CAG’s Auditing Standards

Introduction to CAG’s Auditing Standards

The Comptroller and Auditor General of India (CAG) serves as the head of the Supreme Audit Institution of India (SAI India). The Indian Audit and Accounts Department, led by the CAG, continuously works to improve and update its auditing practices to achieve professional excellence. The Auditing Standards were first introduced in 1994 and revised in 2002. The third edition, released in March 2017, incorporates the prerequisites for the functioning of a Supreme Audit Institution and aligns with the fundamental auditing principles of the International Standards of Supreme Audit Institutions (ISSAIs), adapted to SAI India’s mandate and rules. These standards establish the norms applicable to all public sector audit engagements. They determine the audit procedures to be applied and serve as the benchmark for evaluating audit quality. These standards are effective from April 1, 2017, and all audit engagements by SAI India from this date onward must be conducted according to them. The overarching governance framework for both accounting and auditing functions is provided by the Regulations on Audit and Accounts, 2007, framed by the CAG. The Auditing Standards form the next layer of this framework, setting professional standards for the organization and its personnel. They are periodically reviewed and updated for continuous improvement. Adherence to these standards is expected from all officers and staff to achieve the mission of promoting accountability, transparency, and good governance.

Basic Postulates and Audit Mandate

The Constitution of India provides for the Comptroller and Auditor General, appointed by the President. Parliament determines the CAG’s salary, conditions of service, duties, and powers through law, specifically the CAG’s (Duties, Powers and Conditions of Service) Act, 1971 (DPC Act). The audit mandate of the CAG is derived from the Constitution, the DPC Act, and specific legislations enacted by Parliament and State Legislatures.

Key Constitutional Provisions:

  • Article 149: Envisages the CAG performing duties and exercising powers related to the accounts of the Union, States, and other specified bodies as prescribed by law made by Parliament.
  • Article 151: Requires CAG reports on Union accounts to be submitted to the President for tabling before Parliament, and reports on State accounts to the Governor for tabling before the State Legislature.
  • Article 279: Stipulates that ‘net proceeds’ of any tax or duty are ascertained and certified by the CAG, and this certificate is final.
  • Sixth Schedule: Envisages audit of accounts of District and Regional Councils of autonomous regions.

The DPC Act elaborates on general audit provisions (Sections 13 to 21 and 24). The CAG’s audit mandate extends to various entities including statutory corporations, government companies, autonomous bodies (societies, trusts, not-for-profit companies), urban and rural local bodies, and any other entity whose audit is entrusted to the CAG by law. To fulfill this broad mandate, SAI India conducts financial audit, compliance audit, performance audit, and combinations thereof.

Prerequisites for Functioning of SAI India

Certain principles are considered essential for the proper functioning of SAI India and public sector auditing within it. These prerequisites include:

  • Independence
  • Accountability and Transparency
  • Ethics
  • Quality assurance

1. Independence: An adequate degree of independence from both the legislative and executive branches is crucial for conducting audits and ensuring the credibility of results. This independence is secured through institutionalized principles and conditions within an appropriate legal framework.

  • Constitutional/Legal Framework: The framework must secure the functional independence of the SAI Head, including security of tenure. The Constitution states the CAG can only be removed in the same manner and grounds as a Supreme Court Judge. The DPC Act further ensures autonomy and security of tenure.
  • Broad Mandate and Full Discretion: SAI India has functional and organizational autonomy to carry out its mandate free from legislative or executive direction or interference. This includes discretion in selecting audit issues, planning, conducting, reporting, and following up audits, and managing its office. SAI India can accept specific audit requests from the Legislature or Government but retains the right to decline. While SAI India may consult with the Executive on matters like financial legislation or accounting standards, such advice must not impair its independent audit exercise.
  • Unrestricted Access to Information: The DPC Act empowers SAI India to inspect offices of accounts, require production of necessary documents, and access premises, operations, systems (including IT), and records of auditable entities. An ‘auditable entity’ is defined as any office, authority, body, company, corporation, or other entity subject to CAG audit.
  • Freedom in Reporting: SAI India is free to decide the form, content, and timing of audit reports, including making observations and recommendations, while considering the audited entity’s views. Reporting timing is free unless prescribed by law. Reports can be disseminated once formally tabled in the appropriate legislature.
  • Effective Follow-up Mechanisms: SAI India may submit reports to the Legislature or governing body for follow-up. It also has its own follow-up procedures to monitor action taken by the Executive on its observations and recommendations, as well as those from the Legislature or governing board.
  • Financial and Managerial Autonomy: The Constitution allows the President to prescribe conditions of service for Indian Audit and Accounts Department staff and the CAG’s administrative powers after consultation with the CAG. This empowers SAI India to manage human and budgetary resources. The Legislature is responsible for ensuring SAI India has the necessary resources to fulfill its mandate. Functional autonomy does not prevent arrangements with auditable entities for personnel, property, or purchasing management.

2. Accountability and Transparency: These are key elements of good governance.

  • Accountability: Refers to the legal and reporting framework, structure, strategy, procedures, and actions ensuring the SAI meets its legal obligations regarding its mandate and reporting, and that the SAI and personnel are responsible for their actions. SAI India operates under a constitutional and statutory framework covering its authority, jurisdiction, responsibilities, CAG appointment/removal, report publishing, oversight, and public access to information versus confidentiality.
  • Transparency: Refers to SAI’s timely, reliable, clear, and relevant public reporting on its status, mandate, strategy, activities, performance, and audit findings. It also includes public access to information about the SAI.
    • Public Mandate: SAI India’s mandate, mission, and responsibilities must be publicly available.
    • Objective and Transparent Standards: SAI India adopts standards, processes, and methods consistent with ISSAI fundamental auditing principles. During audits, SAI India communicates criteria, objectives, methodology, and findings to auditable entities. Scope of audits is communicated in reports. Findings and recommendations are subject to comment, discussion, and responses from the audited entity.
    • Reporting on Operations: SAI India manages its operations economically, efficiently, effectively, and in accordance with laws/regulations, reporting publicly on these matters. It employs sound management practices, including internal controls. Its financial statements are subject to Parliamentary review, and its budget and resource use are public.
    • Public Reporting on Audit Results: Audit reports, including conclusions and recommendations, are tabled in the concerned Legislature or presented to the audited entity’s governing body and subsequently become public domain.
    • Communication: Once tabled, SAI India communicates audit results via its website and other means. It may communicate with media and stakeholders on report matters. Public and academic interest in important conclusions is encouraged. Reports are made understandable to the public through various means like summaries, graphics, videos, and press releases.

3. Ethics: SAI India applies high standards of integrity and ethics for staff at all levels. It has a Code of Ethics aligned with ISSAI 30. Fundamental ethical principles include integrity, independence, objectivity and impartiality, confidentiality, and competence. SAI India ensures transparency and legality and promotes ethical behaviour. Policies and procedures reinforce these principles, including rotation of key audit personnel to reduce familiarity risk and ensure objectivity. All personnel and contractors must demonstrate appropriate ethical behaviour.

4. Quality Assurance and Quality Control: SAI India’s overriding objective is to consider risks to the quality of its work and establish a quality control system to mitigate these risks. Risk considerations depend on the mandate, functions, conditions, and environment.

  • Internal Culture: SAI India establishes policies and procedures promoting an internal culture where quality is essential. The Head of SAI retains overall responsibility for the system. Sufficient resources must be available to maintain the system.
  • Ethical Compliance: Policies and procedures provide reasonable assurance that SAI, its personnel, and contractors comply with ethical requirements. Rotation of key audit personnel is a measure to ensure independence and objectivity.
  • Adherence to Standards and Laws: Policies and procedures provide reasonable assurance that audits are conducted according to relevant standards and legal/regulatory requirements, reports are appropriate, and resources are competent, capable, and ethical. SAI India has an Audit Quality Management Framework with appropriate control policies, procedures (like supervision and review), and tools (like audit methodologies). Applicable standards must be followed, and reasons for any departure must be documented and approved. SAI India may draw on various sources for skills, including collaboration with academic/research institutions or professional bodies, provided independence is not inhibited. Work may be prioritised to maintain quality.
  • Monitoring: A monitoring process provides reasonable assurance that quality control policies/procedures are relevant, adequate, and operating effectively. This includes independent monitoring of controls. External independent assessment (peer review), academic review, stakeholder surveys, follow-up reviews, and feedback from audited entities may be used for monitoring quality. Procedures exist for dealing with complaints about work quality.

Public Sector Auditing and its Objectives

The public sector environment involves entities exercising responsibility for national wealth, natural resources, and resources from taxation to deliver services. These entities are accountable to resource providers and service recipients (including citizens). Public sector auditing helps create conditions and reinforce expectations that public sector entities and servants will perform effectively, efficiently, ethically, and lawfully.

Public sector auditing is a systematic process of objectively obtaining and evaluating evidence to determine if information or conditions conform to established criteria. It is essential because it provides legislatures, oversight bodies, those charged with governance, and the public with independent, objective assessments of the stewardship and performance of public sector policies, programmes, or operations.

Public sector auditing contributes to good governance by:

  • Providing independent, objective, and reliable information, conclusions, or opinions based on sufficient and appropriate evidence about public sector entities.
  • Enhancing accountability and transparency, encouraging continuous improvement, and building confidence in the use of public funds/assets and performance of public administration.
  • Reinforcing the effectiveness of bodies that monitor public sector activities and those managing publicly funded activities.
  • Creating incentives for change by providing knowledge, analysis, and recommendations for improvement.

Types of Public Sector Audits

Public sector audits are generally categorized into three main types:

  • Financial Audit: Determines if an entity’s financial information is presented according to the applicable financial reporting and regulatory framework. This involves obtaining evidence to express an opinion on whether financial information is free from material misstatement due to fraud or error.
  • Compliance Audit: Focuses on whether a particular subject matter complies with criteria, assessing if activities, transactions, and information comply with applicable authorities (Constitution, laws, rules, regulations, budgets, policies, contracts, principles of sound financial management, ethical conduct).
  • Performance Audit: Assesses whether interventions, programmes, and institutions perform according to economy, efficiency, and effectiveness principles, and identifies areas for improvement. Performance is examined against criteria, and causes of deviations are analyzed. The aim is to answer key audit questions and provide recommendations.

SAI India’s mandate allows audits on any subject relevant to executive responsibilities, governance, and public resource use. These may include reporting on outputs/outcomes, sustainability, resource requirements, internal control adherence, and near real-time audits. Combined audits incorporating financial, performance, and/or compliance aspects may also be conducted.

Elements of Public Sector Auditing

Public sector auditing is indispensable as public resource management is a matter of trust. It enhances confidence by providing information and assessments of deviations from accepted standards or good governance principles. All public sector audits have the same basic elements:

  • The three parties
  • Subject matter, criteria, and subject matter information
  • Types of engagement

1. The Three Parties: At least three separate parties are involved:

  • The auditor: In public sector auditing, this role is fulfilled by SAI India and its personnel.
  • The responsible party: Determined by constitutional or legislative arrangement. Responsible for the subject matter information, managing the subject matter, or addressing recommendations. Generally, auditable entities and their governance are the responsible parties.
  • Intended users: Individuals, organizations, or classes for whom the audit report is prepared. This includes legislative/oversight bodies, those charged with governance, and the general public. The primary user is Parliament or the Legislature, representing citizens.

2. Subject Matter, Criteria, and Subject Matter Information:

  • Subject matter: The information, condition, or activity measured or evaluated against criteria. It must be identifiable and capable of consistent evaluation/measurement to allow evidence gathering.
  • Criteria: The benchmarks used to evaluate the subject matter. Suitable criteria for each audit must be relevant, understandable to users, complete, reliable, and objective. Criteria sources include the Constitution, laws, regulations, standards, sound principles, and best practices. Criteria must be available to users.
  • Subject matter information: The outcome of evaluating or measuring the subject matter against the criteria.

3. Types of Engagement: There are two types:

  • Attestation Engagements: The responsible party measures the subject matter against criteria and presents the information. The auditor gathers evidence to express a conclusion on this information. Financial audits are always attestation engagements.
  • Direct Reporting Engagements: The auditor measures or evaluates the subject matter against the criteria. The auditor selects the subject matter and criteria. The outcome is presented in the report as findings, conclusions, recommendations, or an opinion. Performance audits and compliance audits are generally direct reporting engagements.

Confidence and Assurance in Public Sector Auditing

Audits must provide reliable information based on sufficient and appropriate evidence. Auditors perform procedures to reduce the risk of incorrect conclusions. Assurance can be communicated through opinions/conclusions (explicit level of assurance, applies to attestation and certain direct reporting) or in other forms (explaining how findings/conclusions were developed, providing confidence without explicit statement, common in some direct reporting engagements).

Levels of assurance:

  • Reasonable assurance: High, but not absolute, given inherent audit limitations. Most evidence is persuasive, not conclusive. The conclusion is expressed positively.
  • Limited assurance: Conveys the limited nature of assurance. Conclusion is expressed negatively (e.g., “nothing has come to our attention…”). Procedures are limited compared to reasonable assurance, but the level is expected to be meaningful to users.

Principles of Public Sector Auditing

Auditing is a cumulative process. Principles constitute general standards for SAI India personnel. They are fundamental to all public sector audits and categorized into General Principles and Principles related to the Audit Process.

General Principles: Considered before and during the audit.

  • Ethics and Independence: Auditors must comply with ethical requirements (SAI India’s code) and remain independent for impartial reports.
  • Professional Judgement, Due Care and Scepticism: Auditors maintain professional behaviour using scepticism, judgment, and due care. Scepticism means an alert, questioning attitude, remaining open-minded. Judgement applies collective knowledge, skills, experience. Due care means diligent planning and conduct, avoiding discrediting behaviour.
  • Quality Control: Audits must be performed according to professional standards on quality control for a consistently high level. Procedures cover direction, review, supervision, and consultation.
  • Audit Team Management and Skills: The team must collectively possess necessary knowledge, skills, and competence. This includes understanding audit types, standards, legislation, entity operations, and professional judgement ability. Ongoing professional development is required. Work of others (internal auditors, experts) may be used if allowed, but SAI India retains sole responsibility for the report. Evidence of competence and quality of others’ work must be obtained. Experts from other disciplines may be needed.
  • Audit Risk: The risk that the audit report is inappropriate. Auditors reduce this risk, acknowledging inherent limitations prevent absolute certainty. For reasonable assurance, risk is reduced to acceptably low; for limited assurance, higher risk is acceptable but the level must be meaningful.
  • Materiality: Relevant in all audits. A matter is material if knowledge of it would influence intended users’ decisions. It’s a matter of professional judgement, depending on user needs. Materiality has quantitative and qualitative aspects. It is considered for planning, evidence evaluation, and reporting, with levels potentially differing for each. Considerations include stakeholder concerns, public interest, regulation, and societal consequences.
  • Documentation: Audit documentation must be sufficiently detailed to provide a clear understanding of work, evidence, and conclusions. It includes strategy and plan, records procedures and evidence, and supports results. Documentation should enable an experienced auditor with no prior knowledge to understand the audit. Importance: Confirms/supports reports, serves as information source, evidence of standard compliance, facilitates planning/supervision/review, helps professional development, ensures delegated work quality, and provides evidence for future reference. Additional requirements cover timely preparation, form/content/extent, documenting departures from standards, documenting subsequent procedures/conclusions, and file assembly.
  • Communication: Effective communication throughout the process is essential, especially with the audited entity, to build a constructive relationship. Communication includes obtaining information and providing timely observations/findings. Two-way communication is important. Significant findings require written communication to those charged with governance. Auditors may also communicate with other stakeholders like legislative bodies.

Principles related to the Audit Process: Relate to specific steps.

  • Planning an audit: Ensure terms of engagement are clear. For mandated audits, formal agreement may not be needed; for entrusted audits, agreement on terms (subject, scope, objectives, access, process, roles) is necessary.
    • Understand the entity/programme: Includes objectives, operations, regulatory environment, controls, systems, processes, and potential evidence sources. Knowledge is gained via interaction, research, and document examination.
    • Conduct risk assessment or problem analysis: Varies by objectives. Assess risk of deficiencies, deviations, misstatements. Consider general and specific risks through understanding the entity and its environment, including internal controls. Assess management’s response to risks and control design/implementation. Problem analysis involves examining indicators to define objectives. Data from multiple sources and technology/data analytics can help identify patterns. Risk identification is considered throughout the audit.
    • Identify and assess risks of fraud: Primary responsibility for fraud prevention/detection is with management/governance. Auditors don’t make legal determinations of fraud but identify/assess risks relevant to audit objectives. They maintain professional scepticism and are alert to fraud possibility.
    • Plan work effectively and efficiently: Includes strategic (scope, objectives, approach) and operational (timetable, procedures nature/timing/extent) aspects. Approach defines procedures for gathering/analysing evidence. Planning aims to reduce audit risk. Professional judgement is used for sampling. Planning is iterative and responsive to changes. For performance audits, pre-study/pilot study may be needed. Audit design should support quality and efficiency. Planning involves research, data analysis, hypothesis building, and method choice. Technology and data analytics are useful. For performance audits, assess fraud risk and examine relevant internal controls. Establish suitable criteria linked to economy, efficiency, effectiveness, using diverse sources like performance frameworks. Criteria should be discussed with auditable entities, but auditor is responsible for selection. Criteria may be defined during the audit for complex issues.
  • Conducting an Audit:
    • Perform audit procedures: Procedures are designed based on risk assessment/problem analysis. They obtain sufficient and appropriate audit evidence. Evidence is information used to determine compliance with criteria. Forms include records, communication, observation, testimony. Methods include inspection, observation, inquiry, confirmation, recalculation, re-performance, analytical procedures.
    • Evaluate audit evidence: Evidence must be sufficient (quantity) and appropriate (quality – relevant, valid, reliable). Sufficiency and appropriateness are interrelated; more evidence doesn’t fix poor quality. Reliability depends on source and nature. Reliability generalizations: More reliable from external sources, internally generated when controls are effective, obtained directly by auditor, in documentary form, from original documents. Assessment must be objective, fair, balanced. Preliminary findings are discussed with the audited entity. Confidentiality must be respected.
    • Draw conclusions: Review documentation to confirm sufficient/appropriate audit. Reconsider risk/materiality based on evidence. Obtain audit findings. Evaluate evidence and findings, considering quantitative/qualitative factors and materiality. Exercise professional judgement to reach a conclusion on the subject matter.
  • Reporting and Follow-up:
    • Prepare a report: Communicates results to stakeholders, governance, public. Facilitates follow-up/corrective action. Reports must be easy to understand, clear, complete, objective, fair, supported by evidence, and put findings in context. Form/content depend on audit type, users, standards, legal requirements. Reports can be short (condensed, standardized) or long form (detailed scope, findings, conclusions, consequences, recommendations).
      • Attestation engagements: Report may express an opinion on whether subject matter information is free from misstatement or complies with criteria. Generally called Auditor’s Report.
      • Direct reporting engagements: Report states objectives, how addressed, findings, conclusions, and may include recommendations. May include criteria, methodology, data sources, scope limitations. Explains evidence use and conclusion reasoning. Performance audit reports aim to be comprehensive, convincing, timely, reader-friendly, balanced. They link objective, criteria, findings, conclusions, recommendations. Recommendations should be constructive, address problems, be practical, and addressed to responsible entities. Balance means impartiality in content/tone, presenting findings objectively, including different viewpoints, and noting positive aspects. Compliance reports are based on completeness, objectivity, timeliness, and a contradictory process (checking facts with entity). Form/content must conform to these principles. Conclusion may be a clear statement on compliance or answers to specific questions.
    • Opinion or conclusion: Used to convey assurance level. Standardized format. Unmodified (reasonable or limited assurance obtained) or modified. Modified opinions: Qualified (disagreement/insufficient evidence on material but not pervasive items), Adverse (disagreement/insufficient evidence on material and pervasive items), Disclaimed (unable to obtain sufficient evidence due to material and pervasive uncertainty/scope limitation). Reasons for modification must be explained. Opinion common for financial audits, conclusion for compliance audits. Recommendations and internal control deficiencies may be included. Determining modification type depends on nature (misstated or may be misstated) and pervasiveness. Unmodified financial audit opinion uses “present fairly” or “give a true and fair view” for fair presentation frameworks, or “prepared, in all material respects” for compliance frameworks. Modified opinion heading changes. Auditor’s Report includes sections on management responsibility, auditor responsibility (scope/procedures), Emphasis of Matter/Other Matters, and other regulatory duties.
      • Emphasis of Matter: Draws attention to fundamental matters presented/disclosed in financial statements that are not materially misstated.
      • Other Matter: Communicates matters not in financial statements but relevant to users’ understanding of the audit/auditor’s responsibilities/report.
    • Follow-up: SAI India monitors action taken by the responsible party on report matters. Focuses on whether the audited entity has adequately addressed problems. Insufficient action may warrant a further report. For performance audits, follow-up examines corrective action, strengthening audit impact and aiding future planning. It focuses on whether problems/situations were remedied. Follow-up should be unbiased and independent. Results may be reported individually or consolidated, potentially highlighting trends. For compliance audits, follow-up of non-compliance instances is done when appropriate. It aids implementation of corrective action and provides feedback.

Specific Standards

Chapter 3 details the application of general principles to financial, compliance, and performance audits.

  • Financial Audit Specifics: Enhances user confidence in financial statements by expressing an opinion on their preparation in accordance with the applicable framework and freedom from material misstatement. Objectives include obtaining reasonable assurance against material misstatement (fraud/error) and reporting findings. Financial reporting frameworks can be general purpose (IPSASs, IFRSs, Indian Accounting Standards, etc.) or special purpose (tailored for specific users, e.g., for governing bodies, funders, contracts). Frameworks prescribed by law/regulation (like Indian Government Accounting Standards – IGAS, Government Accounting Rules) are also relevant and govern presentation based on rules. Materiality is applied in planning/performing the audit; a misstatement is material if it could influence users’ decisions. Qualitative factors (fraud, nature of transaction) are important for materiality, especially in public sector. Audit risk is the risk of an inappropriate conclusion due to material misstatement. It depends on inherent risk (susceptibility to misstatement), control risk (controls fail to prevent/detect misstatement), and detection risk (auditor fails to detect misstatement). Risk assessment involves identifying risks at statement/assertion levels, evaluating pervasiveness, relating risks to what could go wrong, and considering likelihood/materiality. Significant risks require consideration of factors like fraud, recent developments, complexity, related parties, subjectivity, unusual transactions, and compliance with laws. Responses include designing procedures like substantive tests and tests of controls. Going Concern is assessed, though less relevant for entities funded by appropriations, but applicable to public business enterprises or programmes contracted to private entities. Risks of material misstatement due to fraud are identified/assessed; auditors respond appropriately. Auditors are concerned with fraud causing material misstatement (fraudulent financial reporting, misappropriation). Alertness to fraud risks in areas like procurement, grants, privatization is needed, considering public expectations. Risks of material misstatement due to direct and material non-compliance with laws/regulations (e.g., Appropriation Acts) are identified. Auditor isn’t responsible for preventing non-compliance or detecting all breaches. Non-compliance can have material effects (fines, litigation) and must be communicated to management/governance unless inconsequential. Subsequent events (between financial statement date and report date) require identification and appropriate adjustment/disclosure. Procedures cover understanding management’s process, inquiries, scrutiny of minutes/interim statements, written confirmation. If facts learned after report date but before issuance would have changed the report, discuss with management/governance, determine needed amendments, inquire about management intent, and obtain written confirmation. If management doesn’t amend, notify them and governance, and seek to prevent future reliance on the report (potentially legal advice/reporting to statutory body). Uncorrected misstatements are evaluated for materiality, individually and in aggregate, considering size, nature, circumstances, and prior periods. Management is asked to correct misstatements; reasons for refusal are ascertained and considered when evaluating the overall misstatement of statements. Governance is notified of uncorrected misstatements and their effect on the opinion. Uncorrected material misstatements must be individually identified for governance. Trivial misstatements needn’t be communicated unless mandated. Forming an opinion requires evaluating conclusions from evidence, assessing if reasonable assurance is obtained, and considering material uncorrected misstatements. Modified opinions (qualified, adverse, disclaimer) are used if statements aren’t free from material misstatement or sufficient evidence wasn’t obtained. Audits of special-purpose financial statements require understanding purpose, users, and acceptability of the framework. The report describes purpose, may reference management’s responsibility for framework choice, and includes an Emphasis of Matter paragraph noting the special-purpose nature. Audits of single financial statements/elements require determining practicability, adapting reporting, and potentially issuing a separate opinion even if the full set is also audited. Modifications or Emphasis/Other Matters in the full set report must be considered and potentially reflected in the single statement/element report. Consolidated financial statements (including Whole of Public Sector) require obtaining evidence for all components and the consolidation process. The principal auditor develops a consolidated strategy/plan, understands the group/components/environment/controls/consolidation, and assesses risk.
  • Performance Audit Specifics: Independent examination of economy, efficiency, effectiveness of public sector activities. Objective: Constructively promote economical, effective, and efficient governance, contribute to accountability/transparency. Promotes accountability by assessing implementation of legislative/executive decisions and value for money for citizens. Does not question legislative intent but examines implementation shortcomings. Focuses on high-value areas with improvement potential. Promotes transparency by giving insight into management/outcomes, providing useful information, and serving as basis for learning. May overlap or be combined with other audits; primary objective guides standards applied. Focuses on activity/results, not just reports/accounts, and promoting economy/efficiency/effectiveness. Performance audits are essentially direct reporting engagements. Not normally expected to give an overall opinion like financial audits. Degree of performance is conveyed via overall view (if objectives/evidence allow) or specific information on objectives, questions, evidence, criteria, findings, conclusions. Aim is reasonable assurance with conclusions and a balanced report. Audit risk (incorrect/incomplete conclusions, unbalanced info, failing to add value) must be actively managed. Risks include lack of competence, poor information access, inaccuracy, failure to put findings in perspective, not addressing relevant arguments. Topic selection is part of strategic planning, analyzing potential topics and identifying risks/problems. Topics should be significant, auditable, and within mandate, maximizing expected impact within capacity. Techniques like risk analysis/problem assessments aid selection but need professional judgement. Planning includes background knowledge, understanding entity/problem/risk/evidence sources/auditability/significance, consulting stakeholders/experts, defining objectives/questions/criteria/methodology, staffing/skills/resources, timeframes, control points. Research is part of planning. Audit approach can be system-oriented (management systems), result-oriented (outcome/output achievement), or problem-oriented (causes of problems/deviations). Approaches can be top-down (legislature/central government focus) or bottom-up (citizen/community problems focus). Audit procedures for evidence gathering are designed based on planning and risk assessment. Methods chosen should be efficient/effective. Stages: overall design (questions), level of observation (process/files), methodology (analysis/sample), data collection techniques (records, questionnaires, interviews). Practical considerations may restrict method choice; planning should be flexible. Procedures shouldn’t be overly standardized to allow flexibility, judgement, analytical skills. Detailed plans may be needed for large/complex audits. Quality control involves safeguarding quality, ensuring requirements are met, and emphasizing appropriate, balanced, fair reports that add value and answer questions. Specific quality issues: managing large info/judgement, ensuring balance/objectivity, defining quality for specific audits. Control mechanisms are complemented by support like training/guidance. Recommendations are constructive, likely to contribute significantly to addressing weaknesses/problems, well-founded, add value, address causes, but avoid encroaching on management. They should clarify responsibility and intended contribution to performance. Linked to objectives, findings, conclusions. Follow-up examines corrective action, strengthening impact and improving future work. It focuses on whether problems/situations are adequately addressed.
  • Compliance Audit Specifics: Independent assessment of compliance with applicable authorities (criteria). Assesses compliance of activities/transactions/information with governing authorities. Concerned with Regularity (adherence to formal criteria like laws, regulations, agreements) and Propriety (observance of general principles for sound financial management and ethical conduct). Propriety is pertinent in public sector expectations. Objectives: Promote transparency by reporting on fund administration/management/citizen rights compliance; promote accountability by reporting deviations/violations; promote good governance by identifying weaknesses/deviations and assessing propriety; consider fraud risk. Goal is assessment against governing authorities to enhance user confidence. Can be part of combined audit or conducted separately. Can be conducted in relation with financial statement audits (focus on compliance with authorities governing public finance like budget execution). Laws/regulations are key; in compliance audit, any law/regulation relevant to the subject matter is relevant, whereas financial audit focuses on those with direct/material effect on statements. Can be combined with performance auditing, viewing compliance as an aspect of economy/efficiency/effectiveness; professional judgement determines primary focus. Can be direct reporting or attestation engagements. Audit risk (incorrect conclusions) is managed, acknowledging inherent limitations prevent absolute assurance. Risk dimensions (inherent, control, detection) are considered relative to subject matter, reporting format (opinion/conclusion), and type of engagement. Materiality has quantitative/qualitative aspects, with qualitative generally more significant in public sector. Considered for planning, evidence, reporting; a matter is material if non-compliance could influence users’ decisions. Factors include mandated requirements, public interest, legislative focus, funding. Low-value issues like fraud may still be material. Assessment requires comprehensive professional judgement and relates to scope. Risk assessment identifies non-compliance risks based on criteria, scope, and entity characteristics. Auditor considers risks of subject matter not complying with criteria (due to fraud, error, inherent nature, circumstances). Risk identification continues throughout. Known instances of non-compliance are evaluated for materiality. Risk of fraud, abuse, non-compliance are considered. If fraud indications are found, exercise due care not to interfere with legal proceedings. Fraud in compliance audit relates mainly to abuse of public authority or fraudulent reporting on compliance. Abuse is conduct falling short of prudent behaviour expectations. Non-compliance is violating laws, rules, contracts, etc.. Deliberate misuse of public authority for improper benefit is an instance. Improper benefits can be non-economic or economic, gained intentionally by individuals within the entity or third parties. Auditors include fraud risk factors and remain alert. Reporting principles: completeness, objectivity, timeliness, contradictory process. Report form/content must conform. May vary from conclusions (short/long form) to answers to specific questions. Follow-up of non-compliance is done when appropriate. It facilitates corrective action and provides feedback.

These notes summarize the key aspects of the CAG’s Auditing Standards as presented in the provided excerpts, covering their purpose, authority, underlying principles, types of audits, essential elements, and specific considerations for financial, performance, and compliance audits.