Overview of general comments received on the exposure drafts of ISSAIs

Transcription

1 Overview of general comments received on the exposure drafts of ISSAIs

2 SAI/org Paragraph number Comment on the paragraph Decision Arguments Response to the SAI Sweeden Sweeden Why have three different documents? It becomes a lot of repetitions. Be careful how you uses and define words. sometimes it seems that you uses different definitions. For example benchmark is defined narrow in the draft ISSAI 3200 as one example on criteria "Benchmarks same entity, different years; different entities same activity" at one place. At another place in the draft ISSAI 3200 it is defined as a synonym to criteria " Alternatively, to define and obtain support for well founded and realistic criteria, it may prove helpful to discuss benchmarks with stakeholders and decision makers." In the draft ISSAI 3000 it is defined as a synonym to criteria. "Audit criteria are the benchmarks used to evaluate the subject matter." Sweeden Sometimes you uses the auditors when the decision is actually at a SAI management level, sometimes you use auditors when it concerns the individual auditor or team. For example you state "The auditor shall give the audited entity the opportunity to comment on the audit findings, conclusions and recommendations before the SAI issues its audit report" How do you define auditor here, I believe that to release the draft report with recommendations should be done on a higher level in the SAI that the auditor in a team. GAO Cover Consistency Title of ISSAI 3000 is not consistent with references in body (see para 1, 2, 7, 8). Suggest revising title to: International Standard for Performance Auditing GAO More information The introduction to ISSAI 3200 states that it is based on best practices of SAIs with long traditions of performance auditing. However, there are a number of areas that ISSAI 3200 is silent on which are well developed by such SAIs. We would suggest that the committee consider adding additional information on topics such as: (1) internal controls, (2) IT controls, (3) fraud and abuse, and (4) using the work of others. Cour des comptes 3000, 3100, 3200 and 4000 The first general observation that might be made is a common defect in international audit standards: the lack of conciseness. The texts, since they are level 4 (four digits), distinguish "requirements" and "explanations" and the lack of conciseness is in regard to the "explanations": too many terms are used but are not always properly defined or really necessary.

3 Cour des comptes 3000, 3100, 3200 and 4001 The second general observation is the lack of consistency between the 3000 series of standards and ISSAI 4000: some of the same concepts are covered by provisions worded in very similar, but not identical, terms. The order of presentation of some headings is not the same from one to another whereas the headings are. Cour des comptes 3000, 3100, 3200 and 4002 The last general observation is the difference between standard 4000, the most successful, and which is a single document, and the standards in the 3000 series. It is hard to understand why ISSAI 3000 is separate from ISSAI 3100; it would be better to merge the two documents. Vietnam Methodology for developing the ISSAI 3000 series I realised that the draft series repeated as many words as written in ISSAI 300 as well as among themselves (ISSAI 3000 with ISSAI 3100, ISSAI 3100 and ISSAI 3200). To my knowledge, those repetitions would increase volume of the series without any new information. In order to keep ISSAI 300 and the ISSAI 3000 series coherent and concise, it should be clear to indentify how the ISSAI 3000 series should be developed. The series should be read in order, i.e. ISSAI 300 prior to the ISSAI 3000 series and ISSAI 3000 prior to ISSAI 3100 and ISSAI Concepts that already displayed in ISSAI 300 should not be unnecessarily repeated in ISSAI I suggest that it should brief mention the main idea that will be clarified or explained in ISSAI Likewise, the same methodology should be applied when developing ISSAI 3100 and ISSAI 3200 with foundation of ISSAI Vietnam Consistently use common terms through the ISSAI 3000 series In 3000/113 and 3200/25, audit plan is used as the result of planning phase. However, in 3000/114 and 3200/27 28, perspective audit design and audit proposal are used with the same meaning. Differently, audit plan is used as a synonym of audit procedures in 3000/111. Other common terms should be considered such as: is the audit programme a result of the strategic planning process (ISSAI 3200/14) or a kind of document in planning a particular audit (practices in Vietnam and Canada). I suggest that some common terms should be used in such highly standardised documents like ISSAIs.

4 As the consequence of (2), a glossary of terms should be added to ISSAI 3000 to clarify and provide the consistent understanding of terms as well as avoid confusing, especially for countries not using English as the first language. For some alternative terms, they should also be included in the glossary. Vietnam A glossary of terms for performance auditing should be added Example could be seen in ISSAI 1230: it is showed in the definition of audit documentation that working papers or workpapers are sometimes used. Japan Japan 3000, 3100 and , 3100 and 3200 Spell checking and editing font style are needed. Spelling in American English or British English should be unified. Paragraph number should be assigned based on "Requirement" instead of each sentences/paragraphs. It would make definitions of "Requirement"clearer and also help readers better understand the structure (relation between "Requirement" and "Explanation"/"Good practice") of the ISSAI. This style is adopted in ISSAI 10. Japan 3100 and 3200 Based on "Requirement" of ISSAI 3000, "Good practice" of ISSAI 3100 and 3200 are organized, however, it is not clear which "Requirement(s)" of ISSAI 3000 "Good practice(s)" of ISSAI 3100 and 3200 refer to. Therefore, same "Requirement" numbers should be assigned among ISSAI 3000 series in order to make it clearer that ISSAI 3000 and 3100 & 3200 are linked. Malta 3000 A further requirement that may be considered is that the auditor is to report if a current Government activity or programme is in his opinion unsustainable economically, socially or environmentally. This requirement would be the equivalent of a going concern qualification in a financial audit. Malta Norway Norway Guidance could be included on instances when external auditors may rely on previous performance audit work carried out by other auditors including the internal audit function within an organisation. The use of the word "requirement" in this document is confusing. It should be made clear in the introduction that this document does not add any new requirements but just go through each requirement and describe good practice for that requirement. We would suggest that the structure of this document follows the structure of ISSAI 3000 and give further information on the requirements covering the audit process. We believe that through scoping, we identify the basis to perform an performance audit.

5 Brazil Swiss Consider informing the sources of information below each table and box in the text We find that the new alignment with ISSAI 300 is appropriate and we noticed that the standards for performance auditing get closer to the standards for evaluations. In this perspective, we think that the INTOSAI Working Group on Evaluation and its exposure draft of INTOSAI GOV 9400 entitled Guidelines on the evaluation of public policies should also be integrated / referenced in this process. Swiss Swiss It is in our opinion very important to establish a link between ISSAI 300/3XXX and INTOSAI GOV 9400 in order to avoid any misunderstanding for performance auditors and evaluators. Through our critical reading we got the impression that (too) many repetitions occur between the second and third levels and within the third level. It is sometimes difficult to find rapidly the respective standards or guidelines in the four documents (300, 3000, 3100, 3200). With regard to this, making references between the second and third level structures, as well as within the third level, could in our view bring added value and facilitate the navigation between them. Swiss Swiss Netherlands Netherlands Netherlands , 3100, and 3100 The mentioning of Quality Control, Independence and Ethics (ISSAI 11, 30 and 40) is not necessary because they are mandatory already at the second level. Maybe a complete example of one or more best practices would help performance auditors to work with this guideline. It would be more reader friendly to use the same numbers for the standards in 3000, 3100 en Level 4 of the ISSAIs are Auditing Guidelines according to ISSAI 3000 are no guidelines but standards. This in itself is ok. But it means that the Level 4 statement (Auditing Guidelines) should be changed in order to prevent confusion. A general flaw in 3000 (and 300) is that the only possible result of a performance audit seems to be a report. That closes the door for innovation and developments like online publishing. And it is contradictory to ISSAI We strongly advise to make room in 3100 for other means of presenting the results of audit work.

