
Three audit streams:

1. Financial Audit
2. Performance Audit
3. Compliance Audit

Compliance Audit Manual (CAM) – contains the framework of professional standards, provides an overview
of all the standards and guidelines for public sector auditing, assurance, engagements, and other related
services, and complies with the International Standards on Auditing (ISA).

CAM contains the framework for the process of compliance auditing in the Philippine public sector. The
COA auditors are enjoined to follow these guidelines in planning, execution, reporting, carrying out follow-up
processes and observing quality controls in compliance audit.

PURPOSE OF COMPLIANCE AUDIT

The auditors assess whether activities, financial transactions and information are, in all material respects,
in compliance with the authorities which govern the audited agency.

ELEMENTS OF COMPLIANCE AUDIT

1. Subject matter
2. Criteria for assessing the subject matter
3. Three parties
a. Auditor
b. Responsible party
c. Intended users

COMPLIANCE AUDIT – COMMISSION ON AUDIT (COA) DESIREE CEMEFRANIA


CONDUCT OF COMPLIANCE AUDIT

The COA shall conduct compliance audit, as a stand-alone activity, in accordance with International
Standards of Supreme Audit Institutions (ISSAI) 4000. However, when there are limitations in resources or
existing conditions that would prevent the conduct of compliance audit as a stand-alone activity, then
compliance audit in combination with the audit of financial statements or with performance audit may be
conducted.

COMPLIANCE AUDIT PROCESS

The compliance audit shall be conducted in accordance with the process as presented in CAM.

Level of assurance → Reasonable assurance

Type of engagement → Direct reporting

TIMING AND FREQUENCY

The sector heads shall determine the audit scope, timing and frequency of the conduct of the compliance
audit.

REPORTING THE RESULTS

The results of the compliance audit shall be reported through a Management Letter (ML) and transmitted
to the end-user within three (3) months after the last day of fieldwork or within the timelines prescribed in
the terms of the agreement, in cases where the Compliance Audit Report (CAR) is prepared for a specific
end-user. If the ML has been transmitted before the issuance of the Annual Audit Report, the results of
the compliance audit can be incorporated therein.

The CAR shall be published on the COA website.

RETENTION OF THE AUDIT WORKING PAPERS

The working papers shall be properly organized and retained within a period of five (5) years, provided
there is no court case or audit disallowance involved. Otherwise, those working papers shall be retained
until the case or the audit disallowance is settled.

COMPLIANCE AUDIT IN THE PHILIPPINE PUBLIC SECTOR

The Commission adopted the COA’s Framework of Professional Standards with reference to the
International Organization of Supreme Audit Institutions (INTOSAI) Framework of Professional
Standards pursuant to COA Resolution No. 2013-006 dated Jan. 29, 2013, and as updated by Resolution
No. 2016-007 dated May 3, 2016.

The Framework provides an overview of the standards and guidelines for public sector auditing, assurance
engagements and other related services, and is harmonized with the ISA.

These standards were referred to as Philippine Public Sector Standards on Auditing (PPSSA).

In 2018, under Resolution No. 2018-11 dated Feb. 1, 2018, the standards were renamed from PPSSA to
International Standards of Supreme Audit Institutions (ISSAI) to strengthen the COA’s commitment to
implement ISSAIs. The renaming was also made to dispel the notion that COA developed its own auditing standards.

IRRBA Manual – Integrated Result and Risk-Based Audit Approach manual. The objective is to integrate
the different audit services rendered by COA and to improve the effectiveness and efficiency of COA
auditors through the adoption of a results-based integrated audit methodology using a risk-based audit
approach. The IRRBA manual was prescribed through COA Resolution No. 2011-009 dated October 20, 2011.

The 1st phase of the COA Audit Framework calls for COA to conduct a common strategic planning and risk
identification process.

