Editor’s note: INTOSAI contributes actively to the harmonization of public and private sector financial auditing standards. Experience to date shows that the international standards used in the private sector are relevant to public sector audits. However, the public sector audit mandate is generally broader, and public sector auditors must also take into account additional considerations. The following is an expanded version of the article that appeared in the print October 2007 Journal.
INTOSAI continues to contribute actively to the harmonization of public and private sector financial auditing standards. The Memorandum of Understanding between INTOSAI’s Professional Standards Committee and the International Auditing and Assurance Standards Board (IAASB) of the International Federation of Accountants (IFAC) was renewed in June 2006 for 3 more years. The cooperation process was described in articles in the April 2004 and October 2004 issues of this Journal.
INTOSAI contributes to this harmonization by
The INTOSAI Financial Audit Guidelines Subcommittee is working to develop the INTOSAI Financial Audit Guidelines, which will consist of an ISA and an INTOSAI practice note. The guidelines will be part of the fourth level of the planned INTOSAI framework—International Standards for Supreme Audit Institutions (ISSAI). The ISSAI framework and the Financial Audit Guidelines developed to date will be presented for endorsement at INCOSAI 2007.
The harmonization process requires ongoing cooperation between the parties involved, and all phases of the process must be considered. It also requires continuous focus on the issues particular to the public sector to help ensure that practical application guidance is developed. Furthermore, effective implementation, training about how to use the guidelines, and ongoing monitoring that highlights the need to revise existing guidelines or develop new material are important. The phases of the process are illustrated in figure 1.
Figure 1. Harmonization Process Phases Related to Auditing Standards and Guidance
The following sections provide a brief overview of the main areas in which differences between the two sectors have been identified through the cooperation process to date. These differences are being addressed in the text of the ISAs themselves (as general statements or specific public sector considerations) or in the INTOSAI practice notes.
The Objective of a Financial Statement Audit
In the private sector, the overall objective of the audit is to enable the auditor to express an opinion about whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. This is the fundamental starting point for auditors in the private sector, and it guides the work throughout the audit process until completion and issuance of the audit report.
The objective of a financial statement audit in the public sector is generally broader than in the private sector. Public sector auditors also express an opinion about whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. In addition, they are generally responsible for reporting on compliance with authorities, including budget and accountability, or on the effectiveness of internal control. There may also be public expectations regarding the scope of matters to be included in a public sector audit. Although reporting on the audited entity’s economy, efficiency, and effectiveness is not part of the scope of developing guidelines for financial statement audits, many SAIs also have a performance audit mandate to report on these issues. Nonetheless, in regard to the audit of financial statements, public sector auditors generally have a broader mandate to consider when applying the INTOSAI financial audit guidelines throughout the process of a financial statement audit.
Terminology in the Standards
As part of the harmonization process, attempts are being made to use “sector neutral” terminology to draft the international standards1 so that they can be readily understood and applied in both the public and private sectors. This is done by including appropriate text in the standards themselves or in the related glossary. Additional definitions and guidance may also be included in INTOSAI’s practice notes as needed.
For example, one of the fundamental concepts in the international standards is that there are significant public interest issues related to the audits of “listed entities” (entities quoted on a recognized stock exchange). The international standards set out several requirements related specifically to listed entities. Examples include the following:
Listed entities, as such, may not be common in the public sector. However, public sector entities that are significant due to size, complexity, or public interest aspects and consequently have a wide range of stakeholders (for example, state-owned corporations and public utilities) may be comparable to listed entities. This is in line with the trend in the private sector, which is moving toward broadening the concept of “listed entities” to “significant public interest entities,” which would include both listed entities and other entities.
The Relationship between Auditor and Auditee
In the private sector, the auditor/auditee relationship is normally contractual. Certain preconditions must be present before the relationship can be established. These include a suitable framework for financial reporting and management’s acknowledgement of and agreement to its responsibilities for preparing and presenting financial statements in accordance with this framework. The contract terms are normally set out in an engagement letter. This letter includes matters such as the objective and scope of the audit, the responsibilities of the various parties, and the form of reports to be issued. Even in private sector cases in which certain aspects of the audit are regulated by law, engagement letters may be useful to address other aspects, such as access to documentation, timetables, communication, or billing arrangements.
Auditors in the private sector normally carry out certain procedures when determining whether or not to accept or continue an audit engagement. These procedures may include an evaluation of management’s reputation, competence, and integrity; the audit team’s competence, time, and resources to carry out the engagement; the engagement team’s ability to comply with ethical requirements; and significant previous audit findings.
Private sector auditors generally have the option to decline or withdraw from the
engagement if, for example,
In the public sector, the appointment of public sector auditors, the engagement portfolio, the auditor’s responsibilities and powers, and perhaps even the form of report to be issued may be set out in law and regulation or the audit mandate. Nonetheless, the use of engagement letters may be beneficial when an entity is being audited for the first time or when there have been changes in the structure of the audited entity or in key entity personnel responsible for communication with public sector auditors. Use of such engagement letters is normal practice in many SAIs today.
Public sector auditors are generally appointed under statutory procedures and do not normally have the option to decline or withdraw from an audit engagement. Despite any significant difficulties that may be encountered in connection with the audit, it is generally in the public interest that they complete the assignment to the extent possible and report to the governing body, the legislature, or others as appropriate. Whereas private sector auditors might withdraw from the audit engagement in certain cases, as described above, public sector auditors may extend the scope of their work or expand their reporting as appropriate when confronted with similar situations.
In addition to the requirements and guidance set out in the ISAs, there may be further considerations for public sector auditors in undertaking audit engagements. For example, the capabilities and competence required in an audit may be broader and include the need to understand applicable reporting arrangements, such as requirements for reporting to the legislature, governing body, or the public.
Public sector auditors may sometimes need to adapt their approach in order to promote compliance with the requirements of the ISAs. They may do this, for example, by expanding their reporting when a private sector auditor withdraws from the engagement or by performing procedures such as those related to client acceptance and continuance to obtain valuable information for assessing risk and carrying out reporting responsibilities.
International standards related to quality control are written to apply to two different levels:
ISQC 1 requires, before the date of the audit report, engagement quality control reviews of listed entities and other entities meeting applicable criteria. In the context of SAIs, listed entities would comprise significant public interest entities, as discussed above.
In private sector audit firms, engagement partners generally have individual responsibility for audit engagements and also have the authority to bind the audit firm in this respect. For SAIs, an auditor general or a court of auditors has overall responsibility, although the day-to-day operational responsibility may be delegated to others. For example, all those with engagement partner responsibility in an SAI with an auditor general system would, because of the hierarchical structure of SAIs, ultimately report to the auditor general. In the public sector, it is important to select engagement quality control reviewers that are independent of the audited entity and can provide an objective evaluation even though they are part of the same hierarchy as the person with engagement partner responsibility.
Furthermore, ISQC 1 requires engagement partner rotation for listed entities after a predefined period, which normally does not exceed 7 years. In the public sector, this requirement would be applied to significant public interest entities. However, legislation establishing the appointments and terms of office of the auditor general may make rotation impractical. SAIs may establish policies and procedures to promote compliance with the spirit of this requirement (e.g., by rotating key personnel with operational responsibility for the audit engagement, requiring engagement quality control reviews, or carrying out regular peer reviews).
The importance of and need for further guidance on quality control was emphasized at the April 2007 meeting of the INTOSAI Professional Standards Committee where participants agreed to establish a project, chaired by the SAI of New Zealand, to draft guidance on quality control in audits (a code of quality along the lines of IFAC's ISQC 1). The guidance would apply to all types of audits (financial, compliance, and performance) and would be relevant to all types of SAIs (auditor general and court models) for both annual audits and other types of audit engagements.
The requirements the ISAs set out for planning an audit are relevant for public sector auditors. In addition to the ISA guidance, there may be other considerations for public sector auditors, including the following:
In a court of accounts environment, public sector auditors may plan and perform certain procedures to meet legal requirements. This may include identifying those responsible for financial acts in cases where the court's judgment may have personal legal implications. Furthermore, public sector auditors in a court of accounts environment may work closely with prosecutors and police when dealing with financial fraud and may obtain information from them in the planning process when appropriate.
Risk Assessment and Audit Procedures
Audit risk standards are fundamental in today’s risk-based audit approach. These standards typically refer to business risk, which ISA 315 defines as a “risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity's ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies." Business risk is broader than the risk of material misstatement on financial statements.
While the term business risk may seem unfamiliar or somewhat commercially oriented to auditors in the public sector, the general concept still applies in the context of identifying and assessing risk in public sector audit work. In the public sector, business risk relates to the risk that government activities—including relevant programs, program strategies, and objectives—will not be completed or achieved. In addition, risks related to issues such as the political climate, public interest, and program sensitivity or potential noncompliance with legislation or proper authority are relevant in the public sector context.
In addition to the requirements and guidance set out in ISAs, there may be further considerations for public sector auditors in assessing risk and designing audit procedures. To gain an understanding of the entity, public sector auditors consider their broader mandate as well as any relevant legislation, regulations, directives, or other requirements that affect the entity's operations. Management objectives, including public accountability concerns, are also considered. Risk assessment information may be obtained from performance auditors or other relevant sources, such as testimonies from government officials or legislative reports or minutes.
In addition to the assertions embedded in the financial statements (e.g., occurrence, accuracy, completeness, valuation, and disclosure), public sector auditors may also take regularity assertions into account. A regularity assertion relates to whether or not transactions and events have been carried out in accordance with legislation or proper authority. Public sector auditors may be required or expected to perform additional procedures, such as tests of travel expenditures, sensitive payments, procurements, or controls designed to prevent or detect fraud.
Public sector auditors may also have reporting responsibilities, such as those related to internal control or compliance, that private sector auditors do not have. Consequently, public sector auditors' reviews of internal controls may be broader and more detailed than in the private sector. Reporting requirements may also be broader in that public sector auditors may be required to report all identified internal control deficiencies or compliance deviations (not only those that are material) to the legislature or other governing body.
Audit Documentation and the Balance between Transparency and Confidentiality
Transparency is a fundamental principle in public sector auditing or government activities carried out by public sector entities.
In the private sector, the relationship between the auditor and auditee is often more confidential than in the public sector. In the private sector, the financial reporting framework or laws and regulations may require certain disclosures in the financial statements. However, the information obtained during the audit and communication between the auditor and the auditee is generally confidential unless law, regulation, or professional duty requires its disclosure.
In the public sector there is an ongoing need to balance confidentiality with transparency and accountability. This balance between confidentiality and transparency requires professional judgment to ensure that documentation of a confidential nature (e.g., sensitive personal information or classified information) is clearly identified and treated as such while at the same time granting access to third parties as appropriate. This may be relevant in situations where third parties have access to audit correspondence through such means as electronic or other post journals that are open to public scrutiny.
Transparency may also apply to public sector audit reports when, for example, there are requirements to make reference to experts, third-party service organization auditors, or component auditors involved in the audit work. The intention behind such references is not to diminish the public sector auditor's responsibility for the report but rather to provide complete and transparent information to the report readers.
In the public sector, there may also be documentation retention requirements that go beyond those set out in ISAs and ISQC 1. Such requirements may, for example, relate to documentation that would be subject to indefinite retention in a country’s national historical archives.
In a court of accounts environment, there may also be specific rules of evidence that must be followed in preparing audit documentation.
ISA 260 defines those charged with governance as “the person(s) with responsibility for overseeing the strategic direction of the entity and obligations related to the accountability of the entity." In the public sector, identifying those charged with governance may be a challenge. The audited entity may be part of a larger or broader structure with governance bodies at several organizational levels. In some cases, there may be separate reporting requirements related to aspects of financial and compliance audits involving separate governance bodies. Public sector auditors take care to communicate so that the needs and expectations of the legislature or appropriate regulators are met. This may also involve communicating matters that come to the attention of public sector auditors as a result of other work, such as performance audits.
As described previously in this article, ISA 260 sets out requirements for the annual communication of compliance with ethical requirements regarding independence. In addition to the considerations described in the ISA, matters set out in the INTOSAI Code of Ethics, such as political neutrality, may also be important.
Public sector auditors may also have broader communication responsibilities than those envisioned by ISA 260. For example, when the communication process with management or those charged with governance does not function effectively, public sector auditors may communicate with the legislature, appropriate regulators, or relevant funding agencies.
Many SAIs are responsible for contributing to the prevention and detection of fraud. ISA 240, The Auditor's Responsibilities Relating to Fraud in an Audit of Financial Statements, expands on the audit risk standards described above and deals with their application in relation to the risk of material misstatement due to fraud.
In the public sector, auditors' responsibilities may result from legislation, regulation, or directives related to the audited entity or may be covered separately by the audit mandate. As a result, those responsibilities may not be limited to the risk of material misstatement of the financial statements due to fraud. The auditor’s responsibilities related to fraud may be broader than in the private sector and may include aspects of compliance, public accountability, and sound public sector financial management.
In addition to the guidance set out in the ISAs, typical areas where public sector auditors are alert to fraud risks include procurement, grants, privatization, intentional misrepresentation of results or information, and misuse of authority or power.
Materiality and Evaluation of Misstatements
The concept of materiality is defined in different ways in different financial reporting frameworks. In a financial statement audit, a misstatement is material if it would influence the economic decisions users take based on the financial statements. Materiality has both quantitative and qualitative aspects.
In the public sector, materiality is not limited to the economic decisions of users. Legislators and regulators are often the primary users of public sector financial statements. They may use the financial statements to make not only economic decisions but also decisions about whether to continue certain government programs or grant schemes. The qualitative aspects of materiality generally play a greater role in the public sector than in the private sector.
Materiality standards3 set out procedures for determining levels of materiality. In the public sector, materiality levels may be set lower than those prescribed by the ISAs due to considerations such as the sensitive nature of certain transactions or programs, the public interest, the need for effective legislative oversight and regulation, and the nature of the misstatement or deviation (e.g., if it is related to fraud or corruption).
The broader mandate in the public sector may require audits of certain aspects related to compliance and internal control. While misstatements of small monetary amounts may be deemed trivial, even small deviations related to compliance or internal control are, by their nature, generally not seen as trivial. Even if a transaction—regardless of its size—is correctly recorded in the financial statements, the transaction represents an instance of noncompliance or a control deviation if it is illegal or fraudulent or if the control was not followed.
The ISAs also require the auditor to communicate identified misstatements, other than those that are clearly trivial, to the appropriate level of management. Misstatements that are not corrected by management are reported to those charged with governance.
Many public sector auditors report all (not only nontrivial) identified misstatements or compliance and control deviations to management. Such misstatements or deviations may also have implications in a broader context. Public sector auditors may report to not only management but also those charged with governance or other parties, such as government officials, as appropriate. Based on their mandates, some SAIs may also order that any instances of noncompliance be corrected. In such cases, public sector auditors determine whether their independence will be impaired.
In the private sector, audits are generally conducted based on the premise that management understands its responsibilities for (1) preparing and presenting financial statements in accordance with the applicable financial reporting framework, (2) designing and maintaining internal controls, and (3) providing complete information to the auditor. Auditors obtain written representations from management to confirm that it acknowledges this premise and understands its responsibilities. Such representations corroborate audit evidence and may also be requested in regard to other matters. Written representations also serve to remind management of its responsibilities from year to year, especially in cases where significant changes have taken place. Such changes may include the introduction of new financial reporting or internal control systems or changes in key members of management during the financial reporting period.
Although the same issues generally apply in the public sector, in some cases it may be argued that management's responsibilities in that sector are set out in law or regulation. However, this does not serve as a substitute for written representations requested by the auditor. For example, it is important to ask management to confirm that it understands the premise on which the audit is conducted as well as its responsibilities in this regard. It is also important to confirm with management that all relevant information has been made available to the auditor, especially in light of the auditor’s responsibilities to prevent and detect fraud. Furthermore, in the public sector it may also be appropriate to request additional representations in regard to regularity or compliance issues.
In the private sector, the trend is toward greater consistency in the form of reports for audits conducted in accordance with the same standards. This promotes credibility, as the report can be readily identified as being prepared based on certain standards. It also helps readers to more easily identify any unusual situations as they arise. The form of reports is set out in the reporting ISAs.4
In the private sector, the audit report is generally a one-way communication addressed to the appropriate parties, such as the shareholders or the board of directors. It identifies the audit work performed and the standards on which the work was based. The responsibilities of the auditor and management are set out and the auditor's opinion is clearly stated. In certain circumstances, the report may also include additional paragraphs that further elaborate on important matters.
This same structure is relevant to public sector audit reports even though they tend to be longer and include a wider range of matters.
The concept of contradiction is a unique concept in public sector audit reporting that is not addressed by the reporting ISAs. As described in INTOSAI Auditing Standards,5 this principle relates to verifying the facts with the audited entity to ensure that they are complete, accurate, and fairly presented in the audit report. It may also involve including the audited entity's responses to the matters raised, either word for word or in summary, especially where the SAI presents its own views or recommendations. The INTOSAI practice notes to the reporting ISAs, when developed, will likely provide further guidance on how this principle is to be applied in practice.
Conclusion and the Way Forward
Although this article emphasizes the differences between auditing in the private and public sectors, experience in harmonizing financial auditing standards demonstrates that the similarities outweigh the differences. In the public sector, the scope of auditing is broader than in the private sector. Consequently, public sector auditors take into account additional considerations compared to those set out in international standards. INTOSAI practice notes elaborate on these considerations. Furthermore, public sector auditors adapt their approach in certain situations—e.g., the obligation to accept and the inability to withdraw from an engagement; the need for transparency and accountability; and public interest aspects, especially in regard to communication and reporting.
The ISAs are already in use in many SAIs today and are gaining widespread recognition. They were recently designated by the international Financial Stability Forum (FSF)6 as one of 12 key sets of standards (and the only set of auditing standards) contributing to financial stability and international economic development. In some countries, the ISAs have been incorporated through legislation into the laws that regulate financial reporting. If the European Union adopts the ISAs in 2008, this will be the case for the 27 European Union member states.
INTOSAI financial audit guidelines draw upon the ISAs, including the public sector considerations incorporated into them, and provide additional guidance in the form of practice notes. INTOSAI financial audit guidelines have the same authority as the INTOSAI Auditing Standards. They represent good practice but do not have mandatory application among SAIs.
At a national level, SAIs may supplement INTOSAI financial audit guidelines with additional guidance tailored to national circumstances, as appropriate. The use of internationally recognized standards that have been subject to rigorous due process in their development enhances credibility and public confidence. By performing audits based on such robust standards and guidelines, audit quality can be improved.
Numerous challenges still remain for the harmonization process to be successful. For example, the private sector faces the challenge of finding methodologies to assist in implementing the standards on the large number of audits of small- and medium-sized entities.
INTOSAI faces a significant challenge in ensuring that there are dedicated resources for continually developing, updating, and implementing the guidelines and monitoring their implementation. Implementation of the guidelines, including providing the necessary training, must also be given sufficient focus during the appropriate phases of the process.
The way forward involves building on the experiences gained to date; focusing on the task at hand while not losing sight of long-term goals; dedicating the resources necessary to achieve the goals; and continual, active cooperation with others, both within INTOSAI and with external partners. Continuing to take an active role in this development is of strategic, long-term importance for INTOSAI.
For further information on the development of the financial audit guidelines, please visit the Web site of the INTOSAI Financial Audit Guidelines Subcommittee: http://psc.rigsrevisionen.dk/fas.
1The term “international standards” refers to the body of IFAC pronouncements, including ISAs and the International Standards on Quality Control (ISQC). The ISAs consist of an introduction, an objective, definitions (where applicable), requirements, and application material. The international standards do not have mandatory application among SAIs.
2ISA 315, Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and its Environment, and ISA 330, The Auditor's Responses to Assessed Risks.
3[Proposed] ISA 320 (Revised and Redrafted), Materiality in Planning and Performing an Audit, and [Proposed] ISA 450 (Redrafted), Evaluation of Misstatements Identified during the Audit.
4[Proposed] ISA 700 (Redrafted), The Independent Auditor's Report on General Purpose Financial Statements; [Proposed] ISA 705 (Revised and Redrafted), Modifications to the Opinion in the Independent Auditor's Report; and [Proposed] ISA 706 (Revised and Redrafted), Emphasis of Matter Paragraphs and Other Matter(s) Paragraphs in the Independent Auditor's Report.
5INTOSAI Auditing Standards, paragraph 4.0.24.
6The FSF consists of experienced representatives from national financial authorities, such as central banks; finance ministries and other national regulators; international financial institutions such as the World Bank, the Organisation for Economic Co-operation and Development, and the International Monetary Fund; associations of international regulators such as the International Organization of Securities Commissions and the Basel Committee; committees of experts from central banks; and the European Central Bank.