Professional Documents
Culture Documents
Handbook
It is my immense pleasure to release the Quality Assurance Review Handbook of the Office of
the Auditor General of Nepal. This handbook will be applicable in undertaking quality
assurance review of respective audits of the entities as per the Audit Act, 2075.
The objectives of this Handbook are to highlight the importance and benefit in carrying out
financial, compliance and performance audit of OAGN by generating high quality audit
reports. This Handbook further aims to transform conceptual framework of QAR into practical
application. For smooth transformation of this handbook necessary guidance, tools, templates,
checklists and samples are provided in appendices for easy understanding and assistance to the
users. This handbook includes quality control system, quality assurance function, quality
assurance review process, quality assurance tools, quality assurance of outsourced audits,
quality assurance using NAMS and peer revies with necessary appendixs.
OAGN believes that quality of the audit products can be ensured only having a conceptual
framework in QAR that ensures conformity with the good international practices and
procedures at all the stages of audit and providing high quality reports for information to its
stakeholders.
I believe that this Handbook will facilitate and encourage users in its application and ensure
presentation of high quality audit report and financial information for the use of the
stakeholders with wide range of information.
Our knowledge, skill, and experience with auditing practices continue to evolve, and so will
this handbook. This handbook is expected to be updated for the continuous improvement of
audit practices to meet legal provisions, audit standards, and practices to address emerging
risks.
I appreciate and express my gratitude to all staffs who prepared the handbook and provided
their valuable feedback and comments to make this handbook implementable which, I do hope,
will be of use to conduct audits efficiently and effectively.
The purpose of this handbook is to emphasise the objective and importance of quality
assurance (QA) in audit as it relates to the Office of the Auditor General, Nepal.
Furthermore, this handbook intends to provide a step-by-step approach for
performing Quality Assurance Reviews.
INTOSAI P-12 ‘The Value and Benefits of Supreme Audit Institutions – making a
difference to the lives of citizens’ states the following
ISSAI 140 – Quality Control for SAIs states that – “The purpose of ISSAI 140 - Quality
control for SAIs is to assist SAls to establish and maintain an appropriate system of
quality control which covers all of their work.”
Thus deriving from the standards, it can be concluded that it is important for OAGN to
have a comprehensive system to ensure quality in its work and products.
1
This handbook includes internal quality assurance as well as external quality assurance
reviews of OAGN.
This handbook derives the knowledge from the IFPP (INTOSAI Framework of
Professional Pronouncements) and works of other bodies such as ASOSAI (Asian
Organisation of Supreme Audit Institution), AFROSAI-e (African Organisation of
Supreme Audit Institution), IDI (INTOSAI Development Initiatives) and PASAI (Pacific
Association of Supreme Audit Institution) on quality control and quality assurance.
2
2 Concepts and Related matters
2.1 Definitions
The chapter describes the basic concepts relating to quality, quality control and quality
assurance. Distinctions of these concepts are achieved by explaining the
characteristics of quality, quality assurance and quality control including interrelation
and distinction between them.
Quality
Quality has been defined as the totality of the features and characteristics of a
product or service that bears on its ability to satisfy stated or implied needs.3
Quality Control
and
Quality Assurance
3
2.2 Characteristics of Quality
Characteristics Criteria
Significance How important is the subject matter that was examined in the
audit? This, in turn, can be assessed in several dimensions, such
as the financial size of the audited entity and the effects the
audited entity has on the public at large, or on major national
policy issues.
Scope Did the audit task plan properly address all elements needed for
a successful audit? Did the execution of the audit satisfactorily
complete all the needed elements of the task plan?
Objectivity Was the audit carried out in an objective and fair manner,
without favour or prejudice? The auditors should base their
assessment and opinion purely on the facts and sound analysis
of the available information.
Clarity Was the audit report clear and concise in presenting the results
of the audit? This typically involves being sure that the scope,
findings and any recommendations can be readily understood
by busy executives and parliamentarians who may not be
experts in the matters that are addressed but may need to act
in response to the report.
4
2.3 Quality Assurances Vs Quality Control
Quality Assurance Review in an audit is the process of evaluating and comparing what
is required of an audit and how the audit is conducted and the quality of audit reports
provided to the intended stakeholders. Therefore, Quality Assurance is an
independent review mechanism to assure the Auditor General that the quality control
system established in OAGN are operating effectively and that appropriate audit
reports are being generated.
Quality control involves the policies and procedures through which OAGN ensures
that all phases of an audit process (planning, execution, reporting and follow-up) are
carried out in compliance with applicable auditing standards, laws and regulation and
in line with the best international practices. It is a responsibility of each line function
in at OAGN
Although sometimes quality control and quality assurance are used interchangeably,
there are differences in scope and meaning of the two terms. The following table
presents some of these differences. 6
5
2.4 Types of Quality Assurance Reviews
Quality assurance reviews can be classified based on (1) who does the review or (2) at
what level the review is done or (3) based on the timing of the review.
2.4.1 Reviewer
Internal QAR
An internal QAR carried out by person/s within the OAGN, with knowledge of the audit
procedures, practices, and standards. This could be conducted through different
mechanisms, such as by establishing a specialised Quality Assurance unit within OAGN
or through a peer review mechanism involving different divisions or directorates or
sections. It is essential that the person carrying out the review is independent from
the subject matter that is being reviewed.
External QAR
In an External Review, a peer SAI or other agencies such as a private auditing firm,
management consulting firm, or academic expert could be asked to undertake a
review at either the institutional level or at the audit engagement level, or both. These
reviews should be performed by qualified persons who are independent of the OAGN
and who do not have any real or apparent conflict of interest.
The objective of an institutional level QAR is to assess whether the OAGN has an
adequate quality management system (QMS) in place or not and whether it is
functioning effectively or not. An institutional level QMS is not specifically focused on
any specific audit engagement rather, it covers all types of audits and services that
OAGN is expected to deliver as per its mandate. As such, an institutional level QAR
can provide useful input for developing, or updating, OAGN’s strategic plan.
These are QARs done at the level of individual audit engagements. The primary
objective of audit engagement level QARs is to assess the extent of compliance by
audit teams with the OAGN’s approved audit methodology for the given type of audit.
The review may also draw conclusions on the extent to which audit methodology is
aligned with international best practice. Audit engagement level QARs may be
conducted before issuance of the audit report (pre-issuance) or after (post audit).
6
2.4.3 Timing of review
A pre-issuance review is a review conducted before the audit report has been issued
to ensure that the audit complies with the audit methodology and practices and any
other legal and regulatory requirements, and that the report is appropriate in the
given circumstances.
Does not reduce the review responsibilities of the audit team; and
Does not relieve the auditor from the final responsibility for the issuance of the
audit report.
The audit team may consult the pre-issuance reviewer during the audit without
compromising the independence and objectivity of the reviewer to perform the role.
While pre-issuance QARs less common than post-audit QAR, generally pre-issuance
QAR is undertaken for high risk and sensitive audits. However, this does not preclude
conducting pre-issuance QAR for other audits.
The post audit QAR is that the review is conducted after the audit reports have been
issued by the OAGN. This kind of review may be undertaken as an internal or external
review.
Post audit QARs are usually conducted for a representative sample of completed
audits to draw conclusion on the adequacy and the functioning of the quality control
system.
7
2.5 Benefits of Quality Assurances Reviews
The benefits that can be derived from an effective quality assurance function include
the following:
8
3 Quality Control Systems
(a) personnel comply with professional standards and regulatory and legal
requirements; and
(b) reports issued are appropriate in the circumstances.
OAGN needs to document its quality control policies and procedures and
communicate them to its personnel. 8
Effective management of the established quality control system will enable the OAGN
to:
Assess the overall context of the organisation to define who is affected by OAGN’s
work and what they expect. This will enable OAGN to clearly state its objectives
and identify its responsibilities.
Put the OAGN’s stakeholders first, making sure the OAGN consistently meet its
stakeholders’ needs and enhance their satisfaction. This can lead to delivery of
improved audit services and better standards of living for the citizens.
9
3.3 Elements of Quality Control
ISSAI 140 draws on the private sector IFAC standard - ISQC1 and outlines the main
quality control requirements for OAGN which contain six elements that form part of
the quality control cycle, as shown below.
Leadership
Ethical
Monitoring
Requirements
ISSAI
140
(ISQC1)
Engagement Acceptance &
Perfromance Continuation
Human
Resource
The quality control policies and procedures should not only be adopted, but also
implemented by being communicated to OAGN personnel adhered to and thereto
should be monitored.
10
Auditor General may delegate authority for managing the OAGN’s system of
quality control to a person or persons with sufficient and appropriate experience
to assume that role;
OAGN leadership should establish a quality assurance function to get assurance
that policies and procedures lead to the performance of work that is compliant
with the professional standards and applicable legal and regulatory requirements
and that audit reports that have been issued were appropriate under the
circumstances;
OAGN leadership consistently promotes a quality-oriented internal culture
through communiques, policies, procedures and during meetings; The
identification of weaknesses in the quality control system is viewed as an
opportunity to improve rather than assign blame;
OAGN’s mission, emphasise the paramount importance of audit quality and are
consistently reinforced and followed by the leadership in practice;
OAGN leadership ensures that there are sufficient resources for the development,
documentation and implementation of quality control procedures;
OAGN leadership ensures that its messages and directives to all staff emphasise
the importance of consistently implementing OAGN’s quality control policies and
procedures;
Such messages are incorporated in OAGN’s internal documentation and training
materials and reflected in performance appraisals; and
OAGN leadership “leads by example”.
The second element of a system of quality control described in the ISA 140 is relevant
ethical requirements. As ethical behaviour is a key component in establishing and
sustaining the needed trust and reputation, the fundamental principles of professional
ethics in the OAGN Code of Conduct [which is aligned with INTOSAI Code of Ethics
(ISSAI 130)] is one of the prerequisites for the functioning of OAGN.
(a) Integrity – to act honestly, reliably, in good faith and in the public interest;
(b) Independence and objectivity – to be free from circumstances or influences that
compromise, or may be seen as compromising, professional judgement, and to act
in an impartial and unbiased manner;
(c) Competence – to acquire and maintain knowledge and skills appropriate for the
role, and to act in accordance with applicable standards, and with due care;
11
(d) Professional behaviour – to comply with applicable laws, regulations and
conventions, and to avoid any conduct that may discredit the SAI; and
(e) Confidentiality and transparency – to appropriately protect information, balancing
this with the need for transparency and accountability.
The third element of a system of quality control described in the ISA 140 is acceptance
and continuance. OAGN according to the legal framework mandated to audit public
sector entities. Before the audit assignments the SAI must provide itself with
reasonable assurance that it will only carry out audits and other work where the SAI is
mandated. OAGN may map the entity mandated to be audited with the desired level
of competencies required for auditing such entities and the actual competencies
possessed by OAGN staff currently. The competencies could be determined both in
terms of professional qualification and experience.
14 ISSAI 140
15 ISSAI 130
12
Key principle for OAGN
OAGN’s mandate and scope of work is defined by the legal mandate and OAGN
carries out work in three broad categories:
• Work that is required by the mandate and statute;
• Work that is required by its mandate, but where OAGN has the discretion as to
the timing, scope and/or nature of work; and
• Work that it can choose to carry out. 16
Based on the mapping, a gap if any can be ascertained and addressed accordingly for
audit engagement acceptance and continuance. A template for this mapping exercise
is provided as Appendix 2.
OAGN is required to establish human resource policies and procedures such as having
a ‘Human Resource Management Strategy’ to manage its staff. OAGN’s most
important asset is its staff. In order to fulfil its mandate and perform high quality audits
OAGN must ensure that it has sufficient resources (personnel and, where relevant, any
parties contracted to carry out work for OAGN) with the competence, capabilities and
commitment to ethical principles. OAGN should promote learning and training for all
staff to encourage their professional development and to help ensure that personnel
are trained in current developments in the profession. OAGN should ensure that
quality and ethical principles are key drivers of performance assessment of staff and
any parties contracted to carry out work for OAGN.
13
Key principle for OAGN
OAGN firm shall establish policies and procedures designed to provide it with
reasonable assurance that it has sufficient personnel with the competence,
capabilities and commitment to ethical principles necessary to:
14
Element 5 Performance of Audit and Other Work
OAGN shall establish policies and procedures designed to provide it with reasonable
assurance that engagements are performed in accordance with professional
standards and applicable legal and regulatory requirements, and that the firm or
the engagement partner issue reports that are appropriate in the circumstances.
Such policies and procedures shall include:
OAGN should ensure appropriate policies, procedures and tools, such as audit
methodologies are in place for carrying out the range of works that is the
responsibility of OAGN, including work that is contracted out.
OAGN should create an environment that is stimulating, encourages proper use
of professional judgment and promotes quality improvements. All work carried
out should be subject to review as a means of contributing to quality and
promoting learning and personnel development.
OAGN should ensure appropriate quality control policies and procedures are in
place (such as supervision and review responsibilities and engagement quality
control reviews) for all work carried out (including financial audits, performance
audits, compliance audits, special audits).
OAGN should recognise the importance of engagement quality control reviews
for their work and, where an engagement quality control review is carried out.
matters raised should be satisfactorily resolved before a report is issued.
OAGN should ensure that all documentation (such as audit work papers) is the
property of OAGN, regardless of whether the work has been carried out by OAGN
personnel or contracted out.
OAGN should ensure that they retain all documentation for the periods specified
in laws, regulation, professional standards and guidelines.
OAGN should ensure appropriate procedures are followed for verifying findings
to ensure those parties directly affected by the OAGN's work have an opportunity
15
to provide comments prior to the work being finalised, regardless of whether or
not a report is made publicly available.
Element 6 Monitoring
Monitoring is the last and an important element of SAI’s Quality Control system. It is
the monitoring of SAI’s quality control policies and procedures. This monitoring is
often referred to as Quality Assurance and needs to cover all six elements described
in ISSAI 140, the five elements above as well as the monitoring system itself.
The purpose of monitoring compliance with quality control policies and procedures is
to provide an evaluation of:
OAGN should ensure that its quality control system includes independent
monitoring of the range of controls within OAGN (using personnel not involved in
carrying out the work).
16
Where appropriate, OAGN should consider engaging another organisation or
other suitable body, to carry out an independent review of the overall system of
quality control (such as a peer review – more details can be found at chapter 9).
If work is contracted out, OAGN should seek confirmation that the contracted
firms/persons have effective system of quality control in place.
OAGN should ensure the results of monitoring of the system of quality control are
reported to the Auditor General in a timely manner, to enable the AG to take
appropriate action.
Where appropriate, OAGN may consider other means of monitoring the quality
of their work, which may include, but not be limited to:
Independent academic review;
Stakeholder surveys;
Follow-up reviews of recommendations; or
Feedback from audited organisations (e.g. client surveys).
OAGN should have procedures for dealing with complaints or allegations about
the quality of work performed.
OAGN should consider making monitoring reports public or to make public
complaints or allegations related to the work carried out by OAGN.
ISSAI 140 Quality Controls for SAIs: focuses on the organisational aspects of audit
quality operating throughout SAIs. ISSAI 140 also provides a framework that
complements other INTOSAI pronouncements, including those for quality control at
an individual engagement level.
ISSAI 140 is based on the key principles in the IFAC’s ‘International Standard on
Quality Control, ISQC 1’, adapted as necessary to apply to SAIs.
• Public Sector Auditing: ISSAI 100.38 includes Quality Control under general
principles of public sector auditing
• Financial Audit: see ISSAI 200.42-45, ISSAI 2220 and ISSAI 2620 - provide
requirements in respect of quality control for financial audits.
• Performance Audit: see ISSAI 300.32, ISSAI 3000.79-82 - establishes the
requirement and GUID 3910.100-108 provides further guidance in respect of
quality control for performance audit
• Compliance Audit: see ISSAI 400.44, ISSAI 4000.80-88 - establishes requirements
in respect of quality control for compliance audits.
17
opinion by the auditor on whether the financial statements are prepared, in all
material respects, in accordance with an applicable financial reporting framework.26
Professional standards and guidelines drive the quality and professionalism of public
sector auditing and thereby underpin the credibility of the profession and its work.28
The general principles of public sector auditing are set out in ISSAI 100 , and in
standards on ethics, quality control, and on overall responsibilities of an auditor in an
audit of financial statements.29
ISSAI 200 Fundamental Principles of Financial Audit provides for the following
regarding Quality control.30
The auditor should implement quality control procedures at the engagement level
that provide reasonable assurance that the audit complies with professional
standards and the applicable legal and regulatory requirements, and that the
auditor’s report is appropriate in the circumstances.
As stated in ISSAI 100, OAGN should adopt quality control procedures in
accordance with ISSAI 140 – Quality Control for SAIs, which provides the context
for the IAASB’s International Standards on Quality Control (ISQC 1) in a public-
sector environment.
The Auditor General and senior management has overall responsibility for
introducing and maintaining quality control procedures in OAGN, although day-
to-day operational responsibility may be delegated to others. That is any lead
auditor with responsibility for an audit engagement would ultimately report to
the Auditor General.
Public-sector auditors engaged on audits of financial statements in accordance
with standards based on or consistent with the principles of ISSAI 200 are subject
to quality control requirements at the engagement level. OAGN needs to consider
the following for financial audit engagements:
26 ISSAI 200:16
27 ISSAI 200:17
28 ISSAI 200:2 (EV)
29 ISSAI 200:28 (EV)
30 ISSAI 200:42-45
18
the need for the team leader and/or supervisor to take responsibility for
overall quality in each audit engagement;
to ensure that members of the audit team comply with the relevant ethical
requirements;
the need for the team leader and/or supervisor to form a conclusion
regarding compliance with the independence requirements that apply to the
audit engagement, and to take appropriate action to eliminate threats to
independence;
the need for the team leader and/or supervisor to be satisfied that the audit
team and any external experts collectively have the appropriate competence
and capabilities;
the need for the team leader and/or supervisor to take responsibility for the
performance of the audit, specifically:
leading, supervising and carrying out the audit;
ensuring that reviews are conducted in accordance with the OAGN’s review
policies and procedures.
The recommendations together with the full text of the audit report aims at
contributing to significant improvement of the conduct of government operations and
programmes, by leading to changes such as lowering costs; simplifying administration;
enhancing the quality and quantity of services; or improving effectiveness, impact or
the benefits to society33
Auditors should apply procedures to safeguard quality, ensuring that the applicable
requirements are met and placing emphasis on appropriate, balanced and fair
reports that add value and answer the audit questions. 34
19
Performance audit is a process in which the audit team gathers a large
amount of audit-specific information and exercises a high degree of
professional judgement and discretion concerning the relevant issues. This
must be taken into account in quality control. The need to establish a working
atmosphere of mutual trust and responsibility and provide support for audit
teams should be seen as part of quality management. This may entail
applying quality control procedures that are relevant and easy to manage and
ensuring that auditors are open to feedback received from quality control. If
there is a difference of opinion between supervisors and the audit team,
appropriate steps should be taken to ensure that the audit team’s perspective
is given sufficient consideration and that the OAGN’s policy is consistent.
In performance auditing, even if the report is evidence-based, well-
documented and accurate, it might still be inappropriate or insufficient if it
fails to give a balanced and unbiased view, includes too few relevant
viewpoints or unsatisfactorily addresses the audit questions. These
considerations should therefore be an essential part of measures to
safeguard quality.
As audit objectives vary widely between different audit engagements, it is
important to define clearly what constitutes a high-quality report in the
specific context of an audit engagement. General quality control measures
should therefore be complemented by audit-specific measures.
No quality control procedures at the level of the individual audit can
guarantee high-quality performance audit reports. It is equally important for
auditors to be – and remain – competent and motivated. Control mechanisms
should therefore be complemented by support, such as on-the-job training
and guidance for the audit team.
In establishing a quality control and assurance system (QCA), OAGN can use the
content provided by ISSAI 140, which offers a framework for developing such a
system. It is important to develop QCA policies and procedures that are adequate,
flexible and easy to manage. It is also important to develop consistent policies and
procedures that are communicated to all staff, which can be used to resolve
differences of opinion between supervisors and audit teams. In addition, other
guidance and on-the job training may need to be developed to complement the
quality control mechanisms.
Measures that safeguard the quality of the audit process and the audit report will
be effective if they can ensure that the audit provides a balanced and unbiased
view, adds value, considers all relevant viewpoints and satisfactorily addresses the
audit questions.
An effective QCA system will also have mechanisms to take into account the audit
team’s perspectives ensuring that audit teams are open to feedback received
from the quality control and assurance system.
35 ISSAI 3000:80-82
20
Guidance for quality control while conducting performance audit36
A quality control system includes policies and procedures designed to provide the
OAGN with reasonable assurance that it, and its personnel, comply with
professional standards and applicable legal and regulatory requirements. The
objective is to ensure that audits are conducted at a consistently high level.
Quality control procedures cover matters such as direction, supervision and
review of the audit process and the need for consultation in order to reach
decisions on difficult or contentious matters.
The system of quality control (QC) needs to be designed so it is appropriate to the
OAGN’s mandate and circumstances and able to respond to their risks to quality.
For the system of quality control to be effective, it needs to be part of the SAI’s
strategy, culture, and policies and procedures. This way, quality is built into the
performance of the audit and the production of the report, rather than being an
additional process once the report is produced. Maintaining a system of quality
control requires ongoing monitoring and a commitment to continuous
improvement.
QC procedures need to be an integral part of the conduct of each performance
audit to minimise the risks of error and drive consistency in conduct. Those
procedures need to be documented and include, for example, the various steps
in the audit process, checks to be undertaken (such as management review, peer
review of draft work and editorial review of final reports). It may be helpful for
OAGN to first clearly define the characteristics of what constitutes a high-quality
audit report.
A key aspect of any performance audit is the formal and informal consultation
that takes place within audit teams, between audit teams, and with internal or
external specialists. Consultation during the course of an assurance engagement
is important, as it helps to promote quality and improves the application of
professional judgment, as well as reducing the risk of error. Consultation is
advantageous for reaching sound conclusions, for ensuring that the report is
appropriate, fair and balanced and that it adds value. It is a good practice to
document the key consultations that take place, the nature of the advice received,
and the manner in which the audit team deals with the advice.
A key component of QC is an engagement quality control reviewer (EQCR). An
EQCR is an individual, independent from the audit team, who conducts an
objective evaluation of significant matters, including risks identified and
significant judgments made by the audit team, and the team’s conclusions
reached in formulating the audit report. It is a good practice to appoint an EQCR
to high-risk audits, as defined by OAGN.
It is difficult for OAGN to develop effective quality control procedures on an
individual basis that can guarantee high-quality performance audit reports across
the organisation. It is therefore important to develop such procedures at an
institutional level. It is equally important for the auditor to be – and remain –
competent and motivated as well as open to feedback from quality control.
Control procedures need therefore to be complemented by support, such as on-
the-job training and guidance for the audit team.
36 GUID 3910:100-106
21
OAGN may refer to IAASI 140 Quality Control for SAIs for further guidance in
institution a system of quality control.
To what extent does the report clearly describe the context within which the
area examined is carried out?
To what extent is the report well-structured and well written, and does it
include an effective executive summary?
To what extent is the rationale for the scope clearly set out?
Is the audit methodology clearly set out?
To what extent were the report’s findings, conclusions and recommendations
balanced, logical, consistent and supported by the evidence quoted?
To what extent has the audit been successful in concluding against its
objectives and providing useful information to help improve public services?
To what extent is there sufficient documentation on team competencies,
audit procedures carried out, evidence to support findings, consultations
done and treatment of comments received, and supervision?
37 GUID 3910:107-108
22
3.4.3 Compliance Audits – QCA requirements of standards
OAGN should take responsibility for the overall quality of the audit to ensure that the
audits are carried out in accordance with relevant professional standards, laws and
regulations, and that the reports are appropriate in the circumstances. 42
Within the scope of the quality control procedures, OAGN should have a quality
assurance system in place to secure the overall quality of the audit.
The quality control procedures can be supervision, reviews, consultation and
adequate training and might cover the planning, execution and reporting stage.
The overall quality of OAGN is dependent on a system where roles and
responsibilities are clearly defined.
OAGN should ensure that appropriate procedures are performed and that reviews
are performed throughout the audit process. The quality controls are
documented in the audit file.
38 ISSAI 400:13
39 ISSAI 400:13
40 ISSAI 400:12
41 ISSAI 400:29
42 ISSAI 400:44 and ISSAI 4000:80
43 ISSAI 4000:81-84
23
Quality can be attained if the audits are done by a competent team with skill and
experience. OAGN shall ensure that the audit team collectively has the necessary
professional competence to perform the audit.44
The requirement for competence for the conduct of compliance audit are: 45
Quality control includes considering whether the audit team has sufficient and
appropriate competence to conduct the audit, is capable of selecting criteria free
from bias, has general access to accurate information, has considered available
information, and has had sufficient time to complete the audit assignment.
The audit team is assembled to collectively have the necessary competence,
knowledge, skills and expertise to perform the audit in accordance with
professional standards. Depending on the subject matter, this may include:
OAGN needs to assign adequately skilled resources that are available when
needed in the different phases of the audit process. Where specialized
techniques, methods or skills are not available within OAGN, external experts may
be used in different ways, e.g. to provide knowledge or conduct specific work.
When in need of external expertise, OAGN evaluates whether experts have the
necessary independence, competence, capabilities and objectivity. OAGN also
should determine whether their work is adequate for the purposes of the audit.
Even if external experts perform audit work on behalf of OAGN, OAGN is still
responsible for the conclusion(s).
44 ISSAI 4000:85
45 ISSAI 4000:86-88
24
4 Quality Assurance Function
As per the requirement of ISSAI 140 OAGN should “establish a monitoring process
designed to provide it with reasonable assurance that the policies and procedures
relating to the system of quality control are relevant, adequate and operating
effectively.”
Monitoring also includes evaluating the control system and develop recommendations
if any shortcomings are identified. This monitoring activity of the QC is normally be
conducted by the Quality Assurance Function which has been established for the
purpose.
ISQC 1 (Objective)
In line with ISSAI 140 Quality Control for SAIs OAGN should have a quality assurance
function that monitors quality control policies and procedures and consider objective
evaluation of the following:
The degree of compliance with quality control policies and procedures, and
adherence to professional standards and regulatory and legal requirements;
The appropriateness of audit methodologies, other guidance materials and
technical resources provided to OAGN staff for implementation;
OAGN’s quality assurance and ethics culture;
The content, timing, and effectiveness of communications to OAGN staff
concerning quality control issues
Information on weaknesses within the system which have been identified and any
corrective actions to be taken, as well as suggested improvements to the system
as a result of any evaluations; and
Determination of the effectiveness of the follow-up once the process has been
completed (e.g. necessary modifications undertaken on a timely basis).
25
The objective of the quality assurance function within OAGN is to provide assurance
to the Auditor General that the office’s system of quality control is appropriately
designed and effectively implemented and that audit reports that have been issued
are appropriate. When weaknesses in quality control are identified at either the
institutional or audit engagement levels, the quality assurance function suggests
strategies for correcting those weaknesses. Quality assurance is therefore an ongoing
process to ensure OAGN and its staff follow the quality control system and providing
ongoing assurance to the Auditor General.
To assess the QA system in a SAIs, IDI have developed the SAI Performance
Management Framework47 which is a useful tool to assess the current status of the
OAGN against the QA standards.
The SAI has a system of quality control in place for all its work (audit and non-audit
activities, for example procurement processes) which has the following characteristics:
26
4.4.1 Assessing OAGN’s need for a QA Function49
The assessment exercise could be conducted either by the internal staff of OAGN
(creating a task force) or another SAI and / or organisations of SAIs like ASOSAI,
INTOSAI, IDI, etc.
SAI Performance Management Framework Report, if the SAI had conducted SAI
PMF assessment50. This is the most important tool in measuring the performance
of this function and the overall performance of the SAI.
IDI’s ISSAI Compliance Assessment Report (iCAT), if OAGN has conducted ISSAI
compliance assessment of its audit practices;
QA reports and annual report of OAGN;
Survey, questionnaires, interviews, focus group discussions and review of
documents, including OAGN’s experience in QA.
Factors to be considered while assessing needs for a QA function:
The overall result of this assessment should assist OAGN in determining between the
different models and approaches for setting up a QA function.
27
4.4.2 Developing and implementing QA Policy51
As per ISQC 1, the Auditor General is expected to assume ultimate responsibility for
the system of quality control. A system of quality control for OAGN is an essential
prerequisite for quality assurance to have relevance. A comprehensive QA policy
approved by the Auditor General thus forms the basis for QA function in ensuring
quality.
Auditor General may appoint a team to oversee the drafting a QA policy. The team
generally consists of experienced staff with experienced in OAGN’s work and has a
good knowledge of applicable auditing standards. The team should benchmark the
draft policy to ISQC 1 and ISSAI 140 requirements to ensure that the final agreed policy
is complete and relevant.
When OAGN already has a QA policy in place, the policy can be updated to meet the
requirements of ISSAI 140 or other best practices, and/or to incorporate any changes
in the audit processes including changes in applicable laws and regulation.
OAGN should periodically review the QA policy and when necessary, incorporate
changes to reflect new professional, policy, legal or regulatory requirements. When
undertaking this review, OAGN can consider lessons learnt about past QC and QA
practices and reports as well as international developments in auditing, QC and QA.
28
As part of the understanding of the office’s overall quality control framework, the staff
members should understand the role and importance of the quality assurance
function in contributing to the quality objectives of the organisation. OAGN’s QA unit
together with senior management should create awareness at all levels of staff of the
role and importance of QA and clarify any staff concerns on the QA process.
The QA function may be provided with this responsibility. This will enable greater
understanding of the role and importance of the QA function in contributing to overall
quality in OAGN.
OAGN after formalising the QA policy needs to compile a more detailed Manual to
specify how to conduct QA in practice.
OAGN may customise the available Quality Assurance Manuals of bodies such as
ASOSAI, AFROSAI, PASAI CAROSAI to suit its requirements and circumstances.
Alternatively, OAGN may decide to compile its own QA Manual in that case OAGN
needs a champion to oversee the project and a team should be appointed for the
project.
OAGN must train all its audit staff in QA as soon as the policy and the manual have
been finalised so that the concept is well understood, and it is not seen as a threat by
the staff.
Auditor General
Quality
Assurance
Committee
Quality
Audit Other non-audit
Assurance
Directorates directorates
Directorate
29
The quality assurance committee
The committee will review the adequacy of, and compliance to, QCs at OAGN level as
well as at audit engagement level. The committee will also conduct follow-ups to
assess the status of implementation of the QA recommendations. It will assess the
outcome of those recommendations that were implemented and identify reasons for
non-implementation of any recommendation.
Institutional level
Audit engagement level
Follow up review;
30
Quality Assurance Directorate
OAGN will have a separate Quality Assurance Directorate, which works under the QA
committee. QA Directorate will report with QA committee. The size of the Directorate,
its scope and coverage will depend on the direction of the Auditor General.
Overall QA QA
Leadership Committee
AAG -
Supervisor responsible
for QA
Manager / QA Director
Leader
QA Team
Review Team Members
QA Manager or The QA manager or director, as the head of the QA unit, will report to
Director the Auditor Genera, and will be responsible for overall aspects of the
QA function including the development of the unit operational plan.
He or she will also formulate strategies to undertake the QA function
and measure outcomes of the QA function.
Team leader The team leader will report to the QA Manager or Director and
assume the overall responsibilities in the following stages:
Planning stage:
• establish review objectives, scope, time, and targets;
• formulate the review methodology;
• delegate the responsibilities to team members; and
• design the review programme.
31
Conducting stage:
• provide advice and necessary guidance to the team members
about the plan, objectives, and on conducting the review;
• monitor and assure the QAR process is in keeping with QA
standards, policies, and procedures; and
• analyse the findings and articulate the conclusions and
recommendations.
Reporting and follow-up stage:
• write or review the audit reports and discuss and present the
findings to the QA Manager or Director; and
• follow up on any outstanding issues.
Team members The team members will be responsible to the team leader for the
following:
• conducting the review, based on the plan agreed on in the
planning stage and according to standards and procedures;
• gathering evidence to support findings through interviews,
documentation reviews, and observations;
• preparing and documenting necessary working papers to
support findings; and
• preparing a draft report on the findings.
Competencies of QA staff
• analytical skills;
• ability to synthesise;
• interpersonal skills;
• communication skills;
• facilitation skills;
• audit experience in all areas;
• managerial abilities;
• negotiation skills; and
• assertiveness.
The reviewers should be auditors who are experienced and skilled in implementing
OAGN’s audit procedures. In order to be credible, quality reviewers should have skills
equal to or preferably higher than those who had performed the audit. Possession of
the above-mentioned skills enable team members to implement review practices
effectively and produce a credible report.
It can also add value if the team has other skills relevant to the audit being reviewed
such as IT auditors or those with skills in financial, performance, compliance or special
audits.
32
4.4.6 Managing the QA Function
OAGN is required to develop a plan for the QA function to operate efficiently and
effectively which means assigning the right staff for the function, providing the
required resources, training, monitoring, performance against targets, holding the
team accountable and ensuring continuous improvement. The Quality Assurance
function should meet the following standards:
The QA team should also have appropriate ethical values. These values include the
following:
Integrity
Integrity is the core value of a Code of Ethics. Reviewers have a duty to adhere
to high standards of behaviour (honesty) in their work and in their
relationships with the staff of audited entities and not indulge in any corrupt
practices. To sustain confidence, the conduct of reviewers should be above
suspicion and reproach.
Reviewers should protect their independence and avoid any possible conflict
of interest by refusing gifts or gratuities, which could influence or be
perceived as influencing their independence and integrity.
• Care should be taken that advice and consultation of the reviewer do
not lead to a conflict of interest.
The reviewer should be independent from the audit entities and the audit
team. Quality reviewers should behave in a way that demonstrates their
independence. The following criteria should be considered in this regard:
• The reviewer should not be a member of the audit team, and should
not be selected by the audit team;
• A senior SAI official should be responsible for selection and
appointment of the reviewers;
• The reviewer should not make decisions for the audit team.
33
Competency
Reviewers must not undertake work they are not competent to perform.
Reviewers should know and follow applicable auditing, accounting and
financial management standards, policies, procedures and practices.
Likewise, they must possess a good understanding of the constitutional, legal
and institutional principles and standards governing the operations of OAGN.
They must also have sufficiently long experience of audit work in order to pick
up low quality and identify the root causes.
Professional Behaviour
To guide the activities of the QA function, the Manager of the QA team should prepare
an annual plan, aligned with the OAGN’s strategic plan and that of the QA function.
The annual plan should be reflective of the operational plan for the QA activities
proposed by the SAI and identify the resources required for the reviews. The annual
QA plan should be submitted to the Auditor General for approval.
In preparing the annual QA plan, the QA manager and the teams within the
division/departments may select the audit engagement mainly based on risks faced
by the entity and, significant issues highlighted in the previous audit reports.
3 Supervision
The AAG responsible for QA and QA Director should maintain adequate supervision
over the team and monitor the progress of the work. To ensure that all work is carried
out in a professional and timely manner and in accordance with the QA policy and
procedures, there should be evidence of supervisory reviews in the QA review
documentation.
The extent and nature of the supervision will depend upon such factors as the number
of persons in the team, their experience, expertise, qualifications and aptitude. To
enhance the supervisory and review function, the QA function could consider using a
checklist for monitoring and supervising QA reviews.
34
4 Accountability and Reporting
OAGN should, as part of its strategies to improve the QA team, evaluate everyone’s
performance annually. This will enable OAGN to identify the strengths of individuals
and identify the areas that need improvement to be more effective and efficient in
their respective roles.
In order to ensure that the review team comply with the principles of the QAR a
declaration should be taken from those involved. An example of such declaration is
included at Appendix 6.
To ensure that the Quality Assurance Review process provides useful outcomes
(improved audit quality) based on evidence, the following principles must be adhered
to by all members of the Quality Assurance Team. At all times the members of QA
reviewer team will demonstrate:
35
5 Quality Assurance Review Process
55
36
36
Scope, timeline and approach of the review: Scope of the review will be determined
by the objective of the review it may include the following;
ToR of QAR
Extent of review
Starting and completion of the review.
checklists,
interview questionnaires,
discussion agenda.
After planning the QA team engages in conducting QA review. In this phase the review
team uses different QA tools for:
identifying observations
obtain evidences to support findings
37
Performing General Procedures for QA review: QA review team also needs to perform
the general procedures in addition to the compliance of the standards and record the
conclusion accordingly. (Appendix 7)
Monitor the quality of review: the review team would consist of a team leader and
team members. The work done by the team members should be reviewed by the team
leader and should be monitored by the QA manager / supervisor to ensure the quality
of the review.
During completion and review phase a information gathered and observations made
must be recorded and supported by the evidences on conclusions drawn by the
reviewers. QA team evaluates and validates the findings. The completion and review
stage of the QA involves the following activities:
38
Discuss findings with the audit engagement team: This stage may include the
following:
discuss with the audit engagement team before finalisation and issuance of the
report
provide an opportunity for the team to explain further and produce documents
on the observations raised by the QAR team.
Draw conclusion and make recommendations: This stage may include the following:
Discuss preliminary QA review findings with the management: This is the initial stage
of reporting and involves:
hold discussions with management to ensure that the findings are clearly
understood and accurate.
discussion should be based on the findings, evidences and the explanations /
responses provided to the team.
Prepare a draft report on the overall review results: After the discussion with
management, the team should:
39
Conduct further investigation based on additional evidence presented
especially for those significant matters on which there were differing opinions;
Discuss and agree on the findings;
Agree on the amendments to be made to the draft report including additional
findings to be included in the report to be submitted to the Head of SAI; and
Discuss the recommendations and the implementation timeline.
Exit Meeting: The draft QA review report should be discussed at a meeting with the
Auditor General and / or with senior management. The purpose of the discussion will
be as follows
Action plan: Response to the draft QAR report should include an action plan to
implement the recommendations provided in the report. OAGN management will be
required to prioritise which recommendations to implement first. Some factors that
may be considered in prioritising recommendations for implementation are:
40
Issuance of QA Report: The final report of each QA review should be
Follow-up is an integral part of the quality review process. It ensures that action plan
proposed by the management to continuously improve the quality has been
implemented. The follow-up can be commenced after a time frame as specified in the
OAGN QAR policy. Follow-up actions are carried out by the QA review team to ensure
that the agreed action plan has been implemented or adequate steps are being taken
to implement. QA review policy should stipulate the timeframe for management to
report on their progress with the implementation of the corrective actions. The QA
review team should perform follow-up tests to confirm the effectiveness of the
corrective actions.
OAGN level review is the institutional level review which focuses not just on audit
issues but on the OAGN’s institutional quality management system. It is recommended
that personnel with managerial skills and experience in areas like human resources
and adequate understanding of the accountability processes and relationships in the
public sector should be used to carry out reviews at institutional level.
41
The staff who carry out institutional level reviews should have a good knowledge and
understanding of NGAS/ISSAIs especially the following:
Before starting on the review, the reviewers need to understand the quality control
system of OAGN. During this process, they should gather background information
which would be used to come up with the review plan.
The need for quality assurance at the institutional level is to ensure that the quality
control systems put in place for all functionalities including its core function of auditing
provide for quality both about its output as well as to the organisation. The quality
assurance at the institutional level should encompass the review of the elements on
quality control systems as mentioned in ISSAI 140.
During a review at institutional level the reviewers should interview the line function
management at different levels in OAGN and staff in research and development,
training, quality assurance, governance and human resources. The team should among
other things perform reviews on the policies and procedures of OAGN.
The basis for the establishment of the quality control system is ISSAI 140 which
provides for the standards on quality control systems. The review of each element
within the Quality Control System will provide OAN with reasonable assurance that
the policies and procedures relating to the system of quality control are relevant and
adequately designed and are being effectively implemented. The Quality Assurance
review should, therefore, be conducted for each element, i.e:
4) Human Resources;
42
5) Performance of Audits and other Works; and
QAR team should use the Institutional Review checklist which is at Appendix 5 for the
Institutional Level reviews. By using the checklist, the review team will be able to
determine whether OAGN’s processes and procedures adhere to the requirements of
standards and are in accordance with the institutional perspective framework.
Apart from the questionnaire, other data gathering techniques include interviews,
focus groups, examination of documented policies, procedures, and physical
observations. The team should note that data and information should be gathered
from different levels of staff across functional units. This is important to ensure data
quality and to understand different perspectives on the same issues.
The objective of QAR at OAGN level is to assess whether the OAGN has an adequate
quality management framework in place to assure the quality of all it products and
services, and the extent to which the system is functioning effectively. As such, while
reviewing at the QAR of OAGN, the QA function may consider the following issues:
43
Determine the quality of audit reports and services and their impact on the
accountability and transparency in the public sector, and the overall improvement
in the financial management practices of the government.
Overview
OAGN is responsible for delivering its mandate to the satisfaction of its stakeholders’
needs. A useful tool for ensuring the achievement of the goal is through OAGN
establishing a Quality Management System (QMS) designed to provide it with
reasonable assurance that:
(a) OAGN and its personnel comply with professional standards, regulatory and legal
requirements; and
(b) The reports issued by OAGN are appropriate in the circumstances.
The QMS is a broad concept that comprises the organisational structures, resources,
processes and products needed to implement a quality management framework. It
involves all processes in the operational life cycle of OAGN’s operations that affect
quality – from initial identification of stakeholders’ needs to final satisfaction of
requirements. It is designed to give confidence to the clients and stakeholders that
quality requirements will be achieved in delivered products and services.
The SAI-QMS Framework consists of structures and processes relating to certain key
management functions of any SAI. The SAI-QMS proposed in this chapter is based on
a comparative study of various frameworks undertaken by IDI.
SAI-QMS framework identifies the following seven domains impacting the functioning
of supreme audit institution like OAGN and its ability to effectively deliver its mandate:
If each of the above seven domains are functioning effectively and delivering the
desired results, it can be reasonably assumed that OAGN as a whole will deliver
products and services of high quality. While the above seven domains can be
separated from each other and treated as standalone components, at the same time
they interact and influence each other. As such, all the above seven domains with their
inter-relationships constitute the quality management framework of OAGN.
44
IDI’s suggested SAI-QMS Framework
The above figure shows the seven domains where each of the overall domains has a
pre-defined desired condition, which is the overall position the SAI should aim for with
regard to the particular domain.
The seven desired conditions and good international practices are summarised as
below:
45
Desired Conditions and good international practices for the Seven Domain of the
SAI-QMS
Each of the seven domains, in turn, consists of various components or, what we call,
elements. The IDI’s suggested SAI-QMS framework with the domains and elements
within each is shown in the diagram below. The SAI should consider actions at the
elements level when considering changes for improvements to the performance of
the SAI.
46
SAI-QMS framework with its elements
1 2 3 4 5 6 7
Independence Human Resource Audit Standards, Leadership and Administrative External Results
and Legal Methodology and Internal Support Stakeholder
Framework Performance Governance Relations
1.1. Independence
Although state SAIs cannot be absolutely independent because they are part of the
state as a whole, SAIs should have both the functional and organisational
independence required to accomplish their tasks. The SAI should be free to determine
the nature of its organisational structure and functional processes without outside
interference.
47
Ideally, the establishment of SAIs and the necessary degree of their independence
should be laid down in the relevant Constitution. The details, however, may be set out
in legislation such as in a separate Audit Law. The Lima Declaration recommends that
adequate legal protection by a supreme court against any interference with an SAI’s
independence and audit mandate should be guaranteed.
b) Independence of the Head of the SAI and officials of Supreme Audit Institutions
In their professional careers, audit staff of Supreme Audit Institutions must not be
influenced by the audited organisations and must not be dependent on such
organisations.
SAIs should be provided with the financial means to enable them to accomplish their
tasks effectively. If required, SAIs should be entitled to apply directly for the necessary
financial means to the public body deciding on the national budget, for example, the
Parliament, instead of depending on the ministry of finance that is one of the audited
entities of an SAI. In addition, SAIs should be entitled to use and re-allocate the funds
allotted to them under a separate budget heading in ways that they consider to be
appropriate.
1.2. Mandate
The mandate of the SAI shall be clearly defined in the country’s constitution and / or
in separate audit legislation. It should clearly spell out the powers and responsibilities
of the SAI regarding access to information, the nature of entities over which it has
audit jurisdiction and nature, scope and timing of audits. The Mexico Declaration on
SAI Independence recommends the following on a SAI’s mandate:
2. Human Resources
People are the most valuable assets of an audit institution. Sound human resources
management should provide employees a rewarding and professional environment,
48
as well as maintaining and enhancing the capabilities of the people. As a result, a
motivated and professionally competent workforce plays a significant role in achieving
the required high quality of audit processes and outputs.
2.1. Recruitment
SAIs should adopt policies and procedures to recruit personnel with suitable
qualifications and SAI personnel should possess relevant academic qualifications and
be equipped with appropriate training and experience. The SAI should establish, and
regularly review, minimum educational requirements for the appointment of auditors.
2.2. Retention
Salaries and allowances, personnel welfare and benefits for SAI employees are usually
covered under the public service regulations in most countries, and so it may not
always be possible for SAIs to provide attractive salaries to retain qualified staff.
49
Therefore, it becomes even more important that SAI management ensures that the
working conditions are sufficiently attractive to retain the services of experienced
personnel. At the same time, to the extent possible, SAIs may work towards a separate
salary structure for its personnel. In cases where the SAI requires expert staff who
cannot be recruited on the basis of conditions of the civil service, special arrangements
should be concluded with them, placing them outside the regular wage scales.
SAIs should adopt policies and procedures to develop and train SAI employees to
enable them to perform their task effectively, and to define the basis for the
advancement of auditors and other staff. Training plays a critical role to enhance
knowledge and skills of the staff to enable the SAI to deliver with quality audit products
and services to its stakeholders. Training is one of the key components of the
professional staff development activities such as upgrading professional related
academic qualification, attachment with similar organisations, study tours, seminars
and Workshops etc.
However, the Professional Staff development is a concept that goes beyond just
training of individuals. The term staff includes people at all levels within SAI right from
the SAI top management to those at the lower levels of the organisation hierarchy.
Staff development is the process of managing the professional life, learning and work
over the lifespan of an individual. It integrates, providing for career development
priorities of the employees. It also needs to identify staff learning needs and provide
for appropriate learning opportunities through which employees acquire knowledge
and skills needed to accomplish their assigned tasks. To ensure proper career
development the SAIs should specifically:
The SAI should take adequate steps to provide for continuing professional
development of its staff, including, as appropriate, provision of in-house training and
encouragement of attendance at external courses. The SAI should maintain an
inventory of skills of personnel to assist in the planning of audits as well as to identify
professional development needs. The SAI should establish and regularly review
criteria, including educational requirements, for the advancement of auditors and
other staff of the SAI. The SAI should also establish and maintain policies and
procedures for the professional development of audit staff regarding the audit
techniques and methodologies applicable to the range of audits it undertakes
2.4. Welfare
The SAI should take effective steps to create a motivating working environment that
takes care of the psychological and physical well-being of its staff. Measures should
include health care programmes, social, recreational and sporting facilities, fitness
50
programmes, housing and counselling services. Some welfare measures could be
gender- specific, such as flexible work timing for female staff who are nursing mothers,
or who have children to look after.
The senior management of SAI should set the overall policy on performance
management and monitor its implementation vis a vis the appraisal standards and
policies.
The system should provide the SAI management with the information to recognise and
reward high performers, as well as information needed to deal with inadequate
performance. SAIs should have a suitable reward system to reward employees who
meet or exceed clearly defined and transparent standards of high performance. In this
connection, SAIs may consider the following kinds of incentives:
The performance management system should also enable SAI employees to discuss
performance requirements with their supervisors, to become familiar with the critical
elements and performance standards that apply to them, prepare self-assessments
and seek feedback from the supervisors, when appropriate.
SAI top management need to steer the process of re-examining and refining the SAI’s
audit methodologies, processes and procedures and all other SAI factors affecting
SAI’s fulfilment of its mission and goals, and adherence to its professional standards
and core values.
51
The quality management system designed by the SAI should provide reasonable
assurance that appropriate standards, manuals, methodology, tools and techniques
are in place, useful and applied consistently. The domain Audit Standards,
Methodology and Audit Performance have five elements as shown below:
3.1. Standards
Auditing standards constitute the criteria or yardstick against which the qualities of
audit results are to be evaluated. The auditing standards governing the conduct of an
audit determine what the auditor should do. The fact that an audit has been
conducted in accordance with certain standards gives necessary reassurance to
people making use of the accounts. The objectives of the particular type of work or
the particular assignment should dictate the specific standards that are followed. Each
SAI should develop or adopt appropriate standards which are preferably in compliance
with national and INTOSAI standards. The SAI’s policy should require all staff to comply
with those standards relevant to the specific nature of their responsibilities.
ISSAI 100 requires a SAI to consider compliance with the INTOSAI auditing standards
in all matters that are deemed material. The SAI should determine the applicable
standards for such work to ensure that it is of consistently high quality. The SAI should
ensure that applicable standards are followed on both pre-audits and post-audits and
that deviation from the standards which are determined to be appropriate are
documented.” In addition to auditing standards, a SAI is also expected to comply with
standards of ethics that determine the conduct of its staff.
The INTOSAI standard provides for SAIs to prepare manuals and other written
guidance and instructions concerning the conduct of audits. The audit methodology
should be supported by manuals, guidance and other job aids. In addition to assisting
the staff to effectively perform their duties, such guidance would constitute the quality
control documents that would form the basis for planning and conducting quality
assurance reviews. These manuals and guidance should, of course, be aligned to the
auditing standards adopted by the SAI. SAIs should have in place detailed manuals and
guidelines for three clear streams of audit, Financial Audit, Performance Audit and
Compliance Audit to help guide the audit teams in carrying out audits.
52
Adequate monitoring and review of the quality assurance systems.
a) Audit Planning
In planning the audit, the most important process is to identify the audit scope and
determine audit objectives and methodology to enable auditors to focus on areas that
needs review. The appropriate design of audit methodology will ensure sufficient,
competent and relevant evidence to achieve the objective of the audit. The auditor
should plan the audit in a manner that ensures that an audit of high quality is carried
out in an economic, efficient and effective way and in a timely manner.
The auditing should be taken up by the competent- Knowledge, abilities and skills, and
dedicated staff for quality audit products.
c) IT Tools
SAIs may consider using IT-based tools for different states of the audit process, as well
as for support activities e.g. Computer Assisted Audit Techniques to enhance their
productivity and audit functions particularly in gathering audit evidence.
For other tools and guidance wherever is supporting for the quality audit has been
applied.
53
f) Consultation and Advice
The SAI may consider consultation with external specialists and experts if available in-
house staff lack required competencies in chosen audit areas.
Audit evidence should be sufficient and appropriate. Sufficiency refers to the measure
of quantity of audit evidence, while competence, relevance and reasonableness,
which are the characteristics of appropriateness, are the measures of quality of audit
evidence. Auditors should adequately document the audit evidence, including the
basis and extent of the planning, work performed and the findings of the audit for the
following reasons:
The work of the audit staff at each level and audit phase should be properly supervised
during the audit, and documented work should be reviewed by a senior member of
the audit staff. It is important that the supervision should be directed both to the
substance and to the method of auditing. All audit work should be reviewed by a
senior member of the audit staff before the audit opinions or reports are finalised, and
it should be carried out as each part of the audit progresses.
The audit report is the reflection of the quality of all audit processes of an SAI, and
thus, the SAI is ultimately judged by the quality or the kind of its audit report. The audit
report has to be written to:
54
Make the results available for public inspection; and
Facilitate follow-up to determine appropriate corrective actions have been taken
by the concern entities or not.
The SAI has to develop a strategy and process for consistent and systematic follow-up
process to enable it to contribute significantly to the effectiveness of audit in bringing
systematic improvement in the functioning of the entity.
the longer term. SAI top management, through its actions, will have to make clear that
mechanisms are in place to ensure quality and high performance and to promote
continuous improvement. They must continuously send appropriate signals that
inspire the staff to comply with the approved standards and procedures, and make
their best efforts to deliver quality services and products. The elements of the domain
Leadership and Internal Governance are as following:
Organisations that consistently perform at high levels are generally those that are
results-oriented and demonstrate a clear idea of their long-term intent. This is where
strategic planning can play a pivotal role in ensuring consistent high-quality
performance by SAIs.
1. Strategic Planning
a. Vision statement
Very early in the strategic planning process, the SAI’s top management needs to pose
a set of questions: “What is our vision for the SAI? Where should the SAI be heading
and what should its future technology-resource product-client focus be? What kind of
an organisation do we want to become?” Drawing a carefully reasoned conclusion
about its long-term direction should push top management to take a long hard look at
the SAI’s external and internal environment and form a clearer sense of whether and
how its present operational needs will change over the years. The strategic vision can
be an immensely valuable direction-setting and strategy-making tool.
The vision statement should clearly state where the SAI wants to be positioned in the
longer term. At the same time, it should be inspiring and galvanise organisation-wide
commitment and action. Ownership of the strategic vision by all levels of SAI staff is
almost as important as setting the organisation’s long-term direction. People need to
believe in the destiny of their organisation, and that their efforts can make a difference
in shaping that destiny.
55
b. Mission Statement
c. Core Values
The SAI needs to identify the core values which constitute the defining principles of
the organisation and individuals that work within it. These values should reflect the
fundamental characteristics and criteria on which delivery of the vision and mission is
based. In discharging their responsibilities, the government auditors need to observe
the principles of serving the public interest and maintaining the highest degree of
integrity, objectivity, professionalism and independence. These principles should be
the cornerstone of the responsibilities and conduct of the auditors.
The mission, vision and core values need to be developed to ensure that they truly
reflect the goals and aspirations of the SAI in relation to its mandate and those who
work in it.
2. Operational planning
Once the overall direction and targets have been set, the SAI’s commitment to them
should be complete. Every target should be assigned to an organisational unit with
specific individual responsibility for achieving the target in question. The responsible
officials should have sufficient authority to be able to overcome any difficulties that
may arise. The SAI should have proper dissemination of the organisational strategy
and the progress reports so that the staffs are genuinely involved in its delivery, and
they contribute to the planning efforts. To facilitate this, there should be a wide
dissemination of ideas, information and good practices within the organisation.
b. Performance Measurement
56
remain valid, relevant and useful. To facilitate performance monitoring, measurement
and reporting, the SAI may consider setting up a unit or committee assigned with this
responsibility.
4.3. Accountability
While promoting accountability in the public sector, the SAI must remain accountable
for its performance. In some countries, the legal framework requires the SAI
performance to be independently evaluated by an external agency. Even where this is
not a legal requirement, SAIs may consider periodic evaluation of its performance by
external agencies, including peer SAIs. In addition, the quality assurance function of
the SAI should periodically conduct institutional-level quality assurance reviews and
report to the top management on the SAI’s performance, along with
recommendations for improvements. Accountability will also be promoted if the SAI
implements a system of performance measurement and reporting discussed above
under strategic planning.
The SAI should establish policies and procedures designed to provide it with
reasonable assurance that the SAI and its personnel comply with relevant ethical
requirements.
Integrity is the core value of a ‘Code of Ethics’. Auditors have a duty to adhere to the
highest standards of behaviour in the course of their work and their relationships with
the staff of the audited entities. An SAI should develop and disseminate to its staff a
code of professional ethics and conduct that is applicable to the institution and to its
employees. At the same time, there should be procedures in place that ensure
compliance with the codes of ethics and conduct.
