April 3, 2021

Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the auditor’s responsibility to request written representations, and the auditor’s actions when relevant parties do not provide the requested written representations, or when the auditor concludes that such written representations are not reliable. Appendix 1 lists other ISAs containing requirements and guidance for written representations. Those requirements do not limit the application of this ISA. Effective Date This ISA is effective for audits of financial statements for periods beginning on or after [date].[1] Objective  The objective of the auditor is to corroborate, by means of written representations: The validity of the premises, relating to management’s responsibilities, on which an audit is conducted;[2] and Other audit evidence obtained with regard to specific assertions in the financial statements. Definitions For purposes of the ISAs, the following terms have the meanings attributed below: Written representations – Written statements provided by relevant parties from within the entity to the auditor at the auditor’s request. Written representations are either general or specific. Written representations in the context of this ISA do not include financial statements, the assertions therein, and supporting books and records. General written representations – Written representations regarding the premises, relating to management’s responsibilities, on which an audit is conducted. Specific written representations – Written representations regarding specific assertions in the financial statements. Relevant parties – Parties responsible for preparing and presenting the financial statements and assertions therein. Regarding specific assertions, relevant parties may also include individuals who have specialized knowledge about those specific [1] This effective date will not be earlier than December 15, 2008. [2] The term “management” has been used in this ISA to describe those responsible for preparing and presenting the financial statements. Other terms may be appropriate depending on the legal framework in the particular jurisdiction. assertions and are part of the process followed in preparing and presenting the financial statements and assertions therein. (Ref: Para. A1-A2) The premises, relating to management’s responsibilities, on which an audit is conducted – Those responsibilities of management and, where appropriate, those charged with governance that are fundamental to the conduct of an audit in accordance with the ISAs. They are explained in ISA 200, “Objective and General Principles Governing an Audit of Financial Statements.” Requirements Relevant Parties The auditor shall determine the relevant parties from whom general and specific written representations shall be requested. (Ref: Para. A1-A3) The auditor shall request that relevant parties provide written representations based on relevant parties’ knowledge and belief, having made appropriate inquiries for them to be able to provide such representations. General Written Representations The auditor shall request relevant parties to provide the general written representations about the financial statements, including internal control, and the completeness of information made available to the auditor set out in paragraphs 8-10 for all financial statements and periods covered by the auditor’s report. Such general written representations provide necessary audit evidence about the validity of the premises, relating to management’s responsibilities, on which an audit is conducted. However, by themselves, they do not constitute sufficient appropriate audit evidence about the validity of the premises. Accordingly, they do not relieve the auditor of the responsibility to obtain other audit evidence. (Ref: Para. A4-A11, A16) Financial Statements The auditor shall request relevant parties to provide written representations that they acknowledge and understand their responsibility for preparing and presenting the financial statements, and whether they believe that the financial statements are prepared in accordance with the applicable financial reporting framework (or are fairly presented in accordance with the applicable financial reporting framework, when that framework is a fair presentation framework). The representations shall include: Whether the selection and application of accounting policies are appropriate; Whether all transactions have been recorded; and Whether the following matters, where relevant in view of the applicable financial reporting framework, have been recognized, measured or disclosed in accordance with that framework: o Plans or intentions that may affect the carrying value or classification of assets and liabilities; Liabilities, both actual and contingent; Title to or control over assets, and the liens or encumbrances on assets, and assets pledged as collateral; Aspects of contractual agreements that may affect the financial statements, including noncompliance; and o Events subsequent to the period end. Internal Control The auditor shall request relevant parties to provide a written representation that they acknowledge and understand their responsibility for designing, implementing and maintaining internal control relevant to preparing and presenting financial statements that are free from material misstatement, whether due to fraud or error, and whether they believe that the internal control they have maintained is adequate for that purpose. Completeness of Information The auditor shall request relevant parties to provide a written representation whether they believe that all records, documentation, unusual matters of which they are aware, and other information relevant to the audit have been made available to the auditor. Form and Date of General Written Representations The general written representations shall be in the form of a representation letter addressed to the auditor. The general written representations shall be as of the same date as the auditor’s report on the financial statements. (Ref: Para. A15) Specific Written Representations Other ISAs contain requirements for specific written representations. In addition to those, a specific written representation may be necessary to corroborate other audit evidence, particularly where judgment, intent or completeness is involved. The auditor shall determine whether specific written representations relating to specific assertions in the financial statements are necessary. Such specific written representations do not constitute sufficient appropriate audit evidence by themselves. Accordingly, they do not relieve the auditor of the responsibility to obtain other audit evidence. (Ref: Para. A12-A14, A16) The auditor shall determine whether it is necessary to request relevant parties to provide an updated specific written representation when the specific written representation is as of a date earlier than that of the auditor’s report on the financial statements. (Ref: Para. A15) Evaluating the Reliability of Written Representations Circumstances such as the following may cause the auditor

Introduction The purpose of this International Standard on Auditing (ISA) is to establish standards and to provide guidance on obtaining an understanding of the entity and its environment, including its internal control, and on assessing the risks of material misstatement in a financial statement audit. The importance of the auditor’s risk assessment as a basis for further audit procedures is discussed in the explanation of audit risk in ISA 200, “Objective and General Principles Governing an Audit of Financial Statements.” The auditor should obtain an understanding of the entity and its environment, including its internal control, sufficient to identify and assess the risks of material misstatement of the financial statements whether due to fraud or error, and sufficient to design and perform further audit procedures. ISA 500, “Audit Evidence,” requires the auditor to use assertions in sufficient detail to form a basis for the assessment of risks of material misstatement and the design and performance of further audit procedures. This ISA requires the auditor to make risk assessments at the financial statement and assertion levels based on an appropriate understanding of the entity and its environment, including its internal control. ISA 330, “The Auditor’s Procedures in Response to Assessed Risks” discusses the auditor’s responsibility to determine overall responses and to design and perform further audit procedures whose nature, timing, and extent are responsive to the risk assessments. The requirements and guidance of this ISA are to be applied in conjunction with the requirements and guidance provided in other ISAs. In particular, further guidance in relation to the auditor’s responsibility to assess the risks of material misstatement due to fraud is discussed in ISA 240, “The Auditor’s Responsibility to Consider Fraud in an Audit of Financial Statements.” The following is an overview of the requirements of this standard: Risk assessment procedures and sources of information about the entity and its environment, including its internal control. This section explains the audit procedures that the auditor is required to perform to obtain the understanding of the entity and its environment, including its internal control (risk assessment procedures). It also requires discussion among the engagement team about the susceptibility of the entity’s financial statements to material misstatement. Understanding the entity and its environment, including its internal control. This section requires the auditor to understand specified aspects of the entity and its environment, and components of its internal control, in order to identify and assess the risks of material misstatement. Assessing the risks of material misstatement. This section requires the auditor to