Presentation by Helena Abreu Lopes from Portugal during the workshop on The role of the Court of Accounts in preventing and fighting fraud and corruption. This workshop was jointly organised by SIGMA and the Algerian Court of Accounts in Algiers on 8-9 April 2015. For further information, please contact bianca.breteche@oecd.org.
A joint initiative of the OECD and the European Union,
principally financed by the EU
ISSAI 100 & draft 5700
Public sector auditing contributes to good
governance and to preventing fraud and corruption
• Provides independent, objective and reliable information on public
management
• Enhances transparency, accountability, improvement and
confidence in the use of public funds and assets
• Encourages public bodies and public servants to act effectively,
efficiently, ethically and in accordance with laws and regulations
• Supports those bodies with monitoring and corrective functions
over public management
ISSAI 10
• SAIs should respond appropriately, in accordance
with their mandates, to the risks of financial
impropriety, fraud and corruption, for example
by promoting mechanisms to address them.
• SAIs’ communication should contribute to
stakeholders’ awareness of the need for
transparency and accountability in the public
sector
ISSAI 100, 200 & 1240
Financial audit
• Is the financial information presented in accordance with the
applicable financial reporting and regulatory framework
and free from material misstatement due to fraud or
error?
• The management of the audited body is responsible for implementing the
internal controls needed to make sure that financial statements are free
from misstatements due to fraud or error
• The auditor should assess the risks of material misstatements due to fraud,
act appropriately to address them and obtain reasonable assurance that the
statements are free from material misstatement due to fraud
• By mandate or to keep up with public expectations, objectives of a financial
audit in the public sector are often broader and may include audit and reporting
on findings of fraud or non-compliance with laws, regulations or other
authorities
ISSAI 100, 400, 4000, 4100 & 4200
Compliance audit
• Are activities/transactions/reports/information in
compliance with applicable rules, laws, regulations,
budgetary resolutions, policy, codes, agreed terms
and/or general principles?
• Great degree of international diversity in organising and reporting on
compliance audit
• Although, due to the inherent limitations of an audit, there is an
unavoidable risk that errors, irregularities and illegal acts may occur and not
be detected, the audit should be designed to provide reasonable assurance
that those situations don’t significantly affect the audit objectives
• SAI’s special compliance audit responsibilities may include activities related
to suspected fraud and corruption
• Courts of Accounts are usually mandated to communicate compliance
deviations to appropriate bodies or open processes leading to judgements,
identifying responsible agents and offences
ISSAI 100 & 300
Performance audit
• Are interventions, programmes and/or institutions
performing in accordance with the principles of economy,
efficiency and effectiveness and is there room for
improvement?
• SAIs may conduct combined audits incorporating financial, compliance
and/or performance aspects
• When planning and conducting a performance audit, auditors should assess
the risk of fraud and examine whether there are signs of irregularities that
hamper performance
ISSAI 5530
SAIs can:
• Audit whether the NIS (national integrity system) functions as it should to prevent
and deter fraud and corruption and point out the importance of strengthening
this system
• Examine and recommend development and improvement of anti-fraud and
corruption strategies and controls (prevention, detection, response)
• Audit their country’s implementation of anti-corruption international
agreements
• Conduct joint, coordinated or parallel audits with other SAIs
• Engage in participatory auditing
ISSAI 5530
SAIs can:
• Ensure that adequate follow-up is given to their observations and
recommendations on fraud and corruption so that preventive measures are
rapidly adopted
• Work closely with civil society organisations, media and parliament to enhance
due account of their audit findings and recommendations
• Encourage effective and culturally appropriate complaint mechanisms for staff
and beneficiaries and adequate protection for whistle-blowers (hotlines,
tip-offs)
• Set a good example to other areas of government by assessing the quality of
their own integrity system, being transparent about the results of the
assessment and making public the follow-up action
Some examples
• SAI of Norway: Audit of the internal control systems in the Defence procurement area,
including the impartiality of staff
• Cc Belgium: Audit of the integrity policy in federal tax departments
• ECA: Audit of the management of the conflict of interest situations in EU agencies
• NAO Malta: Audit “Addressing Social Benefit Fraud”
• Netherlands CA: Audit of how effective investigation and prosecution of tax fraud,
