International Journal of Government Auditing – January 2013

INTOSAI’s New Fundamental Auditing Principles: Part 2

Editor's Note: The October 2012 Journal contained an article by Kristoffer Blegvad, chair of the ISSAI Harmonization Project, providing background on why INTOSAI needs to revise its fundamental auditing principles. This article provides additional information on the four ISSAIs that comprise the new fundamental auditing principles, all of which are currently available for comment on the ISSAI website (http://www.issai.org).

INTOSAI is now in the final phase of defining the revised fundamental auditing principles, a common set of auditing principles and concepts that are designed to be useful and supportive for all INTOSAI members. The project group of the ISSAI Harmonization Project has sent exposure drafts for ISSAIs 100, 200, 300, and 400 to all INTOSAI members and other interested parties for comment.

The exposure period for all four documents expires on February 15, 2013, so there is still time to read, review, and comment on the documents.

In the articles below, four of the key persons involved in drafting the new ISSAIs have presented the most significant elements in the revised fundamental auditing principles.

What Are the New Fundamental Auditing Principles?

In 2007, INCOSAI established the ISSAI framework, including level 3 of the framework (ISSAIs 100–999), which covers fundamental auditing principles. According to the XIX INCOSAI’s decision on the ISSAI framework in 2007, level 3 contains the broad, fundamental principles for auditing public sector entities, while level 4 translates the fundamental auditing principles into more specific, detailed, and operational guidelines that can be used on a daily basis for auditing.

The ISSAI Harmonization Project is revising the fundamental auditing principles and, in this way, aims to provide a conceptual basis for public sector auditing and ensure consistency in the ISSAI framework.

The following are the key characteristics of the revised fundamental auditing principles:

  • Cover all types of public sector audits, whatever their form or context. ISSAI 100 defines public sector auditing, provides the fundamental principles and concepts for all areas of public sector auditing, and can therefore be used by all SAIs regardless of their assignments and mandate. ISSAIs 200, 300, and 400 provide the fundamental principles related to the contexts of financial, performance, and compliance auditing, respectively. The principles of ISSAIs 200, 300, and 400 build on the fundamental principles of ISSAI 100 and should be applied in conjunction with them.
  • Provide the bedrock for ISSAI guidance on auditing. With the endorsement of the new ISSAIs, a range of overlaps and inconsistencies between levels 2, 3, and 4 of the ISSAI framework will be resolved. The new ISSAIs at level 3 do not repeat the ISSAIs at levels 1 and 2 but make consistent reference to them. The new ISSAIs are also consistent with the general auditing guidelines at level 4. Through the planned process of ongoing maintenance, improvement, and alignment of other ISSAIs in the framework with the fundamental auditing principles, the ISSAI framework will further develop into a more coherent and credible set of professional standards.
  • Provide a common, globally recognized professional basis for the INTOSAI community. This will also further the rollout and implementation of the ISSAIs. ISSAIs 100, 200, 300, and 400 encourage and support SAIs in their efforts to develop or adopt auditing standards that are consistent with the principles in the ISSAIs and relevant for the SAI within its mandate and the national context.
  • Provide the core of the more detailed auditing guidelines at level 4. Levels 3 and 4 of the framework will thus provide a learning ladder that will support a step-wise and flexible implementation of the ISSAIs. The new fundamental auditing principles will also be the basis for any further development of the level 4 guidelines in the future.
  • Clarify the authority of the ISSAIs and explain how SAIs can reference these standards in audit reports. This will clarify the basis for the individual SAI’s decisions on implementation of the ISSAIs. It will also provide an improved basis for INTOSAI’s common efforts to implement the ISSAIs—for example, through the Performance Measurement Framework (PMF), the ISSAI Compliance Assessment Tool (iCAT), as well as in other areas of cooperation.

The project group has based its revision of the fundamental auditing principles on the text of the old ISSAIs 100, 200, 300, and 400 from 1992; the new general auditing guidelines (ISSAIs 1000–4999) endorsed by the XX INCOSAI in 2010; the information on the mandates of different SAIs provided by representatives of INTOSAI’s regions; as well as the collective knowledge and expertise of the project group members and the related three INTOSAI Professional Standards Committee (PSC) subcommittees on financial, performance, and compliance audits. The result of this work is four new ISSAIs, rather than a simple update of the old ISSAIs 100, 200, 300, and 400.

