IDI understanding of ISSAI Implementation

The IDI believes in an integrated approach to ISSAI implementation. The IDI recommends that the SAI and those supporting the SAI consider implementation of the ISSAI framework as a whole. While the implementation definitely needs to be taken up in a phased manner over a period of time – it is important that the SAI considers the entire framework before determining its strategy. Unless the SAI looks at the whole framework and the relationship between the different levels, it will not be able to get a proper picture. For example if a SAI wishes to implement the requirements of ISSAI 30, it needs to ensure that the requirements are not only followed at the SAI level, but also at the individual audit. Similarly, it may also be essential for an SAI to establish its value by doing good quality audits, before it can lobby for greater independence as envisaged in ISSAI 10. As such a SAI may decide to use its resources for implementing ISSAIs at level 3 or 4, even as it tries to get a better legal framework for itself.

The ISSAI framework comprises four levels. Each level has its own nature although interrelated. Level 1 contains founding principles. Level 2 contains prerequisites for the functioning of SAI, many of which are contextual and out of the control of the SAI. Level 3 contains fundamental auditing principles. Level 4 contains requirements to guide the audit practice. It provides a basis for the standards and manuals which may be applied by individual SAIs. Implementation of level 4 is not an advanced level of ISSAI implementation. For its nature, level 4 is the main level when referring to an ISSAI based audit practice. While a SAI has the option of deciding on whether it wants to refer to ISSAIs at level 3 or level 4, a SAI must be aware that if it decides to refer to ISSAIs at level 3, it must have detailed national standards that are aligned to level 3 and can substitute level 4 ISSAIs. Many SAIs in developing countries may not have such detailed national standards and may need to refer to ISSAIs at level 4. As such, level 4 is important for individual audit. Moreover, it would not be possible for a SAI to implement Level 2 without working on Level 4. Therefore, in supporting SAIs in implementing ISSAIs it is important to take an integrated approach rather than a sequential approach. However, taking an integrated approach does not imply that the SAI will implement all ISSAIs at the same time. It means that the SAI will consider the ISSAI framework holistically before deciding on its implementation strategy. The implementation strategy, which involves working with ISSAIs at different levels simultaneously, can then be implemented gradually based on SAI requirements and resources.

It is also important to answer the question – when can a SAI say that it has implemented ISSAIs? It has been our experience ( based on the 3i Management Workshops and iCATs) that SAIs report that they have met ISSAI requirements when they have a policy or a manual in place, even if the policy of the manual is not completely followed in practice. However, for an SAI to say that it meets ISSAI requirements, the SAI must have a not just the policy and the manuals but must also have a system to ensure that the requirements of the ISSAIs are actually followed in the practices of the SAI. For example a SAI cannot say that it meets ISSAI 30 requirements if it only has a Code of Ethics. It is necessary for the SAI to have a documented system that defines how the provisions of the code are to be implemented both at the SAI level and at the individual audit level. The SAI also needs to have a system for ascertaining that the prescribed system is, indeed, being followed in the SAI.

ISSAI implementation is not about training alone. It involves a change management process that requires an SAI to work on: 
• its institutional capacity i.e. its mandate and legal framework and environment in which it operates,
• organizational capacity i.e. the systems, processes, procedures and resources required for implementing ISSAIs
• professional staff capacity i.e. the professional capacity of its people to implement ISSAIs, both managers and staff

As such we believe that the SAI and those supporting the SAI would need to look holistically at capacity development needs in the following domains
• Independence and Legal framework
• SAI culture and environment
• Leadership and internal governance
• SAI core processes – audit and other processes
• SAI resources – human resources, support structures, infrastructure
• External stakeholder relations

ISSAI Implementation needs to address all levels in an SAI – top management, senior management, operational management and staff. While the IDI, regions and other partners can support ISSAI implementation, it is only the SAI that can actually implement ISSAIs. As such the role played by the SAI leadership assumes great significance in successful ISSAI implementation.

The IDI recommends the following process for implementing the ISSAI framework: