This element of AQMS of audit planning along with its sub-elements is explained in the following flow diagram:
The sub-elements are discussed in subsequent sections.
4.1 This section contains the procedure involved and approach followed in planning audits, both performance and regularity. Adequate planning of the audit helps in ensuring that all significant entities and programmes, which are vulnerable to risks, are covered, available resources are optimally utilized for conducting the audits and the work is completed expeditiously. Operational planning of the individual audits is the most critical process for securing a high standard of audit. A good audit planning will ensure a focussed field work by the audit team and also facilitate monitoring and review of the progress of audit by senior audit functionaries.
4.2 While the primary objective of regularity (financial) audit is an expression of an opinion on the financial statements involving examination of and evaluation of financial records, regularity (compliance) audit or transaction audit is primarily concerned with compliance with laws and regulations and with the probity and propriety of administrative decisions taken within the audited entity. In performance auditing, on the other hand, objectives are usually expressed in terms of questions about performance i.e. achievement of economy, efficiency and effectiveness of an entity/programme/activity under audit.
INTOSAI Auditing Standards
4.3 The field standards for planning enshrined in the INTOSAI Auditing Standards (INTOSAI Auditing Standards, p.51 & 52) state:
‘The Auditor should plan the audit in a manner which ensures that an audit of high quality is carried out in an economic, efficient and effective way and in a timely manner'.
4.4 In planning an audit, the auditor should:
Audit Objectives, Scope and Methodology
4.5 In planning the audit, the most important process is defining the audit objectives. The objectives are what the audit is intended to accomplish. The scope of the audit is linked to the audit objectives and the SAI should design the methodology in such a fashion as to provide sufficient, competent and relevant evidence to achieve the objectives of the audit
4.6 The following steps are important in planning for financial audit:
Preparation of Annual Audit plan
4.7 The audit team should determine the appropriate materiality level, carry out risk assessment, determine the most appropriate audit approach and prepare the necessary planning document for the financial audit.
4.8 The important aspects in planning the individual performance audits are: collection of and research on the data and information relating to the subject, scope of audit, preliminary survey and pilot study, setting the audit objectives and criteria, assessment of skill and knowledge required for the conduct of the performance audit and those available internally, defining the gap in the requirement and its availability in-house, plan for bridging the gap through expert advice, assignment of the personnel and other resources and finalising the guidelines along with the audit programme, etc.
4.9 Risk analysis is an important tool for audit planning. A risk analysis should be carried out with reference to the various parameters of the entity, programme or the subject after a careful study of all relevant documents mentioned above. A good risk perception to the programme or entity’s performance will facilitate determining the audit thrust areas, audit objectives and setting the most appropriate audit criteria. It will also assist in selection of appropriate sampling techniques for the units to be audited and for the selection of vouchers/information/data.
4.10 Audit should be risk-based or focused on areas of greatest risk to the achievement of the audited entity’s objectives. Risk-based audit is an approach to audit that analyzes audit risks, sets materiality thresholds based on audit risk analysis and develops audit programmes that allocate a larger portion of audit resources to high-risk areas. Risk based audit may be applied both for financial and performance audits. The issues of risk-based audit, audit risk analysis, materiality, etc. are given in greater detail in Appendix –C
4.11 The first step in planning the individual performance audit is to develop a sound understanding of the subject of audit. Such understanding will help in identifying the key audit issues.
4.12 In performance audits, there is a need to appreciate the entity environment, legislation, rules and regulations applicable to the audited entity, organisation structure and delineation of duties and responsibilities within it, work and information flow, internal control mechanism and accountability relationships, etc.
4.13 In the performance audit planning process, determining audit criteria is a crucial step. Performance audit can proceed only after the audit objectives and audit criteria have been set.
4.14 Audit criteria are reasonable and attainable standards of performance against which economy, efficiency and effectiveness of programmes and activities can be assessed. They reflect a normative (i.e., desirable) control model for the subject matter under audit. They represent good practice - a reasonable and informed person’s expectation of ‘what should be’. When criteria are compared with what actually exists (what is), audit findings are generated.
4.15 Some of the characteristics of good criteria are reliability, objectivity, usefulness, understandability, comparability, completeness and acceptability.
4.16 Data base and knowledge repositories on audit and audited entity are the foundation of audit planning as this helps in assessing risk and materiality. Well-built database and portfolio files on audited entities and all audit related information provide proper direction and thrust to audit. SAI may ensure that the building up an electronic database and knowledge repositories is made a special component of the annual audit plan. The electronic database on auditee profile may contain:
4.17 Some of the information can be culled from Internet, newspapers, magazines, past audit files and by issuing questionnaires to the audited units, etc. Other possible sources are: press releases about the entity or the project/scheme, key economic indicators, industry journals, discussions with management and specialists, etc. The database may be revised at regular intervals. A dedicated unit would be normally required for this function.
4.18 Investigative audit focuses on risks to securing financial objectives. Investigative audit is a security net to address those risks. Investigative audit tends to concentrate on the standards of financial management, implementation of internal control regimes and electronic service delivery. Investigative audit is a valuable part of the audit toolkit, because it focuses on the risks that threaten achievement, and whether those risks have matured.
4.19 Investigative audit that focuses on the risks of fraud and corruption may also be referred to as forensic audit. Such audits examine how systems can be reinforced for fraud prevention and detection. Forensic audit is appropriate where there is a risk of fraudulent claims for expenditure, fraudulent provision of services to an organisation or fraud and evasion of revenue payments. SAI may need to develop necessary policy guidelines, including an appropriate risk assessment model, for forensic audit.
4.20 The quality assurance of the planning of the individual audit can be achieved through:
4.21 While conducting audit quality assurance review of the planning process, it should be seen whether the planning process was:
4.22 Audit work can only be done effectively when audit personnel are competent and dedicated to their assigned tasks. A successful audit engagement largely depends on the professionalism of the people tasked to perform the job. This requirement has put serious attention to the process of staffing the audit functions. Every audit engagement is a coordinated effort by a group of auditors working together to produce the desired results.
4.23 The knowledge, abilities, and skills of auditors are significant elements in the completion of efficient and relevant audit assignments. Equally important is the proper development and training of the audit workforce to enable them to maximize their talents and potentials. The audit teams should have collective knowledge of their subject matter and auditing proficiency necessary to fulfil the requirements of the audit.
4.24 “The SAI should adopt policies and procedures to support the skills and experience available within the SAI and identify those skills which are absent; provide a good distribution of skills to auditing tasks and a sufficient number of persons for the audit; and have proper planning and supervision to achieve its goals at the required level of due care and concern.
4.25 Resources required to undertake each audit need to be assessed so that suitably skilled staff may be assigned to the work and a control placed on staff resources to be applied to the audit.
4.26 The extent to which academic attainments should be related specifically to the audit task varies with the type of auditing undertaken. It is not necessary that each auditor possesses competence in all aspects of the audit mandate. However, policies and procedures governing the assignment of personnel to audit tasks should aim at deploying personnel who have the auditing skills required by the nature of the audit task so that the team involved on a particular audit collectively possesses the necessary skills and expertise.”
4.27 Successful audit teams will have the following characteristics:
4.28 The audit team should identify at an early stage in the planning process if specialized or technical skills, required to complete the audits, are not available with the audit team. The early identification will allow the necessary lead time to acquire suitable staff from within the office or seek experts outside.
4.29 In the context of both performance and financial audits, the audit team should have:
4.30 The audit team should have the benefit of drawing services of subject matter experts and other knowledgeable groups or individuals available within the organisation, where it may be necessary to obtain expert advice, particularly when the audit team lacks the necessary specialized knowledge. If skills are not available internally, SAI may take a decision to hire the services of an outside expert.
4.31 Using the profiles of auditors and the schedule of audit engagement, the staff should be identified based on the needed competence, knowledge and skills in the audit work to be engaged in and the audit work assigned. The role of each member of the audit should be clearly defined. The following factors should be taken into consideration in making assignments of individuals:
4.32 Independence from the audited entity and other outside interest groups is indispensable for auditors. Independence requires that the SAI and members of the audit team be free of any hindrances to their independence that could impair their impartiality in carrying out their work, making judgments, forming opinions and conclusions or making recommendations. Auditors should strive not only to be independent of audited entities and other interested groups, but also to be objective in dealing with the issues and topics under review
4.33 Auditors should not disclose information obtained in the auditing process to third parties, either orally or in writing, except for the purpose of meeting the SAI’s statutory or other identified responsibilities as part of the SAI’s normal procedures or in accordance with relevant laws.
4.34 Integrity is the core value of a ‘Code of Ethics’. Auditors have a duty to adhere to high standards of behavior (e.g. honesty and candidness) in the course of their work and their relationships with the staff of the audited entities. An SAI should develop and promulgate to its staff a Code of Professional Ethics that is applicable to the institution and to its employees. This Code would help instill in the organisation a culture of professional ethics in audit work that is conducive to quality in the audit product. Matters commonly discussed in an SAI Code of Ethics relate to Trust, Confidentiality, Credibility; Integrity; Independence, Objectivity, Impartiality, Political Neutrality; Conflicts of Interest; Professional Secrecy; Competence; and Professional Development (reference INTOSAI Code of Ethics).
4.35 Due care requires the auditors to carry out their audit work diligently, conscientiously and with proper rigour. It requires that the audit work be performed in accordance with auditing standards and SAI policy instructions. Due care also requires that those supervising and reviewing the audit work exercise similar vigilance.
4.36 Information technology (IT) is being increasingly used within government entities in planning, execution and monitoring of operations and is also now a key component of government entities business strategic and core business processing activities. IT is being increasingly used as an important audit tool for improving audit quality.
