Back

Appendix - ‘B’

Quality Control in the Audit Process (Quality in the Audit Process Volume I & Guidelines on Audit Quality - Report to SAIs of Central & Eastern European Countries, Cyprus, Malta, Turkey and the European Court of Auditors)

1.      Supreme Audit Institution (SAI) should seek to carry out its audit work at a consistently high level of quality in the following dimensions:

• Significance and value of matters addressed in its audits;

• Objectiveness and fairness in the basis of assessments made and opinions given;

• Scope and completeness in the planning and performance of audits carried out;
• Reliability and validity of the opinions, or findings and conclusions, appropriateness of the recommendations and relevance of other matters presented in its audit reports and other products;
• Timeliness of the issue of audit reports and other products in relation to statutory deadlines and the needs of anticipated users;
• Clarity in the presentation of audit reports and other products;
• Efficiency in the performance of audits and audit-related work; and
• Effectiveness in terms of results and impacts achieved.

2.      In pursuit of this goal, an SAI should establish policies, systems and procedures that will encourage actions leading to high quality and discourage or prevent actions that might impair quality. These quality controls should be developed and implemented with respect to all phases of the audit process, including: 

• Selecting matters for audit;
• Deciding the timing of the audit;
• Planning the audit;
• Executing the audit;
• Reporting the audit results; and
• Follow-up and evaluation of audit findings, conclusions and recommendations.

3.    Quality control consists of all measures and procedures carried out within the audit process to guarantee the quality of audit work and of the resulting report. Quality control in the audit process provides reasonable assurance that the audit has examined significant matters and that the results of the audit, contained in the audit report, are an accurate reflection, in all material respects, of the true conditions of the matters under consideration.

4.    SAIs need to establish procedures to control the quality of individual audits undertaken by an SAI. However, because of the diversity in form and structure of SAIs as well as the different types of audits they perform, there is no single set of detailed procedures that will accomplish the goal of quality in all circumstances. Nevertheless, there are attributes that are applicable to all SAIs and to all audits. Among these are the characteristics of quality and the phases of the audit process.

5.    SAIs need to pay special attention to the problems and potential advantages of computerisation. Auditing requires special skills when the auditee operates in a computerised environment. At the same time, computerised audit tools and programmes – when properly employed – can greatly increase the efficiency of the audit process.

6.    An automated quality control system should incorporate a strictly defined set of authorisation and approved criteria, as well as features that ensure that standard documents and checklists are used and compiled in all cases. The principles of quality control remain intrinsically the same as those in a non-automated audit process.

7.    The quality controls needed in each phase of the audit process – planning, execution and reporting of audits - are dealt with in the following text. SAI should ensure that all the three phases of the audit are carried out in terms of the SAI’s rules, practices and procedures.

Quality in planning

8.    Within the context of this appendix, planning refers to the detailed audit plans and subsequent audit programmes. No reference is being made to the macro level of planning that an SAI may carry out.

9.    The preparation of an audit plan should take into account risk and materiality based on an understanding of the audited entity and its business. The plan should set out how and when the audit will be conducted and how sufficient and appropriate evidence is obtained in order to enable to conclusions to be drawn and support the audit opinion.

10.    Typical contents of an audit task plan (European Implementing Guidelines for the INTOSAI Auditing Standards – No. 11 Audit Planning, Annex 1, Appendix 2.)

1. Legal framework for the audit
2. Brief description of the activity, programme or body to be audited (including a summary of the results of previous audits and their impacts)
3. Reasons for the audit;
4. Factors affecting the audit, including those determining the materiality of the matters to be considered;
5. Risk assessment;
6. Audit objectives;
7. Audit scope and approach: what evidence is to be obtained to meet the audit objectives; when; how?
8. Materiality thresholds;
9. Systems to be evaluated and tested;
10. Sampling strategies;
11. Anticipated sample sizes;
12. planning for methodologies;
13. Resources required, and when;
14. Audit staff (in detail), responsibilities;
15. Specialist staff (who and when);
16. External experts;
17. Travel arrangements;
18. Time and cost budgets;
19. If appropriate, an estimate of the fee to be charged for the audit;
20. Details of those within the audited entity responsible for liaison;
21. Timetable for the audit, and date that draft report will be available for internal consideration; and
22. Form, content and users of final output.

