Auditing standards by the
Comptroller and Auditor General of India
Supreme Audit Institution of India
·
·
|
CHAPTER-I
Introduction |
· Introduction · Purpose and Authority of the Standards · Mandate · Prerequisites for functioning |
|
CHAPTER-II
General Standards |
· Public Sector Auditing and its Objectives · Types of Public Sector Audits · Elements of Public Sector Auditing · Confidence and Assurance in Public Sector Auditing · Principles of Public Sector Auditing |
|
CHAPTER-III
Specific Standards |
· Introduction ·
Financial Audit ·
Performance Audit ·
Compliance Audit |
Preface
The Indian Audit
and Accounts Department has been continuously striving to upgrade and update
its auditing practice as part of its overall endeavour to achieve professional
excellence. The Auditing Standards were first brought out by the Department in
1994 and were subsequently revised in 2002.
I am pleased to
release the third edition of the Auditing Standards, which is the result of a
structured and diligent process of internal consultation at various levels.
This edition takes into account the prerequisites for functioning of the
Supreme Audit Institution and is suitably aligned with existing fundamental
auditing principles of the framework of International Standards of Supreme
Audit Institutions.
I trust that all
officers and staff of the Department would abide by these Auditing Standards
and apply them conscientiously in auditing for achieving the mission of
promoting accountability, transparency and good governance.
March
2017
Shashi
Kant Sharma
Comptroller and Auditor General of India
CHAPTER-I Introduction
1.1 Introduction
The Comptroller
and Auditor General of India (CAG) who is the head of Supreme Audit Institution
of India (SAI India) discharges his constitutional functions through the Indian
Audit and Accounts Department. The Constitution of India provides for the
Comptroller and Auditor General of India who is appointed by the President of
India by warrant under his hand and seal. The Constitution provides that the
salary and other conditions of service as well as the duties and powers of CAG
may be determined by Parliament by law. In pursuance of these provisions, the
Parliament enacted the CAG’s (Duties, Powers and Conditions of Service) Act,
1971 (DPC Act) to determine the conditions of service of the CAG and to
prescribe his duties and powers. In exercise of powers conferred by the DPC
Act, as amended from time to time, the CAG framed the Regulations on Audit and
Accounts, 2007, which provide the overarching governance framework for both
accounting and auditing functions. The CAG’s Auditing Standards constitute the
next layer of the audit governance framework and set out the professional
standards of auditing for the organisation as well as for its personnel - the
individual auditors. As an ongoing initiative for continuous improvement and
benchmarking, these standards are periodically reviewed, restructured and
updated.
1.2 Purpose and
Authority of the Standards
These standards
establish the norms which are applicable to all public sector audit
engagements, irrespective of their form or context. These standards incorporate
the Prerequisites for the functioning of Supreme Audit Institutions and
Fundamental Auditing Principles of the International Standards of Supreme Audit
Institutions, which have been suitably adapted with due consideration of the audit
mandate and rules applicable to SAI India. These standards determine the audit
procedures that shall be applied in audit and constitute the criteria or
benchmark against which the quality of audit results is evaluated. These
Auditing Standards are effective from 1 April 2017. All audit engagements as
per the audit mandate of SAI India on or after this date shall be conducted in
accordance with these standards.
1.3 Audit Mandate
The audit mandate
is laid down in the Constitution of India, DPC Act and specific legislations
enacted over time by the Parliament and State Legislatures.
1.3.1 Article
149 of the Constitution of India envisages that CAG shall perform such duties
and exercise such powers in relation to the accounts of the Union and of the
States and of any other authority or body as may be prescribed by or under any
law made by Parliament. Article 151 envisages that the reports of the CAG
relating to the accounts of the Union shall be submitted to the President, who
shall cause them to be laid before each House of Parliament and that the
reports relating to the accounts of a State shall be submitted to the Governor,
who shall cause them to be laid before the Legislature of the State.
Additionally, Article 279 envisages that ‘net proceeds’ in relation to any tax
or duty means the proceeds thereof reduced by the cost of collection and that
the net proceeds of any tax or duty, or of any part of any tax or duty, in or
attributable to any area shall be ascertained and certified by the CAG, whose
certificate shall be final. Further, the Sixth Schedule of the Constitution of
India also envisages audit of accounts of District and Regional Councils of
autonomous regions.
1.3.2 The
general provisions relating to audit are elaborated in Sections 13 to 21 and 24
of the DPC Act. There are also other legislations providing for audit of
specific entities by the CAG. The audit mandate of CAG extends to bodies or
authorities such as statutory corporations, government companies, autonomous
bodies constituted as societies, trusts or not for profit companies, urban and
rural local bodies and also to any other body or authority whose audit may be
entrusted to CAG under law. To fulfil its mandate, SAI India undertakes
financial audit, compliance audit, performance audit and combination of such
audits.
1.4 Prerequisites
for functioning
The
pre-requisites constitute the principles that are essential for the functioning
of SAI, India and for proper practice of public sector auditing within the SAI.
1.
Independence
2.
Accountability and Transparency
3.
Ethics
4.
Quality assurance
1.4.1 Independence
An adequate
degree of independence from both the Legislative and Executive branch of the
Government is essential for the conduct of audit and for the credibility of its
results. Independence of a Supreme Audit Institution (SAI) is secured through
certain principles and conditions that are institutionalised through
established mechanisms and processes. The principles and conditions that define
an independent SAI are elaborated below.
1.4.1.1 The
existence of an appropriate and effective constitutional/statutory/legal
framework and its application. This framework shall establish provisions that
secure the functional independence of the Head of the SAI including security of
tenure. The Constitution of India stipulates that the CAG shall only be removed
from office in like manner and on like grounds as a Judge of the Supreme Court
of India. The other terms for appointment and demitting of office of the CAG
are provided under the DPC Act that ensures due autonomy and security of
tenure.
1.4.1.2 SAI
shall have a sufficiently broad mandate and full discretion in the discharge of
its functions
While conforming
to the Constitutional provisions and laws enacted by the legislatures, SAI
India has the functional and organisational autonomy required for carrying out
its mandate and is free from direction or interference from the Legislature or
the Executive in the:
1.
selection of audit issues;
2.
planning, programing, conduct, reporting and follow up of audits; and
3.
organisation and management of its office.
SAI India may
accept specific requests for audits made by Legislature as expressed as a whole
or through one of its committees or by the Government while retaining its right
to decline such requests. SAI India may be consulted by the Executive in
matters such as financial legislations, accounting standards and policies,
public accounts, form of financial statements and for draft laws or rules affecting
its competence or authority ensuring, however, that rendering such advice or
assistance does not either implicitly or explicitly impair independent exercise
of its audit mandate.
1.4.1.3 SAI
shall have unrestricted access to information
The DPC Act empowers
SAI India to inspect any office of accounts under the control of the Executive
and to require the production of all necessary documents and information
necessary for the proper discharge of its statutory responsibilities. SAI India
thus shall have access to premises, operations, systems including Information
Technology systems and records of auditable entities1 which include the
implementing arms of Government and to obtain relevant information from persons
or entities possessing it.
1.4.1.4 SAI
shall have the freedom to decide the form, content and timing of audit reports,
to publish and disseminate them SAI India shall be free to decide the form and
content of its audit reports and to make observations and recommendations
therein, taking into consideration, the views of the audited entity. SAI shall
be free to decide the timing of its audit reports except where specific
reporting requirements are prescribed by law. It is also free to disseminate
its reports once they have been formally tabled in the appropriate legislature
as required by law.
1.4.1.5 There
shall exist effective follow up mechanisms on SAI’s recommendations
SAI India may
submit its reports to the Legislature or an audited entity’s governing body as
appropriate for follow up of specific recommendations for corrective action.
SAI India shall have its own follow up procedures to monitor and report on the
action taken by the Executive on its observations and implementation of
recommendations made in its reports as well as those made by the Legislature or
the audited entity’s governing board, as appropriate.
1.4.1.6 SAI
shall have financial and managerial/administrative autonomy and the
availability of appropriate human, material and monetary resources
The Constitution
provides that the conditions of service of persons serving in the Indian Audit
and Accounts Department and the administrative powers of the CAG shall be such
as may be prescribed by rules made by the President after consultation with the
CAG. Thus, SAI India shall have the necessary empowerment to manage the human
and budgetary resources available to it. The Legislature is responsible for
ensuring that SAI India has the resources necessary to fulfil its mandate.
SAI India’s
functional autonomy does not preclude arrangements with auditable entities in
regard to matters such as personnel management, property management or common
purchasing of equipment and stores.
1.4.2 Accountability and
Transparency
Accountability
and transparency are two important elements of good governance. Accountability
refers to the legal and reporting framework, organisational structure,
strategy, procedures and actions to ensure that the SAI meets its legal
obligations with regard to its audit mandate and reporting and that the SAI and
its personnel can be held responsible for their actions.
Transparency
refers to the SAI’s timely, reliable, clear and relevant public reporting on
its status, mandate, strategy, activities and performance as also of the audit
findings, conclusions and public access to information about the SAI. The
principles of accountability and transparency are as under:
1.4.2.1 SAI
shall perform its duties under a legal framework that provides for
accountability and transparency.
SAI India shall
perform its duties in accordance with the constitutional and statutory
framework which cover the audit authority, jurisdiction and responsibilities,
conditions for appointment and removal of the CAG, publishing of audit reports,
oversight of activities and balance between public access to information and
confidentiality of audit evidence and other information.
1.4.2.2 SAI
shall make public its mandate, mission and responsibilities.
The mandate,
mission and responsibilities of SAI India shall be in public domain.
1.4.2.3 SAI
shall adopt audit standards, processes and methods that are objective and
transparent.
The standards and
methodologies adopted by SAI India shall be consistent with the fundamental
auditing principles elaborated under the International Standards of Supreme
Audit Institutions (ISSAIs) of International Organisation of Supreme Audit
Institutions (INTOSAI). While conducting its audits, SAI India shall
communicate the criteria on which opinions would be based to the auditable
entities and keep them informed about the audit objectives, methodology and
findings. SAI India shall also communicate the scope of audits undertaken as
part of the reporting process. Its audit findings and recommendations shall be
subject to procedures of comment, discussion and responses from the audited
entity.
1.4.2.4 SAI
shall manage its operations economically, efficiently, effectively and in
accordance with laws and regulations and report publicly on these matters.
SAI India shall
employ sound management practices including appropriate internal controls over
its financial management and performance and reports on all areas of
performance including various audits carried out covering compliance,
performance and financial audits. SAI India’s financial statements are open to
Parliamentary review and its budget, financial resources and use of resources
are in the public domain.
1.4.2.5 SAI
shall report publicly on the results of audits and on conclusions regarding
overall public sector activities
The audit reports
of SAI India that include its conclusions and recommendations resulting from
its audits shall be tabled in the concerned Legislature or presented to the
audited entity’s governing body as required and shall thereafter be in the
public domain.
1.4.2.6 SAI
shall communicate timely and widely on its activities and audit results through
the website, media and other means.
Once the Audit
Reports are tabled in the concerned legislature, SAI India shall communicate
audit results through website and other means and may communicate with the
media or other stakeholders on matters included in the reports thereby
enhancing transparency and accountability of the audit work. Public and
academic interest in important conclusions shall be encouraged. Its reports
shall be made understandable to the wide public through various means e.g.
summaries, graphics, video presentations and press releases.
1.4.3 SAI shall apply
high standards of integrity and ethics for staff of all levels.
SAI India shall
have a Code of Ethics that is aligned with the Code of Ethics (ISSAI 30)
elaborated under the ISSAIs. The fundamental principles of ethics are
integrity, independence, objectivity and impartiality, confidentiality and
competence. SAI India shall ensure transparency and legality of its operations
and actively promotes ethical behaviour throughout the organisation.
1.4.4 Quality Assurance
and Quality Control
As an over-riding
objective SAI India shall consider the risks to the quality of its work and
establish a system of quality control that is designed to mitigate such
identified risks. The risks to quality control depend upon the mandate and
functions, conditions and environment under which it operates.
1.4.4.1 SAI
shall establish policies and procedures designed to promote an internal culture
recognising that quality is essential in performing all of its work. The Head
of SAI shall retain overall responsibility for the system of quality control.
SAI India shall
strive to achieve a culture that recognises and rewards high quality work
throughout the SAI. It shall ensure that sufficient resources are available
within the organisation to maintain the system of quality control.
1.4.4.2 SAI
shall establish policies and procedures designed to provide it with reasonable
assurance that the SAI, including all personnel and any parties contracted to
carry out work for the SAI comply with the relevant ethical requirements.
SAI India shall
recognize the importance of meeting relevant ethical requirements in carrying
out its work. Policies and procedures shall be in place to reinforce the
fundamental principles of ethics as defined in the code of ethics including
rotation of key audit personnel to reduce the risk of familiarity with the
entity being audited and to ensure that they remain and appear to remain
objective obviating any possibility of conflict of interests. All personnel of
SAI India and any parties engaged to carry out any task for the SAI shall have
to demonstrate appropriate ethical behaviour.
1.4.4.3 SAI
shall establish policies and procedures designed to provide reasonable
assurance that its audits and other work are carried out in accordance with
relevant standards, applicable legal and regulatory requirements, that SAI
issues reports that are appropriate in the circumstances and that it has
sufficient resources with the competence, capabilities and commitment to
ethical principles as required to carry out its range of work.
SAI India shall
have an Audit Quality Management Framework that establishes appropriate quality
control policies and procedures such as supervision and review responsibilities
and ensures tools such as audit methodologies for all work carried out. It
shall ensure that applicable standards are followed in all work carried out and
if any requirement in a standard is not followed, the reasons are appropriately
documented, approved and reported.
SAI India may
draw on a number of different sources to ensure that it has the necessary
skills and expertise to carry out its range of work. It may collaborate with
academic/ research institutions in order to avail of the experienced members of
the profession at large and may enter into formal relationships with
professional bodies provided the relationships do not inhibit its independence
and objectivity. As resources are limited, SAI India may prioritise its work in
a manner that takes into account the need to maintain quality.
1.4.4.4 SAI
shall establish a monitoring process designed to provide it with reasonable
assurance that the policies and procedures relating to the system of quality
control are relevant and adequate and is operating effectively.
SAI India shall
ensure that its quality control system includes independent monitoring of the
range of controls within the SAI.
SAI India may
invite external independent assessment of its activities and implementation of
standards through a peer review. Where appropriate, SAI India may consider
other means of monitoring the quality of its work which may include but not be
limited to independent academic review, stakeholder surveys and follow up
reviews of recommendations or feedback from audited entities. There are
procedures for dealing with complaints about the quality of work performed by
SAI.
CHAPTER-II General
Standards
Public Sector
Auditing and its Objectives
2.1.1 Public
sector2 audit environment is that in which governments and other entities
exercise responsibility for the use of national wealth, natural resources,
resources derived from taxation and other sources in the delivery of services
to citizens and other recipients. These entities are accountable for their
management, performance and use of resources, both to those providing the
resources and to those, including citizens, who depend on the services
delivered using those resources. Public sector auditing helps to create
suitable conditions and reinforce the expectation that public sector entities
and public servants will perform their functions effectively, efficiently,
ethically and in accordance with the applicable laws and regulations.
2.1.2 In
general, public sector auditing can be described as a systematic process of
objectively obtaining and evaluating evidence to determine whether information
or actual conditions conform to established criteria. Public sector auditing is
essential in that it provides legislature and oversight bodies, those charged
with governance and the general public with information, independent and
objective assessments concerning the stewardship and performance of public
sector policies, programmes or operations.
2.1.3 All
public sector audits start from objectives, which may differ depending on the
type of audit being conducted. However, public sector auditing contributes to
good governance by:
1.
providing the intended users with independent, objective and reliable
information, conclusions or opinions based on sufficient and appropriate
evidence relating to public sector entities;
2.
enhancing accountability and transparency, encouraging continuous
improvement and sustained confidence in the appropriate use of public funds and
assets and the performance of public administration;
3.
reinforcing the effectiveness of those bodies that exercise general
monitoring and corrective functions over public sector and those responsible
for the management of publicly funded activities; and
4.
creating incentives for change by providing knowledge, comprehensive
analysis and well-founded recommendations for improvement.
2.2.1 Financial
Audit: focuses on determining whether an entity’s financial information is
presented in accordance with the applicable financial reporting and regulatory
framework. This is accomplished by obtaining sufficient and appropriate audit
evidence to enable the auditor to express an opinion as to whether the
financial information is free from material misstatement due to fraud or error.
2.2.2 Compliance
Audit: focuses on whether a particular subject matter is in compliance with the
criteria. Compliance auditing is performed by assessing whether activities,
financial transactions and information are, in all material aspects, in compliance
with the applicable authorities which include the Constitution, Acts, Laws,
rules and regulations, budgetary resolutions, policy, contracts, agreements,
established codes, sanctions, supply orders, agreed terms or the general
principles governing sound public sector financial management and the conduct
of public officials.
2.2.3 Performance
Audit: focuses on whether interventions, programmes and institutions are
performing in accordance with the principles of economy, efficiency and
effectiveness and whether there is room for improvement. Performance is
examined against suitable criteria and the causes of deviations from those
criteria or other problems are analysed. The aim is to answer key audit
questions and to provide recommendations for improvement.
SAI, India may
carry out audits or engagements on any subject of relevance to the
responsibilities of executive and those charged with governance and the
appropriate use of public resources, within its given mandate. These
engagements may include, but not be restricted to, reporting on the
quantitative outputs and outcomes of the auditable entity’s service delivery
activities, sustainability reports, future resource requirements, and adherence
to internal control standards, near real time audits or other matters. It may
also conduct combined audits incorporating financial, performance and /or
compliance aspects.
2.3 Elements of
Public Sector Auditing
Public sector
auditing is indispensable for the public administration, as the management of
public resources is a matter of trust. Responsibility for the management of
public resources in line with intended purposes is entrusted to an entity or
person who acts on behalf of the public. Public sector auditing enhances the
confidence of the intended users by providing information and independent and
objective assessments concerning deviations from accepted standards or
principles of good governance. All public sector audits have the same basic
elements:
1.
The three parties
2.
Subject matter, criteria and subject matter information
3.
Types of engagement
2.3.1 The Three Parties
Public sector
audits involve at least three separate parties: the auditor, the responsible
party and intended users. The relationship between the parties should be viewed
within the context of the specific arrangements for each type of audit.
The auditor: In
public sector auditing the role of auditor is fulfilled by SAI, India and by
its personnel delegated with the task of conducting audits.
The responsible party:
In public sector auditing, the relevant responsibilities are determined by
constitutional or legislative arrangement. The responsible parties may be
responsible for the subject matter information, for managing the subject matter
or for addressing recommendations and may be individuals or organizations.
Generally, auditable entities and those charged with governance of the
auditable entities would be the responsible parties.
Intended users:
The intended users are the individuals, organizations or classes thereof for
whom the auditor prepares the audit report. The intended users may be
legislative or oversight bodies, those charged with governance or the general
public. The intended user is primarily the Parliament or the Legislature which
represents the citizens by determining the priorities of public finance,
purpose and content of public spending and income.
2.3.2 Subject
Matter, Criteria and Subject Matter Information Subject matter refers to the
information, condition or activity that is measured or evaluated against
certain criteria. It can take many forms and have different characteristics
depending on the audit objective. An appropriate subject matter is identifiable
and capable of consistent evaluation or measurement against the criteria, such that
it can be subjected to procedures for gathering sufficient and appropriate
audit evidence to support the audit opinion or conclusion.
The criteria are
the benchmarks used to evaluate the subject matter. Each audit shall have
criteria suitable to the circumstances of that audit. In determining the
suitability of criteria the auditor considers their relevance and
understandability for the intended users, as well as their completeness,
reliability and objectivity (neutrality, general acceptance and comparability
with criteria used in similar audits). The criteria used may depend on a range
of factors, including the objectives and the type of audit. Criteria can be
specific or more general and may be drawn from various sources, including the
Constitution of India, laws, regulations, standards, sound principles and best
practices. They shall be made available to the intended users to enable them to
understand how the subject matter has been evaluated or measured.
Subject matter
information refers to the outcome of evaluating or measuring the subject matter
against the criteria. It can take many forms and have different characteristics
depending on the audit objective and audit scope.
2.3.3 Types of Engagement
There are two
types of engagement: Attestation Engagements and Direct Reporting Engagements.
In attestation
engagements, the responsible party measures the subject matter against the
criteria and presents the subject matter information, on which the auditor then
gathers sufficient and appropriate audit evidence to provide a reasonable basis
for expressing a conclusion.
