PUBLIC SECTOR AUDITS
Public sector audits are governed by International Standards on Supreme Audit Institutions (ISSAI) which are developed by International Organization of Supreme Audit Institutions (INTOSAI)
All public-sector audits start from objectives, which may differ depending on the type of audit
being conducted. However, all public-sector auditing contributes to good governance by:
- providing the intended users with independent, objective and reliable information, conclusions or opinions based on sufficient and appropriate evidence relating to public entities;
- enhancing accountability and transparency, encouraging continuous improvement and sustained confidence in the appropriate use of public funds and assets and the performance of public administration;
- reinforcing the effectiveness of those bodies within the constitutional arrangement that exercise general monitoring and corrective functions over government, and those responsible for the management of publicly-funded activities;
- creating incentives for change by providing knowledge, comprehensive analysis and well- founded recommendations for improvement.
In general, public-sector audits can be categorised into one or more of three main types: audits of financial statements, audits of compliance with authorities and performance audits. The objectives of any given audit will determine which standards apply.
Types of public-sector audit
The three main types of public-sector audit are defined as follows:
- financial audits
Financial audit focuses on determining whether an entity’s financial information is presented in accordance with the applicable financial reporting and regulatory framework. This is accomplished by obtaining sufficient and appropriate audit evidence to enable the auditor to express an opinion as to whether the financial information is free from material misstatement due to fraud or error.
- Performance audits
Performance audit focuses on whether interventions, programmes and institutions are performing in accordance with the principles of economy, efficiency and effectiveness and whether there is room for improvement. Performance is examined against suitable criteria, and the causes of deviations from those criteria or other problems are analysed. The aim is to answer key audit questions and to provide recommendations for improvement.
- Compliance audits
Compliance audit focuses on whether a particular subject matter is in compliance with authorities identified as criteria. Compliance auditing is performed by assessing whether activities, financial transactions and information are, in all material respects, in compliance with the authorities which govern the audited entity. These authorities may include rules, laws and regulations, budgetary resolutions, policy, established codes, agreed terms or the general principles governing sound public-sector financial management and the conduct of public officials.
SAIs may carry out audits or other engagements on any subject of relevance to the responsibilities of management and those charged with governance and the appropriate use of public resources. These engagements may include reporting on the quantitative outputs and outcomes of the entity’s service delivery activities, sustainability reports, future resource requirements, adherence to internal control standards, real-time audits of projects or other matters. SAIs may also conduct combined audits incorporating financial, performance and/or compliance aspects.
ELEMENTS OF PUBLIC-SECTOR AUDITING
Public-sector auditing is indispensable for the public administration, as the management of public resources is a matter of trust. Responsibility for the management of public resources in line with intended purposes is entrusted to an entity or person who acts on behalf of the public.
Public-sector auditing enhances the confidence of the intended users by providing information and independent and objective assessments concerning deviations from accepted standards or principles of good governance.
All public-sector audits have the same basic elements: the auditor, the responsible party, intended users (the three parties to the audit), criteria for assessing the subject matter and the resulting subject matter information. They can be categorised as two different types of audit engagement: attestation engagements and direct reporting engagements.
The three parties
Public-sector audits involve at least three separate parties: the auditor, a responsible party and intended users. The relationship between the parties should be viewed within the context of the specific constitutional arrangements for each type of audit.
- The auditor: In public-sector auditing the role of auditor is fulfilled by the Head of the SAI and by persons to whom the task of conducting the audits is delegated. The overall responsibility for public-sector auditing remains as defined by the SAI’s mandate.
- The responsible party: In public-sector auditing the relevant responsibilities are determined by constitutional or legislative arrangement. The responsible parties may be responsible for the subject matter information, for managing the subject matter or for addressing recommendations, and may be individuals or organisations.
- Intended users: The individuals, organisations or classes thereof for whom the auditor prepares the audit report. The intended users may be legislative or oversight bodies, those charged with governance or the general public.
Subject matter, criteria and subject matter information
Subject matter refers to the information, condition or activity that is measured or evaluated against certain criteria. It can take many forms and have different characteristics depending on the audit objective. An appropriate subject matter is identifiable and capable of consistent evaluation or measurement against the criteria, such that it can be subjected to procedures for gathering sufficient and appropriate audit evidence to support the audit opinion or conclusion.
The criteria are the benchmarks used to evaluate the subject matter. Each audit should have criteria suitable to the circumstances of that audit. In determining the suitability of criteria the auditor considers their relevance and understandability for the intended users, as well as their completeness, reliability and objectivity (neutrality, general acceptance and comparability with the criteria used in similar audits).. The criteria used may depend on a range of factors, including the objectives and the type of audit. Criteria can be specific or more general, and may be drawn from various sources, including laws, regulations, standards, sound principles and best practices. They should be made available to the intended users to enable them to understand how the subject matter has been evaluated or measured.
Subject matter information refers to the outcome of evaluating or measuring the subject matter against the criteria. It can take many forms and have different characteristics depending on the audit objective and audit scope.
Types of engagement
There are two types of engagement.
- In attestation engagements the responsible party measures the subject matter against the criteria and presents the subject matter information, on which the auditor then gathers sufficient and appropriate audit evidence to provide a reasonable basis for expressing a conclusion.
- In direct reporting engagements it is the auditor who measures or evaluates the subject matter against the criteria. The auditor selects the subject matter and criteria, taking into consideration risk and materiality. The outcome of measuring the subject matter against the criteria is presented in the audit report in the form of findings, conclusions, recommendations or an opinion. The audit of the subject matter may also provide new information, analyses or insights.
Financial audits are always attestation engagements, as they are based on financial information presented by the responsible party. Performance audits are normally direct reporting engagements. Compliance audits may be attestation or direct reporting engagements, or both at once. The following constitute the subject matter or the subject matter information in the three types of audit covered by the ISSAIs.
- Financial audit: The subject matter of a financial audit is the financial position, performance, cash flow or other elements which are recognised, measured and presented in financial statements. The subject matter information is the financial statements.
- Performance audit: The subject matter of a performance audit is defined by the audit objectives and audit questions. The subject matter may be specific programmes, entities or funds or certain activities (with their outputs, outcomes and impacts), existing situations (including causes and consequences) as well as non-financial or financial information about any of these elements. The auditor measures or evaluates the subject matter to assess the extent to which the established criteria have or have not been met.
- Compliance audit: The subject matter of a compliance audit is defined by the scope of the audit. It may be activities, financial transactions or information. For attestation engagements on compliance it is more relevant to focus on the subject matter information, which may be a statement of compliance in accordance with an established and standardised reporting framework.
Confidence and assurance in public-sector auditing
The need for confidence and assurance
The intended users will wish to be confident about the reliability and relevance of the information which they use as the basis for taking decisions. Audits therefore provide information based on sufficient and appropriate evidence, and auditors should perform procedures to reduce or manage the risk of reaching inappropriate conclusions. The level of assurance that can be provided to the intended user should be communicated in a transparent way. Due to inherent limitations, however, audits can never provide absolute assurance.
Forms of providing assurance
Depending on the audit and the users’ needs, assurance can be communicated in two ways:
- Through opinions and conclusions which explicitly convey the level of assurance. This applies to all attestation engagements and certain direct reporting engagements.
- In other forms. In some direct reporting engagements the auditor does not give an explicit statement of assurance on the subject matter. In such cases the auditor provides the users with the necessary degree of confidence by explicitly explaining how findings, criteria and conclusions were developed in a balanced and reasoned manner, and why the combinations of findings and criteria result in a certain overall conclusion or recommendation.
Levels of assurance
Assurance can be either reasonable or limited.
Reasonable assurance is high but not absolute. The audit conclusion is expressed positively, conveying that, in the auditor’s opinion, the subject matter is or is not compliant in all material respects, or, where relevant, that the subject matter information provides a true and fair view, in accordance with the applicable criteria.
When providing limited assurance, the audit conclusion states that, based on the procedures performed, nothing has come to the auditor’s attention to cause the auditor to believe that the subject matter is not in compliance with the applicable criteria. The procedures performed in a limited assurance audit are limited compared with what is necessary to obtain reasonable assurance, but the level of assurance is expected, in the auditor’s professional judgement, to be meaningful to the intended users.
PRINCIPLES OF PUBLIC-SECTOR AUDITING
The principles detailed below are fundamental to the conduct of an audit. Auditing is a cumulative and iterative process. However, for the purposes of presentation the fundamental principles are grouped by principles related to the SAI’s organisational requirements, general principles that the auditor should consider prior to commencement and at more than one point during the audit and principles related to specific steps in the audit process. Areas covered by the principles for public-sector auditing
GENERAL PRINCIPLES PRINCIPLES RELATED TO THE AUDIT PROCESS
General principles
Ethics and independence. Auditors should comply with the relevant ethical requirements and be independent Ethical principles should be embodied in an auditor’s professional behaviour. The SAIs should have policies addressing ethical requirements and emphasising the need for compliance by each auditor. Auditors should remain independent so that their reports will be impartial and be seen as such by the intended users. Auditors can find guidance on independence in the ISSAI 10 – Mexico Declaration on SAI Independence. Guidance on the key ethical principles of integrity, objectivity, professional competence and due care, confidentiality and professional behaviour are defined in ISSAI 30 – Code of Ethics.
Professional judgement, due care and scepticism . Auditors should maintain appropriate professional behaviour by applying professional scepticism, professional judgment and due care throughout the audit The auditor’s attitude should be characterised by professional scepticism and professional judgement, which are to be applied when forming decisions about the appropriate course of action. Auditors should exercise due care to ensure that their professional behaviour is appropriate. Professional scepticism means maintaining professional distance and an alert and questioning attitude when assessing the sufficiency and appropriateness of evidence obtained throughout the audit. It also entails remaining open-minded and receptive to all views and arguments. Professional judgement implies the application of collective knowledge, skills and experience to the audit process. Due care means that the auditor should plan and conduct audits in a diligent manner. Auditors should avoid any conduct that might discredit their work..
Quality control
Auditors should perform the audit in accordance with professional standards on quality control An SAI’s quality control policies and procedures should comply with professional standards, the aim being to ensure that audits are conducted at a consistently high level. Quality control procedures should cover matters such as the direction, review and supervision of the audit process and the need for consultation in order to reach decisions on difficult or contentious matters. Auditors can find additional guidance in ISSAI 40 – Quality Control for SAIs.
Audit team management and skills . Auditors should possess or have access to the necessary skills The individuals in the audit team should collectively possess the knowledge, skills and expertise necessary to successfully complete the audit. This includes an understanding and practical experience of the type of audit being conducted, familiarity with the applicable standards and legislation, an understanding of the entity’s operations and the ability and experience to exercise professional judgement. Common to all audits is the need to recruit personnel with suitable qualifications, offer staff development and training, prepare manuals and other written guidance and instructions concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain their professional competence through ongoing professional development. Where relevant or necessary, and in line with the SAI’s mandate and the applicable legislation, the auditor may use the work of internal auditors, other auditors or experts. The auditor’s procedures should provide a sufficient basis for using the work of others, and in all cases the auditor should obtain evidence of other auditors’ or experts’ competence and independence and the quality of the work performed. However, the SAI has sole responsibility for any audit opinion or report it might produce on the subject matter; that responsibility is not reduced by its use of work done by other parties. The objectives of internal audit are different from those of external audit. However, both internal and external audit promote good governance through contributions to transparency and accountability for the use of public resources, as well as economy, efficiency and effectiveness in public administration. This offers opportunities for coordination and cooperation and the possibility of eliminating duplication of effort. Some SAIs use the work of other auditors at state, provincial, regional, district or local level, or of public accounting firms that have completed audit work related to the audit objective. Arrangements should be made to ensure that any such work was carried out in accordance with public-sector auditing standards. Audits may require specialised techniques, methods or skills from disciplines not available within the SAI. In such cases experts may be used to provide knowledge or carry out specific tasks or for other purposes.
Audit risk .