11.    Requisites and measures to ensure quality control

The audit plan is divided into a number of detailed tasks, which are assigned to individual team members. To ensure quality control during the planning process, measures could include direction, supervision and review procedures to ensure that the audit task referred to above is adequately carried out.

12.    Possible Checklist:

• Ensuring that planning is carried out in accordance with auditing policies, standards, manuals, guidelines and practices of SAI.
• Obtaining relevant information regarding laws and regulations that might have a significant impact on the audit objectives;
• Preliminary investigative audit (an audit that aims at conducting an initial study of specific issues to help prepare an audit task plan);
• Determining objectives and scope of audit;
• Identification of sources (e.g. media, findings of audited entity’s internal audit, inspection and other control bodies) as background for audits;
• Determining list of activities for audit;
• Highlighting of special problems foreseen when planning the audit;
• Ensuring that members of audit team have a clear and consistent understanding of the audit plan;
• Follow-up is made of issues in previous related audit;
• Understanding the finance, accounting and other relevant functions of the organisation;
• Identification of key elements of internal control system of auditee;
• Using appropriate analytical procedures;
• Identification and analysis of relevant ratios and comparative figures;
• Identification of trends or deviations from predicted amounts;
• Identification of sampling method and sampling population;
• Choice of relevant performance indicators;
• Assessment of inherent and controls risks;
• Establishment of materiality criteria and thresholds;
• Establishment of degree of confidence decided for audit;
• Choice of appropriate experts/consultants;
• Preparation of budget and schedule for audit;
• Assessment of reasonable resources necessary to undertake audit;
• Assessment of staff requirements and team allocated for audit;
• Investigation and settlement of queries raised during review stage;
• Drawing up, approval, review of audit programme by Head of Division;
• Checklists used in the process of (a) drawing up, (b) issuing an opinion about, (c) approving an audit task plan;
• Other procedures and practices used in the planning phase of an audit;
• Practices to continuously enhance quality control procedures in the planning phase of audit.

Quality in Execution

13.    The field work has to be performed in accordance with the approved audit plans and should result in sufficient appropriate evidence being obtained to determine with reasonable confidence whether or not financial statements are free from material misstatements and irregularity or that facts relating to VFM/performance audits are scientifically and/or fairly arrived at.

14.    The following methodologies and practices are used in the execution of audits: (European Implementing Guidelines for the INTOSAI Auditing Standards)

i. Sources: Methods and Nature of the reliability and evaluation of audit evidence include

Sources:

Generated by auditor directly
Obtained by third party
Obtained from auditee

Methods:

Inspection
Observation
Inquiry and Confirmation
Computation
Analysis of financial systems

Nature:

Documentary, visual or oral (the reliability of oral evidence, in particular, depends upon the source)

ii. Audit approach includes

Objectives

Regularity (financial and compliance)
Performance or value for money (economic, effective, efficient)

Testing

Systems Based Approach (testing of internal controls)
Direct Substantive Testing

iii. Study and examination of internal controls and tests of control

iv. Information Systems

General Installation Controls

Planning, staffing, reporting and segregation of duties
Security awareness and policy of both hardware and software
Continuity and disaster recovery
Management of IT assets and use of external service providers

Application Audits

Organisation and Documentation
Input
Processing
Data Transmission
Standing Data
Output

v. Audit Sampling

vi. Analytical Procedures

Trend Analysis
Ratio
Analysis

vii. Using the work of other auditors and experts

viii. Documentation :

This is particularly important for supervision, review and quality assurance. Working papers – current and permanent files; confidentiality; retention procedures.