COA as the Supreme Audit Institution shall independently identify the risks that the Government as a whole
may face in achieving its objectives. COA will then be able to identify the focus areas which need to be
prioritized given its limited resources. The result will also be an input in the determination of the
appropriate audit strategies needed to be applied for the allocation of resources appropriate for the audit
services such as the people, skills, competence, processes and procedures.

This identification of government risks shall be annually conducted, supervised by the Assistant
Commissioners and attended by directors. The results of this activity should be cascaded down to the
concerned sectors, clusters, and audit groups through the COA Strategic Planning.

The audit teams should conduct separate planning, execution, and reporting activities for each audit
stream. The templates for the common planning activities shall be used as references/sources of information
for the preparation of the other planning templates for each audit stream.

Annual Audit Report (AAR) or Consolidated Annual Audit Report (CAAR) is prepared to report the results of
audit of government agencies.

Part I of the AAR/CAAR consists of the independent auditor’s report.

Part II presents the audit observations and recommendations on:

• material misstatements or errors in the financial statements and noncompliance with laws, rules and
regulations related to the audit of the accounts in financial statements;

• noncompliance with laws, rules and regulations on subject matter identified during the engagement but no
audit conclusion/opinion is rendered and no separate audit report is prepared; and

• economy, efficiency, and effectiveness of programs, projects, or activities.

COA should conduct preliminary engagement activities at the sector/cluster/regional levels to ensure that:

1. the audit teams meet the relevant ethical requirements in carrying out their audit work;

2. the members collectively possess the necessary professional competence, knowledge, skills and expertise
to perform the different audit streams in accordance with the relevant professional standards;

3. and the established quality control mechanism which includes supervision, review, consultation, and
adequate training that cover all phases of the audit – planning, execution and reporting is adhered to.

BASIC ELEMENTS, CONCEPTS AND PRINCIPLES OF COMPLIANCE AUDITING

PUBLIC SECTOR AUDITING

ISSAI 100.17

Public sector auditing helps to create suitable conditions and reinforce the expectation that public sector
entities and public servants will perform their functions effectively, efficiently, ethically and in accordance
with the applicable laws and regulations.

Public sector auditing is described as the systematic process of objectively obtaining and evaluating
evidence to determine whether information or actual conditions conform to established criteria.

This is essential in that it provides the legislative and oversight bodies, those charged with governance, and
the general public with independent and objective assessments concerning the stewardship and
performance of government policies, programmes or operations (ISSAI 100.18).

All public-sector audits have the same basic elements namely:

1. The subject matter information,
2. Criteria for assessing the subject matter,
3. The three parties to the audit consisting of the:
a. Auditor
b. The responsible party
c. Intended users.

(ISSAI 100.24) Public sector audits can be categorized into two different types of audit engagement:

1. Attestation
2. Direct reporting engagements

The intended users will wish to be confident about the reliability and relevance of the information which they
use as the basis for taking decisions. Therefore, audits provide information based on sufficient and
appropriate evidence, and auditors should perform procedures to reduce or manage the risk of reaching
inappropriate conclusions (ISSAI 100.31).

The level of assurance may either be:

1. Reasonable
2. Limited assurance

Three Types of Public Sector Audits

Financial audit focuses on determining whether an agency’s financial information is presented in
accordance with the applicable financial reporting and regulatory framework. This is accomplished by
obtaining sufficient and appropriate audit evidence to enable the auditors to express an opinion as to
whether the financial information is free from material misstatement due to fraud or error.

A misstatement or error in the financial statements is considered material if, individually or in the aggregate,
it would influence the economic decision of the users knowing the assertions in the financial statements.

Performance audit focuses on whether interventions, programs, and institutions are performing in
accordance with the principles of economy, efficiency, and effectiveness and whether there is room for
improvement.

Performance is examined against suitable criteria, and the causes of deviations from those criteria or other
problems are analyzed. The aim is to answer key audit questions and to provide recommendations for
improvement. The auditors determine whether government resources are used economically or the
government agency is able to deliver the intended result and impact.

