Agnes Sopel

Compliance audits principles




To define compliance auditing, we first need to consider the International Standards of Supreme Audit Institutions’ (ISSAI) definition of public-sector auditing, because the definition of compliance auditing builds on it.


Public-sector auditing can be described as a systematic process of objectively obtaining and evaluating evidence to determine whether the information or actual conditions conform to established criteria. The definition of compliance audit builds on this definition with a specific focus on assessing compliance with criteria derived from authorities.


A compliance audit is an independent assessment of whether a given subject matter is in compliance with applicable authorities identified as criteria. Auditors assess whether activities, financial transactions, and information are, in all material respects, in compliance with the authorities which govern the audited entity. Auditors in a compliance audit look for material deviations or departures from established criteria, which could be based on laws and regulations, principles of sound financial management, or propriety.



Compliance Audit in a Public Sector Context


Public sector audit is essential for public sector administration because the management of scarce public funds is placed into public sector officials’ care. The usage of these funds is regulated by principles, rules and standards, which altogether constitute the authorities. The officials are expected to act in the best interest of the public, by spending the funds for the intended purposes, and in line with the authorities. It is the responsibility of public sector bodies and their appointed officials to be transparent about their actions and accountable to citizens for the funds with which they are entrusted, and to exercise good governance over those funds.


Whether and how public sector managers fulfil their responsibilities is not a matter of absolute trust. Compliance audit plays an important role in ensuring that the principles of transparency, accountability and good governance are actually met. Compliance auditing promotes transparency by providing reliable reports as to whether public funds have been utilized in line with the applicable authorities. It promotes accountability by reporting deviations from and violations of authorities. This information makes it possible to take corrective action and to hold public officials accountable for their activities.


Compliance audit promotes good governance by identifying weaknesses and deviations from laws and regulations and also by assessing the propriety of officials. Compliance auditing may be concerned with regularity (adherence to formal criteria such as relevant laws, regulations and agreements) or with propriety (observance of the general principles governing sound financial management and the conduct of public officials). While regularity is the main focus of compliance auditing, propriety may also be pertinent given the public-sector context, in which there are certain expectations concerning financial management and the conduct of officials. Depending on the mandate of the Supreme Audit Institution (SAI) and the nature of laws and regulations in the public-sector context of the SAI, the audit scope may, therefore, include aspects of propriety.


Internal vs External Audit


Internal audits are carried out by employees of a company to gauge overall risks to compliance and security and to determine whether the company is following internal guidelines. Internal audits occur throughout the fiscal year and reports can be used by management teams to identify areas that require improvement. Internal audits measure company objectives against output and strategic risks.


External audits are formal compliance audits that are carried out by independent third parties and follow a specific format that is determined based on the compliance regulation being assessed. External audit reports measure if an organisation is complying with British, EU or corporate regulations, rules and standards.


Importance of Compliance Auditing


Compliance auditing, either internal or external, can help a company identify weaknesses in regulatory compliance processes and create paths for improvement. In some cases, guidance provided by a compliance audit can help reduce risk, while also avoiding potential legal trouble or fines for noncompliance. Much like the laws that drive them, compliance programs are in a constant state of flux as existing regulations evolve, and new ones are implemented. Compliance auditing provides an outline of internal business processes that can be changed or improved as regulations and requirements change.


What do auditors look for?


When carrying out compliance audit procedures, audit professionals specifically look for the following:

  • The organisation’s security policies.

  • The user access controls the organisation has put in place.

  • The risk management procedures that the organisation has adopted.

Elements of Compliance Audit


The elements relevant to compliance auditing, which should be identified by the auditor before commencing the audit are:

Authorities and criteria

Authorities are relevant acts or resolutions of the legislature or other statutory instruments, directions and guidance issued by the public sector bodies with powers provided for in statute, with which the audited entity is expected to comply. Authorities may include laws, policies, rules, regulations, and other instruments that people/organisations, for whom the authorities have been framed, must follow in order to be compliant. These elements are sometimes collectively referred to as legislative authorities or just authorities. This should not be confused with authorities in the sense of bodies or persons exercising power or command such as law enforcement authorities or regulatory authorities. For example, governments in many countries have laws to provide income support to individuals meeting certain eligibility requirements. These laws serve as authorities in the case of a compliance audit of Income Support Programmes. Criteria are the benchmarks used to evaluate or measure the subject matter consistently and reasonably.

