DECISION

PROMULGATING THE STATE AUDITING STANDARD NO. 100 – FUNDAMENTAL AUDITING PRINCIPLES OF THE STATE AUDIT OFFICE

THE STATE AUDITOR GENERAL

Pursuant to the Law on the State Audit;

Pursuant to the Resolution of the Standing Committee of the National Assembly No. 916/2005/NQ-UBTVQH11 dated September 15, 2005 on the organization structure of the State Audit;

Pursuant to the Resolution of the Standing Committee of the National Assembly No. 917/2005/NQ-UBTVQH11 dated September 15, 2005 on providing Regulations on the procedure for formulation and introduction of the State Auditing Standards;

At the request of the Director of Audit Policy and Audit Quality Control Department and the Director of the Legal Affair Department,

HEREBY DECIDES

...

...

...

Article 2. This Decision shall come into force after 45 days from the signing date.

Article 3. Heads of affiliates of the State Audit Office, organizations and individuals concerned, shall be responsible for implementing this Decision./.

THE STATE AUDITOR GENERAL




Nguyen Huu Van

THE STATE AUDITING STANDARD NO. 100 – FUNDAMENTAL AUDITING PRINCIPLES OF THE STATE AUDIT OFFICE

(Issued together with the Decision No. 02/2014/QĐ-KTNN of the State Auditor General dated July 14, 2014)

...

...

...

Establishment basis

1. These standards are established and developed on the basis of the Law on State Audit and INTOSAI ISSAI 100 – Fundamental principles of public sector auditing.  These fundamental auditing principles are developed into professional practice guidelines (State Auditing Standard at Level 4) and applied in the auditing process.

Objectives, scope of application and regulations on implementation

2. These auditing standards provide fundamental principles which are applicable to all public-sector audit engagements, irrespective of their form.  State Auditing Standards - Fundamental principles of financial, performance and compliance auditing (SAS 200, 300 and 400) build on and further develop the principles to be applied in the context of financial, performance and compliance auditing respectively.    Principles set out in SAS 200, 300 and 400 should be applied in conjunction with principles set out in these standards.

Principles applied to use of terms in these standards

3. Terms used herein are defined the same as those used in auditing standards adopted by the State Audit Office.

CONTENTS OF STANDARDS

4. These standards include the following contents, such as general regulations on public sector auditing; elements of public sector auditing; fundamental principles of public sector auditing.

General regulations on public sector auditing

...

...

...

5. The State Audit Office must exercise its public sector audit function within the Constitution of the Socialist Republic of Vietnam, laws and its mandates, and ensure independence and objectivity in performing its duties.

The State Audit Office shall be mandated to determine its responsibilities and powers in the public-sector auditing and set out specific provisions on auditing duties and others that the State Audit Office must perform.

6. The State Audit Office must make decisions so as to respond to requirements in its mandate as well as other legislative requirements. Such decisions may include which auditing standards are applicable, which engagements will be conducted and how they will be prioritized.

Public sector auditing and its objectives

7. The public sector audit environment is that in which governments and other public-sector entities exercise responsibility for the management and use of public funds and assets. These entities shall be accountable for the management and use of financial resources and public assets both to those that provide such resources and the general public. Public sector auditing shall help to reinforce the expectation that public-sector entities and public servants will perform their functions of management, use of financial funds and assets in an efficient, effective and ethical manner and in accordance with the applicable laws and regulations.  

8. In general, public-sector auditing can be described as a systematic process of objectively obtaining and evaluating evidence to determine whether information or actual conditions conform to established criteria.  Public-sector auditing is essential in that it provides legislative and oversight bodies, those charged with governance and the general public with information and independent and objective assessments concerning the stewardship and performance of government policies, programmes or operations of entities charged with managing and using public funds and assets.

9. Public sector auditing shall play an important role in enhancing public sector administration by emphasizing the principles of transparency, accountability, governance and performance.

10. Public sector auditing shall start from determination of auditing objectives which may differ depending on the type of audit being conducted.  All public-sector auditing is aimed at enhancing the good governance of public funds and assets by:

(i) Providing the intended users with independent, objective and reliable information, conclusions and opinions based on sufficient and appropriate evidence relating to public entities;

...

...

...

(iii) Reinforcing the effectiveness of oversight bodies and entities responsible for the management of publicly-funded activities;

(iv) Creating incentives for change by providing the auditing result and recommendations.

11. Public-sector audits can be categorized into three main types such as financial, performance and compliance audit. The objectives of each audit shall determine which state auditing standards apply.

Types of public-sector audit

12. The three main types of public-sector audit are defined as follows:

(i) Financial audit is the audit employed to inspect, assess and verify the accuracy and authentication of financial statements or information provided by the audited entity. The financial audit focuses on determining whether an entity’s financial information is presented in accordance with the applicable financial reporting and regulatory framework as well as other applicable and relevant laws and regulations.  This is accomplished by obtaining sufficient and appropriate audit evidence to enable the auditor to express an opinion as to whether the financial information is free from material misstatement due to fraud or error.

(ii) Performance audit is the audit employed to inspect and assess the economy, efficiency and effectiveness in management and use of financial funds and assets.  The performance audit focuses on determining whether programs, activities, entities or public funds and institutions are performing in accordance with the principles of economy, efficiency and effectiveness and whether there is room for improvement.   The auditor shall examine the performance of activities, programs against suitable established criteria; analyze the causes of deviations from those criteria as well as other problems with the aim of making judgments about the economy, efficiency and effectiveness as well as providing recommendations for improvement.

(iii) Compliance audit is the audit employed to inspect, assess the compliance with authorities identified as the auditing criteria which the audited entity must apply.  The compliance audit is performed by assessing whether particular subject matters such as financial activities, transactions and information of the audited entity are, in all material aspects, in compliance with the authorities which govern the audited entity. These authorities may include rules, laws, regulations, budgetary resolutions, policies and principles governing management of public funds, assets and the conduct of public officials.

13. The State Audit Office can perform a single audit or a mixture of audits as mentioned above.

...

...

...

14. Basic elements of public-sector auditing shall include the auditor, the responsible party, intended users (the three parties to the audit); the subject matter and the subject matter information and audit criteria; different types of audit engagements.

Three parties

15. Public sector audits involve at least three separate parties: the auditor, the responsible party and intended users.  The relationship between the parties is prescribed in the Law on State Audit and other relevant legislative documents.

(i) The auditor: The responsibilities of the State Audit Office and the auditor are stipulated in the Law on State Audit and documents providing instructions on implementation of the Law on State Audit and regulations of the State Audit Office. During the auditing process, the auditor shall be directly managed and supervised by the Head of Audit Unit or Group.

(ii) The responsible party: audited entities; agencies, organizations and individuals responsible for issues relating to the audited entity, for managing the audited entity or implementing related recommendations. The relationship between the parties is prescribed in the Law on State Budget and other relevant legislative documents.

(iii) The intended users of audit reports: agencies, organizations or individuals using the audit report under the provisions of the Law on State Audit. The intended users may be legislative, oversight, governance and administration bodies or the general public.

Subject matter, subject matter information and criteria

16. The subject matter refers to the information, condition or activity that measured or evaluated against certain criteria. It can take many forms and have different characteristics depending on the audit objective. An appropriate subject matter must be definite and can be evaluated or measured by the established criteria and gather sufficient and appropriate audit evidence to support the audit opinion or conclusion.

Three audit types shall have the subject matter and the subject matter information as defined below:

...

...

...

(ii) Performance audit: The subject matter of a performance audit is defined by the audit objectives and audit questions.  The subject matter may be specific programmes, activities, entities or public funds (with their outputs, outcomes and impacts), existing situations (including causes and consequences). The  information concerning the subject matter of performance audit can be financial or non-financial information. The auditor shall measure or evaluate the subject matter to assess the extent to which the established criteria have or have not been met.

(iii) Compliance audit: The subject matter of a compliance audit is defined by the scope of the audit. It may be financial activities, operations, transactions or information.

