Financial Audit iCAT A mapping tool for ISSAI Implementation

Draft Version 1 December 2012

iCAT: Financial Audit

How to read this document

The ISSAI Compliance Assessment Tool (iCAT) is detailed drilled down tool, based entirely on the ISSAIs at level 2 and level 4 of the ISSAI framework. This tool is meant to assist SAIs in mapping their current audit practices to ISSAI requirements, so that they can identify their needs for ISSAI implementation.

This document is divided into seven chapters. The first chapter explains briefly the ISSAIs, the ISSAI framework and the format of the iCAT. The ISSAI requirements at level 2 of the ISSAI framework are detailed in Chapter 2. This chapter needs to be read with Annexe 1. Chapters 3 to 6 contain detailed guidance on how to assess the current audit practice against each ISSAI requirement for financial audit at level 4 of the ISSAI framework. For the purpose of assessing current audit practice, the ISSAI requirements at level 4 have been categorised as per the stages of a financial audit process. These chapters should be read with Annexe 2 that contains all ISSAI requirements at level 4. The last chapter provides guidance on writing a report based on the use of the iCAT. This report would be necessary for the SAI management to formulate its strategy for ISSAI implementation.

This is the first draft version of the guidance document. It is still work in progress. Your comments, suggestions and feedback will help the project team in further refining this tool and making it more relevant and useful for all stakeholders.

iCAT: Financial Audit

Table of Content:

Chapter Topic Page no. 1. Implementing ISSAIs and Introduction to ISSAI Compliance 4 Assessment Tools (iCATs)

2. Understanding the Prerequisites for Robust Audit 20 Practices – ISSAIs at level 2 and Ascertain Status on Level 2 ISSAI Requirements

3. Pre-engagement 29

4. Planning an Audit of Financial Statement 44

5. Fieldwork 58

6. Conclusion and Reporting 69

7. Writing the ISSAI Compliance Assessment Report 80

iCAT: Financial Audit

Chapter 1

Implementing ISSAIs and Introduction to ISSAI Compliance Assessment Tools (iCATs)

Introduction

The International Organization of Supreme Audit Institutions (INTOSAI), the umbrella organization for the external auditing community, has, since it was founded in 1953, developed and improved public sector auditing worldwide. Standards, guidelines and best practices are developed under the auspices of three of INTOSAI’s standing committees, the Professional Standards Committee (PSC), the Knowledge Sharing Committee (KSC) and the Capacity Building Committee (CBC). The adoption of a comprehensive set of International Standards for Supreme Audit Institutions (ISSAIs) at the 2010 INTOSAI Congress gives INTOSAI members an updated framework of international standards, guidelines and best practices for public sector auditing. The standards are of significant value for member SAIs as well as providing a common frame of reference for public sector auditing. In 2010 INTOSAI identified the implementation of the International Standards for Supreme Audit Institutions (ISSAIs) framework as a key strategic priority for the coming years.

In line with the Lima and Mexico Declarations and recognizing the independence of each individual INTOSAI member to determine its own approach consistent with national legislation, through the Johannesburg Accords the XX INCOSAI called upon INTOSAI members to use the ISSAI framework as a common frame of reference. In addition SAIs were encouraged to implement the ISSAIs in accordance with their mandate and national legislation and to measure their own performance and auditing guidance against the ISSAIs.

The implementation of the ISSAI framework is a demanding task that requires attention at global, regional and country levels.

The INTOSAI Strategic Plan and the ISSAI Rollout Model approved by INTOSAI Governing Board in October 2011 mandated the IDI to ‘support ISSAI Implementation’. In keeping with this mandate the IDI has launched a comprehensive capacity development programme called the ISSAI Implementation Initiative (3i programme).

In this chapter we will provide brief information on the ISSAI Framework, discuss strategic considerations that an SAI needs to think of in implementing ISSAIs, the process of ISSAI implementation and also introduce you to the ISSAI Compliance Assessment Tool. In this chapter we will get a brief overview of

4 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit the ISSAI Compliance Assessment Tool (iCAT) in terms of its purpose, format and some broad principles on how to use the tool.

ISSAI Framework

INTOSAI issues two sets of professional standards: The International Standards of Supreme Audit Institutions (ISSAIs) and the INTOSAI Guidance for Good Governance (INTOSAI GOV).

The ISSAIs and INTOSAI GOVs convey the generally recognized principles and shared professional experiences of the international community of Supreme Audit Institutions. All ISSAIs and INTOSAI GOVs are developed and maintained in accordance with the Due Process for INTOSAI’s Professional Standards and issued after a decision of final endorsement by all Supreme Audit Institutions at INTO-SAI’s congress (INCOSAI).

The ISSAIs aim to safeguard independent and effective auditing and support the members of INTOSAI in the development of their own professional approach on the basis of their specific mandate.

The ISSAIs form a hierarchy of official pronouncements with four levels:

Level 1 - Founding Principles (ISSAI 1)

Level 1 of the ISSAI framework contains the founding principles of INTOSAI. ISSAI 1 The Lima Declaration from 1977 calls for the establishment of effective Supreme Audit Institutions and provide guide-lines on auditing precepts. The full set of ISSAIs draw and elaborate on this historical document.

Level 2 - Prerequisites for the Functioning of Supreme Audit Institutions (ISSAIs 10-99)

The Prerequisites for the Functioning of Supreme Audit Institutions contain INTOSAI’s pronouncements on the necessary preconditions for the proper functioning and professional conduct of Supreme Audit Institutions. These include principles and guidance on independence, transparency and accountability, ethics and quality control. The prerequisites may concern the institution’s mandate and further legislation as well as the established procedures and daily practices of the organization and its staff. By issuing pronouncements on these generally accepted prerequisites, INTOSAI aims to advance sound principles for the effective functioning of public sector auditing on an international level. 2/2

Level 3 - Fundamental Auditing Principles (ISSAIs 100-999)

The PSC Harmonisation Project is drafting new ISSAIs 100, 200, 300 and 400 on Level 3 of the ISSAI framework. You can read more about the project at www.psc-intosai.org

Level 4 - Auditing Guidelines (ISSAIs 1000-5999)

The Auditing Guidelines translate the fundamental auditing principles into more specific, detailed and operational guidelines that can be used on a daily basis in the conduct of auditing tasks. The purpose of the guidelines is to provide a basis for the standards and manuals on public sector auditing which may be applied by the individual members of INTOSAI. Each guideline has a defined scope of application and may be adopted in full or adapted as necessary to reflect the individual circumstances of the jurisdiction. Such

5 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit circumstances may include the legal mandate and further strategies and capacity of the Supreme Audit Institution as well as the specific purpose and character of the audit assignments. Some of the level 4 guidelines include specific requirements related to authority. The General auditing guidelines (ISSAIs 1000-4999) contain the recommended requirements of financial, performance and compliance auditing and provide further guidance to the auditor. They are developed and continuously updated by specialized subcommittees and define the internationally recognized best current practice within their general scope of application. The Guidelines on specific subjects (ISSAIs 5000-5999) pro-vide supplementary guidance on specific subject matters or other important issues which may require the special attention of Supreme Audit Institutions. These guidelines express the key lessons resulting from the sharing of knowledge and good practices among INTOSAI’s experts.

Why should an SAI consider implementing ISSAIs?

Before any SAI takes on the onerous task of implementing the ISSAIs, a question that would come to mind is ‘what possible benefit can the SAI get from taking on such a project’. It is important for the SAI top management to answer this question and be convinced about the answer before plunging into ISSAI implementation. The draft CBC guidance on Implementing the ISSAIs – Strategic Considerations lists the following three benefits

Quality - Carrying out audits in accordance with globally accepted standards will ensure a certain level of quality and consistency in audits. All SAIs strive to earn the trust of citizens and stakeholders alike. Applying internationally accepted standards in audits is one important step in the direction of earning this trust. A high-quality standard will reduce auditor’s risk. The credibility of all audit organizations is built on the quality achieved in its audits. The use of globally accepted standards will simplify benchmarking, regional quality assurance initiatives and peer reviews as well as the sharing of experiences in other ways. Using similar audit methods in different countries can inspire organizations to continuous improvement.

Credibility - Using globally accepted standards will strengthen the credibility of both the audit organization and its auditors. External stakeholders will gain increased confidence and trust in the work of auditors using globally accepted standards. The results and conclusions of an audit conducted in accordance with globally accepted standards can stand external scrutiny. The transparency provided by using standards well-known to audited organizations and other stakeholders also leads to increased credibility of the audit results. Increase in credibility will help SAIs engage with their stakeholders for improved institutional framework and stronger audit mandates.

6 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Professionalism - Standards form the basis for professionalization of auditors and audit organizations by providing a structured process for the audit work. Common standards can improve opportunities for exchange of professional views and experiences across national and sector borders. Joint training activities and sharing experiences will be easier if auditors apply the same set of professional standards. Globally accepted standards also provide a common language between public and private sector auditors in areas of similar responsibilities. Applying globally accepted standards will strengthen the audit profession in general.

Strategic Considerations in Implementing ISSAIs

If an SAI decides to implement ISSAIs, it is recommended that they may like to think of the following considerations

1. Implementing ISSAIs involves institutional, organisational and professional staff capacity development – As you have seen above the ISSAI framework operates at both the SAI and the individual audit level. As such it encompasses not only all functions in an SAI, but also covers the institutional framework within which the SAI operates. While considering ISSAI implementation the SAI management would need to put in place strategies that cover all three aspects. E.g. if the SAI management is considering ISSAI compliance in its performance audit function, it would not be enough to just train SAI staff in performance audit ISSAIs. The SAI would need to look at introduce changes in its performance audit practice at an organisational level. It would need to consider issues like appropriate mandate, competent staff, ethical considerations, audit methodology and quality control. 2. ISSAI Implementation, Strategic Planning and SAI Capacity Development may not be different process – We believe that implementing ISSAIs, developing and implementing a strategy to achieve a vision and developing capacity of the SAI are all different aspects of one and same process. It is important for the SAI leadership to understand and integrate these processes and not to start separate processes that may lead to duplication. 3. Role of SAI Leadership – SAI leadership needs to play a defining role in implementing ISSAIs. Creating a conducive culture and environment, formulating a strategy for implementation, engaging with internal and external stakeholders and putting in place a robust monitoring and evaluation mechanism are some of the key roles for SAI leadership. 4. Leading and Managing change – One important aspect of ISSAI Implementation is change management. As discussed earlier, ISSAI implementation would imply a relook and possible changes in all areas of functioning in an SAI. This can create uncertainty, fear and resistance in SAI staff. The

7 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

SAI management and leadership needs to carefully consider the implications of change and think of measure to manage change. Raising awareness of ISSAIs, adopting a participatory approach to the implementation process, creating champions for ISSAI implementation, providing opportunities for acquiring required knowledge and skills could be some of the change management strategies that an SAI employ. 5. SAI environment - Regardless of whether a SAI decides to implement the ISSAIs for financial, compliance, or performance audit, the organisation needs to take into consideration both its internal and external conditions. The importance of different conditions may vary depending on what ISSAIs are being implemented. However, accounting and financial management systems, access to necessary information, relations to parliament and other stakeholders as well as the country’s audit culture are relevant to all audit tasks. These conditions may provide opportunities or limitations which will influence the implementation of ISSAIs. If the SAI is considering introducing new audit tasks in accordance with the ISSAIs, it is important to ensure that the SAI has the required mandate and all legal prerequisites are in place. Furthermore, it is important to ensure that there is an appropriate and functioning recipient of audit results. Introducing new audit standards and practices will not only affect the SAI, but also the audited organizations and the parliament. It is therefore very important to consider when and how to communicate with external stakeholders to ensure a smooth implementation process. Informing stakeholders of the motives behind and benefits of the introduction of new standards is very important in order to create a supportive environment for audits in accordance with ISSAIs.

6. Stakeholder Expectations – In deciding on the implementation path to be followed an SAI should ascertain and consider the expectations that its clients and external stakeholders have. 7. Impact of implementation - It is important to differentiate ISSAI requirements that will create a paradigm shift in the audit practice, from those that might only involve changes in some procedures. 8. Resources required – If the ISSAIs are to be implemented and its requirements followed, an SAI would require considerable resources in terms of funds, systems, people etc. While developing a strategy the SAI should develop an implementation matrix where it details its plan for putting in place the required resources.

Process of ISSAI Implementation

In our view an ISSAI Implementation Process is the same as a strategic planning process. We would recommend the following stages in the implementation process

8 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

•The first step for a SAI is to ascertain ISSAI requirements ,assess the status of the SAI vis a vis the requirements , the causes for non compliance and SAI needs in order to be compliant. The end product of Assessing Compliance this stage would be an ISSAI Compliance Assessment Report. Needs

•Based on the issues and causes identified in the ISSAI Complaince Assessment report, the SAI management should determine a n implementation strategy that articluates its vision and goals for ISSAI Develop ISSAI implementation and the strategy that the SAI will employ to reach the Implementation goals. A broad based participatory approach is recommended. Strategy

• The SAI leadership should put in place a mechanism for implementing its strategy. It is advisable that this mechanism be integrated with the line function of the SAI and not run parallel to these fucntions. The SAI would Implement be required to do things differently rather that different thiings. Strategy

•The SAI needs to have a regualr mechanism for monitoring implementation acitivties and managing implementation risks . The SAI should also provide for periodic evaluation of its ISSAI implementation Monitor and Evaluate efforts. The lessons learned in implementation would help the SAI in & Lessons Learned enhancing its future implementation efforts.

•The SAI should report on the extent of its achievements in a overall performance report to its stakeholders. Report on Performance

9 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Introduction to ISSAI Compliance Assessment Tool (iCAT)

As mentioned in the previous section, the first step in implementing ISSAIs is assessing the SAI’s present level of compliance. This is done by comparing its audit practices to the requirements recommended by the ISSAIs. In order to assist the SAIs in assessing their compliance needs the IDI has developed ISSAI Compliance Assessment Tools. A tool set of four iCATs have been developed. They are

1. iCAT for Level 2 ISSAIs 2. iCAT for Level 4 Financial Audit ISSAIs 3. iCAT for Level 4 Performance Audit ISSAIs 4. iCAT for Level 4 Compliance Audit ISSAIs The purpose of the iCATs is to present the ISSAI requirements in a simple form and define a process for assessing compliance iCAT Format

While the individual iCATs may have some variation in their formats, depending on the nature of the level 4 ISSAIs, all the iCATS have the following common components

ISSAI ISSAI Status of Mechanism / Reasons for non Reference Requirement Compliance Instrument of compliance Compliance This column This column Three options are In this column the When the status of references the contains the available for status person compliance is not met ISSAI ISSAI of compliance conducting the or partially met, the requirement requirement Met – To be selected iCAT should reasons for non to the ISSAI in a brief form. when the mention the compliance should be requirement is specific recorded here. This entirely met document, column is important in Partially Met – This provision, system determining future option covers the through which implementation entire gamut from the SAI complies strategy, which will where the SAI has with the ISSAI involve addressing the just started requirement. This reasons for non implementation of column will be compliance this requirement, it filled in when the has some elements status of of compliance in compliance is met place, it has a large or partially met extent of compliance in place but is not entirely complaint, Not met – The SAI

10 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

does not comply with the requirement at all Not applicable – The requirement is not applicable to the SAI due the laws and regulations that govern it.

Guiding Principles for conducting an iCAT iCAT is not an evaluation tool – The iCATs formulated as a part of the 3i programme aim to help SAIs in understanding ISSAI requirements and assessing their needs for complying with ISSAIs. The iCAT is thus formulated as a needs assessment tool rather than an evaluation tool.

Scope of the iCAT - As a part of the 3i programme four iCATs has been developed. Level 2 ISSAIs iCAT, Financial Audit Level 4 iCAT, Performance Audit Level 4 iCAT, Compliance Audit Level 4 iCAT. As far as possible, it is better to conduct all four iCATs so that a consolidated strategy can be developed for implementation of ISSAIs. However, if that is not feasible in an SAI, then it is recommended that the SAI conduct the level 2 iCAT along with the level four iCAT of the chosen audit stream. This is because, the compliance gaps identified at audit level (level 4) would invariably have their reasons at the institutional level (level 2).

Who can conduct an iCAT – If the SAI has adequate capacity it can decide to conduct its own iCATs. An SAI may also ask for external support in helping it conduct the iCAT. It is envisaged that the pool of ISSAI facilitators created as a part of the 3i programme will help their own SAIs, as well as other SAIs in the regions conduct iCATs. For the purpose of objectivity an SAI may also exercise the choice of having the iCAT conducted by an external team from the region. iCAT team - Whatever the approach the SAI selects, it is recommended that the iCAT be used by a team and not a single person. Forming a competent and credible needs iCAT team is the first step to be taken. The iCAT team should consist of at least one trained ISSAI facilitator. Team members must have managerial backgrounds so that they have a good organisational overview and necessary influence in subsequent implementation. Besides members who have a good understanding of SAI level issues ( level 2 ISSAIs), the team should also have members who are well conversant with the relevant audit practice as defined in the ISSAIs and as actually practiced in the SAI.

11 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Participatory Approach - A broad-based consultative process is recommended for conducting iCATs. It is important for the iCAT team to consult with a cross section of SAI staff across various levels. Staff from different levels and different areas of the SAI should be consulted in this process and their views should be given due weight in iCAT. External stakeholders’ views and needs should also be taken into account. The involvement ranges from providing information or opinion to having an integral part on making decisions on needs and priorities. The more people feel they are involved, the greater the ownership and thus effectiveness of the results. If the SAI management is able to facilitate ownership for the process at the iCAT stage itself, the subsequent stages of developing and implementing an ISSAI strategy will have greater acceptance in the SAI.

