3.4.1 Compliance audit is the independent assessment of whether a given subject matter is in compliance with applicable authorities identified as criteria. Compliance audits are carried out by assessing whether activities, financial transactions and information comply in all material respects, with the authorities which govern the audited entity. Compliance auditing may be concerned with
While regularity is the main focus of compliance auditing, propriety is equally pertinent in the public-sector context, in which there are certain expectations concerning financial management and the conduct of officials.
Compliance audit promotes transparency by providing reliable reports as to whether funds have been administered, management exercised and citizens’ rights to due process honoured as required by the applicable authorities. It promotes accountability by reporting deviations from and violations of authorities, so that corrective action may be taken and those accountable may be held responsible for their actions. It promotes good governance both by identifying weaknesses and deviations from laws and regulations and by assessing propriety where there are insufficient or inadequate laws and regulations. Fraud and corruption are, by their very nature, elements which counteract transparency, accountability and good stewardship. Compliance audit therefore also considers the risk of fraud in relation to compliance.
The objective of compliance auditing, therefore, is to enable assessment of whether the activities of auditable entities are in accordance with the authorities governing those entities in order to express a conclusion designed to enhance the degree of confidence of the intended users.
Compliance audit can be part of a combined audit that may also include other aspects. Though other possibilities exist, compliance auditing is generally conducted either:
The legislature, as an element of public democratic process, establishes the priorities for public-sector income and expenditure and for the calculation and attribution of expenditure and income. The underlying premises of legislative bodies, and the decisions they take are the source of the authorities governing cash flow in the public sector. Compliance with those authorities constitutes a broader perspective alongside the audit of financial statements in budgetary execution.
Laws and regulations are important both in compliance auditing and in the audit of financial statements. Which laws and regulations apply in each field will depend on the audit objectives. Compliance audit focusses on obtaining sufficient and appropriate evidence regarding compliance of a given subject matter with applicable authorities identified as criteria. Whereas, in the audit of financial statements, only those laws and regulations with a direct and material effect on the financial statement are relevant, in compliance auditing any law and regulation relevant to the subject matter may be relevant for audit.
Compliance audits may be planned, performed and reported on separately from the audit of financial statements and from performance audits. Such audits may be conducted separately on a regular basis, as distinct and clearly-defined audits each related to a specific subject matter.
When compliance audit is part of a performance audit, compliance is seen as one of the aspects of economy, efficiency and effectiveness. Non-compliance may be the cause of, an explanation for, or a consequence of the state of the activities that are the subject of performance audit. In combined audits of this kind, auditors shall use their professional judgement to decide whether performance or compliance is the primary focus of the audit and whether to apply the performance audit standards, compliance audit standards or both.
Compliance audits can be conducted as direct reporting engagements or attestation engagements. An auditor performs procedures to reduce or manage the risk of providing incorrect conclusions, recognising that, owing to the inherent limitations in all audits, no audit can ever provide absolute assurance of the condition of the subject matter. In most cases, a compliance audit will not cover all elements of the subject matter but will rely on a degree of qualitative or quantitative sampling. Compliance auditing enhances the confidence of the intended users in the information provided by the auditor or another party.
The auditor shall consider three different dimensions of audit risk – inherent risk, control risk and detection risk – in relation to the subject matter and the reporting format, i.e. whether the subject matter is quantitative or qualitative and whether the audit report is to include an opinion or a conclusion. The relative significance of these dimensions of audit risk depends on the nature of the subject matter and whether it is a direct reporting or an attestation engagement.
Materiality shall be considered for the purposes of planning, evaluating the evidence obtained and reporting. An essential part of determining materiality is to consider whether reported cases of compliance or non-compliance (potential or confirmed) could reasonably be expected to influence decisions by the intended users. Factors to be considered within this judgment assessment are mandated requirements, public interest or expectations, specific areas of legislative focus, requests and significant funding. Issues at a lower level of value or incidence than the general determination of materiality, such as fraud, may also be considered material. The assessment of materiality requires comprehensive professional judgement on the part of the auditor and is related to the audit scope.
In the light of the audit criteria, the audit scope and the characteristics of the audited entity, the auditor shall perform a risk assessment to determine the nature, timing and extent of the audit procedures to be performed. In this process, the auditor shall consider the risks that the subject matter will not comply with the criteria. Non-compliance may arise due to fraud, error, the inherent nature of the subject matter and/or the circumstances of the audit. The identification of risks of non-compliance and their potential impact on the audit procedures shall be considered throughout the audit process. As part of the risk assessment, the auditor shall evaluate any known instances of non-compliance in order to determine whether they are material.
Fraud in compliance auditing relates mainly to the abuse of public authority, but also to fraudulent reporting on compliance issues. Abuse occurs when the conduct of the entity, program, activity or function falls far short of societal expectations for prudent behaviour. Non-compliance comprises violation of laws, rules and regulations, provisions of contracts and other agreements. Instances of non-compliance with authorities may constitute deliberate misuse of public authority for improper benefit. The execution of public authority includes decisions, non-decisions, preparatory work, advice, information handling and other acts in the public service. Improper benefits are advantages of a non-economic or economic nature gained by an intentional act by one or more individuals among management, those charged with governance, employees or third parties. While detecting fraud is not the main objective of compliance audit, auditors shall include fraud risk factors in their risk assessments and remain alert to indications of fraud.
The principle of completeness requires the auditor to consider all relevant audit evidence before issuing a report. The principle of objectivity requires the auditor to apply professional judgement and scepticism in order to ensure that all reports are factually correct and that findings or conclusions are presented in a relevant and balanced manner. The principle of timeliness implies preparing the report in due time. The principle of a contradictory process implies checking the accuracy of facts with the audited entity and incorporating responses from responsible officials as appropriate. In both form and content, a compliance audit report shall conform to all these principles.
Reporting may vary between various forms of conclusions, presented in short or long form. However, the report shall be complete, accurate, objective, convincing and as clear and concise as the subject matter permits. The conclusion may take the form of a clear written statement on compliance or may be expressed as a more elaborate answer to specific audit questions. While a conclusion is common in attestation engagements, the answering of specific audit questions is more often used in direct reporting engagements.
A follow-up process facilitates the effective implementation of corrective action and provides useful feedback to the audited entity, the users of the audit report and the auditor (for future audit planning). The need to follow up previously reported instances of non-compliance will vary with the nature of the subject matter, the non-compliance identified and the particular circumstances of the audit.