The INTOSAI Code of Ethics highlights some of the major aspects of ethical conduct –
namely, integrity, independence and objectivity, competence, professional behaviour
and confidentiality & transparency.
57
SAI top management should ensure the existence and implementation of appropriate
structures, rules, regulations and procedures that ensure achievement of the desired
objectives. These structures, rules, regulations and procedures in their entirety are
what constitute the internal control system of an SAI. The quality of the SAI’s products
and services are ensured by the adequacy and correct implementation of the internal
controls.
The COSO framework defines internal control as a process designed and affected by
those charged with governance, management, and other personnel to provide
reasonable assurance about the achievement of the entity’s objectives with regard to
reliability of financial reporting, effectiveness and efficiency of operations and
compliance
with applicable laws and regulations. It follows that internal control is designed and
implemented to address identified business risks that threaten the achievement of
any of these objectives.
The COSO framework provides for the following five interrelated components of an
internal control system. These components provide an effective framework for
describing and analysing the internal control system implemented in an organisation.
The five components are:
I. Control environment
The control environment includes the governance and management functions and
attitudes, awareness and actions of those charged with governance and management
concerning the SAI’s internal control and its importance in the entity. The control
environment sets the tone of the SAI, influencing the control consciousness of its
people. It is the foundation for effective internal control, providing the necessary
discipline and structure.
The SAI management should obtain an understanding of the SAI’s processes for
identifying business risks, and take actions to address those risks, and the results
thereof. The process is described as the “entity’s risk management process” and forms
the basis for how management determines the risks to be managed.
Control activities are the policies and procedures that help ensure that management
directives are carried out; for example, that necessary actions are taken to address
risks that threatens the achievement of the entity’s objectives. Examples of specific
58
control activities include those relating to: authorisation, performance reviews,
information processing, physical controls, and segregation of duties.
The information system comprises the procedures and records established to initiate,
record, process and report on the SAI’s performance against planned objectives.
V. Monitoring
It is the responsibility of each line functionary to ensure compliance with the internal
controls relevant to the work of that functionary.
The SAI should be in a state of readiness to address current issues more effectively,
deal satisfactorily with emerging issues, and take advantage of new opportunities. The
SAI should continuously upgrade its organisational capacity and competence of its
personnel to remain abreast of developments in the field of auditing and be able to
address emerging issues in the rapidly changing audit environment. SAIs should
update their strategic plans at periodic intervals to make sure that their efforts are
aligned to the major auditable issues facing the particular country.
Change management actions should be integrated with any action plan for initiating
new approaches. For example, an SAI that does not have a QA function should include
change management measures in its action plan for setting up the QA function. If
necessary, SAIs should consider training some members of management and staff to
become champions of change management, whose services could then be used to
coordinate change management processes whenever the SAI undertakes any major
change initiative.
5. Administrative Support
59
5.1. Monetary resources
There are two dimensions to this element that need consideration. One is the
availability of adequate budget for the SAI as a whole. This was discussed earlier under
the section ‘Independence and legal framework’. The other dimension is the optimal
utilisation of the budget to procure and provide the required infrastructure and
material support to the various functions. It is the responsibility of the administrative
support division.
The SAI should have sufficient material resources, including physical infrastructure, to
enable its staff to perform their duties satisfactorily. Material resources include office
buildings, working space for each employee, furniture and fittings, electric and water
supply, training facilities, library, document storage facilities, and transportation.
There might also be a need for gender specific infrastructure such as separate leisure
rooms for female and male staff, depending on the cultural environment of the SAI.
5.3. Technology
The SAI should sustain effective working relationships and communication with
external stakeholders to ensure sufficient impact of its audit reports and other
products and services. It also needs inputs from external stakeholders in order to
improve the quality of its work processes and products. The overall effectiveness of
the SAI in promoting greater accountability, economy, efficiency and effectiveness in
the functioning of public sector entities depends critically on the relationships it
establishes and maintains with external stakeholders.
The SAI’s stakeholders include the audited entities, parliament (or equivalent bodies),
political executives, public, peers (other SAIs), donors, international organisations,
60
media, professional and academic institutions, private sector auditing firms and others
who have an interest or are affected by the SAI’s products and services.
While it may not be feasible to deal with all stakeholders, SAIs should conduct
stakeholder analysis to identify their significant stakeholders and their interests and
influence on the SAI’s functioning. Based on the stakeholder analysis, SAIs should
implement measures to establish and maintain such relations with them that will help
to leverage its efforts without compromising its independence and objectivity.
The following table briefly outlines the SAI’s External Stakeholder Relationships, by
stating the key requirement of each external stakeholder and key audit mechanisms
that can help in meeting these requirements.
7. Results
61
The elements of the domain as follows:
Quality of its outputs (that is, the SAI’s audit reports and services); and
Longer-term impact of it products and services.
7.1. Quality
The SAI is required to deliver quality audit reports and other services that promote
accountability, transparency, value for money in the use of public resources and
contribute towards good governance. Towards this end, SAIs should implement
mechanisms for measuring the:
With regard to the preliminary audit reports, audit opinions, management letters and
annual reports the performance measures could be following:
Significance: How important is the matter that was examined in the audit? This, in
turn, can be assessed in several ways, such as the financial outlay of the audited
entities and the effects of the audited entity's performance on the public at large or
on major national policy issues.
Reliability: Are all opinions and observations in the audit reports and management
letters fully supported by valid and sufficient evidence?
Objectivity: Did the SAI duly consider the audited entity's responses to preliminary
audit observations? Did the working papers demonstrate an impartial consideration
and analysis of all evidence gathered?
Clarity: Are the audit reports and other products clear and concise in presenting the
results of the audit? This typically involves being sure that the scope, findings and any
recommendations can be easily understood by users of the audit report who may not
be experts in the matters that are addressed, but that they may need to act in
response to the report.
Timeliness: Were the audit reports, management letters and services delivered at an
appropriate time? This may involve meeting a statutory deadline or delivering audit
results when they are needed for a policy decision or when they will be most useful in
correcting management weaknesses.
7.2. Impact
62
Progress that management has made in reducing the number of unresolved errors
and irregularities identified during audits;
Percentage of audit recommendations accepted by audited entities;
Percentage of audit recommendations implemented by audited entities;
Percentage of Public Accounts Committee (or similar authority) directives to
audited entities that are based on audit observations; and
Extent of satisfaction of PAC (or similar authority) and audited entities with SAI’s
products and services.
The QA review at the OAGN level is a comprehensive review that deals with the key
result areas within the OAGN that affects its performance in all streams of auditing.
Based on the observations, the purpose is to identify the gaps in relation to the desired
condition for each key result area, the factors contributing to the gaps and strategies
for addressing the gaps. Before starting the process of gathering data, the review team
should carefully develop a QAR plan. The plan should, inter alia, state the review
objectives, scope, likely sources of data and information, data gathering methods and
tools to be used, limitations, if any in the review approach, resources required and
timelines. The plan should be supported with the tools proposed in the plan, such as
survey questionnaire, document review checklists, interview questionnaires, focus
group facilitation materials, and physical observation checklist.
The team should set up contact meetings with the different department heads before
starting the reviews. Personnel with the relevant skills should be involved in
conducting the review. These skills include, amongst others, those relating to project
management, facilitation, interviewing, communication, auditing and data analysis. If
these skills are not all available within the Quality Assurance function, then the OAGN
can consider seconding staff both internally and externally to the team. This can also
assist in providing capacity building to the QA team members.
Quality Assurance Review Team is expected to conduct the review of the QMS
established in OAGN. This can be a very challenging task for several reasons, including:
63
Inquiring about processes that may not fall within the expertise of the reviewer.
Gathering evidences
64
QMS Sources Methods
Element
d Welfare Human Resources Policies and Interview Document Review
Guidance Group Discussions
Activities of the Staff Welfare
Unit/Branch
OAGN Staff
e Performance Performance Appraisal System Document Review, Interviews,
Management Human Resources Policies and Focus Group Discussions,
Guidance Browsing,
Physical Observation, and
Counselling, Guidance andMonitoring
Survey
Processes
Professional Development through
such means as on-the- job training,
self-directed studies,
internal and external assignments
3. Audit Methodology, Standards and Audit Performance
a Standards Policy decisions Document Review, Browsing,
NGAS / INTOSAI Standards and Interviews
NSA / ISA (IFAC) Standards
b Manuals and Audit Manuals Document Review, Focus
Other Guidance Audit Guidelines Group Discussions
c Tools OAGN Staff Document Review, Interviews,
Audit Working Papers Focus Group Discussions
d Quality QAR Committee Interview, Document Review,
Assurance QAR Policy Interviews, and
Focus Group Discussions
Peer Review reports
e Audit Senior Management Interview, Document Review,
Performance Audit Manuals and Guidelines Interviews, and
Focus Group Discussions
External Stakeholders (Auditee / PAC)
Audit reports
4. Leadership and Internal Governance
a Strategic and Strategic Plan, Acts & Constitution Document Review, Interviews,
Operational Annual Activity / Performance Report and Focus Group Discussions
Planning
Auditing Standards of the OAGN
Code of Ethics
b Internal Strategic Plan Interview, Document Review,
Communication Annual Audit Plans Browsing, and Focus Group
Discussions
OAGN’s Organizational Structure or
Organogram
OAGN issuances andinstructions
c Accountability Office Instructions Manual Document Review, Browsing,
OAGN Annual Audit Report Interviews, and Focus Group
Discussions
OAGN Annual Activity Report
d Code of Ethicsor Code of Ethics for PublicOfficers Document Review, Browsing,
Conduct INTOSAI Code of Ethics and Focus Group
Discussions
65
QMS Sources Methods
Element
e Internal Office Instructions Manual Document Review, Browsing,
Controls Organogram and Interviews
f Continuous Strategic Plan Document Review, Browsing,
Improvement Organogram and Interviews
Office Instructions Manual
5. Administrative Support
a Monetary Annual Estimates Document Review and
Resources Procedure Manual for preparing Budget Focus Group Discussions
for the OAGN
b Material Annual Activity Report Document Review, Interviews,
Resources Annual Procurement Plan and Focus Group Discussions
Observation
OAGN Staff
c Technology Annual Activity Report Document Review, Browsing,
OAGN Staff Focus Group Discussions, and
Observation
d Support Services Annual Activity Report Document Review, Interviews,
OAGN Staff Focus Group Discussions
6. External Stakeholder Relations
a Key External External stakeholders Document Review, Browsing,
Stakeholder Annual Audit Report Interviews, and Focus Group
Expectations Discussions
Annual Activity Report
Strategic Plan
b Communicating Communication Strategy Document Review, Interviews,
with External OAGN’s Press Relations Office,if any and Focus Group Discussions
Stakeholders
Annual Audit Report
PAC Reports
Websites & Media
Professional and Academic Institutions
7. Results
a Outputs Report on the QAR Document Review, Browsing,
(Quality, Annual Audit Report of the OAGN and Interviews
Quantity) Performance Report of OAGN
PAC Resolutions
Parliament and Other Stakeholders
b Impact External Stakeholders Document Review, Browsing,
Audit Follow Up Report Interviews, and Focus Group
Annual Audit Report Discussions
Audit Performance Reports
Audited entities, PAC Members
a) Document Review
66
Establish communication with the contact point within OAGN well ahead of time;
Provide a comprehensive list of documents that the QAR team would require;
Agree on a date by which the documents would be made available;
Once the documents are received, establish if they correlate to the documents
requested; and
Organize the material in such a way that it is available to all members of the QAR
team.
b) Physical Observation
Physical observation is a visual process made by the QAR team to record what they
see using a checklist sheet. Observation may be on physical surroundings or of ongoing
activities, processes or discussions. It is used to verify the existence and appraise the
sufficiency, adequacy and convenience of the OAGN’s material resources, technology
and support services. Observation checklists can also be developed to observe the
behaviours of the OAGN’s personnel for the particular processes or activities offered
at that particular time and whether these are in compliance with official requirements.
In addition, it may provide an overview of the OAGN’s relationship with its
stakeholders (Audited entities, Parliament, Executive, etc.).
d) Interview
e) Survey Questionnaire
For assessing an OAGN’s QMS, key domains and Elements of the SAI level QMS
Framework suggested by IDI (included in 5.2.3) provides a comprehensive framework.
From this framework, a questionnaire for QAR of OAGN can be prepared. This can
obviously be modified to suit specific needs.
67
Stakeholder survey – Stakeholder survey may provide information on the quality
of OAGN’s work. External stakeholders of OAGN include Head of State,
Parliament, Head of the Executive, Audited Entities, Internal Audit, Public, Media,
Professional Associations and Private Sector Auditors, Peer SAIs, Development
Partners, etc. There may be other methods for getting information from external
stakeholders.
f) Content Analysis
a) Report preparation
Based on the observations and findings at the QAR of OAGN, the quality assurance
review team should prepare a Quality Assurance Review Report.
b) Reviewing completeness
The QAR team should review the completeness of information collection by ensuring
that all information related to the checklists has been collected and reviewed. The
review team should go through all the documents and analyse the responses by
making sure that there is a logical flow of information. The reviewer must exercise
professional judgment when reviewing the information gathered. If information
gathered is not consistent, the reviewer must seek further clarification from the
working papers. If the working papers are not sufficiently clear, the reviewer should
discuss it with the team leader and make a decision on how to resolve the situation.
As a first step for reporting and identifying individual findings. The QAR team should
consider the following information:
Findings: All material findings should be recorded precisely. Findings need not
always be negative. The QA team should keep a record of significant positive
observations so that those can be included in the QAR report. This will ensure
balanced reporting. Describing the findings in the draft QAR report, the team
should
68
Impact: This attribute identifies the real or potential effect of the findings. The
review team should consider how the existence of problems, gaps or findings may
influence the OAGN’s policy, independence and audit processes in future.
Cause: The reason for identified findings or gaps and problems. The reasons
underlying the identified gaps or problems form the basis for making appropriate
recommendations.
Comments made by the management: The reviewer should obtain and record all
comments from the senior managers on the observations made.
Name of reviewer: It is necessary to state the name of the reviewer who made a
particular observation.
The next step is to bring together all significant individual findings in a way that
provides an effective overview. This is to records each material finding, the
corresponding risk assessment, likely impact, probable causes, management’s
comments, and the QA team’s recommendations.
The summary recording form can help the QA review team to arrange their findings
logically and prepare for effective meetings with senior management of the OAGN.
d) Discussing findings with, and obtain feedback from OAGN senior management
The review team should meet with the OAGN senior management to discuss the
findings or gaps and ensure they are clearly understood. If required, the gaps
identified by the reviewing team should be corrected on the working papers.
Go through the recorded observation forms, and summarise and agree on the
observations;
Agree on the most effective way of presenting the observations;
Make an appointment with the Senior Management for the meeting;
Arrange the documents that should be available during the meeting;
Agree among the team who should lead the discussions, and who should record
the conclusions arrived at; and
Agree on the sequence of presenting the issues. It is advisable to start with the
good practices (positive findings) before highlighting the weaknesses.
However, there are certain things the team should try to avoid when giving feedback
to Senior Management. These include:
69
An aggressive way of talking, especially when commenting on the gaps or
weaknesses;
Destructive criticism of the work of the OAGN;
Giving unmerited praise; and
Generalise comments that in fact only apply to a specific issue or audit work. After
the meeting, the team should:
Verify the issues that the Senior Managers claimed are in place;
Summarise the observations obtained during the discussion;
Finalise the observations at this point; and
Extend thanks for their cooperation during the meeting.
After discussion with senior management, the QAR team is required to:
The QAR team leader should discuss with the head of the SAI the summary of findings
and recommendations. To make the discussion effective:
Be punctual;
Start to present the good practices;
Continue to present the weaknesses;
Be brief and to the point with the presentation;
Record both the matters that are accepted and not accepted by the AG;
When disagreement arises, do not remove or disclose any findings on which the
AG disagrees without being convinced with the evidence presented during the
discussion;
Note all disagreements for further clarification;
Ask whether there are any questions, recommendations or comments;
Thank the AG and staff for assistance; and
Close the meeting.
To finalise the report, members of the team are required to have a meeting and
discuss the observations obtained during the discussion with the AG.
The team is required to consider all the points indicated above, and to then prepare
the final report. The final report should be signed by the QA Team Leader.
70
5.3 QAR Process at the Audit Engagement Level
Individual level QARs are carried out on audit engagements to assess the adequacy of
the audit in keeping with NGAS/ISSAI and the SAI’s audit manual, guidelines policies,
and procedures including compliance with the laws and regulation. QARs at individual
level can be carried out pre-issuance or post-audit.
71
6 Quality Assurance Tools
OAGN’s quality control policies and procedures should comply with professional
standards, the aim being to ensure that audits are conducted at a consistently
high level. Quality control procedures should cover matters such as the direction,
review and supervision of the audit process and the need for consultation in order
to reach decisions on difficult or contentious matters
The QA tools are regarded as a review and assessment product that has been
specifically tailored to assist the quality assurance reviewers to conduct the QA review
of three types of audits conducts by OAGN. The focus of the QA tools is to produce a
linkage between the audit process and the NGAS/ISSAIs to review whether the
NGAS/ISSAI’s have been implemented in the audit process to promote reliable,
relevant and credible audits.
These tools will assist the QA reviewer to review the audit conducted in accordance
with the ISSAIs, and the basis to conclude to what extent an audit has met the
requirements of ISSAIs, and recommend the measures for further improvement.
The ISSAI Compliance Assessment Tool (iCAT)59 has been made available to the users
as a needs assessment tool in implementing the ISSAIs, it has been, at the same time,
been repositioned as the QA tool by the INTOSAI Development Initiatives (IDI).
These are based on three types of audits as defined in ISSAI 100, namely
OAGN can adapt (and modify if required) these tools based on its audit methodology.
58 ISSAI 100:38
59 https://www.idi.no/elibrary/professional-sais/icats/icats-english/
72
6.3 QA Tools60
Considering the audit manuals and the NGAS/ISSAIs following approach can be
followed to develop the QA tool(s).
•what is
Audit Process the audit
process
•what are
Standards applicable
standards
•what
Key audit is
Requirements suppose
d to do
•checklists
Compliance
to test
checklist compliance
•what are QA
Conclusion reviewers
comclusions
This reflects the entire audit process from pre-engagement to reporting and follow-
up. To justify that the audit was conducted in accordance with NGAS/ISSAIs, the
auditors should have followed the audit process as per NGAS/ISSAI requirements and
documented it accordingly in the audit files which provides the evidence of
compliance with all the requirements that are relevant to an audit. By incorporating
NGAS/ISSAI requirements in the QA tools, it enables the QA reviewer to see that the
auditor has followed the audit process accordingly in conducting the audit.
The tool includes ISSAI numbers and name of ISSAIs, and these are accordingly linked
to each stage of the audit process. This ensures that all ISSAIs are included in the audit
(NGAS includes the same ISSAI numbering as pronounced under IFPP).
73
6.3.3 Audit Objective
The objective of the audit is reflected under NGAS (under each ISSAI). This clearly
specify what the auditor is supposed to do, and they are again linked to each stage of
the audit process. It provides the basis to synthesise key requirements from ISSAIs
suggesting checklist to check the compliance to those requirements in an audit.
The objective of the auditor under each NGAS/ ISSAI defines the requirements to be
met in an audit of financial statements. The key requirements addresses the objective
of the audit should be included in the tool to guide the FA /PA/ CA QA reviewer that
those requirements were met in the audit. A number of requirements under each
NGAS /ISSAI are summarised and written as key requirements.
The auditing standards (NGAS /ISSAIs) prescribe what needs to be done in an audit.
The audit methodology on the other hand, guides the auditor how the audit can be
conducted in accordance with the requirements of the standards.
The audit methodologies are suggested in the specific audit manuals (Financial Audit
Manual, Performance Audit Manual and Compliance Audit Manual) and guidelines
that may include suggested working papers and processes.
The tool has to include a suggested compliance checklist. Once the strategies, policies,
procedures and audit methodology are developed and aligned with the requirements
of NGAS/ISSAIs, auditor is supposed to conduct the audits in accordance with OAGN
strategy, policy guidance and audit methodology.
This will guide the QA reviewer to review and verify that line managers and auditors
have followed the NGAS / ISSAI based audit methodology and the quality control
process has been followed in an audit.
6.3.7 Conclusion
The tool should provide a field for recording the conclusion of the QA review of an
audit. The completion of the QA checklist should provide the basis to record the
conclusion of the QA review.
At the end of each of each sub-part, an option can be provided to the evaluator to add
a narrative on the overall status of the particular section, by combining the results of
the status of all requirements of the section. Based on the section narrative, at the
very end of the tool, an overall assessment on the evaluation can be made by the
evaluator for the audit.
74
6.4 Financial Audit QA Tools
75
Audit Process Standards (NGAS/ISSAI) Audit Methodology Compliance checklist
• ISSAI 200:46, 68, 70, Other procedures
74-75
• ISSAI 2501;
• ISSAI 2510;
• ISSAI 2550;
• ISSAI 2560;
• ISSAI 2570;
• ISSAI 2710;
• ISSAI 2720
• ISSAI 2500; Written
• ISSAI 2580 Representation
• ISSAI 100:43 Exit Meeting
• ISSAI 2260:16, A17-18:
ISSAI 2450:8
76
6.5 Performance Audit QA Tools
77
6.6 Compliance Audit QA Tools
78
6.7 Other Audits - QA Tools
• Environment audit
• IT audit
• SDG audit
• Disaster Audit
QA tools for these audits have to be specifically designed in line with their unique
requirements.
79
7 Quality Assurance of Outsourced Audits
OAGN may not have the capacity for pre-issuance reviews on audits that are
contracted out. However, the audits outsourced by PAGN must be considered for
QARs.
It is a good practice to compile a list of audit firms / accounting professionals that can
conduct work on behalf of OAGN and document the capacity to conduct audits,
including any services that the firms offer to the OAGN auditees.
OAGN may nominate a QA team with suitable skills and experience from within or
outside of OAGN.
OAGN should communicate in writing its requirements to the audit firm / professional
accountants before the start of the assignment. All relevant documents relating to
audit approach, guidelines, QA policy, and QC Manual should be made available to the
firm. If the firm is not willing to accept the requirements, OAGN should consider
awarding the contract to another firm / professional accountant.
It is also good practice to bring the contracted auditors together from time to time to
inform them on new developments in OAGN and address issues for improvements
noted from previous work done. Organising orientation programmes, giving an
overview of the OAGN’s vision, mission, core values, audit methodologies and
techniques, policies, and procedures, should be facilitated through contractual
agreements between OAGN and the audit firm / professional accountant.
61 Use of private sector accounting firms / professional accountants to carry out audits on behalf of OAGN
80
The contract should be carefully examined for legal implications to protect the OAGN’s
interest.
OAGN shall evaluate and review the adequacy of the outsourced auditors work for the
relevance and reasonableness of the findings are conclusions and the consistency with
respect to the auditing standards and legal requirements.
Specific procedures to evaluate the adequacy of outsourced auditor’s work for the
purpose of QA may include
A checklist has been provided at Appendix 9 for measuring the quality of contracted
out audits.
81
8 Quality Assurance of Audits using NAMS
Very often there may be no audit trails of the changes made to the electronic working
papers if they have been overwritten. Therefore, it is important for the reviewer to
review the IT controls in this regard. OAGN must recognise the need for increased
assurances regarding critical data and information systems security in an IT dominated
environment such as use of NAMS in audits. The sufficiency of evidence in a
compliance or performance audit more frequently requires consideration of IT
controls over data reliability and integrity.
QA reviewers should ensure that there is proper version control over the electronic
working paper files and that the latest copy has been submitted for review. The QAR
team should not accept the electronic working paper files if no back-up is maintained.
Following consideration must be made for Quality Assurance Review using NAMS
The review team must be trained and well versed with NAMS so that the
reviewers can navigate through the process flow, audit activities undertaken and
documented in NAMS;
Access authority should be given to the QAR team in NMAS for the conduct of the
review:
NAMS administrator should provide QAR access in NAMS. (this may be
relevant to the peer review process as well)
Extent of access depend on the scope and nature of the review;
Access should be read only, so that the review team may not make any
alteration to the documents, working paper in NAMS;
Access should be for the period covered under the review
The review team must adhere to the ethical codes;
Review in NAMS is same as reviewing in manual work environment except for the
fact that the working papers and evidences are recorded electronically and the
reports are supported or generated though the systems itself.
82
8.2 Other processes
NAMS is used for document review relating to audit and audit related procedures;
Other documents review may still have to be done for policy, manuals, guidelines,
directives;
Other review procedures such as survey, interviews, focused group discussions
etc. may still be relevant while conducting QAR in NAMS environment
83
9 Peer Review
The term “peer review” refers to an external and independent review of one or more
elements of the organisation and/or operation of OAGN by a team of professional
peers from one or more SAIs. OAGN may also consider including experts from non-
SAI institutions.
A peer review is not an audit but an assessment and advice provided voluntarily by
peers. The decision to undergo a peer review is generally voluntary. The voluntary
nature of a peer review is also reflected in all contacts and exchanges between OAGN
and the peer review team during the course of the exercise.
OAGN is not bound to the conclusions and recommendations of the peer review team,
and can decide, as appropriate and necessary, on how to use the results of the
assessment. The fact that a peer review is carried out by external, independent
professional peers provides an essential added level of assurance of quality and
credibility to the process.
To ensure that the investment reaps worthwhile results, OAGN while planning for a
peer review will benefit from having a clear view on the following:
purpose of the proposed peer review, including expected outcomes and benefits;
focus and scope of the peer review, considering of resources and constraints; and
standards and criteria to be applied.
84
Peer Review Focus
For a peer review to be as useful as possible, the decision on its precise focus and
scope should be very much influenced by the reasons that prompted the review and
its expected benefits. This makes it necessary for OAGN to clearly define what exactly
it plans to have reviewed, and the boundaries of the exercise. Possible areas or topics
for inclusion in a peer review include all or some of the following:
Due to the nature of the peer review process and the likely publicity given to its
findings, the SAI could consider preceding the peer review with a self- assessment and
initiate remedial actions before the review takes place. There are different self-
assessment tools available.
IT Self-Assessment (ITSA)
85
Refer to www.eurosai-it.org
Developed by IDI
Is a tool to assist SAIs in mapping their current audit practices to ISSAI
requirements
Refer to www.idi.no
Developed by AFROSAI-E
For self-assessments in five institutional development areas: (1) independence
and legal framework; (2) organisation and management; (3) human resources; (4)
audit standards and methodology; and (5) communication and stakeholder
management.
Refer to www.afrosai-e.org.za
Developed by PASAI
Capability Model focuses on high-priority improvement actions that are likely to
have the greatest positive impact;
Refer to www.pasai.org
IntoSAINT
The selection of the peer review partner SAIs and team members depends, to a large
extent, on the objectives, scope and expected benefits of the review, the type of
reviewed SAI and language considerations. Peer reviews can be conducted by staff
from one SAI alone, or from several SAIs.
86
Criteria for selecting in partner SAI
Before inviting potential partners to provide reviewers, OAGN may consider a number
of criteria such as:
relevant expertise and experience in the areas to be covered by the peer review;
previous experience with peer reviews;
any factors which could affect the perceived or actual independence of the
reviewing SAI and individual team members or situations of conflict of interest
(for example, potential reviewing SAI was a donor or consultant to OAGN);
preferred professional background of the individual peer reviewers, particularly
when specialisation is required;
sufficient resources (both quantitative and qualitative) for carrying out the
proposed peer review;
communication and language skills, as they have significant practical implications
for interviews and translation needs;
organisational structure. It can be an advantage to be peer reviewed by SAI(s) with
a similar structure (auditor general model), but it can also bring added value to be
reviewed by SAI(s) that have a different perspective, and
geographical distance. A culturally different perspective can be an advantage, but
geographical distance may also lead to increased costs and organisational
complications (different time zones);
Once OAGN and the reviewing SAIs have reached a basic agreement on conducting a
peer review, the scope, objective, timing and criteria of the peer review proposed as
well as the conditions to be met in order to help make the review a success can be
incorporated into a written agreement, e.g. in the form of a Memorandum of
Understanding (MoU). This exercise is meant to ensure mutual consent on the
fundamental aspects of the review and to avoid any potential misunderstanding.
Both parties should decide and agree on the matters to be covered in the MoU and
this should be before initiating the project. When preparing the MoU, they should take
care not to limit the review team’s scope to conduct the work necessary to accomplish
the objectives of the review. The MoU is usually signed by the head of the SAI or
authorised representatives.
In preparing an MoU the peer review guide issued by INTOSAI GUID 1900 should be
taken into account.
A. Definitions
The MoU should include the definitions of the main terminologies used to ensure that
partner SAIs have the same understanding of the main aspects of the peer review.
87
These include clear terms of reference for the peer review including the format of the
review, its objectives, reporting arrangements and the principles or national and
international professional and ethical standards to which those undertaking the
review agree to adhere (e.g. impartiality, objectivity, confidentiality and
transparency). The MoU may stipulate the application of ISSAIs, e.g. with regard to the
ethical standards, the application of INTOSAI's Code of Ethics (ISSAI 130) may be
agreed.
B. Objective
The MoU may state the reasons why OAGN has decided to undergo a peer review, e.g.
as part of a regular review process, as part of putting in place a new system, or as part
of an overall strategy review and development procedure. The purpose of the peer
review should be stated in order to better explain the scope of the objectives pursued.
C. Timetable
The start and the end of the peer review as well as the main milestones may be
determined to help the reviewing SAI make informed decisions on the use of staff and
OAGN to be informed on the development of the work and to forecast when the
report on the findings will be available. Due care should be given to the fact that
interpretation, translation and submission of documents, minutes and findings may
significantly extend the overall timeframe. Furthermore, both partners may
reasonably forecast and agree on the input of resources needed. The schedule should
allow sufficient time to deal with any unforeseen aspect. Both the reviewing and
reviewed SAIs need to ensure having sufficient free capacity. An appropriate lead time
may be agreed, to enable the SAIs to include the peer review in their work plan.
D. Language
E. Staffing
The number, functions and profile of the staffing needed by the partner SAIs should
also be roughly determined, thus helping reach a better decision on what staff to
assign to the exercise and better estimate the costs likely to arise. On the one hand,
arrangements may be made on keeping staff originally assigned to the job to the
extent possible so as to help implement the peer review speedily. On the other hand,
SAIs may wish to make specific arrangements on any reasons for substituting staff
assigned at the request of OAGN. It is of particular importance, that the staff maintains
their independence, unbiased attitude, accuracy and objectivity, and treats the entire
review process confidentially.
When selecting the review team, the reviewing SAIs need to assess and evaluate the
particular skills required for the peer review focus. The team leader will need to
confirm necessary skills, such as specific language and IT audit skills, prior to finalising
the staffing structure proposed.
88
Where the team leader identifies gaps in the expertise of the staff proposed, it may
be appropriate for the team leader and OAGN to consider relying on external experts
at appropriate stages during the peer review.
The peer review may cover the audit area of the SAI and/or organisational functions
of the SAI in general, or may be limited to specific matters (see chapter 2 Definition).
In this case the matters exempt from review work should be explicitly stated to ensure
that the review staff keep well within these borders. Matters to be exempt may be
politically sensitive or classified procedures or topics/areas that are susceptible to lead
to any unknown or undesired consequences once they are submitted to an external
study.
SAIs may also place focus on any matters where expertise is sought or which should
for other reasons be examined thoroughly. The peer review may be extended to
additional focus areas if requested by OAGN.
The partner SAIs should expressly determine how and to what extent the reviewing
SAI's staffs are granted access to the records held by OAGN.
The reviewers shall respect the confidentiality of information that comes to their
attention during the review. As a rule, OAGN wishes that the contents of files and
other records as well as of interviews conducted as part of the peer review are treated
confidentially.
H. Procedural matters
To ensure the smooth conduct of the peer review all procedural matters may be
determined beforehand in the MoU. Such matters may include the following:
A peer review may require the reviewing SAIs to understand legal, accounting or
regulatory requirements which are peculiar to the jurisdiction of OAGN.
It is beneficial if, as part of the consultation process, OAGN nominates specific
groups or individuals for different types of issues.
89
The decision whether the delegates of the reviewing SAI may conduct interviews
and if so with what officials and whether they may disclose the purpose of the
peer review should be documented in the MoU. Free and open access to OAGN's
staff and other relevant aspects of the organisation are essential to the open and
transparent conduct of the peer review.
The participants may consider confirming the procedures for consulting with
external local experts. Matters to be considered will include who the nominated
experts will be, issues of confidentiality, cost and whether the consultation will be
direct between the reviewing SAIs and the experts or via OAGN.
It should be defined which documents may be transferred to the reviewer's home
office, e.g. originals, copies, confidential documents. Arrangements to ensure the
security of communication between the participating SAIs should be agreed in
advance, particularly in respect of confidential documents which may need to be
sent via the internet when completing work in the SAIs' home countries.
The MoU should include a process to clear these matters.
The partner SAIs may wish to discuss how to proceed with the peer review, initial
results achieved, preliminary findings and final report.
Relevant dates, intervals, issues due to be discussed and reasons for such discussions
may be stipulated in the MoU.
J. Documentation
Partner SAIs should determine how to record the peer review findings. Documentation
requirements may include the overall strategy and review plan, the completeness of
records and review evidence, the timing for communicating them to OAGN and their
final destination. The MoU may specify if and what data should be retained by the
peer reviewers, and for what periods. It may also stipulate, what data should not be
kept by the peer reviewers once the review is completed. Partner SAIs might wish to
avoid placing too high requirements on documentation, because this may render the
whole procedure rather cumbersome. The reliability of findings should be the first
priority.
Given the fact that the documents required by the peers are written in OAGN's
language, translation requirements may be integrated in the MoU. Partner SAIs should
agree on which documents need to be translated, who will be in charge of the
translation, and how it will be funded.
K. Final report
The SAIs involved in the peer review may consider and agree beforehand on the nature
and length of the final report, e.g. a short report setting out key findings, a detailed
report of all findings or alternatively two reports – an abridged version for public use
and a long form report for internal use.
90
The SAIs involved may also wish to determine what procedure to use for drafting the
final report. For this purpose, they may arrange for preparatory liaison, e.g. establish
an editorial team.
The decision on the timing of the implementation of recommendations will lie with
OAGN. The reviewed and reviewing SAIs may agree to divide the recommendations
into short-term (up to one year) and long-term (up to three years for implementation).
Suggestions may be helpful if implementing one specific recommendation is a pre-
condition for recommendations to follow.
The report will remain the property of OAGN. In case OAGN intends to involve further
addressees, this might influence the drafting of the report especially so if audit
concepts and terms need to be explained in the report.
So it might be advisable to deal with the following topics within the MoU:
The INTOSAI community is keen on receiving peer review reports in accordance with
their principle of “Experientia mutua omnibus prodest”.
SAIs may also determine – by taking into account any applicable standards or country-
specific laws – whether the final report should be published fully or in part. OAGN
may also decide that the final report will not be published at all, and that it will be
designed for internal use of OAGN only.
L. Cost
MOU should explicitly clarify who is to bear the cost which may be considerable for
conducting the peer review (including report drafting and translation). The peer
review programme might also be supported and funded by community donors in
accordance with the INTOSAI principles of independence.
The SAIs may wish to agree on procedural and administrative matters on subsistence
and travelling costs. In view of cost efficiency, the delegation should preferably be
composed of staff directly connected with the review and should be limited to the
minimum number of staff needed to perform it.
OAGN may provide support to the peer review exercise in manifold ways, for example
by sending documents on the legal principles and the audit environment to the
reviewing SAI's staff, making introductory presentations to help them familiarise
91
themselves with these relevant situations before arriving in country, providing the
review staff with office accommodation equipped with telephone and IT connections
as well as security features necessary to protect the received information, designating
contacts at OAGN, and providing hospitality to the review staff. These inputs may be
documented in the MoU
Peer review of OAGN will involve the planning, field work, reporting and where
applicable implementation and follow-up. Each stage is described as follows.
9.6.1 Planning67
When planning the reviewing SAIs may wish to build into their timetable an
opportunity to meet post field work, to discuss their findings and conclusions and
consider the structure and subject matter of the peer review report.
Planning should be based on the MoU. It might be done beforehand on the reviewing
SAI's premises, thus leaving more time for the implementation and reporting stages
and thereby reducing costs. The plan should document:
Similar to any other plan peer review plan should be prepared before the review and
should aim to address the following questions about the organisation, execution and
management of the assignment:
WHAT?,
WHEN?,
WHO?,
HOW?, and
HOW MUCH?
The planning for the peer review should ultimately serve as a means for ensuring that
the assessment remains focused on the core issues, the project is adequately defined
and resourced, the process is concluded on time and on budget, and the final report
is objective, complete, clear, convincing, relevant and accurate.
92
9.6.2 Fieldwork68
The fieldwork stage of the peer review process involves gathering the essential
evidence to support the peer review observations, as well as analysing the findings.
Fieldwork should follow the plan developed by the peer review team and agreed with
OAGN. It should also reflect any adjustments made to the plan during the course of
the review due.
the agreed terms of reference, including the focus and scope of the peer review
and any changes since;
any new developments and related issues;
timetable and the work to be done;
list of interviewees/targeted respondents inside and outside OAGN;
matters related to access to documentation, information systems and staff;
translation or interpretation requirements;
logistical and liaison coordination;
expenses and reimbursement rules;
envisaged timeframes and milestones; and
arrangements for reporting and clearance.
93
use persuasive arguments (as in the case of performance audits) to point toward
a specific conclusion and the resulting recommendation (in contrast to the
conclusive “right/wrong” nature of many financial and compliance audits);
keep appropriate supporting documentation and analytical notes; and
draft and discuss findings and observations as a basis for the report.
9.6.3 Reporting 69
The reporting phase of the peer review includes the preparation of a draft report,
clearance of the findings, conclusions and recommendations with OAGN, the receipt
of written comments and the preparation of the final peer review report.
The peer review report is the main output of the peer review process. Its purpose is
to add value to OAGN and:
present the objectives, scope and nature of the work done and the rationale
behind them;
communicate clearly and objectively the main observations and conclusions
resulting from the peer review;
make practical and relevant recommendations on areas where there is a scope
for further improvement; as well as
serve as a useful baseline against which improvements or changes made by OAGN
can in the future be benchmarked and followed up.
Recommendations for improvement are often conceived during the fieldwork and
finalised during the reporting stage. They should:
94
Conclusions and Recommendations, providing clear and succinct answers /
conclusions to the objectives set for the peer review as well as related practical
recommendations for improvement.
The final draft report should be presented to OAGN’s internal team, inviting
comments and suggestions. This part of the process is typically concluded with one or
more final clearance meetings. It may also be agreed that OAGN will provide a written
response to the peer review report, indicating for example its position on the
observations and recommendations, including any reasons for not accepting them.
These responses can be published.
Once the final report is completed and published, the peer review leader – subject to
prior agreement with OAGN - can take the opportunity to send a copy to INTOSAI.
In order to aid implementation, it may be useful for the peer review team to rank or
classify recommendations according to different criteria, such as:
It is good practice for OAGN to systematically report (in its annual report) on the
progress being made to implement the accepted peer review recommendations.
Follow-up
OAGN might also request the original peer review team to verify the extent to which
recommendations have been followed after an agreed time, depending on the level
of importance and significance of the recommendation. After verification, the team
may prepare a further report on the degree of implementation of the
recommendations as well as on possible updates to the original recommendations.
Especially in those cases in which the first peer review results had been published, it
is good practice for the results of the follow up peer review to be also published, in
the interest of transparency and accountability.
95
The peer review evaluation by the peer reviewing team (lead) and OAGN may be
performed. IT is encouraged to evaluate the performed peer reviews in order to
establish best practice and publish experiences.
A sample peer review checklist (that can also used by OAGN for self assessment) is
given in Appendix 10
96
Appendices
(This page is intentionally left blank)
97
Appendix 1 OAGN QAR Policy
1. Background
The OAGN aims to continually improve the quality of its processes, products and
services. For this purpose, OAGN has decided to issue a quality assurance review (QAR)
policy in order to comply with the relevant and applicable quality control standards,
thereby improving the quality of the organisation as a whole and the audit
engagements it performs.
2. Introduction
ISSAI 140 - Quality control for SAIs requires OAGN ‘to establish and maintain an
appropriate system of quality control which covers all of their work. This document
should help OAGN design a system of quality control which is appropriate to their
mandate and circumstances and which responds to their risks to quality.’?
A major challenge facing OAGN is to consistently deliver high quality audits and other
works under its scope. The quality of work performed by OAGN affects its reputation
and credibility, and ultimately their ability to fulfil its mandate.
The key objective of the quality assurance function is to assist the Office of the Auditor
General to provide reasonable assurance that its policies and procedures relating to
the system of quality control are relevant, adequate, and functioning effectively. The
purpose of the policy is to ensure that the Quality Assurance Review process is
approved and implemented in line with the OAGN's strategic imperatives.
The QA function is responsible for coordinating and managing all activities and is
intended to review and strengthen the quality management system of OAGN. It will
develop and implement strategies and annual quality assurance plans for regular
conduct of quality assurance reviews at both audit engagement level and at OAGN
level. It will submit proposals on the appropriate approach to be adopted for different
quality assurance reviews. It will be responsible for monitoring ongoing quality
98
assurance reviews and follow-up of actions taken on quality assurance
recommendations.
It will also submit annual reports to the Auditor General on the various quality
assurance reviews undertaken during the year and the significant actions that need to
be taken to address gaps in the OAGN’s quality management system.
The need assessment exercise can be conducted either by the internal OAGN staff
(middle and higher management levels) or by another external organisation or agency
or together. While conducting an assessment the following aspects should be
considered:
The need assessment tools can be QA surveys, questionnaires, interviews, focus group
discussions and reviews of documents, including documents within OAGN. While
assessing the needs of the QA function, the following factors should be considered:
99
4.2. Creating Awareness among Staff on QA
Quality assurance is, therefore, a constant process to improve the quality control
system and ensure compliance with the quality controls. This, in turn, should increase
the quality of OAGN’s processes, products and services, with consequent positive
impact on OAGN’s credibility.
Although it may be possible to produce isolated audits of high quality without a proper
system of quality assurance, it is not possible to do it continually for all the audit
products issued by OAGN unless there is widespread awareness among and
acceptance by, OAGN staff on the importance of quality. Ultimately, it is OAGN’s
employees who are the key drivers of its performance. Therefore, staff awareness of
quality requirements and OAGN’s QA policy is of critical importance.
Quality assurance is the responsibility of all the staff at the OAGN, right up to the
Auditor General. Quality assurance also requires a clear understanding of where the
responsibility lies for particular decisions. Thus, OAGN’s general quality assurance
policies and procedures should be clearly communicated to its personnel in a manner
that provides reasonable assurance that the policies are well understood and
implemented.
The responsible unit of OAGN together with the top management should prioritise the
generation of awareness at all levels of staff on QA matters. Staff awareness can be
created through staff meetings, discussion forums, office circulars, newsletters, essay-
poster competitions, trainings etc. Above all, OAGN top management must, through
its actions and communications, repeatedly spread the message about the importance
of quality and quality assurance.
After adopting a QA policy and creating staff awareness on QA there will be a need for
OAGN to compile a manual or guidelines that specifies how to conduct QA in practice.
The manual should form the basis of standard operating procedures (SOP) of the QA
function.
For the easy implementation of the manual, it should incorporate related toolkits as
well as required checklists that are developed based on applicable Standards and best
practices recommended by bodies such as INTOSAI, ASOSAI, AFROSAI-e, PASAI IDI etc.
100
ISSAI 140 OAGN should “establish a monitoring process designed to provide it with
reasonable assurance that the policies and procedures relating to the system of quality
control are relevant, adequate and operating effectively.”
OAGN has to form a QA Committee and establish separate QA Unit under the oversight
of the QA Committee. OAGN has to allocate required staffs to the QA unit. Trained
QAR team members should be assigned with QAR duties. OAGN can also arrange QA
reviews by other SAIs, other professional bodies; and can hire external experts to
periodically assess the OAGN’s quality control systems.
OAGN may acquire expertise from qualified specialists, consultants and technical
experts, professional associations and other organisations as needed to conduct QA
reviews. The experts may give technical advice to the OAGN. The OAGN should ensure
that the specialists and experts are qualified and have competence in their areas of
specialisation, and should document such assurance.
The OAGN must ensure that their entire audit staffs are aware of the function and
importance of QA as soon as the QA policy and QA handbook have been finalised, so
that the concepts and new practices are well understood and accepted. OAGN should
invest considerable resources in providing effective training for the staff. Workshops,
seminars, talk programmes, focus group discussions, and panel discussions, should be
organised regularly to upgrade the competence of QA staff in the following aspects:
Importance of QA;
Quality control system in audit;
QC standards, QA procedures and best practices;
Roles and responsibilities of QA staff;
Roles and responsibilities of auditing and support staff vis-à-vis the QA
function;
Ethical requirements; and
Soft skills relating to presentation, negotiation, group leading, etc.
OAGN may also consider secondment of QA staff to, and from other SAIs with proven
strong QA practices and traditions.
While managing the QA function in OAGN, the management should also consider
availability of appropriate working environment of the QA staff. Following trainings
can be conducted to develop professional skills of staffs:
101
Improving and standardising courseware to maintain training quality; if
necessary, outsource development of courseware.
Encouraging audit personnel to become members of various professional
bodies relevant to their work for continuing professional education, and to
participate in the activities of professional bodies through suitable incentives.
Encouraging audit employees to enrol in academic institutions to obtain
relevant professional and academic certifications / degrees.
OAGN may assist in developing a certificate course in public sector auditing in
collaboration with a university or any other reputed academic institution. The
certificate should be designed to provide a structured development
programme for performance and financial auditors.
Providing audit employees with the opportunity to have work experience in
other public or private agencies, including other SAIs to gain insights into the
operations of other peers.
In addition to the secondments of OAGN staff to other agencies, OAGN may
accept staff on secondment from other agencies and other SAIs, who can share
their knowledge and experiences with OAGN staff.
Providing opportunities to participate in training courses, seminars and
workshops held by international or regional institutions, universities and other
SAIs, e.g. training courses provided by ASOSAI and the IDI.
Equipping personnel to audit effectively in new or special areas such as
procurement, revenue audit, sustainable development, environment auditing,
forensic auditing, and IT auditing.
To assist newly employed staff to assimilate into the new work environment,
the OAGN should develop and implement an induction programme or
orientation programme, giving an overview of OAGN vision, mission, core
values, audit methodologies and techniques, policies, procedures and
practices and general information relating to OAGN operating environment.
Audit of financial statements requires training in accounting, knowledge of
legislation and executive orders affecting the accountability of audited entity.
Performance audit requires training in public administration, management,
economics and social sciences.
As a part of knowledge dissemination, audit reports from different SAIs may be
reviewed and discussed in presentation sessions participated by staff at all
levels.
OAGN personnel should be encouraged to prepare individual development
plans, in consultation with a designated performance manager. The approved
plan should be an action-oriented plan that should focus on a few specific
competencies to address individual development needs.
Continuing professional education should be established at each level of
OAGN, which should be monitored and appropriate documentation
maintained. Professional development programmes should be reviewed
periodically.
5. Institutional Arrangements
102
AG may form a Quality Assurance committee comprising following members:
OAGN will establish a separate Quality Assurance Directorate, which works under QA
committee. QA Directorate will report to QA committee however QAR team will
continue to be responsible for the Auditor General. . The size of the Directorate will
depend on the AG’s decision and span of OAGN’s audit coverage and also the stage of
its technical development.
The Director of QA Directorate will be the Team Manager of QA function of OAGN and
necessary team leader, team member and supporting staffs are provided to assist him
or her. OAGN will use only auditors who have demonstrated a good understanding of
the OAGN’s audit procedures. However, the OAGN may commit resources to QA to
103
the extent that it may compromise the timely completion of the actual audits. There
could be exceptional cases which might demand that the OAGN increases its number
of reviewers in case of OAGN is in the process of rolling out new audit procedures and
systems, there are new standards to comply with; and/or there are new audit areas
to review.
The Director of Assurance Directorate also will be the Team Manager of the QA
function of OAGN. QA committee may invite other expert or professional persons as
invitee. This committee will be responsible for carry out overall QA function of OAGN
and report to the Auditor General.
The team manager, as the head of the QA unit, will report to QA committee and / or
AG, and will be responsible for overall aspects of the QA function. He or she will also
formulate strategies to undertake the QA function and measure outcomes of the QA
function.
The team manager will be responsible for the overall performance of the unit. This will
involve setting out the strategic direction and ensuring that it has appropriate capacity
to fulfil the demands set. The performance will also be assessed on a pre-determined
basis, and information systems will be put in place to provide efficient reporting on
performance. Key discussions and negotiations with, in particular, senior personnel to
resolve disputes and disagreements will be required, and ongoing monitoring of staff
performance will be expected.
104
Ensuring adequate management of human resources, including identifying
recruitment needs, training requirements and other areas of development of
staff;
Liaison with senior management as and when required for among others,
dispute resolution;
Commenting on advice, guidance and documents issued within the OAGN from
a quality assurance perspective;
Tracking the progress of the review;
Considering the capabilities and competence of individual members of the
team, whether they have sufficient time to carry out their work, whether they
understand their instructions, and whether the work is being carried out in
accordance with the planned approach to the review;
Addressing significant matters arising during the review, considering their
significance and modifying the planned approach appropriately; and
Identifying matters for consultation or consideration by more experienced staff
during the review.
The team leader for the QA review will report to the Team Manager and should
assume the overall responsibilities of the QA review. Team Leader will establish review
objectives, scope, time and targets and formulate the review methodology. He or she
will delegate the responsibilities to team members and design the review program.
The team leader will provide advice and necessary guidance to the team members
about the plan, objectives and on conducting the review. He or she will also monitor
and assure the QAR process is in accordance with QA standards, policies and
procedures. He or she will analyses the findings and articulate the conclusions and
recommendations and the write or review the audit working papers and reports and
discuss and present the findings to OAGN management. He or she will also follow up
on any outstanding issues.
The team leader is responsible for the day-to-day activities of the QA function
involving: preparing planning, progress or final reports for the Team Manager. The
team leader also should undertake function of Team Leader in his/her absence. The
management and the development of the reviewers is a fundamental part of the
leader’s role, and they need to ensure they support reviewers when dealing with the
audit teams during various interactions.
105
Summarizing the key findings on the individual level reviews.
Commenting on policies and procedures relating to quality assurance as they
are required;
Providing inputs into the budget submission;
Identifying resource requirements and training needs for the review team;
Maintaining relevant management information to be used for reporting
purposes;
Coordinating arrangement for the reviewer’s visits and liaising with the audit
teams accordingly;
Commenting on advice and guidance and documents issued within the OAGN
from a quality assurance perspective;
Managing the reviewers in terms of planning and controlling;
Undertaking reviews of the work completed by the reviewers to ensure that:
Sufficient evidence has been gathered to support the findings;
work is carried out in line with prescribed methodology of quality
assurance function;
Findings and recommendations are appropriately based on sound analysis
and evidence;
Assessment of the significance of the findings is appropriate;
Judgment are reasonable and appropriately documented;
Time management of reviewers is in line with budget, or other measures;
and
Reviewer conduct is professional and all feedback from the audit team is
noted and/or followed up.
Leading discussions with the audit teams’ management to discuss review
findings and recommendations;
Monitoring progress from management information on a regular basis and
identifying any corrective steps required to be taken;
The work has been performed in accordance with professional standards and
regulatory and legal requirements;
Significant matters have been raised for further consideration;
Appropriate consultations have taken place and the resulting conclusions have
been documented and implemented;
There is a need to revise the nature, timing and extent of review work
performed;
The work performed supports the conclusions reached and is appropriately
documented;
The evidence obtained is sufficient and appropriate to support the reviews
report; and
The objectives of the review procedures have been achieved.
Team members for the QA review will be responsible to the team leader, and will
conduct the review based on the plan agreed upon in the planning stage and according
to standards and procedures. They will gather evidence to support findings through
106
interviews, documentation reviews, and observations. They will also prepare and
document necessary working papers to support their findings. Finally, they will
prepare a draft report on the findings.
The Team Member will be responsible for assessing whether the overall quality of the
audits is in line with the audit methodology and standards. This will be undertaken
through selected reviews over a number of audits and audit teams. The reviewer will
be responsible for assessing audit files and other documentation. Based on the above,
the reviewer will often be expected to justify findings in discussion with more senior
managerial level personnel. The reviewer will also be required to assist management
as and when they require it. This can include: assistance with information gathering,
maintenance of information systems, and providing assistance with logistical
arrangements etc. Key roles and responsibilities of team members may include:
The QA staffs should collectively possess the competencies, Analytical skills, Ability to
synthesis, Interpersonal skills, Communication skills, Facilitation skills, Audit
experience in all areas and Managerial abilities. QA reviewers should be dedicated to
the QA function. The reviewers should be auditors who have demonstrated a good
understanding of the OAGN’s audit procedures.
Possession of the above-mentioned skills will enable the team members to use all the
review practices effectively. It should also add value if the team is multidisciplinary,
consisting of practitioners who have audit (regularity, performance, IT, etc.) and
management experience. Understandably, it can be a significant challenge to identify
107
and establish such a team, and in many cases all the requisite skills and experience
may not be available in the QA team. In such cases, the possibility of using experts for
limited purposes should be considered.
108
Articulated communication, negotiation and interpersonal skills to motivate
staff and undertake dispute resolution; ability to analyse information and
present the findings in a user friendly manner;
Strong application of professional scepticism to assess responses provided by
the audit or management to initial findings; and
High level of integrity to not be affected by the influences such as seniority and
personnel relationships.
b. Experience and qualifications
Understanding the OAGN’s environment at an operational level;
At least three years working knowledge;
A formal accounting / auditing qualification; and
Project management experience and training is desirable.
The planning process involves the preparation of an operational plan and selection of
the type of review to be conducted according to the conditions present at the OAGN.
109
The OAGN’s QA function should prepare an annual operational plan, which should be
approved by the QA committee. The Operational Plan may cater for QARs at both the
OAGN and audit engagement levels. The review at the OAGN level is comprehensive
in scope, addressing all areas within the OAGN that affect its audit performance, while
the audit engagement level reviews will be for selected audits only.
The Operational Plan for QA may contain, among others, the following components:
The reviews may include both the OAGN Level Review and the Audit Engagement Level
Reviews. The plan should also indicate the nature of the reviews – i.e., internal or
external, pre-issuance or post issuance.
The scope of the reviews may vary according to the type of review to be conducted
(pre- issuance or post audit, internal or external). In some cases, the QA review may
be restricted to only one stage of the audit (e.g., planning stage), while in others, all
stages of the audit may be included in the scope of the review. In the case of OAGN-
level review, the scope may be restricted to selected domains of the OAGN’s quality
management framework or may include all domains. Ideally, the operational plan
should also provide for follow-up QA reviews to assess the extent to which action was
taken on previous QAR recommendations.
Generally, the audit engagement level review should be conducted every year
depending upon the availability of resources. However, the OAGN level review needs
a longer timeframe, and ideally, after conducting such a review for the first time, it
can be conducted at the beginning of each strategic planning cycle of the OAGN.
The QA function needs to have sufficient resources to conduct the reviews; therefore,
a separate budget for the reviews may be included in the operational plan for approval
and subsequent incorporation in the OAGN’s overall budget.
e. Team Composition
Ideally, a team leader should be nominated for each review and the review team
should consist of staff with suitable qualifications and experience to conduct these
reviews, depending on the type of review. If possible, the names of the team members
for each review, or at least that of the team leaders, should be mentioned in the plan.
110
Special considerations if any, such as engagement of external reviewers or experts for
certain reviews, or reasons for significant increase/decrease in the number of reviews
as compared to earlier years, should be separately stated in the plan.
B. Scope
The scope of quality assurance reviews (QARs) can extend to all the activities being
carried out by the OAGN.
OAGN level QAR: Conducting QAR’s at the OAGN level is discussed in detail in Chapter
5 of this Manual.
Financial audit level QAR: Conducting a QAR at the audit engagement level is
discussed in detail in chapter 6 of this Manual.
Performance audit level QAR: Conducting a QAR at the performance audit level is
discussed in detail in Chapter 6 of this Manual.
Compliance audit level QAR: Conducting a QAR at the performance audit level is
discussed in detail in Chapter 6 of this Manual.
Conducting the QARs should be based on the approved QAR plans. The plans should
be supported by appropriate checklists to ensure comprehensiveness and consistency
of checks. The checklists for the OAGN level and audit engagement level QARs and the
methods for gathering and analysing evidence are documented in the appendix of this
manual. However, they may have to be customised to suit the needs of each type of
audits or QAR assignments. The primary purpose of the conducting phase of QAR is to
collect reliable, relevant and sufficient evidence to support all QAR observations and
recommendations.
The result of the independent peer reviews of activities undertaken within OAGN to
assess the overall quality of the work performed should be reported to the AG at least
annually. The ultimate purpose of conducting regular quality assurance reviews even
at audit engagement levels is to help strengthen the overall quality management
system (QMS) of OAGN.
As such, it is important that the QA unit of the OAGN submits annual QA reports to
the QAC and QAC submits to AG, in addition to the usual reports based on individual
QARs. Unlike individual QAR reports, the annual QA reports should summarise the
variety of QARs completed during the year, as well as the significant findings from
those QARs in a way that will help the OAGN top management to take appropriate
decisions on the actions necessary to further strengthen the overall QMS of OAGN:
111
‘The report on the quality assurance review program should summarise the results of
all the reviews including the tasks selected (number and type), the findings and any
recommendations. The report should not focus on individual audits but be a summary
of those findings identified during the review programme’.71
As in the case of audit work, all QA findings and observations must be supported by
sufficient, relevant and reliable evidence. Working papers of the QAR team should be
documented methodically to enable easy referencing. The draft findings and
recommendations should be discussed with management of the OAGN before
including them in the final report. The report should include a summary of
observations and recommendations on how to improve.
At the end of the review, the reviewers should prepare an overall summary
report for the Assistant Auditor General responsible for the audit;
The reviewer's report on individual engagements should be discussed with the
relevant AAG and Audit Director prior to finalisation;
Upon completion of the review, every team should submit a report to the QA
unit;
Summarised results and the follow-up recommendations for improvement
should be prepared and presented to the Auditor General:
Details of timing of the review and the names of review team members; and
A description of the scope of the review (general approach, extent of coverage
of the general quality control aspects and the description of individual audit
engagement).
The reviewer should highlight other pertinent issues that may be of interest to all
other Audit Divisions.
71 ASOSAI
112
9.4. Follow-up the QAR reporting
The reports of the QARs will not gain impetus if appropriate follow-up actions are not
undertaken. Follow-up reviews may be undertaken either by the Quality Assurance
Directorate or other QA committee. On the other hand, such a responsibility can also
be delegated on to the QA review team. Based on the QAR report, the line functions
should prepare and implement the Action Plans. The Action Plans will facilitate
undertaking proper follow- up of the QAR report.
A. Requirement of QA follow-up
Audit teams and the departments reviewed should compile action plans on
how they are going to correct the shortcomings stated in the QA review
reports.
These action plans should indicate what, who, where when and how these are
going to be corrected.
The action plans should be prepared in consultation with the QA unit and
approved by the Auditor General or senior management with appropriate
delegated authority.
The audit teams and different audit directorates should report back on their
progress with the implementation of the corrective actions.
The QA unit should perform tests to confirm the effectiveness of the corrective
actions.
OAGN should also use the results of the QA reviews to determine the training
needs of its staff in general and compile a training programme to address these
issues.
Soon after receiving the quality assurance review (QAR) reports, the concerned audit
department/division in the OAGN should prepare Action Plan/s to implement the
recommendations provided in the QAR reports.
All deficiencies and recommendations pointed out in the QAR report should be
communicated to the respective officials or units for taking appropriate measures and
remedial actions. Thereafter, OAGN should organise a brainstorming session involving
people from all levels of the management. The session could focus on, at least, the
following areas:
113
d) Responsible official/unit/division/department required to implement the
action; and/or
e) Deadline for the implementation of the actions and/or recommendations
adopted.
Depending on the level of the QAR, the recommendations or the areas needing
improvements must be prioritised for their effective implementation. Although the
QAR team may rate the risk of each of their findings and observations as High, Medium
and Low, OAGN management should again go through the same process of prioritising
the same findings and observations.
However, besides prioritising as High, Medium and Low, it must also see whether they
are applicable given the circumstances under which the OAGN is operating. In
addition, the criteria for prioritising/rating is also different and is normally decided
during the brainstorming session. The following are some of the commonly used
criteria:
a) The expected impact on OAGN and the audit engagement that will include both
the positive impact from implementing the recommendation, and negative
impact from not implementing the recommendation or not taking action/s;
b) Seriousness of the deficiency;
c) The applicability in relation to OAGN mandate, overall government policy and
the country’s development stage; e.g. one cannot expect OAGN to use the
latest auditing software when there is hardly any IT development in the
country itself; and
d) Availability of resources, such as time and money.
Based on the above criteria, including other criteria identified during the
brainstorming session, the recommendations or areas needing further improvements
can be rated as High, Medium or Low
114
E. QA Follow-up Action
Based on the Action Plan, the follow-up can be undertaken to see whether the actions
have been taken by the concerned person, divisions, department or directorate within
the given timeframe. Wherever possible, the follow-up team should also comment on
the impact of the actions on the OAGN or an audit engagement. The team should also
look for reasons for not taking the actions and suggest alternative options wherever
possible. It could be possible that although the OAGN may have the will and desire to
implement the actions but due to certain constraining factors such as time, resource
etc. the actions remain unimplemented.
The follow-up action report should be submitted to the AG for taking further action/s.
The further actions may include, but are not restricted to, the following:
a) Seeking explanation against those who have not taken any action/done
anything to implement the proposed actions;
b) Cautioning those who are lagging behind the scheduled deadlines;
c) Looking into the alternative options and making relevant persons/s or units
study the options for their applicability and practicality; and
d) Re-prioritising and dropping certain proposed plans of action that cannot be
implemented at all.
The follow-up on QARs can also be conducted by the internal Quality Assurance Unit
on a continuous basis by monitoring their implementation against the scheduled
deadlines. Therefore, it is important to involve people from the internal Quality
Assurance Unit during any Quality Assurance Reviews.
The results of QA follow-up can be utilised as input for the next QA planning process.
Follow-up can be undertaken by the QA unit to see whether the actions have been
implemented within the given timeframe. The QA unit considers:
If actions have not been implemented as planned, the QA function looks for reasons
therein and suggests alternative options wherever possible. It may be possible that
although OAGN has the will and desire to implement the actions, constraining factors
such as time, resources etc limit OAGN’s ability to implement the action plan.
The follow-up action report should be submitted to the AG or the relevant delegated
authority for taking further actions. The further actions may include, but not restricted
to, the following:
115
a) Seeking additional explanations from those responsible for implementing the
actions;
b) Cautioning those who are lagging behind the scheduled deadlines;
c) Looking into the alternative options and making relevant persons or units to
study the options for their applicability and practicality; or
d) Re-prioritising and dropping certain proposed plans of action, which are not
be implementable.
Every function within OAGN is accountable to deliver the desired results in order to
demonstrate its value to OAGN. This applies equally to the QA function. While the
outputs of a QA function may be several QA reports, the outcomes
OAGN senior management may select capable personnel or an external body such as
a private professional entity to measure and evaluate the effectiveness of the QA
function based on the improvement implemented as a result of the reviewing
function.
While evaluating the impact of the QA function on the OAGN as a whole, consideration
may also be given to Public Expenditure and Financial Accountability’s public financial
management performance measurement indicators relating to external audit,
particularly Performance Indicator such as:
To measure outcomes of the QA function, the following are some of the performance
indicators that OAGN may consider:
116
9.6. Working Environment
While managing the QA function in OAGN, management should also consider the
appropriateness of the working environment of the QA staff. Availability of the
infrastructure and resources required for comfortable working and well-being of the
QA staff can contribute to their motivation and, consequently, the quality of their
work.
Office of the Auditor General may consider the following criteria to select audit for
QAR:
Audits classified as high risk under the set criteria for QAR will be selected and
reviewed. QA Review of OAGN will be conducted when Auditor General requires but
OAG-level reviews will be generally performed at the beginning of the OAG’s strategic
planning cycle in order to provide inputs for developing the strategic plan of OAGN.
QA Team for OAGN-level may be selected internally or externally by the AG. For audit
engagement level at least one audit file of every audit team leader will be reviewed
each year after issuance of audit report. The pre issuance QAR is conducted on the
basis of criteria approved by Quality Assurance Committee. OAGN can take service of
external reviewer, if AG or QA Committee feels so.
The ultimate purpose of conducting regular quality assurance reviews (QARs) even at
audit engagement levels is to help strengthen the overall quality management system
(QMS) of OAGN. As such, it is important that the QA unit of OAGN submits annual QA
reports to the AG. Unlike individual QAR reports, the annual QA reports should
summarise the variety of QARs completed during the year, as well as the significant
117
findings from those QARs – in a way that will help the OAGN top management to take
appropriate decisions on the actions necessary to further strengthen the overall QMS
of the OAGN.
A sound system of monitoring and supervision is essential for high quality QARs.
Supervision involves directing QA staff and monitoring their work to ensure that the
QA objectives are met. Supervision involves assigning responsibilities and providing
sufficient guidance to staff members. It also involves staying informed about
significant problems encountered, reviewing the work performed, overseeing
individual development, coaching, and providing periodic feedback and effective on-
the-job training.
QA staff should receive an appropriate level of leadership and direction so that they
are encouraged to perform up to their potential and to ensure that reviews are
properly carried out. All work is reviewed by the team leader before the QA reports
are finalised. This is to bring more than one level of experience and judgment in the
review process, and to ensure that evaluations and conclusions are soundly based and
are supported by competent, relevant and reasonable evidence as a foundation for
the final opinion or report.
The Supervisor of the QA reviews should ensure that the reviewing team adheres and
conforms to the policies and procedures prescribed by the management.
The reviewing team should use the QA plan as a tool to ensure focused fieldwork by
the audit team, and also to facilitate monitoring by the team leader of the progress of
QA reviews.
In addition, the QA reviewer may use the following checklist as a guide in the
supervision and monitoring function of QAR.
118
Ensuring that all envisaged tests for evaluation and reliability of internal
controls are used during audit process.
The team leader should evaluate the effect of deficiencies noted as a result of
the monitoring process, and should determine whether -
Ensure that appropriate analytical procedures are used and the reliability,
independence and quality of relevant supporting data are assessed during the
audit process.
Sampling methods are used according to QA guidelines.
All tests of transactions clearly indicate QA objectives, adequately explain
nature and extent of QA work, and provide an overall conclusion as to the
results of QA work.
Full investigation is made of all queries during the QA review.
Existence of adequate working papers for all phases of the QA reviews
15. Repeal
The Quality Assurance policy approved in 12 February 2013 is, hereby, repealed.
119
Appendix 2 Competency Matrix
Nature Competencies
Entity and Existing Required
Mandated Gaps
to be Type of
or not if any
audited the Qualification Experience Qualification Experience
audit
OR
Based on the above mapping, certain gaps were observed in terms of required
competencies for conducting the audit of …….... number of mandated entities. These
gaps will be addressed through various interventions in the short term to achieve the
quality of audits.
72
Based on ASOSAI and PASAI
120
Appendix 3 Resource mapping 73
(Entities to Auditors)
Conclusion:
1. OAGN has an adequate staff and financial resources for the coverage of mandated
audits annually.
OR
2. OAGN does not have adequate staff to carry out the mandate audits annually. At the
same time, OAGN is constrained with limited budget cover the staff and other
operation costs for conducting the audit on an annual basis.
73
Based on ASOSAI and PASAI
121
Appendix 4 Know Your Auditee 74
Client: Period:
Prepared by:
Reviewed by:
Date: Date:
NB: The key issues noted from this document must be recorded in the relevant areas
of the audit file and should feed through into the risk assessment, audit approach
and fieldwork.
Which members of the client staff and the audit team have been involved in the
preplanning process and what are their roles?
N.B. If the Auditor’s Checklist noted that there are members of Management with whom matters
should be communicated in addition to Those Charged with Governance, there needs to be
communication with both Those Charged with Governance, and Management ~ this may,
however, be at the same time
Scope of discussion (add additional points as appropriate) ~ note that all points
should be discussed, and key issues highlighted:
74
Based on ASOSAI and PASAI
122
5. New law or regulations applying to the
organisation or changes in existing legislation;
123
Appendix 5 OAGN Level QAR Questionnaire
DATE(s) OF REVIEW:
124
No. Requirement Commentary
1.3 Relevant Ethical Requirement
What are the policies and procedures to provide reasonable assurance that OAGN and
its personnel comply with relevant ethical requirements?
An SAI should establish policies and procedures designed to provide it with reasonable
1.3.1
assurance that the SAI, including all personnel and any parties contracted to carry out
work for the SAI, comply with relevant ethical requirements.
[ISQC1 para 20 and element 2 - ISSAI 140]
How do the policies and procedures reinforce the fundamental principles?
For example:
the leadership of the SAI;
1.3.2
education and training;
monitoring; and
processes for dealing with non-compliance. [ISQC1 para A9 and element 2 - ISSAI 140]
What are the policies and procedures for dealing with and recording incidents which
have, or may have, serious consequences for the integrity of OAGN’s audit and
1.3.3 assurance activities?
[ISQC1 2016 para 20D-1 and element 2 - ISSAI 140]
What are the policies and procedures to provide reasonable assurance that OAGN, its
personnel and, where applicable, others subject to independence requirements,
maintain independence?
Such policies and procedures should enable the:
communication of independence requirements to personnel; and
1.3.4
identification and evaluation of circumstances and relationships that create
threats to independence, and taking appropriate action to eliminate those
threats or reduce them to an acceptable level by applying safeguards, or, if
considered appropriate, to withdraw from the engagement.
[ISQC1 para 21 and element 2 - ISSAI 140]
What are the policies and procedures to prevent, identify, eliminate or manage and
disclose any threats to OAGN’s independence required by the ISSAI 130 Ethical
1.3.5
Standards?
[ISQC1 2016 21D-1 and element 2 - ISSAI 140]
What are the policies and procedures to require:
engagement leads to provide OAGN with relevant information about client
engagements, including the scope of services, to enable OAGN to evaluate the
overall impact, if any, on independence requirements;
personnel to promptly notify OAGN of circumstances and relationships that
create a threat to independence so that appropriate action can be taken; and
the accumulation and communication of relevant information to appropriate
1.3.6
personnel so that:
(i) OAGN and its personnel can readily determine whether they satisfy
independence rquirements;
(ii) OAGN can maintain and update its records relating to independence; and
(iii) OAGN can take appropriate action regarding identified threats to
independence?
[ISQC1 para 22 and element 2 - ISSAI 140]
What are the policies and procedures to provide reasonable assurance that you are
notified of breaches of independence requirements (if so, to whom), and to enable
1.3.8
appropriate action to be taken to resolve such situations?
This should include requirements for:
125
No. Requirement Commentary
all who are subject to independence requirements to promptly notify the SAI of
independence breaches of which they become aware; and
the SAI to promptly communicate identified breaches of these policies and
procedures to:
(i) the engagement lead who, with the SAI, needs to address the breach; and
(ii) other relevant personnel in the SAI and those subject to the independence
requirements who need to take appropriate action; and
(iii) prompt communication to the SAI, if necessary, by the engagement lead and
the other relevant individuals of the actions taken to resolve the matter, so that
the SAI can determine whether it should take further action.
[ISQC1 para 23 and element 2 - ISSAI 140]
At least annually, do you obtain written confirmation of compliance with the policies
1.3.9 and procedures on independence from all personnel?
[ISQC1 para 24 and element 2 - ISSAI 140]
Are the same confirmation obtained for sub-contracted or agency or temporary staff, or
1.3.10
new starts before they undertake any audit work?
How does OAGN ensure that it satisfies the terms of the appointment regarding the
rotation of senior personnel (e.g. engagement lead, engagement QC reviewer and
1.3.11
senior manager?)
[ISQC1 para 25]
1.4 Acceptance and continuation
What are the policies and procedures for the acceptance and continuance of client
relationships and specific engagements, to provide reasonable assurance that OAGN will
only undertake or continue relationships and engagements where it:
is competent to perform the engagement and has the capabilities, time and
resources to do so;
can comply with ethical requirements; and
has considered the integrity of the client and does not have information that
1.4.1 would lead it to conclude that the client lacks integrity?
An SAI should establish policies and procedures designed to provide the SAI with
reasonable assurance that it will only carry out audits and other work where the
SAI: a) is competent to perform the work and has the capabilities, including time
and resources, to do so; b) can comply with relevant ethical requirements; and
c) has considered the integrity of the organisation being audited and has
considered how to treat the risk to quality that arises.
[ISQC1 paras 26 and 27 and element 3 - ISSAI 140]
What are the policies and procedures to ensure and document that before accepting an
engagement whether:
OAGN complies with relevant independence and objectivity requirements of
the ISSAI 130 Ethical Standard;
1.4.2 there are any threats to OAGN’s independence, and the safeguards applied to
mitigate those threats; and
OAGN has the competent personnel, time and resources needed in order to
carry out an audit in the appropriate manner.
[ISQC1 para 27D-1 & 57D-2 and element 3 - ISSAI 140]
Where information obtained would have caused OAGN to decline an engagement if that
information had been available earlier, do the policies and procedures on the
continuance of the engagement and the client relationship include consideration of:
1.4.3
• the professional and legal responsibilities that apply to the circumstances, including
whether there is a requirement for OAGN to report to the person or persons who made
the appointment or, in some cases, to regulatory authorities; and
126
No. Requirement Commentary
• the possibility of withdrawing from the engagement or from both the engagement
and the client relationship?
[ISQC1 para 28 and element 3 - ISSAI 140]
What are the policies and procedures to provide the sub-contractor with access to all
relevant information concerning the entity, including information concerning the most
1.4.4
recent audit?
[ISQC1 para 28D-1 and element 3 - ISSAI 140]
1.5 Human Resources
What are the policies and procedures to provide reasonable assurance that OAGN has
sufficient personnel with the capabilities, competence and commitment to ethical
principles necessary to perform its engagements in accordance with professional
standards and regulatory and legal requirements, and to enable OAGN or engagement
leads to issue reports that are appropriate in the circumstances?
1.5.1 “The SAI shall establish policies and procedures designed to provide it with reasonable
assurance that it has sufficient personnel with the competence, capabilities and
commitment to ethical principles necessary to: a) perform engagements in accordance
with professional standards and applicable legal and regulatory requirements; and b)
enable the SAI to issue reports that are appropriate in the circumstances”.
[ISQC1 paras 29 and A24 and element 4 - ISSAI 140]
What are the policies and procedures to:
ensure that the OAGN’s personnel and any other individuals whose services are
placed at the OAGN’s disposal or under the OAGN’s control, and who are
directly involved in audit activities, have appropriate knowledge and experience
for the duties assigned; and
1.5.2 provide sufficient performance incentives to secure audit quality, including
provision that the amount of revenue that OAGN derives from providing non-
audit services to the audited entity shall not form part of the performance
evaluation and remuneration of any person involved in, or able to influence the
carrying out of, the audit?
[ISQC1 para 29D-1 and element 4 - ISSAI 140]
What are the policies and procedures to ensure that outsourcing of important audit
functions is not undertaken in such a way as to impair the quality of OAGN’s internal
quality control and the ability of the competent authority to supervise OAGN’s
1.5.3
compliance with professional standards and applicable legal and regulatory
requirements ?
[ISQC1 para 29D-2 and element 4 - ISSAI 140]
What are the policies and procedures to ensure that staff engaged in audit work are,
and remain, technically up to date with general and OAGN’s requirements, and sector-
specific and other specialist requirements?
1.5.4
For example: Code of Audit Practice; international standards on auditing; technical
updates, performance audit methodologies etc.
[element 4 - ISSAI 140]
What are the policies and procedures to assign responsibility for each engagement to an
engagement lead? How do the policies and procedures ensure that:
the identity and role of the engagement lead are communicated to key
members of the audited body’s management and those charged with
1.5.6 governance;
the engagement lead has the appropriate competence, capabilities and
authority to perform the role; and
the responsibilities of the engagement lead are clearly defined and
communicated to that person?
127
No. Requirement Commentary
[ISQC1 para 30 and element 4 - ISSAI 140]
How do you monitor the workload and availability of engagement leads so as to enable
these individuals to have sufficient time to adequately discharge their responsibilities?
1.5.6
[ISQC1 para A30 and element 4 - ISSAI 140]
What are the policies and procedures to ensure the assignment of appropriate staff
with the necessary competence and capabilities to:
perform engagements in accordance with professional, regulatory and legal
1.5.7 requirements, and
enable OAGN or engagement leads to issue reports that are appropriate in the
circumstances?
[ISQC1 para 31 and element 4 - ISSAI 140]
What are the policies and procedures to ensure they have sufficient resources and with
personnel that have the necessary competence and capabilities to carry out OAGN’s
1.5.8
duties appropriately?
[ISQC1 para 31D-1
How does OAGN manage periods of peak workload? For example, are temporary staff
1.5.9 employed, or staff transferred from other (non-public sector) parts of OAGN who may
have less audit or public sector experience than other staff?
For the current audit year what proportion of the public sector audit work does OAGN
1.5.10
expect to be undertaken by such staff?
Are there any aspects of the staffing profile that OAGN has reservations about now or
1.5.11
may give you cause for concern in the future?
1.6 Engagement Performance
What are the policies and procedures to provide reasonable assurance that
engagements are performed in accordance with professional standards and regulatory
and legal requirements, and that OAGN or the engagement lead issue reports that are
appropriate in the circumstances?
This should include:
Matters relevant to promoting consistency in the quality of engagement
performance;
supervision responsibilities; and
review responsibilities, in particular that the work of less experienced
staff is reviewed by more experienced staff.
This may be achieved through the provision of manuals, electronic tools,
standardised documentation and other guidance material which address the
following:
how engagement teams are briefed to obtain an understanding of the
objectives of their work;
engagement supervision and reviewing the work performed, including
the significant judgements made and the form of report being issued;
and
appropriate documentation of the work being performed and the
timing and extent of review.
[ISQC1 paras 32 and A32 and element 5 - ISSAI 140]
What are the policies and procedures to:
establish an internal quality control system to ensure the quality of the audit
which covers at least the policies and procedures required by paragraph 32D-
1(c);
ensure that responsibility for the internal quality control system lies with a
person who is eligible for appointment as a statutory auditor;
128
No. Requirement Commentary
establish appropriate policies and procedures for carrying out audits, coaching,
supervising and reviewing the activities of OAGN’s personnel and organizing the
structure of the audit file; and
use appropriate systems, resources and procedures to ensure continuity and
regularity in the carrying out of the OAGN’s audit activities?
[ISQC1 para 32D-1 and element 5 - ISSAI 140]
What are the policies and procedures to provide reasonable assurance that:
appropriate consultation takes place on difficult or contentious matters;
sufficient resources are available to enable appropriate consultation to take
place;
the nature and scope of such consultations are documented; and
conclusions resulting from consultations are documented and
implemented?
[ISQC1 para 34 and element 5 - ISSAI 140]
1.7 Engagement quality control reviews
What are the policies and procedures to determine the criteria against which audits are
evaluated to determine whether an engagement quality control review should be
1.7.1 performed to ensure that an engagement quality control review is performed on such
audits?
[ISQC1 para 35 (b) & (c) and element 5 - ISSAI 140]
What are the policies and procedures setting out the nature, timing and extent of an
engagement quality control review?
Such policies and procedures shall require that the engagement report not be dated until
the completion of the engagement quality control review.
The Engagement Quality Control Review includes:
(i) discussion of significant matters with the engagement partner;
(ii)review of the financial statements or other subject matter information and the
proposed report;
(iii) review of selected engagement documentation relating to significant judgments the
engagement team made and the conclusions it reached; and
1.7.2
(iv) evaluation of the conclusions reached in formulating the report and consideration of
whether the proposed report is appropriate.
the engagement quality control reviewer:
(i) consider the SAI’s compliance with the FRC’s Ethical Standard in relation to the
engagement;
(ii) forms an independent opinion as to the appropriateness and adequacy of the
safeguards applied; and
(iii) considers the adequacy of the documentation of the engagement partner’s
consideration of the objectivity and independence of the SAI and its personnel.
[ISQ1 para 36, 37 & 37-1 and element 5 - ISSAI 140]
What are the policies and procedures to address the appointment of engagement
quality control reviewers and establish their eligibility through:
the technical qualifications required to perform the role, including the
necessary experience and authority; and
1.7.3
the degree to which an engagement quality control reviewer can be consulted
on the engagement without compromising the reviewer’s objectivity;
and to maintain the objectivity of the engagement quality control reviewer?
[ISQC1 para 39 & 40 and element 5 - ISSAI 140]
What are the policies and procedures for dealing with and resolving differences of
1.7.4 opinion within the engagement team, with those consulted and, where applicable,
between the engagement partner and the engagement quality control reviewer?
129
No. Requirement Commentary
Such policies and procedures require that conclusions reached should be documented
and implemented; and
the report should not be issued until the matter is resolved?
[ISQC1 paras 43 & 44 and element 5 - ISSAI 140]
1.8 Documentation
What are the policies and procedures on appropriate documentation to provide
1.8.1 evidence of the operation of each element of the system of quality control?
[ISQC1 para 57 and element 5 - ISSAI 140]
What are the policies and procedures:
to maintain confidentiality, safe custody, integrity, accessibility and
retrievability of engagement documentation; and
1.8.2 for the retention of engagement documentation for a period sufficient to meet
the needs of OAGN or as required by law or regulation and that is in any case
not less than six years from the date of the auditor’s report?
[ISQC1 paras 46, 47, 58 & 58R-1 and element 5 - ISSAI 140]
1.9 Development of quality control systems
Are there any aspects of the systems of quality control, described above, which OAGN
plans to develop, improve or otherwise change in the coming year?
1.9.1
If so, please summarise what changes are planned and the reasons for doing so. If
necessary, add additional lines to the table if outlining a number of developments.
2.1 Monitoring the Quality Control Policies and Procedures
Who has been assigned ultimate responsibility for policies and procedures on quality
2.1.1
monitoring, and how are they supported in implementing this role by others?
How does OAGN ensure that the person(s) assigned operational responsibility for
quality monitoring have sufficient and appropriate experience and authority, to assume
2.1.2
that responsibility?
[ISQC1 para 48b]
What are OAGN’s policies and procedures to:
monitor and evaluate the adequacy and effectiveness of OAGN’s systems,
internal quality control mechanisms and arrangements established in
accordance with the ISQC and taking appropriate measures to address any
deficiencies;
2.1.3
carry out an annual evaluation of the internal quality control system, referred
to in paragraph 32D-1(a); and
keep records of the findings of the evaluation required by paragraph 48D-1(b)
and any proposed measure to modify the internal quality control system.
[ISQC1 48D-1]
2.2 Quality Monitoring Reviews
What are OAGN’s policies and procedures to review completed public sector audit
engagements in OAGN, for example:
coverage of all engagement leads over a specified period;
2.2.1
the criteria for selecting individuals and specific engagements for review; and
the timing of reviews, including any that are unannounced? [ISQC1 paras A66-
A67]
How does OAGN select individuals to lead or participate in quality monitoring reviews?
Please cover issues such as:
the technical qualifications, experience and seniority required of such
2.2.2 individuals;
the use of specialist reviewers;
ensuring the independence of review teams from the engagement lead and
team under review.
130
No. Requirement Commentary
How does OAGN ensure that reviewers understand the objectives of, and approach to,
2.2.3 quality monitoring reviews?
For example: experience, training, guidance material etc.
How are OAGN’s quality monitoring reviews performed and documented?
Please cover issues such as:
the use of checklists;
documentation requirements;
2.2.4 the extent of coverage of individual reviews (e.g. if these are scoped on a risk
basis is there reasonable coverage of all Code of Audit Practice areas over the
annual quality monitoring programme - and is grant claim work covered?); and
follow up of issues identified in previous quality monitoring programmes and
any action plans
Does OAGN’s approach involve evaluating the effect of deficiencies noted as a result of
the monitoring process and determining whether they are either:
instances that do not necessarily indicate that the SAI's system of quality
control is insufficient to provide it with reasonable assurance that it complies
2.2.5 with professional standards and regulatory and legal requirements, and that
the reports issued by the SAI is appropriate in the circumstances; or
systemic, repetitive or other significant deficiencies that require prompt
corrective action?
[ISQC1 para 49]
How does OAGN ensure the consistency of quality monitoring review judgements and
2.2.6
assessments?
2.3 Reporting results of quality monitoring reviews
What reporting criteria OAGN use to assess the overall quality of the engagements that
2.3.1
are reviewed?
How does OAGN communicate the results of quality monitoring reviews to relevant
engagement leads and other appropriate personnel, along with any deficiencies noted
as a result of the monitoring process and recommendations for appropriate remedial
action?
The evaluation of each type of deficiency should result in recommendations for one or
more of the following
taking appropriate remedial action in relation to an individual engagement or
2.3.2
member of personnel;
the communication of the findings to those responsible for training and
professional development;
changes to the quality control policies and procedures; and
disciplinary action against those who fail to comply with the policies
and procedures of the SAI, especially those who do so repeatedly. [ISQC1 para
50 & 51]
How does OAGN determine, where the results of the monitoring procedures indicate
that a report may be inappropriate or that procedures were omitted during the
2.3.3 performance of the engagement, what further action is appropriate to comply with
relevant professional standards and regulatory and legal requirements?
[ISQC1 para 52]
How does OAGN communicate the results of the quality monitoring programme to
engagement leads and other appropriate individuals within OAGN, including OAGN's
chief executive officer or, if appropriate, its managing board of partners?
2.3.4
Such communications should enable the SAI and these individuals to take prompt and
appropriate action where necessary in accordance with their defined roles and
responsibilities. Information communicated should include:
131
No. Requirement Commentary
a description of the monitoring procedures performed;
the conclusions drawn from the monitoring procedures; and
where relevant, a description of systemic, repetitive or other significant
deficiencies and of the actions taken to resolve or amend those deficiencies.
[ISQC1 para 53]
2.4 Quality monitoring of reporting deadlines
How does OAGN ensure compliance with, and monitor OAGN’s performance against,
key reporting deadlines or your own target submission dates?
2.4.1 For example: annual audit plans; reports to management; certification deadlines; and
annual audit reports to audited bodies or audit progress reports; information returns;
current issues returns; and minimum datasets to the SAI.
What procedures are in place to ensure that any issues identified by OAGN relating to
2.4.2
the submission and completion of such returns are rectified on future submissions?
2.5 Satisfaction Surveying
What are OAGN’s arrangements for assessing the satisfaction of audited bodies with the
firm's audit work?
2.5.1 Please describe the approach taken, frequency, coverage and how the results of your
satisfaction surveys are used and reported.
Do you consider any such work by The SAI to avoid any perception of duplication?
2.6 Development of quality control systems
How does the SAI assess the impact of OAGN’s audit work?
This could consider:
2.6.1 the work of auditors at individual audited bodies;
impact of the audit regime on wider numbers of audited bodies; and
work in a single year or over a longer period.
2.7 Development of quality control systems
Please provide a summary describing any other quality monitoring procedures applied
to OAGN work.
This could include:
'office' reviews (i.e. monitoring of compliance with general quality control
procedures that are not specific to individual audit engagements, e.g.
independence/attendance at training etc);
'hot' reviews of work prior to reporting or completion;
independent review of outputs; and
any other quality monitoring procedures you consider relevant to the quality
appraisal process.
2.8 Development of quality control systems
Are there any aspects of your systems of quality monitoring, described above, which
you plan to develop, improve or otherwise change in the coming year?
If so, please summarise what changes are planned and the reasons for doing so. If
necessary, add additional lines to the table if outlining a number of developments.
132
Appendix 6 Ethical and Professional declaration76
No. Principles
P03 Present fairly through the obligation to report truthfully and accurately.
Exercise due professional care through the application of diligence and fair judgement in
P04
conducting the QA review.
Maintain an objective state of mind and ensure the findings and conclusions are based only
P05
on the evidence.
Team Leader/Member
Dated:
76
Based on ASOSAI and PASAI
133
Appendix 7 QAR General Procedures77
77
Based on ASOSAI and PASAI
134
Appendix 8 QAR Report Content78
1. Date
2. Address
This is usually the physical address of QAR team at the time of writing the report.
3. Addressee
The report is addressed to the division/unit of the audit manager of which the QAR
has been done for the audit engagement, to the Auditor General if the QAR is of
OAGN as a whole..
4. Heading
5. Introduction
6. Expected outputs
The expected outputs would normally include feedback to OAGN management. The
feedback will not be on one file but will include findings from a number of files. The
output would include:
collated findings;
trends and possible recommendations; and
assessment of the OAGN’S QA system.
This would include the actual work done and the procedures followed by the QAR
team. This would cover items such as:
78
Based on ASOSAI and PASAI
135
entrance conference conducted to reference to OAGN, it’s the mandate and to
provide a briefing on how the process has evolved;
main focus of the review;
number of files reviewed and procedures followed;
the criteria applied on choice of files to be reviewed;
discussions with the team members; and
the OAGN’s QA model and auditing standards (e.g. NGAS) on issues such as
review and documentation to be used.
In this paragraph, the review team will make a list of good practices. Although this has
not been the trend, we propose that issues relating to the good practices noted on the
audit assignment be incorporated. Good practices to be considered would range from
planning to reporting. They should illustrate the strengths/strong points of the SAI
being reviewed. Issues to be raised here may include the following:
Examples of areas at audit engagement level are highlighted below. At this level, areas
for improvement may cover:
Planning: Some of the items that normally require improvement in planning are:
Fieldwork issues: Some of the issues that may be included for improvement in
fieldwork are:
136
the index related to the WPs;
irrelevant materials were filed;
WPs were signed by the reviewers;
tick marks or work performed were explained;
the reviewer checklist was on file;
core issues are considered in the recommendations; and
Auditor General has ownership of the audit files for work done.
Suggestions for the AG for review of OAGN and head of the department / division /
directorate for review at audit level: The review team should make suggestions for
consideration to improve its operations.
strengthening reporting;
streamlining the documentation requirements;
reviewing the QA system;
making field inspections more efficient;
presentation on the importance of documentation; and
familiarity with the QA questionnaire.
The conclusion is based on all findings from the review performed on the audit
engagement level (files). The review team may give its general perception on the
whole exercise and what effect the review has on the files being examined.
The head of the QAR team signs the report before sending it to the head of the unit
that was reviewed.
If shortcomings were identified during the review, these must be corrected before the
review leader can sign off the review. If there are unresolved differences between the
review team and the audit team, this must be resolved before the report is signed. In
such instances, the prescribed process in OAGN's QA policy should be followed to
resolve the differences.
The findings should be discussed with the audit team. For every finding, the team
should indicate whether there is agreement/disagreement on the finding.
137
the audit team should ensure that the matters are addressed in a timely
manner; and
the review team should perform additional review work to confirm that the
matter has been addressed and should indicate whether the matter has been
resolved to their satisfaction and the date on which the reviewer confirmed
that it was resolved.
Where there was disagreement on a high-risk matter, or other important matter, the
audit team should clearly state the reason for the disagreement and ensure that
OAGN’s process for differences of opinion is followed to resolve the matter before the
audit report is issued. Detail on such a process should be included in the working
paper.
Where a difference of opinion between the review team and the audit team exists,
the following procedures for dealing with differences of opinion can be followed by
OAGN:
The steps in the process to be followed by the audit team to resolve differences of
opinion include:
Research:
138
Consideration of similar circumstances or experience among senior staff in OAGNI or
the region may provide guidance for consensus in the resolution of the difference of
opinion.
Mediation:
139
Appendix 9 Outsourced Audits’ QAR79
SECTION/UNIT/GROUP
DIRECTOR
DATE OF REVIEW
FINDINGS DISCUSSED ON
REVIEWER DATE
79
Based on ASOSAI and PASAI
140
13 Has the auditor identified audit procedures in such a way as to enable
the auditor to obtain sufficient appropriate audit evidence to be able
to draw conclusions on which to base the auditor’s opinion?
Audit team management and Skills
14 Has the appointed Auditor ensured that the “engagement team
collectively have the appropriate competence and capabilities? Does
this agree with the original contract/appointment letter conditions?
15 Has the appointed Auditor demonstrated an understanding of
professional standards and the applicable legal and regulatory
requirements?
16 Has the appointed Auditor demonstrated required technical
expertise, including expertise with relevant information technology
and specialised areas of accounting or auditing?
17 Has the appointed Auditor demonstrated knowledge of relevant
sectors in which the audited organisation operates?
18 Has the appointed Auditor undertaken the quality control policies and
procedures as specified with the contract/letter appointment?
19 Has the appointed Auditor demonstrated an understanding of the
applicable reporting arrangements?
20 Has the appointed Auditor demonstrated the knowledge, skills and
expertise required for conducting the contracted financial audit?
21 Has the appointed Auditor demonstrated clear reporting lines and
allocation of responsibilities within the team?
Quality control in financial audit
22 Have OAGN staff been identified to review the appointed Auditors:
• audit plan reviewed,
• working papers
• the work of the Auditor
• to monitor the progress of the audit
Financial Audit Process
23 For environments that do not have authorised or recognised standard
setting organisations or financial reporting frameworks prescribed by
law or regulation, has the auditor determined whether the financial
reporting framework is acceptable.
24 Is there evidence that the appointed auditor determined materiality
for the financial statements as a whole, the materiality level or levels
to be applied to particular classes of transactions, account balances or
disclosures and should also have determined performance materiality
(including assessment of materiality by value, nature and context)
25 Is there evidence that the appointed auditor identified the
appropriate contact person(s) within the audited entity’s governance
structure and communicated with them regarding the planned scope
and timing of the audit and agreed the terms of the audit engagement
with management or those charged with governance.
26 Is there evidence that the appointed auditor developed an overall
audit strategy that includes the scope, timing and direction of the
audit, the nature, timing and extent of resources necessary to carry
out the engagement, and plan the audit properly to ensure that it is
conducted in an effective and efficient manner including the nature,
timing and extent of planned risk assessment procedures and the
nature, timing and extent of planned further audit procedures at the
assertion level.
141
27 Is there evidence that the appointed auditor understands the audited
entity and its environment.
28 Is there evidence that the appointed auditor evaluated the overall
internal control environment.
29 Is there evidence that the appointed auditor an understanding of
internal control relevant to financial reporting.
30 Is there evidence that the appointed auditor assessed the risks of
material misstatement at the financial statement level.
31 Is there evidence that the appointed auditor identified and assessed
the risks of material misstatement of the financial statements due to
fraud.
32 Is there evidence that the appointed auditor identified the risks of
material misstatement of the financial statements due to material
non- compliance with laws and regulations.
33 Has the appointed Auditor confirmed that he/she has complied with
the OAGN’s ethical requirements: integrity, independence and
objectivity, competence, professional behaviour, confidentiality and
transparency. (E.g. by avoiding long-term engagements with the same
audited entity, and requiring appropriate declarations from staff in
relation to ethics and independence)
Executing Financial Audit
34 Has the appointed Auditor responded to assessed risks by designing
audit procedures such as substantive procedures and tests of
controls? The nature, timing and extent of audit procedures are based
on and are responsive to the assessed risks including the inherent risk
and the control risk.
35 Has the appointed Auditor obtained sufficient appropriate audit
evidence regarding the assessed risks of material misstatement due to
fraud and when relevant responded appropriately to fraud or
suspected fraud identified during the audit?
36 Has the appointed Auditor obtained sufficient appropriate audit
evidence regarding compliance with the laws and regulations that are
generally recognised to have a direct and material effect on the
determination of material amounts and disclosures in financial
statements?
37 Where relevant: During the audit has the appointed Auditor obtained
sufficient appropriate audit evidence in relation to:
• The use of external confirmations as audit evidence;
• Audit evidence from analytical procedures and different audit
sampling techniques;
• Audit evidence from using the work of internal audit functions;
• Audit evidence from external experts.
38 Confirm that the appointed Auditors audit procedures [were
performed] in such a way as to obtain sufficient appropriate audit
evidence and thus draw conclusions on which to base the auditor’s
opinion.
39 Confirm that the appointed Auditors planned audit procedures were
performed, or where planned audit procedures were not performed,
an explanation as to why not is retained on the audit file and this has
been approved by those responsible for the audit.
Evaluating Audit Evidence, Concluding and Reporting in FA
40 Confirm that the appointed Auditors have prepared audit
documentation that is sufficient to enable an experienced auditor,
142
with no prior knowledge of the audit, to understand the nature,
timing and extent of the audit procedures performed the results and
the audit evidence obtained.
41 Confirm that the appointed Auditors documentation procedures have
been followed regarding: the timely preparation of audit
documentation; the form, content and extent of documentation; the
assembly of the final audit file.
42 Confirm that the auditor identified the appropriate contact person(s)
within the audited entity’s governance structure and communicated
with them regarding any significant findings, all misstatements
recorded during the course of the audit.
43 Confirm that the Auditors audit findings are subject to procedures of
comment and the recommendations [or observations] to discussions
and responses from the audited entity.
44 Has the auditor accumulated misstatements identified during the
audit, and communicated with management and those charged with
governance as appropriate on a timely basis all misstatements
accumulated during the course of the audit?
45 Confirm that uncorrected misstatements have been evaluated by the
Auditor for materiality, individually or in aggregate.
46 Has the appointed Auditor formed an opinion based on an evaluation
of the conclusions drawn from the audit evidence obtained, as to
whether the financial statements as a whole are prepared in
accordance with the applicable financial reporting framework.
Confirm that the form of audit opinion provided is appropriate
considering guidance in ISSAI 200, as follows:
i. An unmodified opinion if it is concluded that the financial
statements are prepared, in all material respects, in
accordance with the applicable financial framework.
(Including the use of Emphasis of Matter Paragraphs)
Otherwise a modified opinion which can be in three forms:
ii. A qualified opinion if: (1) the auditor concludes that
misstatements [are] material, but not pervasive, to the
financial statements; or (2) the auditor was unable to obtain
sufficient appropriate audit evidence on which to base an
opinion, but the possible effects could be material but not
pervasive.
iii. An adverse opinion if the auditor concludes that
misstatements are both material and pervasive.
iv. Disclaim an opinion if, having been unable to obtain sufficient
appropriate audit evidence on which to base the opinion, the
auditor concludes that the effects could be both material and
pervasive.
47 Confirm that the appointed Auditor’s report is in a written form and
contain the following elements:
(i) A title;
(ii) An addressee as required by the circumstances of the
engagement;
(iii) An introductory paragraph that identifies whose financial
statements have been audited;
(iv) A section with the heading ‘Management’s responsibility for
the financial statements’;
143
(v) A section with the heading ‘Auditor’s Responsibility’, stating
that the responsibility of the auditor is to express an opinion
based on the audit of the financial statements;
(vi) A section with the heading ‘Opinion’;
(vii) The auditor’s signature;
(viii) The date on which the auditor obtained sufficient appropriate
evidence on which to base the auditor’s opinion on the
financial statements;
(ix) The location in the jurisdiction where the auditor practices.
48 Is the Report easy to understand, free from vagueness and ambiguity
and complete?
It should be objective and fair, only including information which is
supported by sufficient and appropriate audit evidence and
ensuring that findings are put into perspective and context.
49 Confirm that any audit observations and recommendations are
written clearly and concisely, and are directed to those responsible
for ensuring they are implemented.
50 Confirm Where relevant: “If the conditions [for the acceptance of the
financial reporting framework] are not met, has the Auditor evaluated
the effect of the misleading nature of the financial statements on the
Auditor’s report and the opinion, and consider the need to inform the
AG/legislature about the matter.
51 Confirm Where relevant: The Auditor’s report on special-purpose
financial statements [i.e. budget execution reports], the report
should: describe the purpose for which the financial statements are
prepared and the Auditor should include an Emphasis of Matter
paragraph alerting users to the fact that the financial statements have
been prepared in accordance with a special-purpose framework.
144
Appendix 10 Peer Review Checklist80
SECTION/UNIT/GROUP
DIRECTOR
DATE OF REVIEW
FINDINGS DISCUSSED ON
REVIEWER DATE
________________________________________________________________ Introduction
The following pages are designed to serve as a framework regarding issues that might be addressed in the
course of a peer review. They include a checklist of questions. This checklist furnishes a catalogue of issues
that may be covered in a peer review. It is neither a prescriptive list of issues that should or must be
included nor is the checklist exhaustive. A peer review might certainly also cover other topics which are
not mentioned in the checklist.
This checklist may be used for self-assessment before the conduct of the external peer review
Particulars Comments
1 Understanding the General Framework
1.1 Legal independence Comments
The peers may gain an understanding as to how the Declaration of Lima’s postulates
regarding independence are met. Experience has shown that the legal provisions on
independence are the key element of the general framework and understanding them is a
key element of a successful peer review. Thus, they might wish to see how the
establishment of OAGN and the necessary degree of their independence is laid down in the
Constitution and/or applicable legislation; how the independence of its members and
officials is guaranteed and what provisions are in place with a view to financial
independence and relevant INTOSAI guidelines.
Does OAGN provide parliament with independent, objective and reliable information
on Government performance?
How is the head of SAI appointed?
How long is his/her term of office?
1.2 Financial independence
Is OAGN’s financial independence guaranteed legally and evidenced in practice?
Does OAGN receive sufficient funds to achieve its mandate, including accessing funds
to buy in external advice and support if needed?
Does OAGN present its budget to the parliament directly or indirectly – after
discussion with the MOF?
Is OAGN authorised to use the funds allotted to it under a separate budget heading as
it sees fit or is the budget subject to any interference by the executive power or
parliament?
1.3 Organisational independence
80
Based on ASOSAI and PASAI
145
Particulars Comments
Is OAGN’s organisational structure (court system, auditor general or board system,
etc.) set forth in legal provisions or in some other way formally approved?
Is the organisation structure suitable to fulfil OAGN’s mandate?
1.4 Audit mandate
Are the powers of action open to OAGN laid down in the constitution and/or
applicable legislation and do these specify its missions, powers and responsibilities?
This chiefly concerns its right to freely to decide upon the selection, implementation,
reporting and follow up on audits.
Does OAGN’s mandate describe the procedures for reporting audit findings and
audited entity’s obligation to fully cooperate with its auditors by giving them free
access to all the information or documents they seek?
1.5 Audit functions and approach
What precisely are the audit functions of OAGN?
May OAGN exercise its audit functions at its own discretion or are there also
mandatory audits to perform?
Do they cover the central government level or do they also extend to regional and
local government as well as to state owned enterprises or other entities?
Do they encompass private entities as well, for example if they receive public funds?
Does OAGN’s audit cover all government operations and transactions that have a
financial impact?
Are OAGN’s basic audit powers, duties and reporting responsibilities embodied in the
Constitution or other legislation?
Are rules in place that defines the relationship with internal auditors and with other
government entities and with private audit firms that carry out external audits in the
public sector?
1.6 Strategy
Has OAGN imposed upon itself a performance standard that it strives to achieve?
Are those standards adhered to by its staff and do key stakeholders perceive OAGN to
be working to sound professional standards?
Has OAGN developed strategic goals based upon this self-imposed standard, which
govern the achievement of its aims, (for example its advisory functions, real-time audit
etc.), its focus on audit standards (financial and performance audit etc.) and the
proper and effective use of public funds as well as the development of sound financial
management?
May employees participate in the definition of OAGN's strategic goals?
Does OAGN have, and implement, an audit strategy and performance indicators that
constitute guidance allowing it to address its tasks and evaluate the impact for the
audited bodies as well as for public finances?
1.7 Internal governance
Does audit legislation authorise OAGN to issue rules and regulations for the internal
governance of the organisation, including such matters as selection, training, functions
and promotion of staff?
Has OAGN developed an ethics code describing what is expected of staff and
formalising processes to avoid conflicts of interest and other improper actions?
Does OAGN effectively formalise and implement the values of ethics and integrity
based on the principles generally accepted by the INTOSAI community?
Does OAGN encourage the development of an auditor’s behaviour that is consistent
with these values?
Does a policy exist to monitor compliance to ethics and independence requirements?
Does OAGN regularly review its working methods, manuals and practices to improve
its effectiveness?
1.8 Accountability
146
Particulars Comments
To whom does OAGN report on its activities and performance?
Is this done by means of periodic public reporting?
Is OAGN subjected to periodic external scrutiny and/or audit? Is it ensured that the
scope of this audit does not interfere with OAGN’s independence?
Are the processes for selecting the external auditors transparent?
Are the results of the external scrutiny process made publicly available and are agreed
recommendations acted on by OAGN?
Does OAGN report regularly on how its resources have been used and what results
have been achieved?
1.9 Legal / administrative recommendations
Is OAGN authorised to propose recommendations for amendments to draft laws and
administrative procedures when it notes room for improvement?
Is OAGN authorised to draw attention to audit findings that have a bearing on the
rationale for policy decisions or on the impact of such decisions?
Is OAGN authorised to recommend legislative amendments, if it has found evidence
that applicable legal provisions have or may have effects not desired by the Legislature
or if OAGN finds that the Legislature's objectives can be achieved more efficiently?
Does OAGN make use of these authorisations?
2 Internal standards and regulations/quality control procedure
2.1 Audit types
What types of audit does OAGN perform?
How does OAGN balance the different types of audit, i.e. regularity/compliance,
financial and performance audit, and combinations thereof?
2.1.1 Financial audit
Does OAGN have a mandate for auditing the adherence to regulations providing the
basis for disbursements, collection of revenues and commitment of funds?
Does the mandate cover the accuracy with which revenues and expenditures are
calculated, supported by vouchers and stated in the accounts as well as compliance
with applicable financial management, provisions and principles?
Does OAGN have jurisdictional functions? What are the procedures and sanctions
applied?
2.1.2 Performance audit
Does OAGN carry out various methods of performance audits such as: process- based
studies, organisational studies, impact and outcome studies, cost benefit analysis,
specific service and quality management studies, environmental and IT audits?
Are provisions in place with regard to looking into whether the optimum ratio
between the objectives pursued and the resources utilised has been sought and
obtained?
Does OAGN examine the economy, efficiency and effectiveness of measures?
Does the audit cover the effectiveness of government operations and transactions
including the extent to which agreed targets have been achieved (effectiveness)?
Does the audit cover the examination of the extent to which the input of resources
was kept to the minimum necessary to achieve the pre-set objectives (efficiency)?
Does the audit also imply a need for evaluating programme results? As a matter of
principle, such an evaluation should address the following aspects:
- target achievement;
- outcomes;
- performance (efficiency of implementation and efficiency of the programme
itself?); and
- the impact on the general public
2.1.2 Compliance audit
147
Particulars Comments
Does OAGN have a mandate for auditing the adherence to regulations providing the
basis for disbursements, collection of revenues and commitment of funds?
Does the mandate cover the accuracy with which revenues and expenditures are
calculated, supported by vouchers and stated in the accounts as well as compliance
with applicable financial management, provisions and principles?
Does OAGN have jurisdictional functions? What are the procedures and sanctions
applied?
2.1.3 Exceptions and materiality of findings
Is it laid down that OAGN should avoid audit gaps whenever possible, i.e. is it ensured
that the widest possible overview over public financial management is achieved?
Especially, is the avoidance of audit gaps that impose a material risk laid down?
2.1.4 Real-time audit
Are there any rules authorising OAGN to perform audit work at an early stage of a
project or programme, e.g. once a decision has been taken but expenditure has not
yet been incurred and any potential damage might still be avoided?
2.2 Audit standards
• Does OAGN use audit standards which clearly set out how audit work has to be
performed?
Do these standards align with the audit tasks, INTOSAI standards (ISSAIs) as well as
other guidelines and professional standards?
If yes, how does OAGN make sure that these standards are implemented?
If the auditors follow international / external standards – do they need to give a
reason when they decide not to adhere to them in an individual case?
Does OAGN conduct audit missions in accordance with its own standards?
Does OAGN see to it that its standards are regularly updated?
Are the standards easily available for all auditors (e.g. in libraries, in the form of
electronic records or via the Internet)?
Is there a procedure in place to verify that all auditors know the standards?
Are the audit standards disseminated?
Are the standards clearly authorised and are SAI staff obliged to adhere to them when
carrying out their audit work?
How are auditors encouraged to master and widely use the standards?
Has OAGN, as a first step, defined and decided upon the appropriate standards and
level of quality for its outputs and then established comprehensive procedures
designed to ensure that this level of quality is attained?
Does OAGN have a role in (national) standard setting for) government accounting and
auditing standards?
If not, is the relationship between OAGN and the entity responsible for developing
government accounting standards defined?
Is OAGN involved in legislation concerning audit procedures?
2.3 Quality control
Do the audit standards provide for reviews of quality control?
Are there systems and procedures in place to:
- confirm that integral quality assurance processes have operated satisfactorily;
- ensure the quality of the audit report;
- ensure improvements and avoid repetition of weaknesses;
- make sure that there is a good communication flow;
- make sure that there is a feedback process;
- implement the principles of ISSAI 40.
Has OAGN also established its own quality control arrangements regarding audit
planning, conducting and reporting?
148
Particulars Comments
May audits be reviewed in depth by suitably qualified SAI staff not involved in those
audits and is this actually done?
Is there a guarantee that audit work is performed by one official and authorised by
another?
Are there processes in place to identify generic lessons from these quality reviews and
to disseminate these within OAGN?
Does OAGN have a quality assurance manual in compliance with international
standards?
Does the manual set up the goals and demand of audit quality?
Does the manual describe responsibilities, processes, methodologies as well as the
means to measure the quality of SAIs audits?
Does OAGN have a detailed plan of each audit it plans to deliver that sets clearly as to
how the audit will be conducted?
Does the team of each audit report regularly about the development of audit work
and compliance with the planning as well as with the quality assurance manual?
2.4 Internal / external review
Has OAGN instituted its own internal audit function with a wide charter to assist it to
achieve effective management of its own operations and sustain the quality of its
performance?
Does this internal audit function report directly to the head of OAGN?
Is there a formal process for ensuring that the recommendations of the internal audit
function are acted on, once OAGN has accepted them?
Does OAGN set an internal review to prevent risks and provide a reasonable assurance
to fulfil in good conditions the missions it is assigned according to its objectives,
strategy and performance criteria (see also point 3.2.3 Economy, efficiency and
effectiveness)?
Does OAGN seek the views of audited entities regarding the quality of its audit
reports?
Has a team of quality assurance auditors been formed to carry out these tasks?
Does OAGN periodically evaluate its work methods by self-assessments in order to
implement a process of continuous improvement?
Does OAGN undergo periodic external evaluation, e.g. peer reviews, of its work as part
of a commitment to a continuous improvement process?
2.5 Relations to other public entities
Is the relationship between OAGN and Legislature and also Government clearly
defined by law according to the conditions and requirements of the national situation,
with SAI independence as the guiding principle?
2.6 Security of information
Does OAGN have clear standards in place to assure that information is treated with
due confidentiality?
Does OAGN ensure that privileged information acquired is made available only to the
addressee and not to third parties?
Does OAGN ensure the communication of these standards among the auditors as well
as their application?
3 Structural aspects
3.1 Formal rules
3.1.1 Structure and responsibilities
Does OAGN possess an organisational structure that enables it to fulfil its tasks in good
conditions of effectiveness, economy and efficiency?
Are functions and responsibilities defined clearly and transparently for all staff and are
overlaps avoided?
149
Particulars Comments
On the other hand, is the full coverage of all SAI tasks ensured?
Does OAGN have an efficient system of internal reporting and communication?
Does OAGN have a mechanism in place to ensure quality control and quality assurance
within the overall structure?
Is there a commitment on the part of OAGN’s top executive to promote and ensure
that quality control is practised?
3.1.2 Alterations in the audit tasks
Is OAGN able and flexible enough to respond to changes in its audit tasks in a timely
manner, provided the law permits?
3.2 Functional areas
3.2.1 The audit process – structure and documentation
Is the entire audit process clearly structured and are the roles of all those involved
defined clearly and transparently?
Is there a clear procedure for resolving differences of opinion?
Is the audit process adequately and continuously documented?
Does OAGN have a wide field of attributions to evaluate and decide on all aspects that
are essential for the accomplishment of its missions?
3.2.2 Technical and administrative requirements
• Does OAGN possess the technical and communicational means needed to fulfil its
tasks?
Is the IT equipment adequate?
Does OAGN foster the use and the development of information technologies, including
the use of computer-based auditing methods?
Have training events on computer-assisted auditing been held?
Does an audit manual on IT assisted audit exist?
Does this include an (electronic) archiving function and the internet/intranet?
Are there administrative units within OAGN which support the work of audit teams by
carrying out clerical, IT and publishing tasks?
3.2.3 Economy, efficiency and effectiveness
• Are there provisions (e.g. financial and human resources, logistical and transport
provisions) to ensure that OAGN performs its tasks in an economic, efficient and
effective way?
Does OAGN have benchmarks to monitor its performance and does it address
weaknesses?
Is information about weaknesses in OAGN’s performance reported to senior
management and consistently acted upon?
3.2.4 Human resources
3.2.4.1 General strategy
Has OAGN established a clear strategy providing adequate assurance it has the
necessary staff, both in numbers and skills, to address its tasks (workforce plan)?
Are there clear policies in place covering such human resource issues as staff
entitlements to training and development, staff appraisals, pay and remuneration,
dealing with conflicts of interest, and staff rotation?
Does OAGN have a policy in place to identify the staff having the skills currently
needed by OAGN?
Does OAGN provide for maintaining know-how of staff leaving the organisation? •
Does OAGN lay stress on personal/social skills as well as technical skills?
3.2.4.2 Recruitment strategy
Has OAGN established a clear strategy for recruiting and selecting new staff members?
Does OAGN seek excellence and anticipate its future needs according to the type of
work OAGN expects to perform in the future?
150
Particulars Comments
Is the recruitment strategy separated from the general strategy?
Does it provide for education objectives and programmes, or are these drawn up in a
separate document?
Can OAGN access persons with specialised knowledge such as engineers, architects or
IT specialists?
Does OAGN use adequate ways of recruiting (e.g. assessment centres etc.) and is it
independent in selecting new staff?
Does OAGN ensure that its staffing needs are publicly known so as to make the hiring
process transparent and generally open to applicants, thus providing for equal
opportunities?
Does OAGN place adequate emphasis on professional education and experience when
recruiting staff?
3.2.4.3 Initial and induction training
Does OAGN provide initial training and induction training designed to help new
arrivals? This concerns (among other things) such matters as organisational structure,
internal and external working relationships, ethical standards, performance standards,
etc
Does induction training include a trial period and a period of practical field work?
Does OAGN prefer recruiting skilled/experienced staff or does it want to train the
newcomers itself?
3.2.4.4 Technical and skills training
Does OAGN provide for technical and skills training intended to equip auditors with
the methodological knowledge and skills needed to plan, conduct and report on
whatever type of audit (compliance, regularity, financial or performance) the
individual auditor is expected to perform, and to do so efficiently and at a high level of
quality?
Does OAGN have a dedicated technical support unit that updates technical documents
and provides support?
Does OAGN use staff as facilitators who have considerable expertise/experience in the
knowledge and skill areas which shall be trained?
Are staff training needs evaluated?
Are auditors given the chance to point out training opportunities at home or abroad?
3.2.4.5 Managerial training
Is there managerial training for those supervising an audit team?
Does this ensure that managers have the skills required as they progress within the
organisation, for example operational and strategic planning, budgeting for time and
money, analysing of results, communication, presentation and social skills?
Is there a strategy in place to identify and train future managers?
3.2.4.6 Continued training
Is there a policy in place to ensure that auditors routinely undergo training to
continuously maintain and enhance their professional capabilities?
Does OAGN have a commitment to life-long learning?
Is there a training programme detailed by weeks and months, and are education
objectives determined for a year or a longer period?
Is there a mechanism in place to ensure that all auditors take part in training?
In order to improve the knowledge and know-how of staff, and help them deal with
the increasing diversity of the tasks they have to undertake, do they have the
opportunity to benefit from external training courses, internships, or secondments-
including the opportunity to participate in joint audit missions with other SAIs?
Are employees adequately motivated to develop their professional skills?
3.2.4.7 Evaluation
151
Particulars Comments
Is staff performance evaluated on a regular basis?
Are the evaluation criteria generally known?
Is the evaluation performed objectively?
Are the objectives and the proposed use of evaluation results been defined?
3.2.4.8 Employee feedback
Does OAGN ensure that staff are treated fairly and equally? Does OAGN obtain
feedback on these issues?
Is a mechanism in place allowing staff to express their opinions confidentially and
permitting that the suggestions made are considered?
4 Audit approach
Audit approaches vary according to the mandates of SAIs. The following subparagraph
therefore deals first with questions that apply to all forms and mandates, while the second
subparagraph lists questions that will only be asked if OAGN’s audit mandate provides for
the specific type of audit.
4.1 Audit selection
4.1.1 General strategy
The general strategy may differ in respect to mandatory financial audits – with the legal
obligation to cover all entities – and performance audits that are fully under discretion of
the individual SAI.
Does OAGN consider the following when it decides what areas to audit and when to
perform those audits:
- the assessment of risks and the significance, sensitivity and materiality and added
value of the audit topics;
- the financial and human resources required for the performance of particular
audits, including consideration of the availability of audit staff with the required
skills, also considering the size and complexity of the audited entity;
- the time at which the results of particular audits are likely to prove most useful,
including consideration of timing requirements imposed by law;
- the potential need to revise audit priorities in response to changing
circumstances; and
- the selection and timing of audits may also be influenced by the work of internal
auditors or other auditors performing audits on the same bodies.
4.1.2 Priority of audit tasks
When selecting audit tasks to be included in audit planning, does OAGN take due care
to avoid audit gaps?
Does OAGN use relevant criteria to prioritise audit topics?
How does OAGN handle relative priority among potential audit subjects, considering
audits required by law, where applicable, and the limits of the mandate?
Do indicators exist for quickly and reliably measuring the financial weight, materiality
and risk of the audit?
Is OAGN free to use a sampling technique?
Is OAGN free to leave specific accounts unaudited?
4.1.3 Selection of bodies to be audited
Does OAGN select audit subjects with a view to generating audit findings that provide
an overview of the government operations that come under its audit authority?
Does OAGN collect information about the audited subjects and use this to identify
areas which merit inspection?
4.1.4 Cost efficiency
Cost-consciousness may require that preference be given to audits which, based on
previous knowledge, are likely to generate significant findings.
Are new audit areas also adequately considered?
Are there rules to this effect?
152
Particulars Comments
4.2 Audit planning
4.2.1 Resources
Does the reviewed SAI have an effective process in place by which it decides on how to
use its discretionary resources to best effect?
Are resources used in audit(..) missions allocated appropriately?
Are audits delivered within the deadlines?
Does OAGN use any information collected during previous audit(..) work or
benchmarking exercises to help it estimate adequately resources and timeframe of the
audits?
Are contingency plans in place to reduce the delays caused by the assignment of staff
to other tasks, leave of absence or sick leave?
Does OAGN have a policy of considering the need for financial and human resources
required for the performance of particular audits, in particular:
- the number and skills of the staff available for the audit;
- the resources such as time, funding and others including external expertise, when
relevant, necessary for conducting audit work; and
- the risks that may be encountered in the audit?
4.2.2 Adequacy
Does OAGN develop an understanding of the environment, accountability and key
management systems of the audited body prior to the actual audit?
Are there procedures in place to ensure the quality of the audit questions and
methods, which are supposed to be used in the audit?
Does OAGN provide for a follow-up review to determine whether appropriate action
has been taken on audit findings and recommendation previously reported?
Does OAGN ensure that the audits delivered by OAGN are in accordance with its
applicable standards?
Does OAGN identify the key elements of the internal control system?
4.3 Audit implementation
4.3.1 Staff
Does OAGN have a policy to ensure that:
all those involved in the audit understand the plan as a whole and the tasks assigned
to that person;
each official involved in the audit has the skills needed to carry out the assigned tasks;
and
there are no conflicts of interest or other factors that might impede any official
involved in the audit from carrying out the assigned tasks in a competent and
objective manner?
Is the non-existence of conflicts of interest recorded?
prior to the approval of the plan, those involved have been given the opportunity to
express an opinion on the tasks assigned to them and to participate in the
development of the plan.
4.3.2 Documentation and procedures
Is the audit process documented adequately and transparently? Is the same true for
internal decision-making?
Are the audit records duly registered to facilitate finding them?
Are the physical and environmental conditions appropriate to ensure the adequate
preservation of the records irrespective of whether they are on paper or in electronic
form?
Are appropriate steps taken in the following areas:
- audit documentation is properly kept, adequately describes audit tests and
findings, is referenced and is easily traced to the relevant elements of the task
plan and detailed audit programmes;
153
Particulars Comments
- the audit plan provides the links under which the working papers can be found;
- treatment of printed evidence in a computer-assisted audit;
- audit evidence is sufficient and appropriate;
- audit evidence procedures are properly followed;
- security levels are in place to limit the access to documents which form part of
the audit evidence;
- the planned audit approach remains appropriate in the light of information
gathered in the audit or appropriate changes are made;
- internal control systems of the audited body are properly documented,
evaluated and tested;
- controls of an IT nature are adequately considered;
- proper sampling, analytical procedures, data gathering and information analysis
techniques are used, where appropriate;
- working papers include relevant, reliable and sufficient evidence supporting all
findings, opinions, conclusions and recommendations;
- auditors have documented the work performed in such a manner that an
independent person should be able to re-perform the work and be able to
understand the nature, timing and extent of the work that was done; and
- a checklist is drafted to ensure that the work done is properly documented.
4.3.3 Review before field work
Before starting actual field work, is the plan reviewed to assure that it can be properly
implemented?
Are all members of the audit team involved in this review to ensure that everyone
understands the plan as a whole as well as their roles in the audit, and to give them an
opportunity to raise any concerns that they may have?
Are auditors encouraged to point out possible shortcomings in the audit task plan and
in the quality control system?
Is the audit scope and/or task plan adjusted if significant unanticipated problems
arise?
Are these modifications submitted to the manager in charge for approval?
Does OAGN adopt and implement professional standards; strengthen methods and
techniques for preventing and detecting fraud and corruption; enhance
communication and reporting, and foster the publication and use of Manual and
procedure manuals?
4.3.4 Continuous documentation
Is the completion of individual tasks in the audit plan documented and reviewed,
evidenced and approved by the immediate supervisor of the auditor responsible? •
Are audit working papers systematically collected, reviewed and maintained?
Are changes in the approved audit plan documented, along with the reasons for then,
especially if they significantly alter the audit methodology or the timetable or other
resources required to carry it out?
Are those changes reviewed and approved by the official, if any, who approved the
original plan?
4.3.5 Supervision during audit
Does the organisational structure include a supervision department or is the
supervisor part of the audit team?
Or who else is in charge of supervision?
Does the audit team leader adequately supervise those involved in the audit to ensure
that the audit tasks are carried out properly?
4.3.6 Review upon audit completion
With a view to identify changes and improvements necessary for future audits: Does
the audit team leader, and his/her supervisors, if any, review all aspects of the audit
154
Particulars Comments
tasks performed during the audit, including tests carried out, findings and working
papers and document such reviews?
Does the relevant auditor/audit team examine the causes and consequences of the
shortcomings found during the audit process?
4.3.7 External expertise
Does OAGN seek assistance from external experts if unexpected problems or technical
issues are encountered during the audit work requiring skills beyond those
represented in the team?
Does OAGN ensure that the work performed by the expert is properly documented
and evaluated?
Is a glossary drawn up of the technical terms used by the external experts in order to
ensure understandability?
4.4 Audit reporting
4.4.1 Methodology
Are reported audit issues properly analysed and concluded?
Have all audit findings been evaluated as to their materiality, legality and factual
evidence and all relevant material findings included?
Are all the facts fairly presented?
Are sources of facts, figures and quotations mentioned?
Are relevant and material events subsequent to the audit considered, to the extent
that the auditor is aware of and documents them?
Is there documentary evidence in support of all conclusions and opinions?
Is there a clear audit trail for audit steps, findings, conclusions and recommendations
prepared by the auditor and his assistants?
Are the working papers fully cross-referenced?
Are reports concise, clear, timely, precise, simple, objective, balanced and
constructive?
Are they clearly perceived and well understood by the audited entity and the various
stakeholders?
Are all findings and conclusions supported by adequate and reliable audit evidence in
the audit working papers?
Are the recommendations developed by OAGN in accordance with standards of good
professional practice?
Do reports, where applicable, expressly present positive conclusions or state relevant
measures and sanctions to be taken by OAGN?
If so, does the auditor ensure there is sufficient evidence to support such positive
conclusions?
Are time limits adhered to?
Are applicable procedures followed with regard to serious irregularities and fraud
discovered in the audit?
Is the full methodology of the audit performed well described in the reports providing
therefore more transparency and credibility to the findings?
4.4.2 Internal procedure
Who is involved in drafting the report?
Is it ensured that the report is in line with the audit findings?
Are the reports reviewed for adequacy, conclusiveness, properness, readability
etc. by an experienced auditor, audit panels and/or a prosecutor general office which
are independent of the audit team?
If applicable, is this review coupled with or followed by further reviews of the draft
report at higher levels or other parts of the organisation, especially if the subject of
the report is sensitive or the material is unusually complex or technical? Such review
155
Particulars Comments
by a transversal department is recommended to avoid, especially on legal issues,
successive inconsistent opinions stemming from different units, issued by OAGN.
Is there any clear statutory provision and internal guidance as to who has the
authority to approve and issue the audit report (audit manager, audit panel, other)?
4.4.3 Different viewpoints conflicting evidence
Is the draft audit report, after internal review, provided to the audited body for review
and comment within a specified time frame?
To what extent are comments received from an audited body considered by OAGN?
Are these comments published in the report?
How are factual disagreements resolved?
Is all material conflicting evidence acknowledged in the report, together with an
explanation of why it has been rejected or is not reflected in the report conclusions?
4.4.4 Reporting on misdemeanour
• Does reporting take place in accordance with OAGN’s mandate and relevant
legislation?
Does the audit process foresee and OAGN ensure that cases of misdemeanour, such as
fraudulent behaviour, violation of contracts or other criminal offences are reported to
the prosecuting authorities without delay?
4.5 Follow-up and further treatment of OAGN’s findings
4.5.1 Follow-up
Are follow-up audits conducted?
Is there adequate and sufficient monitoring that the audit recommendations are
followed in due course?
Is the time period between completion of the audit and the follow-up on the
implementation of the recommendations specified?
Are there methods governing the implementation of follow-ups, as well as definite
criteria specifying when a follow-up is to be made?
Does OAGN comply with it?
In case the recommendations are not implemented or not implemented in due course
– does OAGN ensure this is documented and justified by the audited entity?
4.5.2 Impact of performance audits performed by OAGN
Does OAGN assess the impact of its audits on the performance of the audited entity?
Does the evaluation consider the views of the various stakeholders?
Are there quantifiable indicators for measuring the impact of the audit?
Did implemented recommendations achieve improvements in performance?
4.5.3 Perception of OAGN
Are there indicators of the way OAGN, its tasks, mission performance, and
professional competence is perceived?
Is OAGN a body held in high esteem for the work it performs?
Is OAGN regarded as an independent and professional organisation and respected by
the public in general and the various stakeholders in particular as having positive
influence on the improvement of state activities?
Is the perception of OAGN evaluated?
In what way are the results obtained from the evaluation to be used?
What types of mechanisms have been considered to improve the perception of OAGN
from its stakeholders’ perspective?
4.4.4 Publication
If audit legislation empowers OAGN to publish the results of its work: are those
publications elaborated with a view to being understandable to report users and to
the general public?
In what form are the reports distributed?
156
Particulars Comments
Does OAGN publish on the internet as well?
What type of relationship does OAGN have with the media?
4.5.5 Managing institutional risk
How does OAGN handle potential cases of audit failure, i.e. when complex audits,
possibly also involving matters which are highly visible and/or politically sensitive,
might undermine its credibility?
Has it established a clear procedure for assessing these institutional risks and for
adapting to them, considering such matters as complexity of the audit, audit costs,
controversy associated with the matters being audited and likely cooperation or
resistance by the audited body?
4.5.6 Managing external relations
Does OAGN devote management time and attention to strengthening relations with:
parliament and its committees;
the government to achieve improvements in government accounting and internal
controls;
line ministries and state agencies, to enable auditors to do their work efficiently,
without interference and impediments;
the media, to assure that the public is aware of key OAGN products and of the actions
taken (or not taken) in response;
private sector auditors and relevant professional associations, as to sharing
experiences that can strengthen quality in both sectors;
the academic community to facilitate drawing on that source of specialised expertise,
when needed, and in recruiting high quality graduates; and
the audit community, including co-operation at the bilateral and multilateral level, to
facilitate benchmarking, sharing of knowledge, experiences, techniques and
information on good practices?
157
Appendix 11 FAM Compliance
Audit Process Standards (NGAS/ISSAI) Audit FAM Reference Compliance checklist Comments
Methodology Para (section)
Audit Prerequisite • OAGN Public Audit Audit 2.3.1 Audit has been separated as FA
Restructuring Framework segregation where opinion on financial
statements have to be issued
• Risk based audit framework Risks Based 2.3.2 Auditees have been selected using
of OAGN Selection OAGN’s risk-based framework
• OAGN AAP Annual Audit 2.3.3 AAP clearly outlines financial audits
Plan of OAGN for to be undertaken
FA
• ISSAI 200:9: 200:16 Evaluation of 2.3.4 Assessment has been done to
Financial ensure appropriateness of the
Reporting financial reporting framework
Framework applied
Pre engagement • ISSAI 100:39 Team 3.3.1 Appropriate teams have been
• ISSAI 2220:14; Composition assigned to plan and execute the
audit
• OAGN Code of Ethics Ethical 3.3.2 All personnel involved in the audit
• ISSAI 130 Declaration have committed themselves to the
• ISSAI 2300:6(b); ISSAI ethical requirements of OAGN
2220:9-11; ISSAI 2200:14
• OAGN Record of Activities Record of 3.3.3 A system is in place to record the
Activities activities performed including the
duration of the works undertaken
158
Audit Process Standards (NGAS/ISSAI) Audit FAM Reference Compliance checklist Comments
Methodology Para (section)
• ISSAI 100:44 Terms of 3.3.4 Audit Engagement Letter has been
• ISSAI 200:30 engagement signed outlining roles and
• ISSAI 2210; ISSAI 2300:6(c) responsibilities
Audit Planning • ISSAI 100:45-48; Overall Audit 4.3.1 - understanding the entity and
• ISSAI 200:33-40, 44-45, 49- Strategy its environment
53 - identify risk of material
• ISSAI 2300:8; misstatements including due to
• ISSAI 2300:12(a); fraud
• ISSAI 2240; - identify internal controls
• ISSAI 2250; - determine materiality
• ISSAI 2315; - analytical procedures
• ISSAI 2320; - assess risk assessment
• ISSAI 2520 procedures of the entity
• ISSAI 100:48; Detailed audit 4.3.2 Risk response has been made in
• ISSAI 200:32, 41-43 plan / (Audit preparing audit plan (in the form of
• ISSAI 2300:8; checklist / audit audit checklists or audit
• ISSAI 2300:12(b); programme) programmes)
• ISSAI 2330
Audit Execution • ISSAI 100:43 Authorisation 5.3.1 All filed auditors have received
• ISSAI 2210 letter formal authorisation to conduct
audit on behalf of the auditor
general
• ISSAI 100:43 Entry Meeting 5.3.2 The discussion about the conduct
• ISSAI 2260:14-17, 19-22, A54 and scope of the audit is done with
the auditee and documented as
entry meeting minutes
• Allocation of 5.3.3 Field works have been allocated to
work cover all identified audit areas in
the plan
• ISSAI 200:42-43 Test of Controls 5.3.4 The functioning of the control
• ISSAI 2330:8-9,14-15 systems of the auditee are being
tested
159
Audit Process Standards (NGAS/ISSAI) Audit FAM Reference Compliance checklist Comments
Methodology Para (section)
• Change of audit 5.3.5 Any modification to the audit plan
plan is properly authorised
• ISSAI 2500:A55, A57; ISSAI Sampling 5.3.6 Sampling is done to gather audit
2530 evidence in accordance with the
applicable standards
• ISSAI 2330:4(a), 18-19, 20- Substantive 5.3.7 Audit testing procedures have been
21,52; Procedures performed and documented
• ISSAI 2505;
• ISSAI 2520:5, A6
• ISSAI 200.54; ISSAI 2500.4 Audit evidence 5.3.8 Sufficient and appropriate audit
evidence have been recorded to
support the audit opinion and to
indicate that audit has been
conducted in accordance with
applicable standards
• ISSAI 200:46, 68, 70, 74-75 Other 5.3.9 Other applicable audit procedures
• ISSAI 2501; procedures have been applied and recorded
• ISSAI 2510; appropriately
• ISSAI 2550;
• ISSAI 2560;
• ISSAI 2570;
• ISSAI 2710;
• ISSAI 2720
• ISSAI 2500; Written 5.3.11 Written representation is obtained
• ISSAI 2580 Representation and recorded
• ISSAI 100:43 Exit Meeting 5.3.12 Findings observed during the audit
• ISSAI 2260:16, A17-18: ISSAI is discussed with the auditee
2450:8 management and recorded in the
form of exit meeting minutes
Audit Reporting • ISSAI 100:50; Evaluation of 6.3.1 - The findings and observations
• ISSAI 200:57 misstatements 6.3.2 have been evaluated for their
• ISSAI 2450:5, 11, A42-A25; and Supervisory impact on the opinion on the
• ISQC-1:A35 review financial statements
160
Audit Process Standards (NGAS/ISSAI) Audit FAM Reference Compliance checklist Comments
Methodology Para (section)
- Supervisor has conducted
review before the issue of PAR
and audit opinion to ensure
that audit was conducted as
planned
• ISSAI 200:56 Preliminary 6.3.3 Audit observations have been
• ISSAI 2250:6, 14, A5, A12; Audit Report communicated with the auditee
• ISSAI 2260:16; formally allowing them appropriate
• ISSAI 2265:6 time to respond
• ISSAI 100:50; ISSAI 200:58- Audit Report 6.3.4 Audit opinion is supported by the
62 (audit opinion) 6.3.5 work performed and is appropriate
• ISSAI 2700; as per the judgement of the auditor
• ISSAI 2701;
• ISSAI 2705;
• ISSAI 2706
Audit Follow-up • INTOSAI-P20:3, Periodic follow 7.3.2 Legal requirements for audit follow-
• ISSAI 100:51 up as per the up have been complied with
• Audit Act 2075, Fin law and
Procedure & Fin standards
Accountability Act 2076
Documentation • ISSAI 2230 Working papers 1.4.1 Audit works are appropriately
documented
Review • Review process 1.4.2 Work is reviewed by the team
leader and the supervisor
161
Appendix 12 FA iCAT81
81 https://www.idi.no/elibrary/professional-sais/icats/icats-english/752-template-disposition-of-comments-for-fa-icat-version-0-english/file
162
7 If law or regulation prescribes in sufficient detail the terms of the audit engagement referred to in paragraph 10, the auditor need ISSAI 2210.11 Para. A22,
not record them in a written agreement, except for the fact that such law or regulation applies and that management A26-A27
acknowledges and understands its responsibilities as set out in paragraph 6(b).
8 If law or regulation prescribes responsibilities of management similar to those described in paragraph 6(b), the auditor may ISSAI 2210.12 Para. A26
determine that the law or regulation includes responsibilities that, in the auditor’s judgment, are equivalent in effect to those set
out in that paragraph. For such responsibilities that are equivalent, the auditor may use the wording of the law or regulation to
describe them in the written agreement. For those responsibilities that are not prescribed by law or regulation such that their
effect is equivalent, the written agreement shall use the description in paragraph 6(b).
9 On recurring audits, the auditor shall assess whether circumstances require the terms of the audit engagement to be revised and ISSAI 2210.13 Para.A28
whether there is a need to remind the entity of the existing terms of the audit engagement.
10 The auditor shall not agree to a change in the terms of the audit engagement where there is no reasonable justification for doing ISSAI 2210.14 Para. A29-
so. A31
11 If, prior to completing the audit engagement, the auditor is requested to change the audit engagement to an engagement that ISSAI 2210.15 Para. A32-
conveys a lower level of assurance, the auditor shall determine whether there is reasonable justification for doing so. A33
12 If the terms of the audit engagement are changed, the auditor and management shall agree on and record the new terms of the ISSAI 2210.16
engagement in an engagement letter or other suitable form of written agreement.
13 If the auditor is unable to agree to a change of the terms of the audit engagement and is not permitted by management to ISSAI 2210.17
continue the original audit engagement, the auditor shall:(a) Withdraw from the audit engagement where possible under
applicable law or regulation; and(b) Determine whether there is any obligation, either contractual or otherwise, to report the
circumstances to other parties, such as those charged with governance, owners or regulators.
14 If financial reporting standards established by an authorized or recognized standards setting organization are supplemented by ISSAI 2210.18 Para. A34
law or regulation, the auditor shall determine whether there are any conflicts between the financial reporting standards and the
additional requirements. If such conflicts exist, the auditor shall discuss with management the nature of the additional
requirements and shall agree whether:(a) The additional requirements can be met through additional disclosures in the financial
statements; or(b) The description of the applicable financial reporting framework in the financial statements can be amended
accordingly. If neither of the above actions is possible, the auditor shall determine whether it will be necessary to modify the
auditor’s opinion in accordance with ISA 705 (Revised).
163
15 If the auditor has determined that the financial reporting framework prescribed by law or regulation would be unacceptable but ISSAI 2210.19 Para. A35
for the fact that it is prescribed by law or regulation, the auditor shall accept the audit engagement only if the following conditions
are present: (a) Management agrees to provide additional disclosures in the financial statements required to avoid the financial
statements being misleading; and(b) It is recognized in the terms of the audit engagement that:(i) The auditor’s report on the
financial statements will incorporate an Emphasis of Matter paragraph, drawing users’ attention to the additional disclosures, in
accordance with ISA 706 (Revised); and(ii) Unless the auditor is required by law or regulation to express the auditor’s opinion on
the financial statements by using the phrases “present fairly, in all material respects,” or “give a true and fair view” in accordance
with the applicable financial reporting framework, the auditor’s opinion on the financial statements will not include such phrases.
16 If the conditions outlined in paragraph 19 are not present and the auditor is required by law or regulation to undertake the audit ISSAI 2210.20
engagement, the auditor shall:(a) Evaluate the effect of the misleading nature of the financial statements on the auditor’s report;
and(b) Include appropriate reference to this matter in the terms of the audit engagement.
17 In some cases, law or regulation of the relevant jurisdiction prescribes the layout or wording of the auditor’s report in a form or in ISSAI 2210.21 Para. A36-
terms that are significantly different from the requirements of ISAs. In these circumstances, the auditor shall evaluate:(a) Whether A37
users might misunderstand the assurance obtained from the audit of the financial statements and, if so,(b) Whether additional
explanation in the auditor’s report can mitigate possible misunderstanding. If the auditor concludes that additional explanation in
the auditor’s report cannot mitigate possible misunderstanding, the auditor shall not accept the audit engagement, unless
required by law or regulation to do so. An audit conducted in accordance with such law or regulation does not comply with ISAs.
Accordingly, the auditor shall not include any reference within the auditor’s report to the audit having been conducted in
accordance with ISAs.
18 If matters come to the engagement partner’s attention through the firm’s system of quality control or otherwise that indicate that ISSAI 2220.10 Para. A5
members of the engagement team have not complied with relevant ethical requirements, the engagement partner, in
consultation with others in the firm, shall determine the appropriate action.
19 The engagement partner shall form a conclusion on compliance with independence requirements that apply to the audit ISSAI 2220.11
engagement. In doing so, the engagement partner shall: (a) Obtain relevant information from the firm and, where applicable, Para. A5-
network firms, to identify and evaluate circumstances and relationships that create threats to independence; (b) Evaluate A7
information on identified breaches, if any, of the firm’s independence policies and procedures to determine whether they create a
threat to independence for the audit engagement; and(c) Take appropriate action to eliminate such threats or reduce them to an
acceptable level by applying safeguards, or, if considered appropriate, to withdraw from the audit engagement, where withdrawal
is possible under applicable law or regulation. The engagement partner shall promptly report to the firm any inability to resolve
the matter for appropriate action.
20 The engagement partner shall be satisfied that appropriate procedures regarding the acceptance and continuance of client ISSAI 2220.12 Para. A8-
relationships and audit engagements have been followed, and shall determine that conclusions reached in this regard are A9
appropriate.
164
21 If the engagement partner obtains information that would have caused the firm to decline the audit engagement had that ISSAI 2220.13 Para. A9
information been available earlier, the engagement partner shall communicate that information promptly to the firm, so that the
firm and the engagement partner can take the necessary action.
22 The engagement partner shall be satisfied that the engagement team, and any auditor’s experts who are not part of the ISSAI 2220.14 Para. A10-
engagement team, collectively have the appropriate competence and capabilities to:(a) Perform the audit engagement in A12
accordance with professional standards and applicable legal and regulatory requirements; and(b) Enable an auditor’s report that
is appropriate in the circumstances to be issued.
23 The engagement partner shall take responsibility for:(a) The direction, supervision and performance of the audit engagement in ISSAI 2220.15 Para. A13-
compliance with professional standards and applicable legal and regulatory requirements; and (b) The auditor’s report being A15, A20
appropriate in the circumstances.
24 The engagement partner shall take responsibility for reviews being performed in accordance with the firm’s review policies and ISSAI 2220.16 Para. A16-
procedures. A17, A20
25 On or before the date of the auditor’s report, the engagement partner shall, through a review of the audit documentation and ISSAI 2220.17 Para. A18-
discussion with the engagement team, be satisfied that sufficient appropriate audit evidence has been obtained to support the A20
conclusions reached and for the auditor’s report to be issued.
26 The engagement partner shall:(a) Take responsibility for the engagement team undertaking appropriate consultation on difficult ISSAI 2220.18 Para. A21-
or contentious matters;(b) Be satisfied that members of the engagement team have undertaken appropriate consultation during A22
the course of the engagement, both within the engagement team and between the engagement team and others at the
appropriate level within or outside the firm;(c) Be satisfied that the nature and scope of, and conclusions resulting from, such
consultations are agreed with the party consulted; and (d) Determine that conclusions resulting from such consultations have
been implemented.
27 For audits of financial statements of listed entities, and those other audit engagements, if any, for which the firm has determined ISSAI 2220.19 Para. A23-
that an engagement quality control review is required, the engagement partner shall:(a) Determine that an engagement quality A25
control reviewer has been appointed;(b) Discuss significant matters arising during the audit engagement, including those
identified during the engagement quality control review, with the engagement quality control reviewer; and(c) Not date the
auditor’s report until the completion of the engagement quality control review.
28 The engagement quality control reviewer shall perform an objective evaluation of the significant judgments made by the ISSAI 2220.20 Para. A26–
engagement team, and the conclusions reached in formulating the auditor’s report. This evaluation shall involve: (a) Discussion of A27a,
significant matters with the engagement partner; (b) Review of the financial statements and the proposed auditor’s report; (c) A29–A31
Review of selected audit documentation relating to the significant judgments the engagement team made and the conclusions it
reached; and(d) Evaluation of the conclusions reached in formulating the auditor’s report and consideration of whether the
proposed auditor’s report is appropriate.
165
29 For audits of financial statements of listed entities, the engagement quality control reviewer, on performing an engagement ISSAI 220.21 Para. A28–
quality control review, shall also consider the following: (a) The engagement team’s evaluation of the firm’s independence in A31
relation to the audit engagement; (b) Whether appropriate consultation has taken place on matters involving differences of
opinion or other difficult or contentious matters, and the conclusions arising from those consultations; and (c) Whether audit
documentation selected for review reflects the work performed in relation to the significant judgments and supports the
conclusions reached.
30 If differences of opinion arise within the engagement team, with those consulted or, where applicable, between the engagement ISSAI 2220.22
partner and the engagement quality control reviewer, the engagement team shall follow the firm’s policies and procedures for
dealing with and resolving differences of opinion.
31 The auditor shall include in the audit documentation: (a) Issues identified with respect to compliance with relevant ethical ISSAI 2220.24 Para. A35
requirements and how they were resolved.(b) Conclusions on compliance with independence requirements that apply to the
audit engagement, and any relevant discussions with the firm that support these conclusions.(c) Conclusions reached regarding
the acceptance and continuance of client relationships and audit engagements.(d) The nature and scope of, and conclusions
resulting from, consultations undertaken during the course of the audit engagement.
32 The engagement quality control reviewer shall document, for the audit engagement reviewed, that:(a) The procedures required ISSAI 2220.25
by the firm’s policies on engagement quality control review have been performed;(b) The engagement quality control review has
been completed on or before the date of the auditor’s report; and(c) The reviewer is not aware of any unresolved matters that
would cause the reviewer to believe that the significant judgments the engagement team made and the conclusions it reached
were not appropriate.
33 In documenting the nature, timing and extent of audit procedures performed, the auditor shall record: (a) The identifying ISSAI 2230.9 Para. A12-
characteristics of the specific items or matters tested; (b) Who performed the audit work and the date such work was completed; A13
and (c) Who reviewed the audit work performed and the date and extent of such review.
34 The auditor shall document discussions of significant matters with management, those charged with governance, and others, ISSAI 2230.10 Para. A14
including the nature of the significant matters discussed and when and with whom the discussions took place.
35 If the auditor identified information that is inconsistent with the auditor’s final conclusion regarding a significant matter, the ISSAI 2230.11 Para. A15
auditor shall document how the auditor addressed the inconsistency.
36 If, in exceptional circumstances, the auditor judges it necessary to depart from a relevant requirement in an ISA, the auditor shall ISSAI 2230.12 Para. A18-
document how the alternative audit procedures performed achieve the aim of that requirement, and the reasons for the A19
departure.
37 If, in exceptional circumstances, the auditor performs new or additional audit procedures or draws new conclusions after the date ISSAI 2230.13 Para. A20
of the auditor’s report, the auditor shall document: (a) The circumstances encountered;(b) The new or additional audit
procedures performed, audit evidence obtained, and conclusions reached, and their effect on the auditor's report; and(c) When
and by whom the resulting changes to audit documentation were made and reviewed.
166
38 The auditor shall assemble the audit documentation in an audit file and complete the administrative process of assembling the ISSAI 2230.14 Para. A21-
final audit file on a timely basis after the date of the auditor’s report. A22
39 In circumstances other than those envisaged in paragraph 13 where the auditor finds it necessary to modify existing audit ISSAI 2230.16 Para. A24
documentation or add new audit documentation after the assembly of the final audit file has been completed, the auditor shall,
regardless of the nature of the modifications or additions, document: (a) The specific reasons for making them; and(b) When and
by whom they were made and reviewed.
40 ISA 315 (Revised) requires a discussion among the engagement team members and a determination by the engagement partner ISSAI 2240.15 Para. A10-
of which matters are to be communicated to those team members not involved in the discussion. This discussion shall place A11
particular emphasis on how and where the entity's financial statements may be susceptible to material misstatement due to
fraud, including how fraud might occur. The discussion shall occur setting aside beliefs that the engagement team members may
have that management and those charged with governance are honest and have integrity.
41 When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, ISSAI 2240.16
including the entity’s internal control, required by ISA 315 (Revised), the auditor shall perform the procedures in paragraphs 17-24
to obtain information for use in identifying the risks of material misstatement due to fraud.
42 The auditor shall make inquiries of management regarding:(a) Management’s assessment of the risk that the financial statements ISSAI 2240.17 Para. A12-
may be materially misstated due to fraud, including the nature, extent and frequency of such assessments; (b) Management’s A14
process for identifying and responding to the risks of fraud in the entity, including any specific risks of fraud that management has
identified or that have been brought to its attention, or classes of transactions, account balances, or disclosures for which a risk of
fraud is likely to exist; (c) Management’s communication, if any, to those charged with governance regarding its processes for
identifying and responding to the risks of fraud in the entity; and(d) Management’s communication, if any, to employees
regarding its views on business practices and ethical behavior.
43 The auditor shall make inquiries of management, and others within the entity as appropriate, to determine whether they have ISSAI 2240.18 Para. A15-
knowledge of any actual, suspected or alleged fraud affecting the entity. A17
44 For those entities that have an internal audit function, the auditor shall make inquiries of internal audit to determine whether it ISSAI 2240.19 Para. A18
has knowledge of any actual, suspected or alleged fraud affecting the entity, and to obtain its views about the risks of fraud
45 Unless all of those charged with governance are involved in managing the entity, the auditor shall obtain an understanding of how ISSAI 2240.20 Para. A19-
those charged with governance exercise oversight of management’s processes for identifying and responding to the risks of fraud A21
in the entity and the internal control that management has established to mitigate these risks.
46 Unless all of those charged with governance are involved in managing the entity, the auditor shall make inquiries of those charged ISSAI 2240.21
with governance to determine whether they have knowledge of any actual, suspected or alleged fraud affecting the entity. These
inquiries are made in part to corroborate the responses to the inquiries of management.
167
47 The auditor shall evaluate whether unusual or unexpected relationships that have been identified in performing analytical ISSAI 2240.22
procedures, including those related to revenue accounts, may indicate risks of material misstatement due to fraud.
48 The auditor shall consider whether other information obtained by the auditor indicates risks of material misstatement due to ISSAI 2240.23 Para. A22
fraud.
49 The auditor shall evaluate whether the information obtained from the other risk assessment procedures and related activities ISSAI 2240.24 Para. A23-
performed indicates that one or more fraud risk factors are present. While fraud risk factors may not necessarily indicate the A27
existence of fraud, they have often been present in circumstances where frauds have occurred and therefore may indicate risks of
material misstatement due to fraud.
50 In accordance with ISA 315 (Revised), the auditor shall identify and assess the risks of material misstatement due to fraud at the ISSAI 2240.25
financial statement level, and at the assertion level for classes of transactions, account balances and disclosures.
51 When identifying and assessing the risks of material misstatement due to fraud, the auditor shall, based on a presumption that ISSAI 2240.26 Para.A28-
there are risks of fraud in revenue recognition, evaluate which types of revenue, revenue transactions or assertions give rise to A30
such risks. Paragraph 47 specifies the documentation required where the auditor concludes that the presumption is not applicable
in the circumstances of the engagement and, accordingly, has not identified revenue recognition as a risk of material
misstatement due to fraud
52 The auditor shall treat those assessed risks of material misstatement due to fraud as significant risks and accordingly, to the ISSAI 2240.27 Para. A31-
extent not already done so, the auditor shall obtain an understanding of the entity’s related controls, including control activities, A32
relevant to such risks.
53 In accordance with ISA 330, the auditor shall determine overall responses to address the assessed risks of material misstatement ISSAI 2240.28 Para. A33
due to fraud at the financial statement level.
54 In determining overall responses to address the assessed risks of material misstatement due to fraud at the financial statement ISSAI 2240.29 Para. A34-
level, the auditor shall:(a) Assign and supervise personnel taking account of the knowledge, skill and ability of the individuals to be A35 Para.
given significant engagement responsibilities and the auditor’s assessment of the risks of material misstatement due to fraud for A36
the engagement; (b) Evaluate whether the selection and application of accounting policies by the entity, particularly those related
to subjective measurements and complex transactions, may be indicative of fraudulent financial reporting resulting from
management’s effort to manage earnings; and(c) Incorporate an element of unpredictability in the selection of the nature, timing
and extent of audit procedures.
55 In accordance with ISA 330, the auditor shall design and perform further audit procedures whose nature, timing and extent are ISSAI 2240.30 Para. A37-
responsive to the assessed risks of material misstatement due to fraud at the assertion level. A40
168
56 Irrespective of the auditor’s assessment of the risks of management override of controls, the auditor shall design and perform ISSAI 2240.32 Para. A41-
audit procedures to:(a) Test the appropriateness of journal entries recorded in the general ledger and other adjustments made in A48
the preparation of the financial statements. In designing and performing audit procedures for such tests, the auditor shall:(i) Make
inquiries of individuals involved in the financial reporting process about inappropriate or unusual activity relating to the
processing of journal entries and other adjustments;(ii) Select journal entries and other adjustments made at the end of a
reporting period; and(iii) Consider the need to test journal entries and other adjustments throughout the period. (b) Review
accounting estimates for biases and evaluate whether the circumstances producing the bias, if any, represent a risk of material
misstatement due to fraud. In performing this review, the auditor shall:(i) Evaluate whether the judgments and decisions made by
management in making the accounting estimates included in the financial statements, even if they are individually reasonable,
indicate a possible bias on the part of the entity’s management that may represent a risk of material misstatement due to fraud. If
so, the auditor shall re-evaluate the accounting estimates taken as a whole; and(ii) Perform a retrospective review of
management judgments and assumptions related to significant accounting estimates reflected in the financial statements of the
prior year(c) For significant transactions that are outside the normal course of business for the entity, or that otherwise appear to
be unusual given the auditor’s understanding of the entity and its environment and other information obtained during the audit,
the auditor shall evaluate whether the business rationale (or the lack thereof) of the transactions suggests that they may have
been entered into to engage in fraudulent financial reporting or to conceal misappropriation of assets.
57 The auditor shall determine whether, in order to respond to the identified risks of management override of controls, the auditor ISSAI 2240.33
needs to perform other audit procedures in addition to those specifically referred to above (that is, where there are specific
additional risks of management override that are not covered as part of the procedures performed to address the requirements in
paragraph 32).
58 The auditor shall evaluate whether analytical procedures that are performed near the end of the audit, when forming an overall ISSAI 2240.34 Para. A50
conclusion as to whether the financial statements are consistent with the auditor’s understanding of the entity, indicate a
previously unrecognized risk of material misstatement due to fraud.
59 If the auditor identifies a misstatement, the auditor shall evaluate whether such a misstatement is indicative of fraud. If there is ISSAI 2240.35 Para. A51
such an indication, the auditor shall evaluate the implications of the misstatement in relation to other aspects of the audit,
particularly the reliability of management representations, recognizing that an instance of fraud is unlikely to be an isolated
occurrence.
60 If the auditor identifies a misstatement, whether material or not, and the auditor has reason to believe that it is or may be the ISSAI 2240.36 Para. A52
result of fraud and that management (in particular, senior management) is involved, the auditor shall reevaluate the assessment
of the risks of material misstatement due to fraud and its resulting impact on the nature, timing and extent of audit procedures to
respond to the assessed risks. The auditor shall also consider whether circumstances or conditions indicate possible collusion
involving employees, management or third parties when reconsidering the reliability of evidence previously obtained.
61 If the auditor confirms that, or is unable to conclude whether, the financial statements are materially misstated as a result of ISSAI 2240.37 Para. A53
fraud the auditor shall evaluate the implications for the audit.
169
62 If, as a result of a misstatement resulting from fraud or suspected fraud, the auditor encounters exceptional circumstances that ISSAI 2240.38 Para. A54-
bring into question the auditor’s ability to continue performing the audit, the auditor shall:(a) Determine the professional and A57
legal responsibilities applicable in the circumstances, including whether there is a requirement for the auditor to report to the
person or persons who made the audit appointment or, in some cases, to regulatory authorities;(b) Consider whether it is
appropriate to withdraw from the engagement, where withdrawal is possible under applicable law or regulation; and(c) If the
auditor withdraws:(i) Discuss with the appropriate level of management and those charged with governance the auditor’s
withdrawal from the engagement and the reasons for the withdrawal; and(ii) Determine whether there is a professional or legal
requirement to report to the person or persons who made the audit appointment or, in some cases, to regulatory authorities, the
auditor’s withdrawal from the engagement and the reasons for the withdrawal.
63 The auditor shall obtain written representations from management and, where appropriate, those charged with governance ISSAI 2240.39 Para. A58-
that:(a) They acknowledge their responsibility for the design, implementation and maintenance of internal control to prevent and A59
detect fraud;(b) They have disclosed to the auditor the results of management's assessment of the risk that the financial
statements may be materially misstated as a result of fraud;(c) They have disclosed to the auditor their knowledge of fraud or
suspected fraud affecting the entity involving:(i) Management;(ii) Employees who have significant roles in internal control; or(iii)
Others where the fraud could have a material effect on the financial statements; and(d) They have disclosed to the auditor their
knowledge of any allegations of fraud, or suspected fraud, affecting the entity’s financial statements communicated by
employees, former employees, analysts, regulators or others.
64 If the auditor has identified a fraud or has obtained information that indicates that a fraud may exist, the auditor shall ISSAI 2240.40 Para. A60
communicate these matters on a timely basis to the appropriate level of management in order to inform those with primary
responsibility for the prevention and detection of fraud of matters relevant to their responsibilities.
65 Unless all of those charged with governance are involved in managing the entity, if the auditor has identified or suspects fraud ISSAI 2240.41 Para. A61-
involving:(a) management;(b) employees who have significant roles in internal control; or(c) others where the fraud results in a A63
material misstatement in the financial statements, the auditor shall communicate these matters to those charged with
governance on a timely basis. If the auditor suspects fraud involving management, the auditor shall communicate these suspicions
to those charged with governance and discuss with them the nature, timing and extent of audit procedures necessary to complete
the audit.
66 The auditor shall communicate with those charged with governance any other matters related to fraud that are, in the auditor’s ISSAI 2240.42 Para. A64
judgment, relevant to their responsibilities.
67 If the auditor has identified or suspects a fraud, the auditor shall determine whether there is a responsibility to report the ISSAI 2240.43 Para. A65-
occurrence or suspicion to a party outside the entity. Although the auditor’s professional duty to maintain the confidentiality of A67
client information may preclude such reporting, the auditor’s legal responsibilities may override the duty of confidentiality in
some circumstances.
170
68 The auditor shall include the following in the audit documentation of the auditor’s understanding of the entity and its ISSAI 2240.44
environment and the assessment of the risks of material misstatement required by ISA 315 (Revised): (a) The significant decisions
reached during the discussion among the engagement team regarding the susceptibility of the entity’s financial statements to
material misstatement due to fraud; and (b) The identified and assessed risks of material misstatement due to fraud at the
financial statement level and at the assertion level.
69 The auditor shall include the following in the audit documentation of the auditor’s responses to the assessed risks of material ISSAI 2240.45
misstatement required by ISA 330: (a) The overall responses to the assessed risks of material misstatement due to fraud at the
financial statement level and the nature, timing and extent of audit procedures, and the linkage of those procedures with the
assessed risks of material misstatement due to fraud at the assertion level; and (b) The results of the audit procedures, including
those designed to address the risk of management override of controls.
70 The auditor shall include in the audit documentation communications about fraud made to management, those charged with ISSAI 2240.46
governance, regulators and others.
71 If the auditor has concluded that the presumption that there is a risk of material misstatement due to fraud related to revenue ISSAI 2240.47
recognition is not applicable in the circumstances of the engagement, the auditor shall include in the audit documentation the
reasons for that conclusion.
72 As part of obtaining an understanding of the entity and its environment in accordance with ISA 315 (Revised), the auditor shall ISSAI 2250.12 Para. A7
obtain a general understanding of:(a) The legal and regulatory framework applicable to the entity and the industry or sector in
which the entity operates; and(b) How the entity is complying with that framework.
73 The auditor shall obtain sufficient appropriate audit evidence regarding compliance with the provisions of those laws and ISSAI 2250.13 Para. A8
regulations generally recognized to have a direct effect on the determination of material amounts and disclosures in the financial
statements.
74 The auditor shall perform the following audit procedures to help identify instances of non-compliance with other laws and ISSAI 2250.14 Para. A9-
regulations that may have a material effect on the financial statements: (a) Inquiring of management and, where appropriate, A10
those charged with governance, as to whether the entity is in compliance with such laws and regulations; and(b) Inspecting
correspondence, if any, with the relevant licensing or regulatory authorities.
75 The auditor shall request management and, where appropriate, those charged with governance to provide written ISSAI 2250.16 Para. A12
representations that all known instances of non-compliance or suspected non-compliance with laws and regulations whose
effects should be considered when preparing financial statements have been disclosed to the auditor.
76 In the absence of identified or suspected non-compliance, the auditor is not required to perform audit procedures regarding the ISSAI 2250.17
entity’s compliance with laws and regulations, other than those set out in paragraphs 12-16.
77 If the auditor becomes aware of information concerning an instance of non-compliance or suspected non-compliance with laws ISSAI 2250.18 Para. A13
and regulations, the auditor shall obtain: (a) An understanding of the nature of the act and the circumstances in which it has Para. A14
occurred; and(b) Further information to evaluate the possible effect on the financial statements.
171
78 If the auditor suspects there may be non-compliance, the auditor shall discuss the matter with management and, where ISSAI 2250.19 Para. A15-
appropriate, those charged with governance. If management or, as appropriate, those charged with governance do not provide A16
sufficient information that supports that the entity is in compliance with laws and regulations and, in the auditor’s judgment, the
effect of the suspected non-compliance may be material to the financial statements, the auditor shall consider the need to obtain
legal advice.
79 If sufficient information about suspected non-compliance cannot be obtained, the auditor shall evaluate the effect of the lack of ISSAI 2250.20
sufficient appropriate audit evidence on the auditor’s opinion.
80 The auditor shall evaluate the implications of non-compliance in relation to other aspects of the audit, including the auditor’s risk ISSAI 2250.21 Para.A17-
assessment and their liability of written representations, and take appropriate action. A18
81 Unless all of those charged with governance are involved in management of the entity, and therefore are aware of matters ISSAI 2250.22
involving identified or suspected non-compliance already communicated by the auditor, the auditor shall communicate with those
charged with governance matters involving non-compliance with laws and regulations that come to the auditor’s attention during
the course of the audit, other than when the matters are clearly inconsequential.
82 If, in the auditor’s judgment, the non-compliance referred to in paragraph 22 is believed to be intentional and material, the ISSAI 2250.23
auditor shall communicate the matter to those charged with governance as soon as practicable.
83 If the auditor suspects that management or those charged with governance are involved in non-compliance, the auditor shall ISSAI 2250.24
communicate the matter to the next higher level of authority at the entity, if it exists, such as an audit committee or supervisory
board. Where no higher authority exists, or if the auditor believes that the communication may not be acted upon or is unsure as
to the person to whom to report, the auditor shall consider the need to obtain legal advice.
84 If the auditor concludes that the non-compliance has a material effect on the financial statements, and has not been adequately ISSAI 2250.25
reflected in the financial statements, the auditor shall, in accordance with ISA 705 (Revised), express a qualified opinion or an
adverse opinion on the financial statements.
85 If the auditor is precluded by management or those charged with governance from obtaining sufficient appropriate audit evidence ISSAI 2250.26
to evaluate whether non-compliance that may be material to the financial statements has, or is likely to have, occurred, the
auditor shall express a qualified opinion or disclaim an opinion on the financial statements on the basis of a limitation on the
scope of the audit in accordance with ISA 705 (Revised).
86 If the auditor is unable to determine whether non-compliance has occurred because of limitations imposed by the circumstances ISSAI 2250.27
rather than by management or those charged with governance, the auditor shall evaluate the effect on the auditor’s opinion in
accordance with ISA 705 (Revised).
87 If the auditor has identified or suspects non-compliance with laws and regulations, the auditor shall determine whether the ISSAI 2250.28 Para. A19-
auditor has a responsibility to report the identified or suspected non-compliance to parties outside the entity. A20
88 The auditor shall include in the audit documentation identified or suspected non-compliance with laws and regulations and the ISSAI 2250.29 Para. A21
results of discussion with management and, where applicable, those charged with governance and other parties outside the
entity.
172
89 The auditor shall determine the appropriate person(s) within the entity’s governance structure with whom to communicate. ISSAI 2260.11 Para. A1-
A4
90 If the auditor communicates with a subgroup of those charged with governance, for example, an audit committee, or an ISSAI 2260.12 Para. A5-
individual, the auditor shall determine whether the auditor also needs to communicate with the governing body. A7
91 In some cases, all of those charged with governance are involved in managing the entity, for example, a small business where a ISSAI 2260.13 Para. A8
single owner manages the entity and no one else has a governance role. In these cases, if matters required by this ISA are
communicated with person(s) with management responsibilities, and those person(s) also have governance responsibilities, the
matters need not be communicated again with those same person(s) in their governance role. These matters are noted in
paragraph 16(c). The auditor shall nonetheless be satisfied that communication with person(s) with management responsibilities
adequately informs all of those with whom the auditor would otherwise communicate in their governance capacity.
92 The auditor shall communicate with those charged with governance the responsibilities of the auditor in relation to the financial ISSAI 2260.14 Para. A9-
statement audit, including that:(a) The auditor is responsible for forming and expressing an opinion on the financial statements A10
that have been prepared by management with the oversight of those charged with governance; and(b) The audit of the financial
statements does not relieve management or those charged with governance of their responsibilities.
93 The auditor shall communicate with those charged with governance an overview of the planned ISSAI 2260.15 Para. A11–
scope and timing of the audit, which includes communicating about the significant risks identified by the auditor. A16
94 The auditor shall communicate with those charged with governance: (a) The auditor’s views about significant qualitative aspects ISSAI 2260.16 Para. A17–
of the entity’s accounting practices, including accounting policies, accounting estimates and financial statement disclosures. When A28
applicable, the auditor shall explain to those charged with governance why the auditor considers a significant accounting practice,
that is acceptable under the applicable financial reporting framework, not to be most appropriate to the particular circumstances
of the entity; (b) Significant difficulties, if any, encountered during the audit; (c) Unless all of those charged with governance are
involved in managing the entity: (i) Significant matters arising during the audit that were discussed, or subject to correspondence,
with management; and (ii) Written representations the auditor is requesting; (d) Circumstances that affect the form and content
of the auditor’s report, if any; and (e) Any other significant matters arising during the audit that, in the auditor’s professional
judgment, are relevant to the oversight of the financial reporting process.
95 In the case of listed entities, the auditor shall communicate with those charged with governance: (a) A statement that the ISSAI 2260.17 Para. A29–
engagement team and others in the firm as appropriate, the firm and, when applicable, network firms have complied with A32
relevant ethical requirements regarding independence; and (i) All relationships and other matters between the firm, network
firms, and the entity that, in the auditor’s professional judgment, may reasonably be thought to bear on independence. This shall
include total fees charged during the period covered by the financial statements for audit and non-audit services provided by the
firm and network firms to the entity and components controlled by the entity. These fees shall be allocated to categories that are
appropriate to assist those charged with governance in assessing the effect of services on the independence of the auditor; and
(ii) The related safeguards that have been applied to eliminate identified threats to independence or reduce them to an
acceptable level.
173
96 The auditor shall communicate with those charged with governance the form, timing and expected general content of ISSAI 2260.18 Para. A37–
communications. A45
97 The auditor shall communicate in writing with those charged with governance regarding significant findings from the audit if, in ISSAI 2260.19 Para. A46–
the auditor’s professional judgment, oral communication would not be adequate. Written communications need not include all A48
matters that arose during the course of the audit.
98 The auditor shall communicate in writing with those charged with governance regarding auditor independence when required by ISSAI 2260.20
paragraph 17.
99 Where matters required by this ISA to be communicated are communicated orally, the auditor shall include them in the audit ISSAI 2260.23 Para. A54
documentation, and when and to whom they were communicated. Where matters have been communicated in writing, the
auditor shall retain a copy of the communication as part of the audit documentation.
100 The auditor shall determine whether, on the basis of the audit work performed, the auditor has identified one or more ISSAI 2265.7. Para. A1-
deficiencies in internal control. A4
101 If the auditor has identified one or more deficiencies in internal control, the auditor shall determine, on the basis of the audit ISSAI 2265.8. Para. A5-
work performed, whether, individually or in combination, they constitute significant deficiencies. A11
102 The auditor shall communicate in writing significant deficiencies in internal control identified during the audit to those charged ISSAI 2265.9. Para. A12-
with governance on a timely basis. A18, A27
103 The auditor shall also communicate to management at an appropriate level of responsibility on a timely basis: (a) In writing, ISSAI 2265.10. Para. A19-
significant deficiencies in internal control that the auditor has communicated or intends to communicate to those charged with 27
governance, unless it would be inappropriate to communicate directly to management in the circumstances; and (b) Other
deficiencies in internal control identified during the audit that have not been communicated to management by other parties and
that, in the auditor’s professional judgment, are of sufficient importance to merit management’s attention.
104 The auditor shall include in the written communication of significant deficiencies in internal control:(a) A description of the ISSAI 2265.11. Para. A28
deficiencies and an explanation of their potential effects; and (b) Sufficient information to enable those charged with governance Para. A29-
and management to understand the context of the communication. In particular, the auditor shall explain that: (i) The purpose of A30
the audit was for the auditor to express an opinion on the financial statements;(ii) The audit included consideration of internal
control relevant to the preparation of the financial statements in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of internal control; and(iii) The matters being
reported are limited to those deficiencies that the auditor has identified during the audit and that the auditor has concluded are
of sufficient importance to merit being reported to those charged with governance.
105 The engagement partner and other key members of the engagement team shall be involved in planning the audit, including ISSAI 2300.5. Para. A4
planning and participating in the discussion among engagement team members.
174
106 The auditor shall undertake the following activities at the beginning of the current audit engagement:(a) Performing procedures ISSAI 2300.6. Para. A5-
required by ISA 220 regarding the continuance of the client relationship and the specific audit engagement; (b) Evaluating A7
compliance with relevant ethical requirements, including independence, in accordance with ISA 220;2 and(c) Establishing an
understanding of the terms of the engagement, as required by ISA 210.
107 The auditor shall establish an overall audit strategy that sets the scope, timing and direction of the audit, and that guides the ISSAI 2300.7.
development of the audit plan.
108 In establishing the overall audit strategy, the auditor shall:(a) Identify the characteristics of the engagement that define its ISSAI 2300.8. Para. A8-
scope;(b) Ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the A11
communications required;(c) Consider the factors that, in the auditor’s professional judgment, are significant in directing the
engagement team’s efforts;(d) Consider the results of preliminary engagement activities and, where applicable, whether
knowledge gained on other engagements performed by the engagement partner for the entity is relevant; and(e) Ascertain the
nature, timing and extent of resources necessary to perform the engagement.
109 The auditor shall develop an audit plan that shall include a description of:(a) The nature, timing and extent of planned risk ISSAI 2300.9. Para. A12
assessment procedures, as determined under ISA 315 (Revised).(b) The nature, timing and extent of planned further audit
procedures at the assertion level, as determined under ISA 330. (c) Other planned audit procedures that are required to be carried
out so that the engagement complies with ISAs.
110 The auditor shall update and change the overall audit strategy and the audit ISSAI 2300.10. Para. A13
plan as necessary during the course of the audit
111 The auditor shall plan the nature, timing and extent of direction and supervision of engagement team members and the review of ISSAI 2300.11. Para. A14-
their work. A15
112 The auditor shall include in the audit documentation:(a) The overall audit strategy;(b) The audit plan; and(c) Any significant ISSAI 2300.12 Para. A16-
changes made during the audit engagement to the overall audit strategy or the audit plan, and the reasons for such changes. A19
113 The auditor shall undertake the following activities prior to starting an initial audit:(a) Performing procedures required by ISA 220 ISSAI 2300.13 Para. A20
regarding the acceptance of the client relationship and the specific audit engagement; and(b) Communicating with the
predecessor auditor, where there has been a change of auditors, in compliance with relevant ethical requirements.
114 The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material ISSAI 2315.5 Para. A1–
misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves, however, do not provide A5
sufficient appropriate audit evidence on which to base the audit opinion
115 The risk assessment procedures shall include the following:(a) Inquiries of management, and of others within the entity who in ISSAI 2315.6 Para. A6–
the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or A13
error. (b) Analytical procedures. (c) Observation and inspection. Para.
A14–A17
Para. A18
175
116 The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance process is relevant ISSAI 2315.7
to identifying risks of material misstatement.
117 If the engagement partner has performed other engagements for the entity, the engagement partner shall consider whether ISSAI 2315.8
information obtained is relevant to identifying risks of material misstatement.
118 Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit ISSAI 2315.9 Para. A19–
procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous audit A20
that may affect its relevance to the current audit.
119 The engagement partner and other key engagement team members shall discuss the susceptibility of the entity’s financial ISSAI 2315.10 Para. A21–
statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and A23
circumstances. The engagement partner shall determine which matters are to be communicated to engagement team members
not involved in the discussion.
120 The auditor shall obtain an understanding of the following:(a) Relevant industry, regulatory, and other external factors including ISSAI 2315.11 Para. A24-
the applicable financial reporting framework. (b) The nature of the entity, including:(i) its operations;(ii) its ownership and A48
governance structures;(iii) the types of investments that the entity is making and plans to make, including investments in special-
purpose entities; and(iv) the way that the entity is structured and how it is financed to enable the auditor to understand the
classes of transactions, account balances, and disclosures to be expected in the financial statements.(c) The entity’s selection and
application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entity’s
accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and
accounting policies used in the relevant industry. (d) The entity’s objectives and strategies, and those related business risks that
may result in risks of material misstatement. (e) The measurement and review of the entity’s financial performance.
121 The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit ISSAI 2315.12 Para. A49-
are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of A72
the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit.
122 When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls ISSAI 2315.13
and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel. Para. A73-
A75
123 The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall ISSAI 2315.14 Para. A76-
evaluate whether:(a) Management, with the oversight of those charged with governance, has created and maintained a culture of A86
honesty and ethical behavior; and(b) The strengths in the control environment elements collectively provide an appropriate
foundation for the other components of internal control, and whether those other components are not undermined by
deficiencies in the control environment.
124 The auditor shall obtain an understanding of whether the entity has a process for:(a) Identifying business risks relevant to financial ISSAI 2315.15 Para. A87
reporting objectives;(b) Estimating the significance of the risks;(c) Assessing the likelihood of their occurrence; and(d) Deciding
about actions to address those risks.
176
125 If the entity has established such a process (referred to hereafter as the “entity’s risk assessment process”), the auditor shall ISSAI 2315.16
obtain an understanding of it, and the results thereof. If the auditor identifies risks of material misstatement that management
failed to identify, the auditor shall evaluate whether there was an underlying risk of a kind that the auditor expects would have
been identified by the entity’s risk assessment process. If there is such a risk, the auditor shall obtain an understanding of why
that process failed to identify it, and evaluate whether the process is appropriate to its circumstances or determine if there is a
significant deficiency in internal control with regard to the entity’s risk assessment process.
126 If the entity has not established such a process or has an ad hoc process, the auditor shall discuss with management whether ISSAI 2315.17 Para. A88
business risks relevant to financial reporting objectives have been identified and how they have been addressed. The auditor shall
evaluate whether the absence of a documented risk assessment process is appropriate in the circumstances, or determine
whether it represents a significant deficiency in internal control.
127 The auditor shall obtain an understanding of the information system, including the related business processes, relevant to ISSAI 2315.18 Para. A89-
financial reporting, including the following areas:(a) The classes of transactions in the entity’s operations that are significant to the A93
financial statements;(b) The procedures, within both information technology (IT) and manual systems, by which those
transactions are initiated, recorded, processed, corrected as necessary, transferred to the general ledger and reported in the
financial statements;(c) The related accounting records, supporting information and specific accounts in the financial statements
that are used to initiate, record, process and report transactions; this includes the correction of incorrect information and how
information is transferred to the general ledger. The records may be in either manual or electronic form;(d) How the information
system captures events and conditions, other than transactions, that are significant to the financial statements;(e) The financial
reporting process used to prepare the entity’s financial statements, including significant accounting estimates and disclosures;
and(f) Controls surrounding journal entries, including non-standard journal entries used to record non-recurring, unusual
transactions or adjustments.
128 The auditor shall obtain an understanding of how the entity communicates financial reporting roles and responsibilities and ISSAI 2315.19 Para. A94-
significant matters relating to financial reporting, including: (a) Communications between management and those charged with A95
governance; and(b) External communications, such as those with regulatory authorities.
129 The auditor shall obtain an understanding of control activities relevant to the audit, being those the auditor judges it necessary to ISSAI 2315.20 Para. A96-
understand in order to assess the risks of material misstatement at the assertion level and design further audit procedures A102
responsive to assessed risks. An audit does not require an understanding of all the control activities related to each significant
class of transactions, account balance, and disclosure in the financial statements or to every assertion relevant to them.
130 In understanding the entity’s control activities, the auditor shall obtain an understanding of how the entity has responded to risks ISSAI 2315.21 Para.
arising from IT. A103-105
131 The auditor shall obtain an understanding of the major activities that the entity uses to monitor internal control over financial ISSAI 2315.22 Para.
reporting, including those related to those control activities relevant to the audit, and how the entity initiates remedial actions to A110-
deficiencies in its controls. A112
177
132 If the entity has an internal audit function, the auditor shall obtain an understanding of the following in order to determine ISSAI 2315.23 Para.
whether the internal audit function is likely to be relevant to the audit:(a) The nature of the internal audit function’s A109-
responsibilities and how the internal audit function fits in the entity’s organizational structure; and(b) The activities performed, or A116 See
to be performed, by the internal audit function. 2610
133 The auditor shall obtain an understanding of the sources of the information used in the entity’s monitoring activities, and the ISSAI 2315.24 Para. A117
basis upon which management considers the information to be sufficiently reliable for the purpose.
134 The auditor shall identify and assess the risks of material misstatement at:(a) the financial statement level; and (b) the assertion ISSAI 2315.25 Para.
level for classes of transactions, account balances, and disclosures to provide a basis for designing and performing further audit A118-
procedures. A126
see also
Para. A113
of 2315
135 For this purpose, the auditor shall:(a) Identify risks throughout the process of obtaining an understanding of the entity and its ISSAI 2315.26 Para.
environment, including relevant controls that relate to the risks, and by considering the classes of transactions, account balances, A127-
and disclosures in the financial statements; (b) Assess the identified risks, and evaluate whether they relate more pervasively to A131
the financial statements as a whole and potentially affect many assertions;(c) Relate the identified risks to what can go wrong at see also
the assertion level, taking account of relevant controls that the auditor intends to test; and (d) Consider the likelihood of Para. A113
misstatement, including the possibility of multiple misstatements, and whether the potential misstatement is of a magnitude that of 2315
could result in a material misstatement.
136 As part of the risk assessment as described in paragraph 25, the auditor shall determine whether any of the risks identified are, in ISSAI 2315.27
the auditor’s judgment, a significant risk. In exercising this judgment, the auditor shall exclude the effects of identified controls
related to the risk.
137 In exercising judgment as to which risks are significant risks, the auditor shall consider at least the following:(a) Whether the risk is ISSAI 2315.28 Para.
a risk of fraud;(b) Whether the risk is related to recent significant economic, accounting or other developments and, therefore, A132-
requires specific attention;(c) The complexity of transactions;(d) Whether the risk involves significant transactions with related A136
parties;(e) The degree of subjectivity in the measurement of financial information related to the risk, especially those
measurements involving a wide range of measurement uncertainty; and(f) Whether the risk involves significant transactions that
are outside the normal course of business for the entity, or that otherwise appear to be unusual.
138 If the auditor has determined that a significant risk exists, the auditor shall obtain an understanding of the entity’s controls, ISSAI 2315.29 Para.
including control activities, relevant to that risk. A137-
A139
139 In respect of some risks, the auditor may judge that it is not possible or practicable to obtain sufficient appropriate audit evidence ISSAI 2315.30 Para.
only from substantive procedures. Such risks may relate to the inaccurate or incomplete recording of routine and significant A140-
classes of transactions or account balances, the characteristics of which often permit highly automated processing with little or no A142
manual intervention. In such cases, the entity’s controls over such risks are relevant to the audit and the auditor shall obtain an
understanding of them .
178
140 The auditor’s assessment of the risks of material misstatement at the assertion level may change during the course of the audit as ISSAI 2315.31 Para. A143
additional audit evidence is obtained. In circumstances where the auditor obtains audit evidence from performing further audit
procedures, or if new information is obtained, either of which is inconsistent with the audit evidence on which the auditor
originally based the assessment, the auditor shall revise the assessment and modify the further planned audit procedures
accordingly.
141 The auditor shall include in the audit documentation:(a) The discussion among the engagement team where required by ISSAI 2315.32 Para.
paragraph 10, and the significant decisions reached;(b) Key elements of the understanding obtained regarding each of the aspects A144-
of the entity and its environment specified in paragraph 11 and of each of the internal control components specified in A147
paragraphs 14-24; the sources of information from which the understanding was obtained; and the risk assessment procedures
performed;(c) The identified and assessed risks of material misstatement at the financial statement level and at the assertion level
as required by paragraph 25; and(d) The risks identified, and related controls about which the auditor has obtained an
understanding, as a result of the requirements in paragraphs 27-30.
142 When establishing the overall audit strategy, the auditor shall determine materiality for the financial statements as a whole. If, in ISSAI 2320.10 Para. A2-
the specific circumstances of the entity, there is one or more particular classes of transactions, account balances or disclosures for A11
which misstatements of lesser amounts than materiality for the financial statements as a whole could reasonably be expected to
influence the economic decisions of users taken on the basis of the financial statements, the auditor shall also determine the
materiality level or levels to be applied to those particular classes of transactions, account balances or disclosures.
143 The auditor shall determine performance materiality for purposes of assessing the risks of material misstatement and determining ISSAI 2320.11 Para. A12
the nature, timing and extent of further audit procedures.
144 The auditor shall revise materiality for the financial statements as a whole (and, if applicable, the materiality level or levels for ISSAI 2320.12 Para. A13
particular classes of transactions, account balances or disclosures) in the event of becoming aware of information during the audit
that would have caused the auditor to have determined a different amount (or amounts) initially.
145 If the auditor concludes that a lower materiality for the financial statements as a whole (and, if applicable, materiality level or ISSAI 2320.13
levels for particular classes of transactions, account balances or disclosures) than that initially determined is appropriate, the
auditor shall determine whether it is necessary to revise performance materiality, and whether the nature, timing and extent of
the further audit procedures remain appropriate.
146 The auditor shall include in the audit documentation the following amounts and the factors considered in their determination:(a) ISSAI 2320.14
Materiality for the financial statements as a whole (see paragraph 10);(b) If applicable, the materiality level or levels for particular
classes of transactions, account balances or disclosures (see paragraph 10);(c) Performance materiality (see paragraph 11); and(d)
Any revision of (a)-(c) as the audit progressed (see paragraphs 12-13).
147 The auditor shall design and implement overall responses to address the assessed risks of material misstatements at the financial ISSAI 2330.5 Para. A1-
statement level. A3
148 The auditor shall design and perform further audit procedures whose nature, timing, and extent are based on and are responsive ISSAI 2330.6 Para. A4-
to the assessed risks of material misstatement at the assertion level. A8
179
149 In designing the further audit procedures to be performed, the auditor shall:(a) Consider the reasons for the assessment given to ISSAI 2330.7 Para. A9-
the risk of material misstatement at the assertion level for each class of transactions, account balance, and disclosure, including:(i) A19
The likelihood of material misstatement due to the particular characteristics of the relevant class of transactions, account balance,
or disclosure (that is, the inherent risk); and(ii) Whether the risk assessment takes account of relevant controls(that is, the control
risk), thereby requiring the auditor to obtain audit evidence to determine whether the controls are operating effectively (that is,
the auditor intends to rely on the operating effectiveness of controls in determining the nature, timing and extent of substantive
procedures); and (b) Obtain more persuasive audit evidence the higher the auditor’s assessment of risk.
150 The auditor shall design and perform tests of controls to obtain sufficient appropriate audit evidence as to the operating ISSAI 2330.8 Para. A20-
effectiveness of relevant controls if:(a) The auditor’s assessment of risks of material misstatement at the assertion level includes A24
an expectation that the controls are operating effectively (that is, the auditor intends to rely on the operating effectiveness of
controls in determining the nature, timing and extent of substantive procedures); or(b) Substantive procedures alone cannot
provide sufficient appropriate audit evidence at the assertion level
151 In designing and performing tests of controls, the auditor shall:(a) Perform other audit procedures in combination with inquiry to ISSAI 2330.10 Para. A26-
obtain audit evidence about the operating effectiveness of the controls, including:(i) How the controls were applied at relevant A31
times during the period under audit;(ii) The consistency with which they were applied; and(iii) By whom or by what means they
were applied. (b) Determine whether the controls to be tested depend upon other controls(indirect controls) and, if so, whether it
is necessary to obtain audit evidence supporting the effective operation of those indirect controls.
152 The auditor shall test controls for the particular time, or throughout the period, for which the auditor intends to rely on those ISSAI 2330.11 Para. A32
controls, subject to paragraphs 12 and 15 below, in order to provide an appropriate basis for the auditor’s intended reliance.
153 If the auditor obtains audit evidence about the operating effectiveness of controls during an interim period, the auditor shall:(a) ISSAI 2330.12 Para. A33-
Obtain audit evidence about significant changes to those controls subsequent to the interim period; and(b) Determine the A34
additional audit evidence to be obtained for the remaining period.
154 In determining whether it is appropriate to use audit evidence about the operating effectiveness of controls obtained in previous ISSAI 2330.13 Para. A35
audits, and, if so, the length of the time period that may elapse before retesting a control, the auditor shall consider the
following:(a) The effectiveness of other elements of internal control, including the control environment, the entity’s monitoring of
controls, and the entity's risk assessment process;(b) The risks arising from the characteristics of the control, including whether it
is manual or automated; (c) The effectiveness of general IT-controls;(d) The effectiveness of the control and its application by the
entity, including the nature and extent of deviations in the application of the control noted in previous audits, and whether there
have been personnel changes that significantly affect the application of the control;(e) Whether the lack of a change in a
particular control poses a risk due to changing circumstances; and(f) The risks of material misstatement and the extent of reliance
on the control.
180
155 If the auditor plans to use audit evidence from a previous audit about the operating effectiveness of specific controls, the auditor ISSAI 2330.14 Para. A36-
shall establish the continuing relevance of that evidence by obtaining audit evidence about whether significant changes in those A39
controls have occurred subsequent to the previous audit. The auditor shall obtain this evidence by performing inquiry combined
with observation or inspection, to confirm the understanding of those specific controls, and:(a) If there have been changes that
affect the continuing relevance of the audit evidence from the previous audit, the auditor shall test the controls in the current
audit. (b) If there have not been such changes, the auditor shall test the controls at least once in every third audit, and shall test
some controls each audit to avoid the possibility of testing all the controls on which the auditor intends to rely in a single audit
period with no testing of controls in the subsequent two audit periods.
156 If the auditor plans to rely on controls over a risk the auditor has determined to be a significant risk, the auditor shall test those ISSAI 2330.15
controls in the current period.
157 When evaluating the operating effectiveness of relevant controls, the auditor shall evaluate whether misstatements that have ISSAI 2330.16 Para. A40
been detected by substantive procedures indicate that controls are not operating effectively. The absence of misstatements
detected by substantive procedures, however, does not provide audit evidence that controls related to the assertion being tested
are effective.
158 If deviations from controls upon which the auditor intends to rely are detected, the auditor shall make specific inquiries to ISSAI 2330.17 Para. A41
understand these matters and their potential consequences, and shall determine whether: (a) The tests of controls that have
been performed provide an appropriate basis for reliance on the controls;(b) Additional tests of controls are necessary; or(c) The
potential risks of misstatement need to be addressed using substantive procedures.
159 Irrespective of the assessed risks of material misstatement, the auditor shall design and perform substantive procedures for each ISSAI 2330.18 Para. A42-
material class of transactions, account balance, and disclosure. A47
160 The auditor shall consider whether external confirmation procedures are to be performed as substantive audit procedures. ISSAI 2330.19 Para. A48-
A51
161 The auditor’s substantive procedures shall include the following audit procedures related to the financial statement closing ISSAI 2330.20 Para. A52
process:(a) Agreeing or reconciling the financial statements with the underlying accounting records; and(b) Examining material
journal entries and other adjustments made during the course of preparing the financial statements.
162 If the auditor has determined that an assessed risk of material misstatement at the assertion level is a significant risk, the auditor ISSAI 2330.21 Para. A53
shall perform substantive procedures that are specifically responsive to that risk. When the approach to a significant risk consists
only of substantive procedures, those procedures shall include tests of details.
163 If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing:(a) ISSAI 2330.22 Para. A54-
substantive procedures, combined with tests of controls for the intervening period; or(b) if the auditor determines that it is A57
sufficient, further substantive procedures only, that provide a reasonable basis for extending the audit conclusions from the
interim date to the period end.
181
164 If misstatements that the auditor did not expect when assessing the risks of material misstatement are detected at an interim ISSAI 2330.23 Para. A58
date, the auditor shall evaluate whether the related assessment of risk and the planned nature, timing, or extent of substantive
procedures covering the remaining period need to be modified.
165 The auditor shall perform audit procedures to evaluate whether the overall presentation of the financial statements, including the ISSAI 2330.24 Para. A59
related disclosures, is in accordance with the applicable financial reporting framework.
166 Based on the audit procedures performed and the audit evidence obtained, the auditor shall evaluate before the conclusion of ISSAI 2330.25 Para. A60-
the audit whether the assessments of the risks of material misstatement at the assertion level remain appropriate. A61
167 The auditor shall conclude whether sufficient appropriate audit evidence has been obtained. In forming an opinion, the auditor ISSAI 2330.26 Para. A62
shall consider all relevant audit evidence, regardless of whether it appears to corroborate or to contradict the assertions in the
financial statements.
168 If the auditor has not obtained sufficient appropriate audit evidence as to a material financial statement assertion, the auditor ISSAI 2330.27
shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor
shall express a qualified opinion or disclaim an opinion on the financial statements.
169 The auditor shall include in the audit documentation:(a) The overall responses to address the assessed risks of material ISSAI 2330.28 Para. A63
misstatement at the financial statement level, and the nature, timing and extent of the further audit procedures performed;(b)
The linkage of those procedures with the assessed risks at the assertion level; and(c) The results of the audit procedures, including
the conclusions where these are not otherwise clear.
170 If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor ISSAI 2330.29
shall include in the audit documentation the conclusions reached about relying on such controls that were tested in a previous
audit.
171 The auditor’s documentation shall demonstrate that the financial statements agree or reconcile with the underlying accounting ISSAI 2330.30
records.
172 When obtaining an understanding of the user entity in accordance with ISA 315 (Revised) the user auditor shall obtain an ISSAI 2402.9 Para. A1-
understanding of how a user entity uses the services of a service organization in the user entity’s operations, including:(a) The A11
nature of the services provided by the service organization and the significance of those services to the user entity, including the
effect thereof on the user entity’s internal control; (b) The nature and materiality of the transactions processed or accounts or
financial reporting processes affected by the service organization;(c) The degree of interaction between the activities of the
service organization and those of the user entity; and (d) The nature of the relationship between the user entity and the service
organization, including the relevant contractual terms for the activities undertaken by the service organization.
173 When obtaining an understanding of internal control relevant to the audit in accordance with ISA 315 (Revised) the user auditor ISSAI 2402.10 Para. A12-
shall evaluate the design and implementation of relevant controls at the user entity that relate to the services provided by the A14
service organization, including those that are applied to the transactions processed by the service organization.
182
174 The user auditor shall determine whether a sufficient understanding of the nature and significance of the services provided by the ISSAI 2402.11
service organization and their effect on the user entity’s internal control relevant to the audit has been obtained to provide a basis
for the identification and assessment of risks of material misstatement.
175 If the user auditor is unable to obtain a sufficient understanding from the user entity, the user auditor shall obtain that ISSAI 2402.12 Para. A15-
understanding from one or more of the following procedures:(a) Obtaining a type 1 or type 2 report, if available;(b) Contacting A20
the service organization, through the user entity, to obtain specific information.c)Visiting the service organization and performing
procedures that will provide the necessary information about the relevant controls at the service organization; or(d) Using
another auditor to perform procedures that will provide the necessary information about the relevant controls at the service
organization.
176 In determining the sufficiency and appropriateness of the audit evidence provided by a type 1 or type 2 report, the user auditor ISSAI 2402.13 Para. A 21
shall be satisfied as to:(a) The service auditor’s professional competence and independence from the service organization; and(b)
The adequacy of the standards under which the type 1 or type 2 report was issued.
177 If the user auditor plans to use a type 1 or type 2 report as audit evidence to support the user auditor’s understanding about the ISSAI 2402.14 Para. A22-
design and implementation of controls at the service organization, the user auditor shall:(a) Evaluate whether the description and A23
design of controls at the service organization is at a date or for a period that is appropriate for the user auditor’s purposes;(b)
Evaluate the sufficiency and appropriateness of the evidence provided by the report for the understanding of the user entity’s
internal control relevant to the audit; and(c) Determine whether complementary user entity controls identified by the service
organization are relevant to the user entity and, if so, obtain an understanding of whether the user entity has designed and
implemented such controls.
178 In responding to assessed risks in accordance with ISA 330, the user auditor shall:(a) Determine whether sufficient appropriate ISSAI 2402.15 Para.A24-
audit evidence concerning the relevant financial statement assertions is available from records held at the user entity; and, if A28
not,(b) Perform further audit procedures to obtain sufficient appropriate audit evidence or use another auditor to perform those
procedures at the service organization on the user auditor’s behalf.
179 When the user auditor’s risk assessment includes an expectation that controls at the service organization are operating ISSAI 2402.16 Para. A29-
effectively, the user auditor shall obtain audit evidence about the operating effectiveness of those controls from one or more of A30
the following procedures:(a) Obtaining a type 2 report, if available;(b) Performing appropriate tests of controls at the service
organization; or(c) Using another auditor to perform tests of controls at the service organization on behalf of the user auditor.
183
180 If, in accordance with paragraph 16(a), the user auditor plans to use a type 2 report as audit evidence that controls at the service ISSAI 2402.17 Para. A31-
organization are operating effectively, the user auditor shall determine whether the service auditor’s report provides sufficient A39
appropriate audit evidence about the effectiveness of the controls to support the user auditor’s risk assessment by:(a) Evaluating
whether the description, design and operating effectiveness of controls at the service organization is at a date or for a period that
is appropriate for the user auditor’s purposes;(b) Determining whether complementary user entity controls identified by the
service organization are relevant to the user entity and, if so, obtaining an understanding of whether the user entity has designed
and implemented such controls and, if so, testing their operating effectiveness;(c) Evaluating the adequacy of the time period
covered by the tests of controls and the time elapsed since the performance of the tests of controls; and(d) Evaluating whether
the tests of controls performed by the service auditor and the results thereof, as described in the service auditor’s report, are
relevant to the assertions in the user entity’s financial statements and provide sufficient appropriate audit evidence to support
the user auditor’s risk assessment.
181 If the user auditor plans to use a type 1 or a type 2 report that excludes the services provided by a subservice organization and ISSAI 2402.18 Para. A40
those services are relevant to the audit of the user entity’s financial statements, the user auditor shall apply the requirements of
this ISA with respect to the services provided by the subservice organization.
182 The user auditor shall inquire of management of the user entity whether the service organization has reported to the user entity, ISSAI 2402.19 Para. A41
or whether the user entity is otherwise aware of, any fraud, non-compliance with laws and regulations or uncorrected
misstatements affecting the financial statements of the user entity. The user auditor shall evaluate how such matters affect the
nature, timing and extent of the user auditor’s further audit procedures, including the effect on the user auditor’s conclusions and
user auditor’s report.
183 The user auditor shall modify the opinion in the user auditor’s report in accordance with ISA 705 (Revised) if the user auditor is ISSAI 2402.20 Para. A42
unable to obtain sufficient appropriate audit evidence regarding the services provided by the service organization relevant to the
audit of the user entity’s financial statements.
184 The user auditor shall not refer to the work of a service auditor in the user auditor’s report containing an unmodified opinion ISSAI 2402.21 Para. A43
unless required by law or regulation to do so. If such reference is required by law or regulation, the user auditor’s report shall
indicate that the reference does not diminish the user auditor’s responsibility for the audit opinion.
185 If reference to the work of a service auditor is relevant to an understanding of a modification to the user auditor’s opinion, the ISSAI 2402.22 Para. A44
user auditor’s report shall indicate that such reference does not diminish the user auditor’s responsibility for that opinion.
186 The auditor shall accumulate misstatements identified during the audit, other than those that are clearly trivial. ISSAI 2450.5 Para. A2-
A3
187 The auditor shall determine whether the overall audit strategy and audit plan need to be revised if:(a) The nature of identified ISSAI 2450.6 Para. A4-
misstatements and the circumstances of their occurrence indicate that other misstatements may exist that, when aggregated with A5
misstatements accumulated during the audit, could be material; or (b) The aggregate of misstatements accumulated during the
audit approaches materiality determined in accordance with ISA 320.
184
188 If, at the auditor’s request, management has examined a class of transactions, account balance or disclosure and corrected ISSAI 2450.7 Para. A6
misstatements that were detected, the auditor shall perform additional audit procedures to determine whether misstatements
remain.
189 The auditor shall communicate on a timely basis all misstatements accumulated during the audit with the appropriate level of ISSAI 2450.8 Para. A7-
management, unless prohibited by law or regulation. The auditor shall request management to correct those misstatements. A9
190 If management refuses to correct some or all of the misstatements communicated by the auditor, the auditor shall obtain an ISSAI 2450.9
understanding of management’s reasons for not making the corrections and shall take that understanding into account when Para. A10
evaluating whether the financial statements as a whole are free from material misstatement.
191 Prior to evaluating the effect of uncorrected misstatements, the auditor shall reassess materiality determined in accordance with ISSAI 2450.10 Para. A11-
ISA 320 to confirm whether it remains appropriate in the context of the entity’s actual financial results. A12
192 The auditor shall determine whether uncorrected misstatements are material, individually or in aggregate. In making this ISSAI 2450.11 Para. A13-
determination, the auditor shall consider:(a) The size and nature of the misstatements, both in relation to particular classes of A20
transactions, account balances or disclosures and the financial statements as a whole, and the particular circumstances of their
occurrence; and (b) The effect of uncorrected misstatements related to prior periods on the relevant classes of transactions,
account balances or disclosures, and the financial statements as a whole.
193 The auditor shall communicate with those charged with governance uncorrected misstatements and the effect that they, ISSAI 2450.12 Para. A21-
individually or in aggregate, may have on the opinion in the auditor’s report, unless prohibited by law or regulation. The auditor’s A23
communication shall identify material uncorrected misstatements individually. The auditor shall request that uncorrected
misstatements be corrected.
194 The auditor shall also communicate with those charged with governance the effect of uncorrected misstatements related to prior ISSAI 2450.13
periods on the relevant classes of transactions, account balances or disclosures, and the financial statements as a whole.
195 The auditor shall request a written representation from management and, where appropriate, those charged with governance ISSAI 2450.14 Para. A24
whether they believe the effects of uncorrected misstatements are immaterial, individually and in aggregate, to the financial
statements as a whole. A summary of such items shall be included in or attached to the written representation
196 The auditor shall include in the audit documentation: (a) The amount below which misstatements would be regarded as clearly ISSAI 2450.15 Para. A25
trivial (paragraph 5);(b) All misstatements accumulated during the audit and whether they have been corrected (paragraphs 5, 8
and 12); and(c) The auditor’s conclusion as to whether uncorrected misstatements are material, individually or in aggregate, and
the basis for that conclusion(paragraph 11).
197 If information to be used as audit evidence has been prepared using the work of a management’s expert, the auditor shall, to the ISSAI 2500.8 Para. A34-
extent necessary, having regard to the significance of that expert’s work for the auditor’s purposes: (a) Evaluate the competence, A48
capabilities and objectivity of that expert; (b) Obtain an understanding of the work of that expert; and (c) Evaluate the
appropriateness of that expert’s work as audit evidence for the relevant assertion.
185
198 When using information produced by the entity, the auditor shall evaluate whether the information is sufficiently reliable for the ISSAI 2500.9 Para. A49-
auditor’s purposes, including as necessary in the circumstances:(a) Obtaining audit evidence about the accuracy and A51
completeness of the information; and (b) Evaluating whether the information is sufficiently precise and detailed for the auditor’s
purposes.
199 When designing tests of controls and tests of details, the auditor shall determine means of selecting items for testing that are ISSAI 2500.10 Para. A52-
effective in meeting the purpose of the audit procedure. A56
200 If: (a) audit evidence obtained from one source is inconsistent with that obtained from another; or(b) the auditor has doubts over ISSAI 2500.11 Para. A57
the reliability of information to be used as audit evidence,
the auditor shall determine what modifications or additions to audit procedures are necessary to resolve the matter, and shall
consider the effect of the matter, if any, on other aspects of the audit.
201 If inventory is material to the financial statements, the auditor shall obtain sufficient appropriate audit evidence regarding the ISSAI 2501.4 Para. A1-
existence and condition of inventory by:(a) Attendance at physical inventory counting, unless impracticable, to: (i) Evaluate A8
management’s instructions and procedures for recording and controlling the results of the entity’s physical inventory counting; (ii)
Observe the performance of management’s count procedures; (iii) Inspect the inventory; and (iv) Perform test counts; and (b)
Performing audit procedures over the entity’s final inventory records to determine whether they accurately reflect actual
inventory count results.
202 If physical inventory counting is conducted at a date other than the date of the financial statements, the auditor shall, in addition ISSAI 2501.5 Para. A9-
to the procedures required by paragraph 4, perform audit procedures to obtain audit evidence about whether changes in A11
inventory between the count date and the date of the financial statements are properly recorded.
203 If the auditor is unable to attend physical inventory counting due to unforeseen circumstances, the auditor shall make or observe ISSAI 2501.6
some physical counts on an alternative date, and perform audit procedures on intervening transactions.
204 If attendance at physical inventory counting is impracticable, the auditor shall perform alternative audit procedures to obtain ISSAI 2501.7 Para. A12-
sufficient appropriate audit evidence regarding the existence and condition of inventory. If it is not possible to do so, the auditor A14
shall modify the opinion in the auditor’s report in accordance with ISA 705 (Revised).
205 If inventory under the custody and control of a third party is material to the financial statements, the auditor shall obtain ISSAI 2501.8 Para. A15-
sufficient appropriate audit evidence regarding the existence and condition of that inventory by performing one or both of the A16
following:(a) Request confirmation from the third party as to the quantities and condition of inventory held on behalf of the
entity. (b) Perform inspection or other audit procedures appropriate in the circumstances.
206 The auditor shall design and perform audit procedures in order to identify litigation and claims involving the entity which may give ISSAI 2501.9 Para. A17-
rise to a risk of material misstatement, including: (a) Inquiry of management and, where applicable, others within the entity, A20
including in-house legal counsel;(b) Reviewing minutes of meetings of those charged with governance and correspondence
between the entity and its external legal counsel; and(c) Reviewing legal expense accounts.
186
207 If the auditor assesses a risk of material misstatement regarding litigation or claims that have been identified, or when audit ISSAI 2501.10 Para. A21-
procedures performed indicate that other material litigation or claims may exist, the auditor shall, in addition to the procedures A25
required by other ISAs, seek direct communication with the entity’s external legal counsel. The auditor shall do so through a letter
of inquiry, prepared by management and sent by the auditor, requesting the entity’s external legal counsel to communicate
directly with the auditor. If law, regulation or the respective legal professional body prohibits the entity’s external legal counsel
from communicating directly with the auditor, the auditor shall perform alternative audit procedures.
208 If:(a) management refuses to give the auditor permission to communicate or meet with the entity’s external legal counsel, or the ISSAI 2501.11
entity’s external legal counsel refuses to respond appropriately to the letter of inquiry, or is prohibited from responding; and(b)
the auditor is unable to obtain sufficient appropriate audit evidence by performing alternative audit procedures, the auditor shall
modify the opinion in the auditor’s report in accordance with ISA 705 (Revised).
209 The auditor shall request management and, where appropriate, those charged with governance to provide written ISSAI 2501.12
representations that all known actual or possible litigation and claims whose effects should be considered when preparing the
financial statements have been disclosed to the auditor and accounted for and disclosed in accordance with the applicable
financial reporting framework.
210 The auditor shall obtain sufficient appropriate audit evidence regarding the presentation and disclosure of segment information in ISSAI 2501.13 Para. A26
accordance with the applicable financial reporting framework by: (a) Obtaining an understanding of the methods used by Para. A27
management in determining segment information, and: (i) Evaluating whether such methods are likely to result in disclosure in
accordance with the applicable financial reporting framework; and(ii) Where appropriate, testing the application of such methods;
and(b) Performing analytical procedures or other audit procedures appropriate in the circumstances.
211 When using external confirmation procedures, the auditor shall maintain control over external confirmation requests, ISSAI 2505.7 Para.A1;
including:(a) Determining the information to be confirmed or requested; (b) Selecting the appropriate confirming party(c) Para. A2
Designing the confirmation requests, including determining that requests are properly addressed and contain return information Para A3-
for responses to be sent directly to the auditor; and (d) Sending the requests, including follow-up requests when applicable, to the A6; Para.
confirming party. A7
212 If management refuses to allow the auditor to send a confirmation request, the auditor shall:(a) Inquire as to management’s ISSAI 2505.8 Para. A8-
reasons for the refusal, and seek audit evidence as to their validity and reasonableness; (b) Evaluate the implications of A10
management’s refusal on the auditor’s assessment of the relevant risks of material misstatement, including the risk of fraud, and
on the nature, timing and extent of other audit procedures; and (c) Perform alternative audit procedures designed to obtain
relevant and reliable audit evidence.
213 If the auditor concludes that management’s refusal to allow the auditor to send a confirmation request is unreasonable, or the ISSAI 2505.9
auditor is unable to obtain relevant and reliable audit evidence from alternative audit procedures, the auditor shall communicate
with those charged with governance in accordance with ISA 260 (Revised).The auditor also shall determine the implications for
the audit and the auditor’s opinion in accordance with ISA 705 (Revised).
214 If the auditor identifies factors that give rise to doubts about the reliability of the response to a confirmation request, the auditor ISSAI 2505.10 Para. A11-
shall obtain further audit evidence to resolve those doubts. A16
187
215 If the auditor determines that a response to a confirmation request is not reliable, the auditor shall evaluate the implications on ISSAI 2505.11 Para. A17
the assessment of the relevant risks of material misstatement, including the risk of fraud, and on the related nature, timing and
extent of other audit procedures.
216 In the case of each non-response, the auditor shall perform alternative audit procedures to obtain relevant and reliable audit ISSAI 2505.12 Para. A18-
evidence. A19
217 If the auditor has determined that a response to a positive confirmation request is necessary to obtain sufficient appropriate audit ISSAI 2505.13 Para. A20
evidence, alternative audit procedures will not provide the audit evidence the auditor requires. If the auditor does not obtain such
confirmation, the auditor shall determine the implications for the audit and the auditor’s opinion in accordance with ISA 705
(Revised).
218 The auditor shall investigate exceptions to determine whether or not they are indicative of misstatements. ISSAI 2505.14 Para. A21-
A22
219 Negative confirmations provide less persuasive audit evidence than positive confirmations. Accordingly, the auditor shall not use ISSAI 2505.15 Para. A23
negative confirmation requests as the sole substantive audit procedure to address an assessed risk of material misstatement at
the assertion level unless all of the following are present: (a) The auditor has assessed the risk of material misstatement as low
and has obtained sufficient appropriate audit evidence regarding the operating effectiveness of controls relevant to the
assertion;(b) The population of items subject to negative confirmation procedures comprises a large number of small,
homogeneous, account balances, transactions or conditions;(c) A very low exception rate is expected; and(d) The auditor is not
aware of circumstances or conditions that would cause recipients of negative confirmation requests to disregard such requests.
220 The auditor shall read the most recent financial statements, if any, and the predecessor auditor’s report thereon, if any, for ISSAI 2510.5
information relevant to opening balances, including disclosures.
221 The auditor shall obtain sufficient appropriate audit evidence about whether the opening balances contain misstatements that ISSAI 2510.6 Para. A1–
materially affect the current period’s financial statements by:(a) Determining whether the prior period’s closing balances have A7
been correctly brought forward to the current period or, when appropriate, have been restated;(b) Determining whether the
opening balances reflect the application of appropriate accounting policies; and(c) Performing one or more of the following: (i)
Where the prior year financial statements were audited, reviewing the predecessor auditor’s working papers to obtain evidence
regarding the opening balances;(ii) Evaluating whether audit procedures performed in the current period provide evidence
relevant to the opening balances; or(iii) Performing specific audit procedures to obtain evidence regarding the opening balances.
222 If the auditor obtains audit evidence that the opening balances contain misstatements that could materially affect the current ISSAI 2510.7
period’s financial statements, the auditor shall perform such additional audit procedures as are appropriate in the circumstances
to determine the effect on the current period’s financial statements. If the auditor concludes that such misstatements exist in the
current period’s financial statements, the auditor shall communicate the misstatements with the appropriate level of
management and those charged with governance in accordance with ISA 450.
188
223 The auditor shall obtain sufficient appropriate audit evidence about whether the accounting policies reflected in the opening ISSAI 2510.8
balances have been consistently applied in the current period’s financial statements, and whether changes in the accounting
policies have been appropriately accounted for and adequately presented and disclosed in accordance with the applicable
financial reporting framework.
224 If the prior period’s financial statements were audited by a predecessor auditor and there was a modification to the opinion, the ISSAI 2510.9
auditor shall evaluate the effect of the matter giving rise to the modification in assessing the risks of material misstatement in the
current period’s financial statements in accordance with ISA 315 (Revised).
225 If the auditor is unable to obtain sufficient appropriate audit evidence regarding the opening balances, the auditor shall express a ISSAI 2510.10 Para. A8
qualified opinion or disclaim an opinion on the financial statements, as appropriate, in accordance with ISA 705 (Revised).
226 If the auditor concludes that the opening balances contain a misstatement that materially affects the current period’s financial ISSAI 2510.11
statements, and the effect of the misstatement is not appropriately accounted for or not adequately presented or disclosed, the
auditor shall express a qualified opinion or an adverse opinion, as appropriate, in accordance with ISA 705 (Revised).
227 If the auditor concludes that:(a) the current period’s accounting policies are not consistently applied in relation to opening ISSAI 2510.12
balances in accordance with the applicable financial reporting framework; or (b) a change in accounting policies is not
appropriately accounted for or not adequately presented or disclosed in accordance with the applicable financial reporting
framework, the auditor shall express a qualified opinion or an adverse opinion as appropriate in accordance with ISA 705
(Revised).
228 If the predecessor auditor’s opinion regarding the prior period’s financial statements included a modification to the auditor’s ISSAI 2510.13 Para. A9
opinion that remains relevant and material to the current period’s financial statements, the auditor shall modify the auditor’s
opinion on the current period’s financial statements in accordance with ISA 705 (Revised) and ISA 710.
229 When designing and performing substantive analytical procedures, either alone or in combination with tests of details, as ISSAI 2520.5 Para. A4-
substantive procedures in accordance with ISA 330 the auditor shall: (a) Determine the suitability of particular substantive A15; Para
analytical procedures for given assertions, taking account of the assessed risks of material misstatement and tests of details, if A16
any, for these assertions; (b) Evaluate the reliability of data from which the auditor’s expectation of recorded amounts or ratios is
developed, taking account of source, comparability, and nature and relevance of information available, and controls over
preparation; (c) Develop an expectation of recorded amounts or ratios and evaluate whether the expectation is sufficiently
precise to identify a misstatement that, individually or when aggregated with other misstatements, may cause the financial
statements to be materially misstated; and (d) Determine the amount of any difference of recorded amounts from expected
values that is acceptable without further investigation as required by paragraph 7.
230 The auditor shall design and perform analytical procedures near the end of the audit that assist the auditor when forming an ISSAI 2520.6 Para. A17-
overall conclusion as to whether the financial statements are consistent with the auditor’s understanding of the entity. A19
189
231 If analytical procedures performed in accordance with this ISA identify fluctuations or relationships that are inconsistent with ISSAI 2520.7 Para. A20-
other relevant information or that differ from expected values by a significant mount, the auditor shall investigate such A21
differences by:(a) Inquiring of management and obtaining appropriate audit evidence relevant to management’s responses;
and(b) Performing other audit procedures as necessary in the circumstances.
232 The auditor shall perform audit procedures, appropriate to the purpose, on each item selected. ISSAI 2530.9
233 If the audit procedure is not applicable to the selected item, the auditor shall perform the procedure on a replacement item. ISSAI 2530.10 Para. A14
234 If the auditor is unable to apply the designed audit procedures, or suitable alternative procedures, to a selected item, the auditor ISSAI 2530.11 Para. A15-
shall treat that item as a deviation from the prescribed control, in the case of tests of controls, or a misstatement, in the case of A16
tests of details.
235 The auditor shall investigate the nature and cause of any deviations or misstatements identified and evaluate their possible effect ISSAI 2530.12 Para. A17
on the purpose of the audit procedure and on other areas of the audit.
236 In the extremely rare circumstances when the auditor considers a misstatement or deviation discovered in a sample to be an ISSAI 2530.13
anomaly, the auditor shall obtain a high degree of certainty that such misstatement or deviation is not representative of the
population. The auditor shall obtain this degree of certainty by performing additional audit procedures to obtain sufficient
appropriate audit evidence that the misstatement or deviation does not affect the remainder of the population.
237 For tests of details, the auditor shall project misstatements found in the sample to the population. ISSAI 2530.14 Para. A18-
A20
238 The auditor shall evaluate:(a) The results of the sample; and (b) Whether the use of audit sampling has provided a reasonable ISSAI 2530.15 Para. A21-
basis for conclusions about the population that has been tested. A23
239 When performing risk assessment procedures and related activities to obtain an understanding of the entity and its environment, ISSAI 2540.8 Para. A12-
including the entity’s internal control, as required by ISA 315 (Revised) the auditor shall obtain an understanding of the following 38
in order to provide a basis for the identification and assessment of the risks of material misstatement for accounting estimates: (a)
The requirements of the applicable financial reporting framework relevant to accounting estimates, including related disclosures.
(b) How management identifies those transactions, events and conditions that may give rise to the need for accounting estimates
to be recognized or disclosed in the financial statements. In obtaining this understanding, the auditor shall make inquiries of
management about changes in circumstances that may give rise to new, or the need to revise existing, accounting estimates. (c)
How management makes the accounting estimates, and an understanding of the data on which they are based, including: (i) The
method, including where applicable the model, used in making the accounting estimate; (ii) Relevant controls; (iii) Whether
management has used an expert; (iv) The assumptions underlying the accounting estimates; (v) Whether there has been or ought
to have been a change from the prior period in the methods for making the accounting estimates, and if so, why; and (vi) Whether
and, if so, how management has assessed the effect of estimation uncertainty.
190
240 The auditor shall review the outcome of accounting estimates included in the prior period financial statements, or, where ISSAI 2540.9 Para. A39-
applicable, their subsequent re-estimation for the purpose of the current period. The nature and extent of the auditor’s review A44
takes account of the nature of the accounting estimates, and whether the information obtained from the review would be
relevant to identifying and assessing risks of material misstatement of accounting estimates made in the current period financial
statements. However, the review is not intended to call into question the judgments made in the prior periods that were based on
information available at the time.
241 In identifying and assessing the risks of material misstatement, as required by ISA 315 (Revised) the auditor shall evaluate the ISSAI 2540.10 Para. A45-
degree of estimation uncertainty associated with an accounting estimate. A46
242 The auditor shall determine whether, in the auditor’s judgment, any of those accounting estimates that have been identified as ISSAI 2540.11 Para. A47-
having high estimation uncertainty give rise to significant risks. A51
243 Based on the assessed risks of material misstatement, the auditor shall determine: (a) Whether management has appropriately ISSAI 2540.12 Para. A52-
applied the requirements of the applicable financial reporting framework relevant to the accounting estimate; and (b) Whether 58
the methods for making the accounting estimates are appropriate and have been applied consistently, and whether changes, if
any, in accounting estimates or in the method for making them from the prior period are appropriate in the circumstances.
244 In responding to the assessed risks of material misstatement, as required by ISA 330 the auditor shall undertake one or more of ISSAI 2540.13 Para. A59-
the following, taking account of the nature of the accounting estimate: (a) Determine whether events occurring up to the date of A95
the auditor’s report provide audit evidence regarding the accounting estimate. (b) Test how management made the accounting
estimate and the data on which it is based. In doing so, the auditor shall evaluate whether: (i) The method of measurement used
is appropriate in the circumstances; and (ii) The assumptions used by management are reasonable in light of the measurement
objectives of the applicable financial reporting framework. (c) Test the operating effectiveness of the controls over how
management made the accounting estimate, together with appropriate substantive procedures. (d) Develop a point estimate or a
range to evaluate management’s point estimate. For this purpose: (i) If the auditor uses assumptions or methods that differ from
management’s, the auditor shall obtain an understanding of management’s assumptions or methods sufficient to establish that
the auditor’s point estimate or range takes into account relevant variables and to evaluate any significant differences from
management’s point estimate. (ii) If the auditor concludes that it is appropriate to use a range, the auditor shall narrow the range,
based on audit evidence available, until all outcomes within the range are considered reasonable.
245 In determining the matters identified in paragraph 12 or in responding to the assessed risks of material misstatement in ISSAI 2540.14 Para. A96-
accordance with paragraph 13, the auditor shall consider whether specialized skills or knowledge in relation to one or more A101
aspects of the accounting estimates are required in order to obtain sufficient appropriate audit evidence.
191
246 For accounting estimates that give rise to significant risks, in addition to other substantive procedures performed to meet the ISSAI 2540.15 Para.
requirements of ISA 330, the auditor shall evaluate the following: (a) How management has considered alternative assumptions or A102-
outcomes, and why it has rejected them, or how management has otherwise addressed estimation uncertainty in making the A110
accounting estimate. (b) Whether the significant assumptions used by management are reasonable. (c) Where relevant to the
reasonableness of the significant assumptions used by management or the appropriate application of the applicable financial
reporting framework, management’s intent to carry out specific courses of action and its ability to do so.
247 If, in the auditor’s judgment, management has not adequately addressed the effects of estimation uncertainty on the accounting ISSAI 2540.16 Para.
estimates that give rise to significant risks, the auditor shall, if considered necessary, develop a range with which to evaluate the A111-
reasonableness of the accounting estimate. A112
248 For accounting estimates that give rise to significant risks, the auditor shall obtain sufficient appropriate audit evidence about ISSAI 2540.17 Para.
whether:(a) management’s decision to recognize, or to not recognize, the accounting estimates in the financial statements; and A113-
(b) the selected measurement basis for the accounting estimates, are in accordance with the requirements of the applicable A115
financial reporting framework.
249 The auditor shall evaluate, based on the audit evidence, whether the accounting estimates in the financial statements are either ISSAI 2540.18 Para.
reasonable in the context of the applicable financial reporting framework, or are misstated. A116-
A119
250 The auditor shall obtain sufficient appropriate audit evidence about whether the disclosures in the financial statements related to ISSAI 2540.19 Para.
accounting estimates are in accordance with the requirements of the applicable financial reporting framework. A120-
A121
251 For accounting estimates that give rise to significant risks, the auditor shall also evaluate the adequacy of the disclosure of their ISSAI 2540.20 Para.
estimation uncertainty in the financial statements in the context of the applicable financial reporting framework. A122-
A123
252 The auditor shall review the judgments and decisions made by management in the making of accounting estimates to identify ISSAI 2540.21 Para.
whether there are indicators of possible management bias. Indicators of possible management bias do not themselves constitute A124-
misstatements for the purposes of drawing conclusions on the reasonableness of individual accounting estimates. A125
253 The auditor shall obtain written representations from management and, where appropriate, those charged with governance ISSAI 2540.22 Para.A126-
whether they believe significant assumptions used in making accounting estimates are reasonable. A127
254 The auditor shall include in the audit documentation:8(a) The basis for the auditor’s conclusions about the reasonableness of ISSAI 2540.23 Para. A128
accounting estimates and their disclosure that give rise to significant risks; and(b) Indicators of possible management bias, if any.
255 As part of the risk assessment procedures and related activities that ISA 315 (Revised) and ISA 240 require the auditor to perform ISSAI 2550.11 Para. A8
during the audit, the auditor shall perform the audit procedures and related activities set out in paragraphs 12-17 to obtain
information relevant to identifying the risks of material misstatement associated with related party relationships and transactions.
192
256 The engagement team discussion that ISA 315 (Revised) and ISA 240 require shall include specific consideration of the ISSAI 2550.12 Para. A9-
susceptibility of the financial statements to material misstatement due to fraud or error that could result from the entity’s related A10
party relationships and transactions.
