

This section reflects on some of the key enablers for delivering value or contributing to impact through
compliance audits.
1. Enabling SAI mandate and legal framework: The SAI needs an enabling mandate and independence to be able to determine the compliance audits it will take up, decide on the methodology, issue and publish its report, and follow up on action taken.

2. SAI leadership: SAI leaders play a key role in strategising to deliver value, mobilising resources, making decisions and, most importantly, setting the tone and a culture that focuses on delivering value.

3. High-quality audits: The SAI needs a credible and high-quality product to add value. As such, compliance with applicable standards and the SAI’s ability to demonstrate such compliance through robust quality systems is crucial.

4. Impact-driven compliance audits: If the compliance audits are to contribute to impact, the SAI needs to have processes and practices that mainstream impact considerations throughout the audit process. This includes planning for impact and focusing on impact while conducting and reporting on the audit. Ensuring timely reports that reach out to a wide set of stakeholders is also key.

5. Stakeholder engagement throughout the audit process: SAIs cannot deliver value alone. It takes a coalition of stakeholders and an entire ecosystem of actors working together to deliver impact and value of compliance audits. Keeping this in mind, it is important for the SAI to determine key stakeholders and their engagement right at the beginning of the audit process. This can be done strategically for the compliance audit practice as a whole and for individual compliance audits.

6. Robust follow-up of compliance audits: The auditor’s role does not end with the issue of the report. If the compliance audits conducted by the SAI are to deliver value, the SAI needs to have a robust follow-up mechanism which clarifies expected corrective action, follows up with those responsible, and monitors and measures the action taken on compliance audit conclusions and recommendations.

7. Agile and flexible compliance audits: Given the pace at which things move in these times, it is important for SAIs to build agile features into their compliance audit practice. Please refer to chapter 4 of IDI’s practical guide on Audit of Transparency, Accountability and Inclusiveness (TAI audits) of the use of emergency funding for COVID-19 to learn more about an agile approach to compliance audits (TAI Guide (idi.no)).

8. Focus on gender and inclusiveness considerations: As it is the vulnerable and marginalised sections of the population that are most adversely affected by non-compliance and the lack of integrity and corruption in public institutions, we believe that it is important for SAIs to reflect on gender and inclusiveness considerations in their compliance audit practice. SAIs can do this by mainstreaming such considerations in compliance audits across sectors and/or focusing on specific areas of marginalisation and vulnerability as the subject matter of compliance audits, e.g., audits of socio-economic packages during COVID-19 for single mothers. Please refer to the TAI audit question bank (TAI Audit Question Bank (idi.no)) for examples of inclusiveness questions that can be asked in compliance audits.

1.3 High-quality compliance audits and IFPP
In the previous section we discussed how high-quality compliance audits were essential for delivery of value and benefits. In this section, we explore the link between
high-quality compliance audits and the INTOSAI Framework of Professional Pronouncements (IFPP). As a part of this exploration, we will also discuss what it means
for an SAI to adopt compliance audit standards, different ways of referring to the ISSAIs and having in place an ISSAI-compliant compliance audit practice.
The IFPP consists of INTOSAI Principles (INTOSAI-P), International Standards of Supreme Audit Institutions (ISSAI) and INTOSAI Guidance (GUID).

Moving towards high-quality compliance audits through full compliance with ISSAIs

An SAI’s journey towards high-quality compliance audit practice has the following key elements (as illustrated in Illustration 1.2): adoption of compliance audit ISSAIs; implementation of compliance audit practice as per standards; and independent assurance of the quality of compliance audits through robust quality mechanisms.

[Illustration 1.2: Journey towards high-quality compliance audit. Steps shown: Adoption of compliance audit ISSAIs; Implementation of compliance audit practice as per standards; Independent assurance of quality of compliance audits through robust quality mechanisms]

Adoption of compliance audit ISSAIs

Adoption of compliance audit ISSAIs refers to the decision-making process in the SAI, whereby it decides on how it will refer to the ISSAIs in its compliance audit practice. As explained in ISSAI 100.8, the SAIs can adopt the ISSAIs in different ways.

The Fundamental Principles of Compliance Auditing (ISSAI 400) provide the SAIs with a basis for the adoption or development of standards and guidelines in compliance auditing.

The principles in ISSAI 400 can be used in three ways:

• As a basis for adoption of the compliance audit standards (ISSAI 4000) as the authoritative standards
• As a basis on which SAIs can develop their auditing standards
• As a basis for the adoption of consistent national standards
As a basis for the adoption of ISSAI 4000 as the authoritative compliance audit standards: SAIs could
consider directly adopting the ISSAI 4000, the compliance audit standards, as their authoritative
compliance auditing standards. As the ISSAI 4000 has been developed to reflect best practices, the
SAIs are encouraged to strive towards adopting them in full as their authoritative standards.9
In some environments, this might not be possible due to the absence of basic administrative structures
or because laws or regulations do not establish the premises for carrying out audits following the ISSAI
4000. In such cases, SAIs have the option of developing standards based on, or adopting national
standards consistent with, the Fundamental Principles of Compliance Auditing – ISSAI 400.10
As a basis on which SAIs can develop their own standards: Some SAIs may be conducting compliance
audits as per their mandate, but they may not have any governing auditing framework to support their
work. These SAIs can develop their compliance audit standards considering fundamental principles of
compliance auditing of ISSAI 400. The ISSAIs emphasise the need for SAIs to review their respective
mandate, laws and regulations when adopting the ISSAIs. Thus, these principles do not override the
existing mandates, rules and regulations that govern the SAI audit practices.
As a basis for the adoption of consistent national standards: Some SAIs may already have their
national standards for conducting compliance audits. ISSAI 400 provides a frame of reference as the
fundamental principle for these SAIs. SAIs can analyse their existing practices and standards vis-à-vis
the ISSAIs, identify gaps and modify their governing auditing standards to ensure that they align with
the principles of ISSAI 400.
9 ISSAI 400.7
10 ISSAI 400.7

Implementation of compliance audit practice as per standards

After making a decision on adoption, the SAI would need to put in place mechanisms for implementing
a compliance audit practice that meets the requirements of the adopted standards. In order to do so
the SAI needs:
• A compliance audit methodology that is aligned to the standards: The methodology would
define the compliance audit process and quality mechanisms.
• Competent compliance auditors: There needs to be an adequate number of compliance
auditors who demonstrate required competencies to carry out compliance audits and exercise
professional judgment. Please refer to the Competency Framework for Public Sector Audit
Professionals to read more about competencies of a professional compliance auditor.
• Resources and supporting processes to carry out the compliance audits: This includes financial
resources, infrastructure, support services, etc.

Ensuring audit quality of compliance audits

To ensure high-quality compliance audits, an SAI needs to put in place both quality control and quality
assurance mechanisms. While the quality controls are embedded in the compliance audit process, the
quality assurance mechanisms provide independent assurance on the effectiveness of the quality
controls.
SAIs can claim compliance with CA standards only if their quality assurance mechanism provides
independent assurance that the compliance audit practice fully complies with all applicable
requirements of the CA standards.

Making reference to the ISSAIs in an SAI’s compliance audit report

SAIs should declare which standards they apply when conducting audits, and this declaration should
be accessible to the users of the SAI’s reports. SAIs are encouraged to make such statements a part of
their audit reports.11
The audit report users need to know how the SAIs have conducted the audit and what methodology
they have followed. It is through this declaration that the users can have confidence in the information
provided in the audit report. They recognise that ISSAIs require the SAI to plan and perform the audit
to obtain reasonable assurance about whether the subject matter is or is not in compliance with the
applicable authorities. The user also understands, through this declaration, that the audit includes
examining, on a test basis, evidence supporting the findings and conclusions made in the audit. If the
SAI does not make this declaration in its audit report, the users will not know what process the SAI has
followed. Also, users will not be able to determine the quality of the audits conducted, and this has
the potential of affecting the credibility of audit reports to stakeholders.
When the SAI complies with ISSAIs and refers to the ISSAIs in its compliance audit report, it has two
options:

1. An SAI may fully comply with its national standards, which are consistent with the fundamental
auditing principles: ISSAI 400 for a compliance audit. In such a case the SAI can make reference
in the compliance audit report by stating (ISSAI 400.8):
‘We conducted our audit in accordance with [country national standards], which are based on
[or consistent with] the fundamental auditing principles for compliance audit ISSAI 400 of the
International Standards of Supreme Audit Institutions.’

2. For a compliance audit, an SAI may fully comply with ISSAI 4000 - Compliance Audit Standard.
In such a case the SAI can make reference by stating (ISSAI 400.9):
‘… We conducted our [compliance] audit[s] in accordance with the International Standards
of Supreme Audit Institutions [on compliance auditing].’

11 ISSAI 100.8

ISSAI 4000.14 states that if all relevant requirements of ISSAI 4000 have not been fulfilled, a reference
to ISSAI 4000 shall not be made without disclosure of that fact and further explanations about the
consequences thereof. Compliance with ISSAI 4000 refers to an SAI’s compliance with all relevant12
requirements of ISSAI 4000 in an audit engagement or the SAI’s overall compliance audit practice.13
This implies that to refer to the ISSAIs in its audit report, the SAI must either have an ISSAI-compliant
audit practice or a specific audit which is ISSAI compliant.

12 SAIs can comply both within an individual compliance audit and across the compliance audit practice.
13 Audit practice refers to a set of audits conducted under the same organisational arrangement that follows the same standards,
methodology, competency requirements for audit teams, quality control and quality assurance arrangements.

Chapter 2
General concepts of the compliance audit

2.1 The three parties of a compliance audit
2.2 Subject matter and subject matter information of compliance audit
2.3 Authorities and criteria in a compliance audit
2.4 Compliance audit as an assurance engagement
2.5 Different ways of conducting a compliance audit
2.6 Steps of a compliance audit

This chapter starts by explaining the three parties, subject matter and criteria of a compliance audit.
It introduces the different approaches of conducting compliance audits and highlights the two types
of engagement: direct reporting and attestation engagement. This chapter explains the levels of
assurance that can be provided in the audit report – reasonable or limited. It explores the options
available to an auditor when deciding on the appropriate type of compliance audit to conduct. The
chapter concludes with an illustration of the compliance audit process.

2.1 The three parties of a compliance audit

Compliance audits are carried out by assessing whether activities, transactions and information
comply, in all material respects, with the authorities that govern the audited entity.14 The ISSAIs on
compliance audit identify the three related parties involved in an audit and explain the relationships
among them. ISSAI 400.35 states that ‘compliance auditing is based on a three-party relationship in
which the auditor aims to obtain sufficient appropriate audit evidence in order to make a conclusion
designed to enhance the degree of confidence of the intended users, other than the responsible party,
about the measurement or evaluation of a subject matter against criteria.’

In a compliance audit:
• The auditor refers to the SAI.
• The intended users are the individuals, organisations or classes for whom the auditor prepares
the audit report. In compliance auditing, the legislature, as the representative of the people,
is the ultimate user of the audit reports. However, according to the standards, the users can
also be oversight bodies, those charged with governance or the general public.15
• The responsible party is the executive branch of government and/or its underlying hierarchy
of public officials and entities responsible for the management of public funds and the
exercise of authority under the control of the legislature. The responsible party in compliance
auditing is responsible for the audit’s subject matter.16

[Figure 2.1: The three parties of the compliance audit. Elements of an audit: the Legislature (intended users), the Government entity (responsible party) and the SAI (auditor)]

It is essential to consider the relationship between the three parties: the responsibilities of each party,
the expectations each has of the others, and how to meet these expectations. Although there are different
models, usually the legislature empowers the government entities to perform specific duties by
providing them with the budget, and by establishing a legal framework to govern budget spending on
different activities and services. The executive branch of government (e.g. the entities, public officials)
is responsible for the management of public funds. The public officials’ exercise of authority is under
the control of the legislature. But establishing this control depends on receiving timely and accurate
information on how the entities are fulfilling their responsibilities. The legislature needs information
about the entities and their activities for public policy decision-making purposes. The SAI is responsible
for providing this information to the legislature. As such, the SAI should have a proper understanding
of the needs and expectations of its intended users. The SAI has to be aware of the evolving
environment in the government, the changing information needs of the users and how it can
provide the appropriate information to the users through its audit report.

14 ISSAI 400.12
15 ISSAI 100.25
16 ISSAI 400.37

2.2 Subject matter and subject matter information of compliance audit

The auditor’s responsibility in compliance auditing includes determining whether the information
related to a particular subject matter, in all material respects, is in compliance with the relevant criteria
such as applicable laws, regulations, directives, terms of contracts and agreements, among others.

The audit subject matter is decided based on the SAI’s mandate, the relevant authorities and the audit
scope. The content and scope of the subject matter can vary widely in a compliance audit.17 For SAIs
which have mandated requirements for compliance audits, selection of the subject matter should be
based on their mandated tasks. Where the SAI has the discretion to select the coverage of compliance
audits, it performs the procedures necessary to identify significant and relevant areas and/or areas
with a potential risk of non-compliance. From the area identified, the auditor defines the audit’s
subject matter. The subject matter of a compliance audit can be an entity, activities, operations,
financial transactions or information.

Once the subject matter is known, auditors can identify related authorities and criteria for the
compliance audit. The objective of an audit is to provide the intended user(s) with information on
whether the audited public entities and subject matters follow laws, legislative acts or decisions,
regulations, policy, established codes and agreed-upon terms. These form the relevant authorities
governing the subject matter or the entity.18

Subject matter information refers to the outcome of evaluating or measuring the subject matter
against the criteria. The subject matter and subject matter information in compliance audit is
associated with the concepts of direct reporting engagement and attestation engagements (explained
in section 2.5).

Identifying the subject matter of compliance audit

For some SAIs, the respective law or audit mandate sets the subject matter of the audit. In other cases,
the selection of the subject matter is a strategic choice operationalised in the SAI’s annual plan based
on risk assessment and professional judgment. Subject matter should be of such a nature that it enables
the auditor to gather sufficient and appropriate audit evidence to support an audit conclusion or
opinion on it with the necessary level of assurance. How the subject matter is selected has an impact
on the audit approach when it comes to audit evidence and resources.19

For example, if the subject matter of a compliance audit consists of ‘an entity’, the subject matter
information could be taken as the ‘accounts of the entity’ without defining a more specific scope. But
looking at the definition, it is also possible to take the ‘entity’ as the subject matter, and the subject matter
information could be the entity’s activities and transactions and all authorities governing them.
Providing a conclusion on such a broad audit scope would require more time and resources for the
SAI.

17 ISSAI 100.28, ISSAI 400.33
18 ISSAI 4000.23
19 ISSAI 4000.43


For this reason, the ISSAIs recognise the relationship between the subject matter and the scope of
compliance audits, which allows the issue to be narrowed to one that is manageable to audit. When the auditors plan
a compliance audit, they will usually start with a broad subject matter such as the entity. Still, as they
become more knowledgeable during the audit process, they may modify the subject matter and scope
it to a more focused audit, which will make the results more meaningful for the users.

The audit scope defines the subject matter and what the auditor is going to audit. The scope depends
on the needs of the intended user(s), the decided level of assurance, the assessed risk, and the
competence and resources (both human and financial) available in the SAI.20

In some countries, the subject matter of the compliance audit may be indicated in the relevant laws,
while for others, it may be determined through risk assessment and professional judgment. In some
SAIs, auditable entities might have been classified into high-, medium- or low-risk entities. These SAIs
can choose to conduct compliance audits of high-risk entities every year, while medium- to low-risk
entities will be audited once every two to three years.

For some subject matters, it might be relevant to include more than one responsible party, especially
for subject matters where more than one entity is involved in the operation or execution of the
budget. In those cases, the number of the intended user(s) may also increase.21 SAIs should, by
considering their circumstances and mandate, establish a process to systematically determine the
subject matter for conducting compliance audit in line with the ISSAIs.

The auditor may consider the following list of possible subject matters as a reference:

• Financial performance:
o use of appropriated funds (budget execution)
o use of grants and loans
• Procurement
• Revenue collection, e.g., taxes, customs, excises
• Expenditures
• Service delivery – medical, education, etc.
• Public complaints
• Heritage protection
• Propriety of auditee officials and decision making
• Health and safety
• Environmental protection
• Internal control framework
• Payments of social benefits, pensions
• Physical characteristics, zoning density, access to government buildings

20 ISSAI 4000.44
21 ISSAI 4000.106

2.3 Authorities and criteria in a compliance audit

Definition of authorities
Authorities are the most fundamental element of compliance auditing. The structure and content of
authorities furnish the audit criteria and therefore form the basis of how the audit is to proceed under
a specific constitutional arrangement. In general, authorities include the rules, laws and regulations,
budgetary resolutions, policies, established codes, agreed terms or general principles governing sound
public sector financial management, and the conduct of public officials.22

The extent of the auditor’s work to obtain a sufficient understanding of the legal and regulatory
framework will depend on the nature and complexity of the laws and regulations. However, the
auditor needs to understand the provisions of the legislation that are relevant to the audit task. In all
cases, the audited entity retains the responsibility for ensuring compliance with applicable criteria.

Hierarchy of authorities
Because of the variety of possible authorities, they may have mutually conflicting provisions and be
subject to differing interpretations. Also, subordinate authorities may not be consistent with the
requirements or limits of the enabling legislation, and there may be gaps in the legislation. To assess
the compliance with authorities, the auditor needs to have sufficient knowledge of the structure and
content of the authorities themselves.23

When the auditor identifies conflicting authorities, it is essential to consider the hierarchy of the
authorities; the higher level of authority will prevail over the subordinate authorities. For example, if
an operational procedure or activity of a subject matter or an entity has been defined in the law, the
internal regulations of the subject matter or entity must be in line with this law. If they are not,
auditors should point out the contradiction, and if their mandate allows, recommend a change in the
subordinate authority. This could also be audit evidence if following the internal regulation has caused
a non-compliance with the higher authority.

Similarly, when auditors are in doubt about the correct interpretation of authority, they should review
the background and context of the law to understand the intent and premises before using the
authority as the benchmark. When faced with such a situation, auditors may bring it to the attention
of their superiors so that they can take an appropriate course of action during the audit.

Criteria
Criteria are the benchmarks derived from authorities used to evaluate the subject matter. Criteria can
be specific or more general and may be drawn from various sources, including laws, regulations,
standards, sound principles and best practices.

In compliance audits, the criteria may differ significantly from one audit to the other. The criteria
should be included in the report itself or the report may refer to the criteria if they are contained in
an assertion from management or are otherwise available from a readily accessible and reliable
source.

Whichever of these options are chosen, the auditor should identify the criteria in the compliance audit
report so that the report users can understand the basis for the auditors’ work and conclusions.
Criteria should be made available to the intended users to enable them to understand how the subject
matter has been evaluated or measured. Without the frame of reference provided by suitable criteria,
any conclusion is open to individual interpretation and misunderstanding. The responsible party
should be able to comment on the audit criteria before the start of the audit to make sure that the
audit will have the desired effect. Communication with the responsible party can prevent the audit
results from being ignored in the discussion on the criteria when the conclusions are reported.

If criteria have not been defined from authorities, it is essential to identify criteria that carry the
qualities described in the ISSAIs. Criteria must be relevant, complete, reliable, neutral,
understandable, useful, comparable, acceptable and available.24

22 ISSAI 400.28 and 29
23 ISSAI 400.30

Types of criteria
Compliance auditing may be concerned with regularity (adherence to formal criteria such as relevant
laws, regulations and agreements) or with propriety (observance of the general principles governing
sound financial management and the conduct of public officials) aspects of the subject matter. Criteria
for regularity and propriety are different.
Regularity: Regularity criteria can derive from rules and regulations, international treaties and other
agreements and codes of conduct.25 These criteria also derive from the constitution, statutory
instruments, orders, governmental or ministerial directives, guidelines and agreed-upon terms and
conditions.
Propriety: Depending on the SAI’s mandate and the nature of laws and regulations in the public sector
context of the SAI, the audit scope may include aspects of propriety. Propriety is defined as
‘observance of the general principles governing sound financial management and the conduct of
public officials.’26 The use of propriety as a basis for the audit may be common practice in some SAIs,
but others may lack the relevant mandate to assess the propriety. Some SAIs use this approach in
‘management audits’ conducted at the request of a legislative body.

Propriety criteria are either generally accepted principles or national/international best practices
that the country’s legislative body has not ratified. When the legislature approves them, the criteria
become part of the regulations. In some cases, they may be uncodified, implicit or based on overriding
principles of law, which provide sufficient flexibility to the SAIs to adopt propriety criteria for an audit
relevant to their context. However, compliance with best practices may not be perceived as
mandatory in some jurisdictions or may not be suitable according to the mandate of some SAIs.

The auditor may find it difficult to envision the aspects of propriety in public financial management.
Generally, there are elaborate provisions under the country’s financial rules, public expenditure
management rules, procurement rules or in other regulations and the strict codes of conduct for
ethical behaviour.

The examples below, which are extracts from the discussion of the public accounts committee of a
country, highlight the audit’s propriety aspect:
‘The auditors estimated that Mr… had authorised the charging to the Corporation of £xxxx of his
private expenditure and a further £xxxx of private expenses for other members of staff. The
Committee considers that Mr…’s conduct, while Chief Executive…, did not meet the standards
expected of those entrusted with the use of public funds, notably in his handling of travel and personal
expenditure.’27

‘The former Institute Director was able to draw up his own rules for handling grievances or complaints,
even for complaints involving himself. As a result, some individuals had to use outside channels such
as the press…This was an unacceptable way to deal with the legitimate concerns of staff about the
management of the Institute and its governance. We consider it inappropriate that severance
settlements should include increased benefits to reflect the personal circumstances of individuals.’

‘To avoid any question of impropriety, specific reasons should always be recorded whenever a
contract is not awarded to a tenderer who submits the lowest bid and is judged capable of meeting
the key performance criteria. This would also provide a basis for informing the other short-listed firms
why their bids had been unsuccessful.’

‘.. the catalogue of mismanagement at the College’s Training Shop including what seems a disregard
for basic tenets of financial control, and exposure to potential conflicts of interest. For example, over
£xxxx was paid for driving services provided by a son of the head of the Shop, but there was no
evidence that the work was completed.’

24 ISSAI 4000.118
25 ISSAI 4000.114
26 ISSAI 400.13
27 https://www.public-audit-forum.org.uk/wp-content/uploads/2015/04/Propriety-and-conduct-in-the-public-sector.pdf, page 13-14

Once the auditor identifies the suitable criteria for regularity or propriety, they are operationalised for
the particular circumstances of each audit so as to be able to reach meaningful conclusions.28 The
quality of the auditor’s opinion or conclusion in a compliance audit largely depends on how the auditor
establishes and applies the audit criteria in the audit.

2.4 Compliance audit as an assurance engagement

Public officials are responsible for running the government entities in compliance with the authorities
governing the entity’s activities and for achieving the level of performance expected of them. If for
some reason the entity fails to comply with authorities, the responsible officials are held accountable.

The auditor audits an issue or subject matter to provide the intended user with some level of
confidence as to whether the entity complies with the applicable authorities. For the auditor to conclude
on the compliance status of the entity or subject matter, in all material respects, the auditor must
have sufficient audit evidence to support that conclusion. When the users (the legislature, e.g., the
Parliament) need information about the operations of the responsible party (the entity), the users
may request the SAI for an independent assessment of the actual conditions of the responsible party.
The SAI then conducts an audit and provides an ‘assurance’ on the situation to the users.

As such, an audit conducted by the SAI is an assurance engagement. A compliance audit, as an assurance
engagement, enhances the credibility of the information provided by the responsible party. The
auditor can provide this assurance through opinions and conclusions which explicitly convey the level
of confidence, or in other forms.29 The auditor will check whether the information provided by the
government entities or actual conditions in these entities comply with authorities (the relevant laws
and regulations, etc.). Following the audit, the SAI will prepare a report for the users, which includes
a conclusion on the subject matter. Thus, the auditor will be providing an ‘assurance’ that reduces the
risk to the users when using the specific information and that helps them to make informed decisions.

28 ISSAI 4000.119
29 ISSAI 100.32

In ISSAI 4000.19(b) this is referred to as ‘… to enhance the degree of confidence of the intended
user(s).’ So, assurance is linked to how the auditor can gather audit evidence and how much work s/he
must perform to be sure of the conclusions. When the auditor provides a conclusion with reasonable
assurance, the auditor must decide which audit techniques to use, combine them, and then be able
to conclude that ‘the information provided is, in all material respects, correct.’
The intended users wish to be confident about the reliability and relevance of the information they
receive and use the information as a basis for their policy-decision making. Audits, therefore, provide
information based on sufficient and appropriate evidence, and for that, the auditors should perform
procedures to reduce or manage the risk of reaching inappropriate conclusions.30
An auditor performs procedures to reduce or manage the risk of providing incorrect conclusions,
recognising that due to the inherent limitations in all audits, no audit can ever provide absolute
assurance on the condition of the subject matter. The auditor should transparently communicate this
limitation. In most cases, a compliance audit will not cover all elements of the subject matter but will
rely on a degree of qualitative or quantitative sampling.31
Reasonable assurance and limited assurance engagement

ISSAI 4000.30 states that the compliance audit report can provide either reasonable assurance or
limited assurance to the users. These two levels of engagement differ in the types of
criteria, sampling, evidence-gathering procedures and reporting formats used.

The two levels of assurance in compliance auditing convey the message differently to the users. In a
reasonable assurance engagement, the audit expresses that, in the auditor’s opinion, the subject matter
is or is not in compliance, in all material respects, with the stated criteria. In a limited assurance
engagement, it conveys that nothing has come to the auditor’s attention to cause him/her to believe
that the subject matter is not in compliance with the criteria.

The auditor uses the terms reasonable or limited, because even if they are meticulous in their work,
there is always a chance that they may not identify every instance of non-compliance, and therefore
can make a wrong conclusion. It is not possible to provide an absolute (or 100%) assurance. Levels of
assurance will be examined further in planning the audit since the decision to give a limited or
reasonable assurance will have an impact on the audit design. Reasonable or limited assurance can be
provided both for direct reporting and attestation engagements in compliance auditing.32

2.5 Different ways of conducting a compliance audit

There are two different types of compliance audit engagements: attestation engagements and direct
reporting engagements.33 Attestation engagements and direct reporting engagements differ based on
who prepares and measures or evaluates the subject matter.
• In attestation engagements the responsible party, i.e., the entity, measures the subject matter
against the criteria and presents the subject matter information on which the auditor then
gathers sufficient and appropriate audit evidence to provide a reasonable basis for expressing
a conclusion. Attestation engagements can be both reasonable and limited assurance
engagements.
• In direct reporting engagements, it is the auditor who measures or evaluates the subject
matter against the criteria. The auditor selects the subject matter and criteria, taking into
consideration risk and materiality.

30 ISSAI 100.31
31 ISSAI 400.40
32 ISSAI 400.41
33 ISSAI 100.24

The auditor presents the outcome of measuring the subject matter against the criteria in the audit
report in the form of findings, conclusions, recommendations or an opinion. The audit of the subject
matter may also provide new information, analysis or insights.34 The auditor may also express the
outcome as an elaborate answer to specific audit questions.35
Each assurance engagement (reasonable or limited) is either an attestation engagement or a direct
reporting engagement. The subject matter could be either set out in the SAI’s mandate or selected by
the SAI.36 The difference between the two types of audit is linked to subject matter and subject matter
information.

In attestation engagements, the auditor attests the subject matter information, which may be a
statement of compliance under an established and standardised reporting framework.37 Here the
audit criteria are implicitly given by the presentation of the subject matter information. In these cases,
the auditor needs to identify the relevant audit criteria in order to conclude whether the criteria applied
by the responsible party in preparing the subject matter information are correct.38

The example in Illustration 2.1 below illustrates a compliance audit case scenario for two countries for
direct reporting engagement and attestation engagement. Both countries have a similar responsible
party as the entity, and the same subject matter and scope for audit, but they differ in the aspect of
subject matter information.

Considering who prepares the subject matter information influences the audit decisions; in the two
country scenarios below, this consideration will lead either to a direct reporting engagement or to an
attestation engagement.

Country X
• Responsible party: National Tax Office (NTO) of country X
• Subject matter of the audit: Tax revenues of Value Added Tax (VAT)
• Subject matter information: none
• Audit criteria: VAT law and other laws and regulations governing the collection of taxes
• User: Parliament

Country Y
• Responsible party: National Tax Office (NTO) of country Y
• Subject matter of the audit: Tax revenues of Value Added Tax (VAT)
• Subject matter information: Financial information related to VAT revenues
• Audit criteria: VAT law and other laws and regulations governing the collection of taxes
• User: Parliament

Illustration 2.1: Case scenario on compliance auditing

34 ISSAI 100.29
35 ISSAI 400.59
36 ISSAI 4000.31
37 ISSAI 100.30
38 ISSAI 4000.113

The scenario of country X:

Direct reporting engagement

National Tax Office (NTO) of country X does not publish reports on tax collection. The website
provides some statistics, but these are usually outdated and not detailed. The NTO is a part of the
government budget system, and due to the financial management framework does not produce a
separate set of financial statements. Due to the way accounts are prepared, it is not possible to
isolate tax revenues collected by NTO from tax revenues from other sources. Recently, the
Parliament of country X has been discussing a reform initiative that aims to improve tax collection
from VAT. SAI management decided to conduct an audit on tax revenues of VAT and submit it to
Parliament.

In the scenario given above, no subject matter information has been made available by the NTO
(responsible party), despite the need for this information. Therefore, the SAI, through its audit,
decided to provide the information to the users. The audit will directly evaluate the tax revenues of
VAT (subject matter) based on the applicable criteria and will give a conclusion. Based on the
evaluation of the subject matter by the auditor, the SAI prepares the audit report and submits it to
Parliament.

This form of audit is called a direct reporting engagement. In a direct reporting engagement, the
auditor measures or evaluates the subject matter directly, rather than auditing subject matter
information prepared by the responsible party.

The scenario of country Y:

Attestation engagement

National Tax Office (NTO) of country Y presented a report to the Parliament regarding tax
collection. Subject matter information has been produced by the NTO (responsible party) and
presented to the Parliament (users) in the form of a report. (This information could also be in the
form of a statement, statistics, etc.) When officials were producing the subject matter information,
they were obliged to follow relevant legislation and other laws and regulations governing these tax
revenues of VAT.

Standards refer to producing subject matter information as ‘evaluation of subject matter against
criteria.’ In the scenario, NTO has provided subject matter information (evaluation), in the form of a
report. With the report, the officials of the responsible party are making explicit or implicit claims
(assertions) that the information (evaluation) on the tax revenues of VAT (subject matter) is true and
fair in light of the laws and regulations (criteria).

The auditor’s role in this scenario is to attest the assertion – in the form of conclusion or opinion – on
whether the claim made by the NTO (responsible party) about the evaluation it provided is correct or
not; and whether the officials have indeed followed the laws and regulations as they have claimed
(explicitly or implicitly). This conclusion enhances the confidence of the Parliament about the report
(subject matter information) it has received.

To appreciate the broad scope of the compliance audit, the auditor should understand the link
between assurance levels and types of audit. The table in Illustration 2.2 illustrates how the auditor
can accomplish these levels and types of audit in practice. Each compliance audit conducted by the
SAI may fall into one of the four cells of combinations illustrated in the table.

Assurance level and engagement type:
• Reasonable assurance (RA), direct reporting (DR): RA-DR
• Reasonable assurance (RA), attestation engagement (AE): RA-AE
• Limited assurance (LA), direct reporting (DR): LA-DR
• Limited assurance (LA), attestation engagement (AE): LA-AE

Illustration 2.2: Combination of levels of assurance and types of engagement in compliance auditing

Compliance audit: Stand-alone or combined with other types of audits


ISSAI 4000.15 states that compliance audits may be conducted either as a stand-alone engagement
following ISSAI 4000 or combined with financial or performance audit.39 Different SAIs may be using
different approaches in carrying out compliance audits in combination with other types of audit.
Compliance auditing is generally conducted as a separate compliance audit, in relation with the audit
of financial statements or in combination with performance auditing.40 The ISSAI 4000 does not
provide detailed explanations on how to do combined audits.41
A stand-alone compliance audit engagement is performed separately, not in conjunction with financial
auditing (which exists in some SAIs) or performance auditing. The ISSAIs state that compliance auditing
conducted independently may be planned, performed and reported separately from an audit of
financial statements and performance audits. It may be conducted regularly or on an ad-hoc basis, as
distinct and clearly defined audits each related to a specific subject matter.42 The ISSAI 4000 explains
the process applicable when SAIs conduct compliance audits as a stand-alone engagement.
Accordingly, this Handbook explains the methodology for conducting a stand-alone compliance audit
as per ISSAI 4000.

39 ISSAI 4000.15
40 ISSAI 4000.27
41 ISSAI 4000.28
42 ISSAI 400.25

2.6 Steps of a compliance audit

Illustration 2.3 below shows the compliance audit process.

SAI's annual work plan (covered in chapter 4)
• Select compliance audit topics
• Annual compliance audit plan
• Determine attestation or direct reporting
• Determine level of assurance
• Consider principles with ethical significance
• Ensure quality control procedure

Planning individual audit (covered in chapter 5)
• Identify subject matter, scope and criteria
• Determine audit objective
• Understand the entity and environment
• Understand internal control
• Assess risk and materiality
• Develop audit strategy and plan

Performing audit procedures and gathering evidence (covered in chapter 6)
• Gather evidence by performing audit procedures
• Update planning and risk assessment
• Ongoing documentation, communication and quality control

Evaluating evidence and forming conclusion (covered in chapter 6)
• Evaluate whether sufficient appropriate evidence obtained
• Consider materiality for reporting purpose
• Form conclusions
• Address subsequent events as necessary

Reporting and follow-up (covered in chapter 7)
• Prepare reports
• Include recommendations and responses from entity as appropriate
• Follow up previous reports as necessary

Audit documentation (covered in chapter 8)

Illustration 2.3: Steps of a compliance audit

SAI's annual work plan for compliance audit

At this stage, the SAI selects the topics and subject matters and prepares annual or multi-annual plans
for compliance audit. The SAI decides whether the engagement will be an attestation or a direct
reporting engagement, and whether to provide reasonable or limited assurance in the report. The SAI
considers the principles of ethical significance (independence and objectivity of the auditor) and team
competency, and ensures that quality control procedures are in place. The SAI also makes sure that the
team can conduct the audit with the required documentation and communication throughout the process.
Planning individual audit
In the planning phase, the auditor looks into the relationship between the subject matter, criteria and
scope of the compliance audit. In planning the audit, auditors should exercise professional judgment
and consider the needs of the intended users of the audit report. Once the auditors decide on the
subject matter, criteria and scope of the individual compliance audit engagement, they set the audit
strategy and audit plan. The auditors should understand the entity and its internal control, establish
materiality, assess risks to the entity and plan audit procedures as part of designing the audit.
Gathering audit evidence
In this phase, auditors primarily gather and document evidence to form a conclusion or opinion as to
whether the subject matter, in all material respects, complies with established criteria. In some cases,
auditors may have to change the scope of a compliance audit if they come across audit evidence
suggesting a need for that change. For instance, while gathering evidence, if auditors find cases that
are indicative of fraud, they may have to modify their procedures.
Evaluating evidence and forming conclusions
At the end of the execution phase, auditors examine the evidence for sufficiency and appropriateness
to form a conclusion or opinion as to whether the subject matter complies with the established
criteria. At this stage, auditors consider materiality for reporting purposes.
Reporting and follow-up
The conclusion or opinion is presented in the form of a report to the intended user. Here the auditor
includes the recommendations and the entity’s responses to them, as appropriate.
Illustration 2.2 shows the combinations of levels of assurance and types of engagement that are
possible in conducting a compliance audit. SAIs will not necessarily perform all of these combinations
in practice. The most common audit process is the direct reporting, reasonable assurance engagement,
which is the process explained in this Handbook. Where relevant, the Handbook also includes the
process for a reasonable assurance attestation engagement.

PART B Managing Compliance Audit at the SAI Level

Chapter 3: The SAI's organisational requirements for conducting a compliance audit
Chapter 4: The SAI's annual work plan for coverage of a compliance audit

Chapter 3

The SAI's organisational requirements for conducting a compliance audit

3.1 Objectivity and ethics of the auditor
3.2 Audit team skills
3.3 Audit risk and materiality
3.4 Professional judgment and scepticism of the auditor
3.5 Documentation of audit work
3.6 Communication
3.7 Ensuring audit quality

This chapter describes the principles which are fundamental to the conduct of an audit. As the nature
of the audit is iterative and cumulative, the fundamental principles are related to the SAI’s
organisational requirements. The SAI and the auditor should consider these principles before starting
and at more than one point during the audit.43 The SAI needs to make sure that it has established the
required systems and mechanisms and has competent staff to conduct the audit considering these
elements.

ISSAI 100 - Fundamental principles of public-sector auditing and ISSAI 400 - Compliance audit
principles highlight eight principles of the compliance audit, as shown in Figure 3.1. ISSAI 4000
includes these principles as 'the general requirements for compliance auditing.' Implementing these
general principles of compliance audit will facilitate the SAI auditors to comply with the ISSAI
requirements related to an individual compliance audit engagement. This chapter explains how the
SAI and its auditors could consider these principles from an organisational perspective. The relevant
chapters of this Handbook will further elaborate on these, at the different application points of the
audit process.

Figure 3.1: Fundamental principles of compliance audit

3.1 Objectivity and ethics of the auditor

ISSAI 4000.45 states, ‘The auditor shall comply with the relevant procedures relating to objectivity and
ethics, which in turn shall comply with the related ISSAIs on objectivity and ethics.’ ISSAI 4000.48
states, ‘The auditor shall take care to remain objective so that findings and conclusions will be
impartial and shall be seen as such by third parties.’44

The auditor is to demonstrate professional behaviour and integrity, be objective, possess the required
professional competence and exercise due care. The auditor is also to maintain independence in fact
and appearance and confidentiality regarding all audit matters.
The auditors should demonstrate objectivity in selecting their audit objectives and identifying the
criteria. The auditors need to ensure that communication with stakeholders does not compromise the
SAI’s objectivity. The auditors also need to avoid undue influence from any stakeholders in formulating
a balanced report and maintaining objectivity so that their work and report will be seen as impartial
by third parties.
The SAI should establish appropriate measures to ensure that its staff follow and comply with the
ethical requirements. The SAI's code of ethics can assist the auditor in this. The SAI can refer to
INTOSAI-P 10 - Mexico Declaration on SAI Independence, INTOSAI GUID 9030 - Good Practices Related
to SAI Independence, and ISSAI 130 - Code of Ethics. To ensure the objectivity of the audit team
members, SAIs can use predesigned templates for declarations of conflict or no conflict of interest and
of conformance to the code of ethics. Based on the SAI's requirements, the SAI auditors can sign these
declarations once before the start of an audit cycle or, if necessary, for individual audits on a
case-by-case basis.

43 ISSAI 100.34
44 ISSAI 4000.48


3.2 Audit team skills

ISSAI 4000.85 states that the SAI shall ensure that the audit team collectively has the necessary
professional competence to perform the audit. The SAI constitutes the audit team so that it collectively
possesses the required ability, knowledge, skills and expertise to perform the audit in accordance with
professional standards. ISSAI 4000.87 adds that, depending on the subject matter, this may include:

• Auditing skills and abilities regarding data collection and analysis
• Legal competence
• An understanding and practical experience of the type of audit undertaken
• Knowledge of applicable standards and the authorities
• An understanding and experience of various types of entities and their operations
• The ability and experience to exercise professional judgment
• The preparation of an auditor's report that is appropriate in the circumstances

The SAI needs to assign adequately skilled resources that are available when required for the different
phases of the audit process. The SAI needs to recruit personnel with suitable qualifications, offer staff
development and training, prepare manuals and other written guidance and instructions concerning
the conduct of audits, and assign sufficient and appropriate audit resources. The SAI should arrange
for the auditors to maintain their professional competence through ongoing professional
development.45
Where specialised knowledge, techniques or skills required for the audit are not available within the
team, the SAI may use external experts in different ways, e.g., to provide knowledge or conduct
specific work. When external expertise is required, the SAI evaluates whether the experts have the
necessary independence, competence, capabilities and objectivity. The SAI also determines whether
the experts’ work is adequate for the audit. The SAI is responsible for the conclusions made by the
external experts as they perform audit work on behalf of the SAI.

3.3 Audit risk and materiality

ISSAI 4000.52 states, ‘The auditor shall perform procedures to reduce the risk of producing incorrect
conclusions to an acceptable low level.’ Also, ISSAI 4000.58 states, ‘The auditor shall consider the risk
of fraud throughout the audit process, and document the result of the assessment.’

Audit risk is the risk that the auditor’s report, conclusion or opinion may be inappropriate. A
compliance audit should be performed to reduce the audit risk to an acceptable low level in the
circumstances of the audit.
Decreasing the audit risk includes anticipating the possible or known risks of the work envisaged and
their consequences, developing procedures to address those risks during the audit, and documenting
which risks will be addressed and how. The auditors need to evaluate whether the scope of the work
performed is sufficient. Also, when concluding, the auditors need to assess whether they have sufficient
and appropriate audit evidence, when assessing the subject matter against the criteria, to form
conclusion(s) based on the level of risk involved.

45 ISSAI 400.45

In an attestation engagement, the three components of audit risk (inherent risk, control risk and
detection risk) are considered together when evaluating the audit risk. In a direct reporting
engagement, the auditor is involved in producing the subject matter information, and may apply the
audit risk model in forming a conclusion on the subject matter.
ISSAI 400.47 states that auditors should consider materiality throughout the audit process.
Determining materiality is a matter of professional judgment and depends on the auditor's
interpretation of the users' needs. Audit risk and materiality are further explained in Part C: chapter 5.

3.4 Professional judgment and scepticism of the auditor

ISSAI 4000.71 states, ‘The auditor shall exercise professional judgment throughout the audit process.’
Also, according to ISSAI 4000.77, ‘The auditor shall exercise professional scepticism, and maintain an
open and objective mind.’
During the audit, the auditor’s attitude should be characterised by professional scepticism and
professional judgment, which are to be applied when forming decisions about the appropriate course
of action. Auditors should exercise due care to ensure that their professional behaviour is
appropriate.46

Professional scepticism and professional judgment are two separate requirements, different in their
meaning and in their application. However, each complements the other in the auditor’s work.

Maintaining professional judgment and scepticism in compliance auditing requires the ability to
analyse the structure and content of authorities as a basis for identifying suitable criteria or gaps in
the legislation if laws and regulations are entirely or partially lacking. It also requires the ability to
apply the audit concepts in the approach to a known or unknown subject matter.

Professional judgment
The auditor uses professional judgment when deciding the level of assurance, assessing risk and
materiality, and defining the subject matter, scope and corresponding audit criteria. Also, the auditor
uses professional judgment to evaluate procedures necessary to gather sufficient and appropriate
audit evidence and the evaluation thereof. The use of professional judgment is crucial when analysing
the audit evidence and forming conclusions based on the findings.47

Professional judgment is a skill the auditor acquires over time by obtaining relevant training and
experience. That is why the application of professional judgment also means the use of the auditor’s
training, skill and expertise. Moreover, only an auditor with the knowledge and expertise specific to a
given circumstance is expected to exercise reasonable professional judgment in that circumstance. In
short, professional judgment is circumstance-based and not every auditor is expected to be
competent for every assignment.

Knowledgeable, experienced and objective persons can reach different conclusions in applying
professional standards, despite similar facts and circumstances. It does not necessarily mean that one
conclusion is right and the other is wrong. Appropriate questioning is to be expected to understand
the procedures performed and the basis for conclusions reached.

Documentation of the decisions, based on the auditor's professional judgment at different stages of
the audit, is essential to demonstrate that a sound process was followed and to help develop a
well-reasoned conclusion. When a professional judgment is challenged, documentation shows the
analysis of the facts, circumstances and alternatives considered, as well as the basis for the
conclusions reached.

46 ISSAI 100.37
47 ISSAI 4000.73

Professional scepticism
Professional scepticism is an attitude that includes maintaining an open and objective mind by being
alert to conditions, circumstances and information which may indicate possible non-compliance due
to error or fraud. Professional scepticism is essential when evaluating audit evidence contradicting
other audit evidence already obtained and information that brings into question the reliability of audit
evidence, such as documents and responses to inquiries.48
Exercising professional scepticism is necessary to ensure that the auditor avoids personal bias and
does not overgeneralise when drawing conclusions from observations. In addition, the auditor acts
rationally, based on a critical assessment of all the evidence collected.
When exercising professional scepticism, auditors keep an open and reasonably questioning mind
without being overly suspicious. The auditors neither assume that management is dishonest nor
assume that it is honest. Auditors keep in mind that fraud can exist, and they should not be satisfied
with less than persuasive evidence merely because they believe that management is honest.
Maintaining professional scepticism throughout the audit is necessary if the auditor is to reduce the
risks of:
• Failing to notice unusual circumstances
• Overgeneralising when concluding from audit observations
• Using inappropriate assumptions in determining the nature, timing and extent of the audit
procedures and evaluating the results thereof

3.5 Documentation of audit work

ISSAI 4000.89 states, ‘The auditor shall prepare audit documentation that is sufficiently detailed to
provide a clear understanding of the work performed, evidence obtained and conclusions reached.’
Sufficient audit documentation is essential in all the steps of the compliance audit. The purpose of
documenting the audit work performed is to enhance transparency about the work performed. Also,
it enables an experienced auditor having no previous connection with the audit to understand the
significant matters arising during the audit, the conclusion(s) or opinion(s) reached thereon and
professional judgments made in reaching those conclusion(s) or opinion(s).
Documentation needs to be sufficient to demonstrate how the auditor has defined the audit objective,
subject matter, criteria and scope, as well as the reasons behind choosing a specific method of
analysis. For this purpose, the auditor organises documentation to provide a clear and direct link
between the findings and the evidence that supports them. Adequate documentation of the audit is
essential for supervisory reviews and other quality control and quality assurance tasks. Part D: chapter
8 provides further explanation on documentation.

48 ISSAI 4000.78

3.6 Communication

ISSAI 4000.96 states, ‘The auditor shall communicate in an effective manner with the audited entity
and those charged with governance throughout the audit process.’

Stages of communication
Communication takes place at all stages of the audit, before the audit starts, during planning, during
the audit execution and at the reporting phase. Any significant difficulties encountered during the
audit, as well as instances of material non-compliance, should be communicated to the appropriate
level of management or those charged with governance. The auditor should also inform the
responsible party (i.e., the entity) of the audit criteria.

ISSAI 4000.99 states, ‘Instances of material non-compliance shall be communicated with the
appropriate level of management and (if applicable) those charged with governance. Other significant
matters arising from the audit that are directly relevant to the entity shall also be communicated.’

Excellent communication with the audited entity throughout the audit process may help make the
process more effective and constructive. Effective two-way communication is vital in:
• Assisting the auditor and those charged with governance to understand the matters related
to the audit with its context and to develop a constructive working relationship. The auditor
develops this relationship while maintaining independence and objectivity.
• Enhancing the auditor’s sensitivity to the legislature’s needs and expectations about matters
communicated to others, mainly where the issues may be of broad public interest.
• Engaging the auditor with those charged with governance to acquire information relevant to
the audit. For example, those charged with governance may assist the auditor in
understanding the entity and its environment, in identifying appropriate sources of audit
evidence and in providing information about specific transactions or events.
The communication processes
SAIs need to have a system in place that requires the auditor to ensure two-way communication
between the auditor and those charged with governance that is adequate for the audit. If two-way
communication is not sufficient, the auditor should take appropriate action. Such action may include
communicating with the legislature or the relevant regulators.
The matters communicated in writing to the audited entity may include:
• The audit subject matter
• Audit criteria
• The level of assurance
• The period for the audit
• The government undertakings, organisations and programmes to be included in the audit, i.e.,
confirming the terms of engagement
Communicating these matters can help in achieving a mutual understanding of the audit process and
auditees’ operations.
The form of communication with those charged with governance throughout the audit process needs
to be adapted to the conditions. The auditor considers the timing of communications and whether
they are conducted orally or in writing or both.

3.6 Ensuring audit quality

ISSAI 4000.80 states, ‘The SAI shall take responsibility for the overall quality of the audit to ensure that
the audits are carried out in accordance with relevant professional standards, laws and regulations,
and that the reports are appropriate in the circumstances.’
A significant challenge facing all SAIs is to deliver high-quality audits consistently. The quality of an
SAI's audit work affects its reputation and credibility, and ultimately its ability to fulfil its mandate. For
a system of quality control to be effective, it needs to be part of the SAI's strategy and culture and of
its policies and procedures regarding quality.49
Quality control
This refers to the ongoing processes at the SAI for reviewing the quality at each stage of the audit.
Quality control aims to ensure that the audit complies with applicable standards and that the audit
report, conclusion or opinion issued is appropriate in the circumstances. The SAI should establish the
quality control mechanisms as a line function for this purpose, and the SAI’s audit report should be
issued after it has gone through the quality control process.
The quality control procedures can consist of supervision, reviews and consultation, and can cover the
planning, execution and reporting stages of the audit. Quality control includes whether the audit team
has sufficient and appropriate competence to conduct the audit and is capable of selecting criteria
without bias. At the same time, quality control includes whether the team has access to accurate
information, has considered available data and has had sufficient time to complete the audit
assignment.
Quality assurance
Within the scope of the quality control procedures, the SAI may have a quality assurance system in
place. Quality assurance is the process established by an SAI to ensure that the required quality
controls are in place and implemented adequately.
The SAI should communicate its general quality control policies and procedures to its personnel in a
manner that provides reasonable assurance that they have understood and implemented the policies.
Quality control requires a clear understanding of where the responsibility lies for particular decisions
made during the audit. Everyone involved in the audit should identify and understand his/her
responsibility. Quality control processes should be carried out and documented in a prescribed way.
The SAI may support these processes with specified forms of questionnaires and checklists.
This Handbook covers the quality control processes for conducting a compliance audit with the review
of the relevant working paper documents. It provides quality control checklists for the planning,
conducting and reporting phases of the audit.
With the launch of International Standards on Quality Management (ISQM) 1 & 2,50 the international
audit community is moving from process-based quality control and quality assurance systems to a risk-
based approach to audit quality management.

INTOSAI is working on updating ISSAI 140. At the same time, IDI plans to develop a framework for
using a risk-based approach to ensuring audit quality. The framework will reflect on key principles of
audit quality management and provide options for SAIs with diverse capacities and contexts to ensure
audit quality.

49 ISSAI 140
50 Getting Started on the New IAASB Quality Management Standards: An Overview | IFAC

Chapter 4

The SAI's annual work plan for coverage of compliance audit

4.1 Setting the strategic priorities of the SAI
4.2 Identification and prioritisation of potential audit tasks
4.3 The SAI's annual or multi-annual work plan
4.4 Considerations before initiating an individual compliance audit

SAIs generally plan their audit work on an annual or multi-annual basis. Based on the SAI’s legal
framework, the plan specifies the types of audit it can conduct: financial, compliance or performance.
The SAI considers the resources available to it while it undertakes the audits for a given period. It sets
aside the necessary resources first, to accomplish the mandatory audit tasks. The remaining resources
available determine the extent to which the SAI can include additional audit tasks in its annual or
multi-annual work plan. This chapter describes the process an SAI can follow to determine the audit
tasks and to prepare an annual or multi-annual plan for a compliance audit. Although the chapter
restricts itself to the compliance audit, a similar process can be used for other types of audit as well.
ISSAI 4000.64 includes the selection of audit coverage as part of the general requirements for a
compliance audit. It states, ‘Where the SAI has discretion to select the coverage of compliance audits
it shall identify areas that are of significance for the intended user(s).’
Some SAIs perform audits on request from the legislative body, e.g., Parliament; other SAIs may select
the coverage of their compliance audits themselves, or do both. Where the SAI has the discretion
to choose the coverage, it may establish a system to recognise the significant audit issues and the
areas with a potential risk of non-compliance. The steps to identify the possible audit tasks for
compliance audits (i.e., subject matters) and, accordingly, to make an annual plan typically
involve:
• Setting the SAI’s strategic priorities;
• Identifying and prioritising the potential audit tasks; and
• Preparing an annual or multi-annual work plan.

4.1 Setting the strategic priorities of the SAI

The SAI generally derives the strategic priorities from the policy and risk review. The review helps
ensure that the SAI selects audit tasks that best reflect the risks, public interests and potential for the
SAI to add value, and that contribute to the country’s accountability framework. Strategic priorities
provide a high-level orientation for the annual or multi-annual work plan. SAI priorities could include,
among others, policy areas requiring particular attention, such as social security and housing, and
emerging risks from the evolving environment in which the SAI operates, such as big data and new
technologies. Priorities could also include cross-cutting audit topics, such as gender, climate change
and procurement.
The policy and risk review takes into account the country’s strategic development priorities and goals,
the stakeholders’ interests, audits performed in the other countries that the SAI considers pertinent,
as well as developments in the professional audit practices. The policy and risk review should consider,
in particular, the pre-legislative process to determine the optimum delivery time of audit reports to
ensure the best possible impact. In performing the policy and risk review, the auditor may consider,
among others, the following51:
Review of: Stakeholders’ priorities and interests
In the areas of:
• Public or legislative interests or expectations
• Strategic goals of the country, e.g., achievement of Sustainable Development Goals
• The interest of citizens (the SAI may provide options on its website to gather citizen input)
• Donors’ or funding agencies’ interests or expectations
• Interests of beneficiaries of public funds
• Media coverage on issues of public interest
• Non-compliance signalled by third parties
Output: The output is a list of the issues and risk areas, linked to the stakeholders’ priorities and
interests.

Review of: Changes to the legal framework and other developments in the area
In the areas of:
• Developments and changes in the legal framework in different areas
• Significance of specific provisions of the law, and their interpretation by the entities
• Principles of good governance
• Other significant changes and developments in the different areas
• Roles of different public sector bodies, situation and changes to that
• Rights of citizens and public sector bodies
• Potential breaches of applicable laws and other regulations, as well as financing agreements with
donors that govern the entity’s activity, or the public debt, public deficit and external obligations
• Projects with significant public funding
Output: The output is a list of issues and risk areas linked to the recent changes and developments in
the country.

Review of: Results of recent audits and developments in the audit
In the areas of:
• Non-compliance with internal controls or the absence of an adequate internal control system
• Findings identified in the SAI’s previous audits
• Works of other SAIs and similar entities
• Recent developments in the audit profession
• Mandate and audit coverage of the SAI
Output: The output is a list of issues and risk areas identified in recent audits.

Illustration 4.1: Policy and risk review

51 ISSAI 4000.67

The policy and risk review maps the main developments in the country and identifies the relevant
high-level issues and risk areas. When performing the review, the auditor may analyse the budget
proposals, related public-sector publications and evaluation reports. Engaging with the stakeholders
and taking part in the discussions in different forums may enrich the auditor with valuable
information, to form the basis for selecting the appropriate and timely subject matters and to reduce
the risk of auditing low-risk areas. The auditor may often come across examples of non-compliance in
connection with other types of audit performed by the SAI. It can, therefore, be useful to include such
findings in the risk assessment process for the coming year.
The accumulated output of the policy and risk review process is a list of the SAI’s strategic priorities.
The SAI could align these priorities with its strategic plan to achieve the yearly operational targets.
Besides audit tasks, the SAI could consider establishing a strategic approach for other activities it
would like to accomplish, as an organisation, in the medium and long term. These may include, among
others, the development of its staff capacity, strengthening compliance audits or ensuring that a
certain percentage of SAI staff obtain a professional qualification.

4.2 Identification and prioritisation of potential audit tasks

SAIs should consider their strategic priorities while identifying possible audit tasks. The potential audit
tasks include a list of proposed audit topics, an estimate of resources required for each and
information on their relative significance. The audit tasks could be identified by following a bottom-
up and top-down approach, and the SAI should document the process.
The top-down approach flows from the SAI’s strategic plan, which spans a set number of years. The
strategic plan is operationalised in multi-annual and annual plans and priorities. These priorities
determine what the SAI wants to achieve as an organisation through its audits as short-, medium- and
long-term objectives. In this process, the SAI identifies broad themes and areas of significance that are
of national or international interest, e.g., information technology, Sustainable Development Goals and
the environment.

In the bottom-up approach, the audit managers propose potential audit tasks. These are generally
relevant to the audit priorities established and thus are related to the SAI strategy.
Illustration 4.2 explains the key features of the two approaches.
Bottom-up: Determine audit tasks
- Audit managers propose potential audit tasks
- Tasks are relevant to the audit priorities established and thus linked to the SAI’s strategy
- The proposals cover essential elements
- Tasks are established in predefined templates

Top-down: Determine SAI priority
- What does the SAI want to achieve via its audits?
- SAI audit strategy covering a set number of years
- SAI’s medium- and long-term objectives as an organisation
- Identify broad themes and areas

Illustration 4.2: Identifying potential audit tasks

The auditor can use the template provided in Exhibit 4.1: Documenting a potential audit task to
facilitate the bottom-up approach to identifying the tasks. Also, an example of the process for
categorisation of entities based on risk value is provided in Appendix 4-A. The key aspects of
identifying an audit task include the following.
Assessing priority
The SAI compares all proposed tasks with the strategic priorities for the respective planning period
and assesses the extent to which it covers the priorities. This analysis identifies the audit tasks best
suited to address the strategic priorities and the priorities that have not been sufficiently covered by
the proposed audit tasks.
Such an analysis should use a set of criteria such as the relevance to the strategic priorities, significance
of the risks, political and public interest and the potential added value the audit would generate. The
latter can include, among others, considerations of economic importance, past coverage and
auditability. This analysis should also rank the proposed audit tasks and document the process. The
relevance of an audit task to the strategic priorities could be assessed as low, medium or high.
Assessing risk
The risk associated with a proposed audit topic could be assessed as low, medium or high, depending
on the likelihood of occurrence of the main factors identified and their potential impact. An auditor
can document the risk assessment of a topic using Illustration 4.3.

Audit task: ………

Potential impact    Likelihood of occurrence: Low    Likelihood of occurrence: High
Substantial         Medium risk                      High risk
Minimum             Low risk                         Medium risk

Illustration 4.3: Determining the importance of risks

Assessing political and public interest
The tasks considered for audit should be of interest to the SAI’s main stakeholders such as Parliament.
The auditor deliberates on the decisions made by Parliament, the reports and the policy documents it
has produced as the possible sources of information. At the same time, the auditor bears in mind the
interests of the executive and media, and the impact on the lives of citizens. For each proposed audit
task, the auditor should determine the level of public interest (low, medium or high).
Assessing potential added value
SAIs can consider the topic’s potential added value in terms of its economic importance. Also, SAIs
need to assess whether the audit report would provide information which is new and useful to the
users. For this, SAIs can take into account the audits, the control reviews and the evaluations that have
recently been carried out or planned by the SAIs and by other agencies. The SAI may prioritise the
areas and topics that have never been audited, were audited partially or were audited many years
previously.
• Consider the potential impact in terms of identifying weaknesses and making recommendations.
• Timeliness is a crucial element. The selection of topics should match the timing to contribute to
changes, such as significant reforms or the introduction of new initiatives. A delayed report will not
influence events, and therefore, it loses its relevance.
• Auditability or feasibility should also be considered and assessed; that is, whether it is technically
or practically possible to carry out the audit and whether the SAI has the capacity and skills needed.
External expertise, for example, might be needed.
For each task, the SAI should translate the result of the assessment of these four pre-established
criteria into a priority ranking. The SAI could allocate the degree of priority to the audit tasks in terms
of the total score achieved. The topics are then ranked following their level of significance based on
the overall score. Illustration 4.4 proposes how the auditor can allocate the degree of priority to a
particular audit task using the total score.
Audit task: ………
a. Priority b. Risk c. Public interest d. Added value
Score Score Score Score
Low 1 Low 1 Low 1 Low 1
Medium 2 Medium 2 Medium 2 Medium 2
High 3 High 3 High 3 High 3
Total score:

Illustration 4.4: Priority ranking of a task

4.3 The SAI’s annual or multi-annual work plan

The yearly or multi-annual work plan includes information on the audit tasks to be carried out, a brief
description of each job, the human resources and other resources (e.g., travel costs, expertise needed)
to be allocated to each task, and the intended implementation and reporting calendar.
Establishing an annual or multi-annual work plan is based on each SAI’s internal process. SAIs may
consider doing the following:
• Determine the total staff resources available and establish the standard number of days
(excluding the yearly non-workdays as regulated by the SAI) for full-time staff.
• From the total staff resources available, deduct the resources needed for mandatory and other
recurrent tasks, including non-audit work. Allocate other resources for these tasks.

• After determining the remaining staff and other resources, identify the number of potential
audit tasks, ranked with the highest priority, that the SAI could carry out in the given planning
period.
The SAI may apply these considerations and document the process using Exhibit 4.2: Establishing the
annual or multi-annual work plan.
The SAI might consider setting realistic timelines and spreading the workload over the planning period.
To this end, SAIs should make sure that the resources allocated to each task are sufficient in terms of
quantity and quality. The SAIs can take into consideration a margin for contingencies and unforeseen
events that could affect the plan during the implementation of the tasks.
The implementation of the annual or multi-annual work plan should be monitored regularly by the SAI
to inform the management on the progress made in implementing the plan, the use of resources, the
milestones attained, the objectives achieved and the work still pending. The SAI could establish a half-
yearly reporting system on the annual work plan implementation. Based on the monitoring results,
the plan can be revised if the underlying assumptions change, the priority ranking is no longer valid or
other reasons for needed change become apparent.

4.4 Considerations before initiating an individual compliance audit

After the SAI has established the organisational requirements for conducting compliance audits
(explained in chapter 3), has prepared its annual work plan and has allocated the required resources,
it will start performing the audits. At this point, the SAI has also identified the prioritised subject
matters and topics for compliance audits. Before the SAI’s compliance audit teams begin with planning
and performing the audits according to the SAI’s annual work plan, the SAI management may like to
ensure that the teams apply the audit methodology consistently in all compliance audits. For this, the
SAI management needs to make informed choices on when to conduct a direct reporting engagement
or an attestation engagement, and when to provide reasonable or limited assurance in its audit
reports. Accordingly, the management could communicate these options to the auditors and the
respective functional heads of compliance audit (or as appropriate in the respective SAIs).
Direct reporting engagement or attestation engagement
The availability or unavailability of the subject matter information leads the auditor to decide whether
to carry out an attestation engagement or a direct reporting engagement. The SAI would choose to
conduct attestation engagements for the subject matters and prioritised topics where the responsible
party or entity prepares the information, and the auditor would attest that. In the absence of such
information, SAIs would conduct direct reporting engagements. As per ISSAI 4000, these two
approaches may vary in audit sampling and the risk assessment process.

Generally, the availability of the subject matter information (prepared by the entity) is limited for a
compliance audit. In most cases, the auditor will decide the subject matter and provide a conclusion
on that. With this consideration, the SAI may choose to conduct its planned compliance audits as direct
reporting engagements except where the information to attest is available.
Reasonable assurance or limited assurance
ISSAI 4000.121 states, ‘Depending on the mandate of the SAI, the characteristics of the subject matter,
and the needs of the intended user(s), the auditor shall decide whether the audit shall provide
reasonable or limited assurance.’
While determining the scope and subject matter of an audit, the auditor considers the level of
assurance provided. The SAI decides on whether to conduct a limited or a reasonable assurance audit
by considering the following:

• Needs of the intended user
• Availability of and access to information
• Extent of audit procedures
• Competency of the auditors
Needs of the intended user
The SAI has to assess the needs of the intended users of the audit report to determine which type of
assurance is more appropriate. The assessment process requires an understanding of the decisions
made by the users and the kind of information they use for decision making. Some SAIs have mandated
requirements which already define the level of assurance they should provide in their reports.
Availability of and access to information
Providing reasonable assurance requires more extensive audit work.52 A reasonable assurance
engagement requires the auditor to have access to the systems and processes used in the subject matter
(e.g., internal controls of an entity), and therefore demands more information than a limited assurance
audit, which focuses on a narrower area. Thus, limitations on accessing the data would likely lead to
a limited assurance audit.
The extent of audit procedures
In a reasonable assurance engagement, the auditor is likely to perform the test of controls as well as
detailed substantive testing to reach an overall conclusion about the subject matter. The auditor can
identify a sample of transactions that are representative of the total population and extrapolate the
results of sampling to the whole. The auditor is likely to evaluate the systems and processes of the
subject matter to reach an overall conclusion in a reasonable assurance engagement.
In a limited assurance engagement, the aim is to obtain a level of assurance meaningful to the
intended users. The auditor gathers sufficient and appropriate evidence to address the engagement
objective; however, the procedures are limited compared with what is necessary for a reasonable
assurance engagement.53
Competency of the auditors
Reasonable assurance and limited assurance engagements both require competent staff. ISSAI
4000.85 states, ‘The SAI shall ensure that the audit team collectively has the necessary professional
competence to perform the audit.’
SAIs can use an audit team competency matrix to map their auditor competency. Based on
professional judgment, the matrix could include assessing whether the members demonstrate the
required cross-cutting and functional competencies and have experience in conducting compliance
audits, including the sector or area under audit. Some SAIs may have fixed audit teams with designated
supervisors for one audit cycle year. In that case, instead of selecting audit teams for each
engagement, it is sufficient (and manageable) to make the selection of teams based on the
competency matrix once a year. If there is a change in the team composition, it can be updated
periodically as necessary.

Appendix 4-B explains the four stages of a compliance audit and how the auditor’s tasks differ at each
of the steps in different types of compliance audit.
Considering these issues and the SAI’s context, the SAI management may decide that, generally, the
SAI’s compliance audit engagements will be direct reporting, reasonable assurance engagements.
Based on this decision, SAI teams will initiate the individual audits as direct reporting
engagements. Part C of this Handbook explains the methodology for conducting such engagements.

52 ISSAI 4000.34
53 ISSAI 4000.201

PART C Conducting Compliance Audit
Chapter 5: Planning a compliance audit
Chapter 6: Performing audit procedures, and gathering and evaluating evidence
Chapter 7: Reporting and follow-up compliance audits

Chapter 5

Planning a compliance audit

5.1 Developing the audit strategy
5.2 Developing the audit plan
5.3 Documenting and ensuring the quality of the audit strategy and audit plan

This chapter explains the planning of an individual compliance audit engagement. There are two steps
in planning a compliance audit. In the first step, the auditors develop the overall audit strategy for the
audit’s scope, emphasis, timing and conduct. In the second step, based on the strategy, auditors
prepare an audit plan that shows a detailed approach and specific steps for the nature, timing and
extent of procedures to be performed, and the reasons for selecting them. The chapter includes
suggested working paper templates for the auditors to document the development process of the
audit strategy and the plan.

The planning activities will vary, among others, with the circumstances of the audit, the complexity of
the underlying subject matter and the criteria.
In planning a compliance audit, the SAI auditors generally consider the following elements:

• Scope, subject matter and criteria
• Characteristics of the audit
• Understanding of the entity
• Intended users
• Entity’s control environment and internal control
• Components of audit risk
• Relevance of fraud risk
• Materiality
• Internal audit function and coverage
• Resources necessary for the audit
• Nature and extent of experts required
• Timing and nature of communication

These elements are illustrated in Figure 5.1 as the generic steps of a compliance audit planning
process.

Figure 5.1: Audit planning process

ISSAI 4000.137 states, ‘The auditor shall develop and document an audit strategy and an audit plan that together describe how the audit will be performed
to issue reports that will be appropriate in the circumstances, the resources needed to do so and the time schedule for the audit work.’ The process for
developing the audit strategy and audit plan is explained in the next sections.
5.1 Developing the audit strategy

The audit strategy is the basis for deciding whether it is possible to execute the audit. The audit
strategy describes what to do, and the audit plan describes how to do it. The purpose of the audit
strategy is to design and document the overall decisions made by the auditors. It may contain the
following54:

Elements of an audit strategy:
1. Characteristics of the compliance audit
2. The audit objective
3. Subject matter, scope, criteria
4. The entities covered by the audit
5. The type of engagement
6. The level of assurance to be provided
7. Composition of the audit team
8. Quality control mechanisms
9. Communication
10. Reporting responsibilities

An audit strategy facilitates the coordination between the audit team members and the SAI on the
audit approach. The audit team develops the audit strategy based on the SAI’s organisational
requirements for conducting an audit.
Characteristics of the compliance audit
The audit team takes into account the SAI’s mandate and strategic plan when determining the
characteristics of an audit. The team includes an introductory description of the audit and a
background.
The audit objective
The audit objective determines what the auditor aims to answer in the audit. The auditors ensure
objectivity in formulating the audit objectives, including identifying the criteria. Audit findings depend
entirely on the purposes of the audit, and findings are complete to the extent that the audit’s goals
are satisfied. The audit objective should be answerable and should identify the audit subject matter,
the entity or activities under the audit.
The subject matter, scope and criteria
The subject matter, scope and criteria are interrelated. The auditor scopes the subject matter in such
a manner that it is sufficiently covered to conduct a meaningful audit and to add value for the intended
users.
Subject matter
Section 2.2 (chapter 2) introduced the concept of the subject matter. The SAI’s annual compliance
audit plan may identify and include audit subject matter. The subject matter should be identifiable
and assessable against suitable audit criteria. It should be of a nature that enables the auditor to
conclude with the required level of assurance.
Scope
Audit scope refers to the area, extent and period covered in the audit of a given subject matter.
Scoping involves narrowing the audit subject matter to relatively fewer issues of significance that
pertain to the audit objective, and that can be audited with the resources available to the audit team.
In a multi-entity or thematic compliance audit, the scope includes identifying the entities that will be
included in the audit. Clearly defining the audit scope is important in determining the budget,
human resources and time required for the audit, and in deciding what the auditor will include in the
report.

54 ISSAI 4000.139

The statement of scope should be clear about any areas that are related to but not included in the
audit. The scope of a compliance audit may change while conducting the audit if the auditors identify
material information that makes it necessary to reconsider the scope. Section 2.2 of chapter 2 explains
scoping of a subject matter with an illustration.
Criteria
Section 2.3 (chapter 2) explains authorities and criteria. For a direct reporting engagement, the auditor
has to make sure that there are corresponding audit criteria. The subject matter and relevant audit
criteria might already be defined by the SAI’s mandate or national legislation. In an attestation
engagement, the audit criteria are implicitly given by the presentation of the subject matter
information, based on which the information has been prepared. In such a case, the auditor needs to
conclude on the correctness of the criteria implicit in the subject matter information.
The case scenario in Illustration 5.1 below demonstrates the relationship between the subject matter,
scope and criteria.

Example: Identifying the subject matter, scope and criteria

Case
The audit aims to review the National Health Service’s (NHS) procurement policy against the
national procurement requirements, and the extent to which the procurement practices followed
by the NHS comply with the guidelines for government procurement. In this respect, the audit will
cover the procurement policy as well as the planning and sourcing stages of the procurement life
cycle. It will encompass an assessment of all procurement activities for the 18 months from 1 July
2017 to 31 December 2018. The subject matter, the scope and the audit criteria are:

Subject matter: The activity, project, process or programme the auditor decides to examine. In this
case, the subject matter is the procurement practices of the National Health Service.

Audit scope: Audit scope explains the coverage and extent of the audit examinations. In this case,
the audit scope is the planning and sourcing stages of the procurement life cycle, covering all
procurement activities for the 18 months from 1 July 2017 to 31 December 2018.

Criteria: Audit criteria are the benchmarks used to measure the subject matter. Criteria are
derived from the authorities (e.g., laws and regulations, policies, guidelines). In this case, the
criteria will derive from the:
• Section xx of the guidelines for government procurement
• Section xx of the national procurement policies

Illustration 5.1: Relationship between subject matter, scope and criteria

The entities covered by the audit


The subject matter relates to a theme or an entity. Thematic subject matter may include multiple
entities across the government; for example, the environment and procurement. They require careful
planning and execution of the audit to ensure that all entities related to the subject matter are
adequately covered to reach an audit conclusion.
The type of engagement
The team decides whether the audit is an attestation engagement or a direct reporting engagement
considering the subject matter. The team follows the decisions made by the SAI management, as
explained in section 4.4 (chapter 4).

The level of assurance to be provided
In most cases, the audit team opts for a reasonable assurance compliance audit engagement. The
team considers the subject matter and the SAI management decisions, as explained in section 4.4
(chapter 4).
Composition of the audit team
The team should be composed of adequately skilled resources to conduct the audit. The audit team
determines if there is a need for external experts for skills that are not available within the team. The
team considers how the SAI manages the audit team’s skills, as discussed in section 3.2 (chapter 3).
Quality control mechanisms
The team takes into account the quality control mechanism for the audit, as discussed in section 3.7,
to ensure a high-quality audit is undertaken.
Communication
The team determines how it will communicate with the auditee and those charged with governance
throughout the audit process.
Reporting responsibilities
The team determines to whom and when the reporting will take place, and in what form the team
will prepare the report.
As required by ISSAI 4000.137, the audit team can document the audit strategy covering all elements
with the working paper template provided in Exhibit 5.1.
Note: In a less complicated audit, a small team may conduct the audit. With a smaller team,
coordination and communication between team members and the SAI management are easier.
Establishing the overall audit strategy in such cases need not be a complicated or time-consuming
exercise. When documenting the audit strategy, the team can modify Exhibit 5.1, considering the
specific context of the audit, the subject matter, complexity and criteria.

5.2 Developing the audit plan

This section describes the process of developing an audit plan, including the required documentation
of the process with working paper templates. The output of the planning phase is a written plan for
carrying out the audit field-work. The plan describes the potential risks of non-compliance to the entity
and the required audit procedures for the risks identified.
The audit strategy provides essential input to the audit plan by defining the audit objectives, scope,
subject matter and criteria. Planning is an iterative process throughout the audit. The auditors may
need to modify the objectives, scoping, methodology and timing as the audit work progresses. The
audit plan includes the following elements (ISSAI 4000.140):

The elements of an audit plan:
• An assessment of risk
• An assessment of internal controls relevant to the audit
• The audit procedures designed as a response to the risks identified
• Nature, timing and extent of planned audit procedures
• When the audit procedures will be performed
• The potential audit evidence to be collected during the audit

The assessment of the risks and internal control requires having an understanding of the entity or the
subject matter and its internal control systems, and identifying the inherent risks, control risks and
risks due to fraud. The auditor then applies the set materiality level on the risks identified and designs
the audit procedures for the identified risks. While conducting the audit, the auditor performs the
audit procedures according to the audit plan, and gathers sufficient and appropriate audit evidence
to fulfil the audit objectives and to make a conclusion on the subject matter.
Understanding the entity or the subject matter
ISSAI 4000.131 states, ‘The auditor shall have an understanding of the audited entity and its
environment, including the entity’s internal control, to enable effective planning and execution of
audit.’
The objective of understanding the audited entity and subject matter is to identify the risks of non-
compliance in the entity that will determine the audit approach.
If it is a thematic compliance audit (e.g., procurement, gender), which covers more than one entity,
the auditors obtain an understanding of all entities whose activities fall under the audit scope. Some
SAIs conduct a compliance audit of the utilisation of a fund that is used by more than one entity. In
such audits, the auditor may need to consider the strategies, operations and governance of all
relevant entities utilising the fund.
The auditor should understand and evaluate the activities and operations that are directed towards
the attainment of the audited entity’s goals and objectives, which in turn should respond to all of the
entity’s compliance requirements. Also, the auditor evaluates that the legal acts applied to the entity’s
operations and other authorities, such as administrative policies, internal procedures and instructions
and orders, do not contradict the normative legal acts.

Understanding the entity or the subject matter
• Relevant business
• Laws and regulations
• Nature of entity operations
• Governance arrangements
• Objectives and strategies
• Performance measures
To obtain an understanding of the entity and its environment, the auditor may consider the relevant
business, laws and regulations, other external factors, the nature of the entity’s operations,
governance arrangements, objectives and strategies or performance measures.55 The auditor may
acquire an understanding of the following:

Legal framework: Legal basis for the activity, and relevant parts of the financial regulation, implementing rules and regulations.

Organisation and governance: Of the subject matter, activity and audited entity, including operational structure, resources, organisation chart and management arrangements.

Business processes and operations: The key policies, objectives and strategies, locations, and types, volume and values of the programmes, functions and projects.

Business process analysis: Key business process maps, flowcharts, risk and control matrices, process narratives for an overview of functions and operations of the entity or the subject matter.

Business and operational risks: Related to the entity’s objectives and strategies that may result in material non-compliance.

Performance measures: Performance indicators, variance analysis to consider whether pressures to achieve performance targets may result in management actions that increase the risk of non-compliance.

55 ISSAI 4000.133

A thorough understanding of the audited entity as outlined in the laws, policies or standards helps the
auditors to recognise when non-compliance has occurred and to obtain evidence through performing
the audit procedures. The audit team can document the process of understanding the entity and its
environment with the suggestive working paper template provided in Exhibit 5.2.

Understanding the internal control system


ISSAI 4000.134 states, ‘The auditor needs to obtain an understanding of the entity’s internal control
relevant to the audit.’ The auditor identifies the internal controls that are in place to reduce the risk
of non-compliance with criteria in the subject matter. By using professional judgment, the auditor
decides whether the control is relevant to the audit or not.

Internal control is a necessary process – a series of actions that permeate an entity’s activities – effected by entity management and personnel. It is composed of the policies, structures, procedures, processes and tasks that help ensure that management directives are carried out and enable the audited entity to respond appropriately to any risks of non-compliance. Internal control is designed to address the risks and to provide reasonable assurance that, in pursuit of the entity’s mission, it:

• Fulfils the accountability obligations;
• Complies with the applicable laws and regulations;
• Safeguards resources against loss, misuse and damage; and
• Executes orderly, ethical, economic, efficient and effective operations.
The auditor makes a preliminary evaluation of the internal control system to:

• Gain an understanding of the extent to which improvements in internal control systems are
being made year-on-year;
• Conclude on the effectiveness of the internal control system and identify the control risks; and
• Design the nature, timing and extent of audit procedures.
The auditor may obtain an understanding of the following five interconnected components of the
internal control system relevant to the audit56:
1. The control environment
2. The entity’s risk assessment process
3. Information and communication systems
4. The control activities
5. The monitoring of the controls
Generally, the controls are established in the entity to mitigate the risks. In other words, the entity’s ‘assessment of risk’ in the organisation and its operation creates the need for controls. After the entity identifies the risks it faces, it needs to design controls (the control activities, e.g., approval, authorisations, verifications, reviews, segregation of duties) to mitigate those risks, and these controls need to be shared among the staff throughout the organisation (information and communication systems). Those who are responsible for managing the entity should respect the rules and not override controls to ensure that the entity’s ‘control environment’ is efficient and effective. The entity management needs to set up a process for ‘monitoring’ of controls to ensure that the controls are working as planned.

Figure 5.2: Internal control framework (control environment, risk assessment, control activities, information and communication, monitoring)

56 ISSAI 4000.135

The audit team can document the understanding of the entity’s internal control system with the
suggestive working paper template provided in Exhibit 5.3.
(Note: For a small entity, or where in the auditor’s professional judgment the entity does not have a mature internal control system covering the five elements, applying Exhibit 5.3 to document the internal control system might not be appropriate. In such cases, the auditor can document the understanding of the internal control system following the different approach explained below.)
Internal control for small entity or subject matter
Small entities may not be able to apply the five elements of the framework for the internal control system. They often have neither a monitoring system nor a formal risk assessment system in place. Some entities are so small (or their control systems are so weak) that they often do not have any formal controls in place at all. A large and well-organised government entity can manage the whole spectrum of the internal control framework because it has the required financial and human resources, leadership and a highly motivating fear of the authorities constantly checking its compliance. These are factors that allow it to establish the control framework in full. In smaller entities, or entities with weaker control systems, rather than covering the full details of the five elements, the auditors may ask the questions in Illustration 5.2 to understand their internal control system.

Components of internal control – Questions to ask

Control activities:
• How does the entity ensure that it complies with the relevant rules and regulations for its functions? What mechanisms does it have for that?
• How does the entity ensure that its existing control mechanisms for complying with the rules and regulations are operating effectively and efficiently?

Risk assessment:
• How does the entity determine that specific control activity(ies) is/are essential to ensure compliance?

Information and communication:
• How does the entity notify its staff responsible for operations that a certain control activity or mechanism is required for compliance?

Monitoring:
• What is/are the process(es) used by the entity to ensure that the control activity(ies) is/are performed correctly and consistently to ensure compliance?

Control environment:
• What is the attitude of entity management about the control mechanisms? (The control environment is a summary of the other four components.)

Illustration 5.2: Internal control questionnaire for small entity or subject matter
The auditor can document the internal control system using this questionnaire, instead of using Exhibit
5.3, for the entities or subject matters which do not have an established system of internal control.
Identification and assessment of risks
Risk assessment guides the auditor to focus on the critical issues of the subject matter or entity under
audit, considering the resource and time constraints. The outcomes of the risk identification activities
are documented using the ‘understanding of the entity’ and ‘understanding the entity’s internal
control system’ templates. It includes identifying the inherent risks and control risks and determining
the detection risks. The audit risk model helps the auditors to determine how comprehensive the audit
work should be to attain the desired level of assurance for their conclusions on the subject matter.

In an attestation engagement, the audit risk has three components57:
1. The subject matter’s inherent risk (IR); the risk of material non-compliance occurring
regardless of existing internal controls
2. The control risk (CR); the risk that the relevant internal controls associated with the entity
are inappropriate or do not work properly to prevent material non-compliance
3. The detection risk (DR); the risk that material non-compliance will not be detected by the
auditor, which will lead to an incorrect conclusion or opinion.
Risk assessment activities include, among others, inquiry (with management, key officials, internal
audit), inspection (of entity premises, internal documents and records, website and media, previous
audits), observation (of the entity’s operations being carried out) and analysis (of financial and non-
financial information with analytical procedures).
Identifying subject matter’s inherent risk (IR)
Auditors estimate the inherent risk based on their understanding of the entity’s activities and
operations. Inherent risk is described as the ‘risk in the absence of controls.’ In audit terms, inherent
risk is the risk related to the nature of the activities, operations and management structures that non-
compliance will occur if not prevented or detected and corrected by the internal control. The auditor
can determine the inherent risks by considering the following:
• Generic risks of the entity or subject matter
• The ‘reverse of criteria’ risks
• Predicting ‘what could go wrong’
• Previous audit results
• Entity’s risk assessment process
To identify the inherent risks, the audit team may hold a brainstorming session, and consider all the
conditions and events at the entity that may indicate the risks of non-compliance.

Generic risks of the entity or subject matter: These are the risks that arise every time the entity takes action. During the risk identification and assessment process, the auditor considers the risks that are embedded within the function of the entity or subject matter as the generic risks.
Reverse of criteria risk: This is a risk originating from the premise that the entity might not comply
with the authorities, i.e., the audit criteria. When the auditor analyses criteria applicable for a subject
matter or entity, the reverse of that criteria might lead the auditor to envision the potential risks of
non-compliance.

Example: The reverse of criteria risk

An auditor is evaluating whether the entity meets a regulation (audit criteria) that requires all
beneficiaries of a government support programme, operated by the entity, to have an annual
income below the poverty level. The criterion here is the poverty level set by the regulation. The
reverse of this criterion (i.e. the inherent risk) is that there are beneficiaries in the programme who
are above the set poverty level and therefore are not eligible for the programme support. The
inherent risk is that those who should benefit from the programme are not benefiting and that
people who are above the set poverty level could be receiving resources which are designed to help
the poor.

Predicting what could go wrong: The auditor exercises professional scepticism in anticipating the risks
of non-compliance in the subject matter under audit. Assessing the inherent risks requires the auditor
to analyse the entity and forecast what could go wrong at the entity. The auditors consider the criteria
against which they are evaluating the subject matter and seek to find out the purpose of the criteria.

57 ISSAI 4000.54

What did the lawmakers or authorities intend to achieve with that law or regulation? The auditor can
then envision whether the event that the regulators were trying to prevent might have happened.
Previous audit results: The previous audit reports can also be a good measure of risk assessment in
the area at the time of audit planning. The auditor should follow up with the recommendations to
confirm if the previous incidents of non-compliance were corrected or addressed by the entity. The
auditor can review the prior working papers to set linkages with the current risk assessment process.
Entity’s risk assessment process: The entity’s risk-assessment process, if it exists, can also be a source
of information on the risks of non-compliance. The entity’s annual plan may contain the critical risks
identified for particular areas of the entity concerned, and its annual activity report provides an
overview of the critical risks encountered and their impact on the achievement of the entity’s
objectives. However, the auditor should exercise professional scepticism, as risks identified by the
audited entity may not address those that are important for audit purposes, and such information
may be biased. The auditor can also consider the entity’s internal audit report, if it exists, for
identifying the potential areas of concern.

By noting down all the potential areas identified, the auditor will have a list of inherent risks of non-
compliance to the entity or the subject matter.

Identifying control risks (CR)


Control risk is the risk that the relevant internal controls associated with the inherent risks are
inappropriate or do not work properly, and as a result, the entity will fail to prevent material non-
compliances or detect and correct them on a timely basis. The auditor assesses the control risks based
on the understanding and evaluation of the entity’s internal control system.

Auditors would ask questions regarding controls structured around the five components (i.e., control activities, risk assessment, information and communication, monitoring, control environment) of the internal control system. The auditor’s primary consideration is whether, and how, a specific control prevents or detects and corrects a non-compliance. If an expected control does not exist, the auditor enquires about any compensating controls that may be in place and would have the same effect as the original control.

Walk-through tests: To determine the proper functioning of control, the auditor carries out ‘walk-
through tests’ of a small number of transactions (if the audit’s subject matter is budget execution or
expenditure) or the operations of the entity under audit. Note that obtaining an understanding of an
entity’s controls should not be considered to be a test of its operating effectiveness; such testing is
carried out in the audit conducting phase.

Focus on relevant controls: The auditor considers only those controls that are relevant to the audit
objective. It is a matter for the auditor’s professional judgment as to whether a control, individually
or in combination with others, is relevant to the inherent risks of the subject matter. Furthermore, the
auditor determines which controls are to be considered as key. The auditor selects an appropriate
number of key controls for testing to ensure that all relevant risks are covered. While choosing the
controls, the auditor may consider the following:

- Significance of the related risk (materiality)
- Nature of the entity’s business, including its organisation
- Diversity and complexity of the entity’s operations
- Size of the entity
- Applicable legal and regulatory requirements
- Circumstances and the applicable component of internal control
- Nature and complexity of the systems that are part of the entity’s internal control
- Whether, and how, a specific control prevents, or detects and corrects non-compliance

There is a direct relationship between the entity objectives, which the entity strives to achieve, and
the internal control components, which represent what is needed to achieve the objectives. All
components are relevant to each category of entity objectives. When looking at any one category –
the effectiveness and efficiency of operations, for instance – all five components of internal control
must be present and functioning effectively to conclude that internal control over the entity
operations is effective.
The detection risk (DR)
Detection risk is under the auditor’s control. It is the risk that the auditor will not be able to detect
non-compliance that has not been corrected by the organisation’s internal controls. ISSAI 4000.52
states, ‘The auditor shall perform procedures to reduce the risk of producing incorrect conclusions to
an acceptable low level.’ Reducing audit risk includes58:
• Anticipating the possible or known risks of the work envisaged and the consequences thereof,
and
• Developing procedures to address those risks during the audit and documenting which and
how those risks will be addressed.
The auditor can reduce detection risk by auditing the subject matter in a planned and structured
manner, and by identifying the inherent and control risks to the greatest extent possible. In the audit
assurance model, 95% confidence is required through substantive procedures or in combination with
tests of controls. The assurance level of 95% corresponds to an audit risk of 5%.

The auditor designs appropriate audit procedures to reduce the detection risks to an appropriately
low level; it is recommended to keep the overall audit risk at 5%. Detection risk, however, can only be
reduced, not eliminated, because of the inherent limitations of an audit. Accordingly, some detection
risk will always exist.

To enhance the effectiveness of an audit procedure and its application, and to reduce the possibility
that the auditor might select an inappropriate audit procedure or misinterpret the audit results, it is
essential to ensure:
• Adequate risk assessment in the planning phase
• Assignment of competent personnel to the engagement team
• That the auditor exercises professional scepticism
• Supervision and review of the audit work performed
The following table shows the components of the audit risk and the resulting assurance that can be
derived from the control test and substantive procedures.
Assessed inherent risk | Evaluation of entity internal control system | Assurance from combined risk assessment | Confidence from inherent and control assurance | Substantive testing to be carried out
Low | Adequate | High control assurance | Both inherent assurance and control assurance | Minimum
Low | Not adequate | No control assurance | Inherent assurance, but no control assurance | Standard
High | Adequate | High control assurance | No inherent assurance, but control assurance; control test can be extended to reduce substantive test | Standard
High | Not adequate | No control assurance | No inherent assurance, and no control assurance; assurance only from the substantive test | Maximum and focused

58 ISSAI 4000.53

Auditors use this table to determine and develop the audit approach. It demonstrates that the extent
of the audit work is based on the perceived risks and the effectiveness of controls to mitigate the risks.
In the case of an audit where the inherent risk is high, and the internal control is not adequate, the
auditor develops the plan considering no inherent and control assurance. The auditor will perform,
applying professional judgment, a focused audit with maximum substantive procedures, as explained
in chapter 6.
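The audit risk model and the assurance table above, worked through as an added example (not code from the handbook or any SAI): it maps the assessed inherent risk and control evaluation to the substantive testing extent given in the table, and derives the detection risk the auditor can accept from the multiplicative model AR = IR × CR × DR with the handbook's 5% audit risk target. The multiplicative model, the numeric IR/CR values and the city-council risk register entries are assumptions constructed for the illustration.

```python
"""Audit risk model and substantive-testing extent, following the handbook's table.

Added illustration (not part of the ISSAI handbook or any SAI's tooling).
Assumptions, labelled as such: the multiplicative audit risk model
AR = IR x CR x DR, and the numeric IR/CR values in the sample register.
"""
from dataclasses import dataclass

# Handbook: 95% assurance corresponds to an overall audit risk of 5%.
AUDIT_RISK_TARGET = 0.05

# Handbook table: (assessed inherent risk, evaluation of internal control)
# -> (confidence from inherent and control assurance, substantive testing).
ASSURANCE_TABLE = {
    ("low", "adequate"): (
        "both inherent assurance and control assurance", "minimum"),
    ("low", "not adequate"): (
        "inherent assurance, but no control assurance", "standard"),
    ("high", "adequate"): (
        "no inherent assurance, but control assurance; control test can be "
        "extended to reduce substantive test", "standard"),
    ("high", "not adequate"): (
        "no inherent assurance, and no control assurance; assurance only "
        "from the substantive test", "maximum and focused"),
}


def substantive_testing(inherent_risk: str, internal_control: str) -> tuple:
    """Look up the handbook's table; keys are normalised to lower case."""
    key = (inherent_risk.strip().lower(), internal_control.strip().lower())
    if key not in ASSURANCE_TABLE:
        raise ValueError(f"unknown assessment combination: {key}")
    return ASSURANCE_TABLE[key]


def planned_detection_risk(ir: float, cr: float,
                           audit_risk: float = AUDIT_RISK_TARGET) -> float:
    """Detection risk the auditor can accept, from AR = IR x CR x DR (assumed model).

    IR and CR are probabilities in (0, 1]. The result is capped at 1.0; as the
    handbook notes, detection risk can be reduced but never eliminated, so the
    lower the planned DR, the more substantive work is needed.
    """
    if not (0.0 < ir <= 1.0 and 0.0 < cr <= 1.0):
        raise ValueError("IR and CR must be probabilities in (0, 1]")
    return min(1.0, audit_risk / (ir * cr))


@dataclass
class RiskRegisterEntry:
    """One inherent risk of non-compliance from the risk register (constructed sample)."""
    description: str
    inherent_level: str       # "low" / "high", as in the handbook's table
    control_evaluation: str   # "adequate" / "not adequate"
    ir: float                 # assumed numeric inherent risk
    cr: float                 # assumed numeric control risk
    fraud_risk: bool = False  # ISSAI 4000.58: fraud risk is considered throughout


def plan_audit_approach(register: list) -> list:
    """For each risk, derive the planned detection risk and the testing extent."""
    plan = []
    for entry in register:
        confidence, extent = substantive_testing(entry.inherent_level,
                                                 entry.control_evaluation)
        dr = planned_detection_risk(entry.ir, entry.cr)
        plan.append({
            "risk": entry.description,
            "confidence": confidence,
            "substantive_testing": extent,
            "planned_detection_risk": round(dr, 3),
            # A fraud-related risk always requires special audit consideration;
            # so does a risk with neither inherent nor control assurance.
            "significant": entry.fraud_risk or extent == "maximum and focused",
        })
    return plan


# Constructed sample register for the handbook's city-council illustration.
SAMPLE_REGISTER = [
    RiskRegisterEntry("Building permits issued without the required inspections",
                      "high", "not adequate", ir=1.0, cr=1.0),
    RiskRegisterEntry("Land leases allocated outside the tender rules",
                      "high", "adequate", ir=1.0, cr=0.25, fraud_risk=True),
    RiskRegisterEntry("Routine licence fee receipts not reconciled",
                      "low", "adequate", ir=0.5, cr=0.2),
]

if __name__ == "__main__":
    for row in plan_audit_approach(SAMPLE_REGISTER):
        print(row)
```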
Identifying fraud risk
ISSAI 4000.58 states, ‘The auditor shall consider the risk of fraud throughout the audit process, and document the result of the assessment.’ While detecting potential unlawful acts, including fraud, usually is not the main objective of the compliance audit, auditors do include fraud risk factors in their risk assessments, and remain alert for indications of unlawful acts, including fraud, in carrying out their work.
Auditors looking for material fraud risks should exercise professional scepticism, discuss the issues with management, apply the audit tests unpredictably and follow up on management override of controls. Auditors also analyse the elements generally present in a fraud. The elements are presented in what is commonly referred to as the fraud triangle (Figure 5.3: The fraud triangle):
• Incentive or pressure to commit fraud
• Opportunity to commit the fraud
• An attitude or rationalisation to justify the fraud
The opportunity to commit fraud generally arises due to inadequate, ineffective or missing internal
controls. Auditors should use their professional judgment in assessing the risk of non-compliance due
to fraud according to four risk attributes:
• Type of risk involved
• Significance of the risk (materiality)
• Likelihood of the risk causing a material non-compliance
• The pervasiveness of the risk
Auditors should be alert to the possibility of fraud and set risk-based priorities for their tests to detect
the different types of deliberate non-compliance possible and to report on fraudulent financial
reporting, misappropriation of assets and corruption. SAIs with sufficient resources may establish a
risk assessment team which can provide input on fraud risks to the audit team.
If suspicion of unlawful acts arises during the audit, the auditor may communicate this to the
appropriate levels of management and those charged with governance. Those charged with
governance are likely to be administrative bodies higher up in the reporting hierarchy. Where
appropriate and reasonable, the auditor may follow up and ascertain that management or those
charged with governance have taken appropriate action in response to the suspicion, for example by
reporting the incident to the relevant law enforcement authorities. The auditor may also report such
incidents directly to the relevant law enforcement authorities.59
Note: Because of the different mandates and organisational structures that exist internationally, it is
up to the SAI to determine the appropriate action to be taken regarding instances of non-compliance
related to fraud or serious irregularities.60 The auditors take action to ensure that they respond
appropriately based on the SAI’s mandate and the particular circumstances.
The audit team can document the fraud risks with the suggestive working paper template provided in
Exhibit 5.4.

59 ISSAI 4000.231
60 ISSAI 400

ISSAI 4000.55 states that, in a direct reporting engagement, ‘The auditor may apply the audit risk
model in forming a conclusion on the subject matter.’ The auditor can follow an abridged process. By
identifying and assessing the entity’s inherent and control risks, the auditor can define the nature and
extent of the evidence-gathering procedures required to test compliance with the criteria. The higher
the level of risk, the greater the extent of audit work required to lower detection risk sufficiently to
achieve the acceptable level of audit risk.61
The risk identification and assessment process for planning a direct reporting engagement may consist
of the four steps in Figure 5.4.62

Figure 5.4: Risk assessment process for a direct reporting engagement

The process allows the auditor to start with the acquired knowledge of the subject matter and to eventually focus on the critical risks that lead to the relevant audit questions. The auditor can apply the process of identifying inherent and control risks in step 1, following the stages of understanding the entity and the internal control, as explained above.
Assessment of the risks
The auditor assesses all risks identified in the previous steps. As part of the risk assessment, the auditor
determines which of the inherent risks identified are, in his/her judgment, risks that require special
audit consideration (significant risks), which are derived from business or operational risks that may
result in non-compliance. The auditor should evaluate the design of the related controls and
determine through testing whether these controls have been implemented effectively and
continuously throughout the period under review.
For example, if the subject matter of an audit is the expenditure of the entity, the auditor considers
whether the risk:
• Involves significant transactions;
• Involves significant non-routine transactions that are outside the normal course of operation
for the entity or that appear to be unusual;

61 ISSAI 4000.56
62 https://www.eca.europa.eu/Lists/ECADocuments/GUIDELINE_RISK_102013/GUIDELINE_RISK_102013_EN.pdf

• Is a risk of fraud; and
• Is related to any recent developments and therefore requires specific attention.
The auditor considers the complexity of transactions and the degree of subjectivity in the
measurement of financial information related to the risks.
The assessment of risks, based on the determination of significant risks, is a matter for the auditor’s
professional judgment. To determine whether the risk would require audit consideration, the auditor
examines the nature of the risk, the likely impact of the potential non-compliance and the likelihood
of the risk materialising.
Deciding on the likelihood of the risks materialising is a fundamental difficulty in the risk assessment
process. The auditor will work based on assumptions, and these assumptions should be reasonable
and should be documented.
The auditor then has to determine what the likely impacts or consequences are on the organisation
and the achievement of relevant objectives, if the risk should materialise.

Example:
The auditor may determine a level – high, medium or low – of occurrence (likelihood) and seriousness (impact) for each risk using the risk matrix below. The overall evaluation of the risks is the result of the combination of both elements.63

Risk matrix: likelihood (Low / Medium / High) against impact (Low / Medium / High)

Overall risk evaluation:
Low – Risk can be ignored
Medium – Judgment based on the characteristic of the risk
High – Risk must be followed up by the audit

An illustration of the risk assessment in planning is provided below.

Example: Risk assessment of the operations of a city council

Background: The subject matter of the audit is ‘the operations of a city council’ responsible for city governance. The council has various operations, e.g. land management, building management, licensing, revenue collection and tax collection. It also has the budget execution and expenditure aspect of its operations. The auditor scoped the audit on the activities and services of the city council, specifically the land management and building management and how the entity is complying with the applicable criteria in accomplishing the two functions.

Risk assessment: The auditor identifies the risks, using the process described in section 5.2, by assessing the inherent and control risks. The risks are identified by analysing the process flow of each function – building management and land management – while understanding the entity and its control environment. The audit team assessed the risks and documented the significant risks in the risk register. Only those risks identified were taken to the risk register, and the audit procedures were designed accordingly. While conducting the audit, the team identified additional risks for both the land and building management. The team documented the new risks and modified the audit plan accordingly.
If the audit’s subject matter is the council’s expenditure and budget execution, the auditor can perform the risk assessment considering all operations related to the expenditure.

63 https://www.eca.europa.eu/Lists/ECADocuments/GUIDELINE_RISK_102013/GUIDELINE_RISK_102013_EN.pdf

Determine materiality
ISSAI 4000.125 states, ‘The auditor shall determine materiality to form a basis for the design of the
audit, and re-assess it throughout the audit process.’ After selecting the significant audit areas, the
auditor determines materiality.64 The auditor then selects the subject matter and criteria, taking into
consideration the risk and materiality.65

Assessing materiality in planning phase:
• Helps the auditor to identify the audit questions which are of importance to the intended user(s).
• Helps assess the material risks and determine the nature, timing and extent of audit procedures (ISSAI 4000.70).

Assessing materiality in conducting phase:
• The auditor uses materiality in deciding the extent of audit procedures to be executed and in the evaluation of audit evidence.
• In evaluating evidence and concluding the audit, the auditor uses materiality to evaluate the scope of work and the level of non-compliance to determine the impact on the conclusion or opinion.

Assessing materiality in reporting:
• In a direct reporting – reasonable assurance engagement, the audit conclusion expresses the auditor’s view that the subject matter is or is not compliant in all material respects with the applicable criteria (ISSAI 4000.38).

While planning the audit, the auditor chooses the materiality, based on the needs of the intended
user(s).66 Determining materiality is a matter of professional judgment and depends on the auditor’s
interpretation of the users’ needs. The intended user may judge a matter material if information about
it is likely to influence the user’s decision-making process.
ISSAI 4000.127 states, ‘Materiality may focus on quantitative factors such as the number of persons
or entities affected by the particular subject matter or the monetary amounts involved as well as the
misuse of public funds, regardless of the amount.’

Quantitative materiality: ISSAI 4000.129 states, ‘Quantitative materiality is determined by applying a


percentage to a chosen benchmark as a starting point… This involves the exercise of professional
judgment and reflects, in the auditor’s judgment, the measures that user(s) of the information are
most likely to consider important.’
ISSAI 4000.186 states that materiality by value can involve, based on the subject matter, the amounts
(monetary amounts) or other quantitative measures such as the number of citizens or entities
involved, the carbon emission levels and delays concerning deadlines.
The auditor can apply a threshold percentage between 0.5% and 5% for quantitative materiality. This choice is a matter of judgment, based on the auditor’s assessment of internal control, risk assessment, the sensitivity of the subject matter and the needs of the intended users. The auditor can apply a different threshold percentage considering the users’ needs. In addition to the threshold percentage, a ceiling may also be set in terms of the absolute amount.
Quantitative materiality is mostly used in attestation engagement. When performing such engagements, the auditor might want to select separate levels of materiality for classes of transactions or balances that are more important to the account user(s) or that have a higher risk of non-compliance material by nature or context. For a direct reporting engagement, when the subject matter is the expenditure of an entity, the auditor can apply quantitative materiality.

64 ISSAI 4000.128
65 ISSAI 4000.37
66 ISSAI 4000.103


Example: Calculation of overall quantitative materiality

Determination of quantitative materiality requires the auditor to identify the materiality base and the percentage to be applied on the gross amount. The percentage is determined based on the status of risks and controls, the sensitivity of the subject matter and user needs. In this example, the auditor is using 1.5%, considering that the subject matter is relatively sensitive.

Sensitivity of the subject matter: 0.5% --------> 5%
Materiality base: Gross expenditure amount 345,000,000
Materiality threshold: 1.5%
Materiality level: 345,000,000 x 1.5% = 5,175,000

The quantitative materiality level is 5,175,000. This means that if the value of non-compliance exceeds this limit, it can be considered material and would affect the audit conclusion. Auditors should consider the pervasiveness of the non-compliance.

Illustration 5.3: Determining quantitative materiality


The level of materiality will influence the amount of audit work the auditor undertakes. The
percentage ranges to be used are set by the audit team depending on the materiality basis adopted.
The choice of percentage should be based on the risk profile and characteristics of the subject matter
being audited, i.e., the level of public and parliamentary interest in them, particularly if the audit
report is going to be used as a means of holding the responsible party accountable.
Because the risk profiles, the sensitivity of the transactions and the effectiveness of internal controls
may differ between areas of the subject matter, materiality thresholds may also be set differently for
each area. The auditor may consider setting materiality thresholds for individual areas separately from
the overall materiality. This can be done by applying the overall threshold percentage used to determine
the overall materiality level to the population value of that particular area of the subject matter. Or, if
the risk profile, sensitivity and effectiveness of internal control vary significantly between areas, the
auditor may apply a different threshold percentage to an area to reflect that.
In a compliance audit, there could be situations where quantitative materiality does not apply to a
particular subject matter under audit. Hence, the qualitative aspects of materiality become more
pertinent.

Qualitative materiality: ISSAI 4000.130 states, ‘In some cases, the qualitative factors are more
important than the quantitative factors. Public expectations and public interest are examples of
qualitative factors that may impact the auditor’s determination of materiality.’
The relative importance of qualitative factors when considering materiality in a particular audit is a
matter of the auditor’s professional judgment. The qualitative factors may include:
• The relationship between various parts of the subject matter if non-compliance in one area of
the subject matter affects the others
• The nature of observed non-compliance with a control when the subject matter information
is a statement that the control is effective
• Whether non-compliance is the result of an intentional or unintentional act

• When the subject matter is a government programme or an entity, whether a particular
aspect of the programme or entity is significant with regard to the nature, visibility and
sensitivity of the programme or entity
• When the subject matter information relates to a conclusion on compliance with law or
regulation, the seriousness of the consequences of non-compliance
The scenario below illustrates the aspects of qualitative materiality.
Example: Consideration of qualitative materiality

The terms of a building code require the building inspector to perform several annual inspections.
The government agency has not performed inspections for the past five years. This non-compliance
may be significant due to qualitative aspects such as safety implications. Although no monetary
amounts are involved, the non-compliance may be considered material due to the potential
consequences it may have on the safety of the building occupants. Moreover, in the event of a
disaster, there is also a risk that the non-compliance may result in significant liability claims, which
could have material financial implications for the government agency.

As stated in ISSAI 4000.127, the inherent nature or characteristics of an item or group of items may
also render a matter material (qualitative materiality). Qualitative materiality is determined by the
nature and context of the subject matter.
Material by nature is related to inherent characteristics and concerns issues where there may be
specific disclosure requirements or high political or public interest. It includes any suspicion of serious
mismanagement, fraud, illegality or irregularity or intentional misstatement or misrepresentation of
results or information. Materiality by nature may arise due to non-compliance:
• By high officials that raises suspicion of a conflict of interest
• That may suggest fraudulent activity or corruption
• In an area where there is a high degree of public interest
• Where the legislation or regulations make clear that it is a serious offence, regardless of the
monetary value
Material by context concerns items that are material by their circumstance, so that they change the
impression given to the users. It includes instances where a minor error or non-compliance may have
a significant effect, e.g., misclassification of expenditure as income so that an actual deficit is reported
as a surplus.

For example, where the total value of non-compliance is below the materiality threshold but the
auditor is aware that a stakeholder, such as Parliament, has expressed a special interest in the
apparent irregularities in the subject matter, the auditor considers the issue material even though
its value is not.
Setting a qualitative threshold is sometimes advisable when a quantitative materiality threshold
cannot be established, because the non-compliance cannot always be quantified with amounts or
monetary values. It could be more appropriate for the audit team to set a tolerable rate of non-
compliance as a threshold, on the subject matter as a whole, and to different areas of the subject
matter where appropriate. However, the auditor should also define what constitutes a material non-
compliance, as non-compliance with varying levels of authorities such as parliamentary legislation,
regulations or guidelines will differ in their hierarchy and significance.

If the profile of the subject matter is sensitive and there is high interest from the Parliament, the public
and the media, a lower tolerable non-compliance rate would entail more audit tests and greater
assurance on the areas assessed.
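The materiality assessment described above (the overall level in Illustration 5.3, separate thresholds per area of the subject matter, an optional absolute ceiling, a tolerable rate of non-compliance where amounts cannot be quantified, and the "material by nature or context" override) can be carried through as a small worked calculation. This is an added example, not part of the handbook or any SAI's tooling; the area names, populations, tolerable rate and findings are constructed, and the handbook's 345,000,000 x 1.5% figure is used only for the overall level.

```python
"""Worked materiality evaluation for a compliance audit.

Added example, not from the IDI handbook. The areas, populations, tolerable
rate and findings below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Area:
    name: str
    population: float                       # gross value of the area (its materiality base)
    threshold_pct: Optional[float] = None   # area-specific %, if risk/sensitivity differ; else overall %
    tolerable_rate: Optional[float] = None  # tolerable rate of non-compliance where amounts do not apply
    items_tested: int = 0
    items_noncompliant: int = 0


@dataclass
class Finding:
    area: str
    amount: float = 0.0                 # value of the non-compliance; 0.0 when it cannot be quantified
    material_by_nature: bool = False    # e.g. suspected fraud, conflict of interest, serious statutory offence
    material_by_context: bool = False   # e.g. small misclassification that turns a deficit into a surplus


def overall_materiality(base: float, pct: float, ceiling: Optional[float] = None) -> float:
    """Overall quantitative materiality: base x pct %, capped by an absolute ceiling if one is set."""
    level = base * pct / 100.0
    return min(level, ceiling) if ceiling is not None else level


def evaluate_areas(areas: List[Area], findings: List[Finding], overall_pct: float,
                   ceiling: Optional[float] = None) -> Dict[str, dict]:
    """Assess each area. An area is material when the aggregated value of
    non-compliance exceeds its threshold, or the observed non-compliance rate
    exceeds the tolerable rate, or any finding is material by nature or context."""
    results: Dict[str, dict] = {}
    for area in areas:
        pct = area.threshold_pct if area.threshold_pct is not None else overall_pct
        threshold = overall_materiality(area.population, pct, ceiling)
        area_findings = [f for f in findings if f.area == area.name]
        total = sum(f.amount for f in area_findings)
        quantitative = total > threshold
        rate = (area.items_noncompliant / area.items_tested) if area.items_tested else None
        rate_exceeded = (area.tolerable_rate is not None and rate is not None
                         and rate > area.tolerable_rate)
        qualitative = any(f.material_by_nature or f.material_by_context for f in area_findings)
        results[area.name] = {
            "threshold": threshold,
            "total_noncompliance": total,
            "rate": rate,
            "material_quantitative": quantitative,
            "material_rate": rate_exceeded,
            "material_qualitative": qualitative,
            "material": quantitative or rate_exceeded or qualitative,
        }
    return results


# Constructed sample data (hypothetical areas and findings).
AREAS = [
    Area("grants", population=200_000_000),                          # uses the overall 1.5%
    Area("procurement", population=145_000_000, threshold_pct=1.0),  # higher risk: tighter threshold
    Area("building inspections", population=0.0, tolerable_rate=0.05,
         items_tested=40, items_noncompliant=1),                     # no monetary base; rate-based
]
FINDINGS = [
    Finding("grants", amount=1_200_000),
    Finding("grants", amount=900_000),
    Finding("procurement", amount=1_600_000, material_by_nature=True),  # suspected conflict of interest
    Finding("building inspections", material_by_nature=True),            # inspections not performed; safety consequences
]

if __name__ == "__main__":
    print("overall materiality:", overall_materiality(345_000_000, 1.5))  # 5175000.0
    for name, result in evaluate_areas(AREAS, FINDINGS, 1.5).items():
        print(name, result)
```

Running the block shows grants below its 3,000,000 area threshold, procurement material both quantitatively and by nature, and building inspections material on qualitative grounds alone even though its non-compliance rate is within tolerance.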
ISSAI 4000.92 states that at the audit planning stage, the documentation kept by the auditor needs to
contain the assessment of the materiality of the subject matter. The auditor can document the
evaluation of materiality at the planning stage with the working paper template in Exhibit 5.5.

Result of risk assessment: Risk register


Once the auditor identifies and assesses all risks, and determines the material risks, the risks are then
listed in a risk register and considered for audit testing. This listing is to document all potential risks of
non-compliance in a step-by-step, systematic process. The audit team may consider other appropriate
forms of documentation of the risks. From the risk register, the audit team may further elaborate the
risks with a suggestive tool – the audit planning matrix – with the suitable audit procedures to be
performed and evidence to be collected. The audit team can document the risks identified for the
audit with the suggestive working paper template provided in Exhibit 5.6.
Design audit procedures to respond to the assessed risks
ISSAI 4000.149 states that the auditor needs to plan appropriate responses to assessed risks (identified
and documented in the risk register). Responses to the assessed risks include designing audit
procedures that address the risks.
The nature, timing and extent of the audit procedures to be performed may vary from one audit to
the other. Nonetheless, compliance audit procedures, in general, involve establishing the relevant
criteria, i.e., the authorities that govern the entity, and then measuring the relevant subject matter
against those authorities.
The auditor can use an audit planning matrix (shown in Illustration 5.4) for documenting the responses
to the assessed risks. The matrix provides a structure for the essential design components and makes
the planning a systematic and directed one. The aim is to facilitate communication of the decisions on
the methodology and assist with the field-work. The matrix outlines the requirements and procedures
necessary to implement the audit objective and to make assessments against the audit criteria for
each identified risk in the risk register.
The matrix is flexible, and the team should update or modify its contents as the audit work progresses.
It establishes a relationship between the audit objectives, audit procedures and the audit field-work.
It also facilitates audit supervision and review for quality control.
No.   1. Risks identified        2. Criteria   3. Required evidence   4. Source of evidence   5. Audit procedures
      (from the risk register,                 or information         or information          to perform
      Exhibit 5.6)
1.    Risk 1
2.    Risk 2
3.    …

Illustration 5.4: Audit planning matrix


Audit procedures include substantive procedures and tests of controls. Substantive procedures
include both tests of details and analytical procedures. If auditors intend to rely on the operating
effectiveness of control, they need to obtain evidence that the controls are operating effectively when
determining the nature, timing and extent of substantive procedures. The design and implementation
of key controls relevant to the subject matter might be evaluated as adequate.

The audit team can document the audit procedures to perform in the matrix with the suggestive
working paper template provided in Exhibit 5.7. Based on the designed audit procedures for the risks
identified, and the potential audit evidence to be collected during the audit, the auditors perform the
audit, which is explained in chapter 6.

5.3 Documenting and ensuring the quality of the audit strategy and audit plan

Documenting the audit strategy and the audit plan is the final step of the planning process. By this
point, the audit team has examined all critical aspects of the audit. Team members have reached an
understanding on what they will do in the audit (documented in the audit strategy) and how they will
do it (documented in the audit plan).
Planning also involves considerations related to the direction, supervision and review of the audit
team and its work. The auditor can prepare both the audit strategy and audit plan together as one
document for approval by the SAI management before starting the audit field-work. In the process,
the auditor should review the audit plan and strategy, and address the significant matter(s) raised in
the review, revision, finalisation and sign-off of the strategy and plan by the management.
All exhibits provided in this chapter will form the basis for input to the development of the audit plan
document. The interlinkages between the exhibits and their output can be shown as in Illustration 5.5.

Illustration 5.5: Documenting the audit plan


Exhibits 5.2 to 5.5 identify the risks relevant to the audit. The audit procedures and audit evidence to
be collected are documented in Exhibit 5.7, along with the matrix. The auditor updates both the audit
strategy and the audit plan as necessary throughout the audit process.
The audit plan should be reviewed, modified if necessary and approved by the appropriate official
who has supervisory authority over the audit team. If the SAI structure does not have such a
supervisory layer, the plan should be reviewed by another auditor of adequate seniority and authority
within the SAI who has successfully performed audits of similar type and complexity, and who is
independent of the audit team. All such reviews, and any approvals, should be documented. Those
responsible for reviewing the audit plan may consider the suggestive quality checklist provided in
Appendix 5-A.

Chapter 6

Performing audit procedures, and gathering and evaluating evidence

6.1 Audit evidence
6.2 Sufficient and appropriate audit evidence
6.3 Evidence-gathering techniques
6.4 Determining the sample size
6.5 Evaluating audit evidence and forming conclusions
6.6 Ensuring quality at the audit field-work stage

In the audit field-work phase, the auditors perform the audit procedures on the risks identified in the
audit plan. In this phase, the auditors select samples, if required, from the subject matter, gather
evidence and evaluate the audit evidence. This chapter begins with the types and characteristics of
sufficient and appropriate audit evidence. It then describes the suitable sampling method to use for
the particular kind of engagement. It explains the various evidence-gathering techniques and how the
auditor can evaluate the evidence gathered to form the conclusion for a direct reporting engagement.
6.1 Audit evidence

Audit evidence is the information on which the auditor’s conclusion or opinion is based. Auditors
design and apply necessary audit procedures to obtain sufficient and appropriate audit evidence to
form a conclusion or opinion as to whether a subject matter complies, in all material respects, with
the established criteria.
To cover the audit scope, the auditor has to decide when the audit evidence is sufficient and
appropriate to provide a basis for a conclusion or an opinion. In the planning phase,
auditors review the:
• Internal controls established by the audited entity to prevent, detect and rectify instances of
non-compliance, and
• Whether there is an organisational unit within the audited entity for management of controls
and other risks.
Based on this review, auditors identify control risks and other risks and take these into consideration
while they start gathering audit evidence. Following are the different types of evidence.
Testimonial evidence
This evidence is what the audited entity staff say to the auditor. Although it is the weakest form of
evidence, some testimonial evidence is stronger than others. For example, the staff who perform the
task can explain better how the task is actually performed than the supervisor of the staff who is aware
of how the task should be performed. Testimonial evidence from two or more people is stronger than
it is from one person.
Documentary evidence
This type of evidence is contained in the documents. It is the second strongest type of evidence;
however, it is important to consider the source of the document. Records produced by the entity’s
information systems are a common form of evidence used by auditors. Documents from sources
external to the organisation are stronger than internal documents; however, they are not as strong as
the documents sent directly to the auditors. For example, an entity employee might produce a
fictitious invoice which is from a non-existent vendor.
Physical evidence
This type of evidence is what the auditors see or observe while auditing. Most common is, for example,
the evidence auditors see when conducting an inventory count or observing the areas where toxic
chemicals are released by an entity. This is considered the strongest form of evidence. The auditor
needs to consider what the evidence proves and what it does not prove.
Analytical evidence
The auditor obtains this type of evidence by comparing, computing or otherwise analysing the data.
Auditors can review the budget to actual expenditure comparisons. Analytical evidence proves that
there are certain relationships among the data analysed. The auditor usually investigates further to
identify the causes of such relationships.
Circumstantial evidence
This is not direct evidence but is related to the circumstances. In this case, the auditor presents
evidence of other facts that based on a reasonable inference would lead the auditor to believe the
intended fact to be proved. In other words, circumstantial evidence means all proof other than direct
proof of non-compliance. Usually, this evidence is used in ascertaining non-compliance due to fraud.
For example, in a potential fraud or corruption scenario, it is evidence of the standard behaviour, the
employee’s breach and the irregular payments.

6.2 Sufficient and appropriate audit evidence


Sufficiency and appropriateness are interrelated. The auditor exercises professional judgment and
scepticism in considering the quantity (sufficiency) and quality (appropriateness) of evidence while
determining the nature, timing and extent of the audit procedures to be performed.
The auditor will often need to combine and compare evidence from different sources to meet the
requirements for sufficiency and appropriateness of audit evidence. The nature and sources of
necessary audit evidence are determined by the following: the subject matter, the audit scope, the
criteria, materiality and the level of assurance.

Sufficiency of audit evidence: Quantity


Sufficiency is a measure of the quantity of evidence needed to support the audit findings and
conclusions. There is no formula to express in absolute terms how much evidence there must be to
be considered sufficient. In assessing the sufficiency of the evidence, the auditor needs to determine
whether enough evidence has been obtained to persuade a knowledgeable person that the findings
are reasonable.67
The quantity of the audit evidence needed is related to the nature of the audit task. For example, to
form a conclusion in a reasonable assurance engagement, the auditor needs to obtain more evidence
than in a limited assurance engagement.68 Also, a wider audit scope normally requires more audit
evidence than a narrower scope.
The quantity of evidence depends on audit risk. The higher the risk, the more evidence is likely to be
required. For the quality of evidence, the higher the quality, the less evidence may be required.69
However, merely obtaining more evidence does not compensate for poor quality.70
What constitutes sufficient and appropriate evidence is a matter of the auditor’s professional
judgment, and that judgment on the evidence is based on the:
• Significance of a potential non-compliance
• Likelihood of non-compliance having a material effect on the subject matter
• Effectiveness of the responses by the entity to address the risk of non-compliance
• Experience from previous audits with similar non-compliance
• Results of the audit procedures performed
• Source and reliability of the available information
• Persuasiveness of the evidence
• Understanding of the responsible party and its environment

67 ISSAI 4000.147
68 ISSAI 4000.146
69 ISSAI 4000.151
70 ISSAI 4000.152

Appropriateness of audit evidence: Quality

Appropriateness is a measure of the audit evidence’s quality. It includes relevance, validity and
reliability.71

Relevance
• The extent to which evidence has a logical relationship with and importance to the issue being
addressed.
• Evidence helps to answer the audit objective.
• Evidence applies to the period under review.

Validity
• The extent to which the evidence is a meaningful or a reasonable basis for measuring what is
being evaluated.
• Evidence represents what it is purported to represent.

Reliability
• The extent to which the audit evidence has been gathered and produced following a
transparent method.
• Evidence fulfils the requirements for credibility.
• The reliability of evidence is affected by its source (internal or external), type (physical,
documentary, oral or analytical) and the circumstances.

While recognising that exceptions may exist, audit evidence is more reliable when it is:
• Obtained from independent sources – from outside the entity, e.g., a confirmation received from a
third party, as opposed to being generated internally
• Subject to effective related controls – internally generated evidence is more reliable when the
controls over its preparation operate effectively
• Obtained directly by the auditor – for example, direct observation of the application of a control,
rather than indirect enquiry about the implementation of a control
• In documentary form – whether paper, electronic or another medium, rather than verbal statements
• Provided in original documents – rather than photocopies

71 ISSAI 4000.148

Other considerations on audit evidence

Auditors should adequately document the audit evidence in the working papers. Such documentation
includes the work performed, findings and conclusions, and the rationale for major decisions.
Information that is not pertinent to work done or conclusions reached should not be included.
Auditors also consider:

• Corroborating the evidence – Obtaining evidence from different sources or of a different nature
may either corroborate other evidence or indicate that an individual item of evidence is not
reliable.
• Performing additional procedures – In cases where evidence obtained from one source is
inconsistent with that obtained from another, the auditor needs to determine what additional
procedures are needed to resolve the inconsistency.
• Use of confidential evidence – If documents produced by management are classified as
confidential, the auditor or his/her superior at the appropriate level will discuss how this
confidential information might best be used.
• Evidence on fraud – Information and documentation relating to cases of discovered or suspected
fraud should be handled with particular care.

6.3 Evidence-gathering techniques

ISSAI 4000.144 states, ‘The auditor shall plan and perform procedures to obtain sufficient and
appropriate audit evidence to form a conclusion with the selected level of assurance.’ Obtaining
sufficient and appropriate audit evidence is a systematic and iterative process, as it involves the
following:
• Gathering the evidence – by performing appropriate audit procedures as planned
• Evaluating the evidence – as to its sufficiency (quantity) and appropriateness (quality)
• Re-assessing risk – gathering further evidence as necessary

As the auditor performs planned audit procedures, the audit evidence obtained may lead the auditor
to modify the nature, timing or extent of other planned audit procedures. Information may come to
the auditor’s attention that differs significantly from the information on which the risk assessments
were based at the outset.
For example, the extent of non-compliance that the auditor detects by performing audit procedures
may alter the auditor’s judgment about the risk assessments and may indicate a material weakness in
internal control. In such circumstances, the auditor should re-evaluate the planned audit procedures
based on a revised consideration of assessed risks.

ISSAI 4000.158 states, ‘The auditor shall select a combination of audit techniques to be able to form a
conclusion with the selected level of assurance.’
Evidence may be obtained by carrying out a variety of techniques. The auditor should make a
judgment as to which method (or a combination thereof) for obtaining audit evidence will be suitably
reliable and should balance the reliability of the evidence against the cost of getting it. Commonly
used evidence gathering techniques are72 the test of controls (observation, inspection, inquiry, re-
performance) and substantive procedures (test of details and analytical procedures).

Test of controls
Test of controls involves testing the controls that management has put in place to reduce the risk of
non-compliance or the risk that the subject matter information is materially misstated. For most
subject matters, testing key controls is an effective way to collect audit evidence.73
The auditor performs tests of controls to confirm the preliminary assessment of those key controls
upon which s/he intends to rely. The objective of tests of controls is to evaluate whether those key
controls operated effectively and continuously during the period under review.
• If the tests of controls confirm that the controls have operated continuously and effectively
throughout the period under review, then reliance can be placed on these controls and minimum
substantive testing can be performed. When these controls are found not to have operated
continuously and effectively throughout the period under review, the auditor should reassess the
audit approach, and increase the extent of substantive testing to be performed.
• The techniques that are generally used to test key controls are observation and enquiry,
inspection and re-calculation, or a combination thereof. The auditor can document testing
operating effectiveness of controls using the working paper template provided in Exhibit 6.1.

Observation involves looking at a process or procedure being performed by others. Observation
provides audit evidence of the performance of a method or system but is limited to the point in time
at which the observation takes place, and by the fact that the act of being observed may affect how
the process or procedure is performed.74 In performing a compliance audit, this may, for example,
include looking at how a bid tendering process is carried out or observing how benefit payments are
processed in practice.
The inspection involves examining books, records or documents, whether internal or external, either
in paper form, electronic form or a physical examination. The auditor considers the reliability of any
documents inspected and remains conscious of the risk of fraud and the possibility that papers
examined may not be authentic.75 In performing a compliance audit, the inspection may, for example,
include reviewing case files or other relevant documents to determine if recipients of benefits met
eligibility requirements, or examining an asset such as a bridge or a building to determine if it meets
the applicable building specifications.
72 ISSAI 4000.160
73 ISSAI 4000.168
74 ISSAI 4000.161
75 ISSAI 4000.162

Inquiry involves seeking information from relevant persons, both within and outside the audited
entity. Depending on the subject matter and the scope, interviews and questionnaires alone will, in
most cases, not be sufficient and appropriate evidence. Other relevant evidence-gathering methods
to be considered are, for example, written documentation from the audited entity.76 The inquiry is
generally used extensively throughout an audit and complements other audit procedures. For
example, when observing processes being performed, such as the benefits payment process within a
country or state, inquiries could be made of officers as to how relevant legislation, including changes
and updates, is identified and interpreted.
SAIs with jurisdictional powers may use the method of inquiry as set out in the laws governing the
auditing procedures. An inquiry may involve preparing and sending a written communication to the
relevant responsible persons asking for specific information that the audit team considers to be
necessary to support the conclusions.77
External confirmation represents audit evidence obtained by the auditor as a direct written response
to the auditor from a third party. For example, the auditor obtains feedback directly from the
beneficiaries or third parties that have received grants: they confirm that they have been paid, or
that the funds have been used for the particular purpose set out in the terms of the grant or funding
agreement, as asserted by the audited entity.78
Re-performance involves independently carrying out the same procedures already performed by the
audited entity, i.e., controls that were originally performed as part of the entity’s internal control. Re-
performance may be done manually or by computer-assisted audit techniques. Where highly technical
matters are involved, external experts may be needed.79
Re-calculation consists of checking the mathematical accuracy of documents or records. Re-
calculation may be performed manually or electronically.80 Some examples of re-performance are:
• Review of individual case files to test whether the audited entity made the correct
decisions or provided the appropriate service in accordance with the relevant criteria
• Re-performance of process steps to test the appropriateness of visas or residence permits
issued
• Re-computation of taxation deductions on audited entity staff payroll to confirm the
correct amounts payable in taxes

Substantive procedures
Substantive procedures include tests of details and analytical procedures.
Tests of details involve testing detailed transactions or activities against the audit criteria. Substantive
testing must always be included in attestation engagements.81 In most direct reporting engagements,
auditors conduct substantive testing. This is because at the planning stage while identifying the risks,
auditors have determined that there are very limited or non-existent internal controls in the entity.
Depending on how well the entity has managed the subject matter, the auditors may decide not to
separately test and evaluate internal controls but rather look into relevant controls along with
substantive testing.

The substantive procedures were designed during the planning phase to be responsive to the related
risk assessment; their purpose is to obtain audit evidence to detect non-compliance. However,
irrespective of the assessed risk and level of reliance, the auditor should design and perform
substantive procedures (tests of details) for each material area.

76 ISSAI 4000.163
77 ISSAI 4000.171
78 ISSAI 4000.164
79 ISSAI 4000.165
80 ISSAI 4000.166
81 ISSAI 4000.167

Substantive testing typically includes the following:
Substantive test                        Areas
Computation                             • Re-performance of calculations of claims, grants
Analysis                                • Analysis of findings of work by internal and other auditors
(excluding analytical review)           • Analysis of legal basis, legal and budgetary commitments,
                                          eligibility, tendering procedures
Re-performance                          • Re-performance of already inspected or audited transactions
Inspection                              • Physical assets
                                        • Contracts
                                        • Claims
                                        • Ex-ante and ex-post control reports
                                        • Audit reports (internal and external)
                                        • Monitoring reports
                                        • Supporting documents, e.g., invoices, public procurement
                                          documents, cost–benefit analysis, photos, records of
                                          beneficiaries
Inquiry and confirmation                • Inquiry of auditee management and staff
                                        • Circularisation of bank balances
                                        • Circularisation of receivables
Observation                             • On-the-spot checks
Illustration 6.1: Substantive procedures

The auditor should carry out substantive tests as designed in the planning phase unless the evaluation
of the results of tests of controls requires him/her to reconsider the nature, timing and extent of the
tests of details. The auditor can document the substantive testing procedures using the working paper
template provided in Exhibit 6.2.
Analytical procedures involve acquiring information from various sources to determine what is
expected, comparing the actual situation with that expectation, investigating the reasons for any
discrepancies arising and evaluating the results. These procedures can be used both as part of the risk
analysis and when collecting audit evidence. Audit evidence can be obtained either by comparing data
and investigating fluctuations or by identifying relationships that appear inconsistent with what was
expected based on either historical data or the auditor’s experience. Regression analysis techniques
or other mathematical methods may assist public sector auditors in comparing actual with expected
results.
In a limited assurance engagement, analytical procedures and inspections usually are enough to form
a conclusion with limited assurance. In contrast, a conclusion with reasonable assurance must be
formed based on a combination of the audit techniques.82
However, in a compliance audit, analytical procedures may, only in certain circumstances, assist the
auditor in evaluating compliance. For example, where allowances under a grants scheme are subject
to a maximum value and the number of recipients is known, the auditor may use analytical procedures
to establish whether the permitted maximum has been breached. These techniques or combinations
thereof may be used for tests of controls or substantive procedures.

82 ISSAI 4000.169

Considerations in gathering evidence
The auditor may consider the level of reliability of evidence as a general guideline, and it may vary
across the entities. The following is the hierarchy of the reliability of the types of evidence83:
Level of reliability Types of evidence
High - Physical examination
- Re-performance
Medium - Documentation
- Confirmation
- Analytical procedures
Low - Inquiries of entity personnel or management
- Observation

In some situations, the auditor may view confirmations as a highly reliable source of evidence, when
an independent third party is qualified to respond to the auditor’s request. So, the level of reliability
is subject to a number of exceptions considering the audit context.
The auditor may use one or more of these procedures based on the risks of non-compliance to criteria
and other information under audit. The following table84 shows the types of evidence and relevant
audit procedures to gather evidence.
Types of evidence and the evidence-gathering procedures used to obtain them:
• Auditor’s calculations: Recalculation by the auditor
• Physical observation, inspection: Observation and examination by the auditor
• Statements by independent parties: Confirmation by a letter
• Statements by entity personnel: Verbal inquiry and written representations
• Documents prepared by independent parties: Examination of documents (vouching or tracing)
• Documents prepared by the audited entity: Examination of documents (vouching or tracing)
• Data relationships: Scanning; Analytical procedures

Examination of documents: Vouching

Vouching is taking information from one document or record backwards to an asset, document or
record that was prepared earlier. For example, auditors might vouch information on a
computer-generated report back to the source documents from which the information was input into
the entity’s information system, and so verify the validity of the information.
Examination of documents: Tracing
Tracing is taking information from one document, record or asset forward to a document or record
that was prepared later. For example, if the auditor counts inventory, they would trace their count
forward to the entity records of inventory and verify the completeness of inventory as required by the
records.
Scanning
Scanning is the way auditors exercise their general watchfulness for unusual items or events in the
audited entity’s documentation. In general, scanning is the ‘keeping eyes open’ approach of looking for
anything uncommon. Auditors need to consider that the scanning procedure generally does not
produce a piece of direct evidence itself, but it can assist auditors in raising questions on which they
need to obtain evidence.

83 William F. Messier, Jr., Auditing and Assurance Services: A Systematic Approach, third edition, p. 152
84 Jack C. Robertson and Timothy J. Louwers, Auditing and Assurance Services, tenth edition, p. 93

6.4 Determining the sample size

ISSAI 4000.172 states, ‘The auditor shall use audit sampling, where appropriate, to provide a sufficient
amount of items to draw conclusions about the population from which the sample is selected. When
designing an audit sample, the auditor shall consider the purpose of the audit procedure and the
characteristics of the population from which the sample will be drawn.’
Audit sampling is defined as the application of audit procedures to less than 100% of items within a
population of audit relevance. A sample may be quantitative or qualitative, depending on the audit
scope and the need for information to analyse the subject matter from several angles.
Quantitative sampling is used when the auditor seeks to draw conclusions about the whole population
by testing a sample of items selected from it. In quantitative sampling, the sampling risk must be
reduced to an acceptably low level. However, the technical approach to quantitative sampling may
require statistical techniques. If the audit team does not have the skills to apply them, an expert
statistician may be required.
Qualitative sampling is a selective procedure conducted as a deliberate and systematic process to
identify the factors of variation in the subject matter. The auditor might sample based on
characteristics of individuals, groups, activities, processes or the audited entity as a whole. Qualitative
sampling always requires careful assessment and sufficient knowledge of the subject matter.
When the auditor selects cases for in-depth study, it usually results in relatively small samples that
can answer more explorative questions and provide new information, analyses and insight into the
subject matter. It may be appropriate to use risk-based sampling instead of a statistical approach when
selecting items for testing; for instance, when addressing a specific significant risk.

Selecting samples for testing

When deciding which sample items to test, the auditor can:
• Select all items (100% examination);
• Select specific items; or
• Use audit sampling.
The choice of a particular method is a matter of an auditor’s professional judgment based on risk
assessment, materiality, audit efficiency and cost. But the method chosen should be effective in
meeting the purpose of the audit procedure.
When to select all items
Selecting all items is appropriate when the number of items is small but of high value, when the risk
is high or when computer-assisted audit techniques (CAATs) allow all items to be tested efficiently. It
is more common for substantive testing (tests of details) than for tests of controls.
When to select specific items
The auditor selects certain items from a population because of the specific characteristics they
possess. These are typically high-value or high-risk items (e.g., relatively high or low amounts) or items
that represent a large proportion of the subject matter. It is useful for tests of controls and substantive
testing, and also to gain an understanding of the entity or to confirm the auditor’s risk assessment.
While it is an efficient method of gathering audit evidence, it is not comparable to audit sampling, and
so the results cannot be projected to the entire population. However, it may play a role as part of an
audit approach that provides reasonable assurance without using audit sampling methods.

When to use audit sampling
The sampling method to be used in selecting the sample should match the characteristics of the
population. The audit team should decide the most appropriate method of selecting the samples. The
auditor can determine the suitable sampling method by using the decision tree in Figure 6.1 below.

Figure 6.1: Decision tree – determining the appropriate sample selection method

Judgmental sampling (risk-based sampling): This involves selecting items from a population in
accordance with predetermined and documented criteria based on the auditor’s judgment.
Judgmental or risk-based sampling cannot be used if the objective of the sample is to extrapolate the
results. When reporting results, auditors should take care to ensure that readers are not misled into
thinking that the results are representative of the population.

Simple random sampling: The main characteristic of simple random sampling is that all transactions
or sampling units have the same chance of being selected for testing. A high-value transaction is no
more likely to be chosen than one of low value. While the method is the most straightforward to apply,
its use for tests of detail is generally restricted to situations where the sampling units making up an
area of the subject matter are fairly homogeneous.

Systematic sampling is a method of statistical sampling in which every item has an equal chance of
selection. The practical implementation of a systematic sampling method uses a random starting point
and then an average sampling interval for progression through the expenditure. For example, if the
auditor wishes to select 100 items from a population of 20,000 items, the uniform interval is every
200th item. The auditor selects the first item within the first interval and selects every 200th item. The
first item is selected randomly.

Monetary unit sampling (MUS): Monetary unit sampling is a statistical sampling method in which a
high-value transaction is more likely to appear in the sample than one of lower value. The chance of a
transaction being selected is in direct proportion to its size. Any transaction above the average
sampling interval will certainly be selected. Monetary unit sampling is more widely used than the
simple random sampling because it is usually more efficient, as the margins of uncertainty in the
estimates of error are generally narrower.
However, the calculations involved in extracting a monetary unit sample can be cumbersome, and the
method is practical if it can be automated. Also, statistically, this method is valid only for populations
with low error rates.

Stratified MUS: Stratified monetary unit sampling divides the population into several subgroups
(strata). The strata have to be predefined according to different characteristics within the population,
e.g., according to risk. The auditor should use professional judgment when determining these
characteristics, including his/her knowledge of the population subject to audit. In each stratum, a
number of items are selected with MUS. The number of items to be selected can be different in every
stratum.

For the particular type of engagement and subject matter, using any of these methods, the auditor
selects the samples to perform the audit procedures on the risks identified to gather sufficient and
appropriate audit evidence.
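As an added example (not code from the handbook), the following Python selects items by the systematic and monetary unit sampling methods described above: a random start, a fixed interval, and, for MUS, selection in proportion to value so that any item at or above the interval is certain to be chosen; the population, references and stratum names are constructed.

```python
"""Systematic and monetary unit sample selection.

Added example, not from the handbook. Both methods use a random starting
point and a fixed sampling interval; MUS applies the same idea over the
population's cumulative monetary value, so the chance of an item being
hit is proportional to its value. Sample data below is constructed.
"""
import random
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Item:
    ref: str       # transaction reference (constructed)
    value: float   # monetary amount


def systematic_sample(n_items: int, sample_size: int,
                      start: Optional[int] = None,
                      rng: Optional[random.Random] = None) -> List[int]:
    """Indices of every k-th item after a random start within the first interval.

    E.g. 100 items from a population of 20,000 gives an interval of 200:
    a random start in [0, 200) and then every 200th item.
    """
    if not 0 < sample_size <= n_items:
        raise ValueError("sample size must be between 1 and the population size")
    interval = n_items // sample_size
    rng = rng or random.Random()
    if start is None:
        start = rng.randrange(interval)
    if not 0 <= start < interval:
        raise ValueError("start must lie within the first interval")
    return list(range(start, n_items, interval))[:sample_size]


def monetary_unit_sample(items: List[Item], sample_size: int,
                         start: Optional[float] = None,
                         rng: Optional[random.Random] = None) -> List[Item]:
    """Select items with probability proportional to their value.

    The monetary units of the population are laid end to end; every
    `interval`-th unit after a random start is a hit, and the item that
    contains the hit unit is selected. An item whose value is at least the
    interval spans a whole interval and is therefore certain to be selected.
    An item hit more than once is returned once, so the result can be
    shorter than sample_size.
    """
    total = sum(it.value for it in items)
    if sample_size <= 0 or total <= 0:
        raise ValueError("need a positive sample size and population value")
    interval = total / sample_size
    rng = rng or random.Random()
    if start is None:
        start = rng.uniform(0, interval)
    if not 0 <= start < interval:
        raise ValueError("start must lie within the first interval")
    selected: List[Item] = []
    cumulative = 0.0
    next_hit = start
    for it in items:
        cumulative += it.value
        hit = False
        while next_hit < cumulative:   # consume every hit unit inside this item
            hit = True
            next_hit += interval
        if hit:
            selected.append(it)
    return selected


def stratified_mus(strata: Dict[str, List[Item]], sizes: Dict[str, int],
                   rng: Optional[random.Random] = None) -> Dict[str, List[Item]]:
    """Run MUS separately in each predefined stratum (e.g. grouped by risk).

    The number of items per stratum can differ, so a higher-risk stratum
    can be sampled more heavily than a low-risk one.
    """
    return {name: monetary_unit_sample(items, sizes[name], rng=rng)
            for name, items in strata.items()}


# Constructed population: five payments with a total value of 500.
POPULATION = [Item("A", 50), Item("B", 300), Item("C", 20),
              Item("D", 10), Item("E", 120)]


if __name__ == "__main__":
    rng = random.Random(2022)
    print("systematic:", systematic_sample(20_000, 100, rng=rng)[:5], "...")
    picked = monetary_unit_sample(POPULATION, 5, rng=rng)
    # "B" (300 >= interval 100) is present whatever the random start
    print("MUS:", [it.ref for it in picked])
```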

Considerations in selecting samples for testing


It is important to note that determining sample size requires documenting the underlying
considerations of the subject matter. The support for the sample size used in an audit is based on
auditor judgment. It depends on factors such as the significance of the control tested or the risk of
material non-compliance, which are important in documenting the application of sampling
procedures.

Also, SAIs may use their internal guidance that results in a sample size that is different from the
approach suggested here. When an auditor determines a sample size using SAI-suggested methods,
the basis for that determination would also be important in documenting the sampling applications
and procedures.

6.5 Evaluating audit evidence and forming conclusions

ISSAI 4000.179 states, ‘The auditor shall compare the obtained audit evidence with the stated audit
criteria to form audit findings for the audit conclusion(s).’ For a balanced and objective view, the
evaluation process entails considering all evidence provided in relation to the audit findings. By
evaluating the scope of work performed, the auditor determines whether s/he is able to draw a
conclusion. If the scope of work is insufficient, the auditor might consider performing further
procedures or modifying the opinion or conclusion due to a scope limitation.
Whether the evidence gathered is sufficient and appropriate
The evidence-gathering process continues until the auditor is confident that sufficient and appropriate
evidence exists to support the agreed level of assurance that will support the auditor’s conclusion or
opinion.85 The auditor maintains professional scepticism throughout the audit to reduce the risks of:
• Overlooking unusual circumstances;
• Overgeneralising when drawing conclusions from observations; and
• Using inappropriate assumptions in determining the nature, timing and extent of procedures
and evaluating the results thereof.
In the assessment of the evidence gathered, the auditor exercises professional scepticism by
questioning the inconsistent evidence and the reliability of documents and responses to inquiries.
Also, the auditor considers the sufficiency and appropriateness of evidence obtained in light of the
circumstances.

85 ISSAI 4000.150

The auditor should not disregard past experience with the honesty and integrity of those who provide
evidence. Nevertheless, a belief that those who provide evidence are honest and have integrity does
not relieve the auditor of the need to maintain professional scepticism during the audit. It is also
equally important to consider:
• The nature, timing and extent of procedures used to obtain evidence
• Whether sufficient appropriate evidence has been obtained
• Whether more needs to be done to achieve the objectives of relevant auditing standards
• The appropriate conclusions to draw based on the evidence obtained
In a direct reporting engagement, auditors plan audit procedures to gather evidence on the risks
identified at the planning phase. The audit strategy and audit plan document include the audit
planning matrix (Exhibit 5.7), which lists all risks to be tested by applying various audit procedures.
Once the auditor has performed the audit procedures for the identified risks, the auditor formulates
audit findings based on the information gathered and its analysis.
Audit findings and observations
An audit finding describes the compliance deviation, based on the information gathered during
field-work, between the existing situation and the criteria. The common elements of a finding are criteria
(authorities to comply with), condition (what is the situation found vis-à-vis the criteria), cause (why
there is a deviation from the criteria) and effect (what are the consequences of the non-compliance).
The findings and information obtained during the audit, conclusions and recommendations can be
recorded in the findings matrix. The findings matrix is a useful tool to facilitate the assessment of the
findings, whether they are based on sufficient appropriate evidence, as well as to prepare a coherent
audit report.
The narrative of the findings originates from the substantive tests of details (or the procedures
performed) for all risks identified. The table in Illustration 6.2 below shows the elements of an audit
findings matrix.

Risk/Audit question: …….

Finding: Audit criteria | Condition/evidence | Cause | Effect

Conclusion: …..

Recommendation (if applicable): ….

Illustration 6.2: Findings matrix template
The auditor determines the causes of the non-compliance and its effect. The effect of non-compliance
may be monetary or other losses to the entity, and it can also point to the party responsible for the
non-compliance. While identifying the cause is important, it is more important to determine the root
cause of a particular non-compliance.

The auditor can make appropriate and implementable recommendations based on the root cause
identified. If the root cause cannot be identified, a recommendation will not address the core problem,
and the entity will fail to rectify the particular non-compliance. Identifying the root cause requires the
auditor to focus on the underlying cause of the non-compliance and not on the surface-level cause or
the obvious cause. The root cause analysis process is explained below.

Root cause analysis


The root cause is identified with the use of appropriate root cause analysis tools, e.g., brainstorming,
fishbone diagram, flowcharting or answering the ‘five whys.’ The five whys tool is the simplest root
cause analysis tool. It uses a question-asking method to explore the cause-and-effect relationship
underlying the problem. Essentially, the auditor keeps asking ‘why’ until a meaningful conclusion is
reached. Generally, a minimum of five questions should be asked, although additional questions
are sometimes required if the real cause is yet to be identified. An illustrative example86 is provided
below.
A finding on non-compliance: The entity’s fleet of vehicles did not meet the set availability target: the
entity failed to comply with the criteria to provide the required service with the delivery of vehicles.

Obvious cause: The entity did not have enough vehicles.

Recommendation aimed at a symptom or apparent cause: The entity should ensure that the fleet of
vehicles meets the availability target.

Identifying the root cause of the non-compliance for vehicle service using the ‘five whys’ tool:
Why 1: The vehicles were often not available due to mechanical problems.
Why 2: There were not enough technicians on site to fix the mechanical repairs.
Why 3: Too few technicians have completed training in recent years.
Why 4: Not enough instructors were available to provide the required training.
Why 5: Many instructors retired in the same year, in the absence of any succession plan or
recruitment strategy.

Recommendation aimed at the root cause: The entity should establish a succession plan and
recruitment strategy to support vehicle maintenance activities.

By answering the five ‘whys’ using the root cause analysis, the auditor found that the entity was not
able to provide the vehicle service due to a budget cut to driver training. Besides, there were not
enough skilled drivers for service delivery. Had the auditor ended the analysis with the surface-level
or the obvious cause, the recommendation would have been that the entity should ensure that vehicle
service is provided as per the required rules. Since this does not address the core problem of the
non-compliance, it would not lead to any improvement in the entity’s system, and the non-compliance
would recur.
Considering materiality
While completing the findings matrices for the risks identified, the auditor determines if the
non-compliances are material or not. Here the auditor applies the concept of materiality for value and
nature or context. ISSAI 4000.37 states that the auditor uses materiality in deciding the extent of audit
procedures to be executed and in the evaluation of audit evidence. In evaluating evidence and
concluding the audit, the auditor uses materiality to evaluate the scope of work and the level of
non-compliance to determine the impact on the conclusion or opinion.

If the non-compliance can be quantified, the quantitative materiality determined at the planning stage
can be applied. Where the non-compliance is non-monetary and qualitative, the auditor could apply
the materiality threshold identified at the planning stage. The auditor uses professional judgment to
determine if non-compliance is material or not by considering:

• The amount involved… can be a monetary amount or other measures such as the number of people
involved, delays in days or time, etc.
• The visibility and sensitivity… of the subject matter under audit, and effects and consequences of
non-compliance
• Expectations… of the legislative body, the general public or other stakeholders and end users of
the audit report
• Nature and significance… of the authorities governing the subject matter

86 https://www.caaf-fcar.ca/images/pdfs/research-publications/RootCauseAnalysisEN.pdf


The auditor can document the findings on the identified risks using the working paper template
provided in Exhibit 6.3: Audit findings matrix. Below is an illustrative example of a findings matrix
prepared based on the example of operations of a city council provided in planning (section 5.2).

Example: Performing audit procedures for operations of the city council

Risk/audit question: The entity may not have the provision of adequate fire security arrangements in
the completed buildings.

Finding
Audit criteria: As per clause 1.1.20xx of the 20xx-Fire Safety, ‘All new buildings should be provided
with at least one fire extinguisher on each floor.’
Condition/evidence: The audit team checked and verified the approved building drawings. Also, the
team compared the implementations of the requirement during a physical verification to selected
sites from 20/7/20xx to 22/7/20xx in conformity with the clause 1.1.20xx. The team found that in the
majority of the buildings, fire safety equipment was not in place as required by the clause.
Cause: The city authority didn’t enforce the requirement prior to approving the application of the
building drawings and designs. Also, the clause didn’t include any provision for penalty for not having
a fire extinguisher; the city authority couldn’t impose a penalty for such cases.
Effect: Due to this, the completed buildings are vulnerable to the risk of fire and potential risks to
human lives.

Conclusion: The entity didn’t comply with the requirements to have at least one fire extinguisher on
each floor of the building as per 1.1.20xx of the 20xx-Fire Safety.

Recommendation: The management should put in place proper controls to ensure that the provisions
of the clause are strictly complied with in future approvals, besides enforcing the penalty rule against
the non-compliances in line with the amended 1.1.20xx of the 20xx-Fire Safety.

Forming an overall conclusion on the subject matter


ISSAI 4000.184 states, ‘Based on the audit findings, and the materiality, the auditor shall draw a
conclusion whether the subject matter is, in all material respects, in compliance with the applicable
criteria.’
The auditor forms the overall conclusion, or audit opinion, in evaluating all relevant evidence in
relation to the identified materiality. Based on the materiality, the auditor evaluates whether the audit
findings are material enough to conclude on the subject matter.
In evaluating audit results of subject matters with non-monetary compliance attributes, the
qualitative materiality threshold (the tolerable level of non-compliance) set at the planning stage is to
be used. A threshold can also be set for each area of the subject matter as well as for the subject
matter as a whole. A materiality threshold for each area of the subject matter apart from the overall
materiality threshold may be helpful in evaluating the sample results and forming a conclusion.
Example
If the subject matter is the procurement practice of the Ministry of Infrastructure:
• Overall threshold (tolerable level of non-compliance) could be set at 4%.
• The threshold for individual areas of the subject matter may be set as:
Procurement planning 3%, sourcing 5%, contract management 4%.
The threshold for individual areas has to be set after considering the risks involved in each area, the
status of controls and the entity’s past compliance record in these areas.
Forming a conclusion from the results of the tests of controls is a process common to both attestation
engagements and direct reporting engagements. It is the usual audit process followed to arrive at an
audit conclusion when tests of controls and statistical sampling are used for subject matters that are
value-driven and where the instances of non-compliance can be quantified. If statistical sampling is
applied in a direct reporting engagement, the subject matter is value-driven and the non-compliances
are quantifiable, the same process can be followed to form the conclusion.

In formulating the overall conclusion, the auditor has to calculate the actual non-compliance rate. For
that, the auditor determines the instances of non-compliance observed in the tests. For example, if
the total sample size tested was 40, and the instances of non-compliance identified were 5, then the
actual non-compliance rate would be (5/40) x 100 = 12.50%. If judgmental sampling was used, the
auditor might directly compare this non-compliance rate with the tolerable level of non-compliance
(threshold) set for the subject matter. If the non-compliance rate exceeds the threshold, the auditor
may conclude that the subject matter is not in compliance with the established criteria.
However, it may be possible that instances of non-compliance identified are from one particular area
of the subject matter and not spread across the entire subject matter. In other words, the
non-compliance is not pervasive. In that case, the auditor has to modify the conclusion in such a way that
this is clearly communicated.
When the auditor can quantify the non-compliance, the value of non-compliance is compared against
the quantitative materiality level set to form the conclusion. The auditor also considers the
pervasiveness of the non-compliance and may modify the conclusion depending on the circumstances.
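The following Python is an added example (not from the handbook) that carries the non-compliance rate calculation and the per-area thresholds of the Ministry of Infrastructure illustration through to a conclusion; the sample counts are constructed, and the rule it uses to call non-compliance pervasive is an assumption for illustration rather than a rule stated in the handbook.

```python
"""Comparing sample results with tolerable non-compliance thresholds.

Added example, not from the handbook. The thresholds reproduce the
Ministry of Infrastructure illustration (overall 4%; procurement planning
3%, sourcing 5%, contract management 4%); the sample counts are
constructed. Calling non-compliance pervasive when the overall threshold
is exceeded AND more than one area is over its own threshold is an
assumption for illustration, not a rule stated in the handbook.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class AreaResult:
    area: str
    tested: int        # sample items tested in this area
    exceptions: int    # instances of non-compliance found

    @property
    def rate(self) -> float:
        """Actual non-compliance rate in percent, e.g. 5 of 40 -> 12.5."""
        if self.tested <= 0 or not 0 <= self.exceptions <= self.tested:
            raise ValueError("inconsistent sample counts")
        return self.exceptions / self.tested * 100


AREA_THRESHOLDS = {"procurement planning": 3.0, "sourcing": 5.0,
                   "contract management": 4.0}
OVERALL_THRESHOLD = 4.0


def evaluate(results: List[AreaResult],
             area_thresholds: Dict[str, float] = AREA_THRESHOLDS,
             overall_threshold: float = OVERALL_THRESHOLD) -> Dict[str, object]:
    """Compare per-area and overall rates with the tolerable levels and conclude."""
    rates = {r.area: round(r.rate, 2) for r in results}
    breached = [r.area for r in results if r.rate > area_thresholds[r.area]]
    tested = sum(r.tested for r in results)
    exceptions = sum(r.exceptions for r in results)
    overall_rate = round(exceptions / tested * 100, 2)
    overall_ok = overall_rate <= overall_threshold

    if overall_ok and not breached:
        conclusion = "compliant in all material respects"
        pervasive = False
    elif not overall_ok and len(breached) > 1:   # assumed pervasiveness rule
        conclusion = "not compliant; non-compliance is pervasive"
        pervasive = True
    else:
        # A threshold is breached but the deviation is confined, so the
        # modified conclusion must say where it was found.
        where = ", ".join(breached) or "overall threshold only"
        conclusion = f"not compliant; non-compliance confined to: {where}"
        pervasive = False
    return {"rates": rates, "breached": breached, "overall_rate": overall_rate,
            "pervasive": pervasive, "conclusion": conclusion}


if __name__ == "__main__":
    sample = [AreaResult("procurement planning", 40, 1),
              AreaResult("sourcing", 40, 1),
              AreaResult("contract management", 40, 5)]
    print(evaluate(sample))
```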

6.6 Ensuring quality at the audit field-work stage

Ensuring quality during the audit field-work, while gathering and evaluating audit evidence, is a
fundamental component of the audit practice. Upon completion of the field-work, the audit supervisor
should review all aspects of the audit tasks performed during the audit – including audit tests carried
out, the findings and the working papers – and should document such reviews. It is helpful, in this
review process, to identify the changes and improvements necessary for current and future audits.
The reviewer may consider the checklist provided in Appendix 6-A to quality review the audit
field-work.

Chapter 7

Reporting and follow-up compliance audits

7.1 Principles of reporting
7.2 Elements of a compliance audit report
7.3 Reporting by SAIs with jurisdictional powers
7.4 Reporting suspected fraud and unlawful acts
7.5 Ensuring the quality of the audit report
7.6 Communicating the report to the stakeholders
7.7 Audit follow-up

This chapter covers the reporting and follow-up phases of the compliance audit process. It describes
the principles of reporting, the structure, and the reports’ form and content for a direct reporting
engagement and an attestation engagement.
The SAI provides information to the intended users (Figure 7.1), through its audit reports, on whether
the audited entities have followed the legislative decisions, laws, legal acts, policies, established codes
and agreed-upon terms. The auditor performs the audit procedures to reduce the audit risk and to
ensure that the conclusion or opinion provided in the report is appropriate in the circumstances of the
audit. This assurance, in effect, forms the basis for the compliance audit report.

Figure 7.1: Users of SAI audit reports

The auditors begin reporting with the drafting of the preliminary findings or observations. The SAI
management approves the initial observations, after which the team completes the contradiction
procedures with the audited entity. The auditor finalises the report for SAI approval, and issues and
submits it to the respective users according to the SAI’s mandate.

7.1 Principles of reporting

To ensure that the report is produced in accordance with the standards of quality and is relevant for
all its users, it should conform to the five principles of reporting. ISSAI 4000.202 states, ‘The auditor
shall prepare an audit report based on the principles of completeness, objectivity, timeliness, accuracy
and contradiction.’

Objectivity requires the auditor to apply professional judgment and scepticism to ensure that the
report is factually correct and that findings and conclusions are presented in a relevant, fair and
balanced manner.

Completeness requires the auditor to consider all relevant audit findings before issuing the report. The
relationship between audit objectives, findings and conclusions needs to be completely and clearly
stated.

Timeliness requires the auditor to prepare the report in due time when the findings are applicable and
relevant for the intended users.

Accuracy and consultation require the auditor to check the accuracy of facts with the audited entity,
and to ensure that the findings portray a correct and logical picture.

Contradiction requires that the auditor incorporate responses from the responsible party as
appropriate and give answers to and assessments of the responses.

Illustration 7.1: Principles of reporting

The key to an excellent report is effective communication, with clear and objective findings and
conclusions on the audit objectives. It allows the reader to understand what was done, why and how.
It also provides practical recommendations, without impairing the auditor’s objectivity.
Proper planning and conducting with adequate quality control measures during the process provide
the basis for a quality compliance audit report. Additionally, reports should be clear – with simple
language for easy understanding, free from vagueness or ambiguity – and be concise and balanced. In
the report, the auditor should present persuasive arguments, with illustrative examples. Such a report
helps the responsible party to take appropriate corrective actions towards addressing the instances
of non-compliance and for the auditor to plan for following up on its findings. In deciding on how to
prepare the report, the auditor considers the following:

Relevant legislation Level of assurance


Users’ needs SAI mandate
and regulation provided

Type of SAI's reporting Complexity of the


engagement practice reported issues

7.2 Elements of a compliance audit report

Considering the types of engagement and the degree of assurance provided, compliance audit reports
can mainly be for a reasonable assurance – direct reporting engagement or attestation engagement.
The structure and content of these two types are described below. To decide on the length and
structure of its compliance audit reports, the audit team needs to consider the SAI mandate and legal
framework along with the ISSAI requirements.
The elements of the audit report for a direct reporting engagement87 and attestation engagement88
are:
Direct reporting engagement:
1. Title
2. Identification of the auditing standards
3. Executive summary (as appropriate)
4. Description of the subject matter and the scope (extent and limits of the audit)
5. Audit criteria
6. Explanation and reasoning for the methods used
7. Findings
8. Conclusion(s) based on answers to specific audit questions or opinion
9. Replies from the audited entity (as appropriate)
10. Recommendations (as appropriate)

Attestation engagement:
1. Title
2. Addressee
3. Identification of the auditing standards and level of assurance
4. Description of the subject matter information, and when appropriate, the underlying subject matter
5. Extent and limits of the audit including the period covered
6. Responsibilities of the responsible party and the auditor
7. Audit criteria
8. A summary of the work performed and methods used
9. Opinion or conclusion
10. Replies from the audited entity (as appropriate)
11. Report date
12. Signature

Some of these elements are common for both direct reporting and attestation engagement. Some
elements are specific to each type of engagement. These are explained below.

87 ISSAI 4000.210
88 ISSAI 4000.218

Elements common for both direct reporting and attestation engagements
Title The title of the report briefly mentions the audit subject matter in a way that can be
clearly understood by readers.
Identification of the In its audit reports, the SAI declares which standards it follows when conducting the
auditing standards audit. Also, in the audit report, the SAI should refer to the auditing standards it
applied and level of followed in conducting the particular audit.
assurance
A direct reporting engagement report differs from an attestation engagement report
in the requirement regarding conveying assurance.
In a direct reporting engagement, the auditor might not give an explicit statement of
assurance on the subject matter but must provide the users with the necessary
degree of confidence. The auditor explicitly explains how the findings, criteria and
conclusions were developed in a balanced and reasoned manner, and why the
combinations of findings and criteria result in a particular overall conclusion or
recommendation.
In an attestation engagement report, opinions and conclusions should explicitly
convey the level of assurance.
Description of the The subject matter is described in the audit report. The report’s introduction sets out
subject matter and the audit scope in the form of a clear statement of the audit’s focus, extent and limits.
the scope It also includes the period covered by the audit.
Audit criteria The criteria against which the subject matter is assessed should be identified in the
auditor’s report. The criteria may be included in the report itself or the report may
refer to the criteria if they are contained in an assertion from management or
otherwise available from a readily accessible and reliable source.
In cases where the criteria applied in the audit are not readily identifiable or have had
to be derived from relevant sources, the criteria are clearly stated in the relevant
section of the auditor’s report. In cases where the criteria are conflicting, the conflict
is explained.
Explanation and reasoning for the methods used

The report should include a clear statement of the procedures performed to gather evidence in answering the audit questions. This enables a user to read and follow the report and have confidence that the conclusions reached are correct.
It is important to write the methodological summary in an objective way that allows
intended users to understand the work done as the basis for the auditor’s conclusion.
However, the summary should not be so brief as to make it difficult to understand
the auditors’ work, especially how the auditors arrived at a conclusion or opinion.
Conclusion(s) or opinion based on answers to specific audit questions

The conclusion or opinion is expressed as an answer to specific audit questions. The nature of the wording may be influenced by the SAI mandate and the legal framework under which the audit is conducted. ISSAI 4000.191 states, ‘The auditor shall communicate the conclusion in an audit report. The conclusion can be expressed either as an opinion, conclusion, answer to specific audit questions or recommendations.’
In a direct reporting engagement, the auditor provides assurance by measuring the
subject matter against the criteria and forms a conclusion. The audit conclusion
expresses the auditor’s view that the subject matter is or is not compliant in all
material respects with the applicable criteria. The conclusion is expressed in the form
of findings, answers to specific audit questions, recommendations or opinion.
For attestation engagements, the level of assurance will be conveyed by the
appropriate use of standardised audit opinions. Forms of opinion and conclusion for
attestation engagement are explained in section 7.2.

Replies from the audited entity (as appropriate)

Incorporating the audited entity’s responses to the findings is part of the principle of contradiction. It involves agreeing the facts with the audited entity to help ensure that findings are complete, accurate and fairly presented. It also involves, as appropriate, incorporating the audited entity’s response to the matters raised, whether verbatim or in summary.
Timely clearing of the findings creates the basis for a sound report and reduces the
time it takes to agree on the final report with the audited entity. The team sends the
draft report, with the SAI approval, to the audited entity for comment. During the
conducting phase of the audit, the team already has discussed the individual findings
with the entity. With this, the entity was up to date on the audit’s progress.
The medium used to present the findings to the audited entity can be based on the
SAI’s regular forms, e.g. a management letter or draft findings. The auditee is required
to respond to the draft report. Once the team receives comments from the entity,
the auditor analyses the response and ensures that valid issues raised by the auditee
are taken into account while finalising the report.
Based on the SAI’s legal framework, the auditor may publish the report with the
comments in full, or in a summary or an edited version, or not include the comments.

Elements specific to a direct reporting engagement

Executive summary

The executive summary of the work performed and methods used helps the intended users understand the auditor’s conclusion. Hence, the executive summary needs to give the reader a brief explanation of how the audit was performed.

The executive summary includes a paragraph on the entity’s background, explaining the main topic and its importance. It also sets out the objective, audit questions and audit approach, and describes the key audit findings and conclusions in a summary form that is easy to read and understand. From this, the reader gets an overview of the topic’s critical issues. The executive summary includes the audit’s main recommendations and a statement confirming that the audited entity had the opportunity to comment on the report. The executive summary typically runs to two or three pages but can be shorter, depending on the particular audit.

Findings

The findings section includes the auditor’s description of the gathered evidence compared with the criteria. Each finding is structured to lead the reader from the audit question, through the analysis of the evidence and the associated risk, to the conclusion on the problem. The auditor uses the completed audit finding matrices, kept as working papers (explained in chapter 6), to draft the findings. If there is a significant amount of information supporting the audit findings, the auditor may include that information in the appendices.

Recommendations

The report includes, as appropriate, recommendations designed to result in
improvements. While such recommendations may be constructive for the audited
entity, they should not be so detailed that the auditor’s objectivity may be impaired
in future audits. If the auditor makes a specific recommendation and the responsible
party does not implement that but considers another option, the auditor may in
subsequent audits be tempted to judge this as non-compliance. In such instances,
the key is to determine whether recommendations leave room for the entity to use
whatever mechanism it considers suitable in the circumstances to achieve
compliance.

It is a good practice to discuss the recommendations with the entity. The auditor
might assume that suggested recommendation is useful for the entity, but during the
discussion, the entity can clarify the practicality of implementing the
recommendation or explain the difficulties of doing so. Based on the discussion, the
auditor can modify and finalise the recommendations.

Elements specific to an attestation engagement

Addressee

An addressee identifies the party or parties to whom the audit report is directed. The audit report is ordinarily addressed to the responsible party, but in some cases there may be other intended users, such as legislative or oversight bodies, those charged with governance, the public prosecutor or the general public.

Extent and limits of the audit, including the period covered

The report sets out the audit scope as a clear statement of the audit’s focus, extent and limits in terms of the subject matter’s compliance with the criteria. The introduction also includes the period covered by the audit.

Responsibilities of the responsible party and the auditor

Identifying the respective responsibilities informs the intended users that the responsible party is responsible for the underlying subject matter. It also confirms that the measurer or evaluator is responsible for the measurement or evaluation of the underlying subject matter against the applicable criteria, and that the auditor’s role is to independently express an opinion or conclusion about the subject matter information. These responsibilities can be expressed as follows:
Responsibility of the responsible party: According to [the terms of the agreement with
the organisation XYZ dated xx.xx.20XX], management of government agency ABC is
responsible for [preparing complete accounts in compliance with the terms of the
agreement].
Responsibility of the auditor: Our responsibility is to independently express a
conclusion or opinion on [the project accounts] based on our audit. Our work was
conducted in accordance with the [Compliance Audit ISSAIs]. Standards require that
we comply with ethical requirements and plan and perform the audit to obtain
reasonable assurance as to whether [the use of the project funds is in compliance,
in all material respects, with the terms of the funding agreement dated xx.xx.20XX].
An audit involves performing procedures to obtain sufficient and appropriate
evidence to support our conclusion. The procedures performed depend on the
auditor’s professional judgment, including assessing the risk of material non-
compliance, whether due to fraud or error. The audit procedures we performed are
those we believe are appropriate in the circumstances. We believe that the audit
evidence gathered is sufficient and appropriate to provide the basis for our
conclusion.

Report date

The audit report should be dated. The auditor should ensure that the report is not dated before s/he has obtained sufficient and appropriate audit evidence to support the opinion or conclusion.

Signature

The audit report should be signed by someone with appropriate authority to do so, namely the Head of the SAI or someone to whom that authority has been delegated.

Opinion or conclusion in an attestation engagement
In an attestation engagement, the auditor provides assurance by making a clear statement of the level
of assurance, through either standardised opinions or conclusions.
In formulating the opinion, the auditor considers the level of assurance provided. An opinion is a clear
written statement expressed in a standardised format, either unmodified or modified. It is stated in
the audit report whether instances of non-compliance are pervasive.
Unmodified opinion
Where no material instances of non-compliance have been identified, the opinion is unmodified.[89] An
example of the form for an unmodified opinion for a reasonable assurance engagement (where
appropriate wording is inserted in the brackets as applicable) may be as follows:
Unmodified opinion
‘In our opinion, [the audited entity’s subject matter] is in compliance, in all material
respects, with [the applied criteria].’

Modified opinion
The auditor modifies his/her opinion[90] in cases of:
a. Material instances of non-compliance, and for
b. Scope limitation.
a. For the material instances of non-compliance, depending on the extent of the non-compliance, this
may result in:

i. A qualified opinion. If compliance deviations are material but not pervasive, the opinion is:

‘Based on the audit work performed, we found that except for [describe exception], the audited entity’s subject matter is in compliance, in all material respects, with [the applied criteria]…’

ii. An adverse opinion. If compliance deviations are material and pervasive, the opinion is:

‘In our opinion, [the subject matter] is not in compliance, in all material respects, with [the applied criteria] … and compliance deviations are pervasive.’

b. For scope limitation, depending on the extent of the limitation, this may result in:

iii. A qualified opinion. If the auditor is unable to obtain sufficient and appropriate audit evidence, and the possible effects are material but not pervasive, the opinion is:

‘In our opinion, except for [describe exception], the auditor was unable to obtain sufficient and appropriate audit evidence, and the possible effects are material, but not pervasive.’

iv. A disclaimer. If the auditor is unable to obtain sufficient and appropriate audit evidence on compliance with authorities, and the possible effects are material and pervasive, the opinion is:

‘We do not express an opinion on the subject matter. We have not been able to obtain sufficient and appropriate audit evidence to provide a basis for an opinion…’

[89] ISSAI 4000.193
[90] ISSAI 4000.194
Conclusion
Conclusions in the attestation engagement are presented in the same manner as in a direct reporting
engagement. Conclusions expressed in a form appropriate to a reasonable assurance engagement
include the following:
• When expressed in terms of the underlying subject matter and the applicable criteria, ‘In our
opinion, the entity has complied, in all material respects, with criteria’
• When expressed in terms of the subject matter information and the applicable criteria, ‘In our
opinion, the forecast of the entity’s activity is properly prepared, in all material respects,
based on criteria’

Limited assurance engagement

In a limited assurance engagement, the format of an unmodified opinion may be:
‘Based on the work performed described in this report, nothing has come to our attention that
causes us to believe that the subject matter is not in compliance, in all material respects with
the [applied criteria].’
A modified opinion could state that:
‘Based on the work performed described in this report, except for [describe exception] nothing
has come to our attention that causes us to believe that the subject matter is not in compliance,
in all material respects with the [applied criteria].’[91]
In a limited assurance engagement, the auditor gathers sufficient and appropriate evidence to address
the engagement objective; however, the procedures are limited compared with what is necessary for
a reasonable assurance engagement.

[91] ISSAI 4000.195
7.3 Reporting by SAIs with jurisdictional powers

ISSAI 4000.221 states, ‘In the SAIs with jurisdictional powers, the auditor shall consider the role of the
prosecutor or those responsible for dealing with judgment issues within the SAI, and shall also include
as appropriate, the following elements in both direct reporting and attestation engagements:’
Report structure: SAIs with jurisdictional powers
1. Identification of the responsible parties and the audited entity
2. The responsible person(s) involved and their responsibilities
3. Identification of the auditing standards applied in performing the work
4. Responsibilities of the auditor
5. A summary of the work performed
6. Operations and procedures, etc. that are affected by non-compliance acts and possible unlawful acts.
This needs to include, as appropriate:
o A description of the finding and its cause
o The legal act which has been infringed (the audit criteria)
o The consequences of the non-compliance acts and possible unlawful acts
7. The responsible persons and their explanations regarding their non-compliance acts and possible
unlawful acts, when appropriate
8. The auditor’s professional judgment that determines whether there is personal liability for non-
compliance acts
9. The value of the loss, misuse or waste created and the amount to be paid due to personal liability
10. Any measures taken by responsible persons during the audit to repair the loss, misuse or waste created
11. Management’s arguments on the non-compliance or unlawful acts

In audits conducted by SAIs with jurisdictional powers, the users of compliance audit reports include
the prosecutor or those responsible for dealing with judgment issues within the SAI.
SAIs with jurisdictional powers may determine personal liability for acts of non-compliance. Usually
these are the proposals and final decisions – on personal liability and sanctions – taken in a
jurisdictional process. Personal liability can be measured by the extent of the participation of the
person in a non-compliant (illegal, unnecessary, excessive, extravagant, unconscionable) transaction
as indicated in the transactions documents that s/he signed.
In the report, the auditor needs to explain the methods used to determine whether each responsible
person involved in administering, managing, using or controlling public funds or assets is liable for the
acts of non-compliance or not.

7.4 Reporting suspected fraud and unlawful acts

ISSAI 4000.225 states, ‘In conducting compliance audits, if the auditor comes across instances of non-
compliance which may be indicative of unlawful acts or fraud, s/he shall exercise due professional care
and caution and communicate those instances to the responsible body. The auditor shall exercise due
care not to interfere with potential future legal proceedings or investigations.’

Reporting suspected unlawful acts

While detecting potential unlawful acts, including fraud, is not the main objective of conducting a
compliance audit, auditors do include fraud risk factors in their risk assessments. Auditors remain alert
to indications of unlawful acts, including fraud, in carrying out their work.
Auditors may consider consulting with legal counsel or appropriate regulatory authorities.
Furthermore, they may communicate their suspicions to the appropriate levels of management or

those charged with governance, and then follow up to ascertain that appropriate action has been
taken. Because of the different mandates and organisational structures that exist internationally, it is
up to the SAI to determine the appropriate action to be taken regarding instances of non-compliance
related to fraud or serious irregularities.
A court of law can determine whether a particular transaction is illegal and constitutes a criminal offence. SAIs with jurisdictional powers may also conclude that a specific transaction is illegal; such an SAI may then be justified in imposing sanctions on the responsible person and in determining the reimbursement of funds, misappropriated assets and undue or improper payments.
Although auditors do not determine whether an illegal act constitutes a criminal offence or civil
liability has occurred, they do have a responsibility to assess whether the transactions concerned
comply with applicable laws and regulations and whether they constitute infringements that will lead
the court to impose sanctions or reimbursement of undue or improper payments or misappropriated
assets.
Fraudulent acts are, by their nature, not in compliance with relevant regulations. The auditor may also determine that transactions where fraud is suspected, but not yet proven, are not in compliance with authorities. Fraud typically results in a qualification of the compliance opinion in the auditor’s report.

SAIs with jurisdictional powers

If suspicion of unlawful acts arises during the audit, the auditor may communicate this to the
appropriate levels of management and those charged with governance. Those charged with
governance are likely to be administrative bodies higher up in the reporting hierarchy. Where
appropriate and reasonable, the auditor may follow up and ascertain that management or those
charged with governance have taken appropriate action in response to the suspicion, for example by
reporting the incident to the relevant law enforcement authorities. The auditor may also report such
incidents directly to the relevant law enforcement authorities.

7.5 Ensuring the quality of the audit report

Ensuring the quality of the audit report by considering the principles of reporting is essential for the
auditor. All findings and conclusions must be supported by adequate, reliable audit evidence in the
audit working papers. Reported audit issues need to be adequately analysed and concluded on.
Viewpoints expressed by the auditee during the audit on significant matters raised by the auditors should be mentioned and discussed in the report. The auditor should acknowledge material
conflicting evidence along with an explanation of why it was rejected or otherwise not reflected in the
report conclusions. The standards of materiality and significance will depend on the nature of the
audit and the type of report or other output.
The draft report prepared by the team should be carefully reviewed for adequacy by the team leader
or supervisor and by an experienced auditor who is independent of the audit team. The team should
respond appropriately to any comments by this reviewer. This review, any comments by the reviewer
and actions taken in response should be documented and retained in the audit working papers.
After the draft report is reviewed internally, it should be provided to the auditee, for review and
comment within a specified timeframe. Comments received from an auditee should be carefully
considered by the auditor. Factual disagreements should be resolved, possibly necessitating additional
audit work. The audit report should be adjusted, if appropriate, in response to the auditee comments.
The reviewer can use the checklist provided in Appendix 7-A to quality review the audit report.

7.6 Communicating the report to the stakeholders

It is a good practice for the SAI to develop a communication strategy or policy to provide guidance on
how to engage with the audited entity and relevant stakeholders during the reporting process.
Communication with key stakeholders is explained below.

The audited entity

The communication process between the auditor and the audited entity begins at the planning stage of the audit and continues throughout the audit process. The SAI must always provide the audited entities with an opportunity to comment on the audit findings, conclusions and recommendations. After issuing the draft report, the
SAI should ask the entity management to provide, within a specified time frame,
comments on agreement or disagreement with the validity and completeness of the
draft report’s content.
The audit team may meet with entity officials to discuss the entity’s comments, to gain a full understanding of them and to obtain any additional significant information related to them. Where the auditor and the entity disagree, efforts must be made to resolve the contradictory views so that the final picture is as true and fair as possible. Such meetings are usually limited in number and should be scheduled within a period that meets the SAI’s report production schedule.

Legislative body

Communication with the legislative body, e.g. the Parliament, is equally important because it is the Parliament that will use the SAI’s reports to improve government management and accountability. If reports are ignored or messages are misunderstood, audit resources could be wasted and the SAI’s credibility could be called into question.
SAIs assist the legislative bodies such as the Public Accounts Committee (PAC) by
debriefing the Parliament members and providing relevant information regarding
reported audit findings. In addition to prior communication, it is vital that SAI
representative(s) attend the PAC hearings where audit reports are discussed.

The media

When the report is tabled in Parliament, it becomes a public document. The report and accompanying news releases are made available to the media. The SAI should ensure that the information provided to the media is timely, accurate and clear. In providing the information, the SAI should be responsive, helpful and informative, without compromising its independence or political neutrality or offending parliamentary privilege. Communication with the media is facilitated by:
• Responding to media inquiries;
• Developing news releases in conjunction with audit teams;
• Organising and managing media events such as news conferences and
interviews;
• Assisting staff in developing questions and answers in media lines;
• Providing staff with media training;
• Monitoring news and public discussions about the SAI;
• Informing senior management about emerging issues in the media; and
• Conducting media analyses to assist in improving message development.

Citizens and other stakeholders

Citizens are a source of ideas for public sector auditing, a source of demand for auditing and users of the audit reports. They may be contacted directly or through non-government organisations that represent them. Depending on the circumstances in the SAI’s country, this communication could include a mix of television interviews, articles, leaflets and the SAI’s website.

Other relevant stakeholders are representatives of the academic community. They have expert knowledge in specific audit areas and may provide a more objective view, less restricted by personal interest. Non-government organisations can be a useful

source of ideas. They may have conducted their research through surveys and case
studies and may have a range of relevant contacts. Civil society can be motivated to
put pressure on the legislature to act, particularly if the SAI is providing information
on a topic that is of their interest.

7.7 Audit follow-up

At some time after an audit report is issued, an SAI should take appropriate steps to determine what
action, if any, an auditee has taken to correct problems disclosed in the audit report and what effect
such action(s) may have had. ISSAI 4000.232 states, ‘The auditor shall decide follow up on
opinions/conclusions/recommendations of instances of non-compliance in the audit report when
appropriate.’
It should be noted that the follow-up process may not be applicable in all cases and all SAIs. The SAI’s
mandate, along with the nature of the audit, will determine if a follow-up is relevant. For example, if
the SAI has the mandate to conduct a compliance audit of the state-owned enterprises or the public
sector undertakings, the SAI may perform follow-up audits of these entities.
Why follow up
The SAI has a role in monitoring actions taken by the responsible party in response to matters raised
in an audit report. The need to follow up on the previously reported instances of non-compliance
would vary with the nature of the subject matter, the non-compliance identified and the audit’s
particular circumstances. The follow-up process facilitates the effective implementation of corrective
actions. It provides useful feedback to the audited entity, the report users and the auditors in planning
future audits. Follow-up serves different purposes for the three parties:

For the responsible party

Follow-up demonstrates the audited entity’s effectiveness in addressing the issues, and encourages an appropriate response to audit findings on the part of the auditee or other responsible entities. If an auditee has acted to overcome problems found during an audit, it is appropriate for the SAI to recognise that fact. If, on the other hand, the auditee has not acted in response to the audit, it is equally appropriate for the SAI to disclose that the problem(s) persist.

For the intended user

Follow-up provides an update on what has been achieved by the responsible party and on the gaps that remain, if any.

For the auditor

Follow-up allows the SAI to assess the effectiveness of its audit. It also lays the foundation for future audit work. If previously disclosed problems are believed to have been resolved, subsequent audit work in that area may require only minimal testing to confirm that the problem no longer persists. If the problem has not been overcome, further audit work may be warranted to establish its nature and significance and to evoke a more appropriate response from the auditee.

What to follow up
Follow-up focuses on whether the audited entity has adequately addressed the matters raised, in a
specific audit report.
The auditors generally follow up on the:
• Recommendations in the audit report
• Issues raised by intended users; for example, the legislature, Public Accounts Committee
or the public
It is important to note that the auditor may expand the scope to include other relevant aspects outside
of its recommendations. The key here is to determine whether the entity has complied with all the
necessary directives.

When to follow up
The decision as to when to follow up is based on several factors. If the audit was a one-off attestation engagement, follow-up may not be necessary. However, if the auditors found significant deviations with implications for citizens, the results should be followed up even if the engagement was a one-off. If the engagement is a direct reporting engagement conducted at regular intervals, follow-up may be necessary.
The auditor should allow the responsible party sufficient time to implement the recommendations
and yet still ensure that the follow-up is relevant to the intended users. The auditor would exercise
professional judgment in this regard. Some SAIs may, depending on the frequency of an audit
engagement, conduct follow-up procedures while performing current audits.
How to follow up
SAIs may have established policies and procedures for conducting follow-up. The auditor may prepare
an audit plan identifying the resources to be used, the recommendations and audit findings to be
examined and the timeframe in which to complete the follow-up.
Some audit procedures used during the initial audit engagement may be applicable during the follow-up. The auditor should assess the adequacy of these procedures. Other follow-up procedures may draw on internal reviews and evaluations prepared by the audited entity or others.
Regardless of the form, the auditor should obtain sufficient and appropriate audit evidence to support
the findings and conclusions. The follow-up report could follow the same reporting lines as the audit
engagement, including submission to relevant intended users.
The SAI may decide, based on the results of the follow-up, to continue monitoring the audited entity’s
implementation measures or it may take the decision to undertake an entirely new audit engagement.
In audits carried out regularly, the follow-up procedures may form part of the subsequent year’s risk
assessment.

PART D Documentation of Compliance Audit

Chapter 8: Audit documentation

8.1 ISSAI requirements for documentation
8.2 Purpose of documentation
8.3 Elements of documentation
8.4 Components of working papers
8.5 Organisation of the working paper documentation
8.6 Document retention
8.7 Confidentiality and transparency issues
This chapter explains the documentation and working papers of a compliance audit as required by the
ISSAIs and the relevant good practices. Proper documentation throughout an audit – from the
planning to the reporting stages – forms the basis of a high-quality audit, which will have the desired
credibility among the users.

In the audit process, auditors gather evidence and organise it in folders, either in paper or in electronic form. However, an auditor often asks, ‘Exactly what do I have to document?’ The ISSAIs answer this question by identifying the working papers required. Part C of this Handbook identifies the documentation and quality control measures needed in the different phases of the audit, with suggested working paper templates. This chapter further describes how the auditor can arrange for adequate documentation to ensure the audit’s overall quality.

The ISSAIs give direction on the content of audit documentation but leave its form to the professional judgment of the auditors and the SAI. The auditors therefore often need to be innovative in the documentation to support their audit conclusions.
This chapter elaborates on the purpose and elements of documentation and the components of the
working papers.

8.1 ISSAI requirements for documentation

ISSAI 4000.89 states, ‘The auditor shall prepare audit documentation that is sufficiently detailed to
provide a clear understanding of the work performed, evidence obtained and conclusions reached.
The auditor shall prepare the audit documentation in a timely manner, keep it up to date throughout
the audit, and complete the documentation of the evidence supporting the audit findings before the
audit report is issued.’

Audit documentation includes, as appropriate (ISSAI 4000.90):
• An explanation of the subject matter of the audit.
• A risk assessment, audit strategy and plan, and related documents.
• The methods applied and the scope and time period covered by the audit.
• The nature, the time and extent of the audit procedures performed.
• The results of the audit procedures performed, and the audit evidence obtained.
• Evaluation of the evidence forming findings, conclusions and recommendations.
• Judgments made in the audit process, and the reasoning behind them.
• Communication with and feedback from the audited entity.
• Supervisory reviews and other quality control safeguards undertaken.

Documentation needs to be sufficient to demonstrate how the auditor defined the audit objective,
subject matter, criteria and scope, as well as the reasons why a specific method of analysis was chosen.
For this purpose, documentation needs to be organised to provide a clear and direct link between the
findings and the evidence that support them (ISSAI 4000.91).

Specifically related to the audit planning stage, the documentation kept by the auditor needs to
contain (ISSAI 4000.92):
a. The information required to understand the entity being audited and its
environment, which enable the assessment of the risk.

b. The evaluation of the materiality of the subject matter.
c. The identification of possible sources of evidence.
The auditor needs to adopt appropriate procedures to maintain the confidentiality and safe custody
of the audit documentation. The auditor retains it for a period sufficient to meet the needs of the
legal, regulatory, administrative and professional requirements of record retention and to enable the
conduct of audit follow-up activities (ISSAI 4000.93).
Documenting the critical decisions made is essential to demonstrate the independence and
impartiality of auditors in their analysis. ‘The existence of sensitive issues demands the documentation
of the relevant facts considered by the auditor in choosing a particular course of action or in taking a
certain decision. In this way, the actions and decisions are explained and transparent’ (ISSAI 4000.94).
‘In the context of SAIs with jurisdictional powers, documentation needed to provide proposals of
personal liability is outside the scope of this professional standard’ (ISSAI 4000.95).

According to the standards, the essential aspects of documentation and working papers are:

• Purpose of documentation
• Elements of documentation
• Organisation of documentation
• Documentation at audit stages
• Maintaining confidentiality

These aspects are described below.

8.2 Purpose of documentation

ISSAI 4000.90 states that the purpose of documentation is to:

• Enhance the transparency of the work performed.
• Enable an experienced auditor with no previous connection to the audit to understand
matters arising from the audit.

Documentation makes significant audit tasks more manageable and helps the audit supervisor and the
reviewer to provide their review comments. The process of preparing and reviewing audit documentation
contributes to the quality of an audit. Audit documentation serves to:
• Provide support for the auditors’ report.
• Assist the auditors in conducting and supervising the audit.
• Assist the quality reviewer in the review of audit quality.

Quality review of the audit


The audit team, team supervisors, managers, audit quality reviewers and peer reviewers are the
primary users of the audit working papers. Looking at it from a user’s point of view, the auditor needs
to think about what the reviewers would want to see and what requirements they would want the
audit team to comply with. For a compliance audit, the benchmark is the requirements of ISSAI 4000.
The ISSAIs require the auditors to maintain audit documentation in such a manner that an experienced
auditor will be able to follow and understand. A qualified auditor is an individual (whether internal or
external to the SAI) who possesses the competencies and skills that would have enabled him/her to
conduct the audit. These competencies and skills include an understanding of:

• The audit process
• Standards and legal requirements
• The subject matter
• Audited entity environment

Auditors need to do documentation adequately at every stage of the audit process. Proper
documentation helps reviewers to understand what was done, how it was done and why it was done.
Generally, the SAI prepares a standardised set of working papers (as part of audit documentation) and
ascertains what makes them compliant and satisfactory to the supervisor or reviewer. Setting clear
expectations regarding documentation and communicating that to its staff will significantly facilitate
the quality review process for both auditors and reviewers.

8.3 Elements of documentation

The auditor’s documentation of evidence regarding identified or suspected non-compliance with
authorities may include, for example, copies of records or documents, and minutes of discussions held
with management, those charged with governance or other parties inside or outside the entity.
Auditors are required to document the audit procedures performed, evidence obtained and
conclusions reached concerning compliance audit criteria used in the audit. Auditors will develop and
maintain documents that will clearly show that the work was performed.
In determining the nature and extent of the documentation for a compliance audit, auditors may
consider the:
• Nature of the auditing procedures performed
• Risks of material non-compliance and auditors’ response to the assessed risks
• Extent to which professional judgment was applied (in making decisions)
• Materiality of the evidence obtained against criteria

As mentioned above, documentation should be sufficiently detailed to enable an experienced auditor,
with no prior knowledge of the audit, to understand the:

• Relationship between the subject matter, criteria and audit scope
• Risk assessment
• Audit strategy and audit plan
• Nature, timing, extent and results of the procedures performed
• Evidence obtained in support of the auditor’s conclusion or opinion
• Reasoning behind the matters where the auditor exercised professional judgment
• Related conclusions

8.4 Components of working papers

Based on the standards and best practices, the following are some common components of working
papers that most audit documentation follows:

The working paper has:
• Name of audit, title, auditor’s initials
• Date completed, page number and reference
• Source, purpose, procedures, results and conclusions
• Two-way cross-references

The working paper is:
• Neat and legible
• Referenced to the audit programme
• Understandable without further explanation

In the working papers:
• Calculations are verified
• Source documents are included as necessary
• If a document was produced by the entity, it is written on the working paper
• A review has been indicated and all points were cleared

Source, purpose, procedures, results and conclusions in the working paper

The source, purpose, procedures, results and conclusions should be included on the first page of each
unique working paper. Each element should answer the following:

Source
• Where did the auditor get the evidence on the working paper?
• Who gave it to the auditor?
• Which evidence did the auditor look at?
• Where is the evidence and how can the auditor get to it again?

Purpose
• What question does this working paper seek to answer?
• Why was this working paper created, and why was this work done?
• What step does it satisfy?

Procedures
• What did the auditor do on this working paper?
• What procedure did the auditor use?
• What were the detailed steps and procedures the auditor performed?

Results
• What did the procedures yield?
• What were the results of applying the procedure?

Conclusion
• What is the answer to the questions posed in the purpose?
• Was the step satisfied?
• What did the auditor do with any issues found?
• Did the auditor take the issues to a finding?

This information is helpful to an audit supervisor or reviewer, as, without these elements, the
supervisor or the reviewer has to make assumptions while reviewing the working papers. The auditor
needs to make it easier for the reviewer to reach the conclusions and guide them to follow the process
smoothly.
The linkage among the elements is also essential. When the linkage is appropriately established, the
purpose and conclusions match, and the procedures and results also match. This demonstrates clarity
of thought and supports logical conclusions made by the auditor. In most cases, the audit findings
matrices (explained in chapter 7) cover these elements in a compliance audit.
8.5 Organisation of the working paper documentation

According to the ISSAIs, documentation needs to be organised in a way that provides a clear and direct
link between findings and evidence that supports them. It is the auditor who determines how to do it,
following existing systems or practices in the SAI. The auditor may have prepared numerous working
papers supporting the audit, but for the reviewer or supervisor to understand and analyse, the auditor
needs to explain and systematically organise them. Using a summary memo may facilitate this process.
Summary memo
The summary memo can also be called a lead sheet, a conclusions form or a top memo, based on the
SAI practice and norms. The memo summarises a group of working papers. Note that the SAI might
also have components in the summary memo that differ from those described here.
The summary memos will assist the supervisor or the reviewer in completing the review process
efficiently and effectively. Besides that, preparing these memos requires the auditors to articulate
their judgments clearly and to document the decisions made while performing the audit, which makes
it easier to recognise the logical connection among the working papers.
In the hierarchy of working papers, a summary memo usually comes third, even though it may be
written last. The hierarchy is as follows:

Audit objective

Audit programme based on the plan

Summary memo

Detailed working papers

Example: Summary memo

Audit objective: In an audit of a purchasing department, after gathering the information and assessing
the risks, the auditor decides that the objective is to determine whether the purchasing department
complies with required purchasing policies.

Sub-objectives: Under the objective, there are three sub-objectives to determine:
• Are purchases of equipment exceeding $9000 conducted in accordance with policy?
• Are purchasing procedures established by the entity in accordance with policy?
• Are professional contracts awarded in accordance with policy?

Working papers: The auditor will prepare a set of working papers to support each sub-objective and
will use letters to designate the groups of working papers, like:
1. Working paper set A answers sub-objective 1: whether purchases of equipment exceeding $9000
were conducted in accordance with policy.
2. Working paper set B answers sub-objective 2: whether purchasing procedures are written in
accordance with policy.
3. Working paper set C answers sub-objective 3: whether professional contracts are in accordance
with policy.
The summary memo for sub-objective 1 summarises what working paper series A accomplished and how
the auditor answered the audit objective, with all the related evidence. Then A1, A2, A3, etc. explain
the performance and results of each audit procedure.

The summary memo is a kind of narrative version of the audit programme and in the hierarchy might
fall above or beneath the programme. The working paper hierarchy might look like this:

Summary memo
  Audit programme
    A1
      A1-1
      A1-2
      A1-3
    A2
    A3
      A3-1
      A3-2
      A3-3
    A4
      A4-1
        A4-1-1
        A4-1-2
      A4-2

There can be a ‘meta’ or master summary memo that summarises working paper series A, B and C and
speaks to the overarching audit objective: ‘Does the purchasing department comply with significant
policies?’ The auditor can prepare a summary memo for each audit procedure. The working paper
series A-4 above contains plenty of working papers and may warrant a summary to help the reviewer
sort through the group and discern what the auditor did.

The summary memo includes the components of the working paper – source, purpose, procedure,
results and conclusion – with a narrative description of these five components in every working paper.
Below is an example of a summary memo for series A.

Example: Working paper format

Source: Interviews, observations and testing described in working paper series A
Purpose: To answer the sub-objective ‘Are purchases of equipment exceeding $9000 conducted in
accordance with state law?’
Procedure: We satisfied programme steps in the area decided, which called on us to:
• Reiterate step 1
• Reiterate step 2
• Reiterate step 3
Results: We noted several significant items of non-compliance:
• Summarise results of step 1
• Summarise results of step 2
• Summarise results of step 3
Conclusion: The purchasing department did not comply with purchasing policy section XX regarding
purchases of equipment exceeding $9000. In particular, the department allowed the same person to
initiate, approve and receive equipment purchases over $9000. This issue has been developed into a
finding for the report.

The summary memo can be:

A source of an initial draft of the report
• Instead of referring to a finding in a working paper outside of the summary memo, the
auditor can include it in the summary memo, or
• The auditor can formalise the section where the objective and conclusion are discussed and
later add it to the report.

Detailed or summarised
• A summary memo can be a restatement of each supporting working paper under it, plus an
overarching conclusion that sums up the whole set, or
• It can be an overarching conclusion that sums up the whole set. A good way to determine
how much detail the summary memo should contain is to refer to the practices set at the
SAI.

Include working paper contents and document the following:
• Objective, scope and methodology
• Nature, timing and extent of procedures
• Audit evidence obtained and its source and the conclusions reached
• Support for significant judgments, findings, conclusions and recommendations
• Evidence of supervisory review

Although the standards do not require maintaining a summary memo, it may be considered a good
practice for the auditor that will facilitate the work of the reviewer. Auditors could consider using the
audit findings matrices to cover part of the documentation requirements in the detailed and supporting
working papers.

8.6 Document retention

Some SAIs may have policies and procedures consistent with their laws and auditing standards to
maintain documentation of their work. Documentation retention policies ensure that relevant records
are available for use for a certain number of years after an audit. These policies and procedures usually
describe:

• Documents covered in their scope
• Form in which the documents would be kept or archived
• Period for which the documents would be retained
• How these documents can be accessed when needed

The auditor should check whether the SAI has policies and procedures for document retention and if
they are adequate or not. In the case of inadequacies, the SAI may consider strengthening its policies
and procedures with sufficient requirements for the retention of audit documentation.
These requirements may be due to the historical significance of certain types of documents which, for
example, may require indefinite retention in the country’s national archives. There may also be
additional requirements related to national security classifications, including how documentation is
stored. Auditors should familiarise themselves with applicable legislation regarding the retention of
documentation.

8.7 Confidentiality and transparency issues

SAIs need to ensure that auditors comply with the ethical requirements to maintain the confidentiality
of information gathered during the audit and held in the audit documentation. The auditor should
maintain such confidentiality unless the entity expressly authorises disclosure of such information or
there is a legal or professional duty to do so. There is an ongoing need in the public sector to balance confidentiality
with the need for transparency and accountability. The balance between confidentiality and
transparency requires professional judgment to ensure that documentation of a confidential nature
is identified and treated as such, while at the same time granting access as appropriate. It is therefore
vital for the auditor to become familiar with the SAI’s policies and procedures addressing
confidentiality. SAI procedures might include the types of audit documentation to be considered
confidential and the types of audit documentation to be made available to the public.

SAIs should clearly define lines of responsibility for authorising disclosure of audit documentation and
routines for making such information available if required. Furthermore, auditors may have additional
statutory duties related to confidentiality. These responsibilities may be based on the SAI’s mandate
or legislation related to official secrets or privacy. Such legislation, for example, could relate to audits
of defence, health, social services or tax agencies.

Auditors familiarise themselves with the particular local requirements related to confidentiality by
which they are bound. Auditors also familiarise themselves with any legislation that grants public
access to audit correspondence. This type of communication may include letters to and from the
audited entity or other parties, related to the gathering of audit evidence, as well as considerations
and judgments related to audit issues. In the public sector, entities might be required by law to respond
to requests received from outside parties for access to the audit documentation. Such third-party
requests can be especially sensitive when the requester tries to obtain information indirectly from the
SAI after being unable to get it directly from the audited entity.

As a matter of principle, when the audited entity has a statutory obligation to gather and retain certain
information, requests from outside parties for such information are generally referred to the audited
entity. In situations where auditors consider granting access to audit documentation, they usually
consult with relevant parties (such as the audited entity to whom the request relates) before disclosing
the information.

In some environments, the SAI contracts out some of its auditing responsibilities to private-sector
auditors. The acceptance of such appointments typically requires the contracted auditor performing
the work to acknowledge that the audit documentation may be subject to inspection by the SAI. The
audit documentation may also be subject to investigation by the agencies that have statutory rights
of access to information relevant to the auditor’s duties.

Exhibits and appendices

NOTE: This section includes the working paper templates, as exhibits, and appendices as referenced
in the respective chapters of the Handbook. The templates are designed to facilitate the application
of the compliance audit ISSAI requirements in practice. Please note that the working paper templates
are suggestive, not prescriptive, for appropriate audit documentation. SAIs may need to modify the
working paper templates and make them consistent with the SAI’s mandate and audit practice, and
align them with their current working papers.
Exhibits for Chapter 4: The SAI’s annual work plan for coverage of compliance audit

Exhibit 4.1: Documenting a potential audit task
Exhibit 4.2: Establishing the annual or multi-annual work plan
Appendix 4-A: Categorisation of entities based on risk value
Appendix 4-B: Differing tasks of the auditor in different types of compliance audit

Exhibit 4.1: Documenting a potential audit task
ISSAI requirement: ISSAI 4000.64

Audit task assessed by: Name: / Designation: / Date: / Signature:
Reviewed and approved by: Name: / Designation: / Date: / Signature:

Potential Audit Tasks
Organisation unit:
Title of task:
Reference:
Link to SAI strategic priority:

I – Audit field/area
Main activities:
Legal framework:
Financial and other information:
Roles and responsibilities:

II – Reasons for the audit
Risks:
Public and stakeholder interest:
Potential added value (including impact, timeliness and coverage):
Relevance:
Materiality:
Previous audits:
Timeliness:

III – Audit organisation
Audit question (main question and possible sub-questions) or what could be assessed by the audit:
Audit criteria (or sources for criteria):
Main sources of audit evidence:
Audited bodies:

IV – Remarks
Feasibility (possible difficulties in the audit/auditability issues):
Estimated audit resources:
Use of existing audit findings: Yes / No

V – Team members

Process guide to complete the audit task documentation template

The objective of the template: To document the process of identification of potential audit tasks. There
can be different audit tasks identified by different teams in the SAI. This process needs to be repeated
for each audit task identified to enable management to agree on a list of audit tasks. The supervisor
or management will address the defined tasks in the SAI-level overall planning for a compliance audit.

ISSAI requirement: ISSAI 4000.64

Guide: Consider the explanation provided in section 4.2 of chapter 4 along with this process guide. On
the top row, write the linkage with the SAI strategic priorities. This may come from the SAI strategic
plan where it has identified the key priority areas on which the SAI will focus during its strategic
planning period. If there is no apparent link with the strategic plan, but the team feels that the topic
needs to be considered, write the reason for it.
Row I Refers to main activities of the audit field or area; legal, financial
and other relevant information; and who is responsible for the
area. This will give an overview of the area to be considered.
Row II The critical risks perceived at this point from the field. Also, from
public and stakeholder interest, or from any potential added value
including impact, timeliness and coverage. Materiality by nature is
covered at this stage of SAI-level planning as well.
Row III Refers to how the audit would be organised. At this point, it is not
required to be precise, the tentative audit questions could be
assessed, along with possible audit criteria, potential sources of
audit evidence and the entities under the audit.
Row IV The conceivable difficulties in the audit. Auditability, audit
resources and possible use of existing audit findings. This will assist
management in deciding whether it should be included in the plan.
Row V Include the details of the team members who proposed the tasks for
audit.

Review: A person senior to the auditor may review the proposal keeping in mind SAI context with
pragmatism. This could be documented in the template. It will be based on the SAI structure and the
form of the audit teams. The reviewer signs off the proposal and sends it to the management or the
supervisor.

Conclusion: The audit supervisor and management are to conclude whether the task proposed has the
potential for audit. This process will assist management in aligning the strategic priorities set by the
strategic plan and in achieving the planned goals.

Exhibit 4.2: Establishing the annual or multi-annual work plan
ISSAI requirement: ISSAI 4000.64

Plan prepared by: Name: / Designation: / Date: / Signature:
Reviewed and approved by: Name: / Designation: / Date: / Signature:
Assessed by:

Annual Plan Period: (………..)

Planned Tasks and Resources
Columns, for each task:
• Description
• Total person weeks for the entire task period
• Total person weeks for the planning period
• Costs (travel, experts, etc.)
• Planned start date
• Planned end date
• Comments

Rows:
• Non-audit tasks: Example: Annual planning; Task 1; Task 2 etc.; Non-audit tasks total
• Mandatory audit tasks: Task 1; Task 2 etc.; Mandatory tasks total
• Selected audit tasks: Task 1; Task 2 etc.; Selected tasks total
• Support functions: Example: Legal services; IT services, etc.; Support total
• Total resources

Conclusion
Annual and multi-annual audit tasks and corresponding resources have been prepared considering
the above.

(Signature) Name: Date:
(Signature) Reviewer: Date:

Process guide to complete the annual or multi-annual work plan

The objective of the template: The objective is to prepare a work plan that includes all the SAI’s tasks
and to guide how the SAI can identify resources for the selected audit tasks in compliance audits.

ISSAI requirement: ISSAI 4000.64

Guide: The audit plan period is mentioned at the top. Planned tasks are covered in the rows and
resources required are in the columns. Rows are explained below. Resource columns include person
weeks, cost and timeline. These are covered along with the tasks in the rows below:

Row 1 Write all non-audit tasks that the SAI conducts. These can be the
SAI’s annual plan, administrative work, training, other consultation
work, specific tasks allocated by the stakeholders unrelated to audit,
etc. For each non-audit task, complete the respective row
considering the resources columns, e.g., person weeks required,
costs and timeline. Once all tasks are recorded with resources, add
the columns in the ‘total’ row for all non-audit jobs.
Row 2 Similarly, write all mandatory audit tasks the SAI is required to
conduct under its legal mandate each year. These could include
financial audit, performance audit, compliance audit and other audit
requirements mandated by the legislation. Complete the resources
column for each task and calculate the total resources of all
mandatory assignments.
Row 3 The selected audit task row should be filled in a similar manner. For
each task chosen, complete the columns with person weeks, costs
and timelines. Calculate the total resources required for the selected
tasks.
Row 4 Complete the resources required for all support functions of the SAI.
These include IT, legal, advisory, external training, etc. Add the rows
for each service to get the full picture of resources required to
provide support functions.
Row 5 Determine the total resources required by the SAI to conduct all
activities or tasks. From here, it would be evident what resources the
SAI has and what it would need to complete the mandatory, non-
audit tasks and support functions. Deduct all these from the total
resources, and the remaining resources can be allocated to the
selected audit tasks.

Overall conclusion by the audit team member: Based on the information gathered in the table, and the
analysis of the resources, the resources available for the selected tasks are determined and submitted
for approval.

Review by supervisor: The supervisor reviews and sends it to SAI management for consideration in
future audit assignments for the teams.

Appendix 4-A: Categorisation of entities based on risk value [92]
Audited entities are classified as apex auditable entity, audit unit and implementing units. Audit units are based
on delegation of powers, functional autonomy and operational significance. Audited entities are categorised as
high-, medium- and low-risk entities based traditionally on the budget and expenditure levels. The government
database on the expenditure of the entities facilitates the application of the risk analysis framework.

Assessment of inherent risk: Expenditure is categorised in the accounts of all entities under 70 different primary
heads of expenditure by all audited entities. These 70 primary heads of expenditure in accounts are regrouped
under the following seven broad classes of expenditure:
I. Personnel services and benefits
II. Administrative expenses
III. Contractual services and supplies
IV. Grants
V. Other expenditure
VI. Acquisition of capital assets and capital expenditures
VII. Accounting adjustments

Expenditure of each audited entity is identified and assessed against seven inherent risk parameters on a 1–5 scale.

Inherent risk factors, each scored 1–5:
1. Estimation: Transactions and decisions involving estimation have a higher inherent risk.
2. Discretion: Transactions involving discretionary powers have an inherent risk of misuse of such powers.
3. Complexity in the transaction: Transactions like capital acquisitions and project execution involve
complexity and, therefore, have a higher level of inherent risk.
4. Transfer of funds: Some entities only transfer funds to implementing agencies and do not implement
projects or programmes and have low risk.
5. Involvement of private agencies: Private agencies engaged in programme delivery may have interests
which lead to higher inherent risk.
6. Human resources: Adequate due diligence may suffer in entities having an acute workforce shortage,
leading to higher inherent risk.
7. Direct public dealing: Entities having direct public dealings have relatively higher inherent risk on
account of external influence, etc.
The inherent risk for primary expenditure: risk score out of 35.
Based on the inherent risk score of each class of primary head of expenditure under the entity, the entity’s total
inherent risk value is calculated by aggregating the inherent risk value of all the classes of primary expenditure
of that entity and multiplying the same by actual expenditure.
Class of Name of the class of the primary head Inherent Actual Risk-weighted
expenditure of expenditure risk score expenditure expenditure
I Personnel services and benefits R1 E1 R1*E1
II Administrative expenses R2 E2 R2*E2
III Contractual services and supplies R3 E3 R3*E3
IV Grants R4 E4 R4*E4
V Other expenditure R5 E5 R5*E5
VI Acquisition of capital assets R6 E6 R6*E6
VII Accounting adjustments R7 E7 R7*E7
Inherent risk value = Grand total

Assessment of control risk: Entities having a weak control environment will have higher control risk. The control
risk is assessed through four parameters:
• Expenditure and related controls
• Technology-related controls
• Internal and external audit outputs
• Other factors
Each parameter has sub-parameters, each scored on a 1–5 scale, giving a total maximum score of 100.

[92] Based on the presentation by SAI India at the XV Compliance Audit Subcommittee meeting, 9–10 October 2018, Luxembourg
Control risk factors and sub-parameters (each scored 1–5):

Expenditure and related controls
• Budget procedure and control
• Increase in expenditure
• Reported cases of fraud, etc.
• Idling of funds / pending utilisation certificates

Technology-related controls
• Direct transfer of benefits to beneficiaries
• Linking of beneficiaries to a unique ID
• Use of e-tendering in procurement
• Online monitoring of the programme
• Online delivery of services
• Public financial management system
• Use of remote sensing/Geographic Information System
• IT controls assessment based on IT audit

Internal/external audit
• Internal audit and inspection
• Quality of record maintenance
• Audit observations
• Assessment from performance audit reports and evaluations

Other factors
• Assessment based on data analytics
• Quality control mechanism
• Human resources shortage
• Media reports

Control risk = Total control risk score / 100

Risk value and categorisation of entities

After computation of inherent and control risks, the risk score of the audited entity can be determined as:

The risk score of the entity = (Total inherent risk score of the entity in monetary value) × (Control risk
score of the entity)

Categorisation (ceiling risk in US$):
1. High risk: 3.5 million
2. Medium risk: 70 000 to 3.5 million
3. Low risk: Below 70 000

Risk categorisation of the audited entity
Audited entities are categorised as high, medium and low risk based on the risk score. Periodicity of
audit and composition of audit team are decided based on the level of risk categorisation.
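A worked version of the scoring model in this appendix, added here as an example and not part of the handbook or of SAI India's own tooling: it sums the seven inherent risk factors for each class of expenditure, weights each class by actual expenditure, scales the total by the control risk score out of 100 and categorises the entity. The entity figures are constructed, and treating a score that exactly equals a threshold as the higher category is an assumption the appendix does not state.

```python
"""Risk scoring of audited entities following the model in Appendix 4-A.
Added worked example, not part of the handbook or SAI India's tooling;
all expenditures and scores below are constructed."""
from dataclasses import dataclass
from typing import Dict, Sequence

# Seven inherent risk factors, each scored 1-5 (maximum 35 per expenditure class).
INHERENT_FACTORS = (
    "estimation", "discretion", "complexity_in_the_transaction", "transfer_of_funds",
    "involvement_of_private_agencies", "human_resources", "direct_public_dealing",
)
# Seven broad classes of expenditure, I to VII.
EXPENDITURE_CLASSES = ("I", "II", "III", "IV", "V", "VI", "VII")
# Four control risk parameters with 20 sub-parameters in total, each scored 1-5,
# so the control risk total is out of 100.
CONTROL_SUBPARAMETERS = 20
# Categorisation thresholds in US$ from the appendix. Treating a score that equals
# a threshold as the higher category is an assumption (boundary not stated).
HIGH_RISK_THRESHOLD = 3_500_000
MEDIUM_RISK_THRESHOLD = 70_000

def _check_score(score: int) -> int:
    """Reject anything outside the 1-5 scale before it is summed."""
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 5:
        raise ValueError(f"risk score must be an integer from 1 to 5, got {score!r}")
    return score

def inherent_risk_score(factor_scores: Sequence[int]) -> int:
    """Inherent risk score R for one class of expenditure: seven factors summed (/35)."""
    if len(factor_scores) != len(INHERENT_FACTORS):
        raise ValueError(f"expected {len(INHERENT_FACTORS)} factor scores")
    return sum(_check_score(s) for s in factor_scores)

def inherent_risk_value(class_factor_scores: Dict[str, Sequence[int]],
                        expenditure: Dict[str, int]) -> int:
    """Grand total of R_i * E_i over classes I-VII (the risk-weighted expenditure)."""
    unknown = set(expenditure) - set(EXPENDITURE_CLASSES)
    if unknown:
        raise ValueError(f"unknown expenditure classes: {sorted(unknown)}")
    total = 0
    for cls in EXPENDITURE_CLASSES:
        actual = expenditure.get(cls, 0)
        if actual == 0:
            continue  # a class with no expenditure adds nothing to the monetary value
        total += inherent_risk_score(class_factor_scores[cls]) * actual
    return total

def control_risk_total(sub_parameter_scores: Sequence[int]) -> int:
    """Total control risk score out of 100; the control risk itself is this / 100."""
    if len(sub_parameter_scores) != CONTROL_SUBPARAMETERS:
        raise ValueError(f"expected {CONTROL_SUBPARAMETERS} sub-parameter scores")
    return sum(_check_score(s) for s in sub_parameter_scores)

def categorise(risk_score: float) -> str:
    """Map a risk score in US$ to the high/medium/low category of the appendix."""
    if risk_score >= HIGH_RISK_THRESHOLD:
        return "High risk"
    if risk_score >= MEDIUM_RISK_THRESHOLD:
        return "Medium risk"
    return "Low risk"

@dataclass
class EntityRisk:
    inherent_risk_value: int  # sum of R_i * E_i, in US$
    control_risk: float       # total control risk score / 100
    risk_score: float         # inherent_risk_value x control_risk, in US$
    category: str

def assess_entity(class_factor_scores, expenditure, sub_parameter_scores) -> EntityRisk:
    """Risk score = (inherent risk value in monetary terms) x (control risk score)."""
    inherent = inherent_risk_value(class_factor_scores, expenditure)
    control_total = control_risk_total(sub_parameter_scores)
    # Multiply integers before dividing so the score is exact for whole-dollar inputs.
    score = inherent * control_total / 100
    return EntityRisk(inherent, control_total / 100, score, categorise(score))

# Constructed sample entity (not from the handbook): actual expenditure in US$ per class.
SAMPLE_EXPENDITURE = {"I": 2_000_000, "II": 500_000, "III": 3_000_000, "IV": 1_000_000,
                      "V": 200_000, "VI": 1_500_000, "VII": 100_000}
# Constructed inherent risk factor scores per class, in INHERENT_FACTORS order.
SAMPLE_FACTOR_SCORES = {
    "I": (2, 1, 1, 1, 1, 3, 2),    # R1 = 11
    "II": (2, 3, 2, 1, 2, 3, 2),   # R2 = 15
    "III": (4, 4, 5, 2, 4, 3, 2),  # R3 = 24
    "IV": (2, 3, 1, 5, 3, 2, 1),   # R4 = 17
    "V": (3, 3, 2, 2, 2, 2, 2),    # R5 = 16
    "VI": (5, 4, 5, 1, 4, 3, 1),   # R6 = 23
    "VII": (3, 2, 2, 1, 1, 2, 1),  # R7 = 12
}
# Constructed scores for the 20 control sub-parameters (total 48, control risk 0.48).
SAMPLE_CONTROL_SCORES = (3, 2, 3, 2, 2, 3, 2, 3, 2, 3, 2, 2, 3, 2, 3, 2, 2, 3, 2, 2)

if __name__ == "__main__":
    result = assess_entity(SAMPLE_FACTOR_SCORES, SAMPLE_EXPENDITURE, SAMPLE_CONTROL_SCORES)
    print(f"inherent risk value: US$ {result.inherent_risk_value:,}")
    print(f"control risk: {result.control_risk:.2f}")
    print(f"risk score: US$ {result.risk_score:,.0f} -> {result.category}")
```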
Appendix 4-B: Differing tasks of the auditor in different types of compliance audit

The four engagement types compared are: direct reporting with reasonable assurance (Direct reporting – RA), attestation engagement with reasonable assurance (Attestation engagement – RA), direct reporting with limited assurance (Direct reporting – LA) and attestation engagement with limited assurance (Attestation engagement – LA).

Audit stage: Planning

Direct reporting – RA: The auditor selects the subject matter and produces subject matter information. More extended procedures in risk assessments, understanding the entity and its environment, and evaluation of internal control. The three-component audit risk model (inherent, control and detection risk) may be used.

Attestation engagement – RA: The responsible party presents subject matter information on which the auditor then gathers sufficient and appropriate audit evidence. More extended procedures in risk assessments, understanding the entity and its environment, and evaluation of internal control. The auditor has to cover the three components of the risk model.

Direct reporting – LA: The auditor selects the subject matter and produces subject matter information. Less extended procedures in risk assessments, understanding of the entity and its environment, and in the evaluation of internal control. The three-component audit risk model (inherent, control and detection risk) may be used.

Attestation engagement – LA: The responsible party presents subject matter information on which the auditor then gathers sufficient and appropriate audit evidence. Less extended procedures in risk assessments, understanding of the entity and its environment, and in the evaluation of internal control. The auditor has to cover the three components of the risk model.

Audit stage: Gathering audit evidence

Direct reporting – RA: A combination of different audit techniques is important. Substantive testing must always be included. The auditor gathers sufficient and appropriate audit evidence to conclude whether the subject matter complies in all material respects with identified suitable criteria.

Attestation engagement – RA: A combination of different audit techniques is important. The auditor gathers sufficient and appropriate audit evidence to conclude whether the subject matter complies in all material respects with identified suitable criteria.

Direct reporting – LA: It is possible to conclude based on analytical procedures and inspection; these are sufficient. The procedures are limited compared with what is necessary for a reasonable assurance engagement.

Attestation engagement – LA: It is possible to conclude based on analytical procedures, substantive testing and inspection; these are sufficient. The procedures are limited compared with what is necessary for a reasonable assurance engagement.

Audit stage: Evaluating evidence and forming conclusion

Direct reporting – RA: The conclusion is expressed in the form of findings, answers to specific audit questions, recommendations or an opinion. The audit conclusion expresses the auditor's view that the subject matter is/is not compliant in all material respects with the applicable criteria.

Attestation engagement – RA: The auditor provides assurance either through standardised opinions or through conclusions; an opinion is normally used. The auditor's conclusion or opinion expresses the auditor's view that the subject matter information is/is not in accordance with the applicable criteria.

Direct reporting – LA: The conclusion is expressed in the form of findings, answers to specific audit questions, recommendations or an opinion. The conclusion conveys that nothing has come to the auditor's attention to cause the auditor to believe that the subject matter is not in compliance with the audit criteria.

Attestation engagement – LA: The auditor provides assurance either through standardised opinions or through conclusions; an opinion is normally used. The conclusion or opinion conveys that nothing has come to the auditor's attention to cause the auditor to believe that the subject matter is not in compliance with the audit criteria.

Audit stage: Reporting and follow-up

Direct reporting – RA: Report structure in ISSAI 4000.210. The auditor needs to convey, explicitly or implicitly, whether the conclusion is given with limited or reasonable assurance: either through (a) conclusions which explicitly convey the level of assurance, or (b) explaining how findings, criteria and conclusions were developed.

Attestation engagement – RA: Report structure in ISSAI 4000.218. The auditor provides assurance by making a clear statement of the level of assurance.

Direct reporting – LA: Report structure in ISSAI 4000.210. The auditor needs to convey, explicitly or implicitly, whether the conclusion is given with limited or reasonable assurance: either through (a) conclusions which explicitly convey the level of assurance, or (b) explaining how findings, criteria and conclusions were developed. A limited assurance report conveys the limited nature of the assurance provided.

Attestation engagement – LA: Report structure in ISSAI 4000.218. The auditor provides assurance by making a clear statement of the level of assurance. A limited assurance report conveys the limited nature of the assurance provided.
Exhibits for Chapter 5: Planning a compliance audit

Exhibit 5.1: Audit strategy
Exhibit 5.2: Understanding the entity and its environment
Exhibit 5.3: Understanding the internal controls and control environment
Exhibit 5.4: Assessment of fraud risks
Exhibit 5.5: Setting materiality at the planning stage
Exhibit 5.6: Risk register
Exhibit 5.7: Audit plan

Appendix 5-A: Quality review of audit planning

Exhibit 5.1: Audit strategy
ISSAI requirement: ISSAI 4000.137

Entity name
Audit period

Audit strategy matrix prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

Column 1: Elements of the audit strategy | Column 2: Description | Column 3: Comments

No. Elements of the audit strategy
1 Characteristics of the audit
2 The audit objective
3 The audit's subject matter, scope and criteria
4 The entities covered by the audit
5 The type of engagement
6 The level of assurance to be provided
7 Composition of the audit team
8 Quality control mechanisms for the audit
9 Communication with the auditee and those charged with governance
10 Reporting responsibilities
Other significant matters, if any
Process guide to complete the template for the audit strategy

The objective of completing the template: The objective of this working paper template is to prepare an overall audit strategy detailing the elements of the strategy and to see how each element will affect the planning, conducting and reporting phases of the audit.

ISSAI requirement: ISSAI 4000.137

Guide:
Column 2: Describe the decisions made on each element of the strategy listed in column 1.
Column 3: Provide comments if the auditor thinks the strategic element will have any impact on the planning or conducting phase of the audit.

Conclusion: The audit team leader and supervisor need to conclude that adequate consideration has been given to all significant areas affecting the audit, and that an appropriate strategy is in place to deal with the matters likely to influence the planning and performance of the audit. The audit strategy working paper should be updated continuously.

Evidence from preparer and reviewer: The table indicating the name of the person who prepared and documented the material and the reviewer's name needs to be completed at the end.
Exhibit 5.2: Understanding the entity and its environment
ISSAI requirement: ISSAI 4000.131

Entity name
Audit period

Prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

Questions | Description

The entity's legal framework
1. The authorising legislation for the entity and the activities authorised by the legislation
2. The regulations issued under the authorising legislation and their effect on the entity's operations
3. How does the entity comply with the legal framework?
4. Is there any provision in the regulations regarding the rules and regulations for financial management?

The entity's objectives and strategies
5. The entity's objectives
6. The key policies and strategies to achieve the objectives

The entity's organisation and governance
7. The entity's governance structures
8. The operational structure, organisation chart and management arrangements
9. The financial, human and other resources

The entity's business processes and operations
10. What is the nature of the entity's operations? The entity's core functions.
11. How the significant audit areas relate to the entity's operations
12. The types of programmes, functions or projects managed by the entity
13. The process narratives giving an overview of the functions and operations of the entity or the subject matter
14. The critical business process maps and flowcharts of the operations
15. The operational risks related to the entity's objectives and strategies that may result in material non-compliance

The entity's financial management systems
16. The financial reporting framework the entity uses for financial reporting
17. The entity's budgeting process
18. The entity's accounting system, reporting requirements and reporting deadlines
19. The internal audit and external audit functions of the entity

The entity's performance measures
20. How is the entity's performance measured and reviewed?
21. What are the entity's performance reporting requirements?
22. Are there performance targets that may result in management actions increasing the risk of non-compliance?

List of significant risks affecting the entity (linked to the inherent risks)
Process guide to complete the template for understanding the entity and its environment

The overall objective of completing the template: The objective of this audit working paper template is to establish and document an understanding of the entity and its environment relevant to the audit. ISSAI 4000.131 requires the auditor to assess the risk of non-compliance through understanding the entity and its environment.
[Note: The template can be adapted to the subject matter, e.g., a programme, a particular operation of an entity, a contract or a procurement.]

ISSAI requirement: ISSAI 4000.131

Guidance: The auditor needs to understand the entity and its environment to assess the risk of non-compliance in its operations and financial activities.
Based on the list provided in the template above, the auditor can gather a general understanding of the entity, taking into account both internal and external factors. The auditor must understand the entity's core business. While documenting the understanding of the entity and its environment, the auditor needs to bear in mind the risks related to the entity (business risks or entity risks) that may arise during its operations and that may result in material non-compliance.
Consider the list of source documents provided in the table below as possible sources for finding and documenting the information required.

Conclusion: The team should ensure that this documentation is linked to the assessment of the risk of material non-compliance (inherent risks) and the assessment of the control environment.

Evidence from preparer and reviewer: The table indicating the name of the person who prepared and documented the material and the reviewer's name needs to be completed at the end.

Potential sources of documents to understand the entity:

No. Documents
1 Mandate and roles and responsibilities of the organisation
2 Draft financial statements
3 Approved budget of the government, projects and NGOs
4 Plan documents
5 List of major activities carried out during the period to be audited
6 Project organisation
7 Accounts of grants and borrowings
8 Project documents
9 List of laws, rules and regulations that are relevant and applicable
10 Loans and grant agreements
11 Consolidated budget fund accounts
12 Other sources of funding of the entity
13 List of major agencies incurring expenditure
14 Minutes of review meetings
15 Important correspondence files
16 The standard financial reporting requirement
17 Fund flow procedures including reimbursement and repayments
18 Past audit reports and internal audit reports
19 List of bank accounts and statements
20 Financial rules and regulations
21 Procurement rules
Exhibit 5.3: Understanding the internal controls and control environment
ISSAI reference: ISSAI 4000.134

Entity name
Audit period

Prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

[Note: The fundamental concepts of the internal control framework are formulated as 17 principles associated with the
five components of the framework.93 The questions below are based on these principles, which are relevant to all entities
and need to be present, functioning and operating together in an integrated manner to have an effective system of internal
control.]

Questions on the internal control components Description

Control environment
1. How does the entity ensure its commitment to
integrity and ethical values?
2. What mechanisms or bodies exist to assume the
oversight responsibilities for the entity management’s
design, implementation and conduct of internal
control?
3. How do the entity’s organisational structure and
assignment of authority and responsibility contribute
to maintaining an appropriate control environment?
4. How do the entity’s human resources policies and
procedures demonstrate commitment to have the
competence and the required level of skills and
expertise?
5. How does the organisation enforce accountability on
the overall conduct and hold individuals accountable
for their internal control responsibilities?
Risk assessment
6. Does the entity have a risk assessment process and
consider the significant risks to the achievement of its
objectives?
7. How does the management use the risk assessment
process to effectively identify, analyse and respond to
the risks of non-compliance?
8. How does the entity management consider the
potential for fraud in assessing the risks to the
achievement of its objectives?

93 https://www.coso.org/Documents/COSO-CROWE-COSO-Internal-Control-Integrated-Framework.pdf

9. How does the management identify and analyse the
changes that could significantly impact the internal
control system, and the management override of
internal controls?
Control activities
10. How does the entity select and develop control
activities that contribute to the mitigation of risks to
the achievement of its objectives?
11. Does the entity ensure that the general control
activities are designed effectively and operating as
intended to address the risks over use of technology?
12. How does the entity, through its policies that establish
what is expected and procedures that put the policies
into action, ensure the selection, development and
deployment of appropriate control activities in
significant risk areas?
Information and communication
13. How does the entity obtain or generate and use
relevant, quality information to support the
functioning of internal control?
14. How does the entity internally communicate
information, including objectives and responsibilities
for internal control, necessary to support the
functioning of internal control?
15. How does the entity communicate with external
parties regarding matters affecting the functioning of
internal control?
Monitoring
16. How does the entity select, develop and perform
ongoing and separate evaluations to ascertain whether
the components of internal control are present and
functioning?
17. How does the entity evaluate and communicate
internal control deficiencies on time to those parties
responsible for taking corrective action, including the
senior management and the governing body, as
appropriate?
Process guide to complete the template for understanding the internal control

The objective of completing the template: This template provides an understanding of the five interrelated components of an entity's internal control system. The auditor's role within this system focuses on the internal controls over the entity's operations, financial reporting and the processes in place.

ISSAI reference: ISSAI 4000.134

Guide:
Control environment: The control environment is the set of standards, processes and structures that provide the basis for carrying out internal control across the organisation. Senior management establishes the tone at the top regarding the importance of internal control and the expected standards of conduct.

Risk assessment: Risk assessment involves a dynamic and iterative process for identifying and analysing risks to achieving the entity's objectives, forming a basis for determining how risks should be managed.

Control activities: Control activities are the actions established by policies and procedures to help ensure that management directives to mitigate risks related to the achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and throughout the technology environment.

Information and communication: Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Communication occurs both internally and externally and provides the organisation with the information needed to carry out day-to-day controls. Communication enables personnel to understand their internal control responsibilities and their importance to the achievement of objectives.

Monitoring activities: Ongoing evaluations, separate evaluations or some combination of the two are used to ascertain whether each of the five components of internal control, including the controls that effect the principles within each component, is present and functioning. Findings are evaluated and deficiencies are communicated in a timely manner, with serious matters reported to senior management and the board.

Conclusion: The audit team concludes on the significant areas of the control environment under evaluation.

Evidence from preparer and reviewer: The team and the reviewer, usually the audit supervisor, should sign off this document to ensure that the work done by the team has been reviewed and documented.
Exhibit 5.4: Assessment of fraud risks
ISSAI requirement: ISSAI 4000.58

Entity name
Audit period

Prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

[The checklist below is not inclusive of all questions needed to assess fraud risks in an organisation. It might require follow-up
questions that depend on the answers to previous questions. Accordingly, auditors may use this as a start to create their tools
and to brainstorm to identify the fraud risks that could apply to the entity or subject matter.]

Questions Description
1. Does the entity have a fraud governance structure in place
that assigns responsibilities for fraud investigations?
2. Does the entity have a fraud policy in place?
3. Has the entity identified laws and regulations relating to
fraud in jurisdictions where it operates?
4. Does the entity’s fraud management programme include
coordination with, if one exists, its internal audit function?
5. Does the entity have a fraud hotline?
6. Has responsibility for fraud detection, prevention, response
and awareness been assigned within the entity?
7. Does entity management promote fraud awareness and
training within the organisation?
8. What processes have been put in place for identifying and
responding to the risks of fraud in the entity?
9. Are periodic fraud awareness and training programmes
provided to all employees?
10. Are any automated tools available to those responsible for
preventing, detecting and investigating fraud?
11. Has the entity management identified the types of potential
fraud risks in its areas of responsibility?
12. Has entity management incorporated appropriate controls
to prevent, detect and investigate fraud?
13. Does entity management have the appropriate skill sets in
place to perform fraud investigations?
14. Does entity management periodically assess the
effectiveness and efficiency of fraud controls?
15. Are fraud investigation work papers and supporting
documents appropriately secured and retained?
Process guide to complete the template for assessment of fraud risks at the audit planning stage

The objective of completing the template: The objective of this template is to obtain information regarding fraud risk as part of an overall understanding of the entity and its control environment.

ISSAI requirement: ISSAI 4000.58

Guide: The fraud risk assessment team identifies potential fraudulent schemes using brainstorming, management interviews, analytical procedures and review of prior frauds. During this process, the fraud risk assessment team reviews the organisation's activities and the schemes relevant to the industry, geography and programmes, always considering the essential characteristics of fraud (pressure, opportunity and rationalisation), asking:
• Where are the opportunities for fraud?
• What level of pressure is management under that would lead it to override internal controls?
• Are there any consequences if management fails to reach goals?

Specific fraud areas should be identified without regard to the existence or effectiveness of internal controls. The evaluation considers whether the fraud could be committed by an individual alone or requires collusion among employees or with external persons.

The auditor may consider the following factors while prioritising fraud risks:
• Financial impact
• Impact on the organisation's reputation
• Potential criminal or civil actions
• Regulatory non-compliance
• Integrity and security of data
• Loss of assets
• Location and size of operations and units
• Entity culture
• Management and employee turnover
• Liquidity of entity assets
• Volume and size of transactions
• Outsourcing

Conclusion: The audit team concludes on the potential fraud risks to be documented in the risk register.

Evidence from preparer and reviewer: The team and the reviewer, usually the audit supervisor, sign off this document to ensure that the work done by the team has been reviewed and documented.
Exhibit 5.5: Setting materiality at the planning stage
ISSAI requirement: ISSAI 4000.92

Entity name
Audit period

Prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

Setting quantitative materiality (if the subject matter includes transactions or financial information)

Column 1: Benchmark | Column 2: Threshold | Column 3: Materiality % used | Column 4: Population amount | Column 5: Materiality amount | Column 6: Revised materiality amount
Payment amount | 1 to 5% | x% | xxxx | xxxx | xxxx
Revision | 1 to x% | x% | xxxx | xxxx | xxxx

Row 1: Justification for benchmark used (how the total amount is derived)
Row 2: Justification for percentage used
Row 3: Reason for revised materiality

Setting qualitative materiality
Row 1: Materiality by nature
Row 2: Materiality by context
Process guide to complete the template for setting materiality at the planning stage

The objective of the template: The objective of completing this working paper template is to determine materiality for planning and performing the audit; this is carried out as a part of the overall audit strategy. The materiality determined at the planning stage can be revised as the audit progresses.

ISSAI requirement: ISSAI 4000.92

Guide: The purpose of materiality is to identify the audit questions, based on the risk assessment, and to ensure that any non-compliance below the materiality level will not affect the conclusion or the purpose for which the report is used by its users.

Column 1: Select an appropriate benchmark for determining the planning materiality for the subject matter under consideration. While choosing this benchmark, the auditor needs to consider whether this item is critical to the users.
Column 2: Determine the threshold of materiality. The limit will depend on the SAI's policy; it could be, for example, between 0.5% and 2%, or between 1% and 5%. This may also depend on the type of benchmark chosen from the audit's overall subject matter.
Column 3: From the given threshold, select the percentage to be applied to the total population value to arrive at the materiality amount. The auditor chooses the percentage according to the sensitivity of the items, for example: very sensitive: 1%; sensitive: 2.5%; not sensitive: 5%.
Column 4: Record the total population amount of the chosen benchmark derived from the subject matter.
Column 5: Derive the materiality amount by applying the chosen percentage (from column 3) to the total population amount (column 4). This is the planning materiality amount for the subject matter if it is a transaction or financial information.
Column 6: To arrive at a revised value, repeat the same process as above. Using professional judgement, the auditor may also simply state the revised materiality amount without applying the revised percentage to the total population.

Recording descriptions related to determining materiality:
1. Under row 1, record the reason for using the chosen benchmark and how the total amount used as the benchmark is derived.
2. Under row 2, record the justification for the percentage; primarily it depends on sensitivity. It may also depend on the nature of the entity and its financial discipline.
3. Under row 3, record the reason for revising the materiality, to keep track of why the materiality amount was revised and why a revision was needed.

Under qualitative materiality:
1. Under row 1, record the consideration of materiality by nature, which needs to be considered throughout the audit. This aspect is crucial in public sector auditing.
2. Under row 2, record the consideration of materiality by context, which needs to be considered throughout the audit. This is sometimes a minor non-compliance that may nevertheless have a significant effect.

Evidence from preparer and reviewer: The reviewer, usually the audit supervisor, should sign off this document to ensure that it has been reviewed.
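The following is an added worked example, not part of the handbook or of any SAI's tooling. It implements the quantitative steps of this process guide (columns 1 to 6: tier percentage by sensitivity, the SAI threshold band check, population × percentage, and the revision record with its reason) together with the risk-score formula from the risk categorisation appendix earlier in the handbook (risk score = inherent risk score in monetary value × control risk score, banded at 70 000 and 3.5 million). Assumptions: amounts are whole currency units of the subject matter; the control risk score is treated as a dimensionless multiplier because the handbook does not state its scale; "above 3.5 million = high risk" is inferred from the two bands quoted; the figures in the demonstration are constructed.

```python
"""Planning-stage arithmetic: quantitative materiality (Exhibit 5.5) and entity
risk categorisation. Added example, not handbook code. Decimal is used so the
working paper does not carry float rounding noise."""
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional, Tuple

# Column 3: percentage chosen by sensitivity of the items (figures from the guide).
SENSITIVITY_PCT = {
    "very sensitive": Decimal("1"),
    "sensitive": Decimal("2.5"),
    "not sensitive": Decimal("5"),
}
# Column 2: the SAI's policy band for the percentage (1% to 5% in the example).
DEFAULT_BAND = (Decimal("1"), Decimal("5"))
# Risk categorisation bands from the appendix; "above 3.5 million = high" is assumed.
MEDIUM_FLOOR = Decimal("70000")
HIGH_FLOOR = Decimal("3500000")


@dataclass
class MaterialityRecord:
    """One row of the quantitative materiality table plus its revision history."""
    benchmark: str                 # column 1
    population: Decimal            # column 4
    pct: Decimal                   # column 3
    amount: Decimal                # column 5, or column 6 after a revision
    justification: str             # rows 1 and 2 of the descriptions
    revisions: list = field(default_factory=list)  # (pct or None, amount, reason)


def pct_allowed(pct, band=DEFAULT_BAND) -> bool:
    """Column 2 check: the chosen percentage must lie inside the SAI's band."""
    lo, hi = (Decimal(str(b)) for b in band)
    return lo <= Decimal(str(pct)) <= hi


def _apply(population: Decimal, pct: Decimal) -> Decimal:
    # Column 5: materiality = population x percentage, rounded to whole units.
    return (population * pct / Decimal("100")).quantize(Decimal("1"), rounding=ROUND_HALF_UP)


def planning_materiality(benchmark: str, population, sensitivity: str,
                         justification: str, band=DEFAULT_BAND) -> MaterialityRecord:
    """Columns 1-5: pick the tier percentage, check it against policy, compute the amount."""
    pct = SENSITIVITY_PCT[sensitivity]
    if not pct_allowed(pct, band):
        raise ValueError(f"{pct}% for '{sensitivity}' items is outside the SAI band {band}")
    population = Decimal(str(population))
    return MaterialityRecord(benchmark, population, pct, _apply(population, pct), justification)


def revise_materiality(rec: MaterialityRecord, reason: str, pct: Optional[Decimal] = None,
                       amount=None, band=DEFAULT_BAND) -> MaterialityRecord:
    """Column 6 and row 3: either recompute from a new percentage, or (professional
    judgement) state the revised amount directly. Exactly one of pct/amount is given;
    the reason is always recorded so the revision trail survives review."""
    if (pct is None) == (amount is None):
        raise ValueError("give exactly one of pct or amount")
    if pct is not None:
        pct = Decimal(str(pct))
        if not pct_allowed(pct, band):
            raise ValueError(f"revised {pct}% is outside the SAI band {band}")
        rec.pct = pct
        amount = _apply(rec.population, pct)
    rec.amount = Decimal(str(amount))
    rec.revisions.append((pct, rec.amount, reason))
    return rec


def affects_conclusion(rec: MaterialityRecord, non_compliance_amount) -> bool:
    """Guide text: non-compliance below the materiality level does not affect the
    conclusion. Materiality by nature or context is a separate, qualitative judgement."""
    return Decimal(str(non_compliance_amount)) >= rec.amount


def risk_category(inherent_monetary_score, control_score) -> Tuple[str, Decimal]:
    """Risk score = inherent risk score (monetary) x control risk score (multiplier,
    scale assumed). Returns (category, score) using the appendix bands."""
    score = Decimal(str(inherent_monetary_score)) * Decimal(str(control_score))
    if score < MEDIUM_FLOOR:
        return "low", score
    if score <= HIGH_FLOOR:
        return "medium", score
    return "high", score


if __name__ == "__main__":
    # Constructed figures for demonstration only.
    rec = planning_materiality("Payment amount", 2_000_000, "sensitive",
                               "Total payments taken from the approved budget ledger")
    print(rec.benchmark, rec.pct, rec.amount)
    revise_materiality(rec, "Fieldwork showed weaker controls than planned", pct=1)
    print(rec.amount, rec.revisions)
    print(affects_conclusion(rec, 25_000), affects_conclusion(rec, 19_999))
    print(risk_category(1_000_000, 2))
```

The band check rejects a tier percentage the SAI's policy does not permit (for instance "not sensitive: 5%" under a 0.5% to 2% policy), which is the kind of inconsistency a reviewer looks for in columns 2 and 3; the revision list is the row 3 record.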
Exhibit 5.6: Risk register
ISSAI requirement: ISSAI 4000.52

Entity name
Audit period

Prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

Column 1: Risk identified (inherent/control/fraud risks) | Column 2: Link to the area under the subject matter | Column 3: Assessment (high, medium, low)

No.
1. ..
2. ..

Process guide to complete the template for risk register

The objective of completing the template: The objective of this working paper template is to record the risks of non-compliance identified while completing the risk assessment process. ISSAI 4000 requires the auditor to assess the risks of material non-compliance through understanding the entity and its environment.

ISSAI requirement: ISSAI 4000.52

Guide:
Overall: The recording of risks in the risk register may take place simultaneously with determining the inherent, control and fraud risks. During the audit, the risk register can be updated with newly identified risks without going through the whole process again. Risks from the register are elaborated in the planning matrix together with the audit procedures to be performed.
Column 1: In this column, the auditor records the risks identified in the different areas, taking as input the inherent risks, control risks and fraud risks identified.
Column 2: The auditor records the areas of the subject matter to which the risks are linked.
Column 3: The risks identified and recorded in the risk register are assessed considering their impact and likelihood, and the auditor's conclusion on each risk is recorded.

Evidence from preparer and reviewer: Record the names of the person who prepared this risk register and of the reviewer at the end. The preparer, who could be the team leader or one of the team members, needs to sign off accordingly. The reviewer, usually the audit supervisor, should sign off this document to ensure that the work done by the team has been reviewed accordingly.
Exhibit 5.7: Audit plan
ISSAI reference: ISSAI 4000.137, ISSAI 4000.140, ISSAI 4000.149

Entity name
Audit period

Prepared by (name, designation, date, signature):
Reviewed and approved by (name, designation, date, signature):

[Note: The audit plan has the following parts: Part A: Assessment of risks and internal control; Part B: Audit planning matrix covering the risks; Part C: Audit schedule covering who will perform the audit procedures and when. The SAI team can combine the audit strategy and audit plan in one continuous document for approval by SAI management.]

PART A: Assessment of risks and internal control

1. Assessment of risks
2. Assessment of internal control
3. Result of risk assessment: risk register
4. Materiality assessment

PART B: Audit planning matrix

Column 1: Risks identified (from risk register) | Column 2: Criteria | Column 3: Required evidence/information | Column 4: Sources of evidence/information | Column 5: Audit procedures to perform

No.
1
..
..

PART C: Audit schedule

Audit stages | Planned date | Achieved date | Comments

Audit plan
Prepared
Reviewed
Approved by management
Audit execution: fieldwork
Start
Completion
Audit reporting
Draft report prepared
Reviewed
Approved by management
Audit report issued

Process guide to complete the template for audit plan

The objective of the template: This working paper creates the basis for the audit strategy and audit plan document that the audit team will submit to management for approval.

ISSAI references: ISSAI 4000.137, ISSAI 4000.140, ISSAI 4000.149

Guide

Part A: Assessment of risks and internal control
Assessment of risks: Describe the risk assessment process followed. Mention the overall information from the understanding of the entity and the fraud risks identified. These should come from the completed working paper templates.
Assessment of internal control: Write the assessment of overall control risk, based on the understanding of the subject matter and the initial assessment of control risks.
Result of the risk assessment: Document the risk assessment results and what is required to give reasonable assurance on the subject matter. The risks are listed in the risk register.
Materiality: Describe both the quantitative and qualitative aspects of materiality, as applicable, considering the exhibit on materiality.

Part B: Audit planning matrix
Risks identified: Bring all risks of material non-compliance from the risk register (Exhibit 5.6) into this column as the audit questions.
Criteria: In the audit strategy, all applicable criteria are identified for the subject matter. Here, the specific criteria the entity should comply with in respect of the risk in column 1 need to be stated.
Required evidence: What evidence or information does the auditor need to answer the audit question regarding the risk of non-compliance against the criteria?
Sources of evidence: Where is the evidence or information available? List the possible sources of evidence for the audit.
Audit procedures to perform: Write the audit procedures the team plans to perform to confirm whether the condition complies with the criteria and so answer the question. For example: make inquiries with staff and document the discussions; review policies and note non-compliance for further discussion with the entity.

Part C: Audit schedule
Detail the dates planned for the audit. As the audit progresses there may be changes, so the 'achieved date' column will have to be filled in later and comments added based on the progress of the audit.

Appendix 5-A: Quality review of audit planning

Purpose: Quality review of audit planning
Reference: Section 5.3

[The review checklist provided below is suggestive. The SAI may already have a quality review mechanism with an agreed list. The SAI team can compare the two and finalise the checklist for the quality review at the planning stage.]

The reviewer, while reviewing the adequacy of audit planning, may consider the following matters:
Checklist Review comment
1 Ensuring that planning is carried out following auditing policies,
standards, manuals, guidelines and practices of the SAI
2 Obtaining relevant information regarding laws and regulations that
might have a significant impact on the audit objectives
3 Preliminary investigative audit (an audit that aims to conduct an
initial study of specific issues to help prepare the audit plan)
4 Determining objectives and scope of audit
5 Identification of sources (e.g., media, findings of auditee’s internal
audit, inspection and other control bodies) as background for audits
6 Determining the list of activities for audit
7 Highlighting of unique problems foreseen when planning the audit
8 Ensuring that members of the audit team have a clear and
consistent understanding of the audit plan
9 Follow-up of issues raised in previous related audits
10 Understanding the finance, accounting and other relevant functions
of the entity and subject matter
11 Identification of critical elements of internal control system of
auditee
12 Using appropriate analytical procedures
13 Identification and analysis of relevant ratios and comparative figures
14 Identification of trends or deviations from predicted amounts
15 Choice of relevant performance indicators
16 Assessment of inherent and control risks
17 Establishment of materiality criteria and thresholds
18 Preparation of the audit planning matrix with the risks identified
19 Choice of appropriate experts, if required
20 Preparation of budget and schedule, assessment of resources
necessary, staff requirements and team allocated for audit
21 Investigation and settlement of queries raised during the review
stage
22 Drawing up, approval, review of audit plan by supervisors, if
applicable
23 Other procedures and practices used in the planning phase of an
audit
24 Practices to continuously enhance quality control procedures in the
planning phase of audit
Exhibits for Chapter 6: Performing audit procedures, and gathering and evaluating evidence

Exhibit 6.1: Testing the operating effectiveness of controls
Exhibit 6.2: Performing substantive audit procedures
Exhibit 6.3: Audit findings matrix
Appendix 6-A: Quality review of audit field-work
Exhibit 6.1: Testing the operating effectiveness of controls
ISSAI references: ISSAI 4000.144–149

Entity name:
Audit period:

Prepared by (Name, Designation, Date, Signature):
Reviewed and approved by (Name, Designation, Date, Signature):

Step 1: Link from planning to risk, control activities, test procedures
Columns:
1 Control reference number
2 Risk
3 Risk reference
4 Control activity for the risk
5 Control testing procedures performed
6 Comments
Entry row: Link to… / Link to… / Link to…

Step 2: Test of control procedures performed
Columns:
1 Sample
2 Sample reference no.
3 Item tested in the sample (Item 1, Item 2, Item 3, Item 4, Item 5)
4 Conclusion
Rows: 1, 2, 3, 4

Overall conclusion on control testing:
Process guide to complete the template for testing operating effectiveness of controls

Objective of the template: The objective of this working paper template is to document the control testing procedures performed by the auditor. The test objective is linked to the identified risks; the audit procedure is performed on the samples selected.
ISSAI: ISSAI 4000.144–149
Guide:
Step 1: Link the risks from the planning document that were considered for testing and record them in the field provided above. Against this, trace the risks, control activities and control testing procedures identified from the planning document.
Step 2: Select samples to be tested for one control activity at a time. First record the control reference number and risk reference number, to confirm which control was tested. Record this in the field provided in the template and then record the details of the samples in the given table.

Step 1: Link from planning to risk, control activities, test procedures
Column 1: In this column, trace the control activity reference number from the Log of Control Activity or from the RMNC (risk of material non-compliance)/risk register table completed at the planning stage of the audit. Column 1 records the control reference number and thus provides a status of the controls being tested.
Column 2: Trace the risks identified in the RMNC/risk register table and record them in this column. First, trace the risks assessed as significant.
Column 3: It is optional to trace the name of the risk or the risk reference in this documentation. The risk reference number can be traced from the RMNC/risk register table and recorded in this column.
Column 4: Trace the name of the control activity from the RMNC/risk register table and record it in this column. It should correspond to the control activity reference number recorded in column 1 and the risks traced from the RMNC/risk register.
Column 5: In this column, add a comment on the control testing procedures designed at the planning stage from the RMNC/risk register table. This is the work that needs to be performed by the auditor.

Step 2: Test of control procedures performed
Column 1: In this column, record the sample numbers. This indicates how many samples were tested.
Column 2: Document the sample reference number in this column. Typically, it could be a payment voucher or receipt voucher number, a date or similar.
Column 3: In this column, record the details of the items tested in that particular sample against the control. The items to be tested in a particular sample will be determined by the control testing procedures designed at the planning stage and by the test objective.
Column 4: Arrive at a conclusion on every sample tested and record it in this column. This will form the basis for arriving at an overall conclusion.

Conclusion on control testing: Based on the controls identified against each risk tested, conclude whether the controls put in place are operating effectively. To do so, first record the basis for the conclusion, and then conclude with one of the following statements.
1. The controls were operating effectively.
2. The controls were not operating effectively.
This conclusion should then be traced back to the RMNC/risk register table under the column specified as 'Conclusion of control testing procedure' and recorded as either 'Effective' or 'Not effective' against each control testing procedure.

Evidence from preparer and reviewer: The table indicating the names of the person who prepared and completed this working paper and the reviewer needs to be completed at the end. The preparer could be a team leader or one of the team members, who could then sign off accordingly. The reviewer, usually the audit supervisor, should sign off this document to ensure that the work done by the team has been reviewed accordingly.

Exhibit 6.2: Performing substantive audit procedures
ISSAI references: ISSAI 4000.144–149

Entity name:
Audit period:

Prepared by (Name, Designation, Date, Signature):
Reviewed and approved by (Name, Designation, Date, Signature):

Step 1: Link from planning to risk and substantive audit procedures
Columns:
1 Risk
2 Risk reference
3 Substantive audit procedures performed
4 Comments
Entry row: Link to… / Link to…

Step 2: Substantive audit procedures performed
Columns:
1 Sample
2 Sample reference no.
3 Item tested in sample (Item 1, Item 2, Item 3, Item 4, Item 5)
4 Conclusion
Rows: 1, 2, 3, 4

Overall conclusion on the substantive audit procedures:
Completing the template for substantive audit procedures: Suggested process guide

The objective of the template: The objective of this audit working paper template is to document the substantive audit procedures performed by the auditor in the execution phase of the audit, to ensure that the work performed by the auditor is documented accordingly. The test objective is linked to the identified risk; the audit procedure is performed on the samples selected.
ISSAI: ISSAI 4000.144–149
Guide:
Step 1: Link the risks from the planning document that were considered for testing and record them in the field provided above. Against this, link the risks and the substantive audit procedures identified from the planning document.
Step 2: Select samples for testing. Usually, the samples selected for substantive testing are larger than for control testing. Therefore, the auditor needs first to record the risk reference number, so that it is quite clear which risk will be addressed by performing substantive audit procedures. The particulars or items to be tested in the given sample depend on the test objective, and what needs to be tested should be drawn from the substantive audit procedures.

Step 1: Link to the risk and substantive audit procedures from planning
After recording the risks to be tested, proceed to complete the table, which has four elements. The auditor should first focus on significant risks, and design and perform substantive audit procedures that are responsive to such risks.
Column 1: Link the risks identified from the RMNC/risk register table and record them in this column. First link the risks assessed as significant.
Column 2: The risk reference number can be linked from the RMNC/risk register table and recorded in this column for ease of reference while documenting the substantive audit procedures performed.
Column 3: In this column, link the substantive audit procedures designed at the planning stage from the RMNC/risk register table. This is the work that needs to be performed by the auditor.
Column 4: Add a comment here on the process and the outcome. The purpose is to ensure that the test objective is maintained consistently, so as to arrive at an appropriate conclusion based on the substantive audit procedures performed.

Step 2: Substantive audit procedures performed
Document the substantive audit procedures performed that are responsive to the assessed risks of material non-compliance. Link the risk reference and record it in the given field.
Column 1: In this column, record the sample numbers. This indicates how many samples were tested.
Column 2: Document the sample reference number in this column. Typically, it could be a payment voucher or receipt voucher number and date.
Column 3: In this column, record the items tested in that sample. The items to be tested in a sample will be determined by the substantive audit procedures designed and the test objectives determined in the planning stage.
Column 4: In this column, record the conclusion arrived at on every sample tested. This will form the basis for arriving at an overall conclusion.

Conclusion on substantive audit procedures: To arrive at an overall conclusion, first establish the basis of the conclusion. This can be derived by summarising the conclusion for each sample under column 4. The overall conclusion should then be linked back to the specific risks in the risk register so that auditors will know which risks have actually resulted in non-compliance. From that, constructive recommendations can be suggested.
Any exceptions observed while performing the substantive audit procedures on each sample selected for testing should be linked to the observation list in the completion and review stage of the audit, to deal appropriately with management and to evaluate the impact on the objective and subject matter.
Evidence from preparer and reviewer: The table indicating the names of the person who prepared and completed this working paper and the reviewer needs to be completed at the end. The preparer could be a team leader or one of the team members, who could then sign off accordingly. The reviewer, usually the audit supervisor, should sign off this document to ensure that the work done by the team has been reviewed accordingly.

Exhibit 6.3: Audit findings matrix
ISSAI requirement: ISSAI 4000.179

Entity name:
Audit period:

Prepared by (Name, Designation, Date, Signature):
Reviewed and approved by (Name, Designation, Date, Signature):

1. Risk/audit question: ………..

2. Finding
   i. Audit criteria
   ii. Condition/evidence
   iii. Cause
   iv. Effect

3. Conclusion: ….

4. Recommendation (if applicable): ….
Completing the template for the audit findings matrix: Suggested process guide

The objective of the template: The objective of completing this working paper template is to facilitate the systematic preparation of the audit findings. The auditor needs to fill in this template for each risk. Based on the information gathered in the template, the auditor will prepare the individual narrative finding (the team can follow the SAI's finding format). Claims made by the auditor in the narratives in the template should be supported by the required documentation with references (evidence). This will facilitate the quality review process during the audit and quality assurance after the audit.
ISSAI: ISSAI 4000.179
Guide:
Row 1: Audit question or risks identified at the planning phase, with reference to the risk register. For each risk/audit question in the register, an audit planning matrix is completed and, based on the audit procedures performed for the risks, this table is completed separately for each risk.
Row 2: Findings, which have four elements:
i. Audit criteria: Authorities, rules or regulations governing the particular entity, events or situation, used to determine the answer to the risk; that is, whether it is compliant or not.
ii. Condition/evidence: Condition refers to the existing situation, identified and documented during the audit: what the auditor found in the audit, the existing situation in the entity, whether it deviates from the set criteria, and the results of the collection of evidence using different methods, techniques and procedures. The evidence is linked to the criteria. The auditor analyses the difference between the criteria (what should be) and the condition (what is there) by assessing the evidence of the condition found against the criteria. Often there are several items of evidence that form a finding.
iii. Cause: The cause is the reason for the difference between the condition and the criterion. If there is non-compliance, what is the cause? It could be ignorance of the rules in force or the overriding of a management decision. The cause (or the root cause) will be the basis for the recommendations. To reliably identify the causes of the existing situation, the auditor may need to use appropriate data analysis methodologies.
iv. Effect: The effect is the consequence of the difference between condition and criterion, i.e. the non-compliance. The effect indicates the seriousness of the situation encountered and determines the intensity of corrective action. What is the effect or consequence of the non-compliance or deviation with regard to loss or other damage to the entity?
Row 3: Conclusion: Based on the analysis, whether the risk under audit is or is not compliant with the respective criteria.
Row 4: Recommendations should follow from the root cause of the non-compliance determined. It may be that not all findings have recommendations. When suggesting a recommendation, it is good practice to discuss with the entity the logic and probability of its implementation. This will enhance the recommendation's prospects for implementation.

Documentation: All columns will contain statements that are based on the auditor's professional judgment. All these statements need to be substantiated with sufficient and appropriate evidence and the required documentation. The decisions made by the auditor, the application of professional judgment and the decision-making process need to be documented. The work performed and the analysis made of the data or information gathered to formulate a conclusion also need to be documented appropriately.

Evidence from preparer and reviewer: The table indicating the names of the person who completed the template and who reviewed it is completed at the end. It is usually the team leader who would sign off as part of quality control. The reviewer, usually the audit supervisor, should sign off this document to ensure that it has been reviewed.

Appendix 6-A: Quality review of audit field-work
Purpose: Quality review of audit field-work
Reference: Section 6.6
[The review checklist provided below is suggestive. The SAI may already have a quality review mechanism with an agreed list. The SAI team can compare the two and finalise the checklist for the quality review at the audit field-work stage.]

The reviewer, while reviewing the adequacy of audit field-work, may consider the following matters:

Checklist | Review comment
1 The audit is carried out in accordance with the auditing standards, manuals, guidelines and practices of the SAI.
2 Auditors have a sound understanding of techniques and procedures such as inspection, observation, enquiry and interviewing to collect audit evidence.
3 All phases of the audit have been carried out as planned and approved.
4 Explanations are available for non-performance of any significant areas in the audit plan.
5 Appropriate approval exists for significant deviations that have taken place from the approved audit.
6 Staff resources used for the audit are in line with those planned in terms of time, the grade of staff and expenses entailed.
7 Appropriate audit techniques and audit procedures were used to fulfil each audit objective in order to provide for effective audit evidence.
8 Computer-assisted audit techniques (CAATs) were used as appropriate.
9 Appropriate tests were used for evaluating the reliability of internal controls.
10 Appropriate analytical procedures were used, and the reliability, independence and quality of relevant supporting data were assessed.
11 Sampling methods were used according to the SAI's manuals and sound statistical methods.
12 All tests of transactions are related to audit objectives, adequately explain the nature and extent of audit work and provide an overall conclusion as to the results of audit work.
13 Audit steps and procedures were designed to obtain sufficient and appropriate evidence.
14 A full investigation was made of all queries raised during the audit.
15 There are adequate working papers in respect of:
   - evaluation of internal control systems
   - audit of routine procedures
   - tests of controls
   - analytical review
   - substantive tests, and
   - audit of computer-based applications.
16 Working papers are appropriately cross-referenced.
17 Audit completion checklists are comprehensive and have been completed, approved and duly evidenced.

Appendix for Chapter 7: Reporting and follow-up compliance audits

Appendix 7-A: Quality review of audit reporting

Appendix 7-A: Quality review of audit reporting
Purpose: Quality review of audit reporting
Reference: Section 7.5
[The review checklist provided below is suggestive. The SAI may already have a quality review mechanism with an agreed checklist. The SAI team can compare the two and finalise the checklist for the quality review at the reporting stage.]

The reviewer, while reviewing the adequacy of audit reporting, may consider the following matters:

Checklist | Review comment
1 Reporting is in accordance with the auditing policies, standards, manuals, guidelines and practices of the SAI.
2 The form and content of reports are in accordance with established procedures (e.g., title, signature and date, objectives and scope, addressee, legal basis, timeliness).
3 The terminology used in the report can be easily understood by the persons to whom the report is presented, and technical terms are fully explained.
4 All audit findings have been evaluated in terms of materiality, errors and other irregularities.
5 All instances of non-compliance, deficiencies and unusual matters have been properly identified, documented and satisfactorily resolved or brought to the attention of a senior SAI officer, if applicable.
6 The final audit report covers all areas representing the objectives of the audit, or explanations are provided for omissions.
7 Observations and conclusions in the report are supported and well documented to ensure completeness, accuracy and validity of working papers.
8 All evaluations and conclusions are soundly based and supported by competent, relevant and reasonable audit evidence.
9 Only sufficiently material audit findings are included in the main audit report.
10 The report is timely, comprehensive, performed by suitably qualified staff, appropriately documented and adequately incorporates the audit opinion.
11 Letters of weakness, queries and management letters are submitted to the auditee in due time.
12 Receipt of relevant and timely replies to SAI reports and other correspondence is ensured.
13 Replies are carefully studied.
14 All findings, conclusions and recommendations contradicted by the auditee are duly evaluated.
15 Material relevant comments by the auditee are referred to in the audit report, if applicable.
16 Relevant significant events occurring following completion of the audit are taken into account in the final audit report.
17 All significant fraud or other irregularities are reported to the appropriate authorities.
18 Permanent audit files have been updated to take into account the results of the audit.
19 Material items requiring subsequent follow-up by the SAI have been duly identified, recorded and taken into account.