6 Thailand The Exposure drafts of ISSAI 3000 series have provided standards and guidelines for performance auditing and can be divided into three parts. The first part is ISSAI 3000 which clearly defines general requirements by providing each of its explanation and how to implement such requirements. While, ISSAI 3100 as a second part and ISSAI 3200 as the third part, present guidelines or good practices on concepts and processes of performance auditing. As a result, It helps users to get better understanding than the current version. However, we would like to recommend that standards and guidelines should provide additional information to be useful for users and also the accuracy of the cross reference between ISSAIs should be verified. The additional details are as follow: 1. The audit mandate as well as independence and ethics are the essential requirements for performance auditing. ISSAI 3000 and ISSAI 3100 should provide more explanation on how the audit mandate will affect, to the extent of, the audit to which a SAI can apply to public sector auditing, conditions of performance auditing, or the initiative of audit, that SAI can apply in order to conduct performance audit (Refer to ISSAI 3000/2.1, current version) 2. Regarding ISSAI 3100 paragraph 23 referred to the auditor s independence, it should be more explanation for auditors on how to confirm their independence, both before commencing the audit work and throughout the audit. 3. In ISSAI 3100 paragraph mentioned about the Subject matter which might not be clearly illustrated. The example should be given more in order that the user will be able to get better understanding. For example, ISSAI 300 stated that Examples of Subject matter might be service delivery by the responsible parties or the effects of government policy and regulations on administration, stakeholders, businesses, citizens and society. In addition, the content in paragraph 41 may not directly relate to good practice of Subject matter. It might be more relevant, if refer to the content in ISSAI 3200 paragraph The standard should elaborate more about audit themes and audit areas and also their relevance in relation to planning process or other sections. 5. The references within guidelines aim to be useful for the standard users but due to the errors of the cross references between the content in guidelines, the review process for the correctness of the cross references is necessary. For example, ISSAI 3100 page 3, the content from the end of paragraph 14 should be referred to paragraph 59. Moreover, the content in paragraph 126 of the ISSAI 3200 should be referred to paragraph 92.

7 Latvia In general, after evaluating the exposure drafts, it is not clear why there is a different approach to the standards, for example, why ISSAI 4000, in conjunction with explanation of requirements, does not include examples of best practices. Similarly, all three standards ISSAI 1000, ISSAI 3000 and ISSAI 4000 are very different by their size and structure. This approach can lead to confusion among users of the standards as to whether compliance and performance audits are simpler than financial audits and if they state less requirements than standards for financial audits. On ISSAI 3000, 3100 and ISSAI 3200 evaluating the standards and guidelines contained in the drafts, we conclude that in general documents are well structured, understandable and applicable to performance audits. We believe that the approach by separating the substantive provisions from the procedural provisions is user friendly, as well as the reiteration of the standard requirements in the guidelines will facilitate better understanding of the standards. However, we want to draw attention to the need to avoid certain terms of generalization / non specification, such as the use of the term "professional standards" without specifying which exact standards are meant (such as ISSAI 3000/75, 3000/82, 3100/118, 3100/126). On ISSAI 4000 evaluating the information contained in the draft, we have to conclude that in general it does not improve or complement the already existing ISSAI 400, therefore we propose to consider the possibility to structure and draft ISSAI 4000 similarly as 3000 ISSAI (ISSAI 3100 and ISSAI 3200). Additionally we would like to draw your attention to the need to avoid ambiguous interpretation of the requirements relating to the "Audit sampling", because, for example, explanation included in 4000/137 and 4000/141 suggests that the only applicable method is to use statistical sampling methods. Portugal As the title of ED ISSAI 3100 and 3200 clearly identifies its contents, it is suggested that also ED ISSAI 3000 might be better referenced and be added to the subtitle general requirements, thus: ISSAI 3000 Standard for Performance Auditing general requirements. IDI Level 4 standards are to be used by SAIs directly when they adopt the option of referring to them directly. In its current form ISSAI 3000 cannot be used directly at the audit practice level. It lacks the details necessary to guide a practice. As such the option provided by ISSAI 100 is not a real option in case of PA standards. IDI Is level 4 supposed to be a mix of standards and guidance? Is it a good idea to keep standards and guidance at the same level in the ISSAI framework?

