The auditor should identify suitable criteria to provide a basis for evaluating the
audit evidence and developing audit findings and conclusions. The criteria should be
made available to the intended users and others as appropriate. They should also be
communicated to the responsible party.
Understanding the entity
52. Auditors should understand the audited entity in the light of the relevant
Compliance auditing may cover all levels of the executive and can include various
administrative levels, types of entities and combinations of entities. The auditor
should therefore be familiar with the structure and operations of the audited entity
and its procedures for achieving compliance. The auditor will use this knowledge to
determine materiality and assess the risk of non-compliance.
Understanding internal controls and the control environment
53. Auditors should understand the control environment and the relevant internal
controls and consider whether they are likely to ensure compliance.
An understanding of the audited entity and/or the subject matter relevant to the audit
scope depends on the auditor’s knowledge of the control environment. The control
environment is the culture of honesty and ethical behaviour that provides the
foundation for the system of internal controls to ensure compliance with the
authorities. In compliance auditing, a control environment that focuses on achieving
compliance is of particular importance.
In order to understand the audited entity or the subject matter, the auditor also needs
to understand the system of internal controls. The particular type of controls which
the auditor focuses on will depend on the subject matter and the specific nature and
scope of the audit. As the subject matter may be qualitative or quantitative, the
auditor will focus on quantitative or qualitative internal controls, or a combination
thereof, according to the audit scope. In evaluating internal controls, the auditor
assesses the risk that they may not prevent or detect material instances of non-compliance.
The auditor should consider whether the internal controls are in
harmony with the control environment so as to ensure compliance with the
authorities in all material respects.
54. Auditors should perform a risk assessment to identify risks of non-compliance.
In the light of the audit criteria, the audit scope and the characteristics of the audited
entity, the auditor should perform a risk assessment to determine the nature, timing
and extent of the audit procedures to be performed. In this the auditor should
consider the risks that the subject matter will not comply with the criteria. Non-compliance
may arise due to fraud, error, the inherent nature of the subject matter
39 | Compliance Audit Guidelines