IPFMAA - Workbook 1 2019 Final PDF

AUDIT AND ASSURANCE

AUDIT FRAMEWORKS

WORKBOOK 1

Updated 2018
Valid for exams from June 2019 to March 2020

Audit and assurance

First published 2016


CIPFA
77 Mansell Street
London E1 8AN
+ 44 (0)20 75435600
Email: studentsupport@cipfa.org
Website: www.cipfa.org
Copyright © 2019 Chartered Institute of Public Finance and Accountancy
All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted in any form or by any means, electronic,
mechanical, photocopying, recording or otherwise, without either the prior written
permission of the publishers or a licence permitting restricted copying in the
United Kingdom issued by the Copyright Licensing Agency Ltd, Saffron House,
6–10 Kirby Street, London EC1N 8TS.
Every possible care has been taken in the preparation of this publication but no
responsibility can be accepted for loss occasioned to any person acting or
refraining from action as a result of any material contained herein.

1: Audit frameworks

Table of contents
The syllabus
Learning outcomes and content
1 Introduction to Workbook 1
1.1 Audit Frameworks
1.2 Topic diagram
1.3 Assurance engagements
1.3.1 What is assurance?
1.3.2 What is an assurance engagement?
1.3.3 The parties involved
1.3.4 The nature of the work
1.3.5 External audit
1.3.6 Internal audit
1.4 Levels of assurance and the concept of reasonable assurance
1.4.1 Reasonable assurance
1.4.2 Limited assurance
1.5 Accountability and stewardship
1.5.1 Stewardship
1.5.2 Accountability
1.6 External audit
1.6.1 The purpose of external audit
1.6.2 True and fair - practical interpretation
1.7 Audit of financial statements – roles and responsibilities
1.7.1 Audit of financial statements – roles and responsibilities
1.7.2 The auditor’s role and responsibilities
1.7.3 Auditor independence
1.8 Audit of financial statements – the professional standards framework
1.8.1 International Standards on Auditing (ISAs)
1.8.2 International Standards of Supreme Audit Institutions (ISSAI)
1.9 Audit of financial statements – the legal framework
1.9.1 The rights of the auditor
1.9.2 Criminal and civil liabilities of auditors
1.10 Fundamental principles of public sector auditing
1.10.1 ISSAI 100
1.10.2 Public sector audit frameworks
1.10.3 Introduction to principles
1.10.4 General principles
1.10.5 Principles related to the audit process
1.11 International Standards for Supreme Audit Institutions (ISSAI) Framework – new development
1.11.1 International Organization of Supreme Audit Institutions (INTOSAI) Framework of Professional Pronouncement
1.11.2 INTOSAI – Principles
1.11.3 GUIDs
1.11.4 CMPs
1.12 Audit of financial statements – the private sector
1.12.1 Company audit requirements
1.13 Audit of financial statements – the public sector
1.13.1 Introduction
1.13.2 Comparison with company audit
1.13.3 Wider responsibilities
1.14 Agreeing the terms of an audit engagement
Summary
Quiz questions
Quiz answers


The syllabus
Syllabus aim
Identify and explain the scope, regulatory and ethical environment
within which audits are performed.
Explain the risk assessment and planning procedures required by
relevant auditing standards.

Learning outcomes and content


Explain the concepts of audit and assurance:

• Objectives of external audit and other assurance engagements
• Levels of assurance and concept of reasonable assurance
• Accountability and stewardship
• True and fair presentation
• The assurance engagement process

Explain the provisions relating to audits within current public
services and private sector legislation:

• General requirements relating to the provision of internal and
  external audit services
• Auditor’s rights and duties
• Auditor’s liability including criminal liability and liability to third
  parties
• Impact of International Standards of Supreme Audit Institutions
  Auditing (ISSAI) on external audit work
• Fundamental principles of public sector auditing
• Public sector audit frameworks
• Companies audit requirements

Explain the scope of internal and external audits:

• Basic tenets and concepts of internal and external audit work
• Power and authority available to internal and external auditors

Explain the objectives and general principles of audit planning and
risk assessment:

• Agreeing the terms of audit engagements


1 Introduction to Workbook 1
1.1 Audit Frameworks
The need for confidence underpins the process by which audit and
assurance activities have been standardised and professionalised
over time, resulting in the current legal and regulatory frameworks
that are considered in this workbook and throughout this module.

1.2 Topic diagram

[Topic diagram. Labels: Audit frameworks; Audit and assurance
engagements; Reasonable assurance; Limited assurance; ISSAIs;
Companies; Public Services]


1.3 Assurance engagements

1.3.1 What is assurance?


There are many different definitions of ‘assurance’ but they all centre
on the idea that good quality information enhances people’s
confidence in an organisation. Such assurance, or confidence, is
often very important.
For example, heightened confidence encourages people to invest,
which contributes to wider economic development. Conversely,
major assurance failures can have a negative effect on investor
confidence and, in turn, on stock markets and the wider economy. In
the public sector, assurance builds confidence in publicly funded
bodies, reinforces the idea that those receiving public money are
accountable, and ultimately assists the whole democratic process.
Exercise 1.1
Consider what factors might affect the level of assurance you could
take from an assurance statement given to you by a third party. You
need not focus on the audit context here.
For example, you might want to consider what factors you would take
into account when someone reviewed and reported to you on the
quality of work an engineer had done to your car.
What factors would you take into account when deciding whether to
trust in such a report?

As this exercise shows, not all assurance is equal – those seeking
assurance require confidence in the assurances they are being given.
This need for confidence underpins the process by which audit and
assurance activities have been standardised and professionalised
over time, resulting in the current legal and regulatory frameworks
considered throughout this module.


1.3.2 What is an assurance engagement?


An assurance engagement typically provides improved or additional
information that enhances stakeholders’ confidence in the
organisation and may also allow senior management to make better
decisions.
The term covers a wide range of activities, which may focus on both
financial and non-financial information. Examples include:
information systems evaluations, data security reviews, risk
assessments, and customer satisfaction surveys.

1.3.3 The parties involved


There are usually three discrete parties involved in an assurance
engagement:

• The responsible party – normally the owners and management
  who run the organisation and therefore produce the information
  which the piece of assurance work will assess.
• The users – normally the shareholders, or the general public in
  the case of public sector bodies, who are affected by the
  activities of the responsible party.
• The practitioner – the firm or individual who will conduct the
  assurance work.

Either the responsible party, or the users, or in some circumstances
both, may engage the practitioner to carry out the assurance
engagement.


1.3.4 The nature of the work


The practitioner is responsible for determining the nature, timing
and extent of the work to be carried out, so as to gather sufficient
and appropriate evidence. They also pursue, as far as possible, any
issue which leads them to question whether material changes should
be made by the responsible party to the information being examined
or to the assertions arising from that information, and consider
the effect on the assurance report if no changes are made.
An assurance engagement may focus on a range of aspects, such
as:

• The fairness of the way that a particular management activity or
  information stream is described.
• The design of internal processes (e.g. business activities,
  control procedures).
• The effectiveness of processes.
• Business outcomes.

or

• A comprehensive report (e.g. a report that may include
  elements of all of the above with an overall view on
  management’s performance).


1.3.5 External audit


An external audit is a form of assurance engagement.

Key definition
Audit:
Audit is the systematic process of obtaining, and then objectively
evaluating, the accounts or financial records of an organisation.
The external auditor is a professionally qualified person working
outside the organisation in question, who is commissioned to
perform an audit in accordance with the specific laws and rules that
are in force in a particular place at a particular time.
Why is audit needed?
Audit is needed because there are stakeholders who need to know
that an organisation’s accounts are accurate, but who cannot
possibly develop the insights required to provide that knowledge
themselves.
In the commercial sector, for example, shareholders want to know
that the financial statements provided to them by management are
reliable. Such knowledge is fundamental to the trust that underpins
capital markets and long-term investment.
In public sector bodies – for example, government departments and
educational establishments – slightly different considerations apply.
Funding generally comes from taxation rather than private capital,
so it is the general public rather than the shareholder that needs to
know the funding is being accounted for properly.
However, the external auditor plays a fundamentally similar role,
providing an independent professional opinion on the accuracy of the
financial statements.


1.3.6 Internal audit

Key definition
Internal audit:
Internal audit is ‘an independent, objective assurance and consulting
activity designed to add value and improve an organisation’s
operations. It helps an organisation accomplish its objectives by
bringing a systematic, disciplined approach to evaluate and improve
the effectiveness of risk management, control and governance
processes’.1
We can see from this definition that internal audit is provided as a
service to the entity itself rather than to external stakeholders. The
purpose of internal audit is to make a contribution to the improved
management of an organisation. When discussing the role of internal
audit and internal auditors, The Chartered Institute of Internal
Auditors make the following comments:
‘Performed by professionals with an in-depth understanding of the
business culture, systems, and processes, the internal audit activity
provides assurance that internal controls in place are adequate to
mitigate the risks, governance processes are effective and efficient,
and organizational goals and objectives are met.
Evaluating emerging technologies. Analysing opportunities.
Examining global issues. Assessing risks, controls, ethics, quality,
economy, and efficiency. Assuring that controls in place are
adequate to mitigate the risks. Communicating information and
opinions with clarity and accuracy. Such diversity gives internal
auditors a broad perspective on the organization. And that, in turn,
makes internal auditors a valuable resource to executive
management and boards of directors in accomplishing overall goals
and objectives, as well as in strengthening internal controls and
organizational governance’.2
Internal audit will be considered in detail in Workbook 7. For now it
is sufficient for you to be aware of what is meant by internal audit.

1 Public Sector Internal Audit Standards (2013)


1.4 Levels of assurance and the concept of reasonable assurance

1.4.1 Reasonable assurance


When conducting an audit, the auditors cannot evaluate every
relevant piece of financial information and assess every relevant
financial system. As such, they cannot be expected to provide
absolute assurance that the financial statements are accurate.
However, they are expected to act in a way that provides
‘reasonable assurance’. The concept of reasonable assurance
appears in a number of places within ISSAI 200, which sets out the
overall objectives of the independent auditor. Paragraph 38 states
that:

Key definition
Reasonable assurance:
‘Audits of financial statements conducted in accordance with the
ISSAIs are reasonable assurance engagements. Reasonable
assurance is high, but not absolute, given the inherent limitations of
an audit, the result of which is that most of the audit evidence
obtained by the auditor will be persuasive rather than conclusive.’
The key points to note here are that reasonable assurance:

• Is a high level of assurance
• Is obtained when the auditor has obtained sufficient appropriate
  audit evidence to reduce audit risk to an acceptably low level
• Is not an absolute level of assurance

Reasonable assurance enables a conclusion to be expressed
positively. A positive opinion is where the auditors state that they
have found something to be the case.
For example, the auditors might conclude that financial statements
do not contain material misstatement. This conclusion might be
worded: ‘I am of the opinion that client X’s financial statements are
free from material misstatement.’

1.4.2 Limited assurance


Key definition
Limited assurance:
Limited assurance is a lower (but still meaningful) level of assurance
that the risk of material misstatement has been reduced to an
acceptable level, enabling a conclusion to be expressed negatively.
A negative opinion is where the auditors state that they have seen
nothing to indicate that something is not the case.
For example, the auditors might conclude that they have seen
nothing to suggest that financial statements are materially
misstated. This conclusion might be worded: ‘In the course of
examining client X’s financial statements, nothing has come to my
attention indicating that they contain material misstatement.’
Auditors will be engaged in either a reasonable assurance
engagement or a limited assurance engagement. The level of
assurance required will depend on such factors as the level of
assurance sought by the users and/or responsible party (which
would depend on the nature of the aspect being audited) and any
legal requirements that might exist. The type of assurance
engagement will determine the quantity and quality of evidence
sought and the type of the audit opinion given.
Limited assurance engagements are not covered at present by the
ISSAIs on financial audit.


1.5 Accountability and stewardship

1.5.1 Stewardship
One of the key functions of an entity’s financial statements is to
provide information to users about the management’s stewardship
of that entity and its resources. This means, essentially, the way
that management has run the entity and deployed its resources in
the past (e.g. the transactions entered into, the decisions taken, and
the policies adopted), and how they are planning to do so in the
future.
Stewardship is inherently linked to agency theory: that is, the fact
that management of the entity is acting on behalf of, or as agents
for, its owners. In the case of a public service organisation the
owners are principally taxpayers, on whose behalf management runs
that organisation.
Owners need to oversee management behaviour, to ensure that:

• It is aligned to their objectives (this includes the idea of
  regularity in a public service organisation).
• Management are devising strategies aimed at making the best
  use of the organisation’s assets.

and

• No misappropriation of the organisation’s assets takes place.


The financial statements therefore provide a bridge between owners
(the intended users) and management (the responsible party),
helping the former to understand and assess the latter’s
performance, and therefore to make informed decisions about the
organisation. By issuing an independent, professional opinion about
those statements, external auditors play a crucial role in helping the
intended users understand the responsible party’s performance.

1.5.2 Accountability
Related to the idea of stewardship is the notion that management
are accountable to the owners for the performance of the entity
they control. This important term has a number of meanings. In a
literal sense, it means that management have to provide an account
of, or disclose, their activities to the owners, in the form of financial
statements. It also means that they are responsible for the entity
insofar as they manage it, and that they are held accountable for
successes and failures.

1.6 External audit

1.6.1 The purpose of external audit


External audits are those where the ‘subject matter’ consists
primarily of matters which are in the public domain or ‘externally’
reported. By far the dominant form of such audit is the audit of
financial statements though, as we shall see, there are other forms
of assurance provided by external auditors, especially in the public
services.

Key definition
Audit of financial statements:
‘The purpose of an audit of financial statements is to enhance the
degree of confidence of intended users in the financial statements.
This is achieved through the expression of an opinion by the auditor
as to whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting
framework, or – in the case of financial statements prepared in
accordance with a fair presentation financial reporting framework –
whether the financial statements are presented fairly, in all material
respects, or give a true and fair view, in accordance with that
framework. Laws or regulations binding public-sector audit
organisations may prescribe other wordings for this opinion. An audit
conducted in accordance with standards based on the INTOSAI
Fundamental Principles of Financial Auditing and relevant ethical
requirements will enable the auditor to express such an opinion’.2
External auditors are normally either:

• Private, profit-making enterprises.

or

• State auditors who focus on the audit of public bodies.