Auditors should manage the risks of providing a report that is inappropriate in the circumstances of the audit The audit risk is the risk that the audit report may be inappropriate. The auditor performs procedures to reduce or manage the risk of reaching inappropriate conclusions, recognising that the limitations inherent to all audits mean that an audit can never provide absolute certainty of the condition of the subject matter. When the objective is to provide reasonable assurance, the auditor should reduce audit risk to an acceptably low level given the circumstances of the audit. The audit may also aim to provide limited assurance, in which case the acceptable risk that criteria are not complied with is greater than in a reasonable assurance audit. A limited assurance audit provides a level of assurance that, in the auditor’s professional judgment, will be meaningful to the intended users.
Materiality
. Auditors should consider materiality throughout the audit process Materiality is relevant in all audits. A matter can be judged material if knowledge of it would be likely to influence the decisions of the intended users. Determining materiality is a matter of professional judgement and depends on the auditor’s interpretation of the users’ needs. This judgement may relate to an individual item or to a group of items taken together. Materiality is often considered in terms of value, but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs. Materiality considerations affect decisions concerning the nature, timing and extent of audit procedures and the evaluation of audit results. Considerations may include stakeholder concerns, public interest, regulatory requirements and consequences for society.
Documentation
Auditors should prepare audit documentation that is sufficiently detailed to provide a clear understanding of the work performed, evidence obtained and conclusions reached Audit documentation should include an audit strategy and audit plan. It should record the procedures performed and evidence obtained and support the communicated results of the audit. Documentation should be sufficiently detailed to enable an experienced auditor, with no prior knowledge of the audit, to understand the nature, timing, scope and results of the procedures performed, the evidence obtained in support of the audit conclusions recommendations, the reasoning behind all significant matters that required the exercise of professional judgement, and the related conclusions.
Communication
Auditors should establish effective communication throughout the audit process It is essential that the audited entity be kept informed of all matters relating to the audit. This is key to developing a constructive working relationship. Communication should include obtaining information relevant to the audit and providing management and those charged with governance with timely observations and findings throughout the engagement. The auditor may also have a responsibility to communicate audit-related matters to other stakeholders, such as legislative and oversight bodies.
Principles related to the audit process
- Planning an audit
Auditors should ensure that the terms of the audit have been clearly established Audits may be required by statute, requested by a legislative or oversight body, initiated by the SAI or carried out by simple agreement with the audited entity. In all cases the auditor, the audited entity’s management, those charged with governance and others as applicable should reach a common formal understanding of the terms of the audit and their respective roles and responsibilities.
Important information may include the subject, scope and objectives of the audit, access to data, the report that will result from the audit, the audit process, contact persons, and the roles and responsibilities of the different parties to the engagement.
Auditors should obtain an understanding of the nature of the entity/programme to be audited
This includes understanding the relevant objectives, operations, regulatory environment, internal controls, financial and other systems and business processes, and researching the potential sources of audit evidence. Knowledge can be obtained from regular interaction with management, those charged with governance and other relevant stakeholders. This may mean consulting experts and examining documents (including earlier studies and other sources) in order to gain a broad understanding of the subject matter to be audited and its context.
Auditors should conduct a risk assessment or problem analysis and revise this as necessary in response to the audit findings
The nature of the risks identified will vary according to the audit objective. The auditor should consider and assess the risk of different types of deficiencies, deviations or misstatements that may occur in relation to the subject matter. Both general and specific risks should be considered. This can be achieved through procedures that serve to obtain an understanding of the entity or programme and its environment, including the relevant internal controls. The auditor should assess the management’s response to identified risks, including its implementation and design of internal controls to address them. In a problem analysis the auditor should consider actual indications of problems or deviations from what should be or is expected. This process involves examining various problem indicators in order to define the audit objectives. The identification of risks and their impact on the audit should be considered throughout the audit process.
Auditors should identify and assess the risks of fraud relevant to the audit objectives
Auditors should make enquiries and perform procedures to identify and respond to the risks of fraud relevant to the audit objectives. They should maintain an attitude of professional scepticism and be alert to the possibility of fraud throughout the audit process.
Auditors should plan their work to ensure that the audit is conducted in an effective and efficient manner
Planning for a specific audit includes strategic and operational aspects. Strategically, planning should define the audit scope, objectives and approach. The objectives refer to what the audit is intended to accomplish. The scope relates to the subject matter and the criteria which the auditors will use to assess and report on the subject matter, and is directly related to the objectives. The approach will describe the nature and extent of the procedures to be used for gathering audit evidence. The audit should be planned to reduce audit risk to an acceptably low level.
Operationally, planning entails setting a timetable for the audit and defining the nature, timing and extent of the audit procedures. During planning, auditors should assign the members of their team as appropriate and identify other resources that may be required, such as subject experts. Audit planning should be responsive to significant changes in circumstances and conditions. It is an iterative process that takes place throughout the audit.
- Conducting an audit
.Auditors should perform audit procedures that provide sufficient appropriate audit evidence to support the audit report
The auditor’s decisions on the nature, timing and extent of audit procedures will impact on the evidence to be obtained. The choice of procedures will depend on the risk assessment or problem analysis. Audit evidence is any information used by the auditor to determine whether the subject matter complies with the applicable criteria. Evidence may take many forms, such as electronic and paper records of transactions, written and electronic communication with outsiders, observations by the auditor, and oral or written testimony by the audited entity. Methods of obtaining audit evidence can include inspection, observation, inquiry, confirmation, recalculation, reperformance, analytical procedures and/or other research techniques.
Evidence should be both sufficient (quantity) to persuade a knowledgeable person that the findings are reasonable, and appropriate (quality) – i.e. relevant, valid and reliable.
The auditor’s assessment of the evidence should be objective, fair and balanced. Preliminary findings should be communicated to and discussed with the audited entity to confirm their validity. The auditor must respect all requirements regarding confidentiality. Auditors should evaluate the audit evidence and draw conclusions After completing the audit procedures, the auditor will review the audit documentation in order to determine whether the subject matter has been sufficiently and appropriately audited.
Before drawing conclusions, the auditor reconsiders the initial assessment of risk and materiality in the light of the evidence collected and determines whether additional audit procedures need to be performed. The auditor should evaluate the audit evidence with a view to obtaining audit findings. When evaluating the audit evidence and assessing materiality of findings the auditor should take both quantitative and qualitative factors into consideration. Based on the findings, the auditor should exercise professional judgement to reach a conclusion on the subject matter or subject matter information.
- Reporting and follow-up
Auditors should prepare a report based on the conclusions reached
The audit process involves preparing a report to communicate the results of the audit to stakeholders, others responsible for governance and the general public. The purpose is also to facilitate follow-up and corrective action. In some SAIs, such as courts of audit with jurisdictional authority, this may include issuing legally binding reports or judicial decisions
Reports should be easy to understand, free from vagueness or ambiguity and complete. They should be objective and fair, only including information which is supported by sufficient and appropriate audit evidence and ensuring that findings are put into perspective and context. The form and content of a report will depend on the nature of the audit, the intended users, the applicable standards and legal requirements. The audit report should explain how the evidence obtained was used and why the resulting conclusions were drawn. This will enable it to provide the intended users with the necessary degree of confidence. Opinion When an audit opinion is used to convey the level of assurance, the opinion should be in a standardised format.
The opinion may be unmodified or modified. An unmodified opinion is used when either limited or reasonable assurance has been obtained.
A modified opinion may be:
- Qualified (except for) – where the auditor disagrees with, or is unable to obtain sufficient and appropriate audit evidence about, certain items in the subject matter which are, or could be, material but not pervasive;
- Adverse – where the auditor, having obtained sufficient and appropriate audit evidence, concludes that deviations or misstatements, whether individually or in the aggregate, are both material and pervasive;
- Disclaimed – where the auditor is unable to obtain sufficient and appropriate audit evidence due to an uncertainty or scope limitation which is both material and pervasive. Where the opinion is modified the reasons should be put in perspective by clearly explaining, with reference to the applicable criteria, the nature and extent of the modification. Depending on the type of audit, recommendations for corrective action and any contributing internal control deficiencies may also be included in the report. Follow-up SAIs have a role in monitoring action taken by the responsible party in response to the matters raised in an audit report. Follow-up focuses on whether the audited entity has adequately addressed the matters raised, including any wider implications. Insufficient or unsatisfactory action by the audited entity may call for a further report by the SAI.