17. The audit criteria are standards for measurement and evaluation of the subject matter of an audit. Each audit should have criteria suitable to the circumstances of that audit. In determining the suitability of audit criteria, the auditor considers whether such criteria have their relevance to the subject matter of such audit, and the intended users of audit reports can understand such criteria. The auditor should consider other elements such as completeness, reliability, objectivity, general acceptance and comparability. The audit criteria used may depend on a range of factors, including the objectives and types of audit.  Audit criteria may be specific or more general, and may be drawn from various sources, including laws, regulations, standards, sound principles and best practices. They should be made available to the intended users to enable them to understand how the subject matter has been evaluated or measured.

Types of audit engagement

18. There are two types of public sector audit engagements: attestation engagement and direct reporting engagement.

(i) In attestation engagements, the audited entity shall measure the subject matter against audit criteria and present the subject matter information and outcome of such audit.  The auditor gathers sufficient and appropriate audit evidence to provide a reasonable basis for expressing a conclusion. The audit outcome presented in the audit report shall take the form of attestation to the suitability of the audit subject matter, information and data for audit criteria.

(ii) In direct reporting engagements, the auditor shall measure or evaluate the subject matter against the audit criteria. The auditor selects the subject matter and criteria on the basis of taking into consideration risk and materiality. The outcome of measuring or evaluating the subject matter against the criteria is presented in the audit report in the form of findings, conclusions, recommendations or opinions. Furthermore, such audit outcome also provides information, problems or new analyses.

19. Financial audits are always attestation engagements, as they are based on financial information presented by the responsible party. Performance audits are normally direct reporting engagements. Compliance audits may be attestation or direct reporting engagements, or both at once.

Confidence and assurance in public-sector auditing

...

...

...

20. The intended users always wish to be confident about information that they are going to use.  Audits therefore provide information based on sufficient and appropriate evidence, and auditors should perform procedures to reduce or manage the risk of reaching inappropriate conclusions. The level of assurance that can be provided to the intended user should be communicated in a transparent way. Due to inherent limitations, however, audits can never provide absolute assurance.

Forms of providing assurance

21. Depending on the audit and the users’ needs, assurance can be communicated in two ways:

(i) Through opinions and conclusions which explicitly convey the level of assurance. This applies to all attestation engagements and certain direct reporting engagements.

(ii) In other forms: In some direct reporting engagements, the auditor does not give an explicit statement of assurance on the subject matter. In such cases, the auditor provides the users with the necessary degree of confidence by explicitly explaining how findings, criteria and conclusions were developed, and why the combinations of findings and criteria result in a certain overall conclusion or recommendation.

Levels of assurance

22. Assurance can be either reasonable or limited.

(i) Reasonable assurance: Reasonable assurance is high but not absolute.  The audit conclusion is expressed by explicitly conveying that, in the auditor's opinion, the subject matter is or is not compliant in all material respects, or, where relevant, that the subject matter information provides a true and fair view and in accordance with the applicable criteria.

(ii) Limited assurance: When providing limited assurance, the audit conclusion states that, based on the audit procedures performed, nothing has come to the auditor’s attention to cause the auditor to believe that the subject matter is not in compliance with the applicable criteria. The procedures performed in a limited assurance audit are usually limited compared with what is necessary to obtain reasonable assurance. But the level of assurance is expected, in the auditor's professional judgement, to be meaningful to some extent to the intended users.

...

...

...

23. The principles detailed below are fundamental to the conduct of an audit.  To make it more understandable, fundamental principles shall be presented in the chart of groups as follows:

(i) Requirements that the auditor must meet;

(ii) General principles are those that the auditor must take into consideration before commencement of an audit and in some time of such audit;

(iii) Principles related to the audit process.

Areas covered by the principles for public-sector auditing

Requirements that the State Audit Office must meet

...

...

...

The State Audit Office must establish a set of regulations on ethics and quality control with reasonable assurance that the State Audit Office and its public officials and the auditor are complying with professional standards and the applicable ethical, legal and regulatory requirements (with reference to SAS 30 – Code of ethics and SAS 40 – Audit quality control). 

