Mona Paulsrud, CAS-secretariat, Norway

Origins of Compliance Audit within INTOSAI

Most SAIs will recognize that in their audit of public sector budget execution and income there are premises and decisions of their legislatures attached as requirements of the cash flow. As the international standards of SAIs gradually developed, INTOSAI recognized that the requirements set on the cash flow of public funds representing a trust play a crucial and independent role in governmental auditing. Hence, Compliance Audit was recognized as the third type of public sector auditing by the establishment of the Compliance Audit Subcommittee in 2004 and the endorsement of the ISSAI 4000 series on Compliance Audit by INCOSAI in 2010.

Compliance Audit is the "lingua franca" of a wide range of auditing practices amongst SAIs where the state of affairs of the public sector is evaluated against laws, regulations and expected behavior stemming from democratic institutions representing the citizens. In order to create a set of ISSAIs expressing the common terminology, process and requirements for Compliance Audit, two main strategic choices were made: on the one hand, to start the process with a top-down approach in which the commonalities were identified in a standard at a very high level; on the other hand, to develop an integrated approach with financial audit, exploring the use of financial audit concepts for broader purposes and adding public sector terminology where necessary.

Compliance Audit as an audit type

Compliance Audit may be performed related to the audit of financial statements or separately from the audit of financial statements. Compliance Audit may be performed as a direct reporting engagement where the auditor is the one to measure or evaluate a subject matter against criteria. Compliance Audit may also be performed as an attestation engagement where a responsible party presents the auditor with an evaluation of the subject matter against criteria in the form of subject matter information. Compliance Audit may be reported in the form of an opinion or in long or short form reports.

Hence, the generic definition of Compliance Audit is the following:

Compliance audit is the independent assessment of whether a particular subject matter is in compliance with applicable authorities identified as criteria.

The concept of authorities is a fundamental point of departure for the audit type, expressing the hierarchy of delegation from the legislature to the audited entity, whether in the form of rules, regulations, codes or expected behavior. The existence of authorities is a prerequisite for conducting Compliance Audit, as they are the sources of the criteria the subject matter is evaluated against. A thorough consideration of the authorities governing the audited entity is also a means to ensure that the audit provides relevant and meaningful information to the users, as the user is often the entity issuing the authorities of the audit.

Compliance Audit is often an integral part of the audit mandate of SAIs in their audits of public sector entities. This is because legislation and other authorities are the primary means by which legislatures control income and expenditure, management and due process rights of citizens in the public sector. Public funds are entrusted to public sector entities for their proper management. It is the responsibility of these public sector bodies and their appointed officials to be transparent about their actions, accountable to the citizens for the funds with which they are entrusted, and to exercise good governance over such funds.

Implementing the ISSAIs on Compliance Audit

The first and fundamental step of implementing the ISSAIs on Compliance Audit is to determine the audit scope. The audit scope may be prescribed in the mandate of the SAI, but may also be determined by the auditor. The audit scope expresses the focus, extent and boundary of the audit in terms of what subject matter is in compliance with what criteria.

The subject matters of compliance audits may vary enormously on a worldwide basis depending on the criteria used. They may be of either a quantitative or qualitative nature and of extensive or limited size. Still, in broadening the use of technical audit terms, the Compliance Audit Guidelines outline an audit process designed to enhance the degree of confidence of the intended users by providing either limited or reasonable assurance. Assurance in the context of Compliance Audit is provided through sufficient and appropriate audit evidence covering the scope of the audit considered in light of information needs of users. Hence, the need for a precise audit scope is fundamental.

There is a multitude of ways to perform audits when implementing the ISSAIs on Compliance Audit, as long as the evidence collected is relevant, sufficient and appropriate to cover the audit scope and as long as the information needs of users, in the sense of the legislature as representative of the citizens, are considered.

"How will I be able to do this?" - you might ask as your reading progresses. As the Compliance Audit Guidelines were developed with a top-down approach, unfortunately there is limited operational guidance available at this stage. So our common means of finding the concrete solutions is through implementation: by exercising your best professional judgment as to how to perform your compliance audit with reasonable or limited assurance, and by sharing your experiences with other SAIs, you may provide one step forward for Compliance Audit within INTOSAI.