Top and senior management support – The success of the iCAT is highly dependent on the level of commitment at high levels in the SAI. The SAI management should insist on knowing the situation and the needs as they are. The SAI management should also ensure that the iCAT team has the required resources to conduct the iCAT.

Documentation – The iCAT team should systematically document all the working papers and the evidence that it generates in filling out the iCAT format. Besides helping the team in later compiling its ISSAI Compliance Assessment Report, documentation will also be helpful in illustrating the finding of the iCAT to the SAI management and help future iCAT teams in conducting similar exercises.

Process of conducting an iCAT

Writing ISSAI Gathering data Planning the Compliance Planning the to fill in the iCAT Assessment format iCAT – Like any Report other project, conducting an iCAT would require resources in terms of financial resources, infrastructure, time, people etc. It is recommended that the iCAT team prepare an action plan detailing the milestones, the resource requirement and the risks attached to the achievement of each milestone.

Use variety of data gathering tools – In order to gather data to fill in the iCAT format the iCAT team should use a variety of data gathering tools like focus groups, interviews, document review, survey and physical observation. It is important that the tool used is appropriate for gathering valid and relevant information for assessing compliance. For example if the ISSAI facilitator wants to check the extent to which a policy is actually implemented, interviewing people may not be enough, he/she would have to

12 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit review documentation supporting implementation. A table listing the pros and cons of each tool is attached as Annexe 1.

Writing the ISSAI Compliance Assessment Report – The end product of an iCAT is the ISSAI Compliance assessment report. The format of this report and guiding principles while writing this report are contained in the last chapter.

13 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Annexe 1

The following five tools can be used for gathering data to fill the iCAT format. These are:

Document review: Process to gather/organise information contained in various documents to achieve pre-defined objectives.

Interview: Data and information collection procedure in the form of a carefully planned set of questions that is asked through a conversation to obtain in-depth ideas and perceptions on a topic of interest

Focus group: Group of interacting individuals having some common interest or characteristics, brought together by a facilitator, who uses the group and its interaction as a way to gain information about a specific or focused issue. Discussion method centres on key limited questions

Physical observation: Site visit by observers who record what they see/hear on site, using a checklist

Survey: systematic process that uses standardised questionnaires to obtain information from a large number of respondents

This document lists various aspects of these tools in a table.

14 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Tools Purpose Skills required Target When to How to Strengths Limitations conduct conduct / Steps

• Language proficiency • Initial 1. Input • Time • Understand • Provides • Ability to assimilate review-at 2. Proces consuming functioning overview of large amounts of the very sing • Difficult to of SAI SAI, its information beginning 3. Outpu find a skilful • Understand activities and • Speed reading of planning t person environmen the • • Continuous • Lack of tal forces Structured/systematic environment process relevant influencing approach in which it • Analysis, evaluation, as/when written an SAI operates. synthesis need/oppo materials or • Identify • Allows to rtunity availability areas of • Subject matter reduce volume arises of too many focus knowledge of information documents • Identify • Writing skills to be probed • Documents information • Can be a may not

Document Review to be credible match with gathered source of actual • Validate information situation gathered information • Find weaknesses / their causes

15 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Tools Purpose Skills required Target When to How to Strengths Limitations conduct conduct / Steps

• Language fluency Depen • After 1. Planni • Provides • Not To obtain • ds on obtaining ng flexibility to appropriate views/opinions Listening skills the an 2. Condu explore new for of the • Good observation skills intervi understand cting ideas / issues quantitative interviewee on • Discussion leading skills ew ing of the 3. Concl • data development • Time management Facilitates purpo SAI udin • needs of the skills expression of Risk of se: • g SAI, such as; • Ability to remain After diverse gathering • From survey / 4. Docu opinions / unreliable • Key result neutral withi document men ideas information areas • Good writing skills n SAI review ting • Allows • Information • Challenges • Ability to take notes • From respondent to provided to be quickly amo elaborate may not be addressed • Analytical and ng • Allows probing representati • Capacity synthesising skills • Knowledge and exter / clarification ve

building nal • • Susceptible strategies experience on the Facilitates stake common to • Support subject hold understanding interviewer required Interview ers • Provides bias • etc. opportunity to • Difficult to obtain prove sensitive / findings confidential • Not easy to information quantify/ • Provides analyse opportunity to information obtain gathered information • Can be from non- time- verbal consuming communicatio n

16 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Tools Purpose Skills required Target When to How to Strengths Limitations conduct conduct / Steps

Knowledge: • Comp At any stage Before • Group thinking • Difficult to • To gain an osed of the NA Focus process can bring insight into of process: Group: enrich ideas of everyone certain • Group interaction and peopl • before • Define individual together issues dynamics e who other tools purpos participants / • Requires through a • Topics of discussion have are used e quality of financial ‘group somet • In • Specify discussions. and thinking’ hing preparatio particip • Can interact material process Skills: in n for other ants directly with resources comm tools • Develo participants • Limited • Active listening / on on • After p (allow ability to effective summarising some having questio clarification, generalise • Asking questions specifi gathered ns follow-up to larger • Giving feedback ed data • Check questions, populations • Observing behaviours criteri the probing) • May bias • Focusing attention a of settings • Can gain results by • Leading discussions intere information providing • Stimulating and st During from non- cues about sustaining interest • Level verbal what types of Focus responses to of homo supplement responses Attitudes: Group: geneit verbal are y responses. desirable depen • Empathy • Set the • Very flexible • Results may ds on • Acceptance environ be biased by • Flexibility purpo ment dominant/ se of • Not dogmatic, • Set opinionated FG opinionated, rigid, or expecta member • authoritarian Not tions • Data

more • Dealing with another • Ask analysis is than person at his/her pace questio often 12 if • Objectivity and ns and complex discus impartiality get and time- sions Focus Group • Freedom in expressing respons consuming in ideas and opinions es plenar • Displaying faith and • Encoura y trust in the group ge full • As particip many ation as 30 • Keep if the discus group sions on track will • Summa be rize and held close in the sub- session group s After Focus

17 Chapter 1: Implementing ISSAIs and Introduction to iCAT Group: Page

• Make conclusi

iCAT: Financial Audit

Tools Purpose Skills required Target When to How to Strengths Limitations conduct conduct / Steps

• At least two observers • Physic 1. Planni • Reveals real • Not relevant • To verify / • As to maximise al ng conditions of for appraise preliminary objectivity infras 2. Condu natural generalisati SAI’s task before • Observers not tructu cting settings on infrastructur interviews working at the site to re 3. Concl • Time saving • Observer e, / ensure impartial / (prem udin tool bias technology document external view point ises, g • • and support reviews Provides quick May affect • Experienced observers office 4. Docu appraisal of behaviours services • As on the subject to s, men the and reduce • To check validating enhance appraisals faciliti ting conditions/ reliability of existence of tool to and credibility es, things or results documents confirm utiliti people • To have results of es) • Requires no more prior NA • Peopl expertise

confidence, tools. e when accuracy, worki analysing the reliability ng on results and validity site, of the their results of intera prior NA ction, tools used Physical Observation • Interp erson al relati ons • Work climat e • Stake holde rs relati ons

18 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Tools Purpose Skills required Target When to How to Strengths Limitations conduct conduct / Steps

Depends 1. Devel • Information • To obtain • Formulating questions • At the • Dependent on focus opin can be feedback on • Analytical skills beginning on area: g the obtained from SAI • Ability to synthesize of NA to respondents • For surv a large environmen • gain overall ’ Data analysis skills HR: ey number of t understand motivation, • Subject matter emplo 2. Imple respondents • To gather ing of SAI’s memory, knowledge yees men • Wide range of information operations ability to at all ting information on SAI • At a later respond levels the can be structures, stage to effectively • For surv collected at operational focus on • Respondent exter ey one time frameworks, specific s not nal 3. Data • Consistency of and areas motivated stake entr data employees • Where to holde y • Easy to informatio accurately r 4. Data administer n is answer, but relati anal • required Cost effective present ons: ysis from a themselves exter 5. Recor wide range in nal ding of favourable stake resul geographic light

holde ts ally • Doesn’t rs dispersed facilitate in- • For Survey employees depth audit • When examination meth intention is of causes odolo to arrive at • Errors due gy aggregated to non and quantified response stand informatio may exist ards: n • Could have field subjective audit responses ors and • Can be time senior consuming / • Doesn’t middl allow e probing for mana more geme detailed nt information • etc.

In the next chapter we will discuss about the Level 2 ISSAI requirements. These requirements are the basic pre-requisites for robust audit practices in the SAI.

19 Chapter 1: Implementing ISSAIs and Introduction to iCAT Page

iCAT: Financial Audit

Chapter 2

Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level 2 ISSAI Requirements

Introduction

As mentioned in the previous chapter the ISSAI framework is a very comprehensive framework that articulates both – the nature of robust audit practices in an SAI and the key drivers at institutional and SAI level that need to be in place for implementation of robust audit practices on a consistent basis. While the nature and requirements for robust audit practices are outlined in Level 3 and Level 4 ISSAIs, the key drivers and prerequisites for these are highlighted at level 1 and level 2 of the ISSAI Framework.

As such before going into the details of implementing level 4 ISSAIs, we need to look at the level 2 ISSAIs and understand their impact on Level 4 implementation issues. For the purpose of clarity and process, this chapter is divided into two parts:

Part 1 – Understanding the Prerequisites for Robust Audit Practices

Part 2 – Ascertain status on Level 2 Requirements.

For understanding of level 2 ISSAIs part 1 can be used. From Chapter 3 to Chapter 6 level 4 iCAT guidance is discussed. Please consider that, status Level 2 requirements of an SAI will be ascertained only after checking the Level 4 requirements (by following the guidance from Chapter 3 to 6). Though Level 2 guidance is mentioned in Chapter 2, please come back to this chapter after completing Chapter 3 to 6 on Level 4. At the end of the two parts you would be able to identify your SAIs needs regarding Level 2 requirements and also link the gaps in Level 2 requirements to the gaps in implementing level 4 ISSAI requirements which you will be able to find while going through Chapter 3 to 6.

Part 1 Understanding the Prerequisites for Robust Audit Practices

What does a SAI need for putting in place well functioning audit practices that generate value for SAI stakeholders? As per the ISSAIs an SAI would need the following four prerequisites ISSAI 30 ISSAI 20 Code of Ethics Accountability & Transparency These four prerequisites are the four Mechanisms main ISSAIs level 2 ISSAIs that we will look at.- ISSAI 10, 20, 30 and 40. In

ISSAI 10 ISSAI 40 recent years SAIs have been Independence & Legal Framework Quality Control increasingly expected to demonstrate ISSAI Level 4 their own value and benefit to their Robust Audit stakeholders. This has resulted in a Practices number of initiatives at the INTOSAI

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 20

Page

iCAT: Financial Audit level that have centred around the SAI at a strategic level. Such initiatives include:

• Mexico declaration (now incorporated in ISSAI 10 with examples in ISSAI 11) – looking at the roles and responsibilities of SAIs • Principles of Transparency and Accountability of SAI (ISSAI 20 and examples provided in ISSAI 21) – looking at fundamental good principles of how an SAI should perform its functions and what type of functions it should perform. • Code of Ethics (ISSAI 30) – providing a framework for ensuring SAI behave at the highest level of credibility • Quality Assurance (ISSAI 40) looking at the critical ingredients required to make a SAI meet standards required to add credibility to any results or reports published by the SAIs.

The above documents form the basis for level 2 of the ISSAI framework and the participant should familiarize themselves with the documents.

The level 2 framework is also supported by a number of other publications and initiatives aimed at supporting SAIs. Some of these that are important for the participants include:

• IDI Capacity building initiatives and frameworks - this provides a mechanism for assisting SAI in identifying their needs to achieve the developments required to perform their tasks within the ISSAI framework. • SAI Performance Management Framework – this provides a framework for reporting the results of the SAI and measuring its improvement over time. ( version 2.0 of this document is available on www.idi.no ) • SAI value and benefits – this was the theme 1 paper from INCOSAI XX and it summarizes all the aspects of demonstrating how SAI can show their value to their stakeholders. It is intended that the document would be incorporated into the ISSAI framework.

There are numerous other documents available around this topic; however the ones listed above provide a sufficient overview.

The ISSAIs at level 2 require capacity development of an SAI in all three areas

1. Institutional Capacity Development 2. Organisational Systems Capacity Development 3. Professional Staff Capacity Development

Institutional capacity of an SAI refers to the SAI having the appropriate Independence and Legal Framework, mandate and environment to carry out its core business functions effectively. Organisational Capacity refers to the internal systems and process of a SAI and professional staff capacity refers to SAI people and their ability to carry out their roles professionally.

In order to have robust audit practices as described by level 4 ISSAIs, a SAI would need all three capacities – Independence and Legal Framework, appropriate internal processes and structures and sufficient number of qualified people. The IDI’s Capacity Building Framework shown explains the relationship between the requirements of level 2 ISSAIs and the three aspects of capacity building.

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 21

Page

iCAT: Financial Audit

The capacity building framework attempts to show a picture of both the capacities that a SAI must have and the performance that the SAI must deliver to generate value for its stakeholders. For a SAI to contribute to good governance, it needs to have required audit impact. In order to achieve the audit impact the SAI must have high quality audit outputs. These audit outputs are a result of robust audit practices (ISSAI Level 4) or ‘SAI Core Processes’ as they are referred to in the capacity building framework. The key drivers of robust audit practices within the SAI are SAI Leadership and internal governance mechanism, SAI resources and SAI external stakeholder relations (Parliament, Executive, Media, Civil Society etc). It is the SAI leadership’s role to ensure that the governance mechanism (including implementation of code of ethics), required resources and stakeholder relations are in place. A critical factor outside the SAI that can hamper or help the SAI’s performance and effectiveness is the SAI independence and legal framework and the general public financial management environment that the SAI operates in.

SAI Leadership drives the performance and capacity building initiatives of the SAI. The leaders in the SAI need to set the tone and tenor for determining how things will be done in the SAI. The SAI as a whole also should set an example in good governance to be emulated by the audited entities. As such the leadership should ensure good SAI governance in terms of its planning, code of ethics and conduct, accountability & transparency, internal controls and continuous improvement. The SAI leadership will be considerably effective in its internal governance efforts if they have in place a robust and vibrant internal communication mechanism.

This element is the key driver to ensure that the SAI makes the most of what is within its control through amongst others, effective strategic and operational planning. The category of management arrangements has been used to identify these key drivers. This element then becomes the driver for the other sub elements of:

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 22

Page

iCAT: Financial Audit

• Human resources • Support structures and infrastructure

These two elements are taken as sub elements of the leadership and internal governance. As often deficiencies or areas for improvement in these areas require senior management intervention, for example, identifying and running training programs.

SAI Core Processes consist of:

• Audit standards (as elaborated in the ISSAI Framework) • Audit manuals and guidance • Audit plans short term and long term • Audit tools such as computer assisted audit techniques • Quality assurance

All these aspects are aimed at ensuring that professional and consistent audit products are delivered by SAIs on a sustainable basis. The critical aspects are to ensure that the processes and intentions are reflected in the practice of the SAI and are not simply documents produced but not followed by the auditors.

External Stakeholders can be seen from two distinct perspectives, namely:

• Reporting to stakeholders • Communication with stakeholders

Reporting is often a combination of what is mandated and what may be good practice. This often includes reports to parliament and to the audited entities. SAI are often also expected to produce reports on their own performance. SAI annual report or equivalent provides an opportunity for the SAI to document its achievements as well as the results from the audits conducted.

In terms of communication with stakeholders SAIs have a very important role in dealing with legislatures, media and audited entity. Often enhancing the profile and image of the SAI can improve its effectiveness in carrying out its audits through improved cooperation.

For example if an SAI where to consider implementing Level 4 ISSAI in Performance audit it would need an appropriate mandate to do so, strong supporting institutional structures i.e. a well functioning PAC. Leadership that drives the implementation process and puts in place necessary systems and structures to ensure implementation, qualified people and adequate resources and good relations with important stakeholders.

As such implementing ISSAIs and building capacity of a SAI are in actual fact one and the same process. !

Seeing this match, we have tried to categorise the ISSAI requirements at level 2 into the following four categories and sub categories

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 23

Page

iCAT: Financial Audit

Leadership & External Internal Stakeholder Governance Relations Independence •Code of ethics •Reporting SAI Core & Legal •Management Practices Arrangements Processes •Communication Framework •Resources

The first category refers to the institutional capacity of the SAI and describes the requirements under ISSAI 10. The second category refers to the organizational and professional staff capacity of the SAI that is driven by SAI leadership. A combination of Level 2 ISSAI requirements are placed under this category. The third category refers to SAI core processes, which are the SAI level requirements specific to audit processes. The fourth category refers to external stakeholder relations both in terms of reporting requirements and communicating with stakeholders for audit effectiveness and impact.

The level 2 ISSAI requirements placed under these four categories can be seen in the excel sheet called ISSAI Level 2 Requirements.

Part 2 of this chapter describes the requirements and how to assess needs related to the requirements. While we would recommend that you read through the Part 2 now, the actual collection of data and filling in of the format should be done after you have completed the iCAT format for level 4.

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 24

Page

iCAT: Financial Audit

Part 2 – Ascertain Status on Level 2 ISSAI Requirements

The ISSAI framework is a very comprehensive framework that articulates the nature of robust audit practices in an SAI as well as the key drivers at institutional and SAI level that need to be in place for implementation of robust audit practices on a consistent basis. The nature and requirements for robust audit practices are outlined in Level 3 and Level 4 ISSAIs, and the key drivers and prerequisites for these are highlighted at level 1 and level 2 of the ISSAI Framework.

In part 1 we have mentioned that before going into the details of implementing level 4 ISSAIs, we need to look at the level 2 ISSAIs and understand their impact on Level 4 implementation issues. From Chapter 3 to Chapter 6 you will conduct the check for the Level 4 ISSAIs. You will ascertain the status of compliance at Level 4 in these four modules. You will also identify what are the reasons for non- compliance of the requirements at Level 4 in the Chapter3 to 6.

You will see that the reasons for non-compliance lies at the issues which actually the drivers or prerequisites for Level 4 ISSAIs. These are all highlighted at Level 2 ISSAIs. So it is clear that at Level 2 on a strategic level SAIs can take measures that would solve the issues of non-compliance at the Level 4. In this chapter you will look into this linkage between Level 2 and Level 4 ISSAIs, also how the gaps in Level 2 requirements lined to the gaps in implementing level 4 ISSAI requirements. Based on you findings at Level 2 and Level 4 you will write the ISSAI Compliance Assessment Report.

1. Ascertain the status of Level 2 ISSAI requirements

Before ascertaining the status of level 2 ISSAI requirements you would have done the following activities:

• Understood level 2 ISSAI requirements in Chapter2 • Completed the iCAT format for level 4 in Chapter 3 to Chapter 6

On this basis we will now proceed to discuss how to identify SAI needs and ascertain the status at level 2. This step in the process will also help you in consolidating your findings on level 4 ISSAIs particularly the reason for non-compliance which is related to the Level 2 ISSAIs and create the linkage between the two levels of ISSAIs. Based on this we will prepare the ISSAI Compliance Assessment Report.

4.1 How to complete the Level 2 ISSAI Requirements

As we have mentioned in Chapter2 the iCAT for Level 2 contains all the requirements from the ISSAI 10 - 40. All these requirements have been grouped under following major categories:

• Independence and legal framework • Leadership and internal governance o Code of ethics o Management arrangements o Resources • SAI core processes

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 25

Page

iCAT: Financial Audit

• External Stakeholder o Reporting practices o Communication

In the following sections we will discuss how the columns of the individual ISSAI requirements can be filled in step by step.

Step 1 - Completing Columns 5 and 6 of Level 2 ISSAI requirement

After completion of level 4 of the iCAT:

• workshop should be held with relevant senior management to discuss the findings on level 4 • The purpose of the workshop is for senior management to assign level 4 findings to their specific requirements within the level 2 ISSAI requirements.

When completing the level 2 ISSAI requirement the participant should understand the relationship between levels 2 and 4 of the ISSAI Framework. Level 2 provides the strategic direction and level 4 is aimed at the details of audit practices when implementing the strategic aspects.

There are three possible results to be entered into column 4 SAI Status, namely:

1. Full compliance – where level 2 and level 4 requirements are met 2. Partial Compliance – where level 2 requirements are met but the implementation on level 4 has not been achieved. (example provided below) or where requirements are met at level 4 and not at level 2 (This is highly possible for instance Principle 8, ISSAI 20 requires that “The SAI reports are available and understandable to the wide public through various means (e.g. summaries, graphics, video presentations, press releases)”. While, at the SAI level there may not be such a requirement, some field offices may bring out summary of their performance audit reports and issue press releases after tabling of a Performance Audit Report and satisfy ISSAI 3100, Section 35 on making audit report easily accessible to general public). Another real-life example that was quoted by several participants on iCAT relating to disclosure of the source of data in the audit report is that while there is no such requirement in their standards to disclose source of data, it has been followed in the performance audit engagements reviewed by them. 3. Non compliance – where requirements on level 2 and 4 are not met

Example of Partial Compliance:

If the SAI has no individual declaration of interests for each audit, but the SAI has an organizational policy. Then this would be reflected in the iCAT as follows:

• Within column 4 the SAI status would be partially implemented • Within column 5 the entry should be that there is a finding with regard to “no individual declaration in the audit files” for the requirements under ISSAI 30 paragraph 13.

Column 6 should be used to state what action needs to be taken and within what timeframe.

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 26

Page

iCAT: Financial Audit

Information gathered in Column 6 can then be used to complete the ISSAI Compliance Assessment Report.

Step 2 - Completing Columns 3 and 4 of Level 2 ISSAI requirement i. Independence and Legal Framework

This section largely deals with ISSAI 10 which as previously stated links to the Mexico Declaration. The ISSAI requirements can largely be linked in most jurisdictions to the enabling legislation of the SAI (SAI law). Most of the aspects should be readily identifiable from the law. Further enquiries from the Head of the SAI to clarify uncertainties may be useful.

It is important to simply identify the responsibilities and not necessarily to assess the implementation. For example if a SAI can “select the audit issues” but in practice is not doing so this should be included in column 4 (SAI status) as partially complying. There may be references to the SAIs in other legislation, for example, relating to the SAI budget (principle 8 ISSAI 10). In these instances the participant may need to be aware of such documents and reference them in column 3 of the iCAT. ii. Leadership and Internal Governance

Code of Ethics

This section largely deals with the ISSAI 30 Code of Ethics. In many SAIs this is covered through policies at the entity level as well as through declarations made in each audit engagement. The participant should obtain these documents and assess what type of compliance is expected by the staff (for example annual declarations of income and assets).

If there is an absence of compliance tools such as annual declarations these will be highlighted in the level 4 assessment and will be included in columns 5 and 6 of the iCAT.

Management Arrangements

This section takes fundamental aspects of the SAI leadership and internal arrangements at a strategic level. This section will give rise to the important elements that include strategic planning and therefore prioritization for future decision making. Whatever the SAI is deciding to do must be communicated through this area and therefore represents a fundamental area where many improvements at level 4 of the framework will be managed.

This section should be completed through reviews of strategies, business plans and other key strategic documentation including performance management policies, quality assurance policies and recruitment plans.

Resources

This aspect of the internal governance and leadership follows directly from the management arrangements. This is the assessment of the requirements of the SAI and should be identified through reviews and studies and be included in key policies and strategies. Therefore operational documents such as annual work plans and delegations should be reviewed.

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 27

Page

iCAT: Financial Audit

Responses to this section should also relate to the management arrangements when considering the level 4 gaps. For example, issues regarding ISSAI 40 element 4 “ensuring staff have competencies to carry out their work” can be linked to the item under management arrangements principle 6 ISSAI 20 “the SAI measures the efficiency and effectiveness with which it uses its funds”. When completing columns 5 and 6 of the iCAT these relationships will be analyzed to ensure that the action plans are as practical as possible. iii. SAI Core Processes

This area of the Level 2 ISSAI requirements is mainly concerned with the ISSAI 40 Quality Assurance. For the SAI to meet the requirements of level of the framework a number of factors are required from a technical perspective. These include:

• Audit reporting • Follow up on audit findings • Methodology • Auditing Standards

All the above need to be in place to ensure that the audit risk (the risk the auditor reaches an incorrect conclusion) is minimized. To assess the requirements, it will be advisable to schedule an interview with the person responsible for quality assurance and control in the SAI. Many of the practices should be documented in instructions through manuals and/or circulars. These should be assessed if they include the elements stated in the Level 2 ISSAI Requirements. If the practice is stated in documentation and not followed: at this stage simply state under column 4 that there is partial compliance (to be consistent with the view espoused at Step 2 i. Independence and Legal Framework). When the level 4 assessment is undertaken this will identify the problem of the implementation. iv. External Stakeholder

Reporting Practices

This section lists all the reporting requirements identified in level 2 of the framework. There are 18 requirements. This represents a large expectation on SAIs to report on their activities and results. Many of these reports can be included in a single SAI annual report for example. The participant should therefore obtain all external correspondences that the SAI issues and assess them against the 18 requirements.

External Stakeholder Relations

This section assesses the SAI relationship with its primary stakeholders. This can include: legislature, parliaments and special committees of parliament. The SAI may include this information in a communication strategy and often have a spokesperson or an office directly linked to the Head of the SAI. It is advisable to interview the relevant personnel and obtain the necessary protocols, strategies and policies. From next chapter guidance on level 4 ISSAIs for Financial audit is elaborated. Guidance for irst step of the Financial audit process is Pre engagement and relevant ISSAIs is described in chapter 3.

Chapter 2: Understanding the Prerequisites for Robust Audit Practices – level 2 ISSAIs and Ascertain Status on Level

2 ISSAI Requirements 28

Page

iCAT: Financial Audit

Chapter 3

Pre-engagement

Introduction

This chapter is required to ensure that the facilitator identifies the preconditions for enabling the SAI to implement level 4 of ISSAI framework of financial auditing. It is important that the facilitator understands the requirements expected within a SAI environment before considering any specific audit. These aspects include factors which require decisions that are consistent with SAI policies as discussed on level 2. In this chapter specific references to policies and areas for consideration are highlighted for the appropriate foundation to be put in place before an audit commences.

Section 1 provides an overview of the financial audit process as is explained in the standards. Section 2 highlights all the areas where the requirements within the iCAT are contained. Section 3-6 provides emphasis to the most important elements of pre-engagement.

1. Overview of the financial audit process and the expectation of the ISSAI facilitator

1.1 Financial Audit Process:

Figure 1 below provides an understanding of the audit process. It is essential to understand that the audit process is not simply a one way process from planning through to reporting. Reconsideration of the critical aspects of the audit process is continually in need of re-evaluation. This is reflected in the feedback loops in the figure below. For example, when evaluating the results from the audit fieldwork, the assumptions made in the planning regarding material misstatement may be incorrect. In this situation the auditor is required to reflect the changes in the planning documentation.

29 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Figure 1: Audit Process

RBA Audit Process

Preliminary Overall Audit Strategy Engagement Activities

Risk Assessment and response

Understanding the entity Understanding the entity’s environment including internal controls

Identifying and Assessing risk of material misstatement

Design further audit procedures

Conducting Field Audit

– Tests of controls – Substantive procedures

Evaluate Results

Accumulate and evaluate misstatements

Form Opinion and Report

30 Chapter 3: Pre engagement Page

iCAT: Financial Audit

1.2 Expectations from the ISSAI Facilitators

Table 1 below provides an overview of what the ISSAI facilitator is required to do at each stage of the audit process. In addition to the expectations in Table 1, the ISSAI facilitator is required to be familiar with the issues discussed in level 2 of the ISSAI framework covered in Chapter2. For financial audit some of these issues are given more emphasis as discussed in table 2 of this module.

At this stage, the ISSAI facilitator is expected to have access to SAI financial audit senior management and select a minimum of two audit files to support the conclusions drawn from the discussions with management.

Before looking at the iCAT, the facilitator should understand the auditing standards. The International Standards of Supreme Audit Institutions (ISSAIs) for financial auditing are based on the private sector International Standards on Auditing (ISA) issued by the International Federation of Accountants (IFAC). The ISSAIs therefore comprises of the entire ISA. The ISAs have a consistent structures including requirements of the standards and then referenced to this is what is called the application of the requirements. The application is effectively guidance on understanding the requirements.

The ISSAIs then enhances the ISA with specific guidance for the SAI environment through the use of practice notes. These often provide examples for the public sector context or explain situations in which the standards apply. iCAT comprises all requirements from 36 ISSAIs. In addition to requirements from International Standards on Auditing (ISAs) the requirements from the practice notes have been added. Altogether 531 requirements are included in iCAT.

In order to facilitate the use of iCAT:

• Requirements have been split into auditing phases: Pre-engagement, Planning, Fieldwork and Reporting and described in the respective modules of the course. Some of these requirements flow throughout the audit process and the facilitator will be required to understand the starting point of the requirement. • Whether the requirement is important on institutional level or audit level has also been identified. • Documents that prove the application of the requirement have been outlined, e.g. planning documents, working papers, audit report etc.

31 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Table 1: Overview – Activities of ISSAI Facilitator

Audit Process Core Text module Brief Description ISSAI reference Explanation of Reference ISSAI Facilitator knowledge Preliminary audit Chapter3 This stage of the ISSAI 1210 The facilitator engagement audit is where should understand assessment of the the SAIs standard audit practice and requirements are assess if it has made and the been applied audit team consistently communicates with the audited entity Overall Audit Chapter4 To gain a high ISSAI 1300,1315 The facilitator Strategy level and 1320 should be able to understanding of identify the the audited entity documentation and assess the within the SAI to materiality. relates to the requirements of the overall audit strategy and assess whether the elements of the strategy are covered. Risk assessment Chapter4 The process ISSAI 1200 and The ISSAI and risk responses involves: 1300 series facilitator is Understanding the required to entity including its understand the control SAI methodology environment. and how it covers Identifying the risk the main aspects of material of the audit misstatement and planning designing further requirements. An audit procedures assessment of the for assessing the main elements of risks. the SAIs process is then assessed against audit files to see if they contain the information expected. Assessment of the adequacy of the

32 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Audit Process Core Text module Brief Description ISSAI reference Explanation of Reference ISSAI Facilitator knowledge planning conclusions and the design of audit procedures is beyond the scope of the facilitator. Field Audit Chapter5 At this stage the ISSAI 1500 series The facilitator is auditor is required to review attempting to audit files and provide sufficient assess the appropriate and adequacy and reliable evidence sufficiency of to support the documentation conclusions including the reached based on application of test of controls professional and substantive judgment and procedures. professional skepticism. The facilitator is not expected assess whether the procedures followed are adequate to address the risks identified Evaluating results Chapter6 This section is ISSAI 1450 The facilitator concerned with should understand evaluating results the audit and assessing the methodology effect of the followed by the results on the SAI and assess the nature, extent and audit files selected timing of audit against the work as well as criteria. consideration of reporting consequences Forming an Chapter6 This is where the ISSAI 1700 series The facilitator is opinion and report outputs from the and 1800 series expected to audit process, understand the namely: audit decisions taken to reports and other arrive at the items reports are included in the

33 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Audit Process Core Text module Brief Description ISSAI reference Explanation of Reference ISSAI Facilitator knowledge produced report and assess if they are compliant to the relevant standards and SAI practice.

2. Institutional level considerations prior to assessing an individual audit

As the facilitator you are already familiar with the level 2 considerations of the ISSAI framework. Level 2 ISSAIs state and explain the basic prerequisites for the proper functioning and professional conduct of SAIs. These are the institutional level considerations that required to be analyzed before assessing an individual audit process.

The focus shifts slightly to assessing these considerations in the specific context of financial auditing. The main areas where these considerations are necessary are broadly covered by:

2.1 Compliance to the level 4 financial audit ISSAIs 2.2 Assessment of the accounting and legal framework governing the financial statements in your jurisdiction 2.3 Consideration of the SAI before commencing with individual audits

2.1 Compliance to the level 4 financial audit ISSAIs

The iCAT has identified several references for example ISSAI 1200.20 where the use of ISA has to be carefully considered. It states “The auditor shall not represent compliance with ISAs in the auditor’s report unless the auditor has complied with the requirements of this ISA and all other ISAs relevant to the audit”. This means the SAI cannot decide to follow a few aspects of ISA and depart from others and still state they are complying with ISAs and therefore the ISSAIs for financial audit.

Examples where this situation will need to be considered could include the following scenarios:

• Where the SAI has fundamental capacity restrictions in meeting the ISSAI requirements from current resources • Where the stakeholder expectations or the auditing environment doesn’t provide for full ISSAI implementation

In the case of capacity restrictions the SAI can consider assessing the scope of the audits and as stated under ISSAI 40 (acceptance and continuation) and should bring this to the attention of the Head of SAI or even the legislature or budget authority. The SAI in this regard should have an overall plan that will be discussed under resource considerations below.

In the situation where full ISSAI implementation may be limited by the enabling environment, for example, where the accounting framework is still underdeveloped or the scrutiny of the financial statements and audit report is highly limited there are several factors that the SAI should consider.

34 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Firstly the SAI should assess what aspects of the ISSAIs are the most relevant to implement and begin with these. In this instance as stated in ISSAI 1805.8 the auditor can consider the applicability of the ISSAIs. In general if the information provided to users is insufficient to cover their needs then the SAI should identify the deficiencies and report them to the appropriate stakeholders.

Secondly, SAI should assess overall the importance of the ISSAIs and identify the key value the ISSAIs will provide and focus on these areas. However, in these situations it may not be possible for the SAI to state that it is auditing in compliance with the ISSAIs. A statement in the SAI’s strategic documentation should reflect this position. The SAI should refer to ISSAI 1000.28 for other alternatives for compliance to the ISSAI Framework.

In the specific instance of the deficiency of the financial reporting framework the SAI should consider the section below.

2.2 Assessment of the accounting and legal framework governing the financial statements in your jurisdiction

The ISAs make reference to the accounting framework under which the financial statements are made. There are two very popular frameworks that are well established in the international community namely:

• International Financial Reporting Standards (IFRS) • International Public Sector Accounting Standards (IPSAS)

These frameworks provide coverage for the requirements of the ISSAIs. For example, disclosures in relation to related parties are covered by the frameworks. It is in this regard that the financial reporting framework needs to be comprehensive as to provide the users of the statements with the relevant information provided in a suitably understandable format.

Many jurisdictions are operating with entities at different levels of accounting bases. For example Ministries may be on cash or modified cash basis whereas corporations can be fully compliant to IFRS. The IPSAS explains the different basis of accounting and provides for the migration from full cash to full accruals. The facilitator can obtain review the IPSAS and IFRS frameworks through the website www.ifac.org (public sector for IPSAS).

If the accounting framework is limited or under development the facilitator should consider whether the SAI has enquired of the relevant management whether the financial statements are sufficient to meet the user requirements (ISSAI 1200 practice note 5 refers).

Many SAIs operate in environments where the accounting framework is prescribed within the legislation of the country. In these cases the assessment of the applicability of the framework for users should still be undertaken and recommendations made to the relevant standard setters e.g. Ministry of Finance or Accountant General.

35 Chapter 3: Pre engagement Page

iCAT: Financial Audit

2.3 Consideration of the SAI before commencing with individual audits

When considering the overall financial audit strategy for the SAI there are many factors. These factors need to be considered prior to any resource allocation and assessment of individual audit strategy. Many of these aspects are also referred to at level 2 of the ISSAI framework and are reflected in SAI policy and procedures; however, there is a need for some annual considerations. Table 2 below is summary of the type of considerations a SAI should consider.

Table 2: SAI Precondition

Considerations Decision Guidance ISSAI Reference ISSAI compliance level 4 Full / Partial The SAI needs to decide on the All ISSAIs level 4 financial applicability of the framework and the intention to comply with the requirements. If there are reasons for elements of the framework to be omitted they should be stated. The statement of the basis of the opinion and any overall modifications to the audit reports should be provided.

Adequacy of Financial Adequate / SAI should consider communicating its ISSAI 40 under Reporting Framework Limited / Not conclusion if the framework is not acceptance and applicable adequate to the relevant standard continuance and setting bodies. In extreme situations ISSAI 1000 modifications to the audit reports or (paragraphs 43 special reports should be considered and 44)

Audit resources required Adequate / In the case of inadequate audit internally (ISSAI 40 inadequate resources the SAI should consider the acceptance and effect on the scope of the audit or continuation) identify alternative approaches to obtain assurance e.g. contracting out functions

This is particularly important in the case of small SAIs who have limited capacity

The SAI is also required to have responses in place to an audited entity, which may be preventing the SAI from adequately carrying out its responsibilities. As withdrawal is not usually an option in SAI environment alternatives measures may need to be sought.

36 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Considerations Decision Guidance ISSAI Reference Management of Audit Appropriate/ Where other auditors outside the SAI ISSAI 1600 resources contracted out training or are employed to conduct audits, practice note guidance particular assessment should be made needed of their professional competence and their understanding of the public sector requirements (as elaborated in the practice notes) Use of Experts (including Required / A strategic decision is required to ISSAI 1610 and internal auditors) Not required assess the need for experts or other ISSAI1620 governmental agencies (e.g. anti money laundering agencies). The audits to which they related and the scope of work should be understood. The SAI should then assess the audit risk overall and prioritize the experts required. Specific complexities in Yes / No These can include: the audited entities that • Service organizations ISSAI 1402 effect the individual audit • Specific reporting strategies requirements ISSAI 1700 • High risk clients • Other audits / investigations ISSAI 1300 being performed by the SAI ISSAI 1240 • Related parties • Particular issues in the public interest e.g. high ranking ISSAI 1550 official expenses IISSAI 1315 • Consolidations • Restructuring of government organizations ISSAI 1600 • Specific instructions from legislature / third parties ISSAI 1510

• Previous allegations

ISSAI 1210 All the above should be considered and

the effect on the audit strategies and

resource allocations should be stated. ISSAI 1240

Reports issued other Yes / No If the SAI intends to issue other audit ISSAI 1700 than those in compliance reports that are not in conformance to series and 1800 to ISSAI 1700 and 1800 the standards. Then the SAI should series series. state the basis and criteria for such reports. Any discussion of key audit themes and the method the SAI uses to include these issues in the report should be explained.

37 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Considerations Decision Guidance ISSAI Reference

Quality control plan Yes / no A quality control plan for the year ISSAI 40 and should be provided ISSAI 1220 Evidence of Ethical Yes / no The SAI should operationalize the ISSAI 30 Requirements in place requirements of ISSAI 30 to ensure an prior to the annual process for ethical commencement of the requirements is undertaken. audits

3. Quality Control

ISSAI 40 principle 1 Leadership states clearly the importance of quality control as shown below:

An SAI should establish policies and procedures designed to promote an internal culture recongnising that quality is essential in performing all of its work. Such policies and procedures should be set by the Head of the SAI, who retains overall responsibility for the system of quality control.

The facilitator has already understood the role of the ISSAI 40 on level 2 of the ISSAI Framework. At this stage the SAI also requires a mechanism for translating these institutional requirements into the individual audit process. ISSAI 1220 provides for such a link. It looks at the quality control function employed at the audit level. The quality control process is relatively straightforward and is captured in the flow below.

1. Planning 2. Conducting 3. Monitoring

3.1 Planning Quality Control Review

At the commencement of the audit cycle the SAI should be aware of the engagement quality control reviews that are required to take place. The SAI should ensure that the engagement quality control reviews include:

• Any listed companies audited by the SAI (ISSAI 220.19) • Other entities that the SAI deems necessary due to the nature of the engagement.

The criteria the SAI employs for selecting the audits to be quality control reviewed should be explicitly stated and approved as per the engagement quality control policy. The criteria could consider:

• Audits where modified opinions were previously issued • Audits which have a high public profile • Audits which have allegations related to the audit entity • Coverage to include all engagement partners

38 Chapter 3: Pre engagement Page

iCAT: Financial Audit

The quality control plan should be approved and communicated in line with the SAI policies and procedures. The carrying out of the QA function can involve outside expertise, a dedicated QA function or delegations to specific individuals or committees.

3.2 Conducting - Engagement Performance

3.2.1 Overview

During the fieldwork the engagement leader shall take responsibility, among other things, for:

a. the direction, supervision and performance of the audit engagement in compliance with professional standards and applicable legal and regulatory requirements; and the auditor’s report being appropriate in the circumstances; b. reviews being performed in accordance with the firm’s review policies and procedures; c. the engagement team undertook appropriate consultation on difficult or contentious matters; d. determining whether there is a need for an engagement quality review and if so determined, ensuring that an engagement quality assurance reviewer has been appointed.

Where differences of opinion arise within the audit team with those consulted and, where applicable, between the engagement leader and the engagement quality control reviewer, the audit team, should follow the SAI’s policies and procedures for dealing with and resolving differences of opinion.

The engagement leader ensures reviews are performed in accordance with the SAI’s review policies and procedures which should meet the requirements of ISSAI 40. (Ref: ISSAI 1220 paragraphs 16 and A.16 to A.17, A.20 and ISSAI 40- paragraphs 32 and A.34)

The engagement leader/supervisor is responsible for ensuring that reviews of the working papers are carried out in order to be satisfied that they demonstrate that sufficient appropriate audit evidence has been obtained to support conclusions reached for the auditor’s report to be issued. (Ref. ISSAI 1220 paragraphs 17 and A.18 to A.20)

3.2.2 Consultation and Differences of Opinion

ISSAI 1220 gives responsibility to the Head of the SAI for ensuring that the engagement team undertakes appropriate consultation on difficult or contentious matters, and that the conclusions of consultations are documented and implemented.

Where differences of opinion arise within the engagement team, with those consulted and, where applicable, within the SAI, the SAI should have policies and procedures for dealing with and resolving differences of opinion.

3.2.3 Engagement Quality Control Review (EQCR)

EQCR is the objective evaluation of the significant judgments made by the audit team and the conclusions reached in formulating the independent auditor’s report.

As part of the system of quality control, ISSAI 40 states that an EQCR should be performed for all audits meeting the agreed criteria. Examples:

39 Chapter 3: Pre engagement Page

iCAT: Financial Audit

• where a qualified or adverse opinion is being proposed or anticipated;

• where client activities are of special interest to the general public or media; and

• where clients are considered as being of higher audit risk, for example due to: a history of weak internal systems of control; or where complex or novel accounting issues exist

ISSAI 40 requires that an EQCR is conducted in a timely manner so that significant matters are resolved prior to the opinion being issued. Therefore the EQCR is performed before the issuing of the report.

3.3. Monitoring

The ISSAI 1220.32 to 1220.34 explains that monitoring is in respects of two elements:

• assessment, correcting and improving any issues with audit engagements • assessment and improving the quality control process itself

Any issues highlighted are not necessarily demonstrating failure to meet the standard but are merely aspects that relate to operational aspects of the SAIs activities.

4. Key aspects of audit evidence including linkages to professional skepticism

4.1 Overview The ISSAI facilitator has to be aware that throughout the audit process certain requirements in regard to audit evidence must be kept in mind. These are summarized in the table below.

Table 3: Aspects of Audit Evidence

Description ISSAI Reference Comment Understandability of ISSAI 1230.8 Within the application to the standard references are made audit evidence to the practicalities related to evidence. Clearly auditors including significant cannot record all documentation and judgments taken. The professional need to relate what is documented to assist the users judgment (including reviewers and future auditors) in discharging their functions is the criteria. Type of work ISSAI 1230.9 Ownership and evidence of review is essential to the performed, who authority of the work performed and to accountability and performed it and responsibility for the audit as a whole. who reviewed it Consideration of Not specifically As discussed above the implications on the audit scope and Small SAI to ISSAI compliance to standards has to be considered. framework Professional ISSAI 1240.12 This is perhaps one of the most difficult areas facing the skepticism auditors. The ability to demonstrate skepticism within the audit evidence may not be straightforward. It may require evidence through for example, team meetings. Consideration of allegations and other sources such as press

40 Chapter 3: Pre engagement Page

iCAT: Financial Audit

coverage should be assessed. See section 4.2 below for further illustration

Acceptance of documentation provided by the audited entity should be linked to the internal control assessment. Special ISSAI 1230 In SAIs where there is a responsibility beyond financial considerations in PN 15 and 16 reporting and expressing an opinion the SAI may have judicial aspects additional evidential requirements. For example, in relating SAI functions preparing documentation for imposing fines the evidential requirement may be stronger than simply highlighting the finding. This should be reflected in the policies and procedures of the SAI.

4.2 Skepticism

Recognizing That Management is always in a position to override otherwise good internal Management Can Always control. Commit Fraud Engagement team members are to set aside any beliefs that management and those charged with governance are honest and have integrity, notwithstanding the auditor’s past experience of their honesty and integrity.

A Questioning Mind Make critical assessments about the validity of audit evidence obtained.

Being Alert Does audit evidence contradict or bring into question the reliability of:

• Documents and responses to inquiries?

• Other information obtained from management and those charged with governance?

Being Careful Avoid:

• Overlooking unusual circumstances.

• Over-generalizing when drawing conclusions from audit observations.

• Using faulty assumptions in determining the nature, timing, and extent of the audit procedures and evaluating the results thereof.

• Accepting less than persuasive audit evidence in a belief that management and those charged with governance are honest and have integrity.

• Accepting representations from management as a substitute for obtaining sufficient appropriate audit evidence.

41 Chapter 3: Pre engagement Page

iCAT: Financial Audit

5. Audit Communication

5.1 Overview In the iCAT there are over 70 requirements where formal communication is identified. This therefore emphasizes the importance placed upon this element of the audit.

The facilitator should appreciate the importance of the formal communication with management and those charged with governance relating to the audited entities. In many cases those charged with governance can be audit committees. In instances where the auditor needs to communicate to those charged with governance, including on sensitive matters, the standard has some broad instructions ISSAI 1260.29 refers.

5.2 Types and Reasons for Formal Communication

Standard templates and policies and procedures are required to ensure that the SAI communicates in a consistent and professional manner with outside parties.

Table 4 below provides examples of the types of formal communication used during the course of an audit:

Table 4: Types of Communication with external stakeholders

Type of Communication Example Reference Informative Engagement letter ISSAI 1210.16 Clarification Further explanation is required on the accounting ISSAI 1210.18 and framework or significant transactions ISSAI 1550.14 Representations Management representation letter supporting the ISSAI 1580 financial statements. An entire ISSAI is concerned with management representations Permission In some instances the auditor may require ISSAI 1501.11 permission from the audited entity to contact third parties for confirmations Going to a higher The auditor may be faced with allegations or ISSAI 1250.24 authority problems with the entity which need to be addressed at a higher level. Instruction For example in situations where the auditor ISSAI 1720.16 requests modifications to the financial statements Informing audit entity Informing the audited entities of potential issues ISSAI 1720.15 of audit results that can affect the audit opinion 6. Engagement letter

‘ISSAI 1300 - Planning an Audit of Financial Statements’ stipulates that the auditor plans an audit to perform it in an effective manner. The initial stage of planning requires the auditor to carry out specific preliminary activities before agreeing to be associated with an entity for an audit engagement. The audit engagement includes any type of audit arrangement whether governed by the audit mandate of the SAI or any special audit work taken up by the SAI.

42 Chapter 3: Pre engagement Page

iCAT: Financial Audit

In the public sector, auditors usually appointed by statute and governed by the audit mandate of the SAI, often have no discretion in being associated with an entity for a particular audit engagement. However, carrying out preliminary engagement activities can provide the SAI with assurance that it and its staff comply with independence requirement, identify the need for specific competencies to deal with complex transactions, and identify issues associated with the integrity of entity management; and can remind entity management, through an engagement letter, of their responsibilities for financial reporting.

The preliminary engagement activities, to be carried out prior to audit engagement, assist the auditor in identifying and evaluating the events or circumstances that may adversely affect the auditor’s ability to plan and perform the audit engagement with integrity and impartiality and to reduce audit risk to an acceptable low level. Performing these activities also helps to identify issues with management that may affect the audit. It also ensures that management is fully aware of its responsibilities in relation to financial reporting.

In instances where the financial reporting framework has deficiencies the practice note within ISSAI 1210.5 urges the SAI to inform the legislature and the standard setters. Also the practice note highlights others significant issues that need to be communicated to management and those charged with governance regarding the specific focus areas an audit in the public sector can include. These are:

• Non-performance of operations • Non-compliance with authorities • Waste • Instances of abuse.

Although the SAI’s mandate may not require the issuance of an engagement letter, the practice is recommended and provides an opportunity to clearly identify potential problems such as scope limitations placed upon the auditors by management. An example of an engagement letter is provided at the end of the practice note 1210. It provides the scope and key considerations for the audit.

Conclusion

At the end of the chapter the facilitator should appreciate the institutional and external requirements that facilitate the environment for ISSAI Framework implementation. This also anticipates management of the SAI taking various policy decisions that direct the environment within the SAI.

The chapter has provided guidance on all the elements that are required to be considered before an individual audit takes place. Many of these requirements are required to be done across the whole SAI and are therefore categorized as institutional level. Other such as quality control requires a practice that can affect all audits and therefore requires central planning. By completing the iCAT for the pre- engagement the facilitator is providing a readiness assessment of the SAI to engage in the audit planning of a single audited entity.

In the next chapter the guidance on the ISSAI requirements pertaining to the planning an audit of financial statements is discussed.

43 Chapter 3: Pre engagement Page

iCAT: Financial Audit

Chapter 4

Planning an Audit of Financial Statement

Introduction

The previous chapter on Pre engagement provided the facilitator the information requires prior to the commencement of an individual audit. This chapter takes the facilitator through the planning stage of an individual audit. This is regarded as the most the important stage of the audit process and therefore includes a significant number of iCAT requirements as stated below.

In this chapter the facilitator will receive an overview of preparing an overall audit strategy and a detailed audit plan. The process of identifying and assessing risks of material misstatements as well auditor’s responses to assessed risks will be also discussed.

The guidance issued in the core text is to ensure that ISSAI Facilitator becomes familiar with audit planning process but the core text is not directly linked to all iCAT requirements. There are approximately 180 requirements for planning and therefore all of the requirements cannot be mapped directly to the guidance.

The facilitator will understand the primary requirements of planning through this core text and completing the related exercises of the module. Other requirements will flow from those that are covered in the detail in the core text. However, the facilitator should also familiarize themselves with the content of the iCAT for planning as they work through this module.

1. Overview of Planning

The overview of planning provides the key overall requirements including the purpose of an audit. The remaining sections go into the details of the iCAT planning requirements.

Audit planning is important to ensure that the audit is performed in an efficient and effective manner and that audit risk has been reduced to an acceptably low level. This means providing the correct opinion on the financial statements. Audit planning is not a discrete phase of the audit. It is a continual and iterative process that starts shortly after completion of the previous audit, and continues until the completion of the current audit (1).

Objectives of a financial audit

According to ISSAI 1200 in conducting an audit of financial statements, the overall objectives of the auditor are:

44 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

a. To obtain reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error, thereby enabling the auditor to express an opinion on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework; and b. To report on the financial statements, and communicate as required by the ISSAIs, in accordance with the auditor’s findings.

Audit risk of expressing an inappropriate audit opinion on financial statements usually means issuing an unqualified audit report on financial statements that are materially misstated. However, it can also mean issuing a qualified audit report on financial statements that are not materially misstated. In order to plan and carry out an audit that reduces audit risk to a low enough level, an auditor has to have a good understanding of what makes up that risk.

The auditor is required to identify and assess the risk of material misstatement, whether due to fraud or error, at the financial statement and assertion levels through understanding the entity and its environment, including the entity’s internal control. A risk of material misstatement that affects many assertions will affect the financial statements as a whole. A risk of material misstatement at the assertion level may affect only a particular class of transaction or an account balance.

This assessment provides a basis for designing and implementing responses to the assessed risks of material misstatement.

Practice note in ISSAI 1315 P3 mentions that the objectives of a financial audit in the public sector are often broader than expressing an opinion whether the financial statements have been prepared, in all material respects, in accordance with the applicable financial reporting framework. The audit mandate, or obligations for public sector entities, arising from:

• legislation,

• regulation,

• ministerial directives,

• government policy requirements, or

• resolutions of the legislature. These additional objectives may include audit and reporting responsibilities, for example, relating to reporting whether the SAI found any instances of noncompliance with authorities including budgets and accountability frameworks, and/or reporting on the effectiveness of internal control. These additional objectives may lead the SAI to assess additional risks of material misstatement.

Even where there are no such additional objectives, there may be general public or other stakeholder expectations in regard to the SAI’s reporting of non-compliance with authorities or reporting on effectiveness of internal control. In some situations where this has been a previous practice of the SAI there may need to be an awareness arising to explain changes to the SAI practice. Therefore, public

45 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit sector auditors keep such expectations in mind, and are aware of the areas that may give rise to risks of non-compliance with authorities or risks relating to effectiveness of internal control when planning and performing the audit.

ISSAI 1200 states that in order to achieve the overall objectives of the audit, the auditor shall use the objectives stated in relevant ISAs in planning and performing the audit, having regard to the interrelationships among the ISAs. In exceptional circumstances, the auditor may judge it necessary to depart from a relevant requirement in an ISA. In such circumstances, the auditor shall perform alternative audit procedures to achieve the aim of that requirement.

2. Developing Overall Audit Strategy

ISSAI 1300 outlines the process for developing an overall audit strategy for the audit engagement. The first step in audit planning involves establishing the overall audit strategy that forms a basis for developing a detailed audit plan.

The overall audit strategy is distinct from the audit plan in that it sets a framework for the scope, timing and direction of the audit. This rather guides the preparation of the detailed audit plan, which contains more in-depth information on the results of the risk assessment and on the actual audit procedures to be conducted.

The overall strategy may be influenced by additional information obtained while understanding the entity and its environment, performing risk assessment procedures, performing further audit procedures, evidence gathering and at the time of accumulating misstatements. Such additional information may be used to review and update the strategy. As stated in ISSAI 1300.10 overall strategy document is a live document that will be continuously updated at each stage of audit, depending on the additional information gathered by the auditor. The overall audit strategy and any significant changes therein should be documented.

According to ISSAI 1300.7 the auditor shall establish an overall audit strategy that sets the scope, timing and direction of the audit and that guides the development of the audit plan. ISSAI 1300.8 requires that in establishing the overall audit strategy, the auditor shall:

a. identify the characteristics of the engagement that define its scope, e.g. additional funds from donors may extend the scope; b. ascertain the reporting objectives of the engagement to plan the timing of the audit and the nature of the communications required; c. consider the factors that, in the auditor’s professional judgment, are significant in directing the engagement team’s efforts, in areas such as auditing in sensitive environments; d. consider the results of preliminary engagement activities and, where applicable, whether knowledge gained on other engagements performed by the engagement partner for the entity is relevant; and e. ascertain the nature, timing and extent of resources necessary to perform the engagement.

46 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

These requirements will be explained in following paragraphs. The issues of resources is often determined without assessment of the assignment, this should be brought to the attention of management.

a. The characteristics of the engagement that define its scope are: ISSAI 1300.8

1) Under characteristics of the audit engagement the auditor will need to consider the Financial Reporting Framework for the Financial Statements. This refers to the source of accounting principles used to prepare the financial statements (e.g. IFRS, IPSAS, legislation, national accounting standards, government directives etc.). Knowledge of the basis of the financial reporting framework is fundamental to the auditor’s understanding. The financial reporting framework establishes the criteria for preparation of the financial statements. An example of a risk that can arise may be that the entity does not have staff that is knowledgeable about accrual accounting and the related financial reporting standards. The risk that the financial statements do not meet the standards is therefore increased and will have an impact at the financial statements level. Disclosure and recognition requirements for the financial statements may not be met.

2) The entity may also have reports which are required by regulators of their specific industry. The nature of the public sector is such that is rarely subject to industry-specific regulation. However, in the public sector there may be specific reporting requirements in legislation that the auditor must understand. For example, there may be regulation or policy that requires a government entity to report on actual results versus budget or appropriation.

3) The scope of the audit outlines the aspects of the audit such as the financial reporting framework, the number and location of components to be audited, whether the financial statements are stand-alone or consolidated. See also requirements stated in ISSAI 1600 “Special Considerations – Audits of Group Financial Statements (Including the Work of Component Auditors). It also details the extent to which components are audited by other auditors, and the requirement to produce regulatory reports. Timing sets out the timeframe for reporting by the entity, audit by the financial statement auditor, and the communication with the entity and within the audit office.

4) As stated in practice note to ISSAI 1300 in defining the scope of audit public sector auditors need to consider additional characteristics. Examples of such characteristics may encompass:

• Additional reporting responsibilities for the entity established by the legislature that may influence the scope and timing of the audit, and the nature of communication. Examples of such additional requirements may include a requirement for the entity to report on government funding, including grants;

• Additional reporting responsibilities for the public sector auditors as a result of the audit mandate or other requirements that may influence the scope and timing of the audit, and the nature of communication Examples of such additional responsibilities for the public

47 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

sector auditors may include reporting instances of non-compliance with authorities including budgets and accountability frameworks, and/or reporting on effectiveness of internal control. b. Timetable for Reporting and Communication: ISSAI 1300.8

Reporting objectives deal with the entity’s reporting timetable, the timing of the audit and audit report and communication between auditors and management, those charged with governance and third parties, as well as among the audit team.

The overall strategy will have to consider the availability of staff to meet the deadlines. This will be impacted by the results of the risk assessment procedures and the extent of work to be performed. The manner and timing of communications with management and those charged with governance concerning the nature, timing and extent of the audit work, auditor’s report, management letters and other communications should be documented at this stage. For example, arrangements for entrance interviews and preliminary review of financial information can be made. Minutes of those meetings should be agreed and documented. References for those minutes can be included in the working paper. Communication will also be taking place among the audit team and with auditors of other components, where relevant. Timelines for team meetings and agendas for those meetings and reviews can be listed with reference to the supporting documents. c. In developing the overall audit strategy, the auditor should consider following significant factors:ISSAI 1300.8

1) Materiality The auditor should determine materiality for the financial statements as a whole, for specific classes of transactions, balances and events (if applicable) and performance materiality. Performance materiality is used in the planning stage for assessing the risk of material misstatements and the nature, timing and extent of further audit procedures. For materiality see section 3.

2) Material misstatements In certain areas there is a higher risk of material misstatement based on the knowledge of the entity and information gathered. The auditor considers the likelihood and the impact of the risk of material misstatement at the financial statement level and for those specific components, classes of transactions, balances and events for which a lower materiality has been set. For material misstatements see section 4.

3) Internal control Evidence of management’s commitment to the design, implementation and maintenance of sound internal controls should be obtained. The auditor uses the results of previous audits as part of the evaluation of the operating effectiveness of internal controls. For example, auditors can note the nature

48 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit of identified deficiencies and the action taken to address them. Additional considerations in obtaining the understanding of internal control public sector are stated in practice note to ISSAI

4) Other significant factors Significant changes in the business development such as changes in information technology and business processes and key management: changes in the industry such as industry relations and new financial reporting: changes in the financial reporting framework, such as changes in the accounting standards; changes in the legal environment affecting the entity should be documented. Such factors may affect more than one audited entity and should be identified at the overall SAI level.

5) Considering fraud The primary responsibility for the prevention and detection of fraud rests with both those charged with governance of the entity and management. An auditor conducting an audit in accordance with ISAs is responsible for obtaining reasonable assurance that the financial statements taken as a whole are free from material misstatement, whether caused by fraud or error.

Owing to the inherent limitations of an audit, there is an unavoidable risk that some material misstatements of the financial statements may not be detected, even though the audit is properly planned and performed. When obtaining reasonable assurance, the auditor is responsible for maintaining professional skepticism throughout the audit, considering the potential for management override of controls and recognizing the fact that audit procedures that are effective for detecting error may not be effective in detecting fraud.

(e) Issues such as the nature, timing and extent of resources need to be considered. ISSAI 1300.8

The resources required for specific audit areas should be determined, allowing for high risk areas to be assigned to experienced team members and considering whether there is a need for experts. The amount of resources to allocate to specific audit areas, such as the number of team members assigned to observe the inventory count at the material locations, the extent of review of other auditor’s work or the audit budget in hours to allocate to high risk areas.

Other factors to be considered: In addition to ISSAI 1300.8 requirements completing overall audit strategy:

• Whether the entity has more than one division to be audited and their locations; in case of government organizations, there are often multiple locations where control over transactions is exerted locally.

• Whether the entity utilizes segment reporting and/or there is need for specialized knowledge.

• Some entities may use service organizations as explained in ISSAI 1402. For example payroll processing may be done by a company offering such services. In other cases, the entire accounting process may be outsourced to the entity’s parent ministry or department. While the latter case may not meet the technical definition of service organization, it does raise the same types of issues for

49 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

auditors-i.e. how does the auditor gain an understanding of the processes and controls relevant to the audit, for transactions processed outside the audited entity? The overall audit strategy must take into consideration the implications of such arrangements, particularly on audit risk.

• Many ministries and government entities utilize internal audit as part of their control mechanism. The availability of the work of internal auditors and the level of reliance that is to be placed on such work should be considered in the overall audit strategy. Use of work of internal auditors is described in ISSAI 1610. Information to be documented about internal audit at this stage includes: • The size and structure of internal audit and their work review process. • Who internal audit reports to (i.e. to determine the degree of independence from clients). • The qualification and experience of the internal auditors. • An outline of how their work is documented. The ability to place reliance on the work of internal audit can reduce audit risk. The auditor may then be able to focus resources on areas not covered by internal audit. Total coverage in terms of audit review would then be increased. The work of internal audit could also help in focusing audit resources in areas of high risk identified in internal audit reports.

The considerations in establishing an overall audit strategy have been listed in appendix to ISSAI 1300.

To conclude on overall audit strategy sets the direction of the audit and relates to where the resources of the audit will be focused. This is based on significant factors such as materiality and the impact of assessed risks of material misstatement, the results of preliminary engagement activities and review of knowledge gained on other engagements.

3. Materiality in Planning and Performing an Audit

As part of the overall audit strategy, the auditor establishes overall materiality for the financial statements as a whole as stated in ISSAI 1320.10. This is one amount covering all financial statements. The concept of materiality is considered in financial reporting frameworks in context of preparation and presentation of financial statements. This includes consideration of: • Misstatements, including omissions that are considered to be material if they, individually or in aggregate, could reasonably be expected to influence the economic (or in the case of public sector entities, other relevant) decisions of users taken on the basis of the financial statements; • Judgments about materiality, that are made in light of surrounding circumstances, and are affected by the size or nature of a misstatement, or a combinations of both; and • Judgments about matters that are material to users of the financial statements are based on a consideration of the common financial information needs of users as group.

The determination of materiality is always a matter of auditor’s professional judgment, and is affected by his or her perception of the financial information needs of users of the financial statements. SAIs must also consider the public sector environment in which the entities operate. Therefore the impact of legislation, other regulations or authority and more general expectations of stakeholders are also considered by SAIs when establishing materiality for audit. Practice note in ISSAI 1315 elaborates that

50 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit when determining materiality for planning purposes in the public sector both quantitative and qualitative matters as well as the nature of items are of importance. The context in which the matter appears may be of importance.

ISSAI 1315. P10: When determining whether a particular class of transactions, account balance, disclosure, or other assertion which is part of the financial reporting framework, is material by virtue of its nature, public sector auditors take into account qualitative aspects such as: • The context in which the matter appears, for example if the matter is also subject to compliance with authorities, legislation or regulations, or if law or regulation prohibits overspending of public funds, regardless of the amounts involved; • The needs of the various stakeholders and how they use the financial statements; • The nature of the transactions that are considered sensitive to users of the financial statements; • Public expectations and public interest, including emphasis placed on the particular matter by relevant committees in the legislature, such as a public accounts committee, including the necessity of certain disclosures; • The need for legislative oversight and regulation in a particular area; and • The need for openness and transparency, for example if there are particular disclosure requirements for frauds or other losses.

The concept of materiality is applied by the auditor throughout the audit in: • Planning; • Performing the audit; • Evaluating the effect of identified misstatements on the audit and of uncorrected misstatements, if any, on the financial statements; and • Forming the opinion in the auditor’s report.

ISSAI 1320.11 has an additional concept that auditors must consider when planning and performing an audit - that of performance materiality. Performance materiality is the amount(s) set by the auditor at less than overall materiality for the financial statements as a whole or, if applicable, for the materiality established for particular classes of transactions, account balances or disclosures. Performance materiality is used to reduce to an appropriately low level the probability that uncorrected and undetected misstatements will exceed materiality for the financial statements as a whole or for the materiality established for particular classes of transactions, account balances or disclosures.

A lower performance materiality increases the amount of work that the auditor will have to perform. On the other hand, a higher performance materiality increases the risk of undetected misstatements, increasing detection risk and the possible resulting conclusion that insufficient evidence has been gathered. In such a case the auditor would have to revise the overall audit strategy (i.e. known and projected misstatements plus uncertainty about undetected misstatements exceeds overall materiality for the audit) and carry out further audit procedures.

51 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

4. Performing Risk Assessment Procedures

The objective of the risk assessment phase of the audit is to identify sources of risk, and then to assess whether they could possibly result in a material misstatement in the financial statements.

Risk assessment consists of following steps:

1. Inherent risk identification; 2. Inherent (preliminary) risk assessment; 3. Identification of significant risk; 4. Understanding internal control; 5. Evaluating internal control; 6. Final risk assessment; There are two major classifications of inherent risk: business risk and fraud risk. Business risks result from significant conditions, events, circumstances, actions that could adversely affect the entity’s ability to achieve its objectives and execute its strategies. Fraud risk relates to events or conditions that indicate an incentive or pressure to commit fraud or provide an opportunity to commit fraud (2).

1. Inherent Risk Identification

To begin with the risk assessment process is to gather relevant information about the entity. The first step is called risk identification and this involves:

• Identifying sources of inherent risk through understanding the entity;

• Determining the possible effects of the risk sources identified (potential misstatements in the financial statements), including the possibility of fraud;

• Relating the effects of risks to the financial statement area and assertions affected, or determining that the risks are pervasive to the financial statements as a whole and potentially affect many assertions.

For identifying risks auditor may consider following areas:

1) External factors like nature of industry, regulatory environment, financial reporting framework;

2) Nature of entity like operations and key personnel, governance, investment, structure and financing;

3) Accounting policies like selection and application of policy, reasons for changes and appropriateness to entity

4) Entity objectives and strategies and financial implications;

5) Review of financial performance;

52 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

6) Internal control relevant to the audit – processes and relevant controls to mitigate risks at the entity level and at the transactional level.

As stated in Practice note to ISSAI 1315 identifying and assessing the risks of material misstatement auditor may have to consider a need for additional assertion that transactions and events have been carried out in accordance with legislation. Inherent risk identification is described in ISSAI 1200.13; 1240.11-15, 17-18, 22-24, 44; 1315.11.

2. Inherent (preliminary) Risk Assessment

The second step is to assess the identified risks and determine their importance for the audit of the financial statements. It is preferable to assess the inherent risks before considering any internal control that might mitigate such risks.

Risk assessment involves consideration of two attributes about the risk:

• The likelihood of a misstatement occurring as a result of the risk. The auditor could evaluate this probability simply as high, medium, or low, or could assign a numerical score.

• The magnitude (monetary impact) if the risk would occur.

Risk assessment should be addressed by the entity’s management as well. The auditor shall make inquiries of management as to how it identifies and manages risk, and then as to what risks have actually been identified and managed. Requirements of assessment of inherent risks have been covered in ISSAI 1240.25-27; 1315.25-26.

3. Identification of Significant Risks

Third step after the business and fraud (inherent) risks have been identified and assessed is to consider the existence of significant risks. A significant risk is where the assessed risk of material misstatement is so high that, in the auditor’s judgment, it will require special audit consideration. Significant risks are assessed before consideration of any mitigating controls. Significant risk is based on the inherent risk (before considering the related internal control) and not the combined risk (considering both inherent and internal control risks).

Examples for significant risks are large non-routine transactions; matters requiring judgment or management intervention or potential fraud.

When a risk is classified as significant, the auditor should consider the respond:

1) Evaluating internal control design and implementation over each significant risk. Consider the existence of direct controls such as control activities and indirect (pervasive) controls which may be included in the control environment, risk assessment, information systems, and monitoring elements.

2) Designing an audit response to the identified significant risks. These procedures would be designed to obtain audit evidence with high reliability, and could include tests of controls and substantive procedures.

53 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

3) Substantive analytical procedures alone are not sufficient. The use of substantive analytical procedures is not considered an appropriate response to address a significant risk.

ISSAIs requirements concerning significant risks are as following: 1240.26; 1315.4, 25, 27-29; 1330.21; 1550.18-19.

4. Understanding Internal Control

Next step in risk assessment phase is to understand internal control relevant to the audit. Internal control refers to the processes, policies, and procedures designed by management to ensure reliable financial reporting and the preparation of financial statements in accordance with the applicable accounting framework. Internal control addresses such matters as management’s attitude toward control, competence of key people, risk assessment, accounting, and other financial information systems in use, as well as the traditional control activities. Internal controls can be broadly categorized as pervasive (or entity-level) controls that address pervasive risks and specific (transactional) controls that address specific risks.

Obtaining a sufficient understanding of internal control relevant to the audit involves the performance of risk assessment procedures to identify the controls that will directly or indirectly mitigate material misstatements. Not all control activities are relevant to the audit and auditor is only concerned with evaluating those controls that mitigate a risk of a material misstatement in the financial statements.

The information obtained about internal controls will assist the auditor in assessing the residual risk (inherent and control risk) of material misstatement at the financial statement and assertion levels and designing further audit procedures that are responsive to the assessed risks. Understanding of internal controls is covered in ISSAI 1315.4, 12, 14-15, 18-22.

5. Evaluating Internal Control

Next auditor will evaluate control design and implementation of internal controls (3). Evaluation of control design and implementation of internal controls means that auditor shall:

• Identify the inherent risks of material misstatement (business and fraud risks), and whether they are pervasive risks or specific risks.

• Identify the controls mitigate the risks identified and assess whether the controls do in fact mitigate the risks.

• Observe or inspect the operation of relevant internal controls to ensure that they have indeed been implemented.

• Document the operation of the relevant internal controls identified.

Evaluating internal controls ISSAI has following requirements ISSAI 1315. 13, 29, 32; 1260.10; 1265.6-11.

6. Risk Assessment

54 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

The final step in the risk assessment phase of the audit is to review the results of the risk assessment procedures performed, and assess the risks of material misstatements at the financial statement level and the assertion level for classes of transactions, account balances, and disclosures.

The resulting list of assessed risks will form the foundation for the next phase in the audit, which is to determine how to respond appropriately to the assessed risks through the design of further audit procedures.

The evidence obtained to date, by performing risk assessment procedures, consists of identification and assessment of inherent risks, and the design and implementation of internal controls that address those risks. The risk of material misstatement is the remaining risk after taking into account the effect of internal controls put in place to mitigate the inherent risks. Assessing the risk of material misstatements has been explained ISSAI 1315. 25, 26, 32.

The summary of assessed risks can be documented:

• A separate document that summarizes the inherent and control risk assessments.

• Include with the overall audit strategy and audit plan. The first part of each section of the audit plan (such as for receivables, payables, etc.) could outline the risk assessments and the impact on the planned audit procedures.

• Incorporate risk assessments as part of the auditor’s documentation of further procedures. In this case, the risk assessments, audit plans, and the results of work performed could all be documented in one comprehensive working paper for each financial statement area.

5. Risk Response

In the risk response phase of the audit, the objective is to obtain sufficient appropriate audit evidence regarding the assessed risks. This means designing and implementing appropriate responses to the assessed risks of material misstatement at the financial statement and assertion levels. The objective in designing an appropriate audit response is to obtain evidence that addresses the risk assessments developed for each relevant assertion. Pervasive risks at the financial statement level are addressed through the design and implementation of an overall response by the auditor.

Developing an audit plan involves 3 general steps. The first step is to develop an appropriate overall response to assessed risks at the financial statement level. The next step is to identify specific procedures required for material financial statement areas. If the assertions cannot be addressed by substantive tests alone, tests of controls will be required. The last step is to determine the nature and extent of audit procedures required. Auditor shall use professional judgment to choose the appropriate mix of procedures and extent of testing required to respond appropriately to the assessed risks at the assertion level.

A complete audit plan should cover areas:

• All material financial statement areas been addressed

55 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

• Use of evidence obtained in prior periods is decided

• The financial statement closing process been addressed

• Significant risks have been addressed

• Evidence obtained from interim testing has been updated

• Potential risks of fraud have been addressed

Documentation of risk response:

The overall risk responses may be documented as a stand-alone document or as part of the overall audit strategy. The detailed audit plan can be documented in the form of an audit program that outlines the nature and extent of procedures and the assertion(s) being addressed.

ISSAI requirements concerning risk response are following: ISSAI 1330. 5-10, 15, 18-22, 24; ISSAI 1260.15; ISSAI 1300.9-12; ISSAI 6-7, 10.

6. Further Explanations of Consideration in the Audit Planning

Accounting estimates: When and how public sector entities’ use accounting estimates depends on the types of financial items reported and on the applicable financial reporting framework. Some important estimates in the public sector may relate to assets, liabilities and disclosure items and are listed in practice note of ISSAI 1540. The objective of the public sector auditor is to obtain sufficient appropriate audit evidence about whether accounting estimates are reasonable and related disclosures are adequate in the context of the financial reporting framework.

Related parties: As stated in the practice note ISSAI 1550 public sector entities may also be subject to specific restrictions on the nature and scope of the transactions that they can have with related parties. The restrictions may prohibit transactions or practices that might be permissible in related party relationships outside the public sector. The specifies for public sector auditors in obtaining an understanding of the public sector entity’s related party relationships and transactions are explained in practice note to ISSAI 1550.

Going concern: As explained in practice note of ISSAI 1570 public sector entities may spend more in one year than they have resources to cover, such that their income may be less than their expenditure or there is an excess of liabilities over assets. However, it is uncommon for the operational existence of a public sector entity to cease or its scale of operations to be subject to a forced reduction as a result of an inability to finance its operations or of net liabilities. In forming a view of the entity’s ability to continue its operations, public sector auditors’ consideration of going concern embraces two separate, but sometimes overlapping, factors:

56 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

• The greater risk associated with changes in policy direction (for example, where there is a change in government); and • The less common operational, or business, risk (for example, where an entity has insufficient working capital to continue its operations at its existing level). Further guidance on going concern issues in public sector is outlined in practice note of ISSAI 1570.

Summary

This chapter outlined the process for developing an overall audit strategy for the audit. It indicated that the first step in audit planning involves establishing the overall audit strategy for the engagement as a basis for developing a detailed audit plan. The overall audit strategy is distinct from the audit plan in that it sets a framework for the scope, timing and direction of the audit. This rather guides the development of the detailed audit plan, which contains more in-depth information on the results of the risk assessment and on the actual audit procedures to be conducted.

The objective of the risk assessment phase of the audit is to identify sources of risk, and then to assess whether they could possibly result in a material misstatement in the financial statements. Risk assessment consists of identification of inherent (business and fraud) risk, preliminary assessment of those risks, then identification of significant risks, followed by understanding and evaluating of internal controls relevant to audit. The final step in the risk assessment phase of the audit is to review the results of the risk assessment procedures performed, and then assess (or, if already assessed, summarize) the risks of material misstatements at financial statement level or assertion level. The next phase of the audit is determining how to respond appropriately to the assessed risks through the design of further audit procedures.

Next chapter on Fieldwork provide guidance on the issues of conducting audit procedures and obtaining sufficient audit evidence.

57 Chapter 4: Planning an audit of financial statement Page

iCAT: Financial Audit

Chapter 5

Fieldwork

Introduction

In the previous chapter the facilitator has become aware of the various phases of the planning cycle. After assessing the risk the auditor’s response is to design audit procedures to address those risks identified. In this chapter the facilitator will be taken through the requirements of the fieldwork stage of the audit.

ISSAI 1330 notes that the auditor needs to design and implement overall responses to address the assessed risks of material misstatement at the financial statement level as we have discussed in the last module. Such overall responses to address the assessed risks of material misstatement include:

• Emphasizing to the audit team the need to maintain professional scepticism. It is discussed in Pre-engagement chapter core text in section 4.

• Assigning more experienced staff or those with special skills or using experts.

• Providing more supervision.

• Designing further audit procedures to address the elements of unpredictability.

• Making general changes to the nature, timing, or extent of audit procedures; for example, performing substantive procedures at the period end instead of at an interim date; or modifying the nature of audit procedures to obtain more persuasive audit evidence. (ISSAI 1330 Para 3)

The ISSAIs has 123 requirements for the fieldwork stage of the audit and these requirements are cross referenced in the iCAT. This core text is not a substitute for the reading of the ISSAIs but it can be used to develop a better understanding of the standards relating to fieldwork.

In the core text we will be focusing on the audit documentation, audit procedures, the quality control relating to the audit field work and explanation of some key concepts relevant to conducting an audit.

1. Audit Documentation

1.1 Purpose of Audit Documentation

The audit documentation shall include the overall responses to address the assessed risks of material misstatement at the financial statement level, and the nature, timing, and extent of the further audit procedures performed. Documentation should establish the linkage of those procedures with the assessed risks at the assertion level; and the results of the audit procedures, including the conclusions where these are not otherwise clear.

58 Chapter 5: Fieldwork Page

iCAT: Financial Audit

The form and extent of audit documentation is a matter of professional judgment, and is influenced by the nature, size and complexity of the entity and its internal control, availability of information from the entity and the audit methodology and technology used in the audit.

If the auditor plans to use audit evidence about the operating effectiveness of controls obtained in previous audits, the auditor shall include in the audit documentation the conclusions reached about relying on such controls that were tested in a previous audit. The auditor’s documentation shall demonstrate that the financial statements agree or reconcile with the underlying accounting records.

1.2 Working papers

The working papers of audit should document the audit procedures undertaken, the conclusion drawn and implications on the audit opinion. They should also record the reasoning on all significant matters where the auditors have used their judgment. This documentation will help auditors of financial statements ensure that they completed all the work required. The documents provide the evidence to support the audit opinion reached and allow review of the audit work.

The working papers should record:

• All the audit procedures in the plan performed and the justification given for any deviation there from;

• Results of the audit procedures, drawing out clearly any errors or control weaknesses identified;

• All errors or control weaknesses investigated and discussed with the management, as necessary;

• Any matters that are unresolved or that should be informed to the entity; and

• The conclusions made by the auditors from the audit execution phase, the judgments made in reaching such conclusions and reasons underlying them.

All correspondence with the entity should be retained together with any minutes of the meeting in accordance with the SAI’s policy.

Audit documentation should be of good quality so that an experienced and competent auditor with no previous association with the entity should be able to ascertain the evidence gathered and understand and support the conclusions reached without any difficulty. This will also be more relevant in the event that there is an unexpected change in the audit team.

2. Audit Sampling

2.1 Overview

After designing tests of controls and substantive tests, the auditor should identify the items or transactions on which to perform the audit procedures, appropriate to the purpose. This should be done in order to gather sufficient appropriate audit evidence to meet the objectives of the audit procedures including when the objective is to evaluate the compliance with laws and regulations. The objective is to

59 Chapter 5: Fieldwork Page

iCAT: Financial Audit provide a reasonable basis for the auditor to draw conclusions about the population from which the sample is selected. (ISSAI 1530.4-9)

In the Public Sector audit sampling may be affected by the SAI’s mandate, which in addition to expressing an opinion on the financial statement may be to report on compliance with legislature, regulatory, ministerial directive and government policies. Also, reviewing non-financial information contained in financial statements, public sector auditors consider whether sampling will be useful in testing such non- financial information contained in financial statements.

The use of audit sampling for testing compliance with authorities is similar to other uses of audit sampling in that public sector auditors:

• Determine sample design and audit parameters, including materiality, desired confidence level, and sample selection method;

• Perform relevant audit procedures on each item selected;

• Investigate the nature and causes of non-compliance; and

• Evaluate the results, including projecting the results across the population if the sample was selected using statistical procedures

2.2 Sample Design, Size and Selection of Items for Testing

When designing an audit sample as required by ISSAI 1530 public sector auditors may set different levels of parameters, including materiality and a higher level of confidence, and this may affect the sample size. Public sector auditors might design separate samples to test controls and compliance or may design one sample to test both. For example, a sample of disbursements might be used to test controls over disbursements as well as whether the disbursements were in accordance with authorities.

The auditor should select items for the sample with the expectation that all sampling units in the population have a chance of selection. The sample size can be determined by the application of a statistically-based formula or through the exercise of professional judgment objectively applied to the circumstances.

2.3 Perform relevant audit procedures

The auditor should perform audit procedures appropriate to the particular audit objective on each item selected. If a selected item is not appropriate for the application of the audit procedure, the audit procedure should be performed on a replacement item.

Sometimes however, the auditor is unable to apply the designed audit procedures to a selected item because, for instance, documentation relating to that item has been lost. If suitable alternative audit procedures cannot be performed on that item, the auditor ordinarily considers that item to be either a deviation from the prescribed control, in the case of tests of controls, or a misstatement, in the case of substantive tests. (ISSAI 1530.11)

2.4 Evaluation of Results

60 Chapter 5: Fieldwork Page

iCAT: Financial Audit

The auditor should evaluate the sample results, the nature and cause of any deviations or misstatements identified, and their possible effect on the particular audit objective and other areas of the audit. At the end the auditors should evaluate whether the use of audit sampling has provided a reasonable basis for conclusions about the population that has been tested. (ISSAI 1530.12;15)

Auditors should also consider instances where for example management cannot provide adequate explanations for deviations and misstatements. In some environments such as a Court of Accounts environment auditors may be obliged to investigate further the underlying reasons for the lack of information and determine who is responsible. (ISSAI 1530 P11; P12)

In the case of tests of controls, an unexpectedly high sample error rate may lead to an increase in the assessed risk of material misstatement, unless further audit evidence substantiating the initial assessment is obtained. Auditors should re-assess the control reliance to a lower level (medium or none) in the Reliance on key controls for components.

In the case of substantive testing, unexpectedly high rate of misstatements in a sample may cause the auditor to believe that an account balance may be materially misstated. This is the case for example when the total accumulated errors and misstatements on the account balance projected to the total account balance exceed the tolerable misstatement.

3. Audit Procedures

3.1 Overview

After gaining an understanding of the audit entity, its environment and internal controls and having conducted a risk assessment, audit procedures are identified to address those risks. These can be summarized as follows:

• Test of control • Substantive procedures o Substantive analytical procedures o Test of details

3.2 Tests of controls

Test of controls are performed to address the effectiveness of the entity’s controls. In designing and performing tests of controls, the auditor should consider how the controls were applied, the consistency of application and by whom or by what means they were applied. The auditor should also establish whether the controls to be tested are affected by other indirect controls and if it is necessary to consider these controls when obtaining supportive audit evidence. Tests of controls should be conducted for the particular time or period for which the auditor intends to rely on these controls (ISSAI 1330, Para 10 to 11).

The controls that are required to be assessed are: • Relevant controls • Controls relating to significant risks

61 Chapter 5: Fieldwork Page

iCAT: Financial Audit

3.3 Substantive Procedures

ISSAI 1330 stipulates that, irrespective of the assessed risks of material misstatement, the auditor should design and perform substantive procedures (i.e. substantive analytical procedures and/or substantive test of details) for each material class of transactions, account balance, and disclosure. This requirement reflects the fact that (a) the auditor’s assessment of risk is judgmental and so may not identify all risks of material misstatement; and (b) there are inherent limitations to internal control, including management override.

3.3.1 Nature and Extent of Substantive Procedures

Depending on the circumstances, the auditor may determine that: • Performing only substantive analytical procedures will be sufficient to reduce audit risk to an acceptably low level. For example, where the auditor’s assessment of risk is supported by audit evidence from tests of controls. • Only tests of details are appropriate. • A combination of substantive analytical procedures and tests of details are most responsive to the assessed risks.

If substantive procedures are performed at an interim date, the auditor shall cover the remaining period by performing:

a. substantive procedures, combined with tests of controls for the intervening period; or

b. if the auditor determines that further substantive procedures alone is sufficient to provide a reasonable basis for extending the audit conclusions from the interim date to the period end.

The extent of testing should be linked to the SAIs sampling methodology and assessment of materiality.

3.3.2 Substantive Analytical Procedures

Analytical procedures can be used in each phase of the audit.

• At the beginning of the audit, analytical procedures are used as a risk assessment procedure.

• During the audit, analytical procedures are performed to analyze variances in data and to substantiate certain transaction streams and account balances.

• Near the end of the audit, analytical procedures are performed to determine whether the financial statements are consistent with the auditor’s understanding of the entity, or to indicate a previously unrecognized risk of material misstatement due to fraud.

3.3.3 Test of Details

The audit opinion requires assurance on the assertions that when aggregated provides an opinion on the financial statements. The test of controls and substantive analytical procedures can provide a substantial

62 Chapter 5: Fieldwork Page

iCAT: Financial Audit amount of assurance; however, there are instances where they may not be comprehensive. Two examples of where further test of details may be required include:

• Testing compliance of laws and regulations • Testing of items linked to significant risks

4. Audit Evidence

4.1 Overview

During the audit execution phase, the auditor should obtain the audit evidence from a number of sources in a number of ways in support of both testing of controls and substantive procedures. Following are the methods of obtaining audit evidence: • Inspection • Observation • Inquiry and confirmation • Computation • Analytical procedure • Surveys • Interviews

4.2 Evaluating the Sufficiency and Appropriateness of Audit Evidence

If the auditor has not obtained sufficient appropriate audit evidence as to a material financial statement assertion, the auditor shall attempt to obtain further audit evidence. If the auditor is unable to obtain sufficient appropriate audit evidence, the auditor shall express a qualified opinion or disclaim an opinion on the financial statements.

The reliability of audit evidence is increased (with some exceptions) when it is obtained from independent sources outside the entity.

To avoid unwarranted reliance on a source of data used, the auditor would perform substantive tests of the underlying data to determine whether it is sufficiently reliable, or test whether internal controls over the data’s completeness, existence, and accuracy are operating effectively. In some cases, non-financial data (for example, quantities and types of items produced) will be used in performing analytical procedures. Accordingly, the auditor needs an appropriate basis for determining whether the non- financial data is sufficiently reliable for the purposes of performing the analytical procedures.

Audit evidence in the form of external confirmations received directly by the auditor from appropriate confirming parties may assist the auditor in obtaining audit evidence with the high level of reliability that the auditor requires to respond to significant risks of material misstatement, whether due to fraud or error.

4.3 Differences from Expectations/Contradictory Evidence

When differences are identified between recorded amounts and the auditor’s expectations, the auditor would consider the level of assurance that the procedures are intended to provide and the auditor’s

63 Chapter 5: Fieldwork Page

iCAT: Financial Audit performance materiality. The amount of the acceptable difference without investigation would, in any event, need to be less than performance materiality.

Procedures used for the investigation could include: • Reconsidering the methods and factors used in forming the expectation; • Making inquiries of management regarding the causes of differences from the auditor’s expectations and assessing management’s responses, taking into account the auditor’s understanding of the business obtained during the course of the audit; and • Performing other audit procedures to corroborate management’s explanations As a result of this investigation, the auditor may conclude that: • Differences between the auditor’s expectations and recorded amounts do not represent misstatements; or • Differences may represent misstatements, and further audit procedures need to be performed to obtain sufficient appropriate audit evidence as to whether a material misstatement does or does not exist.

5. Communication with the Audit Team

5.1 Internal Communication

Communication with the audit team should be throughout the audit and this should be documented. Discussion could focus on the: • Audit results • Progress, and issues identified • Changes in audit plan • New information • Unusual events/transactions, such as fraud and related parties transactions • Suggestions for next period’s audit

Audit team members should be encouraged to communicate and share the information that they obtain throughout the audit on any matters of relevance, particularly when it affects the assessment of risk and planned audit procedure.

ISSAI 1240 Paragraph 15 requires a discussion among the engagement team members and determination by the engagement partner of which matters are to be communicated to those team members not involved in the discussion. In the public sector, the discussion may also cover the additional objectives and related risks of material misstatement. Public sector auditors may include auditors engaged in performance audits and other audit activities of the entity in such a discussion.

Discussing the susceptibility of the entity’s financial statements to material misstatement due to fraud with the engagement team: • Provides an opportunity for more experienced engagement team members to share their insights about how and where the financial statements may be susceptible to material misstatement due to fraud. • Enables the auditor to consider an appropriate response to such susceptibility and to determine which members of the engagement team will conduct certain audit procedures.

64 Chapter 5: Fieldwork Page

iCAT: Financial Audit

• Permits the auditor to determine how the results of audit procedures will be shared among the engagement team and how to deal with any allegations of fraud that may come to the auditor’s attention. ISSAI 1240 (A10)

5.2 External Communication: Written Representations

Written representations are an important source of audit evidence, for reasons such as the following:

• If management modifies or does not provide the requested written representations, it may alert the auditor to the possibility that one or more significant issues may exist; and

• A request for written (rather than oral) representations may prompt management to consider such matters more rigorously, thereby enhancing the quality of the representations.

Written representations are requested from those responsible for the preparation and presentation of the financial statements and knowledge of the matters concerned.

The auditor is required to request management to provide a written representation that: • It has fulfilled its responsibility for the preparation of the financial statements in accordance with the applicable financial reporting framework; • It has provided the auditor with all relevant information and access as agreed in the terms of the audit engagement; and • All transactions have been recorded and are reflected in the financial statements.

If management does not provide these required representations, or if the auditor concludes there is sufficient doubt about the integrity of management such that these representations are not reliable, then the auditor must disclaim an opinion on the financial statements. Written representations also support other evidence relevant to the financial statements.

6. Quality Control

6.1 Before the Audit

Before the commencement of the audit, the engagement leader should ensure that the engagement team is: • Independent, and that no conflicts of interest exist: and • Competent to perform the work with the required resources and time availability;

The engagement should ensure that if the SAI policy includes completion of a declaration to attest to independence, then this form is completed and placed on file as part of the documentation. Also, during the audit the engagement should be alert of any matter or circumstances that might threaten the team’s independence.

6.2 During the Audit

Engagement Performance

During the fieldwork the engagement leader shall take responsibility, among other things, for:

65 Chapter 5: Fieldwork Page

iCAT: Financial Audit

a. the direction, supervision and performance of the audit engagement in compliance with professional standards and applicable legal and regulatory requirements; and the auditor’s report being appropriate in the circumstances; b. reviews being performed in accordance with the firm’s review policies and procedures; c. the engagement team undertook appropriate consultation on difficult or contentious matters; d. determining whether there is a need for an engagement quality review and if so determined ensuring that an engagement quality assurance reviewer has been appointed.

Where differences of opinion arise within the audit ream with those consulted and, where applicable, between the engagement leader and the engagement quality control reviewer, the audit team, should follow the SAI’s policies and procedures for dealing with and resolving differences of opinion.

The engagement leader should ensure that reviews are performed in accordance with the SAI’s review policies and procedures which should meet the requirements of ISSAI 40. (Ref: ISSAI 1220 paragraphs 16 and A.16 to A.17, A.20 and ISSAI 40- paragraphs 32 and A.34)

The engagement leader/supervisor is responsible for ensuring that reviews of the working papers are carried out in order to be satisfied that they demonstrate that sufficient appropriate audit evidence has been obtained to support conclusions reached for the auditor’s report to be issued (Ref. ISSAI 1220 paragraphs 17 and A.18 to A.20). Evidence of working paper review should indicate what audit work was reviewed, who reviewed such work, and when it was reviewed.

6.3 Consultation and Differences of Opinion

Where differences of opinion arise during the audit within the engagement team, with those consulted and, where applicable, within the SAI, the SAI should have policies and procedures for dealing with and resolving differences of opinion. The engagement leader in carrying out reviews should ensure that the SAI’s policy and procedures were followed and results documented.

6.4 Engagement Quality Control Review (EQCR)

EQCR is the objective evaluation of the significant judgments made by the audit team and the conclusions reached in formulating the independent auditor’s report. As part of the system of quality control, ISSAI 40 states that an EQCR should be performed for all audits meeting the agreed criteria. Examples: • where a qualified or adverse opinion is being proposed or anticipated; • where client activities are of special interest to the general public or media; and • where clients are considered as being of higher audit risk, for example due to: a history of weak internal systems of control; or where complex or novel accounting issues exist

During the fieldwork, the engagement leader should ensure that EQCR is conducted in a timely manner in accordance with the SAI’s policy and significant matters were resolved prior to the opinion being issued. Also, the engagement leader should ensure that the person who conducted the ECQR was objective and not involved with the audit. Additionally, conclusions reached on the EQCR must be documented.

7. Other key areas namely: Accounting Estimates and Going Concern

66 Chapter 5: Fieldwork Page

iCAT: Financial Audit

7.1 Accounting Estimates

Reviewing estimates relating to specific transactions and balances to identify possible biases on the part of management according to ISSAI 1540. Further procedures could include the following: • Reconsidering the estimates taken as a whole; • Performing a retrospective review of management’s judgments and assumptions related to significant accounting estimates made in the prior period; and • Determining whether the cumulative effect of bias in management’s estimates amounts to a material misstatement in the financial statements.

7.2 Going Concern

Public Sector Assumption on Going Concern

Cessation of a public sector entity is most likely to result from a government policy decision. A policy decision may be taken to wind up and dissolve an entity in its entirety, to scale back its operations and transfer some of its functions to another public entity, merge with another public entity or privatize the entity. In each of these cases the operational existence of all or part of the entity ceases.

Only in the case of dissolution without any continuation of the entity would the going concern basis cease to be appropriate in the public sector.

In forming a view of the entity’s ability to continue its operations, public sector auditors’ consideration of going concern embraces two separate, but sometimes overlapping, factors:

• The greater risk associated with changes in policy direction (for example, where there is a change in government); and • The less common operational, or business, risk (for example, where an entity has insufficient working capital to continue its operations at its existing level; cessation of donor funding).

Anomaly and misstatements identified

To progress the audit, the facilitator will evaluate all misstatements and other audit findings (including anomalies) and consider them for the reporting phase which is covered in the next module

Conclusion

In this chapter we have covered the auditor’s response to the assessed risk of material misstatement at the financial statement and assertion level. In responding to such risk the auditor should determine the nature, timing and extent of testing that will be performed. The sufficiency and appropriateness of audit evidence will then be assessed. The results of the audit will also be assessed, documenting work performed and communication both internally and externally.

Having completed this chapter it is expected that facilitators/persons carrying out the iCAT assessment will be familiar with the requirements of the ISSAIs that relates to fieldwork and should ensure that the

67 Chapter 5: Fieldwork Page

iCAT: Financial Audit

SAI has documentary evidence maybe in the form of an audit program that link the audit plan to the assessed risk, the work performed, audit results that will form the basis of the audit opinion, staff supervision and working paper review. In filling the columns of the iCAT where such evidence exists the facilitator should ensure that it meets the requirement of the ISSAIs and indicate this in the relevant column. If the SAI is non-compliant the reason for non-compliance should also be indicated in the related iCAT column.

At the end of this chapter the facilitator will be able to evaluate the critical aspects of the fieldwork stage of the audit. The main issues surround ensuring that the audit evidence supports any conclusions drawn from the fieldwork. Furthermore, that the conclusions drawn are in line with the audit approach of the SAI as to minimize audit risk and make an appropriate assessment as to whether there is material misstatements in the financial statements.

Next chapter is the last part of guidance for level 4 ISSAIs on reporting. After completing next chapter please consider ascertaining the status of level 2 ISSAIs as mentioned in chapter 2.

.

68 Chapter 5: Fieldwork Page

iCAT: Financial Audit

Chapter 6

Conclusion and Reporting

Introduction

In the previous chapter the focus was on the concepts of designing and implementing further audit procedures, which included whether tests of control or substantive procedures (substantive analytical procedures and test of details) have been determined and conducted. In this chapter we will cover how the misstatements accumulated during the audit will be evaluated and the preparation of auditor’s report with an opinion on the financial statement.

ISSAI 1450 (Evaluating Misstatements Identified during the Audit) stipulates that, after completing the audit, the auditor shall accumulate the misstatements and evaluate the misstatements on basis of the overall materiality. After evaluating the audit evidence obtained, the auditors’ needs to form an opinion on the financial statements based on conclusions drawn and express that opinion through a written report.

1. Accumulating Misstatements

To evaluate the aggregate effects of misstatements on the financial statements, the auditor needs to accumulate all known and likely misstatements. This should include all misstatements detected by the auditor, including any that the entity corrected during the audit. It is important to consider all misstatements to have a record of the impact of the audit, bring all misstatements to the attention of the appropriate level of management, and assist the auditor in evaluating the risk of further misstatement as a part of the consideration of unadjusted misstatements. ISSAI 1450. 5-9.

Misstatements may result from incorrect data, omission of an amount or disclosure, incorrect accounting, judgments of management that the auditor considers unreasonable. Public sector auditors may have an additional responsibility to include instances of non-compliance and weaknesses in internal controls in accumulating misstatements. ISSAI 1450 PNP9, PNP10

The auditor’s responsibility in accumulating misstatements is to determine:

• whether the audit strategy and plan need to be revised in order to do more detailed testing, if there is evidence that the misstatement may not be an isolated incidence; • if an aggregate of misstatements is likely to exceed the materiality level; • further audit procedures, if management has examined the cause of misstatements, and identified the amount misstated.

69 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

2. Evaluating Misstatements

Throughout the course of audit, the auditor proposes adjusting entries for all material misstatements that are discovered in the financial records. To issue an unmodified opinion on the financial statements any material misstatement discovered by the auditor need to be corrected. To do so, the auditor must conclude that there is a low level of risk of material misstatement of the financial statements. In evaluating this risk, the auditor develops an estimate of the total likely misstatement in the financial statement.

The auditor designs an audit to obtain reasonable assurance that all misstatements, either individually or in combination with others, greater than materiality is detected. In evaluating misstatements, the auditor considers the impact of uncertainty in the audit. The amount of materiality represents this uncertainty – the auditor has only designed an audit to detect misstatements greater than this amount.

2.1 Impact of uncorrected misstatement in the financial statement

Having accumulated all non-trivial misstatements throughout the audit, the auditor should evaluate the impact of those misstatements to determine, if individually or in total, the misstatements are material. ISSAI 1450.10-11.

Misstatements do not just consist of monetary errors on the balance sheet or income statement. For example, the auditor must also consider the impact of any misstatements that affect presentation and disclosure such as failure to present or disclose items required by the applicable framework.

3. Forming an Opinion

The auditor delivers an opinion on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework. For the audit of public sector entities the auditor often needs to report on matters such as regularity and/or legal compliance. It is reported under the subtitle Other Matters in the auditors report.

It is the auditor’s responsibility to consider whether the financial reporting framework is appropriate in jurisdiction and the actual circumstances. Auditors of public sector entities (Supreme Audit Institutions) must often consider whether there are additional legislative or regulatory requirements that affect the auditors report. These additional requirements often oblige the SAI auditor to provide an opinion on the entity’s compliance with legislative or regulatory requirements or on the strength of internal controls.

If the auditor concludes that the financial statements are free from material misstatement, he or she issues an unmodified auditors report. However, if the auditor concludes that material misstatements are present, the auditors report must be modified. The following paragraphs will outline:

• The steps the auditor takes to determine if financial statements are free from material misstatement; • The auditor’s standard report; and • Modifications to the opinion in the auditor’s report if there are material misstatements or if the auditor cannot obtain sufficient appropriate evidence to conclude that the financial statements are free from material misstatement;

70 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

• The other reporting matters including Emphasis of Matter and Other Matter paragraphs that have an impact on the reporting of the SAIs.

3.1 Misstatement less than threshold of materiality

The basic steps in reaching a conclusion on whether the financial statements are free from material misstatement, and therefore call for auditors unmodified opinion are:

1) Consideration of whether sufficient appropriate audit evidence has been obtained.

2) Consideration of whether the financial statements have been prepared in accordance with the applicable reporting framework.

If the financial statements are prepared based on compliance framework, then this is a straightforward consideration of whether the financial statements have been prepared in all material respects in accordance with the framework. However, if the financial statements are prepared based on a fair presentation framework, the auditor must also consider whether the fair presentation has been achieved. In other words, if the auditors report uses words such as “fairly presented” or “true and fair view”, the auditor must conclude whether that objective has been achieved. In such cases it is possible for the auditor to conclude that the financial statements are not fairly presented even if they have been prepared in accordance with the applicable reporting framework.

3.2 Misstatement over the threshold of materiality

When the auditor discovers a misstatement of the financial statement over the threshold of materiality he or she has to issue a modified opinion. Misstatements are material either individually or in total which depends on the nature of the audit evidence.

The different types of modifications of the opinion, and circumstances describing why and how such an opinion in the auditors report is modified are explained below - ISSAI 1700.7-15:

Qualified Opinion A qualified opinion is given when: i. The auditor has obtained sufficient appropriate audit evidence and has concluded that there are misstatements that are material; but not pervasive; or ii. The auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion and concludes that the possible effects on the financial statements of undetected misstatements, if any, could be material but not pervasive.

Adverse Opinion An adverse opinion is given when, having obtained sufficient appropriate audit evidence, the auditor concludes that misstatements are both material and pervasive to the financial statements.

Disclaimer of Opinion When the auditor is unable to obtain sufficient appropriate audit evidence on which to base the opinion, and concludes that the possible effects on the financial statements of undetected misstatements, if any, could be both material and pervasive, the auditor disclaims an opinion.

71 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

The auditor also disclaims an opinion in some rare circumstances involving multiple uncertainties. The auditor concludes that, although he or she has obtained sufficient appropriate audit evidence regarding each of the individual uncertainties, it is not possible to form an opinion on the financial statements due to the potential interaction of the uncertainties and their possible cumulative effect on the financial statements.

The different types of opinions under which they arise are listed below:

Nature of Matter Giving rise Auditors judgment about the pervasiveness of the Effects or to the Modification Possible Effects on the Financial Statements

Material but not Pervasive Material and Pervasive

Financial statements are Qualified opinion Adverse opinion materially misstated

Inability to obtain sufficient Qualified opinion Disclaimer of opinion appropriate audit evidence

4. Reporting

This section exemplifies the forms and content of a standard audit report. Once the auditor forms an opinion on financial statements, it is his or her responsibility to express clearly the opinion through a written report which provides a basis for that opinion. The contents of an auditor’s standard report in relation to the opinion on the financial statement are covered in this section. Other reporting matters that frequently impact the reporting of SAIs, including Emphasis of Matter and Other Matter paragraphs are also covered in this section.

4.1 The Auditor’s Standard Report

An auditor presents a standard report which contains the opinion formed by the auditor. The key elements required for auditors report to meet International Auditing Standards are: • The report is in writing; • The report has a title that clearly indicates that it is the report of an independent auditor; ISSAI 1700.21 • The report is addressed as required by the circumstances of the engagement. This is usually specified in law or regulation;

The auditor issues a standard report when he or she has formed an unmodified opinion.

Contents of a report - The auditor’s standard report shall include the following nine sections (A-I): ISSAI 1700.20-42

A. Introductory Paragraph B. Management’s Responsibility for the Financial Statements C. Auditor’s Responsibility D. Auditor’s Opinion

72 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

E. Other Reporting Responsibilities F. Signature of the Auditor G. Date of the Auditor’s Report H. Auditor’s Address I. Other Issues

4.2 Form and Content of the Auditor’s Report when modified

When the auditor modifies the audit opinion, the auditor uses the heading “Qualified Opinion,” “Adverse Opinion,” or “Disclaimer of Opinion,” as appropriate, for the opinion paragraph.

To modify an auditors report, the auditor needs to include an extra paragraph before the auditor’s opinion that describes the basis for the modified opinion. This paragraph has a heading that is appropriate, for example, “Basis for the Qualified Opinion”.

The paragraph “Basis for modification” includes a description and quantification of the financial effects of the misstatement. If it is not practicable to quantify the financial effects, this is stated in the basis for modification paragraph. If there is a material misstatement of the financial statements that relates to narrative disclosures, the basis for modification paragraph has an explanation of how the disclosures are misstated.

When an auditor reports his or her opinion: “Disclaimer of opinion”, it also includes special text concerning the auditors responsibility.

Different audit opinions: For financial statement with the material misstatement depending on the pervasiveness and the quality of the audit evidence. If there is a material misstatement of the financial statements that relates to the nondisclosure of information required to be disclosed, the auditor: a. Discusses the non-disclosure with those charged with governance; b. In the basis for modification paragraph, describes the nature of the omitted information; and c. Unless prohibited by law or regulation, includes the omitted disclosures, provided it is practicable to do so and the auditor has obtained sufficient appropriate audit evidence about the omitted information. If the modification results from an inability to obtain sufficient appropriate audit evidence, the basis for modification paragraph describes the reasons for that inability.

Opinion paragraph when modified

This subsection illustrates how the auditor’s different opinion is formulated and presented using four examples, depending on the opinion the auditor has formed on basis of the audit evidence. The circumstances of all four examples are based on following two common assumptions: i. Audit of a complete set of general purpose financial statements prepared by management of the entity in accordance with International Financial Reporting Standards. ii. The terms of the audit engagement reflect the description of management’s responsibility for the financial statements as depicted in ISSAI 1210: Agreeing the Terms of Audit Engagements.

Qualified opinion

73 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

When expressing a qualified opinion due to a material misstatement in the financial statements, the auditor states in the opinion paragraph that, in the auditors opinion, except for the effects of the matter(s) described in the Basis for Qualified Opinion paragraph: a. The financial statements present fairly, in all material respects (or give a true and fair view) in accordance with the applicable financial reporting framework when reporting in accordance with a fair presentation framework; or b. The financial statements have been prepared, in all material respects, in accordance with the applicable financial reporting framework when reporting in accordance with a compliance framework.

4.3 Other Reporting Considerations

Up to this point, this chapter has focused on the auditor’s standard report, with and without modifications, in relation to the presentation of the general purpose financial statements in accordance with a financial reporting framework. However, there are a number of other reporting considerations that may be relevant to SAIs. Auditors should consult the respective ISSAIs for further information if circumstances warrant.

Report on Other Legal and Regulatory Requirements

In some jurisdictions, the auditor may have additional responsibilities to report on other matters that are supplementary to the auditor’s responsibility under the ISSAIs to report on the financial statements. For example, the auditor may be asked to report certain matters if those come to the auditor’s attention during the audit of the financial statements. Alternatively, the auditor may be asked to perform and report on additional specified procedures, or to express an opinion on specific matters, such as the adequacy of accounting books and records. Such responsibilities are often given to SAI. Auditing standards in the specific jurisdiction or ISSAIs provide guidance on the auditor’s responsibilities with respect to specific additional reporting responsibilities in that jurisdiction.

In some cases, the relevant law or regulation may require or permit the auditor to report on these other responsibilities within the auditors report on the financial statements. In other cases, the auditor may be required or permitted to report on those in a separate report.

These Other Reporting Responsibilities are addressed in a separate section of the auditors report in order to clearly distinguish them from the auditor’s responsibility under the ISSAIs to report on the financial statements. Where relevant, this section may contain sub-heading(s) that describe(s) the content of the other reporting responsibility paragraph(s).

If the auditor has been given additional reporting responsibilities by law or regulation, consideration must be given to whether sufficient appropriate evidence has been gathered to meet these responsibilities. Auditor also considers whether there is a need to modify his or her opinion in relation to these other responsibilities.

74 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

These considerations affect the section of the auditors report under “Report on Other Legal and Regulatory Requirements” but not the “Opinion” paragraph. The “Opinion” paragraph is used to express the auditor’s opinion on the presentation of the financial statements in accordance with the financial reporting framework.

Because these reporting responsibilities vary among jurisdictions, auditors may refer to their respective SAI mandate and legal provisions for further guidance.

Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Auditor’s Report

Emphasis of Matter:

The auditor may encounter circumstances where he or she considers it necessary to: a. Draw users‟ attention to a matter presented or disclosed in the financial statements that is so important that it is fundamental to users‟ understanding of the financial statements; or b. Draw users‟ attention to any matter that is not presented or disclosed in the financial statements that is relevant to users‟ understanding of the audit, the auditor’s responsibilities or the auditors report. To address the circumstances described above an “Emphasis of Matter” paragraph is included in the auditors report. Such a paragraph is only included if auditor has obtained sufficient appropriate audit evidence that the matter is not materially misstated in the financial statements. In other words, an “Emphasis of Matter” paragraph is not a substitute or addition to matters that require modification of the auditor’s opinion. Such a paragraph shall refer only to information presented or disclosed in the financial statements. If included in the auditors report, an “Emphasis of Matter” paragraph is placed after the opinion paragraph.

An example of how an “Emphasis of Matter” paragraph might be used to highlight a lawsuit that has been properly disclosed in the financial statements:

Illustration: Emphasis of Matter We draw attention to Note X to the financial statements which describe the uncertainty related to the outcome of the lawsuit filed against the company by XYZ Company. Our opinion is not qualified in respect of this matter.

In some cases the auditor considers it necessary to communicate a matter other than those that are presented or disclosed in the financial statements that is relevant to users‟ understanding of the audit, auditor’s responsibilities or the auditors report. The auditor communicates these matters in a paragraph in the auditors report, with the heading “Other Matter,” or other appropriate heading. The auditor includes this paragraph immediately after the “Opinion” paragraph and any “Emphasis of matter” paragraph, or elsewhere in the auditors report if the content of the “Other matter” paragraph is relevant to the “Other Reporting Responsibilities” section.

An example of an “Other Matter” paragraph is provided below.

Illustration: Other Matter The audit found fundamental deficiencies in the asset management process of the entity including: • An incomplete asset register • No year- end reconciliation between recorded and physical assets

75 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

• Poor controls over the safeguarding of assets

Comparative information – The amounts and disclosures included in the financial statements in respect of one or more prior periods in accordance with the applicable financial reporting framework.

Corresponding figures – Comparative information where amounts and other disclosures for the prior period are included as an integral part of the current period financial statements. These are intended to be read only in relation to the amounts and other disclosures relating to the current period which referred to as “current period figures. The level of detail presented in the corresponding amounts and disclosures is dictated primarily by its relevance to the current period figures.

Comparative financial statements – Comparative information where amounts and other disclosures for the prior period are included for comparison with the financial statements of the current period but, if audited, are referred to in the auditor’s opinion. The level of information included in those comparative financial statements is comparable with that of the financial statements of the current period.

Financial statements prepared following International Financial Reporting Standards (IFRS) have corresponding figures. However, the nature of the comparative information that is presented in an entity’s financial statements can vary depending on the requirements of the applicable financial reporting framework.

There are two different approaches to the auditors reporting responsibilities in respect of such comparative information: corresponding figures and comparative financial statements. The approach to be adopted is often specified by law or regulation but may also be specified in the terms of engagement.

The audit reporting differences between the two approaches are: a. For corresponding figures, the auditor’s opinion on the financial statements refers to the current period only; whereas b. For comparative financial statements, the auditor’s opinion refers to each period for which financial statements are presented.

Auditors should be aware of the approach required by the financial reporting framework used by the entity being audited. ISSAI 1710 (Comparative Information – Corresponding Figure and Comparative Financial Statements) provides guidance on the auditors responsibility relating to comparative information when auditing financial statements.

The Auditor’s Responsibilities Relating to Other Information in Documents Containing Audited Financial Statements

Other information – Either by law, regulation or custom, financial and non-financial information (other than the financial statements and the auditors report thereon) which is included in a document containing audited financial statements and the auditors report. Usually the documents containing the audited financial statements are annual reports that are issued to stakeholders. SAIs may adapt this guidance necessary in the circumstances, to other documents containing audited financial statements.

76 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

It may be mentioned that the auditor’s responsibilities extend beyond issuing the auditors report on the financial statements.

The auditor is required to analyze the other information described in the preceding paragraph. This is done as soon as possible, preferably before the other information is released. Under the ISSAIs, the auditor’s opinion does not cover other information and the auditor has no specific responsibility for determining whether or not other information is properly stated. However, the auditor analyzes the other information because the credibility of the audited financial statements may be undermined by material inconsistencies between the audited financial statements and other information.

If the auditor identifies a material inconsistency between unaudited information and the audited financial statements, the auditor determines whether the audited financial statements or the other information needs to be revised. ISSAI 1710 (Comparative Information – Corresponding Figures and Comparative Financial Statements) provides guidance on the auditors responsibility relating to other information containing audited financial statements.

Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks

ISSAIs 1000 –1700 series apply to an audit of financial statements. However, special considerations are given to applying those ISSAIs to an audit of financial statements prepared in accordance with a special purpose framework. SAIs may encounter financial statements prepared on the basis of special purpose frameworks. The considerations discussed below do not override other auditing standards – they provide additional guidance that may not cover all considerations related to a special purpose framework.

Key considerations when auditing financial statements prepared using special purpose frameworks are:

a. The auditor determines the acceptability of the financial reporting framework in the circumstances. To do so, the auditor obtains an understanding of the purpose for which the financial statements are prepared, the intended users, and the steps taken by management to determine that the applicable financial reporting framework is acceptable in the circumstances.

b. In planning and performing an audit of special purpose financial statements, the auditor determines whether application of the ISSAIs requires special consideration in the circumstances of the engagement.

c. When planning the audit, the auditor must obtain an understanding of the entity’s selection and application of accounting policies. If the financial statements are prepared based on a contract or other governing document, the auditor must obtain an understanding of any significant interpretations made by management when preparing the financial statements.

d. The auditor evaluates whether the financial statements adequately refer to or describe the applicable financial reporting framework. In the case of financial statements prepared in accordance with the provisions of a contract, the auditor shall evaluate whether the financial statements

77 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

adequately describe any significant interpretations of the contract on which the financial statements are based. e. In the case of an auditors report on special purpose financial statements: i. The auditors report also describes the purpose for which the financial statements are prepared and, if necessary, the intended users, or refers to a note in the special purpose financial statements that contains that information; and ii. If management has a choice of financial reporting frameworks in the preparation of such financial statements, the explanation of management’s responsibility for the financial statements shall also make reference to its responsibility for determining that the applicable financial reporting framework is acceptable in the circumstances.

f. The auditors report on special purpose financial statements shall include an “Emphasis of matter” paragraph alerting users of the auditors report that the financial statements are prepared in accordance with a special purpose framework. As a result, the financial statements may not be suitable for another purpose. The auditor includes this paragraph under an appropriate heading. ISSAI 1800 (Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks) provides guidance on auditing financial statements prepared using a special purpose framework.

Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement

On occasions, SAIs are required to give auditors reports on a single financial statement or of a specific element, account or item of a financial statement. The single financial statement or the specific element, account or item of a financial statement may be prepared in accordance with a general or special purpose framework. If prepared in accordance with a special purpose framework ISSAI 1800 (Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks) also applies to the audit.

ISSAI 1805 (Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement) deals with special considerations in the application of the ISSAIs (100 to 1700 series) to an audit of a single financial statement or of a specific element, account or item of a financial statement. This ISSAI does not override the requirements of the other ISSAIs; nor does it necessarily deal with all special considerations that may be relevant in the circumstances of the engagement. ISSAI 1805 provides guidance to an auditor when applying ISSAIs in an audit of a single financial statement or of a specific element, account or item of a financial statement, in addressing appropriately the special considerations that are relevant to: a. The acceptance of the engagement; b. The planning and performance of that engagement; and c. Forming an opinion and reporting on the single financial statement or on the specific element, account or item of a financial statement.

Engagements to Report on Summary Financial Statements

78 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

Occasionally SAIs may be required to provide an auditors report on summary financial statements derived from financial statements that have already been audited. ISSAI 1810 (Engagement to Report on Summary Financial Statements) provides guidance when required to provide such a report.

Conclusion

In this chapter we have covered the evaluation of misstatements accumulated during the audit and impact of uncorrected misstatement in the financial statement. On the basis of an evaluation of the accumulated misstatement and the performance materiality with the overall materiality, auditor forms an opinion which is embedded in the auditors report. These evaluations will lead to preparation of auditors report with an opinion on the financial statement.

With this we have completed the level 4 ISSAI guidance on financial audit. At this stage you are required to complete the status of level 2 ISSAIs in your SAI. After completing the level 2 requirements, and based on the results of the iCAT at level 4 you will write the ISSAI compliance assessment report which is discussed in the next chapter.

79 Chapter 6: Conclusion and reporting Page

iCAT: Financial Audit

Chapter 7

Writing the ISSAI compliance Assessment Report

The end product of an iCAT is an ISSAI Compliance Assessment Report that the iCAT team prepares and presents to the SAI top Management. The report is based on the iCAT format filled by the iCAT team and all the information that the team has collected from various sources while conducting the iCAT.

This report aims to present a comprehensive picture of the state of matters in the SAI in relation to the requirements of level 2 and Level 4 ISSAIs. The report will also bring out the SAI level and individual audit level issues in implementing the framework. The report is envisaged to provide SAI management with the necessary information to decide on the ISSAI Implementation Strategy.

Before writing the ISSAI Compliance Assessment Report, the iCAT team needs to complete the following two procedures:

1. Findings from the iCAT at Level 4 need to be categorized in terms of the stages of the audit 2. For each stage of the audit the issues should be grouped on the common causes as identified from Level 2.

In earlier part of the chapter we have ascertained the status of Level 2 requirements and linked that with Level 4 compliance findings. The ISSAI Compliance Assessment report will highlight this issue as well. By doing this the iCAT team will be able to identify main compliance issues that the SAI needs to focus at the strategic level.

Format of the ISSAI Compliance Assessment Report

The following format is recommended for writing the ISSAI Compliance Assessment Report:

STRUCTURE OF THE ISSAI COMPLIANCE ASSESSMENT REPORT

1. Executive Summary highlighting the key messages from the iCAT.

2. Introduction – Purpose, scope and timing of the iCAT

Why the SAI took up the iCAT, does the iCAT cover Level 2 and all Level 4 requirements (Financial, Performance and Compliance audit) or has the SAI chosen to conduct the iCAT for Level 2 and only one audit stream. The time period of conducting the iCAT.

3. About the SAI 3.1 Description of the environment that the SAI operates in 3.2 Description of the SAI’s legal and institutional framework and organizational structure

3. Description of the iCAT process • iCAT team • Data gathering process • Quality control mechanism used

4. SAI Compliance Status on Level 2 ISSAI Requirements

80 Chapter 7: Writing ISSAI compliance assessment report Page

iCAT: Financial Audit

(Category wise description of the status, mechanisms of compliance and reasons for non compliance)

Also describe significant ongoing initiatives for ISSAI Implementation

5. SAI Compliance Status on Level 4 ISSAI Requirements (Financial, Performance, Compliance Audit)

(Category wise description of the status, mechanisms of compliance and reasons for non compliance)

Also describe significant ongoing initiatives for ISSAI Implementation

The causes of Level 4 deficiencies should relate to items listed in Level 2. E.g. If planning is not properly done (Level 4), it could be linked to non-compliance with Level 2 requirements.

6. Description of Strategic ISSAI Implementation Issues

Overall SAI Level and Individual Audit Level compliance gaps and reasons

7. Response of SAI Top Management

Signatures of the iCAT team

Annex 1: ISSAI Requirements Level 2 Annex 2: iCAT Format Level 4 Annexe 3 : Data gathering tools used for collecting information

Guiding principles in writing ISSAI Compliance Assessment Report

Highlight key messages –

As the report is meant for the top management of a SAI, key messages from the iCAT should be highlighted in the executive summary, so that the SAI management can get a good overview of the status of compliance and the issues that need to be sorted out in areas where the SAI does not comply.

Involve the entire team in developing the report –

At the end of the iCAT process the team would have gathered a lot of information about different requirements. As compliance issues are interrelated, the iCAT team needs to work together to determine the categorisation of the issues and their causes.

Distinguish between high impact institutional issues and operational issues –

When the iCAT team reports on compliance status of the SAI, it should distinguish between compliance gaps that are central to the audit practice and compliance gaps that are more at the procedure level than at an institutional level. In order to become ISSAI compliant it is the institutional issues at level 2 that need to be addressed. The iCAT team would also find that the compliance gaps observed at the level of the audit practice at level 4 have their roots in institutional level issues at level 2 of the ISSAI framework.

81 Chapter 7: Writing ISSAI compliance assessment report Page

iCAT: Financial Audit

After ascertaining the status on level 2 requirements these would be highlighted in the report for the SAI top management.

Ensure that the causes are correctly identified –

The strategy for implementation will be based on the identified causes of the compliance gaps. As such it is important for the iCAT team to highlight the right causes. E.g. in some cases non implementation of an ISSAI compliant practice may not be due to knowledge and skills gap but be a management issue.

4. Conclusion

In this chapter we have identified status of level 2 requirements and the linkage between the Level 2 ISSAIs and the Level 4 ISSAIs. In preparing the ISSAI Compliance Assessment Report which is the end product of the iCAT we also considered how the two Levels of ISSAI are interrelated. The report highlights the strategic issues at level 2 that would be considered to address the issues of non- compliance at level 4.

82 Chapter 7: Writing ISSAI compliance assessment report Page