social security fraud and horizontal fraud is working
• UK NAO: Report on Making a Whistleblowing Policy Work
• OLACEFS: SAI’s Toolbox for Corruption Control
Exposure Draft ISSAI 5700
Guideline for the audit of corruption prevention
in government agencies
• The role of SAIs in the fight against corruption
• Concept, causes and types of corruption
• Components of preventing and fighting corruption (organisation, risk
assessment, delimitation of duties, job rotation, supervision, decision
making, internal control, cooperation with anti-corruption agencies
and inspectors general, training, codes of conduct, monitoring,
reporting)
INTOSAI GOV 9100-9160
INTOSAI Guidance for Good Governance
• Guidelines for internal control standards for the public sector
• Guidance for reporting on the effectiveness of internal controls
• Foundation for accountability in government
• Entity risk management
• Internal audit independence in the public sector
• Coordination and cooperation between SAIs and internal auditors in
the public sector
• Enhancing good governance for public assets (draft)
ISSAIs 100, 200, 400, 1000, 1240, 4100,
4200 & 5530
Even if detecting fraud or corruption is not the
main objective of SAIs’ audits, auditors should:
• Include fraud and corruption risk factors in their risk
assessments
• Perform procedures to respond to the identified risks
• Obtain sufficient appropriate audit evidence
• Remain alert to indications of fraud and corruption
throughout the whole audit process
ISSAIs 200, 1000, 4100, 4200 & 5530
• The auditor is expected to obtain reasonable assurance as
to whether the financial statements, taken as a whole, are
free from material misstatement, whether due to fraud or
error
• But the auditor cannot be expected to detect all breaches
of laws and regulations. There is an unavoidable risk that
fraud, corruption or other unlawful acts may occur and
not be detected by auditors, all the more so because such
acts are intentionally designed to conceal their existence.
• While private sector auditors are not responsible for
preventing non-compliance, public sector auditors may
have additional responsibilities related to compliance
with laws and regulations
AUDIT PLANNING
1. Conduct risk assessment by:
(ISSAIs 100.47, 1240, 1315 & 5530)
• Discussing where and how the increased risks of fraud and corruption
may be manifested and how they can be relevant to the audit
objectives
• Consulting relevant information from permanent files and databases
(reported fraud, media reports, complaints, stakeholder feedback,
information from regulators, prosecutors, investigative agencies,
complaint officers, whistle blowers, other auditors, outcomes of
investigations or audits)
• Considering information obtained in prior periods and changes
introduced
AUDIT PLANNING
1. Conduct risk assessment by:
(ISSAIs 100.47, 1240 & 1315)
• Inquiring of management, internal audit, oversight bodies and others
about knowledge of any actual, suspected or alleged fraud affecting
the entity
• Analysing information in sensitive areas, e.g. revenue recognition,
procurement or payment of grants, to identify unusual or unexpected
transactions, events or relationships
AUDIT PLANNING
1. Conduct risk assessment by:
(ISSAIs 100.47, 1240, 1315 & 5530)
• Listing the types of fraud and corruption risks identified, their potential
significance, the likelihood of their occurrence and how they are
perceived
• Inquiring of management about their assessment, identification and
response to risks of fraud (relevant internal controls)
• Analysing oversight exercised over management
• Evaluating preventive and detective controls, mechanisms for dealing
with cases of suspected fraud or corruption and arrangements for
complaints and whistleblowing
• Reviewing ethics management practices in the audited body (culture
of honesty and ethical behaviour)
AUDIT PLANNING
2. Conduct risk assessment by:
(ISSAIs 100.47, 1240, 1315 & 5530)
• Assessing the fraud and corruption risks listed against the operation
of the internal controls identified and the quality of the anti-fraud
environment
• Determining which risks are addressed by the controls in place, and
which other risks remain exposed and to what extent
AUDIT PLANNING
3. Identify potential high risk areas and evaluate
fraud risk factors
(ISSAIs 100.47, 1240, 1315, 4100, 4200 & 5530)
• Identify events or conditions that indicate incentive, pressure,
opportunity or rationale to commit fraud or corruption. Examples:
- Privatisations, grants and benefits to 3rd parties, procurement, PPP
- Budget reductions
- Hierarchical structures
- Political ties and loyalties
- Exercise of public officials’ power
- Deficiencies in internal control
- Weak IT systems
- Non-recording of assets
- Low salaries
AUDIT PLANNING
3. Evaluate fraud risk factors
(ISSAIs 100.47, 1240, 1315, 4100, 4200 & 5530)
• Auditors should analyse the nature and type of risk factors and
understand where key vulnerabilities to fraud and corruption lie
• Red Flags: indicators of increased risk of fraud and corruption due to
circumstances that are unusual in nature or vary from normal activity.