ix. Performance Audit Methodology

Data Gathering Techniques

File examination
Audit sampling
Secondary analysis/literature search
Surveys
Interviews
Focus Groups
Benchmarking

Techniques for Information Analysis

Programme Logic Model
Descriptive Statistics to understand data distribution
Regression analysis
Cost-benefit analysis
Cost-effectiveness
Meta evaluation

Requisites and measures to ensure quality control in execution/field work

15.    The field work, which would have been appropriately planned during the planning stage, should be assigned to individual team members. To ensure quality control during the execution/fieldwork process, measures could include direction, supervision and review procedures to ensure that team members understand their assigned tasks and that the chosen audit methodologies are adequately carried out.

16.    Possible checklist

• Execution of audit is carried out in accordance with auditing policies, standards, manuals, guidelines and practices of SAI;
• Audit examiners have a sound understanding of techniques and procedures such as inspection, observation, enquiry, etc. to collect audit evidence;
• All phases of audit have been carried out as planned and approved;
• Valid explanations are available for non-implementation of any phases of audit
• Appropriate approval exists for significant deviations that have taken place from approved audit;
• Staff resources used for audit are largely in line with those planned in terms of time, grade of staff and expenses entailed;
• Justification for material deviations for budgeted staff resources;
• Appropriate audit techniques and audit procedures used to fulfil each audit objective in order to provide for effective audit evidence
• Use of Computer Assisted Aids, Techniques and Tools CAATTs);
• All envisaged tests for evaluation and reliability of internal controls are used;
• Appropriate analytical procedures are used and the reliability, independence and quality of relevant supporting data is assessed;
• Sampling methods are used according to SAI’s manuals;
• All tests of transactions clearly indicate audit objectives, adequately explain nature and extent of audit work and provide an overall conclusion as to results of audit work;
• Audit steps and procedures have been designed to obtain sufficient, competent and relevant evidence;
• Full investigation is made of all queries during audit;
• Existence of adequate working papers in respect of:
  • Evaluation of internal controls systems
  • Audit of routine procedures
  • Tests of controls
  • Analytical review
  • Substantive tests;
  • Audit of computer-based applications.
• Working papers are appropriate cross-referenced;
• Audit completion checklists are comprehensive and have been completed, approved and duly evidenced;
• Work of consultants and other experts has been properly monitored;
• Other procedures and practices used in the execution phase of an audit; and
• Practices to continuously enhance procedures in the execution phase of audit.

Quality in Reporting

Typical methodologies for carrying out audit tasks

17.    Reports both for regularity and VFM audits should be in standard format. In terms of European Implementation Guidelines (Annexe 1 of No. 31), the auditor must have specific regard to the following aspects of the report:

• Title
• Signature and date
• Objectives and scope
• Completeness
• Addressee
• Identification of subject matters
• Legal basis
• Compliance with standards
• Timeliness

18.    Audit Reports on specific financial statements contain an Unqualified Opinion (Clean Report), if no material shortcomings are detected and the Financial Statements “Properly Represent” (for Accounts on Cash-Based System) or “True and Fair View” (for Accounts on Accrual Based System). If an unusual or important matter (“Emphasis of Matter”) needs to be included in the Audit Report to enable the reader to correctly understand the Financial Statements, this should be contained in a separate paragraph from the Audit Opinion in order not to give the impression that the Audit Report is not qualified.

19.    If the Audit Report expresses a Qualified Opinion, the Financial Statements are unusually qualified in one of the following ways:

• Qualified Opinion (if the auditor disagrees or expresses uncertainty with one or more items in Financial Statements which are material but not fundamental in understanding the Financial Statements)
• Adverse Opinion (if the auditor is unable to form an opinion on the Financial Statements as a whole due to disagreement that is material and fundamental; and
• Disclaimer of Opinion if the auditor is unable to arrive at an opinion on the Financial Statements as a whole due to uncertainty or scope restriction that is material and fundamental).