identify and assess the risks of material misstatement at the financial statement and assertion levels. The auditor: ◦ Identifies risks by considering the entity and its environment, including relevant controls, and by considering the classes of transactions, account balances, and disclosures in the financial statements; ◦ Relates the identified risks to what can go wrong at the assertion level; and ◦ Considers the significance and likelihood of the risks. This section also requires the auditor to determine whether any of the assessed risks are significant risks that require special audit consideration or risks for which substantive procedures alone do not provide sufficient appropriate audit evidence. The auditor is required to evaluate the design of the entity’s controls, including relevant control activities, over such risks and determine whether they have been implemented. Communicating with those charged with governance and management. This section deals with matters relating to internal control that the auditor communicates to those charged with governance and management. Documentation. This section establishes related documentation requirements. Obtaining an understanding of the entity and its environment is an essential aspect of performing an audit in accordance with ISAs. In particular, that understanding establishes a frame of reference within which the auditor plans the audit and exercises professional judgment about assessing risks of material misstatement of the financial statements and responding to those risks throughout the audit, for example when: Establishing materiality and evaluating whether the judgment about materiality remains appropriate as the audit progresses; Considering the appropriateness of the selection and application of accounting policies, and the adequacy of financial statement disclosures; Identifying areas where special audit consideration may be necessary, for example, related party transactions, the appropriateness of management’s use of the going concern assumption, or considering the business purpose of transactions; Developing expectations for use when performing analytical procedures; Designing and performing further audit procedures to reduce audit risk to an acceptably low level; and Evaluating the sufficiency and appropriateness of audit evidence obtained, such as the appropriateness of assumptions and of management’s oral and written representations. The auditor uses professional judgment to determine the extent of the understanding required of the entity and its environment, including its internal control. The auditor’s primary consideration is whether the understanding that has been obtained is sufficient to assess the risks of material misstatement of the financial statements and to design and perform further audit procedures. The depth of the overall understanding that is required by the auditor in performing the audit is less than that possessed by management in managing the entity. Risk Assessment Procedures and Sources of Information About the Entity and Its Environment, Including Its Internal Control Obtaining an understanding of the entity and its environment, including its internal control, is a continuous, dynamic process of gathering, updating and analyzing information throughout the audit. As described in ISA 500, audit procedures to obtain an understanding are referred to as “risk assessment procedures” because some of the information obtained by performing such procedures may be used by the auditor as audit evidence to support assessments of the risks of material misstatement. In addition, in performing risk assessment procedures, the auditor may obtain audit evidence about classes of transactions, account balances, or disclosures and related assertions and about the operating effectiveness of controls, even though such audit procedures were not specifically planned as substantive procedures or as tests of controls. The auditor also may choose to perform substantive procedures or tests of controls concurrently with risk assessment procedures because it is efficient to

Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the specific responsibilities of the auditor regarding quality control procedures for an audit of financial statements. It also addresses, where applicable, the responsibilities of the engagement quality control reviewer. This ISA is to be read in conjunction with relevant ethical requirements. System of Quality Control and Role of Engagement Teams Quality control systems, policies and procedures are the responsibility of the audit firm. Under ISQC 1, the firm has an obligation to establish and maintain a system of quality control to provide it with reasonable assurance that: The firm and its personnel comply with professional standards and applicable legal and regulatory requirements; and Reports issued by the firm or engagement partners are appropriate in the circumstances.[1] This ISA is premised on the basis that the firm is subject to ISQC 1 or to national requirements that are at least as demanding. (Ref: Para. A1) Within the context of the firm’s system of quality control, engagement teams have a responsibility to implement quality control procedures that are applicable to the audit engagement and provide the firm with relevant information to enable the functioning of that part of the firm’s system of quality control relating to independence. Engagement teams are entitled to rely on the firm’s system of quality control, unless information provided by the firm or other parties suggests otherwise. (Ref: Para. A2) Effective Date This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009. Objective The objective of the auditor is to implement quality control procedures at the engagement level that provide the auditor with reasonable assurance that: The audit complies with professional standards and applicable legal and regulatory requirements; and [1] ISQC 1, “Quality Control for Firms that Perform Audits and Reviews of Financial Statements, and Other Assurance and Related Services Engagements,” paragraph 11. The auditor’s report issued is appropriate in the circumstances. Definitions For purposes of the ISAs, the following terms have the meanings attributed below: Engagement partner[1] – The partner or other person in the firm who is responsible for the audit engagement and its performance, and for the auditor’s report that is issued on behalf of the firm, and who, where required, has the appropriate authority from a professional, legal or regulatory body. Engagement quality control review – A process designed to provide an objective evaluation, on or before the date of the auditor’s report, of the significant judgments the engagement team made and the conclusions it reached in formulating the auditor’s report. The engagement quality control review process is for audits of financial statements of listed entities and those other audit engagements, if any, for which the firm has determined an engagement quality control review is required. Engagement quality control reviewer – A partner, other person in the firm, suitably qualified external person, or a team made up of such individuals, none of whom is part of the engagement team, with sufficient and appropriate experience and authority to objectively evaluate the significant judgments the engagement team made and the conclusions it reached in formulating the auditor’s report. Engagement team – All partners and staff performing the engagement, and any individuals engaged by the firm or a network firm who perform audit procedures on the engagement. This excludes an auditor’s external expert engaged by the firm or a network firm.[2] Firm – A sole practitioner, partnership or corporation or other entity of professional accountants. Inspection – In relation to completed audit engagements, procedures designed to provide evidence of compliance by engagement teams with the firm’s quality control policies and procedures. Listed entity – An entity whose shares, stock or debt are quoted or listed on a recognized stock exchange, or are marketed under the regulations of a recognized stock exchange or other equivalent body. [1] “Engagement partner,” “partner,” and “firm” should be read as referring to their public sector equivalents where relevant. [2] ISA 620, “Using the Work of an Auditor’s Expert,” paragraph 6(a), defines the term “auditor’s expert.” Monitoring – A process comprising an ongoing consideration and evaluation of the firm’s system of quality control, including a periodic inspection of a selection of completed engagements, designed to provide the firm with reasonable assurance that its system of quality control is operating effectively. Network firm – A firm or entity that belongs to a network. Network – A larger structure: That is aimed at cooperation, and That is clearly aimed at profit or cost-sharing or shares common ownership, control or management, common quality control policies and procedures, common business strategy, the use of a common brand name, or a significant part of professional resources. Partner – Any individual with authority to bind the firm with respect to the performance of a professional services engagement. Personnel – Partners and staff. Professional standards – International Standards on Auditing (ISAs) and relevant ethical requirements. Relevant ethical requirements – Ethical requirements to which the engagement team and engagement quality control reviewer are subject, which ordinarily comprise Parts A and B of the International Ethics Standards Board for Accountants’ Code of Ethics for Professional Accountants (IESBA Code) related to an audit of financial statements together with national requirements that are more restrictive. Staff – Professionals, other than partners, including any experts the firm employs. Suitably qualified external person – An individual outside the firm with the competence and capabilities to act as an engagement partner, for example, a partner of another firm, or an employee (with appropriate experience) of either a professional accountancy body whose members may perform audits of historical financial information or of an organization that provides relevant quality control services. Requirements Leadership Responsibilities for Quality on Audits The engagement partner shall take responsibility for the overall quality on each audit engagement to which that partner is assigned. (Ref: Para. A3) Relevant Ethical Requirements Throughout the audit engagement, the engagement partner shall remain alert, through observation and making inquiries as necessary, for evidence of non-compliance with relevant