8 IDI There is a need to be very clear on the concepts of assurance and confidence in PA. I do not see this clarity in the current draft. I am also concerned with the inclusion of limited assurance, especially in the context of the definition of assurance in PA. To me, these are key concepts that should have been included in the explanations in 3000, not in IDI IIA There is a need to distinguish between requirements that refer to an auditor and requirements that refer to a SAI. Consider elevating some best practices to requirements. The IIA believes that, collectively, ISSAIs 3000, 3100, and 3200 provide a solid foundation for Performance Auditing. ISSAI 3000 is sufficiently generic that application of the Performance Audit Standard can be tailored to meet the varying needs of SAIs. However, the generic nature of the standard can be construed to potentially set a low bar for compliance. For example, ISSAI 3100 recommends a continuous professional development program, and meaningful monitoring and reporting on the quality assurance and improvement program, as best practices. To strengthen the standard, INTOSAI should consider elevating these best practices from recommendations to requirements.

9 IIA Make a distinction between the terms independence, impartiality, and objectivity. ISSAIs 3000 and ISSAI 3100 have multiple references to the terms independence, impartiality, and objectivity. In reviewing these documents, and ISSAI 30 Code of Ethics, Chapter 3 Independence, Objectivity and Impartiality, the terms objectivity and impartiality are used interchangeably. In other contexts, we infer that independence and objectivity are required conditions for impartiality. However, the distinction between independence and objectivity/impartiality is not made clear. While related, we believe there is a fundamental difference between being independent and being objective/impartial. The IIA does not use the term impartiality, but our International Standards for the Professional Practice of Internal Auditing (Standards) distinguishes between the terms independence and objectivity. The IIA s Standards define independence as: The freedom from conditions that threaten the ability of the internal audit activity to carry out internal audit responsibilities in an unbiased manner. Therefore, the ability to be independent is generally a function of the reporting relationship(s). The IIA s Standards define objectivity as: An unbiased mental attitude that allows internal auditors to perform engagements in such a manner that they believe in their work product and that no quality compromises are made. Objectivity requires that internal auditors do not subordinate their judgment on audit matters to others. We suggest that the ability to be impartial/objective is the result of being able to take an unbiased approach to work. An internal auditor can be independent, while not being impartial/objective. Conversely, an internal auditor can be impartial/objective, while not having an independent reporting relationship. We did not address every instance where these terms are used, but Attachment A and Attachment B include recommendations for the specific areas we thought most critical. We encourage INTOSAI to review how these terms are used throughout its International Standards of Supreme Audit Institutions. IIA Further recognize the importance of internal audit. Another suggestion for strengthening ISSAIs 3000, 3100, and 3200 is to further recognize the importance of internal audit. The Memorandum of Understanding (MoU) between The Professional Standards Committee (PSC) of The International Organization of Supreme Audit Institutions (INTOSAI) and The Institute of Internal Auditors (IIA) recognizes the importance for SAIs to rely on the work of internal audit. Where feasible, we encourage SAIs to consider the work of internal audit with regard to Performance Auditing.

10 Finland The performance audit standards proposed for level 4 of the ISSAI framework are clear and well thought out. SAI of Finland (SAIF) is of the view that the ISSAI documents provide a good description of the nature of the performance audit and the professional competence required. SAIF has prepared its own performance audit manual, which is based on the Fundamental Principles of Performance Auditing (ISSAI 300). SAIF mainly assesses the exposure drafts from this perspective. When SAI s own manuals are based on ISSAI 300, one would expect that level 4 documents would sup plement the ISSAI 300 document. In fact, ISSAI 3100 and 3200 meet this expectation. At the same time, however, ISSAI 3000 is somewhat confusing in this respect as, with regard to its content, it is almost identical to ISSAI 300. Moreover, as ISSAI 300 and ISSAI 3000 present some of the matters in different order, it is difficult to point at any substantial differences between the contents of the two documents. On the other hand, those SAIs that choose to adopt ISSAI 3000 as their authoritative standard and make direct reference to it (ISSAI 3000 / 15) do not face this problem as they can adhere to level 4 stand ards. It is true that under ISSAI 3000 / 2, the ISSAI 3000 document should be read and understood in conjunction with ISSAI 100 and ISSAI 300, in which case these SAIs too may have to deal with the ques tion how ISSAI 300 and ISSAI 3000, which are at different levels, supplement each other. Such lack of clarity might perhaps have been avoided if INTOSAI had only prepared ISSAI 3100 and 3200 as level 4 documents that provide direct clarifications and explanations concerning ISSAI 300.