Authorities are the sources of criteria. Criteria may be derived from laws, policies, rules, regulations, and other instruments and used in assessing compliance or non-compliance.


Subject matter


Subject matter refers to the information, condition or activity that is measured or evaluated against certain criteria. It can be activities, financial transactions, or information. For example, in the context of an income support programme, the subject matter could be:

  • Activity, which is the actual income support programme itself and its operations, or

  • The financial transactions of the programme, or

  • Information such as financial statements, annual reports and accounts of the income support programme that management makes available for auditors.

Three parties


Compliance auditing is based on a three-party relationship, where an auditor aims to obtain sufficient, appropriate audit evidence in order to express a conclusion designed to enhance the degree of confidence of the intended users, other than the responsible party, about the measurement or evaluation of a subject matter against criteria. In all compliance audits we have:

  • A responsible party (usually a government agency) which gets funds for specified activities.

  • The intended users (parliament) that allocate funds to government agencies and expect that the funds will be used as per relevant authorities and appropriate propriety considerations.

  • SAIs that conduct audits on behalf of the parliament and provide assurance as to whether or not the funds have been used as per the criteria.

In the case of the previous example, the Income Support Programme Agency is the responsible party, whereas the intended user is the parliament.


Assurance


An auditor performs procedures to reduce or manage the risk of providing incorrect conclusions, recognising that, owing to the inherent limitations in all audits, no audit can ever provide absolute assurance of the condition of the subject matter. This should be communicated in a transparent way. In most cases, a compliance audit will not cover all elements of the subject matter but will rely on a degree of qualitative or quantitative sampling.


Compliance auditing carried out by obtaining assurance enhances the confidence of the intended users in the information provided by the auditor or another party. In compliance auditing there are two levels of assurance:


Reasonable assurance, conveying that, in the auditor's opinion, the subject matter is or is not in compliance, in all material respects, with the stated criteria.


Limited assurance, conveying that nothing has come to the auditor’s attention to cause him/her to believe that the subject matter is not compliant with the criteria. Both reasonable and limited assurances are possible in both direct reporting and attestation engagements in compliance auditing.



Principles of Compliance Auditing


A compliance audit is a systematic process of objectively obtaining and evaluating evidence as to whether a given subject matter is in compliance with applicable authorities identified as criteria. The principles below are fundamental to the conduct of a compliance audit. As the nature of the audit is iterative and cumulative, the auditor should consider these principles prior to commencement of any audit and also at more than one point during the audit process, i.e. planning and designing, gathering and evaluating evidence and reporting.


Professional judgment and scepticism


Professional judgment is the application of relevant training, knowledge and experience, within the context provided by auditing standards, so that informed decisions can be made about the courses of action that are appropriate given the circumstances of the audit. It is how an auditor views different contexts or situations from different angles or perspectives based on professional experience and knowledge. Professional scepticism refers to maintaining a professional distance and an alert and questioning attitude in assessing the sufficiency and appropriateness of evidence obtained throughout the audit. For example, an auditor does not have to accept what is presented at face value; he/she will maintain a questioning mind until he/she has obtained some assurance that what has been stated is correct.


Quality Control


Quality control refers to processes in place whereby the overall quality of a compliance audit is reviewed to ensure that the audit was in compliance with applicable governing standards and that the audit report, conclusion or opinion issued is appropriate in the circumstances. Some SAIs already have established quality control units for this purpose. Audit reports are issued only after the SAI has done this assessment.


Audit Team Management and Skills


The audit team should collectively possess the knowledge, skills and expertise necessary to successfully complete the audit. This includes an understanding and practical experience of the type of audit being undertaken, familiarity with the applicable standards and authorities, an understanding of the audited entity’s operations and the ability and experience to exercise professional judgement. Common to all audits is the need to recruit personnel with suitable qualifications, offer staff development and training, prepare manuals and other written guidance and instructions concerning the conduct of audits, and assign sufficient audit resources. Auditors should maintain their professional competence through ongoing professional development.