The members of the ISSAI Harmonization Project Group
The project group consists of members from 13 SAIs. In addition to the chair (Denmark), it includes members from three PSC subcommittees: the Financial Audit Subcommittee (Sweden, the United Kingdom, and the United States), the Performance Audit Subcommittee (Brazil, Sweden, and Austria), and the Compliance Audit Subcommittee (Norway, the European Court of Auditors, and Slovakia). The project group also includes the chair (South Africa) and vice chair (China) of INTOSAI’s Governing Board, and the chairs of the Knowledge Sharing Committee (India) and the Task Force for the SAI Information Database (Mexico).

ISSAI 100: Fundamental Principles of Public Sector Auditing

ISSAI 100—Fundamental Principles of Public Sector Auditing—presents a definition of public sector auditing and provides the essential concepts, elements, and principles that apply to all public sector audit activities. Thereby, it provides the basis for the specific principles and concepts that define each area and that are included in ISSAIs 200, 300, and 400, which have a more targeted scope of application and contain only principles relevant to financial, performance, and compliance auditing, respectively.

ISSAI 100 states that public sector auditing is essential in providing independent and reliable information to legislatures, oversight bodies, those charged with governance, and the public. Public sector auditing enhances the confidence of the intended users in the appropriate use of public funds and assets, adherence to applicable authorities, and the performance of public administration. Audits are required to be objective, and results are based on findings supported by sufficient and appropriate audit evidence.

However, because of inherent limitations in all audits, an audit can never provide absolute certainty for the intended users, and this should be communicated in a transparent way. Depending on the purpose of the audit, this may be communicated in different ways. SAIs may choose to provide an explicit statement on the level of assurance in an opinion in a standardized format or in a conclusion in a non-standardized form. They may also choose to provide a consistent and persuasive description of the audit objective, the evidence obtained, the findings, the conclusions, and the recommendations.

ISSAI 100 contains the section “Making references to the ISSAIs” that explains the authority of the fundamental auditing principles set out in ISSAIs 100, 200, 300, and 400. ISSAI 100 recognizes that SAIs conduct their audits according to different national, regional, or international auditing standards that may be issued by the SAI or adopted from another source or may be within the ISSAI 1000-4999 financial, performance, and compliance auditing guidelines.

Therefore, depending on the standards applied, the ISSAIs can be referred to in two principal ways: audit reports may state that the audit was conducted in accordance with (1) a national standard based on or consistent with the ISSAI fundamental auditing principles or (2) the ISSAIs. In the latter case, the auditing guidelines on level 4 of the framework for financial, performance, or compliance auditing are applied as the authoritative standards. By providing these two options, the project group and the PSC Steering Committee have ensured a high degree of flexibility whereby each SAI can decide its own approach and standards that are relevant within its environment.

ISSAI 200: Fundamental Principles of Financial Auditing

ISSAI 200—Fundamental Principles of Financial Auditing—provides an overview of the nature, elements, and principles of auditing financial statements. The principles presented are consistent with the International Standards on Accounting (ISA) and the financial auditing guidelines on level 4 of the ISSAI framework. ISSAI 200 provides references (links) to ISSAIs 1000–1810 (ISAs with practice notes), which contain the requirements for such audits.

ISSAI 200 has been developed to provide the basis for developing or adopting auditing standards for financial auditing. It is based on the same premises as the financial auditing guidelines; that is, it requires, on a principle level, the same considerations of suitable criteria, ethical requirements, and demand for the auditors to be part of the same procedures for quality control. This ISSAI provides detailed information on the following:

  • the purpose and authority of the fundamental principles of financial auditing,
  • a framework for auditing financial statements in the public sector,
  • the elements of an audit of financial statements, and
  • the principles of an audit of financial statements.

ISSAI 200 addresses audits of financial statements and requires the auditor to consider the relevance and applicability of the financial reporting framework adopted to prepare the financial statements. It clearly states that such a financial reporting framework may be adopted for special purposes, such as reporting of public sector entities’ expenditures in relation to the budget as may be required, or it may be a general purpose financial reporting framework, such as International Public Sector Accounting Standards (IPSAS). For all types of financial reporting, it still requires the auditor to consider the relevance of the framework applied.