It is a signal that something is out of the ordinary and may need to be
investigated further
AUDIT PLANNING
3. Examine red flags in high risk areas
• Appendixes to ISSAI 1240
• Appendixes to ISSAIs 4100 & 4200
• Part 3 of ISSAI 5530 (Risks and red flags)
• EU CC PPWG checklist for financial and compliance audit of public
procurement
• Addressing Fraud and Corruption Issues when Auditing Environmental
and Natural Resource Management: Guidance for Supreme Audit
Institutions
AUDIT PLANNING
3. Evaluate fraud risk factors
(ISSAI 5530)
• List the red flags relevant for the concrete audit, to be used and
updated during planning and conducting the audit
• Examine whether they are valid indicators of risk for the case and
whether they are addressed by controls in operation
• Where there is doubt, the risk remains high and audit procedures
should be adapted accordingly
CONDUCTING THE AUDIT
1. Audit procedures: address the assessed risks
and gather audit evidence
(ISSAIs 100.47, 1240, 1315, 1330 & 5530)
• Design audit procedures adequate to the risks identified
• Assign specialised staff (forensic, IT, engineering)
• Incorporate unpredictability in the selection of the nature, timing
and extent of audit procedures (surprise factor)
• Include physical observation or inspection of certain assets or
activities
• Use computer assisted audit techniques to extend testing and
gather more evidence
• Test the integrity of computer-produced records and transactions
CONDUCTING THE AUDIT
1. Audit procedures: address the assessed risks
and gather audit evidence
(ISSAIs 100.47, 1240, 1315, 1330, 4100 & 5530)
• Inquire of individuals involved about inappropriate or unusual
activities and investigate their resourcing
• Obtain additional (external and internal) corroborative
information
• Select and test risky operations
• Test controls
• Adapt the timing and extent of substantive procedures
• Increase sample sizes
• Perform analytical procedures at a more detailed or disaggregated
level
CONDUCTING THE AUDIT
1. Audit procedures: address the assessed risks
and gather audit evidence
(ISSAIs 100.47, 1240, 1315, 1330, 4100 & 5530)
• Reevaluate/review potentially biased management estimates (use
experts)
• Evaluate the rationale and process of unusual transactions (real
estate, land swaps, PPP, privatisation of public services, debt
operations, guarantees)
• Review budget process and budget adjustments
• Confirm contract terms and look for side agreements
• Obtain evidence that contracts are being carried out in
accordance with their terms
• Review travel and expense reports
CONDUCTING THE AUDIT
1. Audit procedures: address the assessed risks
and gather audit evidence
(ISSAIs 100.47, 1240, 1315, 1330, 4100 & 5530)
• Review excessive or unusual amounts of overtime
• Perform substantive testing of payroll accounts
• Review hiring procedures and controls
• Investigate inconsistencies
• Investigate further documents that may not be authentic or
that may have been modified (confirm, use experts)
• Obtain written representation from management
CONDUCTING THE AUDIT
2. Evaluate the audit evidence
(ISSAIs 1200, 1240, 1315, 1330, 4100, 4200 & 5530)
• Be attentive to previously unrecognised risks
• Evaluate whether a misstatement is indicative of fraud
• An instance of fraud is unlikely to be an isolated occurrence
• Evaluate possible involvement of management and collusion
involving employees, management or third parties
• Reevaluate risks and audit procedures if needed
CONDUCTING THE AUDIT
2. Evaluate the audit evidence
(ISSAIs 1200, 1240, 1315, 1330, 4100, 4200 & 5530)
Identify circumstances that indicate the possibility of fraud:
– Abnormal budget processes
– Discrepancies in the accounting records
– Unauthorised transactions
– Significant transfer of transactions between funds and/or
programs
– Significant non-delivery
– Unjustified access to systems and records
– Unauthorised use of assets
– Equipment or assets subject or susceptible to personal use
– Loss of materials used in confidential government processes
CONDUCTING THE AUDIT
2. Evaluate the audit evidence
(ISSAIs 400, 1200, 1240, 1315, 1330, 4100, 4200 & 5530)
Identify circumstances that indicate the possibility of fraud:
– Abuse of public authority
– Misreporting on compliance issues
– Complaints about alleged fraud
– Missing or altered documents
– Unexplained items on reconciliations
– Inconsistent, vague or implausible responses
– Unusual discrepancies
– Missing or non-existent cancelled checks
– Grants not reaching the originally intended recipient
– Revolving doors
CONDUCTING THE AUDIT
3. Apply materiality
(ISSAIs 200, 1000, 1450, 4100 & 4200)
• Uncorrected misstatements should be evaluated for materiality,
individually or in aggregate, to determine what effect they may
have on the opinion to be given in the auditor’s report
• The circumstances related to some misstatements may cause the
auditor to evaluate them as material even if they are below
quantitative materiality. That is the case of fraud and corruption
