Frequently Asked Questions - All FAQs
Please select your question category
View all frequently asked questions
View FAQ Tags
No faqs found in this category
No faqs found in this category
1. There are only four types of response (Met, Met to some extent, Not met and Not applicable) suggested against ‘compliance status’ in the iCAT. If the SAI meets the requirement substantially, can a new response ‘Met to large extent’ be added?
Ideally, only three responses should be possible (Met, Not met and Not applicable). If the SAI has fully complied with the requirement, the compliance status would be ‘Met’. In all other situations where the requirement is applicable, the status would be ‘Not met’. However, such a rigid stance would mean that the SAI’s compliance status would continue to be ‘Not met’ even if it had made some/large progress towards meeting ISSAI requirements. Hence, for giving a sense of achievement/progress another layer ‘Met to some extent’ has been added. This response could be selected in all cases of partial compliance. Adding yet another response ‘Met to large extent’ would introduce an element of subjectivity in deciding when to categorise compliance status as ‘Met to large extent’ or as ‘Met to some extent’. Hence, it is desirable to stick with four responses.
The key question to be asked while assessing the compliance status is "Are we happy with the existing mechanisms in place and their implementation or is there a need for something more?" If the assessment team is of the view that either new mechanisms will have to be put in place or implementation of existing practices will have to be strengthened to achieve full compliance with ISSAI, then compliance status will be ‘Met to some extent’. The mechanism that is absent or the weakness in implementation should be captured under the column ‘Reasons for non-compliance’. On the other hand, if the assessment team is fully satisfied with the current scenario and feels that no changes are necessary, then the compliance status will be "Met".
3. How does one deal with a situation in which there is no corresponding national standard/policy/guidelines for a particular ISSAI requirement, while the requirement is met in actual practice as verified from the real-life performance audit engagement working papers?
Simply because an ISSAI requirement is being adopted in audit practice does not mean that the requirement is fully complied with, unless there is also a national standard/policy/guideline requiring compliance with such a requirement. Codification of ISSAI requirement in SAI standards/policies etc will facilitate (a) the good practice to be sustained and (b) regular verification of compliance during internal reviews. So, in such a scenario, the compliance status will be ‘Met to some extent’ and ‘Absence of standard/policy’ could be captured under the ‘Reasons for non-compliance’ column.
4. Is it necessary to review real life audit engagement working papers in addition to checking national standards/guidelines/policies etc to complete iCAT?
This is an inverse of the earlier situation. It has been observed that several facilitators who participated in the IDI 3i e-learning course recorded their assessment only based on review of standards/policies/guidelines. Existence of ISSAI requirements in national standards/policies/guidelines alone is not adequate. Actual implementation of the requirement will have to be checked in the sample real life audit engagements for a correct assessment.
5. It is possible that the level of compliance with ISSAI requirements may vary widely between different audit offices/divisions within the SAI, particularly in large SAIs. In such a case, is it necessary to carry out separate iCAT for different offices/divisions rather than perform a single iCAT for the entire SAI?
An iCAT assessment is akin in certain aspects to an audit engagement. During audit engagements, it is probable that different offices within an organization may be at different levels of performance against an audit criterion. The performance of all the units are considered together to arrive at an audit conclusion. Similarly, during an iCAT assessment also different levels of compliance at different offices/divisions within the SAI could be considered together to form an opinion. So, a single iCAT assessment for the entire SAI should suffice; provided the offices/divisions to be test checked are selected with due care to be representative. However, if the SAI can afford the time and resources it can conduct more granular assessments for Level 4 ISSAIs as such assessments may provide greater insight into areas requiring corrective action.
6. How is the scope and sample size (for review of engagement working papers) determined for the iCAT assessment?
The top management must clearly define at the outset the scope (time period, offices/divisions to be covered). For instance, management may decide to exclude a newly formed division from the scope of the review, as the practices in such a division may not be mature enough. Similarly, top management must clearly define the sample size of real life audit engagements to be checked and the manner in which these are to be selected.
Relating the national standard/policies to the ISSAI requirements has been found to be a major challenge, particularly in those SAIs whose standards/policies etc are not in English. Lack of access of the assessment team to audit policies and working paper of real life audit engagements can also thwart a quality assessment. iCAT assessment is an intense exercise that requires substantial time for completion. Pressure to complete the assessment within a limited time has been found to be a challenge.
The following strategies can be adopted to enhance objectivity of iCAT assessments:
9. Is it always possible/ necessary to link Level 4 ISSAIs with Level 2 ISSAIs while completing Level 2 ISSAI assessments?
While it is desirable to relate Level 4 ISSAI examples for Level 2 ISSAI requirements while conducting Level 2 assessments, it is not always possible/necessary to maintain such a link. For instance, Principle 1 of ISSAI 20 requires that legislation/regulations must cover conditions surrounding appointment and dismissal of the head of SAI. It is not necessary to provide a level 4 ISSAI example for this requirement.