257 The auditor shall inquire of management regarding:(a) The identity of the entity’s related parties, including changes from the prior ISSAI 2550.13 Para. A11-
period; (b) The nature of the relationships between the entity and these related parties; and(c) Whether the entity entered into A14
any transactions with these related parties during the period and, if so, the type and purpose of the transactions.
258 The auditor shall inquire of management and others within the entity, and perform other risk assessment procedures considered ISSAI 2550.14 Para. A15-
appropriate, to obtain an understanding of the controls, if any, that management has established to: (a) Identify, account for, and A21
disclose related party relationships and transactions in accordance with the applicable financial reporting framework;(b) Authorize
and approve significant transactions and arrangements with related parties; and(c) Authorize and approve significant transactions
and arrangements outside the normal course of business.
259 During the audit, the auditor shall remain alert, when inspecting records or documents, for arrangements or other information ISSAI 2550.15 Para. A22-
that may indicate the existence of related party relationships or transactions that management has not previously identified or A23
disclosed to the auditor. In particular, the auditor shall inspect the following for indications of the existence of related party
relationships or transactions that management has not previously identified or disclosed to the auditor:(a) Bank and legal
confirmations obtained as part of the auditor’s procedures;(b) Minutes of meetings of shareholders and of those charged with
governance; and(c) Such other records or documents as the auditor considers necessary in the circumstances of the entity.
260 If the auditor identifies significant transactions outside the entity’s normal course of business when performing the audit ISSAI 2550.16 Para. A24-
procedures required by paragraph 15 or through other audit procedures, the auditor shall inquire of management about: (a) The A27
nature of these transactions; and (b) Whether related parties could be involved.
261 The auditor shall share relevant information obtained about the entity’s related parties with the other members of the ISSAI 2550.17 Para. A28
engagement team.
262 In meeting the ISA 315 (Revised) requirement to identify and assess the risks of material misstatement, the auditor shall identify ISSAI 2550.18
and assess the risks of material misstatement associated with related party relationships and transactions and determine whether
any of those risks are significant risks. In making this determination, the auditor shall treat identified significant related party
transactions outside the entity’s normal course of business as giving rise to significant risks.
263 If the auditor identifies fraud risk factors including circumstances relating to the existence of a related party with dominant ISSAI 2550.19 Para. A6,
influence when performing the risk assessment procedures and related activities in connection with related parties, the auditor A29-A30
shall consider such information when identifying and assessing the risks of material misstatement due to fraud in accordance with
ISA 240.
264 As part of the ISA 330 requirement that the auditor respond to assessed risks, the auditor designs and performs further audit ISSAI 2550.20 Para. A31-
procedures to obtain sufficient appropriate audit evidence about the assessed risks of material misstatement associated with A34
related party relationships and transactions. These audit procedures shall include those required by paragraphs 21-24.
193
265 If the auditor identifies arrangements or information that suggests the existence of related party relationships or transactions that ISSAI 2550.21
management has not previously identified or disclosed to the auditor, the auditor shall determine whether the underlying
circumstances confirm the existence of those relationships or transactions.
266 If the auditor identifies related parties or significant related party transactions that management has not previously identified or ISSAI 2550.22 Para. A35-
disclosed to the auditor, the auditor shall:(a) Promptly communicate the relevant information to the other members of the 37
engagement team; (b) Where the applicable financial reporting framework establishes related party requirements: (i) Request
management to identify all transactions with the newly identified related parties for the auditor’s further evaluation; and(ii)
Inquire as to why the entity’s controls over related party relationships and transactions failed to enable the identification or
disclosure of the related party relationships or transactions;(c) Perform appropriate substantive audit procedures relating to such
newly identified related parties or significant related party transactions; (d) Reconsider the risk that other related parties or
significant related party transactions may exist that management has not previously identified or disclosed to the auditor, and
perform additional audit procedures as necessary; and(e) If the non-disclosure by management appears intentional (and therefore
indicative of a risk of material misstatement due to fraud), evaluate the implications for the audit.
267 For identified significant related party transactions outside the entity’s normal course of business, the auditor shall:(a) Inspect the ISSAI 2550.23 Para. A38-
underlying contracts or agreements, if any, and evaluate whether:(i) The business rationale (or lack thereof) of the transactions A41
suggests that they may have been entered into to engage in fraudulent financial reporting or to conceal misappropriation of
assets;(ii) The terms of the transactions are consistent with management’s explanations; and(iii) The transactions have been
appropriately accounted for and disclosed in accordance with the applicable financial reporting framework; and(b) Obtain audit
evidence that the transactions have been appropriately authorized and approved.
268 If management has made an assertion in the financial statements to the effect that a related party transaction was conducted on ISSAI 2550.24 Para. A42-
terms equivalent to those prevailing in an arm’s length transaction, the auditor shall obtain sufficient appropriate audit evidence A45
about the assertion.
269 In forming an opinion on the financial statements in accordance with ISA 700 (Revised), the auditor shall evaluate: (a) Whether ISSAI 2550.25 Para. A46;
the identified related party relationships and transactions have been appropriately accounted for and disclosed in accordance Para. A47
with the applicable financial reporting framework; and (b) Whether the effects of the related party relationships and transactions:
(i) Prevent the financial statements from achieving fair presentation (for fair presentation frameworks); or(ii) Cause the financial
statements to be misleading (for compliance frameworks).
270 Where the applicable financial reporting framework establishes related party requirements, the auditor shall obtain written ISSAI 2550.26 Para. A48-
representations from management and, where appropriate, those charged with governance that: (a) They have disclosed to the A49
auditor the identity of the entity’s related parties and all the related party relationships and transactions of which they are aware;
and(b) They have appropriately accounted for and disclosed such relationships and transactions in accordance with the
requirements of the framework.
271 Unless all of those charged with governance are involved in managing the entity, the auditor shall communicate with those ISSAI 2550.27 Para. A50
charged with governance significant matters arising during the audit in connection with the entity’s related parties.
194
272 The auditor shall include in the audit documentation the names of the identified related parties and the nature of the related ISSAI 2550.28
party relationships.
273 The auditor shall perform audit procedures designed to obtain sufficient appropriate audit evidence that all events occurring ISSAI 2560.6 Para. A6
between the date of the financial statements and the date of the auditor’s report that require adjustment of, or disclosure in, the
financial statements have been identified. The auditor is not, however, expected to perform additional audit procedures on
matters to which previously applied audit procedures have provided satisfactory conclusions.
274 The auditor shall perform the procedures required by paragraph 6 so that they cover the period from the date of the financial ISSAI 2560.7 Para. A7-
statements to the date of the auditor’s report, or as near as practicable thereto. The auditor shall take into account the auditor’s A8 Para.
risk assessment in determining the nature and extent of such audit procedures, which shall include the following: (a)Obtaining an A9 Para.
understanding of any procedures management has established to ensure that subsequent events are identified. (b)Inquiring of A10
management and, where appropriate, those charged with governance as to whether any subsequent events have occurred which
might affect the financial statements. (c) Reading minutes, if any, of the meetings, of the entity’s owners, management and those
charged with governance, that have been held after the date of the financial statements and inquiring about matters discussed at
any such meetings for which minutes are not yet available.(d) Reading the entity’s latest subsequent interim financial statements,
if any.
275 If, as a result of the procedures performed as required by paragraphs 6 and 7, the auditor identifies events that require ISSAI 2560.8
adjustment of, or disclosure in, the financial statements, the auditor shall determine whether each such event is appropriately
reflected in those financial statements in accordance with the applicable financial reporting framework.
276 The auditor shall request management and, where appropriate, those charged with governance, to provide a written ISSAI 2560.9
representation in accordance with ISA 580 that all events occurring subsequent to the date of the financial statements and for
which the applicable financial reporting framework requires adjustment or disclosure have been adjusted or disclosed.
277 The auditor has no obligation to perform any audit procedures regarding the financial statements after the date of the auditor’s ISSAI 2560.10 Para. A11
report. However, if, after the date of the auditor’s report but before the date the financial statements are issued, a fact becomes
known to the auditor that, had it been known to the auditor at the date of the auditor’s report, may have caused the auditor to
amend the auditor’s report, the auditor shall (a) Discuss the matter with management and, where appropriate, those charged
with governance.(b) Determine whether the financial statements need amendment and, if so,(c) Inquire how management
intends to address the matter in the financial statements.
278 If management amends the financial statements, the auditor shall: Carry out the audit procedures necessary in the circumstances ISSAI 2560.11
on the amendment.(b) Unless the circumstances in paragraph 12 apply:(i) Extend the audit procedures referred to in paragraphs 6
and 7 to the date of the new auditor’s report; and(ii) Provide a new auditor’s report on the amended financial statements. The
new auditor’s report shall not be dated earlier than the date of approval of the amended financial statements.
195
279 Where law, regulation or the financial reporting framework does not prohibit management from restricting the amendment of ISSAI 2560.12 Para. A12
the financial statements to the effects of the subsequent event or events causing that amendment and those responsible for
approving the financial statements are not prohibited from restricting their approval to that amendment, the auditor is permitted
to restrict the audit procedures on subsequent events required in paragraph 11(b)(i) to that amendment. In such cases, the
auditor shall either:(a) Amend the auditor’s report to include an additional date restricted to that amendment that thereby
indicates that the auditor’s procedures on subsequent events are restricted solely to the amendment of the financial statements
described in the relevant note to the financial statements; (b) Provide a new or amended auditor’s report that includes a
statement in an Emphasis of Matter paragraph 4 or Other Matter paragraph that conveys that the auditor’s procedures on
subsequent events are restricted solely to the amendment of the financial statements as described in the relevant note to the
financial statements.
280 In some jurisdictions, management may not be required by law, regulation or the financial reporting framework to issue amended ISSAI 2560.13 Para.: A15-
financial statements and, accordingly, the auditor need not provide an amended or new auditor’s report. However, if A16 Para.
management does not amend the financial statements in circumstances where the auditor believes they need to be amended, A13-A14
then: (a) If the auditor’s report has not yet been provided to the entity, the auditor shall modify the opinion as required by ISA 705
(Revised) and then provide the auditor’s report; or(b) If the auditor’s report has already been provided to the entity, the auditor
shall notify management and, unless all of those charged with governance are involved in managing the entity, those charged with
governance, not to issue the financial statements to third parties before the necessary amendments have been made. If the
financial statements are nevertheless subsequently issued without the necessary amendments, the auditor shall take appropriate
action, to seek to prevent reliance on the auditor’s report.
281 After the financial statements have been issued, the auditor has no obligation to perform any audit procedures regarding such ISSAI 2560.14
financial statements. However, if, after the financial statements have been issued, a fact becomes known to the auditor that, had
it been known to the auditor at the date of the auditor’s report, may have caused the auditor to amend the auditor’s report, the
auditor shall:(a) Discuss the matter with management and, where appropriate, those charged with governance;(b) Determine
whether the financial statements need amendment; and, if so,(c) Inquire how management intends to address the matter in the
financial statements.
282 If management amends the financial statements, the auditor shall: (a) Carry out the audit procedures necessary in the ISSAI 2560.15 Para. A17
circumstances on the amendment.(b) Review the steps taken by management to ensure that anyone in receipt of the previously
issued financial statements together with the auditor’s report thereon is informed of the situation.(c) Unless the circumstances in
paragraph 12 apply:(i) Extend the audit procedures referred to in paragraphs 6 and 7 to the date of the new auditor’s report, and
date the new auditor’s report no earlier than the date of approval of the amended financial statements; and(ii) Provide a new
auditor’s report on the amended financial statements.(d) When the circumstances in paragraph 12 apply, amend the auditor’s
report, or provide a new auditor’s report as required by paragraph 12.
283 The auditor shall include in the new or amended auditor’s report an Emphasis of Matter paragraph or Other Matter(s) paragraph ISSAI 2560.16
referring to a note to the financial statements that more extensively discusses the reason for the amendment of the previously
issued financial statements and to the earlier report provided by the auditor.
196
284 If management does not take the necessary steps to ensure that anyone in receipt of the previously issued financial statements is ISSAI 2560.17 Para. A18
informed of the situation and does not amend the financial statements in circumstances where the auditor believes they need to
be amended, the auditor shall notify management and, unless all of those charged with governance are involved in managing the
entity, those charged with governance, that the auditor will seek to prevent future reliance on the auditor’s report. If, despite
such notification, management or those charged with governance do not take these necessary steps, the auditor shall take
appropriate action to seek to prevent reliance on the auditor’s report
285 When performing risk assessment procedures as required by ISA 315 (Revised), the auditor shall consider whether events or ISSAI 2570.10 Para. A3–
conditions exist that may cast significant doubt on the entity’s ability to continue as a going concern. In so doing, the auditor shall A6
determine whether management has already performed a preliminary assessment of the entity’s ability to continue as a going
concern, and: (a) If such an assessment has been performed, the auditor shall discuss the assessment with management and
determine whether management has identified events or conditions that, individually or collectively, may cast significant doubt
on the entity’s ability to continue as a going concern and, if so, management’s plans to address them; or (b) If such an assessment
has not yet been performed, the auditor shall discuss with management the basis for the intended use of the going concern basis
of accounting, and inquire of management whether events or conditions exist that, individually or collectively, may cast significant
doubt on the entity’s ability to continue as a going concern.
286 The auditor shall evaluate management’s assessment of the entity’s ability to continue as a going concern. ISSAI 2570.12 Para. A8–
A10, A12–
A13
287 In evaluating management’s assessment of the entity’s ability to continue as a going concern, the auditor shall cover the same ISSAI 2570.13 Para. A11–
period as that used by management to make its assessment as required by the applicable financial reporting framework, or by law A13 See
or regulation if it specifies a longer period. If management’s assessment of the entity’s ability to continue as a going concern also 2570
covers less than twelve months from the date of the financial statements as defined in ISA 560 the auditor shall request Para. A5
management to extend its assessment period to at least twelve months from that date.
288 In evaluating management’s assessment, the auditor shall consider whether management’s assessment includes all relevant ISSAI 2570.14
information of which the auditor is aware as a result of the audit.
289 The auditor shall inquire of management as to its knowledge of events or conditions beyond the period of management’s ISSAI 2570.15 Para. A14–
assessment that may cast significant doubt on the entity’s ability to continue as a going concern. A15
197
290 If events or conditions have been identified that may cast significant doubt on the entity’s ability to continue as a going concern, ISSAI 2570.16 Para. A16-
the auditor shall obtain sufficient appropriate audit evidence to determine whether or not a material uncertainty exists related to 20
events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern (hereinafter referred to
as “material uncertainty”) through performing additional audit procedures, including consideration of mitigating factors. These
procedures shall include: (a) Where management has not yet performed an assessment of the entity’s ability to continue as a
going concern, requesting management to make its assessment. (b) Evaluating management’s plans for future actions in relation
to its going concern assessment, whether the outcome of these plans is likely to improve the situation and whether
management’s plans are feasible in the circumstances. (c) Where the entity has prepared a cash flow forecast, and analysis of the
forecast is a significant factor in considering the future outcome of events or conditions in the evaluation of management’s plans
for future actions: (i) Evaluating the reliability of the underlying data generated to prepare the forecast; and (ii) Determining
whether there is adequate support for the assumptions underlying the forecast. (d) Considering whether any additional facts or
information have become available since the date on which management made its assessment. (e) Requesting written
representations from management and, where appropriate, those charged with governance, regarding their plans for future
actions and the feasibility of these plans.
291 The auditor shall evaluate whether sufficient appropriate audit evidence has been obtained regarding, and shall conclude on, the ISSAI 2570.17
appropriateness of management’s use of the going concern basis of accounting in the preparation of the financial statements.
292 Based on the audit evidence obtained, the auditor shall conclude whether, in the auditor’s judgment, a material uncertainty exists ISSAI 2570.18 Para. A21-
related to events or conditions that, individually or collectively, may cast significant doubt on the entity’s ability to continue as a A22
going concern. A material uncertainty exists when the magnitude of its potential impact and likelihood of occurrence is such that,
in the auditor’s judgment, appropriate disclosure of the nature and implications of the uncertainty is necessary for: (a) In the case
of a fair presentation financial reporting framework, the fair presentation of the financial statements, or (b) In the case of a
compliance framework, the financial statements not to be misleading.
293 If the auditor concludes that management’s use of the going concern basis of accounting is appropriate in the circumstances but a ISSAI 2570.19 Para. A22‒
material uncertainty exists, the auditor shall determine whether the financial statements: (a) Adequately disclose the principal A23
events or conditions that may cast significant doubt on the entity’s ability to continue as a going concern and management’s plans
to deal with these events or conditions; and (b) Disclose clearly that there is a material uncertainty related to events or conditions
that may cast significant doubt on the entity’s ability to continue as a going concern and, therefore, that it may be unable to
realize its assets and discharge its liabilities in the normal course of business.
294 If events or conditions have been identified that may cast significant doubt on the entity’s ability to continue as a going concern ISSAI 2570.20 Para. A24–
but, based on the audit evidence obtained the auditor concludes that no material uncertainty exists, the auditor shall evaluate A25
whether, in view of the requirements of the applicable financial reporting framework, the financial statements provide adequate
disclosures about these events or conditions.
295 If the financial statements have been prepared using the going concern basis of accounting but, in the auditor’s judgment, ISSAI 2570.21 Para. A26–
management’s use of the going concern basis of accounting in the preparation of the financial statements is inappropriate, the A27
198
auditor shall express an adverse
opinion.
296 If adequate disclosure about the material uncertainty is made in the financial statements, the auditor shall express an unmodified ISSAI 2570.22 Para. A28–
opinion and the auditor’s report shall include a separate section under the heading “Material Uncertainty Related to Going A31, A34
Concern” to: (a) Draw attention to the note in the financial statements that discloses the matters set out in paragraph 19; and (b)
State that these events or conditions indicate that a material uncertainty exists that may cast significant doubt on the entity’s
ability to continue as a going concern and that the auditor’s opinion is not modified in respect of the matter.
297 If adequate disclosure about the material uncertainty is not made in the financial statements, the auditor shall: (a) Express a ISSAI 2570.23 Para. A32–
qualified opinion or adverse opinion, as appropriate, in accordance with ISA 705 (Revised); and (b) In the Basis for Qualified A34
(Adverse) Opinion section of the auditor’s report, state that a material uncertainty exists that may cast significant doubt on the
entity’s ability to continue as a going concern and that the financial statements do not adequately disclose this matter.
298 If management is unwilling to make or extend its assessment when requested to do so by the auditor, the auditor shall consider ISSAI 2570.24 Para. A35
the implications for the auditor’s report.
299 Unless all those charged with governance are involved in managing the entity, the auditor shall communicate with those charged ISSAI 2570.25
with governance events or conditions identified that may cast significant doubt on the entity’s ability to continue as a going
concern. Such communication with those charged with governance shall include the following: (a) Whether the events or
conditions constitute a material uncertainty; (b) Whether management’s use of the going concern basis of accounting is
appropriate in the preparation of the financial statements; (c) The adequacy of related disclosures in the financial statements; and
(d) Where applicable, the implications for the auditor’s report.
300 If there is significant delay in the approval of the financial statements by management or those charged with governance after the ISSAI 2570.26
date of the financial statements, the auditor shall inquire as to the reasons for the delay. If the auditor believes that the delay
could be related to events or conditions relating to the going concern assessment, the auditor shall perform those additional audit
procedures necessary, as described in paragraph 16, as well as consider the effect on the auditor’s conclusion regarding the
existence of a material uncertainty, as described in paragraph 18.
301 The auditor shall request written representations from management with appropriate responsibilities for the financial statements ISSAI 2580.9 Para. A2-
and knowledge of the matters concerned. A6
302 The auditor shall request management to provide a written representation that it has fulfilled its responsibility for the preparation ISSAI 2580.10 Para. A7-
of the financial statements in accordance with the applicable financial reporting framework, including where relevant their fair A9, A14,
presentation, as set out in the terms of the audit engagement. A22
303 The auditor shall request management to provide a written representation that:(a) It has provided the auditor with all relevant ISSAI 2580.11 Para. A7-
information and access as agreed in the terms of the audit engagement, and(b) All transactions have been recorded and are A9, A14,
reflected in the financial statements. A22
199
304 Management’s responsibilities shall be described in the written representations required by paragraphs 10 and 11 in the manner ISSAI 2580.12
in which these responsibilities are described in the terms of the audit engagement.
305 Other ISAs require the auditor to request written representations. If, in addition to such required representations, the auditor ISSAI 2580.13 Para. A10-
determines that it is necessary to obtain one or more written representations to support other audit evidence relevant to the A14, A22
financial statements or one or more specific assertions in the financial statements, the auditor shall request such other written
representations.
306 The date of the written representations shall be as near as practicable to, but not after, the date of the auditor’s report on the ISSAI 2580.14 Para. A15-
financial statements. The written representations shall be for all financial statements and period(s) referred to in the auditor’s A18
report.
307 The written representations shall be in the form of a representation letter addressed to the auditor. If law or regulation requires ISSAI 2580.15 Para. A19-
management to make written public statements about its responsibilities, and the auditor determines that such statements A21
provide some or all of the representations required by paragraphs 10 or 11, the relevant matters covered by such statements
need not be included in the representation letter.
308 If the auditor has concerns about the competence, integrity, ethical values or diligence of management, or about its commitment ISSAI 2580.16 Para. A24-
to or enforcement of these, the auditor shall determine the effect that such concerns may have on the reliability of A25
representations (oral or written) and audit evidence in general.
309 In particular, if written representations are inconsistent with other audit evidence, the auditor shall perform audit procedures to ISSAI 2580.17 Para. A23
attempt to resolve the matter. If the matter remains unresolved, the auditor shall reconsider the assessment of the competence,
integrity, ethical values or diligence of management, or of its commitment to or enforcement of these, and shall determine the
effect that this may have on the reliability of representations(oral or written) and audit evidence in general.
310 If the auditor concludes that the written representations are not reliable, the auditor shall take appropriate actions, including ISSAI 2580.18
determining the possible effect on the opinion in the auditor’s report in accordance with ISA 705 (Revised) having regard to the
requirement in paragraph 20 of this ISA.
311 If management does not provide one or more of the requested written representations, the auditor shall:(a) Discuss the matter ISSAI 2580.19
with management;(b) Reevaluate the integrity of management and evaluate the effect that this may have on the reliability of
representations (oral or written)and audit evidence in general; and(c) Take appropriate actions, including determining the
possible effect on the opinion in the auditor’s report in accordance with ISA 705 (Revised), having regard to the requirement in
paragraph 20 of this ISA.
312 The auditor shall disclaim an opinion on the financial statements in accordance with ISA 705 (Revised) if:(a) The auditor concludes ISSAI 2580.20 Para. A26-
that there is sufficient doubt about the integrity of management such that the written representations required by paragraphs 10 A27
and 11 are not reliable; or(b) Management does not provide the written representations required by paragraphs 10 and 11.
200
313 The group engagement partner is responsible for the direction, supervision and performance of the group audit engagement in ISSAI 2600.11 Para. A8-
compliance with professional standards and applicable legal and regulatory requirements, and whether the auditor’s report that is A9
issued is appropriate in the circumstances. As a result, the auditor’s report on the group financial statements shall not refer to a
component auditor, unless required by law or regulation to include such reference. If such reference is required by law or
regulation, the auditor’s report shall indicate that the reference does not diminish the group engagement partner’s or the group
engagement partner’s firm’s responsibility for the group audit opinion.
314 In applying ISA 220, the group engagement partner shall determine whether sufficient appropriate audit evidence can reasonably ISSAI 2600.12 Para. A10-
be expected to be obtained in relation to the consolidation process and the financial information of the components on which to A12
base the group audit opinion. For this purpose, the group engagement team shall obtain an understanding of the group, its
components, and their environments that is sufficient to identify components that are likely to be significant components. Where
component auditors will perform work on the financial information of such components, the group engagement partner shall
evaluate whether the group engagement team will be able to be involved in the work of those component auditors to the extent
necessary to obtain sufficient appropriate audit evidence.
315 If the group engagement partner concludes that:(a) it will not be possible for the group engagement team to obtain sufficient ISSAI 2600.13 Para. A13-
appropriate audit evidence due to restrictions imposed by group management; and(b) the possible effect of this inability will A19
result in a disclaimer of opinion on the group financial statements, the group engagement partner shall either:• in the case of a
new engagement, not accept the engagement, or, in the case of a continuing engagement, withdraw from the engagement,
where withdrawal is possible under applicable law or regulation; or• where law or regulation prohibits an auditor from declining
an engagement or where withdrawal from an engagement is not otherwise possible, having performed the audit of the group
financial statements to the extent possible, disclaim an opinion on the group financial statements.
316 The group engagement partner shall agree on the terms of the group audit engagement in accordance with ISA 210. ISSAI 2600.14 Para. A20-
A21
317 The group engagement team shall establish an overall group audit strategy and shall develop a group audit plan in accordance ISSAI 2600.15
with ISA 300.
318 The group engagement partner shall review the overall group audit strategy and group audit plan. ISSAI 2600.16 Para. A22
319 The auditor is required to identify and assess the risks of material misstatement through obtaining an understanding of the entity ISSAI 2600.17 Para.A23-
and its environment. The group engagement team shall:(a) Enhance its understanding of the group, its components, and their A29
environments, including group-wide controls, obtained during the acceptance or continuance stage; and(b) Obtain an
understanding of the consolidation process, including the instructions issued by group management to components.
320 The group engagement team shall obtain an understanding that is sufficient to:(a) Confirm or revise its initial identification of ISSAI 2600.18 Para. A30-
components that are likely to be significant; and(b) Assess the risks of material misstatement of the group financial statements, A31
whether due to fraud or error.
201
321 If the group engagement team plans to request a component auditor to perform work on the financial information of a ISSAI 2600.19 Para. A32-
component, the group engagement team shall obtain an understanding of the following: (a) Whether the component auditor A38
understands and will comply with the ethical requirements that are relevant to the group audit and, in particular, is independent.
(b) The component auditor’s professional competence.(c) Whether the group engagement team will be able to be involved in the
work of the component auditor to the extent necessary to obtain sufficient appropriate audit evidence.(d) Whether the
component auditor operates in a regulatory environment that actively oversees auditors.
322 If a component auditor does not meet the independence requirements that are relevant to the group audit, or the group ISSAI 2600.20 Para. A39-
engagement team has serious concerns about the other matters listed in paragraph 19(a)-(c), the group engagement team shall A41
obtain sufficient appropriate audit evidence relating to the financial information of the component without requesting that
component auditor to perform work on the financial information of that component.
323 The group engagement team shall determine the following (a) Materiality for the group financial statements as a whole when ISSAI 2600.21 Para. A42-
establishing the overall group audit strategy.(b) If, in the specific circumstances of the group, there are particular classes of A45
transactions, account balances or disclosures in the group financial statements for which misstatements of lesser amounts than
materiality for the group financial statements as a whole could reasonably be expected to influence the economic decisions of
users taken on the basis of the group financial statements, the materiality level or levels to be applied to those particular classes
of transactions, account balances or disclosures.(c) Component materiality for those components where component auditors will
perform an audit or a review for purposes of the group audit. To reduce to an appropriately low level the probability that the
aggregate of uncorrected and undetected misstatements in the group financial statements exceeds materiality for the group
financial statements as a whole, component materiality shall be lower than materiality for the group financial statements as a
whole(d) The threshold above which misstatements cannot be regarded as clearly trivial to the group financial statements.
324 Where component auditors will perform an audit for purposes of the group audit, the group engagement team shall evaluate the ISSAI 2600.22 Para. A46
appropriateness of performance materiality determined at the component level. Where component auditors will perform an
audit for purposes of the group audit, the group engagement team shall evaluate the appropriateness of performance materiality
determined at the component level
325 If a component is subject to audit by statute, regulation or other reason, and the group engagement team decides to use that ISSAI 2600.23
audit to provide audit evidence for the group audit, the group engagement team shall determine whether:(a) materiality for the
component financial statements as a whole; and(b) performance materiality at the component level meet the requirements of
this ISA.
326 The auditor is required to design and implement appropriate responses to address the assessed risks of material misstatement of ISSAI 2600.24
the financial statements. The group engagement team shall determine the type of work to be performed by the group
engagement team, or the component auditors on its behalf, on the financial information of the components (see paragraphs 26-
29). The group engagement team shall also determine the nature, timing and extent of its involvement in the work of the
component auditors (see paragraphs 30-31).
202
327 If the nature, timing and extent of the work to be performed on the consolidation process or the financial information of the ISSAI 2600.25
components are based on an expectation that group-wide controls are operating effectively, or if substantive procedures alone
cannot provide sufficient appropriate audit evidence at the assertion level, the group engagement team shall test, or request a
component auditor to test, the operating effectiveness of those controls.
328 For a component that is significant due to its individual financial significance to the group, the group engagement team, or a ISSAI 2600.26 Para. A47
component auditor on its behalf, shall perform an audit of the financial information of the component using component
materiality.
329 For a component that is significant because it is likely to include significant risks of material misstatement of the group financial ISSAI 2600.27 Para. A48
statements due to its specific nature or circumstances, the group engagement team, or a component auditor on its behalf, shall Para.A49
perform one or more of the following:(a) An audit of the financial information of the component using component materiality.(b)
An audit of one or more account balances, classes of transactions or disclosures relating to the likely significant risks of material
misstatement of the group financial statements (c) Specified audit procedures relating to the likely significant risks of material
misstatement of the group financial statements.
330 For components that are not significant components, the group engagement team shall perform analytical procedures at group ISSAI 2600.28 Para. A50
level.
331 If the group engagement team does not consider that sufficient appropriate audit evidence on which to base the group audit ISSAI 2600.29 Para. A51-
opinion will be obtained from:(a) the work performed on the financial information of significant components;(b) the work A53
performed on group-wide controls and the consolidation process; and(c) the analytical procedures performed at group level, the
group engagement team shall select components that are not significant components and shall perform, or request a component
auditor to perform, one or more of the following on the financial information of the individual components selected• An audit of
the financial information of the component using component materiality.• An audit of one or more account balances, classes of
transactions or disclosures. • A review of the financial information of the component using component materiality.• Specified
procedures. The group engagement team shall vary the selection of components over a period of time.
332 If a component auditor performs an audit of the financial information of a significant component, the group engagement team ISSAI 2600.30
shall be involved in the component auditor’s risk assessment to identify significant risks of material misstatement of the group
financial statements. The nature, timing and extent of this involvement are affected by the group engagement team’s
understanding of the component auditor, but at a minimum shall include:(a) Discussing with the component auditor or
component management those of the component’s business activities that are significant to the group;(b) Discussing with the
component auditor the susceptibility of the component to material misstatement of the financial information due to fraud or
error; and(c) Reviewing the component auditor’s documentation of identified significant risks of material misstatement of the
group financial statements. Such documentation may take the form of a memorandum that reflects the component auditor’s
conclusion with regard to the identified significant risks.
203
333 If significant risks of material misstatement of the group financial statements have been identified in a component on which a ISSAI 2600.31
component auditor performs the work, the group engagement team shall evaluate the appropriateness of the further audit
procedures to be performed to respond to the identified significant risks of material misstatement of the group financial
statements. Based on its understanding of the component auditor, the group engagement team shall determine whether it is
necessary to be involved in the further audit procedures.
334 In accordance with paragraph 17, the group engagement team obtains an understanding of group-wide controls and the ISSAI 2600.32
consolidation process, including the instructions issued by group management to components. In accordance with paragraph 25,
the group engagement team, or component auditor at the request of the group engagement team, tests the operating
effectiveness of group-wide controls if the nature, timing and extent of the work to be performed on the consolidation process
are based on an expectation that group wide controls are operating effectively, or if substantive procedures alone cannot provide
sufficient appropriate audit evidence at the assertion level.
335 The group engagement team shall design and perform further audit procedures on the consolidation process to respond to the ISSAI 2600.33
assessed risks of material misstatement of the group financial statements arising from the consolidation process. This shall include
evaluating whether all components have been included in the group financial statements.
336 The group engagement team shall evaluate the appropriateness, completeness and accuracy of consolidation adjustments and ISSAI 2600.34 Para. A56
reclassifications, and shall evaluate whether any fraud risk factors or indicators of possible management bias exist.
337 If the financial information of a component has not been prepared in accordance with the same accounting policies applied to the ISSAI 2600.35
group financial statements, the group engagement team shall evaluate whether the financial information of that component has
been appropriately adjusted for purposes of preparing and presenting the group financial statements.
338 The group engagement team shall determine whether the financial information identified in the component auditor’s ISSAI 2600.36
communication (see paragraph 41(c)) is the financial information that is incorporated in the group financial statements.
339 If the group financial statements include the financial statements of a component with a financial reporting period-end that ISSAI 2600.37
differs from that of the group, the group engagement team shall evaluate whether appropriate adjustments have been made to
those financial statements in accordance with the applicable financial reporting framework.
340 Where the group engagement team or component auditors perform audits on the financial information of components, the group ISSAI 2600.38
engagement team or the component auditors shall perform procedures designed to identify events at those components that
occur between the dates of the financial information of the components and the date of the auditor’s report on the group
financial statements, and that may require adjustment to or disclosure in the group financial statements.
341 Where component auditors perform work other than audits of the financial information of components, the group engagement ISSAI 2600.39
team shall request the component auditors to notify the group engagement team if they become aware of subsequent events
that may require an adjustment to or disclosure in the group financial statements.
204
342 The group engagement team shall communicate its requirements to the component auditor on a timely basis. This ISSAI 2600.40 Para. A57-
communication shall set out the work to be performed, the use to be made of that work, and the form and content of the A60
component auditor’s communication with the group engagement team. It shall also include the following: (a) A request that the
component auditor, knowing the context in which the group engagement team will use the work of the component auditor,
confirms that the component auditor will cooperate with the group engagement team. (b) The ethical requirements that are
relevant to the group audit and, in particular, the independence requirements.(c) In the case of an audit or review of the financial
information of the component, component materiality (and, if applicable, the materiality level or levels for particular classes of
transactions, account balances or disclosures) and the threshold above which misstatements cannot be regarded as clearly trivial
to the group financial statements.(d) Identified significant risks of material misstatement of the group financial statements, due to
fraud or error, that are relevant to the work of the component auditor. The group engagement team shall request the component
auditor to communicate on a timely basis any other identified significant risks of material misstatement of the group financial
statements, due to fraud or error, in the component, and the component auditor’s responses to such risks.(e) A list of related
parties prepared by group management, and any other related parties of which the group engagement team is aware. The group
engagement team shall request the component auditor to communicate on a timely basis related parties not previously identified
by group management or the group engagement team. The group engagement team shall determine whether to identify such
additional related parties to other component auditors.
343 The group engagement team shall request the component auditor to communicate matters relevant to the group engagement ISSAI 2600.41 Para. A60
team’s conclusion with regard to the group audit. Such communication shall include: (a) Whether the component auditor has
complied with ethical requirements that are relevant to the group audit, including independence and professional competence;(b)
Whether the component auditor has complied with the group engagement team’s requirements;(c) Identification of the financial
information of the component on which the component auditor is reporting; (d) Information on instances of non-compliance with
laws or regulations that could give rise to a material misstatement of the group financial statements;(e) A list of uncorrected
misstatements of the financial information of the component (the list need not include misstatements that are below the
threshold for clearly trivial misstatements communicated by the group engagement team (see paragraph 40(c));(f) Indicators of
possible management bias;(g) Description of any identified significant deficiencies in internal control at the component level;(h)
Other significant matters that the component auditor communicated or expects to communicate to those charged with
governance of the component, including fraud or suspected fraud involving component management, employees who have
significant roles in internal control at the component level or others where the fraud resulted in a material misstatement of the
financial information(i) Any other matters that may be relevant to the group audit, or that the component auditor wishes to draw
to the attention of the group engagement team, including exceptions noted in the written representations that the component
auditor requested from component management; and(j) The component auditor’s overall findings, conclusions or opinion.
344 The group engagement team shall evaluate the component auditor’s communication (see paragraph 41). The group engagement ISSAI 2600.42 Para. A61
team shall:(a) Discuss significant matters arising from that evaluation with the component auditor, component management or
group management, as appropriate; and(b) Determine whether it is necessary to review other relevant parts of the component
auditor’s audit documentation.
205
345 If the group engagement team concludes that the work of the component auditor is insufficient, the group engagement team ISSAI 2600.43
shall determine what additional procedures are to be performed, and whether they are to be performed by the component
auditor or by the group engagement team.
346 The auditor is required to obtain sufficient appropriate audit evidence to reduce audit risk to an acceptably low level and thereby ISSAI 2600.44 Para. A62
enable the auditor to draw reasonable conclusions on which to base the auditor’s opinion. The group engagement team shall
evaluate whether sufficient appropriate audit evidence has been obtained from the audit procedures performed on the
consolidation process and the work performed by the group engagement team and the component auditors on the financial
information of the components, on which to base the group audit opinion.
347 The group engagement partner shall evaluate the effect on the group audit opinion of any uncorrected misstatements (either ISSAI 2600.45 Para. A63
identified by the group engagement team or communicated by component auditors) and any instances where there has been an
inability to obtain sufficient appropriate audit evidence.
348 The group engagement team shall determine which identified deficiencies in internal control to communicate to those charged ISSAI 2600.46
with governance and group management in accordance with ISA 265. In making this determination, the group engagement team
shall consider:(a) Deficiencies in group-wide internal control that the group engagement team has identified;(b) Deficiencies in
internal control that the group engagement team has identified in internal controls at components; and(c) Deficiencies in internal
control that component auditors have brought to the attention of the group engagement team.
349 If fraud has been identified by the group engagement team or brought to its attention by a component auditor (see paragraph ISSAI 2600.47 Para. A64
41(h)), or information indicates that a fraud may exist, the group engagement team shall communicate this on a timely basis to
the appropriate level of group management in order to inform those with primary responsibility for the prevention and detection
of fraud of matters relevant to their responsibilities.
350 A component auditor may be required by statute, regulation or for another reason, to express an audit opinion on the financial ISSAI 2600.48 Para. A65
statements of a component. In that case, the group engagement team shall request group management to inform component
management of any matter of which the group engagement team becomes aware that may be significant to the financial
statements of the component, but of which component management may be unaware. If group management refuses to
communicate the matter to component management, the group engagement team shall discuss the matter with those charged
with governance of the group. If the matter remains unresolved, the group engagement team, subject to legal and professional
confidentiality considerations, shall consider whether to advise the component auditor not to issue the auditor’s report on the
financial statements of the component until the matter is resolved
351 The group engagement team shall communicate the following matters with those charged with governance of the group, in ISSAI 2600.49 Para. A66
addition to those required by ISA 260 (Revised) and other ISAs: (a) An overview of the type of work to be performed on the
financial information of the components.(b) An overview of the nature of the group engagement team’s planned involvement in
the work to be performed by the component auditors on the financial information of significant components.(c) Instances where
the group engagement team’s evaluation of the work of a component auditor gave rise to a concern about the quality of that
auditor’s work.(d) Any limitations on the group audit, for example, where the group engagement team’s access to information
may have been restricted.(e) Fraud or suspected fraud involving group management, component management, employees who
206
have significant roles in group-wide controls or others where the fraud resulted in a material misstatement of the group financial
statements.
352 The group engagement team shall include in the audit documentation the following matters:(a) An analysis of components, ISSAI 2600.50
indicating those that are significant, and the type of work performed on the financial information of the components. (b) The
nature, timing and extent of the group engagement team’s involvement in the work performed by the component auditors on
significant components including, where applicable, the group engagement team’s review of relevant parts of the component
auditors’ audit documentation and conclusions thereon.(c) Written communications between the group engagement team and
the component auditors about the group engagement team’s requirements.
353 The external auditor shall determine whether the work of the internal audit function can be used for purposes of the audit by ISSAI 2610.15 Para. A5–
evaluating the following: (a) The extent to which the internal audit function’s organizational status and relevant policies and A11
procedures support the objectivity of the internal auditors; (b) The level of competence of the internal audit function; and (c)
Whether the internal audit function applies a systematic and disciplined approach, including quality control.
354 The external auditor shall not use the work of the internal audit function if the external auditor determines that: (a) The function’s ISSAI 2610.16 Para. A12–
organizational status and relevant policies and procedures do not adequately support the objectivity of internal auditors; (b) The A14
function lacks sufficient competence; or (c) The function does not apply a systematic and disciplined approach, including quality
control.
355 As a basis for determining the areas and the extent to which the work of the internal audit function can be used, the external ISSAI 2610.17 Para. A15–
auditor shall consider the nature and scope of the work that has been performed, or is planned to be performed, by the internal A17
audit function and its relevance to the external auditor’s overall audit strategy and audit plan.
356 The external auditor shall make all significant judgments in the audit engagement and, to prevent undue use of the work of the ISSAI 2610.18 Para. A15–
internal audit function, shall plan to use less of the work of the function and perform more of the work directly: (a) The more A22, A25
judgment is involved in: (i) Planning and performing relevant audit procedures; and (ii) Evaluating the audit evidence gathered;
(b) The higher the assessed risk of material misstatement at the assertion level, with special consideration given to risks identified
as significant; (c) The less the internal audit function’s organizational status and relevant policies and procedures adequately
support the objectivity of the internal auditors; and (d) The lower the level of competence of the internal audit function.
357 The external auditor shall also evaluate whether, in aggregate, using the work of the internal audit function to the extent planned ISSAI 2610.19 Para. A15–
would still result in the external auditor being sufficiently involved in the audit, given the external auditor’s sole responsibility for A22, A25
the audit opinion expressed.
207
358 The external auditor shall, in communicating with those charged with governance an overview of the planned scope and timing of ISSAI 2610.20 Para. A23
the audit in accordance with ISA 260 (Revised) , communicate how the external auditor has planned to use the work of the See also
internal audit function. 2260,
Para. A15
359 If the external auditor plans to use the work of the internal audit function, the external auditor shall discuss the planned use of its ISSAI 2610.21 Para. A24–
work with the function as a basis for coordinating their respective activities. A26
360 The external auditor shall read the reports of the internal audit function relating to the work of the function that the external ISSAI 2610.22
auditor plans to use to obtain an understanding of the nature and extent of audit procedures it performed and the related
findings.
361 The external auditor shall perform sufficient audit procedures on the body of work of the internal audit function as a whole that ISSAI 2610.23 Para. A27–
the external auditor plans to use to determine its adequacy for purposes of the audit, including evaluating whether: (a) The work A30
of the function had been properly planned, performed, supervised, reviewed and documented; (b) Sufficient appropriate
evidence had been obtained to enable the function to draw reasonable conclusions; and (c) Conclusions reached are appropriate
in the circumstances and the reports prepared by the function are consistent with the results of the work performed.
362 The nature and extent of the external auditor’s audit procedures shall be responsive to the external auditor’s evaluation of: (a) ISSAI 2610.24 Para. A27–
The amount of judgment involved; (b) The assessed risk of material misstatement; (c) The extent to which the internal audit A29
function’s organizational status and relevant policies and procedures support the objectivity of the internal auditors; and (d) The Para. A30
level of competence of the function; and shall include reperformance of some of the work. Para. 18
363 The external auditor shall also evaluate whether the external auditor’s conclusions regarding the internal audit function in ISSAI 2610.25 Para. A15,
paragraph 15 of this ISA and the determination of the nature and extent of use of the work of the function for purposes of the A18-A19
audit in paragraphs 18–19 of this ISA remain appropriate.
364 If using internal auditors to provide direct assistance is not prohibited by law or regulation, and the external auditor plans to use ISSAI 2610.27 Para. A26,
internal auditors to provide direct assistance on the audit, the external auditor shall evaluate the existence and significance of A32–A34
threats to objectivity and the level of competence of the internal auditors who will be providing such assistance. The external
auditor’s evaluation of the existence and significance of threats to the internal auditors’ objectivity shall include inquiry of the
internal auditors regarding interests and relationships that may create a threat to their objectivity.
365 The external auditor shall not use an internal auditor to provide direct assistance if: (a) There are significant threats to the ISSAI 2610.28 Para. A26,
objectivity of the internal auditor; or (b) The internal auditor lacks sufficient competence to perform the proposed work. A32–A34
366 In determining the nature and extent of work that may be assigned to internal auditors and the nature, timing and extent of ISSAI 2610.29 Para. A26,
direction, supervision and review that is appropriate in the circumstances, the external auditor shall consider: (a) The amount of A35–A39
judgment involved in:
(i) Planning and performing relevant audit procedures; and (ii) Evaluating the audit evidence gathered; (b) The assessed risk of
material misstatement; and (c) The external auditor’s evaluation of the existence and significance of threats to the objectivity and
level of competence of the internal auditors who will be providing such assistance.
208
367 The external auditor shall not use internal auditors to provide direct assistance to perform procedures that: (a) Involve making ISSAI 2610.30 Para. A19,
significant judgments in the audit; (b) Relate to higher assessed risks of material misstatement where the judgment required in A26, A35–
performing the relevant audit procedures or evaluating the audit evidence gathered is more than limited; (c) Relate to work with A39
which the internal auditors have been involved and which has already been, or will be, reported to management or those charged
with governance by the internal audit function; or (d) Relate to decisions the external auditor makes in accordance with this ISA
regarding the internal audit function and the use of its work or direct assistance.
368 Having appropriately evaluated whether and, if so, to what extent internal auditors can be used to provide direct assistance on ISSAI 2610.31 Para. A39
the audit, the external auditor shall, in communicating with those charged with governance an overview of the planned scope and See 2260,
timing of the audit in accordance with ISA 260 (Revised), communicate the nature and extent of the planned use of internal Para.15
auditors to provide direct assistance so as to reach a mutual understanding that such use is not excessive in the circumstances of
the engagement.
369 The external auditor shall evaluate whether, in aggregate, using internal auditors to provide direct assistance to the extent ISSAI 2610.32 Para. 26
planned, together with the planned use of the work of the internal audit function, would still result in the external auditor being
sufficiently involved in the audit, given the external auditor’s sole responsibility for the audit opinion expressed.
370 Prior to using internal auditors to provide direct assistance for purposes of the audit, the external auditor shall: (a) Obtain written ISSAI 2610.33 Para. 26
agreement from an authorized representative of the entity that the internal auditors will be allowed to follow the external
auditor’s instructions, and that the entity will not intervene in the work the internal auditor performs for the external auditor; and
(b) Obtain written agreement from the internal auditors that they will keep confidential specific matters as instructed by the
external auditor and inform the external auditor of any threat to their objectivity.
371 The external auditor shall direct, supervise and review the work performed by internal auditors on the engagement in accordance ISSAI 2610.34 Para. A40–
with ISA 220. In so doing: (a) The nature, timing and extent of direction, supervision, and review shall recognize that the internal A41
auditors are not independent of the entity and be responsive to the outcome of the evaluation of the factors in paragraph 29 of Para. 26
this ISA; and (b) The review procedures shall include the external auditor checking back to the underlying audit evidence for some
of the work performed by the internal auditors. The direction, supervision and review by the external auditor of the work
performed by the internal auditors shall be sufficient in order for the external auditor to be satisfied that the internal auditors
have obtained sufficient appropriate audit evidence to support the conclusions based on that work.
372 If the external auditor uses the work of the internal audit function, the external auditor shall include in the audit documentation: ISSAI 2610.36
(a) The evaluation of: (i) Whether the function’s organizational status and relevant policies and procedures adequately support
the objectivity of the internal auditors; (ii) The level of competence of the function; and (iii) Whether the function applies a
systematic and disciplined approach, including quality control; (b) The nature and extent of the work used and the basis for that
decision; and (c) The audit procedures performed by the external auditor to evaluate the adequacy of the work used.
209
373 If the external auditor uses internal auditors to provide direct assistance on the audit, the external auditor shall include in the ISSAI 2610.37 Para. 26
audit documentation: (a) The evaluation of the existence and significance of threats to the objectivity of the internal auditors, and
the level of competence of the internal auditors used to provide direct assistance; (b) The basis for the decision regarding the
nature and extent of the work performed by the internal auditors; (c) Who reviewed the work performed and the date and extent
of that review in accordance with ISA 230; (d) The written agreements obtained from an authorized representative of the entity
and the internal auditors under paragraph 33 of this ISA; and (e) The working papers prepared by the internal auditors who
provided direct assistance on the audit engagement.
374 If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence, the auditor ISSAI 2620.7 Para. A4-
shall determine whether to use the work of an auditor’s expert. A9
375 The nature, timing and extent of the auditor’s procedures with respect to the requirements in paragraphs 9-13 of this ISA will vary ISSAI 2620.8 Para. A10-
depending on the circumstances. In determining the nature, timing and extent of those procedures, the auditor shall consider A13
matters including: (a) The nature of the matter to which that expert’s work relates;(b) The risks of material misstatement in the
matter to which that expert’s work relates;(c) The significance of that expert’s work in the context of the audit;(d) The auditor’s
knowledge of and experience with previous work performed by that expert; and(e) Whether that expert is subject to the auditor’s
firm’s quality control policies and procedures.
376 The auditor shall evaluate whether the auditor’s expert has the necessary competence, capabilities and objectivity for the ISSAI 2620.9 Para. A14-
auditor’s purposes. In the case of an auditor’s external expert, the evaluation of objectivity shall include inquiry regarding A20
interests and relationships that may create a threat to that expert’s objectivity.
377 The auditor shall obtain a sufficient understanding of the field of expertise of the auditor’s expert to enable the auditor to: (a) ISSAI 2620.10 Para. A21-
Determine the nature, scope and objectives of that expert’s work for the auditor’s purposes; and(b) Evaluate the adequacy of that A22
work for the auditor’s purposes.
378 The auditor shall agree, in writing when appropriate, on the following matters with the auditor’s expert: (a) The nature, scope and ISSAI 2620.11 Para. A23-
objectives of that expert’s work; (b) The respective roles and responsibilities of the auditor and that expert;(c) The nature, timing A31
and extent of communication between the auditor and that expert, including the form of any report to be provided by that
expert; and (d) The need for the auditor’s expert to observe confidentiality requirements.
379 The auditor shall evaluate the adequacy of the auditor’s expert’s work for the auditor’s purposes, including: (a) The relevance and ISSAI 2620.12 Para. A32-
reasonableness of that expert’s findings or conclusions, and their consistency with other audit evidence; (b) If that expert’s work A39
involves use of significant assumptions and methods, the relevance and reasonableness of those assumptions and methods in the
circumstances; and (c) If that expert’s work involves the use of source data that is significant to that expert’s work, the relevance,
completeness, and accuracy of that source data.
380 If the auditor determines that the work of the auditor’s expert is not adequate for the auditor’s purposes, the auditor shall: (a) ISSAI 2620.13 Para. A40
Agree with that expert on the nature and extent of further work to be performed by that expert; or(b) Perform additional audit
procedures appropriate to the circumstances.
210
381 The auditor shall not refer to the work of an auditor’s expert in an auditor’s report containing an unmodified opinion unless ISSAI 2620.14 Para. A41
required by law or regulation to do so.If such reference is required by law or regulation, the auditor shall indicate in the auditor’s
report that the reference does not reduce the auditor’s responsibility for the auditor’s opinion.
382 If the auditor makes reference to the work of an auditor’s expert in the auditor’s report because such reference is relevant to an ISSAI 2620.15 Para. A42
understanding of a modification to the auditor’s opinion, the auditor shall indicate in the auditor’s report that such reference does
not reduce the auditor’s responsibility for that opinion.
383 The auditor shall form an opinion on whether the financial statements are prepared, in all material respects, in accordance with ISSAI 2700.10 Para. A24-
the applicable financial reporting framework. A25
See also
2200,
Para. A11
384 In order to form that opinion, the auditor shall conclude as to whether the auditor has obtained reasonable assurance about ISSAI 2700.11 See also
whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. That conclusion 2330,
shall take into account:(a) The auditor’s conclusion, in accordance with ISA 330, whether sufficient appropriate audit evidence has Para. 26
been obtained;(b) The auditor’s conclusion, in accordance with ISA 450, whether uncorrected misstatements are material, and 1450,
individually or in aggregate; and(c) The evaluations required by paragraphs 12-15. Para.11
385 The auditor shall evaluate whether the financial statements are prepared, in all material respects, in accordance with the ISSAI 2700.12 Para. A1-
requirements of the applicable financial reporting framework. This evaluation shall include consideration of the qualitative A3
aspects of the entity’s accounting practices, including indicators of possible bias in management’s judgments.
386 In particular, the auditor shall evaluate whether, in view of the requirements of the applicable financial reporting framework: (a) ISSAI 2700.13 Para. A4 -
The financial statements appropriately disclose the significant accounting policies selected and applied. In making this evaluation, A6
the auditor shall consider the relevance of the accounting policies to the entity, and whether they have been presented in an
understandable manner; (b) The accounting policies selected and applied are consistent with the applicable financial reporting
framework and are appropriate; (c) The accounting estimates made by management are reasonable; (d) The information
presented in the financial statements is relevant, reliable, comparable, and understandable. In making this evaluation, the auditor
shall consider whether: • The information that should have been included has been included, and whether such information is
appropriately classified, aggregated or disaggregated, and characterized. • The overall presentation of the financial statements
has been undermined by including information that is not relevant or that obscures a proper understanding of the matters
disclosed. (e) The financial statements provide adequate disclosures to enable the intended users to understand the effect of
material transactions and events on the information conveyed in the financial statements; and (f) The terminology used in the
financial statements, including the title of each financial statement, is appropriate.
211
387 When the financial statements are prepared in accordance with a fair presentation framework, the evaluation required by ISSAI 2700.14 Para. A12-
paragraphs 12–13 shall also include whether the financial statements achieve fair presentation. The auditor’s evaluation as to A14
whether the financial statements achieve fair presentation shall include consideration of: (a) The overall presentation, structure
and content of the financial statements; and (b) Whether the financial statements represent the underlying transactions and
events in a manner that achieves fair presentation.
388 The auditor shall evaluate whether the financial statements adequately refer to or describe the applicable financial reporting ISSAI 2700.15 Para. A15
framework.
389 The auditor shall express an unmodified opinion when the auditor concludes that the financial statements are prepared, in all ISSAI 2700.16
material respects, in accordance with the applicable financial reporting framework.
390 If the auditor:(a) concludes that, based on the audit evidence obtained, the financial statements as a whole are not free from ISSAI 2700.17 See also
material misstatement; or(b) is unable to obtain sufficient appropriate audit evidence to conclude that the financial statements as 2705
a whole are free from material misstatement, the auditor shall modify the opinion in the auditor’s report in accordance with ISA (Revised)
705 (Revised).
391 If financial statements prepared in accordance with the requirements of a fair presentation framework do not achieve fair ISSAI 2700.18 Para. A16
presentation, the auditor shall discuss the matter with management and, depending on the requirements of the applicable See also
financial reporting framework and how the matter is resolved, shall determine whether it is necessary to modify the opinion in 2705
the auditor’s report in accordance with ISA 705 (Revised). (Revised)
392 When the financial statements are prepared in accordance with a compliance framework, the auditor is not required to evaluate ISSAI 2700.19 Para. A17
whether the financial statements achieve fair presentation. However, if in extremely rare circumstances the auditor concludes
that such financial statements are misleading, the auditor shall discuss the matter with management and, depending on how it is
resolved, shall determine whether, and how, to communicate it in the auditor’s report.