In direct
reporting engagements, it is the auditor who measures or evaluates the subject
matter against the criteria. The auditor selects the subject matter and
criteria, taking into consideration risk and materiality. The outcome of
measuring the subject matter against the criteria is presented in the audit
report in the form of findings, conclusions, recommendations or an opinion. The
audit of the subject matter may also provide new information, analyses or
insights.
Financial audits
are always attestation engagements, as they are based on financial information
presented by the responsible party. Performance audits and compliance audits
are generally direct reporting engagements.
2.4 Confidence and
Assurance in Public Sector Auditing
Audit has to
provide reliable and relevant information to the intended users based on
sufficient and appropriate evidence. Auditors shall perform procedures to
reduce or manage the risk of reaching inappropriate conclusions.
2.4.1 Forms of providing
assurance
Depending on the
audit and the users’ needs, assurance can be communicated in two ways:
1.
Through opinions and conclusions: which explicitly convey the level of
assurance. This applies to all attestation engagements and certain direct
reporting engagements.
2.
In other forms: In some direct reporting engagements the auditor does
not give an explicit statement of assurance on the subject matter. In such
cases, the auditor provides the users with the necessary degree of confidence
by explicitly explaining how findings, criteria and conclusions were developed
in a balanced and reasoned manner, and why the combinations of findings and
criteria result in a certain overall conclusion or recommendation.
2.4.2 Levels of assurance
Assurance can be
either reasonable or limited. Reasonable assurance is high, but not absolute,
given the inherent limitations of an audit, the result of which is that most of
the audit evidence obtained by the auditor will be persuasive rather than
conclusive. In reasonable assurance the audit conclusion is expressed
positively, either explicitly or in other forms conveying the necessary degree
of confidence as stated at para 2.4.1 above.
A limited
assurance conveys the limited nature of the assurance provided and the audit
conclusion is expressed in a negative manner stating that based on the
procedures performed, nothing has come to the auditor’s attention to cause the
auditor to believe that the subject matter is not in compliance with the
applicable criteria. The procedures performed in a limited assurance audit are
limited compared with what is necessary to obtain reasonable assurance, but the
level of assurance is expected, in the auditor's professional judgement, to be
meaningful to the intended users.
2.5 Principles of
Public Sector Auditing
Auditing is a
cumulative and iterative process. The principles of public sector auditing
constitute the general standards that apply to SAI India’s personnel as
auditors and are fundamental to the conduct of all types of public sector
audits. The principles to be observed by all individual auditors are
categorized into two distinct groups as shown in the diagram below.
·
General principles
·
Principles related to the audit process
2.5.1 General Principles
General
principles relate to the basic audit concepts, which shall be considered by
auditors prior to commencement and at more than one point during the audit
process and comprise the following:
2.5.1.1 Ethics and
Independence
Auditors hall
comply with the relevant ethical requirements and be independent
Ethical
principles shall be embodied in an auditor’s professional behaviour and the
auditors shall comply with SAI India’s code of ethics. Auditors shall remain
independent so that their reports are impartial and be seen as such by the
intended users.
2.5.1.2 Professional
Judgement, Due Care and Scepticism
Auditors shall
maintain appropriate professional behaviour by applying professional
scepticism, professional judgment and due care throughout the audit
The auditor’s
attitude shall be characterised by professional scepticism and professional
judgement, which are to be applied when forming decisions about the appropriate
course of action. Auditors shall exercise due care to ensure that their
professional behaviour is appropriate.
Professional
scepticism refers to maintaining professional distance, an alert and
questioning attitude when assessing the sufficiency and appropriateness of
evidence obtained throughout the audit. It also entails remaining open-minded
and receptive to all views and arguments. Professional judgement implies the
application of collective knowledge, skills and experience to the audit
process. Due care denotes that auditors shall plan and conduct audits in a
diligent manner. Auditors shall avoid any conduct that might discredit their
work.
2.5.1.3 Quality Control
Auditors shall
perform the audit in accordance with professional standards on quality control
Auditors shall
comply with professional standards on quality control, the aim being to ensure
that audits are conducted at a consistently high level. Quality control
procedures shall cover matters such as the direction, review and supervision of
the audit process and the need for consultation in order to reach decisions on
difficult or contentious matters.
2.5.1.4 Audit Team
Management and Skills
Auditors shall
possess or have access to the necessary skills
The audit team
shall collectively possess the knowledge, skills expertise and competence
necessary to successfully complete the audit. This includes an understanding
and practical experience of the type of audit being conducted, familiarity with
the applicable standards and legislation, an understanding of the entity’s
operations and the ability and experience to exercise professional judgement.
Auditors shall maintain their professional competence through ongoing
professional development.
Where relevant or
necessary, and in line with SAI India’s mandate and applicable legislation, the
auditor may use the work of internal auditors, other auditors or experts. The
auditor’s procedures shall provide a sufficient basis for using the work of
others, and in all cases the auditor shall obtain evidence of other auditors’
or experts’ competence, independence and the quality of work performed. However,
SAI, India has the sole responsibility for any audit opinion or report it might
produce on the subject matter and that responsibility is not reduced by its use
of work done by other parties.
SAI, India may
use the work of other auditors at state, provincial, regional, district or
local level, or of public accounting firms that have completed audit work
related to the audit objective. Audits may require specialised techniques,
methods or skills from disciplines not available within SAI, India. In such cases,
experts may be used to provide knowledge or carry out specific tasks or for
other purposes.
2.5.1.5 Audit Risk
Auditors shall
manage the risks of providing a report that is inappropriate in the
circumstances of the audit
The audit risk is
the risk that the audit report may be inappropriate. The auditor performs
procedures to reduce or manage the risk of reaching inappropriate conclusions,
recognising that the limitations inherent to all audits mean that an audit can
never provide absolute certainty of the condition of the subject matter. When
the objective is to provide reasonable assurance, the auditor shall reduce
audit risk to an acceptably low level given the circumstances of the audit. The
audit may also aim to provide limited assurance, in which case the acceptable
risk that criteria are not complied with is greater than in a reasonable
assurance audit. A limited assurance audit provides a level of assurance that,
in the auditor’s professional judgment, will be meaningful to the intended
users.
2.5.1.6 Materiality
Auditors shall
consider materiality throughout the audit process
Materiality is
relevant in all audits. A matter can be judged material if knowledge of it
would be likely to influence the decisions of the intended users. Determining
materiality is a matter of professional judgement and depends on the auditor’s
interpretation of the users’ needs. This judgement may relate to an individual
item or to a group of items taken together. Materiality is often considered in
terms of value, but it also has other quantitative as well as qualitative
aspects. The inherent characteristics of an item or group of items may render a
matter material by its very nature. A matter may also be material because of
the context in which it occurs. Materiality shall be considered for the
purposes of planning, evaluating the evidence obtained and reporting, though
the materiality levels could differ for each of the processes. Materiality
considerations affect decisions concerning the nature, timing and extent of audit
procedures and the evaluation of audit results. Considerations may include
stakeholder concerns, public interest, regulatory requirements and consequences
for society.
2.5.1.7 Documentation
Auditors shall
prepare audit documentation that is sufficiently detailed to provide a clear
understanding of the work performed, evidence obtained and conclusions reached.
Audit
documentation shall include an audit strategy and audit plan. It shall record
the procedures performed and evidence obtained and support the communicated
results of the audit. Documentation shall be sufficiently detailed to enable an
experienced auditor, with no prior knowledge of the audit, to understand the
nature, timing, scope and results of the procedures performed, the evidence
obtained in support of the audit conclusions and recommendations, the reasoning
behind all significant matters that required the exercise of professional
judgement and the related conclusions. Adequate audit documentation is
important for several reasons. It will:
1.
confirm and support the auditor’s opinions and reports;
2.
serve as a source of information for preparing reports or answering any
enquiries from the audited entity or any other party;
3.
serve as evidence of the auditor's compliance with the auditing
standards;
4.
facilitate planning, supervision and review; help with the auditor’s
professional development;
5.
help to ensure that delegated work has been satisfactorily executed; and
6.
provide evidence of work done for future reference.
Further
requirements relating to documentation in the following areas also need to be
met:
1.
the timely preparation of documentation;
2.
the form, content and extent of documentation;
3.
documentation requirements where the auditor judges it necessary to
depart from a relevant requirement in the applied auditing standards;
4.
documentation requirements where the auditor performs new or additional
audit procedures or draws new conclusions after the date of the auditor’s
report; and
5.
the assembly of the final audit file.
2.5.1.8 Communication
Auditors shall
establish effective communication throughout the audit process
It is essential
that the entity being audited be kept informed of all matters relating to the
audit. This is key to developing a constructive working relationship.
Communication shall include obtaining information relevant to the audit and
providing management/ those charged with governance with timely observations
and findings throughout the engagement. It is important to promote effective
two-way communication throughout the engagement. Written communication is vital
for significant audit findings, which auditors are required to communicate to
those charged with governance. The auditor may also have a responsibility to
communicate audit-related matters to other stakeholders, such as legislative
and oversight bodies.
2.5.2 Principles related
to the audit process
Principles
related to the audit process relate to the specific steps in the audit process
and comprise the following:
2.5.2.1 Planning an audit
Auditors shall
ensure that the terms of the audit have been clearly established. Most of the
audits undertaken by SAI, India are as per the constitutional mandate, which
may not require formal agreement with the auditable entities on terms of audit.
In some cases, such as in case of an entrusted audit, there is a need for
arriving at an agreement on the terms of audit with the auditable entity.
Important information like the subject, scope and objectives of audit, access
to data, the audit process, roles and responsibilities of different parties to
the engagement shall be firmed up before audit is carried out.
This includes
understanding the relevant objectives, operations, regulatory environment,
internal controls, financial and other systems and business processes, and
researching the potential sources of audit evidence. Knowledge can be obtained
from interaction with management, other relevant stakeholders and experts.
Documents (including earlier studies and other sources) shall be examined in
order to gain a broad understanding of the subject matter to be audited and its
context.