2 ISSAI 200.16


1.6.2 True and fair - practical interpretation


You will see from the purpose of external audit above that auditors
often give an opinion on whether or not financial statements give a
true and fair view.
The expression ‘true and fair’ is not strictly defined in the accounting
literature. However, it simply means that the financial statements
are free from material misstatement and faithfully represent the
financial performance and position of the entity. It might be further
defined as follows:

• ‘True’ suggests that the financial statements are factually
  correct and have been prepared according to the applicable
  reporting framework, such as the International Financial
  Reporting Standards (IFRS), and they do not contain any
  material misstatements that may mislead the users.
  Misstatements may result from material errors or omissions of
  transactions and balances in the financial statements.
• ‘Fair’ implies that the financial statements present the
  information faithfully without any element of bias, and that they
  reflect the economic substance of transactions rather than just
  their legal form.


1.7 Audit of financial statements – roles and responsibilities

1.7.1 Audit of financial statements – roles and responsibilities
Before considering the detailed framework for the audit of financial
statements, the following exercise will allow you to consolidate your
understanding of the roles of the various parties involved in the
preparation, audit and use of financial statements.
Exercise 1.2
On the following pages is an exercise which will allow you to assess
your own understanding of who is responsible for what, with regard
to a large company. Considering these perspectives will help us to
understand the need for audit.
You can look at things from the perspective of:

• Company management
• The external auditor
• The company shareholders

Requirement
If you are working on your own, pick one or more of the above and
complete the fields on the following pages. If you are working in a
group, work on one and compare your answers. Don’t worry if you
find this difficult – you can return again to this exercise after you
have studied the rest of this workbook and Workbook 2.


You are the company management


Role
What is your role? What are your objectives?

Relationships
Who do you answer to? Who is relying on you? Who do you rely on?
Are there any conflicts in these relationships?

Risks
What can go wrong? What are the safeguards in place to protect
against these?


You are the external auditor


Role
What is your role? What are your objectives?

Relationships
Who do you answer to? Who is relying on you? Who do you rely on?
Are there any conflicts in these relationships?

Risks
What can go wrong? What are the safeguards in place to protect
against these?


You are a shareholder


Role
What is your role? What are your objectives?

Relationships
Who do you answer to? Who is relying on you? Who do you rely on?
Are there any conflicts in these relationships?

Risks
What can go wrong? What are the safeguards in place to protect
against these?


1.7.2 The auditor’s role and responsibilities


In considering the overall nature of the audit of financial statements
we should return to the definition given earlier:

Key definition
Audit of financial statements:
‘The purpose of an audit [of financial statements] is to enhance the
degree of confidence of intended users in the financial statements.
This is achieved by the expression of an opinion by the auditor on
whether the financial statements are prepared, in all material
respects, in accordance with an applicable financial reporting
framework. In the case of most general purpose frameworks, that
opinion is on whether the financial statements are presented fairly,
in all material respects, or give a true and fair view in accordance
with the framework’.3
ISSAIs are auditing standards issued by the International
Organization of Supreme Audit Institutions (INTOSAI). We shall
return to consider both in detail later in this workbook.
Key to this definition is that the core function of the auditor is to give
an opinion on the financial statements, based on an examination of
those statements and the evidence available to support them. This is
quite a narrow and precise remit and this can lead to what is often
referred to as an ‘expectation gap’ between public expectations of
auditors and their actual roles and responsibilities. For example, for
reasons we will explore later, auditors are not expected to:

• Correct financial statements that they consider to be misstated
• Prevent fraud or error
• Detect all cases of fraud or error

The ISSAI goes on to say that ‘The financial statements subject to
audit are those of the entity, prepared by management of the entity
with oversight from those charged with governance’4 and, crucially,
‘the audit of the financial statements does not relieve management
or those charged with governance of their responsibilities’.5

3 ISSAI 1200.3
4 ISSAI 1200.4
5 Ibid.


The distinction between ‘those charged with governance’ and
‘management’ is an important one.

Key definition
Governance:
Those charged with governance are ‘the person(s) or organization(s)
(for example, a corporate trustee) with responsibility for overseeing
the strategic direction of the entity and obligations related to the
accountability of the entity’.6
Management:
Management are ‘the person(s) with executive responsibility for the
conduct of the entity’s operations’.7
Governance is thus concerned with oversight, whereas management
is concerned with ‘day-to-day’ executive responsibilities, including
the preparation of financial statements. Both have a role to play in
preparing the accounts but the key point here is that it is the
responsibility of the audited organisation itself to prepare accurate
financial statements and not the auditor.

1.7.3 Auditor independence


ISSAI 1200 states that ‘The auditor shall comply with relevant
ethical requirements, including those pertaining to independence,
relating to financial statement audit engagements’.8
The importance of auditor independence cannot be overstated. When
an auditor gives an opinion on a separate entity, it is vital that the
auditor is indeed wholly independent and free from undue influence,
allowing them to take an objective stance and to form their
conclusions, and report these, without fear or favour. If the users of
the auditor’s report do not have full confidence in the objectivity and
independence of the auditor, this necessarily limits the confidence,
or assurance, that the users can draw from that report.

6 ISSAI 1003
7 Ibid.
8 ISSAI 1200.14

1.8 Audit of financial statements – the professional standards framework

1.8.1 International Standards on Auditing (ISAs)


The principal international auditing standards are known as
International Standards on Auditing (ISA). These are external audit
standards and are intended to be mandatory for all auditors of
company accounts, so that an audit opinion in one country can be
seen by investors as having been arrived at in the same way as in
another country.
ISAs are issued by the International Auditing and Assurance
Standards Board (IAASB).
The IAASB operates within the International Federation of
Accountants (IFAC). Auditors from IFAC member bodies (including
CIPFA) are expected to apply the ISAs unless national laws or
regulations override these requirements.


1.8.2 International Standards of Supreme Audit Institutions (ISSAI)
International Standards of Supreme Audit Institutions (ISSAI) are
auditing standards issued by the International Organization of
Supreme Audit Institutions (INTOSAI).
The main purpose of auditing guidelines is ‘to provide INTOSAI
members with a comprehensive set of guidelines for the audit of
financial statements of public sector entities’.9
Each of these auditing guidelines contains:

• The full verbatim text of the related ISA, issued by the IAASB;
• A supporting Practice Note (PN) which deals with specific
  considerations relating to the audit of public sector entities.

Each ISSAI can thus be seen as providing public sector guidance
which ‘wraps around’ an existing ISA.
ISSAIs are the primary standards referred to throughout the
Audit and Assurance workbooks. They can be found at:
http://www.intosai.org/issai-executive-summaries/4-auditing-guidelines/general-auditing-guidelines.html

9 ISSAI 1000.14

1.9 Audit of financial statements – the legal framework

1.9.1 The rights of the auditor


These will be determined in law but common rights of a public
auditor typically include:

• The right of access to all books and records of the audited
  organisation
• The right to obtain information and explanations from all
  officers of the audited organisation
• The right to report on any matter relating to the audited
  organisation, without its consent

There may also be an entitlement to be notified, to attend and to
address any public meeting of the audited organisation, but this may
be dependent on the nature of the audited organisation and its
arrangements for public accountability.


1.9.2 Criminal and civil liabilities of auditors


The audit of financial statements is normally governed by national
legislation and there are often further legal considerations for
auditors:

• In some jurisdictions there may be criminal sanctions that apply
  to auditors who, for example, knowingly neglect their duties or
  who knowingly take on audit work where a serious conflict of
  interest exists.
• In some jurisdictions, auditors may be subject to laws to
  counter money-laundering, fraud or other forms of financial
  malpractice. Such law may create a legal duty to report
  suspected malpractice by audit clients to an appropriate
  authority.
• In some jurisdictions, auditors may be open to a civil liability
  either through contract law or negligence.
  - Auditors may be sued by the organisation they are auditing
    under the law of contract, because of the letter of
    engagement they sign. This is the contract between the
    external auditor and the client, that is, the audited
    company.
  - Auditors may also be sued, if they fail to exercise their duty
    with reasonable care and skill, for negligence under the law
    of tort. They can be sued by anyone to whom they owe a
    duty of care.

You should familiarise yourself with any legislation or case law which
applies to auditors within your own jurisdiction.


1.10 Fundamental principles of public sector auditing

1.10.1 ISSAI 100


ISSAI 100 Fundamental principles of public sector auditing relates
directly to public sector audit. The standard aims to provide a
conceptual base for public sector auditing and ensure consistency in
the INTOSAI framework.
The principles apply to all public sector audits regardless of their
form or context.

1.10.2 Public sector audit frameworks


ISSAI 100 addresses the mandate for public sector audit. This will
differ from country to country as the role of the audit organisations
will be determined in the constitution with the mandate further
detailed in legislation. The constitutional and legal arrangements will
determine the duties of the audit institution and ensure its power
and independence.
Public sector audit institutions may perform many types of
engagement on any subject relevant to their constitutional
responsibility. These will vary according to national legislation. Audit
institutions will need to develop plans and processes that respond to
their legislative position.
In some countries a court of auditors exists with authority over state
accountants and other public officials. This requires that whoever is
charged with public funds is held accountable.
An example of this is the Bundesrechnungshof (German federal court
of auditors) that examines the financial management of the federal
government. The constitution ensures its independence by not
making it subordinate to federal government. The Court chooses its
own areas for investigation and makes recommendations on these.
The state audit institution may carry out audits itself or supervise
the work of private audit firms.
The objectives of a public sector audit will vary according to the type
and nature of the audit; however, according to ISSAI 100, all public
sector audits will contribute to good governance by:


• ‘providing the intended users with independent, objective and reliable information, conclusions or opinions based on sufficient and appropriate evidence relating to public entities;
• enhancing accountability and transparency, encouraging continuous improvement and sustained confidence in the appropriate use of public funds and assets and the performance of public administration;
• reinforcing the effectiveness of those bodies within the constitutional arrangement that exercise general monitoring and corrective functions over government, and those responsible for the management of publicly-funded activities;
• creating incentives for change by providing knowledge, comprehensive analysis and well-founded recommendations for improvement’.10

10 ISSAI 100.20

1.10.3 Introduction to principles


ISSAI 100 contains a number of fundamental principles. These are
grouped as general principles and principles that relate to various
stages of the audit. The principles that relate to the conduct of an
audit will be covered later in these materials and you will find that
the general principles are expanded on throughout the materials.
You should return to this diagram at the end of the course and
ensure that you can understand all of the principles.

[Diagram: Areas covered by the principles for public-sector auditing]


1.10.4 General principles


Ethics and independence
Auditors should comply with the relevant ethical requirements and
be independent.
Ethical principles should be embedded in an auditor’s professional
behaviour.11

Professional judgment, due care and scepticism
Auditors should maintain appropriate professional behaviour by
applying professional scepticism, professional judgment and due
care throughout the audit.
The auditor’s attitude should be characterised by professional
scepticism and professional judgement.12

Quality control
Auditors should perform the audit in accordance with professional
standards on quality control.13

Audit team management and skills
Auditors should possess or have access to the necessary skills.
The individuals in the audit team should collectively possess the
knowledge, skills and expertise necessary to successfully complete
the audit.14

Audit risk
Auditors should manage the risks of providing a report that is
inappropriate in the circumstances of the audit.15

Materiality
Auditors should consider materiality throughout the audit process.
A matter can be judged as material if knowledge of it would be likely
to influence the judgements of the user.16

11 ISSAI 100.36
12 ISSAI 100.37
13 ISSAI 100.38
14 ISSAI 100.39
15 ISSAI 100.40
16 ISSAI 100.41

Documentation
Auditors should prepare audit documentation that is sufficiently
detailed to provide a clear understanding of the work performed,
evidence obtained and conclusions reached.17

Communication
Auditors should establish effective communication throughout the
audit process.18

1.10.5 Principles related to the audit process


Planning an audit19

• Auditors should ensure that the terms of the audit have been clearly established.
• Auditors should obtain an understanding of the nature of the entity/programme to be audited.
• Auditors should conduct a risk assessment or problem analysis and revise this as necessary in response to the audit findings.
• Auditors should identify and assess the risks of fraud relevant to the audit objectives.
• Auditors should plan their work to ensure that the audit is conducted in an effective and efficient manner.

Conducting an audit20

• Auditors should perform audit procedures that provide sufficient appropriate audit evidence to support the audit report.
• Auditors should evaluate the audit evidence and draw conclusions.

Reporting and follow up21

• Auditors should prepare a report based on the conclusions reached.

17 ISSAI 100.42
18 ISSAI 100.43
19 ISSAI 100.44-48
20 ISSAI 100.49 & 50
21 ISSAI 100.51


1.11 International Standards for Supreme Audit Institutions (ISSAI) Framework – new development

1.11.1 International Organization of Supreme Audit Institutions (INTOSAI) Framework of Professional Pronouncement
• The INTOSAI Framework of Professional Pronouncement (IFPP) will be implemented in 2019. At the time of writing the final framework is not yet available.
• IFPP is the INTOSAI Framework of Professional Pronouncement. INTOSAI Professional Pronouncements are the formal and authoritative announcements or declarations of the INTOSAI Community. They rest upon the common professional expertise of INTOSAI’s members and provide INTOSAI’s official statements on audit-related matters. All professional pronouncements are developed and approved through a due process before they are presented to INCOSAI for endorsement.
• The purpose of IFPP is to improve the credibility of INTOSAI’s professional pronouncements, assist in making them an authoritative framework for public sector auditing and enhance their technical quality.
• The INTOSAI Professional Pronouncements consist of INTOSAI Principles (INTOSAI-P), International Standards of Supreme Audit Institutions (ISSAI), Competency Pronouncements (COMP), and INTOSAI Guidance (GUID).
• The IFPP will replace the existing ISSAI framework by 2019, once the work of updating and migrating the current pronouncements is completed.


1.11.2 INTOSAI – Principles


• The INTOSAI Principles consist of founding Principles and core Principles that have an overarching significance for the IFPP and are therefore placed at the top of the IFPP framework.
• The founding principles have historical significance and specify the role and functions which Supreme Audit Institutions (SAIs) should aspire to, which can be used as reference to establish SAIs’ mandates. These principles may be informative to governments and parliaments, as well as SAIs and the wider public and may be used as reference in establishing national mandates for SAIs. The core principles support the founding principles for an SAI, clarifying the SAI’s role in society as well as high level prerequisites for professional functioning of SAIs.

1.11.3 GUIDs
• Documents which are categorised as GUIDs represent INTOSAI guidance that supports the standards (ISSAIs) by translating them into more specific, detailed and operational guidelines. GUIDs are in the nature of non-mandatory guidance for an SAI that help the auditor gain a better understanding of how to apply the elements and principles of the standards (ISSAIs) during an audit.
• Within the IFPP, the GUIDs are divided into various categories: SAI organisational guidance, supplementary financial audit guidance, supplementary performance audit guidance, supplementary compliance audit guidance, subject matter specific guidance, and other guidance.

1.11.4 COMPs
• Competency Pronouncements (COMPs) set out the competencies and professional skills, knowledge, ethics, values and attitudes required by the public sector auditor to undertake audits in line with the ISSAIs. COMPs are further distinguished between COMP standards and principles, and GUIDs.
You can follow the development of the IFPP at
http://www.issai.org/en_us/site-issai/issai_ifpp/


1.12 Audit of financial statements – the private sector

1.12.1 Company audit requirements


As with public sector audits, company requirements vary from
country to country. In the majority of jurisdictions, companies above
a certain size are required to have an annual audit of the financial
statements. In addition to legislative requirements, Stock Exchange
listing will often require an annual financial audit.
Companies that are traded internationally may require an annual
audit; for example, in the USA federal security laws require that
businesses whose ownership and debt securities are traded in the
public markets have annual audits.
ISSAI 1200 sets out the objectives of financial audit as being:
‘In conducting an audit of financial statements, the overall objectives
of the auditor are:
1 To obtain reasonable assurance about whether the financial
statements as a whole are free from material misstatement,
whether due to fraud or error, thereby enabling the auditor to
express an opinion on whether the financial statements are
prepared, in all material respects, in accordance with an
applicable financial reporting framework; and
2 To report on the financial statements, and communicate the
result of the audit, in accordance with the auditor’s findings’.22
The country of operation will determine the applicable financial
reporting framework.

22 ISSAI 1200.17

1.13 Audit of financial statements – the public sector

1.13.1 Introduction
The arrangements for audit in the public sector are often more
complex than those for the private sector.
This section will briefly compare company and public audit models
and consider some of the wider roles that auditors play in the
public services.

1.13.2 Comparison with company audit


There are many features in common between company and public
audit. The audit of financial statements is the key similarity. Auditors
will normally have similar powers of access to information and
explanations required, though the specific sources of such authority
will differ.
The appointment of company auditors is normally autonomous and
is controlled by the members of the company. In some instances,
the audit of larger public bodies in particular is governed by
statutory authority, giving the body no power to appoint its own
auditor. Audits are typically carried out by a public official (an
Auditor General or equivalent) who will typically control a public
body, staffed with audit professionals who allow him or her to fulfil
their responsibilities as a state auditor.
As there are no shareholders, the addressees of the auditor’s report
may vary. For example, the audit report of a government ministry
may be addressed to the members of the parliamentary authority
which granted the ministry the authority to spend public funds.


1.13.3 Wider responsibilities


Auditors in the public sector often have wider responsibilities and
powers than the auditors of companies. This is a complex area, due
to the variety of arrangements in different countries and sectors, but
INTOSAI standards recognise that a ‘financial audit’ in the public
sector is normally somewhat broader than just the audit of financial
statements.
These wider roles can include examining and reporting on:
• The regularity of expenditure. This means that expenditure was incurred in accordance with the legislation authorising it.
• Probity and general arrangements for sound financial management. This is part of a wider public-interest duty to report on whether public money is subject to proper stewardship.
• Investigations of and reporting on mismanagement of public funds.
• Audit of reported performance information.
• Performance audit.
• Certification of grant claims made by public bodies.


1.14 Agreeing the terms of an audit engagement

ISSAI 1210 (Agreeing the terms of an audit engagement) is the
relevant standard here and it recognises that the terms of an audit
engagement in the public sector are normally mandated and
therefore not subject to requests from, and agreement with,
management. Therefore the requirements of the standard are useful
in establishing a common, formal understanding of the respective
roles and responsibilities of management and the auditor.
Management must accept their responsibility for preparing the
financial statements, for a system of internal control that enables
the preparation of financial statements that show a true and fair
view and for providing the auditor with appropriate supporting
information.
This should be documented and this document is commonly known
as an engagement letter. ISSAI 1210 requires that it contain:
• The objective and scope of the audit to be conducted;
• The responsibilities of the auditor;
• The responsibilities of management;
• The applicable financial reporting framework for the preparation of the financial statements; and
• The expected form and content of any reports to be issued by the auditor.


Summary

• An assurance engagement typically provides improved or additional information that enhances stakeholders’ confidence in the organisation and may also allow senior management to make better decisions.
• There are usually three discrete parties involved in an assurance engagement: the responsible party, the users and the practitioner.
• An external audit is a form of assurance engagement.
• The external auditor is a professionally qualified person working outside the organisation in question, who is commissioned to perform an audit in accordance with the specific laws and rules that are in force in a particular place at a particular time.
• Audit is needed because there are stakeholders who need to know that an organisation’s accounts are accurate, but who cannot possibly develop the insights required to provide that knowledge themselves.
• When conducting an audit, the auditors cannot evaluate every relevant piece of financial information and assess every relevant financial system. As such, they cannot be expected to provide absolute assurance that the financial statements are accurate.
• Auditors are expected to act in a way that provides reasonable assurance.
• Reasonable assurance is a high level of assurance. It is obtained when the auditor has obtained sufficient appropriate audit evidence to reduce audit risk (that is, the risk that the auditor expresses an inappropriate opinion when the financial statements are materially misstated) to an acceptably low level.
• Reasonable assurance enables a conclusion to be expressed positively.
• Some assurance engagements only require limited assurance to be given.


• Limited assurance is a lower (but still meaningful) level of assurance enabling a conclusion to be expressed negatively.
• External auditors are those where the ‘subject matter’ consists primarily of matters which are in the public domain or ‘externally’ reported.
• ‘The purpose of an audit [of financial statements] is to enhance the degree of confidence of intended users in the financial statements. This is achieved by the expression of an opinion by the auditor on whether the financial statements are prepared, in all material respects, in accordance with an applicable financial reporting framework. In the case of most general purpose frameworks, that opinion is on whether the financial statements are presented fairly, in all material respects, or give a true and fair view in accordance with the framework’.23
• ‘True’ suggests that the financial statements are factually correct and have been prepared according to the applicable reporting framework and they do not contain any material misstatements that may mislead the users.
• ‘Fair’ implies that the financial statements present the information faithfully without any element of bias, and that they reflect the economic substance of transactions rather than just their legal form.
• The importance of auditor independence cannot be overstated. If the users of the auditor’s report do not have full confidence in the objectivity and independence of the auditor, this necessarily limits the confidence, or assurance, that the users can draw from that report.
• Common rights of a public auditor typically include:
  - The right of access to all books and records of the audited organisation
  - The right to obtain information and explanations from all officers of the audited organisation
  - The right to report on any matter relating to the audited organisation, without its consent

23 ISSAI 200.16


• Auditors who fail to carry out their duties properly may be held liable in one of two ways: contract law or negligence (law of tort).
• Auditors in the public sector often have wider responsibilities and powers than the auditors of companies.
• The INTOSAI Framework of Professional Pronouncement (IFPP) will be implemented in 2019.
• The IFPP will replace the existing ISSAI framework by 2019, once the work of updating and migrating the current pronouncements is completed.


Quiz questions

1. Which of the following would not normally be part of an assurance engagement?
A. The responsible party, for example, the management of the organisation
B. The users, for example, the shareholders
C. The practitioner, for example, the auditor
D. The standards board, for example, INTOSAI

2. Which of the following is an example of negative assurance?
A. The auditor states that the financial statements are materially misstated
B. The auditor states that they are unable to obtain sufficient appropriate audit evidence
C. The auditor states that audit procedures are not necessary in a particular area
D. The auditor states that nothing has come to their attention to indicate that the disclosures are inaccurate

3. Which of the following IS a common responsibility of the external auditor?
A. To correct financial statements that they consider to be misstated
B. To detect all misstatements whether due to fraud or error
C. To obtain sufficient appropriate audit evidence to base an opinion on
D. To prepare financial statements that give a true and fair view of the performance of the organisation

4. Which of the following could sue an external auditor under the law of tort?
A. The management of the client organisation
B. Someone to whom they owe a duty of care
C. The internal auditors of the client organisation
D. Any stakeholder


5. Which of the following are all defined as general principles under ISSAI 100:
A. Ethics and independence, documentation, communication and materiality
B. Planning the audit, conducting the audit and reporting and follow up
C. Confidentiality, professional competence and due care, integrity and honesty
D. Ethics and independence, integrity, documentation and materiality


Quiz answers

1. D
2. D
3. C
4. B
5. A
