Back

Appendix B (ii)

ISQC 1, “Quality Control for Firms That Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements”

The material in this Annex is excerpted from the International Federation of Accountants (IFAC) ISQC1, “Quality Control for Firms That Perform Audits and Reviews of Historical Financial Information, and Other Assurance and Related Services Engagements”. It includes the basic principles and essential procedures set forth in ISQC1, without the detailed explanatory material presented in that document. It has been further adapted to the environment of an SAI by substituting public sector terminology in lieu of private sector equivalents where it was believed that this would facilitate understanding.

1.    Some of the terms used in this ISQC, such as “engagement partner” and “firm” have been changed to “audit team leader or audit director and SAI (Supreme Audit Institution)”, being the SAI equivalent of audit terminology used. With limited exceptions, there is no public sector equivalent to “listed entities” which has not been referred to in this adapted ISQC.

2.    This ISQC states that the firm (SAI)’s policies and procedures are designed to maintain the objectivity of the audit quality control reviewer. The audit quality control reviewer may not be selected by the audit team leader or audit director. In many jurisdictions, there is a single statutorily appointed auditor-general (in audit office SAI models) who has overall responsibility for public sector audits. In other jurisdictions, such as Courts of Audit, overall responsibility may rest on a collegiate basis. In both circumstances, the audit reviewer should be selected having regard to the need for independence and objectivity.

3.    In the public sector, SAI‘s auditors may be appointed in accordance with statutory procedures. Accordingly, considerations regarding the acceptance and continuance of auditee relationships and specific audit, may not apply.

4.    Similarly, the independence of public sector auditors may be protected by statutory measures, with the consequence that certain of the threats to independence of the nature envisaged by ISQC 1 are unlikely to occur.

Introduction

• The SAI should establish a system of quality control designed to provide it with reasonable assurance that the SAI and its personnel comply with professional standards and applicable regulatory and legal requirements, and that the reports issued by the SAI are appropriate in the circumstances.

Elements of a System of Quality Control

• The SAI’s system of quality control should include policies and procedures, appropriately documented and communicated, addressing each of the following elements:

1. Leadership responsibilities for quality within the SAI;
2. Ethical requirements;
3. Acceptance and continuance of auditee relationships and specific audits;
4. Human resources;
5. Audit performance;
6. Monitoring.

Leadership Responsibilities for Quality Within the SAI

• The SAI should establish policies and procedures designed to promote an internal culture that recognizes that quality is essential in performing audits.
• The SAI’s policies and procedures should acknowledge that the head of the SAI (or equivalent) has ultimate responsibility for the SAI’s system of quality control;
• If the head of SAI assigns operational responsibility for the system to one or more individuals, the head of the SAI should appoint a person or persons with sufficient and appropriate experience and ability and the necessary authority to assume that operational responsibility;

Ethical Requirements

• The SAI should establish policies and procedures designed to provide it with reasonable assurance that the SAI and its personnel comply with relevant ethical requirements.

Independence

• The SAI should establish policies and procedures to provide it with reasonable assurance that the SAI and its personnel and, where applicable, others subject to the independence requirements (including experts contracted by the SAI), maintain independence in circumstances where required by the IFAC Code of Ethics and national ethical requirements. Such policies and procedures should enable the SAI to:

1. Communicate its independence requirements to its personnel and, where applicable, others subject to them;
2. Identify and evaluate circumstances and relationships that create threats to independence, and to take appropriate action to eliminate those threats or reduce them to an acceptable level by applying necessary safeguards.

• Such policies and procedures should include requirements for:

1. Audit teams to provide the SAI with relevant information about auditee audits, including the scope of services provided to that auditee, to enable it to evaluate the impact, if any, on independence requirements;
2. Personnel to notify the SAI in a timely manner of matters that may pose a threat to independence, where applicable, so that appropriate action can be taken; and
3. The accumulation and communication of relevant information to appropriate personnel in order to enable:

    i. The SAI and its personnel to readily determine whether they satisfy relevant independence requirements;

    ii. The SAI to keep up to date records relating to independence; and

    iii. The SAI to take appropriate action regarding identified threats to independence on specific audits.

• The SAI should establish policies and procedures to provide it with reasonable assurance that it is notified of breaches of independence requirements and appropriate actions are taken to resolve such situations. The policies and procedures should require:

1. Personnel to notify the SAI in a timely manner of independence breaches of which they become aware;
2. Prompt communication by the SAI to the relevant audit team leader or audit director of identified serious breaches of the SAI’s policies and procedures. Such breaches represent a threat to independence on audits for which that audit team leader or audit director is responsible and need to be addressed by the audit team leader or audit director; and
3. Prompt communication by the audit team leader or audit director to the SAI regarding the action taken to resolve the matter.

• The SAI should obtain, at least annually, written confirmation of compliance with its policies and procedures on independence from all SAI personnel required to be independent by the IFAC Code and national ethical requirements.
• The SAI should establish policies and procedures setting out criteria for determining the need for safeguards to reduce threat of familiarity with auditee to an acceptable level when using the same senior personnel on an audit engagement over a long period of time.

• The SAI should establish policies and procedures for acceptance and continuance of non statutory auditee relationships and specific audits, designed to provide it with reasonable assurance that it undertakes or continues only those relationships and audits where it:

1. Has considered the integrity of the auditee and does not believe that the auditee lacks integrity;
2. Is competent to perform the audit and has the resources to do so; and
3. Can comply with ethical requirements including those relating to independence where applicable.

The SAI should obtain such information as it considers necessary in the circumstances before accepting a non-mandatory audit, and when deciding whether to continue an existing audit, and when considering acceptance of a new audit with an existing auditee. Where issues have been identified, and the SAI decides to accept or continue the auditee relationship or a specific audit, it should document how the issues were resolved.

Where the SAI obtains information that would have caused it to decline a non-mandatory audit if that information had been available earlier, policies and procedures on the continuance of the audit and the auditee relationship should include considerations of:

1. The professional and legal responsibilities that apply to the circumstances, including whether there is a requirement for the SAI to report to the person or persons who made the appointment or, in some cases, to regulatory responsibilities; and
2. The possibility of withdrawing from the audit or from both the audit and the auditee relationship.

• The SAI should establish policies and procedures to provide it with reasonable assurance that it has sufficient personnel with the capabilities, competence and commitment to ethical principles necessary to perform its audits in accordance with professional standards and applicable regulatory and legal requirements, and to enable the issuance of reports by the SAI or audit team leader or audit directors that are appropriate in the circumstances.

Assignment of Audit Teams

• The SAI should assign an audit team leader or audit director to each audit to take responsibility for that audit on behalf of the SAI. The SAI should establish policies and procedures requiring that:

1. The identity and role of the audit team leader or audit director are communicated to key members of auditee management and those responsible for governance;
2. The audit team leader or audit director has both the necessary capabilities, competence, authority and sufficient time to perform the role; and
3. The responsibilities of the audit team leader or audit director are clearly defined and communicated to that team leader or director.

• The SAI should also assign appropriate staff with the necessary capabilities, competence and time to perform audits in accordance with professional standards and applicable regulatory and legal requirements, and to enable the issuance of reports by the SAI that are appropriate in the circumstances.

Audit Performance

The SAI should establish policies and procedures to provide it with reasonable assurance that audits are performed in accordance with professional standards and applicable regulatory and legal requirements, and that the reports that are issued by the SAI are appropriate in the circumstances.

Consultation

• The SAI should establish policies and procedures to provide it with reasonable assurance that:

1.  Appropriate consultation takes place on difficult or contentious items within the SAI with external experts and with the auditee;
2.  Sufficient resources are available to enable appropriate consultation to take place;
3.  The nature and scope of such consultations are documented; and
4. Conclusions from consultations are documented and implemented.

Differences of Opinion

• The SAI should establish policies and procedures for dealing with and resolving differences of opinion within the audit team, with those consulted and, where applicable, between the audit team leader and/or audit director and the audit quality control reviewer. Conclusions reached should be documented and implemented.
• Report should not be issued until differences of opinion are resolved.

Audit Quality Control Review

• The SAI should establish policies and procedures requiring, for appropriate audits, an audit quality control review that provides an objective evaluation of the significant judgments made by the audit team and the conclusions reached in formulating the report. Such policies and procedures should:

1.  Set out criteria against which all audits and reviews of historical financial information, and other assurance and related services audits should be evaluated for the purpose of determining whether an audit quality control review should be performed in each instance; and
2. Require the performance of an audit quality control review for all audits meeting the criteria established with (a) above.

• The SAI’s policies and procedures should require the completion of the audit quality control review before the report is issued.
• The SAI should establish policies and procedures setting out:

1.  The nature, timing and extent of an audit quality control review;
2.  Criteria for the eligibility of audit quality control reviewers; and
3.  Documentation requirements for an audit quality control review.

Nature, Timing and Extent of the Audit Quality Control Review

• An audit quality control review should include an objective evaluation of:

1. The significant judgments made by the audit team relating to materiality and significant risks;
2. Whether working papers selected for review reflect the work performed in relation to the significant judgments and support the conclusion reached in formulating the report;
3. The appropriateness of the report to be issued;
4. Other significant matters that have come to the attention of the audit quality control reviewer;
5. Significant risks identified during the audit and responses to those risks;
6. Whether the appropriate consultation has taken place on matters involving differences of opinion or other difficult or contentious matters;
7. The significance and disposition of corrected and uncorrected misstatements identified during the audit; and
8. The matters to be communicated to management and those charged with governance and other applicable parties.

Criteria for the Eligibility of Audit Quality Control Reviewers

• The SAI’s policies and procedures on the eligibility of audit quality control reviewers should address:

1. The technical qualifications required to perform the role, including the necessary experience and authority; and
2. The degree to which the audit quality control reviewer can be consulted on the audit without compromising his/her objectivity.

Documentation of the Audit Quality Control Review

• Policies and procedures on documentation of the audit quality control review should include evidencing:

1. The procedures required by the SAI’s policies on audit quality control review have been performed;
2. The completion of the audit quality control review before the issuance of the report; and
3. That there are no unresolved matters that have come to the attention of the audit quality control reviewer that would cause the audit quality control reviewer to believe that the audit was not performed in accordance with professional standards and applicable regulatory and legal requirements.

Monitoring

• The SAI should evaluate the effect of deficiencies noted as a result of the monitoring process and should determine whether they are either:

1. Instances that do not necessarily indicate that the SAI’s system of quality control is insufficient to provide it with reasonable assurance that it complies with professional standards and regulatory and legal requirements, and that the reports issued by the SAI are appropriate in the circumstances; or
2. Systemic, repetitive or other significant deficiencies that require prompt corrective action.

• The SAI should communicate to relevant audit directors and team leaders and other appropriate personnel deficiencies noted as a result of the monitoring process and recommendations for appropriate remedial action.
• The SAI’s evaluation of each type of deficiency should result in recommendations for one or more of the following:

1. Taking appropriate remedial action in relation to an individual audit or auditor;
2. The communication of the findings to those responsible for training and professional development;
3. Changes to the quality control policies and procedures; and
4. Disciplinary action against those who repeatedly fail to comply with the policies and procedures of the SAI.

• Where the results of the monitoring procedures indicate that a report may be inappropriate or that procedures were omitted during the performance of the audit, the SAI should determine what further action is appropriate to comply with relevant professional standards and regulatory and legal requirements. It should also consider obtaining legal advice.
• At least annually, the SAI should communicate the results of the monitoring of its quality control system to audit directors and other appropriate individuals within the SAI, including the head of the SAI. Such communication should enable the SAI and these individuals to take prompt and appropriate action where necessary in accordance with their defined roles and responsibilities. Information communicated should include the following:

1. A description of the monitoring procedures performed;
2. The Conclusions drawn from the monitoring procedures;
3. Where relevant, a description of systemic, repetitive or other significant deficiencies and of the actions taken to resolve or amend those deficiencies.

Complaints and Allegations

The SAI should establish policies and procedures that provide it with reasonable assurance that it deals appropriately with formal complaints and allegations about whether the work performed by the SAI in its practices in the areas of audit, assurance and related services fails to comply with professional standards and applicable regulatory and legal requirements.

Documentation

The SAI should establish policies and procedures requiring appropriate documentation to provide evidence of the operation of each element of its system of quality control.