4.37 The value of good IT systems is that they can be an efficient and effective programme delivery mechanism, provide a range of additional services with greater efficiency, security and control and at a cheaper cost than are available from manual systems. However, there are an increasingly range of IT vulnerabilities and the IT systems also have the potential to result in major systemic errors. As a consequence, the confidentiality, integrity, availability and reliability and reliability of computerized data and of the systems that process, maintain and report these data are a major concern to audit. IT auditors evaluate the effectiveness and efficiency of IT controls in information systems and related operations to ensure they are operating as intended.
4.38 The approach towards auditing in an IT environment should involve the following inter-related processes:
4.39 Computer Assisted Audit Techniques and Tools are computer-based tools and techniques which permit auditors to increase their productivity as well that of the audit function in gathering audit evidence by exploiting the power and speed of computer. CAATTs have the ability to improve the range and quality of audit. CAATTs can be used for both sampling of system transaction data and for testing the system as a whole. CAATTs tools can be developed to:
4.40 CAATTs can be split into two discreet areas of operation namely to validate programmes/systems and to analyse data files. CAATTs used to analyse data files are primarily used on data files. Of course, results of data analysis can indirectly help the auditor to reach conclusions regarding the quality of programmes.
4.41 File interrogation software – involves various test performed on a data file by using Structured Query Language (SQL) statements, writing programmes specific to the system being audited or by using generalized audit software. With resource constraints, it may not often be feasible to develop specific programmes for every system that will extract, manipulate and report data required for audit purposes. For this reason, generalized audit software has been developed that is capable of handling a wide variety of different systems. The generalized audit software is a powerful tool that can add tremendously to the auditor’s efficiency with minimum IT-skill requirement. In addition, specialized audit software packages are available that are oriented towards a specific industry in which an auditor works.
4.42 Information Technology has opened up new opportunities for standardizing and upgrading audit procedures. Appendix-‘D’ contains some of the more important considerations to be kept in view while auditing in IT environment.
4.43 All important guidance, tools and other specialized material relating to both financial and performance audits may be made available through the office INTRAnet site, which should be updated at regular intervals.
4.44 SAI may have a ‘Knowledge Management Group’ to help implement knowledge-based initiatives, with the objective to make progress in the following areas:
4.45 To ensure uniformity and consistently high quality, SAI may develop elaborate good practice guides for each discipline/branch of audit. The documented global good practices on audit methodology, tools and techniques may be used as benchmarks for improvements in audit quality.
4.46 This section contains the practices and procedures to be followed by the audit team in carrying out financial and performance audits. These are dealt with separately. Broadly, the process of audit includes entry conference, determination of the audit approach, developing and executing the audit test programme and finally developing audit opinions, findings and recommendations.
4.47 SAI should have in place appropriate audit methodology, procedures and policies to guide practical operations of audit which should result in efficient audit approaches that produce sufficient, appropriate audit evidence at the appropriate time. This would enable the SAI to meet its reporting responsibilities. SAI should have a system where the significant matters are communicated through out the audit process between audit teams and management of the audit entities.
4.48 The Key stages are:
4.49 The starting point is SAI’s assessment of risk for the entity as a whole and for individual account areas. Where risks of material misstatement have been identified, the audit managers should look to test controls that have been identified as mitigating the risks.
4.50 Where no risks of material misstatement have been identified, the audit team should still look to test controls relevant to the account area to provide the majority of audit assurance.
4.51 Beyond controls testing, the balance of reassurance will come from substantive procedures, including analytical procedures.
4.52 Substantive assurance may be required at three different levels:
4.53 SAI’s quality management process for financial audit should encompass the following: (Adapted from ‘Audit-21’- Financial Audit Methodology, NAO, UK)
4.54 The field audit is directed at testing the audit objectives and criteria with help of an audit programme.
4.55 Following the audit objectives, audit criteria and evidence required to be gathered, the audit team should prepare a list of questions, which they would seek answers to, and a tentative list of documents and information to be obtained from each unit where the audit would be conducted. The list of questions and documents and information audits could be refined, in case it is considered necessary, on the basis of the field visit.
Focus on criteria
4.56 The first stage for field audits is development of an audit programme. In developing the audit programme, it is important that the focus is retained throughout the field audit on the criteria, which are also inherently related to the audit objectives. Proper understanding of the criteria and its logical presentation along with the types and sources of evidence will assist the audit team to form an efficient method of gathering sufficient evidence without superfluous testing.
4.57 Approach in the context of performance audit is the method and means adopted for analysis of data for deriving audit conclusions. No uniform audit approach can be prescribed that is applicable to all types of subjects of performance audits. Some of the approaches include:
4.58 In developing an audit programme, it may not be possible to anticipate all contingencies. It is essential to have in-built flexibility in the programme; it would be preferable to start with a programme outlining the approach to the audit issues and revise and extend it as the audit develops.
4.59 The level of details of the final audit programme will depend on a number of factors. Some of the factors are:
4.60 Audit test programmes form an integral part of the audit programme. An audit test programme refines audit criteria into a series of procedures and/or activities (tests) to obtain relevant and reliable evidence upon which conclusions may be drawn.