INTRODUCTION   Professional standards and guidelines are essential for the credibility, quality and professionalism of public-sector auditing. The International Standards of Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) aim to promote independent and effective auditing and support the members of INTOSAI in the development of their own professional approach in accordance with their mandates and with national laws and regulations.   ISSAI 100 – Fundamental Principles of Public-Sector Auditing provides the fundamental principles for public-sector auditing in general and defines the authority of the ISSAIs. ISSAI 200 – Fundamental Principles of Financial Auditing has been developed to address the key principles related to an audit of financial statements in the public sector. It builds on and further develops the fundamental principles of ISSAI 100 to suit the specific context of audits of financial statements, and constitutes the basis for auditing standards related to audits of financial statements. ISSAI 200 should be read and understood in conjunction with ISSAI 100.   The main purpose of the ISSAIs on financial audit is to provide INTOSAI members with a comprehensive set of principles, standards and guidelines for the audit of financial statements of public-sector entities. In addition to ISSAI 200, the ISSAIs on financial audit comprise the Financial Audit Guidelines (ISSAIs 1000-2999) at level 4 of the ISSAI Framework. A general introduction to these guidelines is given in ISSAI 1000, while ISSAIs 1200 to 1810 each contain Practice Notes issued by INTOSAI to provide guidance on the application of the International Standards on Auditing (ISAs 200 to 810) developed by the International Auditing and Assurance Standards Board (IAASB). Each Practice Note and the corresponding ISA together constitute a guideline in the ISSAI Framework.   Financial audit focuses on determining whether an entity’s financial information is presented in accordance with the applicable financial reporting and regulatory framework. The scope of financial audits in the public sector may be defined by the SAI’s mandate as a range of audit objectives in addition to the objectives of an audit of financial statements prepared in accordance with a financial reporting framework. These objectives may include the auditing of:   states’ or entities’ accounts or other financial reports, not necessarily prepared in accordance with a general-purpose financial reporting framework; budgets, budget sections, appropriations and other decisions on the allocation of resources, and the implementation thereof; policies, programmes or activities defined by their legal basis or source of financing;  legally-defined areas of responsibility, such as the responsibilities of ministers; and  categories of income or payments or assets or liabilities.   When the SAI’s mandate defines such additional audit objectives, the SAI may also need to consider developing or adopting standards based on the general fundamental principles of public-sector auditing in ISSAI 100 and the fundamental principles of compliance and performance auditing. The guidance of the Financial Audit Guidelines on special-purpose frameworks[1], audits of single financial statements and specific elements, accounts or items of a financial statement[2], and reports on summary financial statements[3], may also be relevant for such purposes.   This ISSAI provides detailed information on the following:   The purpose and authority of the Fundamental Principles of Financial Auditing The framework for auditing financial statements in the public sector  The elements of an audit of financial statements  The principles of an audit of financial statements.   PURPOSE AND AUTHORITY OF THE FUNDAMENTAL PRINCIPLES OF FINANCIAL AUDITING   ISSAI 200 provides the fundamental principles for an audit of financial statements prepared in accordance with a financial reporting framework. The principles also apply when an SAI is engaged or has responsibility to audit single financial statements and specific elements, accounts or items of a financial statement, or financial statements prepared in accordance with special-purpose financial frameworks, or summary financial statements. Where reference is made in ISSAI 200 to audits of financial statements, this includes responsibilities of this nature.   ISSAIs 1000 to 1810 on financial audits may be applied as appropriate to these responsibilities. However, auditors are prohibited from making reference to the use of the ISSAIs if:   the preconditions for an audit in accordance with the ISSAIs on financial audit are not in place[4]; or the auditor is not able to comply with the authority attached to the ISAs5 and ISSAIs.   The Fundamental Principles of Financial Auditing apply to all public-sector audits of financial statements, whether for the whole of government, parts of government or single entities.   ISSAI 200 – Fundamental Principles of Financial Auditing represents the core of the detailed auditing standards provided by ISSAIs 1000 to 1810 at level 4 of the ISSAI Framework. The principles in ISSAI 200 can be used in three ways:   as a basis on which to develop standards, as a basis on which to adopt consistent national standards, as a basis for adoption of the Financial Audit Guidelines as the authoritative standards.   Reference to ISSAI 200 in reports should only be made if auditing standards have been developed or adopted that fully comply with all relevant principles of ISSAI 200. A principle is considered relevant when it deals with the type of audit or combinations of audit types and the [1] ISSAI 1800 – Special Considerations – Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks. [2] ISSAI 1805 – Special Considerations – Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement. [3] ISSAI 1810 – Engagements to Report on Summary Financial Statements. [4] ISSAI 1210 – Agreeing the Terms of Audit Engagements, paragraphs 6-8. 5 ISSAI 1000, paragraphs 37-43. circumstances or procedures are applicable. The principles in no way override national laws, regulations or mandates.   When adopting or developing audit standards based on the Fundamental Auditing Principles, reference to these in reports may be made by stating:   …We conducted our audit in accordance with [standards], which are based on [or consistent with] the Fundamental Auditing Principles (ISSAIs 100-999) of the International Standards of Supreme

EXPLORING ISSUES TO DETERMINE A WAY FORWARD                     I.      Background The term non-assurance services is used throughout the Code when referring to engagements that do not meet the definition of an assurance engagement. An assurance engagement is an engagement in which a professional accountant in public practice (PAPP) expresses a conclusion designed to enhance the degree of confidence of the intended users other than the responsible party about the outcome of the evaluation or measurement of a subject matter against criteria. An audit engagement is a reasonable assurance engagement in which a PAPP expresses an opinion on whether financial statements are prepared, in all material respects (or give a true and fair view or are presented fairly, in all material respects), in accordance with an applicable financial reporting framework. This includes statutory audits, which is an audit required by legislation or other regulation. Auditor independence is critical to public trust in audited financial statements, and contributes to audit quality. In recent years, there have been a number of legal and regulatory developments aimed at responding to issues affecting auditor independence, including audit firms’ provision of non-assurance services (NAS)[1] to audit clients.[2] Some stakeholders and the Public Interest Oversight Board have called for IESBA to review its International Independence Standards relating to the provision of NAS to audit clients. Having completed a number of projects which culminated in the April 2018 release of a completely rewritten and substantively revised International Code of Ethics for Professional Accountants (including International Independence Standards) (the Code[3]), the IESBA has established a Working Group to further understand and respond to those calls. Global Roundtables In deciding to hold three global roundtables in North America (Washington, DC, USA), Europe (Paris, France), and Asia Pacific (Tokyo, Japan), the IESBA is seeking to further understand stakeholders’ views about specific issues that might arise when firms and network firms provide NAS to their audit clients and whether changes are needed to the Code to address them. Purpose of Briefing Note This briefing note summarizes the NAS issues that the IESBA has identified to-date, in particular, in relation to audit clients that are public interest entities (PIEs). Some of the issues were raised by [1] Except where otherwise noted, NAS in this paper is used to refer to the term “non-assurance services” as used in the IESBA Code. In some jurisdictions the term “non-audit” services is used in describing similar issues. For example, the term “non-audit services” is used in the UK to cover any service that does not form part of the audit engagement (i.e., both “non-assurance” and “assurance services” other than an audit).The terms “non-audit services” and “non-assurance services” are not defined terms in the IESBA Code. [2] The main focus of this paper and the roundtable discussions is on firms’ provision of NAS to audit clients in the context of independence. Some of the issues may be relevant also to circumstances where firms provide NAS to assurance clients in the context of independence. [3] The references to “the Code” in this paper are to the revised and restructured Code which was released on April 9, 2018, and which will become effective in June 2019. respondents to Exposure Drafts (EDs) relating to the IESBA’s recently completed Safeguards and Structure of the Code (Structure) projects, and respondents to the IESBA’s November 2017 Fees Questionnaire. The paper is intended to facilitate a multi-stakeholder dialogue to explore possible solutions to the public interest issues that have been raised in relation to the provision of NAS by audit firms. The paper is organized as follows: Overview of NAS provisions in the Code; General policy objective; Summary of specific issues identified by stakeholders; and Questions for roundtable participants. II.     