The INTOSAI Compliance Audit Guidelines

1. PSC meeting - Beijing - October 2008 1 The INTOSAI Compliance Audit Guidelines   Presentation of Exposure Drafts ISSAIs 4000, 4100 and 4200 This presentation will cover the following: Background and objective of CAS Status of the guidelines Activities since last PSC meeting in Bahrain Structure of the guidelines Process going forward Some examples of convergenceThis presentation will cover the following: Background and objective of CAS Status of the guidelines Activities since last PSC meeting in Bahrain Structure of the guidelines Process going forward Some examples of convergence

2. PSC meeting - Beijing - October 2008 2 To develop INTOSAI guidelines for compliance audit that support the audit relating to prevention and detection of fraud, corruption and misuse of public funds, and promote the development of good governance, and accountability and transparency in the public sector. The objective and members of the subcommittee are shown here. According to the Terms of Reference agreed upon at the ASC meeting in Budapest 10 October 2004, the overall objective of the CA Subcommittee was to develop INTOSAI guidelines for compliance audit that support the audit relating to prevention and detection of fraud, corruption and misuse of public funds, and promote the development of good governance, and accountability and transparency in the public sector. The objective and members of the subcommittee are shown here. According to the Terms of Reference agreed upon at the ASC meeting in Budapest 10 October 2004, the overall objective of the CA Subcommittee was to develop INTOSAI guidelines for compliance audit that support the audit relating to prevention and detection of fraud, corruption and misuse of public funds, and promote the development of good governance, and accountability and transparency in the public sector.

3. PSC meeting - Beijing - October 2008 3 The result to date is a complete set of draft INTOSAI Compliance Audit Guidelines – drawing upon internationally recognized best practice guidance - the ISAs and the IFAC assurance framework - while dealing with compliance issues in a public sector context and retaining unique INTOSAI flavor. The Compliance Audit Guidelines represent the fourth level (Auditing Guidelines) of the International Standards of Supreme Audit Institutions (ISSAI) Framework, where the Founding Principles constitute level 1, the Codes for SAIs the second level and the Fundamental Auditing Principles the third level (including the INTOSAI Auditing Standards). For compliance audits performed together with the audit of financial statements, the Compliance Audit Guidelines supplement the INTOSAI Financial Audit Guidelines (ISSAI 1000 – 2999). Depending on the structure of the public sector and the mandate of the SAI, the Compliance Audit Guidelines cover compliance audit at all levels of government: central, regional as well as local. Furthermore, the guidelines may also be applied to audits of private entities when they are involved in the management of public services, for instance through partnership arrangements or as recipients of public grants or subsidies. ISSAI 4000 provides a high level introduction to the guidelines. The Compliance Audit Guidelines themselves are written from two main perspectives: ISSAI 4100 deals with compliance audit performed separately from the audit of financial statements, for example as a separate audit task or related to performance audit ISSAI 4200 deals with compliance audit related to the audit of financial statements The result to date is a complete set of draft INTOSAI Compliance Audit Guidelines – drawing upon internationally recognized best practice guidance - the ISAs and the IFAC assurance framework - while dealing with compliance issues in a public sector context and retaining unique INTOSAI flavor. The Compliance Audit Guidelines represent the fourth level (Auditing Guidelines) of the International Standards of Supreme Audit Institutions (ISSAI) Framework, where the Founding Principles constitute level 1, the Codes for SAIs the second level and the Fundamental Auditing Principles the third level (including the INTOSAI Auditing Standards). For compliance audits performed together with the audit of financial statements, the Compliance Audit Guidelines supplement the INTOSAI Financial Audit Guidelines (ISSAI 1000 – 2999). Depending on the structure of the public sector and the mandate of the SAI, the Compliance Audit Guidelines cover compliance audit at all levels of government: central, regional as well as local. Furthermore, the guidelines may also be applied to audits of private entities when they are involved in the management of public services, for instance through partnership arrangements or as recipients of public grants or subsidies. ISSAI 4000 provides a high level introduction to the guidelines. The Compliance Audit Guidelines themselves are written from two main perspectives: ISSAI 4100 deals with compliance audit performed separately from the audit of financial statements, for example as a separate audit task or related to performance audit ISSAI 4200 deals with compliance audit related to the audit of financial statements