Compliance audit focuses on whether a particular subject matter is in compliance with authorities identified
as criteria. The auditors assess whether activities, financial transactions and information are, in all material
respects, in compliance with the authorities which govern the audited agency.

These authorities may include rules, laws and regulations, budgetary resolutions, policy, established codes,
agreed terms, general principles governing sound public-sector financial management, and the conduct of
public officials.

COMPLIANCE AUDIT

The main objective of compliance auditing is to provide the intended user(s) with information on whether
the audited government agencies comply with legislative decisions, laws, legislative acts, policy,
established codes and agreed upon terms. This information forms the relevant authorities governing the
subject matter/agency that is going to be audited. These authorities are the sources of audit criteria (ISSAI
4000.23).

In compliance audit, the auditors identify material deviations or departure from established criteria to take
corrective action on individual cases, make those accountable accept responsibility, obtain compensation,
or take steps to prevent such breaches or at least make them more difficult to occur.

ISSAI 4000.27

Compliance auditing may be conducted either:

a. As a separate compliance audit, or

b. In relation with the audit of financial statements, or

c. In combination with performance auditing.

Compliance Audit in Relation with Audit of Financial Statements

Combining financial and compliance audits enables the auditors to obtain assurance that the financial
statements are free from material misstatement due to fraud or error and to obtain assurance on whether
activities, financial transactions and information comply, in all material respects, with the authorities or laws
which govern the audited agency. When a CA is combined with a financial audit, the conclusion/opinion on
the aspect of compliance should be clearly separated from the opinion on the financial statements. The
identified applicable law(s) and regulation(s) should contain all laws and regulations that can influence the
outcomes (i.e., amounts) of the financial transactions that are (or should be) accounted for in the financial
statements (ISSAI 4000.16).

Compliance Audit in Combination with Performance Audit

When CA is part of a performance audit, compliance is seen as one of the aspects of economy, efficiency
and effectiveness (ISSAI 400.26). Auditors use their professional judgment in deciding whether
performance or compliance is the primary focus of the audit and determine audit scope and criteria
accordingly.

Differences of Compliance and Performance Audit

Performance audit:

• In performance audit, a noncompliance may be a cause of, an explanation for, or a consequence of, the
state of the activities being subject to the performance audit.

• In performance audit, auditors look at whether or not the audited agency is operating economically,
efficiently, and effectively. These parameters are integral to the definition of performance audits. The
underlying concept is that, if an audited agency uses resources economically, it generates more value for
the input it uses, and creates the intended impact. In performance audit, the larger focus is on delivering
results, though economy and efficiency aspects are also relevant. Performance criteria are usually based on
economy, efficiency, and effectiveness accordingly.

Compliance audit:

• In a compliance audit, the auditors assess the degree to which the audited agency (through its officials)
follows rules, laws and regulation, policy, established codes, or agreed upon terms which govern a public
sector agency.

• In compliance audit, auditors look for instances of noncompliance with relevant authorities as defined
above (e.g. applicable laws, policies, rules, regulations, procedures, terms of contract or agreement) that
can have material impact on the audited agency in achieving its objectives.

BASIC ELEMENTS OF COMPLIANCE AUDITING

Subject matter refers to the information, condition or activity that is measured or evaluated against the
suitable criteria. Subject matter depends on the mandate of the SAI, the relevant authorities and the scope
of the audit.

The subject matter of a compliance audit is defined by the scope of the audit. The scope depends on the
needs of the intended user(s), the decided level of assurance, the assessed risk, and the competence and
resources available.

Subject matter information is the result of evaluating or measuring the subject matter against the criteria.
This is prepared by the responsible party for attestation engagements or by the auditors for direct reporting
engagements.