The principles formulated in ISSAI 200 are derived from the financial auditing guidelines on level 4, covering all aspects of the audit process, and focusing on the principles behind the comprehensive set of requirements at level 4. Flexibility is achieved by using these principles as the basis for adopting other standards as well as level 4. ISSAIs 1000–1810 are the best example of how the fundamental principles of financial auditing can be applied. For SAIs that choose to develop standards based on the fundamental auditing principles or adopt national standards consistent with the principles, the areas dealt with in ISSAI 200 are matters that should be addressed. ISSAI 200 also contains comprehensive guidance that may assist SAIs in developing or adopting standards consistent with the principles.

ISSAI 300: Fundamental Principles of Performance Auditing

ISSAI 300—Fundamental Principles of Performance Auditing—defines and provides INTOSAI’s principles for auditing economy, efficiency, and effectiveness. The framework for performance auditing is provided together with the general principles for performance audit engagements.

ISSAI 300 highlights elements considered to be relevant in performance auditing because they are essential in order to deal with the diverse facets of the public sector and to accomplish the objective of adding value by providing new information, analysis, or insights, and, where appropriate, suitable recommendations. ISSAI 300 emphasizes the following:

  • the need for flexibility to choose different approaches and methods;
  • the importance of effective communication with auditees and relevant stakeholders;
  • the definition of audit risk that goes beyond inaccuracy in the conclusions;
  • the concept of safeguarding quality, including the need for continuous learning activities to support the audit team in delivering a high quality performance report;
  • the appropriate attitude and professional behavior expected from performance auditors when exercising their professional judgment; and
  • the need to have a complete report that includes all relevant information and arguments to support conclusions.

These elements, already present in the performance auditing guidelines at level 4 of the ISSAI framework (ISSAIs 3000 and 3100), gain a clear and concise formulation in ISSAI 300.

At the same time, ISSAI 300 introduces new concepts not explicitly mentioned in ISSAIs 3000 and 3100 but considered relevant for all types of audit in ISSAI 100. These include

  • essential elements of an audit (e.g., responsible party, intended user, and the underlying subject matter);
  • how to convey confidence and assurance in a performance auditing engagement; and
  • how to refer to an ISSAI, for which a common approach in ISSAI 100 and a more specific one in ISSAI 300 were developed to suit the performance audit context.

ISSAI 300 reflects a balance between the common framework and principles established in ISSAI 100 and the specific characteristics of performance auditing.

ISSAI 400: Fundamental Principles of Compliance Auditing

ISSAI 400—Fundamental Principles of Compliance Auditing—states the principles of compliance auditing as conducted by SAIs and thus defines and provides INTOSAI’s principles for auditing compliance with authorities (laws, regulations, or propriety).

ISSAI 400 is the outcome of almost 10 years of INTOSAI efforts to identify the commonalities and basic requirements of compliance auditing as performed by SAIs worldwide. ISSAI 400 builds upon the operational guidance in the ISSAI 4000 series, Compliance Audit Guidelines, and aims at providing a coherent umbrella document for these guidelines on a high level.

ISSAI 400 constitutes the basis for auditing standards in compliance auditing in accordance with the ISSAIs and provides detailed information on the following:

  • the purpose and authority of the ISSAIs on compliance auditing,
  • the nature of compliance auditing and different ways in which it is performed,
  • the elements of compliance auditing, and
  • the principles to be applied when conducting compliance audits.

The Compliance Audit Subcommittee’s approach in developing both guidelines and principles of compliance auditing has been to build upon established audit theory and terminology and elaborate them to suit the specific public sector context; additionally, terminology and audit approaches specific to the public sector were added. To achieve this on a principle level covering all variations of compliance auditing performed by SAIs all over the world, the terminology and principles are drafted on a very high level, though they are still aimed at giving each SAI the necessary means to adjust them to their own mandate and national authorities.

All exposure drafts of the new ISSAIs have been posted on the ISSAI website at http://www.issai.org, and we would welcome any comments on how to improve the text of the four documents.

More information on the ISSAI Harmonization Project can be found at the project’s homepage at http://www.psc-intosai.org.