General principles

Ethics and independence

25. Auditors should comply with the relevant ethical requirements and be independent

Ethical principles should be embodied in an auditor’s professional behavior.  The State Audit Office should establish the ethical principles and emphasize the need for compliance by each auditor. Auditors should remain independent so that their audit reports will be impartial and be seen as such by the intended users.

Auditors should get an insight into the guidance on independence in the Mexico Declaration on SAI Independence coming into force in 2007. The key ethical principles, such as integrity, independence, objectivity, qualification, professional competence and due care and confidentiality, are defined in SAS 30 – Code of Ethics.

Professional judgement, due care and scepticism

26. Auditors should maintain appropriate professional behavior by applying professional scepticism, professional judgment and due care throughout the audit

The auditor’s attitude should be characterized by professional scepticism and professional judgement, which are to be applied when making decisions. Auditors should exercise due care to ensure that their professional behavior is appropriate.

...

...

...

Due care means that the auditor should plan and conduct audits in a diligent manner. Auditors should avoid any conduct that might discredit their work.

Professional scepticism means maintaining an alert against and questioning attitude towards specific situations which may be signs of misstatements due to mistakes or fraud as well as a discreet evaluation of audit evidence.    It also entails remaining open-minded and receptive to all views and even arguments.

Quality control

27. Auditors should conduct the audit in accordance with professional standards on quality control introduced by the State Audit Office.

A State Audit Office’s quality control policies and procedures should comply with professional standards with the aim of controlling audit risks, ensuring the audit quality and the high level of consistency in conducting audits. Quality control policies and procedures should cover matters such as the direction, review and supervision of the audit process and the need for consultation in order to reach decisions on difficult and contentious matters (with reference to SAS 40 – Audit quality control).

Other essential skills and use of the other entity’s work of inspection, examination and audit

28. Auditors should possess or have access to the skills necessary for to successfully complete the audit.

These skills include an understanding and practical experience of the type of audit being conducted, familiarity with the applicable standards and legislation, an understanding of the entity's operations and the ability and experience to exercise professional judgement. In order to help auditors obtain necessary skills, the State Audit Office prepares manuals and other written guidance and instructions concerning the conduct of audits. The State Audit Office should assign appropriate staff with suitable professional skills to conduct audits in order to offer opportunities for the staff development and training. Auditors should maintain their professional competence through ongoing professional development.

Where relevant or necessary, the auditor may use the work of inspection, examination and audit conducted by other auditors or experts. In such case, the auditor should provide sufficient and appropriate evidence for the competence and independence of these auditors or experts; the quality of the work performed; ensure the work has been performed in compliance with the auditing standards of the State Audit Office.   However, the State Audit Office has sole responsibility for any audit opinion or report released by the State Audit Office; that responsibility shall not be reduced by its use of such work.

...

...

...

Audit risk

29. Auditors should manage the risks of providing a report that is inappropriate in the circumstances of the audit

The audit risk is the risk that the auditor may express inappropriate opinions in the audit report and the audited information contains material misstatement.    The auditor must perform procedures to reduce or manage the risk of reaching inappropriate conclusions. However, there is a fact that all audits are faced with certain inherent limitations which mean that an audit can never provide absolute certainty of the whole condition of the subject matter.    When the objective is to provide reasonable assurance, the auditor should reduce audit risk to an acceptably low level. The audit may also aim to provide limited assurance, in which case the acceptable risk is greater than in a reasonable assurance audit.

Materiality

30. Auditors should consider materiality throughout the audit process

Materiality is relevant in all audits. A matter can be judged material if it influences the decisions of the intended users. Determining materiality is a matter of professional judgement and depends on the auditor’s interpretation of the users’ needs. This judgement may relate to an individual item or to a group of items taken together. Materiality is often considered in both quantitative and qualitative aspects. The inherent characteristics of an item or group of items may render a matter material by its very nature. A matter may also be material because of the context in which it occurs.

Materiality considerations affect decisions concerning the nature, timing and extent of audit procedures and the evaluation of audit results. Considerations may include the interested party’s concerns, public interest, regulatory requirements and consequences for society.

Documentation

31. Auditors should prepare audit documentation that is sufficiently detailed to provide a clear understanding of the work performed, evidence obtained and conclusions reached.

...

...