Authorities and Criteria

Authorities are relevant acts or resolutions of the legislature (Congress) or directions and guidance issued
by administrative agencies, oversight, or regulatory agencies with powers provided for in the statute, with
which the government agency is expected to comply. They include laws, policies, rules, regulations, budgetary
resolutions, established codes, agreed terms or the general principles governing sound public sector
financial management and the conduct of public officials. The government agency, for which authorities have
been framed, has the responsibility to adhere to the rules, regulations, etc. in order to be compliant.
Authorities are the most fundamental element of compliance auditing, since their structure and content provide
the audit criteria.

Criteria are the benchmarks used to evaluate or measure the subject matter consistently and reasonably.
Criteria may be derived from laws, policies, rules, regulations, budgetary resolutions, etc. The sources of
legal criteria are rules and regulations, international treaties and other agreements, and code of conduct
(ISSAI 4000.114).

The suitable criteria have to be clearly stated in the CA report to enable the intended users to understand
how the subject matter was evaluated or measured by the auditors to prevent misunderstanding or different
interpretations.

Suitable audit criteria have to be identified using the following characteristics:

Relevance;

Completeness;

Reliability;

Neutrality;

Understandability;

Usefulness;

Comparability;

Acceptability; and

Availability.

Three Parties

Public sector audits involve three separate parties: the responsible party, the auditor and the intended
user(s).

The responsible party is the government agency to which the fund is released or the public officers who
managed and used the funds in their operations for the attainment of the mandate. They are responsible
for the subject matter.

The intended users could be the legislative (Congress), oversight bodies, those charged with governance,
donors or the general public who are interested to know whether or not the fund allocated to a government
agency has been used in accordance with the authority. Those charged with governance may also include
the head of the agency.

The auditor, Commission on Audit, expresses a conclusion, which is designed to enhance the degree of
confidence of the intended users after obtaining sufficient and appropriate audit evidence to reduce the risk
of making an inappropriate conclusion.

The responsible party consists of the public officials responsible for the management of funds entrusted to them and
the operations of the government agency in accordance with the authorities. There is a possibility that they
would be motivated to provide false or insufficient information regarding the result of the operation of their
managed agency to protect their personal interest. Thus, they shall be held accountable in case they fail to
effectively perform their responsibilities and functions, and comply with relevant laws, rules and regulations
governing their agency.

For this reason, the intended users would like to have an independent assessment of the correctness of
the information provided by the government agencies or if the actual conditions in the agency comply with
relevant laws, rules, and regulations.

The auditors provide assurance, though not absolute, owing to the inherent limitations in the conduct of the
audit, on the condition of the subject matter. This is done by performing procedures and obtaining sufficient
and appropriate evidence to reduce or manage the risk of providing an incorrect conclusion.

Assurance

Every compliance audit is an assurance engagement. The auditor chooses the level of assurance based
on the needs of the intended user(s). The audit report provides either reasonable or limited assurance.

Compliance audit is an assurance engagement. The auditors have to provide credible information and
conclusion on the subject matter that will be the basis for the decision making of the intended user(s). The
conclusion should be based on sufficient and appropriate evidence obtained during the audit after
performing the necessary audit procedures that would reduce or manage the risk of reaching inappropriate
conclusions. The level of assurance to be selected by the auditors will depend on the need(s) of the
intended users. The intended users rely on the assurance of the auditors and should not be misled by
inappropriate conclusions that could render their decisions valueless.

Reasonable assurance is high but not absolute. The audit conclusion is expressed positively, conveying
that, in the auditors’ opinions, the subject matter is or is not compliant in all material respects, or, where
relevant, that the subject matter information provides a true and fair view, in accordance with the applicable
criteria (ISSAI 4000.33).

When providing limited assurance, the audit conclusion states that based on the procedures performed,
nothing has come to the auditors’ attention to cause the auditors to believe that the subject matter is not in
compliance with the applicable criteria. However, if the auditors believe that the subject matter is not in
compliance with the criteria, they have to perform limited procedures to conclude whether the subject matter
is in compliance with the criteria or not. The procedures performed in a limited assurance audit are limited
compared with what is necessary to obtain reasonable assurance; however, the level of assurance is
expected, in the auditors’ professional judgment, to be meaningful to the intended user(s). A limited
assurance report conveys the limited nature of the assurance provided (ISSAI 4000, paras. 35 and 36).

