Quality Considerations in Complex, Non-routine, and High-Impact Audit Engagements
by Aamir Fayyaz, Director, Specialized Audit Unit, SAI Pakistan
It is commonly held wisdom that every staff member in a Supreme Audit Institution (SAI) is responsible for audit quality, and that SAIs should ensure quality at every stage of the audit process through standard operating procedures. This is certainly true, especially for routine audits. However, in the case of audits that are complex, non-routine, and high impact, the role of professional judgment—particularly on the part of management—in ensuring audit quality comes more into play, especially at key moments in the audit process.
Complex, Non-routine Audits Pose a Significant Risk
SAIs devote most of their resources to routine audits. At times, however, SAIs need to perform special audits covering complex topics and sectors (see figure below). These audits—which could be financial, compliance, performance, or a combination thereof—can pose significant risks to the reputation of SAIs and client entities, donor agencies, and other stakeholders.
While quality standards must be adhered to in every audit engagement, complex and non-routine audits require special attention, a principle affirmed in ISSAI 140, which states that “some work of SAIs may have a high level of complexity and importance that requires intensive quality control before a report is issued.” Moreover, while SAIs should give due consideration to quality throughout the audit cycle, there are critical junctures when decisions may have a far-reaching impact on quality and require the sound professional judgment of managers.
To illustrate this, consider two scenarios in which an SAI is tasked with auditing government expenditures made to address the COVID-19 pandemic. With the reporting period defined, the SAI’s first quality-related decision is the type of audit best suited to the engagement.
Scenario A: The SAI Opts for a Financial Audit
Materiality Level. After deciding on the type of audit, the SAI must now determine the materiality level—i.e., the acceptable level of errors and misstatements. In normal engagements, SAIs may set materiality in the range of 1 to 5 percent of the selected financial statement component, and then use this materiality level to audit all of the components. However, since this is a complex, non-routine audit, the SAI must give this decision special consideration, as the materiality level could have serious implications for the extent of audit work performed and will be the determining factor for the type of audit opinion released. To ensure the materiality level is appropriate, the head of the SAI, most senior audit manager, or audit board should make this critical decision.
Assurance. The next key decision with quality implications is to determine the sources of assurance—or, in other words, to assess audit risk (the possibility that a material misstatement is present in financial statements) and its components (inherent, control, and detection risks). Like materiality level, this determination will affect the extent of audit tests and procedures, types of evidence to be collected, anticipated audit findings, possible recommendations, and ultimately the usefulness of the audit product to stakeholders.
The SAI cannot simply set the inherent risk of the audit of COVID-19 expenditures at 20 percent, as it might for some routine audits. While doing so could mean the audit would require fewer SAI resources and management controls, efficiency would come at the expense of quality.
However, this does not mean the SAI should be overly conservative and set the inherent risk at 80 or 100 percent, which would require maximum audit effort and unnecessarily drain its limited resources. The same applies to the assessment of assurance derived from internal controls and internal auditing regimes.
Scenario B: The SAI Opts for a Performance Audit
Audit Type. Generally, SAIs undertake a “value for money”—or performance—audit only after performing a preliminary study to determine whether it is a better choice than a financial or compliance audit. ISSAI 3200 (guidelines for the performance auditing process) suggests that after the SAI has chosen an audit topic, the auditor should complete a “pre-study” to “establish whether the conditions for an audit exist.” The Performance Audit Manual of the Pacific Association of Supreme Audit Institutions (PASAI) states, “If the head of an SAI decides to move from a preliminary study to a full audit, an audit proposal for management consideration and endorsement is the next step.” Following these steps will help the SAI determine whether a performance audit is justified, thereby avoiding the fallacy that performance audits are always superior to other types of audits.
Audit Criteria. The selection of audit criteria is another critical decision with ramifications for the quality of the audit product. As appropriate criteria for complex, non-routine audits may not be available “off-the-shelf,” senior management at the SAI and client should discuss, and hopefully come to an agreement on, the criteria to be used. This effort will make conducting the audit easier and enhance the impact of the audit report.
Capacity and Expertise. Since the subject at hand is new and non-routine, the audit is bound to enter uncharted territory, and the SAI may understandably lack the necessary capacity and expertise to carry it out. Since building these proficiencies can take time, the SAI should be flexible in acquiring them through consultancy or outsourcing, applicable standards permitting. If, however, the SAI decides to proceed with the performance audit with inadequate human resources, then the quality of the audit product will likely suffer.
Other Key Decisions
Regardless of audit type, the SAI will confront other key, quality-related decisions, including: Who is assigned to the audit? Who are the supervisors and reviewers, and what tools will they use? Who will oversee the quality of audit working papers and the process of collecting and documenting evidence? How much time is allocated for the various phases of the audit cycle?
Unlike routine audits of public sector entities, complex and non-routine audits are usually one-off engagements that pose more significant risks, and therefore require special quality assurance and control considerations. The onus is on the SAI’s management to exercise due care and professional judgment when making key decisions that affect quality. Doing so will help the SAI protect its own reputation and that of its clients, safeguard its relationship with stakeholders, and prove itself an invaluable national institution in times of crisis.