4. PSC meeting - Beijing - October 2008 4 Activities since last PSC meeting - 1 Presentation of draft guidelines at PSC meeting in Bahrain – April 2007 PSC decision to expose guidelines (CA as part of FA – ‘old’ ISSAI 4100 only) Develop additional introductory document (ISSAI 4000) Develop additional guidelines for CA separate from FA (ISSAI 4200) Draft guidelines (CA as part of FA – ‘old’ ISSAI 4100 only) exposed for comment in INTOSAI – Summer 2007 Translated draft guidelines available at INCOSAI 2007 – Nov 2007 Comments received from over 40 SAIs

5. PSC meeting - Beijing - October 2008 5 Comments and suggestions for improvement included ie: Distinguish more precisely between CA related to financial statements and other aspects of CA Definition of CA consisting of regularity and/or propriety, while keeping the total scope Concept of reasonable assurance important Adapt provisions on audit criteria to the divided definition, while keeping less formal criteria and emphasizing the need for suitable criteria Further elaboration on materiality in a compliance context Need for guidance on assessment of compliance deviations Further guidance on reporting considerations including guidance on long form reports Special considerations for Court of Account SAIs Need for further application material: Risk assessment considerations Audit procedures Compliance deviations Sample reports Activities since last PSC meeting - 2

6. PSC meeting - Beijing - October 2008 6 Revision of guidelines based on comments received from respondents (dialogue with certain SAIs, FAS, members of CAREG, IFAC) – Fall 2007/ Winter 2008 Presentation of revised and renumbered complete set of guidelines at CAS meeting – Tunisia - 3-4 April 2008 ISSAI 4000 – Introduction ISSAI 4100 – Compliance Audit Performed Separately from the Audit of Financial Statements ISSAI 4200 – Compliance Audit Related to the Audit of Financial Statements Presentation of guidelines at FAS meeting – 9 April 2008 Mail of 13 May 2008 to all CAS members re proposed way forward with request for comments by end of May 3 consistent and stand alone documents Complete set to be exposed/re-exposed together Complete set for approval by GB in 2009 and endorsement by INCOSAI in 2010 Consider need for ISSAI 4300 (working group – SAIs of Tunisia, Brazil and ECA) Activities since last PSC meeting - 3

7. PSC meeting - Beijing - October 2008 7 Review of comments received – May/June 2008 Bilateral contact with CAS members on issues raised in Tunisia and comments received – May/June 2008 Meeting with PSC Secretariat – acceptance for proposed way forward – 26 June 2008 Meeting of the CAS working group (SAIs of Denmark, India, Sweden and ECA) in Oslo – 27 June 2008 Updated draft documents distributed 3 July 2008 to CAS, FAS and CAREG with request for comments by 20 August 2008 Comments received from 5 SAIs and incorporated – August 2008 Revised exposure drafts of ISSAIs 4000, 4100 and 4200 approved at CAS meeting in Bratislava – September 2008 including enhanced guidance drafted by CAS Court of Account SAIs within 4100 and 4200 (Section 10) Presentation of exposure drafts to PSC – October 2008 Activities since last PSC meeting - 4

8. PSC meeting - Beijing - October 2008 8 Performing the compliance audit and gathering evidence Evaluating evidence and forming conclusions Reporting Additional guidance – Court of Accounts Appendices with examples Introduction Scope of the guidelines Objectives to be achieved Definitions Initial considerations Planning and designing the compliance audit ISSAI 4100 and 4200 are written as stand alone documents. This means that they are sufficiently complete to be read and applied on their own, without having to read ISSAI 4000 or the other CA ISSAI. At the same time, there are many areas where there is no difference in the guidance, such as most aspects of planning and performing compliance audits. Therefore it was important that the documents should be consistent. However, where there was a need to provide specific guidance in one ISSAI or the other, this guidance should naturally be included in the relevant ISSAI. Remember as well, that when compliance audit is performed as part of an audit of FS, that ISSAI 4200 supplements the INTOSAI Financial Audit Guidelines and should be read together with them. The main differences between ISSAI 4100 and 4200 are in the wording of the objectives, the scope and initial considerations dealing with the subject matter, and in the reporting section including sample reports and ISSAI 4100’s emphasis on long-form reporting. ISSAI 4100 and 4200 are written as stand alone documents. This means that they are sufficiently complete to be read and applied on their own, without having to read ISSAI 4000 or the other CA ISSAI. At the same time, there are many areas where there is no difference in the guidance, such as most aspects of planning and performing compliance audits. Therefore it was important that the documents should be consistent. However, where there was a need to provide specific guidance in one ISSAI or the other, this guidance should naturally be included in the relevant ISSAI. Remember as well, that when compliance audit is performed as part of an audit of FS, that ISSAI 4200 supplements the INTOSAI Financial Audit Guidelines and should be read together with them. The main differences between ISSAI 4100 and 4200 are in the wording of the objectives, the scope and initial considerations dealing with the subject matter, and in the reporting section including sample reports and ISSAI 4100’s emphasis on long-form reporting.

9. PSC meeting - Beijing - October 2008 9 Approval of exposure drafts by PSC (Oct 2008) Exposure drafts to GB for information* (Nov 2008) Exposure drafts to INTOSAI (Nov 2008 – Jan 2009) Incorporate comments (Feb/Mar 2009) Final approval by CAS (Mar/April 2009) Final approval of documents by PSC (June 2009) Translations (Fall 2009 / Winter 2010) Presentation at INCOSAI and endorsement (Fall 2010) Process going forward – focus on complete set of CA guidelines. Approval of draft CA guidelines at CAS September. PSC meeting 20-22 October. GB in November – thereafter exposure in INTOSAI. Approx 3 month exposure period. Then comments and analysis. Finalize guidelines fall 2009. Then translations and endorsement in 2010. Would therefore ask for your approval of exposure drafts presented.Process going forward – focus on complete set of CA guidelines. Approval of draft CA guidelines at CAS September. PSC meeting 20-22 October. GB in November – thereafter exposure in INTOSAI. Approx 3 month exposure period. Then comments and analysis. Finalize guidelines fall 2009. Then translations and endorsement in 2010. Would therefore ask for your approval of exposure drafts presented.

10. PSC meeting - Beijing - October 2008 10 For your information, here are some other significant examples of convergence in the area of compliance audit: FEE’s (Federacion des Experts Comptables Europeens) Discussion Paper – Compliance with Laws and Regulations – Audits and Assurance Engagements in the Public sector Australia’s Standards on Assurance Engagements – Compliance Engagements (based on IFAC’s ISAE 3000) was finalised in June 2008. Australia has come very far in terms of new public sector management as well as harmonization of standards. The AG himself is on the IAASB and representatives of the OAG Australia have contributed to the development of the Australian standard shown here – the standard applies to compliance audit for both the public and private sector. A similar standard is being developed in Australia for performance audit engagements (exposure draft released, standard now being finalised) For your information, here are some other significant examples of convergence in the area of compliance audit: FEE’s (Federacion des Experts Comptables Europeens) Discussion Paper – Compliance with Laws and Regulations – Audits and Assurance Engagements in the Public sector Australia’s Standards on Assurance Engagements – Compliance Engagements (based on IFAC’s ISAE 3000) was finalised in June 2008. Australia has come very far in terms of new public sector management as well as harmonization of standards. The AG himself is on the IAASB and representatives of the OAG Australia have contributed to the development of the Australian standard shown here – the standard applies to compliance audit for both the public and private sector. A similar standard is being developed in Australia for performance audit engagements (exposure draft released, standard now being finalised)