Overview of NAS Provisions in the Code In addition to the requirement to apply the enhanced conceptual framework[1] to identify, evaluate and address threats when providing NAS to audit clients, Section 600[2] of the Code contains general and specific requirements and application material that apply to firms and network firms when providing NAS to audit clients. The general provisions set out in paragraphs 600.1 to R600.10 apply in all situations when a NAS is provided to an audit client. Additional and more specific provisions are set out in subsections 601-610 and apply when providing certain types of NAS to audit clients. A list of the types of NAS that are dealt with in the Code is included in Appendix 1 of this document. As part of the general provisions in paragraphs 600.1 to R600.10, the Code includes: An overarching requirement that prohibits the assumption of management responsibilities when providing any NAS to audit clients.[3] Management responsibilities involve controlling, leading and directing an entity, including making decisions regarding the acquisition, deployment and control of human, financial, technological, physical and intangible resources. The conceptual framework specifies the approach that all professional accountants, including auditors, are required to use to identify, evaluate and address threats to compliance with the fundamental principles and, where applicable, independence. Clarifications and improvements to assist firms and network firms to better apply the conceptual framework in relation to identifying, evaluating and addressing threats created by providing a NAS to an audit client. For example, the Code now states in a more explicit manner that there are some situations in which safeguards might not be available, or capable of reducing threats created by providing a NAS to an acceptable level and that in such situations, the firm or network is required to decline or end the NAS or the audit engagement. Highlights of the clarifications and improvements to the conceptual framework is included in Appendix 2 of this document. [1] The conceptual framework is set out in Part 1 – Complying with the Code, Fundamental Principles and Conceptual Framework, Section 120, The Conceptual Framework.  [2] International Independence Standards, Part 4A – Independence for Audits and Reviews, Section 600, Provision of Nonassurance Services to an Audit Client [3] See Part 4, Section 600, paragraph R600.7 and related provisions in paragraphs 600.7 A1

INTRODUCTION INTOSAI’s fundamental auditing principles recognise that due to the differing approaches and structures of Supreme Audit Institutions (SAIs), not all auditing standards apply to all aspects of their work[1]. Furthermore, on the basis of the terms of the audit mandate with which SAIs are empowered, any auditing standards external to the SAI cannot be prescriptive, nor have a mandatory application to the work of the SAI[2]. However, in order to promote high quality work across its members, INTOSAI advocates that each SAI should establish a policy which has regard to INTOSAI standards, and other specific professional standards, which should be followed in carrying out various types of work that the organisation conducts. This audit guideline of key principles outlines a common understanding of what defines high quality work in performance auditing. Comparisons between the practices of performance auditing in different countries show considerable variations depending on the mandate, organisation and methods used by the SAIs. The legal, administrative and economic environment can have a bearing on the nature of performance audits conducted and how they are carried out. The maturity of public sector administration also impacts on the extent and nature of performance audits that can be performed. Performance auditing generally follows one of three approaches in examining the performance of the audited entity. The audit may take a result-oriented approach, which assesses whether pre-defined objectives have been achieved as intended, a problemoriented approach, which verifies and analyses the causes of a particular problem(s), or a system-oriented approach which examines the proper functioning of management systems: or a combination of the three approaches. Performance audit may also adopt one of two perspectives for the audit: a top-down perspective, which focuses on the requirements, intentions, objectives and expectations of the Legislature, Executive and/or regulatory body, or a bottom-up perspective, that focuses on the effects of the activity on the audited entity and the larger community[3]. In the case of the former performance audit does not question the intentions and decisions of the legislature, but instead examines whether possible shortcomings in the laws and regulations have affected those intentions being met. Depending on their mandate, SAIs may audit the assumptions on which policy decisions were based and the impact of such policy decisions. The audit provides an objective assessment to inform the legislature on such issues as how to enhance policy target achievement and/or how to accomplish objectives more efficiently and effectively. Whichever approach or perspective is adopted, performance audit aims mainly towards examining the economy, efficiency and effectiveness of the audited entity in the performance of its functions and activities, not excluding the verification of the audited entity’s compliance with established legislation and regulations[4]. Where appropriate, the impact of the regulatory or institutional framework on the performance of the entity should also be taken into account. Performance audit often achieves this by attempting to answer two basic questions: are the right things being done, and are things being done in the right way? As performance auditing can deal with all facets of the public sector, it would not be possible or appropriate to propose detailed common auditing standards to cover all situations. Accordingly, auditors are required to apply their own professional judgments and applicable professional standards to the diverse situations that arise in the course of performance auditing. This document is largely based upon the concepts contained in ISSAI 3000 – Implementation guidelines for Performance Auditing, to which auditors should refer for additional guidance. 2. KEY PRINCIPLES OF PERFORMANCE AUDITING   2.1              Definitions Performance auditing is an independent and objective examination of government undertakings, systems, programmes or organisations, with regard to one or more of the three aspects of economy, efficiency and effectiveness, aiming to lead to improvements5. The performance audit task is a separately identifiable piece of audit work, typically resulting in the issuing of a statement, or report. It should have clearly identifiable objectives and pertain to a single or clearly identifiable group of activities, systems, programmes or bodies know as the “audited entity”. 2.2.             Performance audit objective   According to ISSAI 100[5], an individual performance audit should have the objective of examining one or more of these three assertions: the economy of activities in accordance with sound administrative principles and practices, and management policies; the efficiency of utilisation of human, financial and other resources, including examination of information systems, performance measures and monitoring arrangements, and procedures followed by audited entities for remedying identified deficiencies; and the effectiveness of performance in relation to the achievement of the objectives of the audited entity, and the actual impact of activities compared with the intended impact.   The audit objectives are usually expressed in the form of one overall audit question and a limited number of subsidiary questions that the audit will answer and conclude against. Such questions are thematically related, complementary, not overlapping and collectively exhaustive in addressing the overall question. The audit questions addressed by performance audit do not have to be exclusively based on a retrospective audit approach. In a performance audit, SAIs can take an early initiative and furnish proactive audit findings, and/or recommendations, where appropriate, if this is explicitly allowed by their legal mandate. Furthermore, financial and compliance audit aspects[6], including environmental considerations in the context of sustainable development, can also be included in a performance audit. Finally, the perspective of the citizen that is related to the performance of the audited entity should be taken into account where appropriate. 2.3 Selecting audit topics   Auditors should select audit topics that are significant, auditable, and reflect the SAI’s mandate8. The audit should lead to important benefits for public finance and administration, the audited entity, or the general public. Where there is an overlap between other types of audit and performance auditing, classification of the audit engagement will be determined by the primary purpose of that audit[7]. Aside from audits carried out under legal mandate at the request of the Parliament or other empowered entity, performance audit topics should be selected on the basis