...

Communication

32. Auditors should establish effective communication throughout the audit process.

It is essential that the audited entity be kept informed of all matters relating to the audit. This is the key to developing a constructive working relationship. Communication should include obtaining information relevant to the audit and providing management and those charged with governance with timely observations and findings throughout the audit engagement. The auditor shall also take responsibility to communicate audit-related matters to other interested parties in accordance with legal regulations.

Principles related to the audit process

Planning an audit

33. Auditors should ensure that the terms of the audit have been clearly established

Audits may be required by statute, requested by a legislative or oversight body, initiated by the State Audit Office or carried out by simple agreement with the audited entity. In all cases, the auditor, those charged with management or administration in the audited entity and others as applicable should reach a common formal understanding of the terms of the audit and their respective roles and responsibilities in the audit engagement. Important information may include the subject, scope and objectives of the audit, access to data, the audited entity’s report, contact persons, the audit process and the roles and responsibilities of the different parties to the audit engagement.

34. Auditors should obtain an understanding of the nature of the entity, program to be audited

This includes understanding the relevant objectives, operations, regulatory environment, internal controls, financial and other systems and business processes, and researching the potential sources of audit evidence. Knowledge can be obtained from regular interaction with management, those charged with governance and other relevant parties. In order to obtain an understanding of the nature of the entity, program to be audited, the auditor can consult experts and examine available documents.

...

...

...

The nature of the risks identified will vary according to the audit objective. The auditor should consider and assess the risk of different types of deficiencies, deviations or misstatements that may occur in relation to the subject matter. Both general and specific risks should be considered.  This can be achieved through procedures that serve to obtain an understanding of the audited entity or program and its environment, including the relevant internal controls.  The auditor should assess the method of risk management applied by the audited entity, including its implementation of internal controls. The identification of risks and their impact on the audit should be considered throughout the audit process.

36. Auditors should identify and assess the risks of fraud in relation to the audit objectives

Auditors should make enquiries and perform procedures to identify and respond to the risks of fraud; maintain an attitude of professional scepticism and be alert to the possibility of fraud throughout the audit process.

37. The audit plan should be prepared to ensure that the audit is conducted in an effective and efficient manner

A specific audit shall be planned in strategic and operational aspects.

Planning in the strategic aspect should define the audit scope, objectives and approach. The audit objectives refer to what the audit is intended to accomplish. The scope relates to the subject matter and the criteria which the auditors will use to assess and report on the subject matter, and is directly related to the objectives. The approach will describe the nature and extent of the procedures for gathering audit evidence.  The audit should be planned to reduce audit risk to an acceptably low level.

Planning in the operational aspect should describe a timetable for the audit and define the nature, timing and extent of the audit procedures. During planning in the operational aspect, the audit team should assign the members of their team in an appropriate manner and identify other resources if required, such as experts in several disciplines, etc.

During the audit process, if there is any substantive change to the characteristics of the work, the audit plan must be adjusted.

Conducting an audit

...

...

...

The auditor’s decisions on the nature, timing and extent of audit procedures will impact on the evidence to be obtained.  The choice of specific procedures will depend on the risk assessment or problem analysis.

Audit evidence is any document or information obtained by the auditor in relation to the audit engagement and, based on such document or information, the auditor can reach conclusions from which audit opinions are formed. Audit evidence should be used to determine whether the subject matter is complying with the audit criteria. 

Evidence may take many forms, such as electronic and paper records, written and electronic communication with outsiders, observations by the auditor, and oral or written testimony by the audited entity.  Methods of obtaining audit evidence can include inspection, observation, confirmation from outsiders, recalculation, re-performance, analytical procedures and/or enquiries.  Evidence should be both sufficient and appropriate:

(i) The sufficiency of audit evidence is the standard for assessing the quantity of audit evidence items. The quantity of audit evidence items to be obtained shall be subjected to the auditor's assessment in terms of the risk of containing material misstatement and quality of each audit evidence item;

(ii) The appropriacy of audit evidence is the standard for assessing the quality of audit evidence items. Audit evidence must be appropriate and reliable to support the auditor’s conclusions based on which audit opinions are formed.

Preliminary findings should be communicated to and discussed with the audited entity to ensure the reliability and persuasiveness.  The auditor must respect all requirements regarding confidentiality.

39. Auditors should evaluate the audit evidence and draw conclusions

After completing the audit procedures, the auditor will review the audit documentation in order to determine whether the subject matter has been sufficiently and appropriately audited.  Before drawing conclusions, the auditor reconsiders the initial assessment of risk and materiality in the light of the evidence collected and determines whether additional audit procedures need to be performed.

The auditor should evaluate the audit evidence with a view to obtaining audit findings. This evaluation must be objective and impartial. When evaluating the audit evidence and assessing materiality of findings, the auditor should take both quantitative and qualitative factors into consideration.

...

...

...

Preparing the audit report

40. Auditors should prepare a report based on the conclusions reached

The audit report should be prepared to communicate the results of the audit to legislative and oversight bodies, others responsible for governance and the general public. It also serves as the basis for examining implementation of audit recommendations and measures to control limitations or misstatements.

Audit reports should be easy to understand, comprehensive and free from vagueness or ambiguity. They should be objective and fair, only including information which is supported by sufficient and appropriate audit evidence and ensuring that findings are relevant.

Reports should explain use of audit evidence obtained and reasons for drawing conclusions. This will help to provide the intended users with a degree of confidence in the audit.

The form and content of a report will depend on the nature of the audit, the intended users, the applicable standards and legal requirements. The State Audit Office should specify the layout or wording of reports, which can appear in short form or long form.

Long-form reports generally describe in detail the audit scope, audit findings and conclusions, including potential consequences resulted from limitations or misstatements, and constructive recommendations to enable remedial actions.

Short-form reports are more condensed, concise and straightforward.

Attestation engagements

...

...

...

Direct reporting engagements

The audit report needs to state the audit objectives and describe how they were addressed in the audit.  It includes findings, conclusions, recommendations or opinions on the result of measurement or evaluation of the subject matter against established criteria.  Additional information about criteria, methodology and sources of data may also be given, and any limitations to the audit scope should be described.

41. Audit opinion

An audit opinion is used to convey the level of assurance, and needs to be expressed in a standardized format. The opinion may be unmodified or modified.  A modified opinion may be qualified, adverse or disclaimed.

(i) An unmodified opinion means the opinion expressed when the auditor comes to a conclusion that the report, information, conditions or operations of the audited entity, in all materiality aspect, complies with established criteria.  An unmodified opinion is used when either limited or reasonable assurance has been obtained.

(ii) A qualified opinion means the opinion expressed when:

l Based on sufficient and appropriate evidence obtained, the auditor reaches a conclusion that misstatements, whether individually or in the aggregate, may cause material impacts but only limited impacts on several specific elements or items.

l The auditor is unable to obtain sufficient and appropriate evidence as the basis for drawing audit opinions, but the auditor reaches a conclusion that misstatements which have not been discovered (if any) may have material impacts but only limited impacts on several specific elements or items. 

(iii) An adverse opinion means the opinion expressed when, in the light of sufficient and appropriate evidence obtained, the auditor reaches a conclusion that misstatements, whether individually or in the aggregate, may have material impacts and significant impacts on the entire subject matter.

...

...

...

Where the opinion is modified, the reasons why the auditor expresses such opinion must be clearly stated in the audit report.  Depending on the type of audit, recommendations for corrective action and any contributing internal control deficiencies may also be included in the audit report.

Following up the implementation of conclusions or recommendations

42. The State Audit Office must monitor and examine the implementation of audit conclusions or recommendations

The State Audit Office should monitor and examine the implementation of conclusions, recommendations in order to assess such implementation of the audited entity, handling of problems mentioned in the audit report of the audited entity and relevant parties. The State Audit Office should prepare the report on the outcome of implementation of audit conclusions and recommendations. If these recommendations have not or have sufficiently been implemented, the State Audit Office should continue to give recommendations and request the audited entity to implement their recommendations.

The State Audit Office is able to make adjustment to recommendations when they have established that previous recommendations are not suitable or there is any change to recommendations.