The nature of the
risks identified will vary according to the audit objectives. The auditor shall
consider and assess the risk of different types of deficiencies, deviations or
misstatements that may occur in relation to the subject matter. Both general
and specific risks shall be considered. This can be achieved through procedures
that serve to obtain an understanding of the entity or programme and its
environment, including the relevant internal controls. The auditor shall assess
the management’s response to identified risks, including its implementation and
design of internal controls to address them. In a problem analysis the auditor
shall consider actual indications of problems or deviations from what should be
or is expected. This process involves examining various problem indicators in
order to define the audit objectives. To facilitate the process of risk
assessment or problem analysis data from multiple sources may be collated
and/or combined to gain insights and discern patterns. Technology and data
analytical techniques may be appropriately utilised in the process. The
identification of risks and their impact on the audit shall be considered
throughout the audit process.
The primary
responsibility for the prevention and detection of fraud rests with the
entity’s management and those charged with governance. It is important that
management, under the oversight of those charged with governance, strongly
emphasise fraud prevention (limiting opportunities for fraud to take place) and
fraud deterrence (dissuading individuals from committing fraud because of the
likelihood of detection). Fraud is a broad legal concept and the auditor does
not make legal determination of fraud. Auditors shall make enquiries and
perform procedures to identify and respond to the risks of fraud relevant to
the audit objectives. They shall maintain an attitude of professional
scepticism and be alert to the possibility of fraud throughout the audit
process.
1.
Auditors shall obtain an understanding of the nature of the
entity/programme to be audited
2.
Auditors shall conduct a risk assessment or problem analysis and revise
this as necessary in response to the audit findings
3.
Auditors shall identify and assess the risks of fraud relevant to the
audit objectives
4.
Auditors shall plan their work to ensure that the audit is conducted in
an effective and efficient manner
Planning for a
specific audit includes strategic and operational aspects. Strategically,
planning shall define the audit scope, objectives and approach. The objectives
refer to what the audit is intended to accomplish. The scope relates to the
subject matter and the criteria which the auditors will use to assess and
report on the subject matter and is directly related to the objectives. The
approach will describe the nature and extent of the procedures to be used for
gathering audit evidence. The audit shall be planned to reduce audit risk to an
acceptably low level. Professional judgement shall be exercised to decide on a
suitable sampling methodology depending upon the subject matters, audit
objectives being pursued and the envisaged scope of audit.
Operationally,
planning entails setting a timetable for audit and defining the nature, timing
and extent of the audit procedures. During planning, auditors shall assign the
members of their team as appropriate and identify other resources that may be
required, such as subject experts. Audit planning shall be responsive to
significant changes in circumstances and conditions. It is an iterative process
that takes place throughout the audit.
2.5.2.2 Conducting an Audit
The auditor’s
decisions on the nature, timing and extent of audit procedures will impact on
the evidence to be obtained. The choice of procedures will depend on the risk
assessment or problem analysis. Audit evidence is any information used by the
auditor to determine whether the subject matter complies with the applicable
criteria. Evidence may take many forms, such as electronic and paper records of
transactions, written and electronic communication with outsiders, and
observations by the auditor and oral or written testimony by the audited
entity. Methods of obtaining audit evidence can include inspection,
observation, inquiry, confirmation, recalculation, re-performance, analytical
procedures and/or other research techniques.
After completing
the audit procedures, the auditor will review the audit documentation in order
to determine whether the subject matter has been sufficiently and appropriately
audited. Before drawing conclusions, the auditor reconsiders the initial assessment
of risk and materiality in the light of the evidence collected and determines
whether additional audit procedures need to be performed. The auditor shall
evaluate the audit evidence with a view to obtaining audit findings. When
evaluating the audit evidence and assessing materiality of findings the auditor
shall take both quantitative and qualitative factors into consideration. Based
on the findings, the auditor shall exercise professional judgement to reach a
conclusion on the subject matter or subject matter information.
1.
Auditors shall perform audit procedures that
provide sufficient and appropriate audit evidence to support the audit report
2.
Evidence shall be both sufficient (quantity) to
persuade a knowledgeable person that the findings are reasonable, and
appropriate (quality) – i.e. relevant, valid and reliable. The quantity of
evidence required depends on the risk of material misstatement or
non-compliance of the subject matter information (the greater the risk, the
more evidence is likely to be required) and on the quality of such evidence
(the higher the quality, the less may be required). Accordingly, the
sufficiency and appropriateness of evidence are interrelated. However, merely
obtaining more evidence does not compensate for its poor quality. The
reliability of evidence is influenced by its source and nature, and is
dependent on the specific circumstances in which the evidence was obtained.
While recognizing that exceptions may exist, the following generalizations
about the reliability of evidence may be useful:
1.
Evidence is more reliable when it is obtained from
sources external to the responsible party.
2.
3.
Evidence that is generated internally is more
reliable when the related controls are effective
4.
Evidence obtained directly by the auditor (for
example, through observation of the application of a control) is more reliable
than evidence obtained indirectly or by inference (for example, through inquiry
into the application of a control).
5.
Evidence is more reliable when it exists in
documentary form, whether paper, electronic, or other media (for example, a
simultaneous written record of a meeting is more reliable than a subsequent
oral report of what was discussed).
6.
Evidence provided by original documents is more
reliable than evidence provided by photocopies or facsimiles.
The auditor’s
assessment of the evidence shall be objective, fair and balanced. Preliminary
findings shall be communicated to and discussed with the entity being audited
to confirm their validity. The auditor must respect all requirements regarding
confidentiality.
3.
Auditors shall evaluate the audit evidence and draw
conclusions
2.5.2.3 Reporting and
Follow-up
The audit process
involves preparing a report to communicate the results of the audit to
stakeholders, others responsible for governance and the general public. The
purpose is also to facilitate follow-up and corrective action. Reports shall be
easy to understand, free from vagueness or ambiguity and complete. They shall
be objective and fair, only including information which is supported by
sufficient and appropriate audit evidence and ensuring that findings are put
into perspective and context. The form and content of a report will depend on
the nature of the audit, the intended users, the applicable standards and legal
requirements. The reports can appear in short form or long form. Long-form
reports generally describe in detail the audit scope, audit findings and
conclusions, including potential consequences and constructive recommendations
to enable remedial action. Short-form reports are more condensed and generally
in a more standardized format.
i. Attestation engagements
In attestation
engagements the audit report may express an opinion as to whether the subject
matter information is, in all material respects, free from misstatement and/or
whether the subject matter complies, in all material respects, with the
established criteria. In an attestation engagement the report is generally
referred to as the Auditor’s Report.
ii. Direct reporting engagements
In direct
reporting engagements the audit report needs to state the audit objectives and
describe how they were addressed in the audit. It includes findings and
conclusions on the subject matter and may also include recommendations.
Additional information about criteria, methodology and sources of data may also
be given, and any limitations to the audit scope shall be described. The audit
report shall explain how the evidence obtained was used and why the resulting
conclusions were drawn.
When an audit
opinion or conclusion is used to convey the level of assurance, the opinion or
conclusion shall be in a standardised format. It may be unmodified or modified.
An unmodified opinion/conclusion is used when either limited or reasonable
assurance has been obtained. A modified opinion or conclusion may be:
Where the opinion
or conclusion is modified the reasons shall be put in perspective by clearly
explaining, with reference to the applicable criteria, the nature and extent of
the modification. Conveying an opinion is generally related to financial audits
and expression of conclusion is relevant to compliance audits. Depending on the
type of audit, recommendations for corrective action and any contributing
internal control deficiencies may also be included in the report.
SAI India shall
monitor action taken by the responsible party in response to the matters raised
in an audit report. Follow-up focuses on whether the audited entity has
adequately addressed the matters raised. Insufficient or unsatisfactory action
by the audited entity may call for a further report by SAI India.
1.
Auditors shall prepare a report based on the
conclusions reached.
2.
Opinion or conclusion
1.
Qualified (except for) – where
the auditor disagrees with, or is unable to obtain sufficient and appropriate
audit evidence about certain items in the subject matter which are, or could
be, material but not pervasive;
2.
Adverse – where
the auditor, having obtained sufficient and appropriate audit evidence,
concludes that deviations or misstatements, whether individually or in the
aggregate, are both material and pervasive;
3.
Disclaimed – where
the auditor is unable to obtain sufficient and appropriate audit evidence due
to an uncertainty or scope limitation which is both material and pervasive.
3.
Follow-up
CHAPTER-III
Specific Standards
3.1 Introduction
The general
principles relating to the basic audit concepts and those relating to the audit
process applicable to all types of public sector audits constituting the
general standards have been described in Chapter 2. In addition, this section
contains the specific considerations regarding their applicability to
financial, compliance and performance audits, which the auditors shall observe
as specific standards during the conduct of these audits.
Financial Audit
The purpose of an
audit of financial statements is to enhance the degree of confidence of
intended users in the financial statements. This is achieved through the
expression of an opinion by the auditor as to whether the financial statements
are prepared, in all material respects, in accordance with an applicable
financial reporting framework, or – in the case of financial statements
prepared in accordance with a fair presentation financial reporting framework –
whether the financial statements are presented fairly, in all material
respects, or give a true and fair view, in accordance with that framework.
3.2.1
In conducting an audit of financial statements, the overall objectives of the
auditor are:
The objectives of
financial audit in public sector are often broader than expressing an opinion
on the financial statements. The audit mandate arising from legislations,
regulation and government policy requirements may result in additional
objectives.
3.2.2
Financial Reporting Frameworks
Financial
reporting frameworks may be for general or specific use. A framework designed
to meet the information needs of a wide range of users is referred to as a
general-purpose framework, while special-purpose frameworks are designed to
meet the specific needs of a specific user or group of users.
1.
To obtain reasonable assurance about whether the financial statements as
a whole are free from material misstatement, whether due to fraud or error,
thereby enabling the auditor to express an opinion on whether the financial
statements are prepared,in all material respects, in accordance with an
applicable financial reporting framework; and
2.
To report on the financial statements, and communicate the result of the
audit in accordance with the auditor’s findings.
In addition to
preparing general-purpose financial statements, a public sector entity may
prepare financial statements for other parties (such as governing bodies, the
legislature or other parties with an oversight function), which may require
financial statements tailored to meet their specific information needs. In some
environments financial statements of this kind are the only financial
statements prepared by the public sector entity. Special-purpose frameworks
relevant to the public sector may include:
Frameworks
prescribed by law or regulation will often be deemed acceptable by the auditor.
Such frameworks invariably require presentation of original and final budget
amounts and actual amounts on a comparable basis to complete the accountability
cycle by enabling users of financial statements to identify whether the
resources were obtained and used in accordance with the approved budget.
The accounting
base, basis of classification, the level of aggregation of budget heads for
presentation in financial statements are determined by law, rules and
regulations. Such financial reporting frameworks are thus invariably governed
by standards, which are rule based and could be different from the principles
envisaged in general purpose frameworks. The Government Accounting Rules, 1990,
General Financial Rules, 2005, Delegation of Financial Powers Rules, 1978 and
List of Major and Minor Heads, Annual Appropriation Acts,Finance and Accounts
Codes and rules that govern preparation and compilation of finance and
appropriation accounts of the Union and the States constitute the rule based
standards. These auditing standards would apply to audits of such frameworks
with appropriate modifications.
1. General
Purpose frameworks:
The International
Public Sector Accounting Standards (IPSASs), International Financial Reporting
Standards (IFRSs), the Indian Accounting Standards, or other national financial
reporting frameworks for use in public sector constitute general purpose
frameworks. A complete set of financial statements for a public sector entity
prepared in accordance with such a financial reporting framework, normally
consists of:
1.
a statement of financial position;
2.
a statement of financial performance;
3.
a statement of changes in net assets/equity;
4.
a cash flow statement;
5.
a comparison of budget and actual amounts – either as a separate
additional financial statement or as a reconciliation;
6.
notes, comprising a summary of significant accounting policies and other
explanatory information.
7.
In certain environments a complete set of financial statements may also
include other reports, such as reports on performance and appropriation
reports.
If the financial
statements are prepared in accordance with a framework for other accounting
bases, such as modified accrual or cash basis (e.g. Indian Government
Accounting Standards – IGAS), a complete set of financial statements may not
include all of the above.
2. Special-Purpose
Frameworks:
1.
the cash receipts and disbursements, basis of accounting for cash flow
information that an entity may be required to prepare for a governing body;
2.
the financial reporting provisions established by an international
funding organization or mechanism;
3.
the financial reporting provisions established by a governing body, the
legislature or other parties that perform an oversight function to meet the
requirements of that body; or
4.
the financial reporting provisions of a contract, such as a project
grant.
3. Frameworks
prescribed by law or regulation:
3.2.3
Materiality
The auditor shall
apply the concept of materiality in an appropriate manner when planning and
performing the audit.
A misstatement is
material, individually or when aggregated with other misstatements, if it could
reasonably be expected to influence the decisions taken by users on the basis
of the financial statements. When planning the audit strategy, the auditor
shall assess materiality for the financial statements as a whole. However,
where one or more classes of transactions, account balances or disclosures
could reasonably be expected to influence the decisions of users on the basis
of the financial statements, the auditor shall also determine the materiality
level or levels for the classes of transactions, account balances or disclosures
concerned.
3.2.4
Audit risk
The audit risk in
an audit of financial statements is the risk that the auditor will express an
inappropriate conclusion if the subject matter information is materially
misstated.
The auditor will
reduce the risk to an acceptably low level in the circumstances of the audit to
obtain reasonable assurance as the basis for expressing a conclusion in a
positive form. In general, the audit risk depends on the inherent risk and
control risk, which constitute the risks of material misstatement and the
detection risk:
1. Inherent
risk – the susceptibility of the subject matter information to material
misstatement, assuming that there are no related controls;
2. Control
risk – the risk that a material misstatement could occur and will not be
prevented or detected and corrected at the appropriate time by related
controls. Some control risk will always exist due to the limitations inherent
in the design and operation of internal controls.
3. Detection
risk – the risk that the auditor will not detect a material misstatement.
The risk
assessment is a matter of professional judgement and is not capable of precise
measurement. The degree to which the auditor considers each element of risk
will depend on the circumstances of each audit.
3.2.5
Risk Assessment
The auditor shall
assess the risks of material misstatement at the financial statement level and
the assertion level for classes of transactions, account balances and
disclosures so as to provide a basis for designing and performing further audit
procedures.
For this purpose,
the auditor needs to:
1.
identify risks throughout the process of obtaining an understanding of
the entity being audited and its environment, by examining relevant controls
that relate to the risks and considering the classes of transactions, account
balances and disclosures in the financial statements;
2.
assess the risks identified and evaluate whether they relate more
pervasively to the financial statements as a whole and could potentially affect
many assertions;
3.
relate the risks identified to what could go wrong at the assertion
level, taking account of relevant controls that the auditor intends to test;
and
4.
consider the likelihood of misstatement, including the possibility of
multiple misstatements, whether the potential for misstatement is such as to
render it material.
As part of the
risk assessment, the auditor determines whether any of the risks identified is,
in the auditor’s judgment, significant. When judging which risks are significant,
the auditor needs to consider at least the following:
1.
risk of fraud;
2.
recent significant economic, accounting or other developments, which
requires specific attention;
3.
the complexity of transactions;
4.
significant transactions with related parties;
5.
the degree of subjectivity in the measurement of financial information
related to the risk, especially measurements which involve a wide range of
measurement uncertainty;
6.
significant transactions that are outside the entity’s normal course of
business, or that otherwise appear to be unusual; and
7.
compliance with laws and regulations.
The auditor shall
act appropriately to address the assessed risks of material misstatement in the
financial statements. Responses to assessed risks include designing audit procedures
that address the risks, such as substantive procedures and test of controls.
Substantive procedures include both tests of details and substantive analysis
of classes of transactions, account balances and disclosures.
3.2.6
Going Concern Considerations
The auditor shall
consider whether there are events or conditions that may cast significant doubt
on the entity’s ability to continue as a going concern.
Financial
statements are normally prepared on the assumption that the entity is a going
concern and will continue to meet its statutory obligations for the foreseeable
future. In assessing whether the going-concern assumption is appropriate, those
responsible for preparation of the financial statements take into account all
available information for the foreseeable future. General-purpose financial
statements are typically prepared on a going-concern basis.
The going-concern
concept may have little or no relevance for public-sector entities such as
those funded through appropriations on the public sector budget. When such
organizations are abolished or merged with others, their liabilities and assets
are usually taken over by other public-sector entities. For some other types of
entities, such as public sector business enterprises and joint ventures with other
principals (including private sector entities operating in legal forms that
provide for limited owner liability), this may not be the case. The
responsibility for implementing public sector programmes may also be contracted
out to private sector organizations, such as NGOs and private companies, but
the programmes may still be audited by SAI, India, making the going-concern
concept and the auditor’s judgement in this regard relevant to public-sector
financial audit.
3.2.7
Considerations Relating to Fraud in an Audit of Financial Statements
The auditor shall
identify and assess the risks of material misstatement in the financial
statements due to fraud, shall obtain sufficient and appropriate audit evidence
regarding the assessed risks of material misstatement due to fraud and shall
respond appropriately to fraud or suspected fraud identified during the audit.
The auditor is
responsible for obtaining reasonable assurance that the financial statements
taken as a whole are free from material misstatement, whether caused by fraud
or error. Misstatements in the financial statements can arise from either fraud
or error. The distinguishing factor is whether the action resulting in a
misstatement was intentional or unintentional. Fraud is a broad legal concept and
the auditor does not make legal determination of fraud. The auditor is
concerned only with fraud that causes a material misstatement in the financial
statements. Two types of intentional misstatements are relevant to the auditor
- misstatements resulting from fraudulent financial reporting and those
resulting from the misappropriation of assets.
Areas in which
auditors shall be alert to fraud risks leading to material misstatement may
include procurement, grants, privatisations, intentional misrepresentation of
results or information and misuse of authority or power. Auditors shall also
consider that the use of public monies tends to raise the profile of fraud. As
a result auditors may need to be responsive to public expectations regarding
fraud detection.
3.2.8
Considerations Relating to Laws and Regulations in an Audit of Financial
Statements
The auditor shall
identify the risks of material misstatement due to direct and material
non-compliance with laws and regulations.
The auditor shall
obtain sufficient and appropriate audit evidence regarding compliance with the
laws and regulations such as the Appropriation Acts (which prescribe budgetary
allocations against which expenditures are incurred and are subject to audit)
that are generally recognised to have a direct and material effect on the
determination of material amounts and disclosures in financial statements.
However, the auditor is not responsible for preventing non-compliance and
cannot be expected to detect all breaches of laws and regulations.
The effect of
laws and regulations on the financial statements varies considerably. The
provisions of some laws or regulations have a direct effect on the financial
statements in that they determine the nature of reported amounts and
disclosures while other laws or regulations, which are to be complied with by
management, may not have a direct effect on the entity’s financial statements.
Non-compliance with laws and regulations may result in fines, litigation or
other consequences for the audited entity that may have a material effect on
the financial statements. Matters involving non-compliance with laws and
regulations that come to the auditor's attention during the course of the audit
shall be communicated to management/those charged with governance, save where
the matters are clearly inconsequential.
3.2.9
Consideration of Subsequent Events
The auditor shall
obtain sufficient and appropriate audit evidence that all events occurring
between the date of the financial statements and the date of the auditor’s report
that require an adjustment to, or disclosure in, the financial statements have
been identified.
Financial
statements may be affected by certain types of subsequent events (those
occurring after the date of the financial statements). Many financial reporting
frameworks specifically refer to such events. Ordinarily, two types of events
are identified:
1.
Events that provide evidence of conditions that existed at the date of
the financial statements; and
2.
Events that provide evidence of conditions that arose after the date of
the financial statements.
Procedures shall
be designed, as nearly as possible, to cover the period from the date of the
financial statements to the date of the auditor’s report. The auditor is not,
however, expected to perform additional audit procedures on matters to which
previous audit procedures have provided satisfactory conclusions. Procedures
for obtaining sufficient and appropriate audit evidence may include:
1.
steps to obtain an understanding of any procedures established by
management to ensure that subsequent events are identified;
2.
inquiries of management;
3.
scrutiny of minutes of the Board / those charged with governance;
4.
scrutiny of the entity’s most recent interim financial statements, if
any
5.
written confirmation from the management /those charged with governance.
The auditor is
under no obligation to perform any audit procedures on the financial statements
after the date of the auditor’s report. However, if, after the date of the
auditor’s report but before the financial statements have been issued, a fact
becomes known to the auditor that, had it been known at the date of the
auditor’s report, might have caused an amendment to the report, appropriate
action shall be taken. Such action may include:
1.
discussing the matter with the management and, where appropriate, those
charged with governance,
2.
determining whether the financial statements need amendment and, if so,
3.
inquiring how the management intends to address the matter in the financial
statements.
4.
obtaining written confirmation from the management.
If the management
does not take the necessary steps and does not amend the financial statements,
the auditor shall notify the management and those charged with governance that
the auditor will seek to prevent future reliance on the auditor’s report. This
may entail seeking legal advice and reporting to the appropriate statutory
body.
3.2.10
Evaluating Misstatements
Uncorrected
misstatements shall be evaluated for materiality, individually or in aggregate,
to determine their effect on the opinion to be given in the auditor’s report.
The auditor needs
to determine whether uncorrected misstatements are material, individually or in
the aggregate. To this end, the auditor shall consider
1.
the size and nature of the misstatements, in relation both to particular
classes of transactions, account balances or disclosures and to the financial
statements as a whole, and the particular circumstances of their occurrence;
and
2.
the effect of uncorrected misstatements from prior periods on the
relevant classes of transactions, account balances or disclosures, and on the
financial statements as a whole.
The auditor shall
invite the management to correct misstatements, and if the management refuses
to correct some or all communicated misstatements the auditor shall ascertain
the reasons. When evaluating whether the financial statements as a whole are
misstated, the auditor shall consider the reasons given for not making
corrections. Those charged with governance shall be notified of uncorrected
misstatements and the effect that they may have, individually or in aggregate,
on the opinion in the auditor's report. The auditor’s notification shall
individually identify uncorrected material misstatements in classes of
transactions, account balances or disclosures. Misstatements that are clearly
trivial need not normally be communicated, save where the auditor is required
by mandate to report all misstatements.
3.2.11
Forming an Opinion and Reporting on the Financial Statements
The auditor shall
form an opinion based on an evaluation of the conclusions drawn from the audit
evidence obtained, as to whether the financial statements as a whole are
prepared in accordance with the applicable financial reporting framework. The
opinion shall be expressed clearly in a written report that also describes the
basis for the opinion.
In order to form
an opinion, the auditor must first conclude whether reasonable assurance has
been obtained as to whether the financial statements as a whole are free from
material misstatement, whether due to fraud or error. The conclusion shall take
into account:
1.
Whether sufficient and appropriate evidence has been obtained;
2.
Whether uncorrected misstatements are material, individually or in
aggregate; and
3.
The auditor’s evaluations of the financial statements.
The auditor shall
express an unmodified opinion if it is concluded that the financial statements
are prepared, in all material respects, in accordance with the applicable
financial framework. If the auditor concludes that, based on the audit evidence
obtained, the financial statements as a whole are not free from material
misstatement, or is unable to obtain sufficient and appropriate audit evidence
to conclude that the financial statements as a whole are free from material
misstatement, the auditor shall modify the opinion in the auditor’s report.
Auditors may provide three types of modified opinions: a qualified opinion, an
adverse opinion and a disclaimer of opinion as envisaged in para 2.5.2.3 of
Chapter 2.
The decision
regarding which type of modified opinion is appropriate depends upon:
If financial
statements prepared in accordance with the requirements of a fair presentation
framework do not achieve fair presentation, the auditor shall discuss the
matter with the management and, depending on the requirements of the applicable
financial reporting framework and how the matter is resolved, determine whether
it is necessary to modify the audit opinion.
The expression of
opinion in the Auditor’s Report shall use one of the following equivalent
phrases when expressing an unmodified opinion on the financial statements
prepared in accordance with a fair presentation framework:
When expressing
an unmodified opinion on financial statements prepared in accordance with a
compliance framework, the auditor’s opinion shall be that the financial
statements are prepared, in all material respects, in accordance with [the
applicable financial reporting framework]. When expressing a modified opinion,
the auditor shall also modify the heading to correspond with the type of
opinion expressed.
Apart from the
section that contains the Opinion, Auditor’s Report may include separate
sections on a) responsibility of Management for the financial statements,
stating that the management is responsible for the financial statements in
accordance with the applicable financial reporting framework, b) responsibility
of Auditors, stating that the responsibility of the auditor is to express an
opinion based on the audit of the financial statements and describing the scope
of audit and audit procedures carried out, c) Emphasis of Matter and Other
Matters paragraphs and d) other regulatory and reporting responsibilities of
auditors.
If the auditor
considers it necessary to draw users’ attention to a matter presented or
disclosed in the financial statements that is of such importance that it is
fundamental to their understanding of the financial statements, but there is
sufficient and appropriate evidence that the matter is not materially misstated
in the financial statements, the auditor shall include an Emphasis of Matter
paragraph in the auditor’s report. Emphasis of Matter paragraphs shall only
refer to information presented or disclosed in the financial statements.
If the auditor considers
it necessary to communicate a matter, other than those that are presented or
disclosed in the financial statements, which, in the auditor’s judgement, is
relevant to users’ understanding of the audit, the auditor’s responsibilities
or the auditor’s report, and provided this is not prohibited by law or
regulation, this shall be done in a paragraph with the heading “Other Matter,”
or another appropriate heading. This paragraph shall appear immediately after
the opinion and any Emphasis of Matter paragraph.
1.
Form of Opinion
2.
Determining the type of modification to the auditor’s opinion -
1.
The nature of the matter giving rise to the modification – that is,
whether the financial statements are materially misstated or, in the event that
it was impossible to obtain sufficient and appropriate audit evidence, may be
materially misstated; and
2.
The auditor’s judgment about the pervasiveness of the effects or
possible effects of the matter on the financial statements.
3.
Expression of opinion in the Auditor’s Report -
1.
The financial statements present fairly, in all material respects... in
accordance with [the applicable reporting framework]; or
2.
The financial statements give a true and fair view of ... in accordance
with [the applicable financial reporting framework]
4.
Emphasis of Matter and Other Matters Paragraphs in the Auditor’s Report
3.2.12
Comparative information – ‘Corresponding figures and comparative financial
statements Comparative information’ refers to amounts and disclosures included
in the financial statements in respect of one or more prior periods. The
auditor shall evaluate whether:
1.
the comparative information agrees with the amounts and other
disclosures that were presented in the prior period or, where appropriate, have
been restated; and
2.
the accounting policies reflected in the comparative information are
consistent with those applied in the current period or, if there have been
changes in accounting policies, whether those changes have been properly
accounted for and adequately presented and disclosed.
If the auditor
becomes aware, during the current period, of a possible material misstatement
in the comparative information, the auditor shall perform such additional audit
procedures as are necessary in the circumstances to obtain sufficient and
appropriate audit evidence as to whether a material misstatement exists.
3.2.13
Special Considerations – Audits of financial statements prepared in accordance
with Special-Purpose Frameworks
The auditor is
required to determine the acceptability of the financial reporting framework
that was applied when preparing the financial statements. In an audit of
special-purpose financial statements, the auditor shall obtain an understanding
of:
1.
the purpose for which the financial statements are prepared;
2.
the intended users; and
3.
the steps taken by management to determine that the applicable financial
reporting framework is acceptable in the circumstances.
In planning and
performing an audit of special-purpose financial statements, the auditor shall
determine whether the circumstances of the engagement require special
consideration to be given to application of these standards. When forming an
opinion and reporting on special-purpose financial statements, the auditor
shall comply with the same requirements as for general-purpose financial
statements. The auditor’s report on special-purpose financial statements shall:
1.
describe the purpose for which the financial statements have been
prepared; and
2.
make reference to the management’s responsibility for determining that
the applicable financial reporting framework is acceptable in the circumstances
where the management has a choice of frameworks to use in preparing the
financial statements.
The auditor shall
include an Emphasis of Matter paragraph alerting users to the fact that the
financial statements have been prepared in accordance with a special-purpose
framework and that, as a result, they may not be suitable for another purpose.
3.2.14
Special Considerations – Audits of single financial statements and specific
elements, accounts or items of a financial statement
In the case of an
audit of a single financial statement, or of a specific element of a financial
statement, the auditor shall first determine whether the audit is practicable.
These standards also apply to audits of a single financial statement, or of a
specific element of a financial statement, irrespective of whether the auditor
is also engaged to audit the entity’s complete set of financial statements.
The auditor shall
consider whether the expected form of opinion is appropriate in the
circumstances of the engagement, and shall adapt the reporting requirements as
necessary. If the auditor is engaged to report on a single financial statement,
or on a specific element of a financial statement, in conjunction with an
engagement to audit the entity’s complete set of financial statements, the
auditor shall express a separate opinion for each engagement.
If the opinion in
the auditor’s report on an entity’s complete financial statements is modified,
or the report includes an Emphasis of Matter paragraph or Other Matter
paragraph, the auditor shall determine the effect this may have on the
auditor’s report on a single financial statement or a specific element of a
financial statement. Where appropriate, the auditor shall modify the auditor’s
report on the single financial statement or specific element of a financial
statement.
3.2.15
Considerations relevant to audits of Consolidated Financial Statements
(including Whole of Public Sector Financial Statements)
While auditing
the group financial statements, auditors shall obtain sufficient and
appropriate audit evidence regarding the financial information of all components
and the consolidation process to express an opinion as to whether the
Consolidated Financial Statements (including whole-of-public sector financial
statements) are prepared, in all material respects, in accordance with the
applicable financial reporting framework.
In situations
where the audit is of consolidated financial statements, such as
whole-of-public sector accounts, specific requirements and considerations may
apply. The auditor carrying out an audit of consolidated financial statements
is referred to as the principal auditor. The principal auditor shall establish
a consolidated audit strategy and develop a consolidated audit plan. The
principles for understanding the entity shall include an understanding of the
group, its components and their environments, including group-wide controls, as
well as the consolidation process. The understanding thus obtained shall be
sufficient to confirm or revise the initial identification of components that
are likely to be significant for the consolidated financial statements, and to
assess the risks of material misstatement, whether due to fraud or error, of
the consolidated financial statements.
Performance Audit
3.3.1
Performance audit is an independent, objective and reliable examination of
whether public sector undertakings, systems, operations, programmes, activities
or organizations are operating in accordance with the principles of economy,
efficiency and effectiveness.The main objective of
performance audit is to constructively promote economical, effective and
efficient governance.It also contributes to accountability and transparency. Performance
audit promotes accountability by assisting those charged with governance and
oversight responsibilities to improve performance through an examination of whether:
1.
decisions by the legislature or the executive are efficiently and
effectively prepared and implemented and
2.
tax payers or citizens have received value for money.
