Office of the Auditor General of Norway CAS project 2.2, SDP of IFPP on providing guidance on compliance audit, update and work in progress Ingvild Gulbrandsen Office of the Auditor General of Norway 27th of May 2019, Lisbon

Agenda for the presentation Objective of this GUID What is a GUID in INTOSAI Feedback from FIPP – some solutions Other feedback Questions for discussion Status – GUID 4900 - PSC/FIPP

Objective of this GUID The objective of this GUID is to provide support to the auditor in planning, executing and reporting on adherence to regularity and propriety criteria in a compliance audit. When deriving at propriety criteria, there can be grey areas where some SAIs conduct performance audit. In this GUID the scope is compliance audit.

Drafting conventions for guidance documents in the IFPP Definition of a GUID that will support the SAIs to: Enhance organisational performance in practice related to the organisational requirements and the implementation of ISSAIs Implement mechanisms and programms for competency development in line with the ISSAIs Definition of a GUID that will support the auditor to: Apply the ISSAIs in practice in the compliance audit processes. Understands a specific subject matter and the application of the relevant ISSAIs. The GUIDs translate the fundamental auditing principles into more specific, detailed and operational guidelines.

Supplementary guidance to the drafting conventions for the GUIDs The GUID should be closely linked to ISSAI 100 and the audit type. The GUID should expand on requirements and explanation for these principles, and not merely repeat or overlap the relevant ISSAIs The auditor should be directed to the relevant ISSAI for requirements for planning, execution and conclusion/reporting phases.

Working title for the new pronouncement Guidance on authorities to be considered while examining regularity and propriety aspects in compliance audit Added criteria after last CAS meeting: Guidance on authorities and criteria to be considered while examining regularity and propriety aspects in compliance audit

Feedback from FIPP This is a grey area that is not properly understood and that needs extra consideration – comment: nowhere to find proper CA explanation of authorities for propriety criteria, hench this is a new area to examine and explore. We note that reference to Performance Audit is now removed – comment: this is a CA Guideline, and introducing PA will only be confusing.

Feedback from FIPP, cont. However as far as structure is concerned we seem to be going in circles and there is a series of repetition throughout the document – comment: in some places there is a need for reference to ISSAI 100, 400 and 4000, but the repetitions are hopefully removed.

FIPP comments cont. The draft GUID copy/pastes all ‘regularity’ and ‘propriety’ definitions and requirements of audit criteria with no accompanying value addition explanatory notes. For example, characteristics of criteria such as neutrality and acceptability, are listed without reflecting on how these apply to either propriety or regularity. It is suggested that GUID reflects on the characteristics of criteria and explain how they apply to both propriety and regularity – comment: additional text is added to the characetristics. The most important in this respect is to discuss the criteria thoroughly with the auditee.

FIPP comments cont. We propose that the text relating to the 3 models be deleted as it stands it does not give any useful and clear guidance – comment: it is put in the appendix, we will ask for comments in the hearing. FIPP notes that INTOSAI Regions were consulted in the development of the Exposure Draft. However, there is also a need to consult with relevant sub-committees such as FAAS, PAS and the Forum of Jurisdictional SAIs – comment: there have been few comments from the sub-comittees, and the comments are integrated in the text.

FIPP comments cont. What is common for propriety and regularity, what is different – comment: it is still work in progress, but with the hearing we hope to get even more examples and clarifications.

FIPP comments cont. The GUID should include a clear message that what could be determined to be propriety in one jurisdiction may be regularity in another, depending on the content of the whole framework of laws, regulations – comment: this is a difficult area to be consistent, we will ask for examples in the hearing. However, it is noted that no examples have been given to further elaborate on how such situations can arise. Such examples could be solicited for in the “Request for comments” document when the exposure draft is launched – comment: ref previous, this will be done.

Feedback from others What is the authority of a GUID in INTOSAI The document has evolved beautifully regarding regulatory criteria. However, the issue with "unwritten propriety criteria" has become rather destructive. All attempts to describe the undescribable have just made the issue worse. The minimum acceptable line would be that at least ”a framework of rules which guide propriety issues” should be put on paper.

Feedback from others, cont. Commonly accepted in ”a public setting” is a perfect phrase to give the auditor an absolute upper hand and authority in his dealings. How to identify authority and determine propriety criteria? What IS NOT propriety criteria?

Feedback from others, cont. An unwritten, vague propriety criteria will not carry the characteristic complete. All unwritten propriety criteria are NOT reliable, since they become concrete only when someone claims that such a criterion exists. An auditee cannot follow unwritten and unspecific rules, and cannot be held liable to follow them.

Feedback from others, cont. Any criteria which is not readily identifiable before it is put forward during an audit cannot be neutral. One cannot claim that intended users understand unwritten and unspecified propriety criteria.

Feedback from others, cont. Unwritten propriety criteria cannot have a consistent usage, being comparable. How can one claim that unwritten propriety criteria is acceptable by the general public? Unwritten propriety criteria are not available for intended users. No one claim that everyone knows and interprets them in the same way, since they seem not to exist before being put forward.

Feedback from others, cont. These characteristics can be ensured by comparison to similar engagements, consulting independent experts in the subject matter, consulting the general public or using best practices and benchmarks that are relevant for the subject matter.   This would lead to a culture in which auditors support each other – by referring to this paragraph - to create a culture which gives the auditor absolute power over the auditee.

Feedback from others, cont. Maybe use auditor consequently and not s/he Are regularity and propriety types of criteria or differen audit approaches (aspects?) according to ISSAI 400 it’s an audit scope Why measurment or evaluation of an underlying subject matter? Is it not the subject matter itself that is measured/evaluated? Ref ISSAI 100/26

Feedback from others, cont. Are the authorities harder to identify or the criteria? This should also reflect that the criteria may change over time and should reflect the norms, standards, reaserch that reflect the time the subject matter took place.

By the 15th of May 2019 The new draft of the GUID 4900 was sent to PSC, asking to forward the draft to FIPP for written procedures. Together with the GUID 4900, the explanatory memorandum was also attached.

Questions for discussion Does the text followed by examples give the auditor guidance on : Authorities to be considered while examining regularity and propriety aspects in compliance audit? What is common for propriety and regularity, what is different? Are we still going in circles and are there a series of repetition throughout the document? What is missing? Where do we have to expand our explanations?

Thank you