393 The auditor’s report shall have a title that clearly indicates that it is the report of an independent auditor. ISSAI 2700.21 Para. A20
394 The auditor’s report shall be addressed, as appropriate, based on the circumstances of the engagement. ISSAI 2700.22 Para. A21
395 The first section of the auditor’s report shall include the auditor’s opinion, and shall have the heading “Opinion.” ISSAI 2700.23
396 The Opinion section of the auditor’s report shall also: (a) Identify the entity whose financial statements have been audited; (b) ISSAI 2700.24 Para. A22–
State that the financial statements have been audited; (c) Identify the title of each statement comprising the financial statements; A23
(d) Refer to the notes, including the summary of significant accounting policies; and (e) Specify the date of, or period covered by,
each financial statement comprising the financial statements.
212
397 When expressing an unmodified opinion on financial statements prepared in accordance with a fair presentation framework, the ISSAI 2700.25 Para. A24–
auditor’s opinion shall, unless otherwise required by law or regulation, use one of the following phrases, which are regarded as A31
being equivalent:
(a) In our opinion, the accompanying financial statements present fairly, in all material respects, […] in accordance with [the
applicable financial reporting framework]; or (b) In our opinion, the accompanying financial statements give a true and fair view of
[…] in accordance with [the applicable financial reporting framework].
398 When expressing an unmodified opinion on financial statements prepared in accordance with a compliance framework, the ISSAI 2700.26 Para.
auditor’s opinion shall be that the accompanying financial statements are prepared, in all material respects, in accordance with AA26-A31
[the applicable financial reporting framework].
399 If the reference to the applicable financial reporting framework in the auditor’s opinion is not to IFRSs issued by the International ISSAI 2700.27
Accounting Standards Board or IPSASs issued by the International Public Sector Accounting Standards Board, the auditor’s opinion
shall identify the jurisdiction of origin of the framework.
400 The auditor’s report shall include a section, directly following the Opinion section, with the heading “Basis for Opinion”, that: (a) ISSAI 2700.28 Para. A32-
States that the audit was conducted in accordance with International Standards on Auditing; (b) Refers to the section of the A39; See
auditor’s report that describes the auditor’s responsibilities under the ISAs; (c) Includes a statement that the auditor is also IESBA
independent of the entity in accordance with the relevant ethical requirements relating to the audit, and has fulfilled the auditor’s Code
other ethical responsibilities in accordance with these requirements. The statement shall identify the jurisdiction of origin of the
relevant ethical requirements or refer to the International Ethics Standards Board for Accountants’ Code of Ethics for Professional
Accountants (IESBA Code); and (d) States whether the auditor believes that the audit evidence the auditor has obtained is
sufficient and appropriate to provide a basis for the auditor’s opinion.
401 Where applicable, the auditor shall report in accordance with ISA 570 (Revised) ISSAI 2700.29 See also
2570
(Revised),
Para. 21-
23
402 For audits of complete sets of general purpose financial statements of listed entities, the auditor shall communicate key audit ISSAI 2700.30 See also
matters in the auditor’s report in accordance with ISA 701. 2701
403 When the auditor is otherwise required by law or regulation or decides to communicate key audit matters in the auditor’s report, ISSAI 2700.31 Para. A40–
the auditor shall do so in accordance with ISA 701. A41
404 Where applicable, the auditor shall report in accordance with ISA 720 (Revised). ISSAI 2700.32 Para. A39
405 The auditor’s report shall include a section with a heading “Responsibilities of Management for the Financial Statements.” The ISSAI 2700.33 Para. A44;
auditor’s report shall use the term that is appropriate in the context of the legal framework in the particular jurisdiction and need See also
not refer specifically to “management”. In some jurisdictions, the appropriate reference may be to those charged with 2570
governance.
213
(Revised),
Para. A2
406 This section of the auditor’s report shall also identify those responsible for the oversight of the financial reporting process, when ISSAI 2700.35 Para. A49
those responsible for such oversight are different from those who fulfill the responsibilities described in paragraph 33 above. In
this case, the heading of this section shall also refer to “Those Charged with Governance” or such term that is appropriate in the
context of the legal framework in the particular jurisdiction.
407 When the financial statements are prepared in accordance with a fair presentation framework, the description of responsibilities ISSAI 2700.36
for the financial statements in the auditor’s report shall refer to “the preparation and fair presentation of these financial
statements” or “the preparation of financial statements that give a true and fair view,” as appropriate in the circumstances.
408 The auditor’s report shall include a section with the heading “Auditor’s Responsibilities for the Audit of the Financial Statements.” ISSAI 2700.37 Para. A50
409 This section of the auditor’s report shall: (a) State that the objectives of the auditor are to: (i) Obtain reasonable assurance about ISSAI 2700.38 Para. A50-
whether the financial statements as a whole are free from material misstatement, whether due to fraud or error; and (ii) Issue an 53
auditor’s report that includes the auditor’s opinion. (b) State that reasonable assurance is a high level of assurance, but is not a
guarantee that an audit conducted in accordance with ISAs will always detect a material misstatement when it exists; and (c) State
that misstatements can arise from fraud or error, and either: (i) Describe that they are considered material if, individually or in the
aggregate, they could reasonably be expected to influence the economic decisions of users taken on the basis of these financial
statements; or (ii) Provide a definition or description of materiality in accordance with the applicable financial reporting
framework.
214
410 The Auditor’s Responsibilities for the Audit of the Financial Statements section of the auditor’s report shall further: (a) State that, ISSAI 2700.39 Para. A50
as part of an audit in accordance with ISAs, the auditor exercises professional judgment and maintains professional skepticism See also
throughout the audit; and (b) Describe an audit by stating that the auditor’s responsibilities are: (i) To identify and assess the risks 2600
of material misstatement of the financial statements, whether due to fraud or error; to design and perform audit procedures
responsive to those risks; and to obtain audit evidence that is sufficient and appropriate to provide a basis for the auditor’s
opinion. The risk of not detecting a material misstatement resulting from fraud is higher than for one resulting from error, as
fraud may involve collusion, forgery, intentional omissions, misrepresentations, or the override of internal control. (ii) To obtain
an understanding of internal control relevant to the audit in order to design audit procedures that are appropriate in the
circumstances, but not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control. In
circumstances when the auditor also has a responsibility to express an opinion on the effectiveness of internal control in
conjunction with the audit of the financial statements, the auditor shall omit the phrase that the auditor’s consideration of
internal control is not for the purpose of expressing an opinion on the effectiveness of the entity’s internal control.(iii) To evaluate
the appropriateness of accounting policies used and the reasonableness of accounting estimates and related disclosures made by
management. (iv) To conclude on the appropriateness of management’s use of the going concern basis of accounting and, based
on the audit evidence obtained, whether a material uncertainty exists related to events or conditions that may cast significant
doubt on the entity’s ability to continue as a going concern. If the auditor concludes that a material uncertainty exists, the auditor
is required to draw attention in the auditor’s report to the related disclosures in the financial statements or, if such disclosures are
inadequate, to modify the opinion. The auditor’s conclusions are based on the audit evidence obtained up to the date of the
auditor’s report. However, future events or conditions may cause an entity to cease to continue as a going concern. (v) When the
financial statements are prepared in accordance with a fair presentation framework, to evaluate the overall presentation,
structure and content of the financial statements, including the disclosures, and whether the financial statements represent the
underlying transactions and events in a manner that achieves fair presentation. (c) When ISA 600 applies, further describe the
auditor’s responsibilities in a group audit engagement by stating that: (i) The auditor’s responsibilities are to obtain sufficient
appropriate audit evidence regarding the financial information of the entities or business activities within the group to express an
opinion on the group financial statements; (ii) The auditor is responsible for the direction, supervision and performance of the
group audit; and (iii) The auditor remains solely responsible for the auditor’s opinion.
215
411 The Auditor’s Responsibilities for the Audit of the Financial Statements section of the auditor’s report also shall: (a) State that the ISSAI 2700.40 Para. A45
auditor communicates with those charged with governance regarding, among other matters, the planned scope and timing of the Para. A48;
audit and significant audit findings, including any significant deficiencies in internal control that the auditor identifies during the See also
audit; (b) For audits of financial statements of listed entities, state that the auditor provides those charged with governance with a 2701
statement that the auditor has complied with relevant ethical requirements regarding independence and communicate with them
all relationships and other matters that may reasonably be thought to bear on the auditor’s independence, and where applicable,
related safeguards; and (c) For audits of financial statements of listed entities and any other entities for which key audit matters
are communicated in accordance with ISA 701, state that, from the matters communicated with those charged with governance,
the auditor determines those matters that were of most significance in the audit of the financial statements of the current period
and are therefore the key audit matters. The auditor describes these matters in the auditor’s report unless law or regulation
precludes public disclosure about the matter or when, in extremely rare circumstances, the auditor determines that a matter
should not be communicated in the auditor’s report because the adverse consequences of doing so would reasonably be
expected to outweigh the public interest benefits of such communication.
412 The description of the auditor’s responsibilities for the audit of the financial statements required by paragraphs 39–40 shall be ISSAI 2700.41 Para. A54-
included: (a) Within the body of the auditor’s report; (b) Within an appendix to the auditor’s report, in which case the auditor’s 57
report shall include a reference to the location of the appendix; or (c) By a specific reference within the auditor’s report to the
location of such a description on a website of an appropriate authority, where law, regulation or national auditing standards
expressly permit the auditor to do so.
413 When the auditor refers to a description of the auditor’s responsibilities on a website of an appropriate authority, the auditor ISSAI 2700.42 Para. A56
shall determine that such description addresses, and is not inconsistent with, the requirements in paragraphs 39–40 of this ISA.
414 If the auditor addresses other reporting responsibilities in the auditor’s report on the financial statements that are in addition to ISSAI 2700.43 Para. A58–
the auditor’s responsibilities under the ISAs, these other reporting responsibilities shall be addressed in a separate section in the A60
auditor’s report with a heading titled “Report on Other Legal and Regulatory Requirements” or otherwise as appropriate to the
content of the section, unless these other reporting responsibilities address the same topics as those presented under the
reporting responsibilities required by the ISAs in which case the other reporting responsibilities may be presented in the same
section as the related report elements required by the ISAs.
415 If other reporting responsibilities are presented in the same section as the related report elements required by the ISAs, the ISSAI 2700.44 Para. A60
auditor’s report shall clearly differentiate the other reporting responsibilities from the reporting that is required by the ISAs.
416 If the auditor’s report contains a separate section that addresses other reporting responsibilities, the requirements of paragraphs ISSAI 2700.45 Para. A60
20–39 of this ISA shall be included under a section with a heading “Report on the Audit of the Financial Statements.” The “Report
on Other Legal and Regulatory Requirements” shall follow the “Report on the Audit of the Financial Statements.”
216
417 The name of the engagement partner shall be included in the auditor’s report for audits of complete sets of general purpose ISSAI 2700.46 Para. A61–
financial statements of listed entities unless, in rare circumstances, such disclosure is reasonably expected to lead to a significant A63
personal security threat. In the rare circumstances that the auditor intends not to include the name of the engagement partner in
the auditor’s report, the auditor shall discuss this intention with those charged with governance to inform the auditor’s
assessment of the likelihood and severity of a significant personal security threat.
418 The auditor’s report shall be signed. ISSAI 2700.47 Para. A64–
A65
419 The auditor’s report shall name the location in the jurisdiction where the auditor practices. ISSAI 2700.48
420 The auditor’s report shall be dated no earlier than the date on which the auditor has obtained sufficient appropriate audit ISSAI 2700.49 Para. A66–
evidence on which to base the auditor’s opinion on the financial statements, including evidence that: (a) All the statements that A69
comprise the financial statements, including the related notes, have been prepared; and (b) Those with the recognized authority
have asserted that they have taken responsibility for those financial statements.
421 If the auditor is required by law or regulation of a specific jurisdiction to use a specific layout, or wording of the auditor’s report, ISSAI 2700.50 Para. A70–
the auditor’s report shall refer to International Standards on Auditing only if the auditor’s report includes, at a minimum, each of A71
the following elements: (a) A title. (b) An addressee, as required by the circumstances of the engagement. (c) An Opinion section Para. A72-
containing an expression of opinion on the financial statements and a reference to the applicable financial reporting A75
framework used to prepare the financial statements (including identifying the jurisdiction of origin of the financial reporting Para. A52-
framework that is not International Financial Reporting Standards or International Public Sector Accounting Standards, see A53
paragraph 27). (d) An identification of the entity’s financial statements that have been audited. (e) A statement that the auditor is
independent of the entity in accordance with the relevant ethical requirements relating to the audit, and has fulfilled the auditor’s
other ethical responsibilities in accordance with these requirements. The statement shall identify the jurisdiction of origin of the
relevant ethical requirements or refer to the IESBA Code. (f) Where applicable, a section that addresses, and is not inconsistent
with, the reporting requirements in paragraph 22 of ISA 570 (Revised). (g) Where applicable, a Basis for Qualified (or Adverse)
Opinion section that addresses, and is not inconsistent with, the reporting requirements in paragraph 23 of ISA 570 (Revised). (h)
Where applicable, a section that includes the information required by ISA 701, or additional information about the audit that is
prescribed by law or regulation and that addresses, and is not inconsistent with, the reporting requirements in that ISA. (i) Where
applicable, a section that addresses the reporting requirements in paragraph 24 of ISA 720 (Revised). (j) A description of
management’s responsibilities for the preparation of the financial statements and an identification of those responsible for the
oversight of the financial reporting process that addresses, and is not inconsistent with, the requirements in paragraphs 33–36. (k)
A reference to International Standards on Auditing and the law or regulation, and a description of the auditor’s responsibilities for
an audit of the financial statements that addresses, and is not inconsistent with, the requirements in paragraphs 37–40. (l) For
audits of complete sets of general purpose financial statements of listed entities, the name of the engagement partner unless, in
rare circumstances, such disclosure is reasonably expected to lead to a significant personal security threat. (m) The auditor’s
signature. (n) The auditor’s address. (o) The date of the auditor’s report.
217
422 An auditor may be required to conduct an audit in accordance with the auditing standards of a specific jurisdiction (the “national ISSAI 2700.51 Para. A76–
auditing standards”), and has additionally complied with the ISAs in the conduct of the audit. If this is the case, the auditor’s A77
report may refer to International Standards on Auditing in addition to the national auditing standards, but the auditor shall do so
only if: (a) There is no conflict between the requirements in the national auditing standards and those in ISAs that would lead the
auditor (i) to form a different opinion, or (ii) not to include an Emphasis of Matter paragraph or Other Matter paragraph that, in
the particular circumstances, is required by ISAs; and (b) The auditor’s report includes, at a minimum, each of the elements set
out in paragraphs 50(a)–(o) when the auditor uses the layout or wording specified by the national auditing standards. However,
reference to “law or regulation” in paragraph 50(k) shall be read as reference to the national auditing standards. The auditor’s
report shall thereby identify such national auditing standards.
423 When the auditor’s report refers to both the national auditing standards and International Standards on Auditing, the auditor’s ISSAI 2700.52
report shall identify the jurisdiction of origin of the national auditing standards.
424 If supplementary information that is not required by the applicable financial reporting framework is presented with the audited ISSAI 2700.53 Para. A78–
financial statements, the auditor shall evaluate whether, in the auditor’s professional judgment, supplementary information is A84
nevertheless an integral part of the financial statements due to its nature or how it is presented. When it is an integral part of the
financial statements, the supplementary information shall be covered by the auditor’s opinion.
425 If supplementary information that is not required by the applicable financial reporting framework is not considered an integral ISSAI 2700.54 Para. A78–
part of the audited financial statements, the auditor shall evaluate whether such supplementary information is presented in a way A84
that sufficiently and clearly differentiates it from the audited financial statements. If this is not the case, then the auditor shall ask
management to change how the unaudited supplementary information is presented. If management refuses to do so, the auditor
shall identify the unaudited supplementary information and explain in the auditor’s report that such supplementary information
has not been audited.
426 The auditor shall determine, from the matters communicated with those charged with governance, those matters that required ISSAI 2701.9 Para. A9-
significant auditor attention in performing the audit. In making this determination, the auditor shall take into account the A26
following: (a) Areas of higher assessed risk of material misstatement, or significant risks identified in accordance with ISA 315
(Revised). (b) Significant auditor judgments relating to areas in the financial statements that involved significant management
judgment, including accounting estimates that have been identified as having high estimation uncertainty. (c) The effect on the
audit of significant events or transactions that occurred during the period.
427 The auditor shall determine which of the matters determined in accordance with paragraph 9 were of most significance in the ISSAI 2701.10 Para. A9–
audit of the financial statements of the current period and therefore are the key audit matters. A11, A18,
A27–A30
218
428 The auditor shall describe each key audit matter, using an appropriate subheading, in a separate section of the auditor’s report ISSAI 2701.11 Para. A31–
under the heading “Key Audit Matters,” unless the circumstances in paragraphs 14 or 15 apply. The introductory language in this A33
section of the auditor’s report shall state that: (a) Key audit matters are those matters that, in the auditor’s professional
judgment, were of most significance in the audit of the financial statements [of the current period]; and (b) These matters were
addressed in the context of the audit of the financial statements as a whole, and in forming the auditor’s opinion thereon, and the
auditor does not provide a separate opinion on these matters.
429 The auditor shall not communicate a matter in the Key Audit Matters section of the auditor’s report when the auditor would be ISSAI 2701.12 Para. A5
required to modify the opinion in accordance with ISA 705 (Revised) as a result of the matter.
430 The description of each key audit matter in the Key Audit Matters section of the auditor’s report shall include a reference to the ISSAI 2701.13 Para. A34–
related disclosure(s), if any, in the financial statements and shall address: (a) Why the matter was considered to be one of most A51
significance in the audit and therefore determined to be a key audit matter; and (b) How the matter was addressed in the audit.
431 The auditor shall describe each key audit matter in the auditor’s report unless: (a) Law or regulation precludes public disclosure ISSAI 2701.14 Para. A53–
about the matter; or (b) In extremely rare circumstances, the auditor determines that the matter should not be communicated in A56
the auditor’s report because the adverse consequences of doing so would reasonably be expected to outweigh the public interest Para. A52
benefits of such communication. This shall not apply if the entity has publicly disclosed information about the matter.
432 A matter giving rise to a modified opinion in accordance with ISA 705 (Revised), or a material uncertainty related to events or ISSAI 2701.15 Para. A6–
conditions that may cast significant doubt on the entity’s ability to continue as a going concern in accordance with ISA 570 A7, A18
(Revised), are by their nature key audit matters. However, in such circumstances, these matters shall not be described in the Key See also
Audit Matters section of the auditor’s report and the requirements in paragraphs 13–14 do not apply. Rather, the auditor shall: (a) 2705
Report on these matter(s) in accordance with the applicable ISA(s); and (b) Include a reference to the Basis for Qualified (Adverse) (revised)
Opinion or the Material Uncertainty Related to Going Concern section(s) in the Key Audit Matters section.
433 If the auditor determines, depending on the facts and circumstances of the entity and the audit, that there are no key audit ISSAI 2701.16 Para. A57–
matters to communicate or that the only key audit matters communicated are those matters addressed by paragraph 15, the A59
auditor shall include a statement to this effect in a separate section of the auditor’s report under the heading “Key Audit
Matters.”
434 The auditor shall communicate with those charged with governance: (a) Those matters the auditor has determined to be the key ISSAI 2701.17 Para. A60–
audit matters; or (b) If applicable, depending on the facts and circumstances of the entity and the audit, the auditor’s A63
determination that there are no key audit matters to communicate in the auditor’s report.
219
435 The auditor shall include in the audit documentation: (a) The matters that required significant auditor attention as determined in ISSAI 2701.18 Para. A64
accordance with paragraph 9, and the rationale for the auditor’s determination as to whether or not each of these matters is a See also
key audit matter in accordance with paragraph 10; (b) Where applicable, the rationale for the auditor’s determination that there 2230,
are no key audit matters to communicate in the auditor’s report or that the only key audit matters to communicate are those Para. A8–
matters addressed by paragraph 15; and (c) Where applicable, the rationale for the auditor’s determination not to communicate A11, A6
in the auditor’s report a matter determined to be a key audit matter.
436 The auditor shall modify the opinion in the auditor’s report when:(a) The auditor concludes that, based on the audit evidence ISSAI 2705.6 Para. A2-
obtained, the financial statements as a whole are not free from material misstatement; or (b) The auditor is unable to obtain A12
sufficient appropriate audit evidence to conclude that the financial statements as a whole are free from material misstatement.
437 The auditor shall express a qualified opinion when:(a) The auditor, having obtained sufficient appropriate audit evidence, ISSAI 2705.7
concludes that misstatements, individually or in the aggregate, are material, but not pervasive, to the financial statements; or(b)
The auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion, but the auditor concludes that
the possible effects on the financial statements of undetected misstatements, if any, could be material but not pervasive.
438 The auditor shall express an adverse opinion when the auditor, having obtained sufficient appropriate audit evidence, concludes ISSAI 2705.8
that misstatements, individually or in the aggregate, are both material and pervasive to the financial statements.
439 The auditor shall disclaim an opinion when the auditor is unable to obtain sufficient appropriate audit evidence on which to base ISSAI 2705.9
the opinion, and the auditor concludes that the possible effects on the financial statements of undetected misstatements, if any,
could be both material and pervasive.
440 The auditor shall disclaim an opinion when, in extremely rare circumstances involving multiple uncertainties, the auditor ISSAI 2705.10
concludes that, not withstanding having obtained sufficient appropriate audit evidence regarding each of the individual
uncertainties, it is not possible to form an opinion on the financial statements due to the potential interaction of the uncertainties
and their possible cumulative effect on the financial statements.
441 If, after accepting the engagement, the auditor becomes aware that management has imposed a limitation on the scope of the ISSAI 2705.11
audit that the auditor considers likely to result in the need to express a qualified opinion or to disclaim an opinion on the financial
statements, the auditor shall request that management remove the limitation.
442 If management refuses to remove the limitation referred to in paragraph 11, the auditor shall communicate the matter to those ISSAI 2705.12
charged with governance, unless all of those charged with governance are involved in managing the entity, and determine
whether it is possible to perform alternative procedures to obtain sufficient appropriate audit evidence.
220
443 If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall determine the implications as follows:(a) ISSAI 2705.13 Para. A13-
If the auditor concludes that the possible effects on the financial statements of undetected misstatements, if any, could be A14
material but not pervasive, the auditor shall qualify the opinion; or(b) If the auditor concludes that the possible effects on the
financial statements of undetected misstatements, if any, could be both material and pervasive so that a qualification of the
opinion would be inadequate to communicate the gravity of the situation, the auditor shall:(i) Withdraw from the audit, where
practicable and possible under applicable law or regulation; or (ii) If withdrawal from the audit before issuing the auditor’s report
is not practicable or possible, disclaim an opinion on the financial statements.
444 If the auditor withdraws as contemplated by paragraph 13(b)(i), before withdrawing, the auditor shall communicate to those ISSAI 2705.14 Para. A15
charged with governance any matters regarding misstatements identified during the audit that would have given rise to a
modification of the opinion.
445 When the auditor considers it necessary to express an adverse opinion or disclaim an opinion on the financial statements as a ISSAI 2705.15 Para. A16
whole, the auditor’s report shall not also include an unmodified opinion with respect to the same financial reporting framework See also
on a single financial statement or one or more specific elements, accounts or items of a financial statement. To include such an 2805
unmodified opinion in the same report in these circumstances would contradict the auditor’s adverse opinion or disclaimer of
opinion on the financial statements as a whole.
446 When the auditor modifies the audit opinion, the auditor shall use the heading “Qualified Opinion,” “Adverse Opinion,” or ISSAI 2705.16 Para. A17–
“Disclaimer of Opinion,” as appropriate, for the Opinion section. A19
447 When the auditor expresses a qualified opinion due to a material misstatement in the financial statements, the auditor shall state ISSAI 2705.17 Para. A20
that, in the auditor’s opinion, except for the effects of the matter(s) described in the Basis for Qualified Opinion section: (a) When
reporting in accordance with a fair presentation framework, the accompanying financial statements present fairly, in all material
respects (or give a true and fair view of) […] in accordance with [the applicable financial reporting framework]; or (b) When
reporting in accordance with a compliance framework, the accompanying financial statements have been prepared, in all
material respects, in accordance with [the applicable financial reporting framework]. When the modification arises from an
inability to obtain sufficient appropriate audit evidence, the auditor shall use the corresponding phrase “except for the possible
effects of the matter(s) ...” for the modified opinion.
448 When the auditor expresses an adverse opinion, the auditor shall state that, in the auditor’s opinion, because of the significance ISSAI 2705.18
of the matter(s) described in the Basis for Adverse Opinion section:(a) When reporting in accordance with a fair presentation
framework, the accompanying financial statements do not present fairly (or give a true and fair view of) […] in accordance with
[the applicable financial reporting framework]; or (b) When reporting in accordance with a compliance framework, the
accompanying financial statements have not been prepared, in all material respects, in accordance with [the applicable financial
reporting framework].
221
449 When the auditor disclaims an opinion due to an inability to obtain sufficient appropriate audit evidence, the auditor shall: (a) ISSAI 2705.19 See also
State that the auditor does not express an opinion on the accompanying financial statements; (b) State that, because of the 2700,
significance of the matter(s) described in the Basis for Disclaimer of Opinion section, the auditor has not been able to obtain Para. 24
sufficient appropriate audit evidence to provide a basis for an audit opinion on the financial statements; and (c) Amend the
statement required by paragraph 24(b) of ISA 700 (Revised), which indicates that the financial statements have been audited, to
state that the auditor was engaged to audit the financial statements.
450 When the auditor modifies the opinion on the financial statements, the auditor shall, in addition to the specific elements required ISSAI 2705.20 Para. A21
by ISA 700 (Revised): (a) Amend the heading “Basis for Opinion” required by paragraph 28 of ISA 700 (Revised) to “Basis for See also
Qualified Opinion,” “Basis for Adverse Opinion,” or “Basis for Disclaimer of Opinion,” as appropriate; and (b) Within this section, 2700,
include a description of the matter giving rise to the modification. Para. 28
451 If there is a material misstatement of the financial statements that relates to specific amounts in the financial statements ISSAI 2705.21 Para. A22
(including quantitative disclosures in the notes to the financial statements), the auditor shall include in the Basis for Opinion
section a description and quantification of the financial effects of the misstatement, unless impracticable. If it is not practicable to
quantify the financial effects, the auditor shall so state in this section.
452 If there is a material misstatement of the financial statements that relates to narrative disclosures, the auditor shall include in the ISSAI 2705.22
Basis for Opinion section an explanation of how the disclosures are misstated.
453 If there is a material misstatement of the financial statements that relates to the non-disclosure of information required to be ISSAI 2705.23 Para. A23
disclosed, the auditor shall: (a) Discuss the non-disclosure with those charged with governance; (b) Describe in the Basis for
Opinion section the nature of the omitted information; and (c) Unless prohibited by law or regulation, include the omitted
disclosures, provided it is practicable to do so and the auditor has obtained sufficient appropriate audit evidence about the
omitted information.
454 If the modification results from an inability to obtain sufficient appropriate audit evidence, the auditor shall include in the Basis ISSAI 2705.24
for Opinion section the reasons for that inability.
455 When the auditor expresses a qualified or adverse opinion, the auditor shall amend the statement about whether the audit ISSAI 2705.25 See also
evidence obtained is sufficient and appropriate to provide a basis for the auditor’s opinion required by paragraph 28(d) of ISA 700 2700,
(Revised) to include the word “qualified” or “adverse”, as appropriate. Para. 28
456 When the auditor disclaims an opinion on the financial statements, the auditor’s report shall not include the elements required by ISSAI 2705.26 See also
paragraphs 28(b) and 28(d) of ISA 700 (Revised). Those elements are: (a) A reference to the section of the auditor’s report where 2700,
the auditor’s responsibilities are described; and (b) A statement about whether the audit evidence obtained is sufficient and Para. 2
appropriate to provide a basis for the auditor’s opinion.
457 Even if the auditor has expressed an adverse opinion or disclaimed an opinion on the financial statements, the auditor shall ISSAI 2705.27 Para. A24
describe in the Basis for Opinion section the reasons for any other matters of which the auditor is aware that would have required
a modification to the opinion, and the effects thereof.
222
458 When the auditor disclaims an opinion on the financial statements due to an inability to obtain sufficient appropriate audit ISSAI 2705.28 Para. A25
evidence, the auditor shall amend the description of the auditor’s responsibilities required by paragraphs 38–40 of ISA 700
(Revised) to include only the following: (a) A statement that the auditor’s responsibility is to conduct an audit of the entity’s
financial statements in accordance with International Standards on Auditing and to issue an auditor’s report; (b) A statement that,
however, because of the matter(s) described in the Basis for Disclaimer of Opinion section, the auditor was not able to obtain
sufficient appropriate audit evidence to provide a basis for an audit opinion on the financial statements; and (c) The statement
about auditor independence and other ethical responsibilities required by paragraph 28(c) of ISA 700 (Revised).
459 Unless required by law or regulation, when the auditor disclaims an opinion on the financial statements, the auditor’s report shall ISSAI 2705.29 Para. A26
not include a Key Audit Matters section in accordance with ISA 701.
460 When the auditor expects to modify the opinion in the auditor’s report, the auditor shall communicate with those charged with ISSAI 2705.30 Para. A27
governance the circumstances that led to the expected modification and the wording of the modification.
461 If the auditor considers it necessary to draw users’ attention to a matter presented or disclosed in the financial statements that, in ISSAI 2706.8 Para. A1–
the auditor’s judgment, is of such importance that it is fundamental to users’ understanding of the financial statements, the A3, A5–A6
auditor shall include an Emphasis of Matter paragraph in the auditor’s report provided: (a) The auditor would not be required to See also
modify the opinion in accordance with ISA 705 (Revised) as a result of the matter; and (b) When ISA 701 applies, the matter has 2701 and
not been determined to be a key audit matter to be communicated in the auditor’s report. 2705
462 When the auditor includes an Emphasis of Matter paragraph in the auditor’s report, the auditor shall: (a) Include the paragraph ISSAI 2706.9 Para. A7–
within a separate section of the auditor’s report with an appropriate heading that includes the term “Emphasis of Matter”; (b) A8, A16–
Include in the paragraph a clear reference to the matter being emphasized and to where relevant disclosures that fully describe A17
the matter can be found in the financial statements. The paragraph shall refer only to information presented or disclosed in the
financial statements; and (c) Indicate that the auditor’s opinion is not modified in respect of the matter emphasized.
463 If the auditor considers it necessary to communicate a matter other than those that are presented or disclosed in the financial ISSAI 2706.10 Para. A9–
statements that, in the auditor’s judgment, is relevant to users’ understanding of the audit, the auditor’s responsibilities or the A14
auditor’s report, the auditor shall include an Other Matter paragraph in the auditor’s report, provided: (a) This is not prohibited by See also
law or regulation; and (b) When ISA 701 applies, the matter has not been determined to be a key audit matter to be 2701
communicated in the auditor’s report. (Ref: Para. A9–A14)
464 When the auditor includes an Other Matter paragraph in the auditor’s report, the auditor shall include the paragraph within a ISSAI 2706.11 Para. A15–
separate section with the heading “Other Matter,” or other appropriate heading. A17
465 If the auditor expects to include an Emphasis of Matter or an Other Matter paragraph in the auditor’s report, the auditor shall ISSAI 2706.12 Para. A18
communicate with those charged with governance regarding this expectation and the wording of this paragraph.
223
466 The auditor shall determine whether the financial statements include the comparative information required by the applicable ISSAI 2710.7
financial reporting framework and whether such information is appropriately classified. For this purpose, the auditor shall
evaluate whether: (a) The comparative information agrees with the amounts and other disclosures presented in the prior period
or, when appropriate, have been restated; and (b) The accounting policies reflected in the comparative information are consistent
with those applied in the current period or, if there have been changes in accounting policies, whether those changes have been
properly accounted for and adequately presented and disclosed.
467 If the auditor becomes aware of a possible material misstatement in the comparative information while performing the current ISSAI 2710.8
period audit, the auditor shall perform such additional audit procedures as are necessary in the circumstances to obtain sufficient
appropriate audit evidence to determine whether a material misstatement exists. If the auditor had audited the prior period’s
financial statements, the auditor shall also follow the relevant requirements of ISA 560. If the prior period financial statements are
amended, the auditor shall determine that the comparative information agrees with the amended financial statements.
468 As required by ISA 580, the auditor shall request written representations for all periods referred to in the auditor’s opinion. The ISSAI 2710.9 Para. A1
auditor shall also obtain a specific written representation regarding any restatement made to correct a material misstatement in
prior period financial statements that affect the comparative information.
469 If the auditor’s report on the prior period, as previously issued, included a qualified opinion, a disclaimer of opinion, or an adverse ISSAI 2710.11 Para. A3-
opinion and the matter which gave rise to the modification is unresolved, the auditor shall modify the auditor’s opinion on the A5
current period’s financial statements. In the Basis for Modification paragraph in the auditor’s report, the auditor shall either:(a)
Refer to both the current period’s figures and the corresponding figures in the description of the matter giving rise to the
modification when the effects or possible effects of the matter on the current period’s figures are material; or(b) In other cases,
explain that the audit opinion has been modified because of the effects or possible effects of the unresolved matter on the
comparability of the current period’s figures and the corresponding figures.
470 If the auditor obtains audit evidence that a material misstatement exists in the prior period financial statements on which an ISSAI 2710.12 Para. A6
unmodified opinion has been previously issued, and the corresponding figures have not been properly restated or appropriate
disclosures have not been made, the auditor shall express a qualified opinion or an adverse opinion in the auditor’s report on the
current period financial statements, modified with respect to the corresponding figures included therein.
471 If the financial statements of the prior period were audited by a predecessor auditor and the auditor is not prohibited by law or ISSAI 2710.13 Para. A7
regulation from referring to the predecessor auditor’s report on the corresponding figures and decides to do so, the auditor shall
state in an Other Matter paragraph in the auditor’s report:(a) That the financial statements of the prior period were audited by
the predecessor auditor;(b) The type of opinion expressed by the predecessor auditor and, if the opinion was modified, the
reasons therefore; and(c) The date of that report.
472 If the prior period financial statements were not audited, the auditor shall state in an Other Matter paragraph in the auditor’s ISSAI 2710.14 Para. A7a)
report that the corresponding figures are unaudited. Such a statement does not, however, relieve the auditor of the requirement
to obtain sufficient appropriate audit evidence that the opening balances do not contain misstatements that materially affect the
current period’s financial statements.
224
473 When comparative financial statements are presented, the auditor’s opinion shall refer to each period for which financial ISSAI 2710.15 Para. A8-
statements are presented and on which an audit opinion is expressed. A9
474 When reporting on prior period financial statements in connection with the current period’s audit, if the auditor’s opinion on such ISSAI 2710.16 Para. A10
prior period financial statements differs from the opinion the auditor previously expressed, the auditor shall disclose the See also
substantive reasons for the different opinion in an Other Matter paragraph in accordance with ISA 706 (Revised). 2706
(Revised)
475 If the financial statements of the prior period were audited by a predecessor auditor, in addition to expressing an opinion on the ISSAI 2710.17
current period’s financial statements, the auditor shall state in an Other Matter paragraph:(a) that the financial statements of the
prior period were audited by a predecessor auditor;(b) the type of opinion expressed by the predecessor auditor and, if the
opinion was modified, the reasons therefore; and(c) the date of that report, unless the predecessor auditor’s report on the prior
period’s financial statements is reissued with the financial statements.
476 If the auditor concludes that a material misstatement exists that affects the prior period financial statements on which the ISSAI 2710.18 Para. A11
predecessor auditor had previously reported without modification, the auditor shall communicate the misstatement with the
appropriate level of management and, unless all of those charged with governance are involved in managing the entity, those
charged with governance and request that the predecessor auditor be informed. If the prior period financial statements are
amended, and the predecessor auditor agrees to issue a new auditor’s report on the amended financial statements of the prior
period, the auditor shall report only on the current period.
477 If the prior period financial statements were not audited, the auditor shall state in an Other Matter paragraph that the ISSAI 2710.19 Para. A12
comparative financial statements are unaudited. Such a statement does not, however, relieve the auditor of the requirement to
obtain sufficient appropriate audit evidence that the opening balances do not contain misstatements that materially affect the
current period’s financial statements.
478 The auditor shall: (a) Determine, through discussion with management, which document(s) comprises the annual report, and the ISSAI 2720.13 Para. A11–
entity’s planned manner and timing of the issuance of such document(s); (b) Make appropriate arrangements with management A22
to obtain in a timely manner and, if possible, prior to the date of the auditor’s report, the final version of the document(s)
comprising the annual report; and (c) When some or all of the document(s) determined in (a) will not be available until after the
date of the auditor’s report, request management to provide a written representation that the final version of the document(s)
will be provided to the auditor when available, and prior to its issuance by the entity, such that the auditor can complete the
procedures required by this ISA.
479 The auditor shall read the other information and, in doing so shall: (a) Consider whether there is a material inconsistency between ISSAI 2720.14 Para. A23–
the other information and the financial statements. As the basis for this consideration, the auditor shall, to evaluate their A36
consistency, compare selected amounts or other items in the other information (that are intended to be the same as, to
summarize, or to provide greater detail about, the amounts or other items in the financial statements) with such amounts or
other items in the financial statements; and (b) Consider whether there is a material inconsistency between the other information
and the auditor’s knowledge obtained in the audit, in the context of audit evidence obtained and conclusions reached in the audit.
225
480 If the auditor identifies that a material inconsistency appears to exist (or becomes aware that the other information appears to be ISSAI 2720.16 Para. A39–
materially misstated), the auditor shall discuss the matter with management and, if necessary, perform other procedures to A43
conclude whether: (a) A material misstatement of the other information exists; (b) A material misstatement of the financial
statements exists; or (c) The auditor’s understanding of the entity and its environment needs to be updated.
481 If the auditor concludes that a material misstatement of the other information exists, the auditor shall request management to ISSAI 2720.17
correct the other information. If management: (a) Agrees to make the correction, the auditor shall determine that the correction
has been made; or (b) Refuses to make the correction, the auditor shall communicate the matter with those charged with
governance and request that the correction be made.
482 If the auditor concludes that a material misstatement exists in other information obtained prior to the date of the auditor’s ISSAI 2720.18 Para. A44–
report, and the other information is not corrected after communicating with those charged with governance, the auditor shall A47
take appropriate action, including: (a) Considering the implications for the auditor’s report and communicating with those
charged with governance about how the auditor plans to address the material misstatement in the auditor’s report (see
paragraph 22(e)(ii)); or (b) Withdrawing from the engagement, where withdrawal is possible under applicable law or regulation.
483 If the auditor concludes that a material misstatement exists in other information obtained after the date of the auditor’s report, ISSAI 2720.19 Para. A48–
the auditor shall: (a) If the other information is corrected, perform the procedures necessary in the circumstances; or (b) If the A50
other information is not corrected after communicating with those charged with governance, take appropriate action considering
the auditor’s legal rights and obligations, to seek to have the uncorrected material misstatement appropriately brought to the
attention of users for whom the auditor’s report is prepared.
484 If, as a result of performing the procedures in paragraphs 14–15, the auditor concludes that a material misstatement in the ISSAI 2720.20 Para. A51
financial statements exists or the auditor’s understanding of the entity and its environment needs to be updated, the auditor shall
respond appropriately in accordance with the other ISAs.
485 The auditor’s report shall include a separate section with a heading “Other Information”, or other appropriate heading, when, at ISSAI 2720.21 Para. A52
the date of the auditor’s report: (a) For an audit of financial statements of a listed entity, the auditor has obtained, or expects to
obtain, the other information; or (b) For an audit of financial statements of an entity other than a listed entity, the auditor has
obtained some or all of the other information.
486 When the auditor’s report is required to include an Other Information section in accordance with paragraph 21, this section shall ISSAI 2720.22 Para. A53
include: (a) A statement that management is responsible for the other information; (b) An identification of: (i) Other information,
if any, obtained by the auditor prior to the date of the auditor’s report; and (ii) For an audit of financial statements of a listed
entity, other information, if any, expected to be obtained after the date of the auditor’s report; (c) A statement that the auditor’s
opinion does not cover the other information and, accordingly, that the auditor does not express (or will not express) an audit
opinion or any form of assurance conclusion thereon; (d) A description of the auditor’s responsibilities relating to reading,
considering and reporting on other information as required by this ISA; and (e) When other information has been obtained prior
to the date of the auditor’s report, either: (i) A statement that the auditor has nothing to report; or (ii) If the auditor has
concluded that there is an uncorrected material misstatement of the other information, a statement that describes the
uncorrected material misstatement of the other information.
226
487 When the auditor expresses a qualified or adverse opinion in accordance with ISA 705 (Revised), the auditor shall consider the ISSAI 2720.23 Para. A54–
implications of the matter giving rise to the modification of opinion for the statement required in paragraph 22(e). A58
488 If the auditor is required by law or regulation of a specific jurisdiction to refer to the other information in the auditor’s report ISSAI 2720.24 Para. A59
using a specific layout or wording, the auditor’s report shall refer to International Standards on Auditing only if the auditor’s
report includes, at a minimum: (a) Identification of the other information obtained by the auditor prior to the date of the auditor’s
report; (b) A description of the auditor’s responsibilities with respect to the other information; and (c) An explicit statement
addressing the outcome of the auditor’s work for this purpose.
489 In addressing the requirements of ISA 230 as it applies to this ISA, the auditor shall include in the audit documentation: (a) ISSAI 2720.25 See also
Documentation of the procedures performed under this ISA; and (b) The final version of the other information on which the 2705
auditor has performed the work required under this ISA.
490 ISA 210 requires the auditor to determine the acceptability of the financial reporting framework applied in the preparation of the ISSAI 2800.8 Para. A5-
financial statements. In an audit of special purpose financial statements, the auditor shall obtain an understanding of: (a) The A8
purpose for which the financial statements are prepared;(b) The intended users; and(c) The steps taken by management to
determine that the applicable financial reporting framework is acceptable in the circumstances.
491 ISA 200 requires the auditor to comply with all ISAs relevant to the audit. In planning and performing an audit of special purpose ISSAI 2800.9 Para. A9-
financial statements, the auditor shall determine whether application of the ISAs requires special consideration in the A12
circumstances of the engagement.
492 ISA 315 (Revised) requires the auditor to obtain an understanding of the entity’s selection and application of accounting policies. ISSAI 2800.10
In the case of financial statements prepared in accordance with the provisions of a contract, the auditor shall obtain an
understanding of any significant interpretations of the contract that management made in the preparation of those financial
statements. An interpretation is significant when adoption of another reasonable interpretation would have produced a material
difference in the information presented in the financial statements.
493 When forming an opinion and reporting on special purpose financial statements, the auditor shall apply the requirements in ISA ISSAI 2800.11 Para.A13-
700 (Revised). A19
494 ISA 700 (Revised) requires the auditor to evaluate whether the financial statements adequately refer to or describe the applicable ISSAI 2800.12
financial reporting framework. In the case of financial statements prepared in accordance with the provisions of a contract, the
auditor shall evaluate whether the financial statements adequately describe any significant interpretations of the contract on
which the financial statements are based.
495 ISA 700 (Revised) deals with the form and content of the auditor’s report, including the specific ordering for certain elements. In ISSAI 2800.13
the case of an auditor’s report on special purpose financial statements:(a) The auditor’s report shall also describe the purpose for
which the financial statements are prepared and, if necessary, the intended users, or refer to a note in the special purpose
financial statements that contains that information; and(b) If management has a choice of financial reporting frameworks in the
preparation of such financial statements, the explanation of management’s responsibility for the financial statements shall also
make reference to its responsibility for determining that the applicable financial reporting framework is acceptable in the
circumstances.
227
496 The auditor’s report on special purpose financial statements shall include an Emphasis of Matter paragraph alerting users of the ISSAI 2800.14 Para.: A20-
auditor’s report that the financial statements are prepared in accordance with a special purpose framework and that, as a result, A21
the financial statements may not be suitable for another purpose.
497 ISA 200 requires the auditor to comply with all ISAs relevant to the audit. In the case of an audit of a single financial statement or ISSAI 2805.7 Para. A5-
of a specific element of a financial statement, this requirement applies irrespective of whether the auditor is also engaged to audit A6
the entity’s complete set of financial statements. If the auditor is not also engaged to audit the entity’s complete set of financial
statements, the auditor shall determine whether the audit of a single financial statement or of a specific element of those
financial statements in accordance with ISAs is practicable.
498 ISA 210 requires the auditor to determine the acceptability of the financial reporting framework applied in the preparation of the ISSAI 2805.8 Para. A7
financial statements. In the case of an audit of a single financial statement or of a specific element of a financial statement, this
shall include whether application of the financial reporting framework will result in a presentation that provides adequate
disclosures to enable the intended users to understand the information conveyed in the financial statement or the element, and
the effect of material transactions and events on the information conveyed in the financial statement or the element.
499 ISA 210 requires that the agreed terms of the audit engagement include the expected form of any reports to be issued by the ISSAI 2805.9 Para. A8-
auditor. In the case of an audit of a single financial statement or of a specific element of a financial statement, the auditor shall A9
consider whether the expected form of opinion is appropriate in the circumstances.
500 When forming an opinion and reporting on a single financial statement or on a specific element of a financial statement, the ISSAI 2805.11 Para. A16-
auditor shall apply the requirements in ISA 700 (Revised), and, when applicable, ISA 800 (Revised) adapted as necessary in the A22
circumstances of the engagement.
501 If the auditor undertakes an engagement to report on a single financial statement or on a specific element of a financial ISSAI 2805.12
statement in conjunction with an engagement to audit the entity’s complete set of financial statements, the auditor shall express
a separate opinion for each engagement.
502 The audited single financial statement or the audited specific element of a financial statement may be published together with ISSAI 2805.13
the entity’s audited complete set of financial statements. If the auditor concludes that the presentation of the single financial
statement or of the specific element of a financial statement does not differentiate it sufficiently from the complete set of
financial statements, the auditor shall ask management to rectify the situation. Subject to paragraphs 15 and 16, the auditor shall
also differentiate the opinion on the single financial statement or on the specific element of a financial statement from the
opinion on the complete set of financial statements. The auditor shall not issue the auditor’s report containing the opinion on the
single financial statement or on the specific element of a financial statement until satisfied with the differentiation.
503 If the auditor’s report on an entity’s complete set of financial statements includes: (a) A modified opinion in accordance with ISA ISSAI 2805.14 Para.: A23-
705 (Revised); (b) An Emphasis of Matter paragraph or an Other Matter paragraph, in accordance with ISA 706 (Revised); (c) A A27
Material Uncertainty Related to Going Concern section in accordance with ISA 570 (Revised); (d) Communication of key audit
matters in accordance with ISA 701; or; (e) A statement that describes an uncorrected material misstate ment of the other
information in accordance with ISA 720 (Revised), the auditor shall consider the implications, if any, that these matters have for
the audit of the single financial statement or of the specific element of a financial statement and for the auditor’s report thereon.
228
504 If the auditor concludes that it is necessary to express an adverse opinion or disclaim an opinion on the entity’s complete set of ISSAI 2805.15 Para. A28
financial statements as a whole, ISA 705 (Revised) does not permit the auditor to include in the same auditor’s report an
unmodified opinion on a single financial statement that forms part of those financial statements or on a specific element of those
financial statements. This is because such an unmodified opinion would contradict the adverse opinion or disclaimer of opinion on
the entity’s complete set of financial statements as a whole.
505 If the auditor concludes that it is necessary to express an adverse opinion or disclaim an opinion on the entity’s complete set of ISSAI 2805.16
financial statements as a whole but, in the context of a separate audit of a specific element of those financial statements, the
auditor nevertheless considers it appropriate to express an unmodified opinion on that element, the auditor shall only do so if:(a)
The auditor is not prohibited by law or regulation from doing so;(b) That opinion is expressed in an auditor’s report that is not
Publisher together with the auditor’s report containing the adverse opinion or disclaimer of opinion; and(c) The element does not
constitute a major portion of the entity’s complete set of financial statements.
506 The auditor shall not express an unmodified opinion on a single financial statement of a complete set of financial statements if the ISSAI 2805.17
auditor has expressed an adverse opinion or disclaimed an opinion on the complete set of financial statements as a whole. This is
the case even if the auditor’s report on the single financial statement is not published together with the auditor’s report
containing the adverse opinion or disclaimer of opinion. This is because a single financial statement is deemed to constitute a
major portion of those financial statements.
507 The auditor shall accept an engagement to report on summary financial statements in accordance with this ISA only when the ISSAI 2810.5 Para. A1
auditor has been engaged to conduct an audit in accordance with ISAs of the financial statements from which the summary
financial statements are derived.
508 Before accepting an engagement to report on summary financial statements, the auditor shall: (a) Determine whether the applied ISSAI 2810.6 Para. A2-7
criteria are acceptable; ; (b) Obtain the agreement of management that it acknowledges and understands its responsibility: (i) For
the preparation of the summary financial statements in accordance with the applied criteria; (ii) To make the audited financial
statements available to the intended users of the summary financial statements without undue difficulty (or, if law or regulation
provides that the audited financial statements need not be made available to the intended users of the summary financial
statements and establishes the criteria for the preparation of the summary financial statements, to describe that law or regulation
in the summary financial statements); and (iii) To include the auditor’s report on the summary financial statements in any
document that contains the summary financial statements and that indicates that the auditor has reported on them. (c) Agree
with management the form of opinion to be expressed on the summary financial statements (see paragraphs 9 –11).
509 If the auditor concludes that the applied criteria are unacceptable or is unable to obtain the agreement of management set out in ISSAI 2810.7
paragraph 6(b), the auditor shall not accept the engagement to report on the summary financial statements, unless required by
law or regulation to do so. An engagement conducted in accordance with such law or regulation does not comply with this ISA.
Accordingly, the auditor’s report on the summary financial statements shall not indicate that the engagement was conducted in
accordance with this ISA. The auditor shall include appropriate reference to this fact in the terms of the engagement. The auditor
shall also determine the effect that this may have on the engagement to audit the financial statements from which the summary
financial statements are derived.
229
510 The auditor shall perform the following procedures, and any other procedures that the auditor may consider necessary, as the ISSAI 2810.8 Para. A8
basis for the auditor’s opinion on the summary financial statements:(a) Evaluate whether the summary financial statements
adequately disclose their summarized nature and identify the audited financial statements.(b) When summary financial
statements are not accompanied by the audited financial statements, evaluate whether they describe clearly:(i) From whom or
where the audited financial statements are available; or(ii) The law or regulation that specifies that the audited financial
statements need not be made available to the intended users of the summary financial statements and establishes the criteria for
the preparation of the summary financial statements.(c) Evaluate whether the summary financial statements adequately disclose
the applied criteria.(d) Compare the summary financial statements with the related information in the audited financial
statements to determine whether the summary financial statements agree with or can be recalculated from the related
information in the audited financial statements.(e) Evaluate whether the summary financial statements are prepared in
accordance with the applied criteria.(f) Evaluate, in view of the purpose of the summary financial statements, whether the
summary financial statements contain the information necessary, and are at an appropriate level of aggregation, so as not to be
misleading in the circumstances.(g) Evaluate whether the audited financial statements are available to the intended users of the
summary financial statements without undue difficulty, unless law or regulation provides that they need not be made available
and establishes the criteria for the preparation of the summary financial statements.
511 When the auditor has concluded that an unmodified opinion on the summary financial statements is appropriate, the auditor’s ISSAI 2810.9 Para. A9
opinion shall, unless otherwise required by law or regulation, use one of the following phrases: (a) The accompanying summary
financial statements are consistent, in all material respects, with the audited financial statements, in accordance with [the applied
criteria]; or(b) The accompanying summary financial statements are a fair summary of the audited financial statements, in
accordance with [the applied criteria].
512 If law or regulation prescribes the wording of the opinion on summary financial statements in terms that are different from those ISSAI 2810.10
described in paragraph 9, the auditor shall:(a) Apply the procedures described in paragraph 8 and any further procedures
necessary to enable the auditor to express the prescribed opinion; and(b) Evaluate whether users of the summary financial
statements might misunderstand the auditor’s opinion on the summary financial statements and, if so, whether additional
explanation in the auditor's report on the summary financial statements can mitigate possible misunderstanding.
513 If, in the case of paragraph 10(b), the auditor concludes that additional explanation in the auditor’s report on the summary ISSAI 2810.11
financial statements cannot mitigate possible misunderstanding, the auditor shall not accept the engagement, unless required by
law or regulation to do so. An engagement conducted in accordance with such law or regulation does not comply with this ISA.
Accordingly, the auditor’s report on the summary financial statements shall not indicate that the engagement was conducted in
accordance with this ISA.
514 The auditor’s report on the summary financial statements may be dated later than the date of the auditor’s report on the audited ISSAI 2810.12 Para. A10
financial statements. In such cases, the auditor’s report on the summary financial statements shall state that the summary
financial statements and audited financial statements do not reflect the effects of events that occurred subsequent to the date of
the auditor’s report on the audited financial statements.
230
515 The auditor may become aware of facts that existed at the date of the auditor’s report on the audited financial statements, but of ISSAI 2810.13
which the auditor previously was unaware. In such cases, the auditor shall not issue the auditor’s report on the summary financial
statements until the auditor’s consideration of such facts in relation to the audited financial statements in accordance with ISA
560 has been completed.
516 The auditor shall read the information included in a document containing the summary financial statements and the auditor’s ISSAI 2810.14
report thereon and consider whether there is a material inconsistency between that information and the summary financial
statements.
517 If, the auditor identifies a material inconsistency, the auditor shall discuss the matter with management and determine whether ISSAI 2810.15 Para. A11-
the summary financial statements or the information included in the document containing the summary financial statements and A16
the auditor’s report hereon needs to be revised. If, the auditor determines that the information needs to be revised and
management refuses to revise the information as necessary, the auditor shall take appropriate action in the circumstances,
including considering the implications for the auditor’s report on the summary financial statements.
518 The auditor’s report on summary financial statements shall include the following elements: (a) A title clearly indicating it as the ISSAI 2810.16 Para. A17-
report of an independent auditor; (b) An addressee; (c) Identification of the summary financial statements on which the auditor is A20
reporting, including the title of each statement included in the summary financial statements; (d) Identification of the audited
financial statements; (e) Subject to paragraph 20, a clear expression of an opinion (see paragraphs 9 –11); (f) A statement
indicating that the summary financial statements do not contain all the disclosures required by the financial reporting framework
applied in the preparation of the audited financial statements, and that reading the summary financial statements and the
auditor’s report thereon is not a substitute for reading the audited financial statements and the auditor’s report thereon; (g)
Where applicable, the statement required by paragraph 12; (h) Reference to the auditor’s report on the audited financial
statements, the date of that report, and, subject to paragraphs 19-20, the fact that an unmodified opinion is expressed on the
audited financial statements; (i) A description of management’s responsibility for the summary financial statements, explaining
that management is responsible for the preparation of the summary financial statements in accordance with the applied criteria;
(j) A statement that the auditor is responsible for expressing an opinion, based
on the auditor’s procedures conducted in accordance with this ISA, on whether the summary financial statements are consistent,
in all material respects, with [or are a fair summary of] the audited financial statements; (k) The auditor’s signature; (l) The
auditor’s address; (m) The date of the auditor’s report.
519 If the addressee of the summary financial statements is not the same as the addressee of the auditor’s report on the audited ISSAI 2810.17 Para. A18
financial statements, the auditor shall evaluate the appropriateness of using a different addressee.
520 The auditor shall date the auditor’s report on the summary financial statements no earlier than: (a) The date on which the auditor ISSAI 2810.18 Para. A20
has obtained sufficient appropriate evidence on which to base the opinion, including evidence that the summary financial
statements have been prepared and those with the recognized authority have asserted that they have taken responsibility for
them; and (b) The date of the auditor’s report on the audited financial statements.
231
521 When the auditor’s report on the audited financial statements includes: (a) A qualified opinion in accordance with ISA 705 ISSAI 2810.19 Para. A15,
(Revised); (b) An Emphasis of Matter paragraph, or an Other Matter paragraph in accordance with ISA 706 (Revised); (c) A A21-A22
Material Uncertainty Related to Going Concern section in accordance with ISA 570 (Revised); (d) Communication of key audit
matters in accordance with ISA 701; or (e) A statement that describes an uncorrected material misstatement of the other
information in accordance with ISA 720 (Revised); and the auditor is satisfied that the summary financial statements are
consistent, in all material respects, with or are a fair summary of the audited financial statements, in accordance with the applied
criteria, the auditor’s report on the summary financial statements shall, in addition to the elements in paragraph 16 (i) State that
the auditor’s report on the audited financial statements includes a qualified opinion, an Emphasis of Matter paragraph, an Other
Matter paragraph, a Material Uncertainty Related to Going Concern section, communication of key audit matters, or a statement
that describes an uncorrected material misstatement of the other information; and (ii) Describe (a) The basis for the qualified
opinion on the audited financial statements and the effect thereof, if any, on the summary financial statements; (b) The matter
referred to in the Emphasis of Matter paragraph, the Other Matter paragraph, or the Material Uncertainty Related to Going
Concern section in the auditor's report on the audited financial statements and the effect(s) thereof, if any, on the summary
financial statements; or (c) The uncorrected material misstatement of the other information and the effect(s) thereof, if any, on
the information included in a document containing the summary financial statements and the auditor’s report thereon
522 When the auditor’s report on the audited financial statements contains an adverse opinion or a disclaimer of opinion, the ISSAI 2810.20 Para. A23
auditor’s report on the summary financial statements shall, in addition to the elements in paragraph 16: (a) State that the
auditor’s report on the audited financial statements contains an adverse opinion or disclaimer of opinion; (b) Describe the basis
for that adverse opinion or disclaimer of opinion; and (c) State that, as a result of the adverse opinion or disclaimer of opinion on
the audited financial statements, it is inappropriate to express an opinion on the summary financial statements.
523 If the summary financial statements are not consistent, in all material respects, with or are not a fair summary of the audited ISSAI 2810.21 Para. A 23
financial statements, in accordance with the applied criteria, and management does not agree to make the necessary changes,
the auditor shall express an adverse opinion on the summary financial statements.
524 When distribution or use of the auditor’s report on the audited financial statements is restricted, or the auditor’s report on the ISSAI 2810.22
audited financial statements alerts readers that the audited financial statements are prepared in accordance with a special
purpose framework, the auditor shall include a similar restriction or alert in the auditor’s report on the summary financial
statements.
525 If the audited financial statements contain comparatives, but the summary financial statements do not, the auditor shall ISSAI 2810.23 Para. A24
determine whether such omission is reasonable in the circumstances of the engagement. The auditor shall determine the effect of
an unreasonable omission on the auditor’s report on the summary financial statements.
526 If the summary financial statements contain comparatives that were reported on by another auditor, the auditor’s report on the ISSAI 2810.24 Para. A25
summary financial statements shall also contain the matters that ISA 710 requires the auditor to include in the auditor’s report on
the audited financial statements
232
527 The auditor shall evaluate whether any unaudited supplementary information presented with the summary financial statements is ISSAI 2810.25 Para.A26
clearly differentiated from the summary financial statements. If the auditor concludes that the entity’s presentation of the
unaudited supplementary information is not clearly differentiated from the summary financial statements, the auditor shall ask
management to change the presentation of the unaudited supplementary information. If management refuses to do so, the
auditor shall explain in the auditor’s report on the summary financial statements that such information is not covered by that
report.
528 If the auditor becomes aware that the entity plans to state that the auditor has reported on summary financial statements in a ISSAI 2810.26 Para. A27
document containing the summary financial statements, but does not plan to include the related auditor’s report, the auditor
shall request management to include the auditor’s report in the document. If management does not do so, the auditor shall
determine and carry out other appropriate actions designed to prevent management from inappropriately associating the auditor
with the summary financial statements in that document.
529 The auditor may be engaged to report on the financial statements of an entity, while not engaged to report on the summary ISSAI 2810.27 Para. A27
financial statements. If, in this case, the auditor becomes aware that the entity plans to make a statement in a document that
refers to the auditor and the fact that summary financial statements are derived from the financial statements audited by the
auditor, the auditor shall be satisfied that:(a) The reference to the auditor is made in the context of the auditor’s report on the
audited financial statements; and(b) The statement does not give the impression that the auditor has reported on the summary
financial statements. If (a) or (b) are not met, the auditor shall request management to change the statement to meet them, or
not to refer to the auditor in the document. Alternatively, the entity may engage the auditor to report on the summary financial
statements and include the related auditor’s report in the document. If management does not change the statement, delete the
reference to the auditor, or include an auditor’s report on the summary financial statements in the document containing the
summary financial statements, the auditor shall advise management that the auditor disagrees with the reference to the auditor,
and the auditor shall determine and carry out other appropriate actions designed to prevent management from inappropriately
referring to the auditor.
233
Appendix 13 PAM Compliance
Audit Process Standards (NGAS/ISSAI) Audit Methodology PAM Reference Compliance checklist Comments
234
• ISSAI 3000:66,79, 86, 87, 88
• GUID 3920:104 Exit Meeting
235
Appendix 14 PA iCAT82
82 https://www.idi.no/elibrary/professional-sais/icats/icats-english/1137-performance-audit-icat-version-0/file
236
No. ISSAI 3000 Requirements Guidance
2 ISSAI 3000/23 Examine the SAI’s existing mechanisms for communicating with its stakeholders.
The auditor shall take care to remain independent so that the Examine the documentation (electronic and/or paper form) in the selected sample of
audit findings and conclusions are impartial and will be seen as audit files, and check whether the auditor has taken steps to ensure open and good
such by the intended users. communication with the responsible party of the audit about its understanding of
the auditor's independence.
Check if the SAI performance audit methodology covers the issue of independence
when conducting an audit.
Check if the implementation mechanisms outline the systems/ processes/ guidance
tools/ templates to help auditors consider threats to compliance with the relevant
independence requirements before and during an audit.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether the auditor has determined the most significant
threats and applied control mechanisms to eliminate or reduce those threats to an
acceptable level.
3 ISSAI 3000/25 Check if the SAI performance audit guidelines and processes cover the issue of •
The auditor shall explicitly identify the intended users and the explicitly identifying the intended users and the responsible parties of the audit and
responsible parties of the audit and throughout the audit considering the implication of these roles in order to conduct the audit accordingly.
consider the implication of these roles in order to conduct the Check if the implementation mechanisms outline the systems/processes/guidance
audit accordingly. tools/templates to help auditors identify the intended users and the responsible
parties of the audit and consider the implication of these roles in the audit.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether the auditor has explicitly identified the intended users
and the responsible parties of the audit and has registered the implications of these
roles in the way the audit was to be conducted.
4 ISSAI 3000/29 Check whether the SAI performance audit guidelines and processes have provision •
The auditor shall identify the subject matter of a performance that requires the identification of the subject matter to reflect the risk and
audit. materiality within the audit area.
Assess if the implementation mechanisms outline the processes/
systems/tools/templates for the auditors to identify the subject matter based on the
risk and materiality within the audit area.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether the auditor has identified the subject matter based on
consideration of the risk and materiality within the audit area.
5 ISSAI 3000/32 Check if the SAI performance audit guidelines and processes cover the issue of •
The auditor shall communicate assurance about the outcome of providing assurance to users in audit reports.
237
No. ISSAI 3000 Requirements Guidance
the audit of the subject matter against criteria in a transparent Examine the reports in the selected sample of audits, and check whether it shows
way. how findings, criteria and conclusions were developed in a balanced and reasoned
manner, how the findings resulted in the conclusions and how the findings are
supported by sufficient, valid, relevant and reliable evidence.
6 ISSAI 3000/35 Examine the documentation (electronic and/or paper form) in the selected sample of •
The auditor shall set a clearly-defined audit objective(s) that audit files, and check whether:
relates to the principles of economy, efficiency and/or 1) Audit questions and sub-questions are mutually exclusive and collectively
effectiveness. exhaustive in addressing the audit objective, and addressing principles of
economy, efficiency and/or effectiveness.
2) All terms employed in the question are clearly defined.
Interview the audit team and supervisor to get information about the process
followed in the team to come up with the audit objective and audit questions.
7 ISSAI 3000/36 Examine the documentation (electronic and/or paper form) in the selected sample of
The auditor shall articulate the audit objective(s) in sufficient audit files, and check whether audit objective(s) is framed in a way that allows a clear and
detail in order to be clear about the questions that will be unambiguous conclusion.
answered and to allow logical development of the audit design.
8 ISSAI 3000/37 Examine the documentation (electronic and/or paper form) in the selected sample of
If the audit objective(s) is formulated as audit questions and audit files, and check whether:
broken down into sub-questions, then the auditor shall ensure 1) The audit questions are thematically related, complementary, not overlapping,
that they are thematically related, complementary, not mutually exclusive and collectively exhaustive in addressing the overall audit
overlapping and collectively exhaustive in addressing the overall question (the audit objective). It means that the questions together need to be
audit question. enough to answer the audit objective.
2) All terms employed in the questions are clearly defined.
9 ISSAI 3000/40 • Examine the documentation (electronic and/or paper form) in the selected sample of •
The auditor shall choose a result-, problem or system-oriented audit files, and check whether:
audit approach, or a combination thereof. 1) the selected audit planning memorandums and reports specifically state the
approach or the combination of approaches used during the audit.
2) Examine the audit plan, report and working papers to ensure that:
a. When using a system-oriented approach, the performance auditors have considered
the functioning of management systems.
b. Under the results-oriented approach the auditors dealt with questions that mainly the
form: ‘What is the performance or what results have been achieved, and have the
requirements or the objectives been met?’.
c. In a problem-oriented approach the auditors have dealt with questions that mainlytake
theform: ‘Do thestated problems really exist and, if so, how can they be understood and
238
No. ISSAI 3000 Requirements Guidance
what are the
causes?’, where hypotheses about possible causes and
consequences are formulated and tested.
d. When using a combination of approaches, the selection was justified and there is an
explanation on how the choice is linked to audit objectives.
• Interview the audit team and supervisor to obtain information about how they defined
the audit approach, in combination with the audit objective and the audit scope.
10 ISSAI 3000/45 • Examine the documentation (electronic and/or paper form) in the •
The auditor shall establish suitable audit criteria, which selected sample of audit files, and check whether:
correspond to the audit objective(s) and audit questions and are 1) The criteria and their sources were specified in the audit report.
related to the principles of economy, efficiency and/or 2) The criteria were specifically linked to audit questions and documented.
effectiveness. 3) The criteria were specifically linked to audit findings and documented.
4) The criteria can be considered relevant, understandable, complete, reliable, and
objective.
• Interview the audit team and supervisor to get information about the process developed
during the audit to define the audit criteria. Ask especially about the consultation with
audited entities and other stakeholders in the definition of the criteria.
11 ISSAI 3000/49 • Check if the SAI performance audit guidelines and processes •
The auditor shall, as part of planning and/or conducting the covers the issue of discussing audit criteria with the audited entities.
audit, discuss the audit criteria with the audited entity. • Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether:
1) The working paper files contain relevant documents, e.g. minutes of meetings,
correspondence, that the criteria were discussed with the audited entities.
2) In case of disagreement with the audited entities, the auditors have documented the
reason for disagreement and the rationale for deciding on a specific criteria.
• Interview the audit team and supervisor to get information about the process developed
during the audit to define the audit criteria. Ask especially about the consultation with
audited entities and other stakeholders in the definition of the criteria.
12 ISSAI 3000/52 • Checkifthe SAI performance auditguidelines and processes cover the issue of managing audit •
The auditor shall actively manage audit risk to avoid the risk, including whether the audit team has sufficient and appropriate competence to
development of incorrect or incomplete audit findings, conduct the audit. Check if the same applies to external experts working for the SAI, if it
conclusions, and recommendations, providing unbalanced is the case.
information or failing to add value. • Check if the implementation mechanisms of the methodology outline the
systems/processes/ guidance tools/templates to help auditors manage audit risk.
• Examine the documentation (electronic and/or paper form) in the
239
No. ISSAI 3000 Requirements Guidance
selected sample of audit files, and check whether the auditor has:
1) identified the risks.
2) assessed these risks.
3) developed and implemented strategies to prevent and mitigate the risks. 5)
4) monitored audit risk and mitigation strategies throughout the audit and made
adjustments as needed to changing circumstances (i.e. apply a risk management approach
when addressing audit risk).
13 ISSAI 3000/55 • Check if the SAI performance audit guidelines and processes cover the issue of developing •
The auditor shall plan for and maintain effective and proper effective and proper communication of key aspects of the audit with the audited entity
communication of key aspects of the audit with the audited and relevant stakeholders throughout the audit process.
entity and relevant stakeholders throughout the audit process. • Check if the implementation mechanisms outline the systems/processes/guidance
tools/templates to help auditors develop a communication plan with the audited entity
and relevant stakeholders.
• Examine the documentation (electronic and/or paper form) in the
selected sample of audit files, and check whether the auditor has:
1) informed the audited entities of the audit subject matter, audit objective(s), audit
criteria, audit questions, the time period to be audited, and the government
undertakings, organisations and/or programmes to be included in the audit.
2) discussed with the audited entities audit planning, audit criteria, findings, arguments
and perspectives as they are developed and assessed throughout the audit.
• Interview the auditor team and supervisor to register which key aspects of the audit
have been communicated with the audited entities and other relevant stakeholders.
14 ISSAI 3000/59 • Check if the SAI performance audit guidelines and processes cover the issue of maintaining •
The auditor shall take care to ensure that communication with independence and impartiality, both in fact and appearance, in communicating with
stakeholders does stakeholders.
not compromise the independence and impartiality of the SAI. • Check if the implementation mechanisms outline the systems/ processes/guidance •
tools/templates to help auditors consider measures to ensure that communication with
stakeholders does not compromise the independence and impartiality of the SAI.
• Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether the auditor has identified and adopted such measures.
15 ISSAI 3000/61 • Check if the SAI has clear and public standards for performance •
The SAI shall clearly communicate the standards that were audits, either on the SAI’s website or in its annual reports.
followed to conduct the performance audit. • If not, check whether the reports in the selected sample of audits refer to the standard that
was followed when conducting these audits.
16 ISSAI 3000/63 • Check whether the SAI has identified the knowledge and skill sets required in the selected •
240
No. ISSAI 3000 Requirements Guidance
The SAI shall ensure that, the audit team collectively has the sample of audits and that the audit team as a whole possessed the skill sets, including, if
necessary professional competence to perform the audit. necessary, those provided by external expertise.
• In the selected sample of audits, interview the auditors and the supervisor to understand
how it was ensured that the audit team had the sufficient knowledge and skills to conduct
the audit properly.
17 ISSAI 3000/66 • Check if the SAI performance audit guidelines and processes cover •
The SAI shall ensure that the work of the audit staff at each level the issue of audit supervision.
and audit phase is properly supervised during the audit process. • Check if the implementation mechanisms outline the systems/ processes/guidance
tools/templates to structure supervision activities.
• Examine the documentation (electronic and/or paper form) in the selected sample of audit
files, and check whether there are documents that register supervision activities.
• Interview the auditor team to check how the supervision was
carried out during the audit.
• Interview the supervisor to check how the supervision was carried
out during the audit.
18 ISSAI 3000/68 • Check if the SAI performance audit guidelines and processes cover the issue of professional •
The auditor shall exercise professional judgment and judgement and scepticism, as well as the need to maintain an open and objective attitude
scepticism and consider to various views and arguments.
issues from different perspectives,
maintaining an open and objective attitude to various views and • In the selected sample of audits, interview the auditors to check whether he/she has •
arguments. exercised professional judgement and scepticism. These interviews need to have open-
ended questions to capture what was behind the auditors reasoning and how they
reached their conclusion on these issues.
• In the interview, check whether the auditor has exercised
professional judgement when:
1) determining the objective(s), questions and scope of the audit.
2) determining the criteria.
3) determining which findings are significant enough to report.
4) evaluating whether sufficient and appropriate audit evidence has been obtained, and
whether more needs to be done to answer the audit questions and to conclude against
the objective(s).
• In the interview, check whether the auditor has exercised scepticism by, for example:
1) assessing the logic of the audit argument, alternative perspectives and views
presented, and amending where necessary his/her understanding during the course of
the audit, rather than just relying on evidence supporting the final conclusion.
241
No. ISSAI 3000 Requirements Guidance
2) challenging management views, assumptions, not just accepting them.
3) assessing the reliability of the source of the documents.
• Examine the documentation (electronic and/or paper form) in the selected sample of audit
files, and check whether the auditor has documented his/her decisions regarding the
issues mentioned (professional judgement, scepticism, consideration of different
perspectives, having and open and objective attitude to various views and arguments).
19 ISSAI 3000/73 • Check if the SAI performance audit guidelines and processes cover •
The auditor shall assess the risk of fraud when planning the the issue of assessing the risk of fraud when planning the audit.
audit and be alert to
the possibility of fraud throughout the audit process. • Check if the implementation mechanisms outline the systems/processes/guidance •
tools/ templates to assess the risk of fraud when planning the audit.
• Examine the documentation (electronic and/or paper form) in the selected sample of audit
files, and check whether the auditor has:
1) assessed the internal control systems during the understanding of entity in order to
evaluate the risk of fraud.
2) examined the measures taken by management to mitigate the risk of fraud.
3) designed adequate procedures to address the risk of fraud.
4) taken proper action if fraud was suspected or identified.
20 ISSAI 3000/75 • Check if the SAI performance audit guidelines and processes state the need for the auditor •
The auditor shall maintain a high standard of professional to maintain a high standard of professional behaviour.
behaviour. • Check if the implementation mechanisms outline the systems/processes/guidance
tools/templates to help auditors maintain a high standard of professional behaviour,
including the need to:
1) apply high professional standards in carrying out the work competently and with
impartiality.
2) not undertake work he/she is not competent to perform.
3) know and follow applicable laws, regulations, conventions, policies, procedures and 7)
practices.
4) possess a good understanding of the constitutional, legal and institutional principles
and standards governing the operations of the audited entity.
5) not engage in behaviour that may discredit the SAI.
6) comply with ethical principles and requirements.
• Interview audit team, supervisor, top manager and person responsible for quality
242
No. ISSAI 3000 Requirements Guidance
assurance to verify how the items above are ensured.
• Check working papers to verify how the decisions and occurrences related to the items above
are documented.
21 ISSAI 3000/77 • Interview top management and review documentation to check whether the •
The auditor shall be willing to innovate throughout the audit SAI fosters an innovative culture by:
process. a) stimulating innovative, low-cost, sustainable and web-based ways for SAIs to
exchange views, documents and experiences.
b) encouraging collaborative audits of relevant topics and foster experimentation with
new approaches, techniques and reporting.
c) leading by example in its governance and modus operandi;
d) seeking an independent evaluation of its own governance and modus operandi.
e) facilitating activities to develop its capacity to “deliver the message” in an effective
way.
f) keeping informed about new evaluation methodologies.
• In the selected sample of audits, interview the auditor to check whether he/she feels
encouraged by the SAI to develop or adopt innovative audit approaches for collecting,
interpreting, and analysing information, for example, by means of training in emerging
issues and new developments in performance auditing.
22 ISSAI 3000/79 • Interview top management and review documentation to check whether the SAI has •
The SAI shall establish and maintain a system to safeguard established a system of quality control covering the following elements (see ISSAI 140):
quality, which the auditor shall comply with to ensure that all a) leadership responsibilities for quality.
requirements are met, and place emphasis on appropriate, b) relevant ethical requirements.
balanced, and fair audit reports that add value and answer the c) acceptance and continuance of audits.
audit questions. d) human resources.
e) performance of audits.
f) monitoring.
• Check if the SAI performance audit guidelines and processes cover the issue of quality
control, with the elements stated in ISSAI 140.
• Check if the implementation mechanisms outline the systems/processes/guidance
tools/templates with the procedures to ensure compliance with professional standards
and applicable legal and regulatory requirements.
• Examine the documentation (electronic and/or paper form) in the selected sample of audit
files, and verify whether quality checks have been undertaken, such as management
243
No. ISSAI 3000 Requirements Guidance
review, peer review of draft work and editorial review of final reports.
23 ISSAI 3000/83 • Check if the SAI performance audit guidelines and processes cover the issue of considering •
The auditor shall consider materiality at all stages of the audit materiality at all stages of the audit process.
process, including the financial, social and political aspects of the • Check if the implementation mechanisms outline the systems/processes/guidance
subject matter with the goal of delivering as much added value tools/templates to help auditors consider materiality when selecting the audit topics,
as possible. determining the audit objective(s), questions and scope, defining the criteria, evaluating
the evidence, documenting the findings and developing the conclusions and
recommendations.
• Examine the documentation (electronic and/or paper form) in the
selected sample of audit files, and check whether there are detailed explanations about
how materiality was considered in selection of
the audit topics, determination of the audit objective(s), questions and scope, definition
of the criteria, evaluation of the evidence, documentation of the findings and
development of the conclusions and recommendations.
24 ISSAI 3000/86 • Check if the SAI performance audit guidelines and processes cover •
The auditor shall document the audit in a sufficiently complete the issue of audit documentation.
and detailed manner. • Check if the implementation mechanisms outline the systems/processes/guidance
tools/templates to help auditors identify which documents to keep, including the
minimum of (a) details of the audit plan and methodology, (b) results of fieldwork and
analysis, (c) communications and feedback with the audited entity, and (d) supervisory
reviews and other quality control safeguards.
• In the selected sample of audits, check whether the
documentation covers the aforementioned records.
B. Requirements related to performance auditing planning stage
25 ISSAI 3000/89 • Check whether: •
The auditor shall select audit topics through the SAI’s strategic 1) the SAI undertakes strategic planning and that a strategic plan has been formulated.
planning process by analysing potential topics and conducting 2) the strategic plan contains a section on performance audit which outlines a list of
research to identify risks and problems. potential areas for performance audits for the duration of the plan.
3) the selection of audit areas involves strategic choices and selection criteria are
established to be used for these choices.
4) the strategic planning was based on risk analysis, or analysis of indications of existing
or potential problems.
5) the audit topics chosen were aligned with the strategic plan.
26 ISSAI 3000/90 • Check if the SAI performance audit guidelines and processes cover •
The auditor shall select audit topics that are significant and the issue of assessing auditability.
244
No. ISSAI 3000 Requirements Guidance
auditable, and consistent with the SAI’s mandate. • Check if the implementation mechanisms outline the systems/processes/guidance
tools/templates to help auditors select audit topics that are significant and auditable, and
consistent with the SAI’s mandate.
• Examine the documentation (electronic and/or paper form) in the selected sample of audit •
files, and check whether the selection of the audit topic has included the assessment of
its auditability.
27 ISSAI 3000/91 • Check ifthe SAI performance audit guidelines and processes cover the issue of selecting audit •
The auditor shall conduct the process of selecting audit topics topics with the aim of maximising the expected impact of the audit.
with the aim of maximising the expected impact of the audit • Check if the implementation mechanisms outline the systems/processes/guidance
while taking account of audit capacities. tools/templates to help auditors select audit topics that maximise the expected impact
of the audit while taking account of audit capacities.
• Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether the selection of the audit topic has considered maximising
the expected impact of the audit while taking account of audit capacities.
• Interview the audit team and the supervisor to obtain information about the process of
selection the audit topic, considering the impact and the audit capacities.
28 ISSAI 3000/96 • Check if the SAI performance audit guidelines and processes consider performance •
The auditor shall plan the audit in a manner that contributes to a auditing as a project where resources should be well managed in order to conduct a high-
high-quality audit that will be carried out in an economical, quality audit which should be carried out in an economical, efficient, effective and timely
efficient, effective and timely manner and in accordance with manner.
the principles of good project management. • Check if the implementation mechanisms outline the systems/ processes/ guidance tools/
templates to help auditors identify the necessary activities, staffing and skills
requirements (including the independence of the audit team, human resources and
possible external expertise), the estimated cost of the audit, the key project timeframes
and milestones and the main points for control.
• Examine the documentation (electronic and/or paper form) in the
selected sample of audit files, and check whether the
aforementioned aspects have been identified and implemented adequately.
29 ISSAI 3000/98 • Check if the SAI performance audit guidelines and processes cover the issue of acquiring •
The auditor shall acquire substantive and methodological substantive and methodological knowledge during the planning phase.
knowledge during the planning phase. • Check if the implementation mechanisms outline the systems/ processes/ guidance
tools/templates to help auditors build substantive and methodological knowledge during
the planning phase.
• Examine the documentation (electronic and/or paper form) in the selected sample of
audit files and interview the audit team to check whether they have conducted research
245
No. ISSAI 3000 Requirements Guidance
work to develop a sound understanding of the audited programme or the audited entity’s
business, as well as its context and possible impacts to facilitate the identification of
significant audit issues and to fulfil assigned audit responsibilities.
30 ISSAI 3000/101 • Check if the implementation mechanisms of the SAI performance audit guidelines and •
During planning, the auditor shall design the audit procedures to processes outline the systems/processes/guidance tools/templates to help auditors
be used for gathering sufficient and appropriate audit evidence design the audit procedures to be used for gathering sufficient and appropriate audit
that respond to the audit objective(s) and question(s). evidence that respond to the audit objective(s) and question(s).
• Examine the documentation (electronic and/or paper form) in the selected sample of audit
files, and check whether the audit plan shows the audit procedures to collect evidence to
respond to the audit objective(s) and question(s).
• If the plan changed during the conduction of the audit, check whether the changes
were documented, as well as the reasons for the changes and the procedures that led to
it (for example, discussions with supervisor and other stakeholders, documents examined
etc.).
31 ISSAI 3000/104 • Check if the SAI performance audit guidelines and processes cover the issue of submitting •
The auditor shall submit the audit plan to the audit supervisor the audit plan to the audit supervisor and SAI’s senior management for approval.
and SAI’s senior management for approval. • Examine the documentation (electronic and/or paper form) in the selected sample of audit
files, and check whether the auditor has submitted the audit plan to the audit supervisor
and SAI’s senior management for approval.
C. Requirements related to performance auditing conducting stage
32 ISSAI 3000/106 • Check whether the SAI has a policy that requires sufficient and •
The auditor shall obtain sufficient and appropriate audit appropriate evidence as basis for audit conclusions.
evidence in order to establish audit findings, reach conclusions • Examine if there is specific process/system/guidance/template in place to ensure that
in response to the audit objective(s) and audit questions and auditors gather sufficient and appropriate evidence for the purpose of drawing audit
issue recommendations when relevant and allowed by the SAI’s conclusions.
mandate. • Examine in the sample of audit files selected, if the auditors have gathered sufficient and
appropriate evidence for the purpose of drawing audit conclusions.
33 ISSAI 3000/112 • Check if the implementation mechanisms of the SAI performance audit guidelines and •
The auditor shall analyse the collected information and ensure processes outline the systems/processes/guidance tools/templates to ensure auditors
that the audit findings are put in perspectives and respond to the analyse the collected information with focus on audit objective(s) and questions.
audit objective(s) and audit questions; reformulating the audit • Examine the documentation (electronic and/or paper form) in the
objective(s) and audit questions as needed. selected sample of audit files, and check whether:
1) the analysis and its conclusion is documented.
2) the process took by the auditor to reach the conclusion and related it with the audit
objective(s) is documented.
246
No. ISSAI 3000 Requirements Guidance
3) there are records showing discussion of preliminary findings and conclusions, both
internally with senior auditors and experienced colleagues and externally with senior
managers, stakeholders and experts.
• Interview the audit team, supervisor, top manager and person responsible for quality
assurance to obtain information about the
analytical process during the conducting of the audit that led to audit conclusions and
recommendations.
A. Requirements related to performance auditing reporting stage
34 ISSAI 3000/116 • Check if the SAI performance audit guidelines and processes state the need for audit reports •
The auditor shall provide audit reports, which are a) to present the characteristics described before.
comprehensive, b) convincing, c) timely, d) reader friendly, and • Check if the implementation mechanisms outline the systems/processes/guidance
e) balanced. tools/templates to help auditors write audit reports in such manner and if the material
describes how to fulfil the requirement.
• In the selected sample of audits, check whether the reports can be considered a)
comprehensive, b) convincing, c) timely, d) reader friendly, and e) balanced, considering
the explanation given for each attribute.
• Interview the audit team and supervisor to get information about the discussions and the
process done by the team to write the audit report.
35 ISSAI 3000/122 • Check if the SAI performance audit guidelines and processes cover the issue of identifying the •
The auditor shall identify the audit criteria and their sources inaudit criteria and their sources in the audit report.
the audit report. • Check if the implementation mechanisms outline the systems/processes/guidance
tools/templates to help auditors identify the audit criteria and their sources in the
audit report.
• In the selected sample of audits, check whether the reports
identify the audit criteria and their sources.
36 ISSAI 3000/124 • Check if the SAI performance audit guidelines and processes state the need for congruence •
The auditor shall ensure that the audit findings clearly conclude between the audit objective(s), audit questions, audit findings and conclusions.
against the audit objective(s) and/or questions, or explain why • Check if the implementation mechanisms outline the systems/ processes/ guidance
this was not possible. tools/ templates to help auditors attain that congruence.
• In the selected sample of audits, check whether reports show congruence between the •
audit objective(s), audit questions, audit findings and conclusions. If it is not possible to
arrive at conclusions for a particular question, check if the reason for that is explained.
37 ISSAI 3000/126 • Check if the SAI performance audit guidelines and processes state •
The auditor shall provide constructive recommendations that the need for recommendations to be constructive.
247
No. ISSAI 3000 Requirements Guidance
are likely to contribute significantly to addressing the • Check if the implementation mechanisms outline the systems/processes/guidance
weaknesses or problems identified by the audit, whenever tools/templates to help auditors elaborate constructive recommendations, including the
relevant and allowed by the SAI’s mandate. examination of the audited entity’s comments and review of proposed recommendations
by a supervisor.
• In the selected sample of audits, check whether reports provide recommendations that
can be considered constructive, according to the explanation given.
• In the selected sample of audits, if follow-up has done, check whether the
recommendations were implemented by the audited entities. If not, check whether there
are explanations for that.
38 ISSAI 3000/129 • Check if the SAI performance audit guidelines and processes cover the issue of giving the •
The auditor shall give the audited entity the opportunity to audited entities the opportunity to comment on the audit findings, conclusions and
comment on the audit findings, conclusions and recommendations, before publishing the report.
recommendations before the SAI issues its audit report. • Examine the documentation (electronic and/or paper form) in the
selected sample of audit files, and check whether:
1) the draft report was sent to the audited entities for their comments.
2) adequate time was given to the audited entities to comment on the draft report.
39 ISSAI 3000/130 • Check if theSAI performance audit guidelines and processes state the need for auditors to •
The auditor shall record the examination of the audited entity’s record the examination of the audited entities’ comments in working papers.
comments in working papers, including the reasons for making • Examine the documentation (electronic and/or paper form) in the selected sample of audit
changes to the audit report or for rejecting comments received. files, and check whether new information provided by the audited entities has been duly
examined and reasons its inclusion/non-inclusion in the final audit report are available.
40 ISSAI 3000/133 • Check if the SAI performance audit guidelines and processes state the need to make its audit •
The SAI shall make its audit reports widely accessible taking into reports widely accessible taking into consideration regulations on confidential
consideration regulations on confidential information. information.
• Check if the implementation mechanisms outline the
systems/processes/guidance tools/templates to help auditors:
1) identify who are the intended users of the audit report and the best form to suit their
needs.
2) define other means to increase the influence of the audits.
3) identify instances of classified information and determine the extent and form of its
disclosure.
• Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, and check whether the auditor has:
1) elaborated different forms of the audit report according to the needs of the intended
248
No. ISSAI 3000 Requirements Guidance
users.
2) used other means to increase the influence of the audit.
3) taken the necessary measures if classified information was obtained during the
audit.
B. Requirements related to follow-up
41 ISSAI 3000/136 • Check if the SAI has a policy on conducting follow-up of performance audit reports. •
The auditor shall follow up, as appropriate, on previous audit• Check if the implementation mechanisms of the SAI performance audit guidelines and
findings and recommendations and the SAI shall report to the processes outline the systems/processes/guidance tools/templates to help auditors
legislature, if possible, on the conclusions and impacts of all
select methods that may be used to follow-up on the findings and recommendations
relevant corrective actions. made.
• In a selected sample of follow-up of audit reports, check whether it is possible to:
1) identify the extent to which audited entities have implemented changes in response
to audit findings and recommendations.
2) determine the impacts which can be attributed to the audits.
3) identify areas that would be useful to follow up in future work.
4) evaluate the SAI’s performance.
• In the same sample, check whether a follow-up report was issued to the legislature. If so,
check whether the report includes the conclusions and impacts of all relevant corrective
actions taken by the audited entity.
42 ISSAI 3000/139 • Check if the implementation mechanisms of the SAI performance audit guidelines and •
The auditor shall focus the follow-up on whether the audited processes outline the systems/processes/guidance tools/templates to help auditors focus
entity has adequately addressed the problems and remedied the the follow-up on whether the audited entity has adequately addressed the problems and
underlying situation after a reasonable period. remedied the situation found during the audit, after a reasonable period.
• In a selected sample of follow-up of audit reports, check whether focus was like
mentioned above.
249
Appendix 15 CAM Compliance
Audit Process Standards (NGAS/ISSAI) Audit Methodology CAM Reference Compliance checklist Comments
Initial Consideration • ISSAI 400.37-38, 50-51 Identify the subject 2.3.1 Subject matter for compliance
• ISSAI 4000.37-42, 44, 64- matter audit has been appropriately
67, 101-112, 114, 116, 118, selected as per the OAGN legal
121 mandate and requirements of the
standards
• ISSAI 400.45 Team Composition 2.3.2 Appropriate teams have been
• ISSAI 4000.85 assigned to plan and execute the
audit
• OAGN Code of Ethics Ethical Declaration 2.3.3 All personnel involved in the audit
• ISSAI 130 have committed themselves to the
• ISSAI 4000.45-46, 48-49, 51 ethical requirements of OAGN
• ISSAI 100.44 Terms of 2.3.4 Audit Engagement Letter has been
• ISSAI 4000.97 engagement signed outlining roles and
responsibilities
Audit Planning • ISSAI 400:46-47, 52-56 Overall Audit 3.3.1 - understanding the auditee
• ISSAI 4000:54-55, 58, 60, Strategy environment and its internal
126, 128-130, 132-137 controls
- determine materiality
- identify risk of material
misstatements including due to
fraud
• ISSAI 400:54, 56 Detailed audit plan 3.3.2 Risk response has been made in
• ISSAI 4000:137, 141 / (Audit checklist preparing audit plan (in the form of
audit checklists or audit
programmes)
Audit Execution • OAGN authorisation letter Authorisation letter 4.3.1 All filed auditors have received
formal authorisation to conduct
250
audit on behalf of the auditor
general
• ISSAI 100:43 Entry Meeting 4.3.2 The discussion about the conduct
and scope of the audit is done with
the auditee and documented as
entry meeting minutes
• Allocation of work 4.3.3 Field works have been allocated to
cover all identified audit areas in
the plan
• ISSAI ISSAI 4000.172-176 Sampling 4.3.4 Sampling is done to gather audit
evidence in accordance with the
applicable standards
• ISSAI 400.57 Performing 4.3.5 Audit testing procedures have been
• ISSAI 4000.144-152, 158- Procedures performed and documented
169
• Gathering evidence 4.3.6 Sufficient and appropriate audit
evidence have been recorded to
support the audit opinion and to
indicate that audit has been
conducted in accordance with
applicable standards
• ISSAI 100:43 Exit Meeting 4.3.8 Findings observed during the audit
is discussed with the auditee
management and recorded in the
form of exit meeting minutes
Audit Reporting • ISSAI 400.57-59 Evaluate Evidence 5.3.1 The findings and observations have
• ISSAI 4000. 179-187, 202- 5.3.2 been evaluated for their impact on
209 5.3.3 the audit report
• ISSAI 100:50; Supervisory review 5.3.4 Supervisor has conducted review
• ISSAI 400.58 before the issue of report
• ISQC-1 A35
• ISSAI 400.59 Compliance Audit 5.3.5 - Report communicates the level
• ISSAI 4000.188-192, 204, Report - Direct 5.3.6 of assurance
210-220, 225-231 Reporting 5.3.7 - Communicates the conclusions
5.3.8 reached
251
- Includes the response from the
auditee
• ISSAI 4000.225-231 Reporting 5.3.9 Any identified unlawful acts are
suspected unlawful reported in accordance with the
acts law and requirements of the
standards
Audit Follow-up • INTOSAI-P20.3; Periodic follow up 6.3.1 Legal requirements for audit
• ISSAI 100.51; 400.60 as per the law and follow-up have been complied with
• ISSAI 4000.232-236 standards
• Audit Act 2075, Financial
Procedure and Financial
Accountability Act, 2076
Documentation • ISSAI 400.48 Working papers 1.3.1 Audit works are appropriately
• ISSAI 4000.89-94 documented
Review • Review process 1.3.3 Work is reviewed by the team
leader and the supervisor
252
Appendix 16 CA iCAT83
83 https://www.idi.no/elibrary/professional-sais/icats/icats-english/1352-210801-ca-icat-v1-final-for-web/file
253
ISSAI 4000 requirements Guidance Comments
Assess if the implementation mechanisms of the methodology outline the processes,
systems, tools and templates for the auditors to identify and assess fraud risk and
carry out procedures for gathering related evidence.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files and check whether the auditor has identified risks of fraud and developed
appropriate audit procedures related to the identified risks.
Assess if the SAI has a mechanism in place to help auditors take appropriate
measures consistent with the mandate of their SAIs when they suspect fraud during
their work.
Examine documentation in the audit files selected and how the auditors have
responded to the situations where they suspected fraud during their work.
ISSAI 4000/64 Check if the SAI has policies and procedures to identify the significant areas to
Where the SAI has the discretion to select the coverage of determine the coverage of compliance audits.
compliance audits, it shall identify areas that are of significance Check what internal mechanisms the SAI has to consider the issues identified for
for the intended user(s). coverage and to consider the non-compliances identified in other audits.
Assess if the SAI has mechanisms to assist the auditors in engaging with the
stakeholders in different forums.
ISSAI 4000/71 Check whether the SAI audit methodology has a provision that requires exercising
The auditor shall exercise professional judgment throughout the professional judgement.
audit process. Assess if the implementation mechanisms of the methodology outline the processes,
systems, tools and templates to apply and document the auditor’s professional
judgement.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files and check whether the auditor has exercised professional judgement in
different stages of the audit.
ISSAI 4000/74 Check if the SAI has a policy for engaging external experts or internal experts to seek
If expertise in a difficult or contentious issue is not available in the advice. (In the case where there is no such policy, no further evaluation is required.)
audit team, professional advice shall be sought. In case the SAI has a policy, assess the systems, processes, guidance tools, templates,
etc. that are available to ensure that external or internal experts have the necessary
competence and capabilities for the work for which they are engaged.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files, check whether the use of external or internal experts is documented and
assess whether the experts meet the requirement of this standard.
254
ISSAI 4000 requirements Guidance Comments
ISSAI 4000/77 Check if the SAI has a policy for the auditors to apply professional scepticism within
The auditor shall exercise professional scepticism, and maintain an the context provided by auditing standards at all stages of the audit process.
open and objective mind. In case the SAI has a policy and methodology, assess the systems, processes,
guidance tools, templates, etc. that are available to ensure that the auditor has
exercised professional scepticism.
Examine the documentation (electronic and/or paper form) in the selected sample of
audit files and check whether the auditor demonstrated professional scepticism in
the analysis done.
ISSAI 4000/80 Check if the SAI has a policy on quality control, quality control procedures and the
The SAI shall take responsibility for the overall quality of the audit requirement to document that.
to ensure that the audits are carried out in accordance with Assess if the audit management, supervision and quality control systems, processes,
relevant professional standards, laws and regulations and that the guidance tools, templates, etc. enable the SAI to ensure that its compliance audit is
reports are appropriate in the circumstances. with appropriate quality.
Examine the quality control procedures performed (electronic and non-electronic) in
the sample of audit files selected.
ISSAI 4000/85 Check if the SAI has a policy that requires an audit team to have requisite
The SAI shall ensure that the audit team collectively has the competencies and skills sets for a compliance audit. Also check if the SAI has a policy
necessary professional competence to perform the audit. for engaging external experts and if the SAI’s policies and methodology state that
even if external experts perform audit work on behalf of the SAI, the SAI is still
responsible for the conclusion(s).
In case the SAI has a policy, assess SAI human resource management systems and
processes that are available to ensure that team competency is considered in
selection. Also, check whether the external experts have the necessary competence
and capabilities for the work for which they are engaged.
Examine if the SAI has a system to document the competencies for the compliance
audits planned for an audit cycle or year.
Examine the records (electronic and non-electronic) in the sample of audit files
selected and the composition of audit teams for appropriateness with the nature of
audit for compliance with this requirement. Also, see if the SAI has a training
arrangement to update the skills portfolio of its staff continuously.
ISSAI 4000/89 Check if the SAI has a policy requiring auditors to document the audit process at all
The auditor shall prepare audit documentation that is sufficiently stages of the audit, i.e. planning, gathering and evaluating evidence; reporting; and
detailed to provide a clear understanding of the work performed, follow-up.
evidence obtained and conclusions reached. The auditor shall Check the existence and adequacy of systems, processes, guidance tools, templates,
prepare the audit documentation in a timely manner, keep it up to etc. for documentation at all stages of the audit.
255
ISSAI 4000 requirements Guidance Comments
date throughout the audit and complete the documentation of Examine the sample of audit files selected, whether auditors have complied with
the evidence supporting the audit findings before the audit report applicable requirements for documentation in their work.
is issued. Examine how the auditors ensure that documentation takes place throughout the
entire audit process.
Assess what procedures or tools exist to fulfil this requirement.
Assess if there has been intervention by the management of the SAI to ensure quality
and determine the nature of the intervention.
ISSAI 4000/96 Check if the SAI has a policy or methodology requiring auditors to maintain proper
The auditor shall communicate in an effective manner with the communication with the audited entity at all stages of the audit process and if the
audited entity and those charged with governance throughout the policy includes the matters that must be communicated in writing.
audit process. Review the systems, processes, guidance tools, templates, etc. that are in place to
see whether (a) they facilitate proper communication between the SAI and the
audited entity as intended and (b) they prevent auditors’ independence from being
impaired.
Examine the communication records (electronic and non-electronic) in the sample of
audit files selected and check whether the SAI has followed the applicable
requirements in its communication with the audited entity.
ISSAI 4000/99 Check if the SAI has a policy showing how the auditors will communicate significant
Instances of material non-compliance shall be communicated with difficulties as well as instances of non-compliance detected during the audit to the
the appropriate level of management and (if applicable) those audited entity at an appropriate level.
charged with governance. Other significant matters arising from Check if systems, processes, guidance tools, templates, etc. are appropriate and
the audit that are directly relevant to the entity shall also be support effective communication to respond to this specific requirement of the
communicated. standard.
In the sample of audit files selected, examine whether the SAI has complied with this
requirement where relevant.
B. Requirements related to compliance auditing planning process
ISSAI 4000/101 Check whether the SAI has a policy on identifying the intended users of audit reports
The auditor shall explicitly identify the intended user(s) and the of an audit.
responsible party and consider the implication of their roles in Assess if specific processes, systems, guidance and templates are available to help
order to conduct the audit and communicate accordingly. the auditors with identifying the intended users.
Assess if the intended users were identified in the sample of audit files selected and
confirm if there is adequate documentation to support the identification.
Assess if specific processes, systems, guidance and templates are available for the
auditors to understand the legal status, applicable authorities and related
responsibilities of the audited entity.
256
ISSAI 4000 requirements Guidance Comments
Assess if the responsibilities of responsible parties and audited entities were
identified in the sample of audit files selected.
ISSAI 4000/107 Check if the SAI has an appropriate policy for auditors to identify the subject matter
Where the SAI has the discretion to select the coverage of of the audit.
compliance audits, the auditor shall define the subject matter to Assess if existing processes, systems, tools, templates, etc. made available by the SAI
be measured or evaluated against criteria. to the auditors help them in identifying the subject matter.
In a suitably sized and representative sample of audit files, examine whether the
auditors followed the applicable guidance in identifying the subject matter.
ISSAI 4000/110 Check if the SAI has a policy for the auditors to identify suitable criteria for
Where the SAI has the discretion to select the coverage of compliance audits.
compliance audits, the auditor shall identify relevant audit criteria Check whether the SAI has systems, processes, tools, templates, etc. to help auditors
prior to the audit to provide a basis for a conclusion/an opinion on in identifying suitable criteria.
the subject matter. In the sample of audit files selected, examine whether the auditors have followed
the procedures required on criteria.
ISSAI 4000/121 Check whether the SAI has a policy on identifying the level of assurance of an audit.
Depending on the mandate of the SAI, the characteristics of the Assess if there are processes, systems and templates available to help the auditors
subject matter, and the needs of the intended user(s), the auditor with identifying the level of assurance (reasonable or limited) in compliance audits.
shall decide whether the audit shall provide reasonable or limited Assess, in the sample of audit files selected, whether the auditors have followed the
assurance. process, system, templates, etc. in determining the level of assurance to be
provided. Confirm if there is adequate documentation to support the decision.
Assess if there is adequate supervision or monitoring in determining the level of
assurance.
ISSAI 4000/125 Check if the SAI has a policy on how the auditor shall determine materiality and if the
The auditor shall determine materiality to form a basis for the policy requires to apply materiality throughout the audit process: in planning,
design of the audit, and re-assess it throughout the audit process. executing, evaluating and concluding the audit.
Check whether systems, processes and tools are in place to facilitate auditors’
compliance with this requirement in audits.
In the sample of audit files selected, examine whether the SAI has complied with this
requirement in the planning and performing these audits. Also, assess the quality of
the documentation of the process and evidence available in the files.
ISSAI 4000/131 Check if the SAI’s policy requires the auditors to understand the audited entity as
The auditor shall have an understanding of the audited entity and part of their auditing framework.
its environment, including the entity’s internal control, to enable
effective planning and execution of audit.
257
ISSAI 4000 requirements Guidance Comments
Examine whether the SAI has the systems, processes, tools, templates, etc. to help
the auditors in obtaining a proper understanding of the audited entity and internal
control.
In the audit files selected for review, examine whether the auditors have followed
the applicable guidance in obtaining the understanding of the audited entity and
internal control.
In the audit files selected for review, examine whether the auditors’ determination
of materiality and risk assessment is based on the understanding of the audited
entity or programme.
ISSAI 4000/137 Check whether the SAI has a policy that requires following the process suggested in
The auditor shall develop and document an audit strategy and an the development of an audit strategy and audit plan.
audit plan that together describe how the audit will be performed Assess if the processes, systems, tools and templates are in place to help the auditors
to issue reports that will be appropriate in the circumstances, the in developing the audit strategy and audit plan in the required manner.
resources needed to do so and the time schedule for the audit In the sample of audit files selected, examine if the auditors have developed an audit
work. strategy and audit plan in the required manner.
258
ISSAI 4000 requirements Guidance Comments
In the sample of audit files selected, examine if the auditors have used appropriate
techniques in gathering evidence.
In the sample of audit files selected, examine if there is enough supervision for the
above-mentioned process.
ISSAI 4000/170 Check whether the SAI has a policy requiring the auditors to use a written form of
In SAIs with jurisdictional powers, the inquiry shall be carried out inquiry when it is required by law.
in written form when requested by the national law. Examine if processes, systems, tools or templates are available to the auditors for
applying these techniques.
In the selected sample audit files, look for documentation of the preparation and
send a written communication to the relevant responsible persons requesting
specific information that the audit team considers necessary for supporting their
conclusion.
ISSAI 4000/172 Check whether the SAI has a policy and methodology regarding sampling in
The auditor shall use audit sampling, where appropriate, to conducting compliance audit.
provide a sufficient amount of items to draw conclusions about Examine if processes, systems, tools or templates are available to the auditors for
the population from which the sample is selected. When designing applying the sampling techniques.
an audit sample, the auditor shall consider the purpose of the In the sample of audit files selected, examine if the auditors have used the
audit procedure and the characteristics of the population from appropriate sampling techniques.
which the sample will be drawn. In the sample of audit files selected, examine if there is enough supervision for the
above-mentioned process.
D. Requirements related to evaluating audit evidence and forming conclusions
26 ISSAI 4000/179 Check whether the SAI has a policy to compare the obtained audit evidence with the
The auditor shall compare the obtained audit evidence with the stated audit criteria during audit work and before the issue of the compliance audit
stated audit criteria to form audit findings for the audit report and if policy requires auditors to assess whether there is sufficient and
conclusion(s). appropriate audit evidence to form a conclusion.
Assess if processes, systems, tools or templates are available for the auditors to
review the evidence on the subject matter’s compliance with the established criteria.
In the sample audit files selected, look for documentation on the performed
procedures to form audit findings.
27 ISSAI 4000/184 Check whether the SAI has methodology covering forming a conclusion by
Based on the audit findings, and the materiality, the auditor shall considering materiality.
draw a conclusion whether the subject matter is, in all material Assess if processes, systems, tools or templates are available for the auditors to form
respects, in compliance with the applicable criteria. conclusions.
259
ISSAI 4000 requirements Guidance Comments
In the sample audit files selected, look for documentation on the conclusion formed
and how materiality was applied in doing so.
28 ISSAI 4000/188 Check whether the SAI has a policy and methodology to communicate the level of
The auditor shall communicate the level of assurance provided in assurance.
a transparent way. Assess if processes, systems, tools or templates are available for the auditors to
communicate the level of assurance.
In the sample audit files selected, look for documentation on the communication
made by the auditor.
E. Requirements related to reporting
29 ISSAI 4000/191 Check whether the SAI has a policy and methodology on communicating the
The auditor shall communicate the conclusion in an audit report. conclusion of compliance audits in an audit report.
The conclusion can be expressed either as an opinion, conclusion, Assess if there are specific processes, systems, guidance or templates for
answer to specific audit questions or recommendations. determining the format of compliance audit conclusion, for direct reporting and
attestation engagements. In the selected sample audit files, look for documentation
on the conclusion of the audit.
30 ISSAI 4000/202 Check whether the SAI has a policy requiring the audit reports to cover the principles
The auditor shall prepare an audit report based on the principles stated.
of completeness, objectivity, timeliness, accuracy and Assess if auditors have been provided processes, systems, tools or templates to help
contradiction. them in properly incorporating these principles in audit reports.
In the sample audit files selected, examine whether the principles are applied while
preparing the audit reports.
31 Report structure for direct reporting engagement Check whether the SAI has a policy or methodology which requires including all
ISSAI 4000/210: The audit report shall include the following elements of a report.
elements (although not necessarily in this order): Assess if there are specific processes, systems, guidance or templates for
a) Title determining the format of compliance audit reports, ensuring that all required
b) Identification of the auditing standards elements are included.
c) Executive summary (as appropriate) In the sample of audit files selected, examine whether the audit report included all
d) Description of the subject matter and the scope (extent and elements as suggested in the requirement.
limits of the audit)
e) Audit criteria
f) Explanation and reasoning for the methods used
g) Findings
h) Conclusion(s) based on answers to specific audit questions or
opinion
i) Replies from the audited entity (as appropriate)
260
ISSAI 4000 requirements Guidance Comments
j) Recommendations (as appropriate)
32 Report structure for an attestation engagement Check whether the SAI has a policy or methodology which requires including all
ISSAI 4000/218: The audit report shall include the following elements.
elements (although not necessarily in this order): Assess if there are specific processes, systems, guidance or templates for
a) Title determining the format of compliance audit reports, ensuring that all required
b) Addressee elements are included.
c) Description of the subject matter information, and when In the sample of audit files selected, examine whether the audit report included all
appropriate, the underlying subject matter elements as suggested in the requirement.
d) Extent and limits of the audit, including the time period,
covered
e) Responsibilities of the responsible party and the auditor
f) Audit criteria
g) Identification of the auditing standards and level of assurance
h) A summary of the work performed and methods used
i) Opinion/conclusion
j) Replies from the audited entity (as appropriate)
k) Report date
l) Signature
33 Additional report structure - SAIs with jurisdictional powers This is applicable for SAIs with jurisdictional powers.
ISSAI 4000/221: In the SAIs with jurisdictional powers, the auditor If applicable, check whether the SAI has a policy or methodology that requires
shall consider the role of the prosecutor or those responsible for including all elements.
dealing with judgment issues within the SAI, and shall also include, Assess if there are specific processes, systems, guidance or templates for
as appropriate, the following elements in both direct reporting determining the format of compliance audit reports, ensuring that all required
and attestation engagements: elements are included.
a) Identification of the responsible parties and the audited entity Examine in the sample audit files selected whether the audit report included all
b) The responsible person(s) involved and their responsibilities elements as suggested in the requirement.
c) Identification of the auditing standards applied in performing
the work
d) Responsibilities of the auditor
e) A summary of the work performed
f) Operations and procedures etc. that are affected by non-
compliance acts and/or possible unlawful acts. This needs to
include, as appropriate:
261
ISSAI 4000 requirements Guidance Comments
A description of the finding and of its cause. The legal act which has
been infringed (the audit criteria). The consequences of the non-
compliance acts and/or possible unlawful acts
g) The responsible persons and their explanations regarding their
non-compliance act and/or possible unlawful acts, when
appropriate
h) The auditor’s professional judgment which determines
whether there is personal liability for non-compliance acts
i) The value of the loss/misuse/waste created and the amount to
be paid due to personal liability
j) Any measures taken by responsible persons during the audit to
repair the loss/misuse/waste created
k) The management’s arguments on the non-
compliance/unlawful acts
34 ISSAI 4000/225 Check whether the SAI has a policy that requires auditors to exercise due
In conducting compliance audits, if the auditor comes across professional care and caution and communicate those instances of non-compliance
instances of non-compliance which may be indicative of unlawful which may be indicative of unlawful acts or fraud to the responsible body.
acts or fraud, s/he shall exercise due professional care and caution Assess the processes, systems, tools and templates which are in place to help the
and communicate those instances to the responsible body. The auditors in proper consideration of the relationship between public entities,
auditor shall exercise due care not to interfere with potential especially to handle fraud risk.
future legal proceedings or investigations. In the sample of audit files selected, examine if auditors have considered the
relationship between the public entities in the fraud risk assessment process.
Examine, in the sample of the selected audit files, if there is evidence of the
communication of the cases of non-compliance detected in the audit, which can be
an indicator of illegal acts or fraud, to the responsible body.
262