Types of Audit Engagements


Direct Reporting Engagement – In direct reporting engagements, it is the auditors who measure or evaluate
the subject matter evidence against the criteria. The auditors are responsible for preparing the subject
matter information. The auditors select the subject matter and criteria, taking into consideration risks and
materiality. By measuring the subject matter evidence against the criteria, the auditors are able to form a
conclusion. The conclusion is expressed in the form of findings, answers to specific audit questions,
recommendations or an opinion (ISSAI 4000.37).

In direct reporting engagements performed with reasonable assurance, the auditors state in the audit
conclusion that the subject matter is or is not compliant in all material respects with the applicable criteria.

If it is performed with limited assurance, the conclusion states that nothing has come to the auditors’
attention that the subject matter is not in compliance with the criteria.

Attestation Engagement – In attestation engagements, the responsible party measures the subject matter
against the criteria and presents the subject matter information on which the auditors then gather sufficient
and appropriate audit evidence to provide a reasonable basis for expressing a conclusion. The conclusion
is expressed in the form of findings, conclusions, recommendations or an opinion (ISSAI 4000.40). When
the auditors have become aware of instances of noncompliance, these need to be reflected in the conclusion.
In an attestation engagement with reasonable assurance, the auditors’ conclusions express their views that
the subject matter information is or is not in accordance with the applicable criteria.

In an attestation engagement with limited assurance, the auditors state whether or not, based on the
procedures performed, nothing has come to their attention to cause the auditors to believe that the subject
matter is not in compliance, in all material respects, with the applicable criteria. The procedures performed
are limited compared with what is necessary to obtain reasonable assurance (ISSAI 4000.42).

Levels of Assurance and Types of Audit

Regularity and Propriety Compliance Audit

Compliance auditing may be concerned with regularity (adherence to formal criteria such as relevant
laws, regulations and agreements) or with propriety (observance of the general principles governing sound
financial management and the conduct of public officials). While regularity is the main focus of compliance
auditing, propriety may also be pertinent given the public sector context, in which there are certain
expectations about financial management and the conduct of officials.

The criteria for propriety may be less formal, and it considers public expectations regarding the actions and
behaviour of government officials. This requires the auditors to ascertain if the audited agency has followed
the principles of sound financial management and its officials have acted transparently and equitably in
making decisions for the agency.

When assessing the regularity or propriety aspects of an agency, the auditors have to exercise their
professional judgment, for the quality of the audit opinion or conclusion depends on how auditors establish
and apply the suitable criteria. The auditors are expected to carry out proper risk assessment to determine
which compliance requirements are likely to be violated. This will be the basis for the design of the audit
procedures to ensure that such violations are detected.

PRINCIPLES OF COMPLIANCE AUDITING


Compliance audit is a systematic process of objectively obtaining and evaluating evidence as to whether a
given subject matter is in compliance with applicable authorities identified as criteria. The nature of
compliance auditing is iterative and cumulative; but the principles fundamental to the conduct of the audit
may be divided into principles that the auditors should consider prior to the commencement and at more
than one point during the audit process (general principles) and those related to steps in the audit process
itself (ISSAI 400.42).

The general principles are:

• Professional judgment and skepticism

• Quality control

• Audit team management and skills

• Audit risk

• Materiality

• Documentation

Professional Judgment and Professional Skepticism
Professional Judgment is a skill that the auditors acquire over time through relevant training, knowledge,
and experience, and should be exercised so that informed decisions can be made about the courses of
action that are appropriate given the circumstances of the audit.

The auditors use professional judgment when deciding the level of assurance, assessing risk and
materiality, defining the subject matter, scope and the corresponding audit criteria, assessing the
procedures necessary to gather sufficient and appropriate audit evidence and the evaluation thereof. The
use of professional judgment is crucial when analyzing the audit evidence and forming conclusions based
on the findings.