Audit Risk


Audit risk is the risk that the auditor’s report, conclusion or opinion may be inappropriate. A compliance audit should be performed to reduce the audit risk to an acceptably low level in the circumstances of the audit. The different components of audit risk include inherent risk, control risk, and detection risk.


Materiality


A matter can be judged material if knowledge of it would be likely to influence the decisions of the intended users. For example, a non-compliance with the terms and conditions of a donor-funded project would be considered material if that non-compliance could lead to the donor discontinuing funding for the project or imposing more stringent controls as a precondition for continued funding. Materiality may relate to an individual item or to a group of items taken together. Materiality is often considered in terms of value, but it also has other quantitative as well as qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs.


Documentation


Documentation should be prepared at the appropriate time and should provide a clear understanding of the criteria used, the scope of the audit, the judgments made, the evidence obtained, and the conclusions reached. Documentation should be sufficiently detailed to enable an experienced auditor, with no prior knowledge of the audit, to understand the following:

  • The relationship between the subject matter, the criteria and the audit scope.

  • The risk assessment.

  • The audit strategy and audit plan.

  • The nature, timing, extent and results of the procedures performed.

  • The evidence obtained in support of the auditor’s conclusion or opinion.

  • The reasoning behind all significant matters that required the exercise of professional judgment.

  • The related conclusions.

The auditor should prepare relevant audit documentation before the audit report is issued, and the documentation should be retained for an appropriate period of time.


Communication


Communication takes place at all audit stages:

  • Before the audit starts.

  • During initial planning.

  • During the gathering and evaluation of evidence.

  • At the reporting phase.

It is essential that the audited entity, together with the SAI, is kept informed of all matters relating to the audit. This is key to developing a constructive working relationship between the auditor and the entity and also within the audit team. It helps keep all parties informed of the audit progress and assists in resolving any matters that may obstruct the audit and could cause delays to it. Communication should include obtaining information relevant to the audit and providing management and those charged with governance with timely observations and findings throughout the engagement. Any significant difficulties encountered during the audit, as well as instances of material noncompliance, should be communicated to the appropriate level of management or those charged with governance. This assists in rectifying any deviations and any other findings the auditor may come up with immediately or at an earlier stage, rather than later, when the impact of the finding could be substantially material and may be difficult to resolve. The auditor may also have a responsibility to communicate audit-related matters to other users, such as legislative and oversight bodies.


Compliance Audit Process


Initial Considerations and Planning the Audit


In the initial consideration phase, auditors determine the objective and scope, consider the principles of ethical significance, i.e. independence and objectivity of the auditor, and ensure that quality control procedures are in place. In the planning phase, auditors look into the relationship between subject matter, criteria, and scope of the compliance audit. Auditors are guided by professional judgment and the needs of the intended users while doing this exercise. Once they decide on the subject matter, criteria, and scope of a compliance audit, they work out the audit strategy and audit plan. They understand the internal control, establish materiality, assess risks of the entity and plan audit procedures as part of the designing of the compliance audit.


Performing the Audit and Gathering Evidence


In this phase, auditors primarily gather and document evidence to form a conclusion or opinion as to whether the subject matter, in all material respects, complies with established criteria. In some cases, auditors may have to change the scope of a compliance audit when they come across audit evidence suggesting the need for that change. For instance, if auditors, while gathering evidence, find something that is indicative of fraud, they may have to modify their procedures. They will need to document why they changed their audit plan.


Evaluating the Evidence and Forming Conclusions


At the end of the audit, auditors examine the evidence for sufficiency and appropriateness with a view to forming a conclusion or opinion as to whether or not the subject matter is in compliance with the established criteria. At this stage, auditors consider materiality for reporting purposes.


Reporting


The conclusion or opinion is presented in the form of a report to the intended user. Here the auditor includes the recommendations and responses from the entity. Auditors should follow up instances of non-compliance when appropriate. A follow-up process facilitates the effective implementation of corrective action and provides useful feedback to the audited entity, the users of the audit report and the auditor (for future audit planning). The need to follow up previously reported instances of non-compliance will vary with the nature of the subject matter, the non-compliance identified and the particular circumstances of the audit.


At some SAIs, including courts of accounts, the follow-up may include issuing legally binding reports or judicial decisions. In audits carried out on a regular basis the follow-up procedures may form part of the subsequent year’s risk assessment.