4.61 Audit test programmes are the key link between the development of audit objectives/criteria and the conduct of an audit leading to credible and defensible findings.
4.62 Audit findings are identified by relating audit observations to audit criteria. Audit observations are based on the analysis of information collected during the audit. Audit findings should be developed and evaluated throughout the various phases of performance audit. Potential findings identified in the planning stage or during the preliminary study should be followed up in the detailed examination phase of the audit.
4.63 All performance audits ought to conclude with well thought-out recommendations. For developing recommendation, the senior audit managers should identify the underlying cause(s) of a finding, as this forms the basis for the recommendation. The cause is that which, if changed, would prevent similar findings. Recommendations emerge from identification of the ‘cause’ of audit findings, which ought to be addressed by the entity.
4.64 For recommendations to be effective, the characteristics are that they should be technically sound, economically viable and cost-effective.
Quality assurance in implementation of performance audit (Performance auditing guidelines, SAI, India)
4.65 Quality in implementation of the performance audit is assured through the following:
4.66 It should be open to the SAI to acquire specialized skills from external sources if the successful carrying out of an audit so requires in order that the audit findings, conclusions and recommendations are perceptive and soundly based and reflect an adequate understanding of the subject area of the audit. It is for the SAI to judge, in its particular circumstances, to what extent its requirements are best met by in-house expertise as against employment of outside experts.
4.67 If the SAI employs external experts as consultants it must exercise due care to assure itself of the consultants’ competence and aptitude for the particular tasks involved. This standard applies also where outside auditors are engaged on contract with the SAI. In addition care must be taken to ensure that audit contracts include adequate provision for the SAI to determine the planning, the audit scope, the performing, and the reporting on the audit
4.68 Should the SAI, in the performance of its functions, need to seek advice from specialists external to the SAI, the standards for exercise of due care in such arrangements have a bearing also on the maintenance of quality of performance. Obtaining advice from an external expert does not relieve the SAI of responsibility for the opinions formed or conclusions reached on the audit task.
4.69 An important element of every audit, be it performance or financial, is the informal and formal consultation that takes place within the audit teams and between audit teams and office specialists. When dealing with complex, unusual or unfamiliar issues, audit teams are expected to refer to authoritative literature and/or seek the assistance of in-house experts and/or individuals or groups from outside the office with appropriate competence, judgment and authority. SAI may maintain a reference library for all technical literature for the audit teams to consult. Performance audits are often complex exercises requiring a wide range of skills, expertise and experience to be completed cost-effectively. These audits also require considerable judgment at all stages of the audit. The requirement to have an Audit Forum, Quality Reviewer and the support of specialists and subject matter experts ensures that appropriate advice and assistance are available to the audit teams.
4.70 Audit Forums may be established for major performance audits. Members of the forum may be selected on the basis of their skills, insights, relevant knowledge and experience. The audit team may consult with forum members on the following aspects of the audit:
4.71 The role of the forum should be to:
The forum may also be considered as an internal arrangement within SAI to help improve audit approach and enhance professional quality through mutual exchange of ideas and experiences. It may be considered as a common platform for professional development. Individual members of the forum with expert knowledge can be associated with the audit teams as special advisors.
4.72 The fact that the audit teams have consulted the audit forum should be spelled out in the scope and methodology section of the audit reports so that the reader will have full knowledge of what techniques, methodologies and processes have been followed to arrive at SAI’s findings
4.73 A Quality Reviewer, who is an SAI official, may be named for major financial and performance audits in order to provide an enhanced level of quality assurance and could be an instrument for consultation and advice for audit teams. The Quality Reviewer may provide advice on major audit risk areas.
4.74 The audit forums and the quality reviewers are crucial, along with SAI’s other quality assurance activities, to assuring that the work is of the highest quality.
4.75 SAI should ensure that the staff with appropriate skills is selected for each audit. It is up to the SAI management to judge to what extent the SAI’s requirements would be fulfilled by in-house expertise or employment of outside experts. An audit organisation may need to rely on specialists and experts to help ensure that it has the requisite knowledge, skills and experience for tasks required for an audit engagement. Experts and specialists may have expertise in subjects such as law, statistics, economics, accounting, budgeting issues, social and other sciences, engineering, environmental studies, information technology, fraud investigation, specialized audit methodologies, etc.
4.76 SAI may have other support groups in the office to provide advice on media relations, report style and use of graphics, need-based training, etc.
4.77 If the SAI, in the performance of its functions, seeks advice from external experts and specialists, the standards for exercise of due care and confidentiality of information will apply to such arrangements.
4.78 SAI may consult the auditee before taking a decision to engage an expert whether, in the opinion of the audited entity, an actual or potential conflict of interest could exist in the event of engaging a consultant. It is ultimately a decision of the SAI whether or not to engage a consultant to assist in the conduct of an audit, taking into consideration the views and opinion of the audited entity and of the expert. Experts may be engaged for both financial and performance audits.