• Public sector auditors’ responsibilities may not be limited to the
risk of material misstatements due to fraud and may include
aspects of non-compliance and control deviation
CONDUCTING THE AUDIT
4. Audit documentation and evidence:
(ISSAIs 1240, 1230, 1315, 1330 & 5530)
• Discussions on fraud risks
• Identified and assessed fraud risks
• Reasons for not addressing risks
• Nature, timing and extent of audit procedures and their link to
risks
• Results of audit procedures (incl. witnesses, physical evidence,
observations)
• All documents presented by staff in support of recorded
transactions, internal auditor reports, interviews, inspections and
observations, questionnaires, documents from external sources,
results of analytical reviews and expert opinions
• Communications about fraud to management, those charged with
governance and others
CONDUCTING THE AUDIT
4. Audit documentation and evidence:
(ISSAIs 200, 4100, 4200 & 5530)
• In cases where SAI mandates require auditors to stop audit work and
hand the details over to the appropriate investigative or prosecuting
authorities when there is suspicion of fraud or corruption, the audit
evidence should be carefully collected together and clearly
presented to those authorities
• Some SAIs have the option of putting together teams including both
auditors and investigators
• In Courts of Accounts there may be specific requirements to follow
precise procedures related to rules of evidence
REPORTING
(ISSAIs 200, 400, 1000, 1240, 4100 & 5530)
• The way in which the audit results are presented depends on the
mandate of the SAI, the audit objectives and the approach used
• Whether or not individual cases of suspected fraud and corruption
are detected, SAIs’ mandates include the requirement to report on
the increased risks of fraud and corruption and to recommend
improvements
• In situations where the auditors are convinced that fraud or
corruption has occurred, but can find no evidence of that, they can
indicate the existence of opportunities for fraud or corruption and
suggest ways in which corrective action can be taken to minimise or
diminish them
REPORTING
(ISSAIs 200, 400, 1000, 1240, 4100 & 5530)
• By mandate, requirements or public expectations, public sector
auditors may have responsibilities:
– To report all instances of non-compliance, even where
inconsequential
– To report on all identified internal control deficiencies
– To order that any instances of non-compliance be
corrected
– To follow-up that appropriate action has been taken
– To take actions when offences are discovered
REPORTING
(ISSAIs 200, 1000, 1240, 4100 & 5530)
• Public sector auditors do not normally have the option to withdraw
from an audit engagement. In case of suspected or confirmed fraud
in financial audit they must consider the impact on the audit opinion
(ISSAIs 1450 & 1700) – material unlawful acts normally result in a
modified audit conclusion
REPORTING
(ISSAIs 200, 1000, 1240, 4100 & 5530)
• According to circumstances, identified or suspected fraud may be
communicated to management, those charged with governance
and/or legislature
• There may be a duty to refer indications of fraud and criminal
offences to jurisdictional or investigative bodies (prosecutors, police)
and even cooperate with them to determine if fraud, abuse or crime
has occurred. The public auditor’s legal responsibilities to report the
occurrence or suspicion of fraud to supervisory, regulatory and/or
enforcement authorities may override the duty of confidentiality
REPORTING
(ISSAIs 200, 400, 1240, 4100 & 5530)
• Some SAIs can extend their own work or initiate a special investigation
alongside the statutory audit
• SAIs with jurisdictional powers pronounce judgements and sanctions
on those responsible for financial offences (reimbursements, fines or
other penalties)
• An instruction phase to gather enough judicial evidence can be a part
of the audit or an autonomous process
REPORTING
(ISSAIs 200, 400, 1240, 4100 & 5530)
SAI’s jurisdictional responsibilities may give rise to additional
considerations:
– Identify the individuals to be held responsible for acts
– Consider periods relevant for personal liability
– Clearly identify criteria and amounts involved
– Gather additional and preferably written evidence
– Comply with relevant rules of evidence
– Liaise with prosecutors
– Follow due process of law
– Public hearing and disclosure
REPORTING
(ISSAIs 400, 1240, 4100 & 5530)
• Making cases of fraud and corruption public may have an important
deterrent effect
• But caution is needed with unconfirmed cases, which usually need a
court of law decision, and auditors must also take care to avoid
interfering with any future legal proceedings or investigations
• There may be requirements for separate, classified or restricted
reports
• Auditors must be familiar with applicable laws and regulations on
reporting, communicating and documenting indications or suspicions
of fraud
• They should consider the need to obtain legal advice in issues
regarding indications and communication of fraud