Introduction The purpose of this International Standard on Review Engagements (ISRE) is to establish standards and provide guidance on the practitioner’s professional responsibilities when a practitioner, who is not the auditor of an entity, undertakes an engagement to review financial statements and on the form and content of the report that the practitioner issues in connection with such a review. A practitioner, who is the auditor of the entity, engaged to perform a review of interim financial information performs such a review in accordance with ISRE 2410, “Review of Interim Financial Information Performed by the Independent Auditor of the Entity.” This ISRE is directed towards the review of financial statements. However, it is to be applied, adapted as necessary in the circumstances, to engagements to review other historical financial information. Guidance in the International Standard on Auditing (ISAs) may be useful to the practitioner in applying this ISRE.∗ Objective of a Review Engagement The objective of a review of financial statements is to enable a practitioner to state whether, on the basis of procedures which do not provide all the evidence that would be required in an audit, anything has come to the practitioner’s attention that causes the practitioner to believe that the financial statements are not prepared, in all material respects, in accordance with the applicable financial reporting framework (negative assurance). General Principles of a Review Engagement The practitioner should comply with the Code of Ethics for Professional Accountants issued by the International Ethics Standards Board for Accountants (the IESBA Code). Ethical principles governing the practitioner’s professional responsibilities are: Independence; Integrity; Objectivity; Professional competence and due care; Confidentiality; (f) Professional behavior; and (g)      Technical standards. * Paragraph 2 of this ISRE was amended in December 2007 to clarify the application of the ISRE. The practitioner should conduct a review in accordance with this ISRE. The practitioner should plan and perform the review with an attitude of professional skepticism recognizing that circumstances may exist which cause the financial statements to be materially misstated. For the purpose of expressing negative assurance in the review report, the practitioner should obtain sufficient appropriate evidence primarily through inquiry and analytical procedures to be able to draw conclusions. Scope of a Review The term “scope of a review” refers to the review procedures deemed necessary in the circumstances to achieve the objective of the review. The procedures required to conduct a review of financial statements should be determined by the practitioner having regard to the requirements of this ISRE, relevant professional bodies, legislation, regulation and, where appropriate, the terms of the review engagement and reporting requirements. Moderate Assurance A review engagement provides a moderate level of assurance that the information subject to review is free of material misstatement, this is expressed in the form of negative assurance. Terms of Engagement The practitioner and the client should agree on the terms of the engagement. The agreed terms would be recorded in an engagement letter or other suitable form such as a contract. An engagement letter will be of assistance in planning the review work. It is in the interests of both the practitioner and the client that the practitioner sends an engagement letter documenting the key terms of the appointment. An engagement letter confirms the practitioner’s acceptance of the appointment and helps avoid misunderstanding regarding such matters as the objectives and scope of the engagement, the extent of the practitioner’s responsibilities and the form of reports to be issued. Matters that would be included in the engagement letter include the following: The objective of the service being performed. Management’s responsibility for the financial statements. The scope of the review, including reference to this ISRE (or relevant national standards or practices). Unrestricted access to whatever records, documentation and other information requested in connection with the review. A sample of the report expected to be rendered. The fact that the engagement cannot be relied upon to disclose errors, illegal acts or other irregularities, for example, fraud or defalcations that may exist. A statement that an audit is not being performed and that an audit opinion will not be expressed. To emphasize this point and to avoid confusion, the practitioner may also consider pointing out that a review engagement will not satisfy any statutory or third party requirements for an audit. An example of an engagement letter for a review of financial statements appears in Appendix 1 to this ISRE. Planning The practitioner should plan the work so that an effective engagement will be performed. In planning a review of financial statements, the practitioner should obtain or update the knowledge of the business including consideration of the entity’s organization, accounting systems, operating characteristics and the nature of its assets, liabilities, revenues and expenses. The practitioner needs to possess an understanding of such matters and other matters relevant to the financial statements, for example, a knowledge of the entity’s production and distribution methods, product lines, operating locations and related parties. The practitioner requires this understanding to be able to make relevant inquiries and to design appropriate procedures, as well as to assess the responses and other information obtained. Work Performed by Others When using work performed by another practitioner or an expert, the practitioner should be satisfied that such work is adequate for the purposes of the review. Documentation The practitioner should document matters which are important in providing evidence to support the review report, and evidence that the review was carried out in accordance with this ISRE. Procedures and Evidence The practitioner should apply judgment in determining the specific nature, timing and extent of review procedures. The practitioner will be guided by such matters as the following: Any knowledge acquired by carrying out audits or reviews of the financial statements for prior periods. The practitioner’s knowledge of the business including knowledge of the accounting principles and practices of the industry in which the entity operates. The entity’s accounting systems. The extent to which a particular item is affected by management judgment. The materiality of transactions and account

Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the auditor’s responsibility to form an opinion on the financial statements. It also deals with the form and content of the auditor’s report issued as a result of an audit of financial statements. ISA 701[1] deals with the auditor’s responsibility to communicate key audit matters in the auditor’s report. ISA 705[2] (Revised) and ISA 706[3] (Revised) deal with how the form and content of the auditor’s report are affected when the auditor expresses a modified opinion or includes an Emphasis of Matter paragraph or an Other Matter paragraph in the auditor’s report. Other ISAs also contain reporting requirements that are applicable when issuing an auditor’s report. This ISA applies to an audit of a complete set of general purpose financial statements and is written in that context. ISA 800[4] deals with special considerations when financial statements are prepared in accordance with a special purpose framework. ISA 805[5] deals with special considerations relevant to an audit of a single financial statement or of a specific element, account or item of a financial statement. This ISA also applies to audits for which ISA 800 or ISA 805 apply. The requirements of this ISA are aimed at addressing an appropriate balance between the need for consistency and comparability in auditor reporting globally and the need to increase the value of auditor reporting by making the information provided in the auditor’s report more relevant to users. This ISA promotes consistency in the auditor’s report, but recognizes the need for flexibility to accommodate particular circumstances of individual jurisdictions. Consistency in the auditor’s report, when the audit has been conducted in accordance with ISAs, promotes credibility in the global marketplace by making more readily identifiable those audits that have been conducted in accordance with globally recognized standards. It also helps to promote the user’s understanding and to identify unusual circumstances when they occur. Effective Date This ISA is effective for audits of financial statements for periods ending on or after December 15, 2016. Objectives The objectives of the auditor are: To form an opinion on the financial statements based on an evaluation of the conclusions drawn from the audit evidence obtained; and To express clearly that opinion through a written report. [1] ISA 701, Communicating Key Audit Matters in the Independent Auditor’s Report [2] ISA 705 (Revised), Modifications to the Opinion in the Independent Auditor’s Report [3] ISA 706 (Revised), Emphasis of Matter Paragraphs and Other Matter Paragraphs in the Independent Auditor’s Report [4] ISA 800, Special Considerations—Audits of Financial Statements Prepared in Accordance with Special Purpose Frameworks [5] ISA 805, Special Considerations—Audits of Single Financial Statements and Specific Elements, Accounts or Items of a Financial Statement Definitions For purposes of the ISAs, the following terms have the meanings attributed below: General purpose financial statements – Financial statements prepared in accordance with a general purpose framework. General purpose framework – A financial reporting framework designed to meet the common financial information needs of a wide range of users. The financial reporting framework may be a fair presentation framework or a compliance framework. The term “fair presentation framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework and: Acknowledges explicitly or implicitly that, to achieve fair presentation of the financial statements, it may be necessary for management to provide disclosures beyond those specifically required by the framework; or Acknowledges explicitly that it may be necessary for management to depart from a requirement of the framework to achieve fair presentation of the financial statements. Such departures are expected to be necessary only in extremely rare circumstances. The term “compliance framework” is used to refer to a financial reporting framework that requires compliance with the requirements of the framework, but does not contain the acknowledgements in (i) or (ii) above.[1] Unmodified opinion – The opinion expressed by the auditor when the auditor concludes that the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.[2] Reference to “financial statements” in this ISA means “a complete set of general purpose financial statements, including the related notes.” The related notes ordinarily comprise a summary of significant accounting policies and other explanatory information. The requirements of the applicable financial reporting framework determine the form and content of the financial statements, and what constitutes a complete set of financial statements. Reference to “International Financial Reporting Standards” in this ISA means the International Financial Reporting Standards (IFRSs) issued by the International Accounting Standards Board, and reference to “International Public Sector Accounting Standards” means the International Public Sector Accounting Standards (IPSASs) issued by the International Public Sector Accounting Standards Board. Requirements Forming an Opinion on the Financial Statements The auditor shall form an opinion on whether the financial statements are prepared, in all material respects, in accordance with the applicable financial reporting framework.[3],[4] In order to form that opinion, the auditor shall conclude as to whether the auditor has obtained reasonable assurance about whether the financial statements as a whole are free from material misstatement, whether due to fraud or error. That conclusion shall take into account: The auditor’s conclusion, in accordance with ISA 330, whether sufficient appropriate audit evidence has been obtained;[5] The auditor’s conclusion, in accordance with ISA 450, whether uncorrected misstatements are material, individually or in aggregate;[6] and The evaluations required by paragraphs 12–15. The auditor shall evaluate whether the financial statements are prepared, in all material respects, in accordance with the requirements of the applicable financial reporting framework. This evaluation shall include consideration of the qualitative aspects of the entity’s accounting practices, including indicators of possible bias in management’s judgments. (Ref: Para. A1–A3) In particular, the auditor shall evaluate whether, in view of the requirements of the applicable financial reporting framework: The financial statements adequately disclose the significant accounting policies selected and applied; The accounting policies selected and applied are consistent with the applicable financial reporting framework and are appropriate; The accounting

Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the auditor’s responsibilities relating to the work of an individual or organization in a field of expertise other than accounting or auditing, when that work is used to assist the auditor in obtaining sufficient appropriate audit evidence. This ISA does not deal with: Situations where the engagement team includes a member, or consults an individual or organization, with expertise in a specialized area of accounting or auditing, which are dealt with in ISA 220;[1] or The auditor’s use of the work of an individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements (a management’s expert), which is dealt with in ISA 500.2 The Auditor’s Responsibility for the Audit Opinion The auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the auditor’s use of the work of an auditor’s expert. Nonetheless, if the auditor using the work of an auditor’s expert, having followed this ISA, concludes that the work of that expert is adequate for the auditor’s purposes, the auditor may accept that expert’s findings or conclusions in the expert’s field as appropriate audit evidence. Effective Date This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009. Objectives The objectives of the auditor are: To determine whether to use the work of an auditor’s expert; and If using the work of an auditor’s expert, to determine whether that work is adequate for the auditor’s purposes. [1] ISA 220, “Quality Control for an Audit of Financial Statements,” paragraphs A10, A20–A22. 2      ISA 500, “Audit Evidence,” paragraphs A34–A48. Definitions For purposes of the ISAs, the following terms have the meanings attributed below: Auditor’s expert – An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the auditor to assist the auditor in obtaining sufficient appropriate audit evidence. An auditor’s expert may be either an auditor’s internal expert (who is a partner[1] or staff, including temporary staff, of the auditor’s firm or a network firm), or an auditor’s external (Ref: Para. A1–A3) Expertise – Skills, knowledge and experience in a particular field. Management’s expert – An individual or organization possessing expertise in a field other than accounting or auditing, whose work in that field is used by the entity to assist the entity in preparing the financial statements. Requirements Determining the Need for an Auditor’s Expert If expertise in a field other than accounting or auditing is necessary to obtain sufficient appropriate audit evidence, the auditor shall determine whether to use the work of an auditor’s expert. (Ref: Para. A4–A9) Nature, Timing and Extent of Audit Procedures The nature, timing and extent of the auditor’s procedures with respect to the requirements in paragraphs 9–13 of this ISA will vary depending on the circumstances. In determining the nature, timing and extent of those procedures, the auditor shall consider matters including: (Ref: Para. A10) (a) The nature of the matter to which that expert’s work relates; The risks of material misstatement in the matter to which that expert’s work relates; The significance of that expert’s work in the context of the audit; The auditor’s knowledge of and experience with previous work performed by that expert; and Whether that expert is subject to the auditor’s firm’s quality control policies and procedures. (Ref: Para. A11–A13) The Competence, Capabilities and Objectivity of the Auditor’s Expert The auditor shall evaluate whether the auditor’s expert has the necessary competence, capabilities and objectivity for the auditor’s purposes. In the case of an auditor’s external expert, the evaluation of objectivity shall include inquiry regarding interests and relationships that may create a threat to that expert’s objectivity. (Ref: Para. A14–A20) Obtaining an Understanding of the Field of Expertise of the Auditor’s Expert The auditor shall obtain a sufficient understanding of the field of expertise of the auditor’s expert to enable the auditor to: (Ref: Para. A21–A22) Determine the nature, scope and objectives of that expert’s work for the auditor’s purposes; and Evaluate the adequacy of that work for the auditor’s purposes. Agreement with the Auditor’s Expert The auditor shall agree, in writing when appropriate, on the following matters with the auditor’s expert: (Ref: Para. A23–A26) The nature, scope and objectives of that expert’s work; (Ref: Para. A27) The respective roles and responsibilities of the auditor and that expert; (Ref: Para. A28–A29) The nature, timing and extent of communication between the auditor and that expert, including the form of any report to be provided by that expert; and (Ref: Para. A30) The need for the auditor’s expert to observe confidentiality requirements. (Ref: Para. A31) Evaluating the Adequacy of the Auditor’s Expert’s Work The auditor shall evaluate the adequacy of the auditor’s expert’s work for the auditor’s purposes, including: (Ref: Para. A32) The relevance and reasonableness of that expert’s findings or conclusions, and their consistency with other audit evidence; (Ref: Para. A33–A34) If that expert’s work involves use of significant assumptions and methods, the relevance and reasonableness of those assumptions and methods in the circumstances; and (Ref: Para. A35–A37) If that expert’s work involves the use of source data that is significant to that expert’s work, the relevance, completeness, and accuracy of that source data. (Ref: Para. A38–A39) If the auditor determines that the work of the auditor’s expert is not adequate for the auditor’s purposes, the auditor shall: (Ref: Para. A40) Agree with that expert on the nature and extent of further work to be performed by that expert; or Perform additional audit procedures appropriate to the circumstances. Reference to the Auditor’s Expert in the Auditor’s Report The auditor shall not refer to the work of an auditor’s expert in an auditor’s report containing an unmodified opinion unless required by law or regulation to do so. If such reference is

Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the auditor’s responsibility to identify and assess the risks of material misstatement in the financial statements, through understanding the entity and its environment, including the entity’s internal control. Effective Date This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009. Objective The objective of the auditor is to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control, thereby providing a basis for designing and implementing responses to the assessed risks of material misstatement. Definitions For purposes of the ISAs, the following terms have the meanings attributed below: Assertions – Representations by management, explicit or otherwise, that are embodied in the financial statements, as used by the auditor to consider the different types of potential misstatements that may occur. Business risk – A risk resulting from significant conditions, events, circumstances, actions or inactions that could adversely affect an entity’s ability to achieve its objectives and execute its strategies, or from the setting of inappropriate objectives and strategies. Internal control – The process designed, implemented and maintained by those charged with governance, management and other personnel to provide reasonable assurance about the achievement of an entity’s objectives with regard to reliability of financial reporting, effectiveness and efficiency of operations, and compliance with applicable laws and regulations. The term “controls” refers to any aspects of one or more of the components of internal control. Risk assessment procedures – The audit procedures performed to obtain an understanding of the entity and its environment, including the entity’s internal control, to identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels. Significant risk – An identified and assessed risk of material misstatement that, in the auditor’s judgment, requires special audit consideration. Requirements Risk Assessment Procedures and Related Activities The auditor shall perform risk assessment procedures to provide a basis for the identification and assessment of risks of material misstatement at the financial statement and assertion levels. Risk assessment procedures by themselves, however, do not provide sufficient appropriate audit evidence on which to base the audit opinion. (Ref: Para. A1–A5) The risk assessment procedures shall include the following: Inquiries of management, and of others within the entity who in the auditor’s judgment may have information that is likely to assist in identifying risks of material misstatement due to fraud or error. (Ref: Para. A6) Analytical procedures. (Ref: Para. A7–A10) Observation and inspection. (Ref: Para. A11) The auditor shall consider whether information obtained from the auditor’s client acceptance or continuance process is relevant to identifying risks of material misstatement. If the engagement partner has performed other engagements for the entity, the engagement partner shall consider whether information obtained is relevant to identifying risks of material misstatement. Where the auditor intends to use information obtained from the auditor’s previous experience with the entity and from audit procedures performed in previous audits, the auditor shall determine whether changes have occurred since the previous audit that may affect its relevance to the current audit. (Ref: Para. A12–A13) The engagement partner and other key engagement team members shall discuss the susceptibility of the entity’s financial statements to material misstatement, and the application of the applicable financial reporting framework to the entity’s facts and circumstances. The engagement partner shall determine which matters are to be communicated to engagement team members not involved in the discussion. (Ref: Para. A14–A16) The Required Understanding of the Entity and Its Environment, Including the Entity’s Internal Control The Entity and Its Environment The auditor shall obtain an understanding of the following: Relevant industry, regulatory, and other external factors including the applicable financial reporting framework. (Ref: Para. A17–A22) The nature of the entity, including: its operations; its ownership and governance structures; the types of investments that the entity is making and plans to make, including investments in special-purpose entities; and (iv)  the way that the entity is structured and how it is financed, to enable the auditor to understand the classes of transactions, account balances, and disclosures to be expected in the financial statements. (Ref: Para. A23–A27) The entity’s selection and application of accounting policies, including the reasons for changes thereto. The auditor shall evaluate whether the entity’s accounting policies are appropriate for its business and consistent with the applicable financial reporting framework and accounting policies used in the relevant industry. (Ref: Para. A28) The entity’s objectives and strategies, and those related business risks that may result in risks of material misstatement. (Ref: Para. A29–A35) The measurement and review of the entity’s financial performance. (Ref: Para. A36–A41) The Entity’s Internal Control The auditor shall obtain an understanding of internal control relevant to the audit. Although most controls relevant to the audit are likely to relate to financial reporting, not all controls that relate to financial reporting are relevant to the audit. It is a matter of the auditor’s professional judgment whether a control, individually or in combination with others, is relevant to the audit. (Ref: Para. A42–A65) Nature and Extent of the Understanding of Relevant Controls When obtaining an understanding of controls that are relevant to the audit, the auditor shall evaluate the design of those controls and determine whether they have been implemented, by performing procedures in addition to inquiry of the entity’s personnel. (Ref: Para. A66–A68) Components of Internal Control Control environment The auditor shall obtain an understanding of the control environment. As part of obtaining this understanding, the auditor shall evaluate whether: Management, with the oversight of those charged with governance, has created and maintained a culture of honesty and ethical behavior; and The strengths in the control environment elements collectively provide an appropriate foundation for the other components of internal control, and whether those other components are not undermined by deficiencies in the control environment. (Ref: Para. A69–A78)

Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the external auditor’s responsibilities relating to the work of internal auditors when the external auditor has determined, in accordance with ISA 315,[1] that the internal audit function is likely to be relevant to the audit. (Ref: Para. A1–A2) This ISA does not deal with instances when individual internal auditors provide direct assistance to the external auditor in carrying out audit procedures. Relationship between the Internal Audit Function and the External Auditor The objectives of the internal audit function are determined by management and, where applicable, those charged with governance. While the objectives of the internal audit function and the external auditor are different, some of the ways in which the internal audit function and the external auditor achieve their respective objectives may be similar. (Ref: Para. A3) Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is not independent of the entity as is required of the external auditor when expressing an opinion on financial statements. The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal auditors. Effective Date This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009. Objectives The objectives of the external auditor, where the entity has an internal audit function that the external auditor has determined is likely to be relevant to the audit, are: To determine whether, and to what extent, to use specific work of the internal auditors; and If using the specific work of the internal auditors, to determine whether that work is adequate for the purposes of the audit. [1] ISA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment,” paragraph 23. Introduction Scope of this ISA This International Standard on Auditing (ISA) deals with the external auditor’s responsibilities relating to the work of internal auditors when the external auditor has determined, in accordance with ISA 315,[1] that the internal audit function is likely to be relevant to the audit. (Ref: Para. A1–A2) This ISA does not deal with instances when individual internal auditors provide direct assistance to the external auditor in carrying out audit procedures. Relationship between the Internal Audit Function and the External Auditor The objectives of the internal audit function are determined by management and, where applicable, those charged with governance. While the objectives of the internal audit function and the external auditor are different, some of the ways in which the internal audit function and the external auditor achieve their respective objectives may be similar. (Ref: Para. A3) Irrespective of the degree of autonomy and objectivity of the internal audit function, such function is not independent of the entity as is required of the external auditor when expressing an opinion on financial statements. The external auditor has sole responsibility for the audit opinion expressed, and that responsibility is not reduced by the external auditor’s use of the work of the internal auditors. Effective Date This ISA is effective for audits of financial statements for periods beginning on or after December 15, 2009. Objectives The objectives of the external auditor, where the entity has an internal audit function that the external auditor has determined is likely to be relevant to the audit, are: To determine whether, and to what extent, to use specific work of the internal auditors; and If using the specific work of the internal auditors, to determine whether that work is adequate for the purposes of the audit. [1] ISA 315, “Identifying and Assessing the Risks of Material Misstatement through Understanding the Entity and Its Environment,” paragraph 23. A2.  