11 Finland Definition of Performance Auditing ISSAI 3000 / contains a concise and informative definition of performance auditing. According to ISSAI 3000 / 23, further information can be found in the ISSAI guidelines. In fact, in many respects, ISSAI 3100 / 6 19 provides a good explanation of what performance audit is actually about. However, SAIF would like to draw attention to some issues in these paragraphs. While the text describes the matters in great detail, the figure presenting the concepts does not sup port the text in an optimal manner. According to the figure, effectiveness only links outputs and out come and there is no relationship between effectiveness and the objectives of outputs and outcome. However, as ISSAI 3100 / 13 aptly states, effectiveness is concerned with the relationship between goals or objectives on the one hand, and output or outcome on the other. As shown in the figure the question of effectiveness consists of two parts: first, to what extent are the objectives. In Finland we use the concept tuloksellisuus, which is rather difficult to translate into English. The concept describes success throughout the chain, which starts from a societal need and the provision of resources for meeting the need and ends with the effects generated in the process. This is the criteri on for overall success or answer to the question Has the process generated value for money?. In our performance audits, we always have the assessment of the entire chain as the starting point. In the audit planning stage, there are many reasons why the auditors may want to focus on a specific section of the chain (and emphasise one of the three E s). However, it should be remembered that in order to ensure value for money, all three E s must be considered in the audit. The same aspect is also discussed in ISSAI 3100 / 17, which states that while a particular audit will not normally seek to reach conclusions on all three aspects it may be of limited benefit to examine aspects of economy or efficiency of activ ities in isolation, without also considering the effectiveness.. Conversely, according to paragraph 17, the same also applies to audits focusing on effectiveness, though here the requirement to also consid er economy and efficiency is mildly worded and formulated as a recommendation.

12 Finland The different audit approaches The three different approaches to audit are discussed in ISSAI 3000 / 44 48, ISSAI 3100 / and ISSAI 3200 / 49. As part of what is said above about focusing on the three E s, the principle of SAIF is to always combine the resultoriented and system oriented approach in the same audit (in problem oriented approach the situation is different). The actual focus depends on which of the two approaches is deemed to in volve greater risks (consideration of auditability may also influence the decision). Aspects of the three different approaches are discussed in ISSAI 3100 / The selection criterion for the problem oriented approach is clearly stated (= the problem is already known, which means that only the causes of the problem are of interest). At the same time, however, it is only vaguely explained which criteria should be applied when the choice is between result oriented approach and system oriented approach. Perhaps the weighing of system related risks against result related risks could be used as one selection criterion. The link between the three E s and the three different approaches should also be more clearly visible. The three approaches are also briefly discussed in ISSAI 3200 / 49. It states that there is a connection between defining the approach of the study and the question of what kind of study is needed to an swer the audit objective. As this is an essential choice in the establishment of the audit framework, the aspect should perhaps be discussed earlier, for example at the start of chapter 3200 / Kuwait Kuwait ISSAI 3200 Standard expanded in explanation, provided examples regarding the planning, and audit procedures. As for the report preparation and follow up, the explanation and examples were less than that. ISSAI 3200 Standard was not explicit in displaying the positives and negatives of choosing the audit subjects whether the proposed by the supreme management or the auditors. AFROSAI E Is conducting phase really proper English. Language is not may strong side. Trying to understand what the problem is, I have the feeling that a phase is a noun, while conducting is a verb. Combining them into a pretendto be noun just doesn t work (or does it?) I have tried not to comment on the language, but the quality of the text is problematic. I guess this somehow will be solved and hope that those solving it understand what was meant.

13 Overall, we find that the text works well to establish connection between gen eral requirements in ISSAI 3000 and the practical guidelines that follow from the requirements in ISSAis 3100 and Denmark We also find that the division between standards and guidelines is generally reasonably clear. However, ISSAI 3000 does include elements of 'advice', which would be better placed in ISSAis 3100 and 3200.