20.    VFM Reports normally include the following elements (7.2 of No. 41 of European Implementing Guidelines):

• Summary of the environment within which the activity subject to audit takes place;
• Objectives of the audit;
• Summary of audit methodologies used for collecting and analyzing data and indication of sources of data;
• Explanation of criteria, such as benchmarks, used to interpret findings;
• Conclusions relating to audit objectives; and
• Recommendations.

21.    Management of the audited body should also be given the opportunity to comment on the draft report and have its comments included, where deemed appropriate.

22.    The Audit Opinion (Conclusions and Recommendations) in VFM Reports presents all significant instances of non-compliance and criticisms that are pertinent to the objectives of the audit and/or provides independent information on whether economy, efficiency and effectiveness have been achieved or how they can be improved.

Requisites and measures to ensure quality control in Reporting

23.    The reporting function should be appropriately taken into account in the planning stage and project management of an audit. This function should be mainly assigned to the audit team leader, together with the Audit Director. Quality control measures during the reporting phase include direction, supervision and review procedures to ensure that the contents of the audit reports are properly prepared in terms of SAI legislation, practices and procedures and that the elements that ensure a good quality report, mentioned under ‘Typical Contents of an Audit Report’, are taken into account.

24.    Possible checklist

• Reporting is carried out in accordance with the auditing policies, standards, manuals, guidelines and practices of SAI
• Performances of overall review of financial statements or activity being audited;
• Form and content of reports are in accordance with the established procedures ( e.g. title, signature and date, objectives and scope, completeness, addressee, identification of subject matters, legal basis, compliance with standards, timeliness)
• Terminology used in report can be easily understood by persons to who report is presented and technical terms are fully explained
• All audit findings have been evaluated in terms of materiality, errors and other irregularities
• All errors, deficiencies and unusual matters have been properly identified, documented and satisfactorily resolved or brought to attention of senior SAI officer
• Final audit reports cover all areas of objectives of audit activity and explanations are obtained for omissions
• Observations and conclusions in report are supported and well documented to ensure completeness, accuracy and validity of working papers
• All evaluations and conclusions are soundly based and supported by competent, relevant and reasonable audit evidence
• Only sufficiently material audit findings are included in the main audit report
• Report is timely, comprehensive, performed by suitably qualified staff, appropriately documented and adequately incorporates the audit opinion
• Letters of weakness/queries/Management letters are submitted to auditee in due time
• Receipt of relevant and timely replies to SAI reports and other correspondence is ensured
• Replies are carefully studied
• All observations contested by auditee are duly evaluated
• Material relevant comments are included in the audit report
• Relevant significant events occurring following completion of audit are taken into account in the final audit report
• All significant frauds or other irregularities are notified to appropriate authorities
• Audit files have been updated to take into account results of audit
• Material items requiring subsequent follow-up by SAI have been duly identified, recorded and taken into account
• Procedures to evaluate effectiveness of quality control arrangements

25.    These procedures need not – should not – curb the initiative and good judgment of the auditor in adapting to particular circumstances. The judgment depends upon the audit task in hand, problems encountered that need to be addressed immediately, as well as, most importantly, to the degree of direction, supervision and/or review, that is required on the auditors. The degree of professional judgment also depends upon the auditor’s competence, expertise, professional qualifications, aptitude and level in the hierarchy.

26.    The SAI’s general quality control policies and procedures should be communicated to its personnel in a manner that provides reasonable assurance that the policies are understood and implemented. Quality control requires a clear understanding of where responsibility lies for particular decisions.

27.    Quality control processes should be carried out in a prescribed way and be documented.

28.    The Appendices B (i) and B (ii) (Guidelines on Audit Quality – Report of the SAIs of the Central & Eastern European Countries, Cyprus, Malta, Turkey & the European Court of Auditors) give more detailed information on quality controls for the audits of financial statements issued by the International Federation of Accountants (IFAC); Appendix B (iii) brings out implementation guidelines for performance audit issued by INTOSAI.