Carrying out procedures in accordance with this ISA may cause the external auditor to re-evaluate the external auditor’s assessment of the risks of material misstatement. Consequently, this may affect the external auditor’s determination of the relevance of the internal audit function to the audit. Similarly, the external auditor may decide not to otherwise use the work of the internal auditors to affect the nature, timing or extent of the external auditor’s procedures. In such circumstances, the external auditor’s further application of this ISA may not be necessary. Objectives of the Internal Audit Function (Ref: Para. 3) A3. The objectives of internal audit functions vary widely and depend on the size and structure of the entity and the requirements of management and, where applicable, those charged with governance. The activities of the internal audit function may include one or more of the following: Monitoring of internal control. The internal audit function may be assigned specific responsibility for reviewing controls, monitoring their operation and recommending improvements thereto. Examination of financial and operating information. The internal audit function may be assigned to review the means used to identify, measure, classify and report financial and operating information, and to make specific inquiry into individual items, including detailed testing of transactions, balances and procedures. Review of operating activities. The internal audit function may be assigned to review the economy, efficiency and effectiveness of operating activities, including non-financial activities of an entity. Review of compliance with laws and regulations. The internal audit function may be assigned to review compliance with laws, regulations and other external requirements, and with management policies and directives and other internal requirements. Risk management. The internal audit function may assist the organization by identifying and evaluating significant exposures to risk and contributing to the improvement of risk management and control systems. The internal audit function may assess the governance process in its accomplishment of objectives on ethics and values, performance management and accountability, communicating risk and control information to appropriate areas of the organization and effectiveness of communication among those charged with governance, external and internal auditors, and management. Determining Whether and to What Extent to Use the Work of the Internal Auditors Whether the Work of the Internal Auditors Is Likely to Be Adequate for

INTRODUCTION   Professional standards and guidelines are essential for the credibility, quality and professionalism of public-sector auditing. The International Standards of Supreme Audit Institutions (ISSAIs) developed by the International Organisation of Supreme Audit Institutions (INTOSAI) aim to promote independent and effective auditing by supreme audit institutions (SAIs).   The ISSAIs encompass public-sector auditing requirements at the organisational (SAI) level, while on the level of individual audits they aim to support the members of INTOSAI in the development of their own professional approach in accordance with their mandates and with national laws and regulations.   INTOSAI’s Framework of Professional Standards has four levels. Level 1 contains the framework’s founding principles. Level 2 (ISSAIs 10-99) sets out prerequisites for the proper functioning and professional conduct of SAIs in terms of organisational considerations that include independence, transparency and accountability, ethics and quality control, which are relevant for all SAI audits. Levels 3 and 4 address the conduct of individual audits and include generally-recognised professional principles that underpin the effective and independent auditing of public-sector entities.   The Fundamental Auditing Principles at level 3 (ISSAIs 100-999) draw and elaborate on ISSAI 1 – The Lima Declaration and the ISSAIs at level 2 and provide an authoritative international frame of reference defining public-sector auditing.   Level 4 translates the Fundamental Auditing Principles into more specific and detailed operational guidelines that can be used on a daily basis in the conduct of an audit and as auditing standards when national auditing standards have not been developed. This level comprises General Auditing Guidelines (ISSAIs 1000-4999) which set the requirements for financial, performance and compliance auditing.   ISSAI 100 – Fundamental Principles of Public-sector Auditing provides detailed information on:   the purpose and authority of the ISSAIs; the framework for public-sector auditing; the elements of public-sector auditing; the principles to be applied in public-sector auditing. PURPOSE AND AUTHORITY OF THE ISSAIs   ISSAI 100 establishes fundamental principles which are applicable to all public-sector audit engagements, irrespective of their form or context. ISSAIs 200, 300 and 400 build on and further develop the principles to be applied in the context of financial, performance and compliance auditing respectively. They should be applied in conjunction with the principles set out in ISSAI 100. The principles in no way override national laws, regulations or mandates or prevent SAIs from carrying out investigations, reviews or other engagements which are not specifically covered by the existing ISSAIs.   The Fundamental Auditing Principles form the core of the General Auditing Guidelines at level 4 of the ISSAI framework. The principles can be used to establish authoritative standards in three ways:   as a basis on which SAIs can develop standards; as a basis for the adoption of consistent national standards; as a basis for adoption of the General Auditing Guidelines as standards.   SAIs may choose to compile a single standard-setting document, a series of such documents or a combination of standard-setting and other authoritative documents.   SAIs should declare which standards they apply when conducting audits, and this declaration should be accessible to users of the SAI’s reports. Where the standards are based on several sources taken together, this should also be stated. SAIs are encouraged to make such declarations part of their audit reports; however, a more general form of communication may be used.   An SAI may declare that the standards it has developed or adopted are based on or are consistent with the Fundamental Auditing Principles only if the standards fully comply with all relevant principles.   Audit reports may include a reference to the fact that the standards used were based on or consistent with the ISSAI or ISSAIs relevant to the audit work carried out. Such reference may be made by stating:   … We conducted our audit in accordance with [standards], which are based on [or consistent with] the Fundamental Auditing Principles (ISSAIs 100-999) of the International Standards of Supreme Audit Institutions.   In order to properly adopt or develop auditing standards based on the Fundamental Auditing Principles, an understanding of the entire text of the principles is necessary. To achieve this, it may be helpful to consult the relevant guidance in the General Auditing Guidelines.   SAIs may choose to adopt the General Auditing Guidelines as their authoritative standards. In such cases the auditor must comply with all ISSAIs relevant to the audit. Reference to the ISSAIs applied may be made by stating:   … We conducted our audit[s] in accordance with the International Standards of Supreme Audit Institutions.   In order to enhance transparency, the statement may further specify which ISSAI or range of ISSAIs the auditor has considered relevant and applied. This may be done by adding the following phrase:   The audit[s] was [were] based on ISSAI[s] xxx [number and name of the ISSAI or range of ISSAIs].   The International Standards on Auditing (ISAs) issued by the International Federation of Accountants (IFAC) are incorporated into the financial audit guidelines (ISSAIs 1000-2999). In financial audits reference may therefore be made either to the ISSAIs or to the ISAs. The ISSAIs provide additional public-sector guidance (’Practice Notes’), but the requirements of the auditor in financial audits are the same. The ISAs constitute an indivisible set of standards and the ISSAIs in which they are incorporated may not be referred to individually. If the ISSAIs or the ISAs have been adopted as the SAI’s standards for financial audits, the auditor’s report should include a reference to those standards. This applies equally to financial audits conducted in combination with other types of audit.   Audits may be conducted in accordance with both the General Auditing Guidelines and standards from other sources provided that no contradictions arise. In such cases reference should be made both to such standards and to the ISSAIs.   FRAMEWORK FOR PUBLIC-SECTOR AUDITING   Mandate   An SAI will exercise its public-sector audit function within a specific constitutional arrangement and by virtue of its office and mandate, which ensure sufficient independence and power