Professional skepticism is the attitude of the auditors that includes maintaining an open and objective mind
by being alert to conditions which may indicate possible noncompliance due to error or fraud.

Professional skepticism is important when evaluating audit evidence contradicting other audit evidence
already obtained, and information that brings into question the reliability of audit evidence, such as
documents and responses to inquiries. Exercising professional skepticism is necessary to ensure that the
auditors avoid personal bias and to make sure that the auditors are not overgeneralizing when drawing
conclusions from observations. In addition, the auditors will act rationally based on a critical assessment of
all the evidence collected (ISSAI 4000.77-79). The auditors need to maintain professional skepticism
throughout the audit.

Quality Control
Quality control refers to the processes in place whereby the overall quality of a CA is reviewed to ensure
that the audit is in compliance with applicable governing standards and the audit report, conclusion or
opinion is appropriate given the circumstances. The quality control procedures include supervision, reviews,
consultation, and adequate training; and may cover the planning, execution, and reporting stages. There
must be a quality control system where roles and responsibilities are clearly defined to secure the overall
quality of the audit.

Each audit sector in the Commission ensures that appropriate procedures, reviews, and supervision are
performed throughout the audit process. The quality controls are to be documented in the audit file. ISSAI
40, Quality Control for SAIs, provides additional guidance on quality control.

Audit Risk
Audit risk is the risk that the auditors’ report, conclusion or opinion may be inappropriate in the
circumstances of the audit. Thus, the auditors need to consider audit risk throughout the audit process, and
have to manage or reduce it to an acceptably low level. Audit risk is relevant in both direct reporting and
attestation engagements.

The auditors have to consider the three dimensions of audit risk – inherent risk, control risk, and detection
risk – in relation to the subject matter and the reporting format. By identifying and evaluating the agency’s
inherent and control risks, the auditors can define the nature and extent of the evidence gathering
procedures required to test compliance with the criteria. The higher the level of risk, the greater the extent
of audit work that will be required to lower detection risk sufficiently to achieve the acceptable level of audit
risk.

Materiality
A matter can be judged material if knowledge of it would likely influence the decisions of the intended users.
In identifying materiality, the auditors pay attention to specific areas of legislative focus, public interest or
expectations, requests, and significant public funding, as well as fraud. For example, a noncompliance with
the terms and conditions of a donor-funded project would be considered material if that noncompliance
could lead to the donor discontinuing funding for the project or imposing more stringent controls as a
precondition for continued funding.

Determining materiality is a matter of professional judgment and depends on the auditors’ interpretation of
the users’ needs. In this context, it is reasonable for the auditors to assume that intended users:

• have adequate knowledge of the underlying subject matter, and willingness to study the subject matter
information with reasonable diligence;

• understand that the subject matter information is prepared and assured to appropriate levels of materiality,
and have an understanding of any materiality concepts included in the applicable criteria;

• understand any inherent uncertainties involved in measuring or evaluating the underlying subject matter;
and

• make reasonable decisions on the basis of the subject matter information taken as a whole.

Materiality includes the nature, context, and value of an individual item or a group of items taken together,
but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or
group of items may render a matter material by its very nature or context in which it occurs.

In performing compliance audits, materiality is determined for all stages of audit:

a. In the planning phase, assessing materiality helps the auditors identify the audit questions which
are of importance to the intended user(s);

b. In performing the audit, the auditors use materiality in deciding the extent of audit procedures to
be executed, and evaluating the audit evidence obtained and the effects of identified instances of
noncompliance; and

c. In evaluating and concluding the audit, the auditors use materiality to evaluate the scope of work
and the level of noncompliance to determine the impact on the conclusion/opinion.

Documentation
Sufficient audit documentation is important within all steps of the compliance audit. This is to ensure that
all steps taken and decisions made during an audit are properly justified and documented in such a way
that experienced auditors who do not have any prior knowledge or connection with the previous audit review
will be able to understand the significant matters arising during the audit, the conclusion(s)/opinion(s)
reached thereon, and significant professional judgments made in reaching those conclusion(s)/opinion(s).
Documenting the audit work performed enhances transparency about the work. Documentation includes,
as appropriate:

a. an explanation of the subject matter of the audit;
b. risk assessment, audit strategy and plan, and related documents;
c. the methods applied and the scope and time period covered by the audit;
d. the nature, the time and extent of the audit procedures performed;
e. the results of the audit procedures performed, and the audit evidence obtained;
f. the evaluation of the audit evidence forming the finding(s), conclusion(s)/ opinion(s), and
recommendation(s);
g. judgments made in the audit process, including professional consultations and the reasoning behind
them;
h. communication with and feedback from the audited agency; and
i. supervisory reviews and other quality control safeguards undertaken.

Documentation needs to be sufficient to demonstrate how the auditors defined the audit objective, subject
matter, the criteria and the scope, as well as the reasons why a specific method of analysis was chosen.
For this purpose, documentation needs to be organized in order to provide a clear and direct link between
the findings and the evidence that support them.

Communication
Communication takes place in all audit stages: before the audit starts, during initial planning, during the
gathering and evaluation of evidence, and in the reporting phase. It is essential that the audited agency,
together with the COA, is kept informed of all matters relating to the audit. This is key to developing a
constructive working relationship between the auditors and the agency and also within the audit team. It
helps keep all parties informed of the audit progress and assists in resolving any matters that
may obstruct or delay the audit.

Communication should include obtaining information relevant to the audit, and providing management and
those charged with governance with timely observations and findings throughout the engagement. The
matters that are communicated in writing to the audited agency may include the following: the audit subject
matter, the audit criteria, the level of assurance, the time period for the audit, and the government
undertakings, organizations and/or programs to be included in the audit, i.e. confirming the terms of
engagement. Communicating these matters can help achieve mutual understanding of the audit process
and the audited agency’s operations.

Any significant difficulties encountered during the audit, as well as instances of material noncompliance,
have to be communicated to the appropriate level of management or those charged with governance.
Communicating these helps rectify deviations and any other findings the auditors may
come up with immediately or at an earlier stage, rather than later, when the impact of the finding could be
substantially material and may be difficult to resolve. The auditors may also have a responsibility to
communicate audit-related matters to other users, such as legislative and oversight bodies.

Findings that are not deemed material, or do not warrant inclusion in the auditors’ report, may also be
communicated to management during the audit. Communicating such findings may help the audited agency
to remedy instances of noncompliance and avoid similar instances in the future (ISSAI 4000.100).



FRAMEWORK FOR COMPLIANCE AUDIT PROCESS

SUMMARY

Section 25(2) of PD 1445 provides that one of the objectives of COA is to develop and implement a
comprehensive audit program that shall encompass an examination of financial transactions, accounts, and
reports, including evaluation of compliance with applicable laws and regulations. Thus, COA is mandated
to conduct compliance audit. The conduct of compliance audit shall be in conformance with the standards
provided under ISSAI 4000. COA shall conduct compliance audit, as a stand-alone activity, in accordance
with ISSAI 4000. However, when there are limitations in resources or existing conditions that would prevent
the conduct of compliance audit as a stand-alone activity, then compliance audit in combination with the
audit of financial statements or with performance auditing may be conducted. The auditors, after conducting
audit risk assessment and taking into consideration materiality, shall select the subject matter and the
suitable criteria in accordance with the risks and thrust area cascaded from the COA strategic plan. The
level of assurance shall be reasonable assurance unless the needs of identified intended user(s) require
limited assurance. As regards the type of engagement, compliance audit engagements shall be direct
reporting, except when the end user(s) would require that an attestation engagement be conducted in
accordance with existing agreements.