It does not
question the intentions and decisions of the legislature, but examines whether
any shortcomings in the implementation of the law and framing of regulations
have prevented the specified objectives from being achieved. Performance audit
focuses on areas in which it can add value for citizens and which have the
greatest potential for improvement.It provides constructive incentives for the
responsible parties to take appropriate action.
Performance audit
promotes transparency by affording all stakeholders an insight into the
management and outcomes of different public sector activities. It thereby
directly contributes to providing useful information to the citizen, while also
serving as a basis for learning and improvements.
3.3.2
Perspective of Performance Audit
Performance
audits undertaken by SAI, India may have overlaps with other audit types(or
combined audits)and in such circumstances the following points shall be
considered:
1.
Elements of performance audit can be part of a more extensive audit that
also covers compliance and financial auditing aspects.
2.
In the event of an overlap, the primary objective of the audit shall
guide the auditors as to which standards to apply.
In determining
whether performance considerations form the primary objective of the audit
engagement, it should be borne in mind that performance auditing focuses on
activity and results rather than reports or accounts, and that its main
objective is to promote economy, efficiency and effectiveness rather than
report on compliance.
3.3.3
Type of Engagement and Assurance
Performance
audits are essentially direct reporting engagements where the auditor measures
or evaluates the subject matter against the criteria. Performance audits are
not normally expected to provide an overall opinion, comparable to the opinion
on financial statements, on the audited entity’s achievement of economy,
efficiency and effectiveness.The degree of economy, efficiency and
effectiveness achieved may be conveyed in the performance audit report in
different ways:
1.
either through an overall view on aspects of economy,efficiency and
effectiveness, where the audit objective, the subject matter, the evidence
obtained and the findings reached allow for such a conclusion;
2.
or by providing specific information on a range of points including the
audit objective, the questions asked, the evidence obtained, the criteria used,
the findings reached and the specific conclusions. Performance audits are
designed to provide a reasonable assurance with a set of conclusions and,if applicable,a
single overall conclusion and to present a balanced report by taking into
account all relevant viewpoints.
3.3.4
Audit Risk
Auditors
shall actively manage audit risk, which is the risk of obtaining incorrect or
incomplete conclusions, providing unbalanced information or failing to add
value for users.Many topics in performance auditing are complex and
sensitive. The risk that an audit will fail to add value ranges from the
likelihood of not being able to provide new information or perspectives to the
risk of neglecting important factors and consequently not being able to provide
users of the audit report with knowledge or recommendations that would make a
real contribution to better performance. Important aspects of risk may include
not possessing the competence to conduct sufficiently broad or deep analysis,
lacking access to quality information, obtaining inaccurate information (e.g.
because of fraud or irregular practices), being unable to put all findings in
perspective, and failing to collect or address the most relevant arguments.
Auditors shall therefore actively manage risk. Dealing with audit risk is
embedded in the whole process and methodology of performance audit.
3.3.5
Selection of topics
Auditors
shall select audit topics through the strategic planning process by analysing
potential topics and conducting research to identify risks and problems.Determining
which audits will be pursued is usually part of SAI India’s strategic planning
process. If appropriate, auditors shall contribute to this process in their
respective fields of expertise. They may share knowledge from previous audits,
and information from the strategic planning process may be relevant for the
auditor’s subsequent work. In this process, auditors shall consider that audit
topics are sufficiently significant as well as auditable and in keeping with
SAI India’s mandate. The topic selection process shall aim to maximise the
expected impact of the audit while taking account of audit capacities (e.g.
human resources and professional skills). Formal techniques to prepare the
strategic planning process, such as risk analysis or problem assessments, can
help structure the process but need to be complemented by professional
judgement to avoid one-sided assessments. Performance auditing generally
requires that audit-specific, substantive and methodological knowledge be
acquired before the audit is launched (“pre-study/ pilot study”).
3.3.6
Audit design
Auditors
shall plan the audit in a manner that contributes to a high-quality audit that
will be carried out in an economical,efficient, effective and timely manner and
in accordance with the principles of good project management.
In planning an
audit, it is important to consider:
1.
the background knowledge and information required for an understanding
of the audited entities so as to allow an assessment of the problem and risk,
possible sources of evidence, auditability and the significance of the area
considered for audit, consultation with stakeholders,if necessary,including
domain specialists or experts in the field to build up proper knowledge
2.
the audit objectives, questions, criteria, subject matter and
methodology (including techniques to be used for gathering evidence and
conducting the audit analysis);
3.
the necessary activities, staffing and skills requirements (including
the independence of the audit team, human resources and possible external
expertise), the key project timeframes and milestones and the main points for
control.
The planning
phase shall also involve research work aimed at building knowledge, testing
various audit designs and checking whether the necessary data are available.
This may involve combining and comparing data from different sources, drawing
preliminary conclusions and compiling findings in order to build hypotheses
that can be tested, if necessary, against additional data. This makes it easier
to choose the most appropriate audit method. Technology and data analytics may
be optimally utilised to facilitate this process.
3.3.7
Audit approach
Auditors
shall choose a result, problem or system-oriented approach, or a combination
thereof, to facilitate the soundness of audit design.
It determines the
nature of the examination to be made and defines the necessary knowledge,
information,data and the audit procedures needed to obtain and analyse
them.Performance auditing generally follows one of three approaches:
1.
a system-oriented approach, which examines the proper functioning of
management systems, e.g. financial management systems;
2.
a result-oriented approach, which assesses whether outcome or output
objectives have been achieved as intended or programmes and services are
operating as intended;
3.
a problem-oriented approach, which examines, verifies and analyses the
causes of particular problems or deviations from criteria.
All three
approaches can be pursued from a top-down or bottom-up perspective. Top-down
audits concentrate mainly on the requirements, intentions, objectives and
expectations of the legislature and central public sector. A bottom-up
perspective focuses on problems of significance to people and the community.
3.3.8
Audit procedures
When
planning the audit, the auditor shall design the audit procedures to be used
for gathering sufficient and appropriate audit evidence.
The methods
chosen shall e those which best allow evidence to be gathered in an efficient
and effective manner. This can be approached in several stages:
1.
deciding on the overall audit design (which questions to
ask,e.g.explanatory/descriptive/evaluative);
2.
determining the level of observation (e.g. looking at a process or
individual files) and methodology (e.g. full analysis or sample);
3.
specific data-collection techniques (e.g. analysis of records,
questionnaire, interview or focus group). Data-collection methods and sampling
techniques shall be carefully chosen. While the auditors shall aim to adopt
best practices, practical considerations such as the availability of data may
restrict the choice of methods. It is therefore advisable that planning be
flexible and pragmatic. For this reason, performance audit procedures shall not
be overly standardised. Excessive prescriptiveness may hamper the flexibility,
professional judgement and high levels of analytical skills that are required
in a performance audit. In certain cases–where, for example, the audit requires
data to be gathered in many different regions or areas or the audit is to be
conducted by a large number of auditors –there may be a need for a more
detailed audit plan in which audit questions and procedures are explicitly
defined. When planning an audit, auditors shall also assess the risk of fraud.
If this is significant within the context of the audit objectives, the auditors
shall obtain an understanding of the relevant internal control systems and
examine whether there are signs of irregularities that hamper performance. The
overall aim at the planning stage is to decide, by building up knowledge and
considering a variety of strategies, how best to conduct the audit. Auditors
shall establish suitable criteria which correspond to the audit questions and
are related to the principles of economy, efficiency and effectiveness. Diverse
sources can be used to identify criteria, including performance measurement
frameworks. The criteria shall be discussed with the auditable entities, but it
is ultimately the auditor’s responsibility to select suitable criteria. While
defining and communicating suitable criteria during the planning phase may
enhance their reliability and general acceptance, in audits covering complex
issues it is not always possible to set criteria in advance and instead they
will be defined during the audit process.
3.3.9
Quality Control
Auditors
shall apply procedures to safeguard quality, ensuring that the applicable
requirements are met and placing emphasis on appropriate, balanced and fair
reports that add value and answer the audit questions.In
the conduct of performance audits the following specific issues need to be
addressed:
1.
Performance audit is a process in which the audit team gathers a large
amount of audit-specific information and exercises a high degree of
professional judgement and discretion concerning the relevant issues. This must
be taken into account in quality control.The need to establish a working
atmosphere of mutual trust and responsibility and provide support for audit
teams shallbe seen as part of quality management.
2.
In performance auditing, even if the report is evidence-based,
well-documented and accurate, it might still be inappropriate or insufficient
if it fails to give a balanced and unbiased view, includes too few relevant
viewpoints or unsatisfactorily addresses the audit questions. These
considerations shall therefore be an essential part of measures to safeguard
quality.
3.
As audit objectives vary widely between different audit engagements, it
is important to define clearly what constitutes a high-quality report in the
specific context of an audit engagement. General quality control measures shall
therefore be complemented by audit-specific measures.
No quality
control procedures at the level of the individual audit can guarantee
high-quality performance audit reports. It is equally important for auditors to
be –and remain –competent,motivated and willing to innovate. Control mechanisms
shall therefore be complemented by support, such as on-the-job training and
guidance for the audit team.
3.3.10
Reporting
Auditors
shall strive to provide audit reports which are comprehensive, convincing,
timely, reader-friendly and balanced.
To be
comprehensive, the report shall include information about the audit objective,
audit questions and answers to those questions, the subject matter, criteria,
methodology, sources of data, any limitations to the data used, and audit
findings. The audit findings shall be put into perspective.It shall clearly
answer the audit questions or explain why this was not possible. To be
convincing, it shall be logically structured and present a clear relationship
between the audit objective, criteria, findings, conclusions and
recommendations. All relevant arguments shall be addressed. The report shall
explain why and how problems observed in the findings hamper performance in
order to encourage the audited entity or the user to initiate corrective
action. It shall, where appropriate, include recommendations for improvements
to performance. The report shall be as clear and concise as the subject matter
permits and phrased inunambiguous language. As a whole it shall be
constructive, contribute to better knowledge and highlight any necessary
improvements.
Being balanced
means that preparation of the report needs to be impartial in content and tone.
In preparing a balanced and constructivereport the auditors shall strive to
present (i) findings objectively and fairly. The facts shall be presented and
interpreted in neutral terms, avoiding biased information or language that can
generate defensiveness and opposition (ii) different perspectives and
viewpoints. Where different interpretations of the evidence can legitimately be
made, they need to be presented to ensure fairness and balance and (iii) both
positive and negative aspects and give credit where it is due.
3.3.11
Recommendations
Auditors
shall seek to provide constructive recommendations that are likely to
contribute significantly to addressing the weaknesses or problems identified by
the audit.Recommendations shall be well-founded and add
value. They shall address the causes of problems and/or weaknesses. However,
they shall be phrased in such a way that avoids truisms or simply inverting the
audit conclusions and they shall not encroach on the management’s
responsibilities.
It shall be clear
who and what is addressed by eachrecommendation, who is responsible for taking
any initiative and what the recommendations mean –i .e. how they will
contribute to better performance. Recommendations shall be practical and be
addressed to the entities which have responsibility and competence for
implementing them. Recommendations shall be presented in a logical and reasoned
fashion. They shall be linked to the audit objectives, findings and
conclusions. Together with the full text of the report,they shall convince the
reader that they are likely to significantly improve the conduct of public
sector operations and programmes, e.g. by lowering costs,simplifying
administration, enhancing the quality and volume of services, or improving
effectiveness, impact or the benefits to society.
3.3.12
Follow-up
Auditors
shall follow up previous audit findings and recommendations wherever
appropriate. Follow-up shallbe reported appropriately in order to provide
feedback to the legislature together, if possible, with the conclusions and
impacts of all relevant corrective action.
Follow-up refers
to the auditors’ examination of corrective action taken by the audited entity,
or another responsible party, on the basis of the results of a performance
audit. It is an independent activity that increases the value of the audit
process bystrengthening the impact of the audit and laying the basis for
improvements to future audit work. Follow-up is not restricted to the
implementation of recommendations but focuses on whether the audited entity has
adequately addressed the problems and remedied the underlying situation after a
reasonable period of time.
When conducting
follow-up of an audit report, the auditor shall concentrate on findingsand
recommendations that are still relevant at the time of the follow-up and adopt
an unbiased and independent approach. Follow-up results may be reported
individually or as a consolidated report, which may in turn include an analysis
of different audits, possibly highlighting common trends and themes across a
number of reporting areas.
Compliance Audit
3.4.1 Compliance
audit is the independent assessment of whether a given subject matter is in
compliance with applicable authorities identified as criteria. Compliance
audits are carried out by assessing whether activities, financial transactions and
information comply in all material respects, with the authorities which govern
the audited entity. Compliance auditing may be concerned with
1. Regularity
- adherence of the subject matter to the formal criteria emanating from
relevant laws, regulations and agreements applicable to the entity
2. Propriety
- observance of the general principles governing sound financial
management and the ethical conduct of public officials
While regularity
is the main focus of compliance auditing, propriety is equally pertinent in the
public-sector context, in which there are certain expectations concerning
financial management and the conduct of officials.
3.4.2
Objectives of Compliance Audit
Compliance audit
promotes transparency by providing reliable reports as to whether funds have
been administered, management exercised and citizens’ rights to due process
honoured as required by the applicable authorities. It promotes accountability
by reporting deviations from and violations of authorities, so that corrective
action may be taken and those accountable may be held responsible for their
actions. It promotes good governance both by identifying weaknesses and
deviations from laws and regulations and by assessing propriety where there are
insufficient or inadequate laws and regulations. Fraud and corruption are, by
their very nature, elements which counteract transparency, accountability and
good stewardship. Compliance audit therefore also considers the risk of fraud
in relation to compliance.
The objective of
compliance auditing, therefore, is to enable assessment of whether the
activities of auditable entities are in accordance with the authorities
governing those entities in order to express a conclusion designed to enhance
the degree of confidence of the intended users.
3.4.3
Perspectives of Compliance Audit
Compliance audit
can be part of a combined audit that may also include other aspects. Though
other possibilities exist, compliance auditing is generally conducted either:
·
in relation with the audit of financial statements,
or
·
separately as individual compliance audits, or
·
in combination with performance auditing
3.4.3.1
Compliance Audit in relation with the audit of Financial Statements
The legislature,
as an element of public democratic process, establishes the priorities for
public-sector income and expenditure and for the calculation and attribution of
expenditure and income. The underlying premises of legislative bodies, and the
decisions they take are the source of the authorities governing cash flow in
the public sector. Compliance with those authorities constitutes a broader
perspective alongside the audit of financial statements in budgetary execution.
Laws and
regulations are important both in compliance auditing and in the audit of
financial statements. Which laws and regulations apply in each field will
depend on the audit objectives. Compliance audit focusses on obtaining
sufficient and appropriate evidence regarding compliance of a given subject
matter with applicable authorities identified as criteria. Whereas, in the
audit of financial statements, only those laws and regulations with a direct
and material effect on the financial statement are relevant, in compliance
auditing any law and regulation relevant to the subject matter may be relevant
for audit.
3.4.3.2
Compliance Audit conducted separately
Compliance audits
may be planned, performed and reported on separately from the audit of
financial statements and from performance audits. Such audits may be conducted
separately on a regular basis, as distinct and clearly-defined audits each
related to a specific subject matter.
3.4.3.3
Compliance Audit in combination with Performance Auditing
When compliance
audit is part of a performance audit, compliance is seen as one of the aspects
of economy, efficiency and effectiveness. Non-compliance may be the cause of,
an explanation for, or a consequence of the state of the activities that are
the subject of performance audit. In combined audits of this kind, auditors
shall use their professional judgement to decide whether performance or
compliance is the primary focus of the audit and whether to apply the performance
audit standards, compliance audit standards or both.
3.4.4
Type of Engagement in Compliance Audit
Compliance audits
can be conducted as direct reporting engagements or attestation engagements. An
auditor performs procedures to reduce or manage the risk of providing incorrect
conclusions, recognising that, owing to the inherent limitations in all audits,
no audit can ever provide absolute assurance of the condition of the subject
matter. In most cases, a compliance audit will not cover all elements of the
subject matter but will rely on a degree of qualitative or quantitative
sampling. Compliance auditing enhances the confidence of the intended users in
the information provided by the auditor or another party.
3.4.5
Audit Risk
Consideration
of audit risk is relevant in both attestation and direct engagements.
The auditor shall
consider three different dimensions of audit risk – inherent risk, control risk
and detection risk – in relation to the subject matter and the reporting
format, i.e. whether the subject matter is quantitative or qualitative and
whether the audit report is to include an opinion or a conclusion. The relative
significance of these dimensions of audit risk depends on the nature of the
subject matter and whether it is a direct reporting or an attestation
engagement.
3.4.6
Materiality
Materiality
in compliance auditing has both quantitative and qualitative aspects, although
the qualitative aspects generally play a greater role in the public sector.
Materiality shall
be considered for the purposes of planning, evaluating the evidence obtained
and reporting. An essential part of determining materiality is to consider
whether reported cases of compliance or non-compliance (potential or confirmed)
could reasonably be expected to influence decisions by the intended users.
Factors to be considered within this judgment assessment are mandated
requirements, public interest or expectations, specific areas of legislative
focus, requests and significant funding. Issues at a lower level of value or
incidence than the general determination of materiality, such as fraud, may
also be considered material. The assessment of materiality requires
comprehensive professional judgement on the part of the auditor and is related
to the audit scope.
3.4.7
Risk assessment
Auditors
shall perform a risk assessment to identify risks of non-compliance.
In the light of
the audit criteria, the audit scope and the characteristics of the audited
entity, the auditor shall perform a risk assessment to determine the nature,
timing and extent of the audit procedures to be performed. In this process, the
auditor shall consider the risks that the subject matter will not comply with
the criteria. Non-compliance may arise due to fraud, error, the inherent nature
of the subject matter and/or the circumstances of the audit. The identification
of risks of non-compliance and their potential impact on the audit procedures
shall be considered throughout the audit process. As part of the risk
assessment, the auditor shall evaluate any known instances of non-compliance in
order to determine whether they are material.
3.4.8
Risk of fraud, abuse and non-compliance
Auditors
shall consider the risk of fraud, abuse and non-compliance. If the auditor
comes across instances of non-compliance which may be indicative of fraud, the
auditor shall exercise due professional care and caution so as not to interfere
with any future legal proceedings or investigations.
Fraud in
compliance auditing relates mainly to the abuse of public authority, but also
to fraudulent reporting on compliance issues. Abuse occurs when the conduct of
the entity, program, activity or function falls far short of societal
expectations for prudent behaviour. Non-compliance comprises violation of laws,
rules and regulations, provisions of contracts and other agreements. Instances
of non-compliance with authorities may constitute deliberate misuse of public
authority for improper benefit. The execution of public authority includes
decisions, non-decisions, preparatory work, advice, information handling and
other acts in the public service. Improper benefits are advantages of a
non-economic or economic nature gained by an intentional act by one or more
individuals among management, those charged with governance, employees or third
parties. While detecting fraud is not the main objective of compliance audit,
auditors shall include fraud risk factors in their risk assessments and remain
alert to indications of fraud.
3.4.9
Reporting
Auditors
shall prepare a report based on the principles of completeness, objectivity,
timeliness and a contradictory process.
The principle of
completeness requires the auditor to consider all relevant audit evidence
before issuing a report. The principle of objectivity requires the auditor to
apply professional judgement and scepticism in order to ensure that all reports
are factually correct and that findings or conclusions are presented in a
relevant and balanced manner. The principle of timeliness implies preparing the
report in due time. The principle of a contradictory process implies checking
the accuracy of facts with the audited entity and incorporating responses from
responsible officials as appropriate. In both form and content, a compliance
audit report shall conform to all these principles.
Reporting may
vary between various forms of conclusions, presented in short or long form.
However, the report shall be complete, accurate, objective, convincing and as
clear and concise as the subject matter permits. The conclusion may take the
form of a clear written statement on compliance or may be expressed as a more
elaborate answer to specific audit questions. While a conclusion is common in
attestation engagements, the answering of specific audit questions is more
often used in direct reporting engagements.
3.4.10
Follow-up
Auditors
shall follow up instances of non-compliance when appropriate.
A follow-up
process facilitates the effective implementation of corrective action and
provides useful feedback to the audited entity, the users of the audit report
and the auditor (for future audit planning). The need to follow up previously
reported instances of non-compliance will vary with the nature of the subject
matter, the non-compliance identified and the particular circumstances of the
audit.
·
0 Comments