Frequently Asked Questions - All FAQs
Ideally, only three responses should be possible (Met, Not met and Not applicable). If the SAI has fully complied with the requirement, the compliance status would be ‘Met’. In all other situations where the requirement is applicable, the status would be ‘Not met’. However, such a rigid stance would mean that the SAI’s compliance status would continue to be ‘Not met’ even if it had made some/large progress towards meeting ISSAI requirements. Hence, for giving a sense of achievement/progress another layer ‘Met to some extent’ has been added. This response could be selected in all cases of partial compliance. Adding yet another response ‘Met to large extent’ would introduce an element of subjectivity in deciding when to categorise compliance status as ‘Met to large extent’ or as ‘Met to some extent’. Hence, it is desirable to stick with four responses.
The key question to be asked while assessing the compliance status is "Are we happy with the existing mechanisms in place and their implementation or is there a need for something more?" If the assessment team is of the view that either new mechanisms will have to be put in place or implementation of existing practices will have to be strengthened to achieve full compliance with ISSAI, then compliance status will be ‘Met to some extent’. The mechanism that is absent or the weakness in implementation should be captured under the column ‘Reasons for non-compliance’. On the other hand, if the assessment team is fully satisfied with the current scenario and feels that no changes are necessary, then the compliance status will be "Met".
Simply because an ISSAI requirement is being adopted in audit practice does not mean that the requirement is fully complied with, unless there is also a national standard/policy/guideline requiring compliance with such a requirement. Codification of ISSAI requirement in SAI standards/policies etc will facilitate (a) the good practice to be sustained and (b) regular verification of compliance during internal reviews. So, in such a scenario, the compliance status will be ‘Met to some extent’ and ‘Absence of standard/policy’ could be captured under the ‘Reasons for non-compliance’ column.
This is an inverse of the earlier situation. It has been observed that several facilitators who participated in the IDI 3i e-learning course recorded their assessment only based on review of standards/policies/guidelines. Existence of ISSAI requirements in national standards/policies/guidelines alone is not adequate. Actual implementation of the requirement will have to be checked in the sample real life audit engagements for a correct assessment.
An iCAT assessment is akin in certain aspects to an audit engagement. During audit engagements, it is probable that different offices within an organization may be at different levels of performance against an audit criterion. The performance of all the units are considered together to arrive at an audit conclusion. Similarly, during an iCAT assessment also different levels of compliance at different offices/divisions within the SAI could be considered together to form an opinion. So, a single iCAT assessment for the entire SAI should suffice; provided the offices/divisions to be test checked are selected with due care to be representative. However, if the SAI can afford the time and resources it can conduct more granular assessments for Level 4 ISSAIs as such assessments may provide greater insight into areas requiring corrective action.
The top management must clearly define at the outset the scope (time period, offices/divisions to be covered). For instance, management may decide to exclude a newly formed division from the scope of the review, as the practices in such a division may not be mature enough. Similarly, top management must clearly define the sample size of real life audit engagements to be checked and the manner in which these are to be selected.
Relating the national standard/policies to the ISSAI requirements has been found to be a major challenge, particularly in those SAIs whose standards/policies etc are not in English. Lack of access of the assessment team to audit policies and working paper of real life audit engagements can also thwart a quality assessment. iCAT assessment is an intense exercise that requires substantial time for completion. Pressure to complete the assessment within a limited time has been found to be a challenge.
The following strategies can be adopted to enhance objectivity of iCAT assessments:
- Assessment could be done by a team instead of by an individual for a more balanced perspective
- Workshops/focus groups for discussion of draft iCAT assessment with top management and auditors at different levels could be conducted
- Reasons for iCAT assessment (that it is an exercise to learn and improve and not a fault finding activity) must be communicated to all involved with iCAT so as to deter the tendency to depict a rosier picture
While it is desirable to relate Level 4 ISSAI examples for Level 2 ISSAI requirements while conducting Level 2 assessments, it is not always possible/necessary to maintain such a link. For instance, Principle 1 of ISSAI 20 requires that legislation/regulations must cover conditions surrounding appointment and dismissal of the head of SAI. It is not necessary to provide a level 4 ISSAI example for this requirement.