4.79 SAI should take the following steps before engaging the services of an outside expert:
4.80 Audit evidence is information collected and used to support audit findings. Audit conclusions and recommendations stand on the basis of such evidence. Consequently, auditors must give careful thought to the nature and amount of evidence they collect. The auditor should obtain sufficient and appropriate audit evidence to be able to draw reasonable conclusions and audit opinion.
4.81 ‘Competent, relevant and reasonable evidence should be obtained to support the auditor’s judgement and conclusions regarding the organisation, programme, activity or function under audit.’
4.82 The standards further prescribe inter-alia that (i) data collection and sampling techniques should be carefully chosen; (ii) the auditors should have a sound understanding of techniques and procedures such as inspection, observation, enquiry and confirmation, to collect audit evidence; and (iii) the evidence should be competent, relevant and reasonable.
QUALITY OF AUDIT EVIDENCE
4.83 The evidence must be valid, reliable, accurate and complete. The reliability of audit evidence is influenced by its source: internal or external, and by its nature: visual, documentary or oral. While the reliability of audit evidence is dependent on individual circumstances, the following generalizations will help in assessing the reliability of audit evidence:
4.84 The evidence must have a logical, sensible and important relationship to the issue being addressed.
4.85 Sufficiency and appropriateness are interrelated and apply to audit evidence obtained from both tests of control and substantive procedures. Sufficiency is the measure of quantity of audit evidence while appropriateness is the measure of quality of audit evidence and its relevance to assertion and its reliability.
4.86 In forming the audit opinion, the auditor does not ordinarily examine all of the information available because conclusions can be reached about an account balance, class of transactions or control by way of using judgmental or statistical sampling procedures.
4.87 The auditor’s judgment as to what is sufficient and appropriate audit evidence is influenced by such factors as the:
4.88 Physical evidence is obtained by observing: photographs, charts, maps, graphs or other pictorial representations, etc. are some examples. Physical evidence involves direct inspection or observation of people, property or events like observing inventory management of stores and stock, counting cash, etc to verify the existing of a tangible asset. It is desirable to corroborate the physical evidence by getting the acceptance of such evidence by the entity.
4.89 Testimonial evidence describes the receipt of a written or oral response obtained from witnesses through interview and questionnaires, from an independent third party verifying the accuracy of information that was requested by the auditor. Since the testimonial evidence comes from independent sources, it is highly regarded and is often used.
4.90 Documentation is the most common form of evidence. Documentary evidence is the auditor’s examination of letters, subject files, contracts, invoices, internal memorandums of the entity, budgets, policy statements and legislations, management reports and reviews, published programme performance data, internal audit reports, accounting records and data gathered during audit. Databases maintained by the entity, independent surveys, evaluation, research, etc. by external sources and written evidence collected in previous audits are important sources of audit evidence.
4.91 Analytical evidence is derived from other evidence through computations and comparisons to determine whether account balances or other data appear reasonable. Analytical procedures involve a comparison of the value of an actual with the expected values. The objective of this comparison is to identify and investigate the reason for any unusual or unexpected relationship between the actual and expected values.
4.92 Evidence may also be gathered by:
4.93 Evidence is sometimes classified into compliance evidence and substantive evidence. Compliance evidence deals with the reliability of internal controls whereas substantive evidence deals with the reliability of the financial statements.
4.94 The effectiveness of an audited entity’s internal controls is a critical factor at a time when the auditor decides whether to follow an approach of compliance testing of the internal controls or to rely on ‘Direct Substantive Testing’ (DST). In case the auditor considers that the controls can be relied upon to some degree and that compliance testing should be followed, the auditor may confirm his assessment of the control risk through testing the operation of the controls in practice. If compliance testing is adopted, the quantum of substantive evidence required will be reduced.
4.95 Compliance testing may not be enough to support the auditor’s opinion. In that case, substantive testing has to be resorted to. If the audit approach is direct substantive testing, the opinion should be based solely on substantive tests of transactions and records.
4.96 Evidence gathered in the context of audit objectives should be analysed and tested against the audit criteria transparently to arrive at audit observations, conclusions and recommendations. Sound evidence analysis consists, among others, of the following important characteristics:
4.97 In most performance and financial audits, it may not be possible to examine all units or all data, documents and records. It will, therefore, be necessary that a representative sample be selected. The sampling techniques to be applied will depend upon the nature of data and audit objectives. The central issue in selection of the sample should be that:
4.98 Audit managers may carry out the sampling themselves, including the statistical sampling or the SAI may employ statistical adviser to assist the audit teams with the selection of the sample. The sampling technique and sample selected may be shared with the entity. However, prior selection of the sample and sharing of the information with the entity impose no restriction on the audit team to limit the audit tests to the sample size only. Statistical sampling and other evidence gathering techniques are explained in more detail in Appendix-‘E’. Other evidence gathering techniques (Adapted from the Peer Review Report on OAG Canada’s VFM practices, 2004) are explained in brief:
4.99 Quality assurance of evidence is ensured through the following:
4.100 The auditor should document matters which are important in providing evidence to support the audit conclusions and findings and to confirm that the audit was carried out in accordance in accordance with relevant SAI standards, which should be aligned to INTOSAI standards. The documentation may be in the form of data stored on paper, film, electronic and other media and provides the link between the audit work and its resultant outputs. The documentation should cover the basis and extent of audit planning, audit methodology, procedures and policies, research design, the audit performance, and the audit results and findings. Proper documentation of evidence is also one of the important measures of quality assurance.
4.101 ‘Auditors should adequately document the audit evidence in working papers, including the basis and extent of the planning, work performed and the findings of the audit.
4.102 Adequate documentation is important for several reasons. It will:
4.103 The auditor should bear in mind that the content and arrangement of the working papers reflect the degree of the auditor’s proficiency, experience and knowledge. Working papers should be sufficiently complete and detailed to enable an experienced auditor having no previous connection with the audit subsequently to ascertain from them what work was performed to support the conclusions.
4.104 Good working papers can contribute to the effectiveness of various administrative tasks required for the proper management of an audit assignment like facilitating adequate planning, adequate control over the field work and review and reporting to superiors. The content and arrangement of the working papers reflect the degree of proficiency, experience and knowledge. Documentation is a vital aspect of maintaining professionally acceptable standards of auditing for the following reasons:
4.105 All relevant documents and information collected and generated during an audit constitute the working papers. They include the documents recording the audit planning including the audit objectives, determination of criteria, field audit and evidence gathering procedures and evidence analysis, the nature, timing and the extent of audit procedures performed and the audit findings and conclusions. The working papers should encompass the entire process of auditing right from planning to execution and reporting and should serve as a connecting link among them. These should, therefore, be sufficiently complete and detailed to provide a clear trail and understanding of the audit. There is an important necessity of maintaining confidentiality of the working papers and safe custody of the working papers. They should be retained for a period sufficient to meet the professional, legislative and legal requirements.
4.106 Some of the broad characteristics of working papers are:
| Completeness and accuracy: | Working papers should be complete and accurate to provide support to audit conclusions and recommendations. |
| Clarity and conciseness: | Working papers should be clear and concise. Any one using them should be able to understand the entire audit process without need for any supplementary examination. |
| Ease of preparation: | Working papers should be easy to prepare. This may be achieved by using agency-produced documents and reports, pre-printed standard audit stationery and automatically generated standard working paper formats. |
| Legibility and neatness: | Working papers should be neat and legible. |
| Relevance: | Working papers should be restricted to matters, which are important, pertinent and useful for the purpose. |
| Ease of review: | The working papers should contain cross-references to the audit memoranda, discussion papers, audit observation, field audit report etc. to enable SAI audit management to link the working papers to audit conclusions and recommendations. |
| Organisation and ease of reference: | The working papers may contain an easy to follow index with proper narration for all volumes in an audit summary file and an index for each of the working paper files. |
4.107 SAI management may use an electronic work paper package that simplifies and enhances the effectiveness of audit documentation process.
Quality assurance of documentation/working papers is ensured through:
4.108 A sound system of supervision and review of audits, both financial and performance, is essential for maintaining good quality of audit. Supervision involves directing audit staff and monitoring their work to ensure that the audit objectives are met. Supervision involves assigning responsibilities, providing sufficient guidance to staff members, staying informed about significant problems encountered, reviewing the work performed, overseeing individual development, and coaching, providing periodic feedback & effective on-the-job training.
4.109 “The work of the audit staff at each level and audit phase should be properly supervised during the audit and documented work should be reviewed by a senior member of the audit staff.
4.110 Supervision is essential to ensure the fulfillment of audit objectives & the maintenance of the quality of the audit work.
4.111 Supervision involves ensuring that:
4.112 Supervisors should satisfy themselves that the staff members clearly understand the work expected of them, the reasons for accomplishing the work and time frame within which the work is to be accomplished. With experienced staff, supervisors may decide the scope of the audit work and leave details to the staff. Where the staff is less experienced, supervisors may have to specify audit procedures to be performed as well as techniques for gathering and analyzing data.
4.113 Performance audit being more open to judgement and interpretation requires close and careful supervision. Some of the more important responsibilities of the supervisory officers in relation to performance audit are to ensure:
4.114 The SAI may prepare a standard and detailed checklist which can form a framework for quality assurance review with a view to substantially enhancing the quality of supervision.
4.115 The INTOSAI Auditing Standards state:
All audit work should be reviewed by a senior member of the audit staff before audit opinions or reports are finalized. It should be carried out as audit progresses. Review brings more than one level of experience and judgment to the audit task and should ensure that:
4.116 A review ensures involvement of higher levels of management with the audit process and provides an assurance that the work has been carried out as per the standards and guidelines. Review of work should be carried out at each stage of audit cycle as under:
4.117 Reviews of audit work should be documented. The nature & extent of review of audit work may vary depending on a number of factors, such as the size of the audit organization, the significance of the work, the risk level and the experience of the staff.
4.118 In the case of financial audits, all audits (NAO, UK) should be subject to at least two levels of review before audit certificate is signed. In cases, where there are particular concerns of public interest or audit risk is high or accounts are qualified, a further review may be carried out before the audit certificate is signed.
4.119 In respect of important and major performance audit assignments also, multi-level review procedures may be applied as appropriate. However, where performance audit is assessed as ‘no known or minimal potential risk’, the number of layers or review and quality check should be reduced to have the audits completed in a shorter time frame.
4.120 A Quality Reviewer, who is an SAI official, may be named for major financial and performance audits in order to provide an enhanced level of quality assurance and could be an instrument for consultation and advice for audit teams. Quality reviewers may be assigned to audits generally perceived to be: of higher risk; complex to conduct or having complex accounting issue; significant or sensitive in nature. Quality reviewers should have significant experience in the office and no direct involvement in the particular audit(s) they are assigned to.
4.121 The principal mechanisms of managerial quality assurance are the documentation and systematic review and assessment of what is done. As a part of the managerial quality assurance, Regional Managers (heads of SAI field units) may prepare a report for the head of the SAI and the SAI top management at the end of the year indicating how they discharged their responsibility ensuring the effectiveness of the quality management processes. This report should include a description of the means by which they satisfy themselves regarding the following quality processes:
The report should also provide general comments on the working and professional environment in the SAI field office, together with details of any matters, which significantly affect that environment.
4.122 Quality assurance in supervision and review is ensured with the help of the following:
Introduction
4.123 Audit report is the written communication of the results of the audit undertaken. The audit report is the manifestation of the quality of all audit processes of an SAI. Thus, an SAI is ultimately judged by the quality of its audit report
4.124 The audit report should be in writing in order to-
4.125 The audit report is an important link in ensuring accountability for public resources because it enables the stakeholders including the public to determine whether:
General Reporting Standards
4.126 Audit reporting should comply with applicable laws and regulations, SAI’s auditing standards and INTOSAI standards.
4.127 INTOSAI Auditing Standards (INTOSAI Standards, p. 61) state:
At the end of each audit, the auditor should prepare a written report, as appropriate, setting out the findings in an appropriate form. The report should be easy to understand and free from vagueness or ambiguity, and include only information, which is supported by competent and relevant audit evidence. It should be independent, objective, fair and constructive.’
4.128 Interim reporting of significant matters may be made to appropriate officials to alert them to matters needing immediate attention and to allow them to correct them before the final report is completed. The audit report should be available promptly for timely use by management, legislative officials and other interested parties
Characteristics of a good audit report
4.129 The audit report should be complete, accurate, objective, convincing, clear and concise as the subject permits
Contents of audit report
4.130 Auditors should report the audit objectives, scope and methodology and the results of the audit which include the findings, conclusion and recommendations. These are explained below:
In addition to the above, following matters have to be reported on and included in the audit report:
Conformity of audit conducted with government auditing standards
4.131 The audit report should state that the audit was made in accordance with government auditing standards. The statement should be qualified in situations where the auditor did not follow an applicable standard.
Compliance with laws and regulations
4.132 Auditors should report all significant instances of non-compliance and all significant instances of abuse that were found during or in connection with the audit.
Reporting for Audit of Financial Statements
4.133 For attestation or certification audit, the auditor’s opinion on a set of financial statements is generally in a concise, standardized format, which reflects the results of a wide range of tests and other audit work. The basic principles governing reporting for attest audit are:
4.134 Opinions should be appended to and published with the financial statements to which they relate.
4.135 Audit opinions should indicate unambiguously whether it is unqualified or qualified, and if the latter, whether it is qualified in certain respects or is adverse or disclaimer paragraph.
4.136 The contents of the audit opinion are:
Reporting for Audit of Financial Operations and other Regularity Audits
4.137 For regularity audits, there is a requirement to report as to the compliance of transactions with laws and regulations and to report on the adequacy of systems of internal control. The auditor should also report on significant irregularities, whether perceived or potential, or inconsistency of application of regulations or on fraud and corrupt practices.
4.138 Auditors should report the scope of their testing of compliance with laws and regulations and of internal control and present the results of those tests. In presenting the results of such tests, auditors should report fraud, illegal acts or other material non-compliance.
4.139 The report on regularity audit may either be a part of the report on the financial statements, or a separate report.
Reporting for Performance Audit
4.140 Performance audit is wide-ranging in nature and is more open to judgment and interpretation. Its coverage is more selective and may be carried out over a cycle of several years, rather than in one financial period, and it does not normally relate to particular financial or other statements. For performance audits, the auditor shall report on the economy and efficiency with which resources are acquired and used, and the effectiveness with which objectives are met.
4.141 The performance audit report should state clearly the objectives and scope of the audit and the audit criteria used. It may include significant criticism of how programmes are implemented and give independent information, advice or assurance as to whether and to what extent economy, efficiency and effectiveness are being or have been achieved.
4.142 Auditors should recognize that their judgments are being applied to actions resulting from past management decisions. Care should therefore be exercised in making such judgments. The presentation of weaknesses or critical findings should be in such a way as to encourage correction and to improve systems and guidance within the audited entity. Performance Audit reports should not concentrate solely on criticism of the past but should be constructive.
4.143 The auditor’s conclusions, recommendations and impact analysis are an important aspect of the audit, and where appropriate are written as a guide for action. Conclusions reached against each audit activity should be brought out clearly. The auditor comments on the policies and programmes and recommends changes designed to result in improvements. Generally, these recommendations suggest what improvements are needed rather than how to achieve them, though circumstances sometimes arise which warrant a specific recommendation, for example to correct a defect in the law in order to bring about an administrative improvement.
Contents of performance audit report
4.144 In addition to those enumerated above on the contents of an audit report in general, the following form part of the performance audit report:
4.145 SAI may be responsible for reporting illegal acts directly to parties outside the auditee in certain circumstances. The reporting should be to the auditee first and thereafter to the external party specified in the law or the rules. When the law requires reporting directly to investigative bodies, SAI should ask those authorities if reporting those illegal acts in the audit report would compromise investigative or legal proceedings. The auditors should limit their reporting to matters that would not compromise those proceedings such as information that are already part of public record.
4.146 Reporting on irregularities or instances of non-compliance with laws or regulations, the auditor should be careful to place his/her findings in the proper perspective. The extent of non-compliance can be related to the number of cases examined or quantified monetarily. Reports on irregularities may be prepared irrespective of a qualification of the auditor’s opinion. By their nature, they tend to contain significant criticisms, but in order to be constructive they should also address future remedial actions by incorporating statements by the audited entity or by the auditor, including conclusions or recommendations.
4.147 In general, the SAI should include in the audit report whatever it sees fit. However, certain information may not be freely disclosed as when the national security or interest is involved. In this situation, the auditor may make a separate unpublished report including such confidential or sensitive material but the same shall only be made available to persons authorized by law or regulations. Alternatively, the SAI may not include such information in the audit report, but, the nature of the information omitted and the requirement that makes the omission necessary should be stated in the report. Consultation with a legal counsel may be necessary
Performance Audit Management Committee (VFM Manual, OAG, Canada)
4.148 SAI may constitute a Performance Audit Management Committee to ensure that the quality of report meets the standards of the office. The Committee may review a sample of major performance audit reports prior to approval to ensure that the messages they contain are consistent with the objectives of the study and performance audit guidelines and other policy instructions issued by the SAI.
Improving readability of audit reports
4.149 Traditional voluminous audit reports are unable to attract attention and response from the stakeholders. Special arrangements may be introduced in the SAI to develop reporting formats to attract the attention of the readers.
Specialist to help in drafting (VFM Handbook, NAO, UK)
4.150 SAI may consider having in-house specialist to assist audit management teams with formatting & drafting of audit reports and to provider an independent view on the consistency of the draft.
Report Design Group (VFM Handbook, NAO, UK)
4.151 Performance Audit reports should increasingly use visual aids - photographs, imaginative graphics and graphic design- to present findings in more compelling ways. SAI may consider having a separate ‘Design Group’ to assist the performance audit senior managers in enlivening the report by the use of graphics and photographs.
Quality assurance of reporting
4.152 Quality assurance of reporting process and the final output is assured by:
4.153 The audit reports are essentially a ‘means to the end’ of improving auditee performance and accountability. This can be achieved through implementation of the audit recommendations. Consistent and systemic follow-up process in the SAI may contribute significantly to effectiveness of audit in bringing systemic improvement in the functioning of the entity.
4.154 The auditee management is basically responsible for implementation of audit recommendations. The responsibility of the auditor is to ensure the likelihood of implementation of audit recommendation.
4.155 A quality recommendation is one that is:
4.156 Objectives of the follow-up of SAI’s recommendations
4.157 SAI may prepare annual operational plan for follow-up programme in relation to the audits conducted in the past. The annual follow-up programme should be supported by data on major recommendations made in the past, recommendations stated to have been implemented but not tested through follow-up audit and recommendations not implemented by the entity.
4.158 The follow-up activity can be performed by:
4.159 As the starting point for follow-up procedures, SAI may maintain a comprehensive database of recommendations. The inventory should consist of all recommendations, with appropriate grading under ‘vital or critical’, ‘significant’ and ‘important’. The database should also contain other relevant information viz. the year of audit report, status of acceptance viz. accepted, partially accepted, not accepted and not replied, nominal implementation reported by the entity and the time of such reporting, risk associated with non-implementation or poor implementation, besides follow-up reviews. This inventory should be maintained as a permanent database and should be updated regularly, which may assist in audit planning in future.
4.160 Quality assurance of the follow-up programme is provided by: